blob: 33099fd34cf655fdb20629b5686a6be68b8a1905 [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
Willy Tarreau8317b282014-04-23 01:49:41 +02002 HAProxy
Willy Tarreau6a06a402007-07-15 20:15:28 +02003 Configuration Manual
4 ----------------------
Willy Tarreau1db55792020-11-05 17:20:35 +01005 version 2.4
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreau6cbbecf2021-05-14 09:03:30 +02007 2021/05/14
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
Davor Ocelice9ed2812017-12-25 17:49:28 +010011specified above. It does not provide any hints, examples, or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Davor Ocelice9ed2812017-12-25 17:49:28 +010013The summary below is meant to help you find sections by name and navigate
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
Jamie Gloudonaaa21002012-08-25 00:18:33 -040017 This document is formatted with 80 columns per line, with even number of
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
Davor Ocelice9ed2812017-12-25 17:49:28 +010022 sometimes useful to prefix all output lines (logs, console outputs) with 3
23 closing angle brackets ('>>>') in order to emphasize the difference between
24 inputs and outputs when they may be ambiguous. If you add sections,
Willy Tarreau62a36c42010-08-17 15:53:10 +020025 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
Davor Ocelice9ed2812017-12-25 17:49:28 +0100341.2.1. The request line
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200351.2.2. The request headers
361.3. HTTP response
Davor Ocelice9ed2812017-12-25 17:49:28 +0100371.3.1. The response line
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
William Lallemandf9873ba2015-05-05 17:37:14 +0200422.2. Quoting and escaping
William Lallemandb2f07452015-05-12 14:27:13 +0200432.3. Environment variables
Willy Tarreau4b103022021-02-12 17:59:10 +0100442.4. Conditional blocks
452.5. Time format
462.6. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020047
483. Global parameters
493.1. Process management and security
503.2. Performance tuning
513.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100523.4. Userlists
Cyril Bontédc4d9032012-04-08 21:57:39 +0200533.5. Peers
Cyril Bonté307ee1e2015-09-28 23:16:06 +0200543.6. Mailers
William Lallemandc9515522019-06-12 16:32:11 +0200553.7. Programs
Christopher Faulet76edc0f2020-01-13 15:52:01 +0100563.8. HTTP-errors
Emeric Brun99c453d2020-05-25 15:01:04 +0200573.9. Rings
William Lallemand0217b7b2020-11-18 10:41:24 +0100583.10. Log forwarding
Willy Tarreauc57f0e22009-05-10 13:12:33 +020059
604. Proxies
614.1. Proxy keywords matrix
624.2. Alphabetically sorted keywords reference
63
Davor Ocelice9ed2812017-12-25 17:49:28 +0100645. Bind and server options
Willy Tarreau086fbf52012-09-24 20:34:51 +0200655.1. Bind options
665.2. Server and default-server options
Baptiste Assmann1fa66662015-04-14 00:28:47 +0200675.3. Server DNS resolution
685.3.1. Global overview
695.3.2. The resolvers section
Willy Tarreauc57f0e22009-05-10 13:12:33 +020070
Julien Pivotto6ccee412019-11-27 15:49:54 +0100716. Cache
726.1. Limitation
736.2. Setup
746.2.1. Cache section
756.2.2. Proxy section
76
Willy Tarreau74ca5042013-06-11 23:12:07 +0200777. Using ACLs and fetching samples
787.1. ACL basics
797.1.1. Matching booleans
807.1.2. Matching integers
817.1.3. Matching strings
827.1.4. Matching regular expressions (regexes)
837.1.5. Matching arbitrary data blocks
847.1.6. Matching IPv4 and IPv6 addresses
857.2. Using ACLs to form conditions
867.3. Fetching samples
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200877.3.1. Converters
887.3.2. Fetching samples from internal states
897.3.3. Fetching samples at Layer 4
907.3.4. Fetching samples at Layer 5
917.3.5. Fetching samples from buffer contents (Layer 6)
927.3.6. Fetching HTTP samples (Layer 7)
Christopher Faulete596d182020-05-05 17:46:34 +0200937.3.7. Fetching samples for developers
Willy Tarreau74ca5042013-06-11 23:12:07 +0200947.4. Pre-defined ACLs
Willy Tarreauc57f0e22009-05-10 13:12:33 +020095
968. Logging
978.1. Log levels
988.2. Log formats
998.2.1. Default log format
1008.2.2. TCP log format
1018.2.3. HTTP log format
William Lallemand48940402012-01-30 16:47:22 +01001028.2.4. Custom log format
Willy Tarreau5f51e1a2012-12-03 18:40:10 +01001038.2.5. Error log format
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001048.3. Advanced logging options
1058.3.1. Disabling logging of external tests
1068.3.2. Logging before waiting for the session to terminate
1078.3.3. Raising log level upon errors
1088.3.4. Disabling logging of successful connections
1098.4. Timing events
1108.5. Session state at disconnection
1118.6. Non-printable characters
1128.7. Capturing HTTP cookies
1138.8. Capturing HTTP headers
1148.9. Examples of logs
115
Christopher Fauletc3fe5332016-04-07 15:30:10 +02001169. Supported filters
1179.1. Trace
1189.2. HTTP compression
Christopher Fauletf7e4e7e2016-10-27 22:29:49 +02001199.3. Stream Processing Offload Engine (SPOE)
Christopher Faulet99a17a22018-12-11 09:18:27 +01001209.4. Cache
Christopher Fauletb30b3102019-09-12 23:03:09 +02001219.5. fcgi-app
Miroslav Zagoracdc32cd92020-12-13 18:32:57 +01001229.6. OpenTracing
Christopher Fauletc3fe5332016-04-07 15:30:10 +0200123
Christopher Fauletb30b3102019-09-12 23:03:09 +020012410. FastCGI applications
12510.1. Setup
12610.1.1. Fcgi-app section
12710.1.2. Proxy section
12810.1.3. Example
12910.2. Default parameters
13010.3. Limitations
131
Emeric Brunce325c42021-04-02 17:05:09 +020013211. Address formats
13311.1. Address family prefixes
13411.2. Socket type prefixes
13511.3. Protocol prefixes
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200136
1371. Quick reminder about HTTP
138----------------------------
139
Davor Ocelice9ed2812017-12-25 17:49:28 +0100140When HAProxy is running in HTTP mode, both the request and the response are
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200141fully analyzed and indexed, thus it becomes possible to build matching criteria
142on almost anything found in the contents.
143
144However, it is important to understand how HTTP requests and responses are
145formed, and how HAProxy decomposes them. It will then become easier to write
146correct rules and to debug existing configurations.
147
148
1491.1. The HTTP transaction model
150-------------------------------
151
152The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100153to one and only one response. Traditionally, a TCP connection is established
Davor Ocelice9ed2812017-12-25 17:49:28 +0100154from the client to the server, a request is sent by the client through the
155connection, the server responds, and the connection is closed. A new request
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200156will involve a new connection :
157
158 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
159
160In this mode, called the "HTTP close" mode, there are as many connection
161establishments as there are HTTP transactions. Since the connection is closed
162by the server after the response, the client does not need to know the content
163length.
164
165Due to the transactional nature of the protocol, it was possible to improve it
166to avoid closing a connection between two subsequent transactions. In this mode
167however, it is mandatory that the server indicates the content length for each
168response so that the client does not wait indefinitely. For this, a special
169header is used: "Content-length". This mode is called the "keep-alive" mode :
170
171 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
172
173Its advantages are a reduced latency between transactions, and less processing
174power required on the server side. It is generally better than the close mode,
175but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200176a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200177
Willy Tarreau95c4e142017-11-26 12:18:55 +0100178Another improvement in the communications is the pipelining mode. It still uses
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200179keep-alive, but the client does not wait for the first response to send the
180second request. This is useful for fetching large number of images composing a
181page :
182
183 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
184
185This can obviously have a tremendous benefit on performance because the network
186latency is eliminated between subsequent requests. Many HTTP agents do not
187correctly support pipelining since there is no way to associate a response with
188the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100189server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200190
Willy Tarreau95c4e142017-11-26 12:18:55 +0100191The next improvement is the multiplexed mode, as implemented in HTTP/2. This
192time, each transaction is assigned a single stream identifier, and all streams
193are multiplexed over an existing connection. Many requests can be sent in
194parallel by the client, and responses can arrive in any order since they also
195carry the stream identifier.
196
Willy Tarreau70dffda2014-01-30 03:07:23 +0100197By default HAProxy operates in keep-alive mode with regards to persistent
198connections: for each connection it processes each request and response, and
199leaves the connection idle on both sides between the end of a response and the
Willy Tarreau95c4e142017-11-26 12:18:55 +0100200start of a new request. When it receives HTTP/2 connections from a client, it
201processes all the requests in parallel and leaves the connection idling,
202waiting for new requests, just as if it was a keep-alive HTTP connection.
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200203
Christopher Faulet315b39c2018-09-21 16:26:19 +0200204HAProxy supports 4 connection modes :
Willy Tarreau70dffda2014-01-30 03:07:23 +0100205 - keep alive : all requests and responses are processed (default)
206 - tunnel : only the first request and response are processed,
Christopher Faulet6c9bbb22019-03-26 21:37:23 +0100207 everything else is forwarded with no analysis (deprecated).
Willy Tarreau70dffda2014-01-30 03:07:23 +0100208 - server close : the server-facing connection is closed after the response.
Christopher Faulet315b39c2018-09-21 16:26:19 +0200209 - close : the connection is actively closed after end of response.
Willy Tarreau70dffda2014-01-30 03:07:23 +0100210
Willy Tarreau95c4e142017-11-26 12:18:55 +0100211
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200212
2131.2. HTTP request
214-----------------
215
216First, let's consider this HTTP request :
217
218 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100219 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200220 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
221 2 Host: www.mydomain.com
222 3 User-agent: my small browser
223 4 Accept: image/jpeg, image/gif
224 5 Accept: image/png
225
226
2271.2.1. The Request line
228-----------------------
229
230Line 1 is the "request line". It is always composed of 3 fields :
231
232 - a METHOD : GET
233 - a URI : /serv/login.php?lang=en&profile=2
234 - a version tag : HTTP/1.1
235
236All of them are delimited by what the standard calls LWS (linear white spaces),
237which are commonly spaces, but can also be tabs or line feeds/carriage returns
238followed by spaces/tabs. The method itself cannot contain any colon (':') and
239is limited to alphabetic letters. All those various combinations make it
240desirable that HAProxy performs the splitting itself rather than leaving it to
241the user to write a complex or inaccurate regular expression.
242
243The URI itself can have several forms :
244
245 - A "relative URI" :
246
247 /serv/login.php?lang=en&profile=2
248
249 It is a complete URL without the host part. This is generally what is
250 received by servers, reverse proxies and transparent proxies.
251
252 - An "absolute URI", also called a "URL" :
253
254 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
255
256 It is composed of a "scheme" (the protocol name followed by '://'), a host
257 name or address, optionally a colon (':') followed by a port number, then
258 a relative URI beginning at the first slash ('/') after the address part.
259 This is generally what proxies receive, but a server supporting HTTP/1.1
260 must accept this form too.
261
262 - a star ('*') : this form is only accepted in association with the OPTIONS
263 method and is not relayable. It is used to inquiry a next hop's
264 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100265
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200266 - an address:port combination : 192.168.0.12:80
267 This is used with the CONNECT method, which is used to establish TCP
268 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
269 other protocols too.
270
271In a relative URI, two sub-parts are identified. The part before the question
272mark is called the "path". It is typically the relative path to static objects
273on the server. The part after the question mark is called the "query string".
274It is mostly used with GET requests sent to dynamic scripts and is very
275specific to the language, framework or application in use.
276
Willy Tarreau95c4e142017-11-26 12:18:55 +0100277HTTP/2 doesn't convey a version information with the request, so the version is
Davor Ocelice9ed2812017-12-25 17:49:28 +0100278assumed to be the same as the one of the underlying protocol (i.e. "HTTP/2").
Willy Tarreau95c4e142017-11-26 12:18:55 +0100279
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200280
2811.2.2. The request headers
282--------------------------
283
284The headers start at the second line. They are composed of a name at the
285beginning of the line, immediately followed by a colon (':'). Traditionally,
286an LWS is added after the colon but that's not required. Then come the values.
287Multiple identical headers may be folded into one single line, delimiting the
288values with commas, provided that their order is respected. This is commonly
289encountered in the "Cookie:" field. A header may span over multiple lines if
290the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
291define a total of 3 values for the "Accept:" header.
292
Davor Ocelice9ed2812017-12-25 17:49:28 +0100293Contrary to a common misconception, header names are not case-sensitive, and
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200294their values are not either if they refer to other header names (such as the
Willy Tarreau95c4e142017-11-26 12:18:55 +0100295"Connection:" header). In HTTP/2, header names are always sent in lower case,
Willy Tarreau253c2512020-07-07 15:55:23 +0200296as can be seen when running in debug mode. Internally, all header names are
297normalized to lower case so that HTTP/1.x and HTTP/2 use the exact same
298representation, and they are sent as-is on the other side. This explains why an
299HTTP/1.x request typed with camel case is delivered in lower case.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200300
301The end of the headers is indicated by the first empty line. People often say
302that it's a double line feed, which is not exact, even if a double line feed
303is one valid form of empty line.
304
305Fortunately, HAProxy takes care of all these complex combinations when indexing
306headers, checking values and counting them, so there is no reason to worry
307about the way they could be written, but it is important not to accuse an
308application of being buggy if it does unusual, valid things.
309
310Important note:
Lukas Tribus23953682017-04-28 13:24:30 +0000311 As suggested by RFC7231, HAProxy normalizes headers by replacing line breaks
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200312 in the middle of headers by LWS in order to join multi-line headers. This
313 is necessary for proper analysis and helps less capable HTTP parsers to work
314 correctly and not to be fooled by such complex constructs.
315
316
3171.3. HTTP response
318------------------
319
320An HTTP response looks very much like an HTTP request. Both are called HTTP
321messages. Let's consider this HTTP response :
322
323 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100324 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200325 1 HTTP/1.1 200 OK
326 2 Content-length: 350
327 3 Content-Type: text/html
328
Willy Tarreau816b9792009-09-15 21:25:21 +0200329As a special case, HTTP supports so called "Informational responses" as status
330codes 1xx. These messages are special in that they don't convey any part of the
331response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100332continue to post its request for instance. In the case of a status 100 response
333the requested information will be carried by the next non-100 response message
334following the informational one. This implies that multiple responses may be
335sent to a single request, and that this only works when keep-alive is enabled
336(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
337correctly forward and skip them, and only process the next non-100 response. As
338such, these messages are neither logged nor transformed, unless explicitly
339state otherwise. Status 101 messages indicate that the protocol is changing
Daniel Corbett9f0843f2021-05-08 10:50:37 -0400340over the same connection and that HAProxy must switch to tunnel mode, just as
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100341if a CONNECT had occurred. Then the Upgrade header would contain additional
342information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200343
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200344
Davor Ocelice9ed2812017-12-25 17:49:28 +01003451.3.1. The response line
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200346------------------------
347
348Line 1 is the "response line". It is always composed of 3 fields :
349
350 - a version tag : HTTP/1.1
351 - a status code : 200
352 - a reason : OK
353
354The status code is always 3-digit. The first digit indicates a general status :
Davor Ocelice9ed2812017-12-25 17:49:28 +0100355 - 1xx = informational message to be skipped (e.g. 100, 101)
356 - 2xx = OK, content is following (e.g. 200, 206)
357 - 3xx = OK, no content following (e.g. 302, 304)
358 - 4xx = error caused by the client (e.g. 401, 403, 404)
359 - 5xx = error caused by the server (e.g. 500, 502, 503)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200360
Lukas Tribus23953682017-04-28 13:24:30 +0000361Please refer to RFC7231 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100362"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200363found there, but it's a common practice to respect the well-established
364messages. It can be composed of one or multiple words, such as "OK", "Found",
365or "Authentication Required".
366
Davor Ocelice9ed2812017-12-25 17:49:28 +0100367HAProxy may emit the following status codes by itself :
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200368
369 Code When / reason
370 200 access to stats page, and when replying to monitoring requests
371 301 when performing a redirection, depending on the configured code
372 302 when performing a redirection, depending on the configured code
373 303 when performing a redirection, depending on the configured code
Willy Tarreaub67fdc42013-03-29 19:28:11 +0100374 307 when performing a redirection, depending on the configured code
375 308 when performing a redirection, depending on the configured code
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200376 400 for an invalid or too large request
377 401 when an authentication is required to perform the action (when
378 accessing the stats page)
Christopher Faulet87f1f3d2019-07-18 14:51:20 +0200379 403 when a request is forbidden by a "http-request deny" rule
Florian Tham9205fea2020-01-08 13:35:30 +0100380 404 when the requested resource could not be found
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200381 408 when the request timeout strikes before the request is complete
Florian Tham272e29b2020-01-08 10:19:05 +0100382 410 when the requested resource is no longer available and will not
383 be available again
Daniel Corbett9f0843f2021-05-08 10:50:37 -0400384 500 when HAProxy encounters an unrecoverable internal error, such as a
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200385 memory allocation failure, which should never happen
Daniel Corbett9f0843f2021-05-08 10:50:37 -0400386 501 when HAProxy is unable to satisfy a client request because of an
Christopher Faulete095f312020-12-07 11:22:24 +0100387 unsupported feature
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200388 502 when the server returns an empty, invalid or incomplete response, or
Christopher Faulet87f1f3d2019-07-18 14:51:20 +0200389 when an "http-response deny" rule blocks the response.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200390 503 when no server was available to handle the request, or in response to
391 monitoring requests which match the "monitor fail" condition
392 504 when the response timeout strikes before the server responds
393
394The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3954.2).
396
397
3981.3.2. The response headers
399---------------------------
400
401Response headers work exactly like request headers, and as such, HAProxy uses
402the same parsing function for both. Please refer to paragraph 1.2.2 for more
403details.
404
405
4062. Configuring HAProxy
407----------------------
408
4092.1. Configuration file format
410------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200411
412HAProxy's configuration process involves 3 major sources of parameters :
413
414 - the arguments from the command-line, which always take precedence
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100415 - the configuration file(s), whose format is described here
Thayne McCombscdbcca92021-01-07 21:24:41 -0700416 - the running process's environment, in case some environment variables are
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100417 explicitly referenced
Willy Tarreau6a06a402007-07-15 20:15:28 +0200418
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100419The configuration file follows a fairly simple hierarchical format which obey
420a few basic rules:
Willy Tarreau0ba27502007-12-24 16:55:16 +0100421
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100422 1. a configuration file is an ordered sequence of statements
423
424 2. a statement is a single non-empty line before any unprotected "#" (hash)
425
426 3. a line is a series of tokens or "words" delimited by unprotected spaces or
427 tab characters
428
429 4. the first word or sequence of words of a line is one of the keywords or
430 keyword sequences listed in this document
431
432 5. all other words are all arguments of the first one, some being well-known
433 keywords listed in this document, others being values, references to other
434 parts of the configuration, or expressions
435
436 6. certain keywords delimit a section inside which only a subset of keywords
437 are supported
438
439 7. a section ends at the end of a file or on a special keyword starting a new
440 section
441
442This is all that is needed to know to write a simple but reliable configuration
443generator, but this is not enough to reliably parse any configuration nor to
444figure how to deal with certain corner cases.
445
446First, there are a few consequences of the rules above. Rule 6 and 7 imply that
447the keywords used to define a new section are valid everywhere and cannot have
448a different meaning in a specific section. These keywords are always a single
449word (as opposed to a sequence of words), and traditionally the section that
450follows them is designated using the same name. For example when speaking about
451the "global section", it designates the section of configuration that follows
452the "global" keyword. This usage is used a lot in error messages to help locate
453the parts that need to be addressed.
454
455A number of sections create an internal object or configuration space, which
456requires to be distinguished from other ones. In this case they will take an
457extra word which will set the name of this particular section. For some of them
458the section name is mandatory. For example "frontend foo" will create a new
459section of type "frontend" named "foo". Usually a name is specific to its
460section and two sections of different types may use the same name, but this is
461not recommended as it tends to complexify configuration management.
462
463A direct consequence of rule 7 is that when multiple files are read at once,
464each of them must start with a new section, and the end of each file will end
465a section. A file cannot contain sub-sections nor end an existing section and
466start a new one.
467
468Rule 1 mentioned that ordering matters. Indeed, some keywords create directives
469that can be repeated multiple times to create ordered sequences of rules to be
470applied in a certain order. For example "tcp-request" can be used to alternate
471"accept" and "reject" rules on varying criteria. As such, a configuration file
472processor must always preserve a section's ordering when editing a file. The
473ordering of sections usually does not matter except for the global section
474which must be placed before other sections, but it may be repeated if needed.
475In addition, some automatic identifiers may automatically be assigned to some
476of the created objects (e.g. proxies), and by reordering sections, their
477identifiers will change. These ones appear in the statistics for example. As
478such, the configuration below will assign "foo" ID number 1 and "bar" ID number
4792, which will be swapped if the two sections are reversed:
480
481 listen foo
482 bind :80
483
484 listen bar
485 bind :81
486
487Another important point is that according to rules 2 and 3 above, empty lines,
488spaces, tabs, and comments following and unprotected "#" character are not part
489of the configuration as they are just used as delimiters. This implies that the
490following configurations are strictly equivalent:
491
492 global#this is the global section
493 daemon#daemonize
494 frontend foo
495 mode http # or tcp
496
497and:
498
499 global
500 daemon
501
502 # this is the public web frontend
503 frontend foo
504 mode http
505
506The common practice is to align to the left only the keyword that initiates a
507new section, and indent (i.e. prepend a tab character or a few spaces) all
508other keywords so that it's instantly visible that they belong to the same
509section (as done in the second example above). Placing comments before a new
510section helps the reader decide if it's the desired one. Leaving a blank line
511at the end of a section also visually helps spotting the end when editing it.
512
513Tabs are very convenient for indent but they do not copy-paste well. If spaces
514are used instead, it is recommended to avoid placing too many (2 to 4) so that
515editing in field doesn't become a burden with limited editors that do not
516support automatic indent.
517
518In the early days it used to be common to see arguments split at fixed tab
519positions because most keywords would not take more than two arguments. With
520modern versions featuring complex expressions this practice does not stand
521anymore, and is not recommended.
522
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200523
William Lallemandf9873ba2015-05-05 17:37:14 +02005242.2. Quoting and escaping
525-------------------------
526
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100527In modern configurations, some arguments require the use of some characters
528that were previously considered as pure delimiters. In order to make this
529possible, HAProxy supports character escaping by prepending a backslash ('\')
530in front of the character to be escaped, weak quoting within double quotes
531('"') and strong quoting within single quotes ("'").
William Lallemandf9873ba2015-05-05 17:37:14 +0200532
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100533This is pretty similar to what is done in a number of programming languages and
534very close to what is commonly encountered in Bourne shell. The principle is
535the following: while the configuration parser cuts the lines into words, it
536also takes care of quotes and backslashes to decide whether a character is a
537delimiter or is the raw representation of this character within the current
538word. The escape character is then removed, the quotes are removed, and the
539remaining word is used as-is as a keyword or argument for example.
William Lallemandf9873ba2015-05-05 17:37:14 +0200540
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100541If a backslash is needed in a word, it must either be escaped using itself
542(i.e. double backslash) or be strongly quoted.
543
544Escaping outside quotes is achieved by preceding a special character by a
545backslash ('\'):
William Lallemandf9873ba2015-05-05 17:37:14 +0200546
547 \ to mark a space and differentiate it from a delimiter
548 \# to mark a hash and differentiate it from a comment
549 \\ to use a backslash
550 \' to use a single quote and differentiate it from strong quoting
551 \" to use a double quote and differentiate it from weak quoting
552
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100553In addition, a few non-printable characters may be emitted using their usual
554C-language representation:
555
556 \n to insert a line feed (LF, character \x0a or ASCII 10 decimal)
557 \r to insert a carriage return (CR, character \x0d or ASCII 13 decimal)
558 \t to insert a tab (character \x09 or ASCII 9 decimal)
559 \xNN to insert character having ASCII code hex NN (e.g \x0a for LF).
560
561Weak quoting is achieved by surrounding double quotes ("") around the character
562or sequence of characters to protect. Weak quoting prevents the interpretation
563of:
William Lallemandf9873ba2015-05-05 17:37:14 +0200564
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100565 space or tab as a word separator
William Lallemandf9873ba2015-05-05 17:37:14 +0200566 ' single quote as a strong quoting delimiter
567 # hash as a comment start
568
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100569Weak quoting permits the interpretation of environment variables (which are not
570evaluated outside of quotes) by preceding them with a dollar sign ('$'). If a
571dollar character is needed inside double quotes, it must be escaped using a
572backslash.
William Lallemandb2f07452015-05-12 14:27:13 +0200573
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100574Strong quoting is achieved by surrounding single quotes ('') around the
575character or sequence of characters to protect. Inside single quotes, nothing
576is interpreted, it's the efficient way to quote regular expressions.
William Lallemandf9873ba2015-05-05 17:37:14 +0200577
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100578As a result, here is the matrix indicating how special characters can be
579entered in different contexts (unprintable characters are replaced with their
580name within angle brackets). Note that some characters that may only be
581represented escaped have no possible representation inside single quotes,
582hence the '-' there:
William Lallemandf9873ba2015-05-05 17:37:14 +0200583
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100584 Character | Unquoted | Weakly quoted | Strongly quoted
585 -----------+---------------+-----------------------------+-----------------
586 <TAB> | \<TAB>, \x09 | "<TAB>", "\<TAB>", "\x09" | '<TAB>'
587 <LF> | \n, \x0a | "\n", "\x0a" | -
588 <CR> | \r, \x0d | "\r", "\x0d" | -
589 <SPC> | \<SPC>, \x20 | "<SPC>", "\<SPC>", "\x20" | '<SPC>'
590 " | \", \x22 | "\"", "\x22" | '"'
591 # | \#, \x23 | "#", "\#", "\x23" | '#'
592 $ | $, \$, \x24 | "\$", "\x24" | '$'
593 ' | \', \x27 | "'", "\'", "\x27" | -
594 \ | \\, \x5c | "\\", "\x5c" | '\'
William Lallemandf9873ba2015-05-05 17:37:14 +0200595
596 Example:
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100597 # those are all strictly equivalent:
William Lallemandf9873ba2015-05-05 17:37:14 +0200598 log-format %{+Q}o\ %t\ %s\ %{-Q}r
599 log-format "%{+Q}o %t %s %{-Q}r"
600 log-format '%{+Q}o %t %s %{-Q}r'
601 log-format "%{+Q}o %t"' %s %{-Q}r'
602 log-format "%{+Q}o %t"' %s'\ %{-Q}r
603
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100604There is one particular case where a second level of quoting or escaping may be
605necessary. Some keywords take arguments within parenthesis, sometimes delimited
606by commas. These arguments are commonly integers or predefined words, but when
607they are arbitrary strings, it may be required to perform a separate level of
608escaping to disambiguate the characters that belong to the argument from the
609characters that are used to delimit the arguments themselves. A pretty common
610case is the "regsub" converter. It takes a regular expression in argument, and
611if a closing parenthesis is needed inside, this one will require to have its
612own quotes.
613
614The keyword argument parser is exactly the same as the top-level one regarding
615quotes, except that is will not make special cases of backslashes. But what is
Ilya Shipitsin2272d8a2020-12-21 01:22:40 +0500616not always obvious is that the delimiters used inside must first be escaped or
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100617quoted so that they are not resolved at the top level.
618
619Let's take this example making use of the "regsub" converter which takes 3
620arguments, one regular expression, one replacement string and one set of flags:
621
622 # replace all occurrences of "foo" with "blah" in the path:
623 http-request set-path %[path,regsub(foo,blah,g)]
624
625Here no special quoting was necessary. But if now we want to replace either
626"foo" or "bar" with "blah", we'll need the regular expression "(foo|bar)". We
627cannot write:
628
629 http-request set-path %[path,regsub((foo|bar),blah,g)]
630
631because we would like the string to cut like this:
632
633 http-request set-path %[path,regsub((foo|bar),blah,g)]
634 |---------|----|-|
635 arg1 _/ / /
636 arg2 __________/ /
637 arg3 ______________/
638
639but actually what is passed is a string between the opening and closing
640parenthesis then garbage:
641
642 http-request set-path %[path,regsub((foo|bar),blah,g)]
643 |--------|--------|
644 arg1=(foo|bar _/ /
645 trailing garbage _________/
646
647The obvious solution here seems to be that the closing parenthesis needs to be
648quoted, but alone this will not work, because as mentioned above, quotes are
649processed by the top-level parser which will resolve them before processing
650this word:
651
652 http-request set-path %[path,regsub("(foo|bar)",blah,g)]
653 ------------ -------- ----------------------------------
654 word1 word2 word3=%[path,regsub((foo|bar),blah,g)]
655
656So we didn't change anything for the argument parser at the second level which
657still sees a truncated regular expression as the only argument, and garbage at
658the end of the string. By escaping the quotes they will be passed unmodified to
659the second level:
660
661 http-request set-path %[path,regsub(\"(foo|bar)\",blah,g)]
662 ------------ -------- ------------------------------------
663 word1 word2 word3=%[path,regsub("(foo|bar)",blah,g)]
664 |---------||----|-|
665 arg1=(foo|bar) _/ / /
666 arg2=blah ___________/ /
667 arg3=g _______________/
668
Ilya Shipitsin2272d8a2020-12-21 01:22:40 +0500669Another approach consists in using single quotes outside the whole string and
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100670double quotes inside (so that the double quotes are not stripped again):
671
672 http-request set-path '%[path,regsub("(foo|bar)",blah,g)]'
673 ------------ -------- ----------------------------------
674 word1 word2 word3=%[path,regsub("(foo|bar)",blah,g)]
675 |---------||----|-|
676 arg1=(foo|bar) _/ / /
677 arg2 ___________/ /
678 arg3 _______________/
679
680When using regular expressions, it can happen that the dollar ('$') character
681appears in the expression or that a backslash ('\') is used in the replacement
682string. In this case these ones will also be processed inside the double quotes
683thus single quotes are preferred (or double escaping). Example:
684
685 http-request set-path '%[path,regsub("^/(here)(/|$)","my/\1",g)]'
686 ------------ -------- -----------------------------------------
687 word1 word2 word3=%[path,regsub("^/(here)(/|$)","my/\1",g)]
688 |-------------| |-----||-|
689 arg1=(here)(/|$) _/ / /
690 arg2=my/\1 ________________/ /
691 arg3 ______________________/
692
Daniel Corbett9f0843f2021-05-08 10:50:37 -0400693Remember that backslashes are not escape characters within single quotes and
Willy Tarreau6f1129d2020-11-25 19:58:20 +0100694that the whole word3 above is already protected against them using the single
695quotes. Conversely, if double quotes had been used around the whole expression,
696single the dollar character and the backslashes would have been resolved at top
697level, breaking the argument contents at the second level.
698
699When in doubt, simply do not use quotes anywhere, and start to place single or
700double quotes around arguments that require a comma or a closing parenthesis,
701and think about escaping these quotes using a backslash of the string contains
702a dollar or a backslash. Again, this is pretty similar to what is used under
703a Bourne shell when double-escaping a command passed to "eval". For API writers
704the best is probably to place escaped quotes around each and every argument,
705regardless of their contents. Users will probably find that using single quotes
706around the whole expression and double quotes around each argument provides
707more readable configurations.
William Lallemandf9873ba2015-05-05 17:37:14 +0200708
709
William Lallemandb2f07452015-05-12 14:27:13 +02007102.3. Environment variables
711--------------------------
712
713HAProxy's configuration supports environment variables. Those variables are
714interpreted only within double quotes. Variables are expanded during the
715configuration parsing. Variable names must be preceded by a dollar ("$") and
716optionally enclosed with braces ("{}") similarly to what is done in Bourne
717shell. Variable names can contain alphanumerical characters or the character
Amaury Denoyellefa41cb62020-10-01 14:32:35 +0200718underscore ("_") but should not start with a digit. If the variable contains a
719list of several values separated by spaces, it can be expanded as individual
720arguments by enclosing the variable with braces and appending the suffix '[*]'
721before the closing brace.
William Lallemandb2f07452015-05-12 14:27:13 +0200722
723 Example:
724
725 bind "fd@${FD_APP1}"
726
727 log "${LOCAL_SYSLOG}:514" local0 notice # send to local server
728
729 user "$HAPROXY_USER"
730
William Lallemand4d03e432019-06-14 15:35:37 +0200731Some variables are defined by HAProxy, they can be used in the configuration
732file, or could be inherited by a program (See 3.7. Programs):
William Lallemanddaf4cd22018-04-17 16:46:13 +0200733
William Lallemand4d03e432019-06-14 15:35:37 +0200734* HAPROXY_LOCALPEER: defined at the startup of the process which contains the
735 name of the local peer. (See "-L" in the management guide.)
736
737* HAPROXY_CFGFILES: list of the configuration files loaded by HAProxy,
738 separated by semicolons. Can be useful in the case you specified a
739 directory.
740
741* HAPROXY_MWORKER: In master-worker mode, this variable is set to 1.
742
John Roeslerfb2fce12019-07-10 15:45:51 -0500743* HAPROXY_CLI: configured listeners addresses of the stats socket for every
William Lallemand4d03e432019-06-14 15:35:37 +0200744 processes, separated by semicolons.
745
John Roeslerfb2fce12019-07-10 15:45:51 -0500746* HAPROXY_MASTER_CLI: In master-worker mode, listeners addresses of the master
William Lallemand4d03e432019-06-14 15:35:37 +0200747 CLI, separated by semicolons.
748
Willy Tarreaua46f1af2021-05-06 10:25:11 +0200749In addition, some pseudo-variables are internally resolved and may be used as
750regular variables. Pseudo-variables always start with a dot ('.'), and are the
751only ones where the dot is permitted. The current list of pseudo-variables is:
752
753* .FILE: the name of the configuration file currently being parsed.
754
755* .LINE: the line number of the configuration file currently being parsed,
756 starting at one.
757
758* .SECTION: the name of the section currently being parsed, or its type if the
759 section doesn't have a name (e.g. "global"), or an empty string before the
760 first section.
761
762These variables are resolved at the location where they are parsed. For example
763if a ".LINE" variable is used in a "log-format" directive located in a defaults
764section, its line number will be resolved before parsing and compiling the
765"log-format" directive, so this same line number will be reused by subsequent
766proxies.
767
768This way it is possible to emit information to help locate a rule in variables,
769logs, error statuses, health checks, header values, or even to use line numbers
770to name some config objects like servers for example.
771
William Lallemand4d03e432019-06-14 15:35:37 +0200772See also "external-check command" for other variables.
William Lallemandb2f07452015-05-12 14:27:13 +0200773
Willy Tarreau4b103022021-02-12 17:59:10 +0100774
7752.4. Conditional blocks
776-----------------------
777
778It may sometimes be convenient to be able to conditionally enable or disable
779some arbitrary parts of the configuration, for example to enable/disable SSL or
780ciphers, enable or disable some pre-production listeners without modifying the
781configuration, or adjust the configuration's syntax to support two distinct
782versions of HAProxy during a migration.. HAProxy brings a set of nestable
783preprocessor-like directives which allow to integrate or ignore some blocks of
784text. These directives must be placed on their own line and they act on the
785lines that follow them. Two of them support an expression, the other ones only
786switch to an alternate block or end a current level. The 4 following directives
787are defined to form conditional blocks:
788
789 - .if <condition>
790 - .elif <condition>
791 - .else
792 - .endif
793
794The ".if" directive nests a new level, ".elif" stays at the same level, ".else"
795as well, and ".endif" closes a level. Each ".if" must be terminated by a
796matching ".endif". The ".elif" may only be placed after ".if" or ".elif", and
797there is no limit to the number of ".elif" that may be chained. There may be
798only one ".else" per ".if" and it must always be after the ".if" or the last
799".elif" of a block.
800
801Comments may be placed on the same line if needed after a '#', they will be
802ignored. The directives are tokenized like other configuration directives, and
803as such it is possible to use environment variables in conditions.
804
805The conditions are currently limited to:
806
807 - an empty string, always returns "false"
808 - the integer zero ('0'), always returns "false"
809 - a non-nul integer (e.g. '1'), always returns "true".
Willy Tarreau42ed14b2021-05-06 15:55:14 +0200810 - a predicate optionally followed by argument(s) in parenthesis.
811
812The list of currently supported predicates is the following:
813
814 - defined(<name>) : returns true if an environment variable <name>
815 exists, regardless of its contents
816
Willy Tarreau58ca7062021-05-06 16:34:23 +0200817 - feature(<name>) : returns true if feature <name> is listed as present
818 in the features list reported by "haproxy -vv"
819 (which means a <name> appears after a '+')
820
Willy Tarreau6492e872021-05-06 16:10:09 +0200821 - streq(<str1>,<str2>) : returns true only if the two strings are equal
822 - strneq(<str1>,<str2>) : returns true only if the two strings differ
823
Willy Tarreau0b7c78a2021-05-06 16:53:26 +0200824 - version_atleast(<ver>): returns true if the current haproxy version is
825 at least as recent as <ver> otherwise false. The
826 version syntax is the same as shown by "haproxy -v"
827 and missing components are assumed as being zero.
828
829 - version_before(<ver>) : returns true if the current haproxy version is
830 strictly older than <ver> otherwise false. The
831 version syntax is the same as shown by "haproxy -v"
832 and missing components are assumed as being zero.
833
Willy Tarreau42ed14b2021-05-06 15:55:14 +0200834Example:
Willy Tarreau4b103022021-02-12 17:59:10 +0100835
Willy Tarreau42ed14b2021-05-06 15:55:14 +0200836 .if defined(HAPROXY_MWORKER)
837 listen mwcli_px
838 bind :1111
839 ...
840 .endif
Willy Tarreau4b103022021-02-12 17:59:10 +0100841
Willy Tarreau6492e872021-05-06 16:10:09 +0200842 .if strneq("$SSL_ONLY",yes)
843 bind :80
844 .endif
845
846 .if streq("$WITH_SSL",yes)
Willy Tarreau58ca7062021-05-06 16:34:23 +0200847 .if feature(OPENSSL)
Willy Tarreau6492e872021-05-06 16:10:09 +0200848 bind :443 ssl crt ...
Willy Tarreau58ca7062021-05-06 16:34:23 +0200849 .endif
Willy Tarreau6492e872021-05-06 16:10:09 +0200850 .endif
851
Willy Tarreau0b7c78a2021-05-06 16:53:26 +0200852 .if version_atleast(2.4-dev19)
853 profiling.memory on
854 .endif
855
Willy Tarreau7190b982021-05-07 08:59:50 +0200856Four other directives are provided to report some status:
Willy Tarreau4b103022021-02-12 17:59:10 +0100857
Willy Tarreau7190b982021-05-07 08:59:50 +0200858 - .diag "message" : emit this message only when in diagnostic mode (-dD)
Willy Tarreau4b103022021-02-12 17:59:10 +0100859 - .notice "message" : emit this message at level NOTICE
860 - .warning "message" : emit this message at level WARNING
861 - .alert "message" : emit this message at level ALERT
862
863Messages emitted at level WARNING may cause the process to fail to start if the
864"strict-mode" is enabled. Messages emitted at level ALERT will always cause a
865fatal error. These can be used to detect some inappropriate conditions and
866provide advice to the user.
867
868Example:
869
870 .if "${A}"
871 .if "${B}"
872 .notice "A=1, B=1"
873 .elif "${C}"
874 .notice "A=1, B=0, C=1"
875 .elif "${D}"
876 .warning "A=1, B=0, C=0, D=1"
877 .else
878 .alert "A=1, B=0, C=0, D=0"
879 .endif
880 .else
881 .notice "A=0"
882 .endif
883
Willy Tarreau7190b982021-05-07 08:59:50 +0200884 .diag "WTA/2021-05-07: replace 'redirect' with 'return' after switch to 2.4"
885 http-request redirect location /goaway if ABUSE
886
Willy Tarreau4b103022021-02-12 17:59:10 +0100887
8882.5. Time format
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200889----------------
890
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100891Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100892values are generally expressed in milliseconds (unless explicitly stated
893otherwise) but may be expressed in any other unit by suffixing the unit to the
894numeric value. It is important to consider this because it will not be repeated
895for every keyword. Supported units are :
896
897 - us : microseconds. 1 microsecond = 1/1000000 second
898 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
899 - s : seconds. 1s = 1000ms
900 - m : minutes. 1m = 60s = 60000ms
901 - h : hours. 1h = 60m = 3600s = 3600000ms
902 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
903
904
Willy Tarreau4b103022021-02-12 17:59:10 +01009052.6. Examples
Patrick Mezard35da19c2010-06-12 17:02:47 +0200906-------------
907
908 # Simple configuration for an HTTP proxy listening on port 80 on all
909 # interfaces and forwarding requests to a single backend "servers" with a
910 # single server "server1" listening on 127.0.0.1:8000
911 global
912 daemon
913 maxconn 256
914
915 defaults
916 mode http
917 timeout connect 5000ms
918 timeout client 50000ms
919 timeout server 50000ms
920
921 frontend http-in
922 bind *:80
923 default_backend servers
924
925 backend servers
926 server server1 127.0.0.1:8000 maxconn 32
927
928
929 # The same configuration defined with a single listen block. Shorter but
930 # less expressive, especially in HTTP mode.
931 global
932 daemon
933 maxconn 256
934
935 defaults
936 mode http
937 timeout connect 5000ms
938 timeout client 50000ms
939 timeout server 50000ms
940
941 listen http-in
942 bind *:80
943 server server1 127.0.0.1:8000 maxconn 32
944
945
946Assuming haproxy is in $PATH, test these configurations in a shell with:
947
Willy Tarreauccb289d2010-12-11 20:19:38 +0100948 $ sudo haproxy -f configuration.conf -c
Patrick Mezard35da19c2010-06-12 17:02:47 +0200949
950
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009513. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200952--------------------
953
954Parameters in the "global" section are process-wide and often OS-specific. They
955are generally set once for all and do not need being changed once correct. Some
956of them have command-line equivalents.
957
958The following keywords are supported in the "global" section :
959
960 * Process management and security
Emeric Brunc8e8d122012-10-02 18:42:10 +0200961 - ca-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200962 - chroot
Emeric Brunc8e8d122012-10-02 18:42:10 +0200963 - crt-base
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200964 - cpu-map
Willy Tarreau6a06a402007-07-15 20:15:28 +0200965 - daemon
Willy Tarreau8a022d52021-04-27 20:29:11 +0200966 - default-path
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200967 - description
968 - deviceatlas-json-file
969 - deviceatlas-log-level
970 - deviceatlas-separator
971 - deviceatlas-properties-cookie
Amaury Denoyelled2e53cd2021-05-06 16:21:39 +0200972 - expose-experimental-directives
Simon Horman98637e52014-06-20 12:30:16 +0900973 - external-check
Willy Tarreau6a06a402007-07-15 20:15:28 +0200974 - gid
975 - group
Cyril Bonté203ec5a2017-03-23 22:44:13 +0100976 - hard-stop-after
Christopher Faulet98fbe952019-07-22 16:18:24 +0200977 - h1-case-adjust
978 - h1-case-adjust-file
Willy Tarreaud96f1122019-12-03 07:07:36 +0100979 - insecure-fork-wanted
Willy Tarreaua45a8b52019-12-06 16:31:45 +0100980 - insecure-setuid-wanted
Emmanuel Hocdet70df7bf2019-01-04 11:08:20 +0100981 - issuers-chain-path
Dragan Dosen13cd54c2020-06-18 18:24:05 +0200982 - localpeer
Willy Tarreau6a06a402007-07-15 20:15:28 +0200983 - log
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200984 - log-tag
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100985 - log-send-hostname
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200986 - lua-load
Thierry Fournier59f11be2020-11-29 00:37:41 +0100987 - lua-load-per-thread
Tim Duesterhusdd74b5f2020-01-12 13:55:40 +0100988 - lua-prepend-path
William Lallemand27edc4b2019-05-07 17:49:33 +0200989 - mworker-max-reloads
Willy Tarreau6a06a402007-07-15 20:15:28 +0200990 - nbproc
Christopher Fauletbe0faa22017-08-29 15:37:10 +0200991 - nbthread
Baptiste Assmann3493d0f2015-10-12 20:21:23 +0200992 - node
Amaury Denoyelle0f50cb92021-03-26 18:50:33 +0100993 - numa-cpu-mapping
Willy Tarreau6a06a402007-07-15 20:15:28 +0200994 - pidfile
Willy Tarreau119e50e2020-05-22 13:53:29 +0200995 - pp2-never-send-local
Willy Tarreau1d549722016-02-16 12:41:57 +0100996 - presetenv
997 - resetenv
Willy Tarreau6a06a402007-07-15 20:15:28 +0200998 - uid
999 - ulimit-n
1000 - user
Willy Tarreau636848a2019-04-15 19:38:50 +02001001 - set-dumpable
Willy Tarreau13d2ba22021-03-26 11:38:08 +01001002 - set-var
Willy Tarreau1d549722016-02-16 12:41:57 +01001003 - setenv
Willy Tarreaufbee7132007-10-18 13:53:22 +02001004 - stats
Baptiste Assmann3493d0f2015-10-12 20:21:23 +02001005 - ssl-default-bind-ciphers
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001006 - ssl-default-bind-ciphersuites
Jerome Magninb203ff62020-04-03 15:28:22 +02001007 - ssl-default-bind-curves
Baptiste Assmann3493d0f2015-10-12 20:21:23 +02001008 - ssl-default-bind-options
1009 - ssl-default-server-ciphers
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001010 - ssl-default-server-ciphersuites
Baptiste Assmann3493d0f2015-10-12 20:21:23 +02001011 - ssl-default-server-options
1012 - ssl-dh-param-file
Emeric Brun850efd52014-01-29 12:24:34 +01001013 - ssl-server-verify
Emmanuel Hocdetc3b7e742020-04-22 11:06:19 +02001014 - ssl-skip-self-issued-ca
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001015 - unix-bind
Willy Tarreau1d549722016-02-16 12:41:57 +01001016 - unsetenv
Thomas Holmesdb04f192015-05-18 13:21:39 +01001017 - 51degrees-data-file
1018 - 51degrees-property-name-list
Dragan Dosen93b38d92015-06-29 16:43:25 +02001019 - 51degrees-property-separator
Dragan Dosenae6d39a2015-06-29 16:43:27 +02001020 - 51degrees-cache-size
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02001021 - wurfl-data-file
1022 - wurfl-information-list
1023 - wurfl-information-list-separator
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02001024 - wurfl-cache-size
William Dauchy0fec3ab2019-10-27 20:08:11 +01001025 - strict-limits
Willy Tarreaud72758d2010-01-12 10:42:19 +01001026
Willy Tarreau6a06a402007-07-15 20:15:28 +02001027 * Performance tuning
William Dauchy0a8824f2019-10-27 20:08:09 +01001028 - busy-polling
Willy Tarreau1746eec2014-04-25 10:46:47 +02001029 - max-spread-checks
Willy Tarreau6a06a402007-07-15 20:15:28 +02001030 - maxconn
Willy Tarreau81c25d02011-09-07 15:17:21 +02001031 - maxconnrate
William Lallemandd85f9172012-11-09 17:05:39 +01001032 - maxcomprate
William Lallemand072a2bf2012-11-20 17:01:01 +01001033 - maxcompcpuusage
Willy Tarreauff4f82d2009-02-06 11:28:13 +01001034 - maxpipes
Willy Tarreau93e7c002013-10-07 18:51:07 +02001035 - maxsessrate
Willy Tarreau403edff2012-09-06 11:58:37 +02001036 - maxsslconn
Willy Tarreaue43d5322013-10-07 20:01:52 +02001037 - maxsslrate
Baptiste Assmann3493d0f2015-10-12 20:21:23 +02001038 - maxzlibmem
Willy Tarreau6a06a402007-07-15 20:15:28 +02001039 - noepoll
1040 - nokqueue
Emmanuel Hocdet0ba4f482019-04-08 16:53:32 +00001041 - noevports
Willy Tarreau6a06a402007-07-15 20:15:28 +02001042 - nopoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +01001043 - nosplice
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001044 - nogetaddrinfo
Lukas Tribusa0bcbdc2016-09-12 21:42:20 +00001045 - noreuseport
Willy Tarreau75c62c22018-11-22 11:02:09 +01001046 - profiling.tasks
Willy Tarreaufe255b72007-10-14 23:09:26 +02001047 - spread-checks
Baptiste Assmann5626f482015-08-23 10:00:10 +02001048 - server-state-base
Baptiste Assmannef1f0fc2015-08-23 10:06:39 +02001049 - server-state-file
Grant Zhang872f9c22017-01-21 01:10:18 +00001050 - ssl-engine
Grant Zhangfa6c7ee2017-01-14 01:42:15 +00001051 - ssl-mode-async
Baptiste Assmann3493d0f2015-10-12 20:21:23 +02001052 - tune.buffers.limit
1053 - tune.buffers.reserve
Willy Tarreau27a674e2009-08-17 07:23:33 +02001054 - tune.bufsize
Willy Tarreau43961d52010-10-04 20:39:20 +02001055 - tune.chksize
William Lallemandf3747832012-11-09 12:33:10 +01001056 - tune.comp.maxlevel
Willy Tarreaubc52bec2020-06-18 08:58:47 +02001057 - tune.fd.edge-triggered
Willy Tarreaufe20e5b2017-07-27 11:42:14 +02001058 - tune.h2.header-table-size
Willy Tarreaue6baec02017-07-27 11:45:11 +02001059 - tune.h2.initial-window-size
Willy Tarreau5242ef82017-07-27 11:47:28 +02001060 - tune.h2.max-concurrent-streams
Willy Tarreau193b8c62012-11-22 00:17:38 +01001061 - tune.http.cookielen
Stéphane Cottin23e9e932017-05-18 08:58:41 +02001062 - tune.http.logurilen
Willy Tarreauac1932d2011-10-24 19:14:41 +02001063 - tune.http.maxhdr
Willy Tarreau76cc6992020-07-01 18:49:24 +02001064 - tune.idle-pool.shared
Willy Tarreau7e312732014-02-12 16:35:14 +01001065 - tune.idletimer
Thierry FOURNIER90da1912015-03-05 11:17:06 +01001066 - tune.lua.forced-yield
Willy Tarreau32f61e22015-03-18 17:54:59 +01001067 - tune.lua.maxmem
Thierry FOURNIER90da1912015-03-05 11:17:06 +01001068 - tune.lua.session-timeout
1069 - tune.lua.task-timeout
Thierry FOURNIER7dd784b2015-10-01 14:49:33 +02001070 - tune.lua.service-timeout
Willy Tarreaua0250ba2008-01-06 11:22:57 +01001071 - tune.maxaccept
1072 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +02001073 - tune.maxrewrite
Willy Tarreauf3045d22015-04-29 16:24:50 +02001074 - tune.pattern.cache-size
Willy Tarreaubd9a0a72011-10-23 21:14:29 +02001075 - tune.pipesize
Willy Tarreaua8e2d972020-07-01 18:27:16 +02001076 - tune.pool-high-fd-ratio
1077 - tune.pool-low-fd-ratio
Willy Tarreaue803de22010-01-21 17:43:04 +01001078 - tune.rcvbuf.client
1079 - tune.rcvbuf.server
Willy Tarreaub22fc302015-12-14 12:04:35 +01001080 - tune.recv_enough
Olivier Houchard1599b802018-05-24 18:59:04 +02001081 - tune.runqueue-depth
Willy Tarreaue7723bd2020-06-24 11:11:02 +02001082 - tune.sched.low-latency
Willy Tarreaue803de22010-01-21 17:43:04 +01001083 - tune.sndbuf.client
1084 - tune.sndbuf.server
Willy Tarreau6ec58db2012-11-16 16:32:15 +01001085 - tune.ssl.cachesize
William Lallemand7d42ef52020-07-06 11:41:30 +02001086 - tune.ssl.keylog
Willy Tarreaubfd59462013-02-21 07:46:09 +01001087 - tune.ssl.lifetime
Emeric Brun8dc60392014-05-09 13:52:00 +02001088 - tune.ssl.force-private-cache
Willy Tarreaubfd59462013-02-21 07:46:09 +01001089 - tune.ssl.maxrecord
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001090 - tune.ssl.default-dh-param
Christopher Faulet31af49d2015-06-09 17:29:50 +02001091 - tune.ssl.ssl-ctx-cache-size
Thierry FOURNIER5bf77322017-02-25 12:45:22 +01001092 - tune.ssl.capture-cipherlist-size
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02001093 - tune.vars.global-max-size
Christopher Fauletff2613e2016-11-09 11:36:17 +01001094 - tune.vars.proc-max-size
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02001095 - tune.vars.reqres-max-size
1096 - tune.vars.sess-max-size
1097 - tune.vars.txn-max-size
William Lallemanda509e4c2012-11-07 16:54:34 +01001098 - tune.zlib.memlevel
1099 - tune.zlib.windowsize
Willy Tarreaud72758d2010-01-12 10:42:19 +01001100
Willy Tarreau6a06a402007-07-15 20:15:28 +02001101 * Debugging
Willy Tarreau6a06a402007-07-15 20:15:28 +02001102 - quiet
Willy Tarreau3eb10b82020-04-15 16:42:39 +02001103 - zero-warning
Willy Tarreau6a06a402007-07-15 20:15:28 +02001104
1105
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011063.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +02001107------------------------------------
1108
Emeric Brunc8e8d122012-10-02 18:42:10 +02001109ca-base <dir>
1110 Assigns a default directory to fetch SSL CA certificates and CRLs from when a
Emmanuel Hocdet842e94e2019-12-16 16:39:17 +01001111 relative path is used with "ca-file", "ca-verify-file" or "crl-file"
1112 directives. Absolute locations specified in "ca-file", "ca-verify-file" and
1113 "crl-file" prevail and ignore "ca-base".
Emeric Brunc8e8d122012-10-02 18:42:10 +02001114
Willy Tarreau6a06a402007-07-15 20:15:28 +02001115chroot <jail dir>
1116 Changes current directory to <jail dir> and performs a chroot() there before
1117 dropping privileges. This increases the security level in case an unknown
1118 vulnerability would be exploited, since it would make it very hard for the
1119 attacker to exploit the system. This only works when the process is started
1120 with superuser privileges. It is important to ensure that <jail_dir> is both
Davor Ocelice9ed2812017-12-25 17:49:28 +01001121 empty and non-writable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +01001122
Christopher Fauletcb6a9452017-11-22 16:50:41 +01001123cpu-map [auto:]<process-set>[/<thread-set>] <cpu-set>...
1124 On Linux 2.6 and above, it is possible to bind a process or a thread to a
1125 specific CPU set. This means that the process or the thread will never run on
1126 other CPUs. The "cpu-map" directive specifies CPU sets for process or thread
1127 sets. The first argument is a process set, eventually followed by a thread
1128 set. These sets have the format
1129
1130 all | odd | even | number[-[number]]
1131
1132 <number>> must be a number between 1 and 32 or 64, depending on the machine's
Davor Ocelice9ed2812017-12-25 17:49:28 +01001133 word size. Any process IDs above nbproc and any thread IDs above nbthread are
Christopher Fauletcb6a9452017-11-22 16:50:41 +01001134 ignored. It is possible to specify a range with two such number delimited by
1135 a dash ('-'). It also is possible to specify all processes at once using
Christopher Faulet1dcb9cb2017-11-22 10:24:40 +01001136 "all", only odd numbers using "odd" or even numbers using "even", just like
1137 with the "bind-process" directive. The second and forthcoming arguments are
Amaury Denoyelle982fb532021-04-21 18:39:58 +02001138 CPU sets. Each CPU set is either a unique number starting at 0 for the first
1139 CPU or a range with two such numbers delimited by a dash ('-'). Outside of
1140 Linux and BSDs, there may be a limitation on the maximum CPU index to either
1141 31 or 63. Multiple CPU numbers or ranges may be specified, and the processes
1142 or threads will be allowed to bind to all of them. Obviously, multiple
1143 "cpu-map" directives may be specified. Each "cpu-map" directive will replace
1144 the previous ones when they overlap. A thread will be bound on the
1145 intersection of its mapping and the one of the process on which it is
1146 attached. If the intersection is null, no specific binding will be set for
1147 the thread.
Willy Tarreaufc6c0322012-11-16 16:12:27 +01001148
Christopher Fauletff4121f2017-11-22 16:38:49 +01001149 Ranges can be partially defined. The higher bound can be omitted. In such
1150 case, it is replaced by the corresponding maximum value, 32 or 64 depending
1151 on the machine's word size.
1152
Christopher Faulet26028f62017-11-22 15:01:51 +01001153 The prefix "auto:" can be added before the process set to let HAProxy
Christopher Fauletcb6a9452017-11-22 16:50:41 +01001154 automatically bind a process or a thread to a CPU by incrementing
1155 process/thread and CPU sets. To be valid, both sets must have the same
1156 size. No matter the declaration order of the CPU sets, it will be bound from
1157 the lowest to the highest bound. Having a process and a thread range with the
1158 "auto:" prefix is not supported. Only one range is supported, the other one
1159 must be a fixed number.
Christopher Faulet26028f62017-11-22 15:01:51 +01001160
1161 Examples:
Christopher Fauletcb6a9452017-11-22 16:50:41 +01001162 cpu-map 1-4 0-3 # bind processes 1 to 4 on the first 4 CPUs
1163
1164 cpu-map 1/all 0-3 # bind all threads of the first process on the
1165 # first 4 CPUs
1166
1167 cpu-map 1- 0- # will be replaced by "cpu-map 1-64 0-63"
1168 # or "cpu-map 1-32 0-31" depending on the machine's
1169 # word size.
1170
Christopher Faulet26028f62017-11-22 15:01:51 +01001171 # all these lines bind the process 1 to the cpu 0, the process 2 to cpu 1
Christopher Fauletcb6a9452017-11-22 16:50:41 +01001172 # and so on.
Christopher Faulet26028f62017-11-22 15:01:51 +01001173 cpu-map auto:1-4 0-3
1174 cpu-map auto:1-4 0-1 2-3
1175 cpu-map auto:1-4 3 2 1 0
1176
Christopher Fauletcb6a9452017-11-22 16:50:41 +01001177 # all these lines bind the thread 1 to the cpu 0, the thread 2 to cpu 1
1178 # and so on.
1179 cpu-map auto:1/1-4 0-3
1180 cpu-map auto:1/1-4 0-1 2-3
1181 cpu-map auto:1/1-4 3 2 1 0
1182
Davor Ocelice9ed2812017-12-25 17:49:28 +01001183 # bind each process to exactly one CPU using all/odd/even keyword
Christopher Faulet26028f62017-11-22 15:01:51 +01001184 cpu-map auto:all 0-63
1185 cpu-map auto:even 0-31
1186 cpu-map auto:odd 32-63
1187
1188 # invalid cpu-map because process and CPU sets have different sizes.
1189 cpu-map auto:1-4 0 # invalid
1190 cpu-map auto:1 0-3 # invalid
1191
Christopher Fauletcb6a9452017-11-22 16:50:41 +01001192 # invalid cpu-map because automatic binding is used with a process range
1193 # and a thread range.
1194 cpu-map auto:all/all 0 # invalid
1195 cpu-map auto:all/1-4 0 # invalid
1196 cpu-map auto:1-4/all 0 # invalid
1197
Emeric Brunc8e8d122012-10-02 18:42:10 +02001198crt-base <dir>
1199 Assigns a default directory to fetch SSL certificates from when a relative
William Dauchy238ea3b2020-01-11 13:09:12 +01001200 path is used with "crtfile" or "crt" directives. Absolute locations specified
1201 prevail and ignore "crt-base".
Emeric Brunc8e8d122012-10-02 18:42:10 +02001202
Willy Tarreau6a06a402007-07-15 20:15:28 +02001203daemon
1204 Makes the process fork into background. This is the recommended mode of
1205 operation. It is equivalent to the command line "-D" argument. It can be
Lukas Tribusf46bf952017-11-21 12:39:34 +01001206 disabled by the command line "-db" argument. This option is ignored in
1207 systemd mode.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001208
Willy Tarreau8a022d52021-04-27 20:29:11 +02001209default-path { current | config | parent | origin <path> }
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001210 By default HAProxy loads all files designated by a relative path from the
Willy Tarreau8a022d52021-04-27 20:29:11 +02001211 location the process is started in. In some circumstances it might be
1212 desirable to force all relative paths to start from a different location
1213 just as if the process was started from such locations. This is what this
1214 directive is made for. Technically it will perform a temporary chdir() to
1215 the designated location while processing each configuration file, and will
1216 return to the original directory after processing each file. It takes an
1217 argument indicating the policy to use when loading files whose path does
1218 not start with a slash ('/'):
1219 - "current" indicates that all relative files are to be loaded from the
1220 directory the process is started in ; this is the default.
1221
1222 - "config" indicates that all relative files should be loaded from the
1223 directory containing the configuration file. More specifically, if the
1224 configuration file contains a slash ('/'), the longest part up to the
1225 last slash is used as the directory to change to, otherwise the current
1226 directory is used. This mode is convenient to bundle maps, errorfiles,
1227 certificates and Lua scripts together as relocatable packages. When
1228 multiple configuration files are loaded, the directory is updated for
1229 each of them.
1230
1231 - "parent" indicates that all relative files should be loaded from the
1232 parent of the directory containing the configuration file. More
1233 specifically, if the configuration file contains a slash ('/'), ".."
1234 is appended to the longest part up to the last slash is used as the
1235 directory to change to, otherwise the directory is "..". This mode is
1236 convenient to bundle maps, errorfiles, certificates and Lua scripts
1237 together as relocatable packages, but where each part is located in a
1238 different subdirectory (e.g. "config/", "certs/", "maps/", ...).
1239
1240 - "origin" indicates that all relative files should be loaded from the
1241 designated (mandatory) path. This may be used to ease management of
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001242 different HAProxy instances running in parallel on a system, where each
Willy Tarreau8a022d52021-04-27 20:29:11 +02001243 instance uses a different prefix but where the rest of the sections are
1244 made easily relocatable.
1245
1246 Each "default-path" directive instantly replaces any previous one and will
1247 possibly result in switching to a different directory. While this should
1248 always result in the desired behavior, it is really not a good practice to
1249 use multiple default-path directives, and if used, the policy ought to remain
1250 consistent across all configuration files.
1251
1252 Warning: some configuration elements such as maps or certificates are
1253 uniquely identified by their configured path. By using a relocatable layout,
1254 it becomes possible for several of them to end up with the same unique name,
1255 making it difficult to update them at run time, especially when multiple
1256 configuration files are loaded from different directories. It is essential to
1257 observe a strict collision-free file naming scheme before adopting relative
1258 paths. A robust approach could consist in prefixing all files names with
1259 their respective site name, or in doing so at the directory level.
1260
David Carlier8167f302015-06-01 13:50:06 +02001261deviceatlas-json-file <path>
1262 Sets the path of the DeviceAtlas JSON data file to be loaded by the API.
Davor Ocelice9ed2812017-12-25 17:49:28 +01001263 The path must be a valid JSON data file and accessible by HAProxy process.
David Carlier8167f302015-06-01 13:50:06 +02001264
1265deviceatlas-log-level <value>
Davor Ocelice9ed2812017-12-25 17:49:28 +01001266 Sets the level of information returned by the API. This directive is
David Carlier8167f302015-06-01 13:50:06 +02001267 optional and set to 0 by default if not set.
1268
1269deviceatlas-separator <char>
1270 Sets the character separator for the API properties results. This directive
1271 is optional and set to | by default if not set.
1272
Cyril Bonté0306c4a2015-10-26 22:37:38 +01001273deviceatlas-properties-cookie <name>
Cyril Bonté307ee1e2015-09-28 23:16:06 +02001274 Sets the client cookie's name used for the detection if the DeviceAtlas
1275 Client-side component was used during the request. This directive is optional
1276 and set to DAPROPS by default if not set.
David Carlier29b3ca32015-09-25 14:09:21 +01001277
Amaury Denoyelled2e53cd2021-05-06 16:21:39 +02001278expose-experimental-directives
1279 This statement must appear before using directives tagged as experimental or
1280 the config file will be rejected.
1281
Simon Horman98637e52014-06-20 12:30:16 +09001282external-check
Willy Tarreaud96f1122019-12-03 07:07:36 +01001283 Allows the use of an external agent to perform health checks. This is
1284 disabled by default as a security precaution, and even when enabled, checks
Willy Tarreaua45a8b52019-12-06 16:31:45 +01001285 may still fail unless "insecure-fork-wanted" is enabled as well. If the
1286 program launched makes use of a setuid executable (it should really not),
1287 you may also need to set "insecure-setuid-wanted" in the global section.
1288 See "option external-check", and "insecure-fork-wanted", and
1289 "insecure-setuid-wanted".
Simon Horman98637e52014-06-20 12:30:16 +09001290
Willy Tarreau6a06a402007-07-15 20:15:28 +02001291gid <number>
Thayne McCombscdbcca92021-01-07 21:24:41 -07001292 Changes the process's group ID to <number>. It is recommended that the group
Willy Tarreau6a06a402007-07-15 20:15:28 +02001293 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
1294 be started with a user belonging to this group, or with superuser privileges.
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001295 Note that if HAProxy is started from a user having supplementary groups, it
Michael Schererab012dd2013-01-12 18:35:19 +01001296 will only be able to drop these groups if started with superuser privileges.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001297 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +01001298
Willy Tarreau11770ce2019-12-03 08:29:22 +01001299group <group name>
1300 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
1301 See also "gid" and "user".
1302
Cyril Bonté203ec5a2017-03-23 22:44:13 +01001303hard-stop-after <time>
1304 Defines the maximum time allowed to perform a clean soft-stop.
1305
1306 Arguments :
1307 <time> is the maximum time (by default in milliseconds) for which the
1308 instance will remain alive when a soft-stop is received via the
1309 SIGUSR1 signal.
1310
1311 This may be used to ensure that the instance will quit even if connections
1312 remain opened during a soft-stop (for example with long timeouts for a proxy
1313 in tcp mode). It applies both in TCP and HTTP mode.
1314
1315 Example:
1316 global
1317 hard-stop-after 30s
1318
Christopher Faulet98fbe952019-07-22 16:18:24 +02001319h1-case-adjust <from> <to>
1320 Defines the case adjustment to apply, when enabled, to the header name
1321 <from>, to change it to <to> before sending it to HTTP/1 clients or
1322 servers. <from> must be in lower case, and <from> and <to> must not differ
1323 except for their case. It may be repeated if several header names need to be
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05001324 adjusted. Duplicate entries are not allowed. If a lot of header names have to
Christopher Faulet98fbe952019-07-22 16:18:24 +02001325 be adjusted, it might be more convenient to use "h1-case-adjust-file".
1326 Please note that no transformation will be applied unless "option
1327 h1-case-adjust-bogus-client" or "option h1-case-adjust-bogus-server" is
1328 specified in a proxy.
1329
1330 There is no standard case for header names because, as stated in RFC7230,
1331 they are case-insensitive. So applications must handle them in a case-
1332 insensitive manner. But some bogus applications violate the standards and
1333 erroneously rely on the cases most commonly used by browsers. This problem
1334 becomes critical with HTTP/2 because all header names must be exchanged in
1335 lower case, and HAProxy follows the same convention. All header names are
1336 sent in lower case to clients and servers, regardless of the HTTP version.
1337
1338 Applications which fail to properly process requests or responses may require
1339 to temporarily use such workarounds to adjust header names sent to them for
1340 the time it takes the application to be fixed. Please note that an
1341 application which requires such workarounds might be vulnerable to content
1342 smuggling attacks and must absolutely be fixed.
1343
1344 Example:
1345 global
1346 h1-case-adjust content-length Content-Length
1347
1348 See "h1-case-adjust-file", "option h1-case-adjust-bogus-client" and
1349 "option h1-case-adjust-bogus-server".
1350
1351h1-case-adjust-file <hdrs-file>
1352 Defines a file containing a list of key/value pairs used to adjust the case
1353 of some header names before sending them to HTTP/1 clients or servers. The
1354 file <hdrs-file> must contain 2 header names per line. The first one must be
1355 in lower case and both must not differ except for their case. Lines which
1356 start with '#' are ignored, just like empty lines. Leading and trailing tabs
1357 and spaces are stripped. Duplicate entries are not allowed. Please note that
1358 no transformation will be applied unless "option h1-case-adjust-bogus-client"
1359 or "option h1-case-adjust-bogus-server" is specified in a proxy.
1360
1361 If this directive is repeated, only the last one will be processed. It is an
1362 alternative to the directive "h1-case-adjust" if a lot of header names need
1363 to be adjusted. Please read the risks associated with using this.
1364
1365 See "h1-case-adjust", "option h1-case-adjust-bogus-client" and
1366 "option h1-case-adjust-bogus-server".
1367
Willy Tarreaud96f1122019-12-03 07:07:36 +01001368insecure-fork-wanted
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001369 By default HAProxy tries hard to prevent any thread and process creation
Willy Tarreaud96f1122019-12-03 07:07:36 +01001370 after it starts. Doing so is particularly important when using Lua files of
1371 uncertain origin, and when experimenting with development versions which may
1372 still contain bugs whose exploitability is uncertain. And generally speaking
1373 it's good hygiene to make sure that no unexpected background activity can be
1374 triggered by traffic. But this prevents external checks from working, and may
1375 break some very specific Lua scripts which actively rely on the ability to
1376 fork. This option is there to disable this protection. Note that it is a bad
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001377 idea to disable it, as a vulnerability in a library or within HAProxy itself
Willy Tarreaud96f1122019-12-03 07:07:36 +01001378 will be easier to exploit once disabled. In addition, forking from Lua or
1379 anywhere else is not reliable as the forked process may randomly embed a lock
1380 set by another thread and never manage to finish an operation. As such it is
1381 highly recommended that this option is never used and that any workload
1382 requiring such a fork be reconsidered and moved to a safer solution (such as
1383 agents instead of external checks). This option supports the "no" prefix to
1384 disable it.
1385
Willy Tarreaua45a8b52019-12-06 16:31:45 +01001386insecure-setuid-wanted
1387 HAProxy doesn't need to call executables at run time (except when using
1388 external checks which are strongly recommended against), and is even expected
1389 to isolate itself into an empty chroot. As such, there basically is no valid
1390 reason to allow a setuid executable to be called without the user being fully
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001391 aware of the risks. In a situation where HAProxy would need to call external
Willy Tarreaua45a8b52019-12-06 16:31:45 +01001392 checks and/or disable chroot, exploiting a vulnerability in a library or in
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001393 HAProxy itself could lead to the execution of an external program. On Linux
Willy Tarreaua45a8b52019-12-06 16:31:45 +01001394 it is possible to lock the process so that any setuid bit present on such an
1395 executable is ignored. This significantly reduces the risk of privilege
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001396 escalation in such a situation. This is what HAProxy does by default. In case
Willy Tarreaua45a8b52019-12-06 16:31:45 +01001397 this causes a problem to an external check (for example one which would need
1398 the "ping" command), then it is possible to disable this protection by
1399 explicitly adding this directive in the global section. If enabled, it is
1400 possible to turn it back off by prefixing it with the "no" keyword.
1401
Emmanuel Hocdet70df7bf2019-01-04 11:08:20 +01001402issuers-chain-path <dir>
1403 Assigns a directory to load certificate chain for issuer completion. All
1404 files must be in PEM format. For certificates loaded with "crt" or "crt-list",
1405 if certificate chain is not included in PEM (also commonly known as
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001406 intermediate certificate), HAProxy will complete chain if the issuer of the
Emmanuel Hocdet70df7bf2019-01-04 11:08:20 +01001407 certificate corresponds to the first certificate of the chain loaded with
1408 "issuers-chain-path".
1409 A "crt" file with PrivateKey+Certificate+IntermediateCA2+IntermediateCA1
1410 could be replaced with PrivateKey+Certificate. HAProxy will complete the
1411 chain if a file with IntermediateCA2+IntermediateCA1 is present in
1412 "issuers-chain-path" directory. All other certificates with the same issuer
1413 will share the chain in memory.
1414
Dragan Dosen13cd54c2020-06-18 18:24:05 +02001415localpeer <name>
1416 Sets the local instance's peer name. It will be ignored if the "-L"
1417 command line argument is specified or if used after "peers" section
1418 definitions. In such cases, a warning message will be emitted during
1419 the configuration parsing.
1420
1421 This option will also set the HAPROXY_LOCALPEER environment variable.
1422 See also "-L" in the management guide and "peers" section below.
1423
Jan Wagner3e678602020-12-17 22:22:32 +01001424log <address> [len <length>] [format <format>] [sample <ranges>:<sample_size>]
Frédéric Lécailled690dfa2019-04-25 10:52:17 +02001425 <facility> [max level [min level]]
Cyril Bonté3e954872018-03-20 23:30:27 +01001426 Adds a global syslog server. Several global servers can be defined. They
Davor Ocelice9ed2812017-12-25 17:49:28 +01001427 will receive logs for starts and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +01001428 configured with "log global".
1429
1430 <address> can be one of:
1431
Willy Tarreau2769aa02007-12-27 18:26:09 +01001432 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +01001433 no port is specified, 514 is used by default (the standard syslog
1434 port).
1435
David du Colombier24bb5f52011-03-17 10:40:23 +01001436 - An IPv6 address followed by a colon and optionally a UDP port. If
1437 no port is specified, 514 is used by default (the standard syslog
1438 port).
1439
Willy Tarreau5a32ecc2018-11-12 07:34:59 +01001440 - A filesystem path to a datagram UNIX domain socket, keeping in mind
Robert Tsai81ae1952007-12-05 10:47:29 +01001441 considerations for chroot (be sure the path is accessible inside
1442 the chroot) and uid/gid (be sure the path is appropriately
Davor Ocelice9ed2812017-12-25 17:49:28 +01001443 writable).
Robert Tsai81ae1952007-12-05 10:47:29 +01001444
Willy Tarreau5a32ecc2018-11-12 07:34:59 +01001445 - A file descriptor number in the form "fd@<number>", which may point
1446 to a pipe, terminal, or socket. In this case unbuffered logs are used
1447 and one writev() call per log is performed. This is a bit expensive
1448 but acceptable for most workloads. Messages sent this way will not be
1449 truncated but may be dropped, in which case the DroppedLogs counter
1450 will be incremented. The writev() call is atomic even on pipes for
1451 messages up to PIPE_BUF size, which POSIX recommends to be at least
1452 512 and which is 4096 bytes on most modern operating systems. Any
1453 larger message may be interleaved with messages from other processes.
1454 Exceptionally for debugging purposes the file descriptor may also be
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001455 directed to a file, but doing so will significantly slow HAProxy down
Willy Tarreau5a32ecc2018-11-12 07:34:59 +01001456 as non-blocking calls will be ignored. Also there will be no way to
1457 purge nor rotate this file without restarting the process. Note that
1458 the configured syslog format is preserved, so the output is suitable
Willy Tarreauc1b06452018-11-12 11:57:56 +01001459 for use with a TCP syslog server. See also the "short" and "raw"
1460 format below.
Willy Tarreau5a32ecc2018-11-12 07:34:59 +01001461
1462 - "stdout" / "stderr", which are respectively aliases for "fd@1" and
1463 "fd@2", see above.
1464
Willy Tarreauc046d162019-08-30 15:24:59 +02001465 - A ring buffer in the form "ring@<name>", which will correspond to an
1466 in-memory ring buffer accessible over the CLI using the "show events"
1467 command, which will also list existing rings and their sizes. Such
1468 buffers are lost on reload or restart but when used as a complement
1469 this can help troubleshooting by having the logs instantly available.
1470
William Lallemandb2f07452015-05-12 14:27:13 +02001471 You may want to reference some environment variables in the address
1472 parameter, see section 2.3 about environment variables.
Willy Tarreaudad36a32013-03-11 01:20:04 +01001473
Willy Tarreau18324f52014-06-27 18:10:07 +02001474 <length> is an optional maximum line length. Log lines larger than this value
1475 will be truncated before being sent. The reason is that syslog
1476 servers act differently on log line length. All servers support the
1477 default value of 1024, but some servers simply drop larger lines
1478 while others do log them. If a server supports long lines, it may
1479 make sense to set this value here in order to avoid truncating long
1480 lines. Similarly, if a server drops long lines, it is preferable to
1481 truncate them before sending them. Accepted values are 80 to 65535
1482 inclusive. The default value of 1024 is generally fine for all
1483 standard usages. Some specific cases of long captures or
Davor Ocelice9ed2812017-12-25 17:49:28 +01001484 JSON-formatted logs may require larger values. You may also need to
1485 increase "tune.http.logurilen" if your request URIs are truncated.
Willy Tarreau18324f52014-06-27 18:10:07 +02001486
Dragan Dosen7ad31542015-09-28 17:16:47 +02001487 <format> is the log format used when generating syslog messages. It may be
1488 one of the following :
1489
Emeric Brun0237c4e2020-11-27 16:24:34 +01001490 local Analog to rfc3164 syslog message format except that hostname
1491 field is stripped. This is the default.
1492 Note: option "log-send-hostname" switches the default to
1493 rfc3164.
1494
1495 rfc3164 The RFC3164 syslog message format.
Dragan Dosen7ad31542015-09-28 17:16:47 +02001496 (https://tools.ietf.org/html/rfc3164)
1497
1498 rfc5424 The RFC5424 syslog message format.
1499 (https://tools.ietf.org/html/rfc5424)
1500
Emeric Brun54648852020-07-06 15:54:06 +02001501 priority A message containing only a level plus syslog facility between
1502 angle brackets such as '<63>', followed by the text. The PID,
1503 date, time, process name and system name are omitted. This is
1504 designed to be used with a local log server.
1505
Willy Tarreaue8746a02018-11-12 08:45:00 +01001506 short A message containing only a level between angle brackets such as
1507 '<3>', followed by the text. The PID, date, time, process name
1508 and system name are omitted. This is designed to be used with a
1509 local log server. This format is compatible with what the systemd
1510 logger consumes.
1511
Emeric Brun54648852020-07-06 15:54:06 +02001512 timed A message containing only a level between angle brackets such as
1513 '<3>', followed by ISO date and by the text. The PID, process
1514 name and system name are omitted. This is designed to be
1515 used with a local log server.
1516
1517 iso A message containing only the ISO date, followed by the text.
1518 The PID, process name and system name are omitted. This is
1519 designed to be used with a local log server.
1520
Willy Tarreauc1b06452018-11-12 11:57:56 +01001521 raw A message containing only the text. The level, PID, date, time,
1522 process name and system name are omitted. This is designed to be
1523 used in containers or during development, where the severity only
1524 depends on the file descriptor used (stdout/stderr).
1525
Frédéric Lécailled690dfa2019-04-25 10:52:17 +02001526 <ranges> A list of comma-separated ranges to identify the logs to sample.
1527 This is used to balance the load of the logs to send to the log
1528 server. The limits of the ranges cannot be null. They are numbered
1529 from 1. The size or period (in number of logs) of the sample must be
1530 set with <sample_size> parameter.
1531
1532 <sample_size>
1533 The size of the sample in number of logs to consider when balancing
1534 their logging loads. It is used to balance the load of the logs to
1535 send to the syslog server. This size must be greater or equal to the
1536 maximum of the high limits of the ranges.
1537 (see also <ranges> parameter).
1538
Robert Tsai81ae1952007-12-05 10:47:29 +01001539 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +02001540
Willy Tarreaue8746a02018-11-12 08:45:00 +01001541 kern user mail daemon auth syslog lpr news
1542 uucp cron auth2 ftp ntp audit alert cron2
1543 local0 local1 local2 local3 local4 local5 local6 local7
1544
Willy Tarreauc1b06452018-11-12 11:57:56 +01001545 Note that the facility is ignored for the "short" and "raw"
1546 formats, but still required as a positional field. It is
1547 recommended to use "daemon" in this case to make it clear that
1548 it's only supposed to be used locally.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001549
1550 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +02001551 all messages are sent. If a maximum level is specified, only messages with a
1552 severity at least as important as this level will be sent. An optional minimum
1553 level can be specified. If it is set, logs emitted with a more severe level
1554 than this one will be capped to this level. This is used to avoid sending
1555 "emerg" messages on all terminals on some default syslog configurations.
1556 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +02001557
Cyril Bontédc4d9032012-04-08 21:57:39 +02001558 emerg alert crit err warning notice info debug
Willy Tarreau6a06a402007-07-15 20:15:28 +02001559
Joe Williamsdf5b38f2010-12-29 17:05:48 +01001560log-send-hostname [<string>]
1561 Sets the hostname field in the syslog header. If optional "string" parameter
1562 is set the header is set to the string contents, otherwise uses the hostname
1563 of the system. Generally used if one is not relaying logs through an
1564 intermediate syslog server or for simply customizing the hostname printed in
1565 the logs.
1566
Kevinm48936af2010-12-22 16:08:21 +00001567log-tag <string>
1568 Sets the tag field in the syslog header to this string. It defaults to the
1569 program name as launched from the command line, which usually is "haproxy".
1570 Sometimes it can be useful to differentiate between multiple processes
Willy Tarreau094af4e2015-01-07 15:03:42 +01001571 running on the same host. See also the per-proxy "log-tag" directive.
Kevinm48936af2010-12-22 16:08:21 +00001572
Thierry FOURNIER90da1912015-03-05 11:17:06 +01001573lua-load <file>
Thierry Fournier59f11be2020-11-29 00:37:41 +01001574 This global directive loads and executes a Lua file in the shared context
1575 that is visible to all threads. Any variable set in such a context is visible
1576 from any thread. This is the easiest and recommended way to load Lua programs
1577 but it will not scale well if a lot of Lua calls are performed, as only one
1578 thread may be running on the global state at a time. A program loaded this
1579 way will always see 0 in the "core.thread" variable. This directive can be
Thierry FOURNIER90da1912015-03-05 11:17:06 +01001580 used multiple times.
1581
Thierry Fournier59f11be2020-11-29 00:37:41 +01001582lua-load-per-thread <file>
1583 This global directive loads and executes a Lua file into each started thread.
1584 Any global variable has a thread-local visibility so that each thread could
1585 see a different value. As such it is strongly recommended not to use global
1586 variables in programs loaded this way. An independent copy is loaded and
1587 initialized for each thread, everything is done sequentially and in the
1588 thread's numeric order from 1 to nbthread. If some operations need to be
1589 performed only once, the program should check the "core.thread" variable to
1590 figure what thread is being initialized. Programs loaded this way will run
1591 concurrently on all threads and will be highly scalable. This is the
1592 recommended way to load simple functions that register sample-fetches,
1593 converters, actions or services once it is certain the program doesn't depend
1594 on global variables. For the sake of simplicity, the directive is available
1595 even if only one thread is used and even if threads are disabled (in which
1596 case it will be equivalent to lua-load). This directive can be used multiple
1597 times.
1598
Tim Duesterhusdd74b5f2020-01-12 13:55:40 +01001599lua-prepend-path <string> [<type>]
1600 Prepends the given string followed by a semicolon to Lua's package.<type>
1601 variable.
1602 <type> must either be "path" or "cpath". If <type> is not given it defaults
1603 to "path".
1604
1605 Lua's paths are semicolon delimited lists of patterns that specify how the
1606 `require` function attempts to find the source file of a library. Question
1607 marks (?) within a pattern will be replaced by module name. The path is
1608 evaluated left to right. This implies that paths that are prepended later
1609 will be checked earlier.
1610
1611 As an example by specifying the following path:
1612
1613 lua-prepend-path /usr/share/haproxy-lua/?/init.lua
1614 lua-prepend-path /usr/share/haproxy-lua/?.lua
1615
1616 When `require "example"` is being called Lua will first attempt to load the
1617 /usr/share/haproxy-lua/example.lua script, if that does not exist the
1618 /usr/share/haproxy-lua/example/init.lua will be attempted and the default
1619 paths if that does not exist either.
1620
1621 See https://www.lua.org/pil/8.1.html for the details within the Lua
1622 documentation.
1623
William Lallemand4cfede82017-11-24 22:02:34 +01001624master-worker [no-exit-on-failure]
William Lallemande202b1e2017-06-01 17:38:56 +02001625 Master-worker mode. It is equivalent to the command line "-W" argument.
1626 This mode will launch a "master" which will monitor the "workers". Using
1627 this mode, you can reload HAProxy directly by sending a SIGUSR2 signal to
Davor Ocelice9ed2812017-12-25 17:49:28 +01001628 the master. The master-worker mode is compatible either with the foreground
William Lallemande202b1e2017-06-01 17:38:56 +02001629 or daemon mode. It is recommended to use this mode with multiprocess and
1630 systemd.
William Lallemand4cfede82017-11-24 22:02:34 +01001631 By default, if a worker exits with a bad return code, in the case of a
1632 segfault for example, all workers will be killed, and the master will leave.
1633 It is convenient to combine this behavior with Restart=on-failure in a
1634 systemd unit file in order to relaunch the whole process. If you don't want
1635 this behavior, you must use the keyword "no-exit-on-failure".
William Lallemande202b1e2017-06-01 17:38:56 +02001636
William Lallemand4cfede82017-11-24 22:02:34 +01001637 See also "-W" in the management guide.
William Lallemande202b1e2017-06-01 17:38:56 +02001638
William Lallemand27edc4b2019-05-07 17:49:33 +02001639mworker-max-reloads <number>
1640 In master-worker mode, this option limits the number of time a worker can
John Roeslerfb2fce12019-07-10 15:45:51 -05001641 survive to a reload. If the worker did not leave after a reload, once its
William Lallemand27edc4b2019-05-07 17:49:33 +02001642 number of reloads is greater than this number, the worker will receive a
1643 SIGTERM. This option helps to keep under control the number of workers.
1644 See also "show proc" in the Management Guide.
1645
Willy Tarreauf42d7942020-10-20 11:54:49 +02001646nbproc <number> (deprecated)
Willy Tarreau6a06a402007-07-15 20:15:28 +02001647 Creates <number> processes when going daemon. This requires the "daemon"
1648 mode. By default, only one process is created, which is the recommended mode
1649 of operation. For systems limited to small sets of file descriptors per
Willy Tarreau149ab772019-01-26 14:27:06 +01001650 process, it may be needed to fork multiple daemons. When set to a value
1651 larger than 1, threads are automatically disabled. USING MULTIPLE PROCESSES
Willy Tarreauf42d7942020-10-20 11:54:49 +02001652 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. This directive is deprecated
1653 and scheduled for removal in 2.5. Please use "nbthread" instead. See also
1654 "daemon" and "nbthread".
Willy Tarreau6a06a402007-07-15 20:15:28 +02001655
Christopher Fauletbe0faa22017-08-29 15:37:10 +02001656nbthread <number>
1657 This setting is only available when support for threads was built in. It
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001658 makes HAProxy run on <number> threads. This is exclusive with "nbproc". While
Willy Tarreau26f6ae12019-02-02 12:56:15 +01001659 "nbproc" historically used to be the only way to use multiple processors, it
1660 also involved a number of shortcomings related to the lack of synchronization
1661 between processes (health-checks, peers, stick-tables, stats, ...) which do
1662 not affect threads. As such, any modern configuration is strongly encouraged
Willy Tarreau149ab772019-01-26 14:27:06 +01001663 to migrate away from "nbproc" to "nbthread". "nbthread" also works when
1664 HAProxy is started in foreground. On some platforms supporting CPU affinity,
1665 when nbproc is not used, the default "nbthread" value is automatically set to
1666 the number of CPUs the process is bound to upon startup. This means that the
1667 thread count can easily be adjusted from the calling process using commands
1668 like "taskset" or "cpuset". Otherwise, this value defaults to 1. The default
1669 value is reported in the output of "haproxy -vv". See also "nbproc".
Christopher Fauletbe0faa22017-08-29 15:37:10 +02001670
Amaury Denoyelle0f50cb92021-03-26 18:50:33 +01001671numa-cpu-mapping
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001672 By default, if running on Linux, HAProxy inspects on startup the CPU topology
Amaury Denoyelle0f50cb92021-03-26 18:50:33 +01001673 of the machine. If a multi-socket machine is detected, the affinity is
1674 automatically calculated to run on the CPUs of a single node. This is done in
1675 order to not suffer from the performance penalties caused by the inter-socket
1676 bus latency. However, if the applied binding is non optimal on a particular
1677 architecture, it can be disabled with the statement 'no numa-cpu-mapping'.
1678 This automatic binding is also not applied if a nbthread statement is present
1679 in the configuration, or the affinity of the process is already specified,
1680 for example via the 'cpu-map' directive or the taskset utility.
1681
Willy Tarreau6a06a402007-07-15 20:15:28 +02001682pidfile <pidfile>
MIZUTA Takeshic32f3942020-08-26 13:46:19 +09001683 Writes PIDs of all daemons into file <pidfile> when daemon mode or writes PID
1684 of master process into file <pidfile> when master-worker mode. This option is
1685 equivalent to the "-p" command line argument. The file must be accessible to
1686 the user starting the process. See also "daemon" and "master-worker".
Willy Tarreau6a06a402007-07-15 20:15:28 +02001687
Willy Tarreau119e50e2020-05-22 13:53:29 +02001688pp2-never-send-local
1689 A bug in the PROXY protocol v2 implementation was present in HAProxy up to
1690 version 2.1, causing it to emit a PROXY command instead of a LOCAL command
1691 for health checks. This is particularly minor but confuses some servers'
1692 logs. Sadly, the bug was discovered very late and revealed that some servers
1693 which possibly only tested their PROXY protocol implementation against
1694 HAProxy fail to properly handle the LOCAL command, and permanently remain in
1695 the "down" state when HAProxy checks them. When this happens, it is possible
1696 to enable this global option to revert to the older (bogus) behavior for the
1697 time it takes to contact the affected components' vendors and get them fixed.
