blob: f0fdcc009daa220e3e50c134c15e7e45576c6439 [file] [log] [blame]
Willy Tarreau2212e6a2015-10-13 14:40:55 +02001 ------------------------
2 HAProxy Management Guide
3 ------------------------
Willy Tarreau73dec762021-11-23 15:50:11 +01004 version 2.6
Willy Tarreau2212e6a2015-10-13 14:40:55 +02005
6
7This document describes how to start, stop, manage, and troubleshoot HAProxy,
8as well as some known limitations and traps to avoid. It does not describe how
9to configure it (for this please read configuration.txt).
10
11Note to documentation contributors :
12 This document is formatted with 80 columns per line, with even number of
13 spaces for indentation and without tabs. Please follow these rules strictly
14 so that it remains easily printable everywhere. If you add sections, please
15 update the summary below for easier searching.
16
17
18Summary
19-------
20
211. Prerequisites
222. Quick reminder about HAProxy's architecture
233. Starting HAProxy
244. Stopping and restarting HAProxy
255. File-descriptor limitations
266. Memory management
277. CPU usage
288. Logging
299. Statistics and monitoring
Willy Tarreau44aed902015-10-13 14:45:29 +0200309.1. CSV format
Willy Tarreau5d8b9792016-03-11 11:09:34 +0100319.2. Typed output format
329.3. Unix Socket commands
William Lallemand142db372018-12-11 18:56:45 +0100339.4. Master CLI
William Lallemandaf140ab2022-02-02 14:44:19 +0100349.4.1. Master CLI commands
Willy Tarreau2212e6a2015-10-13 14:40:55 +02003510. Tricks for easier configuration management
3611. Well-known traps to avoid
3712. Debugging and performance issues
3813. Security considerations
39
40
411. Prerequisites
42----------------
43
44In this document it is assumed that the reader has sufficient administration
45skills on a UNIX-like operating system, uses the shell on a daily basis and is
46familiar with troubleshooting utilities such as strace and tcpdump.
47
48
492. Quick reminder about HAProxy's architecture
50----------------------------------------------
51
Willy Tarreau3f364482019-02-27 15:01:46 +010052HAProxy is a multi-threaded, event-driven, non-blocking daemon. This means is
Willy Tarreau2212e6a2015-10-13 14:40:55 +020053uses event multiplexing to schedule all of its activities instead of relying on
54the system to schedule between multiple activities. Most of the time it runs as
55a single process, so the output of "ps aux" on a system will report only one
56"haproxy" process, unless a soft reload is in progress and an older process is
57finishing its job in parallel to the new one. It is thus always easy to trace
Willy Tarreau3f364482019-02-27 15:01:46 +010058its activity using the strace utility. In order to scale with the number of
59available processors, by default haproxy will start one worker thread per
60processor it is allowed to run on. Unless explicitly configured differently,
61the incoming traffic is spread over all these threads, all running the same
62event loop. A great care is taken to limit inter-thread dependencies to the
63strict minimum, so as to try to achieve near-linear scalability. This has some
64impacts such as the fact that a given connection is served by a single thread.
65Thus in order to use all available processing capacity, it is needed to have at
66least as many connections as there are threads, which is almost always granted.
Willy Tarreau2212e6a2015-10-13 14:40:55 +020067
68HAProxy is designed to isolate itself into a chroot jail during startup, where
69it cannot perform any file-system access at all. This is also true for the
70libraries it depends on (eg: libc, libssl, etc). The immediate effect is that
71a running process will not be able to reload a configuration file to apply
72changes, instead a new process will be started using the updated configuration
73file. Some other less obvious effects are that some timezone files or resolver
74files the libc might attempt to access at run time will not be found, though
75this should generally not happen as they're not needed after startup. A nice
76consequence of this principle is that the HAProxy process is totally stateless,
77and no cleanup is needed after it's killed, so any killing method that works
78will do the right thing.
79
80HAProxy doesn't write log files, but it relies on the standard syslog protocol
81to send logs to a remote server (which is often located on the same system).
82
83HAProxy uses its internal clock to enforce timeouts, that is derived from the
84system's time but where unexpected drift is corrected. This is done by limiting
85the time spent waiting in poll() for an event, and measuring the time it really
86took. In practice it never waits more than one second. This explains why, when
87running strace over a completely idle process, periodic calls to poll() (or any
88of its variants) surrounded by two gettimeofday() calls are noticed. They are
89normal, completely harmless and so cheap that the load they imply is totally
90undetectable at the system scale, so there's nothing abnormal there. Example :
91
92 16:35:40.002320 gettimeofday({1442759740, 2605}, NULL) = 0
93 16:35:40.002942 epoll_wait(0, {}, 200, 1000) = 0
94 16:35:41.007542 gettimeofday({1442759741, 7641}, NULL) = 0
95 16:35:41.007998 gettimeofday({1442759741, 8114}, NULL) = 0
96 16:35:41.008391 epoll_wait(0, {}, 200, 1000) = 0
97 16:35:42.011313 gettimeofday({1442759742, 11411}, NULL) = 0
98
99HAProxy is a TCP proxy, not a router. It deals with established connections that
100have been validated by the kernel, and not with packets of any form nor with
101sockets in other states (eg: no SYN_RECV nor TIME_WAIT), though their existence
102may prevent it from binding a port. It relies on the system to accept incoming
103connections and to initiate outgoing connections. An immediate effect of this is
104that there is no relation between packets observed on the two sides of a
105forwarded connection, which can be of different size, numbers and even family.
106Since a connection may only be accepted from a socket in LISTEN state, all the
107sockets it is listening to are necessarily visible using the "netstat" utility
108to show listening sockets. Example :
109
110 # netstat -ltnp
111 Active Internet connections (only servers)
112 Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
113 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1629/sshd
114 tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2847/haproxy
115 tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2847/haproxy
116
117
1183. Starting HAProxy
119-------------------
120
121HAProxy is started by invoking the "haproxy" program with a number of arguments
122passed on the command line. The actual syntax is :
123
124 $ haproxy [<options>]*
125
126where [<options>]* is any number of options. An option always starts with '-'
127followed by one of more letters, and possibly followed by one or multiple extra
128arguments. Without any option, HAProxy displays the help page with a reminder
129about supported options. Available options may vary slightly based on the
130operating system. A fair number of these options overlap with an equivalent one
131if the "global" section. In this case, the command line always has precedence
132over the configuration file, so that the command line can be used to quickly
133enforce some settings without touching the configuration files. The current
134list of options is :
135
136 -- <cfgfile>* : all the arguments following "--" are paths to configuration
Maxime de Roucy379d9c72016-05-13 23:52:56 +0200137 file/directory to be loaded and processed in the declaration order. It is
138 mostly useful when relying on the shell to load many files that are
139 numerically ordered. See also "-f". The difference between "--" and "-f" is
140 that one "-f" must be placed before each file name, while a single "--" is
141 needed before all file names. Both options can be used together, the
142 command line ordering still applies. When more than one file is specified,
143 each file must start on a section boundary, so the first keyword of each
144 file must be one of "global", "defaults", "peers", "listen", "frontend",
145 "backend", and so on. A file cannot contain just a server list for example.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200146
Maxime de Roucy379d9c72016-05-13 23:52:56 +0200147 -f <cfgfile|cfgdir> : adds <cfgfile> to the list of configuration files to be
148 loaded. If <cfgdir> is a directory, all the files (and only files) it
Dan Lloyd8e48b872016-07-01 21:01:18 -0400149 contains are added in lexical order (using LC_COLLATE=C) to the list of
Maxime de Roucy379d9c72016-05-13 23:52:56 +0200150 configuration files to be loaded ; only files with ".cfg" extension are
151 added, only non hidden files (not prefixed with ".") are added.
152 Configuration files are loaded and processed in their declaration order.
153 This option may be specified multiple times to load multiple files. See
154 also "--". The difference between "--" and "-f" is that one "-f" must be
155 placed before each file name, while a single "--" is needed before all file
156 names. Both options can be used together, the command line ordering still
157 applies. When more than one file is specified, each file must start on a
158 section boundary, so the first keyword of each file must be one of
159 "global", "defaults", "peers", "listen", "frontend", "backend", and so on.
160 A file cannot contain just a server list for example.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200161
162 -C <dir> : changes to directory <dir> before loading configuration
163 files. This is useful when using relative paths. Warning when using
164 wildcards after "--" which are in fact replaced by the shell before
165 starting haproxy.
166
167 -D : start as a daemon. The process detaches from the current terminal after
168 forking, and errors are not reported anymore in the terminal. It is
169 equivalent to the "daemon" keyword in the "global" section of the
170 configuration. It is recommended to always force it in any init script so
171 that a faulty configuration doesn't prevent the system from booting.
172
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200173 -L <name> : change the local peer name to <name>, which defaults to the local
William Lallemanddaf4cd22018-04-17 16:46:13 +0200174 hostname. This is used only with peers replication. You can use the
175 variable $HAPROXY_LOCALPEER in the configuration file to reference the
176 peer name.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200177
178 -N <limit> : sets the default per-proxy maxconn to <limit> instead of the
179 builtin default value (usually 2000). Only useful for debugging.
180
181 -V : enable verbose mode (disables quiet mode). Reverts the effect of "-q" or
182 "quiet".
183
William Lallemande202b1e2017-06-01 17:38:56 +0200184 -W : master-worker mode. It is equivalent to the "master-worker" keyword in
185 the "global" section of the configuration. This mode will launch a "master"
186 which will monitor the "workers". Using this mode, you can reload HAProxy
187 directly by sending a SIGUSR2 signal to the master. The master-worker mode
188 is compatible either with the foreground or daemon mode. It is
189 recommended to use this mode with multiprocess and systemd.
190
Pavlos Parissisf65f2572018-02-07 21:42:16 +0100191 -Ws : master-worker mode with support of `notify` type of systemd service.
192 This option is only available when HAProxy was built with `USE_SYSTEMD`
193 build option enabled.
194
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200195 -c : only performs a check of the configuration files and exits before trying
196 to bind. The exit status is zero if everything is OK, or non-zero if an
Willy Tarreaubebd2122020-04-15 16:06:11 +0200197 error is encountered. Presence of warnings will be reported if any.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200198
Maximilian Maderfc0cceb2021-06-06 00:50:22 +0200199 -cc : evaluates a condition as used within a conditional block of the
200 configuration. The exit status is zero if the condition is true, 1 if the
201 condition is false or 2 if an error is encountered.
202
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200203 -d : enable debug mode. This disables daemon mode, forces the process to stay
Willy Tarreauccf42992020-10-09 19:15:03 +0200204 in foreground and to show incoming and outgoing events. It must never be
205 used in an init script.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200206
Amaury Denoyelle7b01a8d2021-03-29 10:29:07 +0200207 -dD : enable diagnostic mode. This mode will output extra warnings about
208 suspicious configuration statements. This will never prevent startup even in
209 "zero-warning" mode nor change the exit status code.
210
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200211 -dG : disable use of getaddrinfo() to resolve host names into addresses. It
212 can be used when suspecting that getaddrinfo() doesn't work as expected.
213 This option was made available because many bogus implementations of
214 getaddrinfo() exist on various systems and cause anomalies that are
215 difficult to troubleshoot.
216
Willy Tarreau76871a42022-03-08 16:01:40 +0100217 -dK<class[,class]*> : dumps the list of registered keywords in each class.
218 The list of classes is available with "-dKhelp". All classes may be dumped
219 using "-dKall", otherwise a selection of those shown in the help can be
220 specified as a comma-delimited list. The output format will vary depending
221 on what class of keywords is being dumped (e.g. "cfg" will show the known
222 configuration keywords in a format ressembling the config file format while
223 "smp" will show sample fetch functions prefixed with a compatibility matrix
224 with each rule set). These may rarely be used as-is by humans but can be of
225 great help for external tools that try to detect the appearance of new
226 keywords at certain places to automatically update some documentation,
227 syntax highlighting files, configuration parsers, API etc. The output
228 format may evolve a bit over time so it is really recommended to use this
229 output mostly to detect differences with previous archives. Note that not
230 all keywords are listed because many keywords have existed long before the
231 different keyword registration subsystems were created, and they do not
232 appear there. However since new keywords are only added via the modern
233 mechanisms, it's reasonably safe to assume that this output may be used to
234 detect language additions with a good accuracy. The keywords are only
235 dumped after the configuration is fully parsed, so that even dynamically
236 created keywords can be dumped. A good way to dump and exit is to run a
237 silent config check on an existing configuration:
238
239 ./haproxy -dKall -q -c -f foo.cfg
240
241 If no configuration file is available, using "-f /dev/null" will work as
242 well to dump all default keywords, but then the return status will not be
243 zero since there will be no listener, and will have to be ignored.
244
Willy Tarreau654726d2021-12-28 15:43:11 +0100245 -dL : dumps the list of dynamic shared libraries that are loaded at the end
246 of the config processing. This will generally also include deep dependencies
247 such as anything loaded from Lua code for example, as well as the executable
248 itself. The list is printed in a format that ought to be easy enough to
249 sanitize to directly produce a tarball of all dependencies. Since it doesn't
250 stop the program's startup, it is recommended to only use it in combination
251 with "-c" and "-q" where only the list of loaded objects will be displayed
252 (or nothing in case of error). In addition, keep in mind that when providing
253 such a package to help with a core file analysis, most libraries are in fact
254 symbolic links that need to be dereferenced when creating the archive:
255
256 ./haproxy -W -q -c -dL -f foo.cfg | tar -T - -hzcf archive.tgz
257
Willy Tarreauf4b79c42022-02-23 15:20:53 +0100258 -dM[<byte>[,]][help|options,...] : forces memory poisoning, and/or changes
259 memory other debugging options. Memory poisonning means that each and every
Willy Tarreaubafbe012017-11-24 17:34:44 +0100260 memory region allocated with malloc() or pool_alloc() will be filled with
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200261 <byte> before being passed to the caller. When <byte> is not specified, it
262 defaults to 0x50 ('P'). While this slightly slows down operations, it is
263 useful to reliably trigger issues resulting from missing initializations in
264 the code that cause random crashes. Note that -dM0 has the effect of
265 turning any malloc() into a calloc(). In any case if a bug appears or
266 disappears when using this option it means there is a bug in haproxy, so
Willy Tarreauf4b79c42022-02-23 15:20:53 +0100267 please report it. A number of other options are available either alone or
268 after a comma following the byte. The special option "help" will list the
269 currently supported options and their current value. Each debugging option
270 may be forced on or off. The most optimal options are usually chosen at
271 build time based on the operating system and do not need to be adjusted,
272 unless suggested by a developer. Supported debugging options include
273 (set/clear):
274 - fail / no-fail:
275 This enables randomly failing memory allocations, in conjunction with
276 the global "tune.fail-alloc" setting. This is used to detect missing
277 error checks in the code.
278
279 - no-merge / merge:
280 By default, pools of very similar sizes are merged, resulting in more
281 efficiency, but this complicates the analysis of certain memory dumps.
282 This option allows to disable this mechanism, and may slightly increase
283 the memory usage.
284
285 - cold-first / hot-first:
286 In order to optimize the CPU cache hit ratio, by default the most
287 recently released objects ("hot") are recycled for new allocations.
288 But doing so also complicates analysis of memory dumps and may hide
289 use-after-free bugs. This option allows to instead pick the coldest
290 objects first, which may result in a slight increase of CPU usage.
291
292 - integrity / no-integrity:
293 When this option is enabled, memory integrity checks are enabled on
294 the allocated area to verify that it hasn't been modified since it was
295 last released. This works best with "no-merge", "cold-first" and "tag".
296 Enabling this option will slightly increase the CPU usage.
297
298 - no-global / global:
299 Depending on the operating system, a process-wide global memory cache
300 may be enabled if it is estimated that the standard allocator is too
301 slow or inefficient with threads. This option allows to forcefully
302 disable it or enable it. Disabling it may result in a CPU usage
303 increase with inefficient allocators. Enabling it may result in a
304 higher memory usage with efficient allocators.
305
306 - no-cache / cache:
307 Each thread uses a very fast local object cache for allocations, which
308 is always enabled by default. This option allows to disable it. Since
309 the global cache also passes via the local caches, this will
310 effectively result in disabling all caches and allocating directly from
311 the default allocator. This may result in a significant increase of CPU
312 usage, but may also result in small memory savings on tiny systems.
313
314 - caller / no-caller:
315 Enabling this option reserves some extra space in each allocated object
316 to store the address of the last caller that allocated or released it.
317 This helps developers go back in time when analysing memory dumps and
318 to guess how something unexpected happened.
319
320 - tag / no-tag:
321 Enabling this option reserves some extra space in each allocated object
322 to store a tag that allows to detect bugs such as double-free, freeing
323 an invalid object, and buffer overflows. It offers much stronger
324 reliability guarantees at the expense of 4 or 8 extra bytes per
325 allocation. It usually is the first step to detect memory corruption.
326
327 - poison / no-poison:
328 Enabling this option will fill allocated objects with a fixed pattern
329 that will make sure that some accidental values such as 0 will not be
330 present if a newly added field was mistakenly forgotten in an
331 initialization routine. Such bugs tend to rarely reproduce, especially
332 when pools are not merged. This is normally enabled by directly passing
333 the byte's value to -dM but using this option allows to disable/enable
334 use of a previously set value.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200335
336 -dS : disable use of the splice() system call. It is equivalent to the
337 "global" section's "nosplice" keyword. This may be used when splice() is
338 suspected to behave improperly or to cause performance issues, or when
339 using strace to see the forwarded data (which do not appear when using
340 splice()).
341
342 -dV : disable SSL verify on the server side. It is equivalent to having
343 "ssl-server-verify none" in the "global" section. This is useful when
344 trying to reproduce production issues out of the production
345 environment. Never use this in an init script as it degrades SSL security
346 to the servers.
347
Willy Tarreau3eb10b82020-04-15 16:42:39 +0200348 -dW : if set, haproxy will refuse to start if any warning was emitted while
349 processing the configuration. This helps detect subtle mistakes and keep the
350 configuration clean and portable across versions. It is recommended to set
351 this option in service scripts when configurations are managed by humans,
352 but it is recommended not to use it with generated configurations, which
353 tend to emit more warnings. It may be combined with "-c" to cause warnings
354 in checked configurations to fail. This is equivalent to global option
355 "zero-warning".
356
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200357 -db : disable background mode and multi-process mode. The process remains in
358 foreground. It is mainly used during development or during small tests, as
359 Ctrl-C is enough to stop the process. Never use it in an init script.
360
361 -de : disable the use of the "epoll" poller. It is equivalent to the "global"
362 section's keyword "noepoll". It is mostly useful when suspecting a bug
363 related to this poller. On systems supporting epoll, the fallback will
364 generally be the "poll" poller.
365
366 -dk : disable the use of the "kqueue" poller. It is equivalent to the
367 "global" section's keyword "nokqueue". It is mostly useful when suspecting
368 a bug related to this poller. On systems supporting kqueue, the fallback
369 will generally be the "poll" poller.
370
371 -dp : disable the use of the "poll" poller. It is equivalent to the "global"
372 section's keyword "nopoll". It is mostly useful when suspecting a bug
373 related to this poller. On systems supporting poll, the fallback will
374 generally be the "select" poller, which cannot be disabled and is limited
375 to 1024 file descriptors.
376
Willy Tarreau3eed10e2016-11-07 21:03:16 +0100377 -dr : ignore server address resolution failures. It is very common when
378 validating a configuration out of production not to have access to the same
379 resolvers and to fail on server address resolution, making it difficult to
380 test a configuration. This option simply appends the "none" method to the
381 list of address resolution methods for all servers, ensuring that even if
382 the libc fails to resolve an address, the startup sequence is not
383 interrupted.
384
Willy Tarreau70060452015-12-14 12:46:07 +0100385 -m <limit> : limit the total allocatable memory to <limit> megabytes across
386 all processes. This may cause some connection refusals or some slowdowns
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200387 depending on the amount of memory needed for normal operations. This is
Willy Tarreau70060452015-12-14 12:46:07 +0100388 mostly used to force the processes to work in a constrained resource usage
389 scenario. It is important to note that the memory is not shared between
390 processes, so in a multi-process scenario, this value is first divided by
391 global.nbproc before forking.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200392
393 -n <limit> : limits the per-process connection limit to <limit>. This is
394 equivalent to the global section's keyword "maxconn". It has precedence
395 over this keyword. This may be used to quickly force lower limits to avoid
396 a service outage on systems where resource limits are too low.
397
398 -p <file> : write all processes' pids into <file> during startup. This is
399 equivalent to the "global" section's keyword "pidfile". The file is opened
400 before entering the chroot jail, and after doing the chdir() implied by
401 "-C". Each pid appears on its own line.
402
403 -q : set "quiet" mode. This disables some messages during the configuration
404 parsing and during startup. It can be used in combination with "-c" to
405 just check if a configuration file is valid or not.
406
William Lallemand142db372018-12-11 18:56:45 +0100407 -S <bind>[,bind_options...]: in master-worker mode, bind a master CLI, which
408 allows the access to every processes, running or leaving ones.
409 For security reasons, it is recommended to bind the master CLI to a local
410 UNIX socket. The bind options are the same as the keyword "bind" in
411 the configuration file with words separated by commas instead of spaces.
412
413 Note that this socket can't be used to retrieve the listening sockets from
414 an old process during a seamless reload.
415
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200416 -sf <pid>* : send the "finish" signal (SIGUSR1) to older processes after boot
417 completion to ask them to finish what they are doing and to leave. <pid>
418 is a list of pids to signal (one per argument). The list ends on any
419 option starting with a "-". It is not a problem if the list of pids is
420 empty, so that it can be built on the fly based on the result of a command
421 like "pidof" or "pgrep".
422
423 -st <pid>* : send the "terminate" signal (SIGTERM) to older processes after
424 boot completion to terminate them immediately without finishing what they
425 were doing. <pid> is a list of pids to signal (one per argument). The list
426 is ends on any option starting with a "-". It is not a problem if the list
427 of pids is empty, so that it can be built on the fly based on the result of
428 a command like "pidof" or "pgrep".
429
430 -v : report the version and build date.
431
432 -vv : display the version, build options, libraries versions and usable
433 pollers. This output is systematically requested when filing a bug report.
434
Olivier Houchardd33fc3a2017-04-05 22:50:59 +0200435 -x <unix_socket> : connect to the specified socket and try to retrieve any
436 listening sockets from the old process, and use them instead of trying to
437 bind new ones. This is useful to avoid missing any new connection when
William Lallemandf6975e92017-05-26 17:42:10 +0200438 reloading the configuration on Linux. The capability must be enable on the
439 stats socket using "expose-fd listeners" in your configuration.
William Lallemand2be557f2021-11-24 18:45:37 +0100440 In master-worker mode, the master will use this option upon a reload with
441 the "sockpair@" syntax, which allows the master to connect directly to a
442 worker without using stats socket declared in the configuration.
Olivier Houchardd33fc3a2017-04-05 22:50:59 +0200443
Dan Lloyd8e48b872016-07-01 21:01:18 -0400444A safe way to start HAProxy from an init file consists in forcing the daemon
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200445mode, storing existing pids to a pid file and using this pid file to notify
446older processes to finish before leaving :
447
448 haproxy -f /etc/haproxy.cfg \
449 -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)
450
451When the configuration is split into a few specific files (eg: tcp vs http),
452it is recommended to use the "-f" option :
453
454 haproxy -f /etc/haproxy/global.cfg -f /etc/haproxy/stats.cfg \
455 -f /etc/haproxy/default-tcp.cfg -f /etc/haproxy/tcp.cfg \
456 -f /etc/haproxy/default-http.cfg -f /etc/haproxy/http.cfg \
457 -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)
458
459When an unknown number of files is expected, such as customer-specific files,
460it is recommended to assign them a name starting with a fixed-size sequence
461number and to use "--" to load them, possibly after loading some defaults :
462
463 haproxy -f /etc/haproxy/global.cfg -f /etc/haproxy/stats.cfg \
464 -f /etc/haproxy/default-tcp.cfg -f /etc/haproxy/tcp.cfg \
465 -f /etc/haproxy/default-http.cfg -f /etc/haproxy/http.cfg \
466 -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid) \
467 -f /etc/haproxy/default-customers.cfg -- /etc/haproxy/customers/*
468
469Sometimes a failure to start may happen for whatever reason. Then it is
470important to verify if the version of HAProxy you are invoking is the expected
471version and if it supports the features you are expecting (eg: SSL, PCRE,
472compression, Lua, etc). This can be verified using "haproxy -vv". Some
473important information such as certain build options, the target system and
474the versions of the libraries being used are reported there. It is also what
475you will systematically be asked for when posting a bug report :
476
477 $ haproxy -vv
Willy Tarreau58000fe2021-05-09 06:25:16 +0200478 HAProxy version 1.6-dev7-a088d3-4 2015/10/08
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200479 Copyright 2000-2015 Willy Tarreau <willy@haproxy.org>
480
481 Build options :
482 TARGET = linux2628
483 CPU = generic
484 CC = gcc
485 CFLAGS = -pg -O0 -g -fno-strict-aliasing -Wdeclaration-after-statement \
486 -DBUFSIZE=8030 -DMAXREWRITE=1030 -DSO_MARK=36 -DTCP_REPAIR=19
487 OPTIONS = USE_ZLIB=1 USE_DLMALLOC=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1
488
489 Default settings :
490 maxconn = 2000, bufsize = 8030, maxrewrite = 1030, maxpollevents = 200
491
492 Encrypted password support via crypt(3): yes
493 Built with zlib version : 1.2.6
494 Compression algorithms supported : identity("identity"), deflate("deflate"), \
495 raw-deflate("deflate"), gzip("gzip")
496 Built with OpenSSL version : OpenSSL 1.0.1o 12 Jun 2015
497 Running on OpenSSL version : OpenSSL 1.0.1o 12 Jun 2015
498 OpenSSL library supports TLS extensions : yes
499 OpenSSL library supports SNI : yes
500 OpenSSL library supports prefer-server-ciphers : yes
501 Built with PCRE version : 8.12 2011-01-15
502 PCRE library supports JIT : no (USE_PCRE_JIT not set)
503 Built with Lua version : Lua 5.3.1
504 Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
505
506 Available polling systems :
507 epoll : pref=300, test result OK
508 poll : pref=200, test result OK
509 select : pref=150, test result OK
510 Total: 3 (3 usable), will use epoll.
511
512The relevant information that many non-developer users can verify here are :
513 - the version : 1.6-dev7-a088d3-4 above means the code is currently at commit
514 ID "a088d3" which is the 4th one after after official version "1.6-dev7".
515 Version 1.6-dev7 would show as "1.6-dev7-8c1ad7". What matters here is in
516 fact "1.6-dev7". This is the 7th development version of what will become
517 version 1.6 in the future. A development version not suitable for use in
518 production (unless you know exactly what you are doing). A stable version
519 will show as a 3-numbers version, such as "1.5.14-16f863", indicating the
520 14th level of fix on top of version 1.5. This is a production-ready version.
521
522 - the release date : 2015/10/08. It is represented in the universal
523 year/month/day format. Here this means August 8th, 2015. Given that stable
524 releases are issued every few months (1-2 months at the beginning, sometimes
525 6 months once the product becomes very stable), if you're seeing an old date
526 here, it means you're probably affected by a number of bugs or security
527 issues that have since been fixed and that it might be worth checking on the
528 official site.
529
530 - build options : they are relevant to people who build their packages
531 themselves, they can explain why things are not behaving as expected. For
532 example the development version above was built for Linux 2.6.28 or later,
Dan Lloyd8e48b872016-07-01 21:01:18 -0400533 targeting a generic CPU (no CPU-specific optimizations), and lacks any
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200534 code optimization (-O0) so it will perform poorly in terms of performance.
535
536 - libraries versions : zlib version is reported as found in the library
537 itself. In general zlib is considered a very stable product and upgrades
538 are almost never needed. OpenSSL reports two versions, the version used at
539 build time and the one being used, as found on the system. These ones may
540 differ by the last letter but never by the numbers. The build date is also
541 reported because most OpenSSL bugs are security issues and need to be taken
542 seriously, so this library absolutely needs to be kept up to date. Seeing a
543 4-months old version here is highly suspicious and indeed an update was
544 missed. PCRE provides very fast regular expressions and is highly
545 recommended. Certain of its extensions such as JIT are not present in all
546 versions and still young so some people prefer not to build with them,
Dan Lloyd8e48b872016-07-01 21:01:18 -0400547 which is why the build status is reported as well. Regarding the Lua
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200548 scripting language, HAProxy expects version 5.3 which is very young since
549 it was released a little time before HAProxy 1.6. It is important to check
550 on the Lua web site if some fixes are proposed for this branch.