1698 This option is disabled by default and acts on all servers having the
1699 "send-proxy-v2" statement.
1700
Willy Tarreau1d549722016-02-16 12:41:57 +01001701presetenv <name> <value>
1702 Sets environment variable <name> to value <value>. If the variable exists, it
1703 is NOT overwritten. The changes immediately take effect so that the next line
1704 in the configuration file sees the new value. See also "setenv", "resetenv",
1705 and "unsetenv".
1706
1707resetenv [<name> ...]
1708 Removes all environment variables except the ones specified in argument. It
1709 allows to use a clean controlled environment before setting new values with
1710 setenv or unsetenv. Please note that some internal functions may make use of
1711 some environment variables, such as time manipulation functions, but also
1712 OpenSSL or even external checks. This must be used with extreme care and only
1713 after complete validation. The changes immediately take effect so that the
1714 next line in the configuration file sees the new environment. See also
1715 "setenv", "presetenv", and "unsetenv".
1716
Christopher Fauletff4121f2017-11-22 16:38:49 +01001717stats bind-process [ all | odd | even | <process_num>[-[process_num>]] ] ...
Willy Tarreau35b7b162012-10-22 23:17:18 +02001718 Limits the stats socket to a certain set of processes numbers. By default the
1719 stats socket is bound to all processes, causing a warning to be emitted when
1720 nbproc is greater than 1 because there is no way to select the target process
1721 when connecting. However, by using this setting, it becomes possible to pin
1722 the stats socket to a specific set of processes, typically the first one. The
1723 warning will automatically be disabled when this setting is used, whatever
Willy Tarreaua9db57e2013-01-18 11:29:29 +01001724 the number of processes used. The maximum process ID depends on the machine's
Christopher Fauletff4121f2017-11-22 16:38:49 +01001725 word size (32 or 64). Ranges can be partially defined. The higher bound can
1726 be omitted. In such case, it is replaced by the corresponding maximum
1727 value. A better option consists in using the "process" setting of the "stats
1728 socket" line to force the process on each line.
Willy Tarreau35b7b162012-10-22 23:17:18 +02001729
Baptiste Assmann5626f482015-08-23 10:00:10 +02001730server-state-base <directory>
1731 Specifies the directory prefix to be prepended in front of all servers state
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02001732 file names which do not start with a '/'. See also "server-state-file",
1733 "load-server-state-from-file" and "server-state-file-name".
Baptiste Assmannef1f0fc2015-08-23 10:06:39 +02001734
1735server-state-file <file>
1736 Specifies the path to the file containing state of servers. If the path starts
1737 with a slash ('/'), it is considered absolute, otherwise it is considered
1738 relative to the directory specified using "server-state-base" (if set) or to
1739 the current directory. Before reloading HAProxy, it is possible to save the
1740 servers' current state using the stats command "show servers state". The
1741 output of this command must be written in the file pointed by <file>. When
1742 starting up, before handling traffic, HAProxy will read, load and apply state
1743 for each server found in the file and available in its current running
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02001744 configuration. See also "server-state-base" and "show servers state",
1745 "load-server-state-from-file" and "server-state-file-name"
Baptiste Assmann5626f482015-08-23 10:00:10 +02001746
Willy Tarreau13d2ba22021-03-26 11:38:08 +01001747set-var <var-name> <expr>
1748 Sets the process-wide variable '<var-name>' to the result of the evaluation
1749 of the sample expression <expr>. The variable '<var-name>' may only be a
1750 process-wide variable (using the 'proc.' prefix). It works exactly like the
1751 'set-var' action in TCP or HTTP rules except that the expression is evaluated
1752 at configuration parsing time and that the variable is instantly set. The
1753 sample fetch functions and converters permitted in the expression are only
1754 those using internal data, typically 'int(value)' or 'str(value)'. It's is
1755 possible to reference previously allocated variables as well. These variables
1756 will then be readable (and modifiable) from the regular rule sets.
1757
1758 Example:
1759 global
1760 set-var proc.current_state str(primary)
1761 set-var proc.prio int(100)
1762 set-var proc.threshold int(200),sub(proc.prio)
1763
Willy Tarreau1d549722016-02-16 12:41:57 +01001764setenv <name> <value>
1765 Sets environment variable <name> to value <value>. If the variable exists, it
1766 is overwritten. The changes immediately take effect so that the next line in
1767 the configuration file sees the new value. See also "presetenv", "resetenv",
1768 and "unsetenv".
1769
Willy Tarreau636848a2019-04-15 19:38:50 +02001770set-dumpable
1771 This option is better left disabled by default and enabled only upon a
William Dauchyec730982019-10-27 20:08:10 +01001772 developer's request. If it has been enabled, it may still be forcibly
1773 disabled by prefixing it with the "no" keyword. It has no impact on
1774 performance nor stability but will try hard to re-enable core dumps that were
1775 possibly disabled by file size limitations (ulimit -f), core size limitations
1776 (ulimit -c), or "dumpability" of a process after changing its UID/GID (such
1777 as /proc/sys/fs/suid_dumpable on Linux). Core dumps might still be limited by
1778 the current directory's permissions (check what directory the file is started
1779 from), the chroot directory's permission (it may be needed to temporarily
1780 disable the chroot directive or to move it to a dedicated writable location),
1781 or any other system-specific constraint. For example, some Linux flavours are
1782 notorious for replacing the default core file with a path to an executable
1783 not even installed on the system (check /proc/sys/kernel/core_pattern). Often,
1784 simply writing "core", "core.%p" or "/var/log/core/core.%p" addresses the
1785 issue. When trying to enable this option waiting for a rare issue to
1786 re-appear, it's often a good idea to first try to obtain such a dump by
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001787 issuing, for example, "kill -11" to the "haproxy" process and verify that it
William Dauchyec730982019-10-27 20:08:10 +01001788 leaves a core where expected when dying.
Willy Tarreau636848a2019-04-15 19:38:50 +02001789
Willy Tarreau610f04b2014-02-13 11:36:41 +01001790ssl-default-bind-ciphers <ciphers>
1791 This setting is only available when support for OpenSSL was built in. It sets
1792 the default string describing the list of cipher algorithms ("cipher suite")
Bertrand Jacquin8cf7c1e2019-02-03 18:35:25 +00001793 that are negotiated during the SSL/TLS handshake up to TLSv1.2 for all
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001794 "bind" lines which do not explicitly define theirs. The format of the string
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +00001795 is defined in "man 1 ciphers" from OpenSSL man pages. For background
1796 information and recommendations see e.g.
1797 (https://wiki.mozilla.org/Security/Server_Side_TLS) and
1798 (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
1799 cipher configuration, please check the "ssl-default-bind-ciphersuites" keyword.
1800 Please check the "bind" keyword for more information.
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001801
1802ssl-default-bind-ciphersuites <ciphersuites>
1803 This setting is only available when support for OpenSSL was built in and
1804 OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string
1805 describing the list of cipher algorithms ("cipher suite") that are negotiated
1806 during the TLSv1.3 handshake for all "bind" lines which do not explicitly define
1807 theirs. The format of the string is defined in
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +00001808 "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
1809 cipher configuration for TLSv1.2 and earlier, please check the
1810 "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001811 information.
Willy Tarreau610f04b2014-02-13 11:36:41 +01001812
Jerome Magninb203ff62020-04-03 15:28:22 +02001813ssl-default-bind-curves <curves>
1814 This setting is only available when support for OpenSSL was built in. It sets
1815 the default string describing the list of elliptic curves algorithms ("curve
1816 suite") that are negotiated during the SSL/TLS handshake with ECDHE. The format
1817 of the string is a colon-delimited list of curve name.
1818 Please check the "bind" keyword for more information.
1819
Emeric Brun2c86cbf2014-10-30 15:56:50 +01001820ssl-default-bind-options [<option>]...
1821 This setting is only available when support for OpenSSL was built in. It sets
1822 default ssl-options to force on all "bind" lines. Please check the "bind"
1823 keyword to see available options.
1824
1825 Example:
1826 global
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +02001827 ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets
Emeric Brun2c86cbf2014-10-30 15:56:50 +01001828
Willy Tarreau610f04b2014-02-13 11:36:41 +01001829ssl-default-server-ciphers <ciphers>
1830 This setting is only available when support for OpenSSL was built in. It
1831 sets the default string describing the list of cipher algorithms that are
Bertrand Jacquin8cf7c1e2019-02-03 18:35:25 +00001832 negotiated during the SSL/TLS handshake up to TLSv1.2 with the server,
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001833 for all "server" lines which do not explicitly define theirs. The format of
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +00001834 the string is defined in "man 1 ciphers" from OpenSSL man pages. For background
1835 information and recommendations see e.g.
1836 (https://wiki.mozilla.org/Security/Server_Side_TLS) and
1837 (https://mozilla.github.io/server-side-tls/ssl-config-generator/).
1838 For TLSv1.3 cipher configuration, please check the
1839 "ssl-default-server-ciphersuites" keyword. Please check the "server" keyword
1840 for more information.
Dirkjan Bussink415150f2018-09-14 11:14:21 +02001841
1842ssl-default-server-ciphersuites <ciphersuites>
1843 This setting is only available when support for OpenSSL was built in and
1844 OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default
1845 string describing the list of cipher algorithms that are negotiated during
1846 the TLSv1.3 handshake with the server, for all "server" lines which do not
1847 explicitly define theirs. The format of the string is defined in
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +00001848 "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
1849 cipher configuration for TLSv1.2 and earlier, please check the
1850 "ssl-default-server-ciphers" keyword. Please check the "server" keyword for
1851 more information.
Willy Tarreau610f04b2014-02-13 11:36:41 +01001852
Emeric Brun2c86cbf2014-10-30 15:56:50 +01001853ssl-default-server-options [<option>]...
1854 This setting is only available when support for OpenSSL was built in. It sets
1855 default ssl-options to force on all "server" lines. Please check the "server"
1856 keyword to see available options.
1857
Remi Gacogne47783ef2015-05-29 15:53:22 +02001858ssl-dh-param-file <file>
1859 This setting is only available when support for OpenSSL was built in. It sets
1860 the default DH parameters that are used during the SSL/TLS handshake when
1861 ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines
Davor Ocelice9ed2812017-12-25 17:49:28 +01001862 which do not explicitly define theirs. It will be overridden by custom DH
Remi Gacogne47783ef2015-05-29 15:53:22 +02001863 parameters found in a bind certificate file if any. If custom DH parameters
Cyril Bonté307ee1e2015-09-28 23:16:06 +02001864 are not specified either by using ssl-dh-param-file or by setting them
1865 directly in the certificate file, pre-generated DH parameters of the size
1866 specified by tune.ssl.default-dh-param will be used. Custom parameters are
1867 known to be more secure and therefore their use is recommended.
Remi Gacogne47783ef2015-05-29 15:53:22 +02001868 Custom DH parameters may be generated by using the OpenSSL command
1869 "openssl dhparam <size>", where size should be at least 2048, as 1024-bit DH
1870 parameters should not be considered secure anymore.
1871
William Lallemand8e8581e2020-10-20 17:36:46 +02001872ssl-load-extra-del-ext
1873 This setting allows to configure the way HAProxy does the lookup for the
1874 extra SSL files. By default HAProxy adds a new extension to the filename.
William Lallemand089c1382020-10-23 17:35:12 +02001875 (ex: with "foobar.crt" load "foobar.crt.key"). With this option enabled,
William Lallemand8e8581e2020-10-20 17:36:46 +02001876 HAProxy removes the extension before adding the new one (ex: with
William Lallemand089c1382020-10-23 17:35:12 +02001877 "foobar.crt" load "foobar.key").
1878
1879 Your crt file must have a ".crt" extension for this option to work.
William Lallemand8e8581e2020-10-20 17:36:46 +02001880
1881 This option is not compatible with bundle extensions (.ecdsa, .rsa. .dsa)
1882 and won't try to remove them.
1883
1884 This option is disabled by default. See also "ssl-load-extra-files".
1885
William Lallemand4c5adbf2020-02-24 14:23:22 +01001886ssl-load-extra-files <none|all|bundle|sctl|ocsp|issuer|key>*
William Lallemand3af48e72020-02-03 17:15:52 +01001887 This setting alters the way HAProxy will look for unspecified files during
Remi Tricot-Le Breton7c980df2021-05-07 15:28:08 +02001888 the loading of the SSL certificates. This option applies to certificates
1889 associated to "bind" lines as well as "server" lines but some of the extra
1890 files will not have any functional impact for "server" line certificates.
William Lallemand3af48e72020-02-03 17:15:52 +01001891
1892 By default, HAProxy discovers automatically a lot of files not specified in
1893 the configuration, and you may want to disable this behavior if you want to
1894 optimize the startup time.
1895
1896 "none": Only load the files specified in the configuration. Don't try to load
1897 a certificate bundle if the file does not exist. In the case of a directory,
1898 it won't try to bundle the certificates if they have the same basename.
1899
1900 "all": This is the default behavior, it will try to load everything,
William Lallemand4c5adbf2020-02-24 14:23:22 +01001901 bundles, sctl, ocsp, issuer, key.
William Lallemand3af48e72020-02-03 17:15:52 +01001902
1903 "bundle": When a file specified in the configuration does not exist, HAProxy
Remi Tricot-Le Breton7c980df2021-05-07 15:28:08 +02001904 will try to load a "cert bundle". Certificate bundles are only managed on the
1905 frontend side and will not work for backend certificates.
William Lallemandf9ff3ec2020-10-02 17:57:44 +02001906
1907 Starting from HAProxy 2.3, the bundles are not loaded in the same OpenSSL
1908 certificate store, instead it will loads each certificate in a separate
1909 store which is equivalent to declaring multiple "crt". OpenSSL 1.1.1 is
1910 required to achieve this. Which means that bundles are now used only for
1911 backward compatibility and are not mandatory anymore to do an hybrid RSA/ECC
Remi Tricot-Le Breton7c980df2021-05-07 15:28:08 +02001912 bind configuration.
William Lallemandf9ff3ec2020-10-02 17:57:44 +02001913
1914 To associate these PEM files into a "cert bundle" that is recognized by
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001915 HAProxy, they must be named in the following way: All PEM files that are to
William Lallemandf9ff3ec2020-10-02 17:57:44 +02001916 be bundled must have the same base name, with a suffix indicating the key
1917 type. Currently, three suffixes are supported: rsa, dsa and ecdsa. For
1918 example, if www.example.com has two PEM files, an RSA file and an ECDSA
1919 file, they must be named: "example.pem.rsa" and "example.pem.ecdsa". The
1920 first part of the filename is arbitrary; only the suffix matters. To load
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001921 this bundle into HAProxy, specify the base name only:
William Lallemandf9ff3ec2020-10-02 17:57:44 +02001922
1923 Example : bind :8443 ssl crt example.pem
1924
Daniel Corbett9f0843f2021-05-08 10:50:37 -04001925 Note that the suffix is not given to HAProxy; this tells HAProxy to look for
William Lallemandf9ff3ec2020-10-02 17:57:44 +02001926 a cert bundle.
1927
1928 HAProxy will load all PEM files in the bundle as if they were configured
1929 separately in several "crt".
1930
1931 The bundle loading does not have an impact anymore on the directory loading
1932 since files are loading separately.
1933
1934 On the CLI, bundles are seen as separate files, and the bundle extension is
1935 required to commit them.
1936
William Dauchy57dd6f12020-10-06 15:22:37 +02001937 OCSP files (.ocsp), issuer files (.issuer), Certificate Transparency (.sctl)
William Lallemandf9ff3ec2020-10-02 17:57:44 +02001938 as well as private keys (.key) are supported with multi-cert bundling.
William Lallemand3af48e72020-02-03 17:15:52 +01001939
Remi Tricot-Le Breton7c980df2021-05-07 15:28:08 +02001940 "sctl": Try to load "<basename>.sctl" for each crt keyword. If provided for
1941 a backend certificate, it will be loaded but will not have any functional
1942 impact.
William Lallemand3af48e72020-02-03 17:15:52 +01001943
Remi Tricot-Le Breton7c980df2021-05-07 15:28:08 +02001944 "ocsp": Try to load "<basename>.ocsp" for each crt keyword. If provided for
1945 a backend certificate, it will be loaded but will not have any functional
1946 impact.
William Lallemand3af48e72020-02-03 17:15:52 +01001947
1948 "issuer": Try to load "<basename>.issuer" if the issuer of the OCSP file is
Remi Tricot-Le Breton7c980df2021-05-07 15:28:08 +02001949 not provided in the PEM file. If provided for a backend certificate, it will
1950 be loaded but will not have any functional impact.
William Lallemand3af48e72020-02-03 17:15:52 +01001951
William Lallemand4c5adbf2020-02-24 14:23:22 +01001952 "key": If the private key was not provided by the PEM file, try to load a
1953 file "<basename>.key" containing a private key.
1954
William Lallemand3af48e72020-02-03 17:15:52 +01001955 The default behavior is "all".
1956
1957 Example:
1958 ssl-load-extra-files bundle sctl
1959 ssl-load-extra-files sctl ocsp issuer
1960 ssl-load-extra-files none
1961
Remi Tricot-Le Breton7c980df2021-05-07 15:28:08 +02001962 See also: "crt", section 5.1 about bind options and section 5.2 about server
1963 options.
William Lallemand3af48e72020-02-03 17:15:52 +01001964
Emeric Brun850efd52014-01-29 12:24:34 +01001965ssl-server-verify [none|required]
1966 The default behavior for SSL verify on servers side. If specified to 'none',
1967 servers certificates are not verified. The default is 'required' except if
1968 forced using cmdline option '-dV'.
1969
Emmanuel Hocdetc3b7e742020-04-22 11:06:19 +02001970ssl-skip-self-issued-ca
Daniel Corbett67a82712020-07-06 23:01:19 -04001971 Self issued CA, aka x509 root CA, is the anchor for chain validation: as a
Emmanuel Hocdetc3b7e742020-04-22 11:06:19 +02001972 server is useless to send it, client must have it. Standard configuration
1973 need to not include such CA in PEM file. This option allows you to keep such
1974 CA in PEM file without sending it to the client. Use case is to provide
1975 issuer for ocsp without the need for '.issuer' file and be able to share it
1976 with 'issuers-chain-path'. This concerns all certificates without intermediate
1977 certificates. It's useless for BoringSSL, .issuer is ignored because ocsp
William Lallemand9a1d8392020-08-10 17:28:23 +02001978 bits does not need it. Requires at least OpenSSL 1.0.2.
Emmanuel Hocdetc3b7e742020-04-22 11:06:19 +02001979
Willy Tarreauabb175f2012-09-24 12:43:26 +02001980stats socket [<address:port>|<path>] [param*]
1981 Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
1982 Connections to this socket will return various statistics outputs and even
1983 allow some commands to be issued to change some runtime settings. Please
Willy Tarreau1af20c72017-06-23 16:01:14 +02001984 consult section 9.3 "Unix Socket commands" of Management Guide for more
Kevin Decherf949c7202015-10-13 23:26:44 +02001985 details.
Willy Tarreau6162db22009-10-10 17:13:00 +02001986
Willy Tarreauabb175f2012-09-24 12:43:26 +02001987 All parameters supported by "bind" lines are supported, for instance to
1988 restrict access to some users or their access rights. Please consult
1989 section 5.1 for more information.
Willy Tarreaufbee7132007-10-18 13:53:22 +02001990
1991stats timeout <timeout, in milliseconds>
1992 The default timeout on the stats socket is set to 10 seconds. It is possible
1993 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +01001994 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +02001995
1996stats maxconn <connections>
1997 By default, the stats socket is limited to 10 concurrent connections. It is
1998 possible to change this value with "stats maxconn".
1999
Willy Tarreau6a06a402007-07-15 20:15:28 +02002000uid <number>
Thayne McCombscdbcca92021-01-07 21:24:41 -07002001 Changes the process's user ID to <number>. It is recommended that the user ID
Willy Tarreau6a06a402007-07-15 20:15:28 +02002002 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
2003 be started with superuser privileges in order to be able to switch to another
2004 one. See also "gid" and "user".
2005
2006ulimit-n <number>
2007 Sets the maximum number of per-process file-descriptors to <number>. By
2008 default, it is automatically computed, so it is recommended not to use this
2009 option.
2010
Willy Tarreauceb24bc2010-11-09 12:46:41 +01002011unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ]
2012 [ group <group> ] [ gid <gid> ]
2013
2014 Fixes common settings to UNIX listening sockets declared in "bind" statements.
2015 This is mainly used to simplify declaration of those UNIX sockets and reduce
2016 the risk of errors, since those settings are most commonly required but are
2017 also process-specific. The <prefix> setting can be used to force all socket
2018 path to be relative to that directory. This might be needed to access another
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002019 component's chroot. Note that those paths are resolved before HAProxy chroots
Willy Tarreauceb24bc2010-11-09 12:46:41 +01002020 itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid>
2021 all have the same meaning as their homonyms used by the "bind" statement. If
2022 both are specified, the "bind" statement has priority, meaning that the
2023 "unix-bind" settings may be seen as process-wide default settings.
2024
Willy Tarreau1d549722016-02-16 12:41:57 +01002025unsetenv [<name> ...]
2026 Removes environment variables specified in arguments. This can be useful to
2027 hide some sensitive information that are occasionally inherited from the
2028 user's environment during some operations. Variables which did not exist are
2029 silently ignored so that after the operation, it is certain that none of
2030 these variables remain. The changes immediately take effect so that the next
2031 line in the configuration file will not see these variables. See also
2032 "setenv", "presetenv", and "resetenv".
2033
Willy Tarreau6a06a402007-07-15 20:15:28 +02002034user <user name>
2035 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
2036 See also "uid" and "group".
2037
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02002038node <name>
2039 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
2040
2041 This statement is useful in HA configurations where two or more processes or
2042 servers share the same IP address. By setting a different node-name on all
2043 nodes, it becomes easy to immediately spot what server is handling the
2044 traffic.
2045
2046description <text>
2047 Add a text that describes the instance.
2048
2049 Please note that it is required to escape certain characters (# for example)
2050 and this text is inserted into a html page so you should avoid using
2051 "<" and ">" characters.
2052
Thomas Holmesdb04f192015-05-18 13:21:39 +0100205351degrees-data-file <file path>
2054 The path of the 51Degrees data file to provide device detection services. The
Davor Ocelice9ed2812017-12-25 17:49:28 +01002055 file should be unzipped and accessible by HAProxy with relevant permissions.
Thomas Holmesdb04f192015-05-18 13:21:39 +01002056
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002057 Please note that this option is only available when HAProxy has been
Thomas Holmesdb04f192015-05-18 13:21:39 +01002058 compiled with USE_51DEGREES.
2059
Ben Shillitof25e8e52016-12-02 14:25:37 +0000206051degrees-property-name-list [<string> ...]
Thomas Holmesdb04f192015-05-18 13:21:39 +01002061 A list of 51Degrees property names to be load from the dataset. A full list
2062 of names is available on the 51Degrees website:
2063 https://51degrees.com/resources/property-dictionary
2064
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002065 Please note that this option is only available when HAProxy has been
Thomas Holmesdb04f192015-05-18 13:21:39 +01002066 compiled with USE_51DEGREES.
2067
Dragan Dosen93b38d92015-06-29 16:43:25 +0200206851degrees-property-separator <char>
Thomas Holmesdb04f192015-05-18 13:21:39 +01002069 A char that will be appended to every property value in a response header
2070 containing 51Degrees results. If not set that will be set as ','.
2071
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002072 Please note that this option is only available when HAProxy has been
Dragan Dosenae6d39a2015-06-29 16:43:27 +02002073 compiled with USE_51DEGREES.
2074
207551degrees-cache-size <number>
2076 Sets the size of the 51Degrees converter cache to <number> entries. This
2077 is an LRU cache which reminds previous device detections and their results.
2078 By default, this cache is disabled.
2079
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002080 Please note that this option is only available when HAProxy has been
Thomas Holmesdb04f192015-05-18 13:21:39 +01002081 compiled with USE_51DEGREES.
2082
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02002083wurfl-data-file <file path>
2084 The path of the WURFL data file to provide device detection services. The
2085 file should be accessible by HAProxy with relevant permissions.
2086
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002087 Please note that this option is only available when HAProxy has been compiled
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02002088 with USE_WURFL=1.
2089
2090wurfl-information-list [<capability>]*
2091 A space-delimited list of WURFL capabilities, virtual capabilities, property
2092 names we plan to use in injected headers. A full list of capability and
2093 virtual capability names is available on the Scientiamobile website :
2094
2095 https://www.scientiamobile.com/wurflCapability
2096
2097 Valid WURFL properties are:
2098 - wurfl_id Contains the device ID of the matched device.
2099
2100 - wurfl_root_id Contains the device root ID of the matched
2101 device.
2102
2103 - wurfl_isdevroot Tells if the matched device is a root device.
2104 Possible values are "TRUE" or "FALSE".
2105
2106 - wurfl_useragent The original useragent coming with this
2107 particular web request.
2108
2109 - wurfl_api_version Contains a string representing the currently
2110 used Libwurfl API version.
2111
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02002112 - wurfl_info A string containing information on the parsed
2113 wurfl.xml and its full path.
2114
2115 - wurfl_last_load_time Contains the UNIX timestamp of the last time
2116 WURFL has been loaded successfully.
2117
2118 - wurfl_normalized_useragent The normalized useragent.
2119
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002120 Please note that this option is only available when HAProxy has been compiled
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02002121 with USE_WURFL=1.
2122
2123wurfl-information-list-separator <char>
2124 A char that will be used to separate values in a response header containing
2125 WURFL results. If not set that a comma (',') will be used by default.
2126
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002127 Please note that this option is only available when HAProxy has been compiled
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02002128 with USE_WURFL=1.
2129
2130wurfl-patch-file [<file path>]
2131 A list of WURFL patch file paths. Note that patches are loaded during startup
2132 thus before the chroot.
2133
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002134 Please note that this option is only available when HAProxy has been compiled
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02002135 with USE_WURFL=1.
2136
paulborilebad132c2019-04-18 11:57:04 +02002137wurfl-cache-size <size>
2138 Sets the WURFL Useragent cache size. For faster lookups, already processed user
2139 agents are kept in a LRU cache :
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02002140 - "0" : no cache is used.
paulborilebad132c2019-04-18 11:57:04 +02002141 - <size> : size of lru cache in elements.
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02002142
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002143 Please note that this option is only available when HAProxy has been compiled
Willy Tarreaub3cc9f22019-04-19 16:03:32 +02002144 with USE_WURFL=1.
2145
William Dauchy0fec3ab2019-10-27 20:08:11 +01002146strict-limits
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002147 Makes process fail at startup when a setrlimit fails. HAProxy tries to set the
William Dauchya5194602020-03-28 19:29:58 +01002148 best setrlimit according to what has been calculated. If it fails, it will
2149 emit a warning. This option is here to guarantee an explicit failure of
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002150 HAProxy when those limits fail. It is enabled by default. It may still be
William Dauchya5194602020-03-28 19:29:58 +01002151 forcibly disabled by prefixing it with the "no" keyword.
William Dauchy0fec3ab2019-10-27 20:08:11 +01002152
Willy Tarreauc57f0e22009-05-10 13:12:33 +020021533.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +02002154-----------------------
2155
Willy Tarreaubeb859a2018-11-22 18:07:59 +01002156busy-polling
2157 In some situations, especially when dealing with low latency on processors
2158 supporting a variable frequency or when running inside virtual machines, each
2159 time the process waits for an I/O using the poller, the processor goes back
2160 to sleep or is offered to another VM for a long time, and it causes
2161 excessively high latencies. This option provides a solution preventing the
2162 processor from sleeping by always using a null timeout on the pollers. This
2163 results in a significant latency reduction (30 to 100 microseconds observed)
2164 at the expense of a risk to overheat the processor. It may even be used with
2165 threads, in which case improperly bound threads may heavily conflict,
2166 resulting in a worse performance and high values for the CPU stolen fields
2167 in "show info" output, indicating which threads are misconfigured. It is
2168 important not to let the process run on the same processor as the network
2169 interrupts when this option is used. It is also better to avoid using it on
2170 multiple CPU threads sharing the same core. This option is disabled by
2171 default. If it has been enabled, it may still be forcibly disabled by
2172 prefixing it with the "no" keyword. It is ignored by the "select" and
2173 "poll" pollers.
2174
William Dauchy3894d972019-12-28 15:36:02 +01002175 This option is automatically disabled on old processes in the context of
2176 seamless reload; it avoids too much cpu conflicts when multiple processes
2177 stay around for some time waiting for the end of their current connections.
2178
Willy Tarreau1746eec2014-04-25 10:46:47 +02002179max-spread-checks <delay in milliseconds>
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002180 By default, HAProxy tries to spread the start of health checks across the
Willy Tarreau1746eec2014-04-25 10:46:47 +02002181 smallest health check interval of all the servers in a farm. The principle is
2182 to avoid hammering services running on the same server. But when using large
2183 check intervals (10 seconds or more), the last servers in the farm take some
2184 time before starting to be tested, which can be a problem. This parameter is
2185 used to enforce an upper bound on delay between the first and the last check,
2186 even if the servers' check intervals are larger. When servers run with
2187 shorter intervals, their intervals will be respected though.
2188
Willy Tarreau6a06a402007-07-15 20:15:28 +02002189maxconn <number>
2190 Sets the maximum per-process number of concurrent connections to <number>. It
2191 is equivalent to the command-line argument "-n". Proxies will stop accepting
2192 connections when this limit is reached. The "ulimit-n" parameter is
Willy Tarreau8274e102014-06-19 15:31:25 +02002193 automatically adjusted according to this value. See also "ulimit-n". Note:
2194 the "select" poller cannot reliably use more than 1024 file descriptors on
2195 some platforms. If your platform only supports select and reports "select
2196 FAILED" on startup, you need to reduce maxconn until it works (slightly
Willy Tarreaub28f3442019-03-04 08:13:43 +01002197 below 500 in general). If this value is not set, it will automatically be
2198 calculated based on the current file descriptors limit reported by the
2199 "ulimit -n" command, possibly reduced to a lower value if a memory limit
2200 is enforced, based on the buffer size, memory allocated to compression, SSL
2201 cache size, and use or not of SSL and the associated maxsslconn (which can
2202 also be automatic).
Willy Tarreau6a06a402007-07-15 20:15:28 +02002203
Willy Tarreau81c25d02011-09-07 15:17:21 +02002204maxconnrate <number>
2205 Sets the maximum per-process number of connections per second to <number>.
2206 Proxies will stop accepting connections when this limit is reached. It can be
2207 used to limit the global capacity regardless of each frontend capacity. It is
2208 important to note that this can only be used as a service protection measure,
2209 as there will not necessarily be a fair share between frontends when the
2210 limit is reached, so it's a good idea to also limit each frontend to some
2211 value close to its expected share. Also, lowering tune.maxaccept can improve
2212 fairness.
2213
William Lallemandd85f9172012-11-09 17:05:39 +01002214maxcomprate <number>
2215 Sets the maximum per-process input compression rate to <number> kilobytes
Davor Ocelice9ed2812017-12-25 17:49:28 +01002216 per second. For each session, if the maximum is reached, the compression
William Lallemandd85f9172012-11-09 17:05:39 +01002217 level will be decreased during the session. If the maximum is reached at the
2218 beginning of a session, the session will not compress at all. If the maximum
2219 is not reached, the compression level will be increased up to
Davor Ocelice9ed2812017-12-25 17:49:28 +01002220 tune.comp.maxlevel. A value of zero means there is no limit, this is the
William Lallemandd85f9172012-11-09 17:05:39 +01002221 default value.
2222
William Lallemand072a2bf2012-11-20 17:01:01 +01002223maxcompcpuusage <number>
2224 Sets the maximum CPU usage HAProxy can reach before stopping the compression
2225 for new requests or decreasing the compression level of current requests.
2226 It works like 'maxcomprate' but measures CPU usage instead of incoming data
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002227 bandwidth. The value is expressed in percent of the CPU used by HAProxy. In
William Lallemand072a2bf2012-11-20 17:01:01 +01002228 case of multiple processes (nbproc > 1), each process manages its individual
2229 usage. A value of 100 disable the limit. The default value is 100. Setting
2230 a lower value will prevent the compression work from slowing the whole
2231 process down and from introducing high latencies.
2232
Willy Tarreauff4f82d2009-02-06 11:28:13 +01002233maxpipes <number>
2234 Sets the maximum per-process number of pipes to <number>. Currently, pipes
2235 are only used by kernel-based tcp splicing. Since a pipe contains two file
2236 descriptors, the "ulimit-n" value will be increased accordingly. The default
2237 value is maxconn/4, which seems to be more than enough for most heavy usages.
2238 The splice code dynamically allocates and releases pipes, and can fall back
2239 to standard copy, so setting this value too low may only impact performance.
2240
Willy Tarreau93e7c002013-10-07 18:51:07 +02002241maxsessrate <number>
2242 Sets the maximum per-process number of sessions per second to <number>.
2243 Proxies will stop accepting connections when this limit is reached. It can be
2244 used to limit the global capacity regardless of each frontend capacity. It is
2245 important to note that this can only be used as a service protection measure,
2246 as there will not necessarily be a fair share between frontends when the
2247 limit is reached, so it's a good idea to also limit each frontend to some
2248 value close to its expected share. Also, lowering tune.maxaccept can improve
2249 fairness.
2250
Willy Tarreau403edff2012-09-06 11:58:37 +02002251maxsslconn <number>
2252 Sets the maximum per-process number of concurrent SSL connections to
2253 <number>. By default there is no SSL-specific limit, which means that the
2254 global maxconn setting will apply to all connections. Setting this limit
2255 avoids having openssl use too much memory and crash when malloc returns NULL
2256 (since it unfortunately does not reliably check for such conditions). Note
2257 that the limit applies both to incoming and outgoing connections, so one
2258 connection which is deciphered then ciphered accounts for 2 SSL connections.
Willy Tarreaud0256482015-01-15 21:45:22 +01002259 If this value is not set, but a memory limit is enforced, this value will be
2260 automatically computed based on the memory limit, maxconn, the buffer size,
2261 memory allocated to compression, SSL cache size, and use of SSL in either
2262 frontends, backends or both. If neither maxconn nor maxsslconn are specified
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002263 when there is a memory limit, HAProxy will automatically adjust these values
Willy Tarreaud0256482015-01-15 21:45:22 +01002264 so that 100% of the connections can be made over SSL with no risk, and will
2265 consider the sides where it is enabled (frontend, backend, both).
Willy Tarreau403edff2012-09-06 11:58:37 +02002266
Willy Tarreaue43d5322013-10-07 20:01:52 +02002267maxsslrate <number>
2268 Sets the maximum per-process number of SSL sessions per second to <number>.
2269 SSL listeners will stop accepting connections when this limit is reached. It
2270 can be used to limit the global SSL CPU usage regardless of each frontend
2271 capacity. It is important to note that this can only be used as a service
2272 protection measure, as there will not necessarily be a fair share between
2273 frontends when the limit is reached, so it's a good idea to also limit each
2274 frontend to some value close to its expected share. It is also important to
2275 note that the sessions are accounted before they enter the SSL stack and not
2276 after, which also protects the stack against bad handshakes. Also, lowering
2277 tune.maxaccept can improve fairness.
2278
William Lallemand9d5f5482012-11-07 16:12:57 +01002279maxzlibmem <number>
2280 Sets the maximum amount of RAM in megabytes per process usable by the zlib.
2281 When the maximum amount is reached, future sessions will not compress as long
2282 as RAM is unavailable. When sets to 0, there is no limit.
William Lallemande3a7d992012-11-20 11:25:20 +01002283 The default value is 0. The value is available in bytes on the UNIX socket
2284 with "show info" on the line "MaxZlibMemUsage", the memory used by zlib is
2285 "ZlibMemUsage" in bytes.
2286
Willy Tarreau6a06a402007-07-15 20:15:28 +02002287noepoll
2288 Disables the use of the "epoll" event polling system on Linux. It is
2289 equivalent to the command-line argument "-de". The next polling system
Willy Tarreaue9f49e72012-11-11 17:42:00 +01002290 used will generally be "poll". See also "nopoll".
Willy Tarreau6a06a402007-07-15 20:15:28 +02002291
2292nokqueue
2293 Disables the use of the "kqueue" event polling system on BSD. It is
2294 equivalent to the command-line argument "-dk". The next polling system
2295 used will generally be "poll". See also "nopoll".
2296
Emmanuel Hocdet0ba4f482019-04-08 16:53:32 +00002297noevports
2298 Disables the use of the event ports event polling system on SunOS systems
2299 derived from Solaris 10 and later. It is equivalent to the command-line
2300 argument "-dv". The next polling system used will generally be "poll". See
2301 also "nopoll".
2302
Willy Tarreau6a06a402007-07-15 20:15:28 +02002303nopoll
2304 Disables the use of the "poll" event polling system. It is equivalent to the
2305 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002306 It should never be needed to disable "poll" since it's available on all
Emmanuel Hocdet0ba4f482019-04-08 16:53:32 +00002307 platforms supported by HAProxy. See also "nokqueue", "noepoll" and
2308 "noevports".
Willy Tarreau6a06a402007-07-15 20:15:28 +02002309
Willy Tarreauff4f82d2009-02-06 11:28:13 +01002310nosplice
2311 Disables the use of kernel tcp splicing between sockets on Linux. It is
Davor Ocelice9ed2812017-12-25 17:49:28 +01002312 equivalent to the command line argument "-dS". Data will then be copied
Willy Tarreauff4f82d2009-02-06 11:28:13 +01002313 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002314 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +01002315 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
2316 be used. This option makes it easier to globally disable kernel splicing in
2317 case of doubt. See also "option splice-auto", "option splice-request" and
2318 "option splice-response".
2319
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03002320nogetaddrinfo
2321 Disables the use of getaddrinfo(3) for name resolving. It is equivalent to
2322 the command line argument "-dG". Deprecated gethostbyname(3) will be used.
2323
Lukas Tribusa0bcbdc2016-09-12 21:42:20 +00002324noreuseport
2325 Disables the use of SO_REUSEPORT - see socket(7). It is equivalent to the
2326 command line argument "-dR".
2327
Willy Tarreauca3afc22021-05-05 18:33:19 +02002328profiling.memory { on | off }
2329 Enables ('on') or disables ('off') per-function memory profiling. This will
2330 keep usage statistics of malloc/calloc/realloc/free calls anywhere in the
2331 process (including libraries) which will be reported on the CLI using the
2332 "show profiling" command. This is essentially meant to be used when an
2333 abnormal memory usage is observed that cannot be explained by the pools and
2334 other info are required. The performance hit will typically be around 1%,
2335 maybe a bit more on highly threaded machines, so it is normally suitable for
2336 use in production. The same may be achieved at run time on the CLI using the
2337 "set profiling memory" command, please consult the management manual.
2338
Willy Tarreaud2d33482019-04-25 17:09:07 +02002339profiling.tasks { auto | on | off }
2340 Enables ('on') or disables ('off') per-task CPU profiling. When set to 'auto'
2341 the profiling automatically turns on a thread when it starts to suffer from
2342 an average latency of 1000 microseconds or higher as reported in the
2343 "avg_loop_us" activity field, and automatically turns off when the latency
John Roeslerfb2fce12019-07-10 15:45:51 -05002344 returns below 990 microseconds (this value is an average over the last 1024
Willy Tarreaud2d33482019-04-25 17:09:07 +02002345 loops so it does not vary quickly and tends to significantly smooth short
2346 spikes). It may also spontaneously trigger from time to time on overloaded
2347 systems, containers, or virtual machines, or when the system swaps (which
2348 must absolutely never happen on a load balancer).
2349
2350 CPU profiling per task can be very convenient to report where the time is
2351 spent and which requests have what effect on which other request. Enabling
2352 it will typically affect the overall's performance by less than 1%, thus it
2353 is recommended to leave it to the default 'auto' value so that it only
2354 operates when a problem is identified. This feature requires a system
Willy Tarreau75c62c22018-11-22 11:02:09 +01002355 supporting the clock_gettime(2) syscall with clock identifiers
2356 CLOCK_MONOTONIC and CLOCK_THREAD_CPUTIME_ID, otherwise the reported time will
2357 be zero. This option may be changed at run time using "set profiling" on the
2358 CLI.
2359
Willy Tarreaufe255b72007-10-14 23:09:26 +02002360spread-checks <0..50, in percent>
Simon Hormand60d6912013-11-25 10:46:36 +09002361 Sometimes it is desirable to avoid sending agent and health checks to
2362 servers at exact intervals, for instance when many logical servers are
2363 located on the same physical server. With the help of this parameter, it
2364 becomes possible to add some randomness in the check interval between 0
2365 and +/- 50%. A value between 2 and 5 seems to show good results. The
2366 default value remains at 0.
Willy Tarreaufe255b72007-10-14 23:09:26 +02002367
Davor Ocelice9ed2812017-12-25 17:49:28 +01002368ssl-engine <name> [algo <comma-separated list of algorithms>]
Grant Zhang872f9c22017-01-21 01:10:18 +00002369 Sets the OpenSSL engine to <name>. List of valid values for <name> may be
Davor Ocelice9ed2812017-12-25 17:49:28 +01002370 obtained using the command "openssl engine". This statement may be used
Grant Zhang872f9c22017-01-21 01:10:18 +00002371 multiple times, it will simply enable multiple crypto engines. Referencing an
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002372 unsupported engine will prevent HAProxy from starting. Note that many engines
Grant Zhang872f9c22017-01-21 01:10:18 +00002373 will lead to lower HTTPS performance than pure software with recent
2374 processors. The optional command "algo" sets the default algorithms an ENGINE
2375 will supply using the OPENSSL function ENGINE_set_default_string(). A value
Davor Ocelice9ed2812017-12-25 17:49:28 +01002376 of "ALL" uses the engine for all cryptographic operations. If no list of
2377 algo is specified then the value of "ALL" is used. A comma-separated list
Grant Zhang872f9c22017-01-21 01:10:18 +00002378 of different algorithms may be specified, including: RSA, DSA, DH, EC, RAND,
2379 CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1. This is the same format that
2380 openssl configuration file uses:
2381 https://www.openssl.org/docs/man1.0.2/apps/config.html
2382
Grant Zhangfa6c7ee2017-01-14 01:42:15 +00002383ssl-mode-async
2384 Adds SSL_MODE_ASYNC mode to the SSL context. This enables asynchronous TLS
Emeric Brun3854e012017-05-17 20:42:48 +02002385 I/O operations if asynchronous capable SSL engines are used. The current
Emeric Brunb5e42a82017-06-06 12:35:14 +00002386 implementation supports a maximum of 32 engines. The Openssl ASYNC API
2387 doesn't support moving read/write buffers and is not compliant with
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002388 HAProxy's buffer management. So the asynchronous mode is disabled on
John Roeslerfb2fce12019-07-10 15:45:51 -05002389 read/write operations (it is only enabled during initial and renegotiation
Emeric Brunb5e42a82017-06-06 12:35:14 +00002390 handshakes).
Grant Zhangfa6c7ee2017-01-14 01:42:15 +00002391
Willy Tarreau33cb0652014-12-23 22:52:37 +01002392tune.buffers.limit <number>
2393 Sets a hard limit on the number of buffers which may be allocated per process.
2394 The default value is zero which means unlimited. The minimum non-zero value
2395 will always be greater than "tune.buffers.reserve" and should ideally always
2396 be about twice as large. Forcing this value can be particularly useful to
2397 limit the amount of memory a process may take, while retaining a sane
Davor Ocelice9ed2812017-12-25 17:49:28 +01002398 behavior. When this limit is reached, sessions which need a buffer wait for
Willy Tarreau33cb0652014-12-23 22:52:37 +01002399 another one to be released by another session. Since buffers are dynamically
2400 allocated and released, the waiting time is very short and not perceptible
2401 provided that limits remain reasonable. In fact sometimes reducing the limit
2402 may even increase performance by increasing the CPU cache's efficiency. Tests
2403 have shown good results on average HTTP traffic with a limit to 1/10 of the
2404 expected global maxconn setting, which also significantly reduces memory
2405 usage. The memory savings come from the fact that a number of connections
2406 will not allocate 2*tune.bufsize. It is best not to touch this value unless
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002407 advised to do so by an HAProxy core developer.
Willy Tarreau33cb0652014-12-23 22:52:37 +01002408
Willy Tarreau1058ae72014-12-23 22:40:40 +01002409tune.buffers.reserve <number>
2410 Sets the number of buffers which are pre-allocated and reserved for use only
2411 during memory shortage conditions resulting in failed memory allocations. The
2412 minimum value is 2 and is also the default. There is no reason a user would
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002413 want to change this value, it's mostly aimed at HAProxy core developers.
Willy Tarreau1058ae72014-12-23 22:40:40 +01002414
Willy Tarreau27a674e2009-08-17 07:23:33 +02002415tune.bufsize <number>
2416 Sets the buffer size to this size (in bytes). Lower values allow more
2417 sessions to coexist in the same amount of RAM, and higher values allow some
2418 applications with very large cookies to work. The default value is 16384 and
2419 can be changed at build time. It is strongly recommended not to change this
2420 from the default value, as very low values will break some services such as
2421 statistics, and values larger than default size will increase memory usage,
2422 possibly causing the system to run out of memory. At least the global maxconn
Willy Tarreau45a66cc2017-11-24 11:28:00 +01002423 parameter should be decreased by the same factor as this one is increased. In
2424 addition, use of HTTP/2 mandates that this value must be 16384 or more. If an
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002425 HTTP request is larger than (tune.bufsize - tune.maxrewrite), HAProxy will
Dmitry Sivachenkof6f4f7b2012-10-21 18:10:25 +04002426 return HTTP 400 (Bad Request) error. Similarly if an HTTP response is larger
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002427 than this size, HAProxy will return HTTP 502 (Bad Gateway). Note that the
Willy Tarreauc77d3642018-12-12 06:19:42 +01002428 value set using this parameter will automatically be rounded up to the next
2429 multiple of 8 on 32-bit machines and 16 on 64-bit machines.
Willy Tarreau27a674e2009-08-17 07:23:33 +02002430
Christopher Fauletbb9fb8b2020-11-25 17:20:57 +01002431tune.chksize <number> (deprecated)
2432 This option is deprecated and ignored.
Willy Tarreau43961d52010-10-04 20:39:20 +02002433
William Lallemandf3747832012-11-09 12:33:10 +01002434tune.comp.maxlevel <number>
2435 Sets the maximum compression level. The compression level affects CPU
2436 usage during compression. This value affects CPU usage during compression.
2437 Each session using compression initializes the compression algorithm with
2438 this value. The default value is 1.
2439
Willy Tarreauc299e1e2019-02-27 11:35:12 +01002440tune.fail-alloc
2441 If compiled with DEBUG_FAIL_ALLOC, gives the percentage of chances an
2442 allocation attempt fails. Must be between 0 (no failure) and 100 (no
2443 success). This is useful to debug and make sure memory failures are handled
2444 gracefully.
2445
Willy Tarreaubc52bec2020-06-18 08:58:47 +02002446tune.fd.edge-triggered { on | off } [ EXPERIMENTAL ]
2447 Enables ('on') or disables ('off') the edge-triggered polling mode for FDs
2448 that support it. This is currently only support with epoll. It may noticeably
2449 reduce the number of epoll_ctl() calls and slightly improve performance in
2450 certain scenarios. This is still experimental, it may result in frozen
2451 connections if bugs are still present, and is disabled by default.
2452
Willy Tarreaufe20e5b2017-07-27 11:42:14 +02002453tune.h2.header-table-size <number>
2454 Sets the HTTP/2 dynamic header table size. It defaults to 4096 bytes and
2455 cannot be larger than 65536 bytes. A larger value may help certain clients
2456 send more compact requests, depending on their capabilities. This amount of
2457 memory is consumed for each HTTP/2 connection. It is recommended not to
2458 change it.
2459
Willy Tarreaue6baec02017-07-27 11:45:11 +02002460tune.h2.initial-window-size <number>
2461 Sets the HTTP/2 initial window size, which is the number of bytes the client
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002462 can upload before waiting for an acknowledgment from HAProxy. This setting
Davor Ocelice9ed2812017-12-25 17:49:28 +01002463 only affects payload contents (i.e. the body of POST requests), not headers.
Willy Tarreaue6baec02017-07-27 11:45:11 +02002464 The default value is 65535, which roughly allows up to 5 Mbps of upload
2465 bandwidth per client over a network showing a 100 ms ping time, or 500 Mbps
2466 over a 1-ms local network. It can make sense to increase this value to allow
2467 faster uploads, or to reduce it to increase fairness when dealing with many
2468 clients. It doesn't affect resource usage.
2469
Willy Tarreau5242ef82017-07-27 11:47:28 +02002470tune.h2.max-concurrent-streams <number>
2471 Sets the HTTP/2 maximum number of concurrent streams per connection (ie the
2472 number of outstanding requests on a single connection). The default value is
2473 100. A larger one may slightly improve page load time for complex sites when
2474 visited over high latency networks, but increases the amount of resources a
2475 single client may allocate. A value of zero disables the limit so a single
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002476 client may create as many streams as allocatable by HAProxy. It is highly
Willy Tarreau5242ef82017-07-27 11:47:28 +02002477 recommended not to change this value.
2478
Willy Tarreaua24b35c2019-02-21 13:24:36 +01002479tune.h2.max-frame-size <number>
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002480 Sets the HTTP/2 maximum frame size that HAProxy announces it is willing to
Willy Tarreaua24b35c2019-02-21 13:24:36 +01002481 receive to its peers. The default value is the largest between 16384 and the
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002482 buffer size (tune.bufsize). In any case, HAProxy will not announce support
Willy Tarreaua24b35c2019-02-21 13:24:36 +01002483 for frame sizes larger than buffers. The main purpose of this setting is to
2484 allow to limit the maximum frame size setting when using large buffers. Too
2485 large frame sizes might have performance impact or cause some peers to
2486 misbehave. It is highly recommended not to change this value.
2487
Willy Tarreau193b8c62012-11-22 00:17:38 +01002488tune.http.cookielen <number>
2489 Sets the maximum length of captured cookies. This is the maximum value that
2490 the "capture cookie xxx len yyy" will be allowed to take, and any upper value
2491 will automatically be truncated to this one. It is important not to set too
2492 high a value because all cookie captures still allocate this size whatever
2493 their configured value (they share a same pool). This value is per request
2494 per response, so the memory allocated is twice this value per connection.
2495 When not specified, the limit is set to 63 characters. It is recommended not
2496 to change this value.
2497
Stéphane Cottin23e9e932017-05-18 08:58:41 +02002498tune.http.logurilen <number>
Davor Ocelice9ed2812017-12-25 17:49:28 +01002499 Sets the maximum length of request URI in logs. This prevents truncating long
2500 request URIs with valuable query strings in log lines. This is not related
Stéphane Cottin23e9e932017-05-18 08:58:41 +02002501 to syslog limits. If you increase this limit, you may also increase the
Davor Ocelice9ed2812017-12-25 17:49:28 +01002502 'log ... len yyy' parameter. Your syslog daemon may also need specific
Stéphane Cottin23e9e932017-05-18 08:58:41 +02002503 configuration directives too.
2504 The default value is 1024.
2505
Willy Tarreauac1932d2011-10-24 19:14:41 +02002506tune.http.maxhdr <number>
2507 Sets the maximum number of headers in a request. When a request comes with a
2508 number of headers greater than this value (including the first line), it is
2509 rejected with a "400 Bad Request" status code. Similarly, too large responses
2510 are blocked with "502 Bad Gateway". The default value is 101, which is enough
2511 for all usages, considering that the widely deployed Apache server uses the
2512 same limit. It can be useful to push this limit further to temporarily allow
Christopher Faulet50174f32017-06-21 16:31:35 +02002513 a buggy application to work by the time it gets fixed. The accepted range is
2514 1..32767. Keep in mind that each new header consumes 32bits of memory for
2515 each session, so don't push this limit too high.
Willy Tarreauac1932d2011-10-24 19:14:41 +02002516
Willy Tarreau76cc6992020-07-01 18:49:24 +02002517tune.idle-pool.shared { on | off }
2518 Enables ('on') or disables ('off') sharing of idle connection pools between
2519 threads for a same server. The default is to share them between threads in
2520 order to minimize the number of persistent connections to a server, and to
2521 optimize the connection reuse rate. But to help with debugging or when
2522 suspecting a bug in HAProxy around connection reuse, it can be convenient to
2523 forcefully disable this idle pool sharing between multiple threads, and force
Willy Tarreau0784db82021-02-19 11:45:22 +01002524 this option to "off". The default is on. It is strongly recommended against
2525 disabling this option without setting a conservative value on "pool-low-conn"
2526 for all servers relying on connection reuse to achieve a high performance
2527 level, otherwise connections might be closed very often as the thread count
2528 increases.
Willy Tarreau76cc6992020-07-01 18:49:24 +02002529
Willy Tarreau7e312732014-02-12 16:35:14 +01002530tune.idletimer <timeout>
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002531 Sets the duration after which HAProxy will consider that an empty buffer is
Willy Tarreau7e312732014-02-12 16:35:14 +01002532 probably associated with an idle stream. This is used to optimally adjust
2533 some packet sizes while forwarding large and small data alternatively. The
2534 decision to use splice() or to send large buffers in SSL is modulated by this
2535 parameter. The value is in milliseconds between 0 and 65535. A value of zero
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002536 means that HAProxy will not try to detect idle streams. The default is 1000,
Davor Ocelice9ed2812017-12-25 17:49:28 +01002537 which seems to correctly detect end user pauses (e.g. read a page before
John Roeslerfb2fce12019-07-10 15:45:51 -05002538 clicking). There should be no reason for changing this value. Please check
Willy Tarreau7e312732014-02-12 16:35:14 +01002539 tune.ssl.maxrecord below.
2540
Willy Tarreau7ac908b2019-02-27 12:02:18 +01002541tune.listener.multi-queue { on | off }
2542 Enables ('on') or disables ('off') the listener's multi-queue accept which
2543 spreads the incoming traffic to all threads a "bind" line is allowed to run
2544 on instead of taking them for itself. This provides a smoother traffic
2545 distribution and scales much better, especially in environments where threads
2546 may be unevenly loaded due to external activity (network interrupts colliding
2547 with one thread for example). This option is enabled by default, but it may
2548 be forcefully disabled for troubleshooting or for situations where it is
2549 estimated that the operating system already provides a good enough
2550 distribution and connections are extremely short-lived.
2551
Thierry FOURNIER90da1912015-03-05 11:17:06 +01002552tune.lua.forced-yield <number>
2553 This directive forces the Lua engine to execute a yield each <number> of
Tim Düsterhus4896c442016-11-29 02:15:19 +01002554 instructions executed. This permits interrupting a long script and allows the
Thierry FOURNIER90da1912015-03-05 11:17:06 +01002555 HAProxy scheduler to process other tasks like accepting connections or
2556 forwarding traffic. The default value is 10000 instructions. If HAProxy often
Davor Ocelice9ed2812017-12-25 17:49:28 +01002557 executes some Lua code but more responsiveness is required, this value can be
Thierry FOURNIER90da1912015-03-05 11:17:06 +01002558 lowered. If the Lua code is quite long and its result is absolutely required
2559 to process the data, the <number> can be increased.
2560
Willy Tarreau32f61e22015-03-18 17:54:59 +01002561tune.lua.maxmem
2562 Sets the maximum amount of RAM in megabytes per process usable by Lua. By
2563 default it is zero which means unlimited. It is important to set a limit to
2564 ensure that a bug in a script will not result in the system running out of
2565 memory.
2566
Thierry FOURNIER90da1912015-03-05 11:17:06 +01002567tune.lua.session-timeout <timeout>
2568 This is the execution timeout for the Lua sessions. This is useful for
Thierry FOURNIER7dd784b2015-10-01 14:49:33 +02002569 preventing infinite loops or spending too much time in Lua. This timeout
2570 counts only the pure Lua runtime. If the Lua does a sleep, the sleep is
Davor Ocelice9ed2812017-12-25 17:49:28 +01002571 not taken in account. The default timeout is 4s.
Thierry FOURNIER90da1912015-03-05 11:17:06 +01002572
2573tune.lua.task-timeout <timeout>
2574 Purpose is the same as "tune.lua.session-timeout", but this timeout is
2575 dedicated to the tasks. By default, this timeout isn't set because a task may
2576 remain alive during of the lifetime of HAProxy. For example, a task used to
2577 check servers.
2578
Thierry FOURNIER7dd784b2015-10-01 14:49:33 +02002579tune.lua.service-timeout <timeout>
2580 This is the execution timeout for the Lua services. This is useful for
2581 preventing infinite loops or spending too much time in Lua. This timeout
2582 counts only the pure Lua runtime. If the Lua does a sleep, the sleep is
Davor Ocelice9ed2812017-12-25 17:49:28 +01002583 not taken in account. The default timeout is 4s.
Thierry FOURNIER7dd784b2015-10-01 14:49:33 +02002584
Willy Tarreaua0250ba2008-01-06 11:22:57 +01002585tune.maxaccept <number>
Willy Tarreau16a21472012-11-19 12:39:59 +01002586 Sets the maximum number of consecutive connections a process may accept in a
2587 row before switching to other work. In single process mode, higher numbers
Willy Tarreau66161322021-02-19 15:50:27 +01002588 used to give better performance at high connection rates, though this is not
2589 the case anymore with the multi-queue. This value applies individually to
2590 each listener, so that the number of processes a listener is bound to is
2591 taken into account. This value defaults to 4 which showed best results. If a
2592 significantly higher value was inherited from an ancient config, it might be
2593 worth removing it as it will both increase performance and lower response
2594 time. In multi-process mode, it is divided by twice the number of processes
2595 the listener is bound to. Setting this value to -1 completely disables the
2596 limitation. It should normally not be needed to tweak this value.
Willy Tarreaua0250ba2008-01-06 11:22:57 +01002597
2598tune.maxpollevents <number>
2599 Sets the maximum amount of events that can be processed at once in a call to
2600 the polling system. The default value is adapted to the operating system. It
2601 has been noticed that reducing it below 200 tends to slightly decrease
2602 latency at the expense of network bandwidth, and increasing it above 200
2603 tends to trade latency for slightly increased bandwidth.
2604
Willy Tarreau27a674e2009-08-17 07:23:33 +02002605tune.maxrewrite <number>
2606 Sets the reserved buffer space to this size in bytes. The reserved space is
2607 used for header rewriting or appending. The first reads on sockets will never
2608 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
2609 bufsize, though that does not make much sense since there are rarely large
2610 numbers of headers to add. Setting it too high prevents processing of large
2611 requests or responses. Setting it too low prevents addition of new headers
2612 to already large requests or to POST requests. It is generally wise to set it
2613 to about 1024. It is automatically readjusted to half of bufsize if it is
2614 larger than that. This means you don't have to worry about it when changing
2615 bufsize.
2616
Willy Tarreauf3045d22015-04-29 16:24:50 +02002617tune.pattern.cache-size <number>
2618 Sets the size of the pattern lookup cache to <number> entries. This is an LRU
2619 cache which reminds previous lookups and their results. It is used by ACLs
2620 and maps on slow pattern lookups, namely the ones using the "sub", "reg",
2621 "dir", "dom", "end", "bin" match methods as well as the case-insensitive
2622 strings. It applies to pattern expressions which means that it will be able
2623 to memorize the result of a lookup among all the patterns specified on a
2624 configuration line (including all those loaded from files). It automatically
2625 invalidates entries which are updated using HTTP actions or on the CLI. The
2626 default cache size is set to 10000 entries, which limits its footprint to
Willy Tarreau403bfbb2019-10-23 06:59:31 +02002627 about 5 MB per process/thread on 32-bit systems and 8 MB per process/thread
2628 on 64-bit systems, as caches are thread/process local. There is a very low
Willy Tarreauf3045d22015-04-29 16:24:50 +02002629 risk of collision in this cache, which is in the order of the size of the
2630 cache divided by 2^64. Typically, at 10000 requests per second with the
2631 default cache size of 10000 entries, there's 1% chance that a brute force
2632 attack could cause a single collision after 60 years, or 0.1% after 6 years.
2633 This is considered much lower than the risk of a memory corruption caused by
2634 aging components. If this is not acceptable, the cache can be disabled by
2635 setting this parameter to 0.
2636
Willy Tarreaubd9a0a72011-10-23 21:14:29 +02002637tune.pipesize <number>
2638 Sets the kernel pipe buffer size to this size (in bytes). By default, pipes
2639 are the default size for the system. But sometimes when using TCP splicing,
2640 it can improve performance to increase pipe sizes, especially if it is
2641 suspected that pipes are not filled and that many calls to splice() are
2642 performed. This has an impact on the kernel's memory footprint, so this must
2643 not be changed if impacts are not understood.
2644
Olivier Houchard88698d92019-04-16 19:07:22 +02002645tune.pool-high-fd-ratio <number>
2646 This setting sets the max number of file descriptors (in percentage) used by
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002647 HAProxy globally against the maximum number of file descriptors HAProxy can
Olivier Houchard88698d92019-04-16 19:07:22 +02002648 use before we start killing idle connections when we can't reuse a connection
2649 and we have to create a new one. The default is 25 (one quarter of the file
2650 descriptor will mean that roughly half of the maximum front connections can
2651 keep an idle connection behind, anything beyond this probably doesn't make
John Roeslerfb2fce12019-07-10 15:45:51 -05002652 much sense in the general case when targeting connection reuse).
Olivier Houchard88698d92019-04-16 19:07:22 +02002653
Willy Tarreau83ca3052020-07-01 18:30:16 +02002654tune.pool-low-fd-ratio <number>
2655 This setting sets the max number of file descriptors (in percentage) used by
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002656 HAProxy globally against the maximum number of file descriptors HAProxy can
Willy Tarreau83ca3052020-07-01 18:30:16 +02002657 use before we stop putting connection into the idle pool for reuse. The
2658 default is 20.
2659
Willy Tarreaue803de22010-01-21 17:43:04 +01002660tune.rcvbuf.client <number>
2661tune.rcvbuf.server <number>
2662 Forces the kernel socket receive buffer size on the client or the server side
2663 to the specified value in bytes. This value applies to all TCP/HTTP frontends
2664 and backends. It should normally never be set, and the default size (0) lets
John Roeslerfb2fce12019-07-10 15:45:51 -05002665 the kernel auto-tune this value depending on the amount of available memory.
Davor Ocelice9ed2812017-12-25 17:49:28 +01002666 However it can sometimes help to set it to very low values (e.g. 4096) in
Willy Tarreaue803de22010-01-21 17:43:04 +01002667 order to save kernel memory by preventing it from buffering too large amounts
2668 of received data. Lower values will significantly increase CPU usage though.
2669
Willy Tarreaub22fc302015-12-14 12:04:35 +01002670tune.recv_enough <number>
Davor Ocelice9ed2812017-12-25 17:49:28 +01002671 HAProxy uses some hints to detect that a short read indicates the end of the
Willy Tarreaub22fc302015-12-14 12:04:35 +01002672 socket buffers. One of them is that a read returns more than <recv_enough>
2673 bytes, which defaults to 10136 (7 segments of 1448 each). This default value
2674 may be changed by this setting to better deal with workloads involving lots
2675 of short messages such as telnet or SSH sessions.
2676
Olivier Houchard1599b802018-05-24 18:59:04 +02002677tune.runqueue-depth <number>
John Roeslerfb2fce12019-07-10 15:45:51 -05002678 Sets the maximum amount of task that can be processed at once when running
Willy Tarreau060a7612021-03-10 11:06:26 +01002679 tasks. The default value depends on the number of threads but sits between 35
2680 and 280, which tend to show the highest request rates and lowest latencies.
2681 Increasing it may incur latency when dealing with I/Os, making it too small
2682 can incur extra overhead. Higher thread counts benefit from lower values.
2683 When experimenting with much larger values, it may be useful to also enable
2684 tune.sched.low-latency and possibly tune.fd.edge-triggered to limit the
2685 maximum latency to the lowest possible.
Willy Tarreaue7723bd2020-06-24 11:11:02 +02002686
2687tune.sched.low-latency { on | off }
2688 Enables ('on') or disables ('off') the low-latency task scheduler. By default
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002689 HAProxy processes tasks from several classes one class at a time as this is
Willy Tarreaue7723bd2020-06-24 11:11:02 +02002690 the most efficient. But when running with large values of tune.runqueue-depth
2691 this can have a measurable effect on request or connection latency. When this
2692 low-latency setting is enabled, tasks of lower priority classes will always
2693 be executed before other ones if they exist. This will permit to lower the
2694 maximum latency experienced by new requests or connections in the middle of
2695 massive traffic, at the expense of a higher impact on this large traffic.
2696 For regular usage it is better to leave this off. The default value is off.
Olivier Houchard1599b802018-05-24 18:59:04 +02002697
Willy Tarreaue803de22010-01-21 17:43:04 +01002698tune.sndbuf.client <number>
2699tune.sndbuf.server <number>
2700 Forces the kernel socket send buffer size on the client or the server side to
2701 the specified value in bytes. This value applies to all TCP/HTTP frontends
2702 and backends. It should normally never be set, and the default size (0) lets
John Roeslerfb2fce12019-07-10 15:45:51 -05002703 the kernel auto-tune this value depending on the amount of available memory.
Davor Ocelice9ed2812017-12-25 17:49:28 +01002704 However it can sometimes help to set it to very low values (e.g. 4096) in
Willy Tarreaue803de22010-01-21 17:43:04 +01002705 order to save kernel memory by preventing it from buffering too large amounts
2706 of received data. Lower values will significantly increase CPU usage though.
2707 Another use case is to prevent write timeouts with extremely slow clients due
2708 to the kernel waiting for a large part of the buffer to be read before
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002709 notifying HAProxy again.
Willy Tarreaue803de22010-01-21 17:43:04 +01002710
Willy Tarreau6ec58db2012-11-16 16:32:15 +01002711tune.ssl.cachesize <number>
Emeric Brunaf9619d2012-11-28 18:47:52 +01002712 Sets the size of the global SSL session cache, in a number of blocks. A block
William Dauchy9a4bbfe2021-02-12 15:58:46 +01002713 is large enough to contain an encoded session without peer certificate. An
2714 encoded session with peer certificate is stored in multiple blocks depending
2715 on the size of the peer certificate. A block uses approximately 200 bytes of
2716 memory (based on `sizeof(struct sh_ssl_sess_hdr) + SHSESS_BLOCK_MIN_SIZE`
2717 calculation used for `shctx_init` function). The default value may be forced
2718 at build time, otherwise defaults to 20000. When the cache is full, the most
2719 idle entries are purged and reassigned. Higher values reduce the occurrence
2720 of such a purge, hence the number of CPU-intensive SSL handshakes by ensuring
2721 that all users keep their session as long as possible. All entries are
2722 pre-allocated upon startup and are shared between all processes if "nbproc"
2723 is greater than 1. Setting this value to 0 disables the SSL session cache.
Willy Tarreau6ec58db2012-11-16 16:32:15 +01002724
Emeric Brun8dc60392014-05-09 13:52:00 +02002725tune.ssl.force-private-cache
Lukas Tribus27935782018-10-01 02:00:16 +02002726 This option disables SSL session cache sharing between all processes. It
Emeric Brun8dc60392014-05-09 13:52:00 +02002727 should normally not be used since it will force many renegotiations due to
2728 clients hitting a random process. But it may be required on some operating
2729 systems where none of the SSL cache synchronization method may be used. In
2730 this case, adding a first layer of hash-based load balancing before the SSL
2731 layer might limit the impact of the lack of session sharing.
2732
William Lallemand7d42ef52020-07-06 11:41:30 +02002733tune.ssl.keylog { on | off }
2734 This option activates the logging of the TLS keys. It should be used with
2735 care as it will consume more memory per SSL session and could decrease
2736 performances. This is disabled by default.
2737
2738 These sample fetches should be used to generate the SSLKEYLOGFILE that is
2739 required to decipher traffic with wireshark.
2740
2741 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
2742
2743 The SSLKEYLOG is a series of lines which are formatted this way:
2744
2745 <Label> <space> <ClientRandom> <space> <Secret>
2746
2747 The ClientRandom is provided by the %[ssl_fc_client_random,hex] sample
2748 fetch, the secret and the Label could be find in the array below. You need
2749 to generate a SSLKEYLOGFILE with all the labels in this array.
2750
2751 The following sample fetches are hexadecimal strings and does not need to be
2752 converted.
2753
2754 SSLKEYLOGFILE Label | Sample fetches for the Secrets
2755 --------------------------------|-----------------------------------------
2756 CLIENT_EARLY_TRAFFIC_SECRET | %[ssl_fc_client_early_traffic_secret]
2757 CLIENT_HANDSHAKE_TRAFFIC_SECRET | %[ssl_fc_client_handshake_traffic_secret]
2758 SERVER_HANDSHAKE_TRAFFIC_SECRET | %[ssl_fc_server_handshake_traffic_secret]
2759 CLIENT_TRAFFIC_SECRET_0 | %[ssl_fc_client_traffic_secret_0]
2760 SERVER_TRAFFIC_SECRET_0 | %[ssl_fc_server_traffic_secret_0]
William Lallemandd742b6c2020-07-07 10:14:56 +02002761 EXPORTER_SECRET | %[ssl_fc_exporter_secret]
2762 EARLY_EXPORTER_SECRET | %[ssl_fc_early_exporter_secret]
William Lallemand7d42ef52020-07-06 11:41:30 +02002763
2764 This is only available with OpenSSL 1.1.1, and useful with TLS1.3 session.
2765
2766 If you want to generate the content of a SSLKEYLOGFILE with TLS < 1.3, you
2767 only need this line:
2768
2769 "CLIENT_RANDOM %[ssl_fc_client_random,hex] %[ssl_fc_session_key,hex]"
2770
Emeric Brun4f65bff2012-11-16 15:11:00 +01002771tune.ssl.lifetime <timeout>
2772 Sets how long a cached SSL session may remain valid. This time is expressed
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03002773 in seconds and defaults to 300 (5 min). It is important to understand that it
Emeric Brun4f65bff2012-11-16 15:11:00 +01002774 does not guarantee that sessions will last that long, because if the cache is
2775 full, the longest idle sessions will be purged despite their configured
2776 lifetime. The real usefulness of this setting is to prevent sessions from
2777 being used for too long.
2778
Willy Tarreaubfd59462013-02-21 07:46:09 +01002779tune.ssl.maxrecord <number>
2780 Sets the maximum amount of bytes passed to SSL_write() at a time. Default
2781 value 0 means there is no limit. Over SSL/TLS, the client can decipher the
2782 data only once it has received a full record. With large records, it means
2783 that clients might have to download up to 16kB of data before starting to
2784 process them. Limiting the value can improve page load times on browsers
2785 located over high latency or low bandwidth networks. It is suggested to find
2786 optimal values which fit into 1 or 2 TCP segments (generally 1448 bytes over
2787 Ethernet with TCP timestamps enabled, or 1460 when timestamps are disabled),
2788 keeping in mind that SSL/TLS add some overhead. Typical values of 1419 and
2789 2859 gave good results during tests. Use "strace -e trace=write" to find the
Davor Ocelice9ed2812017-12-25 17:49:28 +01002790 best value. HAProxy will automatically switch to this setting after an idle
Willy Tarreau7e312732014-02-12 16:35:14 +01002791 stream has been detected (see tune.idletimer above).
Willy Tarreaubfd59462013-02-21 07:46:09 +01002792
Remi Gacognef46cd6e2014-06-12 14:58:40 +02002793tune.ssl.default-dh-param <number>
2794 Sets the maximum size of the Diffie-Hellman parameters used for generating
2795 the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The
2796 final size will try to match the size of the server's RSA (or DSA) key (e.g,
2797 a 2048 bits temporary DH key for a 2048 bits RSA key), but will not exceed
Willy Tarreau3ba77d22020-05-08 09:31:18 +02002798 this maximum value. Default value if 2048. Only 1024 or higher values are
Remi Gacognef46cd6e2014-06-12 14:58:40 +02002799 allowed. Higher values will increase the CPU load, and values greater than
2800 1024 bits are not supported by Java 7 and earlier clients. This value is not
Remi Gacogne47783ef2015-05-29 15:53:22 +02002801 used if static Diffie-Hellman parameters are supplied either directly
2802 in the certificate file or by using the ssl-dh-param-file parameter.
Remi Gacognef46cd6e2014-06-12 14:58:40 +02002803
Christopher Faulet31af49d2015-06-09 17:29:50 +02002804tune.ssl.ssl-ctx-cache-size <number>
2805 Sets the size of the cache used to store generated certificates to <number>
2806 entries. This is a LRU cache. Because generating a SSL certificate
2807 dynamically is expensive, they are cached. The default cache size is set to
2808 1000 entries.
2809
Thierry FOURNIER5bf77322017-02-25 12:45:22 +01002810tune.ssl.capture-cipherlist-size <number>
2811 Sets the maximum size of the buffer used for capturing client-hello cipher
2812 list. If the value is 0 (default value) the capture is disabled, otherwise
2813 a buffer is allocated for each SSL/TLS connection.
2814
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02002815tune.vars.global-max-size <size>
Christopher Fauletff2613e2016-11-09 11:36:17 +01002816tune.vars.proc-max-size <size>
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02002817tune.vars.reqres-max-size <size>
2818tune.vars.sess-max-size <size>
2819tune.vars.txn-max-size <size>
Christopher Fauletff2613e2016-11-09 11:36:17 +01002820 These five tunes help to manage the maximum amount of memory used by the
2821 variables system. "global" limits the overall amount of memory available for
2822 all scopes. "proc" limits the memory for the process scope, "sess" limits the
2823 memory for the session scope, "txn" for the transaction scope, and "reqres"
2824 limits the memory for each request or response processing.
2825 Memory accounting is hierarchical, meaning more coarse grained limits include
2826 the finer grained ones: "proc" includes "sess", "sess" includes "txn", and
2827 "txn" includes "reqres".
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02002828
Daniel Schneller0b547052016-03-21 20:46:57 +01002829 For example, when "tune.vars.sess-max-size" is limited to 100,
2830 "tune.vars.txn-max-size" and "tune.vars.reqres-max-size" cannot exceed
2831 100 either. If we create a variable "txn.var" that contains 100 bytes,
2832 all available space is consumed.
2833 Notice that exceeding the limits at runtime will not result in an error
2834 message, but values might be cut off or corrupted. So make sure to accurately
2835 plan for the amount of space needed to store all your variables.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02002836
William Lallemanda509e4c2012-11-07 16:54:34 +01002837tune.zlib.memlevel <number>
2838 Sets the memLevel parameter in zlib initialization for each session. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03002839 defines how much memory should be allocated for the internal compression
William Lallemanda509e4c2012-11-07 16:54:34 +01002840 state. A value of 1 uses minimum memory but is slow and reduces compression
Davor Ocelice9ed2812017-12-25 17:49:28 +01002841 ratio, a value of 9 uses maximum memory for optimal speed. Can be a value
William Lallemanda509e4c2012-11-07 16:54:34 +01002842 between 1 and 9. The default value is 8.
2843
2844tune.zlib.windowsize <number>
2845 Sets the window size (the size of the history buffer) as a parameter of the
2846 zlib initialization for each session. Larger values of this parameter result
Davor Ocelice9ed2812017-12-25 17:49:28 +01002847 in better compression at the expense of memory usage. Can be a value between
2848 8 and 15. The default value is 15.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002849
Willy Tarreauc57f0e22009-05-10 13:12:33 +020028503.3. Debugging
2851--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02002852
Willy Tarreau6a06a402007-07-15 20:15:28 +02002853quiet
2854 Do not display any message during startup. It is equivalent to the command-
2855 line argument "-q".
2856
Willy Tarreau3eb10b82020-04-15 16:42:39 +02002857zero-warning
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002858 When this option is set, HAProxy will refuse to start if any warning was
Willy Tarreau3eb10b82020-04-15 16:42:39 +02002859 emitted while processing the configuration. It is highly recommended to set
2860 this option on configurations that are not changed often, as it helps detect
2861 subtle mistakes and keep the configuration clean and forward-compatible. Note
2862 that "haproxy -c" will also report errors in such a case. This option is
2863 equivalent to command line argument "-dW".
2864
Emeric Brunf099e792010-09-27 12:05:28 +02002865
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010028663.4. Userlists
2867--------------
2868It is possible to control access to frontend/backend/listen sections or to
2869http stats by allowing only authenticated and authorized users. To do this,
2870it is required to create at least one userlist and to define users.
2871
2872userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +01002873 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002874 used to store authentication & authorization data for independent customers.
2875
2876group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +01002877 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002878 attach users to this group by using a comma separated list of names
2879 proceeded by "users" keyword.
2880
Cyril Bontéf0c60612010-02-06 14:44:47 +01002881user <username> [password|insecure-password <password>]
2882 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002883 Adds user <username> to the current userlist. Both secure (encrypted) and
2884 insecure (unencrypted) passwords can be used. Encrypted passwords are
Daniel Schnellerd06f31c2017-11-06 16:51:04 +01002885 evaluated using the crypt(3) function, so depending on the system's
2886 capabilities, different algorithms are supported. For example, modern Glibc
2887 based Linux systems support MD5, SHA-256, SHA-512, and, of course, the
2888 classic DES-based method of encrypting passwords.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002889
Daniel Schnellerd06f31c2017-11-06 16:51:04 +01002890 Attention: Be aware that using encrypted passwords might cause significantly
2891 increased CPU usage, depending on the number of requests, and the algorithm
2892 used. For any of the hashed variants, the password for each request must
2893 be processed through the chosen algorithm, before it can be compared to the
2894 value specified in the config file. Most current algorithms are deliberately
2895 designed to be expensive to compute to achieve resistance against brute
2896 force attacks. They do not simply salt/hash the clear text password once,
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002897 but thousands of times. This can quickly become a major factor in HAProxy's
Daniel Schnellerd06f31c2017-11-06 16:51:04 +01002898 overall CPU consumption!
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002899
2900 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +01002901 userlist L1
2902 group G1 users tiger,scott
2903 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002904
Cyril Bontéf0c60612010-02-06 14:44:47 +01002905 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
2906 user scott insecure-password elgato
2907 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002908
Cyril Bontéf0c60612010-02-06 14:44:47 +01002909 userlist L2
2910 group G1
2911 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002912
Cyril Bontéf0c60612010-02-06 14:44:47 +01002913 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
2914 user scott insecure-password elgato groups G1,G2
2915 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002916
2917 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002918
Emeric Brunf099e792010-09-27 12:05:28 +02002919
29203.5. Peers
Cyril Bontédc4d9032012-04-08 21:57:39 +02002921----------
Emeric Brun94900952015-06-11 18:25:54 +02002922It is possible to propagate entries of any data-types in stick-tables between
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002923several HAProxy instances over TCP connections in a multi-master fashion. Each
Emeric Brun94900952015-06-11 18:25:54 +02002924instance pushes its local updates and insertions to remote peers. The pushed
2925values overwrite remote ones without aggregation. Interrupted exchanges are
2926automatically detected and recovered from the last known point.
2927In addition, during a soft restart, the old process connects to the new one
2928using such a TCP connection to push all its entries before the new process
2929tries to connect to other peers. That ensures very fast replication during a
2930reload, it typically takes a fraction of a second even for large tables.
2931Note that Server IDs are used to identify servers remotely, so it is important
2932that configurations look similar or at least that the same IDs are forced on
2933each server on all participants.
Emeric Brunf099e792010-09-27 12:05:28 +02002934
2935peers <peersect>
Jamie Gloudon801a0a32012-08-25 00:18:33 -04002936 Creates a new peer list with name <peersect>. It is an independent section,
Emeric Brunf099e792010-09-27 12:05:28 +02002937 which is referenced by one or more stick-tables.
2938
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002939bind [<address>]:<port_range> [, ...] [param*]
2940 Defines the binding parameters of the local peer of this "peers" section.
2941 Such lines are not supported with "peer" line in the same "peers" section.
2942
Willy Tarreau77e4bd12015-05-01 20:02:17 +02002943disabled
2944 Disables a peers section. It disables both listening and any synchronization
2945 related to this section. This is provided to disable synchronization of stick
2946 tables without having to comment out all "peers" references.
2947
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002948default-bind [param*]
2949 Defines the binding parameters for the local peer, excepted its address.
2950
2951default-server [param*]
2952 Change default options for a server in a "peers" section.
2953
2954 Arguments:
2955 <param*> is a list of parameters for this server. The "default-server"
2956 keyword accepts an important number of options and has a complete
2957 section dedicated to it. Please refer to section 5 for more
2958 details.
2959
2960
2961 See also: "server" and section 5 about server options
2962
Willy Tarreau77e4bd12015-05-01 20:02:17 +02002963enable
2964 This re-enables a disabled peers section which was previously disabled.
2965
Jan Wagner3e678602020-12-17 22:22:32 +01002966log <address> [len <length>] [format <format>] [sample <ranges>:<sample_size>]
Frédéric Lécailleb6f759b2019-11-05 09:57:45 +01002967 <facility> [<level> [<minlevel>]]
2968 "peers" sections support the same "log" keyword as for the proxies to
2969 log information about the "peers" listener. See "log" option for proxies for
2970 more details.
2971
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002972peer <peername> <ip>:<port> [param*]
Emeric Brunf099e792010-09-27 12:05:28 +02002973 Defines a peer inside a peers section.
2974 If <peername> is set to the local peer name (by default hostname, or forced
Dragan Dosen13cd54c2020-06-18 18:24:05 +02002975 using "-L" command line option or "localpeer" global configuration setting),
Daniel Corbett9f0843f2021-05-08 10:50:37 -04002976 HAProxy will listen for incoming remote peer connection on <ip>:<port>.
Dragan Dosen13cd54c2020-06-18 18:24:05 +02002977 Otherwise, <ip>:<port> defines where to connect to in order to join the
2978 remote peer, and <peername> is used at the protocol level to identify and
2979 validate the remote peer on the server side.
Emeric Brunf099e792010-09-27 12:05:28 +02002980
2981 During a soft restart, local peer <ip>:<port> is used by the old instance to
2982 connect the new one and initiate a complete replication (teaching process).
2983
2984 It is strongly recommended to have the exact same peers declaration on all
Dragan Dosen13cd54c2020-06-18 18:24:05 +02002985 peers and to only rely on the "-L" command line argument or the "localpeer"
2986 global configuration setting to change the local peer name. This makes it
2987 easier to maintain coherent configuration files across all peers.
Emeric Brunf099e792010-09-27 12:05:28 +02002988
William Lallemandb2f07452015-05-12 14:27:13 +02002989 You may want to reference some environment variables in the address
2990 parameter, see section 2.3 about environment variables.
Willy Tarreaudad36a32013-03-11 01:20:04 +01002991
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002992 Note: "peer" keyword may transparently be replaced by "server" keyword (see
2993 "server" keyword explanation below).
2994
2995server <peername> [<ip>:<port>] [param*]
Michael Prokop4438c602019-05-24 10:25:45 +02002996 As previously mentioned, "peer" keyword may be replaced by "server" keyword
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01002997 with a support for all "server" parameters found in 5.2 paragraph.
2998 If the underlying peer is local, <ip>:<port> parameters must not be present.
2999 These parameters must be provided on a "bind" line (see "bind" keyword
3000 of this "peers" section).
3001 Some of these parameters are irrelevant for "peers" sections.
3002
3003
Cyril Bontédc4d9032012-04-08 21:57:39 +02003004 Example:
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01003005 # The old way.
Emeric Brunf099e792010-09-27 12:05:28 +02003006 peers mypeers
Willy Tarreauf7b30a92010-12-06 22:59:17 +01003007 peer haproxy1 192.168.0.1:1024
3008 peer haproxy2 192.168.0.2:1024
3009 peer haproxy3 10.2.0.1:1024
Emeric Brunf099e792010-09-27 12:05:28 +02003010
3011 backend mybackend
3012 mode tcp
3013 balance roundrobin
3014 stick-table type ip size 20k peers mypeers
3015 stick on src
3016
Willy Tarreauf7b30a92010-12-06 22:59:17 +01003017 server srv1 192.168.0.30:80
3018 server srv2 192.168.0.31:80
Emeric Brunf099e792010-09-27 12:05:28 +02003019
Frédéric Lécaille2f167b32019-01-11 14:13:54 +01003020 Example:
3021 peers mypeers
3022 bind 127.0.0.11:10001 ssl crt mycerts/pem
3023 default-server ssl verify none
3024 server hostA 127.0.0.10:10000
3025 server hostB #local peer
Emeric Brunf099e792010-09-27 12:05:28 +02003026
Frédéric Lécaille4f5b77c2019-03-18 14:05:58 +01003027
3028table <tablename> type {ip | integer | string [len <length>] | binary [len <length>]}
3029 size <size> [expire <expire>] [nopurge] [store <data_type>]*
3030
3031 Configure a stickiness table for the current section. This line is parsed
3032 exactly the same way as the "stick-table" keyword in others section, except
John Roeslerfb2fce12019-07-10 15:45:51 -05003033 for the "peers" argument which is not required here and with an additional
Frédéric Lécaille4f5b77c2019-03-18 14:05:58 +01003034 mandatory first parameter to designate the stick-table. Contrary to others
3035 sections, there may be several "table" lines in "peers" sections (see also
3036 "stick-table" keyword).
3037
3038 Also be aware of the fact that "peers" sections have their own stick-table
3039 namespaces to avoid collisions between stick-table names identical in
3040 different "peers" section. This is internally handled prepending the "peers"
3041 sections names to the name of the stick-tables followed by a '/' character.
3042 If somewhere else in the configuration file you have to refer to such
3043 stick-tables declared in "peers" sections you must use the prefixed version
3044 of the stick-table name as follows:
3045
3046 peers mypeers
3047 peer A ...
3048 peer B ...
3049 table t1 ...
3050
3051 frontend fe1
3052 tcp-request content track-sc0 src table mypeers/t1
3053
3054 This is also this prefixed version of the stick-table names which must be
3055 used to refer to stick-tables through the CLI.
3056
3057 About "peers" protocol, as only "peers" belonging to the same section may
3058 communicate with each others, there is no need to do such a distinction.
3059 Several "peers" sections may declare stick-tables with the same name.
3060 This is shorter version of the stick-table name which is sent over the network.
3061 There is only a '/' character as prefix to avoid stick-table name collisions between
3062 stick-tables declared as backends and stick-table declared in "peers" sections
3063 as follows in this weird but supported configuration:
3064
3065 peers mypeers
3066 peer A ...
3067 peer B ...
3068 table t1 type string size 10m store gpc0
3069
3070 backend t1
3071 stick-table type string size 10m store gpc0 peers mypeers
3072
Daniel Corbett67a82712020-07-06 23:01:19 -04003073 Here "t1" table declared in "mypeers" section has "mypeers/t1" as global name.
Frédéric Lécaille4f5b77c2019-03-18 14:05:58 +01003074 "t1" table declared as a backend as "t1" as global name. But at peer protocol
3075 level the former table is named "/t1", the latter is again named "t1".
3076
Simon Horman51a1cf62015-02-03 13:00:44 +090030773.6. Mailers
3078------------
3079It is possible to send email alerts when the state of servers changes.
3080If configured email alerts are sent to each mailer that is configured
3081in a mailers section. Email is sent to mailers using SMTP.
3082
Pieter Baauw386a1272015-08-16 15:26:24 +02003083mailers <mailersect>
Simon Horman51a1cf62015-02-03 13:00:44 +09003084 Creates a new mailer list with the name <mailersect>. It is an
3085 independent section which is referenced by one or more proxies.
3086
3087mailer <mailername> <ip>:<port>
3088 Defines a mailer inside a mailers section.
3089
3090 Example:
3091 mailers mymailers
3092 mailer smtp1 192.168.0.1:587
3093 mailer smtp2 192.168.0.2:587
3094
3095 backend mybackend
3096 mode tcp
3097 balance roundrobin
3098
3099 email-alert mailers mymailers
3100 email-alert from test1@horms.org
3101 email-alert to test2@horms.org
3102
3103 server srv1 192.168.0.30:80
3104 server srv2 192.168.0.31:80
3105
Pieter Baauw235fcfc2016-02-13 15:33:40 +01003106timeout mail <time>
3107 Defines the time available for a mail/connection to be made and send to
3108 the mail-server. If not defined the default value is 10 seconds. To allow
3109 for at least two SYN-ACK packets to be send during initial TCP handshake it
3110 is advised to keep this value above 4 seconds.
3111
3112 Example:
3113 mailers mymailers
3114 timeout mail 20s
3115 mailer smtp1 192.168.0.1:587
Simon Horman51a1cf62015-02-03 13:00:44 +09003116
William Lallemandc9515522019-06-12 16:32:11 +020031173.7. Programs
3118-------------
3119In master-worker mode, it is possible to launch external binaries with the
3120master, these processes are called programs. These programs are launched and
3121managed the same way as the workers.
3122
3123During a reload of HAProxy, those processes are dealing with the same
3124sequence as a worker:
3125
3126 - the master is re-executed
3127 - the master sends a SIGUSR1 signal to the program
3128 - if "option start-on-reload" is not disabled, the master launches a new
3129 instance of the program
3130
3131During a stop, or restart, a SIGTERM is sent to the programs.
3132
3133program <name>
3134 This is a new program section, this section will create an instance <name>
3135 which is visible in "show proc" on the master CLI. (See "9.4. Master CLI" in
3136 the management guide).
3137
3138command <command> [arguments*]
3139 Define the command to start with optional arguments. The command is looked
3140 up in the current PATH if it does not include an absolute path. This is a
3141 mandatory option of the program section. Arguments containing spaces must
3142 be enclosed in quotes or double quotes or be prefixed by a backslash.
3143
Andrew Heberle97236962019-07-12 11:50:26 +08003144user <user name>
3145 Changes the executed command user ID to the <user name> from /etc/passwd.
3146 See also "group".
3147
3148group <group name>
3149 Changes the executed command group ID to the <group name> from /etc/group.
3150 See also "user".
3151
William Lallemandc9515522019-06-12 16:32:11 +02003152option start-on-reload
3153no option start-on-reload
3154 Start (or not) a new instance of the program upon a reload of the master.
3155 The default is to start a new instance. This option may only be used in a
3156 program section.
3157
3158
Christopher Faulet76edc0f2020-01-13 15:52:01 +010031593.8. HTTP-errors
3160----------------
3161
3162It is possible to globally declare several groups of HTTP errors, to be
3163imported afterwards in any proxy section. Same group may be referenced at
3164several places and can be fully or partially imported.
3165
3166http-errors <name>
3167 Create a new http-errors group with the name <name>. It is an independent
3168 section that may be referenced by one or more proxies using its name.
3169
3170errorfile <code> <file>
3171 Associate a file contents to an HTTP error code
3172
3173 Arguments :
3174 <code> is the HTTP status code. Currently, HAProxy is capable of
Christopher Faulet612f2ea2020-05-27 09:57:28 +02003175 generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
Christopher Faulete095f312020-12-07 11:22:24 +01003176 425, 429, 500, 501, 502, 503, and 504.
Christopher Faulet76edc0f2020-01-13 15:52:01 +01003177
3178 <file> designates a file containing the full HTTP response. It is
3179 recommended to follow the common practice of appending ".http" to
3180 the filename so that people do not confuse the response with HTML
3181 error pages, and to use absolute paths, since files are read
3182 before any chroot is performed.
3183
3184 Please referrers to "errorfile" keyword in section 4 for details.
3185
3186 Example:
3187 http-errors website-1
3188 errorfile 400 /etc/haproxy/errorfiles/site1/400.http
3189 errorfile 404 /etc/haproxy/errorfiles/site1/404.http
3190 errorfile 408 /dev/null # work around Chrome pre-connect bug
3191
3192 http-errors website-2
3193 errorfile 400 /etc/haproxy/errorfiles/site2/400.http
3194 errorfile 404 /etc/haproxy/errorfiles/site2/404.http
3195 errorfile 408 /dev/null # work around Chrome pre-connect bug
3196
Emeric Brun99c453d2020-05-25 15:01:04 +020031973.9. Rings
3198----------
3199
3200It is possible to globally declare ring-buffers, to be used as target for log
3201servers or traces.
3202
3203ring <ringname>
3204 Creates a new ring-buffer with name <ringname>.
3205
3206description <text>
Daniel Corbett67a82712020-07-06 23:01:19 -04003207 The description is an optional description string of the ring. It will
Emeric Brun99c453d2020-05-25 15:01:04 +02003208 appear on CLI. By default, <name> is reused to fill this field.
3209
3210format <format>
3211 Format used to store events into the ring buffer.
3212
3213 Arguments:
3214 <format> is the log format used when generating syslog messages. It may be
3215 one of the following :
3216
3217 iso A message containing only the ISO date, followed by the text.
3218 The PID, process name and system name are omitted. This is
3219 designed to be used with a local log server.
3220
Emeric Brun0237c4e2020-11-27 16:24:34 +01003221 local Analog to rfc3164 syslog message format except that hostname
3222 field is stripped. This is the default.
3223 Note: option "log-send-hostname" switches the default to
3224 rfc3164.
3225
Emeric Brun99c453d2020-05-25 15:01:04 +02003226 raw A message containing only the text. The level, PID, date, time,
3227 process name and system name are omitted. This is designed to be
3228 used in containers or during development, where the severity
3229 only depends on the file descriptor used (stdout/stderr). This
3230 is the default.
3231
Emeric Brun0237c4e2020-11-27 16:24:34 +01003232 rfc3164 The RFC3164 syslog message format.
Emeric Brun99c453d2020-05-25 15:01:04 +02003233 (https://tools.ietf.org/html/rfc3164)
3234
3235 rfc5424 The RFC5424 syslog message format.
3236 (https://tools.ietf.org/html/rfc5424)
3237
3238 short A message containing only a level between angle brackets such as
3239 '<3>', followed by the text. The PID, date, time, process name
3240 and system name are omitted. This is designed to be used with a
3241 local log server. This format is compatible with what the systemd
3242 logger consumes.
3243
Emeric Brun54648852020-07-06 15:54:06 +02003244 priority A message containing only a level plus syslog facility between angle
3245 brackets such as '<63>', followed by the text. The PID, date, time,
3246 process name and system name are omitted. This is designed to be used
3247 with a local log server.
3248
Emeric Brun99c453d2020-05-25 15:01:04 +02003249 timed A message containing only a level between angle brackets such as
3250 '<3>', followed by ISO date and by the text. The PID, process
3251 name and system name are omitted. This is designed to be
3252 used with a local log server.
3253
3254maxlen <length>
3255 The maximum length of an event message stored into the ring,
3256 including formatted header. If an event message is longer than
3257 <length>, it will be truncated to this length.
3258
Emeric Brun494c5052020-05-28 11:13:15 +02003259server <name> <address> [param*]
3260 Used to configure a syslog tcp server to forward messages from ring buffer.
3261 This supports for all "server" parameters found in 5.2 paragraph. Some of
3262 these parameters are irrelevant for "ring" sections. Important point: there
3263 is little reason to add more than one server to a ring, because all servers
3264 will receive the exact same copy of the ring contents, and as such the ring
3265 will progress at the speed of the slowest server. If one server does not
3266 respond, it will prevent old messages from being purged and may block new
3267 messages from being inserted into the ring. The proper way to send messages
3268 to multiple servers is to use one distinct ring per log server, not to
Emeric Brun97556472020-05-30 01:42:45 +02003269 attach multiple servers to the same ring. Note that specific server directive
3270 "log-proto" is used to set the protocol used to send messages.
Emeric Brun494c5052020-05-28 11:13:15 +02003271
Emeric Brun99c453d2020-05-25 15:01:04 +02003272size <size>
3273 This is the optional size in bytes for the ring-buffer. Default value is
3274 set to BUFSIZE.
3275
Emeric Brun494c5052020-05-28 11:13:15 +02003276timeout connect <timeout>
3277 Set the maximum time to wait for a connection attempt to a server to succeed.
3278
3279 Arguments :
3280 <timeout> is the timeout value specified in milliseconds by default, but
3281 can be in any other unit if the number is suffixed by the unit,
3282 as explained at the top of this document.
3283
3284timeout server <timeout>
3285 Set the maximum time for pending data staying into output buffer.
3286
3287 Arguments :
3288 <timeout> is the timeout value specified in milliseconds by default, but
3289 can be in any other unit if the number is suffixed by the unit,
3290 as explained at the top of this document.
3291
Emeric Brun99c453d2020-05-25 15:01:04 +02003292 Example:
3293 global
3294 log ring@myring local7
3295
3296 ring myring
3297 description "My local buffer"
3298 format rfc3164
3299 maxlen 1200
3300 size 32764
Emeric Brun494c5052020-05-28 11:13:15 +02003301 timeout connect 5s
3302 timeout server 10s
Emeric Brun97556472020-05-30 01:42:45 +02003303 server mysyslogsrv 127.0.0.1:6514 log-proto octet-count
Emeric Brun99c453d2020-05-25 15:01:04 +02003304
Emeric Brun12941c82020-07-07 14:19:42 +020033053.10. Log forwarding
3306-------------------
3307
3308It is possible to declare one or multiple log forwarding section,
Daniel Corbett9f0843f2021-05-08 10:50:37 -04003309HAProxy will forward all received log messages to a log servers list.
Emeric Brun12941c82020-07-07 14:19:42 +02003310
3311log-forward <name>
3312 Creates a new log forwarder proxy identified as <name>.
3313
Emeric Bruncbb7bf72020-10-05 14:39:35 +02003314backlog <conns>
3315 Give hints to the system about the approximate listen backlog desired size
3316 on connections accept.
3317
3318bind <addr> [param*]
3319 Used to configure a stream log listener to receive messages to forward.
Emeric Brunda46c1c2020-10-08 08:39:02 +02003320 This supports the "bind" parameters found in 5.1 paragraph including
3321 those about ssl but some statements such as "alpn" may be irrelevant for
3322 syslog protocol over TCP.
3323 Those listeners support both "Octet Counting" and "Non-Transparent-Framing"
Emeric Bruncbb7bf72020-10-05 14:39:35 +02003324 modes as defined in rfc-6587.
3325
Willy Tarreau76aaa7f2020-09-16 15:07:22 +02003326dgram-bind <addr> [param*]
Emeric Bruncbb7bf72020-10-05 14:39:35 +02003327 Used to configure a datagram log listener to receive messages to forward.
3328 Addresses must be in IPv4 or IPv6 form,followed by a port. This supports
3329 for some of the "bind" parameters found in 5.1 paragraph among which
3330 "interface", "namespace" or "transparent", the other ones being
Willy Tarreau26ff5da2020-09-16 15:22:19 +02003331 silently ignored as irrelevant for UDP/syslog case.
Emeric Brun12941c82020-07-07 14:19:42 +02003332
3333log global
Jan Wagner3e678602020-12-17 22:22:32 +01003334log <address> [len <length>] [format <format>] [sample <ranges>:<sample_size>]
Emeric Brun12941c82020-07-07 14:19:42 +02003335 <facility> [<level> [<minlevel>]]
3336 Used to configure target log servers. See more details on proxies
3337 documentation.
Daniel Corbett9f0843f2021-05-08 10:50:37 -04003338 If no format specified, HAProxy tries to keep the incoming log format.
Emeric Brun12941c82020-07-07 14:19:42 +02003339 Configured facility is ignored, except if incoming message does not
3340 present a facility but one is mandatory on the outgoing format.
3341 If there is no timestamp available in the input format, but the field
Daniel Corbett9f0843f2021-05-08 10:50:37 -04003342 exists in output format, HAProxy will use the local date.
Emeric Brun12941c82020-07-07 14:19:42 +02003343
3344 Example:
3345 global
3346 log stderr format iso local7
3347
3348 ring myring
3349 description "My local buffer"
3350 format rfc5424
3351 maxlen 1200
3352 size 32764
3353 timeout connect 5s
3354 timeout server 10s
3355 # syslog tcp server
3356 server mysyslogsrv 127.0.0.1:514 log-proto octet-count
3357
3358 log-forward sylog-loadb
Emeric Bruncbb7bf72020-10-05 14:39:35 +02003359 dgram-bind 127.0.0.1:1514
3360 bind 127.0.0.1:1514
Emeric Brun12941c82020-07-07 14:19:42 +02003361 # all messages on stderr
3362 log global
3363 # all messages on local tcp syslog server
3364 log ring@myring local0
3365 # load balance messages on 4 udp syslog servers
3366 log 127.0.0.1:10001 sample 1:4 local0
3367 log 127.0.0.1:10002 sample 2:4 local0
3368 log 127.0.0.1:10003 sample 3:4 local0
3369 log 127.0.0.1:10004 sample 4:4 local0
Christopher Faulet76edc0f2020-01-13 15:52:01 +01003370
Emeric Bruncbb7bf72020-10-05 14:39:35 +02003371maxconn <conns>
3372 Fix the maximum number of concurrent connections on a log forwarder.
3373 10 is the default.
3374
3375timeout client <timeout>
3376 Set the maximum inactivity time on the client side.
3377
Willy Tarreauc57f0e22009-05-10 13:12:33 +020033784. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +02003379----------
Willy Tarreau0ba27502007-12-24 16:55:16 +01003380
Willy Tarreau6a06a402007-07-15 20:15:28 +02003381Proxy configuration can be located in a set of sections :
Willy Tarreau7c0b4d82021-02-12 14:58:08 +01003382 - defaults [<name>] [ from <defaults_name> ]
3383 - frontend <name> [ from <defaults_name> ]
3384 - backend <name> [ from <defaults_name> ]
3385 - listen <name> [ from <defaults_name> ]
Willy Tarreau6a06a402007-07-15 20:15:28 +02003386
3387A "frontend" section describes a set of listening sockets accepting client
3388connections.
3389
3390A "backend" section describes a set of servers to which the proxy will connect
3391to forward incoming connections.
3392
3393A "listen" section defines a complete proxy with its frontend and backend
3394parts combined in one section. It is generally useful for TCP-only traffic.
3395
Willy Tarreau7c0b4d82021-02-12 14:58:08 +01003396A "defaults" section resets all settings to the documented ones and presets new
3397ones for use by subsequent sections. All of "frontend", "backend" and "listen"
3398sections always take their initial settings from a defaults section, by default
3399the latest one that appears before the newly created section. It is possible to
3400explicitly designate a specific "defaults" section to load the initial settings
3401from by indicating its name on the section line after the optional keyword
3402"from". While "defaults" section do not impose a name, this use is encouraged
3403for better readability. It is also the only way to designate a specific section
3404to use instead of the default previous one. Since "defaults" section names are
3405optional, by default a very permissive check is applied on their name and these
3406are even permitted to overlap. However if a "defaults" section is referenced by
3407any other section, its name must comply with the syntax imposed on all proxy
3408names, and this name must be unique among the defaults sections. Please note
3409that regardless of what is currently permitted, it is recommended to avoid
3410duplicate section names in general and to respect the same syntax as for proxy
3411names. This rule might be enforced in a future version.
3412
3413Note that it is even possible for a defaults section to take its initial
3414settings from another one, and as such, inherit settings across multiple levels
3415of defaults sections. This can be convenient to establish certain configuration
3416profiles to carry groups of default settings (e.g. TCP vs HTTP or short vs long
3417timeouts) but can quickly become confusing to follow.
3418
Willy Tarreau0ba27502007-12-24 16:55:16 +01003419All proxy names must be formed from upper and lower case letters, digits,
3420'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
3421case-sensitive, which means that "www" and "WWW" are two different proxies.
3422
3423Historically, all proxy names could overlap, it just caused troubles in the
3424logs. Since the introduction of content switching, it is mandatory that two
3425proxies with overlapping capabilities (frontend/backend) have different names.
3426However, it is still permitted that a frontend and a backend share the same
3427name, as this configuration seems to be commonly encountered.
3428
3429Right now, two major proxy modes are supported : "tcp", also known as layer 4,
3430and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003431bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +01003432protocol, and can interact with it by allowing, blocking, switching, adding,
3433modifying, or removing arbitrary contents in requests or responses, based on
3434arbitrary criteria.
3435
Willy Tarreau70dffda2014-01-30 03:07:23 +01003436In HTTP mode, the processing applied to requests and responses flowing over
3437a connection depends in the combination of the frontend's HTTP options and
Julien Pivotto21ad3152019-12-10 13:11:17 +01003438the backend's. HAProxy supports 3 connection modes :
Willy Tarreau70dffda2014-01-30 03:07:23 +01003439
3440 - KAL : keep alive ("option http-keep-alive") which is the default mode : all
3441 requests and responses are processed, and connections remain open but idle
3442 between responses and new requests.
3443
Willy Tarreau70dffda2014-01-30 03:07:23 +01003444 - SCL: server close ("option http-server-close") : the server-facing
3445 connection is closed after the end of the response is received, but the
3446 client-facing connection remains open.
3447
Christopher Faulet315b39c2018-09-21 16:26:19 +02003448 - CLO: close ("option httpclose"): the connection is closed after the end of
3449 the response and "Connection: close" appended in both directions.
Willy Tarreau70dffda2014-01-30 03:07:23 +01003450
3451The effective mode that will be applied to a connection passing through a
3452frontend and a backend can be determined by both proxy modes according to the
3453following matrix, but in short, the modes are symmetric, keep-alive is the
Christopher Faulet315b39c2018-09-21 16:26:19 +02003454weakest option and close is the strongest.
Willy Tarreau70dffda2014-01-30 03:07:23 +01003455
Christopher Faulet315b39c2018-09-21 16:26:19 +02003456 Backend mode
Willy Tarreau70dffda2014-01-30 03:07:23 +01003457
Christopher Faulet315b39c2018-09-21 16:26:19 +02003458 | KAL | SCL | CLO
3459 ----+-----+-----+----
3460 KAL | KAL | SCL | CLO
3461 ----+-----+-----+----
Christopher Faulet315b39c2018-09-21 16:26:19 +02003462 mode SCL | SCL | SCL | CLO
3463 ----+-----+-----+----
3464 CLO | CLO | CLO | CLO
Willy Tarreau70dffda2014-01-30 03:07:23 +01003465
Christopher Faulet4d37e532021-03-26 14:44:00 +01003466It is possible to chain a TCP frontend to an HTTP backend. It is pointless if
Daniel Corbett9f0843f2021-05-08 10:50:37 -04003467only HTTP traffic is handled. But it may be used to handle several protocols
3468within the same frontend. In this case, the client's connection is first handled
Christopher Faulet4d37e532021-03-26 14:44:00 +01003469as a raw tcp connection before being upgraded to HTTP. Before the upgrade, the
Daniel Corbett9f0843f2021-05-08 10:50:37 -04003470content processings are performend on raw data. Once upgraded, data is parsed
Christopher Faulet4d37e532021-03-26 14:44:00 +01003471and stored using an internal representation called HTX and it is no longer
3472possible to rely on raw representation. There is no way to go back.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003473
Christopher Faulet4d37e532021-03-26 14:44:00 +01003474There are two kind of upgrades, in-place upgrades and destructive upgrades. The
Daniel Corbett9f0843f2021-05-08 10:50:37 -04003475first ones involves a TCP to HTTP/1 upgrade. In HTTP/1, the request
Christopher Faulet4d37e532021-03-26 14:44:00 +01003476processings are serialized, thus the applicative stream can be preserved. The
Daniel Corbett9f0843f2021-05-08 10:50:37 -04003477second one involves a TCP to HTTP/2 upgrade. Because it is a multiplexed
Christopher Faulet4d37e532021-03-26 14:44:00 +01003478protocol, the applicative stream cannot be associated to any HTTP/2 stream and
3479is destroyed. New applicative streams are then created when HAProxy receives
3480new HTTP/2 streams at the lower level, in the H2 multiplexer. It is important
Daniel Corbett9f0843f2021-05-08 10:50:37 -04003481to understand this difference because that drastically changes the way to
Christopher Faulet4d37e532021-03-26 14:44:00 +01003482process data. When an HTTP/1 upgrade is performed, the content processings
3483already performed on raw data are neither lost nor reexecuted while for an
3484HTTP/2 upgrade, applicative streams are distinct and all frontend rules are
3485evaluated systematically on each one. And as said, the first stream, the TCP
3486one, is destroyed, but only after the frontend rules were evaluated.
3487
3488There is another importnat point to understand when HTTP processings are
3489performed from a TCP proxy. While HAProxy is able to parse HTTP/1 in-fly from
3490tcp-request content rules, it is not possible for HTTP/2. Only the HTTP/2
3491preface can be parsed. This is a huge limitation regarding the HTTP content
3492analysis in TCP. Concretely it is only possible to know if received data are
3493HTTP. For instance, it is not possible to choose a backend based on the Host
3494header value while it is trivial in HTTP/1. Hopefully, there is a solution to
3495mitigate this drawback.
3496
Daniel Corbett9f0843f2021-05-08 10:50:37 -04003497There are two ways to perform an HTTP upgrade. The first one, the historical
Christopher Faulet4d37e532021-03-26 14:44:00 +01003498method, is to select an HTTP backend. The upgrade happens when the backend is
3499set. Thus, for in-place upgrades, only the backend configuration is considered
3500in the HTTP data processing. For destructive upgrades, the applicative stream
3501is destroyed, thus its processing is stopped. With this method, possibilities
3502to choose a backend with an HTTP/2 connection are really limited, as mentioned
3503above, and a bit useless because the stream is destroyed. The second method is
3504to upgrade during the tcp-request content rules evaluation, thanks to the
3505"switch-mode http" action. In this case, the upgrade is performed in the
3506frontend context and it is possible to define HTTP directives in this
3507frontend. For in-place upgrades, it offers all the power of the HTTP analysis
3508as soon as possible. It is not that far from an HTTP frontend. For destructive
3509upgrades, it does not change anything except it is useless to choose a backend
3510on limited information. It is of course the recommended method. Thus, testing
3511the request protocol from the tcp-request content rules to perform an HTTP
3512upgrade is enough. All the remaining HTTP manipulation may be moved to the
3513frontend http-request ruleset. But keep in mind that tcp-request content rules
3514remains evaluated on each streams, that can't be changed.
Willy Tarreau70dffda2014-01-30 03:07:23 +01003515
Willy Tarreauc57f0e22009-05-10 13:12:33 +020035164.1. Proxy keywords matrix
3517--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01003518
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003519The following list of keywords is supported. Most of them may only be used in a
3520limited set of section types. Some of them are marked as "deprecated" because
3521they are inherited from an old syntax which may be confusing or functionally
3522limited, and there are new recommended keywords to replace them. Keywords
Davor Ocelice9ed2812017-12-25 17:49:28 +01003523marked with "(*)" can be optionally inverted using the "no" prefix, e.g. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003524option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +02003525and must be disabled for a specific instance. Such options may also be prefixed
3526with "default" in order to restore default settings regardless of what has been
3527specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003528
Willy Tarreau6a06a402007-07-15 20:15:28 +02003529
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003530 keyword defaults frontend listen backend
3531------------------------------------+----------+----------+---------+---------
3532acl - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003533backlog X X X -
3534balance X - X X
3535bind - X X -
3536bind-process X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003537capture cookie - X X -
3538capture request header - X X -
3539capture response header - X X -
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09003540clitcpka-cnt X X X -
3541clitcpka-idle X X X -
3542clitcpka-intvl X X X -
William Lallemand82fe75c2012-10-23 10:25:10 +02003543compression X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003544cookie X - X X
Thierry FOURNIERa0a1b752015-05-26 17:44:32 +02003545declare capture - X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003546default-server X - X X
3547default_backend X X X -
3548description - X X X
3549disabled X X X X
3550dispatch - - X X
Simon Horman51a1cf62015-02-03 13:00:44 +09003551email-alert from X X X X
Simon Horman64e34162015-02-06 11:11:57 +09003552email-alert level X X X X
Simon Horman51a1cf62015-02-03 13:00:44 +09003553email-alert mailers X X X X
3554email-alert myhostname X X X X
3555email-alert to X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003556enabled X X X X
3557errorfile X X X X
Christopher Faulet76edc0f2020-01-13 15:52:01 +01003558errorfiles X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003559errorloc X X X X
3560errorloc302 X X X X
3561-- keyword -------------------------- defaults - frontend - listen -- backend -
3562errorloc303 X X X X
Cyril Bonté4288c5a2018-03-12 22:02:59 +01003563force-persist - - X X
Christopher Fauletc3fe5332016-04-07 15:30:10 +02003564filter - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003565fullconn X - X X
3566grace X X X X
3567hash-type X - X X
Christopher Faulet6d0c3df2020-01-22 09:26:35 +01003568http-after-response - X X X
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02003569http-check comment X - X X
Christopher Faulete5870d82020-04-15 11:32:03 +02003570http-check connect X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003571http-check disable-on-404 X - X X
Christopher Faulete5870d82020-04-15 11:32:03 +02003572http-check expect X - X X
Peter Gervai8912ae62020-06-11 18:26:36 +02003573http-check send X - X X
Willy Tarreau7ab6aff2010-10-12 06:30:16 +02003574http-check send-state X - X X
Christopher Faulete5870d82020-04-15 11:32:03 +02003575http-check set-var X - X X
3576http-check unset-var X - X X
Christopher Faulet3b967c12020-05-15 15:47:44 +02003577http-error X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003578http-request - X X X
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003579http-response - X X X
Willy Tarreau30631952015-08-06 15:05:24 +02003580http-reuse X - X X
Baptiste Assmann2c42ef52013-10-09 21:57:02 +02003581http-send-name-header - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003582id - X X X
Cyril Bonté4288c5a2018-03-12 22:02:59 +01003583ignore-persist - - X X
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02003584load-server-state-from-file X - X X
William Lallemand0f99e342011-10-12 17:50:54 +02003585log (*) X X X X
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01003586log-format X X X -
Dragan Dosen7ad31542015-09-28 17:16:47 +02003587log-format-sd X X X -
Willy Tarreau094af4e2015-01-07 15:03:42 +01003588log-tag X X X X
Willy Tarreauc35362a2014-04-25 13:58:37 +02003589max-keep-alive-queue X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003590maxconn X X X -
3591mode X X X X
3592monitor fail - X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003593monitor-uri X X X -
3594option abortonclose (*) X - X X
3595option accept-invalid-http-request (*) X X X -
3596option accept-invalid-http-response (*) X - X X
3597option allbackups (*) X - X X
3598option checkcache (*) X - X X
3599option clitcpka (*) X X X -
3600option contstats (*) X X X -
Christopher Faulet89aed322020-06-02 17:33:56 +02003601option disable-h2-upgrade (*) X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003602option dontlog-normal (*) X X X -
3603option dontlognull (*) X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003604-- keyword -------------------------- defaults - frontend - listen -- backend -
3605option forwardfor X X X X
Christopher Faulet98fbe952019-07-22 16:18:24 +02003606option h1-case-adjust-bogus-client (*) X X X -
3607option h1-case-adjust-bogus-server (*) X - X X
Willy Tarreau9fbe18e2015-05-01 22:42:08 +02003608option http-buffer-request (*) X X X X
Willy Tarreau82649f92015-05-01 22:40:51 +02003609option http-ignore-probes (*) X X X -
Willy Tarreau16bfb022010-01-16 19:48:41 +01003610option http-keep-alive (*) X X X X
Willy Tarreau96e31212011-05-30 18:10:30 +02003611option http-no-delay (*) X X X X
Christopher Faulet98db9762018-09-21 10:25:19 +02003612option http-pretend-keepalive (*) X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003613option http-server-close (*) X X X X
3614option http-use-proxy-header (*) X X X -
3615option httpchk X - X X
3616option httpclose (*) X X X X
Freddy Spierenburge88b7732019-03-25 14:35:17 +01003617option httplog X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003618option http_proxy (*) X X X X
Jamie Gloudon801a0a32012-08-25 00:18:33 -04003619option independent-streams (*) X X X X
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02003620option ldap-check X - X X
Simon Horman98637e52014-06-20 12:30:16 +09003621option external-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003622option log-health-checks (*) X - X X
3623option log-separate-errors (*) X X X -
3624option logasap (*) X X X -
3625option mysql-check X - X X
3626option nolinger (*) X X X X
3627option originalto X X X X
3628option persist (*) X - X X
Baptiste Assmann809e22a2015-10-12 20:22:55 +02003629option pgsql-check X - X X
3630option prefer-last-server (*) X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003631option redispatch (*) X - X X
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02003632option redis-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003633option smtpchk X - X X
3634option socket-stats (*) X X X -
3635option splice-auto (*) X X X X
3636option splice-request (*) X X X X
3637option splice-response (*) X X X X
Christopher Fauletba7bc162016-11-07 21:07:38 +01003638option spop-check - - - X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003639option srvtcpka (*) X - X X
3640option ssl-hello-chk X - X X
3641-- keyword -------------------------- defaults - frontend - listen -- backend -
Willy Tarreaued179852013-12-16 01:07:00 +01003642option tcp-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003643option tcp-smart-accept (*) X X X -
3644option tcp-smart-connect (*) X - X X
3645option tcpka X X X X
3646option tcplog X X X X
3647option transparent (*) X - X X
Simon Horman98637e52014-06-20 12:30:16 +09003648external-check command X - X X
3649external-check path X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003650persist rdp-cookie X - X X
3651rate-limit sessions X X X -
3652redirect - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003653-- keyword -------------------------- defaults - frontend - listen -- backend -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003654retries X - X X
Olivier Houcharda254a372019-04-05 15:30:12 +02003655retry-on X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003656server - - X X
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02003657server-state-file-name X - X X
Frédéric Lécaillecb4502e2017-04-20 13:36:25 +02003658server-template - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003659source X - X X
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09003660srvtcpka-cnt X - X X
3661srvtcpka-idle X - X X
3662srvtcpka-intvl X - X X
Baptiste Assmann5a549212015-10-12 20:30:24 +02003663stats admin - X X X
3664stats auth X X X X
3665stats enable X X X X
3666stats hide-version X X X X
3667stats http-request - X X X
3668stats realm X X X X
3669stats refresh X X X X
3670stats scope X X X X
3671stats show-desc X X X X
3672stats show-legends X X X X
3673stats show-node X X X X
3674stats uri X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003675-- keyword -------------------------- defaults - frontend - listen -- backend -
3676stick match - - X X
3677stick on - - X X
3678stick store-request - - X X
Willy Tarreaud8dc99f2011-07-01 11:33:25 +02003679stick store-response - - X X
Adam Spiers68af3c12017-04-06 16:31:39 +01003680stick-table - X X X
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02003681tcp-check comment X - X X
Christopher Faulet404f9192020-04-09 23:13:54 +02003682tcp-check connect X - X X
3683tcp-check expect X - X X
3684tcp-check send X - X X
Christopher Fauletb50b3e62020-05-05 18:43:43 +02003685tcp-check send-lf X - X X
Christopher Faulet404f9192020-04-09 23:13:54 +02003686tcp-check send-binary X - X X
Christopher Fauletb50b3e62020-05-05 18:43:43 +02003687tcp-check send-binary-lf X - X X
Christopher Faulet404f9192020-04-09 23:13:54 +02003688tcp-check set-var X - X X
3689tcp-check unset-var X - X X
Willy Tarreaue9656522010-08-17 15:40:09 +02003690tcp-request connection - X X -
3691tcp-request content - X X X
Willy Tarreaua56235c2010-09-14 11:31:36 +02003692tcp-request inspect-delay - X X X
Willy Tarreau4f614292016-10-21 17:49:36 +02003693tcp-request session - X X -
Emeric Brun0a3b67f2010-09-24 15:34:53 +02003694tcp-response content - - X X
3695tcp-response inspect-delay - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003696timeout check X - X X
3697timeout client X X X -
Willy Tarreau05cdd962014-05-10 14:30:07 +02003698timeout client-fin X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003699timeout connect X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003700timeout http-keep-alive X X X X
3701timeout http-request X X X X
3702timeout queue X - X X
3703timeout server X - X X
Willy Tarreau05cdd962014-05-10 14:30:07 +02003704timeout server-fin X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003705timeout tarpit X X X X
Willy Tarreauce887fd2012-05-12 12:50:00 +02003706timeout tunnel X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003707transparent (deprecated) X - X X
William Lallemanda73203e2012-03-12 12:48:57 +01003708unique-id-format X X X -
3709unique-id-header X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003710use_backend - X X -
Christopher Fauletb30b3102019-09-12 23:03:09 +02003711use-fcgi-app - - X X
Willy Tarreau4a5cade2012-04-05 21:09:48 +02003712use-server - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01003713------------------------------------+----------+----------+---------+---------
3714 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +02003715
Willy Tarreau0ba27502007-12-24 16:55:16 +01003716
Willy Tarreauc57f0e22009-05-10 13:12:33 +020037174.2. Alphabetically sorted keywords reference
3718---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01003719
3720This section provides a description of each keyword and its usage.
3721
3722
3723acl <aclname> <criterion> [flags] [operator] <value> ...
3724 Declare or complete an access list.
3725 May be used in sections : defaults | frontend | listen | backend
3726 no | yes | yes | yes
3727 Example:
3728 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
3729 acl invalid_src src_port 0:1023
3730 acl local_dst hdr(host) -i localhost
3731
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003732 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003733
3734
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01003735backlog <conns>
3736 Give hints to the system about the approximate listen backlog desired size
3737 May be used in sections : defaults | frontend | listen | backend
3738 yes | yes | yes | no
3739 Arguments :
3740 <conns> is the number of pending connections. Depending on the operating
3741 system, it may represent the number of already acknowledged
Cyril Bontédc4d9032012-04-08 21:57:39 +02003742 connections, of non-acknowledged ones, or both.
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01003743
3744 In order to protect against SYN flood attacks, one solution is to increase
3745 the system's SYN backlog size. Depending on the system, sometimes it is just
3746 tunable via a system parameter, sometimes it is not adjustable at all, and
3747 sometimes the system relies on hints given by the application at the time of
3748 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
3749 to the listen() syscall. On systems which can make use of this value, it can
3750 sometimes be useful to be able to specify a different value, hence this
3751 backlog parameter.
3752
3753 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
3754 used as a hint and the system accepts up to the smallest greater power of
3755 two, and never more than some limits (usually 32768).
3756
3757 See also : "maxconn" and the target operating system's tuning guide.
3758
3759
Willy Tarreau0ba27502007-12-24 16:55:16 +01003760balance <algorithm> [ <arguments> ]
Willy Tarreau226071e2014-04-10 11:55:45 +02003761balance url_param <param> [check_post]
Willy Tarreau0ba27502007-12-24 16:55:16 +01003762 Define the load balancing algorithm to be used in a backend.
3763 May be used in sections : defaults | frontend | listen | backend
3764 yes | no | yes | yes
3765 Arguments :
3766 <algorithm> is the algorithm used to select a server when doing load
3767 balancing. This only applies when no persistence information
3768 is available, or when a connection is redispatched to another
3769 server. <algorithm> may be one of the following :
3770
3771 roundrobin Each server is used in turns, according to their weights.
3772 This is the smoothest and fairest algorithm when the server's
3773 processing time remains equally distributed. This algorithm
3774 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02003775 on the fly for slow starts for instance. It is limited by
Godbacha34bdc02013-07-22 07:44:53 +08003776 design to 4095 active servers per backend. Note that in some
Willy Tarreau9757a382009-10-03 12:56:50 +02003777 large farms, when a server becomes up after having been down
3778 for a very short time, it may sometimes take a few hundreds
3779 requests for it to be re-integrated into the farm and start
3780 receiving traffic. This is normal, though very rare. It is
3781 indicated here in case you would have the chance to observe
3782 it, so that you don't worry.
3783
3784 static-rr Each server is used in turns, according to their weights.
3785 This algorithm is as similar to roundrobin except that it is
3786 static, which means that changing a server's weight on the
3787 fly will have no effect. On the other hand, it has no design
3788 limitation on the number of servers, and when a server goes
3789 up, it is always immediately reintroduced into the farm, once
3790 the full map is recomputed. It also uses slightly less CPU to
3791 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01003792
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01003793 leastconn The server with the lowest number of connections receives the
3794 connection. Round-robin is performed within groups of servers
3795 of the same load to ensure that all servers will be used. Use
3796 of this algorithm is recommended where very long sessions are
3797 expected, such as LDAP, SQL, TSE, etc... but is not very well
3798 suited for protocols using short sessions such as HTTP. This
3799 algorithm is dynamic, which means that server weights may be
Willy Tarreau8c855f62020-10-22 17:41:45 +02003800 adjusted on the fly for slow starts for instance. It will
3801 also consider the number of queued connections in addition to
3802 the established ones in order to minimize queuing.
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01003803
Willy Tarreauf09c6602012-02-13 17:12:08 +01003804 first The first server with available connection slots receives the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03003805 connection. The servers are chosen from the lowest numeric
Willy Tarreauf09c6602012-02-13 17:12:08 +01003806 identifier to the highest (see server parameter "id"), which
3807 defaults to the server's position in the farm. Once a server
Willy Tarreau64559c52012-04-07 09:08:45 +02003808 reaches its maxconn value, the next server is used. It does
Willy Tarreauf09c6602012-02-13 17:12:08 +01003809 not make sense to use this algorithm without setting maxconn.
3810 The purpose of this algorithm is to always use the smallest
3811 number of servers so that extra servers can be powered off
3812 during non-intensive hours. This algorithm ignores the server
3813 weight, and brings more benefit to long session such as RDP
Willy Tarreau64559c52012-04-07 09:08:45 +02003814 or IMAP than HTTP, though it can be useful there too. In
3815 order to use this algorithm efficiently, it is recommended
3816 that a cloud controller regularly checks server usage to turn
3817 them off when unused, and regularly checks backend queue to
3818 turn new servers on when the queue inflates. Alternatively,
3819 using "http-check send-state" may inform servers on the load.
Willy Tarreauf09c6602012-02-13 17:12:08 +01003820
Willy Tarreau0ba27502007-12-24 16:55:16 +01003821 source The source IP address is hashed and divided by the total
3822 weight of the running servers to designate which server will
3823 receive the request. This ensures that the same client IP
3824 address will always reach the same server as long as no
3825 server goes down or up. If the hash result changes due to the
3826 number of running servers changing, many clients will be
3827 directed to a different server. This algorithm is generally
3828 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003829 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01003830 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02003831 static by default, which means that changing a server's
3832 weight on the fly will have no effect, but this can be
3833 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01003834
Oskar Stolc8dc41842012-05-19 10:19:54 +01003835 uri This algorithm hashes either the left part of the URI (before
3836 the question mark) or the whole URI (if the "whole" parameter
3837 is present) and divides the hash value by the total weight of
3838 the running servers. The result designates which server will
3839 receive the request. This ensures that the same URI will
3840 always be directed to the same server as long as no server
3841 goes up or down. This is used with proxy caches and
3842 anti-virus proxies in order to maximize the cache hit rate.
3843 Note that this algorithm may only be used in an HTTP backend.
3844 This algorithm is static by default, which means that
3845 changing a server's weight on the fly will have no effect,
3846 but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01003847
Oskar Stolc8dc41842012-05-19 10:19:54 +01003848 This algorithm supports two optional parameters "len" and
Marek Majkowski9c30fc12008-04-27 23:25:55 +02003849 "depth", both followed by a positive integer number. These
3850 options may be helpful when it is needed to balance servers
3851 based on the beginning of the URI only. The "len" parameter
3852 indicates that the algorithm should only consider that many
3853 characters at the beginning of the URI to compute the hash.
3854 Note that having "len" set to 1 rarely makes sense since most
3855 URIs start with a leading "/".
3856
3857 The "depth" parameter indicates the maximum directory depth
3858 to be used to compute the hash. One level is counted for each
3859 slash in the request. If both parameters are specified, the
3860 evaluation stops when either is reached.
3861
Willy Tarreau57a37412020-09-23 08:56:29 +02003862 A "path-only" parameter indicates that the hashing key starts
3863 at the first '/' of the path. This can be used to ignore the
3864 authority part of absolute URIs, and to make sure that HTTP/1
3865 and HTTP/2 URIs will provide the same hash.
3866
Willy Tarreau0ba27502007-12-24 16:55:16 +01003867 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003868 the query string of each HTTP GET request.
3869
3870 If the modifier "check_post" is used, then an HTTP POST
Cyril Bontédc4d9032012-04-08 21:57:39 +02003871 request entity will be searched for the parameter argument,
3872 when it is not found in a query string after a question mark
Willy Tarreau226071e2014-04-10 11:55:45 +02003873 ('?') in the URL. The message body will only start to be
3874 analyzed once either the advertised amount of data has been
3875 received or the request buffer is full. In the unlikely event
3876 that chunked encoding is used, only the first chunk is
Cyril Bontédc4d9032012-04-08 21:57:39 +02003877 scanned. Parameter values separated by a chunk boundary, may
Willy Tarreau226071e2014-04-10 11:55:45 +02003878 be randomly balanced if at all. This keyword used to support
3879 an optional <max_wait> parameter which is now ignored.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003880
3881 If the parameter is found followed by an equal sign ('=') and
3882 a value, then the value is hashed and divided by the total
3883 weight of the running servers. The result designates which
3884 server will receive the request.
3885
3886 This is used to track user identifiers in requests and ensure
3887 that a same user ID will always be sent to the same server as
3888 long as no server goes up or down. If no value is found or if
3889 the parameter is not found, then a round robin algorithm is
3890 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02003891 backend. This algorithm is static by default, which means
3892 that changing a server's weight on the fly will have no
3893 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01003894
Cyril Bontédc4d9032012-04-08 21:57:39 +02003895 hdr(<name>) The HTTP header <name> will be looked up in each HTTP
3896 request. Just as with the equivalent ACL 'hdr()' function,
3897 the header name in parenthesis is not case sensitive. If the
3898 header is absent or if it does not contain any value, the
3899 roundrobin algorithm is applied instead.
Benoitaffb4812009-03-25 13:02:10 +01003900
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003901 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01003902 reducing the hash algorithm to the main domain part with some
3903 specific headers such as 'Host'. For instance, in the Host
3904 value "haproxy.1wt.eu", only "1wt" will be considered.
3905
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02003906 This algorithm is static by default, which means that
3907 changing a server's weight on the fly will have no effect,
3908 but this can be changed using "hash-type".
3909
Willy Tarreau21c741a2019-01-14 18:14:27 +01003910 random
3911 random(<draws>)
3912 A random number will be used as the key for the consistent
Willy Tarreau760e81d2018-05-03 07:20:40 +02003913 hashing function. This means that the servers' weights are
3914 respected, dynamic weight changes immediately take effect, as
3915 well as new server additions. Random load balancing can be
3916 useful with large farms or when servers are frequently added
Willy Tarreau21c741a2019-01-14 18:14:27 +01003917 or removed as it may avoid the hammering effect that could
3918 result from roundrobin or leastconn in this situation. The
3919 hash-balance-factor directive can be used to further improve
3920 fairness of the load balancing, especially in situations
3921 where servers show highly variable response times. When an
3922 argument <draws> is present, it must be an integer value one
3923 or greater, indicating the number of draws before selecting
3924 the least loaded of these servers. It was indeed demonstrated
3925 that picking the least loaded of two servers is enough to
3926 significantly improve the fairness of the algorithm, by
3927 always avoiding to pick the most loaded server within a farm
3928 and getting rid of any bias that could be induced by the
3929 unfair distribution of the consistent list. Higher values N
3930 will take away N-1 of the highest loaded servers at the
3931 expense of performance. With very high values, the algorithm
3932 will converge towards the leastconn's result but much slower.
3933 The default value is 2, which generally shows very good
3934 distribution and performance. This algorithm is also known as
3935 the Power of Two Random Choices and is described here :
3936 http://www.eecs.harvard.edu/~michaelm/postscripts/handbook2001.pdf
Willy Tarreau760e81d2018-05-03 07:20:40 +02003937
Emeric Brun736aa232009-06-30 17:56:00 +02003938 rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02003939 rdp-cookie(<name>)
Emeric Brun736aa232009-06-30 17:56:00 +02003940 The RDP cookie <name> (or "mstshash" if omitted) will be
3941 looked up and hashed for each incoming TCP request. Just as
3942 with the equivalent ACL 'req_rdp_cookie()' function, the name
3943 is not case-sensitive. This mechanism is useful as a degraded
3944 persistence mode, as it makes it possible to always send the
3945 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003946 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02003947 used instead.
3948
3949 Note that for this to work, the frontend must ensure that an
3950 RDP cookie is already present in the request buffer. For this
3951 you must use 'tcp-request content accept' rule combined with
3952 a 'req_rdp_cookie_cnt' ACL.
3953
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02003954 This algorithm is static by default, which means that
3955 changing a server's weight on the fly will have no effect,
3956 but this can be changed using "hash-type".
3957
Cyril Bontédc4d9032012-04-08 21:57:39 +02003958 See also the rdp_cookie pattern fetch function.
Simon Hormanab814e02011-06-24 14:50:20 +09003959
Willy Tarreau0ba27502007-12-24 16:55:16 +01003960 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02003961 algorithms. Right now, only "url_param" and "uri" support an
3962 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003963
Willy Tarreau3cd9af22009-03-15 14:06:41 +01003964 The load balancing algorithm of a backend is set to roundrobin when no other
3965 algorithm, mode nor option have been set. The algorithm may only be set once
3966 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003967
Lukas Tribus80512b12018-10-27 20:07:40 +02003968 With authentication schemes that require the same connection like NTLM, URI
John Roeslerfb2fce12019-07-10 15:45:51 -05003969 based algorithms must not be used, as they would cause subsequent requests
Lukas Tribus80512b12018-10-27 20:07:40 +02003970 to be routed to different backend servers, breaking the invalid assumptions
3971 NTLM relies on.
3972
Willy Tarreau0ba27502007-12-24 16:55:16 +01003973 Examples :
3974 balance roundrobin
3975 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003976 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01003977 balance hdr(User-Agent)
3978 balance hdr(host)
3979 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003980
3981 Note: the following caveats and limitations on using the "check_post"
3982 extension with "url_param" must be considered :
3983
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003984 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003985 to determine if the parameters will be found in the body or entity which
3986 may contain binary data. Therefore another method may be required to
3987 restrict consideration of POST requests that have no URL parameters in
Christopher Faulet87f1f3d2019-07-18 14:51:20 +02003988 the body. (see acl http_end)
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02003989
3990 - using a <max_wait> value larger than the request buffer size does not
3991 make sense and is useless. The buffer size is set at build time, and
3992 defaults to 16 kB.
3993
3994 - Content-Encoding is not supported, the parameter search will probably
3995 fail; and load balancing will fall back to Round Robin.
3996
3997 - Expect: 100-continue is not supported, load balancing will fall back to
3998 Round Robin.
3999
Lukas Tribus23953682017-04-28 13:24:30 +00004000 - Transfer-Encoding (RFC7230 3.3.1) is only supported in the first chunk.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02004001 If the entire parameter value is not present in the first chunk, the
4002 selection of server is undefined (actually, defined by how little
4003 actually appeared in the first chunk).
4004
4005 - This feature does not support generation of a 100, 411 or 501 response.
4006
4007 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004008 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02004009 white space or control characters are found, indicating the end of what
4010 might be a URL parameter list. This is probably not a concern with SGML
4011 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004012
Willy Tarreau294d0f02015-08-10 19:40:12 +02004013 See also : "dispatch", "cookie", "transparent", "hash-type" and "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01004014
4015
Willy Tarreaub6205fd2012-09-24 12:27:33 +02004016bind [<address>]:<port_range> [, ...] [param*]
4017bind /<path> [, ...] [param*]
Willy Tarreau0ba27502007-12-24 16:55:16 +01004018 Define one or several listening addresses and/or ports in a frontend.
4019 May be used in sections : defaults | frontend | listen | backend
4020 no | yes | yes | no
4021 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01004022 <address> is optional and can be a host name, an IPv4 address, an IPv6
4023 address, or '*'. It designates the address the frontend will
4024 listen on. If unset, all IPv4 addresses of the system will be
4025 listened on. The same will apply for '*' or the system's
David du Colombier9c938da2011-03-17 10:40:27 +01004026 special address "0.0.0.0". The IPv6 equivalent is '::'.
Willy Tarreau24709282013-03-10 21:32:12 +01004027 Optionally, an address family prefix may be used before the
4028 address to force the family regardless of the address format,
4029 which can be useful to specify a path to a unix socket with
4030 no slash ('/'). Currently supported prefixes are :
4031 - 'ipv4@' -> address is always IPv4
4032 - 'ipv6@' -> address is always IPv6
Emeric Brun3835c0d2020-07-07 09:46:09 +02004033 - 'udp@' -> address is resolved as IPv4 or IPv6 and
Emeric Brun12941c82020-07-07 14:19:42 +02004034 protocol UDP is used. Currently those listeners are
4035 supported only in log-forward sections.
Emeric Brun3835c0d2020-07-07 09:46:09 +02004036 - 'udp4@' -> address is always IPv4 and protocol UDP
Emeric Brun12941c82020-07-07 14:19:42 +02004037 is used. Currently those listeners are supported
4038 only in log-forward sections.
Emeric Brun3835c0d2020-07-07 09:46:09 +02004039 - 'udp6@' -> address is always IPv6 and protocol UDP
Emeric Brun12941c82020-07-07 14:19:42 +02004040 is used. Currently those listeners are supported
4041 only in log-forward sections.
Willy Tarreau24709282013-03-10 21:32:12 +01004042 - 'unix@' -> address is a path to a local unix socket
Willy Tarreau70f72e02014-07-08 00:37:50 +02004043 - 'abns@' -> address is in abstract namespace (Linux only).
4044 Note: since abstract sockets are not "rebindable", they
4045 do not cope well with multi-process mode during
4046 soft-restart, so it is better to avoid them if
4047 nbproc is greater than 1. The effect is that if the
4048 new process fails to start, only one of the old ones
4049 will be able to rebind to the socket.
Willy Tarreau40aa0702013-03-10 23:51:38 +01004050 - 'fd@<n>' -> use file descriptor <n> inherited from the
4051 parent. The fd must be bound and may or may not already
4052 be listening.
William Lallemand2fe7dd02018-09-11 16:51:29 +02004053 - 'sockpair@<n>'-> like fd@ but you must use the fd of a
4054 connected unix socket or of a socketpair. The bind waits
4055 to receive a FD over the unix socket and uses it as if it
4056 was the FD of an accept(). Should be used carefully.
William Lallemandb2f07452015-05-12 14:27:13 +02004057 You may want to reference some environment variables in the
4058 address parameter, see section 2.3 about environment
4059 variables.
Willy Tarreaub1e52e82008-01-13 14:49:51 +01004060
Willy Tarreauc5011ca2010-03-22 11:53:56 +01004061 <port_range> is either a unique TCP port, or a port range for which the
4062 proxy will accept connections for the IP address specified
Willy Tarreauceb24bc2010-11-09 12:46:41 +01004063 above. The port is mandatory for TCP listeners. Note that in
4064 the case of an IPv6 address, the port is always the number
4065 after the last colon (':'). A range can either be :
Willy Tarreauc5011ca2010-03-22 11:53:56 +01004066 - a numerical port (ex: '80')
4067 - a dash-delimited ports range explicitly stating the lower
4068 and upper bounds (ex: '2000-2100') which are included in
4069 the range.
4070
4071 Particular care must be taken against port ranges, because
4072 every <address:port> couple consumes one socket (= a file
4073 descriptor), so it's easy to consume lots of descriptors
4074 with a simple range, and to run out of sockets. Also, each
4075 <address:port> couple must be used only once among all
4076 instances running on a same system. Please note that binding
4077 to ports lower than 1024 generally require particular
Jamie Gloudon801a0a32012-08-25 00:18:33 -04004078 privileges to start the program, which are independent of
Willy Tarreauc5011ca2010-03-22 11:53:56 +01004079 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004080
Willy Tarreauceb24bc2010-11-09 12:46:41 +01004081 <path> is a UNIX socket path beginning with a slash ('/'). This is
Davor Ocelice9ed2812017-12-25 17:49:28 +01004082 alternative to the TCP listening port. HAProxy will then
Willy Tarreauceb24bc2010-11-09 12:46:41 +01004083 receive UNIX connections on the socket located at this place.
4084 The path must begin with a slash and by default is absolute.
4085 It can be relative to the prefix defined by "unix-bind" in
4086 the global section. Note that the total length of the prefix
4087 followed by the socket path cannot exceed some system limits
4088 for UNIX sockets, which commonly are set to 107 characters.
4089
Willy Tarreaub6205fd2012-09-24 12:27:33 +02004090 <param*> is a list of parameters common to all sockets declared on the
4091 same line. These numerous parameters depend on OS and build
4092 options and have a complete section dedicated to them. Please
4093 refer to section 5 to for more details.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02004094
Willy Tarreau0ba27502007-12-24 16:55:16 +01004095 It is possible to specify a list of address:port combinations delimited by
4096 commas. The frontend will then listen on all of these addresses. There is no
4097 fixed limit to the number of addresses and ports which can be listened on in
4098 a frontend, as well as there is no limit to the number of "bind" statements
4099 in a frontend.
4100
4101 Example :
4102 listen http_proxy
4103 bind :80,:443
4104 bind 10.0.0.1:10080,10.0.0.1:10443
Willy Tarreauceb24bc2010-11-09 12:46:41 +01004105 bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
Willy Tarreau0ba27502007-12-24 16:55:16 +01004106
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02004107 listen http_https_proxy
4108 bind :80
Cyril Bonté0d44fc62012-10-09 22:45:33 +02004109 bind :443 ssl crt /etc/haproxy/site.pem
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02004110
Willy Tarreau24709282013-03-10 21:32:12 +01004111 listen http_https_proxy_explicit
4112 bind ipv6@:80
4113 bind ipv4@public_ssl:443 ssl crt /etc/haproxy/site.pem
4114 bind unix@ssl-frontend.sock user root mode 600 accept-proxy
4115
Willy Tarreaudad36a32013-03-11 01:20:04 +01004116 listen external_bind_app1
William Lallemandb2f07452015-05-12 14:27:13 +02004117 bind "fd@${FD_APP1}"
Willy Tarreaudad36a32013-03-11 01:20:04 +01004118
Willy Tarreau55dcaf62015-09-27 15:03:15 +02004119 Note: regarding Linux's abstract namespace sockets, HAProxy uses the whole
4120 sun_path length is used for the address length. Some other programs
4121 such as socat use the string length only by default. Pass the option
4122 ",unix-tightsocklen=0" to any abstract socket definition in socat to
4123 make it compatible with HAProxy's.
4124
Willy Tarreauceb24bc2010-11-09 12:46:41 +01004125 See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
Willy Tarreaub6205fd2012-09-24 12:27:33 +02004126 documentation, and section 5 about bind options.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004127
4128
Christopher Fauletff4121f2017-11-22 16:38:49 +01004129bind-process [ all | odd | even | <process_num>[-[<process_num>]] ] ...
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01004130 Limit visibility of an instance to a certain set of processes numbers.
4131 May be used in sections : defaults | frontend | listen | backend
4132 yes | yes | yes | yes
4133 Arguments :
4134 all All process will see this instance. This is the default. It
4135 may be used to override a default value.
4136
Willy Tarreaua9db57e2013-01-18 11:29:29 +01004137 odd This instance will be enabled on processes 1,3,5,...63. This
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01004138 option may be combined with other numbers.
4139
Willy Tarreaua9db57e2013-01-18 11:29:29 +01004140 even This instance will be enabled on processes 2,4,6,...64. This
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01004141 option may be combined with other numbers. Do not use it
4142 with less than 2 processes otherwise some instances might be
4143 missing from all processes.
4144
Christopher Fauletff4121f2017-11-22 16:38:49 +01004145 process_num The instance will be enabled on this process number or range,
Willy Tarreaua9db57e2013-01-18 11:29:29 +01004146 whose values must all be between 1 and 32 or 64 depending on
Christopher Fauletff4121f2017-11-22 16:38:49 +01004147 the machine's word size. Ranges can be partially defined. The
4148 higher bound can be omitted. In such case, it is replaced by
4149 the corresponding maximum value. If a proxy is bound to
4150 process numbers greater than the configured global.nbproc, it
4151 will either be forced to process #1 if a single process was
Willy Tarreau102df612014-05-07 23:56:38 +02004152 specified, or to all processes otherwise.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01004153
4154 This keyword limits binding of certain instances to certain processes. This
4155 is useful in order not to have too many processes listening to the same
4156 ports. For instance, on a dual-core machine, it might make sense to set
4157 'nbproc 2' in the global section, then distributes the listeners among 'odd'
4158 and 'even' instances.
4159
Willy Tarreaua9db57e2013-01-18 11:29:29 +01004160 At the moment, it is not possible to reference more than 32 or 64 processes
4161 using this keyword, but this should be more than enough for most setups.
4162 Please note that 'all' really means all processes regardless of the machine's
4163 word size, and is not limited to the first 32 or 64.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01004164
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02004165 Each "bind" line may further be limited to a subset of the proxy's processes,
4166 please consult the "process" bind keyword in section 5.1.
4167
Willy Tarreaub369a042014-09-16 13:21:03 +02004168 When a frontend has no explicit "bind-process" line, it tries to bind to all
4169 the processes referenced by its "bind" lines. That means that frontends can
4170 easily adapt to their listeners' processes.
4171
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01004172 If some backends are referenced by frontends bound to other processes, the
4173 backend automatically inherits the frontend's processes.
4174
4175 Example :
4176 listen app_ip1
4177 bind 10.0.0.1:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02004178 bind-process odd
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01004179
4180 listen app_ip2
4181 bind 10.0.0.2:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02004182 bind-process even
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01004183
4184 listen management
4185 bind 10.0.0.3:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02004186 bind-process 1 2 3 4
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01004187
Willy Tarreau110ecc12012-11-15 17:50:01 +01004188 listen management
4189 bind 10.0.0.4:80
4190 bind-process 1-4
4191
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02004192 See also : "nbproc" in global section, and "process" in section 5.1.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01004193
4194
Willy Tarreau0ba27502007-12-24 16:55:16 +01004195capture cookie <name> len <length>
4196 Capture and log a cookie in the request and in the response.
4197 May be used in sections : defaults | frontend | listen | backend
4198 no | yes | yes | no
4199 Arguments :
4200 <name> is the beginning of the name of the cookie to capture. In order
4201 to match the exact name, simply suffix the name with an equal
4202 sign ('='). The full name will appear in the logs, which is
4203 useful with application servers which adjust both the cookie name
Davor Ocelice9ed2812017-12-25 17:49:28 +01004204 and value (e.g. ASPSESSIONXXX).
Willy Tarreau0ba27502007-12-24 16:55:16 +01004205
4206 <length> is the maximum number of characters to report in the logs, which
4207 include the cookie name, the equal sign and the value, all in the
4208 standard "name=value" form. The string will be truncated on the
4209 right if it exceeds <length>.
4210
4211 Only the first cookie is captured. Both the "cookie" request headers and the
4212 "set-cookie" response headers are monitored. This is particularly useful to
4213 check for application bugs causing session crossing or stealing between
4214 users, because generally the user's cookies can only change on a login page.
4215
4216 When the cookie was not presented by the client, the associated log column
4217 will report "-". When a request does not cause a cookie to be assigned by the
4218 server, a "-" is reported in the response column.
4219
4220 The capture is performed in the frontend only because it is necessary that
4221 the log format does not change for a given frontend depending on the
4222 backends. This may change in the future. Note that there can be only one
Willy Tarreau193b8c62012-11-22 00:17:38 +01004223 "capture cookie" statement in a frontend. The maximum capture length is set
4224 by the global "tune.http.cookielen" setting and defaults to 63 characters. It
4225 is not possible to specify a capture in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004226
4227 Example:
4228 capture cookie ASPSESSION len 32
4229
4230 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004231 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004232
4233
4234capture request header <name> len <length>
Willy Tarreau4460d032012-11-21 23:37:37 +01004235 Capture and log the last occurrence of the specified request header.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004236 May be used in sections : defaults | frontend | listen | backend
4237 no | yes | yes | no
4238 Arguments :
4239 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004240 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01004241 appear in the requests, with the first letter of each word in
4242 upper case. The header name will not appear in the logs, only the
4243 value is reported, but the position in the logs is respected.
4244
4245 <length> is the maximum number of characters to extract from the value and
4246 report in the logs. The string will be truncated on the right if
4247 it exceeds <length>.
4248
Willy Tarreau4460d032012-11-21 23:37:37 +01004249 The complete value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01004250 value will be added to the logs between braces ('{}'). If multiple headers
4251 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01004252 in the same order they were declared in the configuration. Non-existent
4253 headers will be logged just as an empty string. Common uses for request
4254 header captures include the "Host" field in virtual hosting environments, the
4255 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004256 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01004257 environments to find where the request came from.
4258
4259 Note that when capturing headers such as "User-agent", some spaces may be
4260 logged, making the log analysis more difficult. Thus be careful about what
4261 you log if you know your log parser is not smart enough to rely on the
4262 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004263
Willy Tarreau0900abb2012-11-22 00:21:46 +01004264 There is no limit to the number of captured request headers nor to their
4265 length, though it is wise to keep them low to limit memory usage per session.
4266 In order to keep log format consistent for a same frontend, header captures
4267 can only be declared in a frontend. It is not possible to specify a capture
4268 in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004269
4270 Example:
4271 capture request header Host len 15
4272 capture request header X-Forwarded-For len 15
Cyril Bontéd1b0f7c2015-10-26 22:37:39 +01004273 capture request header Referer len 15
Willy Tarreau0ba27502007-12-24 16:55:16 +01004274
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004275 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01004276 about logging.
4277
4278
4279capture response header <name> len <length>
Willy Tarreau4460d032012-11-21 23:37:37 +01004280 Capture and log the last occurrence of the specified response header.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004281 May be used in sections : defaults | frontend | listen | backend
4282 no | yes | yes | no
4283 Arguments :
4284 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004285 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01004286 appear in the response, with the first letter of each word in
4287 upper case. The header name will not appear in the logs, only the
4288 value is reported, but the position in the logs is respected.
4289
4290 <length> is the maximum number of characters to extract from the value and
4291 report in the logs. The string will be truncated on the right if
4292 it exceeds <length>.
4293
Willy Tarreau4460d032012-11-21 23:37:37 +01004294 The complete value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01004295 result will be added to the logs between braces ('{}') after the captured
4296 request headers. If multiple headers are captured, they will be delimited by
4297 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01004298 the configuration. Non-existent headers will be logged just as an empty
4299 string. Common uses for response header captures include the "Content-length"
4300 header which indicates how many bytes are expected to be returned, the
4301 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004302
Willy Tarreau0900abb2012-11-22 00:21:46 +01004303 There is no limit to the number of captured response headers nor to their
4304 length, though it is wise to keep them low to limit memory usage per session.
4305 In order to keep log format consistent for a same frontend, header captures
4306 can only be declared in a frontend. It is not possible to specify a capture
4307 in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004308
4309 Example:
4310 capture response header Content-length len 9
4311 capture response header Location len 15
4312
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004313 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01004314 about logging.
4315
4316
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09004317clitcpka-cnt <count>
4318 Sets the maximum number of keepalive probes TCP should send before dropping
4319 the connection on the client side.
4320 May be used in sections : defaults | frontend | listen | backend
4321 yes | yes | yes | no
4322 Arguments :
4323 <count> is the maximum number of keepalive probes.
4324
4325 This keyword corresponds to the socket option TCP_KEEPCNT. If this keyword
4326 is not specified, system-wide TCP parameter (tcp_keepalive_probes) is used.
Willy Tarreau52543212020-07-09 05:58:51 +02004327 The availability of this setting depends on the operating system. It is
4328 known to work on Linux.
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09004329
4330 See also : "option clitcpka", "clitcpka-idle", "clitcpka-intvl".
4331
4332
4333clitcpka-idle <timeout>
4334 Sets the time the connection needs to remain idle before TCP starts sending
4335 keepalive probes, if enabled the sending of TCP keepalive packets on the
4336 client side.
4337 May be used in sections : defaults | frontend | listen | backend
4338 yes | yes | yes | no
4339 Arguments :
4340 <timeout> is the time the connection needs to remain idle before TCP starts
4341 sending keepalive probes. It is specified in seconds by default,
4342 but can be in any other unit if the number is suffixed by the
4343 unit, as explained at the top of this document.
4344
4345 This keyword corresponds to the socket option TCP_KEEPIDLE. If this keyword
4346 is not specified, system-wide TCP parameter (tcp_keepalive_time) is used.
Willy Tarreau52543212020-07-09 05:58:51 +02004347 The availability of this setting depends on the operating system. It is
4348 known to work on Linux.
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09004349
4350 See also : "option clitcpka", "clitcpka-cnt", "clitcpka-intvl".
4351
4352
4353clitcpka-intvl <timeout>
4354 Sets the time between individual keepalive probes on the client side.
4355 May be used in sections : defaults | frontend | listen | backend
4356 yes | yes | yes | no
4357 Arguments :
4358 <timeout> is the time between individual keepalive probes. It is specified
4359 in seconds by default, but can be in any other unit if the number
4360 is suffixed by the unit, as explained at the top of this
4361 document.
4362
4363 This keyword corresponds to the socket option TCP_KEEPINTVL. If this keyword
4364 is not specified, system-wide TCP parameter (tcp_keepalive_intvl) is used.
Willy Tarreau52543212020-07-09 05:58:51 +02004365 The availability of this setting depends on the operating system. It is
4366 known to work on Linux.
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +09004367
4368 See also : "option clitcpka", "clitcpka-cnt", "clitcpka-idle".
4369
4370
Cyril Bonté316a8cf2012-11-11 13:38:27 +01004371compression algo <algorithm> ...
4372compression type <mime type> ...
Willy Tarreau70737d12012-10-27 00:34:28 +02004373compression offload
William Lallemand82fe75c2012-10-23 10:25:10 +02004374 Enable HTTP compression.
4375 May be used in sections : defaults | frontend | listen | backend
4376 yes | yes | yes | yes
4377 Arguments :
Cyril Bonté316a8cf2012-11-11 13:38:27 +01004378 algo is followed by the list of supported compression algorithms.
4379 type is followed by the list of MIME types that will be compressed.
Daniel Corbett9f0843f2021-05-08 10:50:37 -04004380 offload makes HAProxy work as a compression offloader only (see notes).
Cyril Bonté316a8cf2012-11-11 13:38:27 +01004381
4382 The currently supported algorithms are :
Willy Tarreauc91840a2015-03-28 17:00:39 +01004383 identity this is mostly for debugging, and it was useful for developing
4384 the compression feature. Identity does not apply any change on
4385 data.
Cyril Bonté316a8cf2012-11-11 13:38:27 +01004386
Willy Tarreauc91840a2015-03-28 17:00:39 +01004387 gzip applies gzip compression. This setting is only available when
Baptiste Assmannf085d632015-12-21 17:57:32 +01004388 support for zlib or libslz was built in.
Willy Tarreauc91840a2015-03-28 17:00:39 +01004389
4390 deflate same as "gzip", but with deflate algorithm and zlib format.
4391 Note that this algorithm has ambiguous support on many
4392 browsers and no support at all from recent ones. It is
4393 strongly recommended not to use it for anything else than
4394 experimentation. This setting is only available when support
Baptiste Assmannf085d632015-12-21 17:57:32 +01004395 for zlib or libslz was built in.
Cyril Bonté316a8cf2012-11-11 13:38:27 +01004396
Willy Tarreauc91840a2015-03-28 17:00:39 +01004397 raw-deflate same as "deflate" without the zlib wrapper, and used as an
4398 alternative when the browser wants "deflate". All major
4399 browsers understand it and despite violating the standards,
4400 it is known to work better than "deflate", at least on MSIE
4401 and some versions of Safari. Do not use it in conjunction
4402 with "deflate", use either one or the other since both react
4403 to the same Accept-Encoding token. This setting is only
Baptiste Assmannf085d632015-12-21 17:57:32 +01004404 available when support for zlib or libslz was built in.
Cyril Bonté316a8cf2012-11-11 13:38:27 +01004405
Dmitry Sivachenko87c208b2012-11-22 20:03:26 +04004406 Compression will be activated depending on the Accept-Encoding request
Cyril Bonté316a8cf2012-11-11 13:38:27 +01004407 header. With identity, it does not take care of that header.
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04004408 If backend servers support HTTP compression, these directives
Daniel Corbett9f0843f2021-05-08 10:50:37 -04004409 will be no-op: HAProxy will see the compressed response and will not
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04004410 compress again. If backend servers do not support HTTP compression and
Daniel Corbett9f0843f2021-05-08 10:50:37 -04004411 there is Accept-Encoding header in request, HAProxy will compress the
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04004412 matching response.
Willy Tarreau70737d12012-10-27 00:34:28 +02004413
Daniel Corbett9f0843f2021-05-08 10:50:37 -04004414 The "offload" setting makes HAProxy remove the Accept-Encoding header to
Willy Tarreau70737d12012-10-27 00:34:28 +02004415 prevent backend servers from compressing responses. It is strongly
4416 recommended not to do this because this means that all the compression work
Daniel Corbett9f0843f2021-05-08 10:50:37 -04004417 will be done on the single point where HAProxy is located. However in some
4418 deployment scenarios, HAProxy may be installed in front of a buggy gateway
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04004419 with broken HTTP compression implementation which can't be turned off.
Daniel Corbett9f0843f2021-05-08 10:50:37 -04004420 In that case HAProxy can be used to prevent that gateway from emitting
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04004421 invalid payloads. In this case, simply removing the header in the
4422 configuration does not work because it applies before the header is parsed,
Daniel Corbett9f0843f2021-05-08 10:50:37 -04004423 so that prevents HAProxy from compressing. The "offload" setting should
Willy Tarreauffea9fd2014-07-12 16:37:02 +02004424 then be used for such scenarios. Note: for now, the "offload" setting is
4425 ignored when set in a defaults section.
William Lallemand82fe75c2012-10-23 10:25:10 +02004426
William Lallemand05097442012-11-20 12:14:28 +01004427 Compression is disabled when:
Baptiste Assmann650d53d2013-01-05 15:44:44 +01004428 * the request does not advertise a supported compression algorithm in the
4429 "Accept-Encoding" header
Julien Pivottoff80c822021-03-29 12:41:40 +02004430 * the response message is not HTTP/1.1 or above
Tim Duesterhusbb48c9a2019-01-30 23:46:04 +01004431 * HTTP status code is not one of 200, 201, 202, or 203
Baptiste Assmann650d53d2013-01-05 15:44:44 +01004432 * response contain neither a "Content-Length" header nor a
4433 "Transfer-Encoding" whose last value is "chunked"
4434 * response contains a "Content-Type" header whose first value starts with
4435 "multipart"
4436 * the response contains the "no-transform" value in the "Cache-control"
4437 header
4438 * User-Agent matches "Mozilla/4" unless it is MSIE 6 with XP SP2, or MSIE 7
4439 and later
4440 * The response contains a "Content-Encoding" header, indicating that the
4441 response is already compressed (see compression offload)
Tim Duesterhusbb48c9a2019-01-30 23:46:04 +01004442 * The response contains an invalid "ETag" header or multiple ETag headers
William Lallemand05097442012-11-20 12:14:28 +01004443
Tim Duesterhusb229f012019-01-29 16:38:56 +01004444 Note: The compression does not emit the Warning header.
William Lallemand05097442012-11-20 12:14:28 +01004445
William Lallemand82fe75c2012-10-23 10:25:10 +02004446 Examples :
4447 compression algo gzip
4448 compression type text/html text/plain
Willy Tarreau0ba27502007-12-24 16:55:16 +01004449
Christopher Fauletc3fe5332016-04-07 15:30:10 +02004450
Willy Tarreau55165fe2009-05-10 12:02:55 +02004451cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreau4992dd22012-05-31 21:02:17 +02004452 [ postonly ] [ preserve ] [ httponly ] [ secure ]
4453 [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
Christopher Faulet2f533902020-01-21 11:06:48 +01004454 [ dynamic ] [ attr <value> ]*
Willy Tarreau0ba27502007-12-24 16:55:16 +01004455 Enable cookie-based persistence in a backend.
4456 May be used in sections : defaults | frontend | listen | backend
4457 yes | no | yes | yes
4458 Arguments :
4459 <name> is the name of the cookie which will be monitored, modified or
4460 inserted in order to bring persistence. This cookie is sent to
4461 the client via a "Set-Cookie" header in the response, and is
4462 brought back by the client in a "Cookie" header in all requests.
4463 Special care should be taken to choose a name which does not
4464 conflict with any likely application cookie. Also, if the same
Davor Ocelice9ed2812017-12-25 17:49:28 +01004465 backends are subject to be used by the same clients (e.g.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004466 HTTP/HTTPS), care should be taken to use different cookie names
4467 between all backends if persistence between them is not desired.
4468
4469 rewrite This keyword indicates that the cookie will be provided by the
Daniel Corbett9f0843f2021-05-08 10:50:37 -04004470 server and that HAProxy will have to modify its value to set the
Willy Tarreau0ba27502007-12-24 16:55:16 +01004471 server's identifier in it. This mode is handy when the management
4472 of complex combinations of "Set-cookie" and "Cache-control"
4473 headers is left to the application. The application can then
4474 decide whether or not it is appropriate to emit a persistence
Lukas Tribusf01a9cd2016-02-03 18:09:37 +01004475 cookie. Since all responses should be monitored, this mode
4476 doesn't work in HTTP tunnel mode. Unless the application
Davor Ocelice9ed2812017-12-25 17:49:28 +01004477 behavior is very complex and/or broken, it is advised not to
Lukas Tribusf01a9cd2016-02-03 18:09:37 +01004478 start with this mode for new deployments. This keyword is
4479 incompatible with "insert" and "prefix".
Willy Tarreau0ba27502007-12-24 16:55:16 +01004480
4481 insert This keyword indicates that the persistence cookie will have to
Daniel Corbett9f0843f2021-05-08 10:50:37 -04004482 be inserted by HAProxy in server responses if the client did not
Willy Tarreauba4c5be2010-10-23 12:46:42 +02004483
Willy Tarreaua79094d2010-08-31 22:54:15 +02004484 already have a cookie that would have permitted it to access this
Willy Tarreauba4c5be2010-10-23 12:46:42 +02004485 server. When used without the "preserve" option, if the server
Michael Prokop4438c602019-05-24 10:25:45 +02004486 emits a cookie with the same name, it will be removed before
Davor Ocelice9ed2812017-12-25 17:49:28 +01004487 processing. For this reason, this mode can be used to upgrade
Willy Tarreauba4c5be2010-10-23 12:46:42 +02004488 existing configurations running in the "rewrite" mode. The cookie
4489 will only be a session cookie and will not be stored on the
4490 client's disk. By default, unless the "indirect" option is added,
4491 the server will see the cookies emitted by the client. Due to
4492 caching effects, it is generally wise to add the "nocache" or
4493 "postonly" keywords (see below). The "insert" keyword is not
4494 compatible with "rewrite" and "prefix".
Willy Tarreau0ba27502007-12-24 16:55:16 +01004495
4496 prefix This keyword indicates that instead of relying on a dedicated
4497 cookie for the persistence, an existing one will be completed.
4498 This may be needed in some specific environments where the client
4499 does not support more than one single cookie and the application
4500 already needs it. In this case, whenever the server sets a cookie
4501 named <name>, it will be prefixed with the server's identifier
4502 and a delimiter. The prefix will be removed from all client
4503 requests so that the server still finds the cookie it emitted.
4504 Since all requests and responses are subject to being modified,
Lukas Tribusf01a9cd2016-02-03 18:09:37 +01004505 this mode doesn't work with tunnel mode. The "prefix" keyword is
Willy Tarreau37229df2011-10-17 12:24:55 +02004506 not compatible with "rewrite" and "insert". Note: it is highly
4507 recommended not to use "indirect" with "prefix", otherwise server
4508 cookie updates would not be sent to clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004509
Willy Tarreaua79094d2010-08-31 22:54:15 +02004510 indirect When this option is specified, no cookie will be emitted to a
4511 client which already has a valid one for the server which has
4512 processed the request. If the server sets such a cookie itself,
Willy Tarreauba4c5be2010-10-23 12:46:42 +02004513 it will be removed, unless the "preserve" option is also set. In
4514 "insert" mode, this will additionally remove cookies from the
4515 requests transmitted to the server, making the persistence
4516 mechanism totally transparent from an application point of view.
Willy Tarreau37229df2011-10-17 12:24:55 +02004517 Note: it is highly recommended not to use "indirect" with
4518 "prefix", otherwise server cookie updates would not be sent to
4519 clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004520
4521 nocache This option is recommended in conjunction with the insert mode
4522 when there is a cache between the client and HAProxy, as it
4523 ensures that a cacheable response will be tagged non-cacheable if
4524 a cookie needs to be inserted. This is important because if all
4525 persistence cookies are added on a cacheable home page for
4526 instance, then all customers will then fetch the page from an
4527 outer cache and will all share the same persistence cookie,
4528 leading to one server receiving much more traffic than others.
4529 See also the "insert" and "postonly" options.
4530
4531 postonly This option ensures that cookie insertion will only be performed
4532 on responses to POST requests. It is an alternative to the
4533 "nocache" option, because POST responses are not cacheable, so
4534 this ensures that the persistence cookie will never get cached.
4535 Since most sites do not need any sort of persistence before the
4536 first POST which generally is a login request, this is a very
4537 efficient method to optimize caching without risking to find a
4538 persistence cookie in the cache.
4539 See also the "insert" and "nocache" options.
4540
Willy Tarreauba4c5be2010-10-23 12:46:42 +02004541 preserve This option may only be used with "insert" and/or "indirect". It
4542 allows the server to emit the persistence cookie itself. In this
Daniel Corbett9f0843f2021-05-08 10:50:37 -04004543 case, if a cookie is found in the response, HAProxy will leave it
Willy Tarreauba4c5be2010-10-23 12:46:42 +02004544 untouched. This is useful in order to end persistence after a
4545 logout request for instance. For this, the server just has to
Davor Ocelice9ed2812017-12-25 17:49:28 +01004546 emit a cookie with an invalid value (e.g. empty) or with a date in
Willy Tarreauba4c5be2010-10-23 12:46:42 +02004547 the past. By combining this mechanism with the "disable-on-404"
4548 check option, it is possible to perform a completely graceful
4549 shutdown because users will definitely leave the server after
4550 they logout.
4551
Daniel Corbett9f0843f2021-05-08 10:50:37 -04004552 httponly This option tells HAProxy to add an "HttpOnly" cookie attribute
Willy Tarreau4992dd22012-05-31 21:02:17 +02004553 when a cookie is inserted. This attribute is used so that a
4554 user agent doesn't share the cookie with non-HTTP components.
4555 Please check RFC6265 for more information on this attribute.
4556
Daniel Corbett9f0843f2021-05-08 10:50:37 -04004557 secure This option tells HAProxy to add a "Secure" cookie attribute when
Willy Tarreau4992dd22012-05-31 21:02:17 +02004558 a cookie is inserted. This attribute is used so that a user agent
4559 never emits this cookie over non-secure channels, which means
4560 that a cookie learned with this flag will be presented only over
4561 SSL/TLS connections. Please check RFC6265 for more information on
4562 this attribute.
4563
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02004564 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004565 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01004566 name. If the domain begins with a dot, the browser is allowed to
4567 use it for any host ending with that name. It is also possible to
4568 specify several domain names by invoking this option multiple
4569 times. Some browsers might have small limits on the number of
4570 domains, so be careful when doing that. For the record, sending
4571 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02004572
Willy Tarreau996a92c2010-10-13 19:30:47 +02004573 maxidle This option allows inserted cookies to be ignored after some idle
4574 time. It only works with insert-mode cookies. When a cookie is
4575 sent to the client, the date this cookie was emitted is sent too.
4576 Upon further presentations of this cookie, if the date is older
4577 than the delay indicated by the parameter (in seconds), it will
4578 be ignored. Otherwise, it will be refreshed if needed when the
4579 response is sent to the client. This is particularly useful to
4580 prevent users who never close their browsers from remaining for
Davor Ocelice9ed2812017-12-25 17:49:28 +01004581 too long on the same server (e.g. after a farm size change). When
Willy Tarreau996a92c2010-10-13 19:30:47 +02004582 this option is set and a cookie has no date, it is always
4583 accepted, but gets refreshed in the response. This maintains the
4584 ability for admins to access their sites. Cookies that have a
4585 date in the future further than 24 hours are ignored. Doing so
4586 lets admins fix timezone issues without risking kicking users off
4587 the site.
4588
4589 maxlife This option allows inserted cookies to be ignored after some life
4590 time, whether they're in use or not. It only works with insert
4591 mode cookies. When a cookie is first sent to the client, the date
4592 this cookie was emitted is sent too. Upon further presentations
4593 of this cookie, if the date is older than the delay indicated by
4594 the parameter (in seconds), it will be ignored. If the cookie in
4595 the request has no date, it is accepted and a date will be set.
4596 Cookies that have a date in the future further than 24 hours are
4597 ignored. Doing so lets admins fix timezone issues without risking
4598 kicking users off the site. Contrary to maxidle, this value is
4599 not refreshed, only the first visit date counts. Both maxidle and
4600 maxlife may be used at the time. This is particularly useful to
4601 prevent users who never close their browsers from remaining for
Davor Ocelice9ed2812017-12-25 17:49:28 +01004602 too long on the same server (e.g. after a farm size change). This
Willy Tarreau996a92c2010-10-13 19:30:47 +02004603 is stronger than the maxidle method in that it forces a
4604 redispatch after some absolute delay.
4605
Olivier Houchard4e694042017-03-14 20:01:29 +01004606 dynamic Activate dynamic cookies. When used, a session cookie is
4607 dynamically created for each server, based on the IP and port
4608 of the server, and a secret key, specified in the
4609 "dynamic-cookie-key" backend directive.
4610 The cookie will be regenerated each time the IP address change,
4611 and is only generated for IPv4/IPv6.
4612
Daniel Corbett9f0843f2021-05-08 10:50:37 -04004613 attr This option tells HAProxy to add an extra attribute when a
Christopher Faulet2f533902020-01-21 11:06:48 +01004614 cookie is inserted. The attribute value can contain any
4615 characters except control ones or ";". This option may be
4616 repeated.
4617
Willy Tarreau0ba27502007-12-24 16:55:16 +01004618 There can be only one persistence cookie per HTTP backend, and it can be
4619 declared in a defaults section. The value of the cookie will be the value
4620 indicated after the "cookie" keyword in a "server" statement. If no cookie
4621 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02004622
Willy Tarreau0ba27502007-12-24 16:55:16 +01004623 Examples :
4624 cookie JSESSIONID prefix
4625 cookie SRV insert indirect nocache
4626 cookie SRV insert postonly indirect
Willy Tarreau996a92c2010-10-13 19:30:47 +02004627 cookie SRV insert indirect nocache maxidle 30m maxlife 8h
Willy Tarreau0ba27502007-12-24 16:55:16 +01004628
Willy Tarreau294d0f02015-08-10 19:40:12 +02004629 See also : "balance source", "capture cookie", "server" and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01004630
Willy Tarreau983e01e2010-01-11 18:42:06 +01004631
Thierry FOURNIERa0a1b752015-05-26 17:44:32 +02004632declare capture [ request | response ] len <length>
4633 Declares a capture slot.
4634 May be used in sections : defaults | frontend | listen | backend
4635 no | yes | yes | no
4636 Arguments:
4637 <length> is the length allowed for the capture.
4638
4639 This declaration is only available in the frontend or listen section, but the
4640 reserved slot can be used in the backends. The "request" keyword allocates a
4641 capture slot for use in the request, and "response" allocates a capture slot
4642 for use in the response.
4643
4644 See also: "capture-req", "capture-res" (sample converters),
Baptiste Assmann5ac425c2015-10-21 23:13:46 +02004645 "capture.req.hdr", "capture.res.hdr" (sample fetches),
Thierry FOURNIERa0a1b752015-05-26 17:44:32 +02004646 "http-request capture" and "http-response capture".
4647
4648
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01004649default-server [param*]
4650 Change default options for a server in a backend
4651 May be used in sections : defaults | frontend | listen | backend
4652 yes | no | yes | yes
4653 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01004654 <param*> is a list of parameters for this server. The "default-server"
4655 keyword accepts an important number of options and has a complete
4656 section dedicated to it. Please refer to section 5 for more
4657 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01004658
Willy Tarreau983e01e2010-01-11 18:42:06 +01004659 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01004660 default-server inter 1000 weight 13
4661
4662 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01004663
Willy Tarreau983e01e2010-01-11 18:42:06 +01004664
Willy Tarreau0ba27502007-12-24 16:55:16 +01004665default_backend <backend>
4666 Specify the backend to use when no "use_backend" rule has been matched.
4667 May be used in sections : defaults | frontend | listen | backend
4668 yes | yes | yes | no
4669 Arguments :
4670 <backend> is the name of the backend to use.
4671
4672 When doing content-switching between frontend and backends using the
4673 "use_backend" keyword, it is often useful to indicate which backend will be
4674 used when no rule has matched. It generally is the dynamic backend which
4675 will catch all undetermined requests.
4676
Willy Tarreau0ba27502007-12-24 16:55:16 +01004677 Example :
4678
4679 use_backend dynamic if url_dyn
4680 use_backend static if url_css url_img extension_img
4681 default_backend dynamic
4682
Willy Tarreau98d04852015-05-26 12:18:29 +02004683 See also : "use_backend"
Willy Tarreau2769aa02007-12-27 18:26:09 +01004684
Willy Tarreau0ba27502007-12-24 16:55:16 +01004685
Baptiste Assmann27f51342013-10-09 06:51:49 +02004686description <string>
4687 Describe a listen, frontend or backend.
4688 May be used in sections : defaults | frontend | listen | backend
4689 no | yes | yes | yes
4690 Arguments : string
4691
4692 Allows to add a sentence to describe the related object in the HAProxy HTML
4693 stats page. The description will be printed on the right of the object name
4694 it describes.
4695 No need to backslash spaces in the <string> arguments.
4696
4697
Willy Tarreau0ba27502007-12-24 16:55:16 +01004698disabled
4699 Disable a proxy, frontend or backend.
4700 May be used in sections : defaults | frontend | listen | backend
4701 yes | yes | yes | yes
4702 Arguments : none
4703
4704 The "disabled" keyword is used to disable an instance, mainly in order to
4705 liberate a listening port or to temporarily disable a service. The instance
4706 will still be created and its configuration will be checked, but it will be
4707 created in the "stopped" state and will appear as such in the statistics. It
4708 will not receive any traffic nor will it send any health-checks or logs. It
4709 is possible to disable many instances at once by adding the "disabled"
4710 keyword in a "defaults" section.
4711
4712 See also : "enabled"
4713
4714
Willy Tarreau5ce94572010-06-07 14:35:41 +02004715dispatch <address>:<port>
4716 Set a default server address
4717 May be used in sections : defaults | frontend | listen | backend
4718 no | no | yes | yes
Cyril Bonté108cf6e2012-04-21 23:30:29 +02004719 Arguments :
Willy Tarreau5ce94572010-06-07 14:35:41 +02004720
4721 <address> is the IPv4 address of the default server. Alternatively, a
4722 resolvable hostname is supported, but this name will be resolved
4723 during start-up.
4724
4725 <ports> is a mandatory port specification. All connections will be sent
4726 to this port, and it is not permitted to use port offsets as is
4727 possible with normal servers.
4728
Willy Tarreau787aed52011-04-15 06:45:37 +02004729 The "dispatch" keyword designates a default server for use when no other
Willy Tarreau5ce94572010-06-07 14:35:41 +02004730 server can take the connection. In the past it was used to forward non
4731 persistent connections to an auxiliary load balancer. Due to its simple
4732 syntax, it has also been used for simple TCP relays. It is recommended not to
4733 use it for more clarity, and to use the "server" directive instead.
4734
4735 See also : "server"
4736
Olivier Houchard4e694042017-03-14 20:01:29 +01004737
4738dynamic-cookie-key <string>
4739 Set the dynamic cookie secret key for a backend.
4740 May be used in sections : defaults | frontend | listen | backend
4741 yes | no | yes | yes
4742 Arguments : The secret key to be used.
4743
4744 When dynamic cookies are enabled (see the "dynamic" directive for cookie),
Davor Ocelice9ed2812017-12-25 17:49:28 +01004745 a dynamic cookie is created for each server (unless one is explicitly
Olivier Houchard4e694042017-03-14 20:01:29 +01004746 specified on the "server" line), using a hash of the IP address of the
4747 server, the TCP port, and the secret key.
Davor Ocelice9ed2812017-12-25 17:49:28 +01004748 That way, we can ensure session persistence across multiple load-balancers,
Olivier Houchard4e694042017-03-14 20:01:29 +01004749 even if servers are dynamically added or removed.
Willy Tarreau5ce94572010-06-07 14:35:41 +02004750
Willy Tarreau0ba27502007-12-24 16:55:16 +01004751enabled
4752 Enable a proxy, frontend or backend.
4753 May be used in sections : defaults | frontend | listen | backend
4754 yes | yes | yes | yes
4755 Arguments : none
4756
4757 The "enabled" keyword is used to explicitly enable an instance, when the
4758 defaults has been set to "disabled". This is very rarely used.
4759
4760 See also : "disabled"
4761
4762
4763errorfile <code> <file>
4764 Return a file contents instead of errors generated by HAProxy
4765 May be used in sections : defaults | frontend | listen | backend
4766 yes | yes | yes | yes
4767 Arguments :
4768 <code> is the HTTP status code. Currently, HAProxy is capable of
Christopher Faulet612f2ea2020-05-27 09:57:28 +02004769 generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
Christopher Faulete095f312020-12-07 11:22:24 +01004770 413, 425, 429, 500, 501, 502, 503, and 504.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004771
4772 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004773 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01004774 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01004775 error pages, and to use absolute paths, since files are read
4776 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01004777
4778 It is important to understand that this keyword is not meant to rewrite
4779 errors returned by the server, but errors detected and returned by HAProxy.
4780 This is why the list of supported errors is limited to a small set.
4781
Willy Tarreauae94d4d2011-05-11 16:28:49 +02004782 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
4783
Christopher Faulet70170672020-05-18 17:42:48 +02004784 The files are parsed when HAProxy starts and must be valid according to the
4785 HTTP specification. They should not exceed the configured buffer size
4786 (BUFSIZE), which generally is 16 kB, otherwise an internal error will be
4787 returned. It is also wise not to put any reference to local contents
4788 (e.g. images) in order to avoid loops between the client and HAProxy when all
4789 servers are down, causing an error to be returned instead of an
4790 image. Finally, The response cannot exceed (tune.bufsize - tune.maxrewrite)
4791 so that "http-after-response" rules still have room to operate (see
4792 "tune.maxrewrite").