551
552 - Available polling systems will affect the process's scalability when
553 dealing with more than about one thousand of concurrent connections. These
554 ones are only available when the correct system was indicated in the TARGET
555 variable during the build. The "epoll" mechanism is highly recommended on
556 Linux, and the kqueue mechanism is highly recommended on BSD. Lacking them
557 will result in poll() or even select() being used, causing a high CPU usage
558 when dealing with a lot of connections.
559
560
5614. Stopping and restarting HAProxy
562----------------------------------
563
564HAProxy supports a graceful and a hard stop. The hard stop is simple, when the
565SIGTERM signal is sent to the haproxy process, it immediately quits and all
566established connections are closed. The graceful stop is triggered when the
567SIGUSR1 signal is sent to the haproxy process. It consists in only unbinding
568from listening ports, but continue to process existing connections until they
569close. Once the last connection is closed, the process leaves.
570
571The hard stop method is used for the "stop" or "restart" actions of the service
572management script. The graceful stop is used for the "reload" action which
573tries to seamlessly reload a new configuration in a new process.
574
575Both of these signals may be sent by the new haproxy process itself during a
576reload or restart, so that they are sent at the latest possible moment and only
577if absolutely required. This is what is performed by the "-st" (hard) and "-sf"
578(graceful) options respectively.
579
William Lallemande202b1e2017-06-01 17:38:56 +0200580In master-worker mode, it is not needed to start a new haproxy process in
581order to reload the configuration. The master process reacts to the SIGUSR2
582signal by reexecuting itself with the -sf parameter followed by the PIDs of
583the workers. The master will then parse the configuration file and fork new
584workers.
585
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200586To understand better how these signals are used, it is important to understand
587the whole restart mechanism.
588
589First, an existing haproxy process is running. The administrator uses a system
Jackie Tapia749f74c2020-07-22 18:59:40 -0500590specific command such as "/etc/init.d/haproxy reload" to indicate they want to
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200591take the new configuration file into effect. What happens then is the following.
592First, the service script (/etc/init.d/haproxy or equivalent) will verify that
593the configuration file parses correctly using "haproxy -c". After that it will
594try to start haproxy with this configuration file, using "-st" or "-sf".
595
596Then HAProxy tries to bind to all listening ports. If some fatal errors happen
597(eg: address not present on the system, permission denied), the process quits
598with an error. If a socket binding fails because a port is already in use, then
599the process will first send a SIGTTOU signal to all the pids specified in the
600"-st" or "-sf" pid list. This is what is called the "pause" signal. It instructs
601all existing haproxy processes to temporarily stop listening to their ports so
602that the new process can try to bind again. During this time, the old process
603continues to process existing connections. If the binding still fails (because
604for example a port is shared with another daemon), then the new process sends a
605SIGTTIN signal to the old processes to instruct them to resume operations just
606as if nothing happened. The old processes will then restart listening to the
Jonathon Lacherc5b5e7b2021-08-04 00:29:05 -0500607ports and continue to accept connections. Note that this mechanism is system
Dan Lloyd8e48b872016-07-01 21:01:18 -0400608dependent and some operating systems may not support it in multi-process mode.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200609
610If the new process manages to bind correctly to all ports, then it sends either
611the SIGTERM (hard stop in case of "-st") or the SIGUSR1 (graceful stop in case
612of "-sf") to all processes to notify them that it is now in charge of operations
613and that the old processes will have to leave, either immediately or once they
614have finished their job.
615
616It is important to note that during this timeframe, there are two small windows
617of a few milliseconds each where it is possible that a few connection failures
618will be noticed during high loads. Typically observed failure rates are around
6191 failure during a reload operation every 10000 new connections per second,
620which means that a heavily loaded site running at 30000 new connections per
621second may see about 3 failed connection upon every reload. The two situations
622where this happens are :
623
624 - if the new process fails to bind due to the presence of the old process,
625 it will first have to go through the SIGTTOU+SIGTTIN sequence, which
626 typically lasts about one millisecond for a few tens of frontends, and
627 during which some ports will not be bound to the old process and not yet
628 bound to the new one. HAProxy works around this on systems that support the
629 SO_REUSEPORT socket options, as it allows the new process to bind without
630 first asking the old one to unbind. Most BSD systems have been supporting
631 this almost forever. Linux has been supporting this in version 2.0 and
632 dropped it around 2.2, but some patches were floating around by then. It
633 was reintroduced in kernel 3.9, so if you are observing a connection
Dan Lloyd8e48b872016-07-01 21:01:18 -0400634 failure rate above the one mentioned above, please ensure that your kernel
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200635 is 3.9 or newer, or that relevant patches were backported to your kernel
636 (less likely).
637
638 - when the old processes close the listening ports, the kernel may not always
639 redistribute any pending connection that was remaining in the socket's
640 backlog. Under high loads, a SYN packet may happen just before the socket
641 is closed, and will lead to an RST packet being sent to the client. In some
642 critical environments where even one drop is not acceptable, these ones are
643 sometimes dealt with using firewall rules to block SYN packets during the
644 reload, forcing the client to retransmit. This is totally system-dependent,
645 as some systems might be able to visit other listening queues and avoid
646 this RST. A second case concerns the ACK from the client on a local socket
647 that was in SYN_RECV state just before the close. This ACK will lead to an
648 RST packet while the haproxy process is still not aware of it. This one is
Dan Lloyd8e48b872016-07-01 21:01:18 -0400649 harder to get rid of, though the firewall filtering rules mentioned above
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200650 will work well if applied one second or so before restarting the process.
651
652For the vast majority of users, such drops will never ever happen since they
653don't have enough load to trigger the race conditions. And for most high traffic
654users, the failure rate is still fairly within the noise margin provided that at
655least SO_REUSEPORT is properly supported on their systems.
656
657
6585. File-descriptor limitations
659------------------------------
660
661In order to ensure that all incoming connections will successfully be served,
662HAProxy computes at load time the total number of file descriptors that will be
663needed during the process's life. A regular Unix process is generally granted
6641024 file descriptors by default, and a privileged process can raise this limit
665itself. This is one reason for starting HAProxy as root and letting it adjust
666the limit. The default limit of 1024 file descriptors roughly allow about 500
667concurrent connections to be processed. The computation is based on the global
668maxconn parameter which limits the total number of connections per process, the
669number of listeners, the number of servers which have a health check enabled,
670the agent checks, the peers, the loggers and possibly a few other technical
671requirements. A simple rough estimate of this number consists in simply
672doubling the maxconn value and adding a few tens to get the approximate number
673of file descriptors needed.
674
675Originally HAProxy did not know how to compute this value, and it was necessary
676to pass the value using the "ulimit-n" setting in the global section. This
677explains why even today a lot of configurations are seen with this setting
678present. Unfortunately it was often miscalculated resulting in connection
679failures when approaching maxconn instead of throttling incoming connection
680while waiting for the needed resources. For this reason it is important to
Dan Lloyd8e48b872016-07-01 21:01:18 -0400681remove any vestigial "ulimit-n" setting that can remain from very old versions.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200682
683Raising the number of file descriptors to accept even moderate loads is
684mandatory but comes with some OS-specific adjustments. First, the select()
685polling system is limited to 1024 file descriptors. In fact on Linux it used
686to be capable of handling more but since certain OS ship with excessively
687restrictive SELinux policies forbidding the use of select() with more than
6881024 file descriptors, HAProxy now refuses to start in this case in order to
689avoid any issue at run time. On all supported operating systems, poll() is
690available and will not suffer from this limitation. It is automatically picked
Dan Lloyd8e48b872016-07-01 21:01:18 -0400691so there is nothing to do to get a working configuration. But poll's becomes
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200692very slow when the number of file descriptors increases. While HAProxy does its
693best to limit this performance impact (eg: via the use of the internal file
694descriptor cache and batched processing), a good rule of thumb is that using
695poll() with more than a thousand concurrent connections will use a lot of CPU.
696
697For Linux systems base on kernels 2.6 and above, the epoll() system call will
698be used. It's a much more scalable mechanism relying on callbacks in the kernel
699that guarantee a constant wake up time regardless of the number of registered
700monitored file descriptors. It is automatically used where detected, provided
701that HAProxy had been built for one of the Linux flavors. Its presence and
702support can be verified using "haproxy -vv".
703
704For BSD systems which support it, kqueue() is available as an alternative. It
705is much faster than poll() and even slightly faster than epoll() thanks to its
706batched handling of changes. At least FreeBSD and OpenBSD support it. Just like
707with Linux's epoll(), its support and availability are reported in the output
708of "haproxy -vv".
709
710Having a good poller is one thing, but it is mandatory that the process can
711reach the limits. When HAProxy starts, it immediately sets the new process's
712file descriptor limits and verifies if it succeeds. In case of failure, it
713reports it before forking so that the administrator can see the problem. As
714long as the process is started by as root, there should be no reason for this
715setting to fail. However, it can fail if the process is started by an
716unprivileged user. If there is a compelling reason for *not* starting haproxy
717as root (eg: started by end users, or by a per-application account), then the
718file descriptor limit can be raised by the system administrator for this
719specific user. The effectiveness of the setting can be verified by issuing
720"ulimit -n" from the user's command line. It should reflect the new limit.
721
722Warning: when an unprivileged user's limits are changed in this user's account,
723it is fairly common that these values are only considered when the user logs in
724and not at all in some scripts run at system boot time nor in crontabs. This is
725totally dependent on the operating system, keep in mind to check "ulimit -n"
726before starting haproxy when running this way. The general advice is never to
727start haproxy as an unprivileged user for production purposes. Another good
728reason is that it prevents haproxy from enabling some security protections.
729
730Once it is certain that the system will allow the haproxy process to use the
731requested number of file descriptors, two new system-specific limits may be
732encountered. The first one is the system-wide file descriptor limit, which is
733the total number of file descriptors opened on the system, covering all
734processes. When this limit is reached, accept() or socket() will typically
735return ENFILE. The second one is the per-process hard limit on the number of
736file descriptors, it prevents setrlimit() from being set higher. Both are very
737dependent on the operating system. On Linux, the system limit is set at boot
738based on the amount of memory. It can be changed with the "fs.file-max" sysctl.
739And the per-process hard limit is set to 1048576 by default, but it can be
740changed using the "fs.nr_open" sysctl.
741
742File descriptor limitations may be observed on a running process when they are
743set too low. The strace utility will report that accept() and socket() return
744"-1 EMFILE" when the process's limits have been reached. In this case, simply
745raising the "ulimit-n" value (or removing it) will solve the problem. If these
746system calls return "-1 ENFILE" then it means that the kernel's limits have
747been reached and that something must be done on a system-wide parameter. These
748trouble must absolutely be addressed, as they result in high CPU usage (when
749accept() fails) and failed connections that are generally visible to the user.
750One solution also consists in lowering the global maxconn value to enforce
751serialization, and possibly to disable HTTP keep-alive to force connections
752to be released and reused faster.
753
754
7556. Memory management
756--------------------
757
758HAProxy uses a simple and fast pool-based memory management. Since it relies on
759a small number of different object types, it's much more efficient to pick new
760objects from a pool which already contains objects of the appropriate size than
761to call malloc() for each different size. The pools are organized as a stack or
762LIFO, so that newly allocated objects are taken from recently released objects
763still hot in the CPU caches. Pools of similar sizes are merged together, in
764order to limit memory fragmentation.
765
766By default, since the focus is set on performance, each released object is put
767back into the pool it came from, and allocated objects are never freed since
768they are expected to be reused very soon.
769
770On the CLI, it is possible to check how memory is being used in pools thanks to
771the "show pools" command :
772
773 > show pools
774 Dumping pools usage. Use SIGQUIT to flush them.
Willy Tarreau0a93b642018-10-16 07:58:39 +0200775 - Pool cache_st (16 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9ccc40=03 [SHARED]
776 - Pool pipe (32 bytes) : 5 allocated (160 bytes), 5 used, 0 failures, 2 users, @0x9ccac0=00 [SHARED]
777 - Pool comp_state (48 bytes) : 3 allocated (144 bytes), 3 used, 0 failures, 5 users, @0x9cccc0=04 [SHARED]
778 - Pool filter (64 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 3 users, @0x9ccbc0=02 [SHARED]
779 - Pool vars (80 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 2 users, @0x9ccb40=01 [SHARED]
780 - Pool uniqueid (128 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 2 users, @0x9cd240=15 [SHARED]
781 - Pool task (144 bytes) : 55 allocated (7920 bytes), 55 used, 0 failures, 1 users, @0x9cd040=11 [SHARED]
782 - Pool session (160 bytes) : 1 allocated (160 bytes), 1 used, 0 failures, 1 users, @0x9cd140=13 [SHARED]
783 - Pool h2s (208 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 2 users, @0x9ccec0=08 [SHARED]
784 - Pool h2c (288 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9cce40=07 [SHARED]
785 - Pool spoe_ctx (304 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 2 users, @0x9ccf40=09 [SHARED]
786 - Pool connection (400 bytes) : 2 allocated (800 bytes), 2 used, 0 failures, 1 users, @0x9cd1c0=14 [SHARED]
787 - Pool hdr_idx (416 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9cd340=17 [SHARED]
788 - Pool dns_resolut (480 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9ccdc0=06 [SHARED]
789 - Pool dns_answer_ (576 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9ccd40=05 [SHARED]
790 - Pool stream (960 bytes) : 1 allocated (960 bytes), 1 used, 0 failures, 1 users, @0x9cd0c0=12 [SHARED]
791 - Pool requri (1024 bytes) : 0 allocated (0 bytes), 0 used, 0 failures, 1 users, @0x9cd2c0=16 [SHARED]
792 - Pool buffer (8030 bytes) : 3 allocated (24090 bytes), 2 used, 0 failures, 1 users, @0x9cd3c0=18 [SHARED]
793 - Pool trash (8062 bytes) : 1 allocated (8062 bytes), 1 used, 0 failures, 1 users, @0x9cd440=19
794 Total: 19 pools, 42296 bytes allocated, 34266 used.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200795
796The pool name is only indicative, it's the name of the first object type using
797this pool. The size in parenthesis is the object size for objects in this pool.
798Object sizes are always rounded up to the closest multiple of 16 bytes. The
799number of objects currently allocated and the equivalent number of bytes is
800reported so that it is easy to know which pool is responsible for the highest
801memory usage. The number of objects currently in use is reported as well in the
802"used" field. The difference between "allocated" and "used" corresponds to the
Willy Tarreau0a93b642018-10-16 07:58:39 +0200803objects that have been freed and are available for immediate use. The address
804at the end of the line is the pool's address, and the following number is the
805pool index when it exists, or is reported as -1 if no index was assigned.
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200806
807It is possible to limit the amount of memory allocated per process using the
808"-m" command line option, followed by a number of megabytes. It covers all of
809the process's addressable space, so that includes memory used by some libraries
810as well as the stack, but it is a reliable limit when building a resource
811constrained system. It works the same way as "ulimit -v" on systems which have
812it, or "ulimit -d" for the other ones.
813
814If a memory allocation fails due to the memory limit being reached or because
815the system doesn't have any enough memory, then haproxy will first start to
816free all available objects from all pools before attempting to allocate memory
817again. This mechanism of releasing unused memory can be triggered by sending
818the signal SIGQUIT to the haproxy process. When doing so, the pools state prior
819to the flush will also be reported to stderr when the process runs in
820foreground.
821
822During a reload operation, the process switched to the graceful stop state also
823automatically performs some flushes after releasing any connection so that all
824possible memory is released to save it for the new process.
825
826
8277. CPU usage
828------------
829
830HAProxy normally spends most of its time in the system and a smaller part in
831userland. A finely tuned 3.5 GHz CPU can sustain a rate about 80000 end-to-end
832connection setups and closes per second at 100% CPU on a single core. When one
833core is saturated, typical figures are :
834 - 95% system, 5% user for long TCP connections or large HTTP objects
835 - 85% system and 15% user for short TCP connections or small HTTP objects in
836 close mode
837 - 70% system and 30% user for small HTTP objects in keep-alive mode
838
839The amount of rules processing and regular expressions will increase the user
840land part. The presence of firewall rules, connection tracking, complex routing
841tables in the system will instead increase the system part.
842
843On most systems, the CPU time observed during network transfers can be cut in 4
844parts :
845 - the interrupt part, which concerns all the processing performed upon I/O
846 receipt, before the target process is even known. Typically Rx packets are
847 accounted for in interrupt. On some systems such as Linux where interrupt
848 processing may be deferred to a dedicated thread, it can appear as softirq,
849 and the thread is called ksoftirqd/0 (for CPU 0). The CPU taking care of
850 this load is generally defined by the hardware settings, though in the case
851 of softirq it is often possible to remap the processing to another CPU.
852 This interrupt part will often be perceived as parasitic since it's not
853 associated with any process, but it actually is some processing being done
854 to prepare the work for the process.
855
856 - the system part, which concerns all the processing done using kernel code
857 called from userland. System calls are accounted as system for example. All
858 synchronously delivered Tx packets will be accounted for as system time. If
859 some packets have to be deferred due to queues filling up, they may then be
860 processed in interrupt context later (eg: upon receipt of an ACK opening a
861 TCP window).
862
863 - the user part, which exclusively runs application code in userland. HAProxy
864 runs exclusively in this part, though it makes heavy use of system calls.
865 Rules processing, regular expressions, compression, encryption all add to
866 the user portion of CPU consumption.
867
868 - the idle part, which is what the CPU does when there is nothing to do. For
869 example HAProxy waits for an incoming connection, or waits for some data to
870 leave, meaning the system is waiting for an ACK from the client to push
871 these data.
872
873In practice regarding HAProxy's activity, it is in general reasonably accurate
874(but totally inexact) to consider that interrupt/softirq are caused by Rx
875processing in kernel drivers, that user-land is caused by layer 7 processing
876in HAProxy, and that system time is caused by network processing on the Tx
877path.
878
879Since HAProxy runs around an event loop, it waits for new events using poll()
880(or any alternative) and processes all these events as fast as possible before
881going back to poll() waiting for new events. It measures the time spent waiting
882in poll() compared to the time spent doing processing events. The ratio of
883polling time vs total time is called the "idle" time, it's the amount of time
884spent waiting for something to happen. This ratio is reported in the stats page
885on the "idle" line, or "Idle_pct" on the CLI. When it's close to 100%, it means
886the load is extremely low. When it's close to 0%, it means that there is
887constantly some activity. While it cannot be very accurate on an overloaded
888system due to other processes possibly preempting the CPU from the haproxy
889process, it still provides a good estimate about how HAProxy considers it is
890working : if the load is low and the idle ratio is low as well, it may indicate
891that HAProxy has a lot of work to do, possibly due to very expensive rules that
892have to be processed. Conversely, if HAProxy indicates the idle is close to
893100% while things are slow, it means that it cannot do anything to speed things
894up because it is already waiting for incoming data to process. In the example
895below, haproxy is completely idle :
896
897 $ echo "show info" | socat - /var/run/haproxy.sock | grep ^Idle
898 Idle_pct: 100
899
900When the idle ratio starts to become very low, it is important to tune the
901system and place processes and interrupts correctly to save the most possible
902CPU resources for all tasks. If a firewall is present, it may be worth trying
903to disable it or to tune it to ensure it is not responsible for a large part
904of the performance limitation. It's worth noting that unloading a stateful
905firewall generally reduces both the amount of interrupt/softirq and of system
906usage since such firewalls act both on the Rx and the Tx paths. On Linux,
907unloading the nf_conntrack and ip_conntrack modules will show whether there is
908anything to gain. If so, then the module runs with default settings and you'll
909have to figure how to tune it for better performance. In general this consists
910in considerably increasing the hash table size. On FreeBSD, "pfctl -d" will
911disable the "pf" firewall and its stateful engine at the same time.
912
913If it is observed that a lot of time is spent in interrupt/softirq, it is
914important to ensure that they don't run on the same CPU. Most systems tend to
915pin the tasks on the CPU where they receive the network traffic because for
916certain workloads it improves things. But with heavily network-bound workloads
917it is the opposite as the haproxy process will have to fight against its kernel
918counterpart. Pinning haproxy to one CPU core and the interrupts to another one,
919all sharing the same L3 cache tends to sensibly increase network performance
920because in practice the amount of work for haproxy and the network stack are
921quite close, so they can almost fill an entire CPU each. On Linux this is done
922using taskset (for haproxy) or using cpu-map (from the haproxy config), and the
923interrupts are assigned under /proc/irq. Many network interfaces support
924multiple queues and multiple interrupts. In general it helps to spread them
925across a small number of CPU cores provided they all share the same L3 cache.
926Please always stop irq_balance which always does the worst possible thing on
927such workloads.
928
929For CPU-bound workloads consisting in a lot of SSL traffic or a lot of
930compression, it may be worth using multiple processes dedicated to certain
931tasks, though there is no universal rule here and experimentation will have to
932be performed.
933
934In order to increase the CPU capacity, it is possible to make HAProxy run as
935several processes, using the "nbproc" directive in the global section. There
936are some limitations though :
937 - health checks are run per process, so the target servers will get as many
938 checks as there are running processes ;
939 - maxconn values and queues are per-process so the correct value must be set
940 to avoid overloading the servers ;
941 - outgoing connections should avoid using port ranges to avoid conflicts
942 - stick-tables are per process and are not shared between processes ;
943 - each peers section may only run on a single process at a time ;
944 - the CLI operations will only act on a single process at a time.
945
946With this in mind, it appears that the easiest setup often consists in having
947one first layer running on multiple processes and in charge for the heavy
948processing, passing the traffic to a second layer running in a single process.
949This mechanism is suited to SSL and compression which are the two CPU-heavy
950features. Instances can easily be chained over UNIX sockets (which are cheaper
fengpeiyuancc123c62016-01-15 16:40:53 +0800951than TCP sockets and which do not waste ports), and the proxy protocol which is
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200952useful to pass client information to the next stage. When doing so, it is
953generally a good idea to bind all the single-process tasks to process number 1
954and extra tasks to next processes, as this will make it easier to generate
955similar configurations for different machines.
956
957On Linux versions 3.9 and above, running HAProxy in multi-process mode is much
958more efficient when each process uses a distinct listening socket on the same
959IP:port ; this will make the kernel evenly distribute the load across all
960processes instead of waking them all up. Please check the "process" option of
961the "bind" keyword lines in the configuration manual for more information.
962
963
9648. Logging
965----------
966
967For logging, HAProxy always relies on a syslog server since it does not perform
968any file-system access. The standard way of using it is to send logs over UDP
969to the log server (by default on port 514). Very commonly this is configured to
970127.0.0.1 where the local syslog daemon is running, but it's also used over the
971network to log to a central server. The central server provides additional
972benefits especially in active-active scenarios where it is desirable to keep
973the logs merged in arrival order. HAProxy may also make use of a UNIX socket to
974send its logs to the local syslog daemon, but it is not recommended at all,
975because if the syslog server is restarted while haproxy runs, the socket will
976be replaced and new logs will be lost. Since HAProxy will be isolated inside a
977chroot jail, it will not have the ability to reconnect to the new socket. It
978has also been observed in field that the log buffers in use on UNIX sockets are
979very small and lead to lost messages even at very light loads. But this can be
980fine for testing however.
981
982It is recommended to add the following directive to the "global" section to
983make HAProxy log to the local daemon using facility "local0" :
984
985 log 127.0.0.1:514 local0
986
987and then to add the following one to each "defaults" section or to each frontend
988and backend section :
989
990 log global
991
992This way, all logs will be centralized through the global definition of where
993the log server is.
994
995Some syslog daemons do not listen to UDP traffic by default, so depending on
996the daemon being used, the syntax to enable this will vary :
997
998 - on sysklogd, you need to pass argument "-r" on the daemon's command line
999 so that it listens to a UDP socket for "remote" logs ; note that there is
1000 no way to limit it to address 127.0.0.1 so it will also receive logs from
1001 remote systems ;
1002
1003 - on rsyslogd, the following lines must be added to the configuration file :
1004
1005 $ModLoad imudp
1006 $UDPServerAddress *
1007 $UDPServerRun 514
1008
1009 - on syslog-ng, a new source can be created the following way, it then needs
1010 to be added as a valid source in one of the "log" directives :
1011
1012 source s_udp {
1013 udp(ip(127.0.0.1) port(514));
1014 };
1015
1016Please consult your syslog daemon's manual for more information. If no logs are
1017seen in the system's log files, please consider the following tests :
1018
1019 - restart haproxy. Each frontend and backend logs one line indicating it's
1020 starting. If these logs are received, it means logs are working.
1021
1022 - run "strace -tt -s100 -etrace=sendmsg -p <haproxy's pid>" and perform some
1023 activity that you expect to be logged. You should see the log messages
1024 being sent using sendmsg() there. If they don't appear, restart using
1025 strace on top of haproxy. If you still see no logs, it definitely means
1026 that something is wrong in your configuration.
1027
1028 - run tcpdump to watch for port 514, for example on the loopback interface if
1029 the traffic is being sent locally : "tcpdump -As0 -ni lo port 514". If the
1030 packets are seen there, it's the proof they're sent then the syslogd daemon
1031 needs to be troubleshooted.
1032
1033While traffic logs are sent from the frontends (where the incoming connections
1034are accepted), backends also need to be able to send logs in order to report a
1035server state change consecutive to a health check. Please consult HAProxy's
1036configuration manual for more information regarding all possible log settings.
1037
Dan Lloyd8e48b872016-07-01 21:01:18 -04001038It is convenient to chose a facility that is not used by other daemons. HAProxy
Willy Tarreau2212e6a2015-10-13 14:40:55 +02001039examples often suggest "local0" for traffic logs and "local1" for admin logs
1040because they're never seen in field. A single facility would be enough as well.
1041Having separate logs is convenient for log analysis, but it's also important to
1042remember that logs may sometimes convey confidential information, and as such
Dan Lloyd8e48b872016-07-01 21:01:18 -04001043they must not be mixed with other logs that may accidentally be handed out to
Willy Tarreau2212e6a2015-10-13 14:40:55 +02001044unauthorized people.
1045
1046For in-field troubleshooting without impacting the server's capacity too much,
1047it is recommended to make use of the "halog" utility provided with HAProxy.
1048This is sort of a grep-like utility designed to process HAProxy log files at
1049a very fast data rate. Typical figures range between 1 and 2 GB of logs per
1050second. It is capable of extracting only certain logs (eg: search for some
1051classes of HTTP status codes, connection termination status, search by response
1052time ranges, look for errors only), count lines, limit the output to a number
1053of lines, and perform some more advanced statistics such as sorting servers
1054by response time or error counts, sorting URLs by time or count, sorting client
1055addresses by access count, and so on. It is pretty convenient to quickly spot
1056anomalies such as a bot looping on the site, and block them.
1057
1058
10599. Statistics and monitoring
1060----------------------------
1061
Willy Tarreau44aed902015-10-13 14:45:29 +02001062It is possible to query HAProxy about its status. The most commonly used
1063mechanism is the HTTP statistics page. This page also exposes an alternative
1064CSV output format for monitoring tools. The same format is provided on the
1065Unix socket.
1066
Amaury Denoyelle072f97e2020-10-05 11:49:37 +02001067Statistics are regroup in categories labelled as domains, corresponding to the
Ilya Shipitsin2272d8a2020-12-21 01:22:40 +05001068multiple components of HAProxy. There are two domains available: proxy and dns.
Amaury Denoyellefbd0bc92020-10-05 11:49:46 +02001069If not specified, the proxy domain is selected. Note that only the proxy
1070statistics are printed on the HTTP page.
Willy Tarreau44aed902015-10-13 14:45:29 +02001071
10729.1. CSV format
1073---------------
1074
1075The statistics may be consulted either from the unix socket or from the HTTP
1076page. Both means provide a CSV format whose fields follow. The first line
1077begins with a sharp ('#') and has one word per comma-delimited field which
1078represents the title of the column. All other lines starting at the second one
1079use a classical CSV format using a comma as the delimiter, and the double quote
1080('"') as an optional text delimiter, but only if the enclosed text is ambiguous
1081(if it contains a quote or a comma). The double-quote character ('"') in the
1082text is doubled ('""'), which is the format that most tools recognize. Please
1083do not insert any column before these ones in order not to break tools which
1084use hard-coded column positions.
1085
Amaury Denoyelle50660a82020-10-05 11:49:39 +02001086For proxy statistics, after each field name, the types which may have a value
1087for that field are specified in brackets. The types are L (Listeners), F
1088(Frontends), B (Backends), and S (Servers). There is a fixed set of static
1089fields that are always available in the same order. A column containing the
1090character '-' delimits the end of the static fields, after which presence or
1091order of the fields are not guaranteed.