Willy Tarreau59140a22009-02-22 12:02:30 +01004793
Willy Tarreau0ba27502007-12-24 16:55:16 +01004794 The files are read at the same time as the configuration and kept in memory.
4795 For this reason, the errors continue to be returned even when the process is
4796 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01004797 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01004798 403 status code and interrogating a blocked URL.
4799
Christopher Faulet3b967c12020-05-15 15:47:44 +02004800 See also : "http-error", "errorloc", "errorloc302", "errorloc303"
Willy Tarreau0ba27502007-12-24 16:55:16 +01004801
Willy Tarreau59140a22009-02-22 12:02:30 +01004802 Example :
4803 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
Willy Tarreau989222a2016-01-15 10:26:26 +01004804 errorfile 408 /dev/null # work around Chrome pre-connect bug
Willy Tarreau59140a22009-02-22 12:02:30 +01004805 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
4806 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
4807
Willy Tarreau2769aa02007-12-27 18:26:09 +01004808
Christopher Faulet76edc0f2020-01-13 15:52:01 +01004809errorfiles <name> [<code> ...]
4810 Import, fully or partially, the error files defined in the <name> http-errors
4811 section.
4812 May be used in sections : defaults | frontend | listen | backend
4813 yes | yes | yes | yes
4814 Arguments :
4815 <name> is the name of an existing http-errors section.
4816
4817 <code> is a HTTP status code. Several status code may be listed.
Christopher Faulet612f2ea2020-05-27 09:57:28 +02004818 Currently, HAProxy is capable of generating codes 200, 400, 401,
Christopher Faulete095f312020-12-07 11:22:24 +01004819 403, 404, 405, 407, 408, 410, 413, 425, 429, 500, 501, 502, 503,
4820 and 504.
Christopher Faulet76edc0f2020-01-13 15:52:01 +01004821
4822 Errors defined in the http-errors section with the name <name> are imported
4823 in the current proxy. If no status code is specified, all error files of the
4824 http-errors section are imported. Otherwise, only error files associated to
4825 the listed status code are imported. Those error files override the already
4826 defined custom errors for the proxy. And they may be overridden by following
Daniel Corbett67a82712020-07-06 23:01:19 -04004827 ones. Functionally, it is exactly the same as declaring all error files by
Christopher Faulet76edc0f2020-01-13 15:52:01 +01004828 hand using "errorfile" directives.
4829
Christopher Faulet3b967c12020-05-15 15:47:44 +02004830 See also : "http-error", "errorfile", "errorloc", "errorloc302" ,
4831 "errorloc303" and section 3.8 about http-errors.
Christopher Faulet76edc0f2020-01-13 15:52:01 +01004832
4833 Example :
4834 errorfiles generic
4835 errorfiles site-1 403 404
4836
4837
Willy Tarreau2769aa02007-12-27 18:26:09 +01004838errorloc <code> <url>
4839errorloc302 <code> <url>
4840 Return an HTTP redirection to a URL instead of errors generated by HAProxy
4841 May be used in sections : defaults | frontend | listen | backend
4842 yes | yes | yes | yes
4843 Arguments :
4844 <code> is the HTTP status code. Currently, HAProxy is capable of
Christopher Faulet612f2ea2020-05-27 09:57:28 +02004845 generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
Christopher Faulete095f312020-12-07 11:22:24 +01004846 413, 425, 429, 500, 501, 502, 503, and 504.
Willy Tarreau2769aa02007-12-27 18:26:09 +01004847
4848 <url> it is the exact contents of the "Location" header. It may contain
4849 either a relative URI to an error page hosted on the same site,
4850 or an absolute URI designating an error page on another site.
4851 Special care should be given to relative URIs to avoid redirect
Davor Ocelice9ed2812017-12-25 17:49:28 +01004852 loops if the URI itself may generate the same error (e.g. 500).
Willy Tarreau2769aa02007-12-27 18:26:09 +01004853
4854 It is important to understand that this keyword is not meant to rewrite
4855 errors returned by the server, but errors detected and returned by HAProxy.
4856 This is why the list of supported errors is limited to a small set.
4857
Willy Tarreauae94d4d2011-05-11 16:28:49 +02004858 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
4859
Willy Tarreau2769aa02007-12-27 18:26:09 +01004860 Note that both keyword return the HTTP 302 status code, which tells the
4861 client to fetch the designated URL using the same HTTP method. This can be
4862 quite problematic in case of non-GET methods such as POST, because the URL
4863 sent to the client might not be allowed for something other than GET. To
Willy Tarreau989222a2016-01-15 10:26:26 +01004864 work around this problem, please use "errorloc303" which send the HTTP 303
Willy Tarreau2769aa02007-12-27 18:26:09 +01004865 status code, indicating to the client that the URL must be fetched with a GET
4866 request.
4867
Christopher Faulet3b967c12020-05-15 15:47:44 +02004868 See also : "http-error", "errorfile", "errorloc303"
Willy Tarreau2769aa02007-12-27 18:26:09 +01004869
4870
4871errorloc303 <code> <url>
4872 Return an HTTP redirection to a URL instead of errors generated by HAProxy
4873 May be used in sections : defaults | frontend | listen | backend
4874 yes | yes | yes | yes
4875 Arguments :
4876 <code> is the HTTP status code. Currently, HAProxy is capable of
Christopher Faulet612f2ea2020-05-27 09:57:28 +02004877 generating codes 200, 400, 401, 403, 404, 405, 407, 408, 410,
Christopher Faulete095f312020-12-07 11:22:24 +01004878 413, 425, 429, 500, 501, 502, 503, and 504.
Willy Tarreau2769aa02007-12-27 18:26:09 +01004879
4880 <url> it is the exact contents of the "Location" header. It may contain
4881 either a relative URI to an error page hosted on the same site,
4882 or an absolute URI designating an error page on another site.
4883 Special care should be given to relative URIs to avoid redirect
Davor Ocelice9ed2812017-12-25 17:49:28 +01004884 loops if the URI itself may generate the same error (e.g. 500).
Willy Tarreau2769aa02007-12-27 18:26:09 +01004885
4886 It is important to understand that this keyword is not meant to rewrite
4887 errors returned by the server, but errors detected and returned by HAProxy.
4888 This is why the list of supported errors is limited to a small set.
4889
Willy Tarreauae94d4d2011-05-11 16:28:49 +02004890 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
4891
Willy Tarreau2769aa02007-12-27 18:26:09 +01004892 Note that both keyword return the HTTP 303 status code, which tells the
4893 client to fetch the designated URL using the same HTTP GET method. This
4894 solves the usual problems associated with "errorloc" and the 302 code. It is
4895 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004896 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01004897
Christopher Faulet3b967c12020-05-15 15:47:44 +02004898 See also : "http-error", "errorfile", "errorloc", "errorloc302"
Willy Tarreau2769aa02007-12-27 18:26:09 +01004899
4900
Simon Horman51a1cf62015-02-03 13:00:44 +09004901email-alert from <emailaddr>
4902 Declare the from email address to be used in both the envelope and header
Davor Ocelice9ed2812017-12-25 17:49:28 +01004903 of email alerts. This is the address that email alerts are sent from.
Simon Horman51a1cf62015-02-03 13:00:44 +09004904 May be used in sections: defaults | frontend | listen | backend
4905 yes | yes | yes | yes
4906
4907 Arguments :
4908
4909 <emailaddr> is the from email address to use when sending email alerts
4910
4911 Also requires "email-alert mailers" and "email-alert to" to be set
4912 and if so sending email alerts is enabled for the proxy.
4913
Simon Horman64e34162015-02-06 11:11:57 +09004914 See also : "email-alert level", "email-alert mailers",
Cyril Bonté307ee1e2015-09-28 23:16:06 +02004915 "email-alert myhostname", "email-alert to", section 3.6 about
4916 mailers.
Simon Horman64e34162015-02-06 11:11:57 +09004917
4918
4919email-alert level <level>
4920 Declare the maximum log level of messages for which email alerts will be
4921 sent. This acts as a filter on the sending of email alerts.
4922 May be used in sections: defaults | frontend | listen | backend
4923 yes | yes | yes | yes
4924
4925 Arguments :
4926
4927 <level> One of the 8 syslog levels:
4928 emerg alert crit err warning notice info debug
4929 The above syslog levels are ordered from lowest to highest.
4930
4931 By default level is alert
4932
4933 Also requires "email-alert from", "email-alert mailers" and
4934 "email-alert to" to be set and if so sending email alerts is enabled
4935 for the proxy.
4936
Simon Horman1421e212015-04-30 13:10:35 +09004937 Alerts are sent when :
4938
4939 * An un-paused server is marked as down and <level> is alert or lower
4940 * A paused server is marked as down and <level> is notice or lower
4941 * A server is marked as up or enters the drain state and <level>
4942 is notice or lower
4943 * "option log-health-checks" is enabled, <level> is info or lower,
4944 and a health check status update occurs
4945
Simon Horman64e34162015-02-06 11:11:57 +09004946 See also : "email-alert from", "email-alert mailers",
4947 "email-alert myhostname", "email-alert to",
Simon Horman51a1cf62015-02-03 13:00:44 +09004948 section 3.6 about mailers.
4949
4950
4951email-alert mailers <mailersect>
4952 Declare the mailers to be used when sending email alerts
4953 May be used in sections: defaults | frontend | listen | backend
4954 yes | yes | yes | yes
4955
4956 Arguments :
4957
4958 <mailersect> is the name of the mailers section to send email alerts.
4959
4960 Also requires "email-alert from" and "email-alert to" to be set
4961 and if so sending email alerts is enabled for the proxy.
4962
Simon Horman64e34162015-02-06 11:11:57 +09004963 See also : "email-alert from", "email-alert level", "email-alert myhostname",
4964 "email-alert to", section 3.6 about mailers.
Simon Horman51a1cf62015-02-03 13:00:44 +09004965
4966
4967email-alert myhostname <hostname>
4968 Declare the to hostname address to be used when communicating with
4969 mailers.
4970 May be used in sections: defaults | frontend | listen | backend
4971 yes | yes | yes | yes
4972
4973 Arguments :
4974
Baptiste Assmann738bad92015-12-21 15:27:53 +01004975 <hostname> is the hostname to use when communicating with mailers
Simon Horman51a1cf62015-02-03 13:00:44 +09004976
4977 By default the systems hostname is used.
4978
4979 Also requires "email-alert from", "email-alert mailers" and
4980 "email-alert to" to be set and if so sending email alerts is enabled
4981 for the proxy.
4982
Simon Horman64e34162015-02-06 11:11:57 +09004983 See also : "email-alert from", "email-alert level", "email-alert mailers",
4984 "email-alert to", section 3.6 about mailers.
Simon Horman51a1cf62015-02-03 13:00:44 +09004985
4986
4987email-alert to <emailaddr>
Davor Ocelice9ed2812017-12-25 17:49:28 +01004988 Declare both the recipient address in the envelope and to address in the
Simon Horman51a1cf62015-02-03 13:00:44 +09004989 header of email alerts. This is the address that email alerts are sent to.
4990 May be used in sections: defaults | frontend | listen | backend
4991 yes | yes | yes | yes
4992
4993 Arguments :
4994
4995 <emailaddr> is the to email address to use when sending email alerts
4996
4997 Also requires "email-alert mailers" and "email-alert to" to be set
4998 and if so sending email alerts is enabled for the proxy.
4999
Simon Horman64e34162015-02-06 11:11:57 +09005000 See also : "email-alert from", "email-alert level", "email-alert mailers",
Simon Horman51a1cf62015-02-03 13:00:44 +09005001 "email-alert myhostname", section 3.6 about mailers.
5002
5003
Willy Tarreau4de91492010-01-22 19:10:05 +01005004force-persist { if | unless } <condition>
5005 Declare a condition to force persistence on down servers
5006 May be used in sections: defaults | frontend | listen | backend
Cyril Bonté4288c5a2018-03-12 22:02:59 +01005007 no | no | yes | yes
Willy Tarreau4de91492010-01-22 19:10:05 +01005008
5009 By default, requests are not dispatched to down servers. It is possible to
5010 force this using "option persist", but it is unconditional and redispatches
5011 to a valid server if "option redispatch" is set. That leaves with very little
5012 possibilities to force some requests to reach a server which is artificially
5013 marked down for maintenance operations.
5014
5015 The "force-persist" statement allows one to declare various ACL-based
5016 conditions which, when met, will cause a request to ignore the down status of
5017 a server and still try to connect to it. That makes it possible to start a
5018 server, still replying an error to the health checks, and run a specially
5019 configured browser to test the service. Among the handy methods, one could
5020 use a specific source IP address, or a specific cookie. The cookie also has
5021 the advantage that it can easily be added/removed on the browser from a test
5022 page. Once the service is validated, it is then possible to open the service
5023 to the world by returning a valid response to health checks.
5024
5025 The forced persistence is enabled when an "if" condition is met, or unless an
5026 "unless" condition is met. The final redispatch is always disabled when this
5027 is used.
5028
Cyril Bonté0d4bf012010-04-25 23:21:46 +02005029 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02005030 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01005031
Christopher Fauletc3fe5332016-04-07 15:30:10 +02005032
5033filter <name> [param*]
5034 Add the filter <name> in the filter list attached to the proxy.
5035 May be used in sections : defaults | frontend | listen | backend
5036 no | yes | yes | yes
5037 Arguments :
5038 <name> is the name of the filter. Officially supported filters are
5039 referenced in section 9.
5040
Tim Düsterhus4896c442016-11-29 02:15:19 +01005041 <param*> is a list of parameters accepted by the filter <name>. The
Christopher Fauletc3fe5332016-04-07 15:30:10 +02005042 parsing of these parameters are the responsibility of the
Tim Düsterhus4896c442016-11-29 02:15:19 +01005043 filter. Please refer to the documentation of the corresponding
5044 filter (section 9) for all details on the supported parameters.
Christopher Fauletc3fe5332016-04-07 15:30:10 +02005045
5046 Multiple occurrences of the filter line can be used for the same proxy. The
5047 same filter can be referenced many times if needed.
5048
5049 Example:
5050 listen
5051 bind *:80
5052
5053 filter trace name BEFORE-HTTP-COMP
5054 filter compression
5055 filter trace name AFTER-HTTP-COMP
5056
5057 compression algo gzip
5058 compression offload
5059
5060 server srv1 192.168.0.1:80
5061
5062 See also : section 9.
5063
Willy Tarreau4de91492010-01-22 19:10:05 +01005064
Willy Tarreau2769aa02007-12-27 18:26:09 +01005065fullconn <conns>
5066 Specify at what backend load the servers will reach their maxconn
5067 May be used in sections : defaults | frontend | listen | backend
5068 yes | no | yes | yes
5069 Arguments :
5070 <conns> is the number of connections on the backend which will make the
5071 servers use the maximal number of connections.
5072
Willy Tarreau198a7442008-01-17 12:05:32 +01005073 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01005074 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01005075 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01005076 load. The server will then always accept at least <minconn> connections,
5077 never more than <maxconn>, and the limit will be on the ramp between both
5078 values when the backend has less than <conns> concurrent connections. This
5079 makes it possible to limit the load on the servers during normal loads, but
5080 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005081 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01005082
Daniel Corbett9f0843f2021-05-08 10:50:37 -04005083 Since it's hard to get this value right, HAProxy automatically sets it to
Willy Tarreaufbb78422011-06-05 15:38:35 +02005084 10% of the sum of the maxconns of all frontends that may branch to this
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01005085 backend (based on "use_backend" and "default_backend" rules). That way it's
5086 safe to leave it unset. However, "use_backend" involving dynamic names are
5087 not counted since there is no way to know if they could match or not.
Willy Tarreaufbb78422011-06-05 15:38:35 +02005088
Willy Tarreau2769aa02007-12-27 18:26:09 +01005089 Example :
5090 # The servers will accept between 100 and 1000 concurrent connections each
5091 # and the maximum of 1000 will be reached when the backend reaches 10000
5092 # connections.
5093 backend dynamic
5094 fullconn 10000
5095 server srv1 dyn1:80 minconn 100 maxconn 1000
5096 server srv2 dyn2:80 minconn 100 maxconn 1000
5097
5098 See also : "maxconn", "server"
5099
5100
Willy Tarreauab0a5192020-10-09 19:07:01 +02005101grace <time> (deprecated)
Willy Tarreau2769aa02007-12-27 18:26:09 +01005102 Maintain a proxy operational for some time after a soft stop
5103 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01005104 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01005105 Arguments :
5106 <time> is the time (by default in milliseconds) for which the instance
5107 will remain operational with the frontend sockets still listening
5108 when a soft-stop is received via the SIGUSR1 signal.
5109
5110 This may be used to ensure that the services disappear in a certain order.
5111 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005112 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01005113 needed by the equipment to detect the failure.
5114
5115 Note that currently, there is very little benefit in using this parameter,
5116 and it may in fact complicate the soft-reconfiguration process more than
5117 simplify it.
5118
Willy Tarreau0ba27502007-12-24 16:55:16 +01005119
Andrew Rodland17be45e2016-10-25 17:04:12 -04005120hash-balance-factor <factor>
5121 Specify the balancing factor for bounded-load consistent hashing
5122 May be used in sections : defaults | frontend | listen | backend
5123 yes | no | no | yes
5124 Arguments :
5125 <factor> is the control for the maximum number of concurrent requests to
5126 send to a server, expressed as a percentage of the average number
Frédéric Lécaille93d33162019-03-06 09:35:59 +01005127 of concurrent requests across all of the active servers.
Andrew Rodland17be45e2016-10-25 17:04:12 -04005128
5129 Specifying a "hash-balance-factor" for a server with "hash-type consistent"
5130 enables an algorithm that prevents any one server from getting too many
5131 requests at once, even if some hash buckets receive many more requests than
5132 others. Setting <factor> to 0 (the default) disables the feature. Otherwise,
5133 <factor> is a percentage greater than 100. For example, if <factor> is 150,
5134 then no server will be allowed to have a load more than 1.5 times the average.
5135 If server weights are used, they will be respected.
5136
5137 If the first-choice server is disqualified, the algorithm will choose another
5138 server based on the request hash, until a server with additional capacity is
5139 found. A higher <factor> allows more imbalance between the servers, while a
5140 lower <factor> means that more servers will be checked on average, affecting
5141 performance. Reasonable values are from 125 to 200.
5142
Willy Tarreau760e81d2018-05-03 07:20:40 +02005143 This setting is also used by "balance random" which internally relies on the
5144 consistent hashing mechanism.
5145
Andrew Rodland17be45e2016-10-25 17:04:12 -04005146 See also : "balance" and "hash-type".
5147
5148
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05005149hash-type <method> <function> <modifier>
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02005150 Specify a method to use for mapping hashes to servers
5151 May be used in sections : defaults | frontend | listen | backend
5152 yes | no | yes | yes
5153 Arguments :
Bhaskar98634f02013-10-29 23:30:51 -04005154 <method> is the method used to select a server from the hash computed by
5155 the <function> :
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02005156
Bhaskar98634f02013-10-29 23:30:51 -04005157 map-based the hash table is a static array containing all alive servers.
5158 The hashes will be very smooth, will consider weights, but
5159 will be static in that weight changes while a server is up
5160 will be ignored. This means that there will be no slow start.
5161 Also, since a server is selected by its position in the array,
5162 most mappings are changed when the server count changes. This
5163 means that when a server goes up or down, or when a server is
5164 added to a farm, most connections will be redistributed to
5165 different servers. This can be inconvenient with caches for
5166 instance.
Willy Tarreau798a39c2010-11-24 15:04:29 +01005167
Bhaskar98634f02013-10-29 23:30:51 -04005168 consistent the hash table is a tree filled with many occurrences of each
5169 server. The hash key is looked up in the tree and the closest
5170 server is chosen. This hash is dynamic, it supports changing
5171 weights while the servers are up, so it is compatible with the
5172 slow start feature. It has the advantage that when a server
5173 goes up or down, only its associations are moved. When a
5174 server is added to the farm, only a few part of the mappings
5175 are redistributed, making it an ideal method for caches.
5176 However, due to its principle, the distribution will never be
5177 very smooth and it may sometimes be necessary to adjust a
5178 server's weight or its ID to get a more balanced distribution.
5179 In order to get the same distribution on multiple load
5180 balancers, it is important that all servers have the exact
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05005181 same IDs. Note: consistent hash uses sdbm and avalanche if no
5182 hash function is specified.
Bhaskar98634f02013-10-29 23:30:51 -04005183
5184 <function> is the hash function to be used :
5185
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005186 sdbm this function was created initially for sdbm (a public-domain
Bhaskar98634f02013-10-29 23:30:51 -04005187 reimplementation of ndbm) database library. It was found to do
5188 well in scrambling bits, causing better distribution of the keys
5189 and fewer splits. It also happens to be a good general hashing
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05005190 function with good distribution, unless the total server weight
5191 is a multiple of 64, in which case applying the avalanche
5192 modifier may help.
Bhaskar98634f02013-10-29 23:30:51 -04005193
5194 djb2 this function was first proposed by Dan Bernstein many years ago
5195 on comp.lang.c. Studies have shown that for certain workload this
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05005196 function provides a better distribution than sdbm. It generally
5197 works well with text-based inputs though it can perform extremely
5198 poorly with numeric-only input or when the total server weight is
5199 a multiple of 33, unless the avalanche modifier is also used.
5200
Daniel Corbett9f0843f2021-05-08 10:50:37 -04005201 wt6 this function was designed for HAProxy while testing other
Willy Tarreaua0f42712013-11-14 14:30:35 +01005202 functions in the past. It is not as smooth as the other ones, but
5203 is much less sensible to the input data set or to the number of
5204 servers. It can make sense as an alternative to sdbm+avalanche or
5205 djb2+avalanche for consistent hashing or when hashing on numeric
5206 data such as a source IP address or a visitor identifier in a URL
5207 parameter.
5208
Willy Tarreau324f07f2015-01-20 19:44:50 +01005209 crc32 this is the most common CRC32 implementation as used in Ethernet,
5210 gzip, PNG, etc. It is slower than the other ones but may provide
5211 a better distribution or less predictable results especially when
5212 used on strings.
5213
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05005214 <modifier> indicates an optional method applied after hashing the key :
5215
5216 avalanche This directive indicates that the result from the hash
5217 function above should not be used in its raw form but that
5218 a 4-byte full avalanche hash must be applied first. The
5219 purpose of this step is to mix the resulting bits from the
5220 previous hash in order to avoid any undesired effect when
5221 the input contains some limited values or when the number of
5222 servers is a multiple of one of the hash's components (64
5223 for SDBM, 33 for DJB2). Enabling avalanche tends to make the
5224 result less predictable, but it's also not as smooth as when
5225 using the original function. Some testing might be needed
5226 with some workloads. This hash is one of the many proposed
5227 by Bob Jenkins.
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02005228
Bhaskar98634f02013-10-29 23:30:51 -04005229 The default hash type is "map-based" and is recommended for most usages. The
5230 default function is "sdbm", the selection of a function should be based on
5231 the range of the values being hashed.
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02005232
Andrew Rodland17be45e2016-10-25 17:04:12 -04005233 See also : "balance", "hash-balance-factor", "server"
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02005234
5235
Christopher Faulet6d0c3df2020-01-22 09:26:35 +01005236http-after-response <action> <options...> [ { if | unless } <condition> ]
5237 Access control for all Layer 7 responses (server, applet/service and internal
5238 ones).
5239
5240 May be used in sections: defaults | frontend | listen | backend
5241 no | yes | yes | yes
5242
5243 The http-after-response statement defines a set of rules which apply to layer
5244 7 processing. The rules are evaluated in their declaration order when they
5245 are met in a frontend, listen or backend section. Any rule may optionally be
5246 followed by an ACL-based condition, in which case it will only be evaluated
5247 if the condition is true. Since these rules apply on responses, the backend
5248 rules are applied first, followed by the frontend's rules.
5249
5250 Unlike http-response rules, these ones are applied on all responses, the
5251 server ones but also to all responses generated by HAProxy. These rules are
5252 evaluated at the end of the responses analysis, before the data forwarding.
5253
5254 The first keyword is the rule's action. The supported actions are described
5255 below.
5256
5257 There is no limit to the number of http-after-response statements per
5258 instance.
5259
Christopher Fauletd5ac6de2020-12-02 08:40:14 +01005260 Note: Errors emitted in early stage of the request parsing are handled by the
5261 multiplexer at a lower level, before any http analysis. Thus no
5262 http-after-response ruleset is evaluated on these errors.
5263
Christopher Faulet6d0c3df2020-01-22 09:26:35 +01005264 Example:
5265 http-after-response set-header Strict-Transport-Security "max-age=31536000"
5266 http-after-response set-header Cache-Control "no-store,no-cache,private"
5267 http-after-response set-header Pragma "no-cache"
5268
5269http-after-response add-header <name> <fmt> [ { if | unless } <condition> ]
5270
5271 This appends an HTTP header field whose name is specified in <name> and whose
5272 value is defined by <fmt> which follows the log-format rules (see Custom Log
5273 Format in section 8.2.4). This may be used to send a cookie to a client for
5274 example, or to pass some internal information.
5275 This rule is not final, so it is possible to add other similar rules.
5276 Note that header addition is performed immediately, so one rule might reuse
5277 the resulting header from a previous rule.
5278
5279http-after-response allow [ { if | unless } <condition> ]
5280
5281 This stops the evaluation of the rules and lets the response pass the check.
5282 No further "http-after-response" rules are evaluated.
5283
Maciej Zdebebdd4c52020-11-20 13:58:48 +00005284http-after-response del-header <name> [ -m <meth> ] [ { if | unless } <condition> ]
Christopher Faulet6d0c3df2020-01-22 09:26:35 +01005285
Maciej Zdebebdd4c52020-11-20 13:58:48 +00005286 This removes all HTTP header fields whose name is specified in <name>. <meth>
5287 is the matching method, applied on the header name. Supported matching methods
5288 are "str" (exact match), "beg" (prefix match), "end" (suffix match), "sub"
5289 (substring match) and "reg" (regex match). If not specified, exact matching
5290 method is used.
Christopher Faulet6d0c3df2020-01-22 09:26:35 +01005291
5292http-after-response replace-header <name> <regex-match> <replace-fmt>
5293 [ { if | unless } <condition> ]
5294
5295 This works like "http-response replace-header".
5296
5297 Example:
5298 http-after-response replace-header Set-Cookie (C=[^;]*);(.*) \1;ip=%bi;\2
5299
5300 # applied to:
5301 Set-Cookie: C=1; expires=Tue, 14-Jun-2016 01:40:45 GMT
5302
5303 # outputs:
5304 Set-Cookie: C=1;ip=192.168.1.20; expires=Tue, 14-Jun-2016 01:40:45 GMT
5305
5306 # assuming the backend IP is 192.168.1.20.
5307
5308http-after-response replace-value <name> <regex-match> <replace-fmt>
5309 [ { if | unless } <condition> ]
5310
5311 This works like "http-response replace-value".
5312
5313 Example:
5314 http-after-response replace-value Cache-control ^public$ private
5315
5316 # applied to:
5317 Cache-Control: max-age=3600, public
5318
5319 # outputs:
5320 Cache-Control: max-age=3600, private
5321
5322http-after-response set-header <name> <fmt> [ { if | unless } <condition> ]
5323
5324 This does the same as "add-header" except that the header name is first
5325 removed if it existed. This is useful when passing security information to
5326 the server, where the header must not be manipulated by external users.
5327
5328http-after-response set-status <status> [reason <str>]
5329 [ { if | unless } <condition> ]
5330
5331 This replaces the response status code with <status> which must be an integer
5332 between 100 and 999. Optionally, a custom reason text can be provided defined
5333 by <str>, or the default reason for the specified code will be used as a
5334 fallback.
5335
5336 Example:
5337 # return "431 Request Header Fields Too Large"
5338 http-response set-status 431
5339 # return "503 Slow Down", custom reason
5340 http-response set-status 503 reason "Slow Down"
5341
5342http-after-response set-var(<var-name>) <expr> [ { if | unless } <condition> ]
5343
5344 This is used to set the contents of a variable. The variable is declared
5345 inline.
5346
5347 Arguments:
5348 <var-name> The name of the variable starts with an indication about its
5349 scope. The scopes allowed are:
5350 "proc" : the variable is shared with the whole process
5351 "sess" : the variable is shared with the whole session
5352 "txn" : the variable is shared with the transaction
5353 (request and response)
5354 "req" : the variable is shared only during request
5355 processing
5356 "res" : the variable is shared only during response
5357 processing
5358 This prefix is followed by a name. The separator is a '.'.
5359 The name may only contain characters 'a-z', 'A-Z', '0-9', '.'
5360 and '_'.
5361
5362 <expr> Is a standard HAProxy expression formed by a sample-fetch
5363 followed by some converters.
5364
5365 Example:
5366 http-after-response set-var(sess.last_redir) res.hdr(location)
5367
5368http-after-response strict-mode { on | off }
5369
5370 This enables or disables the strict rewriting mode for following rules. It
5371 does not affect rules declared before it and it is only applicable on rules
5372 performing a rewrite on the responses. When the strict mode is enabled, any
5373 rewrite failure triggers an internal error. Otherwise, such errors are
5374 silently ignored. The purpose of the strict rewriting mode is to make some
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05005375 rewrites optional while others must be performed to continue the response
Christopher Faulet6d0c3df2020-01-22 09:26:35 +01005376 processing.
5377
5378 By default, the strict rewriting mode is enabled. Its value is also reset
5379 when a ruleset evaluation ends. So, for instance, if you change the mode on
Daniel Corbett67a82712020-07-06 23:01:19 -04005380 the backend, the default mode is restored when HAProxy starts the frontend
Christopher Faulet6d0c3df2020-01-22 09:26:35 +01005381 rules evaluation.
5382
5383http-after-response unset-var(<var-name>) [ { if | unless } <condition> ]
5384
5385 This is used to unset a variable. See "http-after-response set-var" for
5386 details about <var-name>.
5387
5388 Example:
5389 http-after-response unset-var(sess.last_redir)
5390
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02005391
5392http-check comment <string>
5393 Defines a comment for the following the http-check rule, reported in logs if
5394 it fails.
5395 May be used in sections : defaults | frontend | listen | backend
5396 yes | no | yes | yes
5397
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02005398 Arguments :
5399 <string> is the comment message to add in logs if the following http-check
5400 rule fails.
5401
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005402 It only works for connect, send and expect rules. It is useful to make
5403 user-friendly error reporting.
5404
Daniel Corbett67a82712020-07-06 23:01:19 -04005405 See also : "option httpchk", "http-check connect", "http-check send" and
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02005406 "http-check expect".
5407
5408
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005409http-check connect [default] [port <expr>] [addr <ip>] [send-proxy]
5410 [via-socks4] [ssl] [sni <sni>] [alpn <alpn>] [linger]
Christopher Fauletedc6ed92020-04-23 16:27:59 +02005411 [proto <name>] [comment <msg>]
Christopher Faulete5870d82020-04-15 11:32:03 +02005412 Opens a new connection to perform an HTTP health check
5413 May be used in sections : defaults | frontend | listen | backend
5414 yes | no | yes | yes
5415
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005416 Arguments :
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02005417 comment <msg> defines a message to report if the rule evaluation fails.
5418
Christopher Faulete5870d82020-04-15 11:32:03 +02005419 default Use default options of the server line to do the health
Daniel Corbett67a82712020-07-06 23:01:19 -04005420 checks. The server options are used only if not redefined.
Christopher Faulete5870d82020-04-15 11:32:03 +02005421
5422 port <expr> if not set, check port or server port is used.
5423 It tells HAProxy where to open the connection to.
5424 <port> must be a valid TCP port source integer, from 1 to
5425 65535 or an sample-fetch expression.
5426
5427 addr <ip> defines the IP address to do the health check.
5428
5429 send-proxy send a PROXY protocol string
5430
5431 via-socks4 enables outgoing health checks using upstream socks4 proxy.
5432
5433 ssl opens a ciphered connection
5434
5435 sni <sni> specifies the SNI to use to do health checks over SSL.
5436
5437 alpn <alpn> defines which protocols to advertise with ALPN. The protocol
5438 list consists in a comma-delimited list of protocol names,
5439 for instance: "h2,http/1.1". If it is not set, the server ALPN
5440 is used.
5441
Christopher Fauletedc6ed92020-04-23 16:27:59 +02005442 proto <name> forces the multiplexer's protocol to use for this connection.
5443 It must be an HTTP mux protocol and it must be usable on the
5444 backend side. The list of available protocols is reported in
5445 haproxy -vv.
5446
Christopher Faulete5870d82020-04-15 11:32:03 +02005447 linger cleanly close the connection instead of using a single RST.
5448
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005449 Just like tcp-check health checks, it is possible to configure the connection
5450 to use to perform HTTP health check. This directive should also be used to
5451 describe a scenario involving several request/response exchanges, possibly on
5452 different ports or with different servers.
5453
5454 When there are no TCP port configured on the server line neither server port
5455 directive, then the first step of the http-check sequence must be to specify
5456 the port with a "http-check connect".
5457
5458 In an http-check ruleset a 'connect' is required, it is also mandatory to start
5459 the ruleset with a 'connect' rule. Purpose is to ensure admin know what they
5460 do.
5461
5462 When a connect must start the ruleset, if may still be preceded by set-var,
5463 unset-var or comment rules.
5464
5465 Examples :
Christopher Faulete5870d82020-04-15 11:32:03 +02005466 # check HTTP and HTTPs services on a server.
5467 # first open port 80 thanks to server line port directive, then
5468 # tcp-check opens port 443, ciphered and run a request on it:
5469 option httpchk
5470
5471 http-check connect
Christopher Fauleta5c14ef2020-04-29 14:19:13 +02005472 http-check send meth GET uri / ver HTTP/1.1 hdr host haproxy.1wt.eu
Christopher Faulet8021a5f2020-04-24 13:53:12 +02005473 http-check expect status 200-399
Christopher Faulete5870d82020-04-15 11:32:03 +02005474 http-check connect port 443 ssl sni haproxy.1wt.eu
Christopher Fauleta5c14ef2020-04-29 14:19:13 +02005475 http-check send meth GET uri / ver HTTP/1.1 hdr host haproxy.1wt.eu
Christopher Faulet8021a5f2020-04-24 13:53:12 +02005476 http-check expect status 200-399
Christopher Faulete5870d82020-04-15 11:32:03 +02005477
5478 server www 10.0.0.1 check port 80
5479
5480 See also : "option httpchk", "http-check send", "http-check expect"
Christopher Faulet6d0c3df2020-01-22 09:26:35 +01005481
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005482
Willy Tarreau0ba27502007-12-24 16:55:16 +01005483http-check disable-on-404
5484 Enable a maintenance mode upon HTTP/404 response to health-checks
5485 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01005486 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01005487 Arguments : none
5488
5489 When this option is set, a server which returns an HTTP code 404 will be
5490 excluded from further load-balancing, but will still receive persistent
5491 connections. This provides a very convenient method for Web administrators
5492 to perform a graceful shutdown of their servers. It is also important to note
5493 that a server which is detected as failed while it was in this mode will not
5494 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
5495 will immediately be reinserted into the farm. The status on the stats page
5496 reports "NOLB" for a server in this mode. It is important to note that this
Willy Tarreaubd741542010-03-16 18:46:54 +01005497 option only works in conjunction with the "httpchk" option. If this option
5498 is used with "http-check expect", then it has precedence over it so that 404
Christopher Fauletfa8b89a2020-11-20 18:54:13 +01005499 responses will still be considered as soft-stop. Note also that a stopped
5500 server will stay stopped even if it replies 404s. This option is only
5501 evaluated for running servers.
Willy Tarreaubd741542010-03-16 18:46:54 +01005502
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005503 See also : "option httpchk" and "http-check expect".
Willy Tarreaubd741542010-03-16 18:46:54 +01005504
5505
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02005506http-check expect [min-recv <int>] [comment <msg>]
Christopher Faulete5870d82020-04-15 11:32:03 +02005507 [ok-status <st>] [error-status <st>] [tout-status <st>]
5508 [on-success <fmt>] [on-error <fmt>] [status-code <expr>]
5509 [!] <match> <pattern>
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005510 Make HTTP health checks consider response contents or specific status codes
Willy Tarreaubd741542010-03-16 18:46:54 +01005511 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau1ee51a62011-08-19 20:04:17 +02005512 yes | no | yes | yes
Christopher Faulete5870d82020-04-15 11:32:03 +02005513
Willy Tarreaubd741542010-03-16 18:46:54 +01005514 Arguments :
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02005515 comment <msg> defines a message to report if the rule evaluation fails.
5516
Christopher Faulete5870d82020-04-15 11:32:03 +02005517 min-recv is optional and can define the minimum amount of data required to
5518 evaluate the current expect rule. If the number of received bytes
5519 is under this limit, the check will wait for more data. This
5520 option can be used to resolve some ambiguous matching rules or to
5521 avoid executing costly regex matches on content known to be still
5522 incomplete. If an exact string is used, the minimum between the
5523 string length and this parameter is used. This parameter is
5524 ignored if it is set to -1. If the expect rule does not match,
5525 the check will wait for more data. If set to 0, the evaluation
5526 result is always conclusive.
5527
5528 ok-status <st> is optional and can be used to set the check status if
5529 the expect rule is successfully evaluated and if it is
5530 the last rule in the tcp-check ruleset. "L7OK", "L7OKC",
Christopher Fauletd888f0f2020-05-07 07:40:17 +02005531 "L6OK" and "L4OK" are supported :
5532 - L7OK : check passed on layer 7
Christopher Faulet83662b52020-11-20 17:47:47 +01005533 - L7OKC : check conditionally passed on layer 7, set
5534 server to NOLB state.
Christopher Fauletd888f0f2020-05-07 07:40:17 +02005535 - L6OK : check passed on layer 6
5536 - L4OK : check passed on layer 4
5537 By default "L7OK" is used.
Christopher Faulete5870d82020-04-15 11:32:03 +02005538
5539 error-status <st> is optional and can be used to set the check status if
5540 an error occurred during the expect rule evaluation.
Christopher Faulet83662b52020-11-20 17:47:47 +01005541 "L7OKC", "L7RSP", "L7STS", "L6RSP" and "L4CON" are
5542 supported :
5543 - L7OKC : check conditionally passed on layer 7, set
5544 server to NOLB state.
Christopher Fauletd888f0f2020-05-07 07:40:17 +02005545 - L7RSP : layer 7 invalid response - protocol error
5546 - L7STS : layer 7 response error, for example HTTP 5xx
5547 - L6RSP : layer 6 invalid response - protocol error
5548 - L4CON : layer 1-4 connection problem
5549 By default "L7RSP" is used.
Christopher Faulete5870d82020-04-15 11:32:03 +02005550
5551 tout-status <st> is optional and can be used to set the check status if
5552 a timeout occurred during the expect rule evaluation.
Christopher Fauletd888f0f2020-05-07 07:40:17 +02005553 "L7TOUT", "L6TOUT", and "L4TOUT" are supported :
5554 - L7TOUT : layer 7 (HTTP/SMTP) timeout
5555 - L6TOUT : layer 6 (SSL) timeout
5556 - L4TOUT : layer 1-4 timeout
Christopher Faulete5870d82020-04-15 11:32:03 +02005557 By default "L7TOUT" is used.
5558
5559 on-success <fmt> is optional and can be used to customize the
5560 informational message reported in logs if the expect
5561 rule is successfully evaluated and if it is the last rule
5562 in the tcp-check ruleset. <fmt> is a log-format string.
5563
5564 on-error <fmt> is optional and can be used to customize the
5565 informational message reported in logs if an error
5566 occurred during the expect rule evaluation. <fmt> is a
5567 log-format string.
5568
Willy Tarreaubd741542010-03-16 18:46:54 +01005569 <match> is a keyword indicating how to look for a specific pattern in the
Christopher Fauletb5594262020-05-05 20:23:13 +02005570 response. The keyword may be one of "status", "rstatus", "hdr",
5571 "fhdr", "string", or "rstring". The keyword may be preceded by an
Willy Tarreaubd741542010-03-16 18:46:54 +01005572 exclamation mark ("!") to negate the match. Spaces are allowed
5573 between the exclamation mark and the keyword. See below for more
5574 details on the supported keywords.
5575
Christopher Faulet39708192020-05-05 10:47:36 +02005576 <pattern> is the pattern to look for. It may be a string, a regular
5577 expression or a more complex pattern with several arguments. If
5578 the string pattern contains spaces, they must be escaped with the
5579 usual backslash ('\').
Willy Tarreaubd741542010-03-16 18:46:54 +01005580
5581 By default, "option httpchk" considers that response statuses 2xx and 3xx
5582 are valid, and that others are invalid. When "http-check expect" is used,
5583 it defines what is considered valid or invalid. Only one "http-check"
5584 statement is supported in a backend. If a server fails to respond or times
5585 out, the check obviously fails. The available matches are :
5586
Christopher Faulet8021a5f2020-04-24 13:53:12 +02005587 status <codes> : test the status codes found parsing <codes> string. it
5588 must be a comma-separated list of status codes or range
5589 codes. A health check response will be considered as
5590 valid if the response's status code matches any status
5591 code or is inside any range of the list. If the "status"
5592 keyword is prefixed with "!", then the response will be
5593 considered invalid if the status code matches.
Willy Tarreaubd741542010-03-16 18:46:54 +01005594
5595 rstatus <regex> : test a regular expression for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005596 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01005597 response's status code matches the expression. If the
5598 "rstatus" keyword is prefixed with "!", then the response
5599 will be considered invalid if the status code matches.
5600 This is mostly used to check for multiple codes.
5601
Christopher Fauletb5594262020-05-05 20:23:13 +02005602 hdr { name | name-lf } [ -m <meth> ] <name>
5603 [ { value | value-lf } [ -m <meth> ] <value> :
Christopher Faulet39708192020-05-05 10:47:36 +02005604 test the specified header pattern on the HTTP response
5605 headers. The name pattern is mandatory but the value
5606 pattern is optional. If not specified, only the header
5607 presence is verified. <meth> is the matching method,
5608 applied on the header name or the header value. Supported
5609 matching methods are "str" (exact match), "beg" (prefix
5610 match), "end" (suffix match), "sub" (substring match) or
5611 "reg" (regex match). If not specified, exact matching
Christopher Fauletb5594262020-05-05 20:23:13 +02005612 method is used. If the "name-lf" parameter is used,
5613 <name> is evaluated as a log-format string. If "value-lf"
5614 parameter is used, <value> is evaluated as a log-format
5615 string. These parameters cannot be used with the regex
5616 matching method. Finally, the header value is considered
5617 as comma-separated list. Note that matchings are case
5618 insensitive on the header names.
5619
5620 fhdr { name | name-lf } [ -m <meth> ] <name>
5621 [ { value | value-lf } [ -m <meth> ] <value> :
5622 test the specified full header pattern on the HTTP
5623 response headers. It does exactly the same than "hdr"
5624 keyword, except the full header value is tested, commas
5625 are not considered as delimiters.
Christopher Faulet39708192020-05-05 10:47:36 +02005626
Willy Tarreaubd741542010-03-16 18:46:54 +01005627 string <string> : test the exact string match in the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005628 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01005629 response's body contains this exact string. If the
5630 "string" keyword is prefixed with "!", then the response
5631 will be considered invalid if the body contains this
5632 string. This can be used to look for a mandatory word at
5633 the end of a dynamic page, or to detect a failure when a
Davor Ocelice9ed2812017-12-25 17:49:28 +01005634 specific error appears on the check page (e.g. a stack
Willy Tarreaubd741542010-03-16 18:46:54 +01005635 trace).
5636
5637 rstring <regex> : test a regular expression on the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005638 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01005639 response's body matches this expression. If the "rstring"
5640 keyword is prefixed with "!", then the response will be
5641 considered invalid if the body matches the expression.
5642 This can be used to look for a mandatory word at the end
5643 of a dynamic page, or to detect a failure when a specific
Davor Ocelice9ed2812017-12-25 17:49:28 +01005644 error appears on the check page (e.g. a stack trace).
Willy Tarreaubd741542010-03-16 18:46:54 +01005645
Christopher Fauletaaab0832020-05-05 15:54:22 +02005646 string-lf <fmt> : test a log-format string match in the HTTP response body.
5647 A health check response will be considered valid if the
5648 response's body contains the string resulting of the
5649 evaluation of <fmt>, which follows the log-format rules.
5650 If prefixed with "!", then the response will be
5651 considered invalid if the body contains the string.
5652
Willy Tarreaubd741542010-03-16 18:46:54 +01005653 It is important to note that the responses will be limited to a certain size
Christopher Fauletbb9fb8b2020-11-25 17:20:57 +01005654 defined by the global "tune.bufsize" option, which defaults to 16384 bytes.
Willy Tarreaubd741542010-03-16 18:46:54 +01005655 Thus, too large responses may not contain the mandatory pattern when using
5656 "string" or "rstring". If a large response is absolutely required, it is
5657 possible to change the default max size by setting the global variable.
5658 However, it is worth keeping in mind that parsing very large responses can
5659 waste some CPU cycles, especially when regular expressions are used, and that
5660 it is always better to focus the checks on smaller resources.
5661
Christopher Faulete5870d82020-04-15 11:32:03 +02005662 In an http-check ruleset, the last expect rule may be implicit. If no expect
5663 rule is specified after the last "http-check send", an implicit expect rule
5664 is defined to match on 2xx or 3xx status codes. It means this rule is also
5665 defined if there is no "http-check" rule at all, when only "option httpchk"
5666 is set.
Cyril Bonté32602d22015-01-30 00:07:07 +01005667
Willy Tarreaubd741542010-03-16 18:46:54 +01005668 Last, if "http-check expect" is combined with "http-check disable-on-404",
5669 then this last one has precedence when the server responds with 404.
5670
5671 Examples :
5672 # only accept status 200 as valid
Christopher Faulet8021a5f2020-04-24 13:53:12 +02005673 http-check expect status 200,201,300-310
Willy Tarreaubd741542010-03-16 18:46:54 +01005674
Christopher Faulet39708192020-05-05 10:47:36 +02005675 # be sure a sessid coookie is set
5676 http-check expect header name "set-cookie" value -m beg "sessid="
5677
Willy Tarreaubd741542010-03-16 18:46:54 +01005678 # consider SQL errors as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01005679 http-check expect ! string SQL\ Error
Willy Tarreaubd741542010-03-16 18:46:54 +01005680
5681 # consider status 5xx only as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01005682 http-check expect ! rstatus ^5
Willy Tarreaubd741542010-03-16 18:46:54 +01005683
5684 # check that we have a correct hexadecimal tag before /html
Jarno Huuskonene5ae7022017-04-03 14:36:21 +03005685 http-check expect rstring <!--tag:[0-9a-f]*--></html>
Willy Tarreau0ba27502007-12-24 16:55:16 +01005686
Christopher Faulete5870d82020-04-15 11:32:03 +02005687 See also : "option httpchk", "http-check connect", "http-check disable-on-404"
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005688 and "http-check send".
Willy Tarreau2769aa02007-12-27 18:26:09 +01005689
5690
Christopher Faulet7c95f5f2020-05-06 15:06:34 +02005691http-check send [meth <method>] [{ uri <uri> | uri-lf <fmt> }>] [ver <version>]
Christopher Faulet574e7bd2020-05-06 15:38:58 +02005692 [hdr <name> <fmt>]* [{ body <string> | body-lf <fmt> }]
5693 [comment <msg>]
Christopher Faulet8acb1282020-04-09 08:44:06 +02005694 Add a possible list of headers and/or a body to the request sent during HTTP
5695 health checks.
5696 May be used in sections : defaults | frontend | listen | backend
5697 yes | no | yes | yes
5698 Arguments :
Christopher Faulet4f5c2e22020-04-23 15:22:33 +02005699 comment <msg> defines a message to report if the rule evaluation fails.
5700
Christopher Faulete5870d82020-04-15 11:32:03 +02005701 meth <method> is the optional HTTP method used with the requests. When not
5702 set, the "OPTIONS" method is used, as it generally requires
5703 low server processing and is easy to filter out from the
5704 logs. Any method may be used, though it is not recommended
5705 to invent non-standard ones.
5706
Christopher Faulet7c95f5f2020-05-06 15:06:34 +02005707 uri <uri> is optional and set the URI referenced in the HTTP requests
5708 to the string <uri>. It defaults to "/" which is accessible
5709 by default on almost any server, but may be changed to any
5710 other URI. Query strings are permitted.
5711
5712 uri-lf <fmt> is optional and set the URI referenced in the HTTP requests
5713 using the log-format string <fmt>. It defaults to "/" which
5714 is accessible by default on almost any server, but may be
5715 changed to any other URI. Query strings are permitted.
Christopher Faulet8acb1282020-04-09 08:44:06 +02005716
Christopher Faulet907701b2020-04-28 09:37:00 +02005717 ver <version> is the optional HTTP version string. It defaults to
Christopher Faulete5870d82020-04-15 11:32:03 +02005718 "HTTP/1.0" but some servers might behave incorrectly in HTTP
Daniel Corbett67a82712020-07-06 23:01:19 -04005719 1.0, so turning it to HTTP/1.1 may sometimes help. Note that
Christopher Faulete5870d82020-04-15 11:32:03 +02005720 the Host field is mandatory in HTTP/1.1, use "hdr" argument
5721 to add it.
5722
5723 hdr <name> <fmt> adds the HTTP header field whose name is specified in
5724 <name> and whose value is defined by <fmt>, which follows
5725 to the log-format rules.
5726
5727 body <string> add the body defined by <string> to the request sent during
5728 HTTP health checks. If defined, the "Content-Length" header
5729 is thus automatically added to the request.
Christopher Faulet8acb1282020-04-09 08:44:06 +02005730
Christopher Faulet574e7bd2020-05-06 15:38:58 +02005731 body-lf <fmt> add the body defined by the log-format string <fmt> to the
5732 request sent during HTTP health checks. If defined, the
5733 "Content-Length" header is thus automatically added to the
5734 request.
5735
Christopher Faulet8acb1282020-04-09 08:44:06 +02005736 In addition to the request line defined by the "option httpchk" directive,
5737 this one is the valid way to add some headers and optionally a body to the
5738 request sent during HTTP health checks. If a body is defined, the associate
Christopher Faulet9df910c2020-04-29 14:20:47 +02005739 "Content-Length" header is automatically added. Thus, this header or
5740 "Transfer-encoding" header should not be present in the request provided by
5741 "http-check send". If so, it will be ignored. The old trick consisting to add
5742 headers after the version string on the "option httpchk" line is now
Amaury Denoyelle6d975f02020-12-22 14:08:52 +01005743 deprecated.
Christopher Faulet8acb1282020-04-09 08:44:06 +02005744
Christopher Faulete5870d82020-04-15 11:32:03 +02005745 Also "http-check send" doesn't support HTTP keep-alive. Keep in mind that it
Amaury Denoyelle6d975f02020-12-22 14:08:52 +01005746 will automatically append a "Connection: close" header, unless a Connection
5747 header has already already been configured via a hdr entry.
Christopher Faulet9df910c2020-04-29 14:20:47 +02005748
5749 Note that the Host header and the request authority, when both defined, are
5750 automatically synchronized. It means when the HTTP request is sent, when a
5751 Host is inserted in the request, the request authority is accordingly
5752 updated. Thus, don't be surprised if the Host header value overwrites the
5753 configured request authority.
5754
5755 Note also for now, no Host header is automatically added in HTTP/1.1 or above
5756 requests. You should add it explicitly.
Christopher Faulete5870d82020-04-15 11:32:03 +02005757
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005758 See also : "option httpchk", "http-check send-state" and "http-check expect".
Christopher Faulet8acb1282020-04-09 08:44:06 +02005759
5760
Willy Tarreauef781042010-01-27 11:53:01 +01005761http-check send-state
5762 Enable emission of a state header with HTTP health checks
5763 May be used in sections : defaults | frontend | listen | backend
5764 yes | no | yes | yes
5765 Arguments : none
5766
Daniel Corbett9f0843f2021-05-08 10:50:37 -04005767 When this option is set, HAProxy will systematically send a special header
Willy Tarreauef781042010-01-27 11:53:01 +01005768 "X-Haproxy-Server-State" with a list of parameters indicating to each server
Daniel Corbett9f0843f2021-05-08 10:50:37 -04005769 how they are seen by HAProxy. This can be used for instance when a server is
5770 manipulated without access to HAProxy and the operator needs to know whether
5771 HAProxy still sees it up or not, or if the server is the last one in a farm.
Willy Tarreauef781042010-01-27 11:53:01 +01005772
5773 The header is composed of fields delimited by semi-colons, the first of which
5774 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
5775 checks on the total number before transition, just as appears in the stats
5776 interface. Next headers are in the form "<variable>=<value>", indicating in
5777 no specific order some values available in the stats interface :
Joseph Lynch514061c2015-01-15 17:52:59 -08005778 - a variable "address", containing the address of the backend server.
5779 This corresponds to the <address> field in the server declaration. For
5780 unix domain sockets, it will read "unix".
5781
5782 - a variable "port", containing the port of the backend server. This
5783 corresponds to the <port> field in the server declaration. For unix
5784 domain sockets, it will read "unix".
5785
Willy Tarreauef781042010-01-27 11:53:01 +01005786 - a variable "name", containing the name of the backend followed by a slash
5787 ("/") then the name of the server. This can be used when a server is
5788 checked in multiple backends.
5789
Daniel Corbett9f0843f2021-05-08 10:50:37 -04005790 - a variable "node" containing the name of the HAProxy node, as set in the
Willy Tarreauef781042010-01-27 11:53:01 +01005791 global "node" variable, otherwise the system's hostname if unspecified.
5792
5793 - a variable "weight" indicating the weight of the server, a slash ("/")
5794 and the total weight of the farm (just counting usable servers). This
5795 helps to know if other servers are available to handle the load when this
5796 one fails.
5797
5798 - a variable "scur" indicating the current number of concurrent connections
5799 on the server, followed by a slash ("/") then the total number of
5800 connections on all servers of the same backend.
5801
5802 - a variable "qcur" indicating the current number of requests in the
5803 server's queue.
5804
5805 Example of a header received by the application server :
5806 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
5807 scur=13/22; qcur=0
5808
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005809 See also : "option httpchk", "http-check disable-on-404" and
5810 "http-check send".
Willy Tarreauef781042010-01-27 11:53:01 +01005811
Christopher Faulete5870d82020-04-15 11:32:03 +02005812
5813http-check set-var(<var-name>) <expr>
Christopher Faulete5870d82020-04-15 11:32:03 +02005814 This operation sets the content of a variable. The variable is declared inline.
Christopher Faulete5870d82020-04-15 11:32:03 +02005815 May be used in sections: defaults | frontend | listen | backend
5816 yes | no | yes | yes
5817
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005818 Arguments :
Christopher Faulete5870d82020-04-15 11:32:03 +02005819 <var-name> The name of the variable starts with an indication about its
5820 scope. The scopes allowed for http-check are:
5821 "proc" : the variable is shared with the whole process.
5822 "sess" : the variable is shared with the tcp-check session.
5823 "check": the variable is declared for the lifetime of the tcp-check.
5824 This prefix is followed by a name. The separator is a '.'.
5825 The name may only contain characters 'a-z', 'A-Z', '0-9', '.',
5826 and '-'.
5827
5828 <expr> Is a sample-fetch expression potentially followed by converters.
5829
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005830 Examples :
5831 http-check set-var(check.port) int(1234)
Christopher Faulete5870d82020-04-15 11:32:03 +02005832
5833
5834http-check unset-var(<var-name>)
Christopher Faulete5870d82020-04-15 11:32:03 +02005835 Free a reference to a variable within its scope.
Christopher Faulete5870d82020-04-15 11:32:03 +02005836 May be used in sections: defaults | frontend | listen | backend
5837 yes | no | yes | yes
5838
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005839 Arguments :
Christopher Faulete5870d82020-04-15 11:32:03 +02005840 <var-name> The name of the variable starts with an indication about its
5841 scope. The scopes allowed for http-check are:
5842 "proc" : the variable is shared with the whole process.
5843 "sess" : the variable is shared with the tcp-check session.
5844 "check": the variable is declared for the lifetime of the tcp-check.
5845 This prefix is followed by a name. The separator is a '.'.
5846 The name may only contain characters 'a-z', 'A-Z', '0-9', '.',
5847 and '-'.
5848
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02005849 Examples :
5850 http-check unset-var(check.port)
Christopher Faulete5870d82020-04-15 11:32:03 +02005851
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005852
Christopher Faulet3b967c12020-05-15 15:47:44 +02005853http-error status <code> [content-type <type>]
5854 [ { default-errorfiles | errorfile <file> | errorfiles <name> |
5855 file <file> | lf-file <file> | string <str> | lf-string <fmt> } ]
5856 [ hdr <name> <fmt> ]*
5857 Defines a custom error message to use instead of errors generated by HAProxy.
5858 May be used in sections : defaults | frontend | listen | backend
5859 yes | yes | yes | yes
5860 Arguments :
Ilya Shipitsin11057a32020-06-21 21:18:27 +05005861 status <code> is the HTTP status code. It must be specified.
Christopher Faulet3b967c12020-05-15 15:47:44 +02005862 Currently, HAProxy is capable of generating codes
Anthonin Bonnefoy85048f82020-06-22 09:17:01 +02005863 200, 400, 401, 403, 404, 405, 407, 408, 410, 413, 425,
Christopher Faulete095f312020-12-07 11:22:24 +01005864 429, 500, 501, 502, 503, and 504.
Christopher Faulet3b967c12020-05-15 15:47:44 +02005865
5866 content-type <type> is the response content type, for instance
5867 "text/plain". This parameter is ignored and should be
5868 omitted when an errorfile is configured or when the
5869 payload is empty. Otherwise, it must be defined.
5870
5871 default-errorfiles Reset the previously defined error message for current
5872 proxy for the status <code>. If used on a backend, the
5873 frontend error message is used, if defined. If used on
5874 a frontend, the default error message is used.
5875
5876 errorfile <file> designates a file containing the full HTTP response.
5877 It is recommended to follow the common practice of
5878 appending ".http" to the filename so that people do
5879 not confuse the response with HTML error pages, and to
5880 use absolute paths, since files are read before any
5881 chroot is performed.
5882
5883 errorfiles <name> designates the http-errors section to use to import
5884 the error message with the status code <code>. If no
5885 such message is found, the proxy's error messages are
5886 considered.
5887
5888 file <file> specifies the file to use as response payload. If the
5889 file is not empty, its content-type must be set as
5890 argument to "content-type", otherwise, any
5891 "content-type" argument is ignored. <file> is
5892 considered as a raw string.
5893
5894 string <str> specifies the raw string to use as response payload.
5895 The content-type must always be set as argument to
5896 "content-type".
5897
5898 lf-file <file> specifies the file to use as response payload. If the
5899 file is not empty, its content-type must be set as
5900 argument to "content-type", otherwise, any
5901 "content-type" argument is ignored. <file> is
5902 evaluated as a log-format string.
5903
5904 lf-string <str> specifies the log-format string to use as response
5905 payload. The content-type must always be set as
5906 argument to "content-type".
5907
5908 hdr <name> <fmt> adds to the response the HTTP header field whose name
5909 is specified in <name> and whose value is defined by
5910 <fmt>, which follows to the log-format rules.
5911 This parameter is ignored if an errorfile is used.
5912
5913 This directive may be used instead of "errorfile", to define a custom error
5914 message. As "errorfile" directive, it is used for errors detected and
5915 returned by HAProxy. If an errorfile is defined, it is parsed when HAProxy
5916 starts and must be valid according to the HTTP standards. The generated
5917 response must not exceed the configured buffer size (BUFFSIZE), otherwise an
5918 internal error will be returned. Finally, if you consider to use some
5919 http-after-response rules to rewrite these errors, the reserved buffer space
5920 should be available (see "tune.maxrewrite").
5921
5922 The files are read at the same time as the configuration and kept in memory.
5923 For this reason, the errors continue to be returned even when the process is
5924 chrooted, and no file change is considered while the process is running.
5925
Christopher Fauletd5ac6de2020-12-02 08:40:14 +01005926 Note: 400/408/500 errors emitted in early stage of the request parsing are
5927 handled by the multiplexer at a lower level. No custom formatting is
5928 supported at this level. Thus only static error messages, defined with
5929 "errorfile" directive, are supported. However, this limitation only
5930 exists during the request headers parsing or between two transactions.
5931
Christopher Faulet3b967c12020-05-15 15:47:44 +02005932 See also : "errorfile", "errorfiles", "errorloc", "errorloc302",
5933 "errorloc303" and section 3.8 about http-errors.
5934
5935
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005936http-request <action> [options...] [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01005937 Access control for Layer 7 requests
5938
5939 May be used in sections: defaults | frontend | listen | backend
5940 no | yes | yes | yes
5941
Willy Tarreau20b0de52012-12-24 15:45:22 +01005942 The http-request statement defines a set of rules which apply to layer 7
5943 processing. The rules are evaluated in their declaration order when they are
5944 met in a frontend, listen or backend section. Any rule may optionally be
5945 followed by an ACL-based condition, in which case it will only be evaluated
5946 if the condition is true.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01005947
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005948 The first keyword is the rule's action. The supported actions are described
5949 below.
Willy Tarreau20b0de52012-12-24 15:45:22 +01005950
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005951 There is no limit to the number of http-request statements per instance.
Willy Tarreau20b0de52012-12-24 15:45:22 +01005952
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005953 Example:
5954 acl nagios src 192.168.129.3
5955 acl local_net src 192.168.0.0/16
5956 acl auth_ok http_auth(L1)
Willy Tarreau20b0de52012-12-24 15:45:22 +01005957
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005958 http-request allow if nagios
5959 http-request allow if local_net auth_ok
5960 http-request auth realm Gimme if local_net auth_ok
5961 http-request deny
Willy Tarreau81499eb2012-12-27 12:19:02 +01005962
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005963 Example:
5964 acl key req.hdr(X-Add-Acl-Key) -m found
5965 acl add path /addacl
5966 acl del path /delacl
Willy Tarreau20b0de52012-12-24 15:45:22 +01005967
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005968 acl myhost hdr(Host) -f myhost.lst
Willy Tarreau20b0de52012-12-24 15:45:22 +01005969
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005970 http-request add-acl(myhost.lst) %[req.hdr(X-Add-Acl-Key)] if key add
5971 http-request del-acl(myhost.lst) %[req.hdr(X-Add-Acl-Key)] if key del
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02005972
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005973 Example:
5974 acl value req.hdr(X-Value) -m found
5975 acl setmap path /setmap
5976 acl delmap path /delmap
Sasha Pachev218f0642014-06-16 12:05:59 -06005977
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005978 use_backend bk_appli if { hdr(Host),map_str(map.lst) -m found }
Sasha Pachev218f0642014-06-16 12:05:59 -06005979
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005980 http-request set-map(map.lst) %[src] %[req.hdr(X-Value)] if setmap value
5981 http-request del-map(map.lst) %[src] if delmap
Sasha Pachev218f0642014-06-16 12:05:59 -06005982
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005983 See also : "stats http-request", section 3.4 about userlists and section 7
5984 about ACL usage.
Sasha Pachev218f0642014-06-16 12:05:59 -06005985
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005986http-request add-acl(<file-name>) <key fmt> [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06005987
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005988 This is used to add a new entry into an ACL. The ACL must be loaded from a
5989 file (even a dummy empty file). The file name of the ACL to be updated is
5990 passed between parentheses. It takes one argument: <key fmt>, which follows
5991 log-format rules, to collect content of the new entry. It performs a lookup
5992 in the ACL before insertion, to avoid duplicated (or more) values. This
5993 lookup is done by a linear search and can be expensive with large lists!
5994 It is the equivalent of the "add acl" command from the stats socket, but can
5995 be triggered by an HTTP request.
Sasha Pachev218f0642014-06-16 12:05:59 -06005996
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005997http-request add-header <name> <fmt> [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06005998
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02005999 This appends an HTTP header field whose name is specified in <name> and
6000 whose value is defined by <fmt> which follows the log-format rules (see
6001 Custom Log Format in section 8.2.4). This is particularly useful to pass
6002 connection-specific information to the server (e.g. the client's SSL
6003 certificate), or to combine several headers into one. This rule is not
6004 final, so it is possible to add other similar rules. Note that header
6005 addition is performed immediately, so one rule might reuse the resulting
6006 header from a previous rule.
Sasha Pachev218f0642014-06-16 12:05:59 -06006007
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006008http-request allow [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06006009
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006010 This stops the evaluation of the rules and lets the request pass the check.
6011 No further "http-request" rules are evaluated.
Sasha Pachev218f0642014-06-16 12:05:59 -06006012
Sasha Pachev218f0642014-06-16 12:05:59 -06006013
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006014http-request auth [realm <realm>] [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06006015
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006016 This stops the evaluation of the rules and immediately responds with an
6017 HTTP 401 or 407 error code to invite the user to present a valid user name
6018 and password. No further "http-request" rules are evaluated. An optional
6019 "realm" parameter is supported, it sets the authentication realm that is
6020 returned with the response (typically the application's name).
Sasha Pachev218f0642014-06-16 12:05:59 -06006021
Christopher Faulet612f2ea2020-05-27 09:57:28 +02006022 The corresponding proxy's error message is used. It may be customized using
6023 an "errorfile" or an "http-error" directive. For 401 responses, all
6024 occurrences of the WWW-Authenticate header are removed and replaced by a new
6025 one with a basic authentication challenge for realm "<realm>". For 407
6026 responses, the same is done on the Proxy-Authenticate header. If the error
6027 message must not be altered, consider to use "http-request return" rule
6028 instead.
6029
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006030 Example:
6031 acl auth_ok http_auth_group(L1) G1
6032 http-request auth unless auth_ok
Sasha Pachev218f0642014-06-16 12:05:59 -06006033
Jarno Huuskonen251a6b72019-01-04 14:05:02 +02006034http-request cache-use <name> [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06006035
Christopher Faulet87f1f3d2019-07-18 14:51:20 +02006036 See section 6.2 about cache setup.
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01006037
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006038http-request capture <sample> [ len <length> | id <id> ]
6039 [ { if | unless } <condition> ]
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01006040
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006041 This captures sample expression <sample> from the request buffer, and
6042 converts it to a string of at most <len> characters. The resulting string is
6043 stored into the next request "capture" slot, so it will possibly appear next
6044 to some captured HTTP headers. It will then automatically appear in the logs,
6045 and it will be possible to extract it using sample fetch rules to feed it
6046 into headers or anything. The length should be limited given that this size
6047 will be allocated for each capture during the whole session life.
6048 Please check section 7.3 (Fetching samples) and "capture request header" for
6049 more information.
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01006050
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006051 If the keyword "id" is used instead of "len", the action tries to store the
6052 captured string in a previously declared capture slot. This is useful to run
6053 captures in backends. The slot id can be declared by a previous directive
Baptiste Assmann19a69b32020-01-16 14:34:22 +01006054 "http-request capture" or with the "declare capture" keyword.
6055
6056 When using this action in a backend, double check that the relevant
6057 frontend(s) have the required capture slots otherwise, this rule will be
6058 ignored at run time. This can't be detected at configuration parsing time
6059 due to HAProxy's ability to dynamically resolve backend name at runtime.
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01006060
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006061http-request del-acl(<file-name>) <key fmt> [ { if | unless } <condition> ]
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01006062
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006063 This is used to delete an entry from an ACL. The ACL must be loaded from a
6064 file (even a dummy empty file). The file name of the ACL to be updated is
6065 passed between parentheses. It takes one argument: <key fmt>, which follows
6066 log-format rules, to collect content of the entry to delete.
6067 It is the equivalent of the "del acl" command from the stats socket, but can
6068 be triggered by an HTTP request.
Willy Tarreaua0dc23f2015-01-22 20:46:11 +01006069
Maciej Zdebebdd4c52020-11-20 13:58:48 +00006070http-request del-header <name> [ -m <meth> ] [ { if | unless } <condition> ]
Willy Tarreauf4c43c12013-06-11 17:01:13 +02006071
Maciej Zdebebdd4c52020-11-20 13:58:48 +00006072 This removes all HTTP header fields whose name is specified in <name>. <meth>
6073 is the matching method, applied on the header name. Supported matching methods
6074 are "str" (exact match), "beg" (prefix match), "end" (suffix match), "sub"
6075 (substring match) and "reg" (regex match). If not specified, exact matching
6076 method is used.
Willy Tarreau9a355ec2013-06-11 17:45:46 +02006077
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006078http-request del-map(<file-name>) <key fmt> [ { if | unless } <condition> ]
Willy Tarreau42cf39e2013-06-11 18:51:32 +02006079
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006080 This is used to delete an entry from a MAP. The MAP must be loaded from a
6081 file (even a dummy empty file). The file name of the MAP to be updated is
6082 passed between parentheses. It takes one argument: <key fmt>, which follows
6083 log-format rules, to collect content of the entry to delete.
6084 It takes one argument: "file name" It is the equivalent of the "del map"
6085 command from the stats socket, but can be triggered by an HTTP request.
Willy Tarreau51347ed2013-06-11 19:34:13 +02006086
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006087http-request deny [deny_status <status>] [ { if | unless } <condition> ]
6088http-request deny [ { status | deny_status } <code>] [content-type <type>]
6089 [ { default-errorfiles | errorfile <file> | errorfiles <name> |
6090 file <file> | lf-file <file> | string <str> | lf-string <fmt> } ]
6091 [ hdr <name> <fmt> ]*
6092 [ { if | unless } <condition> ]
Patrick Hemmer268a7072018-05-11 12:52:31 -04006093
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006094 This stops the evaluation of the rules and immediately rejects the request.
6095 By default an HTTP 403 error is returned. But the response may be customized
6096 using same syntax than "http-request return" rules. Thus, see "http-request
Ilya Shipitsin11057a32020-06-21 21:18:27 +05006097 return" for details. For compatibility purpose, when no argument is defined,
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006098 or only "deny_status", the argument "default-errorfiles" is implied. It means
6099 "http-request deny [deny_status <status>]" is an alias of
6100 "http-request deny [status <status>] default-errorfiles".
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006101 No further "http-request" rules are evaluated.
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006102 See also "http-request return".
Patrick Hemmer268a7072018-05-11 12:52:31 -04006103
Olivier Houchard602bf7d2019-05-10 13:59:15 +02006104http-request disable-l7-retry [ { if | unless } <condition> ]
6105 This disables any attempt to retry the request if it fails for any other
6106 reason than a connection failure. This can be useful for example to make
6107 sure POST requests aren't retried on failure.
6108
Baptiste Assmann333939c2019-01-21 08:34:50 +01006109http-request do-resolve(<var>,<resolvers>,[ipv4,ipv6]) <expr> :
6110
6111 This action performs a DNS resolution of the output of <expr> and stores
6112 the result in the variable <var>. It uses the DNS resolvers section
6113 pointed by <resolvers>.
6114 It is possible to choose a resolution preference using the optional
6115 arguments 'ipv4' or 'ipv6'.
6116 When performing the DNS resolution, the client side connection is on
6117 pause waiting till the end of the resolution.
6118 If an IP address can be found, it is stored into <var>. If any kind of
6119 error occurs, then <var> is not set.
6120 One can use this action to discover a server IP address at run time and
6121 based on information found in the request (IE a Host header).
6122 If this action is used to find the server's IP address (using the
6123 "set-dst" action), then the server IP address in the backend must be set
6124 to 0.0.0.0.
6125
6126 Example:
6127 resolvers mydns
6128 nameserver local 127.0.0.53:53
6129 nameserver google 8.8.8.8:53
6130 timeout retry 1s
6131 hold valid 10s
6132 hold nx 3s
6133 hold other 3s
6134 hold obsolete 0s
6135 accepted_payload_size 8192
6136
6137 frontend fe
6138 bind 10.42.0.1:80
6139 http-request do-resolve(txn.myip,mydns,ipv4) hdr(Host),lower
6140 http-request capture var(txn.myip) len 40
6141
6142 # return 503 when the variable is not set,
6143 # which mean DNS resolution error
6144 use_backend b_503 unless { var(txn.myip) -m found }
6145
6146 default_backend be
6147
6148 backend b_503
6149 # dummy backend used to return 503.
6150 # one can use the errorfile directive to send a nice
6151 # 503 error page to end users
6152
6153 backend be
6154 # rule to prevent HAProxy from reconnecting to services
6155 # on the local network (forged DNS name used to scan the network)
6156 http-request deny if { var(txn.myip) -m ip 127.0.0.0/8 10.0.0.0/8 }
6157 http-request set-dst var(txn.myip)
6158 server clear 0.0.0.0:0
6159
6160 NOTE: Don't forget to set the "protection" rules to ensure HAProxy won't
6161 be used to scan the network or worst won't loop over itself...
6162
Frédéric Lécaille06f5b642018-11-12 11:01:10 +01006163http-request early-hint <name> <fmt> [ { if | unless } <condition> ]
6164
6165 This is used to build an HTTP 103 Early Hints response prior to any other one.
6166 This appends an HTTP header field to this response whose name is specified in
6167 <name> and whose value is defined by <fmt> which follows the log-format rules
6168 (see Custom Log Format in section 8.2.4). This is particularly useful to pass
Frédéric Lécaille3aac1062018-11-13 09:42:13 +01006169 to the client some Link headers to preload resources required to render the
6170 HTML documents.
Frédéric Lécaille06f5b642018-11-12 11:01:10 +01006171
6172 See RFC 8297 for more information.
6173
Tim Duesterhusd371e992021-04-15 21:45:58 +02006174http-request normalize-uri <normalizer> [ { if | unless } <condition> ]
Tim Duesterhusdec1c362021-05-10 17:28:26 +02006175http-request normalize-uri fragment-encode [ { if | unless } <condition> ]
Tim Duesterhusc9e05ab2021-05-10 17:28:25 +02006176http-request normalize-uri fragment-strip [ { if | unless } <condition> ]
Tim Duesterhus5be6ab22021-04-17 11:21:10 +02006177http-request normalize-uri path-merge-slashes [ { if | unless } <condition> ]
Maximilian Maderff3bb8b2021-04-21 00:22:50 +02006178http-request normalize-uri path-strip-dot [ { if | unless } <condition> ]
Tim Duesterhus5be6ab22021-04-17 11:21:10 +02006179http-request normalize-uri path-strip-dotdot [ full ] [ { if | unless } <condition> ]
Tim Duesterhus2e4a18e2021-04-21 21:20:36 +02006180http-request normalize-uri percent-decode-unreserved [ strict ] [ { if | unless } <condition> ]
Tim Duesterhus5be6ab22021-04-17 11:21:10 +02006181http-request normalize-uri percent-to-uppercase [ strict ] [ { if | unless } <condition> ]
6182http-request normalize-uri query-sort-by-name [ { if | unless } <condition> ]
Tim Duesterhusd371e992021-04-15 21:45:58 +02006183
Tim Duesterhusb918a4a2021-04-16 23:52:29 +02006184 Performs normalization of the request's URI.
6185
Tim Duesterhus2963fd32021-04-17 00:24:56 +02006186 URI normalization in HAProxy 2.4 is currently available as an experimental
Amaury Denoyellea9e639a2021-05-06 15:50:12 +02006187 technical preview. As such, it requires the global directive
6188 'expose-experimental-directives' first to be able to invoke it. You should be
6189 prepared that the behavior of normalizers might change to fix possible
6190 issues, possibly breaking proper request processing in your infrastructure.
Tim Duesterhus2963fd32021-04-17 00:24:56 +02006191
Tim Duesterhusb918a4a2021-04-16 23:52:29 +02006192 Each normalizer handles a single type of normalization to allow for a
6193 fine-grained selection of the level of normalization that is appropriate for
6194 the supported backend.
6195
6196 As an example the "path-strip-dotdot" normalizer might be useful for a static
6197 fileserver that directly maps the requested URI to the path within the local
6198 filesystem. However it might break routing of an API that expects a specific
6199 number of segments in the path.
6200
Tim Duesterhus2e4a18e2021-04-21 21:20:36 +02006201 It is important to note that some normalizers might result in unsafe
6202 transformations for broken URIs. It might also be possible that a combination
6203 of normalizers that are safe by themselves results in unsafe transformations
6204 when improperly combined.
6205
6206 As an example the "percent-decode-unreserved" normalizer might result in
6207 unexpected results when a broken URI includes bare percent characters. One
6208 such a broken URI is "/%%36%36" which would be decoded to "/%66" which in
6209 turn is equivalent to "/f". By specifying the "strict" option requests to
6210 such a broken URI would safely be rejected.
6211
Tim Duesterhusb918a4a2021-04-16 23:52:29 +02006212 The following normalizers are available:
Tim Duesterhusd371e992021-04-15 21:45:58 +02006213
Tim Duesterhusdec1c362021-05-10 17:28:26 +02006214 - fragment-encode: Encodes "#" as "%23".
6215
6216 The "fragment-strip" normalizer should be preferred, unless it is known
6217 that broken clients do not correctly encode '#' within the path component.
6218
6219 Example:
6220 - /#foo -> /%23foo
6221
Tim Duesterhusc9e05ab2021-05-10 17:28:25 +02006222 - fragment-strip: Removes the URI's "fragment" component.
6223
6224 According to RFC 3986#3.5 the "fragment" component of an URI should not
6225 be sent, but handled by the User Agent after retrieving a resource.
6226
6227 This normalizer should be applied first to ensure that the fragment is
6228 not interpreted as part of the request's path component.
6229
6230 Example:
6231 - /#foo -> /
6232
Tim Duesterhusd6d33de2021-04-21 21:20:35 +02006233 - path-strip-dot: Removes "/./" segments within the "path" component
6234 (RFC 3986#6.2.2.3).
Maximilian Maderff3bb8b2021-04-21 00:22:50 +02006235
Tim Duesterhus2e4a18e2021-04-21 21:20:36 +02006236 Segments including percent encoded dots ("%2E") will not be detected. Use
6237 the "percent-decode-unreserved" normalizer first if this is undesired.
6238
Tim Duesterhus7a95f412021-04-21 21:20:33 +02006239 Example:
6240 - /. -> /
6241 - /./bar/ -> /bar/
6242 - /a/./a -> /a/a
6243 - /.well-known/ -> /.well-known/ (no change)
Maximilian Maderff3bb8b2021-04-21 00:22:50 +02006244
Tim Duesterhusd6d33de2021-04-21 21:20:35 +02006245 - path-strip-dotdot: Normalizes "/../" segments within the "path" component
6246 (RFC 3986#6.2.2.3).
6247
Tim Duesterhus5be6ab22021-04-17 11:21:10 +02006248 This merges segments that attempt to access the parent directory with
Tim Duesterhus2e4a18e2021-04-21 21:20:36 +02006249 their preceding segment.
6250
6251 Empty segments do not receive special treatment. Use the "merge-slashes"
6252 normalizer first if this is undesired.
6253
6254 Segments including percent encoded dots ("%2E") will not be detected. Use
6255 the "percent-decode-unreserved" normalizer first if this is undesired.
Tim Duesterhus9982fc22021-04-15 21:45:59 +02006256
6257 Example:
6258 - /foo/../ -> /
6259 - /foo/../bar/ -> /bar/
6260 - /foo/bar/../ -> /foo/
6261 - /../bar/ -> /../bar/
Tim Duesterhus560e1a62021-04-15 21:46:00 +02006262 - /bar/../../ -> /../
Tim Duesterhus9982fc22021-04-15 21:45:59 +02006263 - /foo//../ -> /foo/
Tim Duesterhus2e4a18e2021-04-21 21:20:36 +02006264 - /foo/%2E%2E/ -> /foo/%2E%2E/
Tim Duesterhus9982fc22021-04-15 21:45:59 +02006265
Tim Duesterhus560e1a62021-04-15 21:46:00 +02006266 If the "full" option is specified then "../" at the beginning will be
6267 removed as well:
6268
6269 Example:
6270 - /../bar/ -> /bar/
6271 - /bar/../../ -> /
6272
Tim Duesterhus5be6ab22021-04-17 11:21:10 +02006273 - path-merge-slashes: Merges adjacent slashes within the "path" component
6274 into a single slash.
Tim Duesterhusd371e992021-04-15 21:45:58 +02006275
6276 Example:
6277 - // -> /
6278 - /foo//bar -> /foo/bar
6279
Tim Duesterhus2e4a18e2021-04-21 21:20:36 +02006280 - percent-decode-unreserved: Decodes unreserved percent encoded characters to
6281 their representation as a regular character (RFC 3986#6.2.2.2).
6282
6283 The set of unreserved characters includes all letters, all digits, "-",
6284 ".", "_", and "~".
6285
6286 Example:
6287 - /%61dmin -> /admin
6288 - /foo%3Fbar=baz -> /foo%3Fbar=baz (no change)
6289 - /%%36%36 -> /%66 (unsafe)
6290 - /%ZZ -> /%ZZ
6291
6292 If the "strict" option is specified then invalid sequences will result
6293 in a HTTP 400 Bad Request being returned.
6294
6295 Example:
6296 - /%%36%36 -> HTTP 400
6297 - /%ZZ -> HTTP 400
6298
Tim Duesterhus5be6ab22021-04-17 11:21:10 +02006299 - percent-to-uppercase: Uppercases letters within percent-encoded sequences
Tim Duesterhusc315efd2021-04-21 21:20:34 +02006300 (RFC 3986#6.2.2.1).
Tim Duesterhusa4071932021-04-15 21:46:02 +02006301
6302 Example:
6303 - /%6f -> /%6F
6304 - /%zz -> /%zz
6305
6306 If the "strict" option is specified then invalid sequences will result
6307 in a HTTP 400 Bad Request being returned.
6308
6309 Example:
6310 - /%zz -> HTTP 400
6311
Tim Duesterhus5be6ab22021-04-17 11:21:10 +02006312 - query-sort-by-name: Sorts the query string parameters by parameter name.
Tim Duesterhusd7b89be2021-04-15 21:46:01 +02006313 Parameters are assumed to be delimited by '&'. Shorter names sort before
6314 longer names and identical parameter names maintain their relative order.
6315
6316 Example:
6317 - /?c=3&a=1&b=2 -> /?a=1&b=2&c=3
6318 - /?aaa=3&a=1&aa=2 -> /?a=1&aa=2&aaa=3
6319 - /?a=3&b=4&a=1&b=5&a=2 -> /?a=3&a=1&a=2&b=4&b=5
6320
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006321http-request redirect <rule> [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006322
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006323 This performs an HTTP redirection based on a redirect rule. This is exactly
6324 the same as the "redirect" statement except that it inserts a redirect rule
6325 which can be processed in the middle of other "http-request" rules and that
6326 these rules use the "log-format" strings. See the "redirect" keyword for the
6327 rule's syntax.
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006328
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006329http-request reject [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006330
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006331 This stops the evaluation of the rules and immediately closes the connection
6332 without sending any response. It acts similarly to the
6333 "tcp-request content reject" rules. It can be useful to force an immediate
6334 connection closure on HTTP/2 connections.
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006335
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006336http-request replace-header <name> <match-regex> <replace-fmt>
6337 [ { if | unless } <condition> ]
Willy Tarreaua9083d02015-05-08 15:27:59 +02006338
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05006339 This matches the value of all occurrences of header field <name> against
Tim Duesterhus2252beb2019-10-29 00:05:13 +01006340 <match-regex>. Matching is performed case-sensitively. Matching values are
6341 completely replaced by <replace-fmt>. Format characters are allowed in
6342 <replace-fmt> and work like <fmt> arguments in "http-request add-header".
6343 Standard back-references using the backslash ('\') followed by a number are
6344 supported.
Thierry FOURNIER82bf70d2015-05-26 17:58:29 +02006345
Tim Duesterhus2252beb2019-10-29 00:05:13 +01006346 This action acts on whole header lines, regardless of the number of values
6347 they may contain. Thus it is well-suited to process headers naturally
6348 containing commas in their value, such as If-Modified-Since. Headers that
6349 contain a comma-separated list of values, such as Accept, should be processed
6350 using "http-request replace-value".
William Lallemand86d0df02017-11-24 21:36:45 +01006351
Tim Duesterhus2252beb2019-10-29 00:05:13 +01006352 Example:
6353 http-request replace-header Cookie foo=([^;]*);(.*) foo=\1;ip=%bi;\2
6354
6355 # applied to:
6356 Cookie: foo=foobar; expires=Tue, 14-Jun-2016 01:40:45 GMT;
6357
6358 # outputs:
6359 Cookie: foo=foobar;ip=192.168.1.20; expires=Tue, 14-Jun-2016 01:40:45 GMT;
6360
6361 # assuming the backend IP is 192.168.1.20
Willy Tarreau09448f72014-06-25 18:12:15 +02006362
Tim Duesterhus2252beb2019-10-29 00:05:13 +01006363 http-request replace-header User-Agent curl foo
6364
6365 # applied to:
6366 User-Agent: curl/7.47.0
Willy Tarreau09448f72014-06-25 18:12:15 +02006367
Tim Duesterhus2252beb2019-10-29 00:05:13 +01006368 # outputs:
6369 User-Agent: foo
Willy Tarreau09448f72014-06-25 18:12:15 +02006370
Willy Tarreau262c3f12019-12-17 06:52:51 +01006371http-request replace-path <match-regex> <replace-fmt>
6372 [ { if | unless } <condition> ]
6373
6374 This works like "replace-header" except that it works on the request's path
6375 component instead of a header. The path component starts at the first '/'
Christopher Faulet82c83322020-09-02 14:16:59 +02006376 after an optional scheme+authority and ends before the question mark. Thus,
6377 the replacement does not modify the scheme, the authority and the
6378 query-string.
Willy Tarreau262c3f12019-12-17 06:52:51 +01006379
6380 It is worth noting that regular expressions may be more expensive to evaluate
6381 than certain ACLs, so rare replacements may benefit from a condition to avoid
6382 performing the evaluation at all if it does not match.
6383
6384 Example:
6385 # prefix /foo : turn /bar?q=1 into /foo/bar?q=1 :
6386 http-request replace-path (.*) /foo\1
6387
Willy Tarreau262c3f12019-12-17 06:52:51 +01006388 # strip /foo : turn /foo/bar?q=1 into /bar?q=1
6389 http-request replace-path /foo/(.*) /\1
6390 # or more efficient if only some requests match :
6391 http-request replace-path /foo/(.*) /\1 if { url_beg /foo/ }
6392
Christopher Faulet312294f2020-09-02 17:17:44 +02006393http-request replace-pathq <match-regex> <replace-fmt>
6394 [ { if | unless } <condition> ]
6395
6396 This does the same as "http-request replace-path" except that the path
6397 contains the query-string if any is present. Thus, the path and the
6398 query-string are replaced.
6399
6400 Example:
6401 # suffix /foo : turn /bar?q=1 into /bar/foo?q=1 :
6402 http-request replace-pathq ([^?]*)(\?(.*))? \1/foo\2
6403
Willy Tarreau33810222019-06-12 17:44:02 +02006404http-request replace-uri <match-regex> <replace-fmt>
6405 [ { if | unless } <condition> ]
6406
Tim Duesterhus2252beb2019-10-29 00:05:13 +01006407 This works like "replace-header" except that it works on the request's URI part
6408 instead of a header. The URI part may contain an optional scheme, authority or
6409 query string. These are considered to be part of the value that is matched
6410 against.
6411
6412 It is worth noting that regular expressions may be more expensive to evaluate
6413 than certain ACLs, so rare replacements may benefit from a condition to avoid
6414 performing the evaluation at all if it does not match.
Willy Tarreau33810222019-06-12 17:44:02 +02006415
Willy Tarreau62b59132019-12-17 06:51:20 +01006416 IMPORTANT NOTE: historically in HTTP/1.x, the vast majority of requests sent
6417 by browsers use the "origin form", which differs from the "absolute form" in
6418 that they do not contain a scheme nor authority in the URI portion. Mostly
6419 only requests sent to proxies, those forged by hand and some emitted by
6420 certain applications use the absolute form. As such, "replace-uri" usually
6421 works fine most of the time in HTTP/1.x with rules starting with a "/". But
6422 with HTTP/2, clients are encouraged to send absolute URIs only, which look
6423 like the ones HTTP/1 clients use to talk to proxies. Such partial replace-uri
6424 rules may then fail in HTTP/2 when they work in HTTP/1. Either the rules need
Willy Tarreau262c3f12019-12-17 06:52:51 +01006425 to be adapted to optionally match a scheme and authority, or replace-path
6426 should be used.
Willy Tarreau33810222019-06-12 17:44:02 +02006427
Willy Tarreau62b59132019-12-17 06:51:20 +01006428 Example:
6429 # rewrite all "http" absolute requests to "https":
6430 http-request replace-uri ^http://(.*) https://\1
Willy Tarreau33810222019-06-12 17:44:02 +02006431
Willy Tarreau62b59132019-12-17 06:51:20 +01006432 # prefix /foo : turn /bar?q=1 into /foo/bar?q=1 :
6433 http-request replace-uri ([^/:]*://[^/]*)?(.*) \1/foo\2
Willy Tarreau33810222019-06-12 17:44:02 +02006434
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006435http-request replace-value <name> <match-regex> <replace-fmt>
6436 [ { if | unless } <condition> ]
Willy Tarreau09448f72014-06-25 18:12:15 +02006437
Tim Duesterhus2252beb2019-10-29 00:05:13 +01006438 This works like "replace-header" except that it matches the regex against
6439 every comma-delimited value of the header field <name> instead of the
6440 entire header. This is suited for all headers which are allowed to carry
6441 more than one value. An example could be the Accept header.