Willy Tarreau44aed902015-10-13 14:45:29 +02001092
Amaury Denoyelle50660a82020-10-05 11:49:39 +02001093Here is the list of static fields using the proxy statistics domain:
Willy Tarreau44aed902015-10-13 14:45:29 +02001094 0. pxname [LFBS]: proxy name
1095 1. svname [LFBS]: service name (FRONTEND for frontend, BACKEND for backend,
1096 any name for server/listener)
1097 2. qcur [..BS]: current queued requests. For the backend this reports the
1098 number queued without a server assigned.
1099 3. qmax [..BS]: max value of qcur
1100 4. scur [LFBS]: current sessions
1101 5. smax [LFBS]: max sessions
1102 6. slim [LFBS]: configured session limit
Willy Tarreauc73810f2016-01-11 13:52:04 +01001103 7. stot [LFBS]: cumulative number of sessions
Willy Tarreau44aed902015-10-13 14:45:29 +02001104 8. bin [LFBS]: bytes in
1105 9. bout [LFBS]: bytes out
1106 10. dreq [LFB.]: requests denied because of security concerns.
1107 - For tcp this is because of a matched tcp-request content rule.
1108 - For http this is because of a matched http-request or tarpit rule.
1109 11. dresp [LFBS]: responses denied because of security concerns.
1110 - For http this is because of a matched http-request rule, or
1111 "option checkcache".
1112 12. ereq [LF..]: request errors. Some of the possible causes are:
1113 - early termination from the client, before the request has been sent.
1114 - read error from the client
1115 - client timeout
1116 - client closed connection
1117 - various bad requests from the client.
1118 - request was tarpitted.
1119 13. econ [..BS]: number of requests that encountered an error trying to
1120 connect to a backend server. The backend stat is the sum of the stat
1121 for all servers of that backend, plus any connection errors not
1122 associated with a particular server (such as the backend having no
1123 active servers).
1124 14. eresp [..BS]: response errors. srv_abrt will be counted here also.
1125 Some other errors are:
1126 - write error on the client socket (won't be counted for the server stat)
1127 - failure applying filters to the response.
1128 15. wretr [..BS]: number of times a connection to a server was retried.
1129 16. wredis [..BS]: number of times a request was redispatched to another
1130 server. The server value counts the number of times that server was
1131 switched away from.
Willy Tarreaub96dd282016-11-09 14:45:51 +01001132 17. status [LFBS]: status (UP/DOWN/NOLB/MAINT/MAINT(via)/MAINT(resolution)...)
Willy Tarreaubd715102020-10-23 22:44:30 +02001133 18. weight [..BS]: total effective weight (backend), effective weight (server)
Willy Tarreau44aed902015-10-13 14:45:29 +02001134 19. act [..BS]: number of active servers (backend), server is active (server)
1135 20. bck [..BS]: number of backup servers (backend), server is backup (server)
1136 21. chkfail [...S]: number of failed checks. (Only counts checks failed when
1137 the server is up.)
1138 22. chkdown [..BS]: number of UP->DOWN transitions. The backend counter counts
1139 transitions to the whole backend being down, rather than the sum of the
1140 counters for each server.
1141 23. lastchg [..BS]: number of seconds since the last UP<->DOWN transition
1142 24. downtime [..BS]: total downtime (in seconds). The value for the backend
1143 is the downtime for the whole backend, not the sum of the server downtime.
1144 25. qlimit [...S]: configured maxqueue for the server, or nothing in the
1145 value is 0 (default, meaning no limit)
1146 26. pid [LFBS]: process id (0 for first instance, 1 for second, ...)
1147 27. iid [LFBS]: unique proxy id
1148 28. sid [L..S]: server id (unique inside a proxy)
1149 29. throttle [...S]: current throttle percentage for the server, when
1150 slowstart is active, or no value if not in slowstart.
1151 30. lbtot [..BS]: total number of times a server was selected, either for new
1152 sessions, or when re-dispatching. The server counter is the number
1153 of times that server was selected.
1154 31. tracked [...S]: id of proxy/server if tracking is enabled.
1155 32. type [LFBS]: (0=frontend, 1=backend, 2=server, 3=socket/listener)
1156 33. rate [.FBS]: number of sessions per second over last elapsed second
1157 34. rate_lim [.F..]: configured limit on new sessions per second
1158 35. rate_max [.FBS]: max number of new sessions per second
1159 36. check_status [...S]: status of last health check, one of:
1160 UNK -> unknown
1161 INI -> initializing
1162 SOCKERR -> socket error
1163 L4OK -> check passed on layer 4, no upper layers testing enabled
1164 L4TOUT -> layer 1-4 timeout
1165 L4CON -> layer 1-4 connection problem, for example
1166 "Connection refused" (tcp rst) or "No route to host" (icmp)
1167 L6OK -> check passed on layer 6
1168 L6TOUT -> layer 6 (SSL) timeout
1169 L6RSP -> layer 6 invalid response - protocol error
1170 L7OK -> check passed on layer 7
1171 L7OKC -> check conditionally passed on layer 7, for example 404 with
1172 disable-on-404
1173 L7TOUT -> layer 7 (HTTP/SMTP) timeout
1174 L7RSP -> layer 7 invalid response - protocol error
1175 L7STS -> layer 7 response error, for example HTTP 5xx
Daniel Schnellerb6c8b0d2017-09-01 19:13:55 +02001176 Notice: If a check is currently running, the last known status will be
1177 reported, prefixed with "* ". e. g. "* L7OK".
Willy Tarreau44aed902015-10-13 14:45:29 +02001178 37. check_code [...S]: layer5-7 code, if available
1179 38. check_duration [...S]: time in ms took to finish last health check
1180 39. hrsp_1xx [.FBS]: http responses with 1xx code
1181 40. hrsp_2xx [.FBS]: http responses with 2xx code
1182 41. hrsp_3xx [.FBS]: http responses with 3xx code
1183 42. hrsp_4xx [.FBS]: http responses with 4xx code
1184 43. hrsp_5xx [.FBS]: http responses with 5xx code
1185 44. hrsp_other [.FBS]: http responses with other codes (protocol error)
1186 45. hanafail [...S]: failed health checks details
1187 46. req_rate [.F..]: HTTP requests per second over last elapsed second
1188 47. req_rate_max [.F..]: max number of HTTP requests per second observed
Willy Tarreaufb981bd2016-12-12 14:31:46 +01001189 48. req_tot [.FB.]: total number of HTTP requests received
Willy Tarreau44aed902015-10-13 14:45:29 +02001190 49. cli_abrt [..BS]: number of data transfers aborted by the client
1191 50. srv_abrt [..BS]: number of data transfers aborted by the server
1192 (inc. in eresp)
1193 51. comp_in [.FB.]: number of HTTP response bytes fed to the compressor
1194 52. comp_out [.FB.]: number of HTTP response bytes emitted by the compressor
1195 53. comp_byp [.FB.]: number of bytes that bypassed the HTTP compressor
1196 (CPU/BW limit)
1197 54. comp_rsp [.FB.]: number of HTTP responses that were compressed
1198 55. lastsess [..BS]: number of seconds since last session assigned to
1199 server/backend
1200 56. last_chk [...S]: last health check contents or textual error
1201 57. last_agt [...S]: last agent check contents or textual error
1202 58. qtime [..BS]: the average queue time in ms over the 1024 last requests
1203 59. ctime [..BS]: the average connect time in ms over the 1024 last requests
1204 60. rtime [..BS]: the average response time in ms over the 1024 last requests
1205 (0 for TCP)
1206 61. ttime [..BS]: the average total session time in ms over the 1024 last
1207 requests
Willy Tarreau7f618842016-01-08 11:40:03 +01001208 62. agent_status [...S]: status of last agent check, one of:
1209 UNK -> unknown
1210 INI -> initializing
1211 SOCKERR -> socket error
1212 L4OK -> check passed on layer 4, no upper layers testing enabled
1213 L4TOUT -> layer 1-4 timeout
1214 L4CON -> layer 1-4 connection problem, for example
1215 "Connection refused" (tcp rst) or "No route to host" (icmp)
1216 L7OK -> agent reported "up"
1217 L7STS -> agent reported "fail", "stop", or "down"
1218 63. agent_code [...S]: numeric code reported by agent if any (unused for now)
1219 64. agent_duration [...S]: time in ms taken to finish last check
Willy Tarreaudd7354b2016-01-08 13:47:26 +01001220 65. check_desc [...S]: short human-readable description of check_status
1221 66. agent_desc [...S]: short human-readable description of agent_status
Willy Tarreau3141f592016-01-08 14:25:28 +01001222 67. check_rise [...S]: server's "rise" parameter used by checks
1223 68. check_fall [...S]: server's "fall" parameter used by checks
1224 69. check_health [...S]: server's health check value between 0 and rise+fall-1
1225 70. agent_rise [...S]: agent's "rise" parameter, normally 1
1226 71. agent_fall [...S]: agent's "fall" parameter, normally 1
1227 72. agent_health [...S]: agent's health parameter, between 0 and rise+fall-1
Willy Tarreaua6f5a732016-01-08 16:59:56 +01001228 73. addr [L..S]: address:port or "unix". IPv6 has brackets around the address.
Willy Tarreaue4847c62016-01-08 15:43:54 +01001229 74: cookie [..BS]: server's cookie value or backend's cookie name
Willy Tarreauf8211df2016-01-11 14:09:38 +01001230 75: mode [LFBS]: proxy mode (tcp, http, health, unknown)
Willy Tarreauf1516d92016-01-11 14:48:36 +01001231 76: algo [..B.]: load balancing algorithm
Willy Tarreauc73810f2016-01-11 13:52:04 +01001232 77: conn_rate [.F..]: number of connections over the last elapsed second
1233 78: conn_rate_max [.F..]: highest known conn_rate
1234 79: conn_tot [.F..]: cumulative number of connections
Willy Tarreau5b9bdff2016-01-11 14:40:47 +01001235 80: intercepted [.FB.]: cum. number of intercepted requests (monitor, stats)
Willy Tarreau8a90b8e2016-10-21 18:15:32 +02001236 81: dcon [LF..]: requests denied by "tcp-request connection" rules
Willy Tarreaua5bc36b2016-10-21 18:16:27 +02001237 82: dses [LF..]: requests denied by "tcp-request session" rules
Willy Tarreauea96a822018-05-28 15:15:43 +02001238 83: wrew [LFBS]: cumulative number of failed header rewriting warnings
Jérôme Magnin708eb882019-07-17 09:24:46 +02001239 84: connect [..BS]: cumulative number of connection establishment attempts
1240 85: reuse [..BS]: cumulative number of connection reuses
Willy Tarreau72974292019-11-08 07:29:34 +01001241 86: cache_lookups [.FB.]: cumulative number of cache lookups
Jérôme Magnin34ebb5c2019-07-17 14:04:40 +02001242 87: cache_hits [.FB.]: cumulative number of cache hits
Christopher Faulet2ac25742019-11-08 15:27:27 +01001243 88: srv_icur [...S]: current number of idle connections available for reuse
1244 89: src_ilim [...S]: limit on the number of available idle connections
1245 90. qtime_max [..BS]: the maximum observed queue time in ms
1246 91. ctime_max [..BS]: the maximum observed connect time in ms
1247 92. rtime_max [..BS]: the maximum observed response time in ms (0 for TCP)
1248 93. ttime_max [..BS]: the maximum observed total session time in ms
Christopher Faulet0159ee42019-12-16 14:40:39 +01001249 94. eint [LFBS]: cumulative number of internal errors
Pierre Cheynier08eb7182020-10-08 16:37:14 +02001250 95. idle_conn_cur [...S]: current number of unsafe idle connections
1251 96. safe_conn_cur [...S]: current number of safe idle connections
1252 97. used_conn_cur [...S]: current number of connections in use
1253 98. need_conn_est [...S]: estimated needed number of connections
Willy Tarreaubd715102020-10-23 22:44:30 +02001254 99. uweight [..BS]: total user weight (backend), server user weight (server)
Willy Tarreau44aed902015-10-13 14:45:29 +02001255
Amaury Denoyelle50660a82020-10-05 11:49:39 +02001256For all other statistics domains, the presence or the order of the fields are
1257not guaranteed. In this case, the header line should always be used to parse
1258the CSV data.
Willy Tarreau44aed902015-10-13 14:45:29 +02001259
Phil Schererb931f962020-12-02 19:36:08 +000012609.2. Typed output format
Willy Tarreau5d8b9792016-03-11 11:09:34 +01001261------------------------
1262
1263Both "show info" and "show stat" support a mode where each output value comes
1264with its type and sufficient information to know how the value is supposed to
1265be aggregated between processes and how it evolves.
1266
1267In all cases, the output consists in having a single value per line with all
1268the information split into fields delimited by colons (':').
1269
1270The first column designates the object or metric being dumped. Its format is
1271specific to the command producing this output and will not be described in this
1272section. Usually it will consist in a series of identifiers and field names.
1273
1274The second column contains 3 characters respectively indicating the origin, the
1275nature and the scope of the value being reported. The first character (the
1276origin) indicates where the value was extracted from. Possible characters are :
1277
1278 M The value is a metric. It is valid at one instant any may change depending
1279 on its nature .
1280
1281 S The value is a status. It represents a discrete value which by definition
1282 cannot be aggregated. It may be the status of a server ("UP" or "DOWN"),
1283 the PID of the process, etc.
1284
1285 K The value is a sorting key. It represents an identifier which may be used
1286 to group some values together because it is unique among its class. All
1287 internal identifiers are keys. Some names can be listed as keys if they
1288 are unique (eg: a frontend name is unique). In general keys come from the
Dan Lloyd8e48b872016-07-01 21:01:18 -04001289 configuration, even though some of them may automatically be assigned. For
Willy Tarreau5d8b9792016-03-11 11:09:34 +01001290 most purposes keys may be considered as equivalent to configuration.
1291
1292 C The value comes from the configuration. Certain configuration values make
1293 sense on the output, for example a concurrent connection limit or a cookie
1294 name. By definition these values are the same in all processes started
1295 from the same configuration file.
1296
1297 P The value comes from the product itself. There are very few such values,
1298 most common use is to report the product name, version and release date.
1299 These elements are also the same between all processes.
1300
1301The second character (the nature) indicates the nature of the information
1302carried by the field in order to let an aggregator decide on what operation to
1303use to aggregate multiple values. Possible characters are :
1304
1305 A The value represents an age since a last event. This is a bit different
1306 from the duration in that an age is automatically computed based on the
1307 current date. A typical example is how long ago did the last session
1308 happen on a server. Ages are generally aggregated by taking the minimum
1309 value and do not need to be stored.
1310
1311 a The value represents an already averaged value. The average response times
1312 and server weights are of this nature. Averages can typically be averaged
1313 between processes.
1314
1315 C The value represents a cumulative counter. Such measures perpetually
1316 increase until they wrap around. Some monitoring protocols need to tell
1317 the difference between a counter and a gauge to report a different type.
1318 In general counters may simply be summed since they represent events or
1319 volumes. Examples of metrics of this nature are connection counts or byte
1320 counts.
1321
1322 D The value represents a duration for a status. There are a few usages of
1323 this, most of them include the time taken by the last health check and
1324 the time a server has spent down. Durations are generally not summed,
1325 most of the time the maximum will be retained to compute an SLA.
1326
1327 G The value represents a gauge. It's a measure at one instant. The memory
1328 usage or the current number of active connections are of this nature.
1329 Metrics of this type are typically summed during aggregation.
1330
1331 L The value represents a limit (generally a configured one). By nature,
1332 limits are harder to aggregate since they are specific to the point where
1333 they were retrieved. In certain situations they may be summed or be kept
1334 separate.
1335
1336 M The value represents a maximum. In general it will apply to a gauge and
1337 keep the highest known value. An example of such a metric could be the
1338 maximum amount of concurrent connections that was encountered in the
1339 product's life time. To correctly aggregate maxima, you are supposed to
1340 output a range going from the maximum of all maxima and the sum of all
1341 of them. There is indeed no way to know if they were encountered
1342 simultaneously or not.
1343
1344 m The value represents a minimum. In general it will apply to a gauge and
1345 keep the lowest known value. An example of such a metric could be the
1346 minimum amount of free memory pools that was encountered in the product's
1347 life time. To correctly aggregate minima, you are supposed to output a
1348 range going from the minimum of all minima and the sum of all of them.
1349 There is indeed no way to know if they were encountered simultaneously
1350 or not.
1351
1352 N The value represents a name, so it is a string. It is used to report
1353 proxy names, server names and cookie names. Names have configuration or
1354 keys as their origin and are supposed to be the same among all processes.
1355
1356 O The value represents a free text output. Outputs from various commands,
1357 returns from health checks, node descriptions are of such nature.
1358
1359 R The value represents an event rate. It's a measure at one instant. It is
1360 quite similar to a gauge except that the recipient knows that this measure
1361 moves slowly and may decide not to keep all values. An example of such a
1362 metric is the measured amount of connections per second. Metrics of this
1363 type are typically summed during aggregation.
1364
1365 T The value represents a date or time. A field emitting the current date
1366 would be of this type. The method to aggregate such information is left
1367 as an implementation choice. For now no field uses this type.
1368
1369The third character (the scope) indicates what extent the value reflects. Some
1370elements may be per process while others may be per configuration or per system.
1371The distinction is important to know whether or not a single value should be
1372kept during aggregation or if values have to be aggregated. The following
1373characters are currently supported :
1374
1375 C The value is valid for a whole cluster of nodes, which is the set of nodes
1376 communicating over the peers protocol. An example could be the amount of
1377 entries present in a stick table that is replicated with other peers. At
1378 the moment no metric use this scope.
1379
1380 P The value is valid only for the process reporting it. Most metrics use
1381 this scope.
1382
1383 S The value is valid for the whole service, which is the set of processes
1384 started together from the same configuration file. All metrics originating
1385 from the configuration use this scope. Some other metrics may use it as
1386 well for some shared resources (eg: shared SSL cache statistics).
1387
1388 s The value is valid for the whole system, such as the system's hostname,
1389 current date or resource usage. At the moment this scope is not used by
1390 any metric.
1391
1392Consumers of these information will generally have enough of these 3 characters
1393to determine how to accurately report aggregated information across multiple
1394processes.
1395
1396After this column, the third column indicates the type of the field, among "s32"
1397(signed 32-bit integer), "s64" (signed 64-bit integer), "u32" (unsigned 32-bit
1398integer), "u64" (unsigned 64-bit integer), "str" (string). It is important to
1399know the type before parsing the value in order to properly read it. For example
1400a string containing only digits is still a string an not an integer (eg: an
1401error code extracted by a check).
1402
1403Then the fourth column is the value itself, encoded according to its type.
1404Strings are dumped as-is immediately after the colon without any leading space.
1405If a string contains a colon, it will appear normally. This means that the
1406output should not be exclusively split around colons or some check outputs
1407or server addresses might be truncated.
1408
1409
14109.3. Unix Socket commands
Willy Tarreau44aed902015-10-13 14:45:29 +02001411-------------------------
1412
1413The stats socket is not enabled by default. In order to enable it, it is
1414necessary to add one line in the global section of the haproxy configuration.
1415A second line is recommended to set a larger timeout, always appreciated when
1416issuing commands by hand :
1417
1418 global
1419 stats socket /var/run/haproxy.sock mode 600 level admin
1420 stats timeout 2m
1421
1422It is also possible to add multiple instances of the stats socket by repeating
1423the line, and make them listen to a TCP port instead of a UNIX socket. This is
1424never done by default because this is dangerous, but can be handy in some
1425situations :
1426
1427 global
1428 stats socket /var/run/haproxy.sock mode 600 level admin
1429 stats socket ipv4@192.168.0.1:9999 level admin
1430 stats timeout 2m
1431
1432To access the socket, an external utility such as "socat" is required. Socat is
1433a swiss-army knife to connect anything to anything. We use it to connect
1434terminals to the socket, or a couple of stdin/stdout pipes to it for scripts.
1435The two main syntaxes we'll use are the following :
1436
1437 # socat /var/run/haproxy.sock stdio
1438 # socat /var/run/haproxy.sock readline
1439
1440The first one is used with scripts. It is possible to send the output of a
1441script to haproxy, and pass haproxy's output to another script. That's useful
1442for retrieving counters or attack traces for example.
1443
1444The second one is only useful for issuing commands by hand. It has the benefit
1445that the terminal is handled by the readline library which supports line
1446editing and history, which is very convenient when issuing repeated commands
1447(eg: watch a counter).
1448
1449The socket supports two operation modes :
1450 - interactive
1451 - non-interactive
1452
1453The non-interactive mode is the default when socat connects to the socket. In
1454this mode, a single line may be sent. It is processed as a whole, responses are
1455sent back, and the connection closes after the end of the response. This is the
1456mode that scripts and monitoring tools use. It is possible to send multiple
1457commands in this mode, they need to be delimited by a semi-colon (';'). For
1458example :
1459
1460 # echo "show info;show stat;show table" | socat /var/run/haproxy stdio
1461
Dragan Dosena1c35ab2016-11-24 11:33:12 +01001462If a command needs to use a semi-colon or a backslash (eg: in a value), it
Joseph Herlant71b4b152018-11-13 16:55:16 -08001463must be preceded by a backslash ('\').
Chad Lavoiee3f50312016-05-26 16:42:25 -04001464
Willy Tarreau44aed902015-10-13 14:45:29 +02001465The interactive mode displays a prompt ('>') and waits for commands to be
1466entered on the line, then processes them, and displays the prompt again to wait
1467for a new command. This mode is entered via the "prompt" command which must be
1468sent on the first line in non-interactive mode. The mode is a flip switch, if
1469"prompt" is sent in interactive mode, it is disabled and the connection closes
1470after processing the last command of the same line.
1471
1472For this reason, when debugging by hand, it's quite common to start with the
1473"prompt" command :
1474
1475 # socat /var/run/haproxy readline
1476 prompt
1477 > show info
1478 ...
1479 >
1480
1481Since multiple commands may be issued at once, haproxy uses the empty line as a
1482delimiter to mark an end of output for each command, and takes care of ensuring
1483that no command can emit an empty line on output. A script can thus easily
1484parse the output even when multiple commands were pipelined on a single line.
1485
Aurélien Nephtaliabbf6072018-04-18 13:26:46 +02001486Some commands may take an optional payload. To add one to a command, the first
1487line needs to end with the "<<\n" pattern. The next lines will be treated as
1488the payload and can contain as many lines as needed. To validate a command with
1489a payload, it needs to end with an empty line.
1490
1491Limitations do exist: the length of the whole buffer passed to the CLI must
1492not be greater than tune.bfsize and the pattern "<<" must not be glued to the
1493last word of the line.
1494
1495When entering a paylod while in interactive mode, the prompt will change from
1496"> " to "+ ".
1497
Willy Tarreau44aed902015-10-13 14:45:29 +02001498It is important to understand that when multiple haproxy processes are started
1499on the same sockets, any process may pick up the request and will output its
1500own stats.
1501
1502The list of commands currently supported on the stats socket is provided below.
1503If an unknown command is sent, haproxy displays the usage message which reminds
1504all supported commands. Some commands support a more complex syntax, generally
1505it will explain what part of the command is invalid when this happens.
1506
Olivier Doucetd8703e82017-08-31 11:05:10 +02001507Some commands require a higher level of privilege to work. If you do not have
1508enough privilege, you will get an error "Permission denied". Please check
1509the "level" option of the "bind" keyword lines in the configuration manual
1510for more information.
1511
Remi Tricot-Le Bretone88a2ca2021-04-08 15:30:23 +02001512abort ssl ca-file <cafile>
1513 Abort and destroy a temporary CA file update transaction.
1514
1515 See also "set ssl ca-file" and "commit ssl ca-file".
1516
William Lallemand6ab08b32019-11-29 16:48:43 +01001517abort ssl cert <filename>
1518 Abort and destroy a temporary SSL certificate update transaction.
1519
1520 See also "set ssl cert" and "commit ssl cert".
1521
Remi Tricot-Le Breton3c222bd2021-04-27 16:28:25 +02001522abort ssl crl-file <crlfile>
1523 Abort and destroy a temporary CRL file update transaction.
1524
1525 See also "set ssl crl-file" and "commit ssl crl-file".
1526
Willy Tarreaubb51c442021-04-30 15:23:36 +02001527add acl [@<ver>] <acl> <pattern>
Willy Tarreau44aed902015-10-13 14:45:29 +02001528 Add an entry into the acl <acl>. <acl> is the #<id> or the <file> returned by
Willy Tarreaubb51c442021-04-30 15:23:36 +02001529 "show acl". This command does not verify if the entry already exists. Entries
1530 are added to the current version of the ACL, unless a specific version is
1531 specified with "@<ver>". This version number must have preliminary been
1532 allocated by "prepare acl", and it will be comprised between the versions
1533 reported in "curr_ver" and "next_ver" on the output of "show acl". Entries
1534 added with a specific version number will not match until a "commit acl"
1535 operation is performed on them. They may however be consulted using the
1536 "show acl @<ver>" command, and cleared using a "clear acl @<ver>" command.
1537 This command cannot be used if the reference <acl> is a file also used with
1538 a map. In this case, the "add map" command must be used instead.
Willy Tarreau44aed902015-10-13 14:45:29 +02001539
Willy Tarreaubb51c442021-04-30 15:23:36 +02001540add map [@<ver>] <map> <key> <value>
1541add map [@<ver>] <map> <payload>
Willy Tarreau44aed902015-10-13 14:45:29 +02001542 Add an entry into the map <map> to associate the value <value> to the key
1543 <key>. This command does not verify if the entry already exists. It is
Willy Tarreaubb51c442021-04-30 15:23:36 +02001544 mainly used to fill a map after a "clear" or "prepare" operation. Entries
1545 are added to the current version of the ACL, unless a specific version is
1546 specified with "@<ver>". This version number must have preliminary been
1547 allocated by "prepare acl", and it will be comprised between the versions
1548 reported in "curr_ver" and "next_ver" on the output of "show acl". Entries
1549 added with a specific version number will not match until a "commit map"
1550 operation is performed on them. They may however be consulted using the
1551 "show map @<ver>" command, and cleared using a "clear acl @<ver>" command.
1552 If the designated map is also used as an ACL, the ACL will only match the
1553 <key> part and will ignore the <value> part. Using the payload syntax it is
1554 possible to add multiple key/value pairs by entering them on separate lines.
1555 On each new line, the first word is the key and the rest of the line is
1556 considered to be the value which can even contains spaces.
Aurélien Nephtali25650ce2018-04-18 14:04:47 +02001557
1558 Example:
1559
1560 # socat /tmp/sock1 -
1561 prompt
1562
1563 > add map #-1 <<
1564 + key1 value1
1565 + key2 value2 with spaces
1566 + key3 value3 also with spaces
1567 + key4 value4
1568
1569 >
Willy Tarreau44aed902015-10-13 14:45:29 +02001570
Amaury Denoyellef99f77a2021-03-08 17:13:32 +01001571add server <backend>/<server> [args]*
Amaury Denoyelle76e8b702022-03-09 15:07:31 +01001572 Instantiate a new server attached to the backend <backend>.
Amaury Denoyellef99f77a2021-03-08 17:13:32 +01001573
1574 The <server> name must not be already used in the backend. A special
Amaury Denoyelleeafd7012021-04-29 14:59:42 +02001575 restriction is put on the backend which must used a dynamic load-balancing
1576 algorithm. A subset of keywords from the server config file statement can be
1577 used to configure the server behavior. Also note that no settings will be
1578 reused from an hypothetical 'default-server' statement in the same backend.
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001579
Amaury Denoyelleefbf35c2021-06-10 17:34:10 +02001580 Currently a dynamic server is statically initialized with the "none"
1581 init-addr method. This means that no resolution will be undertaken if a FQDN
1582 is specified as an address, even if the server creation will be validated.
1583
Amaury Denoyelle14c3c5c2021-08-23 14:10:51 +02001584 To support the reload operations, it is expected that the server created via
1585 the CLI is also manually inserted in the relevant haproxy configuration file.
1586 A dynamic server not present in the configuration won't be restored after a
1587 reload operation.
1588
Amaury Denoyelle56eb8ed2021-07-13 10:36:03 +02001589 A dynamic server may use the "track" keyword to follow the check status of
1590 another server from the configuration. However, it is not possible to track
1591 another dynamic server. This is to ensure that the tracking chain is kept
1592 consistent even in the case of dynamic servers deletion.
1593
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001594 Use the "check" keyword to enable health-check support. Note that the
1595 health-check is disabled by default and must be enabled independently from
Amaury Denoyelleb65f4ca2021-08-04 11:33:14 +02001596 the server using the "enable health" command. For agent checks, use the
1597 "agent-check" keyword and the "enable agent" command. Note that in this case
1598 the server may be activated via the agent depending on the status reported,
1599 without an explicit "enable server" command. This also means that extra care
1600 is required when removing a dynamic server with agent check. The agent should
1601 be first deactivated via "disable agent" to be able to put the server in the
1602 required maintenance mode before removal.
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001603
Amaury Denoyelle414a6122021-08-06 10:25:32 +02001604 It may be possible to reach the fd limit when using a large number of dynamic
1605 servers. Please refer to the "u-limit" global keyword documentation in this
1606 case.
1607
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001608 Here is the list of the currently supported keywords :
1609
Amaury Denoyelleb65f4ca2021-08-04 11:33:14 +02001610 - agent-addr
1611 - agent-check
1612 - agent-inter
1613 - agent-port
1614 - agent-send
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001615 - allow-0rtt
1616 - alpn
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001617 - addr
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001618 - backup
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001619 - ca-file
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001620 - check
Amaury Denoyelle79b90e82021-09-20 15:15:19 +02001621 - check-alpn
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001622 - check-proto
1623 - check-send-proxy
Amaury Denoyelle79b90e82021-09-20 15:15:19 +02001624 - check-sni
1625 - check-ssl
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001626 - check-via-socks4
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001627 - ciphers
1628 - ciphersuites
1629 - crl-file
1630 - crt
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001631 - disabled
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001632 - downinter
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001633 - enabled
Amaury Denoyelle725f8d22021-09-20 15:16:12 +02001634 - error-limit
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001635 - fall
1636 - fastinter
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001637 - force-sslv3/tlsv10/tlsv11/tlsv12/tlsv13
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001638 - id
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001639 - inter
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001640 - maxconn
1641 - maxqueue
1642 - minconn
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001643 - no-ssl-reuse
1644 - no-sslv3/tlsv10/tlsv11/tlsv12/tlsv13
1645 - no-tls-tickets
1646 - npn
Amaury Denoyelle725f8d22021-09-20 15:16:12 +02001647 - observe
1648 - on-error
1649 - on-marked-down
1650 - on-marked-up
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001651 - pool-low-conn
1652 - pool-max-conn
1653 - pool-purge-delay
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001654 - port
Amaury Denoyelle30467232021-03-12 18:03:27 +01001655 - proto
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001656 - proxy-v2-options
Amaury Denoyelle2fc4d392021-07-22 16:04:59 +02001657 - rise
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001658 - send-proxy
1659 - send-proxy-v2
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001660 - send-proxy-v2-ssl
1661 - send-proxy-v2-ssl-cn
Amaury Denoyellecd8a6f22021-09-21 11:51:54 +02001662 - slowstart
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001663 - sni
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001664 - source
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001665 - ssl
1666 - ssl-max-ver
1667 - ssl-min-ver
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001668 - tfo
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001669 - tls-tickets
Amaury Denoyelle56eb8ed2021-07-13 10:36:03 +02001670 - track
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001671 - usesrc
Amaury Denoyelle34897d22021-05-19 09:49:41 +02001672 - verify
1673 - verifyhost
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001674 - weight
Amaury Denoyellef9d59572021-10-18 14:40:29 +02001675 - ws
Amaury Denoyellefc465a52021-03-09 17:36:23 +01001676
1677 Their syntax is similar to the server line from the configuration file,
1678 please refer to their individual documentation for details.
Amaury Denoyellef99f77a2021-03-08 17:13:32 +01001679
William Lallemandaccac232020-04-02 17:42:51 +02001680add ssl crt-list <crtlist> <certificate>
1681add ssl crt-list <crtlist> <payload>
1682 Add an certificate in a crt-list. It can also be used for directories since
1683 directories are now loaded the same way as the crt-lists. This command allow
1684 you to use a certificate name in parameter, to use SSL options or filters a
1685 crt-list line must sent as a payload instead. Only one crt-list line is
1686 supported in the payload. This command will load the certificate for every
1687 bind lines using the crt-list. To push a new certificate to HAProxy the
1688 commands "new ssl cert" and "set ssl cert" must be used.
1689
1690 Example:
1691 $ echo "new ssl cert foobar.pem" | socat /tmp/sock1 -
1692 $ echo -e "set ssl cert foobar.pem <<\n$(cat foobar.pem)\n" | socat
1693 /tmp/sock1 -
1694 $ echo "commit ssl cert foobar.pem" | socat /tmp/sock1 -
1695 $ echo "add ssl crt-list certlist1 foobar.pem" | socat /tmp/sock1 -
1696
1697 $ echo -e 'add ssl crt-list certlist1 <<\nfoobar.pem [allow-0rtt] foo.bar.com
1698 !test1.com\n' | socat /tmp/sock1 -
1699
Willy Tarreau44aed902015-10-13 14:45:29 +02001700clear counters
1701 Clear the max values of the statistics counters in each proxy (frontend &
Willy Tarreaud80cb4e2018-01-20 19:30:13 +01001702 backend) and in each server. The accumulated counters are not affected. The
1703 internal activity counters reported by "show activity" are also reset. This
Willy Tarreau44aed902015-10-13 14:45:29 +02001704 can be used to get clean counters after an incident, without having to
1705 restart nor to clear traffic counters. This command is restricted and can
1706 only be issued on sockets configured for levels "operator" or "admin".
1707
1708clear counters all
1709 Clear all statistics counters in each proxy (frontend & backend) and in each
1710 server. This has the same effect as restarting. This command is restricted
1711 and can only be issued on sockets configured for level "admin".
1712
Willy Tarreauff3feeb2021-04-30 13:31:43 +02001713clear acl [@<ver>] <acl>
Willy Tarreau44aed902015-10-13 14:45:29 +02001714 Remove all entries from the acl <acl>. <acl> is the #<id> or the <file>
1715 returned by "show acl". Note that if the reference <acl> is a file and is
Willy Tarreauff3feeb2021-04-30 13:31:43 +02001716 shared with a map, this map will be also cleared. By default only the current
1717 version of the ACL is cleared (the one being matched against). However it is
1718 possible to specify another version using '@' followed by this version.
Willy Tarreau44aed902015-10-13 14:45:29 +02001719
Willy Tarreauff3feeb2021-04-30 13:31:43 +02001720clear map [@<ver>] <map>
Willy Tarreau44aed902015-10-13 14:45:29 +02001721 Remove all entries from the map <map>. <map> is the #<id> or the <file>
1722 returned by "show map". Note that if the reference <map> is a file and is
Willy Tarreauff3feeb2021-04-30 13:31:43 +02001723 shared with a acl, this acl will be also cleared. By default only the current
1724 version of the map is cleared (the one being matched against). However it is
1725 possible to specify another version using '@' followed by this version.
Willy Tarreau44aed902015-10-13 14:45:29 +02001726
1727clear table <table> [ data.<type> <operator> <value> ] | [ key <key> ]
1728 Remove entries from the stick-table <table>.
1729
1730 This is typically used to unblock some users complaining they have been
1731 abusively denied access to a service, but this can also be used to clear some
1732 stickiness entries matching a server that is going to be replaced (see "show
1733 table" below for details). Note that sometimes, removal of an entry will be
1734 refused because it is currently tracked by a session. Retrying a few seconds
1735 later after the session ends is usual enough.
1736
1737 In the case where no options arguments are given all entries will be removed.
1738
1739 When the "data." form is used entries matching a filter applied using the
1740 stored data (see "stick-table" in section 4.2) are removed. A stored data
1741 type must be specified in <type>, and this data type must be stored in the
1742 table otherwise an error is reported. The data is compared according to
1743 <operator> with the 64-bit integer <value>. Operators are the same as with
1744 the ACLs :
1745
1746 - eq : match entries whose data is equal to this value
1747 - ne : match entries whose data is not equal to this value
1748 - le : match entries whose data is less than or equal to this value
1749 - ge : match entries whose data is greater than or equal to this value
1750 - lt : match entries whose data is less than this value
1751 - gt : match entries whose data is greater than this value
1752
1753 When the key form is used the entry <key> is removed. The key must be of the
1754 same type as the table, which currently is limited to IPv4, IPv6, integer and
1755 string.
1756
1757 Example :
1758 $ echo "show table http_proxy" | socat stdio /tmp/sock1
1759 >>> # table: http_proxy, type: ip, size:204800, used:2
1760 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
1761 bytes_out_rate(60000)=187
1762 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
1763 bytes_out_rate(60000)=191
1764
1765 $ echo "clear table http_proxy key 127.0.0.1" | socat stdio /tmp/sock1
1766
1767 $ echo "show table http_proxy" | socat stdio /tmp/sock1
1768 >>> # table: http_proxy, type: ip, size:204800, used:1
1769 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
1770 bytes_out_rate(60000)=191
1771 $ echo "clear table http_proxy data.gpc0 eq 1" | socat stdio /tmp/sock1
1772 $ echo "show table http_proxy" | socat stdio /tmp/sock1
1773 >>> # table: http_proxy, type: ip, size:204800, used:1
1774
Willy Tarreau7a562ca2021-04-30 15:10:01 +02001775commit acl @<ver> <acl>
1776 Commit all changes made to version <ver> of ACL <acl>, and deletes all past
1777 versions. <acl> is the #<id> or the <file> returned by "show acl". The
1778 version number must be between "curr_ver"+1 and "next_ver" as reported in
1779 "show acl". The contents to be committed to the ACL can be consulted with
1780 "show acl @<ver> <acl>" if desired. The specified version number has normally
1781 been created with the "prepare acl" command. The replacement is atomic. It
1782 consists in atomically updating the current version to the specified version,
1783 which will instantly cause all entries in other versions to become invisible,
1784 and all entries in the new version to become visible. It is also possible to
1785 use this command to perform an atomic removal of all visible entries of an
1786 ACL by calling "prepare acl" first then committing without adding any
1787 entries. This command cannot be used if the reference <acl> is a file also
1788 used as a map. In this case, the "commit map" command must be used instead.
1789
1790commit map @<ver> <map>
1791 Commit all changes made to version <ver> of map <map>, and deletes all past
1792 versions. <map> is the #<id> or the <file> returned by "show map". The
1793 version number must be between "curr_ver"+1 and "next_ver" as reported in
1794 "show map". The contents to be committed to the map can be consulted with
1795 "show map @<ver> <map>" if desired. The specified version number has normally
1796 been created with the "prepare map" command. The replacement is atomic. It
1797 consists in atomically updating the current version to the specified version,
1798 which will instantly cause all entries in other versions to become invisible,
1799 and all entries in the new version to become visible. It is also possible to
1800 use this command to perform an atomic removal of all visible entries of an
1801 map by calling "prepare map" first then committing without adding any
1802 entries.
1803
Remi Tricot-Le Bretone88a2ca2021-04-08 15:30:23 +02001804commit ssl ca-file <cafile>
1805 Commit a temporary SSL CA file update transaction.
1806
1807 In the case of an existing CA file (in a "Used" state in "show ssl ca-file"),
1808 the new CA file tree entry is inserted in the CA file tree and every instance
1809 that used the CA file entry is rebuilt, along with the SSL contexts it needs.
1810 All the contexts previously used by the rebuilt instances are removed.
1811 Upon success, the previous CA file entry is removed from the tree.
1812 Upon failure, nothing is removed or deleted, and all the original SSL
1813 contexts are kept and used.
1814 Once the temporary transaction is committed, it is destroyed.
1815
1816 In the case of a new CA file (after a "new ssl ca-file" and in a "Unused"
1817 state in "show ssl ca-file"), the CA file will be inserted in the CA file
1818 tree but it won't be used anywhere in HAProxy. To use it and generate SSL
1819 contexts that use it, you will need to add it to a crt-list with "add ssl
1820 crt-list".
1821
1822 See also "new ssl ca-file", "set ssl ca-file", "abort ssl ca-file" and
1823 "add ssl crt-list".
1824
William Lallemand6ab08b32019-11-29 16:48:43 +01001825commit ssl cert <filename>
William Lallemandc184d872020-06-26 15:39:57 +02001826 Commit a temporary SSL certificate update transaction.
1827
1828 In the case of an existing certificate (in a "Used" state in "show ssl
1829 cert"), generate every SSL contextes and SNIs it need, insert them, and
1830 remove the previous ones. Replace in memory the previous SSL certificates
1831 everywhere the <filename> was used in the configuration. Upon failure it
1832 doesn't remove or insert anything. Once the temporary transaction is
1833 committed, it is destroyed.
1834
1835 In the case of a new certificate (after a "new ssl cert" and in a "Unused"
Ilya Shipitsin2272d8a2020-12-21 01:22:40 +05001836 state in "show ssl cert"), the certificate will be committed in a certificate
William Lallemandc184d872020-06-26 15:39:57 +02001837 storage, but it won't be used anywhere in haproxy. To use it and generate
1838 its SNIs you will need to add it to a crt-list or a directory with "add ssl
1839 crt-list".
William Lallemand6ab08b32019-11-29 16:48:43 +01001840
Remi Tricot-Le Bretone88a2ca2021-04-08 15:30:23 +02001841 See also "new ssl cert", "set ssl cert", "abort ssl cert" and
William Lallemandc184d872020-06-26 15:39:57 +02001842 "add ssl crt-list".
William Lallemand6ab08b32019-11-29 16:48:43 +01001843
Remi Tricot-Le Breton3c222bd2021-04-27 16:28:25 +02001844commit ssl crl-file <crlfile>
1845 Commit a temporary SSL CRL file update transaction.
1846
1847 In the case of an existing CRL file (in a "Used" state in "show ssl
1848 crl-file"), the new CRL file entry is inserted in the CA file tree (which
1849 holds both the CA files and the CRL files) and every instance that used the
1850 CRL file entry is rebuilt, along with the SSL contexts it needs.
1851 All the contexts previously used by the rebuilt instances are removed.
1852 Upon success, the previous CRL file entry is removed from the tree.
1853 Upon failure, nothing is removed or deleted, and all the original SSL
1854 contexts are kept and used.
1855 Once the temporary transaction is committed, it is destroyed.
1856
1857 In the case of a new CRL file (after a "new ssl crl-file" and in a "Unused"
1858 state in "show ssl crl-file"), the CRL file will be inserted in the CRL file
1859 tree but it won't be used anywhere in HAProxy. To use it and generate SSL
1860 contexts that use it, you will need to add it to a crt-list with "add ssl
1861 crt-list".
1862
1863 See also "new ssl crl-file", "set ssl crl-file", "abort ssl crl-file" and
1864 "add ssl crt-list".
1865
Willy Tarreau6bdf3e92019-05-20 14:25:05 +02001866debug dev <command> [args]*
Willy Tarreaub24ab222019-10-24 18:03:39 +02001867 Call a developer-specific command. Only supported on a CLI connection running
1868 in expert mode (see "expert-mode on"). Such commands are extremely dangerous
1869 and not forgiving, any misuse may result in a crash of the process. They are
1870 intended for experts only, and must really not be used unless told to do so.
1871 Some of them are only available when haproxy is built with DEBUG_DEV defined
1872 because they may have security implications. All of these commands require
1873 admin privileges, and are purposely not documented to avoid encouraging their
1874 use by people who are not at ease with the source code.
Willy Tarreau6bdf3e92019-05-20 14:25:05 +02001875
Willy Tarreau44aed902015-10-13 14:45:29 +02001876del acl <acl> [<key>|#<ref>]
1877 Delete all the acl entries from the acl <acl> corresponding to the key <key>.
1878 <acl> is the #<id> or the <file> returned by "show acl". If the <ref> is used,
1879 this command delete only the listed reference. The reference can be found with
1880 listing the content of the acl. Note that if the reference <acl> is a file and
1881 is shared with a map, the entry will be also deleted in the map.
1882
1883del map <map> [<key>|#<ref>]
1884 Delete all the map entries from the map <map> corresponding to the key <key>.
1885 <map> is the #<id> or the <file> returned by "show map". If the <ref> is used,
1886 this command delete only the listed reference. The reference can be found with
1887 listing the content of the map. Note that if the reference <map> is a file and
1888 is shared with a acl, the entry will be also deleted in the map.
1889
Remi Tricot-Le Bretone88a2ca2021-04-08 15:30:23 +02001890del ssl ca-file <cafile>
1891 Delete a CA file tree entry from HAProxy. The CA file must be unused and
1892 removed from any crt-list. "show ssl ca-file" displays the status of the CA
1893 files. The deletion doesn't work with a certificate referenced directly with
1894 the "ca-file" or "ca-verify-file" directives in the configuration.
1895
William Lallemand419e6342020-04-08 12:05:39 +02001896del ssl cert <certfile>
1897 Delete a certificate store from HAProxy. The certificate must be unused and
1898 removed from any crt-list or directory. "show ssl cert" displays the status
1899 of the certificate. The deletion doesn't work with a certificate referenced
1900 directly with the "crt" directive in the configuration.
1901
Remi Tricot-Le Breton3c222bd2021-04-27 16:28:25 +02001902del ssl crl-file <crlfile>
1903 Delete a CRL file tree entry from HAProxy. The CRL file must be unused and
1904 removed from any crt-list. "show ssl crl-file" displays the status of the CRL
1905 files. The deletion doesn't work with a certificate referenced directly with
1906 the "crl-file" directive in the configuration.
1907
William Lallemand0a9b9412020-04-06 17:43:05 +02001908del ssl crt-list <filename> <certfile[:line]>
1909 Delete an entry in a crt-list. This will delete every SNIs used for this
1910 entry in the frontends. If a certificate is used several time in a crt-list,
1911 you will need to provide which line you want to delete. To display the line
1912 numbers, use "show ssl crt-list -n <crtlist>".
1913
Amaury Denoyellee5580432021-04-15 14:41:20 +02001914del server <backend>/<server>
Amaury Denoyelle14c3c5c2021-08-23 14:10:51 +02001915 Remove a server attached to the backend <backend>. All servers are eligible,
1916 except servers which are referenced by other configuration elements. The
1917 server must be put in maintenance mode prior to its deletion. The operation
1918 is cancelled if the serveur still has active or idle connection or its
1919 connection queue is not empty.
Amaury Denoyellee5580432021-04-15 14:41:20 +02001920
Willy Tarreau44aed902015-10-13 14:45:29 +02001921disable agent <backend>/<server>
1922 Mark the auxiliary agent check as temporarily stopped.
1923
1924 In the case where an agent check is being run as a auxiliary check, due
1925 to the agent-check parameter of a server directive, new checks are only
Dan Lloyd8e48b872016-07-01 21:01:18 -04001926 initialized when the agent is in the enabled. Thus, disable agent will
Willy Tarreau44aed902015-10-13 14:45:29 +02001927 prevent any new agent checks from begin initiated until the agent
1928 re-enabled using enable agent.
1929
1930 When an agent is disabled the processing of an auxiliary agent check that
1931 was initiated while the agent was set as enabled is as follows: All
1932 results that would alter the weight, specifically "drain" or a weight
1933 returned by the agent, are ignored. The processing of agent check is
1934 otherwise unchanged.
1935
1936 The motivation for this feature is to allow the weight changing effects
1937 of the agent checks to be paused to allow the weight of a server to be
1938 configured using set weight without being overridden by the agent.
1939
1940 This command is restricted and can only be issued on sockets configured for
1941 level "admin".
1942
Olivier Houchard614f8d72017-03-14 20:08:46 +01001943disable dynamic-cookie backend <backend>
Ilya Shipitsin2a950d02020-03-06 13:07:38 +05001944 Disable the generation of dynamic cookies for the backend <backend>
Olivier Houchard614f8d72017-03-14 20:08:46 +01001945
Willy Tarreau44aed902015-10-13 14:45:29 +02001946disable frontend <frontend>
1947 Mark the frontend as temporarily stopped. This corresponds to the mode which
1948 is used during a soft restart : the frontend releases the port but can be
1949 enabled again if needed. This should be used with care as some non-Linux OSes
1950 are unable to enable it back. This is intended to be used in environments
1951 where stopping a proxy is not even imaginable but a misconfigured proxy must
1952 be fixed. That way it's possible to release the port and bind it into another
1953 process to restore operations. The frontend will appear with status "STOP"
1954 on the stats page.
1955
1956 The frontend may be specified either by its name or by its numeric ID,
1957 prefixed with a sharp ('#').
1958
1959 This command is restricted and can only be issued on sockets configured for
1960 level "admin".
1961
1962disable health <backend>/<server>
1963 Mark the primary health check as temporarily stopped. This will disable
1964 sending of health checks, and the last health check result will be ignored.
1965 The server will be in unchecked state and considered UP unless an auxiliary
1966 agent check forces it down.
1967
1968 This command is restricted and can only be issued on sockets configured for
1969 level "admin".
1970
1971disable server <backend>/<server>
1972 Mark the server DOWN for maintenance. In this mode, no more checks will be
1973 performed on the server until it leaves maintenance.
1974 If the server is tracked by other servers, those servers will be set to DOWN
1975 during the maintenance.
1976
1977 In the statistics page, a server DOWN for maintenance will appear with a
1978 "MAINT" status, its tracking servers with the "MAINT(via)" one.
1979
1980 Both the backend and the server may be specified either by their name or by
1981 their numeric ID, prefixed with a sharp ('#').
1982
1983 This command is restricted and can only be issued on sockets configured for
1984 level "admin".
1985
1986enable agent <backend>/<server>
1987 Resume auxiliary agent check that was temporarily stopped.
1988
1989 See "disable agent" for details of the effect of temporarily starting
1990 and stopping an auxiliary agent.
1991
1992 This command is restricted and can only be issued on sockets configured for
1993 level "admin".
1994
Olivier Houchard614f8d72017-03-14 20:08:46 +01001995enable dynamic-cookie backend <backend>
n9@users.noreply.github.com25a1c8e2019-08-23 11:21:05 +02001996 Enable the generation of dynamic cookies for the backend <backend>.
1997 A secret key must also be provided.
Olivier Houchard614f8d72017-03-14 20:08:46 +01001998
Willy Tarreau44aed902015-10-13 14:45:29 +02001999enable frontend <frontend>
2000 Resume a frontend which was temporarily stopped. It is possible that some of
2001 the listening ports won't be able to bind anymore (eg: if another process
2002 took them since the 'disable frontend' operation). If this happens, an error
2003 is displayed. Some operating systems might not be able to resume a frontend
2004 which was disabled.
2005
2006 The frontend may be specified either by its name or by its numeric ID,
2007 prefixed with a sharp ('#').
2008
2009 This command is restricted and can only be issued on sockets configured for
2010 level "admin".
2011
2012enable health <backend>/<server>
2013 Resume a primary health check that was temporarily stopped. This will enable
2014 sending of health checks again. Please see "disable health" for details.
2015
2016 This command is restricted and can only be issued on sockets configured for
2017 level "admin".
2018
2019enable server <backend>/<server>
2020 If the server was previously marked as DOWN for maintenance, this marks the
2021 server UP and checks are re-enabled.
2022
2023 Both the backend and the server may be specified either by their name or by
2024 their numeric ID, prefixed with a sharp ('#').
2025
2026 This command is restricted and can only be issued on sockets configured for
2027 level "admin".
2028
Amaury Denoyelle18487fb2021-03-18 15:32:53 +01002029experimental-mode [on|off]
2030 Without options, this indicates whether the experimental mode is enabled or
2031 disabled on the current connection. When passed "on", it turns the
2032 experimental mode on for the current CLI connection only. With "off" it turns
2033 it off.
2034
2035 The experimental mode is used to access to extra features still in
2036 development. These features are currently not stable and should be used with
Ilya Shipitsinba13f162021-03-19 22:21:44 +05002037 care. They may be subject to breaking changes across versions.
Amaury Denoyelle18487fb2021-03-18 15:32:53 +01002038
William Lallemand7267f782022-02-01 16:08:50 +01002039 When used from the master CLI, this command shouldn't be prefixed, as it will
2040 set the mode for any worker when connecting to its CLI.
2041
2042 Example:
Amaury Denoyelle76e8b702022-03-09 15:07:31 +01002043 echo "@1; experimental-mode on; <experimental_cmd>..." | socat /var/run/haproxy.master -
2044 echo "experimental-mode on; @1 <experimental_cmd>..." | socat /var/run/haproxy.master -
William Lallemand7267f782022-02-01 16:08:50 +01002045
Willy Tarreauabb9f9b2019-10-24 17:55:53 +02002046expert-mode [on|off]
Amaury Denoyelle18487fb2021-03-18 15:32:53 +01002047 This command is similar to experimental-mode but is used to toggle the
2048 expert mode.
2049
2050 The expert mode enables displaying of expert commands that can be extremely
Willy Tarreauabb9f9b2019-10-24 17:55:53 +02002051 dangerous for the process and which may occasionally help developers collect
2052 important information about complex bugs. Any misuse of these features will
2053 likely lead to a process crash. Do not use this option without being invited
2054 to do so. Note that this command is purposely not listed in the help message.
2055 This command is only accessible in admin level. Changing to another level
2056 automatically resets the expert mode.
2057
William Lallemand7267f782022-02-01 16:08:50 +01002058 When used from the master CLI, this command shouldn't be prefixed, as it will
2059 set the mode for any worker when connecting to its CLI.
2060
2061 Example:
2062 echo "@1; expert-mode on; debug dev exit 1" | socat /var/run/haproxy.master -
2063 echo "expert-mode on; @1 debug dev exit 1" | socat /var/run/haproxy.master -
2064
Willy Tarreau44aed902015-10-13 14:45:29 +02002065get map <map> <value>
2066get acl <acl> <value>
2067 Lookup the value <value> in the map <map> or in the ACL <acl>. <map> or <acl>
2068 are the #<id> or the <file> returned by "show map" or "show acl". This command
2069 returns all the matching patterns associated with this map. This is useful for
2070 debugging maps and ACLs. The output format is composed by one line par
2071 matching type. Each line is composed by space-delimited series of words.
2072
2073 The first two words are:
2074
2075 <match method>: The match method applied. It can be "found", "bool",
2076 "int", "ip", "bin", "len", "str", "beg", "sub", "dir",
2077 "dom", "end" or "reg".
2078
2079 <match result>: The result. Can be "match" or "no-match".
2080
2081 The following words are returned only if the pattern matches an entry.
2082
2083 <index type>: "tree" or "list". The internal lookup algorithm.
2084
2085 <case>: "case-insensitive" or "case-sensitive". The
2086 interpretation of the case.
2087
2088 <entry matched>: match="<entry>". Return the matched pattern. It is
2089 useful with regular expressions.
2090
2091 The two last word are used to show the returned value and its type. With the
2092 "acl" case, the pattern doesn't exist.
2093
2094 return=nothing: No return because there are no "map".
2095 return="<value>": The value returned in the string format.
2096 return=cannot-display: The value cannot be converted as string.
2097
2098 type="<type>": The type of the returned sample.
2099
Willy Tarreauc35eb382021-03-26 14:51:31 +01002100get var <name>
2101 Show the existence, type and contents of the process-wide variable 'name'.
2102 Only process-wide variables are readable, so the name must begin with
2103 'proc.' otherwise no variable will be found. This command requires levels
2104 "operator" or "admin".
2105
Willy Tarreau44aed902015-10-13 14:45:29 +02002106get weight <backend>/<server>
2107 Report the current weight and the initial weight of server <server> in
2108 backend <backend> or an error if either doesn't exist. The initial weight is
2109 the one that appears in the configuration file. Both are normally equal
2110 unless the current weight has been changed. Both the backend and the server
2111 may be specified either by their name or by their numeric ID, prefixed with a
2112 sharp ('#').
2113
Willy Tarreau0b1b8302021-05-09 20:59:23 +02002114help [<command>]
2115 Print the list of known keywords and their basic usage, or commands matching
2116 the requested one. The same help screen is also displayed for unknown
2117 commands.
Willy Tarreau44aed902015-10-13 14:45:29 +02002118
William Lallemandb175c232021-10-19 14:53:55 +02002119httpclient <method> <URI>
2120 Launch an HTTP client request and print the response on the CLI. Only
2121 supported on a CLI connection running in expert mode (see "expert-mode on").
2122 It's only meant for debugging. It currently can't resolve FQDN so your URI must
2123 contains an IP.
2124
Remi Tricot-Le Bretone88a2ca2021-04-08 15:30:23 +02002125new ssl ca-file <cafile>
2126 Create a new empty CA file tree entry to be filled with a set of CA
2127 certificates and added to a crt-list. This command should be used in
2128 combination with "set ssl ca-file" and "add ssl crt-list".
2129
William Lallemandaccac232020-04-02 17:42:51 +02002130new ssl cert <filename>
2131 Create a new empty SSL certificate store to be filled with a certificate and
2132 added to a directory or a crt-list. This command should be used in
2133 combination with "set ssl cert" and "add ssl crt-list".