Willy Tarreau09448f72014-06-25 18:12:15 +02006442
Tim Duesterhus2252beb2019-10-29 00:05:13 +01006443 Example:
6444 http-request replace-value X-Forwarded-For ^192\.168\.(.*)$ 172.16.\1
Thierry FOURNIER236657b2015-08-19 08:25:14 +02006445
Tim Duesterhus2252beb2019-10-29 00:05:13 +01006446 # applied to:
6447 X-Forwarded-For: 192.168.10.1, 192.168.13.24, 10.0.0.37
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +02006448
Tim Duesterhus2252beb2019-10-29 00:05:13 +01006449 # outputs:
6450 X-Forwarded-For: 172.16.10.1, 172.16.13.24, 10.0.0.37
Frédéric Lécaille6778b272018-01-29 15:22:53 +01006451
Christopher Faulet24231ab2020-01-24 17:44:23 +01006452http-request return [status <code>] [content-type <type>]
6453 [ { default-errorfiles | errorfile <file> | errorfiles <name> |
6454 file <file> | lf-file <file> | string <str> | lf-string <fmt> } ]
Christopher Faulet4a2c1422020-01-31 17:36:01 +01006455 [ hdr <name> <fmt> ]*
Christopher Faulet24231ab2020-01-24 17:44:23 +01006456 [ { if | unless } <condition> ]
6457
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05006458 This stops the evaluation of the rules and immediately returns a response. The
Christopher Faulet24231ab2020-01-24 17:44:23 +01006459 default status code used for the response is 200. It can be optionally
6460 specified as an arguments to "status". The response content-type may also be
Daniel Corbett67a82712020-07-06 23:01:19 -04006461 specified as an argument to "content-type". Finally the response itself may
Sébastien Grossab877122020-10-08 10:06:03 +02006462 be defined. It can be a full HTTP response specifying the errorfile to use,
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05006463 or the response payload specifying the file or the string to use. These rules
Christopher Faulet24231ab2020-01-24 17:44:23 +01006464 are followed to create the response :
6465
6466 * If neither the errorfile nor the payload to use is defined, a dummy
6467 response is returned. Only the "status" argument is considered. It can be
6468 any code in the range [200, 599]. The "content-type" argument, if any, is
6469 ignored.
6470
6471 * If "default-errorfiles" argument is set, the proxy's errorfiles are
6472 considered. If the "status" argument is defined, it must be one of the
Daniel Corbett9f0843f2021-05-08 10:50:37 -04006473 status code handled by HAProxy (200, 400, 403, 404, 405, 408, 410, 413,
Christopher Faulete095f312020-12-07 11:22:24 +01006474 425, 429, 500, 501, 502, 503, and 504). The "content-type" argument, if
6475 any, is ignored.
Christopher Faulet24231ab2020-01-24 17:44:23 +01006476
6477 * If a specific errorfile is defined, with an "errorfile" argument, the
6478 corresponding file, containing a full HTTP response, is returned. Only the
6479 "status" argument is considered. It must be one of the status code handled
Daniel Corbett9f0843f2021-05-08 10:50:37 -04006480 by HAProxy (200, 400, 403, 404, 405, 408, 410, 413, 425, 429, 500, 501,
Christopher Faulete095f312020-12-07 11:22:24 +01006481 502, 503, and 504). The "content-type" argument, if any, is ignored.
Christopher Faulet24231ab2020-01-24 17:44:23 +01006482
6483 * If an http-errors section is defined, with an "errorfiles" argument, the
6484 corresponding file in the specified http-errors section, containing a full
6485 HTTP response, is returned. Only the "status" argument is considered. It
Daniel Corbett9f0843f2021-05-08 10:50:37 -04006486 must be one of the status code handled by HAProxy (200, 400, 403, 404, 405,
Christopher Faulete095f312020-12-07 11:22:24 +01006487 408, 410, 413, 425, 429, 500, 501, 502, 503, and 504). The "content-type"
Anthonin Bonnefoy85048f82020-06-22 09:17:01 +02006488 argument, if any, is ignored.
Christopher Faulet24231ab2020-01-24 17:44:23 +01006489
6490 * If a "file" or a "lf-file" argument is specified, the file's content is
6491 used as the response payload. If the file is not empty, its content-type
6492 must be set as argument to "content-type". Otherwise, any "content-type"
6493 argument is ignored. With a "lf-file" argument, the file's content is
6494 evaluated as a log-format string. With a "file" argument, it is considered
6495 as a raw content.
6496
6497 * If a "string" or "lf-string" argument is specified, the defined string is
6498 used as the response payload. The content-type must always be set as
6499 argument to "content-type". With a "lf-string" argument, the string is
6500 evaluated as a log-format string. With a "string" argument, it is
6501 considered as a raw string.
6502
Sébastien Grossab877122020-10-08 10:06:03 +02006503 When the response is not based on an errorfile, it is possible to append HTTP
Christopher Faulet4a2c1422020-01-31 17:36:01 +01006504 header fields to the response using "hdr" arguments. Otherwise, all "hdr"
6505 arguments are ignored. For each one, the header name is specified in <name>
6506 and its value is defined by <fmt> which follows the log-format rules.
6507
Christopher Faulet24231ab2020-01-24 17:44:23 +01006508 Note that the generated response must be smaller than a buffer. And to avoid
6509 any warning, when an errorfile or a raw file is loaded, the buffer space
Sébastien Grossab877122020-10-08 10:06:03 +02006510 reserved for the headers rewriting should also be free.
Christopher Faulet24231ab2020-01-24 17:44:23 +01006511
6512 No further "http-request" rules are evaluated.
6513
6514 Example:
Daniel Corbett67a82712020-07-06 23:01:19 -04006515 http-request return errorfile /etc/haproxy/errorfiles/200.http \
Christopher Faulet24231ab2020-01-24 17:44:23 +01006516 if { path /ping }
6517
6518 http-request return content-type image/x-icon file /var/www/favicon.ico \
6519 if { path /favicon.ico }
6520
6521 http-request return status 403 content-type text/plain \
6522 lf-string "Access denied. IP %[src] is blacklisted." \
6523 if { src -f /etc/haproxy/blacklist.lst }
6524
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006525http-request sc-inc-gpc0(<sc-id>) [ { if | unless } <condition> ]
6526http-request sc-inc-gpc1(<sc-id>) [ { if | unless } <condition> ]
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02006527
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006528 This actions increments the GPC0 or GPC1 counter according with the sticky
6529 counter designated by <sc-id>. If an error occurs, this action silently fails
6530 and the actions evaluation continues.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02006531
Cédric Dufour0d7712d2019-11-06 18:38:53 +01006532http-request sc-set-gpt0(<sc-id>) { <int> | <expr> }
6533 [ { if | unless } <condition> ]
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02006534
Cédric Dufour0d7712d2019-11-06 18:38:53 +01006535 This action sets the 32-bit unsigned GPT0 tag according to the sticky counter
6536 designated by <sc-id> and the value of <int>/<expr>. The expected result is a
6537 boolean. If an error occurs, this action silently fails and the actions
6538 evaluation continues.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02006539
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006540http-request set-dst <expr> [ { if | unless } <condition> ]
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02006541
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006542 This is used to set the destination IP address to the value of specified
6543 expression. Useful when a proxy in front of HAProxy rewrites destination IP,
6544 but provides the correct IP in a HTTP header; or you want to mask the IP for
6545 privacy. If you want to connect to the new address/port, use '0.0.0.0:0' as a
6546 server address in the backend.
Christopher Faulet85d79c92016-11-09 16:54:56 +01006547
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006548 Arguments:
6549 <expr> Is a standard HAProxy expression formed by a sample-fetch followed
6550 by some converters.
Christopher Faulet85d79c92016-11-09 16:54:56 +01006551
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006552 Example:
6553 http-request set-dst hdr(x-dst)
6554 http-request set-dst dst,ipmask(24)
Christopher Faulet85d79c92016-11-09 16:54:56 +01006555
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006556 When possible, set-dst preserves the original destination port as long as the
6557 address family allows it, otherwise the destination port is set to 0.
Adis Nezirovic2fbcafc2015-07-06 15:44:30 +02006558
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006559http-request set-dst-port <expr> [ { if | unless } <condition> ]
Adis Nezirovic2fbcafc2015-07-06 15:44:30 +02006560
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006561 This is used to set the destination port address to the value of specified
6562 expression. If you want to connect to the new address/port, use '0.0.0.0:0'
6563 as a server address in the backend.
Adis Nezirovic2fbcafc2015-07-06 15:44:30 +02006564
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006565 Arguments:
6566 <expr> Is a standard HAProxy expression formed by a sample-fetch
6567 followed by some converters.
Adis Nezirovic2fbcafc2015-07-06 15:44:30 +02006568
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006569 Example:
6570 http-request set-dst-port hdr(x-port)
6571 http-request set-dst-port int(4000)
Adis Nezirovic2fbcafc2015-07-06 15:44:30 +02006572
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006573 When possible, set-dst-port preserves the original destination address as
6574 long as the address family supports a port, otherwise it forces the
6575 destination address to IPv4 "0.0.0.0" before rewriting the port.
William Lallemand44be6402016-05-25 01:51:35 +02006576
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006577http-request set-header <name> <fmt> [ { if | unless } <condition> ]
William Lallemand44be6402016-05-25 01:51:35 +02006578
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006579 This does the same as "http-request add-header" except that the header name
6580 is first removed if it existed. This is useful when passing security
6581 information to the server, where the header must not be manipulated by
6582 external users. Note that the new value is computed before the removal so it
6583 is possible to concatenate a value to an existing header.
William Lallemand44be6402016-05-25 01:51:35 +02006584
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006585 Example:
6586 http-request set-header X-Haproxy-Current-Date %T
6587 http-request set-header X-SSL %[ssl_fc]
6588 http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
6589 http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
6590 http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
6591 http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
6592 http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
6593 http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
6594 http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
William Lallemand44be6402016-05-25 01:51:35 +02006595
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006596http-request set-log-level <level> [ { if | unless } <condition> ]
William Lallemand44be6402016-05-25 01:51:35 +02006597
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006598 This is used to change the log level of the current request when a certain
6599 condition is met. Valid levels are the 8 syslog levels (see the "log"
6600 keyword) plus the special level "silent" which disables logging for this
6601 request. This rule is not final so the last matching rule wins. This rule
6602 can be useful to disable health checks coming from another equipment.
William Lallemand13e9b0c2016-05-25 02:34:07 +02006603
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006604http-request set-map(<file-name>) <key fmt> <value fmt>
6605 [ { if | unless } <condition> ]
William Lallemand13e9b0c2016-05-25 02:34:07 +02006606
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006607 This is used to add a new entry into a MAP. The MAP must be loaded from a
6608 file (even a dummy empty file). The file name of the MAP to be updated is
6609 passed between parentheses. It takes 2 arguments: <key fmt>, which follows
6610 log-format rules, used to collect MAP key, and <value fmt>, which follows
6611 log-format rules, used to collect content for the new entry.
6612 It performs a lookup in the MAP before insertion, to avoid duplicated (or
6613 more) values. This lookup is done by a linear search and can be expensive
6614 with large lists! It is the equivalent of the "set map" command from the
6615 stats socket, but can be triggered by an HTTP request.
William Lallemand13e9b0c2016-05-25 02:34:07 +02006616
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006617http-request set-mark <mark> [ { if | unless } <condition> ]
William Lallemand13e9b0c2016-05-25 02:34:07 +02006618
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006619 This is used to set the Netfilter MARK on all packets sent to the client to
6620 the value passed in <mark> on platforms which support it. This value is an
6621 unsigned 32 bit value which can be matched by netfilter and by the routing
6622 table. It can be expressed both in decimal or hexadecimal format (prefixed by
6623 "0x"). This can be useful to force certain packets to take a different route
6624 (for example a cheaper network path for bulk downloads). This works on Linux
6625 kernels 2.6.32 and above and requires admin privileges.
Willy Tarreau00005ce2016-10-21 15:07:45 +02006626
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006627http-request set-method <fmt> [ { if | unless } <condition> ]
William Lallemand13e9b0c2016-05-25 02:34:07 +02006628
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006629 This rewrites the request method with the result of the evaluation of format
6630 string <fmt>. There should be very few valid reasons for having to do so as
6631 this is more likely to break something than to fix it.
William Lallemand13e9b0c2016-05-25 02:34:07 +02006632
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006633http-request set-nice <nice> [ { if | unless } <condition> ]
William Lallemand13e9b0c2016-05-25 02:34:07 +02006634
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006635 This sets the "nice" factor of the current request being processed. It only
6636 has effect against the other requests being processed at the same time.
6637 The default value is 0, unless altered by the "nice" setting on the "bind"
6638 line. The accepted range is -1024..1024. The higher the value, the nicest
6639 the request will be. Lower values will make the request more important than
6640 other ones. This can be useful to improve the speed of some requests, or
6641 lower the priority of non-important requests. Using this setting without
6642 prior experimentation can cause some major slowdown.
William Lallemand13e9b0c2016-05-25 02:34:07 +02006643
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006644http-request set-path <fmt> [ { if | unless } <condition> ]
Willy Tarreau00005ce2016-10-21 15:07:45 +02006645
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006646 This rewrites the request path with the result of the evaluation of format
6647 string <fmt>. The query string, if any, is left intact. If a scheme and
6648 authority is found before the path, they are left intact as well. If the
6649 request doesn't have a path ("*"), this one is replaced with the format.
6650 This can be used to prepend a directory component in front of a path for
6651 example. See also "http-request set-query" and "http-request set-uri".
Willy Tarreau2d392c22015-08-24 01:43:45 +02006652
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006653 Example :
6654 # prepend the host name before the path
6655 http-request set-path /%[hdr(host)]%[path]
Christopher Faulet76c09ef2017-09-21 11:03:52 +02006656
Christopher Faulet312294f2020-09-02 17:17:44 +02006657http-request set-pathq <fmt> [ { if | unless } <condition> ]
6658
6659 This does the same as "http-request set-path" except that the query-string is
6660 also rewritten. It may be used to remove the query-string, including the
6661 question mark (it is not possible using "http-request set-query").
6662
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006663http-request set-priority-class <expr> [ { if | unless } <condition> ]
Olivier Houchardccaa7de2017-10-02 11:51:03 +02006664
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006665 This is used to set the queue priority class of the current request.
6666 The value must be a sample expression which converts to an integer in the
6667 range -2047..2047. Results outside this range will be truncated.
6668 The priority class determines the order in which queued requests are
6669 processed. Lower values have higher priority.
Christopher Faulet76c09ef2017-09-21 11:03:52 +02006670
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006671http-request set-priority-offset <expr> [ { if | unless } <condition> ]
Christopher Faulet76c09ef2017-09-21 11:03:52 +02006672
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006673 This is used to set the queue priority timestamp offset of the current
6674 request. The value must be a sample expression which converts to an integer
6675 in the range -524287..524287. Results outside this range will be truncated.
6676 When a request is queued, it is ordered first by the priority class, then by
6677 the current timestamp adjusted by the given offset in milliseconds. Lower
6678 values have higher priority.
6679 Note that the resulting timestamp is is only tracked with enough precision
6680 for 524,287ms (8m44s287ms). If the request is queued long enough to where the
6681 adjusted timestamp exceeds this value, it will be misidentified as highest
6682 priority. Thus it is important to set "timeout queue" to a value, where when
6683 combined with the offset, does not exceed this limit.
Christopher Faulet76c09ef2017-09-21 11:03:52 +02006684
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006685http-request set-query <fmt> [ { if | unless } <condition> ]
Willy Tarreau20b0de52012-12-24 15:45:22 +01006686
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006687 This rewrites the request's query string which appears after the first
6688 question mark ("?") with the result of the evaluation of format string <fmt>.
6689 The part prior to the question mark is left intact. If the request doesn't
6690 contain a question mark and the new value is not empty, then one is added at
6691 the end of the URI, followed by the new value. If a question mark was
6692 present, it will never be removed even if the value is empty. This can be
6693 used to add or remove parameters from the query string.
Ruoshan Huangeb5a3632015-12-08 21:00:23 +08006694
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006695 See also "http-request set-query" and "http-request set-uri".
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01006696
6697 Example:
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006698 # replace "%3D" with "=" in the query string
6699 http-request set-query %[query,regsub(%3D,=,g)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01006700
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006701http-request set-src <expr> [ { if | unless } <condition> ]
6702 This is used to set the source IP address to the value of specified
6703 expression. Useful when a proxy in front of HAProxy rewrites source IP, but
6704 provides the correct IP in a HTTP header; or you want to mask source IP for
Olivier Doucet56e31202020-04-21 09:32:56 +02006705 privacy. All subsequent calls to "src" fetch will return this value
6706 (see example).
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006707
6708 Arguments :
6709 <expr> Is a standard HAProxy expression formed by a sample-fetch followed
6710 by some converters.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01006711
Olivier Doucet56e31202020-04-21 09:32:56 +02006712 See also "option forwardfor".
6713
Cyril Bonté78caf842010-03-10 22:41:43 +01006714 Example:
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006715 http-request set-src hdr(x-forwarded-for)
6716 http-request set-src src,ipmask(24)
6717
Olivier Doucet56e31202020-04-21 09:32:56 +02006718 # After the masking this will track connections
6719 # based on the IP address with the last byte zeroed out.
6720 http-request track-sc0 src
6721
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006722 When possible, set-src preserves the original source port as long as the
6723 address family allows it, otherwise the source port is set to 0.
6724
6725http-request set-src-port <expr> [ { if | unless } <condition> ]
6726
6727 This is used to set the source port address to the value of specified
6728 expression.
6729
6730 Arguments:
6731 <expr> Is a standard HAProxy expression formed by a sample-fetch followed
6732 by some converters.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01006733
Willy Tarreau20b0de52012-12-24 15:45:22 +01006734 Example:
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006735 http-request set-src-port hdr(x-port)
6736 http-request set-src-port int(4000)
6737
6738 When possible, set-src-port preserves the original source address as long as
6739 the address family supports a port, otherwise it forces the source address to
6740 IPv4 "0.0.0.0" before rewriting the port.
6741
Alex59c53352021-04-27 12:57:07 +02006742http-request set-timeout { server | tunnel } { <timeout> | <expr> }
Amaury Denoyelle8d228232020-12-10 13:43:54 +01006743 [ { if | unless } <condition> ]
6744
6745 This action overrides the specified "server" or "tunnel" timeout for the
6746 current stream only. The timeout can be specified in millisecond or with any
6747 other unit if the number is suffixed by the unit as explained at the top of
6748 this document. It is also possible to write an expression which must returns
6749 a number interpreted as a timeout in millisecond.
6750
6751 Note that the server/tunnel timeouts are only relevant on the backend side
6752 and thus this rule is only available for the proxies with backend
6753 capabilities. Also the timeout value must be non-null to obtain the expected
6754 results.
6755
6756 Example:
Alex59c53352021-04-27 12:57:07 +02006757 http-request set-timeout tunnel 5s
6758 http-request set-timeout server req.hdr(host),map_int(host.lst)
Amaury Denoyelle8d228232020-12-10 13:43:54 +01006759
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006760http-request set-tos <tos> [ { if | unless } <condition> ]
6761
6762 This is used to set the TOS or DSCP field value of packets sent to the client
6763 to the value passed in <tos> on platforms which support this. This value
6764 represents the whole 8 bits of the IP TOS field, and can be expressed both in
6765 decimal or hexadecimal format (prefixed by "0x"). Note that only the 6 higher
6766 bits are used in DSCP or TOS, and the two lower bits are always 0. This can
6767 be used to adjust some routing behavior on border routers based on some
6768 information from the request.
6769
6770 See RFC 2474, 2597, 3260 and 4594 for more information.
6771
6772http-request set-uri <fmt> [ { if | unless } <condition> ]
6773
6774 This rewrites the request URI with the result of the evaluation of format
6775 string <fmt>. The scheme, authority, path and query string are all replaced
6776 at once. This can be used to rewrite hosts in front of proxies, or to
6777 perform complex modifications to the URI such as moving parts between the
6778 path and the query string.
6779 See also "http-request set-path" and "http-request set-query".
6780
6781http-request set-var(<var-name>) <expr> [ { if | unless } <condition> ]
6782
6783 This is used to set the contents of a variable. The variable is declared
6784 inline.
6785
6786 Arguments:
6787 <var-name> The name of the variable starts with an indication about its
6788 scope. The scopes allowed are:
6789 "proc" : the variable is shared with the whole process
6790 "sess" : the variable is shared with the whole session
6791 "txn" : the variable is shared with the transaction
6792 (request and response)
6793 "req" : the variable is shared only during request
6794 processing
6795 "res" : the variable is shared only during response
6796 processing
6797 This prefix is followed by a name. The separator is a '.'.
6798 The name may only contain characters 'a-z', 'A-Z', '0-9'
6799 and '_'.
6800
6801 <expr> Is a standard HAProxy expression formed by a sample-fetch
6802 followed by some converters.
Willy Tarreau20b0de52012-12-24 15:45:22 +01006803
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006804 Example:
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006805 http-request set-var(req.my_var) req.fhdr(user-agent),lower
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006806
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006807http-request send-spoe-group <engine-name> <group-name>
6808 [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006809
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006810 This action is used to trigger sending of a group of SPOE messages. To do so,
6811 the SPOE engine used to send messages must be defined, as well as the SPOE
6812 group to send. Of course, the SPOE engine must refer to an existing SPOE
6813 filter. If not engine name is provided on the SPOE filter line, the SPOE
6814 agent name must be used.
6815
6816 Arguments:
6817 <engine-name> The SPOE engine name.
6818
6819 <group-name> The SPOE group name as specified in the engine
6820 configuration.
6821
6822http-request silent-drop [ { if | unless } <condition> ]
6823
6824 This stops the evaluation of the rules and makes the client-facing connection
6825 suddenly disappear using a system-dependent way that tries to prevent the
6826 client from being notified. The effect it then that the client still sees an
6827 established connection while there's none on HAProxy. The purpose is to
6828 achieve a comparable effect to "tarpit" except that it doesn't use any local
6829 resource at all on the machine running HAProxy. It can resist much higher
6830 loads than "tarpit", and slow down stronger attackers. It is important to
6831 understand the impact of using this mechanism. All stateful equipment placed
6832 between the client and HAProxy (firewalls, proxies, load balancers) will also
6833 keep the established connection for a long time and may suffer from this
6834 action.
6835 On modern Linux systems running with enough privileges, the TCP_REPAIR socket
6836 option is used to block the emission of a TCP reset. On other systems, the
6837 socket's TTL is reduced to 1 so that the TCP reset doesn't pass the first
6838 router, though it's still delivered to local networks. Do not use it unless
6839 you fully understand how it works.
6840
Christopher Faulet46f95542019-12-20 10:07:22 +01006841http-request strict-mode { on | off }
6842
6843 This enables or disables the strict rewriting mode for following rules. It
6844 does not affect rules declared before it and it is only applicable on rules
6845 performing a rewrite on the requests. When the strict mode is enabled, any
6846 rewrite failure triggers an internal error. Otherwise, such errors are
6847 silently ignored. The purpose of the strict rewriting mode is to make some
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05006848 rewrites optional while others must be performed to continue the request
Christopher Faulet46f95542019-12-20 10:07:22 +01006849 processing.
6850
Christopher Faulet1aea50e2020-01-17 16:03:53 +01006851 By default, the strict rewriting mode is enabled. Its value is also reset
Christopher Faulet46f95542019-12-20 10:07:22 +01006852 when a ruleset evaluation ends. So, for instance, if you change the mode on
6853 the frontend, the default mode is restored when HAProxy starts the backend
6854 rules evaluation.
6855
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006856http-request tarpit [deny_status <status>] [ { if | unless } <condition> ]
6857http-request tarpit [ { status | deny_status } <code>] [content-type <type>]
6858 [ { default-errorfiles | errorfile <file> | errorfiles <name> |
6859 file <file> | lf-file <file> | string <str> | lf-string <fmt> } ]
6860 [ hdr <name> <fmt> ]*
6861 [ { if | unless } <condition> ]
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006862
6863 This stops the evaluation of the rules and immediately blocks the request
6864 without responding for a delay specified by "timeout tarpit" or
6865 "timeout connect" if the former is not set. After that delay, if the client
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006866 is still connected, a response is returned so that the client does not
6867 suspect it has been tarpitted. Logs will report the flags "PT". The goal of
6868 the tarpit rule is to slow down robots during an attack when they're limited
6869 on the number of concurrent requests. It can be very efficient against very
6870 dumb robots, and will significantly reduce the load on firewalls compared to
6871 a "deny" rule. But when facing "correctly" developed robots, it can make
Daniel Corbett9f0843f2021-05-08 10:50:37 -04006872 things worse by forcing HAProxy and the front firewall to support insane
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006873 number of concurrent connections. By default an HTTP error 500 is returned.
6874 But the response may be customized using same syntax than
6875 "http-request return" rules. Thus, see "http-request return" for details.
Ilya Shipitsin11057a32020-06-21 21:18:27 +05006876 For compatibility purpose, when no argument is defined, or only "deny_status",
Christopher Faulet5cb513a2020-05-13 17:56:56 +02006877 the argument "default-errorfiles" is implied. It means
6878 "http-request tarpit [deny_status <status>]" is an alias of
6879 "http-request tarpit [status <status>] default-errorfiles".
6880 No further "http-request" rules are evaluated.
6881 See also "http-request return" and "http-request silent-drop".
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006882
6883http-request track-sc0 <key> [table <table>] [ { if | unless } <condition> ]
6884http-request track-sc1 <key> [table <table>] [ { if | unless } <condition> ]
6885http-request track-sc2 <key> [table <table>] [ { if | unless } <condition> ]
6886
6887 This enables tracking of sticky counters from current request. These rules do
6888 not stop evaluation and do not change default action. The number of counters
6889 that may be simultaneously tracked by the same connection is set in
6890 MAX_SESS_STKCTR at build time (reported in haproxy -vv) which defaults to 3,
Matteo Contrini1857b8c2020-10-16 17:35:54 +02006891 so the track-sc number is between 0 and (MAX_SESS_STKCTR-1). The first
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006892 "track-sc0" rule executed enables tracking of the counters of the specified
6893 table as the first set. The first "track-sc1" rule executed enables tracking
6894 of the counters of the specified table as the second set. The first
6895 "track-sc2" rule executed enables tracking of the counters of the specified
6896 table as the third set. It is a recommended practice to use the first set of
6897 counters for the per-frontend counters and the second set for the per-backend
6898 ones. But this is just a guideline, all may be used everywhere.
6899
6900 Arguments :
6901 <key> is mandatory, and is a sample expression rule as described in
6902 section 7.3. It describes what elements of the incoming request or
6903 connection will be analyzed, extracted, combined, and used to
6904 select which table entry to update the counters.
6905
6906 <table> is an optional table to be used instead of the default one, which
6907 is the stick-table declared in the current proxy. All the counters
6908 for the matches and updates for the key will then be performed in
6909 that table until the session ends.
6910
6911 Once a "track-sc*" rule is executed, the key is looked up in the table and if
6912 it is not found, an entry is allocated for it. Then a pointer to that entry
6913 is kept during all the session's life, and this entry's counters are updated
6914 as often as possible, every time the session's counters are updated, and also
6915 systematically when the session ends. Counters are only updated for events
6916 that happen after the tracking has been started. As an exception, connection
6917 counters and request counters are systematically updated so that they reflect
6918 useful information.
6919
6920 If the entry tracks concurrent connection counters, one connection is counted
6921 for as long as the entry is tracked, and the entry will not expire during
6922 that time. Tracking counters also provides a performance advantage over just
6923 checking the keys, because only one table lookup is performed for all ACL
6924 checks that make use of it.
6925
6926http-request unset-var(<var-name>) [ { if | unless } <condition> ]
6927
6928 This is used to unset a variable. See above for details about <var-name>.
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006929
6930 Example:
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006931 http-request unset-var(req.my_var)
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006932
Christopher Faulet579d83b2019-11-22 15:34:17 +01006933http-request use-service <service-name> [ { if | unless } <condition> ]
6934
6935 This directive executes the configured HTTP service to reply to the request
6936 and stops the evaluation of the rules. An HTTP service may choose to reply by
6937 sending any valid HTTP response or it may immediately close the connection
6938 without sending any response. Outside natives services, for instance the
6939 Prometheus exporter, it is possible to write your own services in Lua. No
6940 further "http-request" rules are evaluated.
6941
6942 Arguments :
6943 <service-name> is mandatory. It is the service to call
6944
6945 Example:
6946 http-request use-service prometheus-exporter if { path /metrics }
6947
Christopher Faulet021a8e42021-03-29 10:46:38 +02006948http-request wait-for-body time <time> [ at-least <bytes> ]
6949 [ { if | unless } <condition> ]
6950
6951 This will delay the processing of the request waiting for the payload for at
6952 most <time> milliseconds. if "at-least" argument is specified, HAProxy stops
6953 to wait the payload when the first <bytes> bytes are received. 0 means no
6954 limit, it is the default value. Regardless the "at-least" argument value,
6955 HAProxy stops to wait if the whole payload is received or if the request
6956 buffer is full. This action may be used as a replacement to "option
6957 http-buffer-request".
6958
6959 Arguments :
6960
6961 <time> is mandatory. It is the maximum time to wait for the body. It
6962 follows the HAProxy time format and is expressed in milliseconds.
6963
6964 <bytes> is optional. It is the minimum payload size to receive to stop to
Ilya Shipitsinb2be9a12021-04-24 13:25:42 +05006965 wait. It follows the HAProxy size format and is expressed in
Christopher Faulet021a8e42021-03-29 10:46:38 +02006966 bytes.
6967
6968 Example:
6969 http-request wait-for-body time 1s at-least 1k if METH_POST
6970
6971 See also : "option http-buffer-request"
6972
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006973http-request wait-for-handshake [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006974
Cyril Bontéc6ad23b2018-10-17 00:14:50 +02006975 This will delay the processing of the request until the SSL handshake
6976 happened. This is mostly useful to delay processing early data until we're
6977 sure they are valid.
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02006978
Willy Tarreauef781042010-01-27 11:53:01 +01006979
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006980http-response <action> <options...> [ { if | unless } <condition> ]
Willy Tarreaue365c0b2013-06-11 16:06:12 +02006981 Access control for Layer 7 responses
6982
6983 May be used in sections: defaults | frontend | listen | backend
6984 no | yes | yes | yes
6985
6986 The http-response statement defines a set of rules which apply to layer 7
6987 processing. The rules are evaluated in their declaration order when they are
6988 met in a frontend, listen or backend section. Any rule may optionally be
6989 followed by an ACL-based condition, in which case it will only be evaluated
6990 if the condition is true. Since these rules apply on responses, the backend
6991 rules are applied first, followed by the frontend's rules.
6992
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006993 The first keyword is the rule's action. The supported actions are described
6994 below.
Willy Tarreaue365c0b2013-06-11 16:06:12 +02006995
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006996 There is no limit to the number of http-response statements per instance.
Willy Tarreaue365c0b2013-06-11 16:06:12 +02006997
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02006998 Example:
6999 acl key_acl res.hdr(X-Acl-Key) -m found
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02007000
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007001 acl myhost hdr(Host) -f myhost.lst
Sasha Pachev218f0642014-06-16 12:05:59 -06007002
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007003 http-response add-acl(myhost.lst) %[res.hdr(X-Acl-Key)] if key_acl
7004 http-response del-acl(myhost.lst) %[res.hdr(X-Acl-Key)] if key_acl
Sasha Pachev218f0642014-06-16 12:05:59 -06007005
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007006 Example:
7007 acl value res.hdr(X-Value) -m found
Sasha Pachev218f0642014-06-16 12:05:59 -06007008
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007009 use_backend bk_appli if { hdr(Host),map_str(map.lst) -m found }
Sasha Pachev218f0642014-06-16 12:05:59 -06007010
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007011 http-response set-map(map.lst) %[src] %[res.hdr(X-Value)] if value
7012 http-response del-map(map.lst) %[src] if ! value
Sasha Pachev218f0642014-06-16 12:05:59 -06007013
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007014 See also : "http-request", section 3.4 about userlists and section 7 about
7015 ACL usage.
Sasha Pachev218f0642014-06-16 12:05:59 -06007016
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007017http-response add-acl(<file-name>) <key fmt> [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06007018
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007019 This is used to add a new entry into an ACL. The ACL must be loaded from a
7020 file (even a dummy empty file). The file name of the ACL to be updated is
7021 passed between parentheses. It takes one argument: <key fmt>, which follows
7022 log-format rules, to collect content of the new entry. It performs a lookup
7023 in the ACL before insertion, to avoid duplicated (or more) values.
7024 This lookup is done by a linear search and can be expensive with large lists!
7025 It is the equivalent of the "add acl" command from the stats socket, but can
7026 be triggered by an HTTP response.
Sasha Pachev218f0642014-06-16 12:05:59 -06007027
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007028http-response add-header <name> <fmt> [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06007029
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007030 This appends an HTTP header field whose name is specified in <name> and whose
7031 value is defined by <fmt> which follows the log-format rules (see Custom Log
7032 Format in section 8.2.4). This may be used to send a cookie to a client for
7033 example, or to pass some internal information.
7034 This rule is not final, so it is possible to add other similar rules.
7035 Note that header addition is performed immediately, so one rule might reuse
7036 the resulting header from a previous rule.
Sasha Pachev218f0642014-06-16 12:05:59 -06007037
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007038http-response allow [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06007039
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007040 This stops the evaluation of the rules and lets the response pass the check.
7041 No further "http-response" rules are evaluated for the current section.
Sasha Pachev218f0642014-06-16 12:05:59 -06007042
Jarno Huuskonen251a6b72019-01-04 14:05:02 +02007043http-response cache-store <name> [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06007044
Christopher Faulet87f1f3d2019-07-18 14:51:20 +02007045 See section 6.2 about cache setup.
Sasha Pachev218f0642014-06-16 12:05:59 -06007046
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007047http-response capture <sample> id <id> [ { if | unless } <condition> ]
Sasha Pachev218f0642014-06-16 12:05:59 -06007048
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007049 This captures sample expression <sample> from the response buffer, and
7050 converts it to a string. The resulting string is stored into the next request
7051 "capture" slot, so it will possibly appear next to some captured HTTP
7052 headers. It will then automatically appear in the logs, and it will be
7053 possible to extract it using sample fetch rules to feed it into headers or
7054 anything. Please check section 7.3 (Fetching samples) and
7055 "capture response header" for more information.
Thierry FOURNIER35d70ef2015-08-26 16:21:56 +02007056
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007057 The keyword "id" is the id of the capture slot which is used for storing the
7058 string. The capture slot must be defined in an associated frontend.
7059 This is useful to run captures in backends. The slot id can be declared by a
7060 previous directive "http-response capture" or with the "declare capture"
7061 keyword.
Baptiste Assmann19a69b32020-01-16 14:34:22 +01007062
7063 When using this action in a backend, double check that the relevant
7064 frontend(s) have the required capture slots otherwise, this rule will be
7065 ignored at run time. This can't be detected at configuration parsing time
7066 due to HAProxy's ability to dynamically resolve backend name at runtime.
Thierry FOURNIER35d70ef2015-08-26 16:21:56 +02007067
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007068http-response del-acl(<file-name>) <key fmt> [ { if | unless } <condition> ]
Thierry FOURNIER35d70ef2015-08-26 16:21:56 +02007069
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007070 This is used to delete an entry from an ACL. The ACL must be loaded from a
7071 file (even a dummy empty file). The file name of the ACL to be updated is
7072 passed between parentheses. It takes one argument: <key fmt>, which follows
7073 log-format rules, to collect content of the entry to delete.
7074 It is the equivalent of the "del acl" command from the stats socket, but can
7075 be triggered by an HTTP response.
Willy Tarreauf4c43c12013-06-11 17:01:13 +02007076
Maciej Zdebebdd4c52020-11-20 13:58:48 +00007077http-response del-header <name> [ -m <meth> ] [ { if | unless } <condition> ]
Willy Tarreau9a355ec2013-06-11 17:45:46 +02007078
Maciej Zdebebdd4c52020-11-20 13:58:48 +00007079 This removes all HTTP header fields whose name is specified in <name>. <meth>
7080 is the matching method, applied on the header name. Supported matching methods
7081 are "str" (exact match), "beg" (prefix match), "end" (suffix match), "sub"
7082 (substring match) and "reg" (regex match). If not specified, exact matching
7083 method is used.
Willy Tarreau42cf39e2013-06-11 18:51:32 +02007084
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007085http-response del-map(<file-name>) <key fmt> [ { if | unless } <condition> ]
Willy Tarreau51347ed2013-06-11 19:34:13 +02007086
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007087 This is used to delete an entry from a MAP. The MAP must be loaded from a
7088 file (even a dummy empty file). The file name of the MAP to be updated is
7089 passed between parentheses. It takes one argument: <key fmt>, which follows
7090 log-format rules, to collect content of the entry to delete.
7091 It takes one argument: "file name" It is the equivalent of the "del map"
7092 command from the stats socket, but can be triggered by an HTTP response.
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02007093
Christopher Faulet5cb513a2020-05-13 17:56:56 +02007094http-response deny [deny_status <status>] [ { if | unless } <condition> ]
7095http-response deny [ { status | deny_status } <code>] [content-type <type>]
7096 [ { default-errorfiles | errorfile <file> | errorfiles <name> |
7097 file <file> | lf-file <file> | string <str> | lf-string <fmt> } ]
7098 [ hdr <name> <fmt> ]*
7099 [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02007100
Christopher Faulet5cb513a2020-05-13 17:56:56 +02007101 This stops the evaluation of the rules and immediately rejects the response.
7102 By default an HTTP 502 error is returned. But the response may be customized
7103 using same syntax than "http-response return" rules. Thus, see
Ilya Shipitsin11057a32020-06-21 21:18:27 +05007104 "http-response return" for details. For compatibility purpose, when no
Christopher Faulet5cb513a2020-05-13 17:56:56 +02007105 argument is defined, or only "deny_status", the argument "default-errorfiles"
7106 is implied. It means "http-response deny [deny_status <status>]" is an alias
7107 of "http-response deny [status <status>] default-errorfiles".
Christopher Faulet040c8cd2020-01-13 16:43:45 +01007108 No further "http-response" rules are evaluated.
Christopher Faulet5cb513a2020-05-13 17:56:56 +02007109 See also "http-response return".
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02007110
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007111http-response redirect <rule> [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02007112
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007113 This performs an HTTP redirection based on a redirect rule.
7114 This supports a format string similarly to "http-request redirect" rules,
7115 with the exception that only the "location" type of redirect is possible on
7116 the response. See the "redirect" keyword for the rule's syntax. When a
7117 redirect rule is applied during a response, connections to the server are
7118 closed so that no data can be forwarded from the server to the client.
Thierry FOURNIERe80fada2015-05-26 18:06:31 +02007119
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007120http-response replace-header <name> <regex-match> <replace-fmt>
7121 [ { if | unless } <condition> ]
Thierry FOURNIERe80fada2015-05-26 18:06:31 +02007122
Tim Duesterhus2252beb2019-10-29 00:05:13 +01007123 This works like "http-request replace-header" except that it works on the
7124 server's response instead of the client's request.
William Lallemand86d0df02017-11-24 21:36:45 +01007125
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007126 Example:
7127 http-response replace-header Set-Cookie (C=[^;]*);(.*) \1;ip=%bi;\2
Willy Tarreau51d861a2015-05-22 17:30:48 +02007128
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007129 # applied to:
7130 Set-Cookie: C=1; expires=Tue, 14-Jun-2016 01:40:45 GMT
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02007131
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007132 # outputs:
7133 Set-Cookie: C=1;ip=192.168.1.20; expires=Tue, 14-Jun-2016 01:40:45 GMT
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02007134
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007135 # assuming the backend IP is 192.168.1.20.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02007136
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007137http-response replace-value <name> <regex-match> <replace-fmt>
7138 [ { if | unless } <condition> ]
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02007139
Tim Duesterhus6bd909b2020-01-17 15:53:18 +01007140 This works like "http-request replace-value" except that it works on the
Tim Duesterhus2252beb2019-10-29 00:05:13 +01007141 server's response instead of the client's request.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +02007142
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007143 Example:
7144 http-response replace-value Cache-control ^public$ private
Christopher Faulet85d79c92016-11-09 16:54:56 +01007145
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007146 # applied to:
7147 Cache-Control: max-age=3600, public
Christopher Faulet85d79c92016-11-09 16:54:56 +01007148
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007149 # outputs:
7150 Cache-Control: max-age=3600, private
Christopher Faulet85d79c92016-11-09 16:54:56 +01007151
Christopher Faulet24231ab2020-01-24 17:44:23 +01007152http-response return [status <code>] [content-type <type>]
7153 [ { default-errorfiles | errorfile <file> | errorfiles <name> |
7154 file <file> | lf-file <file> | string <str> | lf-string <fmt> } ]
Christopher Faulet4a2c1422020-01-31 17:36:01 +01007155 [ hdr <name> <value> ]*
Christopher Faulet24231ab2020-01-24 17:44:23 +01007156 [ { if | unless } <condition> ]
7157
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05007158 This stops the evaluation of the rules and immediately returns a response. The
Christopher Faulet24231ab2020-01-24 17:44:23 +01007159 default status code used for the response is 200. It can be optionally
7160 specified as an arguments to "status". The response content-type may also be
Daniel Corbett67a82712020-07-06 23:01:19 -04007161 specified as an argument to "content-type". Finally the response itself may
Christopher Faulet24231ab2020-01-24 17:44:23 +01007162 be defined. If can be a full HTTP response specifying the errorfile to use,
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05007163 or the response payload specifying the file or the string to use. These rules
Christopher Faulet24231ab2020-01-24 17:44:23 +01007164 are followed to create the response :
7165
7166 * If neither the errorfile nor the payload to use is defined, a dummy
7167 response is returned. Only the "status" argument is considered. It can be
7168 any code in the range [200, 599]. The "content-type" argument, if any, is
7169 ignored.
7170
7171 * If "default-errorfiles" argument is set, the proxy's errorfiles are
7172 considered. If the "status" argument is defined, it must be one of the
Daniel Corbett9f0843f2021-05-08 10:50:37 -04007173 status code handled by HAProxy (200, 400, 403, 404, 405, 408, 410, 413,
Christopher Faulete095f312020-12-07 11:22:24 +01007174 425, 429, 500, 501, 502, 503, and 504). The "content-type" argument, if
7175 any, is ignored.
Christopher Faulet24231ab2020-01-24 17:44:23 +01007176
7177 * If a specific errorfile is defined, with an "errorfile" argument, the
7178 corresponding file, containing a full HTTP response, is returned. Only the
7179 "status" argument is considered. It must be one of the status code handled
Daniel Corbett9f0843f2021-05-08 10:50:37 -04007180 by HAProxy (200, 400, 403, 404, 405, 408, 410, 413, 425, 429, 500, 501,
Christopher Faulete095f312020-12-07 11:22:24 +01007181 502, 503, and 504). The "content-type" argument, if any, is ignored.
Christopher Faulet24231ab2020-01-24 17:44:23 +01007182
7183 * If an http-errors section is defined, with an "errorfiles" argument, the
7184 corresponding file in the specified http-errors section, containing a full
7185 HTTP response, is returned. Only the "status" argument is considered. It
Daniel Corbett9f0843f2021-05-08 10:50:37 -04007186 must be one of the status code handled by HAProxy (200, 400, 403, 404, 405,
Christopher Faulete095f312020-12-07 11:22:24 +01007187 408, 410, 413, 425, 429, 500, 501, 502, 503, and 504). The "content-type"
Anthonin Bonnefoy85048f82020-06-22 09:17:01 +02007188 argument, if any, is ignored.
Christopher Faulet24231ab2020-01-24 17:44:23 +01007189
7190 * If a "file" or a "lf-file" argument is specified, the file's content is
7191 used as the response payload. If the file is not empty, its content-type
7192 must be set as argument to "content-type". Otherwise, any "content-type"
7193 argument is ignored. With a "lf-file" argument, the file's content is
7194 evaluated as a log-format string. With a "file" argument, it is considered
7195 as a raw content.
7196
7197 * If a "string" or "lf-string" argument is specified, the defined string is
7198 used as the response payload. The content-type must always be set as
7199 argument to "content-type". With a "lf-string" argument, the string is
7200 evaluated as a log-format string. With a "string" argument, it is
7201 considered as a raw string.
7202
Christopher Faulet4a2c1422020-01-31 17:36:01 +01007203 When the response is not based an errorfile, it is possible to appends HTTP
7204 header fields to the response using "hdr" arguments. Otherwise, all "hdr"
7205 arguments are ignored. For each one, the header name is specified in <name>
7206 and its value is defined by <fmt> which follows the log-format rules.
7207
Christopher Faulet24231ab2020-01-24 17:44:23 +01007208 Note that the generated response must be smaller than a buffer. And to avoid
7209 any warning, when an errorfile or a raw file is loaded, the buffer space
Ilya Shipitsin11057a32020-06-21 21:18:27 +05007210 reserved to the headers rewriting should also be free.
Christopher Faulet24231ab2020-01-24 17:44:23 +01007211
7212 No further "http-response" rules are evaluated.
7213
7214 Example:
Daniel Corbett67a82712020-07-06 23:01:19 -04007215 http-response return errorfile /etc/haproxy/errorfiles/200.http \
Christopher Faulet24231ab2020-01-24 17:44:23 +01007216 if { status eq 404 }
7217
7218 http-response return content-type text/plain \
7219 string "This is the end !" \
7220 if { status eq 500 }
7221
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007222http-response sc-inc-gpc0(<sc-id>) [ { if | unless } <condition> ]
7223http-response sc-inc-gpc1(<sc-id>) [ { if | unless } <condition> ]
Ruoshan Huange4edc6b2016-07-14 15:07:45 +08007224
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007225 This action increments the GPC0 or GPC1 counter according with the sticky
7226 counter designated by <sc-id>. If an error occurs, this action silently fails
7227 and the actions evaluation continues.
Thierry FOURNIER236657b2015-08-19 08:25:14 +02007228
Cédric Dufour0d7712d2019-11-06 18:38:53 +01007229http-response sc-set-gpt0(<sc-id>) { <int> | <expr> }
7230 [ { if | unless } <condition> ]
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +02007231
Cédric Dufour0d7712d2019-11-06 18:38:53 +01007232 This action sets the 32-bit unsigned GPT0 tag according to the sticky counter
7233 designated by <sc-id> and the value of <int>/<expr>. The expected result is a
7234 boolean. If an error occurs, this action silently fails and the actions
7235 evaluation continues.
Frédéric Lécaille6778b272018-01-29 15:22:53 +01007236
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007237http-response send-spoe-group [ { if | unless } <condition> ]
Willy Tarreau2d392c22015-08-24 01:43:45 +02007238
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007239 This action is used to trigger sending of a group of SPOE messages. To do so,
7240 the SPOE engine used to send messages must be defined, as well as the SPOE
7241 group to send. Of course, the SPOE engine must refer to an existing SPOE
7242 filter. If not engine name is provided on the SPOE filter line, the SPOE
7243 agent name must be used.
Christopher Faulet76c09ef2017-09-21 11:03:52 +02007244
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007245 Arguments:
7246 <engine-name> The SPOE engine name.
Christopher Faulet76c09ef2017-09-21 11:03:52 +02007247
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007248 <group-name> The SPOE group name as specified in the engine
7249 configuration.
Christopher Faulet76c09ef2017-09-21 11:03:52 +02007250
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007251http-response set-header <name> <fmt> [ { if | unless } <condition> ]
Willy Tarreaue365c0b2013-06-11 16:06:12 +02007252
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007253 This does the same as "add-header" except that the header name is first
7254 removed if it existed. This is useful when passing security information to
7255 the server, where the header must not be manipulated by external users.
Willy Tarreaue365c0b2013-06-11 16:06:12 +02007256
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007257http-response set-log-level <level> [ { if | unless } <condition> ]
7258
7259 This is used to change the log level of the current request when a certain
7260 condition is met. Valid levels are the 8 syslog levels (see the "log"
7261 keyword) plus the special level "silent" which disables logging for this
7262 request. This rule is not final so the last matching rule wins. This rule can
7263 be useful to disable health checks coming from another equipment.
7264
7265http-response set-map(<file-name>) <key fmt> <value fmt>
7266
7267 This is used to add a new entry into a MAP. The MAP must be loaded from a
7268 file (even a dummy empty file). The file name of the MAP to be updated is
7269 passed between parentheses. It takes 2 arguments: <key fmt>, which follows
7270 log-format rules, used to collect MAP key, and <value fmt>, which follows
7271 log-format rules, used to collect content for the new entry. It performs a
7272 lookup in the MAP before insertion, to avoid duplicated (or more) values.
7273 This lookup is done by a linear search and can be expensive with large lists!
7274 It is the equivalent of the "set map" command from the stats socket, but can
7275 be triggered by an HTTP response.
7276
7277http-response set-mark <mark> [ { if | unless } <condition> ]
7278
7279 This is used to set the Netfilter MARK on all packets sent to the client to
7280 the value passed in <mark> on platforms which support it. This value is an
7281 unsigned 32 bit value which can be matched by netfilter and by the routing
7282 table. It can be expressed both in decimal or hexadecimal format (prefixed
7283 by "0x"). This can be useful to force certain packets to take a different
7284 route (for example a cheaper network path for bulk downloads). This works on
7285 Linux kernels 2.6.32 and above and requires admin privileges.
7286
7287http-response set-nice <nice> [ { if | unless } <condition> ]
7288
7289 This sets the "nice" factor of the current request being processed.
7290 It only has effect against the other requests being processed at the same
7291 time. The default value is 0, unless altered by the "nice" setting on the
7292 "bind" line. The accepted range is -1024..1024. The higher the value, the
7293 nicest the request will be. Lower values will make the request more important
7294 than other ones. This can be useful to improve the speed of some requests, or
7295 lower the priority of non-important requests. Using this setting without
7296 prior experimentation can cause some major slowdown.
7297
7298http-response set-status <status> [reason <str>]
7299 [ { if | unless } <condition> ]
7300
7301 This replaces the response status code with <status> which must be an integer
7302 between 100 and 999. Optionally, a custom reason text can be provided defined
7303 by <str>, or the default reason for the specified code will be used as a
7304 fallback.
Ruoshan Huangeb5a3632015-12-08 21:00:23 +08007305
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02007306 Example:
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007307 # return "431 Request Header Fields Too Large"
7308 http-response set-status 431
7309 # return "503 Slow Down", custom reason
7310 http-response set-status 503 reason "Slow Down".
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02007311
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007312http-response set-tos <tos> [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02007313
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007314 This is used to set the TOS or DSCP field value of packets sent to the client
7315 to the value passed in <tos> on platforms which support this.
7316 This value represents the whole 8 bits of the IP TOS field, and can be
7317 expressed both in decimal or hexadecimal format (prefixed by "0x"). Note that
7318 only the 6 higher bits are used in DSCP or TOS, and the two lower bits are
7319 always 0. This can be used to adjust some routing behavior on border routers
7320 based on some information from the request.
7321
7322 See RFC 2474, 2597, 3260 and 4594 for more information.
7323
7324http-response set-var(<var-name>) <expr> [ { if | unless } <condition> ]
7325
7326 This is used to set the contents of a variable. The variable is declared
7327 inline.
7328
7329 Arguments:
7330 <var-name> The name of the variable starts with an indication about its
7331 scope. The scopes allowed are:
7332 "proc" : the variable is shared with the whole process
7333 "sess" : the variable is shared with the whole session
7334 "txn" : the variable is shared with the transaction
7335 (request and response)
7336 "req" : the variable is shared only during request
7337 processing
7338 "res" : the variable is shared only during response
7339 processing
7340 This prefix is followed by a name. The separator is a '.'.
7341 The name may only contain characters 'a-z', 'A-Z', '0-9', '.'
7342 and '_'.
7343
7344 <expr> Is a standard HAProxy expression formed by a sample-fetch
7345 followed by some converters.
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02007346
7347 Example:
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007348 http-response set-var(sess.last_redir) res.hdr(location)
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02007349
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007350http-response silent-drop [ { if | unless } <condition> ]
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02007351
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007352 This stops the evaluation of the rules and makes the client-facing connection
7353 suddenly disappear using a system-dependent way that tries to prevent the
7354 client from being notified. The effect it then that the client still sees an
7355 established connection while there's none on HAProxy. The purpose is to
7356 achieve a comparable effect to "tarpit" except that it doesn't use any local
7357 resource at all on the machine running HAProxy. It can resist much higher
7358 loads than "tarpit", and slow down stronger attackers. It is important to
7359 understand the impact of using this mechanism. All stateful equipment placed
7360 between the client and HAProxy (firewalls, proxies, load balancers) will also
7361 keep the established connection for a long time and may suffer from this
7362 action.
7363 On modern Linux systems running with enough privileges, the TCP_REPAIR socket
7364 option is used to block the emission of a TCP reset. On other systems, the
7365 socket's TTL is reduced to 1 so that the TCP reset doesn't pass the first
7366 router, though it's still delivered to local networks. Do not use it unless
7367 you fully understand how it works.
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02007368
Christopher Faulet46f95542019-12-20 10:07:22 +01007369http-response strict-mode { on | off }
7370
7371 This enables or disables the strict rewriting mode for following rules. It
7372 does not affect rules declared before it and it is only applicable on rules
7373 performing a rewrite on the responses. When the strict mode is enabled, any
7374 rewrite failure triggers an internal error. Otherwise, such errors are
7375 silently ignored. The purpose of the strict rewriting mode is to make some
Ilya Shipitsin8525fd92020-02-29 12:34:59 +05007376 rewrites optional while others must be performed to continue the response
Christopher Faulet46f95542019-12-20 10:07:22 +01007377 processing.
7378
Christopher Faulet1aea50e2020-01-17 16:03:53 +01007379 By default, the strict rewriting mode is enabled. Its value is also reset
Christopher Faulet46f95542019-12-20 10:07:22 +01007380 when a ruleset evaluation ends. So, for instance, if you change the mode on
Daniel Corbett67a82712020-07-06 23:01:19 -04007381 the backend, the default mode is restored when HAProxy starts the frontend
Christopher Faulet46f95542019-12-20 10:07:22 +01007382 rules evaluation.
7383
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007384http-response track-sc0 <key> [table <table>] [ { if | unless } <condition> ]
7385http-response track-sc1 <key> [table <table>] [ { if | unless } <condition> ]
7386http-response track-sc2 <key> [table <table>] [ { if | unless } <condition> ]
Willy Tarreaue365c0b2013-06-11 16:06:12 +02007387
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007388 This enables tracking of sticky counters from current response. Please refer
7389 to "http-request track-sc" for a complete description. The only difference
7390 from "http-request track-sc" is the <key> sample expression can only make use
7391 of samples in response (e.g. res.*, status etc.) and samples below Layer 6
7392 (e.g. SSL-related samples, see section 7.3.4). If the sample is not
Daniel Corbett9f0843f2021-05-08 10:50:37 -04007393 supported, HAProxy will fail and warn while parsing the config.
Cyril Bonté6c81d5f2018-10-17 00:14:51 +02007394
7395http-response unset-var(<var-name>) [ { if | unless } <condition> ]
7396
7397 This is used to unset a variable. See "http-response set-var" for details
7398 about <var-name>.
7399
7400 Example:
7401 http-response unset-var(sess.last_redir)
7402
Christopher Faulet021a8e42021-03-29 10:46:38 +02007403http-response wait-for-body time <time> [ at-least <bytes> ]
7404 [ { if | unless } <condition> ]
7405
7406 This will delay the processing of the response waiting for the payload for at
7407 most <time> milliseconds. if "at-least" argument is specified, HAProxy stops
7408 to wait the payload when the first <bytes> bytes are received. 0 means no
7409 limit, it is the default value. Regardless the "at-least" argument value,
7410 HAProxy stops to wait if the whole payload is received or if the response
7411 buffer is full.
7412
7413 Arguments :
7414
7415 <time> is mandatory. It is the maximum time to wait for the body. It
7416 follows the HAProxy time format and is expressed in milliseconds.
7417
7418 <bytes> is optional. It is the minimum payload size to receive to stop to
Ilya Shipitsinb2be9a12021-04-24 13:25:42 +05007419 wait. It follows the HAProxy size format and is expressed in
Christopher Faulet021a8e42021-03-29 10:46:38 +02007420 bytes.
7421
7422 Example:
7423 http-response wait-for-body time 1s at-least 10k
Baptiste Assmann5ecb77f2013-10-06 23:24:13 +02007424
Willy Tarreau30631952015-08-06 15:05:24 +02007425http-reuse { never | safe | aggressive | always }
7426 Declare how idle HTTP connections may be shared between requests
7427
7428 May be used in sections: defaults | frontend | listen | backend
7429 yes | no | yes | yes
7430
Daniel Corbett9f0843f2021-05-08 10:50:37 -04007431 By default, a connection established between HAProxy and the backend server
Olivier Houchard86006a52018-12-14 19:37:49 +01007432 which is considered safe for reuse is moved back to the server's idle
7433 connections pool so that any other request can make use of it. This is the
7434 "safe" strategy below.
Willy Tarreau30631952015-08-06 15:05:24 +02007435
7436 The argument indicates the desired connection reuse strategy :
7437
Olivier Houchard86006a52018-12-14 19:37:49 +01007438 - "never" : idle connections are never shared between sessions. This mode
7439 may be enforced to cancel a different strategy inherited from
7440 a defaults section or for troubleshooting. For example, if an
7441 old bogus application considers that multiple requests over
7442 the same connection come from the same client and it is not
7443 possible to fix the application, it may be desirable to
7444 disable connection sharing in a single backend. An example of
Daniel Corbett9f0843f2021-05-08 10:50:37 -04007445 such an application could be an old HAProxy using cookie
Olivier Houchard86006a52018-12-14 19:37:49 +01007446 insertion in tunnel mode and not checking any request past the
7447 first one.
Willy Tarreau30631952015-08-06 15:05:24 +02007448
Olivier Houchard86006a52018-12-14 19:37:49 +01007449 - "safe" : this is the default and the recommended strategy. The first
7450 request of a session is always sent over its own connection,
7451 and only subsequent requests may be dispatched over other
7452 existing connections. This ensures that in case the server
7453 closes the connection when the request is being sent, the
7454 browser can decide to silently retry it. Since it is exactly
7455 equivalent to regular keep-alive, there should be no side
Amaury Denoyelle27179652020-10-14 18:17:12 +02007456 effects. There is also a special handling for the connections
7457 using protocols subject to Head-of-line blocking (backend with
7458 h2 or fcgi). In this case, when at least one stream is
7459 processed, the used connection is reserved to handle streams
7460 of the same session. When no more streams are processed, the
7461 connection is released and can be reused.
Willy Tarreau30631952015-08-06 15:05:24 +02007462
7463 - "aggressive" : this mode may be useful in webservices environments where
7464 all servers are not necessarily known and where it would be
7465 appreciable to deliver most first requests over existing
7466 connections. In this case, first requests are only delivered
7467 over existing connections that have been reused at least once,
7468 proving that the server correctly supports connection reuse.
7469 It should only be used when it's sure that the client can
7470 retry a failed request once in a while and where the benefit
Michael Prokop4438c602019-05-24 10:25:45 +02007471 of aggressive connection reuse significantly outweighs the
Willy Tarreau30631952015-08-06 15:05:24 +02007472 downsides of rare connection failures.
7473
7474 - "always" : this mode is only recommended when the path to the server is
7475 known for never breaking existing connections quickly after
7476 releasing them. It allows the first request of a session to be
7477 sent to an existing connection. This can provide a significant
7478 performance increase over the "safe" strategy when the backend
7479 is a cache farm, since such components tend to show a
Davor Ocelice9ed2812017-12-25 17:49:28 +01007480 consistent behavior and will benefit from the connection
Willy Tarreau30631952015-08-06 15:05:24 +02007481 sharing. It is recommended that the "http-keep-alive" timeout
7482 remains low in this mode so that no dead connections remain
7483 usable. In most cases, this will lead to the same performance
7484 gains as "aggressive" but with more risks. It should only be
7485 used when it improves the situation over "aggressive".
7486
7487 When http connection sharing is enabled, a great care is taken to respect the
Amaury Denoyelled773a4e2021-01-29 15:18:49 +01007488 connection properties and compatibility. Indeed, some properties are specific
7489 and it is not possibly to reuse it blindly. Those are the SSL SNI, source
7490 and destination address and proxy protocol block. A connection is reused only
7491 if it shares the same set of properties with the request.
Willy Tarreau30631952015-08-06 15:05:24 +02007492
Amaury Denoyelled773a4e2021-01-29 15:18:49 +01007493 Also note that connections with certain bogus authentication schemes (relying
7494 on the connection) like NTLM are marked private and never shared.
Willy Tarreau30631952015-08-06 15:05:24 +02007495
Lukas Tribuse8adfeb2019-11-06 11:50:25 +01007496 A connection pool is involved and configurable with "pool-max-conn".
Willy Tarreau30631952015-08-06 15:05:24 +02007497
7498 Note: connection reuse improves the accuracy of the "server maxconn" setting,
7499 because almost no new connection will be established while idle connections
7500 remain available. This is particularly true with the "always" strategy.
7501
7502 See also : "option http-keep-alive", "server maxconn"
7503
7504
Mark Lamourinec2247f02012-01-04 13:02:01 -05007505http-send-name-header [<header>]
7506 Add the server name to a request. Use the header string given by <header>
Mark Lamourinec2247f02012-01-04 13:02:01 -05007507 May be used in sections: defaults | frontend | listen | backend
7508 yes | no | yes | yes
Mark Lamourinec2247f02012-01-04 13:02:01 -05007509 Arguments :
Mark Lamourinec2247f02012-01-04 13:02:01 -05007510 <header> The header string to use to send the server name
7511
Willy Tarreau81bef7e2019-10-07 14:58:02 +02007512 The "http-send-name-header" statement causes the header field named <header>
7513 to be set to the name of the target server at the moment the request is about
7514 to be sent on the wire. Any existing occurrences of this header are removed.
7515 Upon retries and redispatches, the header field is updated to always reflect
7516 the server being attempted to connect to. Given that this header is modified
7517 very late in the connection setup, it may have unexpected effects on already
7518 modified headers. For example using it with transport-level header such as
7519 connection, content-length, transfer-encoding and so on will likely result in
7520 invalid requests being sent to the server. Additionally it has been reported
7521 that this directive is currently being used as a way to overwrite the Host
7522 header field in outgoing requests; while this trick has been known to work
7523 as a side effect of the feature for some time, it is not officially supported
7524 and might possibly not work anymore in a future version depending on the
7525 technical difficulties this feature induces. A long-term solution instead
7526 consists in fixing the application which required this trick so that it binds
7527 to the correct host name.
Mark Lamourinec2247f02012-01-04 13:02:01 -05007528
7529 See also : "server"
7530
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01007531id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02007532 Set a persistent ID to a proxy.
7533 May be used in sections : defaults | frontend | listen | backend
7534 no | yes | yes | yes
7535 Arguments : none
7536
7537 Set a persistent ID for the proxy. This ID must be unique and positive.
7538 An unused ID will automatically be assigned if unset. The first assigned
7539 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01007540
7541
Cyril Bonté0d4bf012010-04-25 23:21:46 +02007542ignore-persist { if | unless } <condition>
7543 Declare a condition to ignore persistence
7544 May be used in sections: defaults | frontend | listen | backend
Cyril Bonté4288c5a2018-03-12 22:02:59 +01007545 no | no | yes | yes
Cyril Bonté0d4bf012010-04-25 23:21:46 +02007546
7547 By default, when cookie persistence is enabled, every requests containing
7548 the cookie are unconditionally persistent (assuming the target server is up
7549 and running).
7550
7551 The "ignore-persist" statement allows one to declare various ACL-based
7552 conditions which, when met, will cause a request to ignore persistence.
7553 This is sometimes useful to load balance requests for static files, which
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03007554 often don't require persistence. This can also be used to fully disable
Cyril Bonté0d4bf012010-04-25 23:21:46 +02007555 persistence for a specific User-Agent (for example, some web crawler bots).
7556
Cyril Bonté0d4bf012010-04-25 23:21:46 +02007557 The persistence is ignored when an "if" condition is met, or unless an
7558 "unless" condition is met.
7559
Jarno Huuskonene5ae7022017-04-03 14:36:21 +03007560 Example:
7561 acl url_static path_beg /static /images /img /css
7562 acl url_static path_end .gif .png .jpg .css .js
7563 ignore-persist if url_static
7564
Cyril Bonté0d4bf012010-04-25 23:21:46 +02007565 See also : "force-persist", "cookie", and section 7 about ACL usage.
7566
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02007567load-server-state-from-file { global | local | none }
7568 Allow seamless reload of HAProxy
7569 May be used in sections: defaults | frontend | listen | backend
7570 yes | no | yes | yes
7571
7572 This directive points HAProxy to a file where server state from previous
7573 running process has been saved. That way, when starting up, before handling
7574 traffic, the new process can apply old states to servers exactly has if no
Davor Ocelice9ed2812017-12-25 17:49:28 +01007575 reload occurred. The purpose of the "load-server-state-from-file" directive is
Daniel Corbett9f0843f2021-05-08 10:50:37 -04007576 to tell HAProxy which file to use. For now, only 2 arguments to either prevent
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02007577 loading state or load states from a file containing all backends and servers.
7578 The state file can be generated by running the command "show servers state"
7579 over the stats socket and redirect output.
7580
Davor Ocelice9ed2812017-12-25 17:49:28 +01007581 The format of the file is versioned and is very specific. To understand it,
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02007582 please read the documentation of the "show servers state" command (chapter
Willy Tarreau1af20c72017-06-23 16:01:14 +02007583 9.3 of Management Guide).
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02007584
7585 Arguments:
7586 global load the content of the file pointed by the global directive
7587 named "server-state-file".
7588
7589 local load the content of the file pointed by the directive
7590 "server-state-file-name" if set. If not set, then the backend
7591 name is used as a file name.
7592
7593 none don't load any stat for this backend
7594
7595 Notes:
Willy Tarreaue5a60682016-11-09 14:54:53 +01007596 - server's IP address is preserved across reloads by default, but the
7597 order can be changed thanks to the server's "init-addr" setting. This
7598 means that an IP address change performed on the CLI at run time will
Davor Ocelice9ed2812017-12-25 17:49:28 +01007599 be preserved, and that any change to the local resolver (e.g. /etc/hosts)
Willy Tarreaue5a60682016-11-09 14:54:53 +01007600 will possibly not have any effect if the state file is in use.
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02007601
7602 - server's weight is applied from previous running process unless it has
7603 has changed between previous and new configuration files.
7604
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +02007605 Example: Minimal configuration
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02007606
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +02007607 global
7608 stats socket /tmp/socket
7609 server-state-file /tmp/server_state
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02007610
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +02007611 defaults
7612 load-server-state-from-file global
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02007613
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +02007614 backend bk
7615 server s1 127.0.0.1:22 check weight 11
7616 server s2 127.0.0.1:22 check weight 12
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02007617
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02007618
7619 Then one can run :
7620
7621 socat /tmp/socket - <<< "show servers state" > /tmp/server_state
7622
7623 Content of the file /tmp/server_state would be like this:
7624
7625 1
7626 # <field names skipped for the doc example>
7627 1 bk 1 s1 127.0.0.1 2 0 11 11 4 6 3 4 6 0 0
7628 1 bk 2 s2 127.0.0.1 2 0 12 12 4 6 3 4 6 0 0
7629
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +02007630 Example: Minimal configuration
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02007631
7632 global
7633 stats socket /tmp/socket
7634 server-state-base /etc/haproxy/states
7635
7636 defaults
7637 load-server-state-from-file local
7638
7639 backend bk
7640 server s1 127.0.0.1:22 check weight 11
7641 server s2 127.0.0.1:22 check weight 12
7642
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +02007643
Baptiste Assmann01c6cc32015-08-23 11:45:29 +02007644 Then one can run :
7645
7646 socat /tmp/socket - <<< "show servers state bk" > /etc/haproxy/states/bk
7647
7648 Content of the file /etc/haproxy/states/bk would be like this:
7649
7650 1
7651 # <field names skipped for the doc example>
7652 1 bk 1 s1 127.0.0.1 2 0 11 11 4 6 3 4 6 0 0
7653 1 bk 2 s2 127.0.0.1 2 0 12 12 4 6 3 4 6 0 0
7654
7655 See also: "server-state-file", "server-state-file-name", and
7656 "show servers state"
7657
Cyril Bonté0d4bf012010-04-25 23:21:46 +02007658
Willy Tarreau2769aa02007-12-27 18:26:09 +01007659log global
Jan Wagner3e678602020-12-17 22:22:32 +01007660log <address> [len <length>] [format <format>] [sample <ranges>:<sample_size>]
Frédéric Lécailled690dfa2019-04-25 10:52:17 +02007661 <facility> [<level> [<minlevel>]]
William Lallemand0f99e342011-10-12 17:50:54 +02007662no log
Willy Tarreau2769aa02007-12-27 18:26:09 +01007663 Enable per-instance logging of events and traffic.
7664 May be used in sections : defaults | frontend | listen | backend
7665 yes | yes | yes | yes
William Lallemand0f99e342011-10-12 17:50:54 +02007666
7667 Prefix :
7668 no should be used when the logger list must be flushed. For example,
7669 if you don't want to inherit from the default logger list. This
7670 prefix does not allow arguments.
7671
Willy Tarreau2769aa02007-12-27 18:26:09 +01007672 Arguments :
7673 global should be used when the instance's logging parameters are the
7674 same as the global ones. This is the most common usage. "global"
7675 replaces <address>, <facility> and <level> with those of the log
7676 entries found in the "global" section. Only one "log global"
7677 statement may be used per instance, and this form takes no other
7678 parameter.
7679
7680 <address> indicates where to send the logs. It takes the same format as
7681 for the "global" section's logs, and can be one of :
7682
7683 - An IPv4 address optionally followed by a colon (':') and a UDP
7684 port. If no port is specified, 514 is used by default (the
7685 standard syslog port).
7686
David du Colombier24bb5f52011-03-17 10:40:23 +01007687 - An IPv6 address followed by a colon (':') and optionally a UDP
7688 port. If no port is specified, 514 is used by default (the
7689 standard syslog port).
7690
Willy Tarreau2769aa02007-12-27 18:26:09 +01007691 - A filesystem path to a UNIX domain socket, keeping in mind
7692 considerations for chroot (be sure the path is accessible
7693 inside the chroot) and uid/gid (be sure the path is
Davor Ocelice9ed2812017-12-25 17:49:28 +01007694 appropriately writable).
Willy Tarreau2769aa02007-12-27 18:26:09 +01007695
Willy Tarreau5a32ecc2018-11-12 07:34:59 +01007696 - A file descriptor number in the form "fd@<number>", which may
7697 point to a pipe, terminal, or socket. In this case unbuffered
7698 logs are used and one writev() call per log is performed. This
7699 is a bit expensive but acceptable for most workloads. Messages
7700 sent this way will not be truncated but may be dropped, in
7701 which case the DroppedLogs counter will be incremented. The
7702 writev() call is atomic even on pipes for messages up to
7703 PIPE_BUF size, which POSIX recommends to be at least 512 and
7704 which is 4096 bytes on most modern operating systems. Any
7705 larger message may be interleaved with messages from other
7706 processes. Exceptionally for debugging purposes the file
7707 descriptor may also be directed to a file, but doing so will
Daniel Corbett9f0843f2021-05-08 10:50:37 -04007708 significantly slow HAProxy down as non-blocking calls will be
Willy Tarreau5a32ecc2018-11-12 07:34:59 +01007709 ignored. Also there will be no way to purge nor rotate this
7710 file without restarting the process. Note that the configured
7711 syslog format is preserved, so the output is suitable for use
Willy Tarreauc1b06452018-11-12 11:57:56 +01007712 with a TCP syslog server. See also the "short" and "raw"
7713 formats below.
Willy Tarreau5a32ecc2018-11-12 07:34:59 +01007714
7715 - "stdout" / "stderr", which are respectively aliases for "fd@1"
7716 and "fd@2", see above.
7717
Willy Tarreauc046d162019-08-30 15:24:59 +02007718 - A ring buffer in the form "ring@<name>", which will correspond
7719 to an in-memory ring buffer accessible over the CLI using the
7720 "show events" command, which will also list existing rings and
7721 their sizes. Such buffers are lost on reload or restart but
7722 when used as a complement this can help troubleshooting by
7723 having the logs instantly available.
7724
Emeric Brun94aab062021-04-02 10:41:36 +02007725 - An explicit stream address prefix such as "tcp@","tcp6@",
7726 "tcp4@" or "uxst@" will allocate an implicit ring buffer with
7727 a stream forward server targeting the given address.
7728
Willy Tarreau5a32ecc2018-11-12 07:34:59 +01007729 You may want to reference some environment variables in the
7730 address parameter, see section 2.3 about environment variables.
Willy Tarreaudad36a32013-03-11 01:20:04 +01007731
Willy Tarreau18324f52014-06-27 18:10:07 +02007732 <length> is an optional maximum line length. Log lines larger than this
7733 value will be truncated before being sent. The reason is that
7734 syslog servers act differently on log line length. All servers
7735 support the default value of 1024, but some servers simply drop
7736 larger lines while others do log them. If a server supports long
7737 lines, it may make sense to set this value here in order to avoid
7738 truncating long lines. Similarly, if a server drops long lines,
7739 it is preferable to truncate them before sending them. Accepted
7740 values are 80 to 65535 inclusive. The default value of 1024 is
7741 generally fine for all standard usages. Some specific cases of
Davor Ocelice9ed2812017-12-25 17:49:28 +01007742 long captures or JSON-formatted logs may require larger values.
Willy Tarreau18324f52014-06-27 18:10:07 +02007743
Frédéric Lécailled690dfa2019-04-25 10:52:17 +02007744 <ranges> A list of comma-separated ranges to identify the logs to sample.
7745 This is used to balance the load of the logs to send to the log
7746 server. The limits of the ranges cannot be null. They are numbered
7747 from 1. The size or period (in number of logs) of the sample must
7748 be set with <sample_size> parameter.
7749
7750 <sample_size>
7751 The size of the sample in number of logs to consider when balancing
7752 their logging loads. It is used to balance the load of the logs to
7753 send to the syslog server. This size must be greater or equal to the
7754 maximum of the high limits of the ranges.
7755 (see also <ranges> parameter).
7756
Willy Tarreauadb345d2018-11-12 07:56:13 +01007757 <format> is the log format used when generating syslog messages. It may be
7758 one of the following :
7759
Emeric Brun0237c4e2020-11-27 16:24:34 +01007760 local Analog to rfc3164 syslog message format except that hostname
7761 field is stripped. This is the default.
7762 Note: option "log-send-hostname" switches the default to
7763 rfc3164.
7764
7765 rfc3164 The RFC3164 syslog message format.
Willy Tarreauadb345d2018-11-12 07:56:13 +01007766 (https://tools.ietf.org/html/rfc3164)
7767
7768 rfc5424 The RFC5424 syslog message format.
7769 (https://tools.ietf.org/html/rfc5424)
7770
Emeric Brun54648852020-07-06 15:54:06 +02007771 priority A message containing only a level plus syslog facility between
7772 angle brackets such as '<63>', followed by the text. The PID,
7773 date, time, process name and system name are omitted. This is
7774 designed to be used with a local log server.
7775
Willy Tarreaue8746a02018-11-12 08:45:00 +01007776 short A message containing only a level between angle brackets such as
7777 '<3>', followed by the text. The PID, date, time, process name
7778 and system name are omitted. This is designed to be used with a
7779 local log server. This format is compatible with what the
7780 systemd logger consumes.
7781
Emeric Brun54648852020-07-06 15:54:06 +02007782 timed A message containing only a level between angle brackets such as
7783 '<3>', followed by ISO date and by the text. The PID, process
7784 name and system name are omitted. This is designed to be
7785 used with a local log server.
7786
7787 iso A message containing only the ISO date, followed by the text.
7788 The PID, process name and system name are omitted. This is
7789 designed to be used with a local log server.
7790
Willy Tarreauc1b06452018-11-12 11:57:56 +01007791 raw A message containing only the text. The level, PID, date, time,
7792 process name and system name are omitted. This is designed to
7793 be used in containers or during development, where the severity
7794 only depends on the file descriptor used (stdout/stderr).
7795
Willy Tarreau2769aa02007-12-27 18:26:09 +01007796 <facility> must be one of the 24 standard syslog facilities :
7797
Willy Tarreaue8746a02018-11-12 08:45:00 +01007798 kern user mail daemon auth syslog lpr news
7799 uucp cron auth2 ftp ntp audit alert cron2
7800 local0 local1 local2 local3 local4 local5 local6 local7
7801
Willy Tarreauc1b06452018-11-12 11:57:56 +01007802 Note that the facility is ignored for the "short" and "raw"
7803 formats, but still required as a positional field. It is
7804 recommended to use "daemon" in this case to make it clear that
7805 it's only supposed to be used locally.
Willy Tarreau2769aa02007-12-27 18:26:09 +01007806
7807 <level> is optional and can be specified to filter outgoing messages. By
7808 default, all messages are sent. If a level is specified, only
7809 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02007810 will be sent. An optional minimum level can be specified. If it
7811 is set, logs emitted with a more severe level than this one will
7812 be capped to this level. This is used to avoid sending "emerg"
7813 messages on all terminals on some default syslog configurations.
7814 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01007815
7816 emerg alert crit err warning notice info debug
7817
William Lallemand0f99e342011-10-12 17:50:54 +02007818 It is important to keep in mind that it is the frontend which decides what to
7819 log from a connection, and that in case of content switching, the log entries
7820 from the backend will be ignored. Connections are logged at level "info".
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007821
7822 However, backend log declaration define how and where servers status changes
7823 will be logged. Level "notice" will be used to indicate a server going up,
7824 "warning" will be used for termination signals and definitive service
7825 termination, and "alert" will be used for when a server goes down.
7826
7827 Note : According to RFC3164, messages are truncated to 1024 bytes before
7828 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01007829
7830 Example :
7831 log global
Willy Tarreauc1b06452018-11-12 11:57:56 +01007832 log stdout format short daemon # send log to systemd
7833 log stdout format raw daemon # send everything to stdout
7834 log stderr format raw daemon notice # send important events to stderr
Willy Tarreauf7edefa2009-05-10 17:20:05 +02007835 log 127.0.0.1:514 local0 notice # only send important events
Emeric Brun94aab062021-04-02 10:41:36 +02007836 log tcp@127.0.0.1:514 local0 notice notice # same but limit output
7837 # level and send in tcp
William Lallemandb2f07452015-05-12 14:27:13 +02007838 log "${LOCAL_SYSLOG}:514" local0 notice # send to local server
Willy Tarreaudad36a32013-03-11 01:20:04 +01007839
Willy Tarreau2769aa02007-12-27 18:26:09 +01007840
William Lallemand48940402012-01-30 16:47:22 +01007841log-format <string>
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01007842 Specifies the log format string to use for traffic logs
7843 May be used in sections: defaults | frontend | listen | backend
7844 yes | yes | yes | no
William Lallemand48940402012-01-30 16:47:22 +01007845
Willy Tarreaufb4e7ea2015-01-07 14:55:17 +01007846 This directive specifies the log format string that will be used for all logs
7847 resulting from traffic passing through the frontend using this line. If the
7848 directive is used in a defaults section, all subsequent frontends will use
7849 the same log format. Please see section 8.2.4 which covers the log format
7850 string in depth.
William Lallemand48940402012-01-30 16:47:22 +01007851
Guillaume de Lafond29f45602017-03-31 19:52:15 +02007852 "log-format" directive overrides previous "option tcplog", "log-format" and
7853 "option httplog" directives.
7854
Dragan Dosen7ad31542015-09-28 17:16:47 +02007855log-format-sd <string>
7856 Specifies the RFC5424 structured-data log format string
7857 May be used in sections: defaults | frontend | listen | backend
7858 yes | yes | yes | no
7859
7860 This directive specifies the RFC5424 structured-data log format string that
7861 will be used for all logs resulting from traffic passing through the frontend
7862 using this line. If the directive is used in a defaults section, all
7863 subsequent frontends will use the same log format. Please see section 8.2.4
7864 which covers the log format string in depth.
7865
7866 See https://tools.ietf.org/html/rfc5424#section-6.3 for more information
7867 about the RFC5424 structured-data part.
7868
7869 Note : This log format string will be used only for loggers that have set
7870 log format to "rfc5424".
7871
7872 Example :
7873 log-format-sd [exampleSDID@1234\ bytes=\"%B\"\ status=\"%ST\"]
7874
7875
Willy Tarreau094af4e2015-01-07 15:03:42 +01007876log-tag <string>
7877 Specifies the log tag to use for all outgoing logs
7878 May be used in sections: defaults | frontend | listen | backend
7879 yes | yes | yes | yes
7880
7881 Sets the tag field in the syslog header to this string. It defaults to the
7882 log-tag set in the global section, otherwise the program name as launched
Daniel Corbett9f0843f2021-05-08 10:50:37 -04007883 from the command line, which usually is "HAProxy". Sometimes it can be useful
Willy Tarreau094af4e2015-01-07 15:03:42 +01007884 to differentiate between multiple processes running on the same host, or to
7885 differentiate customer instances running in the same process. In the backend,
7886 logs about servers up/down will use this tag. As a hint, it can be convenient
7887 to set a log-tag related to a hosted customer in a defaults section then put
7888 all the frontends and backends for that customer, then start another customer
7889 in a new defaults section. See also the global "log-tag" directive.
Willy Tarreau2769aa02007-12-27 18:26:09 +01007890
Willy Tarreauc35362a2014-04-25 13:58:37 +02007891max-keep-alive-queue <value>
7892 Set the maximum server queue size for maintaining keep-alive connections
7893 May be used in sections: defaults | frontend | listen | backend
7894 yes | no | yes | yes
7895
7896 HTTP keep-alive tries to reuse the same server connection whenever possible,
7897 but sometimes it can be counter-productive, for example if a server has a lot
7898 of connections while other ones are idle. This is especially true for static
7899 servers.
7900
7901 The purpose of this setting is to set a threshold on the number of queued
Daniel Corbett9f0843f2021-05-08 10:50:37 -04007902 connections at which HAProxy stops trying to reuse the same server and prefers
Willy Tarreauc35362a2014-04-25 13:58:37 +02007903 to find another one. The default value, -1, means there is no limit. A value
7904 of zero means that keep-alive requests will never be queued. For very close
7905 servers which can be reached with a low latency and which are not sensible to
Davor Ocelice9ed2812017-12-25 17:49:28 +01007906 breaking keep-alive, a low value is recommended (e.g. local static server can
Willy Tarreauc35362a2014-04-25 13:58:37 +02007907 use a value of 10 or less). For remote servers suffering from a high latency,
7908 higher values might be needed to cover for the latency and/or the cost of
7909 picking a different server.
7910
7911 Note that this has no impact on responses which are maintained to the same
7912 server consecutively to a 401 response. They will still go to the same server
7913 even if they have to be queued.
7914
7915 See also : "option http-server-close", "option prefer-last-server", server
7916 "maxconn" and cookie persistence.
7917
Olivier Houcharda4d4fdf2018-12-14 19:27:06 +01007918max-session-srv-conns <nb>
7919 Set the maximum number of outgoing connections we can keep idling for a given
7920 client session. The default is 5 (it precisely equals MAX_SRV_LIST which is
7921 defined at build time).
Willy Tarreauc35362a2014-04-25 13:58:37 +02007922
Willy Tarreau2769aa02007-12-27 18:26:09 +01007923maxconn <conns>
7924 Fix the maximum number of concurrent connections on a frontend
7925 May be used in sections : defaults | frontend | listen | backend
7926 yes | yes | yes | no
7927 Arguments :
7928 <conns> is the maximum number of concurrent connections the frontend will
7929 accept to serve. Excess connections will be queued by the system
7930 in the socket's listen queue and will be served once a connection
7931 closes.
7932
7933 If the system supports it, it can be useful on big sites to raise this limit
Daniel Corbett9f0843f2021-05-08 10:50:37 -04007934 very high so that HAProxy manages connection queues, instead of leaving the
Willy Tarreau2769aa02007-12-27 18:26:09 +01007935 clients with unanswered connection attempts. This value should not exceed the
7936 global maxconn. Also, keep in mind that a connection contains two buffers
Baptiste Assmann79fb45d2016-03-06 23:34:31 +01007937 of tune.bufsize (16kB by default) each, as well as some other data resulting
7938 in about 33 kB of RAM being consumed per established connection. That means
7939 that a medium system equipped with 1GB of RAM can withstand around
7940 20000-25000 concurrent connections if properly tuned.
Willy Tarreau2769aa02007-12-27 18:26:09 +01007941
7942 Also, when <conns> is set to large values, it is possible that the servers
7943 are not sized to accept such loads, and for this reason it is generally wise
7944 to assign them some reasonable connection limits.
7945
Willy Tarreauc8d5b952019-02-27 17:25:52 +01007946 When this value is set to zero, which is the default, the global "maxconn"
7947 value is used.
Vincent Bernat6341be52012-06-27 17:18:30 +02007948
Willy Tarreau2769aa02007-12-27 18:26:09 +01007949 See also : "server", global section's "maxconn", "fullconn"
7950
7951
Willy Tarreau77e0dae2020-10-14 15:44:27 +02007952mode { tcp|http }
Willy Tarreau2769aa02007-12-27 18:26:09 +01007953 Set the running mode or protocol of the instance
7954 May be used in sections : defaults | frontend | listen | backend
7955 yes | yes | yes | yes
7956 Arguments :
7957 tcp The instance will work in pure TCP mode. A full-duplex connection
7958 will be established between clients and servers, and no layer 7
7959 examination will be performed. This is the default mode. It
7960 should be used for SSL, SSH, SMTP, ...
7961
7962 http The instance will work in HTTP mode. The client request will be
7963 analyzed in depth before connecting to any server. Any request
7964 which is not RFC-compliant will be rejected. Layer 7 filtering,
7965 processing and switching will be possible. This is the mode which
7966 brings HAProxy most of its value.
7967
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007968 When doing content switching, it is mandatory that the frontend and the
7969 backend are in the same mode (generally HTTP), otherwise the configuration
7970 will be refused.
Willy Tarreau2769aa02007-12-27 18:26:09 +01007971
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007972 Example :
Willy Tarreau2769aa02007-12-27 18:26:09 +01007973 defaults http_instances
7974 mode http
7975
Willy Tarreau0ba27502007-12-24 16:55:16 +01007976
Cyril Bontéf0c60612010-02-06 14:44:47 +01007977monitor fail { if | unless } <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01007978 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01007979 May be used in sections : defaults | frontend | listen | backend
7980 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01007981 Arguments :
7982 if <cond> the monitor request will fail if the condition is satisfied,
7983 and will succeed otherwise. The condition should describe a
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007984 combined test which must induce a failure if all conditions
Willy Tarreau0ba27502007-12-24 16:55:16 +01007985 are met, for instance a low number of servers both in a
7986 backend and its backup.
7987
7988 unless <cond> the monitor request will succeed only if the condition is
7989 satisfied, and will fail otherwise. Such a condition may be
7990 based on a test on the presence of a minimum number of active
7991 servers in a list of backends.
7992
7993 This statement adds a condition which can force the response to a monitor
7994 request to report a failure. By default, when an external component queries
7995 the URI dedicated to monitoring, a 200 response is returned. When one of the
Daniel Corbett9f0843f2021-05-08 10:50:37 -04007996 conditions above is met, HAProxy will return 503 instead of 200. This is
Willy Tarreau0ba27502007-12-24 16:55:16 +01007997 very useful to report a site failure to an external component which may base
7998 routing advertisements between multiple sites on the availability reported by
Daniel Corbett9f0843f2021-05-08 10:50:37 -04007999 HAProxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreauae94d4d2011-05-11 16:28:49 +02008000 criterion. Note that "monitor fail" only works in HTTP mode. Both status
8001 messages may be tweaked using "errorfile" or "errorloc" if needed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01008002
8003 Example:
8004 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01008005 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01008006 acl site_dead nbsrv(dynamic) lt 2
8007 acl site_dead nbsrv(static) lt 2
8008 monitor-uri /site_alive
8009 monitor fail if site_dead
8010
Willy Tarreau9e9919d2020-10-14 15:55:23 +02008011 See also : "monitor-uri", "errorfile", "errorloc"
Willy Tarreau2769aa02007-12-27 18:26:09 +01008012
8013
Willy Tarreau2769aa02007-12-27 18:26:09 +01008014monitor-uri <uri>
8015 Intercept a URI used by external components' monitor requests
8016 May be used in sections : defaults | frontend | listen | backend
8017 yes | yes | yes | no
8018 Arguments :
8019 <uri> is the exact URI which we want to intercept to return HAProxy's
8020 health status instead of forwarding the request.
8021
8022 When an HTTP request referencing <uri> will be received on a frontend,
8023 HAProxy will not forward it nor log it, but instead will return either
8024 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
8025 conditions defined with "monitor fail". This is normally enough for any
8026 front-end HTTP probe to detect that the service is UP and running without
8027 forwarding the request to a backend server. Note that the HTTP method, the
8028 version and all headers are ignored, but the request must at least be valid
8029 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
8030
Willy Tarreau721d8e02017-12-01 18:25:08 +01008031 Monitor requests are processed very early, just after the request is parsed
Christopher Faulet87f1f3d2019-07-18 14:51:20 +02008032 and even before any "http-request". The only rulesets applied before are the
8033 tcp-request ones. They cannot be logged either, and it is the intended
8034 purpose. They are only used to report HAProxy's health to an upper component,
8035 nothing more. However, it is possible to add any number of conditions using
8036 "monitor fail" and ACLs so that the result can be adjusted to whatever check
8037 can be imagined (most often the number of available servers in a backend).