2134
Remi Tricot-Le Breton3c222bd2021-04-27 16:28:25 +02002135new ssl crl-file <crlfile>
2136 Create a new empty CRL file tree entry to be filled with a set of CRLs
2137 and added to a crt-list. This command should be used in combination with "set
2138 ssl crl-file" and "add ssl crt-list".
2139
Willy Tarreau97218ce2021-04-30 14:57:03 +02002140prepare acl <acl>
2141 Allocate a new version number in ACL <acl> for atomic replacement. <acl> is
2142 the #<id> or the <file> returned by "show acl". The new version number is
2143 shown in response after "New version created:". This number will then be
2144 usable to prepare additions of new entries into the ACL which will then
2145 atomically replace the current ones once committed. It is reported as
2146 "next_ver" in "show acl". There is no impact of allocating new versions, as
2147 unused versions will automatically be removed once a more recent version is
2148 committed. Version numbers are unsigned 32-bit values which wrap at the end,
2149 so care must be taken when comparing them in an external program. This
2150 command cannot be used if the reference <acl> is a file also used as a map.
2151 In this case, the "prepare map" command must be used instead.
2152
2153prepare map <map>
2154 Allocate a new version number in map <map> for atomic replacement. <map> is
2155 the #<id> or the <file> returned by "show map". The new version number is
2156 shown in response after "New version created:". This number will then be
2157 usable to prepare additions of new entries into the map which will then
2158 atomically replace the current ones once committed. It is reported as
2159 "next_ver" in "show map". There is no impact of allocating new versions, as
2160 unused versions will automatically be removed once a more recent version is
2161 committed. Version numbers are unsigned 32-bit values which wrap at the end,
2162 so care must be taken when comparing them in an external program.
2163
Willy Tarreau44aed902015-10-13 14:45:29 +02002164prompt
2165 Toggle the prompt at the beginning of the line and enter or leave interactive
2166 mode. In interactive mode, the connection is not closed after a command
2167 completes. Instead, the prompt will appear again, indicating the user that
2168 the interpreter is waiting for a new command. The prompt consists in a right
2169 angle bracket followed by a space "> ". This mode is particularly convenient
2170 when one wants to periodically check information such as stats or errors.
2171 It is also a good idea to enter interactive mode before issuing a "help"
2172 command.
2173
2174quit
2175 Close the connection when in interactive mode.
2176
Olivier Houchard614f8d72017-03-14 20:08:46 +01002177set dynamic-cookie-key backend <backend> <value>
2178 Modify the secret key used to generate the dynamic persistent cookies.
2179 This will break the existing sessions.
2180
Willy Tarreau44aed902015-10-13 14:45:29 +02002181set map <map> [<key>|#<ref>] <value>
2182 Modify the value corresponding to each key <key> in a map <map>. <map> is the
2183 #<id> or <file> returned by "show map". If the <ref> is used in place of
2184 <key>, only the entry pointed by <ref> is changed. The new value is <value>.
2185
2186set maxconn frontend <frontend> <value>
2187 Dynamically change the specified frontend's maxconn setting. Any positive
2188 value is allowed including zero, but setting values larger than the global
2189 maxconn does not make much sense. If the limit is increased and connections
2190 were pending, they will immediately be accepted. If it is lowered to a value
2191 below the current number of connections, new connections acceptation will be
2192 delayed until the threshold is reached. The frontend might be specified by
2193 either its name or its numeric ID prefixed with a sharp ('#').
2194
Andrew Hayworthedb93a72015-10-27 21:46:25 +00002195set maxconn server <backend/server> <value>
2196 Dynamically change the specified server's maxconn setting. Any positive
2197 value is allowed including zero, but setting values larger than the global
2198 maxconn does not make much sense.
2199
Willy Tarreau44aed902015-10-13 14:45:29 +02002200set maxconn global <maxconn>
2201 Dynamically change the global maxconn setting within the range defined by the
2202 initial global maxconn setting. If it is increased and connections were
2203 pending, they will immediately be accepted. If it is lowered to a value below
2204 the current number of connections, new connections acceptation will be
2205 delayed until the threshold is reached. A value of zero restores the initial
2206 setting.
2207
Willy Tarreau00dd44f2021-05-05 16:44:23 +02002208set profiling { tasks | memory } { auto | on | off }
2209 Enables or disables CPU or memory profiling for the indicated subsystem. This
2210 is equivalent to setting or clearing the "profiling" settings in the "global"
Willy Tarreaucfa71012021-01-29 11:56:21 +01002211 section of the configuration file. Please also see "show profiling". Note
2212 that manually setting the tasks profiling to "on" automatically resets the
2213 scheduler statistics, thus allows to check activity over a given interval.
Willy Tarreau00dd44f2021-05-05 16:44:23 +02002214 The memory profiling is limited to certain operating systems (known to work
2215 on the linux-glibc target), and requires USE_MEMORY_PROFILING to be set at
2216 compile time.
Willy Tarreau75c62c22018-11-22 11:02:09 +01002217
Willy Tarreau44aed902015-10-13 14:45:29 +02002218set rate-limit connections global <value>
2219 Change the process-wide connection rate limit, which is set by the global
2220 'maxconnrate' setting. A value of zero disables the limitation. This limit
2221 applies to all frontends and the change has an immediate effect. The value
2222 is passed in number of connections per second.
2223
2224set rate-limit http-compression global <value>
2225 Change the maximum input compression rate, which is set by the global
2226 'maxcomprate' setting. A value of zero disables the limitation. The value is
2227 passed in number of kilobytes per second. The value is available in the "show
2228 info" on the line "CompressBpsRateLim" in bytes.
2229
2230set rate-limit sessions global <value>
2231 Change the process-wide session rate limit, which is set by the global
2232 'maxsessrate' setting. A value of zero disables the limitation. This limit
2233 applies to all frontends and the change has an immediate effect. The value
2234 is passed in number of sessions per second.
2235
2236set rate-limit ssl-sessions global <value>
2237 Change the process-wide SSL session rate limit, which is set by the global
2238 'maxsslrate' setting. A value of zero disables the limitation. This limit
2239 applies to all frontends and the change has an immediate effect. The value
2240 is passed in number of sessions per second sent to the SSL stack. It applies
2241 before the handshake in order to protect the stack against handshake abuses.
2242
Baptiste Assmann3749ebf2016-08-03 22:34:12 +02002243set server <backend>/<server> addr <ip4 or ip6 address> [port <port>]
Willy Tarreau44aed902015-10-13 14:45:29 +02002244 Replace the current IP address of a server by the one provided.
Michael Prokop4438c602019-05-24 10:25:45 +02002245 Optionally, the port can be changed using the 'port' parameter.
Baptiste Assmann3749ebf2016-08-03 22:34:12 +02002246 Note that changing the port also support switching from/to port mapping
2247 (notation with +X or -Y), only if a port is configured for the health check.
Willy Tarreau44aed902015-10-13 14:45:29 +02002248
2249set server <backend>/<server> agent [ up | down ]
2250 Force a server's agent to a new state. This can be useful to immediately
2251 switch a server's state regardless of some slow agent checks for example.
2252 Note that the change is propagated to tracking servers if any.
2253
William Dauchy7cabc062021-02-11 22:51:24 +01002254set server <backend>/<server> agent-addr <addr> [port <port>]
Misiek43972902017-01-09 09:53:06 +01002255 Change addr for servers agent checks. Allows to migrate agent-checks to
2256 another address at runtime. You can specify both IP and hostname, it will be
2257 resolved.
William Dauchy7cabc062021-02-11 22:51:24 +01002258 Optionally, change the port agent.
2259
2260set server <backend>/<server> agent-port <port>
2261 Change the port used for agent checks.
Misiek43972902017-01-09 09:53:06 +01002262
2263set server <backend>/<server> agent-send <value>
2264 Change agent string sent to agent check target. Allows to update string while
2265 changing server address to keep those two matching.
2266
Willy Tarreau44aed902015-10-13 14:45:29 +02002267set server <backend>/<server> health [ up | stopping | down ]
2268 Force a server's health to a new state. This can be useful to immediately
2269 switch a server's state regardless of some slow health checks for example.
2270 Note that the change is propagated to tracking servers if any.
2271
William Dauchyb456e1f2021-02-11 22:51:23 +01002272set server <backend>/<server> check-addr <ip4 | ip6> [port <port>]
2273 Change the IP address used for server health checks.
2274 Optionally, change the port used for server health checks.
2275
Baptiste Assmann50946562016-08-31 23:26:29 +02002276set server <backend>/<server> check-port <port>
2277 Change the port used for health checking to <port>
2278
Willy Tarreau44aed902015-10-13 14:45:29 +02002279set server <backend>/<server> state [ ready | drain | maint ]
2280 Force a server's administrative state to a new state. This can be useful to
2281 disable load balancing and/or any traffic to a server. Setting the state to
2282 "ready" puts the server in normal mode, and the command is the equivalent of
2283 the "enable server" command. Setting the state to "maint" disables any traffic
2284 to the server as well as any health checks. This is the equivalent of the
2285 "disable server" command. Setting the mode to "drain" only removes the server
2286 from load balancing but still allows it to be checked and to accept new
2287 persistent connections. Changes are propagated to tracking servers if any.
2288
2289set server <backend>/<server> weight <weight>[%]
2290 Change a server's weight to the value passed in argument. This is the exact
2291 equivalent of the "set weight" command below.
2292
Frédéric Lécailleb418c122017-04-26 11:24:02 +02002293set server <backend>/<server> fqdn <FQDN>
Lukas Tribusc5dd5a52018-08-14 11:39:35 +02002294 Change a server's FQDN to the value passed in argument. This requires the
2295 internal run-time DNS resolver to be configured and enabled for this server.
Frédéric Lécailleb418c122017-04-26 11:24:02 +02002296
William Lallemand9998a332022-01-19 15:17:08 +01002297set server <backend>/<server> ssl [ on | off ] (deprecated)
William Dauchyf6370442020-11-14 19:25:33 +01002298 This option configures SSL ciphering on outgoing connections to the server.
William Dauchya087f872022-01-06 16:57:15 +01002299 When switch off, all traffic becomes plain text; health check path is not
2300 changed.
William Dauchyf6370442020-11-14 19:25:33 +01002301
William Lallemand9998a332022-01-19 15:17:08 +01002302 This command is deprecated, create a new server dynamically with or without
2303 SSL instead, using the "add server" command.
2304
Andjelko Iharosc4df59e2017-07-20 11:59:48 +02002305set severity-output [ none | number | string ]
2306 Change the severity output format of the stats socket connected to for the
2307 duration of the current session.
2308
Remi Tricot-Le Bretone88a2ca2021-04-08 15:30:23 +02002309set ssl ca-file <cafile> <payload>
2310 This command is part of a transaction system, the "commit ssl ca-file" and
2311 "abort ssl ca-file" commands could be required.
2312 If there is no on-going transaction, it will create a CA file tree entry into
2313 which the certificates contained in the payload will be stored. The CA file
2314 entry will not be stored in the CA file tree and will only be kept in a
2315 temporary transaction. If a transaction with the same filename already exists,
2316 the previous CA file entry will be deleted and replaced by the new one.
2317 Once the modifications are done, you have to commit the transaction through
2318 a "commit ssl ca-file" call.
2319
2320 Example:
2321 echo -e "set ssl ca-file cafile.pem <<\n$(cat rootCA.crt)\n" | \
2322 socat /var/run/haproxy.stat -
2323 echo "commit ssl ca-file cafile.pem" | socat /var/run/haproxy.stat -
2324
William Lallemand6ab08b32019-11-29 16:48:43 +01002325set ssl cert <filename> <payload>
2326 This command is part of a transaction system, the "commit ssl cert" and
2327 "abort ssl cert" commands could be required.
Remi Tricot-Le Breton34459092021-04-14 16:19:28 +02002328 This whole transaction system works on any certificate displayed by the
Remi Tricot-Le Bretonb5f0fac2021-04-14 16:19:29 +02002329 "show ssl cert" command, so on any frontend or backend certificate.
William Lallemand6ab08b32019-11-29 16:48:43 +01002330 If there is no on-going transaction, it will duplicate the certificate
2331 <filename> in memory to a temporary transaction, then update this
2332 transaction with the PEM file in the payload. If a transaction exists with
2333 the same filename, it will update this transaction. It's also possible to
2334 update the files linked to a certificate (.issuer, .sctl, .oscp etc.)
2335 Once the modification are done, you have to "commit ssl cert" the
2336 transaction.
2337
William Lallemanded8bfad2021-09-16 17:30:51 +02002338 Injection of files over the CLI must be done with caution since an empty line
2339 is used to notify the end of the payload. It is recommended to inject a PEM
2340 file which has been sanitized. A simple method would be to remove every empty
2341 line and only leave what are in the PEM sections. It could be achieved with a
2342 sed command.
2343
William Lallemand6ab08b32019-11-29 16:48:43 +01002344 Example:
William Lallemanded8bfad2021-09-16 17:30:51 +02002345
2346 # With some simple sanitizing
2347 echo -e "set ssl cert localhost.pem <<\n$(sed -n '/^$/d;/-BEGIN/,/-END/p' 127.0.0.1.pem)\n" | \
2348 socat /var/run/haproxy.stat -
2349
2350 # Complete example with commit
William Lallemand6ab08b32019-11-29 16:48:43 +01002351 echo -e "set ssl cert localhost.pem <<\n$(cat 127.0.0.1.pem)\n" | \
2352 socat /var/run/haproxy.stat -
2353 echo -e \
2354 "set ssl cert localhost.pem.issuer <<\n $(cat 127.0.0.1.pem.issuer)\n" | \
2355 socat /var/run/haproxy.stat -
2356 echo -e \
2357 "set ssl cert localhost.pem.ocsp <<\n$(base64 -w 1000 127.0.0.1.pem.ocsp)\n" | \
2358 socat /var/run/haproxy.stat -
2359 echo "commit ssl cert localhost.pem" | socat /var/run/haproxy.stat -
2360
Remi Tricot-Le Breton3c222bd2021-04-27 16:28:25 +02002361set ssl crl-file <crlfile> <payload>
2362 This command is part of a transaction system, the "commit ssl crl-file" and
2363 "abort ssl crl-file" commands could be required.
2364 If there is no on-going transaction, it will create a CRL file tree entry into
2365 which the Revocation Lists contained in the payload will be stored. The CRL
2366 file entry will not be stored in the CRL file tree and will only be kept in a
2367 temporary transaction. If a transaction with the same filename already exists,
2368 the previous CRL file entry will be deleted and replaced by the new one.
2369 Once the modifications are done, you have to commit the transaction through
2370 a "commit ssl crl-file" call.
2371
2372 Example:
2373 echo -e "set ssl crl-file crlfile.pem <<\n$(cat rootCRL.pem)\n" | \
2374 socat /var/run/haproxy.stat -
2375 echo "commit ssl crl-file crlfile.pem" | socat /var/run/haproxy.stat -
2376
Aurélien Nephtali1e0867c2018-04-18 14:04:58 +02002377set ssl ocsp-response <response | payload>
Willy Tarreau44aed902015-10-13 14:45:29 +02002378 This command is used to update an OCSP Response for a certificate (see "crt"
2379 on "bind" lines). Same controls are performed as during the initial loading of
2380 the response. The <response> must be passed as a base64 encoded string of the
Emmanuel Hocdet2c32d8f2017-05-22 14:58:00 +02002381 DER encoded response from the OCSP server. This command is not supported with
2382 BoringSSL.
Willy Tarreau44aed902015-10-13 14:45:29 +02002383
2384 Example:
2385 openssl ocsp -issuer issuer.pem -cert server.pem \
2386 -host ocsp.issuer.com:80 -respout resp.der
2387 echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \
2388 socat stdio /var/run/haproxy.stat
2389
Aurélien Nephtali1e0867c2018-04-18 14:04:58 +02002390 using the payload syntax:
2391 echo -e "set ssl ocsp-response <<\n$(base64 resp.der)\n" | \
2392 socat stdio /var/run/haproxy.stat
2393
Willy Tarreau44aed902015-10-13 14:45:29 +02002394set ssl tls-key <id> <tlskey>
2395 Set the next TLS key for the <id> listener to <tlskey>. This key becomes the
2396 ultimate key, while the penultimate one is used for encryption (others just
2397 decrypt). The oldest TLS key present is overwritten. <id> is either a numeric
2398 #<id> or <file> returned by "show tls-keys". <tlskey> is a base64 encoded 48
Emeric Brun9e754772019-01-10 17:51:55 +01002399 or 80 bits TLS ticket key (ex. openssl rand 80 | openssl base64 -A).
Willy Tarreau44aed902015-10-13 14:45:29 +02002400
2401set table <table> key <key> [data.<data_type> <value>]*
2402 Create or update a stick-table entry in the table. If the key is not present,
2403 an entry is inserted. See stick-table in section 4.2 to find all possible
2404 values for <data_type>. The most likely use consists in dynamically entering
2405 entries for source IP addresses, with a flag in gpc0 to dynamically block an
2406 IP address or affect its quality of service. It is possible to pass multiple
2407 data_types in a single call.
2408
2409set timeout cli <delay>
2410 Change the CLI interface timeout for current connection. This can be useful
2411 during long debugging sessions where the user needs to constantly inspect
2412 some indicators without being disconnected. The delay is passed in seconds.
2413
Willy Tarreau4000ff02021-04-30 14:45:53 +02002414set var <name> <expression>
Willy Tarreaue93bff42021-09-03 09:47:37 +02002415set var <name> expr <expression>
2416set var <name> fmt <format>
Willy Tarreau4000ff02021-04-30 14:45:53 +02002417 Allows to set or overwrite the process-wide variable 'name' with the result
Willy Tarreaue93bff42021-09-03 09:47:37 +02002418 of expression <expression> or format string <format>. Only process-wide
2419 variables may be used, so the name must begin with 'proc.' otherwise no
2420 variable will be set. The <expression> and <format> may only involve
2421 "internal" sample fetch keywords and converters even though the most likely
2422 useful ones will be str('something'), int(), simple strings or references to
2423 other variables. Note that the command line parser doesn't know about quotes,
2424 so any space in the expression must be preceded by a backslash. This command
2425 requires levels "operator" or "admin". This command is only supported on a
2426 CLI connection running in experimental mode (see "experimental-mode on").
Willy Tarreau4000ff02021-04-30 14:45:53 +02002427
Willy Tarreau44aed902015-10-13 14:45:29 +02002428set weight <backend>/<server> <weight>[%]
2429 Change a server's weight to the value passed in argument. If the value ends
2430 with the '%' sign, then the new weight will be relative to the initially
2431 configured weight. Absolute weights are permitted between 0 and 256.
2432 Relative weights must be positive with the resulting absolute weight is
2433 capped at 256. Servers which are part of a farm running a static
2434 load-balancing algorithm have stricter limitations because the weight
2435 cannot change once set. Thus for these servers, the only accepted values
2436 are 0 and 100% (or 0 and the initial weight). Changes take effect
2437 immediately, though certain LB algorithms require a certain amount of
2438 requests to consider changes. A typical usage of this command is to
2439 disable a server during an update by setting its weight to zero, then to
2440 enable it again after the update by setting it back to 100%. This command
2441 is restricted and can only be issued on sockets configured for level
2442 "admin". Both the backend and the server may be specified either by their
2443 name or by their numeric ID, prefixed with a sharp ('#').
2444
Willy Tarreau95f753e2021-04-30 12:09:54 +02002445show acl [[@<ver>] <acl>]
Willy Tarreaud6129fc2017-07-28 16:52:23 +02002446 Dump info about acl converters. Without argument, the list of all available
Willy Tarreau95f753e2021-04-30 12:09:54 +02002447 acls is returned. If a <acl> is specified, its contents are dumped. <acl> is
2448 the #<id> or <file>. By default the current version of the ACL is shown (the
2449 version currently being matched against and reported as 'curr_ver' in the ACL
2450 list). It is possible to instead dump other versions by prepending '@<ver>'
2451 before the ACL's identifier. The version works as a filter and non-existing
2452 versions will simply report no result. The dump format is the same as for the
2453 maps even for the sample values. The data returned are not a list of
2454 available ACL, but are the list of all patterns composing any ACL. Many of
Dragan Dosena75eea72021-05-21 16:59:15 +02002455 these patterns can be shared with maps. The 'entry_cnt' value represents the
2456 count of all the ACL entries, not just the active ones, which means that it
2457 also includes entries currently being added.
Willy Tarreaud6129fc2017-07-28 16:52:23 +02002458
2459show backend
2460 Dump the list of backends available in the running process
2461
William Lallemand67a234f2018-12-13 09:05:45 +01002462show cli level
2463 Display the CLI level of the current CLI session. The result could be
2464 'admin', 'operator' or 'user'. See also the 'operator' and 'user' commands.
2465
2466 Example :
2467
2468 $ socat /tmp/sock1 readline
2469 prompt
2470 > operator
2471 > show cli level
2472 operator
2473 > user
2474 > show cli level
2475 user
2476 > operator
2477 Permission denied
2478
2479operator
2480 Decrease the CLI level of the current CLI session to operator. It can't be
Amaury Denoyelle18487fb2021-03-18 15:32:53 +01002481 increased. It also drops expert and experimental mode. See also "show cli
2482 level".
William Lallemand67a234f2018-12-13 09:05:45 +01002483
2484user
2485 Decrease the CLI level of the current CLI session to user. It can't be
Amaury Denoyelle18487fb2021-03-18 15:32:53 +01002486 increased. It also drops expert and experimental mode. See also "show cli
2487 level".
William Lallemand67a234f2018-12-13 09:05:45 +01002488
Willy Tarreau4c356932019-05-16 17:39:32 +02002489show activity
2490 Reports some counters about internal events that will help developers and
2491 more generally people who know haproxy well enough to narrow down the causes
2492 of reports of abnormal behaviours. A typical example would be a properly
2493 running process never sleeping and eating 100% of the CPU. The output fields
2494 will be made of one line per metric, and per-thread counters on the same
Thayne McCombscdbcca92021-01-07 21:24:41 -07002495 line. These counters are 32-bit and will wrap during the process's life, which
Willy Tarreau4c356932019-05-16 17:39:32 +02002496 is not a problem since calls to this command will typically be performed
2497 twice. The fields are purposely not documented so that their exact meaning is
2498 verified in the code where the counters are fed. These values are also reset
2499 by the "clear counters" command.
2500
William Lallemand51132162016-12-16 16:38:58 +01002501show cli sockets
2502 List CLI sockets. The output format is composed of 3 fields separated by
2503 spaces. The first field is the socket address, it can be a unix socket, a
2504 ipv4 address:port couple or a ipv6 one. Socket of other types won't be dump.
2505 The second field describe the level of the socket: 'admin', 'user' or
2506 'operator'. The last field list the processes on which the socket is bound,
2507 separated by commas, it can be numbers or 'all'.
2508
2509 Example :
2510
2511 $ echo 'show cli sockets' | socat stdio /tmp/sock1
2512 # socket lvl processes
2513 /tmp/sock1 admin all
2514 127.0.0.1:9999 user 2,3,4
2515 127.0.0.2:9969 user 2
2516 [::1]:9999 operator 2
2517
William Lallemand86d0df02017-11-24 21:36:45 +01002518show cache
Cyril Bonté7b888f12017-11-26 22:24:31 +01002519 List the configured caches and the objects stored in each cache tree.
William Lallemand86d0df02017-11-24 21:36:45 +01002520
2521 $ echo 'show cache' | socat stdio /tmp/sock1
2522 0x7f6ac6c5b03a: foobar (shctx:0x7f6ac6c5b000, available blocks:3918)
2523 1 2 3 4
2524
2525 1. pointer to the cache structure
2526 2. cache name
2527 3. pointer to the mmap area (shctx)
2528 4. number of blocks available for reuse in the shctx
2529
Remi Tricot-Le Bretone3e1e5f2020-11-27 15:48:40 +01002530 0x7f6ac6c5b4cc hash:286881868 vary:0x0011223344556677 size:39114 (39 blocks), refcount:9, expire:237
2531 1 2 3 4 5 6 7
William Lallemand86d0df02017-11-24 21:36:45 +01002532
2533 1. pointer to the cache entry
2534 2. first 32 bits of the hash
Remi Tricot-Le Bretone3e1e5f2020-11-27 15:48:40 +01002535 3. secondary hash of the entry in case of vary
2536 4. size of the object in bytes
2537 5. number of blocks used for the object
2538 6. number of transactions using the entry
2539 7. expiration time, can be negative if already expired
William Lallemand86d0df02017-11-24 21:36:45 +01002540
Willy Tarreauae795722016-02-16 11:27:28 +01002541show env [<name>]
2542 Dump one or all environment variables known by the process. Without any
2543 argument, all variables are dumped. With an argument, only the specified
2544 variable is dumped if it exists. Otherwise "Variable not found" is emitted.
2545 Variables are dumped in the same format as they are stored or returned by the
2546 "env" utility, that is, "<name>=<value>". This can be handy when debugging
2547 certain configuration files making heavy use of environment variables to
2548 ensure that they contain the expected values. This command is restricted and
2549 can only be issued on sockets configured for levels "operator" or "admin".
2550
Willy Tarreau35069f82016-11-25 09:16:37 +01002551show errors [<iid>|<proxy>] [request|response]
Willy Tarreau44aed902015-10-13 14:45:29 +02002552 Dump last known request and response errors collected by frontends and
2553 backends. If <iid> is specified, the limit the dump to errors concerning
Willy Tarreau234ba2d2016-11-25 08:39:10 +01002554 either frontend or backend whose ID is <iid>. Proxy ID "-1" will cause
2555 all instances to be dumped. If a proxy name is specified instead, its ID
Willy Tarreau35069f82016-11-25 09:16:37 +01002556 will be used as the filter. If "request" or "response" is added after the
2557 proxy name or ID, only request or response errors will be dumped. This
2558 command is restricted and can only be issued on sockets configured for
2559 levels "operator" or "admin".
Willy Tarreau44aed902015-10-13 14:45:29 +02002560
2561 The errors which may be collected are the last request and response errors
2562 caused by protocol violations, often due to invalid characters in header
2563 names. The report precisely indicates what exact character violated the
2564 protocol. Other important information such as the exact date the error was
2565 detected, frontend and backend names, the server name (when known), the
2566 internal session ID and the source address which has initiated the session
2567 are reported too.
2568
2569 All characters are returned, and non-printable characters are encoded. The
2570 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
2571 letter following a backslash. The backslash itself is encoded as '\\' to
2572 avoid confusion. Other non-printable characters are encoded '\xNN' where
2573 NN is the two-digits hexadecimal representation of the character's ASCII
2574 code.
2575
2576 Lines are prefixed with the position of their first character, starting at 0
2577 for the beginning of the buffer. At most one input line is printed per line,
2578 and large lines will be broken into multiple consecutive output lines so that
2579 the output never goes beyond 79 characters wide. It is easy to detect if a
2580 line was broken, because it will not end with '\n' and the next line's offset
2581 will be followed by a '+' sign, indicating it is a continuation of previous
2582 line.
2583
2584 Example :
Willy Tarreau35069f82016-11-25 09:16:37 +01002585 $ echo "show errors -1 response" | socat stdio /tmp/sock1
Willy Tarreau44aed902015-10-13 14:45:29 +02002586 >>> [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
2587 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
2588 response length 213 bytes, error at position 23:
2589
2590 00000 HTTP/1.0 200 OK\r\n
2591 00017 header/bizarre:blah\r\n
2592 00038 Location: blah\r\n
2593 00054 Long-line: this is a very long line which should b
2594 00104+ e broken into multiple lines on the output buffer,
2595 00154+ otherwise it would be too large to print in a ter
2596 00204+ minal\r\n
2597 00211 \r\n
2598
2599 In the example above, we see that the backend "http-in" which has internal
2600 ID 2 has blocked an invalid response from its server s2 which has internal
2601 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
2602 received by frontend fe-eth0 whose ID is 1. The total response length was
2603 213 bytes when the error was detected, and the error was at byte 23. This
2604 is the slash ('/') in header name "header/bizarre", which is not a valid
2605 HTTP character for a header name.
2606
Willy Tarreau1d181e42019-08-30 11:17:01 +02002607show events [<sink>] [-w] [-n]
Willy Tarreau9f830d72019-08-26 18:17:04 +02002608 With no option, this lists all known event sinks and their types. With an
2609 option, it will dump all available events in the designated sink if it is of
Willy Tarreau1d181e42019-08-30 11:17:01 +02002610 type buffer. If option "-w" is passed after the sink name, then once the end
2611 of the buffer is reached, the command will wait for new events and display
2612 them. It is possible to stop the operation by entering any input (which will
2613 be discarded) or by closing the session. Finally, option "-n" is used to
2614 directly seek to the end of the buffer, which is often convenient when
2615 combined with "-w" to only report new events. For convenience, "-wn" or "-nw"
2616 may be used to enable both options at once.