Willy Tarreau2769aa02007-12-27 18:26:09 +01008038
Christopher Faulet6072beb2020-02-18 15:34:58 +01008039 Note: if <uri> starts by a slash ('/'), the matching is performed against the
8040 request's path instead of the request's uri. It is a workaround to let
8041 the HTTP/2 requests match the monitor-uri. Indeed, in HTTP/2, clients
8042 are encouraged to send absolute URIs only.
8043
Willy Tarreau2769aa02007-12-27 18:26:09 +01008044 Example :
Daniel Corbett9f0843f2021-05-08 10:50:37 -04008045 # Use /haproxy_test to report HAProxy's status
Willy Tarreau2769aa02007-12-27 18:26:09 +01008046 frontend www
8047 mode http
8048 monitor-uri /haproxy_test
8049
Willy Tarreau9e9919d2020-10-14 15:55:23 +02008050 See also : "monitor fail"
Willy Tarreau2769aa02007-12-27 18:26:09 +01008051
Willy Tarreau0ba27502007-12-24 16:55:16 +01008052
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008053option abortonclose
8054no option abortonclose
8055 Enable or disable early dropping of aborted requests pending in queues.
8056 May be used in sections : defaults | frontend | listen | backend
8057 yes | no | yes | yes
8058 Arguments : none
8059
8060 In presence of very high loads, the servers will take some time to respond.
8061 The per-instance connection queue will inflate, and the response time will
8062 increase respective to the size of the queue times the average per-session
8063 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01008064 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008065 the queue, and slowing down other users, and the servers as well, because the
8066 request will eventually be served, then aborted at the first error
8067 encountered while delivering the response.
8068
8069 As there is no way to distinguish between a full STOP and a simple output
8070 close on the client side, HTTP agents should be conservative and consider
8071 that the client might only have closed its output channel while waiting for
8072 the response. However, this introduces risks of congestion when lots of users
8073 do the same, and is completely useless nowadays because probably no client at
8074 all will close the session while waiting for the response. Some HTTP agents
Davor Ocelice9ed2812017-12-25 17:49:28 +01008075 support this behavior (Squid, Apache, HAProxy), and others do not (TUX, most
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008076 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01008077 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008078 of being the single component to break rare but valid traffic is extremely
8079 low, which adds to the temptation to be able to abort a session early while
8080 still not served and not pollute the servers.
8081
Davor Ocelice9ed2812017-12-25 17:49:28 +01008082 In HAProxy, the user can choose the desired behavior using the option
8083 "abortonclose". By default (without the option) the behavior is HTTP
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008084 compliant and aborted requests will be served. But when the option is
8085 specified, a session with an incoming channel closed will be aborted while
8086 it is still possible, either pending in the queue for a connection slot, or
8087 during the connection establishment if the server has not yet acknowledged
8088 the connection request. This considerably reduces the queue size and the load
8089 on saturated servers when users are tempted to click on STOP, which in turn
Willy Tarreaud72758d2010-01-12 10:42:19 +01008090 reduces the response time for other users.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008091
8092 If this option has been enabled in a "defaults" section, it can be disabled
8093 in a specific instance by prepending the "no" keyword before it.
8094
8095 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
8096
8097
Willy Tarreau4076a152009-04-02 15:18:36 +02008098option accept-invalid-http-request
8099no option accept-invalid-http-request
8100 Enable or disable relaxing of HTTP request parsing
8101 May be used in sections : defaults | frontend | listen | backend
8102 yes | yes | yes | no
8103 Arguments : none
8104
Willy Tarreau91852eb2015-05-01 13:26:00 +02008105 By default, HAProxy complies with RFC7230 in terms of message parsing. This
Willy Tarreau4076a152009-04-02 15:18:36 +02008106 means that invalid characters in header names are not permitted and cause an
Davor Ocelice9ed2812017-12-25 17:49:28 +01008107 error to be returned to the client. This is the desired behavior as such
Willy Tarreau4076a152009-04-02 15:18:36 +02008108 forbidden characters are essentially used to build attacks exploiting server
8109 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
8110 server will emit invalid header names for whatever reason (configuration,
8111 implementation) and the issue will not be immediately fixed. In such a case,
8112 it is possible to relax HAProxy's header name parser to accept any character
Willy Tarreau422246e2012-01-07 23:54:13 +01008113 even if that does not make sense, by specifying this option. Similarly, the
8114 list of characters allowed to appear in a URI is well defined by RFC3986, and
8115 chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92 ('\'), 94 ('^'), 96
8116 ('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete) and anything above are
Davor Ocelice9ed2812017-12-25 17:49:28 +01008117 not allowed at all. HAProxy always blocks a number of them (0..32, 127). The
Willy Tarreau91852eb2015-05-01 13:26:00 +02008118 remaining ones are blocked by default unless this option is enabled. This
Willy Tarreau13317662015-05-01 13:47:08 +02008119 option also relaxes the test on the HTTP version, it allows HTTP/0.9 requests
8120 to pass through (no version specified) and multiple digits for both the major
8121 and the minor version.
Willy Tarreau4076a152009-04-02 15:18:36 +02008122
8123 This option should never be enabled by default as it hides application bugs
8124 and open security breaches. It should only be deployed after a problem has
8125 been confirmed.
8126
8127 When this option is enabled, erroneous header names will still be accepted in
8128 requests, but the complete request will be captured in order to permit later
Willy Tarreau422246e2012-01-07 23:54:13 +01008129 analysis using the "show errors" request on the UNIX stats socket. Similarly,
8130 requests containing invalid chars in the URI part will be logged. Doing this
Willy Tarreau4076a152009-04-02 15:18:36 +02008131 also helps confirming that the issue has been solved.
8132
8133 If this option has been enabled in a "defaults" section, it can be disabled
8134 in a specific instance by prepending the "no" keyword before it.
8135
8136 See also : "option accept-invalid-http-response" and "show errors" on the
8137 stats socket.
8138
8139
8140option accept-invalid-http-response
8141no option accept-invalid-http-response
8142 Enable or disable relaxing of HTTP response parsing
8143 May be used in sections : defaults | frontend | listen | backend
8144 yes | no | yes | yes
8145 Arguments : none
8146
Willy Tarreau91852eb2015-05-01 13:26:00 +02008147 By default, HAProxy complies with RFC7230 in terms of message parsing. This
Willy Tarreau4076a152009-04-02 15:18:36 +02008148 means that invalid characters in header names are not permitted and cause an
Davor Ocelice9ed2812017-12-25 17:49:28 +01008149 error to be returned to the client. This is the desired behavior as such
Willy Tarreau4076a152009-04-02 15:18:36 +02008150 forbidden characters are essentially used to build attacks exploiting server
8151 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
8152 server will emit invalid header names for whatever reason (configuration,
8153 implementation) and the issue will not be immediately fixed. In such a case,
8154 it is possible to relax HAProxy's header name parser to accept any character
Willy Tarreau91852eb2015-05-01 13:26:00 +02008155 even if that does not make sense, by specifying this option. This option also
8156 relaxes the test on the HTTP version format, it allows multiple digits for
8157 both the major and the minor version.
Willy Tarreau4076a152009-04-02 15:18:36 +02008158
8159 This option should never be enabled by default as it hides application bugs
8160 and open security breaches. It should only be deployed after a problem has
8161 been confirmed.
8162
8163 When this option is enabled, erroneous header names will still be accepted in
8164 responses, but the complete response will be captured in order to permit
8165 later analysis using the "show errors" request on the UNIX stats socket.
8166 Doing this also helps confirming that the issue has been solved.
8167
8168 If this option has been enabled in a "defaults" section, it can be disabled
8169 in a specific instance by prepending the "no" keyword before it.
8170
8171 See also : "option accept-invalid-http-request" and "show errors" on the
8172 stats socket.
8173
8174
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008175option allbackups
8176no option allbackups
8177 Use either all backup servers at a time or only the first one
8178 May be used in sections : defaults | frontend | listen | backend
8179 yes | no | yes | yes
8180 Arguments : none
8181
8182 By default, the first operational backup server gets all traffic when normal
8183 servers are all down. Sometimes, it may be preferred to use multiple backups
8184 at once, because one will not be enough. When "option allbackups" is enabled,
8185 the load balancing will be performed among all backup servers when all normal
8186 ones are unavailable. The same load balancing algorithm will be used and the
8187 servers' weights will be respected. Thus, there will not be any priority
8188 order between the backup servers anymore.
8189
8190 This option is mostly used with static server farms dedicated to return a
8191 "sorry" page when an application is completely offline.
8192
8193 If this option has been enabled in a "defaults" section, it can be disabled
8194 in a specific instance by prepending the "no" keyword before it.
8195
8196
8197option checkcache
8198no option checkcache
Godbach7056a352013-12-11 20:01:07 +08008199 Analyze all server responses and block responses with cacheable cookies
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008200 May be used in sections : defaults | frontend | listen | backend
8201 yes | no | yes | yes
8202 Arguments : none
8203
8204 Some high-level frameworks set application cookies everywhere and do not
8205 always let enough control to the developer to manage how the responses should
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008206 be cached. When a session cookie is returned on a cacheable object, there is a
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008207 high risk of session crossing or stealing between users traversing the same
8208 caches. In some situations, it is better to block the response than to let
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02008209 some sensitive session information go in the wild.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008210
8211 The option "checkcache" enables deep inspection of all server responses for
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008212 strict compliance with HTTP specification in terms of cacheability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01008213 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008214 response to check if there's a risk of caching a cookie on a client-side
8215 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01008216 to the client are :
Davor Ocelice9ed2812017-12-25 17:49:28 +01008217 - all those without "Set-Cookie" header;
Willy Tarreauc55ddce2017-12-21 11:41:38 +01008218 - all those with a return code other than 200, 203, 204, 206, 300, 301,
8219 404, 405, 410, 414, 501, provided that the server has not set a
Davor Ocelice9ed2812017-12-25 17:49:28 +01008220 "Cache-control: public" header field;
Willy Tarreau24ea0bc2017-12-21 11:32:55 +01008221 - all those that result from a request using a method other than GET, HEAD,
8222 OPTIONS, TRACE, provided that the server has not set a 'Cache-Control:
Davor Ocelice9ed2812017-12-25 17:49:28 +01008223 public' header field;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008224 - those with a 'Pragma: no-cache' header
8225 - those with a 'Cache-control: private' header
8226 - those with a 'Cache-control: no-store' header
8227 - those with a 'Cache-control: max-age=0' header
8228 - those with a 'Cache-control: s-maxage=0' header
8229 - those with a 'Cache-control: no-cache' header
8230 - those with a 'Cache-control: no-cache="set-cookie"' header
8231 - those with a 'Cache-control: no-cache="set-cookie,' header
8232 (allowing other fields after set-cookie)
8233
8234 If a response doesn't respect these requirements, then it will be blocked
Christopher Faulet87f1f3d2019-07-18 14:51:20 +02008235 just as if it was from an "http-response deny" rule, with an "HTTP 502 bad
8236 gateway". The session state shows "PH--" meaning that the proxy blocked the
8237 response during headers processing. Additionally, an alert will be sent in
8238 the logs so that admins are informed that there's something to be fixed.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008239
8240 Due to the high impact on the application, the application should be tested
8241 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01008242 good practice to always activate it during tests, even if it is not used in
Davor Ocelice9ed2812017-12-25 17:49:28 +01008243 production, as it will report potentially dangerous application behaviors.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008244
8245 If this option has been enabled in a "defaults" section, it can be disabled
8246 in a specific instance by prepending the "no" keyword before it.
8247
8248
8249option clitcpka
8250no option clitcpka
8251 Enable or disable the sending of TCP keepalive packets on the client side
8252 May be used in sections : defaults | frontend | listen | backend
8253 yes | yes | yes | no
8254 Arguments : none
8255
8256 When there is a firewall or any session-aware component between a client and
8257 a server, and when the protocol involves very long sessions with long idle
Davor Ocelice9ed2812017-12-25 17:49:28 +01008258 periods (e.g. remote desktops), there is a risk that one of the intermediate
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008259 components decides to expire a session which has remained idle for too long.
8260
8261 Enabling socket-level TCP keep-alives makes the system regularly send packets
8262 to the other end of the connection, leaving it active. The delay between
8263 keep-alive probes is controlled by the system only and depends both on the
8264 operating system and its tuning parameters.
8265
8266 It is important to understand that keep-alive packets are neither emitted nor
8267 received at the application level. It is only the network stacks which sees
8268 them. For this reason, even if one side of the proxy already uses keep-alives
8269 to maintain its connection alive, those keep-alive packets will not be
8270 forwarded to the other side of the proxy.
8271
8272 Please note that this has nothing to do with HTTP keep-alive.
8273
8274 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
8275 client side of a connection, which should help when session expirations are
8276 noticed between HAProxy and a client.
8277
8278 If this option has been enabled in a "defaults" section, it can be disabled
8279 in a specific instance by prepending the "no" keyword before it.
8280
8281 See also : "option srvtcpka", "option tcpka"
8282
8283
Willy Tarreau0ba27502007-12-24 16:55:16 +01008284option contstats
8285 Enable continuous traffic statistics updates
8286 May be used in sections : defaults | frontend | listen | backend
8287 yes | yes | yes | no
8288 Arguments : none
8289
8290 By default, counters used for statistics calculation are incremented
8291 only when a session finishes. It works quite well when serving small
8292 objects, but with big ones (for example large images or archives) or
Daniel Corbett9f0843f2021-05-08 10:50:37 -04008293 with A/V streaming, a graph generated from HAProxy counters looks like
Willy Tarreaudef0d222016-11-08 22:03:00 +01008294 a hedgehog. With this option enabled counters get incremented frequently
8295 along the session, typically every 5 seconds, which is often enough to
8296 produce clean graphs. Recounting touches a hotpath directly so it is not
8297 not enabled by default, as it can cause a lot of wakeups for very large
8298 session counts and cause a small performance drop.
Willy Tarreau0ba27502007-12-24 16:55:16 +01008299
Christopher Faulet89aed322020-06-02 17:33:56 +02008300option disable-h2-upgrade
8301no option disable-h2-upgrade
8302 Enable or disable the implicit HTTP/2 upgrade from an HTTP/1.x client
8303 connection.
8304 May be used in sections : defaults | frontend | listen | backend
8305 yes | yes | yes | no
8306 Arguments : none
8307
8308 By default, HAProxy is able to implicitly upgrade an HTTP/1.x client
8309 connection to an HTTP/2 connection if the first request it receives from a
8310 given HTTP connection matches the HTTP/2 connection preface (i.e. the string
8311 "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"). This way, it is possible to support
Christopher Faulet982e17d2021-03-26 14:44:18 +01008312 HTTP/1.x and HTTP/2 clients on a non-SSL connections. This option must be
8313 used to disable the implicit upgrade. Note this implicit upgrade is only
8314 supported for HTTP proxies, thus this option too. Note also it is possible to
8315 force the HTTP/2 on clear connections by specifying "proto h2" on the bind
8316 line. Finally, this option is applied on all bind lines. To disable implicit
8317 HTTP/2 upgrades for a specific bind line, it is possible to use "proto h1".
Christopher Faulet89aed322020-06-02 17:33:56 +02008318
8319 If this option has been enabled in a "defaults" section, it can be disabled
8320 in a specific instance by prepending the "no" keyword before it.
Willy Tarreau0ba27502007-12-24 16:55:16 +01008321
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02008322option dontlog-normal
8323no option dontlog-normal
8324 Enable or disable logging of normal, successful connections
8325 May be used in sections : defaults | frontend | listen | backend
8326 yes | yes | yes | no
8327 Arguments : none
8328
8329 There are large sites dealing with several thousand connections per second
8330 and for which logging is a major pain. Some of them are even forced to turn
8331 logs off and cannot debug production issues. Setting this option ensures that
8332 normal connections, those which experience no error, no timeout, no retry nor
8333 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
8334 mode, the response status code is checked and return codes 5xx will still be
8335 logged.
8336
8337 It is strongly discouraged to use this option as most of the time, the key to
8338 complex issues is in the normal logs which will not be logged here. If you
8339 need to separate logs, see the "log-separate-errors" option instead.
8340
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008341 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02008342 logging.
8343
8344
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008345option dontlognull
8346no option dontlognull
8347 Enable or disable logging of null connections
8348 May be used in sections : defaults | frontend | listen | backend
8349 yes | yes | yes | no
8350 Arguments : none
8351
8352 In certain environments, there are components which will regularly connect to
8353 various systems to ensure that they are still alive. It can be the case from
8354 another load balancer as well as from monitoring systems. By default, even a
8355 simple port probe or scan will produce a log. If those connections pollute
8356 the logs too much, it is possible to enable option "dontlognull" to indicate
8357 that a connection on which no data has been transferred will not be logged,
Willy Tarreau0f228a02015-05-01 15:37:53 +02008358 which typically corresponds to those probes. Note that errors will still be
8359 returned to the client and accounted for in the stats. If this is not what is
8360 desired, option http-ignore-probes can be used instead.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008361
8362 It is generally recommended not to use this option in uncontrolled
Davor Ocelice9ed2812017-12-25 17:49:28 +01008363 environments (e.g. internet), otherwise scans and other malicious activities
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008364 would not be logged.
8365
8366 If this option has been enabled in a "defaults" section, it can be disabled
8367 in a specific instance by prepending the "no" keyword before it.
8368
Willy Tarreau9e9919d2020-10-14 15:55:23 +02008369 See also : "log", "http-ignore-probes", "monitor-uri", and
Willy Tarreau0f228a02015-05-01 15:37:53 +02008370 section 8 about logging.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008371
Willy Tarreaubf1f8162007-12-28 17:42:56 +01008372
Willy Tarreau87cf5142011-08-19 22:57:24 +02008373option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01008374 Enable insertion of the X-Forwarded-For header to requests sent to servers
8375 May be used in sections : defaults | frontend | listen | backend
8376 yes | yes | yes | yes
8377 Arguments :
8378 <network> is an optional argument used to disable this option for sources
8379 matching <network>
Ross Westaf72a1d2008-08-03 10:51:45 +02008380 <name> an optional argument to specify a different "X-Forwarded-For"
Willy Tarreaud72758d2010-01-12 10:42:19 +01008381 header name.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008382
8383 Since HAProxy works in reverse-proxy mode, the servers see its IP address as
8384 their client address. This is sometimes annoying when the client's IP address
8385 is expected in server logs. To solve this problem, the well-known HTTP header
8386 "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
8387 This header contains a value representing the client's IP address. Since this
8388 header is always appended at the end of the existing header list, the server
8389 must be configured to always use the last occurrence of this header only. See
Ross Westaf72a1d2008-08-03 10:51:45 +02008390 the server's manual to find how to enable use of this standard header. Note
8391 that only the last occurrence of the header must be used, since it is really
8392 possible that the client has already brought one.
8393
Willy Tarreaud72758d2010-01-12 10:42:19 +01008394 The keyword "header" may be used to supply a different header name to replace
Ross Westaf72a1d2008-08-03 10:51:45 +02008395 the default "X-Forwarded-For". This can be useful where you might already
Davor Ocelice9ed2812017-12-25 17:49:28 +01008396 have a "X-Forwarded-For" header from a different application (e.g. stunnel),
Willy Tarreaud72758d2010-01-12 10:42:19 +01008397 and you need preserve it. Also if your backend server doesn't use the
Davor Ocelice9ed2812017-12-25 17:49:28 +01008398 "X-Forwarded-For" header and requires different one (e.g. Zeus Web Servers
Ross Westaf72a1d2008-08-03 10:51:45 +02008399 require "X-Cluster-Client-IP").
Willy Tarreauc27debf2008-01-06 08:57:02 +01008400
8401 Sometimes, a same HAProxy instance may be shared between a direct client
8402 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
8403 used to decrypt HTTPS traffic). It is possible to disable the addition of the
8404 header for a known source address or network by adding the "except" keyword
8405 followed by the network address. In this case, any source IP matching the
8406 network will not cause an addition of this header. Most common uses are with
Christopher Faulet5d1def62021-02-26 09:19:15 +01008407 private networks or 127.0.0.1. IPv4 and IPv6 are both supported.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008408
Willy Tarreau87cf5142011-08-19 22:57:24 +02008409 Alternatively, the keyword "if-none" states that the header will only be
8410 added if it is not present. This should only be used in perfectly trusted
Daniel Corbett9f0843f2021-05-08 10:50:37 -04008411 environment, as this might cause a security issue if headers reaching HAProxy
Willy Tarreau87cf5142011-08-19 22:57:24 +02008412 are under the control of the end-user.
8413
Willy Tarreauc27debf2008-01-06 08:57:02 +01008414 This option may be specified either in the frontend or in the backend. If at
Ross Westaf72a1d2008-08-03 10:51:45 +02008415 least one of them uses it, the header will be added. Note that the backend's
8416 setting of the header subargument takes precedence over the frontend's if
Willy Tarreau87cf5142011-08-19 22:57:24 +02008417 both are defined. In the case of the "if-none" argument, if at least one of
8418 the frontend or the backend does not specify it, it wants the addition to be
8419 mandatory, so it wins.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008420
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +02008421 Example :
Willy Tarreauc27debf2008-01-06 08:57:02 +01008422 # Public HTTP address also used by stunnel on the same machine
8423 frontend www
8424 mode http
8425 option forwardfor except 127.0.0.1 # stunnel already adds the header
8426
Ross Westaf72a1d2008-08-03 10:51:45 +02008427 # Those servers want the IP Address in X-Client
8428 backend www
8429 mode http
8430 option forwardfor header X-Client
8431
Willy Tarreau87cf5142011-08-19 22:57:24 +02008432 See also : "option httpclose", "option http-server-close",
Christopher Faulet315b39c2018-09-21 16:26:19 +02008433 "option http-keep-alive"
Willy Tarreauc27debf2008-01-06 08:57:02 +01008434
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02008435
Christopher Faulet98fbe952019-07-22 16:18:24 +02008436option h1-case-adjust-bogus-client
8437no option h1-case-adjust-bogus-client
8438 Enable or disable the case adjustment of HTTP/1 headers sent to bogus clients
8439 May be used in sections : defaults | frontend | listen | backend
8440 yes | yes | yes | no
8441 Arguments : none
8442
8443 There is no standard case for header names because, as stated in RFC7230,
8444 they are case-insensitive. So applications must handle them in a case-
8445 insensitive manner. But some bogus applications violate the standards and
8446 erroneously rely on the cases most commonly used by browsers. This problem
8447 becomes critical with HTTP/2 because all header names must be exchanged in
8448 lower case, and HAProxy follows the same convention. All header names are
8449 sent in lower case to clients and servers, regardless of the HTTP version.
8450
8451 When HAProxy receives an HTTP/1 response, its header names are converted to
8452 lower case and manipulated and sent this way to the clients. If a client is
8453 known to violate the HTTP standards and to fail to process a response coming
8454 from HAProxy, it is possible to transform the lower case header names to a
8455 different format when the response is formatted and sent to the client, by
8456 enabling this option and specifying the list of headers to be reformatted
8457 using the global directives "h1-case-adjust" or "h1-case-adjust-file". This
8458 must only be a temporary workaround for the time it takes the client to be
8459 fixed, because clients which require such workarounds might be vulnerable to
8460 content smuggling attacks and must absolutely be fixed.
8461
8462 Please note that this option will not affect standards-compliant clients.
8463
8464 If this option has been enabled in a "defaults" section, it can be disabled
8465 in a specific instance by prepending the "no" keyword before it.
8466
8467 See also: "option h1-case-adjust-bogus-server", "h1-case-adjust",
8468 "h1-case-adjust-file".
8469
8470
8471option h1-case-adjust-bogus-server
8472no option h1-case-adjust-bogus-server
8473 Enable or disable the case adjustment of HTTP/1 headers sent to bogus servers
8474 May be used in sections : defaults | frontend | listen | backend
8475 yes | no | yes | yes
8476 Arguments : none
8477
8478 There is no standard case for header names because, as stated in RFC7230,
8479 they are case-insensitive. So applications must handle them in a case-
8480 insensitive manner. But some bogus applications violate the standards and
8481 erroneously rely on the cases most commonly used by browsers. This problem
8482 becomes critical with HTTP/2 because all header names must be exchanged in
8483 lower case, and HAProxy follows the same convention. All header names are
8484 sent in lower case to clients and servers, regardless of the HTTP version.
8485
8486 When HAProxy receives an HTTP/1 request, its header names are converted to
8487 lower case and manipulated and sent this way to the servers. If a server is
8488 known to violate the HTTP standards and to fail to process a request coming
8489 from HAProxy, it is possible to transform the lower case header names to a
8490 different format when the request is formatted and sent to the server, by
8491 enabling this option and specifying the list of headers to be reformatted
8492 using the global directives "h1-case-adjust" or "h1-case-adjust-file". This
8493 must only be a temporary workaround for the time it takes the server to be
8494 fixed, because servers which require such workarounds might be vulnerable to
8495 content smuggling attacks and must absolutely be fixed.
8496
8497 Please note that this option will not affect standards-compliant servers.
8498
8499 If this option has been enabled in a "defaults" section, it can be disabled
8500 in a specific instance by prepending the "no" keyword before it.
8501
8502 See also: "option h1-case-adjust-bogus-client", "h1-case-adjust",
8503 "h1-case-adjust-file".
8504
8505
Willy Tarreau9fbe18e2015-05-01 22:42:08 +02008506option http-buffer-request
8507no option http-buffer-request
8508 Enable or disable waiting for whole HTTP request body before proceeding
8509 May be used in sections : defaults | frontend | listen | backend
8510 yes | yes | yes | yes
8511 Arguments : none
8512
8513 It is sometimes desirable to wait for the body of an HTTP request before
8514 taking a decision. This is what is being done by "balance url_param" for
8515 example. The first use case is to buffer requests from slow clients before
8516 connecting to the server. Another use case consists in taking the routing
8517 decision based on the request body's contents. This option placed in a
8518 frontend or backend forces the HTTP processing to wait until either the whole
Christopher Faulet6db8a2e2019-11-19 16:27:25 +01008519 body is received or the request buffer is full. It can have undesired side
8520 effects with some applications abusing HTTP by expecting unbuffered
8521 transmissions between the frontend and the backend, so this should definitely
8522 not be used by default.
Willy Tarreau9fbe18e2015-05-01 22:42:08 +02008523
Christopher Faulet021a8e42021-03-29 10:46:38 +02008524 See also : "option http-no-delay", "timeout http-request",
8525 "http-request wait-for-body"
Willy Tarreau9fbe18e2015-05-01 22:42:08 +02008526
8527
Willy Tarreau0f228a02015-05-01 15:37:53 +02008528option http-ignore-probes
8529no option http-ignore-probes
8530 Enable or disable logging of null connections and request timeouts
8531 May be used in sections : defaults | frontend | listen | backend
8532 yes | yes | yes | no
8533 Arguments : none
8534
8535 Recently some browsers started to implement a "pre-connect" feature
8536 consisting in speculatively connecting to some recently visited web sites
8537 just in case the user would like to visit them. This results in many
8538 connections being established to web sites, which end up in 408 Request
8539 Timeout if the timeout strikes first, or 400 Bad Request when the browser
8540 decides to close them first. These ones pollute the log and feed the error
8541 counters. There was already "option dontlognull" but it's insufficient in
8542 this case. Instead, this option does the following things :
8543 - prevent any 400/408 message from being sent to the client if nothing
Davor Ocelice9ed2812017-12-25 17:49:28 +01008544 was received over a connection before it was closed;
8545 - prevent any log from being emitted in this situation;
Willy Tarreau0f228a02015-05-01 15:37:53 +02008546 - prevent any error counter from being incremented
8547
8548 That way the empty connection is silently ignored. Note that it is better
8549 not to use this unless it is clear that it is needed, because it will hide
8550 real problems. The most common reason for not receiving a request and seeing
8551 a 408 is due to an MTU inconsistency between the client and an intermediary
8552 element such as a VPN, which blocks too large packets. These issues are
8553 generally seen with POST requests as well as GET with large cookies. The logs
8554 are often the only way to detect them.
8555
8556 If this option has been enabled in a "defaults" section, it can be disabled
8557 in a specific instance by prepending the "no" keyword before it.
8558
8559 See also : "log", "dontlognull", "errorfile", and section 8 about logging.
8560
8561
Willy Tarreau16bfb022010-01-16 19:48:41 +01008562option http-keep-alive
8563no option http-keep-alive
8564 Enable or disable HTTP keep-alive from client to server
8565 May be used in sections : defaults | frontend | listen | backend
8566 yes | yes | yes | yes
8567 Arguments : none
8568
Willy Tarreau70dffda2014-01-30 03:07:23 +01008569 By default HAProxy operates in keep-alive mode with regards to persistent
8570 connections: for each connection it processes each request and response, and
Christopher Faulet315b39c2018-09-21 16:26:19 +02008571 leaves the connection idle on both sides between the end of a response and
8572 the start of a new request. This mode may be changed by several options such
Christopher Faulet159e6672019-07-16 15:09:52 +02008573 as "option http-server-close" or "option httpclose". This option allows to
8574 set back the keep-alive mode, which can be useful when another mode was used
8575 in a defaults section.
Willy Tarreau70dffda2014-01-30 03:07:23 +01008576
8577 Setting "option http-keep-alive" enables HTTP keep-alive mode on the client-
8578 and server- sides. This provides the lowest latency on the client side (slow
Willy Tarreau16bfb022010-01-16 19:48:41 +01008579 network) and the fastest session reuse on the server side at the expense
8580 of maintaining idle connections to the servers. In general, it is possible
8581 with this option to achieve approximately twice the request rate that the
8582 "http-server-close" option achieves on small objects. There are mainly two
8583 situations where this option may be useful :
8584
8585 - when the server is non-HTTP compliant and authenticates the connection
Davor Ocelice9ed2812017-12-25 17:49:28 +01008586 instead of requests (e.g. NTLM authentication)
Willy Tarreau16bfb022010-01-16 19:48:41 +01008587
8588 - when the cost of establishing the connection to the server is significant
8589 compared to the cost of retrieving the associated object from the server.
8590
8591 This last case can happen when the server is a fast static server of cache.
8592 In this case, the server will need to be properly tuned to support high enough
8593 connection counts because connections will last until the client sends another
8594 request.
8595
8596 If the client request has to go to another backend or another server due to
8597 content switching or the load balancing algorithm, the idle connection will
Willy Tarreau9420b122013-12-15 18:58:25 +01008598 immediately be closed and a new one re-opened. Option "prefer-last-server" is
8599 available to try optimize server selection so that if the server currently
8600 attached to an idle connection is usable, it will be used.
Willy Tarreau16bfb022010-01-16 19:48:41 +01008601
Willy Tarreau16bfb022010-01-16 19:48:41 +01008602 At the moment, logs will not indicate whether requests came from the same
8603 session or not. The accept date reported in the logs corresponds to the end
8604 of the previous request, and the request time corresponds to the time spent
8605 waiting for a new request. The keep-alive request time is still bound to the
8606 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
8607 not set.
8608
Christopher Faulet159e6672019-07-16 15:09:52 +02008609 This option disables and replaces any previous "option httpclose" or "option
8610 http-server-close". When backend and frontend options differ, all of these 4
8611 options have precedence over "option http-keep-alive".
Willy Tarreau16bfb022010-01-16 19:48:41 +01008612
Christopher Faulet315b39c2018-09-21 16:26:19 +02008613 See also : "option httpclose",, "option http-server-close",
Willy Tarreau9420b122013-12-15 18:58:25 +01008614 "option prefer-last-server", "option http-pretend-keepalive",
Frédéric Lécaille93d33162019-03-06 09:35:59 +01008615 and "1.1. The HTTP transaction model".
Willy Tarreau16bfb022010-01-16 19:48:41 +01008616
8617
Willy Tarreau96e31212011-05-30 18:10:30 +02008618option http-no-delay
8619no option http-no-delay
8620 Instruct the system to favor low interactive delays over performance in HTTP
8621 May be used in sections : defaults | frontend | listen | backend
8622 yes | yes | yes | yes
8623 Arguments : none
8624
8625 In HTTP, each payload is unidirectional and has no notion of interactivity.
8626 Any agent is expected to queue data somewhat for a reasonably low delay.
8627 There are some very rare server-to-server applications that abuse the HTTP
8628 protocol and expect the payload phase to be highly interactive, with many
8629 interleaved data chunks in both directions within a single request. This is
8630 absolutely not supported by the HTTP specification and will not work across
8631 most proxies or servers. When such applications attempt to do this through
Daniel Corbett9f0843f2021-05-08 10:50:37 -04008632 HAProxy, it works but they will experience high delays due to the network
Willy Tarreau96e31212011-05-30 18:10:30 +02008633 optimizations which favor performance by instructing the system to wait for
8634 enough data to be available in order to only send full packets. Typical
8635 delays are around 200 ms per round trip. Note that this only happens with
8636 abnormal uses. Normal uses such as CONNECT requests nor WebSockets are not
8637 affected.
8638
8639 When "option http-no-delay" is present in either the frontend or the backend
8640 used by a connection, all such optimizations will be disabled in order to
8641 make the exchanges as fast as possible. Of course this offers no guarantee on
8642 the functionality, as it may break at any other place. But if it works via
8643 HAProxy, it will work as fast as possible. This option should never be used
8644 by default, and should never be used at all unless such a buggy application
8645 is discovered. The impact of using this option is an increase of bandwidth
8646 usage and CPU usage, which may significantly lower performance in high
8647 latency environments.
8648
Willy Tarreau9fbe18e2015-05-01 22:42:08 +02008649 See also : "option http-buffer-request"
8650
Willy Tarreau96e31212011-05-30 18:10:30 +02008651
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02008652option http-pretend-keepalive
8653no option http-pretend-keepalive
Daniel Corbett9f0843f2021-05-08 10:50:37 -04008654 Define whether HAProxy will announce keepalive to the server or not
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02008655 May be used in sections : defaults | frontend | listen | backend
Christopher Faulet98db9762018-09-21 10:25:19 +02008656 yes | no | yes | yes
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02008657 Arguments : none
8658
Daniel Corbett9f0843f2021-05-08 10:50:37 -04008659 When running with "option http-server-close" or "option httpclose", HAProxy
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02008660 adds a "Connection: close" header to the request forwarded to the server.
8661 Unfortunately, when some servers see this header, they automatically refrain
8662 from using the chunked encoding for responses of unknown length, while this
Daniel Corbett9f0843f2021-05-08 10:50:37 -04008663 is totally unrelated. The immediate effect is that this prevents HAProxy from
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02008664 maintaining the client connection alive. A second effect is that a client or
8665 a cache could receive an incomplete response without being aware of it, and
8666 consider the response complete.
8667
Daniel Corbett9f0843f2021-05-08 10:50:37 -04008668 By setting "option http-pretend-keepalive", HAProxy will make the server
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02008669 believe it will keep the connection alive. The server will then not fall back
Daniel Corbett9f0843f2021-05-08 10:50:37 -04008670 to the abnormal undesired above. When HAProxy gets the whole response, it
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02008671 will close the connection with the server just as it would do with the
Christopher Faulet315b39c2018-09-21 16:26:19 +02008672 "option httpclose". That way the client gets a normal response and the
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02008673 connection is correctly closed on the server side.
8674
8675 It is recommended not to enable this option by default, because most servers
8676 will more efficiently close the connection themselves after the last packet,
8677 and release its buffers slightly earlier. Also, the added packet on the
8678 network could slightly reduce the overall peak performance. However it is
Daniel Corbett9f0843f2021-05-08 10:50:37 -04008679 worth noting that when this option is enabled, HAProxy will have slightly
8680 less work to do. So if HAProxy is the bottleneck on the whole architecture,
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02008681 enabling this option might save a few CPU cycles.
8682
Christopher Faulet98db9762018-09-21 10:25:19 +02008683 This option may be set in backend and listen sections. Using it in a frontend
8684 section will be ignored and a warning will be reported during startup. It is
8685 a backend related option, so there is no real reason to set it on a
8686 frontend. This option may be combined with "option httpclose", which will
8687 cause keepalive to be announced to the server and close to be announced to
8688 the client. This practice is discouraged though.
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02008689
8690 If this option has been enabled in a "defaults" section, it can be disabled
8691 in a specific instance by prepending the "no" keyword before it.
8692
Christopher Faulet315b39c2018-09-21 16:26:19 +02008693 See also : "option httpclose", "option http-server-close", and
Willy Tarreau16bfb022010-01-16 19:48:41 +01008694 "option http-keep-alive"
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02008695
Willy Tarreauc27debf2008-01-06 08:57:02 +01008696
Willy Tarreaub608feb2010-01-02 22:47:18 +01008697option http-server-close
8698no option http-server-close
8699 Enable or disable HTTP connection closing on the server side
8700 May be used in sections : defaults | frontend | listen | backend
8701 yes | yes | yes | yes
8702 Arguments : none
8703
Willy Tarreau70dffda2014-01-30 03:07:23 +01008704 By default HAProxy operates in keep-alive mode with regards to persistent
8705 connections: for each connection it processes each request and response, and
8706 leaves the connection idle on both sides between the end of a response and
8707 the start of a new request. This mode may be changed by several options such
Christopher Faulet159e6672019-07-16 15:09:52 +02008708 as "option http-server-close" or "option httpclose". Setting "option
8709 http-server-close" enables HTTP connection-close mode on the server side
8710 while keeping the ability to support HTTP keep-alive and pipelining on the
8711 client side. This provides the lowest latency on the client side (slow
8712 network) and the fastest session reuse on the server side to save server
8713 resources, similarly to "option httpclose". It also permits non-keepalive
8714 capable servers to be served in keep-alive mode to the clients if they
8715 conform to the requirements of RFC7230. Please note that some servers do not
8716 always conform to those requirements when they see "Connection: close" in the
8717 request. The effect will be that keep-alive will never be used. A workaround
8718 consists in enabling "option http-pretend-keepalive".
Willy Tarreaub608feb2010-01-02 22:47:18 +01008719
8720 At the moment, logs will not indicate whether requests came from the same
8721 session or not. The accept date reported in the logs corresponds to the end
8722 of the previous request, and the request time corresponds to the time spent
8723 waiting for a new request. The keep-alive request time is still bound to the
Willy Tarreaub16a5742010-01-10 14:46:16 +01008724 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
8725 not set.
Willy Tarreaub608feb2010-01-02 22:47:18 +01008726
8727 This option may be set both in a frontend and in a backend. It is enabled if
8728 at least one of the frontend or backend holding a connection has it enabled.
Christopher Faulet159e6672019-07-16 15:09:52 +02008729 It disables and replaces any previous "option httpclose" or "option
8730 http-keep-alive". Please check section 4 ("Proxies") to see how this option
8731 combines with others when frontend and backend options differ.
Willy Tarreaub608feb2010-01-02 22:47:18 +01008732
8733 If this option has been enabled in a "defaults" section, it can be disabled
8734 in a specific instance by prepending the "no" keyword before it.
8735
Christopher Faulet315b39c2018-09-21 16:26:19 +02008736 See also : "option httpclose", "option http-pretend-keepalive",
8737 "option http-keep-alive", and "1.1. The HTTP transaction model".
Willy Tarreaub608feb2010-01-02 22:47:18 +01008738
Willy Tarreau88d349d2010-01-25 12:15:43 +01008739option http-use-proxy-header
Cyril Bontéf0c60612010-02-06 14:44:47 +01008740no option http-use-proxy-header
Willy Tarreau88d349d2010-01-25 12:15:43 +01008741 Make use of non-standard Proxy-Connection header instead of Connection
8742 May be used in sections : defaults | frontend | listen | backend
8743 yes | yes | yes | no
8744 Arguments : none
8745
Lukas Tribus23953682017-04-28 13:24:30 +00008746 While RFC7230 explicitly states that HTTP/1.1 agents must use the
Willy Tarreau88d349d2010-01-25 12:15:43 +01008747 Connection header to indicate their wish of persistent or non-persistent
8748 connections, both browsers and proxies ignore this header for proxied
8749 connections and make use of the undocumented, non-standard Proxy-Connection
8750 header instead. The issue begins when trying to put a load balancer between
8751 browsers and such proxies, because there will be a difference between what
Daniel Corbett9f0843f2021-05-08 10:50:37 -04008752 HAProxy understands and what the client and the proxy agree on.
Willy Tarreau88d349d2010-01-25 12:15:43 +01008753
Daniel Corbett9f0843f2021-05-08 10:50:37 -04008754 By setting this option in a frontend, HAProxy can automatically switch to use
Willy Tarreau88d349d2010-01-25 12:15:43 +01008755 that non-standard header if it sees proxied requests. A proxied request is
Lukas Tribusf01a9cd2016-02-03 18:09:37 +01008756 defined here as one where the URI begins with neither a '/' nor a '*'. This
8757 is incompatible with the HTTP tunnel mode. Note that this option can only be
8758 specified in a frontend and will affect the request along its whole life.
Willy Tarreau88d349d2010-01-25 12:15:43 +01008759
Willy Tarreau844a7e72010-01-31 21:46:18 +01008760 Also, when this option is set, a request which requires authentication will
8761 automatically switch to use proxy authentication headers if it is itself a
8762 proxied request. That makes it possible to check or enforce authentication in
8763 front of an existing proxy.
8764
Willy Tarreau88d349d2010-01-25 12:15:43 +01008765 This option should normally never be used, except in front of a proxy.
8766
Christopher Faulet315b39c2018-09-21 16:26:19 +02008767 See also : "option httpclose", and "option http-server-close".
Willy Tarreau88d349d2010-01-25 12:15:43 +01008768
Willy Tarreaud63335a2010-02-26 12:56:52 +01008769option httpchk
8770option httpchk <uri>
8771option httpchk <method> <uri>
8772option httpchk <method> <uri> <version>
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02008773 Enables HTTP protocol to check on the servers health
Willy Tarreaud63335a2010-02-26 12:56:52 +01008774 May be used in sections : defaults | frontend | listen | backend
8775 yes | no | yes | yes
8776 Arguments :
8777 <method> is the optional HTTP method used with the requests. When not set,
8778 the "OPTIONS" method is used, as it generally requires low server
8779 processing and is easy to filter out from the logs. Any method
8780 may be used, though it is not recommended to invent non-standard
8781 ones.
8782
8783 <uri> is the URI referenced in the HTTP requests. It defaults to " / "
8784 which is accessible by default on almost any server, but may be
8785 changed to any other URI. Query strings are permitted.
8786
8787 <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
8788 but some servers might behave incorrectly in HTTP 1.0, so turning
8789 it to HTTP/1.1 may sometimes help. Note that the Host field is
Christopher Faulet8acb1282020-04-09 08:44:06 +02008790 mandatory in HTTP/1.1, use "http-check send" directive to add it.
Willy Tarreaud63335a2010-02-26 12:56:52 +01008791
8792 By default, server health checks only consist in trying to establish a TCP
8793 connection. When "option httpchk" is specified, a complete HTTP request is
8794 sent once the TCP connection is established, and responses 2xx and 3xx are
8795 considered valid, while all other ones indicate a server failure, including
8796 the lack of any response.
8797
Christopher Faulete5870d82020-04-15 11:32:03 +02008798 Combined with "http-check" directives, it is possible to customize the
8799 request sent during the HTTP health checks or the matching rules on the
8800 response. It is also possible to configure a send/expect sequence, just like
8801 with the directive "tcp-check" for TCP health checks.
8802
8803 The server configuration is used by default to open connections to perform
8804 HTTP health checks. By it is also possible to overwrite server parameters
8805 using "http-check connect" rules.
Willy Tarreaud63335a2010-02-26 12:56:52 +01008806
Christopher Faulete5870d82020-04-15 11:32:03 +02008807 "httpchk" option does not necessarily require an HTTP backend, it also works
8808 with plain TCP backends. This is particularly useful to check simple scripts
Christopher Faulet14cd3162020-04-16 14:50:06 +02008809 bound to some dedicated ports using the inetd daemon. However, it will always
Daniel Corbett67a82712020-07-06 23:01:19 -04008810 internally relies on an HTX multiplexer. Thus, it means the request
Christopher Faulet14cd3162020-04-16 14:50:06 +02008811 formatting and the response parsing will be strict.
Willy Tarreaud63335a2010-02-26 12:56:52 +01008812
Christopher Faulet8acb1282020-04-09 08:44:06 +02008813 Note : For a while, there was no way to add headers or body in the request
8814 used for HTTP health checks. So a workaround was to hide it at the end
8815 of the version string with a "\r\n" after the version. It is now
8816 deprecated. The directive "http-check send" must be used instead.
8817
Willy Tarreaud63335a2010-02-26 12:56:52 +01008818 Examples :
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02008819 # Relay HTTPS traffic to Apache instance and check service availability
8820 # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
8821 backend https_relay
8822 mode tcp
8823 option httpchk OPTIONS * HTTP/1.1
8824 http-check send hdr Host www
8825 server apache1 192.168.1.1:443 check port 80
Willy Tarreaud63335a2010-02-26 12:56:52 +01008826
Simon Hormanafc47ee2013-11-25 10:46:35 +09008827 See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
8828 "option pgsql-check", "http-check" and the "check", "port" and
8829 "inter" server options.
Willy Tarreaud63335a2010-02-26 12:56:52 +01008830
8831
Willy Tarreauc27debf2008-01-06 08:57:02 +01008832option httpclose
8833no option httpclose
Christopher Faulet315b39c2018-09-21 16:26:19 +02008834 Enable or disable HTTP connection closing
Willy Tarreauc27debf2008-01-06 08:57:02 +01008835 May be used in sections : defaults | frontend | listen | backend
8836 yes | yes | yes | yes
8837 Arguments : none
8838
Willy Tarreau70dffda2014-01-30 03:07:23 +01008839 By default HAProxy operates in keep-alive mode with regards to persistent
8840 connections: for each connection it processes each request and response, and
8841 leaves the connection idle on both sides between the end of a response and
8842 the start of a new request. This mode may be changed by several options such
Christopher Faulet159e6672019-07-16 15:09:52 +02008843 as "option http-server-close" or "option httpclose".
Willy Tarreau70dffda2014-01-30 03:07:23 +01008844
Christopher Faulet315b39c2018-09-21 16:26:19 +02008845 If "option httpclose" is set, HAProxy will close connections with the server
8846 and the client as soon as the request and the response are received. It will
John Roeslerfb2fce12019-07-10 15:45:51 -05008847 also check if a "Connection: close" header is already set in each direction,
Christopher Faulet315b39c2018-09-21 16:26:19 +02008848 and will add one if missing. Any "Connection" header different from "close"
8849 will also be removed.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008850
Christopher Faulet315b39c2018-09-21 16:26:19 +02008851 This option may also be combined with "option http-pretend-keepalive", which
8852 will disable sending of the "Connection: close" header, but will still cause
8853 the connection to be closed once the whole response is received.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008854
8855 This option may be set both in a frontend and in a backend. It is enabled if
8856 at least one of the frontend or backend holding a connection has it enabled.
Christopher Faulet159e6672019-07-16 15:09:52 +02008857 It disables and replaces any previous "option http-server-close" or "option
8858 http-keep-alive". Please check section 4 ("Proxies") to see how this option
8859 combines with others when frontend and backend options differ.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008860
8861 If this option has been enabled in a "defaults" section, it can be disabled
8862 in a specific instance by prepending the "no" keyword before it.
8863
Christopher Faulet315b39c2018-09-21 16:26:19 +02008864 See also : "option http-server-close" and "1.1. The HTTP transaction model".
Willy Tarreauc27debf2008-01-06 08:57:02 +01008865
8866
Emeric Brun3a058f32009-06-30 18:26:00 +02008867option httplog [ clf ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01008868 Enable logging of HTTP request, session state and timers
8869 May be used in sections : defaults | frontend | listen | backend
Tim Duesterhus9ad9f352018-02-05 20:52:27 +01008870 yes | yes | yes | no
Emeric Brun3a058f32009-06-30 18:26:00 +02008871 Arguments :
8872 clf if the "clf" argument is added, then the output format will be
8873 the CLF format instead of HAProxy's default HTTP format. You can
8874 use this when you need to feed HAProxy's logs through a specific
Davor Ocelice9ed2812017-12-25 17:49:28 +01008875 log analyzer which only support the CLF format and which is not
Emeric Brun3a058f32009-06-30 18:26:00 +02008876 extensible.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008877
8878 By default, the log output format is very poor, as it only contains the
8879 source and destination addresses, and the instance name. By specifying
8880 "option httplog", each log line turns into a much richer format including,
8881 but not limited to, the HTTP request, the connection timers, the session
8882 status, the connections numbers, the captured headers and cookies, the
8883 frontend, backend and server name, and of course the source address and
8884 ports.
8885
PiBa-NLbd556bf2014-12-11 21:31:54 +01008886 Specifying only "option httplog" will automatically clear the 'clf' mode
8887 if it was set by default.
Emeric Brun3a058f32009-06-30 18:26:00 +02008888
Guillaume de Lafond29f45602017-03-31 19:52:15 +02008889 "option httplog" overrides any previous "log-format" directive.
8890
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008891 See also : section 8 about logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01008892
Willy Tarreau55165fe2009-05-10 12:02:55 +02008893
8894option http_proxy
8895no option http_proxy
8896 Enable or disable plain HTTP proxy mode
8897 May be used in sections : defaults | frontend | listen | backend
8898 yes | yes | yes | yes
8899 Arguments : none
8900
8901 It sometimes happens that people need a pure HTTP proxy which understands
8902 basic proxy requests without caching nor any fancy feature. In this case,
8903 it may be worth setting up an HAProxy instance with the "option http_proxy"
8904 set. In this mode, no server is declared, and the connection is forwarded to
8905 the IP address and port found in the URL after the "http://" scheme.
8906
8907 No host address resolution is performed, so this only works when pure IP
8908 addresses are passed. Since this option's usage perimeter is rather limited,
Lukas Tribusf01a9cd2016-02-03 18:09:37 +01008909 it will probably be used only by experts who know they need exactly it. This
8910 is incompatible with the HTTP tunnel mode.
Willy Tarreau55165fe2009-05-10 12:02:55 +02008911
8912 If this option has been enabled in a "defaults" section, it can be disabled
8913 in a specific instance by prepending the "no" keyword before it.
8914
8915 Example :
8916 # this backend understands HTTP proxy requests and forwards them directly.
8917 backend direct_forward
8918 option httpclose
8919 option http_proxy
8920
8921 See also : "option httpclose"
8922
Willy Tarreau211ad242009-10-03 21:45:07 +02008923
Jamie Gloudon801a0a32012-08-25 00:18:33 -04008924option independent-streams
8925no option independent-streams
8926 Enable or disable independent timeout processing for both directions
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02008927 May be used in sections : defaults | frontend | listen | backend
8928 yes | yes | yes | yes
8929 Arguments : none
8930
8931 By default, when data is sent over a socket, both the write timeout and the
8932 read timeout for that socket are refreshed, because we consider that there is
8933 activity on that socket, and we have no other means of guessing if we should
8934 receive data or not.
8935
Davor Ocelice9ed2812017-12-25 17:49:28 +01008936 While this default behavior is desirable for almost all applications, there
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02008937 exists a situation where it is desirable to disable it, and only refresh the
8938 read timeout if there are incoming data. This happens on sessions with large
8939 timeouts and low amounts of exchanged data such as telnet session. If the
8940 server suddenly disappears, the output data accumulates in the system's
8941 socket buffers, both timeouts are correctly refreshed, and there is no way
8942 to know the server does not receive them, so we don't timeout. However, when
8943 the underlying protocol always echoes sent data, it would be enough by itself
8944 to detect the issue using the read timeout. Note that this problem does not
8945 happen with more verbose protocols because data won't accumulate long in the
8946 socket buffers.
8947
8948 When this option is set on the frontend, it will disable read timeout updates
8949 on data sent to the client. There probably is little use of this case. When
8950 the option is set on the backend, it will disable read timeout updates on
8951 data sent to the server. Doing so will typically break large HTTP posts from
8952 slow lines, so use it with caution.
8953
Willy Tarreauce887fd2012-05-12 12:50:00 +02008954 See also : "timeout client", "timeout server" and "timeout tunnel"
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02008955
8956
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02008957option ldap-check
8958 Use LDAPv3 health checks for server testing
8959 May be used in sections : defaults | frontend | listen | backend
8960 yes | no | yes | yes
8961 Arguments : none
8962
8963 It is possible to test that the server correctly talks LDAPv3 instead of just
8964 testing that it accepts the TCP connection. When this option is set, an
8965 LDAPv3 anonymous simple bind message is sent to the server, and the response
8966 is analyzed to find an LDAPv3 bind response message.
8967
8968 The server is considered valid only when the LDAP response contains success
8969 resultCode (http://tools.ietf.org/html/rfc4511#section-4.1.9).
8970
8971 Logging of bind requests is server dependent see your documentation how to
8972 configure it.
8973
8974 Example :
8975 option ldap-check
8976
8977 See also : "option httpchk"
8978
8979
Simon Horman98637e52014-06-20 12:30:16 +09008980option external-check
8981 Use external processes for server health checks
8982 May be used in sections : defaults | frontend | listen | backend
8983 yes | no | yes | yes
8984
8985 It is possible to test the health of a server using an external command.
8986 This is achieved by running the executable set using "external-check
8987 command".
8988
8989 Requires the "external-check" global to be set.
8990
8991 See also : "external-check", "external-check command", "external-check path"
8992
8993
Willy Tarreau211ad242009-10-03 21:45:07 +02008994option log-health-checks
8995no option log-health-checks
Willy Tarreaubef1b322014-05-13 21:01:39 +02008996 Enable or disable logging of health checks status updates
Willy Tarreau211ad242009-10-03 21:45:07 +02008997 May be used in sections : defaults | frontend | listen | backend
8998 yes | no | yes | yes
8999 Arguments : none
9000
Willy Tarreaubef1b322014-05-13 21:01:39 +02009001 By default, failed health check are logged if server is UP and successful
9002 health checks are logged if server is DOWN, so the amount of additional
9003 information is limited.
Willy Tarreau211ad242009-10-03 21:45:07 +02009004
Willy Tarreaubef1b322014-05-13 21:01:39 +02009005 When this option is enabled, any change of the health check status or to
9006 the server's health will be logged, so that it becomes possible to know
9007 that a server was failing occasional checks before crashing, or exactly when
9008 it failed to respond a valid HTTP status, then when the port started to
9009 reject connections, then when the server stopped responding at all.
9010
Davor Ocelice9ed2812017-12-25 17:49:28 +01009011 Note that status changes not caused by health checks (e.g. enable/disable on
Willy Tarreaubef1b322014-05-13 21:01:39 +02009012 the CLI) are intentionally not logged by this option.
Willy Tarreau211ad242009-10-03 21:45:07 +02009013
Willy Tarreaubef1b322014-05-13 21:01:39 +02009014 See also: "option httpchk", "option ldap-check", "option mysql-check",
9015 "option pgsql-check", "option redis-check", "option smtpchk",
9016 "option tcp-check", "log" and section 8 about logging.
Willy Tarreau211ad242009-10-03 21:45:07 +02009017
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02009018
9019option log-separate-errors
9020no option log-separate-errors
9021 Change log level for non-completely successful connections
9022 May be used in sections : defaults | frontend | listen | backend
9023 yes | yes | yes | no
9024 Arguments : none
9025
Daniel Corbett9f0843f2021-05-08 10:50:37 -04009026 Sometimes looking for errors in logs is not easy. This option makes HAProxy
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02009027 raise the level of logs containing potentially interesting information such
9028 as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
9029 level changes from "info" to "err". This makes it possible to log them
9030 separately to a different file with most syslog daemons. Be careful not to
9031 remove them from the original file, otherwise you would lose ordering which
9032 provides very important information.
9033
9034 Using this option, large sites dealing with several thousand connections per
9035 second may log normal traffic to a rotating buffer and only archive smaller
9036 error logs.
9037
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009038 See also : "log", "dontlognull", "dontlog-normal" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02009039 logging.
9040
Willy Tarreauc27debf2008-01-06 08:57:02 +01009041
9042option logasap
9043no option logasap
Jerome Magnin95fb57b2020-04-23 19:01:17 +02009044 Enable or disable early logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01009045 May be used in sections : defaults | frontend | listen | backend
9046 yes | yes | yes | no
9047 Arguments : none
9048
Jerome Magnin95fb57b2020-04-23 19:01:17 +02009049 By default, logs are emitted when all the log format variables and sample
9050 fetches used in the definition of the log-format string return a value, or
9051 when the session is terminated. This allows the built in log-format strings
9052 to account for the transfer time, or the number of bytes in log messages.
9053
9054 When handling long lived connections such as large file transfers or RDP,
9055 it may take a while for the request or connection to appear in the logs.
9056 Using "option logasap", the log message is created as soon as the server
9057 connection is established in mode tcp, or as soon as the server sends the
9058 complete headers in mode http. Missing information in the logs will be the
Ilya Shipitsin4329a9a2020-05-05 21:17:10 +05009059 total number of bytes which will only indicate the amount of data transferred
Jerome Magnin95fb57b2020-04-23 19:01:17 +02009060 before the message was created and the total time which will not take the
9061 remainder of the connection life or transfer time into account. For the case
9062 of HTTP, it is good practice to capture the Content-Length response header
9063 so that the logs at least indicate how many bytes are expected to be
Ilya Shipitsin4329a9a2020-05-05 21:17:10 +05009064 transferred.
Willy Tarreauc27debf2008-01-06 08:57:02 +01009065
Willy Tarreaucc6c8912009-02-22 10:53:55 +01009066 Examples :
9067 listen http_proxy 0.0.0.0:80
9068 mode http
9069 option httplog
9070 option logasap
9071 log 192.168.2.200 local3
9072
9073 >>> Feb 6 12:14:14 localhost \
9074 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
9075 static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
9076 "GET /image.iso HTTP/1.0"
9077
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009078 See also : "option httplog", "capture response header", and section 8 about
Willy Tarreauc27debf2008-01-06 08:57:02 +01009079 logging.
9080
9081
Christopher Faulet62f79fe2020-05-18 18:13:03 +02009082option mysql-check [ user <username> [ { post-41 | pre-41 } ] ]
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02009083 Use MySQL health checks for server testing
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01009084 May be used in sections : defaults | frontend | listen | backend
9085 yes | no | yes | yes
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02009086 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02009087 <username> This is the username which will be used when connecting to MySQL
9088 server.
Christopher Faulet62f79fe2020-05-18 18:13:03 +02009089 post-41 Send post v4.1 client compatible checks (the default)
9090 pre-41 Send pre v4.1 client compatible checks
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02009091
9092 If you specify a username, the check consists of sending two MySQL packet,
9093 one Client Authentication packet, and one QUIT packet, to correctly close
Davor Ocelice9ed2812017-12-25 17:49:28 +01009094 MySQL session. We then parse the MySQL Handshake Initialization packet and/or
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02009095 Error packet. It is a basic but useful test which does not produce error nor
9096 aborted connect on the server. However, it requires adding an authorization
9097 in the MySQL table, like this :
9098
9099 USE mysql;
9100 INSERT INTO user (Host,User) values ('<ip_of_haproxy>','<username>');
9101 FLUSH PRIVILEGES;
9102
9103 If you don't specify a username (it is deprecated and not recommended), the
Davor Ocelice9ed2812017-12-25 17:49:28 +01009104 check only consists in parsing the Mysql Handshake Initialization packet or
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02009105 Error packet, we don't send anything in this mode. It was reported that it
9106 can generate lockout if check is too frequent and/or if there is not enough
9107 traffic. In fact, you need in this case to check MySQL "max_connect_errors"
9108 value as if a connection is established successfully within fewer than MySQL
9109 "max_connect_errors" attempts after a previous connection was interrupted,
9110 the error count for the host is cleared to zero. If HAProxy's server get
9111 blocked, the "FLUSH HOSTS" statement is the only way to unblock it.
9112
9113 Remember that this does not check database presence nor database consistency.
9114 To do this, you can use an external check with xinetd for example.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01009115
Hervé COMMOWICK212f7782011-06-10 14:05:59 +02009116 The check requires MySQL >=3.22, for older version, please use TCP check.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01009117
9118 Most often, an incoming MySQL server needs to see the client's IP address for
9119 various purposes, including IP privilege matching and connection logging.
9120 When possible, it is often wise to masquerade the client's IP address when
9121 connecting to the server using the "usesrc" argument of the "source" keyword,
Willy Tarreau29fbe512015-08-20 19:35:14 +02009122 which requires the transparent proxy feature to be compiled in, and the MySQL
Daniel Corbett9f0843f2021-05-08 10:50:37 -04009123 server to route the client via the machine hosting HAProxy.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01009124
9125 See also: "option httpchk"
9126
9127
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009128option nolinger
9129no option nolinger
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009130 Enable or disable immediate session resource cleaning after close
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009131 May be used in sections: defaults | frontend | listen | backend
9132 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009133 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009134
Davor Ocelice9ed2812017-12-25 17:49:28 +01009135 When clients or servers abort connections in a dirty way (e.g. they are
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009136 physically disconnected), the session timeouts triggers and the session is
9137 closed. But it will remain in FIN_WAIT1 state for some time in the system,
9138 using some resources and possibly limiting the ability to establish newer
9139 connections.
9140
9141 When this happens, it is possible to activate "option nolinger" which forces
9142 the system to immediately remove any socket's pending data on close. Thus,
Willy Tarreau4a321032020-10-16 04:55:19 +02009143 a TCP RST is emitted, any pending data are truncated, and the session is
9144 instantly purged from the system's tables. The generally visible effect for
9145 a client is that responses are truncated if the close happens with a last
9146 block of data (e.g. on a redirect or error response). On the server side,
9147 it may help release the source ports immediately when forwarding a client
9148 aborts in tunnels. In both cases, TCP resets are emitted and given that
9149 the session is instantly destroyed, there will be no retransmit. On a lossy
9150 network this can increase problems, especially when there is a firewall on
9151 the lossy side, because the firewall might see and process the reset (hence
9152 purge its session) and block any further traffic for this session,, including
9153 retransmits from the other side. So if the other side doesn't receive it,
9154 it will never receive any RST again, and the firewall might log many blocked
9155 packets.
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009156
Willy Tarreau4a321032020-10-16 04:55:19 +02009157 For all these reasons, it is strongly recommended NOT to use this option,
9158 unless absolutely needed as a last resort. In most situations, using the
9159 "client-fin" or "server-fin" timeouts achieves similar results with a more
9160 reliable behavior. On Linux it's also possible to use the "tcp-ut" bind or
9161 server setting.
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009162
9163 This option may be used both on frontends and backends, depending on the side
9164 where it is required. Use it on the frontend for clients, and on the backend
Willy Tarreau4a321032020-10-16 04:55:19 +02009165 for servers. While this option is technically supported in "defaults"
Ilya Shipitsin2272d8a2020-12-21 01:22:40 +05009166 sections, it must really not be used there as it risks to accidentally
Willy Tarreau4a321032020-10-16 04:55:19 +02009167 propagate to sections that must no use it and to cause problems there.
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009168
9169 If this option has been enabled in a "defaults" section, it can be disabled
9170 in a specific instance by prepending the "no" keyword before it.
9171
Willy Tarreau4a321032020-10-16 04:55:19 +02009172 See also: "timeout client-fin", "timeout server-fin", "tcp-ut" bind or server
9173 keywords.
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009174
Willy Tarreau55165fe2009-05-10 12:02:55 +02009175option originalto [ except <network> ] [ header <name> ]
9176 Enable insertion of the X-Original-To header to requests sent to servers
9177 May be used in sections : defaults | frontend | listen | backend
9178 yes | yes | yes | yes
9179 Arguments :
9180 <network> is an optional argument used to disable this option for sources
9181 matching <network>
9182 <name> an optional argument to specify a different "X-Original-To"
9183 header name.
9184
9185 Since HAProxy can work in transparent mode, every request from a client can
9186 be redirected to the proxy and HAProxy itself can proxy every request to a
9187 complex SQUID environment and the destination host from SO_ORIGINAL_DST will
9188 be lost. This is annoying when you want access rules based on destination ip
9189 addresses. To solve this problem, a new HTTP header "X-Original-To" may be
9190 added by HAProxy to all requests sent to the server. This header contains a
9191 value representing the original destination IP address. Since this must be
9192 configured to always use the last occurrence of this header only. Note that
9193 only the last occurrence of the header must be used, since it is really
9194 possible that the client has already brought one.
9195
9196 The keyword "header" may be used to supply a different header name to replace
9197 the default "X-Original-To". This can be useful where you might already
9198 have a "X-Original-To" header from a different application, and you need
9199 preserve it. Also if your backend server doesn't use the "X-Original-To"
9200 header and requires different one.
9201
9202 Sometimes, a same HAProxy instance may be shared between a direct client
9203 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
9204 used to decrypt HTTPS traffic). It is possible to disable the addition of the
Amaury Denoyellef8b42922021-03-04 18:41:14 +01009205 header for a known destination address or network by adding the "except"
9206 keyword followed by the network address. In this case, any destination IP
9207 matching the network will not cause an addition of this header. Most common
9208 uses are with private networks or 127.0.0.1. IPv4 and IPv6 are both
9209 supported.
Willy Tarreau55165fe2009-05-10 12:02:55 +02009210
9211 This option may be specified either in the frontend or in the backend. If at
9212 least one of them uses it, the header will be added. Note that the backend's
9213 setting of the header subargument takes precedence over the frontend's if
9214 both are defined.
9215
Willy Tarreau55165fe2009-05-10 12:02:55 +02009216 Examples :
9217 # Original Destination address
9218 frontend www
9219 mode http
9220 option originalto except 127.0.0.1
9221
9222 # Those servers want the IP Address in X-Client-Dst
9223 backend www
9224 mode http
9225 option originalto header X-Client-Dst
9226
Christopher Faulet315b39c2018-09-21 16:26:19 +02009227 See also : "option httpclose", "option http-server-close".
Willy Tarreau55165fe2009-05-10 12:02:55 +02009228
9229
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009230option persist
9231no option persist
9232 Enable or disable forced persistence on down servers
9233 May be used in sections: defaults | frontend | listen | backend
9234 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009235 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009236
9237 When an HTTP request reaches a backend with a cookie which references a dead
9238 server, by default it is redispatched to another server. It is possible to
9239 force the request to be sent to the dead server first using "option persist"
9240 if absolutely needed. A common use case is when servers are under extreme
9241 load and spend their time flapping. In this case, the users would still be
9242 directed to the server they opened the session on, in the hope they would be
9243 correctly served. It is recommended to use "option redispatch" in conjunction
9244 with this option so that in the event it would not be possible to connect to
9245 the server at all (server definitely dead), the client would finally be
9246 redirected to another valid server.
9247
9248 If this option has been enabled in a "defaults" section, it can be disabled
9249 in a specific instance by prepending the "no" keyword before it.
9250
Willy Tarreau4de91492010-01-22 19:10:05 +01009251 See also : "option redispatch", "retries", "force-persist"
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009252
9253
Willy Tarreau0c122822013-12-15 18:49:01 +01009254option pgsql-check [ user <username> ]
9255 Use PostgreSQL health checks for server testing
9256 May be used in sections : defaults | frontend | listen | backend
9257 yes | no | yes | yes
9258 Arguments :
9259 <username> This is the username which will be used when connecting to
9260 PostgreSQL server.
9261
9262 The check sends a PostgreSQL StartupMessage and waits for either
9263 Authentication request or ErrorResponse message. It is a basic but useful
9264 test which does not produce error nor aborted connect on the server.
9265 This check is identical with the "mysql-check".
9266
9267 See also: "option httpchk"
9268
9269
Willy Tarreau9420b122013-12-15 18:58:25 +01009270option prefer-last-server
9271no option prefer-last-server
9272 Allow multiple load balanced requests to remain on the same server
9273 May be used in sections: defaults | frontend | listen | backend
9274 yes | no | yes | yes
9275 Arguments : none
9276
9277 When the load balancing algorithm in use is not deterministic, and a previous
Daniel Corbett9f0843f2021-05-08 10:50:37 -04009278 request was sent to a server to which HAProxy still holds a connection, it is
Willy Tarreau9420b122013-12-15 18:58:25 +01009279 sometimes desirable that subsequent requests on a same session go to the same
9280 server as much as possible. Note that this is different from persistence, as
Daniel Corbett9f0843f2021-05-08 10:50:37 -04009281 we only indicate a preference which HAProxy tries to apply without any form
Willy Tarreau9420b122013-12-15 18:58:25 +01009282 of warranty. The real use is for keep-alive connections sent to servers. When
Daniel Corbett9f0843f2021-05-08 10:50:37 -04009283 this option is used, HAProxy will try to reuse the same connection that is
Willy Tarreau9420b122013-12-15 18:58:25 +01009284 attached to the server instead of rebalancing to another server, causing a
9285 close of the connection. This can make sense for static file servers. It does
Willy Tarreau068621e2013-12-23 15:11:25 +01009286 not make much sense to use this in combination with hashing algorithms. Note,
Daniel Corbett9f0843f2021-05-08 10:50:37 -04009287 HAProxy already automatically tries to stick to a server which sends a 401 or
Lukas Tribus80512b12018-10-27 20:07:40 +02009288 to a proxy which sends a 407 (authentication required), when the load
9289 balancing algorithm is not deterministic. This is mandatory for use with the
9290 broken NTLM authentication challenge, and significantly helps in
Willy Tarreau068621e2013-12-23 15:11:25 +01009291 troubleshooting some faulty applications. Option prefer-last-server might be
9292 desirable in these environments as well, to avoid redistributing the traffic
9293 after every other response.
Willy Tarreau9420b122013-12-15 18:58:25 +01009294
9295 If this option has been enabled in a "defaults" section, it can be disabled
9296 in a specific instance by prepending the "no" keyword before it.
9297
9298 See also: "option http-keep-alive"
9299
9300
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01009301option redispatch
Joseph Lynch726ab712015-05-11 23:25:34 -07009302option redispatch <interval>
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01009303no option redispatch
9304 Enable or disable session redistribution in case of connection failure
9305 May be used in sections: defaults | frontend | listen | backend
9306 yes | no | yes | yes
Joseph Lynch726ab712015-05-11 23:25:34 -07009307 Arguments :
9308 <interval> The optional integer value that controls how often redispatches
9309 occur when retrying connections. Positive value P indicates a
9310 redispatch is desired on every Pth retry, and negative value
Davor Ocelice9ed2812017-12-25 17:49:28 +01009311 N indicate a redispatch is desired on the Nth retry prior to the
Joseph Lynch726ab712015-05-11 23:25:34 -07009312 last retry. For example, the default of -1 preserves the
Davor Ocelice9ed2812017-12-25 17:49:28 +01009313 historical behavior of redispatching on the last retry, a
Joseph Lynch726ab712015-05-11 23:25:34 -07009314 positive value of 1 would indicate a redispatch on every retry,
9315 and a positive value of 3 would indicate a redispatch on every
9316 third retry. You can disable redispatches with a value of 0.
9317
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01009318
9319 In HTTP mode, if a server designated by a cookie is down, clients may
9320 definitely stick to it because they cannot flush the cookie, so they will not
9321 be able to access the service anymore.
9322
Willy Tarreau59884a62019-01-02 14:48:31 +01009323 Specifying "option redispatch" will allow the proxy to break cookie or
9324 consistent hash based persistence and redistribute them to a working server.
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01009325
Olivier Carrère6e6f59b2020-04-15 11:30:18 +02009326 Active servers are selected from a subset of the list of available
9327 servers. Active servers that are not down or in maintenance (i.e., whose
9328 health is not checked or that have been checked as "up"), are selected in the
9329 following order:
9330
9331 1. Any active, non-backup server, if any, or,
9332
9333 2. If the "allbackups" option is not set, the first backup server in the
9334 list, or
9335
9336 3. If the "allbackups" option is set, any backup server.
9337
9338 When a retry occurs, HAProxy tries to select another server than the last
9339 one. The new server is selected from the current list of servers.
9340
9341 Sometimes, if the list is updated between retries (e.g., if numerous retries
9342 occur and last longer than the time needed to check that a server is down,
9343 remove it from the list and fall back on the list of backup servers),
9344 connections may be redirected to a backup server, though.
9345
Joseph Lynch726ab712015-05-11 23:25:34 -07009346 It also allows to retry connections to another server in case of multiple
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01009347 connection failures. Of course, it requires having "retries" set to a nonzero
9348 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01009349
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01009350 If this option has been enabled in a "defaults" section, it can be disabled
9351 in a specific instance by prepending the "no" keyword before it.
9352
Christopher Faulet87f1f3d2019-07-18 14:51:20 +02009353 See also : "retries", "force-persist"
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01009354
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009355
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02009356option redis-check
9357 Use redis health checks for server testing
9358 May be used in sections : defaults | frontend | listen | backend
9359 yes | no | yes | yes
9360 Arguments : none
9361
9362 It is possible to test that the server correctly talks REDIS protocol instead
9363 of just testing that it accepts the TCP connection. When this option is set,
9364 a PING redis command is sent to the server, and the response is analyzed to
9365 find the "+PONG" response message.
9366
9367 Example :
9368 option redis-check
9369
Jarno Huuskonene5ae7022017-04-03 14:36:21 +03009370 See also : "option httpchk", "option tcp-check", "tcp-check expect"
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02009371
9372
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009373option smtpchk
9374option smtpchk <hello> <domain>
9375 Use SMTP health checks for server testing
9376 May be used in sections : defaults | frontend | listen | backend
9377 yes | no | yes | yes
Willy Tarreaud72758d2010-01-12 10:42:19 +01009378 Arguments :
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009379 <hello> is an optional argument. It is the "hello" command to use. It can
Lukas Tribus27935782018-10-01 02:00:16 +02009380 be either "HELO" (for SMTP) or "EHLO" (for ESMTP). All other
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009381 values will be turned into the default command ("HELO").
9382
9383 <domain> is the domain name to present to the server. It may only be
9384 specified (and is mandatory) if the hello command has been
9385 specified. By default, "localhost" is used.
9386
9387 When "option smtpchk" is set, the health checks will consist in TCP
9388 connections followed by an SMTP command. By default, this command is
9389 "HELO localhost". The server's return code is analyzed and only return codes
9390 starting with a "2" will be considered as valid. All other responses,
9391 including a lack of response will constitute an error and will indicate a
9392 dead server.
9393
9394 This test is meant to be used with SMTP servers or relays. Depending on the
9395 request, it is possible that some servers do not log each connection attempt,
Davor Ocelice9ed2812017-12-25 17:49:28 +01009396 so you may want to experiment to improve the behavior. Using telnet on port
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009397 25 is often easier than adjusting the configuration.
9398
9399 Most often, an incoming SMTP server needs to see the client's IP address for
9400 various purposes, including spam filtering, anti-spoofing and logging. When
9401 possible, it is often wise to masquerade the client's IP address when
9402 connecting to the server using the "usesrc" argument of the "source" keyword,
Willy Tarreau29fbe512015-08-20 19:35:14 +02009403 which requires the transparent proxy feature to be compiled in.
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009404
9405 Example :
9406 option smtpchk HELO mydomain.org
9407
9408 See also : "option httpchk", "source"
9409
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01009410
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02009411option socket-stats
9412no option socket-stats
9413
9414 Enable or disable collecting & providing separate statistics for each socket.
9415 May be used in sections : defaults | frontend | listen | backend
9416 yes | yes | yes | no
9417
9418 Arguments : none
9419
9420
Willy Tarreauff4f82d2009-02-06 11:28:13 +01009421option splice-auto
9422no option splice-auto
9423 Enable or disable automatic kernel acceleration on sockets in both directions
9424 May be used in sections : defaults | frontend | listen | backend
9425 yes | yes | yes | yes
9426 Arguments : none
9427
Daniel Corbett9f0843f2021-05-08 10:50:37 -04009428 When this option is enabled either on a frontend or on a backend, HAProxy
Willy Tarreauff4f82d2009-02-06 11:28:13 +01009429 will automatically evaluate the opportunity to use kernel tcp splicing to
Davor Ocelice9ed2812017-12-25 17:49:28 +01009430 forward data between the client and the server, in either direction. HAProxy
Willy Tarreauff4f82d2009-02-06 11:28:13 +01009431 uses heuristics to estimate if kernel splicing might improve performance or
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009432 not. Both directions are handled independently. Note that the heuristics used
Willy Tarreauff4f82d2009-02-06 11:28:13 +01009433 are not much aggressive in order to limit excessive use of splicing. This
9434 option requires splicing to be enabled at compile time, and may be globally
9435 disabled with the global option "nosplice". Since splice uses pipes, using it
9436 requires that there are enough spare pipes.
9437
9438 Important note: kernel-based TCP splicing is a Linux-specific feature which
9439 first appeared in kernel 2.6.25. It offers kernel-based acceleration to
9440 transfer data between sockets without copying these data to user-space, thus
9441 providing noticeable performance gains and CPU cycles savings. Since many
9442 early implementations are buggy, corrupt data and/or are inefficient, this
9443 feature is not enabled by default, and it should be used with extreme care.
9444 While it is not possible to detect the correctness of an implementation,
9445 2.6.29 is the first version offering a properly working implementation. In
9446 case of doubt, splicing may be globally disabled using the global "nosplice"
9447 keyword.
9448
9449 Example :
9450 option splice-auto
9451
9452 If this option has been enabled in a "defaults" section, it can be disabled
9453 in a specific instance by prepending the "no" keyword before it.
9454
9455 See also : "option splice-request", "option splice-response", and global
9456 options "nosplice" and "maxpipes"
9457
9458
9459option splice-request
9460no option splice-request
9461 Enable or disable automatic kernel acceleration on sockets for requests
9462 May be used in sections : defaults | frontend | listen | backend
9463 yes | yes | yes | yes
9464 Arguments : none
9465
Daniel Corbett9f0843f2021-05-08 10:50:37 -04009466 When this option is enabled either on a frontend or on a backend, HAProxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04009467 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01009468 the client to the server. It might still use the recv/send scheme if there
9469 are no spare pipes left. This option requires splicing to be enabled at
9470 compile time, and may be globally disabled with the global option "nosplice".
9471 Since splice uses pipes, using it requires that there are enough spare pipes.
9472
9473 Important note: see "option splice-auto" for usage limitations.
9474
9475 Example :
9476 option splice-request
9477
9478 If this option has been enabled in a "defaults" section, it can be disabled
9479 in a specific instance by prepending the "no" keyword before it.
9480
9481 See also : "option splice-auto", "option splice-response", and global options
9482 "nosplice" and "maxpipes"
9483
9484
9485option splice-response
9486no option splice-response
9487 Enable or disable automatic kernel acceleration on sockets for responses
9488 May be used in sections : defaults | frontend | listen | backend
9489 yes | yes | yes | yes
9490 Arguments : none
9491
Daniel Corbett9f0843f2021-05-08 10:50:37 -04009492 When this option is enabled either on a frontend or on a backend, HAProxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04009493 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01009494 the server to the client. It might still use the recv/send scheme if there
9495 are no spare pipes left. This option requires splicing to be enabled at
9496 compile time, and may be globally disabled with the global option "nosplice".
9497 Since splice uses pipes, using it requires that there are enough spare pipes.
9498
9499 Important note: see "option splice-auto" for usage limitations.
9500
9501 Example :
9502 option splice-response
9503
9504 If this option has been enabled in a "defaults" section, it can be disabled
9505 in a specific instance by prepending the "no" keyword before it.
9506
9507 See also : "option splice-auto", "option splice-request", and global options
9508 "nosplice" and "maxpipes"
9509
9510
Christopher Fauletba7bc162016-11-07 21:07:38 +01009511option spop-check
9512 Use SPOP health checks for server testing
9513 May be used in sections : defaults | frontend | listen | backend
9514 no | no | no | yes
9515 Arguments : none
9516
9517 It is possible to test that the server correctly talks SPOP protocol instead
9518 of just testing that it accepts the TCP connection. When this option is set,
9519 a HELLO handshake is performed between HAProxy and the server, and the
9520 response is analyzed to check no error is reported.
9521
9522 Example :
9523 option spop-check
9524
9525 See also : "option httpchk"
9526
9527
Willy Tarreaubf1f8162007-12-28 17:42:56 +01009528option srvtcpka
9529no option srvtcpka
9530 Enable or disable the sending of TCP keepalive packets on the server side
9531 May be used in sections : defaults | frontend | listen | backend
9532 yes | no | yes | yes
9533 Arguments : none
9534
9535 When there is a firewall or any session-aware component between a client and
9536 a server, and when the protocol involves very long sessions with long idle
Davor Ocelice9ed2812017-12-25 17:49:28 +01009537 periods (e.g. remote desktops), there is a risk that one of the intermediate
Willy Tarreaubf1f8162007-12-28 17:42:56 +01009538 components decides to expire a session which has remained idle for too long.
9539
9540 Enabling socket-level TCP keep-alives makes the system regularly send packets
9541 to the other end of the connection, leaving it active. The delay between
9542 keep-alive probes is controlled by the system only and depends both on the
9543 operating system and its tuning parameters.
9544
9545 It is important to understand that keep-alive packets are neither emitted nor
9546 received at the application level. It is only the network stacks which sees
9547 them. For this reason, even if one side of the proxy already uses keep-alives
9548 to maintain its connection alive, those keep-alive packets will not be
9549 forwarded to the other side of the proxy.
9550
9551 Please note that this has nothing to do with HTTP keep-alive.
9552
9553 Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
9554 server side of a connection, which should help when session expirations are
9555 noticed between HAProxy and a server.
9556
9557 If this option has been enabled in a "defaults" section, it can be disabled
9558 in a specific instance by prepending the "no" keyword before it.
9559
9560 See also : "option clitcpka", "option tcpka"
9561
9562
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009563option ssl-hello-chk
9564 Use SSLv3 client hello health checks for server testing
9565 May be used in sections : defaults | frontend | listen | backend
9566 yes | no | yes | yes
9567 Arguments : none
9568
9569 When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
9570 possible to test that the server correctly talks SSL instead of just testing
9571 that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
9572 SSLv3 client hello messages are sent once the connection is established to
9573 the server, and the response is analyzed to find an SSL server hello message.
9574 The server is considered valid only when the response contains this server
9575 hello message.
9576
9577 All servers tested till there correctly reply to SSLv3 client hello messages,
9578 and most servers tested do not even log the requests containing only hello
9579 messages, which is appreciable.
9580
Daniel Corbett9f0843f2021-05-08 10:50:37 -04009581 Note that this check works even when SSL support was not built into HAProxy
Willy Tarreau763a95b2012-10-04 23:15:39 +02009582 because it forges the SSL message. When SSL support is available, it is best
9583 to use native SSL health checks instead of this one.
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009584
Willy Tarreau763a95b2012-10-04 23:15:39 +02009585 See also: "option httpchk", "check-ssl"
9586
Willy Tarreaua453bdd2008-01-08 19:50:52 +01009587
Willy Tarreaued179852013-12-16 01:07:00 +01009588option tcp-check
9589 Perform health checks using tcp-check send/expect sequences
9590 May be used in sections: defaults | frontend | listen | backend
9591 yes | no | yes | yes
9592
9593 This health check method is intended to be combined with "tcp-check" command
9594 lists in order to support send/expect types of health check sequences.
9595
9596 TCP checks currently support 4 modes of operations :
9597 - no "tcp-check" directive : the health check only consists in a connection
9598 attempt, which remains the default mode.
9599
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009600 - "tcp-check send" or "tcp-check send-binary" only is mentioned : this is
Willy Tarreaued179852013-12-16 01:07:00 +01009601 used to send a string along with a connection opening. With some
9602 protocols, it helps sending a "QUIT" message for example that prevents
9603 the server from logging a connection error for each health check. The
9604 check result will still be based on the ability to open the connection
9605 only.
9606
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009607 - "tcp-check expect" only is mentioned : this is used to test a banner.
Daniel Corbett9f0843f2021-05-08 10:50:37 -04009608 The connection is opened and HAProxy waits for the server to present some
Willy Tarreaued179852013-12-16 01:07:00 +01009609 contents which must validate some rules. The check result will be based
9610 on the matching between the contents and the rules. This is suited for
9611 POP, IMAP, SMTP, FTP, SSH, TELNET.
9612
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009613 - both "tcp-check send" and "tcp-check expect" are mentioned : this is
Davor Ocelice9ed2812017-12-25 17:49:28 +01009614 used to test a hello-type protocol. HAProxy sends a message, the server
9615 responds and its response is analyzed. the check result will be based on
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009616 the matching between the response contents and the rules. This is often
Willy Tarreaued179852013-12-16 01:07:00 +01009617 suited for protocols which require a binding or a request/response model.
9618 LDAP, MySQL, Redis and SSL are example of such protocols, though they
9619 already all have their dedicated checks with a deeper understanding of
9620 the respective protocols.
9621 In this mode, many questions may be sent and many answers may be
Davor Ocelice9ed2812017-12-25 17:49:28 +01009622 analyzed.
Willy Tarreaued179852013-12-16 01:07:00 +01009623
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02009624 A fifth mode can be used to insert comments in different steps of the script.
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02009625
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02009626 For each tcp-check rule you create, you can add a "comment" directive,
9627 followed by a string. This string will be reported in the log and stderr in
9628 debug mode. It is useful to make user-friendly error reporting. The
9629 "comment" is of course optional.
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02009630
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02009631 During the execution of a health check, a variable scope is made available to
9632 store data samples, using the "tcp-check set-var" operation. Freeing those
9633 variable is possible using "tcp-check unset-var".
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +01009634
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02009635
Willy Tarreaued179852013-12-16 01:07:00 +01009636 Examples :
Davor Ocelice9ed2812017-12-25 17:49:28 +01009637 # perform a POP check (analyze only server's banner)
Willy Tarreaued179852013-12-16 01:07:00 +01009638 option tcp-check
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02009639 tcp-check expect string +OK\ POP3\ ready comment POP\ protocol
Willy Tarreaued179852013-12-16 01:07:00 +01009640
Davor Ocelice9ed2812017-12-25 17:49:28 +01009641 # perform an IMAP check (analyze only server's banner)
Willy Tarreaued179852013-12-16 01:07:00 +01009642 option tcp-check
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02009643 tcp-check expect string *\ OK\ IMAP4\ ready comment IMAP\ protocol
Willy Tarreaued179852013-12-16 01:07:00 +01009644
9645 # look for the redis master server after ensuring it speaks well
9646 # redis protocol, then it exits properly.
Davor Ocelice9ed2812017-12-25 17:49:28 +01009647 # (send a command then analyze the response 3 times)
Willy Tarreaued179852013-12-16 01:07:00 +01009648 option tcp-check
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02009649 tcp-check comment PING\ phase
Willy Tarreaued179852013-12-16 01:07:00 +01009650 tcp-check send PING\r\n
Baptiste Assmanna3322992015-08-04 10:12:18 +02009651 tcp-check expect string +PONG
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02009652 tcp-check comment role\ check
Willy Tarreaued179852013-12-16 01:07:00 +01009653 tcp-check send info\ replication\r\n
9654 tcp-check expect string role:master
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02009655 tcp-check comment QUIT\ phase
Willy Tarreaued179852013-12-16 01:07:00 +01009656 tcp-check send QUIT\r\n
9657 tcp-check expect string +OK
9658
Davor Ocelice9ed2812017-12-25 17:49:28 +01009659 forge a HTTP request, then analyze the response
Willy Tarreaued179852013-12-16 01:07:00 +01009660 (send many headers before analyzing)
9661 option tcp-check
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02009662 tcp-check comment forge\ and\ send\ HTTP\ request
Willy Tarreaued179852013-12-16 01:07:00 +01009663 tcp-check send HEAD\ /\ HTTP/1.1\r\n
9664 tcp-check send Host:\ www.mydomain.com\r\n
9665 tcp-check send User-Agent:\ HAProxy\ tcpcheck\r\n
9666 tcp-check send \r\n
Baptiste Assmannd60a9e52015-04-25 16:27:23 +02009667 tcp-check expect rstring HTTP/1\..\ (2..|3..) comment check\ HTTP\ response
Willy Tarreaued179852013-12-16 01:07:00 +01009668
9669
Christopher Fauletc52ea4d2020-04-23 15:43:35 +02009670 See also : "tcp-check connect", "tcp-check expect" and "tcp-check send".
Willy Tarreaued179852013-12-16 01:07:00 +01009671
9672
Willy Tarreau9ea05a72009-06-14 12:07:01 +02009673option tcp-smart-accept
9674no option tcp-smart-accept
9675 Enable or disable the saving of one ACK packet during the accept sequence
9676 May be used in sections : defaults | frontend | listen | backend
9677 yes | yes | yes | no
9678 Arguments : none
9679
9680 When an HTTP connection request comes in, the system acknowledges it on
9681 behalf of HAProxy, then the client immediately sends its request, and the
9682 system acknowledges it too while it is notifying HAProxy about the new
9683 connection. HAProxy then reads the request and responds. This means that we
9684 have one TCP ACK sent by the system for nothing, because the request could
9685 very well be acknowledged by HAProxy when it sends its response.
9686
9687 For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
9688 sending this useless ACK on platforms which support it (currently at least
9689 Linux). It must not cause any problem, because the system will send it anyway
9690 after 40 ms if the response takes more time than expected to come.