Willy Tarreau9f830d72019-08-26 18:17:04 +02002617
Willy Tarreau7a4a0ac2017-07-25 19:32:50 +02002618show fd [<fd>]
2619 Dump the list of either all open file descriptors or just the one number <fd>
2620 if specified. This is only aimed at developers who need to observe internal
2621 states in order to debug complex issues such as abnormal CPU usages. One fd
2622 is reported per lines, and for each of them, its state in the poller using
2623 upper case letters for enabled flags and lower case for disabled flags, using
2624 "P" for "polled", "R" for "ready", "A" for "active", the events status using
2625 "H" for "hangup", "E" for "error", "O" for "output", "P" for "priority" and
2626 "I" for "input", a few other flags like "N" for "new" (just added into the fd
2627 cache), "U" for "updated" (received an update in the fd cache), "L" for
2628 "linger_risk", "C" for "cloned", then the cached entry position, the pointer
2629 to the internal owner, the pointer to the I/O callback and its name when
2630 known. When the owner is a connection, the connection flags, and the target
2631 are reported (frontend, proxy or server). When the owner is a listener, the
2632 listener's state and its frontend are reported. There is no point in using
2633 this command without a good knowledge of the internals. It's worth noting
2634 that the output format may evolve over time so this output must not be parsed
Willy Tarreau8050efe2021-01-21 08:26:06 +01002635 by tools designed to be durable. Some internal structure states may look
2636 suspicious to the function listing them, in this case the output line will be
2637 suffixed with an exclamation mark ('!'). This may help find a starting point
2638 when trying to diagnose an incident.
Willy Tarreau7a4a0ac2017-07-25 19:32:50 +02002639
Willy Tarreau27456202021-05-08 07:54:24 +02002640show info [typed|json] [desc] [float]
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002641 Dump info about haproxy status on current process. If "typed" is passed as an
2642 optional argument, field numbers, names and types are emitted as well so that
2643 external monitoring products can easily retrieve, possibly aggregate, then
2644 report information found in fields they don't know. Each field is dumped on
Simon Horman05ee2132017-01-04 09:37:25 +01002645 its own line. If "json" is passed as an optional argument then
2646 information provided by "typed" output is provided in JSON format as a
2647 list of JSON objects. By default, the format contains only two columns
2648 delimited by a colon (':'). The left one is the field name and the right
2649 one is the value. It is very important to note that in typed output
2650 format, the dump for a single object is contiguous so that there is no
Willy Tarreau27456202021-05-08 07:54:24 +02002651 need for a consumer to store everything at once. If "float" is passed as an
2652 optional argument, some fields usually emitted as integers may switch to
2653 floats for higher accuracy. It is purposely unspecified which ones are
2654 concerned as this might evolve over time. Using this option implies that the
2655 consumer is able to process floats. The output format used is sprintf("%f").
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002656
2657 When using the typed output format, each line is made of 4 columns delimited
2658 by colons (':'). The first column is a dot-delimited series of 3 elements. The
2659 first element is the numeric position of the field in the list (starting at
2660 zero). This position shall not change over time, but holes are to be expected,
2661 depending on build options or if some fields are deleted in the future. The
2662 second element is the field name as it appears in the default "show info"
2663 output. The third element is the relative process number starting at 1.
2664
2665 The rest of the line starting after the first colon follows the "typed output
2666 format" described in the section above. In short, the second column (after the
2667 first ':') indicates the origin, nature and scope of the variable. The third
2668 column indicates the type of the field, among "s32", "s64", "u32", "u64" and
2669 "str". Then the fourth column is the value itself, which the consumer knows
2670 how to parse thanks to column 3 and how to process thanks to column 2.
2671
2672 Thus the overall line format in typed mode is :
2673
2674 <field_pos>.<field_name>.<process_num>:<tags>:<type>:<value>
2675
Willy Tarreau6b19b142019-10-09 15:44:21 +02002676 When "desc" is appended to the command, one extra colon followed by a quoted
2677 string is appended with a description for the metric. At the time of writing,
2678 this is only supported for the "typed" and default output formats.
2679
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002680 Example :
2681
2682 > show info
2683 Name: HAProxy
2684 Version: 1.7-dev1-de52ea-146
2685 Release_date: 2016/03/11
2686 Nbproc: 1
2687 Process_num: 1
2688 Pid: 28105
2689 Uptime: 0d 0h00m04s
2690 Uptime_sec: 4
2691 Memmax_MB: 0
2692 PoolAlloc_MB: 0
2693 PoolUsed_MB: 0
2694 PoolFailed: 0
2695 (...)
2696
2697 > show info typed
2698 0.Name.1:POS:str:HAProxy
2699 1.Version.1:POS:str:1.7-dev1-de52ea-146
2700 2.Release_date.1:POS:str:2016/03/11
2701 3.Nbproc.1:CGS:u32:1
2702 4.Process_num.1:KGP:u32:1
2703 5.Pid.1:SGP:u32:28105
2704 6.Uptime.1:MDP:str:0d 0h00m08s
2705 7.Uptime_sec.1:MDP:u32:8
2706 8.Memmax_MB.1:CLP:u32:0
2707 9.PoolAlloc_MB.1:MGP:u32:0
2708 10.PoolUsed_MB.1:MGP:u32:0
2709 11.PoolFailed.1:MCP:u32:0
2710 (...)
2711
Simon Horman1084a362016-11-21 17:00:24 +01002712 In the typed format, the presence of the process ID at the end of the
2713 first column makes it very easy to visually aggregate outputs from
2714 multiple processes.
Willy Tarreau5d8b9792016-03-11 11:09:34 +01002715 Example :
2716
2717 $ ( echo show info typed | socat /var/run/haproxy.sock1 ; \
2718 echo show info typed | socat /var/run/haproxy.sock2 ) | \
2719 sort -t . -k 1,1n -k 2,2 -k 3,3n
2720 0.Name.1:POS:str:HAProxy
2721 0.Name.2:POS:str:HAProxy
2722 1.Version.1:POS:str:1.7-dev1-868ab3-148
2723 1.Version.2:POS:str:1.7-dev1-868ab3-148
2724 2.Release_date.1:POS:str:2016/03/11
2725 2.Release_date.2:POS:str:2016/03/11
2726 3.Nbproc.1:CGS:u32:2
2727 3.Nbproc.2:CGS:u32:2
2728 4.Process_num.1:KGP:u32:1
2729 4.Process_num.2:KGP:u32:2
2730 5.Pid.1:SGP:u32:30120
2731 5.Pid.2:SGP:u32:30121
2732 6.Uptime.1:MDP:str:0d 0h01m28s
2733 6.Uptime.2:MDP:str:0d 0h01m28s
2734 (...)
Willy Tarreau44aed902015-10-13 14:45:29 +02002735
Simon Horman05ee2132017-01-04 09:37:25 +01002736 The format of JSON output is described in a schema which may be output
Simon Horman6f6bb382017-01-04 09:37:26 +01002737 using "show schema json".
Simon Horman05ee2132017-01-04 09:37:25 +01002738
2739 The JSON output contains no extra whitespace in order to reduce the
2740 volume of output. For human consumption passing the output through a
2741 pretty printer may be helpful. Example :
2742
2743 $ echo "show info json" | socat /var/run/haproxy.sock stdio | \
2744 python -m json.tool
2745
Simon Horman6f6bb382017-01-04 09:37:26 +01002746 The JSON output contains no extra whitespace in order to reduce the
2747 volume of output. For human consumption passing the output through a
2748 pretty printer may be helpful. Example :
2749
2750 $ echo "show info json" | socat /var/run/haproxy.sock stdio | \
2751 python -m json.tool
2752
Willy Tarreau6ab7b212021-12-28 09:57:10 +01002753show libs
2754 Dump the list of loaded shared dynamic libraries and object files, on systems
2755 that support it. When available, for each shared object the range of virtual
2756 addresses will be indicated, the size and the path to the object. This can be
2757 used for example to try to estimate what library provides a function that
2758 appears in a dump. Note that on many systems, addresses will change upon each
2759 restart (address space randomization), so that this list would need to be
2760 retrieved upon startup if it is expected to be used to analyse a core file.
2761 This command may only be issued on sockets configured for levels "operator"
2762 or "admin". Note that the output format may vary between operating systems,
2763 architectures and even haproxy versions, and ought not to be relied on in
2764 scripts.
2765
Willy Tarreau95f753e2021-04-30 12:09:54 +02002766show map [[@<ver>] <map>]
Willy Tarreau44aed902015-10-13 14:45:29 +02002767 Dump info about map converters. Without argument, the list of all available
2768 maps is returned. If a <map> is specified, its contents are dumped. <map> is
Willy Tarreau95f753e2021-04-30 12:09:54 +02002769 the #<id> or <file>. By default the current version of the map is shown (the
2770 version currently being matched against and reported as 'curr_ver' in the map
2771 list). It is possible to instead dump other versions by prepending '@<ver>'
2772 before the map's identifier. The version works as a filter and non-existing
Dragan Dosena75eea72021-05-21 16:59:15 +02002773 versions will simply report no result. The 'entry_cnt' value represents the
2774 count of all the map entries, not just the active ones, which means that it
2775 also includes entries currently being added.
Willy Tarreau95f753e2021-04-30 12:09:54 +02002776
2777 In the output, the first column is a unique entry identifier, which is usable
2778 as a reference for operations "del map" and "set map". The second column is
Willy Tarreau44aed902015-10-13 14:45:29 +02002779 the pattern and the third column is the sample if available. The data returned
2780 are not directly a list of available maps, but are the list of all patterns
2781 composing any map. Many of these patterns can be shared with ACL.
2782
Willy Tarreau49962b52021-02-12 16:56:22 +01002783show peers [dict|-] [<peers section>]
Frédéric Lécaille21dde502019-04-15 13:50:23 +02002784 Dump info about the peers configured in "peers" sections. Without argument,
2785 the list of the peers belonging to all the "peers" sections are listed. If
2786 <peers section> is specified, only the information about the peers belonging
Willy Tarreau49962b52021-02-12 16:56:22 +01002787 to this "peers" section are dumped. When "dict" is specified before the peers
2788 section name, the entire Tx/Rx dictionary caches will also be dumped (very
2789 large). Passing "-" may be required to dump a peers section called "dict".
Frédéric Lécaille21dde502019-04-15 13:50:23 +02002790
Michael Prokop4438c602019-05-24 10:25:45 +02002791 Here are two examples of outputs where hostA, hostB and hostC peers belong to
Frédéric Lécaille21dde502019-04-15 13:50:23 +02002792 "sharedlb" peers sections. Only hostA and hostB are connected. Only hostA has
2793 sent data to hostB.
2794
2795 $ echo "show peers" | socat - /tmp/hostA
2796 0x55deb0224320: [15/Apr/2019:11:28:01] id=sharedlb state=0 flags=0x3 \
Emeric Brun0bbec0f2019-04-18 11:39:43 +02002797 resync_timeout=<PAST> task_calls=45122
Frédéric Lécaille21dde502019-04-15 13:50:23 +02002798 0x55deb022b540: id=hostC(remote) addr=127.0.0.12:10002 status=CONN \
2799 reconnect=4s confirm=0
2800 flags=0x0
2801 0x55deb022a440: id=hostA(local) addr=127.0.0.10:10000 status=NONE \
2802 reconnect=<NEVER> confirm=0
2803 flags=0x0
2804 0x55deb0227d70: id=hostB(remote) addr=127.0.0.11:10001 status=ESTA
2805 reconnect=2s confirm=0
Emeric Brun0bbec0f2019-04-18 11:39:43 +02002806 flags=0x20000200 appctx:0x55deb028fba0 st0=7 st1=0 task_calls=14456 \
2807 state=EST
Frédéric Lécaille21dde502019-04-15 13:50:23 +02002808 xprt=RAW src=127.0.0.1:37257 addr=127.0.0.10:10000
2809 remote_table:0x55deb0224a10 id=stkt local_id=1 remote_id=1
2810 last_local_table:0x55deb0224a10 id=stkt local_id=1 remote_id=1
2811 shared tables:
2812 0x55deb0224a10 local_id=1 remote_id=1 flags=0x0 remote_data=0x65
2813 last_acked=0 last_pushed=3 last_get=0 teaching_origin=0 update=3
2814 table:0x55deb022d6a0 id=stkt update=3 localupdate=3 \
2815 commitupdate=3 syncing=0
2816
2817 $ echo "show peers" | socat - /tmp/hostB
2818 0x55871b5ab320: [15/Apr/2019:11:28:03] id=sharedlb state=0 flags=0x3 \
Emeric Brun0bbec0f2019-04-18 11:39:43 +02002819 resync_timeout=<PAST> task_calls=3
Frédéric Lécaille21dde502019-04-15 13:50:23 +02002820 0x55871b5b2540: id=hostC(remote) addr=127.0.0.12:10002 status=CONN \
2821 reconnect=3s confirm=0
2822 flags=0x0
2823 0x55871b5b1440: id=hostB(local) addr=127.0.0.11:10001 status=NONE \
2824 reconnect=<NEVER> confirm=0
2825 flags=0x0
2826 0x55871b5aed70: id=hostA(remote) addr=127.0.0.10:10000 status=ESTA \
2827 reconnect=2s confirm=0
Emeric Brun0bbec0f2019-04-18 11:39:43 +02002828 flags=0x20000200 appctx:0x7fa46800ee00 st0=7 st1=0 task_calls=62356 \
2829 state=EST
Frédéric Lécaille21dde502019-04-15 13:50:23 +02002830 remote_table:0x55871b5ab960 id=stkt local_id=1 remote_id=1
2831 last_local_table:0x55871b5ab960 id=stkt local_id=1 remote_id=1
2832 shared tables:
2833 0x55871b5ab960 local_id=1 remote_id=1 flags=0x0 remote_data=0x65
2834 last_acked=3 last_pushed=0 last_get=3 teaching_origin=0 update=0
2835 table:0x55871b5b46a0 id=stkt update=1 localupdate=0 \
2836 commitupdate=0 syncing=0
2837
Willy Tarreau44aed902015-10-13 14:45:29 +02002838show pools
2839 Dump the status of internal memory pools. This is useful to track memory
2840 usage when suspecting a memory leak for example. It does exactly the same
2841 as the SIGQUIT when running in foreground except that it does not flush
2842 the pools.
2843
Willy Tarreauf1c8a382021-05-13 10:00:17 +02002844show profiling [{all | status | tasks | memory}] [byaddr] [<max_lines>]
Willy Tarreau75c62c22018-11-22 11:02:09 +01002845 Dumps the current profiling settings, one per line, as well as the command
Willy Tarreau1bd67e92021-01-29 00:07:40 +01002846 needed to change them. When tasks profiling is enabled, some per-function
2847 statistics collected by the scheduler will also be emitted, with a summary
Willy Tarreau42712cb2021-05-05 17:48:13 +02002848 covering the number of calls, total/avg CPU time and total/avg latency. When
2849 memory profiling is enabled, some information such as the number of
2850 allocations/releases and their sizes will be reported. It is possible to
2851 limit the dump to only the profiling status, the tasks, or the memory
2852 profiling by specifying the respective keywords; by default all profiling
2853 information are dumped. It is also possible to limit the number of lines
Willy Tarreauf1c8a382021-05-13 10:00:17 +02002854 of output of each category by specifying a numeric limit. If is possible to
2855 request that the output is sorted by address instead of usage, e.g. to ease
2856 comparisons between subsequent calls. Please note that profiling is
2857 essentially aimed at developers since it gives hints about where CPU cycles
2858 or memory are wasted in the code. There is nothing useful to monitor there.
Willy Tarreau75c62c22018-11-22 11:02:09 +01002859
Willy Tarreau87ef3232021-01-29 12:01:46 +01002860show resolvers [<resolvers section id>]
2861 Dump statistics for the given resolvers section, or all resolvers sections
2862 if no section is supplied.
2863
2864 For each name server, the following counters are reported:
2865 sent: number of DNS requests sent to this server
2866 valid: number of DNS valid responses received from this server
2867 update: number of DNS responses used to update the server's IP address
2868 cname: number of CNAME responses
2869 cname_error: CNAME errors encountered with this server
2870 any_err: number of empty response (IE: server does not support ANY type)
2871 nx: non existent domain response received from this server
2872 timeout: how many time this server did not answer in time
2873 refused: number of requests refused by this server
2874 other: any other DNS errors
2875 invalid: invalid DNS response (from a protocol point of view)
2876 too_big: too big response
2877 outdated: number of response arrived too late (after an other name server)
2878
Willy Tarreau69f591e2020-07-01 07:00:59 +02002879show servers conn [<backend>]
2880 Dump the current and idle connections state of the servers belonging to the
2881 designated backend (or all backends if none specified). A backend name or
2882 identifier may be used.
2883
2884 The output consists in a header line showing the fields titles, then one
2885 server per line with for each, the backend name and ID, server name and ID,
2886 the address, port and a series or values. The number of fields varies
2887 depending on thread count.
2888
2889 Given the threaded nature of idle connections, it's important to understand
2890 that some values may change once read, and that as such, consistency within a
2891 line isn't granted. This output is mostly provided as a debugging tool and is
2892 not relevant to be routinely monitored nor graphed.
2893
Willy Tarreau44aed902015-10-13 14:45:29 +02002894show servers state [<backend>]
2895 Dump the state of the servers found in the running configuration. A backend
2896 name or identifier may be provided to limit the output to this backend only.
2897
2898 The dump has the following format:
2899 - first line contains the format version (1 in this specification);
2900 - second line contains the column headers, prefixed by a sharp ('#');
2901 - third line and next ones contain data;
2902 - each line starting by a sharp ('#') is considered as a comment.
2903
Dan Lloyd8e48b872016-07-01 21:01:18 -04002904 Since multiple versions of the output may co-exist, below is the list of
Willy Tarreau44aed902015-10-13 14:45:29 +02002905 fields and their order per file format version :
2906 1:
2907 be_id: Backend unique id.
2908 be_name: Backend label.
2909 srv_id: Server unique id (in the backend).
2910 srv_name: Server label.
2911 srv_addr: Server IP address.
2912 srv_op_state: Server operational state (UP/DOWN/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01002913 0 = SRV_ST_STOPPED
2914 The server is down.
2915 1 = SRV_ST_STARTING
2916 The server is warming up (up but
2917 throttled).
2918 2 = SRV_ST_RUNNING
2919 The server is fully up.
2920 3 = SRV_ST_STOPPING
2921 The server is up but soft-stopping
2922 (eg: 404).
Willy Tarreau44aed902015-10-13 14:45:29 +02002923 srv_admin_state: Server administrative state (MAINT/DRAIN/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01002924 The state is actually a mask of values :
2925 0x01 = SRV_ADMF_FMAINT
2926 The server was explicitly forced into
2927 maintenance.
2928 0x02 = SRV_ADMF_IMAINT
2929 The server has inherited the maintenance
2930 status from a tracked server.
2931 0x04 = SRV_ADMF_CMAINT
2932 The server is in maintenance because of
2933 the configuration.
2934 0x08 = SRV_ADMF_FDRAIN
2935 The server was explicitly forced into
2936 drain state.
2937 0x10 = SRV_ADMF_IDRAIN
2938 The server has inherited the drain status
2939 from a tracked server.
Baptiste Assmann89aa7f32016-11-02 21:31:27 +01002940 0x20 = SRV_ADMF_RMAINT
2941 The server is in maintenance because of an
2942 IP address resolution failure.
Frédéric Lécailleb418c122017-04-26 11:24:02 +02002943 0x40 = SRV_ADMF_HMAINT
2944 The server FQDN was set from stats socket.
2945
Willy Tarreau44aed902015-10-13 14:45:29 +02002946 srv_uweight: User visible server's weight.
2947 srv_iweight: Server's initial weight.
2948 srv_time_since_last_change: Time since last operational change.
2949 srv_check_status: Last health check status.
2950 srv_check_result: Last check result (FAILED/PASSED/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01002951 0 = CHK_RES_UNKNOWN
2952 Initialized to this by default.
2953 1 = CHK_RES_NEUTRAL
2954 Valid check but no status information.
2955 2 = CHK_RES_FAILED
2956 Check failed.
2957 3 = CHK_RES_PASSED
2958 Check succeeded and server is fully up
2959 again.
2960 4 = CHK_RES_CONDPASS
2961 Check reports the server doesn't want new
2962 sessions.
Willy Tarreau44aed902015-10-13 14:45:29 +02002963 srv_check_health: Checks rise / fall current counter.
2964 srv_check_state: State of the check (ENABLED/PAUSED/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01002965 The state is actually a mask of values :
2966 0x01 = CHK_ST_INPROGRESS
2967 A check is currently running.
2968 0x02 = CHK_ST_CONFIGURED
2969 This check is configured and may be
2970 enabled.
2971 0x04 = CHK_ST_ENABLED
2972 This check is currently administratively
2973 enabled.
2974 0x08 = CHK_ST_PAUSED
2975 Checks are paused because of maintenance
2976 (health only).
Willy Tarreau44aed902015-10-13 14:45:29 +02002977 srv_agent_state: State of the agent check (ENABLED/PAUSED/...).
Cyril Bonté5b2ce8a2016-11-02 00:19:58 +01002978 This state uses the same mask values as
2979 "srv_check_state", adding this specific one :
2980 0x10 = CHK_ST_AGENT
2981 Check is an agent check (otherwise it's a
2982 health check).
Willy Tarreau44aed902015-10-13 14:45:29 +02002983 bk_f_forced_id: Flag to know if the backend ID is forced by
2984 configuration.
2985 srv_f_forced_id: Flag to know if the server's ID is forced by
2986 configuration.
Frédéric Lécailleb418c122017-04-26 11:24:02 +02002987 srv_fqdn: Server FQDN.
Frédéric Lécaille31694712017-08-01 08:47:19 +02002988 srv_port: Server port.
Baptiste Assmann6d0f38f2018-07-02 17:00:54 +02002989 srvrecord: DNS SRV record associated to this SRV.
William Dauchyf6370442020-11-14 19:25:33 +01002990 srv_use_ssl: use ssl for server connections.
William Dauchyd1a7b852021-02-11 22:51:26 +01002991 srv_check_port: Server health check port.
2992 srv_check_addr: Server health check address.
2993 srv_agent_addr: Server health agent address.
2994 srv_agent_port: Server health agent port.
Willy Tarreau44aed902015-10-13 14:45:29 +02002995
2996show sess
2997 Dump all known sessions. Avoid doing this on slow connections as this can
2998 be huge. This command is restricted and can only be issued on sockets
Willy Tarreauc6e7a1b2020-06-28 01:24:12 +02002999 configured for levels "operator" or "admin". Note that on machines with
3000 quickly recycled connections, it is possible that this output reports less
3001 entries than really exist because it will dump all existing sessions up to
3002 the last one that was created before the command was entered; those which
3003 die in the mean time will not appear.
Willy Tarreau44aed902015-10-13 14:45:29 +02003004
3005show sess <id>
3006 Display a lot of internal information about the specified session identifier.
3007 This identifier is the first field at the beginning of the lines in the dumps
3008 of "show sess" (it corresponds to the session pointer). Those information are
3009 useless to most users but may be used by haproxy developers to troubleshoot a
3010 complex bug. The output format is intentionally not documented so that it can
3011 freely evolve depending on demands. You may find a description of all fields
3012 returned in src/dumpstats.c
3013
3014 The special id "all" dumps the states of all sessions, which must be avoided
3015 as much as possible as it is highly CPU intensive and can take a lot of time.
3016
Daniel Corbettc40edac2020-11-01 10:54:17 -05003017show stat [domain <dns|proxy>] [{<iid>|<proxy>} <type> <sid>] [typed|json] \
Willy Tarreau698097b2020-10-23 20:19:47 +02003018 [desc] [up|no-maint]
Daniel Corbettc40edac2020-11-01 10:54:17 -05003019 Dump statistics. The domain is used to select which statistics to print; dns
3020 and proxy are available for now. By default, the CSV format is used; you can
Amaury Denoyelle072f97e2020-10-05 11:49:37 +02003021 activate the extended typed output format described in the section above if
3022 "typed" is passed after the other arguments; or in JSON if "json" is passed
3023 after the other arguments. By passing <id>, <type> and <sid>, it is possible
3024 to dump only selected items :
Willy Tarreaua1b1ed52016-11-25 08:50:58 +01003025 - <iid> is a proxy ID, -1 to dump everything. Alternatively, a proxy name
3026 <proxy> may be specified. In this case, this proxy's ID will be used as
3027 the ID selector.
Willy Tarreau44aed902015-10-13 14:45:29 +02003028 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
3029 backends, 4 for servers, -1 for everything. These values can be ORed,
3030 for example:
3031 1 + 2 = 3 -> frontend + backend.
3032 1 + 2 + 4 = 7 -> frontend + backend + server.
3033 - <sid> is a server ID, -1 to dump everything from the selected proxy.
3034
3035 Example :
3036 $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1
3037 >>> Name: HAProxy
3038 Version: 1.4-dev2-49
3039 Release_date: 2009/09/23
3040 Nbproc: 1
3041 Process_num: 1
3042 (...)
3043
3044 # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...)
3045 stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...)
3046 stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...)
3047 (...)
3048 www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...)
3049
3050 $
3051
Willy Tarreau5d8b9792016-03-11 11:09:34 +01003052 In this example, two commands have been issued at once. That way it's easy to
3053 find which process the stats apply to in multi-process mode. This is not
3054 needed in the typed output format as the process number is reported on each
3055 line. Notice the empty line after the information output which marks the end
3056 of the first block. A similar empty line appears at the end of the second
3057 block (stats) so that the reader knows the output has not been truncated.
3058
3059 When "typed" is specified, the output format is more suitable to monitoring
3060 tools because it provides numeric positions and indicates the type of each
3061 output field. Each value stands on its own line with process number, element
3062 number, nature, origin and scope. This same format is available via the HTTP
3063 stats by passing ";typed" after the URI. It is very important to note that in
Dan Lloyd8e48b872016-07-01 21:01:18 -04003064 typed output format, the dump for a single object is contiguous so that there
Willy Tarreau5d8b9792016-03-11 11:09:34 +01003065 is no need for a consumer to store everything at once.
3066
Willy Tarreau698097b2020-10-23 20:19:47 +02003067 The "up" modifier will result in listing only servers which reportedly up or
3068 not checked. Those down, unresolved, or in maintenance will not be listed.
3069 This is analogous to the ";up" option on the HTTP stats. Similarly, the
3070 "no-maint" modifier will act like the ";no-maint" HTTP modifier and will
3071 result in disabled servers not to be listed. The difference is that those
3072 which are enabled but down will not be evicted.
3073
Willy Tarreau5d8b9792016-03-11 11:09:34 +01003074 When using the typed output format, each line is made of 4 columns delimited
3075 by colons (':'). The first column is a dot-delimited series of 5 elements. The
3076 first element is a letter indicating the type of the object being described.
3077 At the moment the following object types are known : 'F' for a frontend, 'B'
3078 for a backend, 'L' for a listener, and 'S' for a server. The second element
3079 The second element is a positive integer representing the unique identifier of
3080 the proxy the object belongs to. It is equivalent to the "iid" column of the
3081 CSV output and matches the value in front of the optional "id" directive found
3082 in the frontend or backend section. The third element is a positive integer
3083 containing the unique object identifier inside the proxy, and corresponds to
3084 the "sid" column of the CSV output. ID 0 is reported when dumping a frontend
3085 or a backend. For a listener or a server, this corresponds to their respective
3086 ID inside the proxy. The fourth element is the numeric position of the field
3087 in the list (starting at zero). This position shall not change over time, but
3088 holes are to be expected, depending on build options or if some fields are
3089 deleted in the future. The fifth element is the field name as it appears in
3090 the CSV output. The sixth element is a positive integer and is the relative
3091 process number starting at 1.
3092
3093 The rest of the line starting after the first colon follows the "typed output
3094 format" described in the section above. In short, the second column (after the
3095 first ':') indicates the origin, nature and scope of the variable. The third
Willy Tarreau589722e2021-05-08 07:46:44 +02003096 column indicates the field type, among "s32", "s64", "u32", "u64", "flt' and
Willy Tarreau5d8b9792016-03-11 11:09:34 +01003097 "str". Then the fourth column is the value itself, which the consumer knows
3098 how to parse thanks to column 3 and how to process thanks to column 2.