9691
9692 During complex network debugging sessions, it may be desirable to disable
9693 this optimization because delayed ACKs can make troubleshooting more complex
9694 when trying to identify where packets are delayed. It is then possible to
Davor Ocelice9ed2812017-12-25 17:49:28 +01009695 fall back to normal behavior by specifying "no option tcp-smart-accept".
Willy Tarreau9ea05a72009-06-14 12:07:01 +02009696
9697 It is also possible to force it for non-HTTP proxies by simply specifying
9698 "option tcp-smart-accept". For instance, it can make sense with some services
9699 such as SMTP where the server speaks first.
9700
9701 It is recommended to avoid forcing this option in a defaults section. In case
9702 of doubt, consider setting it back to automatic values by prepending the
9703 "default" keyword before it, or disabling it using the "no" keyword.
9704
Willy Tarreaud88edf22009-06-14 15:48:17 +02009705 See also : "option tcp-smart-connect"
9706
9707
9708option tcp-smart-connect
9709no option tcp-smart-connect
9710 Enable or disable the saving of one ACK packet during the connect sequence
9711 May be used in sections : defaults | frontend | listen | backend
9712 yes | no | yes | yes
9713 Arguments : none
9714
9715 On certain systems (at least Linux), HAProxy can ask the kernel not to
9716 immediately send an empty ACK upon a connection request, but to directly
9717 send the buffer request instead. This saves one packet on the network and
9718 thus boosts performance. It can also be useful for some servers, because they
9719 immediately get the request along with the incoming connection.
9720
9721 This feature is enabled when "option tcp-smart-connect" is set in a backend.
9722 It is not enabled by default because it makes network troubleshooting more
9723 complex.
9724
9725 It only makes sense to enable it with protocols where the client speaks first
9726 such as HTTP. In other situations, if there is no data to send in place of
9727 the ACK, a normal ACK is sent.
9728
9729 If this option has been enabled in a "defaults" section, it can be disabled
9730 in a specific instance by prepending the "no" keyword before it.
9731
9732 See also : "option tcp-smart-accept"
9733
Willy Tarreau9ea05a72009-06-14 12:07:01 +02009734
Willy Tarreaubf1f8162007-12-28 17:42:56 +01009735option tcpka
9736 Enable or disable the sending of TCP keepalive packets on both sides
9737 May be used in sections : defaults | frontend | listen | backend
9738 yes | yes | yes | yes
9739 Arguments : none
9740
9741 When there is a firewall or any session-aware component between a client and
9742 a server, and when the protocol involves very long sessions with long idle
Davor Ocelice9ed2812017-12-25 17:49:28 +01009743 periods (e.g. remote desktops), there is a risk that one of the intermediate
Willy Tarreaubf1f8162007-12-28 17:42:56 +01009744 components decides to expire a session which has remained idle for too long.
9745
9746 Enabling socket-level TCP keep-alives makes the system regularly send packets
9747 to the other end of the connection, leaving it active. The delay between
9748 keep-alive probes is controlled by the system only and depends both on the
9749 operating system and its tuning parameters.
9750
9751 It is important to understand that keep-alive packets are neither emitted nor
9752 received at the application level. It is only the network stacks which sees
9753 them. For this reason, even if one side of the proxy already uses keep-alives
9754 to maintain its connection alive, those keep-alive packets will not be
9755 forwarded to the other side of the proxy.
9756
9757 Please note that this has nothing to do with HTTP keep-alive.
9758
9759 Using option "tcpka" enables the emission of TCP keep-alive probes on both
9760 the client and server sides of a connection. Note that this is meaningful
9761 only in "defaults" or "listen" sections. If this option is used in a
9762 frontend, only the client side will get keep-alives, and if this option is
9763 used in a backend, only the server side will get keep-alives. For this
9764 reason, it is strongly recommended to explicitly use "option clitcpka" and
9765 "option srvtcpka" when the configuration is split between frontends and
9766 backends.
9767
9768 See also : "option clitcpka", "option srvtcpka"
9769
Willy Tarreau844e3c52008-01-11 16:28:18 +01009770
9771option tcplog
9772 Enable advanced logging of TCP connections with session state and timers
9773 May be used in sections : defaults | frontend | listen | backend
Tim Duesterhus9ad9f352018-02-05 20:52:27 +01009774 yes | yes | yes | no
Willy Tarreau844e3c52008-01-11 16:28:18 +01009775 Arguments : none
9776
9777 By default, the log output format is very poor, as it only contains the
9778 source and destination addresses, and the instance name. By specifying
9779 "option tcplog", each log line turns into a much richer format including, but
9780 not limited to, the connection timers, the session status, the connections
9781 numbers, the frontend, backend and server name, and of course the source
9782 address and ports. This option is useful for pure TCP proxies in order to
9783 find which of the client or server disconnects or times out. For normal HTTP
9784 proxies, it's better to use "option httplog" which is even more complete.
9785
Guillaume de Lafond29f45602017-03-31 19:52:15 +02009786 "option tcplog" overrides any previous "log-format" directive.
9787
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009788 See also : "option httplog", and section 8 about logging.
Willy Tarreau844e3c52008-01-11 16:28:18 +01009789
9790
Willy Tarreau844e3c52008-01-11 16:28:18 +01009791option transparent
9792no option transparent
9793 Enable client-side transparent proxying
9794 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01009795 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01009796 Arguments : none
9797
9798 This option was introduced in order to provide layer 7 persistence to layer 3
9799 load balancers. The idea is to use the OS's ability to redirect an incoming
9800 connection for a remote address to a local process (here HAProxy), and let
9801 this process know what address was initially requested. When this option is
9802 used, sessions without cookies will be forwarded to the original destination
9803 IP address of the incoming request (which should match that of another
9804 equipment), while requests with cookies will still be forwarded to the
9805 appropriate server.
9806
9807 Note that contrary to a common belief, this option does NOT make HAProxy
9808 present the client's IP to the server when establishing the connection.
9809
Willy Tarreaua1146052011-03-01 09:51:54 +01009810 See also: the "usesrc" argument of the "source" keyword, and the
Willy Tarreaueabeafa2008-01-16 16:17:06 +01009811 "transparent" option of the "bind" keyword.
Willy Tarreau844e3c52008-01-11 16:28:18 +01009812
Willy Tarreaubf1f8162007-12-28 17:42:56 +01009813
Simon Horman98637e52014-06-20 12:30:16 +09009814external-check command <command>
9815 Executable to run when performing an external-check
9816 May be used in sections : defaults | frontend | listen | backend
9817 yes | no | yes | yes
9818
9819 Arguments :
9820 <command> is the external command to run
9821
Simon Horman98637e52014-06-20 12:30:16 +09009822 The arguments passed to the to the command are:
9823
Cyril Bonté777be862014-12-02 21:21:35 +01009824 <proxy_address> <proxy_port> <server_address> <server_port>
Simon Horman98637e52014-06-20 12:30:16 +09009825
Cyril Bonté777be862014-12-02 21:21:35 +01009826 The <proxy_address> and <proxy_port> are derived from the first listener
9827 that is either IPv4, IPv6 or a UNIX socket. In the case of a UNIX socket
9828 listener the proxy_address will be the path of the socket and the
9829 <proxy_port> will be the string "NOT_USED". In a backend section, it's not
9830 possible to determine a listener, and both <proxy_address> and <proxy_port>
9831 will have the string value "NOT_USED".
Simon Horman98637e52014-06-20 12:30:16 +09009832
Cyril Bonté72cda2a2014-12-27 22:28:39 +01009833 Some values are also provided through environment variables.
9834
9835 Environment variables :
9836 HAPROXY_PROXY_ADDR The first bind address if available (or empty if not
9837 applicable, for example in a "backend" section).
9838
9839 HAPROXY_PROXY_ID The backend id.
9840
9841 HAPROXY_PROXY_NAME The backend name.
9842
9843 HAPROXY_PROXY_PORT The first bind port if available (or empty if not
9844 applicable, for example in a "backend" section or
9845 for a UNIX socket).
9846
9847 HAPROXY_SERVER_ADDR The server address.
9848
9849 HAPROXY_SERVER_CURCONN The current number of connections on the server.
9850
9851 HAPROXY_SERVER_ID The server id.
9852
9853 HAPROXY_SERVER_MAXCONN The server max connections.
9854
9855 HAPROXY_SERVER_NAME The server name.
9856
9857 HAPROXY_SERVER_PORT The server port if available (or empty for a UNIX
9858 socket).
9859
9860 PATH The PATH environment variable used when executing
9861 the command may be set using "external-check path".
9862
William Lallemand4d03e432019-06-14 15:35:37 +02009863 See also "2.3. Environment variables" for other variables.
9864
Simon Horman98637e52014-06-20 12:30:16 +09009865 If the command executed and exits with a zero status then the check is
9866 considered to have passed, otherwise the check is considered to have
9867 failed.
9868
9869 Example :
9870 external-check command /bin/true
9871
9872 See also : "external-check", "option external-check", "external-check path"
9873
9874
9875external-check path <path>
9876 The value of the PATH environment variable used when running an external-check
9877 May be used in sections : defaults | frontend | listen | backend
9878 yes | no | yes | yes
9879
9880 Arguments :
9881 <path> is the path used when executing external command to run
9882
9883 The default path is "".
9884
9885 Example :
9886 external-check path "/usr/bin:/bin"
9887
9888 See also : "external-check", "option external-check",
9889 "external-check command"
9890
9891
Emeric Brun647caf12009-06-30 17:57:00 +02009892persist rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02009893persist rdp-cookie(<name>)
Emeric Brun647caf12009-06-30 17:57:00 +02009894 Enable RDP cookie-based persistence
9895 May be used in sections : defaults | frontend | listen | backend
9896 yes | no | yes | yes
9897 Arguments :
9898 <name> is the optional name of the RDP cookie to check. If omitted, the
Willy Tarreau61e28f22010-05-16 22:31:05 +02009899 default cookie name "msts" will be used. There currently is no
9900 valid reason to change this name.
Emeric Brun647caf12009-06-30 17:57:00 +02009901
9902 This statement enables persistence based on an RDP cookie. The RDP cookie
9903 contains all information required to find the server in the list of known
Davor Ocelice9ed2812017-12-25 17:49:28 +01009904 servers. So when this option is set in the backend, the request is analyzed
Emeric Brun647caf12009-06-30 17:57:00 +02009905 and if an RDP cookie is found, it is decoded. If it matches a known server
9906 which is still UP (or if "option persist" is set), then the connection is
9907 forwarded to this server.
9908
9909 Note that this only makes sense in a TCP backend, but for this to work, the
9910 frontend must have waited long enough to ensure that an RDP cookie is present
9911 in the request buffer. This is the same requirement as with the "rdp-cookie"
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009912 load-balancing method. Thus it is highly recommended to put all statements in
Emeric Brun647caf12009-06-30 17:57:00 +02009913 a single "listen" section.
9914
Willy Tarreau61e28f22010-05-16 22:31:05 +02009915 Also, it is important to understand that the terminal server will emit this
9916 RDP cookie only if it is configured for "token redirection mode", which means
9917 that the "IP address redirection" option is disabled.
9918
Emeric Brun647caf12009-06-30 17:57:00 +02009919 Example :
9920 listen tse-farm
9921 bind :3389
9922 # wait up to 5s for an RDP cookie in the request
9923 tcp-request inspect-delay 5s
9924 tcp-request content accept if RDP_COOKIE
9925 # apply RDP cookie persistence
9926 persist rdp-cookie
9927 # if server is unknown, let's balance on the same cookie.
Cyril Bontédc4d9032012-04-08 21:57:39 +02009928 # alternatively, "balance leastconn" may be useful too.
Emeric Brun647caf12009-06-30 17:57:00 +02009929 balance rdp-cookie
9930 server srv1 1.1.1.1:3389
9931 server srv2 1.1.1.2:3389
9932
Simon Hormanab814e02011-06-24 14:50:20 +09009933 See also : "balance rdp-cookie", "tcp-request", the "req_rdp_cookie" ACL and
9934 the rdp_cookie pattern fetch function.
Emeric Brun647caf12009-06-30 17:57:00 +02009935
9936
Willy Tarreau3a7d2072009-03-05 23:48:25 +01009937rate-limit sessions <rate>
9938 Set a limit on the number of new sessions accepted per second on a frontend
9939 May be used in sections : defaults | frontend | listen | backend
9940 yes | yes | yes | no
9941 Arguments :
9942 <rate> The <rate> parameter is an integer designating the maximum number
9943 of new sessions per second to accept on the frontend.
9944
9945 When the frontend reaches the specified number of new sessions per second, it
9946 stops accepting new connections until the rate drops below the limit again.
9947 During this time, the pending sessions will be kept in the socket's backlog
Daniel Corbett9f0843f2021-05-08 10:50:37 -04009948 (in system buffers) and HAProxy will not even be aware that sessions are
Willy Tarreau3a7d2072009-03-05 23:48:25 +01009949 pending. When applying very low limit on a highly loaded service, it may make
9950 sense to increase the socket's backlog using the "backlog" keyword.
9951
9952 This feature is particularly efficient at blocking connection-based attacks
9953 or service abuse on fragile servers. Since the session rate is measured every
9954 millisecond, it is extremely accurate. Also, the limit applies immediately,
9955 no delay is needed at all to detect the threshold.
9956
9957 Example : limit the connection rate on SMTP to 10 per second max
9958 listen smtp
9959 mode tcp
9960 bind :25
9961 rate-limit sessions 10
Panagiotis Panagiotopoulos7282d8e2016-02-11 16:37:15 +02009962 server smtp1 127.0.0.1:1025
Willy Tarreau3a7d2072009-03-05 23:48:25 +01009963
Willy Tarreaua17c2d92011-07-25 08:16:20 +02009964 Note : when the maximum rate is reached, the frontend's status is not changed
9965 but its sockets appear as "WAITING" in the statistics if the
9966 "socket-stats" option is enabled.
Willy Tarreau3a7d2072009-03-05 23:48:25 +01009967
9968 See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
9969
9970
Willy Tarreau2e1dca82012-09-12 08:43:15 +02009971redirect location <loc> [code <code>] <option> [{if | unless} <condition>]
9972redirect prefix <pfx> [code <code>] <option> [{if | unless} <condition>]
9973redirect scheme <sch> [code <code>] <option> [{if | unless} <condition>]
Willy Tarreaub463dfb2008-06-07 23:08:56 +02009974 Return an HTTP redirection if/unless a condition is matched
9975 May be used in sections : defaults | frontend | listen | backend
9976 no | yes | yes | yes
9977
9978 If/unless the condition is matched, the HTTP request will lead to a redirect
Willy Tarreauf285f542010-01-03 20:03:03 +01009979 response. If no condition is specified, the redirect applies unconditionally.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02009980
Willy Tarreau0140f252008-11-19 21:07:09 +01009981 Arguments :
Willy Tarreau2e1dca82012-09-12 08:43:15 +02009982 <loc> With "redirect location", the exact value in <loc> is placed into
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01009983 the HTTP "Location" header. When used in an "http-request" rule,
9984 <loc> value follows the log-format rules and can include some
9985 dynamic values (see Custom Log Format in section 8.2.4).
Willy Tarreau2e1dca82012-09-12 08:43:15 +02009986
9987 <pfx> With "redirect prefix", the "Location" header is built from the
9988 concatenation of <pfx> and the complete URI path, including the
9989 query string, unless the "drop-query" option is specified (see
9990 below). As a special case, if <pfx> equals exactly "/", then
9991 nothing is inserted before the original URI. It allows one to
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01009992 redirect to the same URL (for instance, to insert a cookie). When
9993 used in an "http-request" rule, <pfx> value follows the log-format
9994 rules and can include some dynamic values (see Custom Log Format
9995 in section 8.2.4).
Willy Tarreau2e1dca82012-09-12 08:43:15 +02009996
9997 <sch> With "redirect scheme", then the "Location" header is built by
9998 concatenating <sch> with "://" then the first occurrence of the
9999 "Host" header, and then the URI path, including the query string
10000 unless the "drop-query" option is specified (see below). If no
10001 path is found or if the path is "*", then "/" is used instead. If
10002 no "Host" header is found, then an empty host component will be
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030010003 returned, which most recent browsers interpret as redirecting to
Willy Tarreau2e1dca82012-09-12 08:43:15 +020010004 the same host. This directive is mostly used to redirect HTTP to
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +010010005 HTTPS. When used in an "http-request" rule, <sch> value follows
10006 the log-format rules and can include some dynamic values (see
10007 Custom Log Format in section 8.2.4).
Willy Tarreau0140f252008-11-19 21:07:09 +010010008
10009 <code> The code is optional. It indicates which type of HTTP redirection
Willy Tarreaub67fdc42013-03-29 19:28:11 +010010010 is desired. Only codes 301, 302, 303, 307 and 308 are supported,
10011 with 302 used by default if no code is specified. 301 means
10012 "Moved permanently", and a browser may cache the Location. 302
Baptiste Assmannea849c02015-08-03 11:42:50 +020010013 means "Moved temporarily" and means that the browser should not
Willy Tarreaub67fdc42013-03-29 19:28:11 +010010014 cache the redirection. 303 is equivalent to 302 except that the
10015 browser will fetch the location with a GET method. 307 is just
10016 like 302 but makes it clear that the same method must be reused.
10017 Likewise, 308 replaces 301 if the same method must be used.
Willy Tarreau0140f252008-11-19 21:07:09 +010010018
10019 <option> There are several options which can be specified to adjust the
Davor Ocelice9ed2812017-12-25 17:49:28 +010010020 expected behavior of a redirection :
Willy Tarreau0140f252008-11-19 21:07:09 +010010021
10022 - "drop-query"
10023 When this keyword is used in a prefix-based redirection, then the
10024 location will be set without any possible query-string, which is useful
10025 for directing users to a non-secure page for instance. It has no effect
10026 with a location-type redirect.
10027
Willy Tarreau81e3b4f2010-01-10 00:42:19 +010010028 - "append-slash"
10029 This keyword may be used in conjunction with "drop-query" to redirect
10030 users who use a URL not ending with a '/' to the same one with the '/'.
10031 It can be useful to ensure that search engines will only see one URL.
10032 For this, a return code 301 is preferred.
10033
Willy Tarreau0140f252008-11-19 21:07:09 +010010034 - "set-cookie NAME[=value]"
10035 A "Set-Cookie" header will be added with NAME (and optionally "=value")
10036 to the response. This is sometimes used to indicate that a user has
10037 been seen, for instance to protect against some types of DoS. No other
10038 cookie option is added, so the cookie will be a session cookie. Note
10039 that for a browser, a sole cookie name without an equal sign is
10040 different from a cookie with an equal sign.
10041
10042 - "clear-cookie NAME[=]"
10043 A "Set-Cookie" header will be added with NAME (and optionally "="), but
10044 with the "Max-Age" attribute set to zero. This will tell the browser to
10045 delete this cookie. It is useful for instance on logout pages. It is
10046 important to note that clearing the cookie "NAME" will not remove a
10047 cookie set with "NAME=value". You have to clear the cookie "NAME=" for
10048 that, because the browser makes the difference.
Willy Tarreaub463dfb2008-06-07 23:08:56 +020010049
10050 Example: move the login URL only to HTTPS.
10051 acl clear dst_port 80
10052 acl secure dst_port 8080
10053 acl login_page url_beg /login
Willy Tarreau0140f252008-11-19 21:07:09 +010010054 acl logout url_beg /logout
Willy Tarreau79da4692008-11-19 20:03:04 +010010055 acl uid_given url_reg /login?userid=[^&]+
Willy Tarreau0140f252008-11-19 21:07:09 +010010056 acl cookie_set hdr_sub(cookie) SEEN=1
10057
10058 redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
Willy Tarreau79da4692008-11-19 20:03:04 +010010059 redirect prefix https://mysite.com if login_page !secure
10060 redirect prefix http://mysite.com drop-query if login_page !uid_given
10061 redirect location http://mysite.com/ if !login_page secure
Willy Tarreau0140f252008-11-19 21:07:09 +010010062 redirect location / clear-cookie USERID= if logout
Willy Tarreaub463dfb2008-06-07 23:08:56 +020010063
Willy Tarreau81e3b4f2010-01-10 00:42:19 +010010064 Example: send redirects for request for articles without a '/'.
10065 acl missing_slash path_reg ^/article/[^/]*$
10066 redirect code 301 prefix / drop-query append-slash if missing_slash
10067
Daniel Corbett9f0843f2021-05-08 10:50:37 -040010068 Example: redirect all HTTP traffic to HTTPS when SSL is handled by HAProxy.
David BERARDe7153042012-11-03 00:11:31 +010010069 redirect scheme https if !{ ssl_fc }
Willy Tarreau2e1dca82012-09-12 08:43:15 +020010070
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +010010071 Example: append 'www.' prefix in front of all hosts not having it
Coen Rosdorff596659b2016-04-11 11:33:49 +020010072 http-request redirect code 301 location \
10073 http://www.%[hdr(host)]%[capture.req.uri] \
10074 unless { hdr_beg(host) -i www }
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +010010075
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010076 See section 7 about ACL usage.
Willy Tarreaub463dfb2008-06-07 23:08:56 +020010077
Willy Tarreau303c0352008-01-17 19:01:39 +010010078
Willy Tarreaue5c5ce92008-06-20 17:27:19 +020010079retries <value>
10080 Set the number of retries to perform on a server after a connection failure
10081 May be used in sections: defaults | frontend | listen | backend
10082 yes | no | yes | yes
10083 Arguments :
10084 <value> is the number of times a connection attempt should be retried on
10085 a server when a connection either is refused or times out. The
10086 default value is 3.
10087
10088 It is important to understand that this value applies to the number of
10089 connection attempts, not full requests. When a connection has effectively
10090 been established to a server, there will be no more retry.
10091
10092 In order to avoid immediate reconnections to a server which is restarting,
Joseph Lynch726ab712015-05-11 23:25:34 -070010093 a turn-around timer of min("timeout connect", one second) is applied before
10094 a retry occurs.
Willy Tarreaue5c5ce92008-06-20 17:27:19 +020010095
10096 When "option redispatch" is set, the last retry may be performed on another
10097 server even if a cookie references a different server.
10098
10099 See also : "option redispatch"
10100
10101
Olivier Houcharda254a372019-04-05 15:30:12 +020010102retry-on [list of keywords]
Jerome Magnin5ce3c142020-05-13 20:09:57 +020010103 Specify when to attempt to automatically retry a failed request.
10104 This setting is only valid when "mode" is set to http and is silently ignored
10105 otherwise.
Olivier Houcharda254a372019-04-05 15:30:12 +020010106 May be used in sections: defaults | frontend | listen | backend
10107 yes | no | yes | yes
10108 Arguments :
10109 <keywords> is a list of keywords or HTTP status codes, each representing a
10110 type of failure event on which an attempt to retry the request
10111 is desired. Please read the notes at the bottom before changing
10112 this setting. The following keywords are supported :
10113
10114 none never retry
10115
10116 conn-failure retry when the connection or the SSL handshake failed
10117 and the request could not be sent. This is the default.
10118
10119 empty-response retry when the server connection was closed after part
10120 of the request was sent, and nothing was received from
10121 the server. This type of failure may be caused by the
10122 request timeout on the server side, poor network
10123 condition, or a server crash or restart while
10124 processing the request.
10125
Olivier Houcharde3249a92019-05-03 23:01:47 +020010126 junk-response retry when the server returned something not looking
10127 like a complete HTTP response. This includes partial
10128 responses headers as well as non-HTTP contents. It
10129 usually is a bad idea to retry on such events, which
10130 may be caused a configuration issue (wrong server port)
10131 or by the request being harmful to the server (buffer
10132 overflow attack for example).
10133
Olivier Houcharda254a372019-04-05 15:30:12 +020010134 response-timeout the server timeout stroke while waiting for the server
10135 to respond to the request. This may be caused by poor
10136 network condition, the reuse of an idle connection
10137 which has expired on the path, or by the request being
10138 extremely expensive to process. It generally is a bad
10139 idea to retry on such events on servers dealing with
10140 heavy database processing (full scans, etc) as it may
10141 amplify denial of service attacks.
10142
Olivier Houchard865d8392019-05-03 22:46:27 +020010143 0rtt-rejected retry requests which were sent over early data and were
10144 rejected by the server. These requests are generally
10145 considered to be safe to retry.
10146
Julien Pivotto2de240a2020-11-12 11:14:05 +010010147 <status> any HTTP status code among "401" (Unauthorized), "403"
10148 (Forbidden), "404" (Not Found), "408" (Request Timeout),
10149 "425" (Too Early), "500" (Server Error), "501" (Not
10150 Implemented), "502" (Bad Gateway), "503" (Service
10151 Unavailable), "504" (Gateway Timeout).
Olivier Houcharda254a372019-04-05 15:30:12 +020010152
Olivier Houchardddf0e032019-05-10 18:05:40 +020010153 all-retryable-errors
10154 retry request for any error that are considered
10155 retryable. This currently activates "conn-failure",
10156 "empty-response", "junk-response", "response-timeout",
10157 "0rtt-rejected", "500", "502", "503", and "504".
10158
Olivier Houcharda254a372019-04-05 15:30:12 +020010159 Using this directive replaces any previous settings with the new ones; it is
10160 not cumulative.
10161
10162 Please note that using anything other than "none" and "conn-failure" requires
10163 to allocate a buffer and copy the whole request into it, so it has memory and
10164 performance impacts. Requests not fitting in a single buffer will never be
10165 retried (see the global tune.bufsize setting).
10166
10167 You have to make sure the application has a replay protection mechanism built
10168 in such as a unique transaction IDs passed in requests, or that replaying the
10169 same request has no consequence, or it is very dangerous to use any retry-on
10170 value beside "conn-failure" and "none". Static file servers and caches are
10171 generally considered safe against any type of retry. Using a status code can
10172 be useful to quickly leave a server showing an abnormal behavior (out of
10173 memory, file system issues, etc), but in this case it may be a good idea to
10174 immediately redispatch the connection to another server (please see "option
10175 redispatch" for this). Last, it is important to understand that most causes
10176 of failures are the requests themselves and that retrying a request causing a
10177 server to misbehave will often make the situation even worse for this server,
10178 or for the whole service in case of redispatch.
10179
10180 Unless you know exactly how the application deals with replayed requests, you
10181 should not use this directive.
10182
10183 The default is "conn-failure".
10184
10185 See also: "retries", "option redispatch", "tune.bufsize"
10186
David du Colombier486df472011-03-17 10:40:26 +010010187server <name> <address>[:[port]] [param*]
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010188 Declare a server in a backend
10189 May be used in sections : defaults | frontend | listen | backend
10190 no | no | yes | yes
10191 Arguments :
10192 <name> is the internal name assigned to this server. This name will
Davor Ocelice9ed2812017-12-25 17:49:28 +010010193 appear in logs and alerts. If "http-send-name-header" is
Mark Lamourinec2247f02012-01-04 13:02:01 -050010194 set, it will be added to the request header sent to the server.
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010195
David du Colombier486df472011-03-17 10:40:26 +010010196 <address> is the IPv4 or IPv6 address of the server. Alternatively, a
10197 resolvable hostname is supported, but this name will be resolved
10198 during start-up. Address "0.0.0.0" or "*" has a special meaning.
10199 It indicates that the connection will be forwarded to the same IP
Willy Tarreaud669a4f2010-07-13 14:49:50 +020010200 address as the one from the client connection. This is useful in
10201 transparent proxy architectures where the client's connection is
Daniel Corbett9f0843f2021-05-08 10:50:37 -040010202 intercepted and HAProxy must forward to the original destination
Willy Tarreaud669a4f2010-07-13 14:49:50 +020010203 address. This is more or less what the "transparent" keyword does
10204 except that with a server it's possible to limit concurrency and
Willy Tarreau24709282013-03-10 21:32:12 +010010205 to report statistics. Optionally, an address family prefix may be
10206 used before the address to force the family regardless of the
10207 address format, which can be useful to specify a path to a unix
10208 socket with no slash ('/'). Currently supported prefixes are :
10209 - 'ipv4@' -> address is always IPv4
10210 - 'ipv6@' -> address is always IPv6
10211 - 'unix@' -> address is a path to a local unix socket
Willy Tarreauccfccef2014-05-10 01:49:15 +020010212 - 'abns@' -> address is in abstract namespace (Linux only)
William Lallemand2fe7dd02018-09-11 16:51:29 +020010213 - 'sockpair@' -> address is the FD of a connected unix
10214 socket or of a socketpair. During a connection, the
10215 backend creates a pair of connected sockets, and passes
10216 one of them over the FD. The bind part will use the
10217 received socket as the client FD. Should be used
10218 carefully.
William Lallemandb2f07452015-05-12 14:27:13 +020010219 You may want to reference some environment variables in the
10220 address parameter, see section 2.3 about environment
Willy Tarreau6a031d12016-11-07 19:42:35 +010010221 variables. The "init-addr" setting can be used to modify the way
10222 IP addresses should be resolved upon startup.
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010223
Willy Tarreaub6205fd2012-09-24 12:27:33 +020010224 <port> is an optional port specification. If set, all connections will
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010225 be sent to this port. If unset, the same port the client
10226 connected to will be used. The port may also be prefixed by a "+"
10227 or a "-". In this case, the server's port will be determined by
10228 adding this value to the client's port.
10229
10230 <param*> is a list of parameters for this server. The "server" keywords
10231 accepts an important number of options and has a complete section
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010232 dedicated to it. Please refer to section 5 for more details.
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010233
10234 Examples :
10235 server first 10.1.1.1:1080 cookie first check inter 1000
10236 server second 10.1.1.2:1080 cookie second check inter 1000
Willy Tarreau24709282013-03-10 21:32:12 +010010237 server transp ipv4@
William Lallemandb2f07452015-05-12 14:27:13 +020010238 server backup "${SRV_BACKUP}:1080" backup
10239 server www1_dc1 "${LAN_DC1}.101:80"
10240 server www1_dc2 "${LAN_DC2}.101:80"
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010241
Willy Tarreau55dcaf62015-09-27 15:03:15 +020010242 Note: regarding Linux's abstract namespace sockets, HAProxy uses the whole
10243 sun_path length is used for the address length. Some other programs
10244 such as socat use the string length only by default. Pass the option
10245 ",unix-tightsocklen=0" to any abstract socket definition in socat to
10246 make it compatible with HAProxy's.
10247
Mark Lamourinec2247f02012-01-04 13:02:01 -050010248 See also: "default-server", "http-send-name-header" and section 5 about
10249 server options
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010250
Christopher Faulet583b6de2021-02-12 09:27:10 +010010251server-state-file-name [ { use-backend-name | <file> } ]
Baptiste Assmann01c6cc32015-08-23 11:45:29 +020010252 Set the server state file to read, load and apply to servers available in
Christopher Faulet583b6de2021-02-12 09:27:10 +010010253 this backend.
10254 May be used in sections: defaults | frontend | listen | backend
10255 no | no | yes | yes
10256
10257 It only applies when the directive "load-server-state-from-file" is set to
10258 "local". When <file> is not provided, if "use-backend-name" is used or if
10259 this directive is not set, then backend name is used. If <file> starts with a
10260 slash '/', then it is considered as an absolute path. Otherwise, <file> is
10261 concatenated to the global directive "server-state-base".
Baptiste Assmann01c6cc32015-08-23 11:45:29 +020010262
10263 Example: the minimal configuration below would make HAProxy look for the
10264 state server file '/etc/haproxy/states/bk':
10265
10266 global
10267 server-state-file-base /etc/haproxy/states
10268
Willy Tarreauc9c6cdb2020-03-05 16:03:58 +010010269 backend bk
Baptiste Assmann01c6cc32015-08-23 11:45:29 +020010270 load-server-state-from-file
10271
Christopher Faulet583b6de2021-02-12 09:27:10 +010010272 See also: "server-state-base", "load-server-state-from-file", and
Baptiste Assmann01c6cc32015-08-23 11:45:29 +020010273 "show servers state"
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010274
Frédéric Lécaillecb4502e2017-04-20 13:36:25 +020010275server-template <prefix> <num | range> <fqdn>[:<port>] [params*]
10276 Set a template to initialize servers with shared parameters.
10277 The names of these servers are built from <prefix> and <num | range> parameters.
10278 May be used in sections : defaults | frontend | listen | backend
10279 no | no | yes | yes
10280
10281 Arguments:
10282 <prefix> A prefix for the server names to be built.
10283
10284 <num | range>
10285 If <num> is provided, this template initializes <num> servers
10286 with 1 up to <num> as server name suffixes. A range of numbers
10287 <num_low>-<num_high> may also be used to use <num_low> up to
10288 <num_high> as server name suffixes.
10289
10290 <fqdn> A FQDN for all the servers this template initializes.
10291
10292 <port> Same meaning as "server" <port> argument (see "server" keyword).
10293
10294 <params*>
10295 Remaining server parameters among all those supported by "server"
10296 keyword.
10297
10298 Examples:
10299 # Initializes 3 servers with srv1, srv2 and srv3 as names,
10300 # google.com as FQDN, and health-check enabled.
10301 server-template srv 1-3 google.com:80 check
10302
10303 # or
10304 server-template srv 3 google.com:80 check
10305
10306 # would be equivalent to:
10307 server srv1 google.com:80 check
10308 server srv2 google.com:80 check
10309 server srv3 google.com:80 check
10310
10311
10312
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010313source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +020010314source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreaud53f96b2009-02-04 18:46:54 +010010315source <addr>[:<port>] [interface <name>]
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010316 Set the source address for outgoing connections
10317 May be used in sections : defaults | frontend | listen | backend
10318 yes | no | yes | yes
10319 Arguments :
10320 <addr> is the IPv4 address HAProxy will bind to before connecting to a
10321 server. This address is also used as a source for health checks.
Willy Tarreau24709282013-03-10 21:32:12 +010010322
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010323 The default value of 0.0.0.0 means that the system will select
Willy Tarreau24709282013-03-10 21:32:12 +010010324 the most appropriate address to reach its destination. Optionally
10325 an address family prefix may be used before the address to force
10326 the family regardless of the address format, which can be useful
10327 to specify a path to a unix socket with no slash ('/'). Currently
10328 supported prefixes are :
10329 - 'ipv4@' -> address is always IPv4
10330 - 'ipv6@' -> address is always IPv6
10331 - 'unix@' -> address is a path to a local unix socket
Willy Tarreauccfccef2014-05-10 01:49:15 +020010332 - 'abns@' -> address is in abstract namespace (Linux only)
Cyril Bonté307ee1e2015-09-28 23:16:06 +020010333 You may want to reference some environment variables in the
10334 address parameter, see section 2.3 about environment variables.
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010335
10336 <port> is an optional port. It is normally not needed but may be useful
10337 in some very specific contexts. The default value of zero means
Willy Tarreauc6f4ce82009-06-10 11:09:37 +020010338 the system will select a free port. Note that port ranges are not
10339 supported in the backend. If you want to force port ranges, you
10340 have to specify them on each "server" line.
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010341
10342 <addr2> is the IP address to present to the server when connections are
10343 forwarded in full transparent proxy mode. This is currently only
10344 supported on some patched Linux kernels. When this address is
10345 specified, clients connecting to the server will be presented
10346 with this address, while health checks will still use the address
10347 <addr>.
10348
10349 <port2> is the optional port to present to the server when connections
10350 are forwarded in full transparent proxy mode (see <addr2> above).
10351 The default value of zero means the system will select a free
10352 port.
10353
Willy Tarreaubce70882009-09-07 11:51:47 +020010354 <hdr> is the name of a HTTP header in which to fetch the IP to bind to.
10355 This is the name of a comma-separated header list which can
10356 contain multiple IP addresses. By default, the last occurrence is
10357 used. This is designed to work with the X-Forwarded-For header
Baptiste Assmannea3e73b2013-02-02 23:47:49 +010010358 and to automatically bind to the client's IP address as seen
Willy Tarreaubce70882009-09-07 11:51:47 +020010359 by previous proxy, typically Stunnel. In order to use another
10360 occurrence from the last one, please see the <occ> parameter
10361 below. When the header (or occurrence) is not found, no binding
10362 is performed so that the proxy's default IP address is used. Also
10363 keep in mind that the header name is case insensitive, as for any
10364 HTTP header.
10365
10366 <occ> is the occurrence number of a value to be used in a multi-value
10367 header. This is to be used in conjunction with "hdr_ip(<hdr>)",
Jamie Gloudonaaa21002012-08-25 00:18:33 -040010368 in order to specify which occurrence to use for the source IP
Willy Tarreaubce70882009-09-07 11:51:47 +020010369 address. Positive values indicate a position from the first
10370 occurrence, 1 being the first one. Negative values indicate
10371 positions relative to the last one, -1 being the last one. This
10372 is helpful for situations where an X-Forwarded-For header is set
10373 at the entry point of an infrastructure and must be used several
10374 proxy layers away. When this value is not specified, -1 is
10375 assumed. Passing a zero here disables the feature.
10376
Willy Tarreaud53f96b2009-02-04 18:46:54 +010010377 <name> is an optional interface name to which to bind to for outgoing
10378 traffic. On systems supporting this features (currently, only
10379 Linux), this allows one to bind all traffic to the server to
10380 this interface even if it is not the one the system would select
10381 based on routing tables. This should be used with extreme care.
10382 Note that using this option requires root privileges.
10383
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010384 The "source" keyword is useful in complex environments where a specific
10385 address only is allowed to connect to the servers. It may be needed when a
10386 private address must be used through a public gateway for instance, and it is
10387 known that the system cannot determine the adequate source address by itself.
10388
10389 An extension which is available on certain patched Linux kernels may be used
10390 through the "usesrc" optional keyword. It makes it possible to connect to the
10391 servers with an IP address which does not belong to the system itself. This
10392 is called "full transparent proxy mode". For this to work, the destination
10393 servers have to route their traffic back to this address through the machine
10394 running HAProxy, and IP forwarding must generally be enabled on this machine.
10395
10396 In this "full transparent proxy" mode, it is possible to force a specific IP
10397 address to be presented to the servers. This is not much used in fact. A more
10398 common use is to tell HAProxy to present the client's IP address. For this,
10399 there are two methods :
10400
10401 - present the client's IP and port addresses. This is the most transparent
10402 mode, but it can cause problems when IP connection tracking is enabled on
10403 the machine, because a same connection may be seen twice with different
10404 states. However, this solution presents the huge advantage of not
10405 limiting the system to the 64k outgoing address+port couples, because all
10406 of the client ranges may be used.
10407
10408 - present only the client's IP address and select a spare port. This
10409 solution is still quite elegant but slightly less transparent (downstream
10410 firewalls logs will not match upstream's). It also presents the downside
10411 of limiting the number of concurrent connections to the usual 64k ports.
10412 However, since the upstream and downstream ports are different, local IP
10413 connection tracking on the machine will not be upset by the reuse of the
10414 same session.
10415
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010416 This option sets the default source for all servers in the backend. It may
10417 also be specified in a "defaults" section. Finer source address specification
10418 is possible at the server level using the "source" server option. Refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010419 section 5 for more information.
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010420
Baptiste Assmann91bd3372015-07-17 21:59:42 +020010421 In order to work, "usesrc" requires root privileges.
10422
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010423 Examples :
10424 backend private
10425 # Connect to the servers using our 192.168.1.200 source address
10426 source 192.168.1.200
10427
10428 backend transparent_ssl1
10429 # Connect to the SSL farm from the client's source address
10430 source 192.168.1.200 usesrc clientip
10431
10432 backend transparent_ssl2
10433 # Connect to the SSL farm from the client's source address and port
10434 # not recommended if IP conntrack is present on the local machine.
10435 source 192.168.1.200 usesrc client
10436
10437 backend transparent_ssl3
10438 # Connect to the SSL farm from the client's source address. It
10439 # is more conntrack-friendly.
10440 source 192.168.1.200 usesrc clientip
10441
10442 backend transparent_smtp
10443 # Connect to the SMTP farm from the client's source address/port
10444 # with Tproxy version 4.
10445 source 0.0.0.0 usesrc clientip
10446
Willy Tarreaubce70882009-09-07 11:51:47 +020010447 backend transparent_http
10448 # Connect to the servers using the client's IP as seen by previous
10449 # proxy.
10450 source 0.0.0.0 usesrc hdr_ip(x-forwarded-for,-1)
10451
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010452 See also : the "source" server option in section 5, the Tproxy patches for
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010453 the Linux kernel on www.balabit.com, the "bind" keyword.
10454
Willy Tarreau844e3c52008-01-11 16:28:18 +010010455
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +090010456srvtcpka-cnt <count>
10457 Sets the maximum number of keepalive probes TCP should send before dropping
10458 the connection on the server side.
10459 May be used in sections : defaults | frontend | listen | backend
10460 yes | no | yes | yes
10461 Arguments :
10462 <count> is the maximum number of keepalive probes.
10463
10464 This keyword corresponds to the socket option TCP_KEEPCNT. If this keyword
10465 is not specified, system-wide TCP parameter (tcp_keepalive_probes) is used.
Willy Tarreau52543212020-07-09 05:58:51 +020010466 The availability of this setting depends on the operating system. It is
10467 known to work on Linux.
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +090010468
10469 See also : "option srvtcpka", "srvtcpka-idle", "srvtcpka-intvl".
10470
10471
10472srvtcpka-idle <timeout>
10473 Sets the time the connection needs to remain idle before TCP starts sending
10474 keepalive probes, if enabled the sending of TCP keepalive packets on the
10475 server side.
10476 May be used in sections : defaults | frontend | listen | backend
10477 yes | no | yes | yes
10478 Arguments :
10479 <timeout> is the time the connection needs to remain idle before TCP starts
10480 sending keepalive probes. It is specified in seconds by default,
10481 but can be in any other unit if the number is suffixed by the
10482 unit, as explained at the top of this document.
10483
10484 This keyword corresponds to the socket option TCP_KEEPIDLE. If this keyword
10485 is not specified, system-wide TCP parameter (tcp_keepalive_time) is used.
Willy Tarreau52543212020-07-09 05:58:51 +020010486 The availability of this setting depends on the operating system. It is
10487 known to work on Linux.
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +090010488
10489 See also : "option srvtcpka", "srvtcpka-cnt", "srvtcpka-intvl".
10490
10491
10492srvtcpka-intvl <timeout>
10493 Sets the time between individual keepalive probes on the server side.
10494 May be used in sections : defaults | frontend | listen | backend
10495 yes | no | yes | yes
10496 Arguments :
10497 <timeout> is the time between individual keepalive probes. It is specified
10498 in seconds by default, but can be in any other unit if the number
10499 is suffixed by the unit, as explained at the top of this
10500 document.
10501
10502 This keyword corresponds to the socket option TCP_KEEPINTVL. If this keyword
10503 is not specified, system-wide TCP parameter (tcp_keepalive_intvl) is used.
Willy Tarreau52543212020-07-09 05:58:51 +020010504 The availability of this setting depends on the operating system. It is
10505 known to work on Linux.
MIZUTA Takeshib24bc0d2020-07-09 11:13:20 +090010506
10507 See also : "option srvtcpka", "srvtcpka-cnt", "srvtcpka-idle".
10508
10509
Cyril Bonté66c327d2010-10-12 00:14:37 +020010510stats admin { if | unless } <cond>
10511 Enable statistics admin level if/unless a condition is matched
10512 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +020010513 no | yes | yes | yes
Cyril Bonté66c327d2010-10-12 00:14:37 +020010514
10515 This statement enables the statistics admin level if/unless a condition is
10516 matched.
10517
10518 The admin level allows to enable/disable servers from the web interface. By
10519 default, statistics page is read-only for security reasons.
10520
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010010521 Note : Consider not using this feature in multi-process mode (nbproc > 1)
10522 unless you know what you do : memory is not shared between the
Davor Ocelice9ed2812017-12-25 17:49:28 +010010523 processes, which can result in random behaviors.
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010010524
Cyril Bonté23b39d92011-02-10 22:54:44 +010010525 Currently, the POST request is limited to the buffer size minus the reserved
10526 buffer space, which means that if the list of servers is too long, the
10527 request won't be processed. It is recommended to alter few servers at a
10528 time.
Cyril Bonté66c327d2010-10-12 00:14:37 +020010529
10530 Example :
10531 # statistics admin level only for localhost
10532 backend stats_localhost
10533 stats enable
10534 stats admin if LOCALHOST
10535
10536 Example :
10537 # statistics admin level always enabled because of the authentication
10538 backend stats_auth
10539 stats enable
10540 stats auth admin:AdMiN123
10541 stats admin if TRUE
10542
10543 Example :
10544 # statistics admin level depends on the authenticated user
10545 userlist stats-auth
10546 group admin users admin
10547 user admin insecure-password AdMiN123
10548 group readonly users haproxy
10549 user haproxy insecure-password haproxy
10550
10551 backend stats_auth
10552 stats enable
10553 acl AUTH http_auth(stats-auth)
10554 acl AUTH_ADMIN http_auth_group(stats-auth) admin
10555 stats http-request auth unless AUTH
10556 stats admin if AUTH_ADMIN
10557
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010010558 See also : "stats enable", "stats auth", "stats http-request", "nbproc",
10559 "bind-process", section 3.4 about userlists and section 7 about
10560 ACL usage.
Cyril Bonté66c327d2010-10-12 00:14:37 +020010561
10562
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010563stats auth <user>:<passwd>
10564 Enable statistics with authentication and grant access to an account
10565 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +020010566 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010567 Arguments :
10568 <user> is a user name to grant access to
10569
10570 <passwd> is the cleartext password associated to this user
10571
10572 This statement enables statistics with default settings, and restricts access
10573 to declared users only. It may be repeated as many times as necessary to
10574 allow as many users as desired. When a user tries to access the statistics
10575 without a valid account, a "401 Forbidden" response will be returned so that
10576 the browser asks the user to provide a valid user and password. The real
10577 which will be returned to the browser is configurable using "stats realm".
10578
10579 Since the authentication method is HTTP Basic Authentication, the passwords
10580 circulate in cleartext on the network. Thus, it was decided that the
10581 configuration file would also use cleartext passwords to remind the users
Willy Tarreau3c92c5f2011-08-28 09:45:47 +020010582 that those ones should not be sensitive and not shared with any other account.
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010583
10584 It is also possible to reduce the scope of the proxies which appear in the
10585 report using "stats scope".
10586
10587 Though this statement alone is enough to enable statistics reporting, it is
10588 recommended to set all other settings in order to avoid relying on default
10589 unobvious parameters.
10590
10591 Example :
10592 # public access (limited to this backend only)
10593 backend public_www
10594 server srv1 192.168.0.1:80
10595 stats enable
10596 stats hide-version
10597 stats scope .
10598 stats uri /admin?stats
Davor Ocelice9ed2812017-12-25 17:49:28 +010010599 stats realm HAProxy\ Statistics
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010600 stats auth admin1:AdMiN123
10601 stats auth admin2:AdMiN321
10602
10603 # internal monitoring access (unlimited)
10604 backend private_monitoring
10605 stats enable
10606 stats uri /admin?stats
10607 stats refresh 5s
10608
10609 See also : "stats enable", "stats realm", "stats scope", "stats uri"
10610
10611
10612stats enable
10613 Enable statistics reporting with default settings
10614 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +020010615 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010616 Arguments : none
10617
10618 This statement enables statistics reporting with default settings defined
10619 at build time. Unless stated otherwise, these settings are used :
10620 - stats uri : /haproxy?stats
10621 - stats realm : "HAProxy Statistics"
10622 - stats auth : no authentication
10623 - stats scope : no restriction
10624
10625 Though this statement alone is enough to enable statistics reporting, it is
10626 recommended to set all other settings in order to avoid relying on default
10627 unobvious parameters.
10628
10629 Example :
10630 # public access (limited to this backend only)
10631 backend public_www
10632 server srv1 192.168.0.1:80
10633 stats enable
10634 stats hide-version
10635 stats scope .
10636 stats uri /admin?stats
Davor Ocelice9ed2812017-12-25 17:49:28 +010010637 stats realm HAProxy\ Statistics
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010638 stats auth admin1:AdMiN123
10639 stats auth admin2:AdMiN321
10640
10641 # internal monitoring access (unlimited)
10642 backend private_monitoring
10643 stats enable
10644 stats uri /admin?stats
10645 stats refresh 5s
10646
10647 See also : "stats auth", "stats realm", "stats uri"
10648
10649
Willy Tarreaud63335a2010-02-26 12:56:52 +010010650stats hide-version
10651 Enable statistics and hide HAProxy version reporting
Willy Tarreau1d45b7c2009-08-16 10:29:18 +020010652 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +020010653 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +010010654 Arguments : none
Willy Tarreau1d45b7c2009-08-16 10:29:18 +020010655
Willy Tarreaud63335a2010-02-26 12:56:52 +010010656 By default, the stats page reports some useful status information along with
10657 the statistics. Among them is HAProxy's version. However, it is generally
10658 considered dangerous to report precise version to anyone, as it can help them
10659 target known weaknesses with specific attacks. The "stats hide-version"
10660 statement removes the version from the statistics report. This is recommended
10661 for public sites or any site with a weak login/password.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +020010662
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +020010663 Though this statement alone is enough to enable statistics reporting, it is
10664 recommended to set all other settings in order to avoid relying on default
10665 unobvious parameters.
10666
Willy Tarreaud63335a2010-02-26 12:56:52 +010010667 Example :
10668 # public access (limited to this backend only)
10669 backend public_www
10670 server srv1 192.168.0.1:80
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +020010671 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +010010672 stats hide-version
10673 stats scope .
10674 stats uri /admin?stats
Davor Ocelice9ed2812017-12-25 17:49:28 +010010675 stats realm HAProxy\ Statistics
Willy Tarreaud63335a2010-02-26 12:56:52 +010010676 stats auth admin1:AdMiN123
10677 stats auth admin2:AdMiN321
Willy Tarreau1d45b7c2009-08-16 10:29:18 +020010678
Willy Tarreau1d45b7c2009-08-16 10:29:18 +020010679 # internal monitoring access (unlimited)
10680 backend private_monitoring
10681 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +010010682 stats uri /admin?stats
10683 stats refresh 5s
Krzysztof Piotr Oledzki15514c22010-01-04 16:03:09 +010010684
Willy Tarreaud63335a2010-02-26 12:56:52 +010010685 See also : "stats auth", "stats enable", "stats realm", "stats uri"
Willy Tarreau1d45b7c2009-08-16 10:29:18 +020010686
Willy Tarreau983e01e2010-01-11 18:42:06 +010010687
Cyril Bonté2be1b3f2010-09-30 23:46:30 +020010688stats http-request { allow | deny | auth [realm <realm>] }
10689 [ { if | unless } <condition> ]
10690 Access control for statistics
10691
10692 May be used in sections: defaults | frontend | listen | backend
10693 no | no | yes | yes
10694
10695 As "http-request", these set of options allow to fine control access to
10696 statistics. Each option may be followed by if/unless and acl.
10697 First option with matched condition (or option without condition) is final.
10698 For "deny" a 403 error will be returned, for "allow" normal processing is
10699 performed, for "auth" a 401/407 error code is returned so the client
10700 should be asked to enter a username and password.
10701
10702 There is no fixed limit to the number of http-request statements per
10703 instance.
10704
10705 See also : "http-request", section 3.4 about userlists and section 7
10706 about ACL usage.
10707
10708
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010709stats realm <realm>
10710 Enable statistics and set authentication realm
10711 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +020010712 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010713 Arguments :
10714 <realm> is the name of the HTTP Basic Authentication realm reported to
10715 the browser. The browser uses it to display it in the pop-up
10716 inviting the user to enter a valid username and password.
10717
10718 The realm is read as a single word, so any spaces in it should be escaped
10719 using a backslash ('\').
10720
10721 This statement is useful only in conjunction with "stats auth" since it is
10722 only related to authentication.
10723
10724 Though this statement alone is enough to enable statistics reporting, it is
10725 recommended to set all other settings in order to avoid relying on default
10726 unobvious parameters.
10727
10728 Example :
10729 # public access (limited to this backend only)
10730 backend public_www
10731 server srv1 192.168.0.1:80
10732 stats enable
10733 stats hide-version
10734 stats scope .
10735 stats uri /admin?stats
Davor Ocelice9ed2812017-12-25 17:49:28 +010010736 stats realm HAProxy\ Statistics
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010737 stats auth admin1:AdMiN123
10738 stats auth admin2:AdMiN321
10739
10740 # internal monitoring access (unlimited)
10741 backend private_monitoring
10742 stats enable
10743 stats uri /admin?stats
10744 stats refresh 5s
10745
10746 See also : "stats auth", "stats enable", "stats uri"
10747
10748
10749stats refresh <delay>
10750 Enable statistics with automatic refresh
10751 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +020010752 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010753 Arguments :
10754 <delay> is the suggested refresh delay, specified in seconds, which will
10755 be returned to the browser consulting the report page. While the
10756 browser is free to apply any delay, it will generally respect it
10757 and refresh the page this every seconds. The refresh interval may
10758 be specified in any other non-default time unit, by suffixing the
10759 unit after the value, as explained at the top of this document.
10760
10761 This statement is useful on monitoring displays with a permanent page
10762 reporting the load balancer's activity. When set, the HTML report page will
10763 include a link "refresh"/"stop refresh" so that the user can select whether
Jackie Tapia749f74c2020-07-22 18:59:40 -050010764 they want automatic refresh of the page or not.
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010765
10766 Though this statement alone is enough to enable statistics reporting, it is
10767 recommended to set all other settings in order to avoid relying on default
10768 unobvious parameters.
10769
10770 Example :
10771 # public access (limited to this backend only)
10772 backend public_www
10773 server srv1 192.168.0.1:80
10774 stats enable
10775 stats hide-version
10776 stats scope .
10777 stats uri /admin?stats
Davor Ocelice9ed2812017-12-25 17:49:28 +010010778 stats realm HAProxy\ Statistics
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010779 stats auth admin1:AdMiN123
10780 stats auth admin2:AdMiN321
10781
10782 # internal monitoring access (unlimited)
10783 backend private_monitoring
10784 stats enable
10785 stats uri /admin?stats
10786 stats refresh 5s
10787
10788 See also : "stats auth", "stats enable", "stats realm", "stats uri"
10789
10790
10791stats scope { <name> | "." }
10792 Enable statistics and limit access scope
10793 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +020010794 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010795 Arguments :
10796 <name> is the name of a listen, frontend or backend section to be
10797 reported. The special name "." (a single dot) designates the
10798 section in which the statement appears.
10799
10800 When this statement is specified, only the sections enumerated with this
10801 statement will appear in the report. All other ones will be hidden. This
10802 statement may appear as many times as needed if multiple sections need to be
10803 reported. Please note that the name checking is performed as simple string
10804 comparisons, and that it is never checked that a give section name really
10805 exists.
10806
10807 Though this statement alone is enough to enable statistics reporting, it is
10808 recommended to set all other settings in order to avoid relying on default
10809 unobvious parameters.
10810
10811 Example :
10812 # public access (limited to this backend only)
10813 backend public_www
10814 server srv1 192.168.0.1:80
10815 stats enable
10816 stats hide-version
10817 stats scope .
10818 stats uri /admin?stats
Davor Ocelice9ed2812017-12-25 17:49:28 +010010819 stats realm HAProxy\ Statistics
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010820 stats auth admin1:AdMiN123
10821 stats auth admin2:AdMiN321
10822
10823 # internal monitoring access (unlimited)
10824 backend private_monitoring
10825 stats enable
10826 stats uri /admin?stats
10827 stats refresh 5s
10828
10829 See also : "stats auth", "stats enable", "stats realm", "stats uri"
10830
Willy Tarreaud63335a2010-02-26 12:56:52 +010010831
Willy Tarreauc9705a12010-07-27 20:05:50 +020010832stats show-desc [ <desc> ]
Willy Tarreaud63335a2010-02-26 12:56:52 +010010833 Enable reporting of a description on the statistics page.
10834 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +020010835 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +010010836
Willy Tarreauc9705a12010-07-27 20:05:50 +020010837 <desc> is an optional description to be reported. If unspecified, the
Willy Tarreaud63335a2010-02-26 12:56:52 +010010838 description from global section is automatically used instead.
10839
10840 This statement is useful for users that offer shared services to their
10841 customers, where node or description should be different for each customer.
10842
10843 Though this statement alone is enough to enable statistics reporting, it is
10844 recommended to set all other settings in order to avoid relying on default
Davor Ocelice9ed2812017-12-25 17:49:28 +010010845 unobvious parameters. By default description is not shown.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010846
10847 Example :
10848 # internal monitoring access (unlimited)
10849 backend private_monitoring
10850 stats enable
10851 stats show-desc Master node for Europe, Asia, Africa
10852 stats uri /admin?stats
10853 stats refresh 5s
10854
10855 See also: "show-node", "stats enable", "stats uri" and "description" in
10856 global section.
10857
10858
10859stats show-legends
Willy Tarreaued2119c2014-04-24 22:10:39 +020010860 Enable reporting additional information on the statistics page
10861 May be used in sections : defaults | frontend | listen | backend
10862 yes | yes | yes | yes
10863 Arguments : none
10864
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030010865 Enable reporting additional information on the statistics page :
Willy Tarreaud63335a2010-02-26 12:56:52 +010010866 - cap: capabilities (proxy)
10867 - mode: one of tcp, http or health (proxy)
10868 - id: SNMP ID (proxy, socket, server)
10869 - IP (socket, server)
10870 - cookie (backend, server)
10871
10872 Though this statement alone is enough to enable statistics reporting, it is
10873 recommended to set all other settings in order to avoid relying on default
Davor Ocelice9ed2812017-12-25 17:49:28 +010010874 unobvious parameters. Default behavior is not to show this information.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010875
10876 See also: "stats enable", "stats uri".
10877
10878
Amaury Denoyelle0b70a8a2020-10-05 11:49:45 +020010879stats show-modules
10880 Enable display of extra statistics module on the statistics page
10881 May be used in sections : defaults | frontend | listen | backend
10882 yes | yes | yes | yes
10883 Arguments : none
10884
10885 New columns are added at the end of the line containing the extra statistics
10886 values as a tooltip.
10887
10888 Though this statement alone is enough to enable statistics reporting, it is
10889 recommended to set all other settings in order to avoid relying on default
10890 unobvious parameters. Default behavior is not to show this information.
10891
10892 See also: "stats enable", "stats uri".
10893
10894
Willy Tarreaud63335a2010-02-26 12:56:52 +010010895stats show-node [ <name> ]
10896 Enable reporting of a host name on the statistics page.
10897 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +020010898 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +010010899 Arguments:
10900 <name> is an optional name to be reported. If unspecified, the
10901 node name from global section is automatically used instead.
10902
10903 This statement is useful for users that offer shared services to their
10904 customers, where node or description might be different on a stats page
Davor Ocelice9ed2812017-12-25 17:49:28 +010010905 provided for each customer. Default behavior is not to show host name.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010906
10907 Though this statement alone is enough to enable statistics reporting, it is
10908 recommended to set all other settings in order to avoid relying on default
10909 unobvious parameters.
10910
10911 Example:
10912 # internal monitoring access (unlimited)
10913 backend private_monitoring
10914 stats enable
10915 stats show-node Europe-1
10916 stats uri /admin?stats
10917 stats refresh 5s
10918
10919 See also: "show-desc", "stats enable", "stats uri", and "node" in global
10920 section.
10921
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010922
10923stats uri <prefix>
10924 Enable statistics and define the URI prefix to access them
10925 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +020010926 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010927 Arguments :
10928 <prefix> is the prefix of any URI which will be redirected to stats. This
10929 prefix may contain a question mark ('?') to indicate part of a
10930 query string.
10931
10932 The statistics URI is intercepted on the relayed traffic, so it appears as a
10933 page within the normal application. It is strongly advised to ensure that the
10934 selected URI will never appear in the application, otherwise it will never be
10935 possible to reach it in the application.
10936
Daniel Corbett9f0843f2021-05-08 10:50:37 -040010937 The default URI compiled in HAProxy is "/haproxy?stats", but this may be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010010938 changed at build time, so it's better to always explicitly specify it here.
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010939 It is generally a good idea to include a question mark in the URI so that
10940 intermediate proxies refrain from caching the results. Also, since any string
10941 beginning with the prefix will be accepted as a stats request, the question
10942 mark helps ensuring that no valid URI will begin with the same words.
10943
10944 It is sometimes very convenient to use "/" as the URI prefix, and put that
10945 statement in a "listen" instance of its own. That makes it easy to dedicate
10946 an address or a port to statistics only.
10947
10948 Though this statement alone is enough to enable statistics reporting, it is
10949 recommended to set all other settings in order to avoid relying on default
10950 unobvious parameters.
10951
10952 Example :
10953 # public access (limited to this backend only)
10954 backend public_www
10955 server srv1 192.168.0.1:80
10956 stats enable
10957 stats hide-version
10958 stats scope .
10959 stats uri /admin?stats
Davor Ocelice9ed2812017-12-25 17:49:28 +010010960 stats realm HAProxy\ Statistics
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010961 stats auth admin1:AdMiN123
10962 stats auth admin2:AdMiN321
10963
10964 # internal monitoring access (unlimited)
10965 backend private_monitoring
10966 stats enable
10967 stats uri /admin?stats
10968 stats refresh 5s
10969
10970 See also : "stats auth", "stats enable", "stats realm"
10971
10972
Willy Tarreaud63335a2010-02-26 12:56:52 +010010973stick match <pattern> [table <table>] [{if | unless} <cond>]
10974 Define a request pattern matching condition to stick a user to a server
Willy Tarreaueabeafa2008-01-16 16:17:06 +010010975 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaud63335a2010-02-26 12:56:52 +010010976 no | no | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010977
10978 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +020010979 <pattern> is a sample expression rule as described in section 7.3. It
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010980 describes what elements of the incoming request or connection
Davor Ocelice9ed2812017-12-25 17:49:28 +010010981 will be analyzed in the hope to find a matching entry in a
Willy Tarreaub937b7e2010-01-12 15:27:54 +010010982 stickiness table. This rule is mandatory.
10983
10984 <table> is an optional stickiness table name. If unspecified, the same
10985 backend's table is used. A stickiness table is declared using
10986 the "stick-table" statement.
10987
10988 <cond> is an optional matching condition. It makes it possible to match
10989 on a certain criterion only when other conditions are met (or
10990 not met). For instance, it could be used to match on a source IP
10991 address except when a request passes through a known proxy, in
10992 which case we'd match on a header containing that IP address.
10993
10994 Some protocols or applications require complex stickiness rules and cannot
10995 always simply rely on cookies nor hashing. The "stick match" statement
10996 describes a rule to extract the stickiness criterion from an incoming request
10997 or connection. See section 7 for a complete list of possible patterns and
10998 transformation rules.
10999
11000 The table has to be declared using the "stick-table" statement. It must be of
11001 a type compatible with the pattern. By default it is the one which is present
11002 in the same backend. It is possible to share a table with other backends by
11003 referencing it using the "table" keyword. If another table is referenced,
11004 the server's ID inside the backends are used. By default, all server IDs
11005 start at 1 in each backend, so the server ordering is enough. But in case of
11006 doubt, it is highly recommended to force server IDs using their "id" setting.
11007
11008 It is possible to restrict the conditions where a "stick match" statement
11009 will apply, using "if" or "unless" followed by a condition. See section 7 for
11010 ACL based conditions.
11011
11012 There is no limit on the number of "stick match" statements. The first that
11013 applies and matches will cause the request to be directed to the same server
11014 as was used for the request which created the entry. That way, multiple
11015 matches can be used as fallbacks.
11016
11017 The stick rules are checked after the persistence cookies, so they will not
11018 affect stickiness if a cookie has already been used to select a server. That
11019 way, it becomes very easy to insert cookies and match on IP addresses in
11020 order to maintain stickiness between HTTP and HTTPS.
11021
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010011022 Note : Consider not using this feature in multi-process mode (nbproc > 1)
11023 unless you know what you do : memory is not shared between the
Davor Ocelice9ed2812017-12-25 17:49:28 +010011024 processes, which can result in random behaviors.
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010011025
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011026 Example :
11027 # forward SMTP users to the same server they just used for POP in the
11028 # last 30 minutes
11029 backend pop
11030 mode tcp
11031 balance roundrobin
11032 stick store-request src
11033 stick-table type ip size 200k expire 30m
11034 server s1 192.168.1.1:110
11035 server s2 192.168.1.1:110
11036
11037 backend smtp
11038 mode tcp
11039 balance roundrobin
11040 stick match src table pop
11041 server s1 192.168.1.1:25
11042 server s2 192.168.1.1:25
11043
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010011044 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
Willy Tarreaube722a22014-06-13 16:31:59 +020011045 about ACLs and samples fetching.
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011046
11047
11048stick on <pattern> [table <table>] [{if | unless} <condition>]
11049 Define a request pattern to associate a user to a server
11050 May be used in sections : defaults | frontend | listen | backend
11051 no | no | yes | yes
11052
11053 Note : This form is exactly equivalent to "stick match" followed by
11054 "stick store-request", all with the same arguments. Please refer
11055 to both keywords for details. It is only provided as a convenience
11056 for writing more maintainable configurations.
11057
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010011058 Note : Consider not using this feature in multi-process mode (nbproc > 1)
11059 unless you know what you do : memory is not shared between the
Davor Ocelice9ed2812017-12-25 17:49:28 +010011060 processes, which can result in random behaviors.
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010011061
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011062 Examples :
11063 # The following form ...
Willy Tarreauec579d82010-02-26 19:15:04 +010011064 stick on src table pop if !localhost
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011065
11066 # ...is strictly equivalent to this one :
11067 stick match src table pop if !localhost
11068 stick store-request src table pop if !localhost
11069
11070
11071 # Use cookie persistence for HTTP, and stick on source address for HTTPS as
11072 # well as HTTP without cookie. Share the same table between both accesses.
11073 backend http
11074 mode http
11075 balance roundrobin
11076 stick on src table https
11077 cookie SRV insert indirect nocache
11078 server s1 192.168.1.1:80 cookie s1
11079 server s2 192.168.1.1:80 cookie s2
11080
11081 backend https
11082 mode tcp
11083 balance roundrobin
11084 stick-table type ip size 200k expire 30m
11085 stick on src
11086 server s1 192.168.1.1:443
11087 server s2 192.168.1.1:443
11088
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010011089 See also : "stick match", "stick store-request", "nbproc" and "bind-process".
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011090
11091
11092stick store-request <pattern> [table <table>] [{if | unless} <condition>]
11093 Define a request pattern used to create an entry in a stickiness table
11094 May be used in sections : defaults | frontend | listen | backend
11095 no | no | yes | yes
11096
11097 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +020011098 <pattern> is a sample expression rule as described in section 7.3. It
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011099 describes what elements of the incoming request or connection
Davor Ocelice9ed2812017-12-25 17:49:28 +010011100 will be analyzed, extracted and stored in the table once a
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011101 server is selected.
11102
11103 <table> is an optional stickiness table name. If unspecified, the same
11104 backend's table is used. A stickiness table is declared using
11105 the "stick-table" statement.
11106
11107 <cond> is an optional storage condition. It makes it possible to store
11108 certain criteria only when some conditions are met (or not met).
11109 For instance, it could be used to store the source IP address
11110 except when the request passes through a known proxy, in which
11111 case we'd store a converted form of a header containing that IP
11112 address.
11113
11114 Some protocols or applications require complex stickiness rules and cannot
11115 always simply rely on cookies nor hashing. The "stick store-request" statement
11116 describes a rule to decide what to extract from the request and when to do
11117 it, in order to store it into a stickiness table for further requests to
11118 match it using the "stick match" statement. Obviously the extracted part must
11119 make sense and have a chance to be matched in a further request. Storing a
11120 client's IP address for instance often makes sense. Storing an ID found in a
11121 URL parameter also makes sense. Storing a source port will almost never make
11122 any sense because it will be randomly matched. See section 7 for a complete
11123 list of possible patterns and transformation rules.
11124
11125 The table has to be declared using the "stick-table" statement. It must be of
11126 a type compatible with the pattern. By default it is the one which is present
11127 in the same backend. It is possible to share a table with other backends by
11128 referencing it using the "table" keyword. If another table is referenced,
11129 the server's ID inside the backends are used. By default, all server IDs
11130 start at 1 in each backend, so the server ordering is enough. But in case of
11131 doubt, it is highly recommended to force server IDs using their "id" setting.
11132
11133 It is possible to restrict the conditions where a "stick store-request"
11134 statement will apply, using "if" or "unless" followed by a condition. This
11135 condition will be evaluated while parsing the request, so any criteria can be
11136 used. See section 7 for ACL based conditions.
11137
11138 There is no limit on the number of "stick store-request" statements, but
11139 there is a limit of 8 simultaneous stores per request or response. This
11140 makes it possible to store up to 8 criteria, all extracted from either the
11141 request or the response, regardless of the number of rules. Only the 8 first
11142 ones which match will be kept. Using this, it is possible to feed multiple
11143 tables at once in the hope to increase the chance to recognize a user on
Willy Tarreau9667a802013-12-09 12:52:13 +010011144 another protocol or access method. Using multiple store-request rules with
11145 the same table is possible and may be used to find the best criterion to rely
11146 on, by arranging the rules by decreasing preference order. Only the first
11147 extracted criterion for a given table will be stored. All subsequent store-
11148 request rules referencing the same table will be skipped and their ACLs will
11149 not be evaluated.
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011150
11151 The "store-request" rules are evaluated once the server connection has been
11152 established, so that the table will contain the real server that processed
11153 the request.
11154
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010011155 Note : Consider not using this feature in multi-process mode (nbproc > 1)
11156 unless you know what you do : memory is not shared between the
Davor Ocelice9ed2812017-12-25 17:49:28 +010011157 processes, which can result in random behaviors.
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010011158
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011159 Example :
11160 # forward SMTP users to the same server they just used for POP in the
11161 # last 30 minutes
11162 backend pop
11163 mode tcp
11164 balance roundrobin
11165 stick store-request src
11166 stick-table type ip size 200k expire 30m
11167 server s1 192.168.1.1:110
11168 server s2 192.168.1.1:110
11169
11170 backend smtp
11171 mode tcp
11172 balance roundrobin
11173 stick match src table pop
11174 server s1 192.168.1.1:25
11175 server s2 192.168.1.1:25
11176
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010011177 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
Willy Tarreaube722a22014-06-13 16:31:59 +020011178 about ACLs and sample fetching.
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011179
11180
Emeric Brun7c6b82e2010-09-24 16:34:28 +020011181stick-table type {ip | integer | string [len <length>] | binary [len <length>]}
Thayne McCombs92149f92020-11-20 01:28:26 -070011182 size <size> [expire <expire>] [nopurge] [peers <peersect>] [srvkey <srvkey>]
Emeric Brunf099e792010-09-27 12:05:28 +020011183 [store <data_type>]*
Godbach64cef792013-12-04 16:08:22 +080011184 Configure the stickiness table for the current section
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011185 May be used in sections : defaults | frontend | listen | backend
Willy Tarreauc00cdc22010-06-06 16:48:26 +020011186 no | yes | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011187
11188 Arguments :
11189 ip a table declared with "type ip" will only store IPv4 addresses.
11190 This form is very compact (about 50 bytes per entry) and allows
11191 very fast entry lookup and stores with almost no overhead. This
11192 is mainly used to store client source IP addresses.
11193
David du Colombier9a6d3c92011-03-17 10:40:24 +010011194 ipv6 a table declared with "type ipv6" will only store IPv6 addresses.
11195 This form is very compact (about 60 bytes per entry) and allows
11196 very fast entry lookup and stores with almost no overhead. This
11197 is mainly used to store client source IP addresses.
11198
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011199 integer a table declared with "type integer" will store 32bit integers
11200 which can represent a client identifier found in a request for
11201 instance.
11202
11203 string a table declared with "type string" will store substrings of up
11204 to <len> characters. If the string provided by the pattern
11205 extractor is larger than <len>, it will be truncated before
11206 being stored. During matching, at most <len> characters will be
11207 compared between the string in the table and the extracted
11208 pattern. When not specified, the string is automatically limited
Emeric Brun7c6b82e2010-09-24 16:34:28 +020011209 to 32 characters.
11210
11211 binary a table declared with "type binary" will store binary blocks
11212 of <len> bytes. If the block provided by the pattern
11213 extractor is larger than <len>, it will be truncated before
Willy Tarreaube722a22014-06-13 16:31:59 +020011214 being stored. If the block provided by the sample expression
Emeric Brun7c6b82e2010-09-24 16:34:28 +020011215 is shorter than <len>, it will be padded by 0. When not
11216 specified, the block is automatically limited to 32 bytes.
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011217
11218 <length> is the maximum number of characters that will be stored in a
Emeric Brun7c6b82e2010-09-24 16:34:28 +020011219 "string" type table (See type "string" above). Or the number
11220 of bytes of the block in "binary" type table. Be careful when
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011221 changing this parameter as memory usage will proportionally
11222 increase.
11223
11224 <size> is the maximum number of entries that can fit in the table. This
Cyril Bonté78caf842010-03-10 22:41:43 +010011225 value directly impacts memory usage. Count approximately
11226 50 bytes per entry, plus the size of a string if any. The size
11227 supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011228
11229 [nopurge] indicates that we refuse to purge older entries when the table
Daniel Corbett9f0843f2021-05-08 10:50:37 -040011230 is full. When not specified and the table is full when HAProxy
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011231 wants to store an entry in it, it will flush a few of the oldest
11232 entries in order to release some space for the new ones. This is
Davor Ocelice9ed2812017-12-25 17:49:28 +010011233 most often the desired behavior. In some specific cases, it
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011234 be desirable to refuse new entries instead of purging the older
11235 ones. That may be the case when the amount of data to store is
11236 far above the hardware limits and we prefer not to offer access
11237 to new clients than to reject the ones already connected. When
11238 using this parameter, be sure to properly set the "expire"
11239 parameter (see below).
11240
Emeric Brunf099e792010-09-27 12:05:28 +020011241 <peersect> is the name of the peers section to use for replication. Entries
11242 which associate keys to server IDs are kept synchronized with
11243 the remote peers declared in this section. All entries are also
11244 automatically learned from the local peer (old process) during a
11245 soft restart.
11246
Willy Tarreau1abc6732015-05-01 19:21:02 +020011247 NOTE : each peers section may be referenced only by tables
11248 belonging to the same unique process.
Cyril Bonté02ff8ef2010-12-14 22:48:49 +010011249
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011250 <expire> defines the maximum duration of an entry in the table since it
11251 was last created, refreshed or matched. The expiration delay is
11252 defined using the standard time format, similarly as the various
11253 timeouts. The maximum duration is slightly above 24 days. See
Willy Tarreau4b103022021-02-12 17:59:10 +010011254 section 2.5 for more information. If this delay is not specified,
Cyril Bontédc4d9032012-04-08 21:57:39 +020011255 the session won't automatically expire, but older entries will
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011256 be removed once full. Be sure not to use the "nopurge" parameter
11257 if not expiration delay is specified.
11258
Thayne McCombs92149f92020-11-20 01:28:26 -070011259 <srvkey> specifies how each server is identified for the purposes of the
11260 stick table. The valid values are "name" and "addr". If "name" is
11261 given, then <name> argument for the server (may be generated by
11262 a template). If "addr" is given, then the server is identified
11263 by its current network address, including the port. "addr" is
11264 especially useful if you are using service discovery to generate
11265 the addresses for servers with peered stick-tables and want
11266 to consistently use the same host across peers for a stickiness
11267 token.
11268
Willy Tarreau08d5f982010-06-06 13:34:54 +020011269 <data_type> is used to store additional information in the stick-table. This
11270 may be used by ACLs in order to control various criteria related
11271 to the activity of the client matching the stick-table. For each
11272 item specified here, the size of each entry will be inflated so
Willy Tarreauc9705a12010-07-27 20:05:50 +020011273 that the additional data can fit. Several data types may be
11274 stored with an entry. Multiple data types may be specified after
11275 the "store" keyword, as a comma-separated list. Alternatively,
11276 it is possible to repeat the "store" keyword followed by one or
11277 several data types. Except for the "server_id" type which is
11278 automatically detected and enabled, all data types must be
11279 explicitly declared to be stored. If an ACL references a data
11280 type which is not stored, the ACL will simply not match. Some
11281 data types require an argument which must be passed just after
11282 the type between parenthesis. See below for the supported data
11283 types and their arguments.
11284
11285 The data types that can be stored with an entry are the following :
11286 - server_id : this is an integer which holds the numeric ID of the server a
11287 request was assigned to. It is used by the "stick match", "stick store",
11288 and "stick on" rules. It is automatically enabled when referenced.
11289
11290 - gpc0 : first General Purpose Counter. It is a positive 32-bit integer
11291 integer which may be used for anything. Most of the time it will be used
11292 to put a special tag on some entries, for instance to note that a
Davor Ocelice9ed2812017-12-25 17:49:28 +010011293 specific behavior was detected and must be known for future matches.
Willy Tarreauc9705a12010-07-27 20:05:50 +020011294
Willy Tarreauba2ffd12013-05-29 15:54:14 +020011295 - gpc0_rate(<period>) : increment rate of the first General Purpose Counter
11296 over a period. It is a positive 32-bit integer integer which may be used
11297 for anything. Just like <gpc0>, it counts events, but instead of keeping
Davor Ocelice9ed2812017-12-25 17:49:28 +010011298 a cumulative number, it maintains the rate at which the counter is
Willy Tarreauba2ffd12013-05-29 15:54:14 +020011299 incremented. Most of the time it will be used to measure the frequency of
Davor Ocelice9ed2812017-12-25 17:49:28 +010011300 occurrence of certain events (e.g. requests to a specific URL).
Willy Tarreauba2ffd12013-05-29 15:54:14 +020011301
Frédéric Lécaille6778b272018-01-29 15:22:53 +010011302 - gpc1 : second General Purpose Counter. It is a positive 32-bit integer
11303 integer which may be used for anything. Most of the time it will be used
11304 to put a special tag on some entries, for instance to note that a
11305 specific behavior was detected and must be known for future matches.
11306
11307 - gpc1_rate(<period>) : increment rate of the second General Purpose Counter
11308 over a period. It is a positive 32-bit integer integer which may be used
11309 for anything. Just like <gpc1>, it counts events, but instead of keeping
11310 a cumulative number, it maintains the rate at which the counter is
11311 incremented. Most of the time it will be used to measure the frequency of
11312 occurrence of certain events (e.g. requests to a specific URL).
11313
Willy Tarreauc9705a12010-07-27 20:05:50 +020011314 - conn_cnt : Connection Count. It is a positive 32-bit integer which counts
11315 the absolute number of connections received from clients which matched
11316 this entry. It does not mean the connections were accepted, just that
11317 they were received.
11318
11319 - conn_cur : Current Connections. It is a positive 32-bit integer which
11320 stores the concurrent connection counts for the entry. It is incremented
11321 once an incoming connection matches the entry, and decremented once the
11322 connection leaves. That way it is possible to know at any time the exact
11323 number of concurrent connections for an entry.
11324
11325 - conn_rate(<period>) : frequency counter (takes 12 bytes). It takes an
11326 integer parameter <period> which indicates in milliseconds the length
11327 of the period over which the average is measured. It reports the average
11328 incoming connection rate over that period, in connections per period. The
11329 result is an integer which can be matched using ACLs.
11330
11331 - sess_cnt : Session Count. It is a positive 32-bit integer which counts
11332 the absolute number of sessions received from clients which matched this
11333 entry. A session is a connection that was accepted by the layer 4 rules.
11334
11335 - sess_rate(<period>) : frequency counter (takes 12 bytes). It takes an
11336 integer parameter <period> which indicates in milliseconds the length
11337 of the period over which the average is measured. It reports the average
11338 incoming session rate over that period, in sessions per period. The
11339 result is an integer which can be matched using ACLs.
11340
11341 - http_req_cnt : HTTP request Count. It is a positive 32-bit integer which
11342 counts the absolute number of HTTP requests received from clients which
11343 matched this entry. It does not matter whether they are valid requests or
11344 not. Note that this is different from sessions when keep-alive is used on
11345 the client side.
11346
11347 - http_req_rate(<period>) : frequency counter (takes 12 bytes). It takes an
11348 integer parameter <period> which indicates in milliseconds the length
11349 of the period over which the average is measured. It reports the average
11350 HTTP request rate over that period, in requests per period. The result is
11351 an integer which can be matched using ACLs. It does not matter whether
11352 they are valid requests or not. Note that this is different from sessions
11353 when keep-alive is used on the client side.
11354
11355 - http_err_cnt : HTTP Error Count. It is a positive 32-bit integer which
11356 counts the absolute number of HTTP requests errors induced by clients
11357 which matched this entry. Errors are counted on invalid and truncated
11358 requests, as well as on denied or tarpitted requests, and on failed
11359 authentications. If the server responds with 4xx, then the request is
11360 also counted as an error since it's an error triggered by the client
Davor Ocelice9ed2812017-12-25 17:49:28 +010011361 (e.g. vulnerability scan).
Willy Tarreauc9705a12010-07-27 20:05:50 +020011362
11363 - http_err_rate(<period>) : frequency counter (takes 12 bytes). It takes an
11364 integer parameter <period> which indicates in milliseconds the length
11365 of the period over which the average is measured. It reports the average
11366 HTTP request error rate over that period, in requests per period (see
11367 http_err_cnt above for what is accounted as an error). The result is an
11368 integer which can be matched using ACLs.
11369
Willy Tarreau826f3ab2021-02-10 12:07:15 +010011370 - http_fail_cnt : HTTP Failure Count. It is a positive 32-bit integer which
11371 counts the absolute number of HTTP response failures induced by servers
11372 which matched this entry. Errors are counted on invalid and truncated
11373 responses, as well as any 5xx response other than 501 or 505. It aims at
11374 being used combined with path or URI to detect service failures.
11375
11376 - http_fail_rate(<period>) : frequency counter (takes 12 bytes). It takes
11377 an integer parameter <period> which indicates in milliseconds the length
11378 of the period over which the average is measured. It reports the average
11379 HTTP response failure rate over that period, in requests per period (see
11380 http_fail_cnt above for what is accounted as a failure). The result is an
11381 integer which can be matched using ACLs.
11382
Willy Tarreauc9705a12010-07-27 20:05:50 +020011383 - bytes_in_cnt : client to server byte count. It is a positive 64-bit
Davor Ocelice9ed2812017-12-25 17:49:28 +010011384 integer which counts the cumulative number of bytes received from clients
Willy Tarreauc9705a12010-07-27 20:05:50 +020011385 which matched this entry. Headers are included in the count. This may be
11386 used to limit abuse of upload features on photo or video servers.
11387
11388 - bytes_in_rate(<period>) : frequency counter (takes 12 bytes). It takes an
11389 integer parameter <period> which indicates in milliseconds the length
11390 of the period over which the average is measured. It reports the average
11391 incoming bytes rate over that period, in bytes per period. It may be used
11392 to detect users which upload too much and too fast. Warning: with large
11393 uploads, it is possible that the amount of uploaded data will be counted
11394 once upon termination, thus causing spikes in the average transfer speed
11395 instead of having a smooth one. This may partially be smoothed with
11396 "option contstats" though this is not perfect yet. Use of byte_in_cnt is
11397 recommended for better fairness.
11398
11399 - bytes_out_cnt : server to client byte count. It is a positive 64-bit
Davor Ocelice9ed2812017-12-25 17:49:28 +010011400 integer which counts the cumulative number of bytes sent to clients which
Willy Tarreauc9705a12010-07-27 20:05:50 +020011401 matched this entry. Headers are included in the count. This may be used
11402 to limit abuse of bots sucking the whole site.
11403
11404 - bytes_out_rate(<period>) : frequency counter (takes 12 bytes). It takes
11405 an integer parameter <period> which indicates in milliseconds the length
11406 of the period over which the average is measured. It reports the average
11407 outgoing bytes rate over that period, in bytes per period. It may be used
11408 to detect users which download too much and too fast. Warning: with large
11409 transfers, it is possible that the amount of transferred data will be
11410 counted once upon termination, thus causing spikes in the average
11411 transfer speed instead of having a smooth one. This may partially be
11412 smoothed with "option contstats" though this is not perfect yet. Use of
11413 byte_out_cnt is recommended for better fairness.
Willy Tarreau08d5f982010-06-06 13:34:54 +020011414
Willy Tarreauc00cdc22010-06-06 16:48:26 +020011415 There is only one stick-table per proxy. At the moment of writing this doc,
11416 it does not seem useful to have multiple tables per proxy. If this happens
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011417 to be required, simply create a dummy backend with a stick-table in it and
11418 reference it.
11419
11420 It is important to understand that stickiness based on learning information
11421 has some limitations, including the fact that all learned associations are
Baptiste Assmann123ff042016-03-06 23:29:28 +010011422 lost upon restart unless peers are properly configured to transfer such
11423 information upon restart (recommended). In general it can be good as a
11424 complement but not always as an exclusive stickiness.
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011425
Willy Tarreauc9705a12010-07-27 20:05:50 +020011426 Last, memory requirements may be important when storing many data types.
11427 Indeed, storing all indicators above at once in each entry requires 116 bytes
11428 per entry, or 116 MB for a 1-million entries table. This is definitely not
11429 something that can be ignored.
11430
11431 Example:
11432 # Keep track of counters of up to 1 million IP addresses over 5 minutes
11433 # and store a general purpose counter and the average connection rate
11434 # computed over a sliding window of 30 seconds.
11435 stick-table type ip size 1m expire 5m store gpc0,conn_rate(30s)
11436
Willy Tarreau4b103022021-02-12 17:59:10 +010011437 See also : "stick match", "stick on", "stick store-request", section 2.5
David du Colombiera13d1b92011-03-17 10:40:22 +010011438 about time format and section 7 about ACLs.
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011439
11440
Emeric Brun6a1cefa2010-09-24 18:15:17 +020011441stick store-response <pattern> [table <table>] [{if | unless} <condition>]
Baptiste Assmann2f2d2ec2016-03-06 23:27:24 +010011442 Define a response pattern used to create an entry in a stickiness table
Emeric Brun6a1cefa2010-09-24 18:15:17 +020011443 May be used in sections : defaults | frontend | listen | backend
11444 no | no | yes | yes
11445
11446 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +020011447 <pattern> is a sample expression rule as described in section 7.3. It
Emeric Brun6a1cefa2010-09-24 18:15:17 +020011448 describes what elements of the response or connection will
Davor Ocelice9ed2812017-12-25 17:49:28 +010011449 be analyzed, extracted and stored in the table once a
Emeric Brun6a1cefa2010-09-24 18:15:17 +020011450 server is selected.
11451
11452 <table> is an optional stickiness table name. If unspecified, the same
11453 backend's table is used. A stickiness table is declared using
11454 the "stick-table" statement.
11455
11456 <cond> is an optional storage condition. It makes it possible to store
11457 certain criteria only when some conditions are met (or not met).
11458 For instance, it could be used to store the SSL session ID only
11459 when the response is a SSL server hello.
11460
11461 Some protocols or applications require complex stickiness rules and cannot
11462 always simply rely on cookies nor hashing. The "stick store-response"
11463 statement describes a rule to decide what to extract from the response and
11464 when to do it, in order to store it into a stickiness table for further
11465 requests to match it using the "stick match" statement. Obviously the
11466 extracted part must make sense and have a chance to be matched in a further
Cyril Bonté108cf6e2012-04-21 23:30:29 +020011467 request. Storing an ID found in a header of a response makes sense.
Emeric Brun6a1cefa2010-09-24 18:15:17 +020011468 See section 7 for a complete list of possible patterns and transformation
11469 rules.
11470
11471 The table has to be declared using the "stick-table" statement. It must be of
11472 a type compatible with the pattern. By default it is the one which is present
11473 in the same backend. It is possible to share a table with other backends by
11474 referencing it using the "table" keyword. If another table is referenced,
11475 the server's ID inside the backends are used. By default, all server IDs
11476 start at 1 in each backend, so the server ordering is enough. But in case of
11477 doubt, it is highly recommended to force server IDs using their "id" setting.
11478
11479 It is possible to restrict the conditions where a "stick store-response"
11480 statement will apply, using "if" or "unless" followed by a condition. This
11481 condition will be evaluated while parsing the response, so any criteria can
11482 be used. See section 7 for ACL based conditions.
11483
11484 There is no limit on the number of "stick store-response" statements, but
11485 there is a limit of 8 simultaneous stores per request or response. This
11486 makes it possible to store up to 8 criteria, all extracted from either the
11487 request or the response, regardless of the number of rules. Only the 8 first
11488 ones which match will be kept. Using this, it is possible to feed multiple
11489 tables at once in the hope to increase the chance to recognize a user on
Willy Tarreau9667a802013-12-09 12:52:13 +010011490 another protocol or access method. Using multiple store-response rules with
11491 the same table is possible and may be used to find the best criterion to rely
11492 on, by arranging the rules by decreasing preference order. Only the first
11493 extracted criterion for a given table will be stored. All subsequent store-
11494 response rules referencing the same table will be skipped and their ACLs will
11495 not be evaluated. However, even if a store-request rule references a table, a
11496 store-response rule may also use the same table. This means that each table
11497 may learn exactly one element from the request and one element from the
11498 response at once.
Emeric Brun6a1cefa2010-09-24 18:15:17 +020011499
11500 The table will contain the real server that processed the request.
11501
11502 Example :
11503 # Learn SSL session ID from both request and response and create affinity.