3099
Willy Tarreau6b19b142019-10-09 15:44:21 +02003100 When "desc" is appended to the command, one extra colon followed by a quoted
3101 string is appended with a description for the metric. At the time of writing,
3102 this is only supported for the "typed" output format.
3103
Willy Tarreau5d8b9792016-03-11 11:09:34 +01003104 Thus the overall line format in typed mode is :
3105
3106 <obj>.<px_id>.<id>.<fpos>.<fname>.<process_num>:<tags>:<type>:<value>
3107
3108 Here's an example of typed output format :
3109
3110 $ echo "show stat typed" | socat stdio unix-connect:/tmp/sock1
3111 F.2.0.0.pxname.1:MGP:str:private-frontend
3112 F.2.0.1.svname.1:MGP:str:FRONTEND
3113 F.2.0.8.bin.1:MGP:u64:0
3114 F.2.0.9.bout.1:MGP:u64:0
3115 F.2.0.40.hrsp_2xx.1:MGP:u64:0
3116 L.2.1.0.pxname.1:MGP:str:private-frontend
3117 L.2.1.1.svname.1:MGP:str:sock-1
3118 L.2.1.17.status.1:MGP:str:OPEN
3119 L.2.1.73.addr.1:MGP:str:0.0.0.0:8001
3120 S.3.13.60.rtime.1:MCP:u32:0
3121 S.3.13.61.ttime.1:MCP:u32:0
3122 S.3.13.62.agent_status.1:MGP:str:L4TOUT
3123 S.3.13.64.agent_duration.1:MGP:u64:2001
3124 S.3.13.65.check_desc.1:MCP:str:Layer4 timeout
3125 S.3.13.66.agent_desc.1:MCP:str:Layer4 timeout
3126 S.3.13.67.check_rise.1:MCP:u32:2
3127 S.3.13.68.check_fall.1:MCP:u32:3
3128 S.3.13.69.check_health.1:SGP:u32:0
3129 S.3.13.70.agent_rise.1:MaP:u32:1
3130 S.3.13.71.agent_fall.1:SGP:u32:1
3131 S.3.13.72.agent_health.1:SGP:u32:1
3132 S.3.13.73.addr.1:MCP:str:1.255.255.255:8888
3133 S.3.13.75.mode.1:MAP:str:http
3134 B.3.0.0.pxname.1:MGP:str:private-backend
3135 B.3.0.1.svname.1:MGP:str:BACKEND
3136 B.3.0.2.qcur.1:MGP:u32:0
3137 B.3.0.3.qmax.1:MGP:u32:0
3138 B.3.0.4.scur.1:MGP:u32:0
3139 B.3.0.5.smax.1:MGP:u32:0
3140 B.3.0.6.slim.1:MGP:u32:1000
3141 B.3.0.55.lastsess.1:MMP:s32:-1
3142 (...)
3143
Simon Horman1084a362016-11-21 17:00:24 +01003144 In the typed format, the presence of the process ID at the end of the
3145 first column makes it very easy to visually aggregate outputs from
3146 multiple processes, as show in the example below where each line appears
3147 for each process :
Willy Tarreau5d8b9792016-03-11 11:09:34 +01003148
3149 $ ( echo show stat typed | socat /var/run/haproxy.sock1 - ; \
3150 echo show stat typed | socat /var/run/haproxy.sock2 - ) | \
3151 sort -t . -k 1,1 -k 2,2n -k 3,3n -k 4,4n -k 5,5 -k 6,6n
3152 B.3.0.0.pxname.1:MGP:str:private-backend
3153 B.3.0.0.pxname.2:MGP:str:private-backend
3154 B.3.0.1.svname.1:MGP:str:BACKEND
3155 B.3.0.1.svname.2:MGP:str:BACKEND
3156 B.3.0.2.qcur.1:MGP:u32:0
3157 B.3.0.2.qcur.2:MGP:u32:0
3158 B.3.0.3.qmax.1:MGP:u32:0
3159 B.3.0.3.qmax.2:MGP:u32:0
3160 B.3.0.4.scur.1:MGP:u32:0
3161 B.3.0.4.scur.2:MGP:u32:0
3162 B.3.0.5.smax.1:MGP:u32:0
3163 B.3.0.5.smax.2:MGP:u32:0
3164 B.3.0.6.slim.1:MGP:u32:1000
3165 B.3.0.6.slim.2:MGP:u32:1000
3166 (...)
Willy Tarreau44aed902015-10-13 14:45:29 +02003167
Simon Horman05ee2132017-01-04 09:37:25 +01003168 The format of JSON output is described in a schema which may be output
Simon Horman6f6bb382017-01-04 09:37:26 +01003169 using "show schema json".
3170
3171 The JSON output contains no extra whitespace in order to reduce the
3172 volume of output. For human consumption passing the output through a
3173 pretty printer may be helpful. Example :
3174
3175 $ echo "show stat json" | socat /var/run/haproxy.sock stdio | \
3176 python -m json.tool
Simon Horman05ee2132017-01-04 09:37:25 +01003177
3178 The JSON output contains no extra whitespace in order to reduce the
3179 volume of output. For human consumption passing the output through a
3180 pretty printer may be helpful. Example :
3181
3182 $ echo "show stat json" | socat /var/run/haproxy.sock stdio | \
3183 python -m json.tool
3184
Remi Tricot-Le Bretone88a2ca2021-04-08 15:30:23 +02003185show ssl ca-file [<cafile>[:<index>]]
3186 Display the list of CA files used by HAProxy and their respective certificate
3187 counts. If a filename is prefixed by an asterisk, it is a transaction which
3188 is not committed yet. If a <cafile> is specified without <index>, it will show
3189 the status of the CA file ("Used"/"Unused") followed by details about all the
3190 certificates contained in the CA file. The details displayed for every
3191 certificate are the same as the ones displayed by a "show ssl cert" command.
3192 If a <cafile> is specified followed by an <index>, it will only display the
3193 details of the certificate having the specified index. Indexes start from 1.
3194 If the index is invalid (too big for instance), nothing will be displayed.
3195 This command can be useful to check if a CA file was properly updated.
3196 You can also display the details of an ongoing transaction by prefixing the
3197 filename by an asterisk.
3198
3199 Example :
3200
3201 $ echo "show ssl ca-file" | socat /var/run/haproxy.master -
3202 # transaction
3203 *cafile.crt - 2 certificate(s)
3204 # filename
3205 cafile.crt - 1 certificate(s)
3206
3207 $ echo "show ssl ca-file cafile.crt" | socat /var/run/haproxy.master -
3208 Filename: /home/tricot/work/haproxy/reg-tests/ssl/set_cafile_ca2.crt
3209 Status: Used
3210
3211 Certificate #1:
3212 Serial: 11A4D2200DC84376E7D233CAFF39DF44BF8D1211
3213 notBefore: Apr 1 07:40:53 2021 GMT
3214 notAfter: Aug 17 07:40:53 2048 GMT
3215 Subject Alternative Name:
3216 Algorithm: RSA4096
3217 SHA1 FingerPrint: A111EF0FEFCDE11D47FE3F33ADCA8435EBEA4864
3218 Subject: /C=FR/ST=Some-State/O=HAProxy Technologies/CN=HAProxy Technologies CA
3219 Issuer: /C=FR/ST=Some-State/O=HAProxy Technologies/CN=HAProxy Technologies CA
3220
3221 $ echo "show ssl ca-file *cafile.crt:2" | socat /var/run/haproxy.master -
3222 Filename: */home/tricot/work/haproxy/reg-tests/ssl/set_cafile_ca2.crt
3223 Status: Unused
3224
3225 Certificate #2:
3226 Serial: 587A1CE5ED855040A0C82BF255FF300ADB7C8136
3227 [...]
3228
William Lallemandd4f946c2019-12-05 10:26:40 +01003229show ssl cert [<filename>]
Remi Tricot-Le Bretonb5f0fac2021-04-14 16:19:29 +02003230 Display the list of certificates used on frontends and backends.
3231 If a filename is prefixed by an asterisk, it is a transaction which is not
3232 committed yet. If a filename is specified, it will show details about the
3233 certificate. This command can be useful to check if a certificate was well
3234 updated. You can also display details on a transaction by prefixing the
3235 filename by an asterisk.
Remi Tricot-Le Breton6056e612021-06-10 13:51:15 +02003236 This command can also be used to display the details of a certificate's OCSP
3237 response by suffixing the filename with a ".ocsp" extension. It works for
3238 committed certificates as well as for ongoing transactions. On a committed
3239 certificate, this command is equivalent to calling "show ssl ocsp-response"
3240 with the certificate's corresponding OCSP response ID.
William Lallemandd4f946c2019-12-05 10:26:40 +01003241
3242 Example :
3243
3244 $ echo "@1 show ssl cert" | socat /var/run/haproxy.master -
3245 # transaction
3246 *test.local.pem
3247 # filename
3248 test.local.pem
3249
3250 $ echo "@1 show ssl cert test.local.pem" | socat /var/run/haproxy.master -
3251 Filename: test.local.pem
3252 Serial: 03ECC19BA54B25E85ABA46EE561B9A10D26F
3253 notBefore: Sep 13 21:20:24 2019 GMT
3254 notAfter: Dec 12 21:20:24 2019 GMT
3255 Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
3256 Subject: /CN=test.local
3257 Subject Alternative Name: DNS:test.local, DNS:imap.test.local
3258 Algorithm: RSA2048
3259 SHA1 FingerPrint: 417A11CAE25F607B24F638B4A8AEE51D1E211477
3260
3261 $ echo "@1 show ssl cert *test.local.pem" | socat /var/run/haproxy.master -
3262 Filename: *test.local.pem
3263 [...]
3264
Remi Tricot-Le Breton3c222bd2021-04-27 16:28:25 +02003265show ssl crl-file [<crlfile>[:<index>]]
3266 Display the list of CRL files used by HAProxy.
3267 If a filename is prefixed by an asterisk, it is a transaction which is not
3268 committed yet. If a <crlfile> is specified without <index>, it will show the
3269 status of the CRL file ("Used"/"Unused") followed by details about all the
3270 Revocation Lists contained in the CRL file. The details displayed for every
3271 list are based on the output of "openssl crl -text -noout -in <file>".
3272 If a <crlfile> is specified followed by an <index>, it will only display the
3273 details of the list having the specified index. Indexes start from 1.
3274 If the index is invalid (too big for instance), nothing will be displayed.
3275 This command can be useful to check if a CRL file was properly updated.
3276 You can also display the details of an ongoing transaction by prefixing the
3277 filename by an asterisk.
3278
3279 Example :
3280
3281 $ echo "show ssl crl-file" | socat /var/run/haproxy.master -
3282 # transaction
3283 *crlfile.pem
3284 # filename
3285 crlfile.pem
3286
3287 $ echo "show ssl crl-file crlfile.pem" | socat /var/run/haproxy.master -
3288 Filename: /home/tricot/work/haproxy/reg-tests/ssl/crlfile.pem
3289 Status: Used
3290
3291 Certificate Revocation List #1:
3292 Version 1
3293 Signature Algorithm: sha256WithRSAEncryption
3294 Issuer: /C=FR/O=HAProxy Technologies/CN=Intermediate CA2
3295 Last Update: Apr 23 14:45:39 2021 GMT
3296 Next Update: Sep 8 14:45:39 2048 GMT
3297 Revoked Certificates:
3298 Serial Number: 1008
3299 Revocation Date: Apr 23 14:45:36 2021 GMT
3300
3301 Certificate Revocation List #2:
3302 Version 1
3303 Signature Algorithm: sha256WithRSAEncryption
3304 Issuer: /C=FR/O=HAProxy Technologies/CN=Root CA
3305 Last Update: Apr 23 14:30:44 2021 GMT
3306 Next Update: Sep 8 14:30:44 2048 GMT
3307 No Revoked Certificates.
3308
William Lallemandc69f02d2020-04-06 19:07:03 +02003309show ssl crt-list [-n] [<filename>]
William Lallemandaccac232020-04-02 17:42:51 +02003310 Display the list of crt-list and directories used in the HAProxy
William Lallemandc69f02d2020-04-06 19:07:03 +02003311 configuration. If a filename is specified, dump the content of a crt-list or
3312 a directory. Once dumped the output can be used as a crt-list file.
3313 The '-n' option can be used to display the line number, which is useful when
3314 combined with the 'del ssl crt-list' option when a entry is duplicated. The
3315 output with the '-n' option is not compatible with the crt-list format and
3316 not loadable by haproxy.
William Lallemandaccac232020-04-02 17:42:51 +02003317
3318 Example:
William Lallemandc69f02d2020-04-06 19:07:03 +02003319 echo "show ssl crt-list -n localhost.crt-list" | socat /tmp/sock1 -
William Lallemandaccac232020-04-02 17:42:51 +02003320 # localhost.crt-list
William Lallemandc69f02d2020-04-06 19:07:03 +02003321 common.pem:1 !not.test1.com *.test1.com !localhost
3322 common.pem:2
3323 ecdsa.pem:3 [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3] localhost !www.test1.com
3324 ecdsa.pem:4 [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3]
William Lallemandaccac232020-04-02 17:42:51 +02003325
Remi Tricot-Le Bretond92fd112021-06-10 13:51:13 +02003326show ssl ocsp-response [<id>]
3327 Display the IDs of the OCSP tree entries corresponding to all the OCSP
3328 responses used in HAProxy, as well as the issuer's name and key hash and the
3329 serial number of the certificate for which the OCSP response was built.
3330 If a valid <id> is provided, display the contents of the corresponding OCSP
3331 response. The information displayed is the same as in an "openssl ocsp -respin
3332 <ocsp-response> -text" call.
3333
3334 Example :
3335
3336 $ echo "show ssl ocsp-response" | socat /var/run/haproxy.master -
3337 # Certificate IDs
3338 Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a
3339 Certificate ID:
Remi Tricot-Le Bretond92fd112021-06-10 13:51:13 +02003340 Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A
3341 Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A
3342 Serial Number: 100A
3343
3344 $ echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a" | socat /var/run/haproxy.master -
3345 OCSP Response Data:
3346 OCSP Response Status: successful (0x0)
3347 Response Type: Basic OCSP Response
3348 Version: 1 (0x0)
3349 Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com
3350 Produced At: May 27 15:43:38 2021 GMT
3351 Responses:
3352 Certificate ID:
3353 Hash Algorithm: sha1
3354 Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A
3355 Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A
3356 Serial Number: 100A
3357 Cert Status: good
3358 This Update: May 27 15:43:38 2021 GMT
3359 Next Update: Oct 12 15:43:38 2048 GMT
3360 [...]
3361
Willy Tarreau44aed902015-10-13 14:45:29 +02003362show table
3363 Dump general information on all known stick-tables. Their name is returned
3364 (the name of the proxy which holds them), their type (currently zero, always
3365 IP), their size in maximum possible number of entries, and the number of
3366 entries currently in use.
3367
3368 Example :
3369 $ echo "show table" | socat stdio /tmp/sock1
3370 >>> # table: front_pub, type: ip, size:204800, used:171454
3371 >>> # table: back_rdp, type: ip, size:204800, used:0
3372
Adis Nezirovic1a693fc2020-01-16 15:19:29 +01003373show table <name> [ data.<type> <operator> <value> [data.<type> ...]] | [ key <key> ]
Willy Tarreau44aed902015-10-13 14:45:29 +02003374 Dump contents of stick-table <name>. In this mode, a first line of generic
3375 information about the table is reported as with "show table", then all
3376 entries are dumped. Since this can be quite heavy, it is possible to specify
3377 a filter in order to specify what entries to display.
3378
3379 When the "data." form is used the filter applies to the stored data (see
3380 "stick-table" in section 4.2). A stored data type must be specified
3381 in <type>, and this data type must be stored in the table otherwise an
3382 error is reported. The data is compared according to <operator> with the
3383 64-bit integer <value>. Operators are the same as with the ACLs :
3384
3385 - eq : match entries whose data is equal to this value
3386 - ne : match entries whose data is not equal to this value
3387 - le : match entries whose data is less than or equal to this value
3388 - ge : match entries whose data is greater than or equal to this value
3389 - lt : match entries whose data is less than this value
3390 - gt : match entries whose data is greater than this value
3391
Adis Nezirovic1a693fc2020-01-16 15:19:29 +01003392 In this form, you can use multiple data filter entries, up to a maximum
3393 defined during build time (4 by default).
Willy Tarreau44aed902015-10-13 14:45:29 +02003394
3395 When the key form is used the entry <key> is shown. The key must be of the
3396 same type as the table, which currently is limited to IPv4, IPv6, integer,
3397 and string.
3398
3399 Example :
3400 $ echo "show table http_proxy" | socat stdio /tmp/sock1
3401 >>> # table: http_proxy, type: ip, size:204800, used:2
3402 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
3403 bytes_out_rate(60000)=187
3404 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
3405 bytes_out_rate(60000)=191
3406
3407 $ echo "show table http_proxy data.gpc0 gt 0" | socat stdio /tmp/sock1
3408 >>> # table: http_proxy, type: ip, size:204800, used:2
3409 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
3410 bytes_out_rate(60000)=191
3411
3412 $ echo "show table http_proxy data.conn_rate gt 5" | \
3413 socat stdio /tmp/sock1
3414 >>> # table: http_proxy, type: ip, size:204800, used:2
3415 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
3416 bytes_out_rate(60000)=191
3417
3418 $ echo "show table http_proxy key 127.0.0.2" | \
3419 socat stdio /tmp/sock1
3420 >>> # table: http_proxy, type: ip, size:204800, used:2
3421 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
3422 bytes_out_rate(60000)=191
3423
3424 When the data criterion applies to a dynamic value dependent on time such as
3425 a bytes rate, the value is dynamically computed during the evaluation of the
3426 entry in order to decide whether it has to be dumped or not. This means that
3427 such a filter could match for some time then not match anymore because as
3428 time goes, the average event rate drops.
3429
3430 It is possible to use this to extract lists of IP addresses abusing the
3431 service, in order to monitor them or even blacklist them in a firewall.
3432 Example :
3433 $ echo "show table http_proxy data.gpc0 gt 0" \
3434 | socat stdio /tmp/sock1 \
3435 | fgrep 'key=' | cut -d' ' -f2 | cut -d= -f2 > abusers-ip.txt
3436 ( or | awk '/key/{ print a[split($2,a,"=")]; }' )
3437
Willy Tarreau7eff06e2021-01-29 11:32:55 +01003438show tasks
3439 Dumps the number of tasks currently in the run queue, with the number of
3440 occurrences for each function, and their average latency when it's known
3441 (for pure tasks with task profiling enabled). The dump is a snapshot of the
3442 instant it's done, and there may be variations depending on what tasks are
3443 left in the queue at the moment it happens, especially in mono-thread mode
3444 as there's less chance that I/Os can refill the queue (unless the queue is
3445 full). This command takes exclusive access to the process and can cause
3446 minor but measurable latencies when issued on a highly loaded process, so
3447 it must not be abused by monitoring bots.
3448
Willy Tarreau4e2b6462019-05-16 17:44:30 +02003449show threads
3450 Dumps some internal states and structures for each thread, that may be useful
3451 to help developers understand a problem. The output tries to be readable by
Willy Tarreauc7091d82019-05-17 10:08:49 +02003452 showing one block per thread. When haproxy is built with USE_THREAD_DUMP=1,
3453 an advanced dump mechanism involving thread signals is used so that each
3454 thread can dump its own state in turn. Without this option, the thread
3455 processing the command shows all its details but the other ones are less
Willy Tarreaue6a02fa2019-05-22 07:06:44 +02003456 detailed. A star ('*') is displayed in front of the thread handling the
3457 command. A right angle bracket ('>') may also be displayed in front of
3458 threads which didn't make any progress since last invocation of this command,
3459 indicating a bug in the code which must absolutely be reported. When this
3460 happens between two threads it usually indicates a deadlock. If a thread is
3461 alone, it's a different bug like a corrupted list. In all cases the process
3462 needs is not fully functional anymore and needs to be restarted.
3463
3464 The output format is purposely not documented so that it can easily evolve as
3465 new needs are identified, without having to maintain any form of backwards
3466 compatibility, and just like with "show activity", the values are meaningless
3467 without the code at hand.
Willy Tarreau4e2b6462019-05-16 17:44:30 +02003468
William Lallemandbb933462016-05-31 21:09:53 +02003469show tls-keys [id|*]
3470 Dump all loaded TLS ticket keys references. The TLS ticket key reference ID
3471 and the file from which the keys have been loaded is shown. Both of those
3472 can be used to update the TLS keys using "set ssl tls-key". If an ID is
3473 specified as parameter, it will dump the tickets, using * it will dump every
3474 keys from every references.
Willy Tarreau44aed902015-10-13 14:45:29 +02003475
Simon Horman6f6bb382017-01-04 09:37:26 +01003476show schema json
3477 Dump the schema used for the output of "show info json" and "show stat json".
3478
3479 The contains no extra whitespace in order to reduce the volume of output.
3480 For human consumption passing the output through a pretty printer may be
3481 helpful. Example :
3482
3483 $ echo "show schema json" | socat /var/run/haproxy.sock stdio | \
3484 python -m json.tool
3485
3486 The schema follows "JSON Schema" (json-schema.org) and accordingly
3487 verifiers may be used to verify the output of "show info json" and "show
3488 stat json" against the schema.
3489
Willy Tarreauf909c912019-08-22 20:06:04 +02003490show trace [<source>]
3491 Show the current trace status. For each source a line is displayed with a
3492 single-character status indicating if the trace is stopped, waiting, or
3493 running. The output sink used by the trace is indicated (or "none" if none
3494 was set), as well as the number of dropped events in this sink, followed by a
3495 brief description of the source. If a source name is specified, a detailed
3496 list of all events supported by the source, and their status for each action
3497 (report, start, pause, stop), indicated by a "+" if they are enabled, or a
3498 "-" otherwise. All these events are independent and an event might trigger
3499 a start without being reported and conversely.
Simon Horman6f6bb382017-01-04 09:37:26 +01003500
William Lallemand740629e2021-12-14 15:22:29 +01003501show version
3502 Show the version of the current HAProxy process. This is available from
3503 master and workers CLI.
3504 Example:
3505
3506 $ echo "show version" | socat /var/run/haproxy.sock stdio
3507 2.4.9
3508
3509 $ echo "show version" | socat /var/run/haproxy-master.sock stdio
3510 2.5.0
3511
Willy Tarreau44aed902015-10-13 14:45:29 +02003512shutdown frontend <frontend>
3513 Completely delete the specified frontend. All the ports it was bound to will
3514 be released. It will not be possible to enable the frontend anymore after
3515 this operation. This is intended to be used in environments where stopping a
3516 proxy is not even imaginable but a misconfigured proxy must be fixed. That
3517 way it's possible to release the port and bind it into another process to
3518 restore operations. The frontend will not appear at all on the stats page
3519 once it is terminated.
3520
3521 The frontend may be specified either by its name or by its numeric ID,
3522 prefixed with a sharp ('#').
3523
3524 This command is restricted and can only be issued on sockets configured for
3525 level "admin".
3526
3527shutdown session <id>
3528 Immediately terminate the session matching the specified session identifier.
3529 This identifier is the first field at the beginning of the lines in the dumps
3530 of "show sess" (it corresponds to the session pointer). This can be used to
3531 terminate a long-running session without waiting for a timeout or when an
3532 endless transfer is ongoing. Such terminated sessions are reported with a 'K'
3533 flag in the logs.
3534
3535shutdown sessions server <backend>/<server>
3536 Immediately terminate all the sessions attached to the specified server. This
3537 can be used to terminate long-running sessions after a server is put into
3538 maintenance mode, for instance. Such terminated sessions are reported with a
3539 'K' flag in the logs.
3540
Willy Tarreauf909c912019-08-22 20:06:04 +02003541trace
3542 The "trace" command alone lists the trace sources, their current status, and
3543 their brief descriptions. It is only meant as a menu to enter next levels,
3544 see other "trace" commands below.
3545
3546trace 0
3547 Immediately stops all traces. This is made to be used as a quick solution
3548 to terminate a debugging session or as an emergency action to be used in case
3549 complex traces were enabled on multiple sources and impact the service.
3550
3551trace <source> event [ [+|-|!]<name> ]
3552 Without argument, this will list all the events supported by the designated
3553 source. They are prefixed with a "-" if they are not enabled, or a "+" if
3554 they are enabled. It is important to note that a single trace may be labelled
3555 with multiple events, and as long as any of the enabled events matches one of
3556 the events labelled on the trace, the event will be passed to the trace
3557 subsystem. For example, receiving an HTTP/2 frame of type HEADERS may trigger
3558 a frame event and a stream event since the frame creates a new stream. If
3559 either the frame event or the stream event are enabled for this source, the
3560 frame will be passed to the trace framework.
3561
3562 With an argument, it is possible to toggle the state of each event and
3563 individually enable or disable them. Two special keywords are supported,
3564 "none", which matches no event, and is used to disable all events at once,
3565 and "any" which matches all events, and is used to enable all events at
3566 once. Other events are specific to the event source. It is possible to
3567 enable one event by specifying its name, optionally prefixed with '+' for
3568 better readability. It is possible to disable one event by specifying its
3569 name prefixed by a '-' or a '!'.
3570
3571 One way to completely disable a trace source is to pass "event none", and
3572 this source will instantly be totally ignored.
3573
3574trace <source> level [<level>]
Willy Tarreau2ea549b2019-08-29 08:01:48 +02003575 Without argument, this will list all trace levels for this source, and the
Willy Tarreauf909c912019-08-22 20:06:04 +02003576 current one will be indicated by a star ('*') prepended in front of it. With
Willy Tarreau2ea549b2019-08-29 08:01:48 +02003577 an argument, this will change the trace level to the specified level. Detail
Willy Tarreauf909c912019-08-22 20:06:04 +02003578 levels are a form of filters that are applied before reporting the events.
Willy Tarreau2ea549b2019-08-29 08:01:48 +02003579 These filters are used to selectively include or exclude events depending on
3580 their level of importance. For example a developer might need to know
3581 precisely where in the code an HTTP header was considered invalid while the
3582 end user may not even care about this header's validity at all. There are
3583 currently 5 distinct levels for a trace :
Willy Tarreauf909c912019-08-22 20:06:04 +02003584
3585 user this will report information that are suitable for use by a
3586 regular haproxy user who wants to observe his traffic.
3587 Typically some HTTP requests and responses will be reported
3588 without much detail. Most sources will set this as the
3589 default level to ease operations.
3590
Willy Tarreau2ea549b2019-08-29 08:01:48 +02003591 proto in addition to what is reported at the "user" level, it also
3592 displays protocol-level updates. This can for example be the
3593 frame types or HTTP headers after decoding.
Willy Tarreauf909c912019-08-22 20:06:04 +02003594
3595 state in addition to what is reported at the "proto" level, it
3596 will also display state transitions (or failed transitions)
3597 which happen in parsers, so this will show attempts to
3598 perform an operation while the "proto" level only shows
3599 the final operation.
3600
Willy Tarreau2ea549b2019-08-29 08:01:48 +02003601 data in addition to what is reported at the "state" level, it
3602 will also include data transfers between the various layers.
3603
Willy Tarreauf909c912019-08-22 20:06:04 +02003604 developer it reports everything available, which can include advanced
3605 information such as "breaking out of this loop" that are
3606 only relevant to a developer trying to understand a bug that
Willy Tarreau09fb0df2019-08-29 08:40:59 +02003607 only happens once in a while in field. Function names are
3608 only reported at this level.
Willy Tarreauf909c912019-08-22 20:06:04 +02003609
3610 It is highly recommended to always use the "user" level only and switch to
3611 other levels only if instructed to do so by a developer. Also it is a good
3612 idea to first configure the events before switching to higher levels, as it
3613 may save from dumping many lines if no filter is applied.
3614
3615trace <source> lock [criterion]
3616 Without argument, this will list all the criteria supported by this source
3617 for lock-on processing, and display the current choice by a star ('*') in
3618 front of it. Lock-on means that the source will focus on the first matching
3619 event and only stick to the criterion which triggered this event, and ignore
3620 all other ones until the trace stops. This allows for example to take a trace
3621 on a single connection or on a single stream. The following criteria are
3622 supported by some traces, though not necessarily all, since some of them
3623 might not be available to the source :
3624
3625 backend lock on the backend that started the trace
3626 connection lock on the connection that started the trace
3627 frontend lock on the frontend that started the trace
3628 listener lock on the listener that started the trace
3629 nothing do not lock on anything
3630 server lock on the server that started the trace
3631 session lock on the session that started the trace
3632 thread lock on the thread that started the trace
3633
3634 In addition to this, each source may provide up to 4 specific criteria such
3635 as internal states or connection IDs. For example in HTTP/2 it is possible
3636 to lock on the H2 stream and ignore other streams once a strace starts.
3637
3638 When a criterion is passed in argument, this one is used instead of the
3639 other ones and any existing tracking is immediately terminated so that it can
3640 restart with the new criterion. The special keyword "nothing" is supported by
3641 all sources to permanently disable tracking.
3642
3643trace <source> { pause | start | stop } [ [+|-|!]event]
3644 Without argument, this will list the events enabled to automatically pause,
3645 start, or stop a trace for this source. These events are specific to each
3646 trace source. With an argument, this will either enable the event for the
3647 specified action (if optionally prefixed by a '+') or disable it (if
3648 prefixed by a '-' or '!'). The special keyword "now" is not an event and
3649 requests to take the action immediately. The keywords "none" and "any" are
3650 supported just like in "trace event".
3651
3652 The 3 supported actions are respectively "pause", "start" and "stop". The
3653 "pause" action enumerates events which will cause a running trace to stop and
3654 wait for a new start event to restart it. The "start" action enumerates the
3655 events which switch the trace into the waiting mode until one of the start
3656 events appears. And the "stop" action enumerates the events which definitely
3657 stop the trace until it is manually enabled again. In practice it makes sense
3658 to manually start a trace using "start now" without caring about events, and
3659 to stop it using "stop now". In order to capture more subtle event sequences,
3660 setting "start" to a normal event (like receiving an HTTP request) and "stop"
3661 to a very rare event like emitting a certain error, will ensure that the last
3662 captured events will match the desired criteria. And the pause event is
3663 useful to detect the end of a sequence, disable the lock-on and wait for
3664 another opportunity to take a capture. In this case it can make sense to
3665 enable lock-on to spot only one specific criterion (e.g. a stream), and have
3666 "start" set to anything that starts this criterion (e.g. all events which
3667 create a stream), "stop" set to the expected anomaly, and "pause" to anything
3668 that ends that criterion (e.g. any end of stream event). In this case the
3669 trace log will contain complete sequences of perfectly clean series affecting
3670 a single object, until the last sequence containing everything from the
3671 beginning to the anomaly.
3672
3673trace <source> sink [<sink>]
3674 Without argument, this will list all event sinks available for this source,
3675 and the currently configured one will have a star ('*') prepended in front
3676 of it. Sink "none" is always available and means that all events are simply
3677 dropped, though their processing is not ignored (e.g. lock-on does occur).
3678 Other sinks are available depending on configuration and build options, but
3679 typically "stdout" and "stderr" will be usable in debug mode, and in-memory
3680 ring buffers should be available as well. When a name is specified, the sink
3681 instantly changes for the specified source. Events are not changed during a
3682 sink change. In the worst case some may be lost if an invalid sink is used
3683 (or "none"), but operations do continue to a different destination.
3684
Willy Tarreau370a6942019-08-29 08:24:16 +02003685trace <source> verbosity [<level>]
3686 Without argument, this will list all verbosity levels for this source, and the
3687 current one will be indicated by a star ('*') prepended in front of it. With
3688 an argument, this will change the verbosity level to the specified one.
3689
3690 Verbosity levels indicate how far the trace decoder should go to provide
3691 detailed information. It depends on the trace source, since some sources will
3692 not even provide a specific decoder. Level "quiet" is always available and
3693 disables any decoding. It can be useful when trying to figure what's
3694 happening before trying to understand the details, since it will have a very
3695 low impact on performance and trace size. When no verbosity levels are
3696 declared by a source, level "default" is available and will cause a decoder
3697 to be called when specified in the traces. It is an opportunistic decoding.
3698 When the source declares some verbosity levels, these ones are listed with
3699 a description of what they correspond to. In this case the trace decoder
3700 provided by the source will be as accurate as possible based on the
3701 information available at the trace point. The first level above "quiet" is
3702 set by default.
3703
Willy Tarreau2212e6a2015-10-13 14:40:55 +02003704
William Lallemand142db372018-12-11 18:56:45 +010037059.4. Master CLI
3706---------------
3707
3708The master CLI is a socket bound to the master process in master-worker mode.
3709This CLI gives access to the unix socket commands in every running or leaving
3710processes and allows a basic supervision of those processes.
3711
3712The master CLI is configurable only from the haproxy program arguments with
3713the -S option. This option also takes bind options separated by commas.
3714
3715Example:
3716
3717 # haproxy -W -S 127.0.0.1:1234 -f test1.cfg
3718 # haproxy -Ws -S /tmp/master-socket,uid,1000,gid,1000,mode,600 -f test1.cfg
William Lallemandb7ea1412018-12-13 09:05:47 +01003719 # haproxy -W -S /tmp/master-socket,level,user -f test1.cfg
William Lallemand142db372018-12-11 18:56:45 +01003720
William Lallemand142db372018-12-11 18:56:45 +01003721
William Lallemanda6622752022-03-31 15:26:51 +020037229.4.1. Master CLI commands
William Lallemandaf140ab2022-02-02 14:44:19 +01003723--------------------------
William Lallemand142db372018-12-11 18:56:45 +01003724
William Lallemandaf140ab2022-02-02 14:44:19 +01003725@<[!]pid>
3726 The master CLI uses a special prefix notation to access the multiple
3727 processes. This notation is easily identifiable as it begins by a @.
William Lallemand142db372018-12-11 18:56:45 +01003728
William Lallemandaf140ab2022-02-02 14:44:19 +01003729 A @ prefix can be followed by a relative process number or by an exclamation
3730 point and a PID. (e.g. @1 or @!1271). A @ alone could be use to specify the
3731 master. Leaving processes are only accessible with the PID as relative process
3732 number are only usable with the current processes.
William Lallemand142db372018-12-11 18:56:45 +01003733
William Lallemandaf140ab2022-02-02 14:44:19 +01003734 Examples:
William Lallemand142db372018-12-11 18:56:45 +01003735
William Lallemandaf140ab2022-02-02 14:44:19 +01003736 $ socat /var/run/haproxy-master.sock readline
3737 prompt
3738 master> @1 show info; @2 show info
3739 [...]
3740 Process_num: 1
3741 Pid: 1271
3742 [...]
3743 Process_num: 2
3744 Pid: 1272
3745 [...]
3746 master>
Willy Tarreau52880f92018-12-15 13:30:03 +01003747
William Lallemandaf140ab2022-02-02 14:44:19 +01003748 $ echo '@!1271 show info; @!1272 show info' | socat /var/run/haproxy-master.sock -
3749 [...]
William Lallemand142db372018-12-11 18:56:45 +01003750
William Lallemandaf140ab2022-02-02 14:44:19 +01003751 A prefix could be use as a command, which will send every next commands to
3752 the specified process.
William Lallemand142db372018-12-11 18:56:45 +01003753
William Lallemandaf140ab2022-02-02 14:44:19 +01003754 Examples:
William Lallemand142db372018-12-11 18:56:45 +01003755
William Lallemandaf140ab2022-02-02 14:44:19 +01003756 $ socat /var/run/haproxy-master.sock readline
3757 prompt
3758 master> @1
3759 1271> show info
3760 [...]
3761 1271> show stat
3762 [...]
3763 1271> @
3764 master>
William Lallemand142db372018-12-11 18:56:45 +01003765
William Lallemandaf140ab2022-02-02 14:44:19 +01003766 $ echo '@1; show info; show stat; @2; show info; show stat' | socat /var/run/haproxy-master.sock -
3767 [...]
William Lallemand142db372018-12-11 18:56:45 +01003768
William Lallemanda5ce28b2022-02-02 15:29:21 +01003769expert-mode [on|off]
3770 This command activates the "expert-mode" for every worker accessed from the
William Lallemand2a171912022-02-02 11:43:20 +01003771 master CLI. Combined with "mcli-debug-mode" it also activates the command on
William Lallemanddae12c72022-02-02 14:13:54 +01003772 the master. Display the flag "e" in the master CLI prompt.
William Lallemanda5ce28b2022-02-02 15:29:21 +01003773
William Lallemand2a171912022-02-02 11:43:20 +01003774 See also "expert-mode" in Section 9.3 and "mcli-debug-mode" in 9.4.1.
William Lallemanda5ce28b2022-02-02 15:29:21 +01003775
3776experimental-mode [on|off]
3777 This command activates the "experimental-mode" for every worker accessed from
William Lallemand2a171912022-02-02 11:43:20 +01003778 the master CLI. Combined with "mcli-debug-mode" it also activates the command on
William Lallemanddae12c72022-02-02 14:13:54 +01003779 the master. Display the flag "x" in the master CLI prompt.
William Lallemand2a171912022-02-02 11:43:20 +01003780
3781 See also "experimental-mode" in Section 9.3 and "mcli-debug-mode" in 9.4.1.
William Lallemanda5ce28b2022-02-02 15:29:21 +01003782
William Lallemand2a171912022-02-02 11:43:20 +01003783mcli-debug-mode [on|off]
3784 This keyword allows a special mode in the master CLI which enables every
3785 keywords that were meant for a worker CLI on the master CLI, allowing to debug
3786 the master process. Once activated, you list the new available keywords with
3787 "help". Combined with "experimental-mode" or "expert-mode" it enables even
William Lallemanddae12c72022-02-02 14:13:54 +01003788 more keywords. Display the flag "d" in the master CLI prompt.
William Lallemanda5ce28b2022-02-02 15:29:21 +01003789
William Lallemandaf140ab2022-02-02 14:44:19 +01003790prompt
3791 When the prompt is enabled (via the "prompt" command), the context the CLI is
3792 working on is displayed in the prompt. The master is identified by the "master"
3793 string, and other processes are identified with their PID. In case the last
3794 reload failed, the master prompt will be changed to "master[ReloadFailed]>" so
3795 that it becomes visible that the process is still running on the previous
3796 configuration and that the new configuration is not operational.
William Lallemand142db372018-12-11 18:56:45 +01003797
William Lallemanddae12c72022-02-02 14:13:54 +01003798 The prompt of the master CLI is able to display several flags which are the
3799 enable modes. "d" for mcli-debug-mode, "e" for expert-mode, "x" for
3800 experimental-mode.
3801
3802 Example:
3803 $ socat /var/run/haproxy-master.sock -
3804 prompt
3805 master> expert-mode on
3806 master(e)> experimental-mode on
3807 master(xe)> mcli-debug-mode on
3808 master(xed)> @1
3809 95191(xed)>
3810
William Lallemandaf140ab2022-02-02 14:44:19 +01003811reload
3812 You can also reload the HAProxy master process with the "reload" command which
3813 does the same as a `kill -USR2` on the master process, provided that the user
3814 has at least "operator" or "admin" privileges.
William Lallemand142db372018-12-11 18:56:45 +01003815
William Lallemandaf140ab2022-02-02 14:44:19 +01003816 Example:
William Lallemand142db372018-12-11 18:56:45 +01003817
William Lallemandaf140ab2022-02-02 14:44:19 +01003818 $ echo "reload" | socat /var/run/haproxy-master.sock stdin
William Lallemand142db372018-12-11 18:56:45 +01003819
William Lallemandaf140ab2022-02-02 14:44:19 +01003820 Note that a reload will close the connection to the master CLI.
William Lallemanda57b7e32018-12-14 21:11:31 +01003821
William Lallemandaf140ab2022-02-02 14:44:19 +01003822show proc
3823 The master CLI introduces a 'show proc' command to surpervise the
3824 processe.
William Lallemanda57b7e32018-12-14 21:11:31 +01003825
William Lallemandaf140ab2022-02-02 14:44:19 +01003826 Example:
William Lallemanda57b7e32018-12-14 21:11:31 +01003827
William Lallemandaf140ab2022-02-02 14:44:19 +01003828 $ echo 'show proc' | socat /var/run/haproxy-master.sock -
3829 #<PID> <type> <reloads> <uptime> <version>
3830 1162 master 5 [failed: 0] 0d00h02m07s 2.5-dev13
3831 # workers
3832 1271 worker 1 0d00h00m00s 2.5-dev13
3833 # old workers
3834 1233 worker 3 0d00h00m43s 2.0-dev3-6019f6-289
3835 # programs
3836 1244 foo 0 0d00h00m00s -
3837 1255 bar 0 0d00h00m00s -
William Lallemanda57b7e32018-12-14 21:11:31 +01003838
William Lallemandaf140ab2022-02-02 14:44:19 +01003839 In this example, the master has been reloaded 5 times but one of the old
3840 worker is still running and survived 3 reloads. You could access the CLI of
3841 this worker to understand what's going on.
William Lallemand142db372018-12-11 18:56:45 +01003842
Willy Tarreau2212e6a2015-10-13 14:40:55 +0200384310. Tricks for easier configuration management
3844----------------------------------------------
3845
3846It is very common that two HAProxy nodes constituting a cluster share exactly
3847the same configuration modulo a few addresses. Instead of having to maintain a
3848duplicate configuration for each node, which will inevitably diverge, it is
3849possible to include environment variables in the configuration. Thus multiple
3850configuration may share the exact same file with only a few different system
3851wide environment variables. This started in version 1.5 where only addresses
3852were allowed to include environment variables, and 1.6 goes further by
3853supporting environment variables everywhere. The syntax is the same as in the
3854UNIX shell, a variable starts with a dollar sign ('$'), followed by an opening
3855curly brace ('{'), then the variable name followed by the closing brace ('}').
3856Except for addresses, environment variables are only interpreted in arguments
3857surrounded with double quotes (this was necessary not to break existing setups
3858using regular expressions involving the dollar symbol).
3859
3860Environment variables also make it convenient to write configurations which are
3861expected to work on various sites where only the address changes. It can also
3862permit to remove passwords from some configs. Example below where the the file
3863"site1.env" file is sourced by the init script upon startup :
3864
3865 $ cat site1.env
3866 LISTEN=192.168.1.1
3867 CACHE_PFX=192.168.11
3868 SERVER_PFX=192.168.22
3869 LOGGER=192.168.33.1
3870 STATSLP=admin:pa$$w0rd
3871 ABUSERS=/etc/haproxy/abuse.lst
3872 TIMEOUT=10s
3873
3874 $ cat haproxy.cfg
3875 global
3876 log "${LOGGER}:514" local0
3877
3878 defaults
3879 mode http
3880 timeout client "${TIMEOUT}"
3881 timeout server "${TIMEOUT}"
3882 timeout connect 5s
3883
3884 frontend public
3885 bind "${LISTEN}:80"
3886 http-request reject if { src -f "${ABUSERS}" }
3887 stats uri /stats
3888 stats auth "${STATSLP}"
3889 use_backend cache if { path_end .jpg .css .ico }
3890 default_backend server
3891
3892 backend cache
3893 server cache1 "${CACHE_PFX}.1:18080" check
3894 server cache2 "${CACHE_PFX}.2:18080" check
3895
3896 backend server
3897 server cache1 "${SERVER_PFX}.1:8080" check
3898 server cache2 "${SERVER_PFX}.2:8080" check
3899
3900
390111. Well-known traps to avoid
3902-----------------------------
3903
3904Once in a while, someone reports that after a system reboot, the haproxy
3905service wasn't started, and that once they start it by hand it works. Most
3906often, these people are running a clustered IP address mechanism such as
3907keepalived, to assign the service IP address to the master node only, and while
3908it used to work when they used to bind haproxy to address 0.0.0.0, it stopped
3909working after they bound it to the virtual IP address. What happens here is
3910that when the service starts, the virtual IP address is not yet owned by the
3911local node, so when HAProxy wants to bind to it, the system rejects this
3912because it is not a local IP address. The fix doesn't consist in delaying the
3913haproxy service startup (since it wouldn't stand a restart), but instead to
3914properly configure the system to allow binding to non-local addresses. This is
3915easily done on Linux by setting the net.ipv4.ip_nonlocal_bind sysctl to 1. This
3916is also needed in order to transparently intercept the IP traffic that passes
3917through HAProxy for a specific target address.
3918
3919Multi-process configurations involving source port ranges may apparently seem
3920to work but they will cause some random failures under high loads because more
3921than one process may try to use the same source port to connect to the same
3922server, which is not possible. The system will report an error and a retry will
3923happen, picking another port. A high value in the "retries" parameter may hide
3924the effect to a certain extent but this also comes with increased CPU usage and
3925processing time. Logs will also report a certain number of retries. For this
3926reason, port ranges should be avoided in multi-process configurations.
3927
Dan Lloyd8e48b872016-07-01 21:01:18 -04003928Since HAProxy uses SO_REUSEPORT and supports having multiple independent
Willy Tarreau2212e6a2015-10-13 14:40:55 +02003929processes bound to the same IP:port, during troubleshooting it can happen that
3930an old process was not stopped before a new one was started. This provides
3931absurd test results which tend to indicate that any change to the configuration
3932is ignored. The reason is that in fact even the new process is restarted with a
3933new configuration, the old one also gets some incoming connections and
3934processes them, returning unexpected results. When in doubt, just stop the new
3935process and try again. If it still works, it very likely means that an old
3936process remains alive and has to be stopped. Linux's "netstat -lntp" is of good
3937help here.
3938
3939When adding entries to an ACL from the command line (eg: when blacklisting a
3940source address), it is important to keep in mind that these entries are not
3941synchronized to the file and that if someone reloads the configuration, these
3942updates will be lost. While this is often the desired effect (for blacklisting)
3943it may not necessarily match expectations when the change was made as a fix for
3944a problem. See the "add acl" action of the CLI interface.
3945
3946
394712. Debugging and performance issues
3948------------------------------------
3949
3950When HAProxy is started with the "-d" option, it will stay in the foreground
3951and will print one line per event, such as an incoming connection, the end of a
3952connection, and for each request or response header line seen. This debug
3953output is emitted before the contents are processed, so they don't consider the
3954local modifications. The main use is to show the request and response without
3955having to run a network sniffer. The output is less readable when multiple
3956connections are handled in parallel, though the "debug2ansi" and "debug2html"
3957scripts found in the examples/ directory definitely help here by coloring the
3958output.
3959
3960If a request or response is rejected because HAProxy finds it is malformed, the
3961best thing to do is to connect to the CLI and issue "show errors", which will
3962report the last captured faulty request and response for each frontend and
3963backend, with all the necessary information to indicate precisely the first
3964character of the input stream that was rejected. This is sometimes needed to
3965prove to customers or to developers that a bug is present in their code. In
3966this case it is often possible to relax the checks (but still keep the
3967captures) using "option accept-invalid-http-request" or its equivalent for
3968responses coming from the server "option accept-invalid-http-response". Please
3969see the configuration manual for more details.
3970
3971Example :
3972
3973 > show errors
3974 Total events captured on [13/Oct/2015:13:43:47.169] : 1
3975
3976 [13/Oct/2015:13:43:40.918] frontend HAProxyLocalStats (#2): invalid request
3977 backend <NONE> (#-1), server <NONE> (#-1), event #0
3978 src 127.0.0.1:51981, session #0, session flags 0x00000080
3979 HTTP msg state 26, msg flags 0x00000000, tx flags 0x00000000
3980 HTTP chunk len 0 bytes, HTTP body len 0 bytes
3981 buffer flags 0x00808002, out 0 bytes, total 31 bytes
3982 pending 31 bytes, wrapping at 8040, error at position 13:
3983
3984 00000 GET /invalid request HTTP/1.1\r\n
3985
3986
3987The output of "show info" on the CLI provides a number of useful information
3988regarding the maximum connection rate ever reached, maximum SSL key rate ever
3989reached, and in general all information which can help to explain temporary
3990issues regarding CPU or memory usage. Example :
3991
3992 > show info
3993 Name: HAProxy
3994 Version: 1.6-dev7-e32d18-17
3995 Release_date: 2015/10/12
3996 Nbproc: 1
3997 Process_num: 1
3998 Pid: 7949
3999 Uptime: 0d 0h02m39s
4000 Uptime_sec: 159
4001 Memmax_MB: 0
4002 Ulimit-n: 120032
4003 Maxsock: 120032
4004 Maxconn: 60000
4005 Hard_maxconn: 60000
4006 CurrConns: 0
4007 CumConns: 3
4008 CumReq: 3
4009 MaxSslConns: 0
4010 CurrSslConns: 0
4011 CumSslConns: 0
4012 Maxpipes: 0
4013 PipesUsed: 0
4014 PipesFree: 0
4015 ConnRate: 0
4016 ConnRateLimit: 0
4017 MaxConnRate: 1
4018 SessRate: 0
4019 SessRateLimit: 0
4020 MaxSessRate: 1
4021 SslRate: 0
4022 SslRateLimit: 0
4023 MaxSslRate: 0
4024 SslFrontendKeyRate: 0
4025 SslFrontendMaxKeyRate: 0
4026 SslFrontendSessionReuse_pct: 0
4027 SslBackendKeyRate: 0
4028 SslBackendMaxKeyRate: 0
4029 SslCacheLookups: 0
4030 SslCacheMisses: 0
4031 CompressBpsIn: 0
4032 CompressBpsOut: 0
4033 CompressBpsRateLim: 0
4034 ZlibMemUsage: 0
4035 MaxZlibMemUsage: 0
4036 Tasks: 5
4037 Run_queue: 1
4038 Idle_pct: 100
4039 node: wtap
4040 description:
4041
4042When an issue seems to randomly appear on a new version of HAProxy (eg: every
4043second request is aborted, occasional crash, etc), it is worth trying to enable
Dan Lloyd8e48b872016-07-01 21:01:18 -04004044memory poisoning so that each call to malloc() is immediately followed by the
Willy Tarreau2212e6a2015-10-13 14:40:55 +02004045filling of the memory area with a configurable byte. By default this byte is
40460x50 (ASCII for 'P'), but any other byte can be used, including zero (which
4047will have the same effect as a calloc() and which may make issues disappear).
Dan Lloyd8e48b872016-07-01 21:01:18 -04004048Memory poisoning is enabled on the command line using the "-dM" option. It
Willy Tarreau2212e6a2015-10-13 14:40:55 +02004049slightly hurts performance and is not recommended for use in production. If
Dan Lloyd8e48b872016-07-01 21:01:18 -04004050an issue happens all the time with it or never happens when poisoning uses
Willy Tarreau2212e6a2015-10-13 14:40:55 +02004051byte zero, it clearly means you've found a bug and you definitely need to
4052report it. Otherwise if there's no clear change, the problem it is not related.
4053
4054When debugging some latency issues, it is important to use both strace and
4055tcpdump on the local machine, and another tcpdump on the remote system. The
4056reason for this is that there are delays everywhere in the processing chain and
4057it is important to know which one is causing latency to know where to act. In
4058practice, the local tcpdump will indicate when the input data come in. Strace
4059will indicate when haproxy receives these data (using recv/recvfrom). Warning,
4060openssl uses read()/write() syscalls instead of recv()/send(). Strace will also
4061show when haproxy sends the data, and tcpdump will show when the system sends
4062these data to the interface. Then the external tcpdump will show when the data
4063sent are really received (since the local one only shows when the packets are
4064queued). The benefit of sniffing on the local system is that strace and tcpdump
4065will use the same reference clock. Strace should be used with "-tts200" to get
4066complete timestamps and report large enough chunks of data to read them.
4067Tcpdump should be used with "-nvvttSs0" to report full packets, real sequence
4068numbers and complete timestamps.
4069
4070In practice, received data are almost always immediately received by haproxy
4071(unless the machine has a saturated CPU or these data are invalid and not
4072delivered). If these data are received but not sent, it generally is because
4073the output buffer is saturated (ie: recipient doesn't consume the data fast
4074enough). This can be confirmed by seeing that the polling doesn't notify of
4075the ability to write on the output file descriptor for some time (it's often
4076easier to spot in the strace output when the data finally leave and then roll
4077back to see when the write event was notified). It generally matches an ACK
4078received from the recipient, and detected by tcpdump. Once the data are sent,
4079they may spend some time in the system doing nothing. Here again, the TCP
4080congestion window may be limited and not allow these data to leave, waiting for
4081an ACK to open the window. If the traffic is idle and the data take 40 ms or
4082200 ms to leave, it's a different issue (which is not an issue), it's the fact
4083that the Nagle algorithm prevents empty packets from leaving immediately, in
4084hope that they will be merged with subsequent data. HAProxy automatically
4085disables Nagle in pure TCP mode and in tunnels. However it definitely remains
4086enabled when forwarding an HTTP body (and this contributes to the performance
4087improvement there by reducing the number of packets). Some HTTP non-compliant
4088applications may be sensitive to the latency when delivering incomplete HTTP
4089response messages. In this case you will have to enable "option http-no-delay"
4090to disable Nagle in order to work around their design, keeping in mind that any
4091other proxy in the chain may similarly be impacted. If tcpdump reports that data
4092leave immediately but the other end doesn't see them quickly, it can mean there
Dan Lloyd8e48b872016-07-01 21:01:18 -04004093is a congested WAN link, a congested LAN with flow control enabled and
Willy Tarreau2212e6a2015-10-13 14:40:55 +02004094preventing the data from leaving, or more commonly that HAProxy is in fact
4095running in a virtual machine and that for whatever reason the hypervisor has
4096decided that the data didn't need to be sent immediately. In virtualized
4097environments, latency issues are almost always caused by the virtualization
4098layer, so in order to save time, it's worth first comparing tcpdump in the VM
4099and on the external components. Any difference has to be credited to the
4100hypervisor and its accompanying drivers.
4101
4102When some TCP SACK segments are seen in tcpdump traces (using -vv), it always
4103means that the side sending them has got the proof of a lost packet. While not
4104seeing them doesn't mean there are no losses, seeing them definitely means the
4105network is lossy. Losses are normal on a network, but at a rate where SACKs are
4106not noticeable at the naked eye. If they appear a lot in the traces, it is
4107worth investigating exactly what happens and where the packets are lost. HTTP
4108doesn't cope well with TCP losses, which introduce huge latencies.
4109
4110The "netstat -i" command will report statistics per interface. An interface
4111where the Rx-Ovr counter grows indicates that the system doesn't have enough
4112resources to receive all incoming packets and that they're lost before being
4113processed by the network driver. Rx-Drp indicates that some received packets
4114were lost in the network stack because the application doesn't process them
4115fast enough. This can happen during some attacks as well. Tx-Drp means that
4116the output queues were full and packets had to be dropped. When using TCP it
Dan Lloyd8e48b872016-07-01 21:01:18 -04004117should be very rare, but will possibly indicate a saturated outgoing link.
Willy Tarreau2212e6a2015-10-13 14:40:55 +02004118
4119
412013. Security considerations
4121---------------------------
4122
4123HAProxy is designed to run with very limited privileges. The standard way to
4124use it is to isolate it into a chroot jail and to drop its privileges to a
4125non-root user without any permissions inside this jail so that if any future
4126vulnerability were to be discovered, its compromise would not affect the rest
4127of the system.
4128
Dan Lloyd8e48b872016-07-01 21:01:18 -04004129In order to perform a chroot, it first needs to be started as a root user. It is
Willy Tarreau2212e6a2015-10-13 14:40:55 +02004130pointless to build hand-made chroots to start the process there, these ones are
4131painful to build, are never properly maintained and always contain way more
4132bugs than the main file-system. And in case of compromise, the intruder can use
4133the purposely built file-system. Unfortunately many administrators confuse
4134"start as root" and "run as root", resulting in the uid change to be done prior
4135to starting haproxy, and reducing the effective security restrictions.
4136
4137HAProxy will need to be started as root in order to :
4138 - adjust the file descriptor limits
4139 - bind to privileged port numbers
4140 - bind to a specific network interface
4141 - transparently listen to a foreign address
4142 - isolate itself inside the chroot jail
4143 - drop to another non-privileged UID
4144
4145HAProxy may require to be run as root in order to :
4146 - bind to an interface for outgoing connections
4147 - bind to privileged source ports for outgoing connections
Dan Lloyd8e48b872016-07-01 21:01:18 -04004148 - transparently bind to a foreign address for outgoing connections
Willy Tarreau2212e6a2015-10-13 14:40:55 +02004149
4150Most users will never need the "run as root" case. But the "start as root"
4151covers most usages.
4152
4153A safe configuration will have :
4154
4155 - a chroot statement pointing to an empty location without any access
4156 permissions. This can be prepared this way on the UNIX command line :
4157
4158 # mkdir /var/empty && chmod 0 /var/empty || echo "Failed"
4159
4160 and referenced like this in the HAProxy configuration's global section :
4161
4162 chroot /var/empty
4163
4164 - both a uid/user and gid/group statements in the global section :
4165
4166 user haproxy
4167 group haproxy
4168
4169 - a stats socket whose mode, uid and gid are set to match the user and/or
4170 group allowed to access the CLI so that nobody may access it :
4171
4172 stats socket /var/run/haproxy.stat uid hatop gid hatop mode 600
4173