11504 backend https
11505 mode tcp
11506 balance roundrobin
Cyril Bontédc4d9032012-04-08 21:57:39 +020011507 # maximum SSL session ID length is 32 bytes.
Emeric Brun6a1cefa2010-09-24 18:15:17 +020011508 stick-table type binary len 32 size 30k expire 30m
Cyril Bonté108cf6e2012-04-21 23:30:29 +020011509
Emeric Brun6a1cefa2010-09-24 18:15:17 +020011510 acl clienthello req_ssl_hello_type 1
11511 acl serverhello rep_ssl_hello_type 2
11512
11513 # use tcp content accepts to detects ssl client and server hello.
11514 tcp-request inspect-delay 5s
11515 tcp-request content accept if clienthello
11516
11517 # no timeout on response inspect delay by default.
11518 tcp-response content accept if serverhello
Cyril Bonté108cf6e2012-04-21 23:30:29 +020011519
Emeric Brun6a1cefa2010-09-24 18:15:17 +020011520 # SSL session ID (SSLID) may be present on a client or server hello.
11521 # Its length is coded on 1 byte at offset 43 and its value starts
11522 # at offset 44.
11523
11524 # Match and learn on request if client hello.
11525 stick on payload_lv(43,1) if clienthello
11526
11527 # Learn on response if server hello.
11528 stick store-response payload_lv(43,1) if serverhello
Cyril Bontédc4d9032012-04-08 21:57:39 +020011529
Emeric Brun6a1cefa2010-09-24 18:15:17 +020011530 server s1 192.168.1.1:443
11531 server s2 192.168.1.1:443
11532
11533 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
11534 extraction.
11535
11536
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020011537tcp-check comment <string>
11538 Defines a comment for the following the tcp-check rule, reported in logs if
11539 it fails.
11540 May be used in sections : defaults | frontend | listen | backend
11541 yes | no | yes | yes
11542
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020011543 Arguments :
11544 <string> is the comment message to add in logs if the following tcp-check
11545 rule fails.
11546
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020011547 It only works for connect, send and expect rules. It is useful to make
11548 user-friendly error reporting.
11549
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020011550 See also : "option tcp-check", "tcp-check connect", "tcp-check send" and
11551 "tcp-check expect".
11552
11553
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020011554tcp-check connect [default] [port <expr>] [addr <ip>] [send-proxy] [via-socks4]
11555 [ssl] [sni <sni>] [alpn <alpn>] [linger]
Christopher Fauletedc6ed92020-04-23 16:27:59 +020011556 [proto <name>] [comment <msg>]
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011557 Opens a new connection
11558 May be used in sections: defaults | frontend | listen | backend
Christopher Faulet404f9192020-04-09 23:13:54 +020011559 yes | no | yes | yes
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011560
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020011561 Arguments :
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020011562 comment <msg> defines a message to report if the rule evaluation fails.
11563
Christopher Faulet4dce5922020-03-30 13:54:42 +020011564 default Use default options of the server line to do the health
Daniel Corbett67a82712020-07-06 23:01:19 -040011565 checks. The server options are used only if not redefined.
Christopher Faulet4dce5922020-03-30 13:54:42 +020011566
Christopher Fauletb7d30092020-03-30 15:19:03 +020011567 port <expr> if not set, check port or server port is used.
Christopher Faulet5c288742020-03-31 08:15:58 +020011568 It tells HAProxy where to open the connection to.
11569 <port> must be a valid TCP port source integer, from 1 to
Christopher Fauletb7d30092020-03-30 15:19:03 +020011570 65535 or an sample-fetch expression.
Christopher Faulet5c288742020-03-31 08:15:58 +020011571
11572 addr <ip> defines the IP address to do the health check.
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011573
11574 send-proxy send a PROXY protocol string
11575
Christopher Faulet085426a2020-03-30 13:07:02 +020011576 via-socks4 enables outgoing health checks using upstream socks4 proxy.
11577
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011578 ssl opens a ciphered connection
11579
Christopher Faulet79b31d42020-03-30 13:00:05 +020011580 sni <sni> specifies the SNI to use to do health checks over SSL.
11581
Christopher Faulet98572322020-03-30 13:16:44 +020011582 alpn <alpn> defines which protocols to advertise with ALPN. The protocol
11583 list consists in a comma-delimited list of protocol names,
11584 for instance: "http/1.1,http/1.0" (without quotes).
11585 If it is not set, the server ALPN is used.
11586
Christopher Fauletedc6ed92020-04-23 16:27:59 +020011587 proto <name> forces the multiplexer's protocol to use for this connection.
11588 It must be a TCP mux protocol and it must be usable on the
11589 backend side. The list of available protocols is reported in
11590 haproxy -vv.
11591
Christopher Faulet5c288742020-03-31 08:15:58 +020011592 linger cleanly close the connection instead of using a single RST.
Gaetan Rivetf8ba6772020-02-07 15:37:17 +010011593
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020011594 When an application lies on more than a single TCP port or when HAProxy
11595 load-balance many services in a single backend, it makes sense to probe all
11596 the services individually before considering a server as operational.
11597
11598 When there are no TCP port configured on the server line neither server port
11599 directive, then the 'tcp-check connect port <port>' must be the first step
11600 of the sequence.
11601
11602 In a tcp-check ruleset a 'connect' is required, it is also mandatory to start
11603 the ruleset with a 'connect' rule. Purpose is to ensure admin know what they
11604 do.
11605
11606 When a connect must start the ruleset, if may still be preceded by set-var,
11607 unset-var or comment rules.
11608
11609 Examples :
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011610 # check HTTP and HTTPs services on a server.
11611 # first open port 80 thanks to server line port directive, then
11612 # tcp-check opens port 443, ciphered and run a request on it:
11613 option tcp-check
11614 tcp-check connect
11615 tcp-check send GET\ /\ HTTP/1.0\r\n
11616 tcp-check send Host:\ haproxy.1wt.eu\r\n
11617 tcp-check send \r\n
11618 tcp-check expect rstring (2..|3..)
11619 tcp-check connect port 443 ssl
11620 tcp-check send GET\ /\ HTTP/1.0\r\n
11621 tcp-check send Host:\ haproxy.1wt.eu\r\n
11622 tcp-check send \r\n
11623 tcp-check expect rstring (2..|3..)
11624 server www 10.0.0.1 check port 80
11625
11626 # check both POP and IMAP from a single server:
11627 option tcp-check
Gaetan Rivetf8ba6772020-02-07 15:37:17 +010011628 tcp-check connect port 110 linger
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011629 tcp-check expect string +OK\ POP3\ ready
11630 tcp-check connect port 143
11631 tcp-check expect string *\ OK\ IMAP4\ ready
11632 server mail 10.0.0.1 check
11633
11634 See also : "option tcp-check", "tcp-check send", "tcp-check expect"
11635
11636
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020011637tcp-check expect [min-recv <int>] [comment <msg>]
Christopher Fauletec07e382020-04-07 14:56:26 +020011638 [ok-status <st>] [error-status <st>] [tout-status <st>]
Christopher Faulet98cc57c2020-04-01 20:52:31 +020011639 [on-success <fmt>] [on-error <fmt>] [status-code <expr>]
Christopher Fauletcf80f2f2020-04-01 11:04:52 +020011640 [!] <match> <pattern>
Davor Ocelice9ed2812017-12-25 17:49:28 +010011641 Specify data to be collected and analyzed during a generic health check
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011642 May be used in sections: defaults | frontend | listen | backend
Christopher Faulet404f9192020-04-09 23:13:54 +020011643 yes | no | yes | yes
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011644
11645 Arguments :
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020011646 comment <msg> defines a message to report if the rule evaluation fails.
11647
Gaetan Rivet1afd8262020-02-07 15:37:17 +010011648 min-recv is optional and can define the minimum amount of data required to
11649 evaluate the current expect rule. If the number of received bytes
11650 is under this limit, the check will wait for more data. This
11651 option can be used to resolve some ambiguous matching rules or to
11652 avoid executing costly regex matches on content known to be still
11653 incomplete. If an exact string (string or binary) is used, the
11654 minimum between the string length and this parameter is used.
11655 This parameter is ignored if it is set to -1. If the expect rule
11656 does not match, the check will wait for more data. If set to 0,
11657 the evaluation result is always conclusive.
11658
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011659 <match> is a keyword indicating how to look for a specific pattern in the
Gaetan Rivetefab6c62020-02-07 15:37:17 +010011660 response. The keyword may be one of "string", "rstring", "binary" or
11661 "rbinary".
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011662 The keyword may be preceded by an exclamation mark ("!") to negate
11663 the match. Spaces are allowed between the exclamation mark and the
11664 keyword. See below for more details on the supported keywords.
11665
Christopher Fauletec07e382020-04-07 14:56:26 +020011666 ok-status <st> is optional and can be used to set the check status if
11667 the expect rule is successfully evaluated and if it is
11668 the last rule in the tcp-check ruleset. "L7OK", "L7OKC",
Christopher Fauletd888f0f2020-05-07 07:40:17 +020011669 "L6OK" and "L4OK" are supported :
11670 - L7OK : check passed on layer 7
Christopher Faulet83662b52020-11-20 17:47:47 +010011671 - L7OKC : check conditionally passed on layer 7, set
11672 server to NOLB state.
Christopher Fauletd888f0f2020-05-07 07:40:17 +020011673 - L6OK : check passed on layer 6
11674 - L4OK : check passed on layer 4
Christopher Fauletec07e382020-04-07 14:56:26 +020011675 By default "L7OK" is used.
11676
Christopher Fauletcf80f2f2020-04-01 11:04:52 +020011677 error-status <st> is optional and can be used to set the check status if
11678 an error occurred during the expect rule evaluation.
Christopher Faulet83662b52020-11-20 17:47:47 +010011679 "L7OKC", "L7RSP", "L7STS", "L6RSP" and "L4CON" are
11680 supported :
11681 - L7OKC : check conditionally passed on layer 7, set
11682 server to NOLB state.
Christopher Fauletd888f0f2020-05-07 07:40:17 +020011683 - L7RSP : layer 7 invalid response - protocol error
11684 - L7STS : layer 7 response error, for example HTTP 5xx
11685 - L6RSP : layer 6 invalid response - protocol error
11686 - L4CON : layer 1-4 connection problem
11687 By default "L7RSP" is used.
Christopher Fauletcf80f2f2020-04-01 11:04:52 +020011688
Christopher Fauletec07e382020-04-07 14:56:26 +020011689 tout-status <st> is optional and can be used to set the check status if
Christopher Fauletcf80f2f2020-04-01 11:04:52 +020011690 a timeout occurred during the expect rule evaluation.
Christopher Fauletd888f0f2020-05-07 07:40:17 +020011691 "L7TOUT", "L6TOUT", and "L4TOUT" are supported :
11692 - L7TOUT : layer 7 (HTTP/SMTP) timeout
11693 - L6TOUT : layer 6 (SSL) timeout
11694 - L4TOUT : layer 1-4 timeout
Christopher Fauletcf80f2f2020-04-01 11:04:52 +020011695 By default "L7TOUT" is used.
11696
Christopher Fauletbe52b4d2020-04-01 16:30:22 +020011697 on-success <fmt> is optional and can be used to customize the
11698 informational message reported in logs if the expect
11699 rule is successfully evaluated and if it is the last rule
11700 in the tcp-check ruleset. <fmt> is a log-format string.
11701
11702 on-error <fmt> is optional and can be used to customize the
11703 informational message reported in logs if an error
11704 occurred during the expect rule evaluation. <fmt> is a
11705 log-format string.
11706
Christopher Faulet98cc57c2020-04-01 20:52:31 +020011707 status-code <expr> is optional and can be used to set the check status code
11708 reported in logs, on success or on error. <expr> is a
11709 standard HAProxy expression formed by a sample-fetch
11710 followed by some converters.
11711
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011712 <pattern> is the pattern to look for. It may be a string or a regular
11713 expression. If the pattern contains spaces, they must be escaped
11714 with the usual backslash ('\').
11715 If the match is set to binary, then the pattern must be passed as
Davor Ocelice9ed2812017-12-25 17:49:28 +010011716 a series of hexadecimal digits in an even number. Each sequence of
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011717 two digits will represent a byte. The hexadecimal digits may be
11718 used upper or lower case.
11719
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011720 The available matches are intentionally similar to their http-check cousins :
11721
11722 string <string> : test the exact string matches in the response buffer.
11723 A health check response will be considered valid if the
11724 response's buffer contains this exact string. If the
11725 "string" keyword is prefixed with "!", then the response
11726 will be considered invalid if the body contains this
11727 string. This can be used to look for a mandatory pattern
11728 in a protocol response, or to detect a failure when a
11729 specific error appears in a protocol banner.
11730
11731 rstring <regex> : test a regular expression on the response buffer.
11732 A health check response will be considered valid if the
11733 response's buffer matches this expression. If the
11734 "rstring" keyword is prefixed with "!", then the response
11735 will be considered invalid if the body matches the
11736 expression.
11737
Christopher Fauletaaab0832020-05-05 15:54:22 +020011738 string-lf <fmt> : test a log-format string match in the response's buffer.
11739 A health check response will be considered valid if the
11740 response's buffer contains the string resulting of the
11741 evaluation of <fmt>, which follows the log-format rules.
11742 If prefixed with "!", then the response will be
11743 considered invalid if the buffer contains the string.
11744
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011745 binary <hexstring> : test the exact string in its hexadecimal form matches
11746 in the response buffer. A health check response will
11747 be considered valid if the response's buffer contains
11748 this exact hexadecimal string.
11749 Purpose is to match data on binary protocols.
11750
Gaetan Rivetefab6c62020-02-07 15:37:17 +010011751 rbinary <regex> : test a regular expression on the response buffer, like
11752 "rstring". However, the response buffer is transformed
11753 into its hexadecimal form, including NUL-bytes. This
11754 allows using all regex engines to match any binary
11755 content. The hexadecimal transformation takes twice the
11756 size of the original response. As such, the expected
11757 pattern should work on at-most half the response buffer
11758 size.
11759
Christopher Fauletaaab0832020-05-05 15:54:22 +020011760 binary-lf <hexfmt> : test a log-format string in its hexadecimal form
11761 match in the response's buffer. A health check response
11762 will be considered valid if the response's buffer
11763 contains the hexadecimal string resulting of the
11764 evaluation of <fmt>, which follows the log-format
11765 rules. If prefixed with "!", then the response will be
11766 considered invalid if the buffer contains the
11767 hexadecimal string. The hexadecimal string is converted
11768 in a binary string before matching the response's
11769 buffer.
11770
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011771 It is important to note that the responses will be limited to a certain size
Christopher Fauletbb9fb8b2020-11-25 17:20:57 +010011772 defined by the global "tune.bufsize" option, which defaults to 16384 bytes.
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011773 Thus, too large responses may not contain the mandatory pattern when using
11774 "string", "rstring" or binary. If a large response is absolutely required, it
11775 is possible to change the default max size by setting the global variable.
11776 However, it is worth keeping in mind that parsing very large responses can
11777 waste some CPU cycles, especially when regular expressions are used, and that
11778 it is always better to focus the checks on smaller resources. Also, in its
11779 current state, the check will not find any string nor regex past a null
11780 character in the response. Similarly it is not possible to request matching
11781 the null character.
11782
11783 Examples :
11784 # perform a POP check
11785 option tcp-check
11786 tcp-check expect string +OK\ POP3\ ready
11787
11788 # perform an IMAP check
11789 option tcp-check
11790 tcp-check expect string *\ OK\ IMAP4\ ready
11791
11792 # look for the redis master server
11793 option tcp-check
11794 tcp-check send PING\r\n
Baptiste Assmanna3322992015-08-04 10:12:18 +020011795 tcp-check expect string +PONG
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011796 tcp-check send info\ replication\r\n
11797 tcp-check expect string role:master
11798 tcp-check send QUIT\r\n
11799 tcp-check expect string +OK
11800
11801
11802 See also : "option tcp-check", "tcp-check connect", "tcp-check send",
Christopher Fauletbb9fb8b2020-11-25 17:20:57 +010011803 "tcp-check send-binary", "http-check expect", tune.bufsize
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011804
11805
Christopher Fauletb50b3e62020-05-05 18:43:43 +020011806tcp-check send <data> [comment <msg>]
11807tcp-check send-lf <fmt> [comment <msg>]
11808 Specify a string or a log-format string to be sent as a question during a
11809 generic health check
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011810 May be used in sections: defaults | frontend | listen | backend
Christopher Faulet404f9192020-04-09 23:13:54 +020011811 yes | no | yes | yes
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011812
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020011813 Arguments :
11814 comment <msg> defines a message to report if the rule evaluation fails.
11815
Christopher Fauletb50b3e62020-05-05 18:43:43 +020011816 <data> is the string that will be sent during a generic health
11817 check session.
Christopher Faulet16fff672020-04-30 07:50:54 +020011818
Christopher Fauletb50b3e62020-05-05 18:43:43 +020011819 <fmt> is the log-format string that will be sent, once evaluated,
11820 during a generic health check session.
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011821
11822 Examples :
11823 # look for the redis master server
11824 option tcp-check
11825 tcp-check send info\ replication\r\n
11826 tcp-check expect string role:master
11827
11828 See also : "option tcp-check", "tcp-check connect", "tcp-check expect",
Christopher Fauletbb9fb8b2020-11-25 17:20:57 +010011829 "tcp-check send-binary", tune.bufsize
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011830
11831
Christopher Fauletb50b3e62020-05-05 18:43:43 +020011832tcp-check send-binary <hexstring> [comment <msg>]
11833tcp-check send-binary-lf <hexfmt> [comment <msg>]
11834 Specify an hex digits string or an hex digits log-format string to be sent as
11835 a binary question during a raw tcp health check
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011836 May be used in sections: defaults | frontend | listen | backend
Christopher Faulet404f9192020-04-09 23:13:54 +020011837 yes | no | yes | yes
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011838
Christopher Faulet4f5c2e22020-04-23 15:22:33 +020011839 Arguments :
11840 comment <msg> defines a message to report if the rule evaluation fails.
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020011841
Christopher Fauletb50b3e62020-05-05 18:43:43 +020011842 <hexstring> is the hexadecimal string that will be send, once converted
11843 to binary, during a generic health check session.
Christopher Faulet16fff672020-04-30 07:50:54 +020011844
Christopher Fauletb50b3e62020-05-05 18:43:43 +020011845 <hexfmt> is the hexadecimal log-format string that will be send, once
11846 evaluated and converted to binary, during a generic health
11847 check session.
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011848
11849 Examples :
11850 # redis check in binary
11851 option tcp-check
11852 tcp-check send-binary 50494e470d0a # PING\r\n
11853 tcp-check expect binary 2b504F4e47 # +PONG
11854
11855
11856 See also : "option tcp-check", "tcp-check connect", "tcp-check expect",
Christopher Fauletbb9fb8b2020-11-25 17:20:57 +010011857 "tcp-check send", tune.bufsize
Willy Tarreau938c7fe2014-04-25 14:21:39 +020011858
11859
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011860tcp-check set-var(<var-name>) <expr>
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011861 This operation sets the content of a variable. The variable is declared inline.
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011862 May be used in sections: defaults | frontend | listen | backend
Christopher Faulet404f9192020-04-09 23:13:54 +020011863 yes | no | yes | yes
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011864
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020011865 Arguments :
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011866 <var-name> The name of the variable starts with an indication about its
11867 scope. The scopes allowed for tcp-check are:
11868 "proc" : the variable is shared with the whole process.
11869 "sess" : the variable is shared with the tcp-check session.
11870 "check": the variable is declared for the lifetime of the tcp-check.
11871 This prefix is followed by a name. The separator is a '.'.
11872 The name may only contain characters 'a-z', 'A-Z', '0-9', '.',
11873 and '-'.
11874
11875 <expr> Is a sample-fetch expression potentially followed by converters.
11876
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020011877 Examples :
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011878 tcp-check set-var(check.port) int(1234)
11879
11880
11881tcp-check unset-var(<var-name>)
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011882 Free a reference to a variable within its scope.
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011883 May be used in sections: defaults | frontend | listen | backend
Christopher Faulet404f9192020-04-09 23:13:54 +020011884 yes | no | yes | yes
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011885
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020011886 Arguments :
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011887 <var-name> The name of the variable starts with an indication about its
11888 scope. The scopes allowed for tcp-check are:
11889 "proc" : the variable is shared with the whole process.
11890 "sess" : the variable is shared with the tcp-check session.
11891 "check": the variable is declared for the lifetime of the tcp-check.
11892 This prefix is followed by a name. The separator is a '.'.
11893 The name may only contain characters 'a-z', 'A-Z', '0-9', '.',
11894 and '-'.
11895
Christopher Fauletc52ea4d2020-04-23 15:43:35 +020011896 Examples :
Gaetan Rivet0c39ecc2020-02-24 17:34:11 +010011897 tcp-check unset-var(check.port)
11898
11899
Willy Tarreaue9656522010-08-17 15:40:09 +020011900tcp-request connection <action> [{if | unless} <condition>]
11901 Perform an action on an incoming connection depending on a layer 4 condition
Willy Tarreau1a687942010-05-23 22:40:30 +020011902 May be used in sections : defaults | frontend | listen | backend
11903 no | yes | yes | no
Willy Tarreaue9656522010-08-17 15:40:09 +020011904 Arguments :
Willy Tarreauc870bfd2015-09-28 18:47:38 +020011905 <action> defines the action to perform if the condition applies. See
11906 below.
Willy Tarreau1a687942010-05-23 22:40:30 +020011907
Willy Tarreaue9656522010-08-17 15:40:09 +020011908 <condition> is a standard layer4-only ACL-based condition (see section 7).
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011909
11910 Immediately after acceptance of a new incoming connection, it is possible to
11911 evaluate some conditions to decide whether this connection must be accepted
Willy Tarreaue9656522010-08-17 15:40:09 +020011912 or dropped or have its counters tracked. Those conditions cannot make use of
11913 any data contents because the connection has not been read from yet, and the
11914 buffers are not yet allocated. This is used to selectively and very quickly
11915 accept or drop connections from various sources with a very low overhead. If
11916 some contents need to be inspected in order to take the decision, the
11917 "tcp-request content" statements must be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011918
Willy Tarreaue9656522010-08-17 15:40:09 +020011919 The "tcp-request connection" rules are evaluated in their exact declaration
11920 order. If no rule matches or if there is no rule, the default action is to
11921 accept the incoming connection. There is no specific limit to the number of
11922 rules which may be inserted.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011923
Willy Tarreaua9083d02015-05-08 15:27:59 +020011924 Four types of actions are supported :
Willy Tarreaue9656522010-08-17 15:40:09 +020011925 - accept :
11926 accepts the connection if the condition is true (when used with "if")
11927 or false (when used with "unless"). The first such rule executed ends
11928 the rules evaluation.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011929
Willy Tarreaue9656522010-08-17 15:40:09 +020011930 - reject :
11931 rejects the connection if the condition is true (when used with "if")
11932 or false (when used with "unless"). The first such rule executed ends
11933 the rules evaluation. Rejected connections do not even become a
11934 session, which is why they are accounted separately for in the stats,
11935 as "denied connections". They are not considered for the session
11936 rate-limit and are not logged either. The reason is that these rules
11937 should only be used to filter extremely high connection rates such as
11938 the ones encountered during a massive DDoS attack. Under these extreme
11939 conditions, the simple action of logging each event would make the
11940 system collapse and would considerably lower the filtering capacity. If
11941 logging is absolutely desired, then "tcp-request content" rules should
Willy Tarreau4f614292016-10-21 17:49:36 +020011942 be used instead, as "tcp-request session" rules will not log either.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011943
Willy Tarreau4f0d9192013-06-11 20:40:55 +020011944 - expect-proxy layer4 :
11945 configures the client-facing connection to receive a PROXY protocol
11946 header before any byte is read from the socket. This is equivalent to
11947 having the "accept-proxy" keyword on the "bind" line, except that using
11948 the TCP rule allows the PROXY protocol to be accepted only for certain
11949 IP address ranges using an ACL. This is convenient when multiple layers
11950 of load balancers are passed through by traffic coming from public
11951 hosts.
11952
Bertrand Jacquin90759682016-06-06 15:35:39 +010011953 - expect-netscaler-cip layer4 :
11954 configures the client-facing connection to receive a NetScaler Client
11955 IP insertion protocol header before any byte is read from the socket.
11956 This is equivalent to having the "accept-netscaler-cip" keyword on the
11957 "bind" line, except that using the TCP rule allows the PROXY protocol
11958 to be accepted only for certain IP address ranges using an ACL. This
11959 is convenient when multiple layers of load balancers are passed
11960 through by traffic coming from public hosts.
11961
Willy Tarreau18bf01e2014-06-13 16:18:52 +020011962 - capture <sample> len <length> :
11963 This only applies to "tcp-request content" rules. It captures sample
11964 expression <sample> from the request buffer, and converts it to a
11965 string of at most <len> characters. The resulting string is stored into
11966 the next request "capture" slot, so it will possibly appear next to
11967 some captured HTTP headers. It will then automatically appear in the
11968 logs, and it will be possible to extract it using sample fetch rules to
11969 feed it into headers or anything. The length should be limited given
11970 that this size will be allocated for each capture during the whole
Willy Tarreaua9083d02015-05-08 15:27:59 +020011971 session life. Please check section 7.3 (Fetching samples) and "capture
11972 request header" for more information.
Willy Tarreau18bf01e2014-06-13 16:18:52 +020011973
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020011974 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>] :
Willy Tarreaue9656522010-08-17 15:40:09 +020011975 enables tracking of sticky counters from current connection. These
Moemen MHEDHBI9cf46342018-09-25 17:50:53 +020011976 rules do not stop evaluation and do not change default action. The
11977 number of counters that may be simultaneously tracked by the same
11978 connection is set in MAX_SESS_STKCTR at build time (reported in
John Roeslerfb2fce12019-07-10 15:45:51 -050011979 haproxy -vv) which defaults to 3, so the track-sc number is between 0
Matteo Contrini1857b8c2020-10-16 17:35:54 +020011980 and (MAX_SESS_STKCTR-1). The first "track-sc0" rule executed enables
Moemen MHEDHBI9cf46342018-09-25 17:50:53 +020011981 tracking of the counters of the specified table as the first set. The
11982 first "track-sc1" rule executed enables tracking of the counters of the
11983 specified table as the second set. The first "track-sc2" rule executed
11984 enables tracking of the counters of the specified table as the third
11985 set. It is a recommended practice to use the first set of counters for
11986 the per-frontend counters and the second set for the per-backend ones.
11987 But this is just a guideline, all may be used everywhere.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011988
Willy Tarreaue9656522010-08-17 15:40:09 +020011989 These actions take one or two arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +020011990 <key> is mandatory, and is a sample expression rule as described
Willy Tarreau74ca5042013-06-11 23:12:07 +020011991 in section 7.3. It describes what elements of the incoming
Davor Ocelice9ed2812017-12-25 17:49:28 +010011992 request or connection will be analyzed, extracted, combined,
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010011993 and used to select which table entry to update the counters.
11994 Note that "tcp-request connection" cannot use content-based
11995 fetches.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020011996
Willy Tarreaue9656522010-08-17 15:40:09 +020011997 <table> is an optional table to be used instead of the default one,
11998 which is the stick-table declared in the current proxy. All
11999 the counters for the matches and updates for the key will
12000 then be performed in that table until the session ends.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020012001
Willy Tarreaue9656522010-08-17 15:40:09 +020012002 Once a "track-sc*" rule is executed, the key is looked up in the table
12003 and if it is not found, an entry is allocated for it. Then a pointer to
12004 that entry is kept during all the session's life, and this entry's
12005 counters are updated as often as possible, every time the session's
12006 counters are updated, and also systematically when the session ends.
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010012007 Counters are only updated for events that happen after the tracking has
12008 been started. For example, connection counters will not be updated when
12009 tracking layer 7 information, since the connection event happens before
12010 layer7 information is extracted.
12011
Willy Tarreaue9656522010-08-17 15:40:09 +020012012 If the entry tracks concurrent connection counters, one connection is
12013 counted for as long as the entry is tracked, and the entry will not
12014 expire during that time. Tracking counters also provides a performance
12015 advantage over just checking the keys, because only one table lookup is
12016 performed for all ACL checks that make use of it.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020012017
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +020012018 - sc-inc-gpc0(<sc-id>):
12019 The "sc-inc-gpc0" increments the GPC0 counter according to the sticky
12020 counter designated by <sc-id>. If an error occurs, this action silently
12021 fails and the actions evaluation continues.
12022
Frédéric Lécaille6778b272018-01-29 15:22:53 +010012023 - sc-inc-gpc1(<sc-id>):
12024 The "sc-inc-gpc1" increments the GPC1 counter according to the sticky
12025 counter designated by <sc-id>. If an error occurs, this action silently
12026 fails and the actions evaluation continues.
12027
Cédric Dufour0d7712d2019-11-06 18:38:53 +010012028 - sc-set-gpt0(<sc-id>) { <int> | <expr> }:
12029 This action sets the 32-bit unsigned GPT0 tag according to the sticky
12030 counter designated by <sc-id> and the value of <int>/<expr>. The
12031 expected result is a boolean. If an error occurs, this action silently
12032 fails and the actions evaluation continues.
Thierry FOURNIER236657b2015-08-19 08:25:14 +020012033
William Lallemand2e785f22016-05-25 01:48:42 +020012034 - set-src <expr> :
12035 Is used to set the source IP address to the value of specified
12036 expression. Useful if you want to mask source IP for privacy.
12037 If you want to provide an IP from a HTTP header use "http-request
Cyril Bonté6c81d5f2018-10-17 00:14:51 +020012038 set-src".
William Lallemand2e785f22016-05-25 01:48:42 +020012039
Cyril Bonté6c81d5f2018-10-17 00:14:51 +020012040 Arguments:
12041 <expr> Is a standard HAProxy expression formed by a sample-fetch
12042 followed by some converters.
William Lallemand2e785f22016-05-25 01:48:42 +020012043
12044 Example:
William Lallemand2e785f22016-05-25 01:48:42 +020012045 tcp-request connection set-src src,ipmask(24)
12046
Willy Tarreau0c630532016-10-21 17:52:58 +020012047 When possible, set-src preserves the original source port as long as the
12048 address family allows it, otherwise the source port is set to 0.
William Lallemand2e785f22016-05-25 01:48:42 +020012049
William Lallemand44be6402016-05-25 01:51:35 +020012050 - set-src-port <expr> :
12051 Is used to set the source port address to the value of specified
12052 expression.
12053
Cyril Bonté6c81d5f2018-10-17 00:14:51 +020012054 Arguments:
12055 <expr> Is a standard HAProxy expression formed by a sample-fetch
12056 followed by some converters.
William Lallemand44be6402016-05-25 01:51:35 +020012057
12058 Example:
William Lallemand44be6402016-05-25 01:51:35 +020012059 tcp-request connection set-src-port int(4000)
12060
Willy Tarreau0c630532016-10-21 17:52:58 +020012061 When possible, set-src-port preserves the original source address as long
12062 as the address family supports a port, otherwise it forces the source
12063 address to IPv4 "0.0.0.0" before rewriting the port.
William Lallemand44be6402016-05-25 01:51:35 +020012064
William Lallemand13e9b0c2016-05-25 02:34:07 +020012065 - set-dst <expr> :
12066 Is used to set the destination IP address to the value of specified
12067 expression. Useful if you want to mask IP for privacy in log.
12068 If you want to provide an IP from a HTTP header use "http-request
12069 set-dst". If you want to connect to the new address/port, use
12070 '0.0.0.0:0' as a server address in the backend.
12071
12072 <expr> Is a standard HAProxy expression formed by a sample-fetch
12073 followed by some converters.
12074
12075 Example:
12076
12077 tcp-request connection set-dst dst,ipmask(24)
12078 tcp-request connection set-dst ipv4(10.0.0.1)
12079
Willy Tarreau0c630532016-10-21 17:52:58 +020012080 When possible, set-dst preserves the original destination port as long as
12081 the address family allows it, otherwise the destination port is set to 0.
12082
William Lallemand13e9b0c2016-05-25 02:34:07 +020012083 - set-dst-port <expr> :
12084 Is used to set the destination port address to the value of specified
12085 expression. If you want to connect to the new address/port, use
12086 '0.0.0.0:0' as a server address in the backend.
12087
12088
12089 <expr> Is a standard HAProxy expression formed by a sample-fetch
12090 followed by some converters.
12091
12092 Example:
12093
12094 tcp-request connection set-dst-port int(4000)
12095
Willy Tarreau0c630532016-10-21 17:52:58 +020012096 When possible, set-dst-port preserves the original destination address as
12097 long as the address family supports a port, otherwise it forces the
12098 destination address to IPv4 "0.0.0.0" before rewriting the port.
12099
Willy Tarreau2d392c22015-08-24 01:43:45 +020012100 - "silent-drop" :
12101 This stops the evaluation of the rules and makes the client-facing
Davor Ocelice9ed2812017-12-25 17:49:28 +010012102 connection suddenly disappear using a system-dependent way that tries
Willy Tarreau2d392c22015-08-24 01:43:45 +020012103 to prevent the client from being notified. The effect it then that the
12104 client still sees an established connection while there's none on
12105 HAProxy. The purpose is to achieve a comparable effect to "tarpit"
12106 except that it doesn't use any local resource at all on the machine
12107 running HAProxy. It can resist much higher loads than "tarpit", and
Davor Ocelice9ed2812017-12-25 17:49:28 +010012108 slow down stronger attackers. It is important to understand the impact
12109 of using this mechanism. All stateful equipment placed between the
Willy Tarreau2d392c22015-08-24 01:43:45 +020012110 client and HAProxy (firewalls, proxies, load balancers) will also keep
12111 the established connection for a long time and may suffer from this
Davor Ocelice9ed2812017-12-25 17:49:28 +010012112 action. On modern Linux systems running with enough privileges, the
Willy Tarreau2d392c22015-08-24 01:43:45 +020012113 TCP_REPAIR socket option is used to block the emission of a TCP
12114 reset. On other systems, the socket's TTL is reduced to 1 so that the
12115 TCP reset doesn't pass the first router, though it's still delivered to
12116 local networks. Do not use it unless you fully understand how it works.
12117
Willy Tarreaue9656522010-08-17 15:40:09 +020012118 Note that the "if/unless" condition is optional. If no condition is set on
12119 the action, it is simply performed unconditionally. That can be useful for
12120 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020012121
Willy Tarreaue9656522010-08-17 15:40:09 +020012122 Example: accept all connections from white-listed hosts, reject too fast
12123 connection without counting them, and track accepted connections.
12124 This results in connection rate being capped from abusive sources.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020012125
Willy Tarreaue9656522010-08-17 15:40:09 +020012126 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreau68c03ab2010-08-06 15:08:45 +020012127 tcp-request connection reject if { src_conn_rate gt 10 }
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020012128 tcp-request connection track-sc0 src
Willy Tarreau68c03ab2010-08-06 15:08:45 +020012129
Willy Tarreaue9656522010-08-17 15:40:09 +020012130 Example: accept all connections from white-listed hosts, count all other
12131 connections and reject too fast ones. This results in abusive ones
12132 being blocked as long as they don't slow down.
Willy Tarreau68c03ab2010-08-06 15:08:45 +020012133
Willy Tarreaue9656522010-08-17 15:40:09 +020012134 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020012135 tcp-request connection track-sc0 src
12136 tcp-request connection reject if { sc0_conn_rate gt 10 }
Willy Tarreau68c03ab2010-08-06 15:08:45 +020012137
Willy Tarreau4f0d9192013-06-11 20:40:55 +020012138 Example: enable the PROXY protocol for traffic coming from all known proxies.
12139
12140 tcp-request connection expect-proxy layer4 if { src -f proxies.lst }
12141
Willy Tarreau68c03ab2010-08-06 15:08:45 +020012142 See section 7 about ACL usage.
12143
Willy Tarreau4f614292016-10-21 17:49:36 +020012144 See also : "tcp-request session", "tcp-request content", "stick-table"
Willy Tarreau68c03ab2010-08-06 15:08:45 +020012145
12146
Willy Tarreaue9656522010-08-17 15:40:09 +020012147tcp-request content <action> [{if | unless} <condition>]
12148 Perform an action on a new session depending on a layer 4-7 condition
Willy Tarreau62644772008-07-16 18:36:06 +020012149 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +020012150 no | yes | yes | yes
Willy Tarreaue9656522010-08-17 15:40:09 +020012151 Arguments :
Willy Tarreauc870bfd2015-09-28 18:47:38 +020012152 <action> defines the action to perform if the condition applies. See
12153 below.
Willy Tarreau62644772008-07-16 18:36:06 +020012154
Willy Tarreaue9656522010-08-17 15:40:09 +020012155 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
Willy Tarreau62644772008-07-16 18:36:06 +020012156
Davor Ocelice9ed2812017-12-25 17:49:28 +010012157 A request's contents can be analyzed at an early stage of request processing
Willy Tarreaue9656522010-08-17 15:40:09 +020012158 called "TCP content inspection". During this stage, ACL-based rules are
12159 evaluated every time the request contents are updated, until either an
Christopher Fauletae863c62021-03-15 12:03:44 +010012160 "accept", a "reject" or a "switch-mode" rule matches, or the TCP request
12161 inspection delay expires with no matching rule.
Willy Tarreau62644772008-07-16 18:36:06 +020012162
Willy Tarreaue9656522010-08-17 15:40:09 +020012163 The first difference between these rules and "tcp-request connection" rules
12164 is that "tcp-request content" rules can make use of contents to take a
12165 decision. Most often, these decisions will consider a protocol recognition or
12166 validity. The second difference is that content-based rules can be used in
Willy Tarreauf3338342014-01-28 21:40:28 +010012167 both frontends and backends. In case of HTTP keep-alive with the client, all
Daniel Corbett9f0843f2021-05-08 10:50:37 -040012168 tcp-request content rules are evaluated again, so HAProxy keeps a record of
Willy Tarreauf3338342014-01-28 21:40:28 +010012169 what sticky counters were assigned by a "tcp-request connection" versus a
12170 "tcp-request content" rule, and flushes all the content-related ones after
12171 processing an HTTP request, so that they may be evaluated again by the rules
12172 being evaluated again for the next request. This is of particular importance
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012173 when the rule tracks some L7 information or when it is conditioned by an
Willy Tarreauf3338342014-01-28 21:40:28 +010012174 L7-based ACL, since tracking may change between requests.
Willy Tarreau62644772008-07-16 18:36:06 +020012175
Willy Tarreaue9656522010-08-17 15:40:09 +020012176 Content-based rules are evaluated in their exact declaration order. If no
12177 rule matches or if there is no rule, the default action is to accept the
12178 contents. There is no specific limit to the number of rules which may be
12179 inserted.
Willy Tarreau62644772008-07-16 18:36:06 +020012180
Thierry FOURNIER236657b2015-08-19 08:25:14 +020012181 Several types of actions are supported :
Willy Tarreau18bf01e2014-06-13 16:18:52 +020012182 - accept : the request is accepted
Baptiste Assmann333939c2019-01-21 08:34:50 +010012183 - do-resolve: perform a DNS resolution
Willy Tarreau18bf01e2014-06-13 16:18:52 +020012184 - reject : the request is rejected and the connection is closed
12185 - capture : the specified sample expression is captured
Patrick Hemmer268a7072018-05-11 12:52:31 -040012186 - set-priority-class <expr> | set-priority-offset <expr>
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020012187 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>]
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +020012188 - sc-inc-gpc0(<sc-id>)
Frédéric Lécaille6778b272018-01-29 15:22:53 +010012189 - sc-inc-gpc1(<sc-id>)
Cédric Dufour0d7712d2019-11-06 18:38:53 +010012190 - sc-set-gpt0(<sc-id>) { <int> | <expr> }
Baptiste Assmanne1afd4f2019-04-18 16:21:13 +020012191 - set-dst <expr>
12192 - set-dst-port <expr>
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012193 - set-var(<var-name>) <expr>
Christopher Fauletae863c62021-03-15 12:03:44 +010012194 - switch-mode http [ proto <name> ]
Christopher Faulet85d79c92016-11-09 16:54:56 +010012195 - unset-var(<var-name>)
Willy Tarreau2d392c22015-08-24 01:43:45 +020012196 - silent-drop
Davor Ocelice9ed2812017-12-25 17:49:28 +010012197 - send-spoe-group <engine-name> <group-name>
Christopher Faulet579d83b2019-11-22 15:34:17 +010012198 - use-service <service-name>
Willy Tarreau62644772008-07-16 18:36:06 +020012199
Willy Tarreaue9656522010-08-17 15:40:09 +020012200 They have the same meaning as their counter-parts in "tcp-request connection"
12201 so please refer to that section for a complete description.
Baptiste Assmann333939c2019-01-21 08:34:50 +010012202 For "do-resolve" action, please check the "http-request do-resolve"
12203 configuration section.
Willy Tarreau62644772008-07-16 18:36:06 +020012204
Willy Tarreauf3338342014-01-28 21:40:28 +010012205 While there is nothing mandatory about it, it is recommended to use the
12206 track-sc0 in "tcp-request connection" rules, track-sc1 for "tcp-request
12207 content" rules in the frontend, and track-sc2 for "tcp-request content"
12208 rules in the backend, because that makes the configuration more readable
12209 and easier to troubleshoot, but this is just a guideline and all counters
12210 may be used everywhere.
Willy Tarreau62644772008-07-16 18:36:06 +020012211
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010012212 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreaue9656522010-08-17 15:40:09 +020012213 the action, it is simply performed unconditionally. That can be useful for
12214 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau62644772008-07-16 18:36:06 +020012215
Christopher Faulet2079a4a2020-10-02 11:48:57 +020012216 Note also that it is recommended to use a "tcp-request session" rule to track
12217 information that does *not* depend on Layer 7 contents, especially for HTTP
12218 frontends. Some HTTP processing are performed at the session level and may
12219 lead to an early rejection of the requests. Thus, the tracking at the content
12220 level may be disturbed in such case. A warning is emitted during startup to
12221 prevent, as far as possible, such unreliable usage.
12222
Willy Tarreaue9656522010-08-17 15:40:09 +020012223 It is perfectly possible to match layer 7 contents with "tcp-request content"
Christopher Faulet7ea509e2020-10-02 11:38:46 +020012224 rules from a TCP proxy, since HTTP-specific ACL matches are able to
12225 preliminarily parse the contents of a buffer before extracting the required
12226 data. If the buffered contents do not parse as a valid HTTP message, then the
12227 ACL does not match. The parser which is involved there is exactly the same
12228 as for all other HTTP processing, so there is no risk of parsing something
12229 differently. In an HTTP frontend or an HTTP backend, it is guaranteed that
12230 HTTP contents will always be immediately present when the rule is evaluated
12231 first because the HTTP parsing is performed in the early stages of the
12232 connection processing, at the session level. But for such proxies, using
12233 "http-request" rules is much more natural and recommended.
Willy Tarreau62644772008-07-16 18:36:06 +020012234
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010012235 Tracking layer7 information is also possible provided that the information
Willy Tarreau4d54c7c2014-09-16 15:48:15 +020012236 are present when the rule is processed. The rule processing engine is able to
12237 wait until the inspect delay expires when the data to be tracked is not yet
12238 available.
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010012239
Baptiste Assmanne1afd4f2019-04-18 16:21:13 +020012240 The "set-dst" and "set-dst-port" are used to set respectively the destination
12241 IP and port. More information on how to use it at "http-request set-dst".
12242
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012243 The "set-var" is used to set the content of a variable. The variable is
Willy Tarreau4f614292016-10-21 17:49:36 +020012244 declared inline. For "tcp-request session" rules, only session-level
12245 variables can be used, without any layer7 contents.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012246
Daniel Schneller0b547052016-03-21 20:46:57 +010012247 <var-name> The name of the variable starts with an indication about
12248 its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010012249 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010012250 "sess" : the variable is shared with the whole session
12251 "txn" : the variable is shared with the transaction
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012252 (request and response)
Daniel Schneller0b547052016-03-21 20:46:57 +010012253 "req" : the variable is shared only during request
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012254 processing
Daniel Schneller0b547052016-03-21 20:46:57 +010012255 "res" : the variable is shared only during response
12256 processing
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012257 This prefix is followed by a name. The separator is a '.'.
Christopher Fauletb71557a2016-10-31 10:49:03 +010012258 The name may only contain characters 'a-z', 'A-Z', '0-9',
12259 '.' and '_'.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012260
12261 <expr> Is a standard HAProxy expression formed by a sample-fetch
12262 followed by some converters.
12263
Daniel Corbett9f0843f2021-05-08 10:50:37 -040012264 The "switch-mode" is used to perform a connection upgrade. Only HTTP
Christopher Fauletae863c62021-03-15 12:03:44 +010012265 upgrades are supported for now. The protocol may optionally be
12266 specified. This action is only available for a proxy with the frontend
12267 capability. The connection upgrade is immediately performed, following
12268 "tcp-request content" rules are not evaluated. This upgrade method should be
12269 preferred to the implicit one consisting to rely on the backend mode. When
12270 used, it is possible to set HTTP directives in a frontend without any
Ilya Shipitsin3df59892021-05-10 12:50:00 +050012271 warning. These directives will be conditionally evaluated if the HTTP upgrade
Christopher Fauletae863c62021-03-15 12:03:44 +010012272 is performed. However, an HTTP backend must still be selected. It remains
12273 unsupported to route an HTTP connection (upgraded or not) to a TCP server.
12274
Christopher Faulet4d37e532021-03-26 14:44:00 +010012275 See section 4 about Proxies for more details on HTTP upgrades.
12276
Christopher Faulet85d79c92016-11-09 16:54:56 +010012277 The "unset-var" is used to unset a variable. See above for details about
12278 <var-name>.
12279
Patrick Hemmer268a7072018-05-11 12:52:31 -040012280 The "set-priority-class" is used to set the queue priority class of the
12281 current request. The value must be a sample expression which converts to an
12282 integer in the range -2047..2047. Results outside this range will be
12283 truncated. The priority class determines the order in which queued requests
12284 are processed. Lower values have higher priority.
12285
12286 The "set-priority-offset" is used to set the queue priority timestamp offset
12287 of the current request. The value must be a sample expression which converts
12288 to an integer in the range -524287..524287. Results outside this range will be
12289 truncated. When a request is queued, it is ordered first by the priority
12290 class, then by the current timestamp adjusted by the given offset in
12291 milliseconds. Lower values have higher priority.
12292 Note that the resulting timestamp is is only tracked with enough precision for
12293 524,287ms (8m44s287ms). If the request is queued long enough to where the
12294 adjusted timestamp exceeds this value, it will be misidentified as highest
12295 priority. Thus it is important to set "timeout queue" to a value, where when
12296 combined with the offset, does not exceed this limit.
12297
Christopher Faulet76c09ef2017-09-21 11:03:52 +020012298 The "send-spoe-group" is used to trigger sending of a group of SPOE
12299 messages. To do so, the SPOE engine used to send messages must be defined, as
12300 well as the SPOE group to send. Of course, the SPOE engine must refer to an
12301 existing SPOE filter. If not engine name is provided on the SPOE filter line,
12302 the SPOE agent name must be used.
12303
12304 <engine-name> The SPOE engine name.
12305
12306 <group-name> The SPOE group name as specified in the engine configuration.
12307
Christopher Faulet579d83b2019-11-22 15:34:17 +010012308 The "use-service" is used to executes a TCP service which will reply to the
12309 request and stop the evaluation of the rules. This service may choose to
12310 reply by sending any valid response or it may immediately close the
12311 connection without sending anything. Outside natives services, it is possible
12312 to write your own services in Lua. No further "tcp-request" rules are
12313 evaluated.
12314
12315 Example:
12316 tcp-request content use-service lua.deny { src -f /etc/haproxy/blacklist.lst }
12317
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012318 Example:
12319
12320 tcp-request content set-var(sess.my_var) src
Christopher Faulet85d79c92016-11-09 16:54:56 +010012321 tcp-request content unset-var(sess.my_var2)
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012322
Willy Tarreau62644772008-07-16 18:36:06 +020012323 Example:
Willy Tarreaue9656522010-08-17 15:40:09 +020012324 # Accept HTTP requests containing a Host header saying "example.com"
Christopher Fauletae863c62021-03-15 12:03:44 +010012325 # and reject everything else. (Only works for HTTP/1 connections)
Willy Tarreaue9656522010-08-17 15:40:09 +020012326 acl is_host_com hdr(Host) -i example.com
12327 tcp-request inspect-delay 30s
Willy Tarreauc0239e02012-04-16 14:42:55 +020012328 tcp-request content accept if is_host_com
Willy Tarreaue9656522010-08-17 15:40:09 +020012329 tcp-request content reject
12330
Christopher Fauletae863c62021-03-15 12:03:44 +010012331 # Accept HTTP requests containing a Host header saying "example.com"
12332 # and reject everything else. (works for HTTP/1 and HTTP/2 connections)
12333 acl is_host_com hdr(Host) -i example.com
12334 tcp-request inspect-delay 5s
12335 tcp-request switch-mode http if HTTP
12336 tcp-request reject # non-HTTP traffic is implicit here
12337 ...
12338 http-request reject unless is_host_com
12339
Willy Tarreaue9656522010-08-17 15:40:09 +020012340 Example:
Willy Tarreau62644772008-07-16 18:36:06 +020012341 # reject SMTP connection if client speaks first
12342 tcp-request inspect-delay 30s
12343 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +020012344 tcp-request content reject if content_present
Willy Tarreau62644772008-07-16 18:36:06 +020012345
12346 # Forward HTTPS connection only if client speaks
12347 tcp-request inspect-delay 30s
12348 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +020012349 tcp-request content accept if content_present
Willy Tarreaue9656522010-08-17 15:40:09 +020012350 tcp-request content reject
12351
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010012352 Example:
Jarno Huuskonene5ae7022017-04-03 14:36:21 +030012353 # Track the last IP(stick-table type string) from X-Forwarded-For
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010012354 tcp-request inspect-delay 10s
Willy Tarreau4d54c7c2014-09-16 15:48:15 +020012355 tcp-request content track-sc0 hdr(x-forwarded-for,-1)
Jarno Huuskonene5ae7022017-04-03 14:36:21 +030012356 # Or track the last IP(stick-table type ip|ipv6) from X-Forwarded-For
12357 tcp-request content track-sc0 req.hdr_ip(x-forwarded-for,-1)
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010012358
12359 Example:
12360 # track request counts per "base" (concatenation of Host+URL)
12361 tcp-request inspect-delay 10s
Willy Tarreau4d54c7c2014-09-16 15:48:15 +020012362 tcp-request content track-sc0 base table req-rate
Willy Tarreau5d5b5d82012-12-09 12:00:04 +010012363
Willy Tarreaue9656522010-08-17 15:40:09 +020012364 Example: track per-frontend and per-backend counters, block abusers at the
Jarno Huuskonene5ae7022017-04-03 14:36:21 +030012365 frontend when the backend detects abuse(and marks gpc0).
Willy Tarreaue9656522010-08-17 15:40:09 +020012366
12367 frontend http
Davor Ocelice9ed2812017-12-25 17:49:28 +010012368 # Use General Purpose Counter 0 in SC0 as a global abuse counter
Willy Tarreaue9656522010-08-17 15:40:09 +020012369 # protecting all our sites
12370 stick-table type ip size 1m expire 5m store gpc0
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020012371 tcp-request connection track-sc0 src
12372 tcp-request connection reject if { sc0_get_gpc0 gt 0 }
Willy Tarreaue9656522010-08-17 15:40:09 +020012373 ...
12374 use_backend http_dynamic if { path_end .php }
12375
12376 backend http_dynamic
12377 # if a source makes too fast requests to this dynamic site (tracked
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020012378 # by SC1), block it globally in the frontend.
Willy Tarreaue9656522010-08-17 15:40:09 +020012379 stick-table type ip size 1m expire 5m store http_req_rate(10s)
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020012380 acl click_too_fast sc1_http_req_rate gt 10
Jarno Huuskonene5ae7022017-04-03 14:36:21 +030012381 acl mark_as_abuser sc0_inc_gpc0(http) gt 0
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020012382 tcp-request content track-sc1 src
Willy Tarreaue9656522010-08-17 15:40:09 +020012383 tcp-request content reject if click_too_fast mark_as_abuser
Willy Tarreau62644772008-07-16 18:36:06 +020012384
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012385 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +020012386
Jarno Huuskonen95b012b2017-04-06 13:59:14 +030012387 See also : "tcp-request connection", "tcp-request session",
12388 "tcp-request inspect-delay", and "http-request".
Willy Tarreau62644772008-07-16 18:36:06 +020012389
12390
12391tcp-request inspect-delay <timeout>
12392 Set the maximum allowed time to wait for data during content inspection
12393 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +020012394 no | yes | yes | yes
Willy Tarreau62644772008-07-16 18:36:06 +020012395 Arguments :
12396 <timeout> is the timeout value specified in milliseconds by default, but
12397 can be in any other unit if the number is suffixed by the unit,
12398 as explained at the top of this document.
12399
Daniel Corbett9f0843f2021-05-08 10:50:37 -040012400 People using HAProxy primarily as a TCP relay are often worried about the
Willy Tarreau62644772008-07-16 18:36:06 +020012401 risk of passing any type of protocol to a server without any analysis. In
12402 order to be able to analyze the request contents, we must first withhold
12403 the data then analyze them. This statement simply enables withholding of
12404 data for at most the specified amount of time.
12405
Willy Tarreaufb356202010-08-03 14:02:05 +020012406 TCP content inspection applies very early when a connection reaches a
12407 frontend, then very early when the connection is forwarded to a backend. This
12408 means that a connection may experience a first delay in the frontend and a
12409 second delay in the backend if both have tcp-request rules.
12410
Daniel Corbett9f0843f2021-05-08 10:50:37 -040012411 Note that when performing content inspection, HAProxy will evaluate the whole
Willy Tarreau62644772008-07-16 18:36:06 +020012412 rules for every new chunk which gets in, taking into account the fact that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010012413 those data are partial. If no rule matches before the aforementioned delay,
Willy Tarreau62644772008-07-16 18:36:06 +020012414 a last check is performed upon expiration, this time considering that the
Daniel Corbett9f0843f2021-05-08 10:50:37 -040012415 contents are definitive. If no delay is set, HAProxy will not wait at all
Willy Tarreaud869b242009-03-15 14:43:58 +010012416 and will immediately apply a verdict based on the available information.
12417 Obviously this is unlikely to be very useful and might even be racy, so such
12418 setups are not recommended.
Willy Tarreau62644772008-07-16 18:36:06 +020012419
12420 As soon as a rule matches, the request is released and continues as usual. If
12421 the timeout is reached and no rule matches, the default policy will be to let
12422 it pass through unaffected.
12423
12424 For most protocols, it is enough to set it to a few seconds, as most clients
12425 send the full request immediately upon connection. Add 3 or more seconds to
12426 cover TCP retransmits but that's all. For some protocols, it may make sense
Willy Tarreaud72758d2010-01-12 10:42:19 +010012427 to use large values, for instance to ensure that the client never talks
Davor Ocelice9ed2812017-12-25 17:49:28 +010012428 before the server (e.g. SMTP), or to wait for a client to talk before passing
12429 data to the server (e.g. SSL). Note that the client timeout must cover at
Willy Tarreaub824b002010-09-29 16:36:16 +020012430 least the inspection delay, otherwise it will expire first. If the client
12431 closes the connection or if the buffer is full, the delay immediately expires
12432 since the contents will not be able to change anymore.
Willy Tarreau62644772008-07-16 18:36:06 +020012433
Willy Tarreau55165fe2009-05-10 12:02:55 +020012434 See also : "tcp-request content accept", "tcp-request content reject",
Willy Tarreau62644772008-07-16 18:36:06 +020012435 "timeout client".
12436
12437
Emeric Brun0a3b67f2010-09-24 15:34:53 +020012438tcp-response content <action> [{if | unless} <condition>]
12439 Perform an action on a session response depending on a layer 4-7 condition
12440 May be used in sections : defaults | frontend | listen | backend
12441 no | no | yes | yes
12442 Arguments :
Willy Tarreauc870bfd2015-09-28 18:47:38 +020012443 <action> defines the action to perform if the condition applies. See
12444 below.
Emeric Brun0a3b67f2010-09-24 15:34:53 +020012445
12446 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
12447
Davor Ocelice9ed2812017-12-25 17:49:28 +010012448 Response contents can be analyzed at an early stage of response processing
Emeric Brun0a3b67f2010-09-24 15:34:53 +020012449 called "TCP content inspection". During this stage, ACL-based rules are
12450 evaluated every time the response contents are updated, until either an
Willy Tarreaucc1e04b2013-09-11 23:20:29 +020012451 "accept", "close" or a "reject" rule matches, or a TCP response inspection
12452 delay is set and expires with no matching rule.
Emeric Brun0a3b67f2010-09-24 15:34:53 +020012453
12454 Most often, these decisions will consider a protocol recognition or validity.
12455
12456 Content-based rules are evaluated in their exact declaration order. If no
12457 rule matches or if there is no rule, the default action is to accept the
12458 contents. There is no specific limit to the number of rules which may be
12459 inserted.
12460
Thierry FOURNIER236657b2015-08-19 08:25:14 +020012461 Several types of actions are supported :
Emeric Brun0a3b67f2010-09-24 15:34:53 +020012462 - accept :
12463 accepts the response if the condition is true (when used with "if")
12464 or false (when used with "unless"). The first such rule executed ends
12465 the rules evaluation.
12466
Willy Tarreaucc1e04b2013-09-11 23:20:29 +020012467 - close :
12468 immediately closes the connection with the server if the condition is
12469 true (when used with "if"), or false (when used with "unless"). The
12470 first such rule executed ends the rules evaluation. The main purpose of
12471 this action is to force a connection to be finished between a client
12472 and a server after an exchange when the application protocol expects
12473 some long time outs to elapse first. The goal is to eliminate idle
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012474 connections which take significant resources on servers with certain
Willy Tarreaucc1e04b2013-09-11 23:20:29 +020012475 protocols.
12476
Emeric Brun0a3b67f2010-09-24 15:34:53 +020012477 - reject :
12478 rejects the response if the condition is true (when used with "if")
12479 or false (when used with "unless"). The first such rule executed ends
Jamie Gloudonaaa21002012-08-25 00:18:33 -040012480 the rules evaluation. Rejected session are immediately closed.
Emeric Brun0a3b67f2010-09-24 15:34:53 +020012481
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012482 - set-var(<var-name>) <expr>
12483 Sets a variable.
12484
Christopher Faulet85d79c92016-11-09 16:54:56 +010012485 - unset-var(<var-name>)
12486 Unsets a variable.
12487
Thierry FOURNIERe0627bd2015-08-04 08:20:33 +020012488 - sc-inc-gpc0(<sc-id>):
12489 This action increments the GPC0 counter according to the sticky
12490 counter designated by <sc-id>. If an error occurs, this action fails
12491 silently and the actions evaluation continues.
12492
Frédéric Lécaille6778b272018-01-29 15:22:53 +010012493 - sc-inc-gpc1(<sc-id>):
12494 This action increments the GPC1 counter according to the sticky
12495 counter designated by <sc-id>. If an error occurs, this action fails
12496 silently and the actions evaluation continues.
12497
Cédric Dufour0d7712d2019-11-06 18:38:53 +010012498 - sc-set-gpt0(<sc-id>) { <int> | <expr> }
12499 This action sets the 32-bit unsigned GPT0 tag according to the sticky
12500 counter designated by <sc-id> and the value of <int>/<expr>. The
12501 expected result is a boolean. If an error occurs, this action silently
12502 fails and the actions evaluation continues.
Thierry FOURNIER236657b2015-08-19 08:25:14 +020012503
Willy Tarreau2d392c22015-08-24 01:43:45 +020012504 - "silent-drop" :
12505 This stops the evaluation of the rules and makes the client-facing
Davor Ocelice9ed2812017-12-25 17:49:28 +010012506 connection suddenly disappear using a system-dependent way that tries
Willy Tarreau2d392c22015-08-24 01:43:45 +020012507 to prevent the client from being notified. The effect it then that the
12508 client still sees an established connection while there's none on
12509 HAProxy. The purpose is to achieve a comparable effect to "tarpit"
12510 except that it doesn't use any local resource at all on the machine
12511 running HAProxy. It can resist much higher loads than "tarpit", and
Davor Ocelice9ed2812017-12-25 17:49:28 +010012512 slow down stronger attackers. It is important to understand the impact
12513 of using this mechanism. All stateful equipment placed between the
Willy Tarreau2d392c22015-08-24 01:43:45 +020012514 client and HAProxy (firewalls, proxies, load balancers) will also keep
12515 the established connection for a long time and may suffer from this
Davor Ocelice9ed2812017-12-25 17:49:28 +010012516 action. On modern Linux systems running with enough privileges, the
Willy Tarreau2d392c22015-08-24 01:43:45 +020012517 TCP_REPAIR socket option is used to block the emission of a TCP
12518 reset. On other systems, the socket's TTL is reduced to 1 so that the
12519 TCP reset doesn't pass the first router, though it's still delivered to
12520 local networks. Do not use it unless you fully understand how it works.
12521
Christopher Faulet76c09ef2017-09-21 11:03:52 +020012522 - send-spoe-group <engine-name> <group-name>
12523 Send a group of SPOE messages.
12524
Emeric Brun0a3b67f2010-09-24 15:34:53 +020012525 Note that the "if/unless" condition is optional. If no condition is set on
12526 the action, it is simply performed unconditionally. That can be useful for
12527 for changing the default action to a reject.
12528
Jamie Gloudonaaa21002012-08-25 00:18:33 -040012529 It is perfectly possible to match layer 7 contents with "tcp-response
12530 content" rules, but then it is important to ensure that a full response has
12531 been buffered, otherwise no contents will match. In order to achieve this,
12532 the best solution involves detecting the HTTP protocol during the inspection
Emeric Brun0a3b67f2010-09-24 15:34:53 +020012533 period.
12534
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012535 The "set-var" is used to set the content of a variable. The variable is
12536 declared inline.
12537
Daniel Schneller0b547052016-03-21 20:46:57 +010012538 <var-name> The name of the variable starts with an indication about
12539 its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010012540 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010012541 "sess" : the variable is shared with the whole session
12542 "txn" : the variable is shared with the transaction
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012543 (request and response)
Daniel Schneller0b547052016-03-21 20:46:57 +010012544 "req" : the variable is shared only during request
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012545 processing
Daniel Schneller0b547052016-03-21 20:46:57 +010012546 "res" : the variable is shared only during response
12547 processing
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012548 This prefix is followed by a name. The separator is a '.'.
Christopher Fauletb71557a2016-10-31 10:49:03 +010012549 The name may only contain characters 'a-z', 'A-Z', '0-9',
12550 '.' and '_'.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020012551
12552 <expr> Is a standard HAProxy expression formed by a sample-fetch
12553 followed by some converters.
12554
12555 Example:
12556
12557 tcp-request content set-var(sess.my_var) src
12558
Christopher Faulet85d79c92016-11-09 16:54:56 +010012559 The "unset-var" is used to unset a variable. See above for details about
12560 <var-name>.
12561
12562 Example:
12563
12564 tcp-request content unset-var(sess.my_var)
12565
Christopher Faulet76c09ef2017-09-21 11:03:52 +020012566 The "send-spoe-group" is used to trigger sending of a group of SPOE
12567 messages. To do so, the SPOE engine used to send messages must be defined, as
12568 well as the SPOE group to send. Of course, the SPOE engine must refer to an
12569 existing SPOE filter. If not engine name is provided on the SPOE filter line,
12570 the SPOE agent name must be used.
12571
12572 <engine-name> The SPOE engine name.
12573
12574 <group-name> The SPOE group name as specified in the engine configuration.
12575
Emeric Brun0a3b67f2010-09-24 15:34:53 +020012576 See section 7 about ACL usage.
12577
12578 See also : "tcp-request content", "tcp-response inspect-delay"
12579
12580
Willy Tarreau4f614292016-10-21 17:49:36 +020012581tcp-request session <action> [{if | unless} <condition>]
12582 Perform an action on a validated session depending on a layer 5 condition
12583 May be used in sections : defaults | frontend | listen | backend
12584 no | yes | yes | no
12585 Arguments :
12586 <action> defines the action to perform if the condition applies. See
12587 below.
12588
12589 <condition> is a standard layer5-only ACL-based condition (see section 7).
12590
Davor Ocelice9ed2812017-12-25 17:49:28 +010012591 Once a session is validated, (i.e. after all handshakes have been completed),
Willy Tarreau4f614292016-10-21 17:49:36 +020012592 it is possible to evaluate some conditions to decide whether this session
12593 must be accepted or dropped or have its counters tracked. Those conditions
12594 cannot make use of any data contents because no buffers are allocated yet and
12595 the processing cannot wait at this stage. The main use case it to copy some
12596 early information into variables (since variables are accessible in the
12597 session), or to keep track of some information collected after the handshake,
12598 such as SSL-level elements (SNI, ciphers, client cert's CN) or information
Davor Ocelice9ed2812017-12-25 17:49:28 +010012599 from the PROXY protocol header (e.g. track a source forwarded this way). The
Willy Tarreau4f614292016-10-21 17:49:36 +020012600 extracted information can thus be copied to a variable or tracked using
12601 "track-sc" rules. Of course it is also possible to decide to accept/reject as
12602 with other rulesets. Most operations performed here could also be performed
12603 in "tcp-request content" rules, except that in HTTP these rules are evaluated
12604 for each new request, and that might not always be acceptable. For example a
12605 rule might increment a counter on each evaluation. It would also be possible
12606 that a country is resolved by geolocation from the source IP address,
12607 assigned to a session-wide variable, then the source address rewritten from
12608 an HTTP header for all requests. If some contents need to be inspected in
12609 order to take the decision, the "tcp-request content" statements must be used
12610 instead.
12611
12612 The "tcp-request session" rules are evaluated in their exact declaration
12613 order. If no rule matches or if there is no rule, the default action is to
12614 accept the incoming session. There is no specific limit to the number of
12615 rules which may be inserted.
12616
12617 Several types of actions are supported :
12618 - accept : the request is accepted
12619 - reject : the request is rejected and the connection is closed
12620 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>]
12621 - sc-inc-gpc0(<sc-id>)
Frédéric Lécaille6778b272018-01-29 15:22:53 +010012622 - sc-inc-gpc1(<sc-id>)
Cédric Dufour0d7712d2019-11-06 18:38:53 +010012623 - sc-set-gpt0(<sc-id>) { <int> | <expr> }
Willy Tarreau4f614292016-10-21 17:49:36 +020012624 - set-var(<var-name>) <expr>
Christopher Faulet85d79c92016-11-09 16:54:56 +010012625 - unset-var(<var-name>)
Willy Tarreau4f614292016-10-21 17:49:36 +020012626 - silent-drop
12627
12628 These actions have the same meaning as their respective counter-parts in
12629 "tcp-request connection" and "tcp-request content", so please refer to these
12630 sections for a complete description.
12631
12632 Note that the "if/unless" condition is optional. If no condition is set on
12633 the action, it is simply performed unconditionally. That can be useful for
12634 "track-sc*" actions as well as for changing the default action to a reject.
12635
12636 Example: track the original source address by default, or the one advertised
12637 in the PROXY protocol header for connection coming from the local
12638 proxies. The first connection-level rule enables receipt of the
12639 PROXY protocol for these ones, the second rule tracks whatever
12640 address we decide to keep after optional decoding.
12641
12642 tcp-request connection expect-proxy layer4 if { src -f proxies.lst }
12643 tcp-request session track-sc0 src
12644
12645 Example: accept all sessions from white-listed hosts, reject too fast
12646 sessions without counting them, and track accepted sessions.
12647 This results in session rate being capped from abusive sources.
12648
12649 tcp-request session accept if { src -f /etc/haproxy/whitelist.lst }
12650 tcp-request session reject if { src_sess_rate gt 10 }
12651 tcp-request session track-sc0 src
12652
12653 Example: accept all sessions from white-listed hosts, count all other
12654 sessions and reject too fast ones. This results in abusive ones
12655 being blocked as long as they don't slow down.
12656
12657 tcp-request session accept if { src -f /etc/haproxy/whitelist.lst }
12658 tcp-request session track-sc0 src
12659 tcp-request session reject if { sc0_sess_rate gt 10 }
12660
12661 See section 7 about ACL usage.
12662
12663 See also : "tcp-request connection", "tcp-request content", "stick-table"
12664
12665
Emeric Brun0a3b67f2010-09-24 15:34:53 +020012666tcp-response inspect-delay <timeout>
12667 Set the maximum allowed time to wait for a response during content inspection
12668 May be used in sections : defaults | frontend | listen | backend
12669 no | no | yes | yes
12670 Arguments :
12671 <timeout> is the timeout value specified in milliseconds by default, but
12672 can be in any other unit if the number is suffixed by the unit,
12673 as explained at the top of this document.
12674
12675 See also : "tcp-response content", "tcp-request inspect-delay".
12676
12677
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +010012678timeout check <timeout>
12679 Set additional check timeout, but only after a connection has been already
12680 established.
12681
12682 May be used in sections: defaults | frontend | listen | backend
12683 yes | no | yes | yes
12684 Arguments:
12685 <timeout> is the timeout value specified in milliseconds by default, but
12686 can be in any other unit if the number is suffixed by the unit,
12687 as explained at the top of this document.
12688
Daniel Corbett9f0843f2021-05-08 10:50:37 -040012689 If set, HAProxy uses min("timeout connect", "inter") as a connect timeout
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +010012690 for check and "timeout check" as an additional read timeout. The "min" is
Davor Ocelice9ed2812017-12-25 17:49:28 +010012691 used so that people running with *very* long "timeout connect" (e.g. those
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +010012692 who needed this due to the queue or tarpit) do not slow down their checks.
Willy Tarreaud7550a22010-02-10 05:10:19 +010012693 (Please also note that there is no valid reason to have such long connect
12694 timeouts, because "timeout queue" and "timeout tarpit" can always be used to
12695 avoid that).
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +010012696
Daniel Corbett9f0843f2021-05-08 10:50:37 -040012697 If "timeout check" is not set HAProxy uses "inter" for complete check
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +010012698 timeout (connect + read) exactly like all <1.3.15 version.
12699
12700 In most cases check request is much simpler and faster to handle than normal
12701 requests and people may want to kick out laggy servers so this timeout should
Willy Tarreau41a340d2008-01-22 12:25:31 +010012702 be smaller than "timeout server".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +010012703
12704 This parameter is specific to backends, but can be specified once for all in
12705 "defaults" sections. This is in fact one of the easiest solutions not to
12706 forget about it.
12707
Willy Tarreau41a340d2008-01-22 12:25:31 +010012708 See also: "timeout connect", "timeout queue", "timeout server",
12709 "timeout tarpit".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +010012710
12711
Willy Tarreau0ba27502007-12-24 16:55:16 +010012712timeout client <timeout>
Willy Tarreau0ba27502007-12-24 16:55:16 +010012713 Set the maximum inactivity time on the client side.
12714 May be used in sections : defaults | frontend | listen | backend
12715 yes | yes | yes | no
12716 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +010012717 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +010012718 can be in any other unit if the number is suffixed by the unit,
12719 as explained at the top of this document.
12720
12721 The inactivity timeout applies when the client is expected to acknowledge or
12722 send data. In HTTP mode, this timeout is particularly important to consider
12723 during the first phase, when the client sends the request, and during the
Baptiste Assmann2e1941e2016-03-06 23:24:12 +010012724 response while it is reading data sent by the server. That said, for the
12725 first phase, it is preferable to set the "timeout http-request" to better
12726 protect HAProxy from Slowloris like attacks. The value is specified in
12727 milliseconds by default, but can be in any other unit if the number is
Willy Tarreau0ba27502007-12-24 16:55:16 +010012728 suffixed by the unit, as specified at the top of this document. In TCP mode
12729 (and to a lesser extent, in HTTP mode), it is highly recommended that the
12730 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +010012731 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +010012732 losses by specifying timeouts that are slightly above multiples of 3 seconds
Davor Ocelice9ed2812017-12-25 17:49:28 +010012733 (e.g. 4 or 5 seconds). If some long-lived sessions are mixed with short-lived
12734 sessions (e.g. WebSocket and HTTP), it's worth considering "timeout tunnel",
Willy Tarreau05cdd962014-05-10 14:30:07 +020012735 which overrides "timeout client" and "timeout server" for tunnels, as well as
12736 "timeout client-fin" for half-closed connections.
Willy Tarreau0ba27502007-12-24 16:55:16 +010012737
12738 This parameter is specific to frontends, but can be specified once for all in
12739 "defaults" sections. This is in fact one of the easiest solutions not to
12740 forget about it. An unspecified timeout results in an infinite timeout, which
12741 is not recommended. Such a usage is accepted and works but reports a warning
John Roeslerfb2fce12019-07-10 15:45:51 -050012742 during startup because it may result in accumulation of expired sessions in
Willy Tarreau0ba27502007-12-24 16:55:16 +010012743 the system if the system's timeouts are not configured either.
12744
Willy Tarreau95c4e142017-11-26 12:18:55 +010012745 This also applies to HTTP/2 connections, which will be closed with GOAWAY.
Lukas Tribus75df9d72017-11-24 19:05:12 +010012746
Tim Duesterhus86e6b6e2019-05-14 20:57:59 +020012747 See also : "timeout server", "timeout tunnel", "timeout http-request".
Willy Tarreau0ba27502007-12-24 16:55:16 +010012748
Willy Tarreau0ba27502007-12-24 16:55:16 +010012749
Willy Tarreau05cdd962014-05-10 14:30:07 +020012750timeout client-fin <timeout>
12751 Set the inactivity timeout on the client side for half-closed connections.
12752 May be used in sections : defaults | frontend | listen | backend
12753 yes | yes | yes | no
12754 Arguments :
12755 <timeout> is the timeout value specified in milliseconds by default, but
12756 can be in any other unit if the number is suffixed by the unit,
12757 as explained at the top of this document.
12758
12759 The inactivity timeout applies when the client is expected to acknowledge or
12760 send data while one direction is already shut down. This timeout is different
12761 from "timeout client" in that it only applies to connections which are closed
12762 in one direction. This is particularly useful to avoid keeping connections in
12763 FIN_WAIT state for too long when clients do not disconnect cleanly. This
12764 problem is particularly common long connections such as RDP or WebSocket.
12765 Note that this timeout can override "timeout tunnel" when a connection shuts
Willy Tarreau599391a2017-11-24 10:16:00 +010012766 down in one direction. It is applied to idle HTTP/2 connections once a GOAWAY
12767 frame was sent, often indicating an expectation that the connection quickly
12768 ends.
Willy Tarreau05cdd962014-05-10 14:30:07 +020012769
12770 This parameter is specific to frontends, but can be specified once for all in
12771 "defaults" sections. By default it is not set, so half-closed connections
12772 will use the other timeouts (timeout.client or timeout.tunnel).
12773
12774 See also : "timeout client", "timeout server-fin", and "timeout tunnel".
12775
12776
Willy Tarreau0ba27502007-12-24 16:55:16 +010012777timeout connect <timeout>
Willy Tarreau0ba27502007-12-24 16:55:16 +010012778 Set the maximum time to wait for a connection attempt to a server to succeed.
12779 May be used in sections : defaults | frontend | listen | backend
12780 yes | no | yes | yes
12781 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +010012782 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +010012783 can be in any other unit if the number is suffixed by the unit,
12784 as explained at the top of this document.
12785
Daniel Corbett9f0843f2021-05-08 10:50:37 -040012786 If the server is located on the same LAN as HAProxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +010012787 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +010012788 cover one or several TCP packet losses by specifying timeouts that are
Davor Ocelice9ed2812017-12-25 17:49:28 +010012789 slightly above multiples of 3 seconds (e.g. 4 or 5 seconds). By default, the
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +010012790 connect timeout also presets both queue and tarpit timeouts to the same value
12791 if these have not been specified.
Willy Tarreau0ba27502007-12-24 16:55:16 +010012792
12793 This parameter is specific to backends, but can be specified once for all in
12794 "defaults" sections. This is in fact one of the easiest solutions not to
12795 forget about it. An unspecified timeout results in an infinite timeout, which
12796 is not recommended. Such a usage is accepted and works but reports a warning
John Roeslerfb2fce12019-07-10 15:45:51 -050012797 during startup because it may result in accumulation of failed sessions in
Willy Tarreau0ba27502007-12-24 16:55:16 +010012798 the system if the system's timeouts are not configured either.
12799
Tim Duesterhus86e6b6e2019-05-14 20:57:59 +020012800 See also: "timeout check", "timeout queue", "timeout server", "timeout tarpit".
Willy Tarreau0ba27502007-12-24 16:55:16 +010012801
Willy Tarreau0ba27502007-12-24 16:55:16 +010012802
Willy Tarreaub16a5742010-01-10 14:46:16 +010012803timeout http-keep-alive <timeout>
12804 Set the maximum allowed time to wait for a new HTTP request to appear
12805 May be used in sections : defaults | frontend | listen | backend
12806 yes | yes | yes | yes
12807 Arguments :
12808 <timeout> is the timeout value specified in milliseconds by default, but
12809 can be in any other unit if the number is suffixed by the unit,
12810 as explained at the top of this document.
12811
12812 By default, the time to wait for a new request in case of keep-alive is set
12813 by "timeout http-request". However this is not always convenient because some
12814 people want very short keep-alive timeouts in order to release connections
12815 faster, and others prefer to have larger ones but still have short timeouts
12816 once the request has started to present itself.
12817
12818 The "http-keep-alive" timeout covers these needs. It will define how long to
12819 wait for a new HTTP request to start coming after a response was sent. Once
12820 the first byte of request has been seen, the "http-request" timeout is used
12821 to wait for the complete request to come. Note that empty lines prior to a
12822 new request do not refresh the timeout and are not counted as a new request.
12823
12824 There is also another difference between the two timeouts : when a connection
12825 expires during timeout http-keep-alive, no error is returned, the connection
12826 just closes. If the connection expires in "http-request" while waiting for a
12827 connection to complete, a HTTP 408 error is returned.
12828
12829 In general it is optimal to set this value to a few tens to hundreds of
12830 milliseconds, to allow users to fetch all objects of a page at once but
Davor Ocelice9ed2812017-12-25 17:49:28 +010012831 without waiting for further clicks. Also, if set to a very small value (e.g.
Willy Tarreaub16a5742010-01-10 14:46:16 +010012832 1 millisecond) it will probably only accept pipelined requests but not the
12833 non-pipelined ones. It may be a nice trade-off for very large sites running
Patrick Mézard2382ad62010-05-09 10:43:32 +020012834 with tens to hundreds of thousands of clients.
Willy Tarreaub16a5742010-01-10 14:46:16 +010012835
12836 If this parameter is not set, the "http-request" timeout applies, and if both
12837 are not set, "timeout client" still applies at the lower level. It should be
12838 set in the frontend to take effect, unless the frontend is in TCP mode, in
12839 which case the HTTP backend's timeout will be used.
12840
Willy Tarreau95c4e142017-11-26 12:18:55 +010012841 When using HTTP/2 "timeout client" is applied instead. This is so we can keep
12842 using short keep-alive timeouts in HTTP/1.1 while using longer ones in HTTP/2
Lukas Tribus75df9d72017-11-24 19:05:12 +010012843 (where we only have one connection per client and a connection setup).
12844
Willy Tarreaub16a5742010-01-10 14:46:16 +010012845 See also : "timeout http-request", "timeout client".
12846
12847
Willy Tarreau036fae02008-01-06 13:24:40 +010012848timeout http-request <timeout>
12849 Set the maximum allowed time to wait for a complete HTTP request
12850 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaucd7afc02009-07-12 10:03:17 +020012851 yes | yes | yes | yes
Willy Tarreau036fae02008-01-06 13:24:40 +010012852 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +010012853 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau036fae02008-01-06 13:24:40 +010012854 can be in any other unit if the number is suffixed by the unit,
12855 as explained at the top of this document.
12856
12857 In order to offer DoS protection, it may be required to lower the maximum
12858 accepted time to receive a complete HTTP request without affecting the client
12859 timeout. This helps protecting against established connections on which
12860 nothing is sent. The client timeout cannot offer a good protection against
12861 this abuse because it is an inactivity timeout, which means that if the
12862 attacker sends one character every now and then, the timeout will not
12863 trigger. With the HTTP request timeout, no matter what speed the client
Willy Tarreau2705a612014-05-23 17:38:34 +020012864 types, the request will be aborted if it does not complete in time. When the
12865 timeout expires, an HTTP 408 response is sent to the client to inform it
12866 about the problem, and the connection is closed. The logs will report
12867 termination codes "cR". Some recent browsers are having problems with this
Davor Ocelice9ed2812017-12-25 17:49:28 +010012868 standard, well-documented behavior, so it might be needed to hide the 408
Willy Tarreau0f228a02015-05-01 15:37:53 +020012869 code using "option http-ignore-probes" or "errorfile 408 /dev/null". See
12870 more details in the explanations of the "cR" termination code in section 8.5.
Willy Tarreau036fae02008-01-06 13:24:40 +010012871
Baptiste Assmanneccdf432015-10-28 13:49:01 +010012872 By default, this timeout only applies to the header part of the request,
12873 and not to any data. As soon as the empty line is received, this timeout is
12874 not used anymore. When combined with "option http-buffer-request", this
12875 timeout also applies to the body of the request..
12876 It is used again on keep-alive connections to wait for a second
Willy Tarreaub16a5742010-01-10 14:46:16 +010012877 request if "timeout http-keep-alive" is not set.
Willy Tarreau036fae02008-01-06 13:24:40 +010012878
12879 Generally it is enough to set it to a few seconds, as most clients send the
12880 full request immediately upon connection. Add 3 or more seconds to cover TCP
Davor Ocelice9ed2812017-12-25 17:49:28 +010012881 retransmits but that's all. Setting it to very low values (e.g. 50 ms) will
Willy Tarreau036fae02008-01-06 13:24:40 +010012882 generally work on local networks as long as there are no packet losses. This
12883 will prevent people from sending bare HTTP requests using telnet.
12884
12885 If this parameter is not set, the client timeout still applies between each
Willy Tarreaucd7afc02009-07-12 10:03:17 +020012886 chunk of the incoming request. It should be set in the frontend to take
12887 effect, unless the frontend is in TCP mode, in which case the HTTP backend's
12888 timeout will be used.
Willy Tarreau036fae02008-01-06 13:24:40 +010012889
Willy Tarreau0f228a02015-05-01 15:37:53 +020012890 See also : "errorfile", "http-ignore-probes", "timeout http-keep-alive", and
Baptiste Assmanneccdf432015-10-28 13:49:01 +010012891 "timeout client", "option http-buffer-request".
Willy Tarreau036fae02008-01-06 13:24:40 +010012892
Willy Tarreau844e3c52008-01-11 16:28:18 +010012893
12894timeout queue <timeout>
12895 Set the maximum time to wait in the queue for a connection slot to be free
12896 May be used in sections : defaults | frontend | listen | backend
12897 yes | no | yes | yes
12898 Arguments :
12899 <timeout> is the timeout value specified in milliseconds by default, but
12900 can be in any other unit if the number is suffixed by the unit,
12901 as explained at the top of this document.
12902
12903 When a server's maxconn is reached, connections are left pending in a queue
12904 which may be server-specific or global to the backend. In order not to wait
12905 indefinitely, a timeout is applied to requests pending in the queue. If the
12906 timeout is reached, it is considered that the request will almost never be
12907 served, so it is dropped and a 503 error is returned to the client.
12908
12909 The "timeout queue" statement allows to fix the maximum time for a request to
12910 be left pending in a queue. If unspecified, the same value as the backend's
12911 connection timeout ("timeout connect") is used, for backwards compatibility
12912 with older versions with no "timeout queue" parameter.
12913
Tim Duesterhus86e6b6e2019-05-14 20:57:59 +020012914 See also : "timeout connect".
Willy Tarreau844e3c52008-01-11 16:28:18 +010012915
12916
12917timeout server <timeout>
Willy Tarreau844e3c52008-01-11 16:28:18 +010012918 Set the maximum inactivity time on the server side.
12919 May be used in sections : defaults | frontend | listen | backend
12920 yes | no | yes | yes
12921 Arguments :
12922 <timeout> is the timeout value specified in milliseconds by default, but
12923 can be in any other unit if the number is suffixed by the unit,
12924 as explained at the top of this document.
12925
12926 The inactivity timeout applies when the server is expected to acknowledge or
12927 send data. In HTTP mode, this timeout is particularly important to consider
12928 during the first phase of the server's response, when it has to send the
12929 headers, as it directly represents the server's processing time for the
12930 request. To find out what value to put there, it's often good to start with
12931 what would be considered as unacceptable response times, then check the logs
12932 to observe the response time distribution, and adjust the value accordingly.
12933
12934 The value is specified in milliseconds by default, but can be in any other
12935 unit if the number is suffixed by the unit, as specified at the top of this
12936 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
12937 recommended that the client timeout remains equal to the server timeout in
12938 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +010012939 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +010012940 packet losses by specifying timeouts that are slightly above multiples of 3
Davor Ocelice9ed2812017-12-25 17:49:28 +010012941 seconds (e.g. 4 or 5 seconds minimum). If some long-lived sessions are mixed
12942 with short-lived sessions (e.g. WebSocket and HTTP), it's worth considering
Willy Tarreauce887fd2012-05-12 12:50:00 +020012943 "timeout tunnel", which overrides "timeout client" and "timeout server" for
12944 tunnels.
Willy Tarreau844e3c52008-01-11 16:28:18 +010012945
12946 This parameter is specific to backends, but can be specified once for all in
12947 "defaults" sections. This is in fact one of the easiest solutions not to
12948 forget about it. An unspecified timeout results in an infinite timeout, which
12949 is not recommended. Such a usage is accepted and works but reports a warning
John Roeslerfb2fce12019-07-10 15:45:51 -050012950 during startup because it may result in accumulation of expired sessions in
Willy Tarreau844e3c52008-01-11 16:28:18 +010012951 the system if the system's timeouts are not configured either.
12952
Tim Duesterhus86e6b6e2019-05-14 20:57:59 +020012953 See also : "timeout client" and "timeout tunnel".
Willy Tarreau844e3c52008-01-11 16:28:18 +010012954
Willy Tarreau05cdd962014-05-10 14:30:07 +020012955
12956timeout server-fin <timeout>
12957 Set the inactivity timeout on the server side for half-closed connections.
12958 May be used in sections : defaults | frontend | listen | backend
12959 yes | no | yes | yes
12960 Arguments :
12961 <timeout> is the timeout value specified in milliseconds by default, but
12962 can be in any other unit if the number is suffixed by the unit,
12963 as explained at the top of this document.
12964
12965 The inactivity timeout applies when the server is expected to acknowledge or
12966 send data while one direction is already shut down. This timeout is different
12967 from "timeout server" in that it only applies to connections which are closed
12968 in one direction. This is particularly useful to avoid keeping connections in
12969 FIN_WAIT state for too long when a remote server does not disconnect cleanly.
12970 This problem is particularly common long connections such as RDP or WebSocket.
12971 Note that this timeout can override "timeout tunnel" when a connection shuts
12972 down in one direction. This setting was provided for completeness, but in most
12973 situations, it should not be needed.
12974
12975 This parameter is specific to backends, but can be specified once for all in
12976 "defaults" sections. By default it is not set, so half-closed connections
12977 will use the other timeouts (timeout.server or timeout.tunnel).
12978
12979 See also : "timeout client-fin", "timeout server", and "timeout tunnel".
12980
Willy Tarreau844e3c52008-01-11 16:28:18 +010012981
12982timeout tarpit <timeout>
Cyril Bonté78caf842010-03-10 22:41:43 +010012983 Set the duration for which tarpitted connections will be maintained
Willy Tarreau844e3c52008-01-11 16:28:18 +010012984 May be used in sections : defaults | frontend | listen | backend
12985 yes | yes | yes | yes
12986 Arguments :
12987 <timeout> is the tarpit duration specified in milliseconds by default, but
12988 can be in any other unit if the number is suffixed by the unit,
12989 as explained at the top of this document.
12990
Christopher Faulet87f1f3d2019-07-18 14:51:20 +020012991 When a connection is tarpitted using "http-request tarpit", it is maintained
12992 open with no activity for a certain amount of time, then closed. "timeout
12993 tarpit" defines how long it will be maintained open.
Willy Tarreau844e3c52008-01-11 16:28:18 +010012994
12995 The value is specified in milliseconds by default, but can be in any other
12996 unit if the number is suffixed by the unit, as specified at the top of this
12997 document. If unspecified, the same value as the backend's connection timeout
12998 ("timeout connect") is used, for backwards compatibility with older versions
Cyril Bonté78caf842010-03-10 22:41:43 +010012999 with no "timeout tarpit" parameter.
Willy Tarreau844e3c52008-01-11 16:28:18 +010013000
Tim Duesterhus86e6b6e2019-05-14 20:57:59 +020013001 See also : "timeout connect".
Willy Tarreau844e3c52008-01-11 16:28:18 +010013002
13003
Willy Tarreauce887fd2012-05-12 12:50:00 +020013004timeout tunnel <timeout>
13005 Set the maximum inactivity time on the client and server side for tunnels.
13006 May be used in sections : defaults | frontend | listen | backend
13007 yes | no | yes | yes
13008 Arguments :
13009 <timeout> is the timeout value specified in milliseconds by default, but
13010 can be in any other unit if the number is suffixed by the unit,
13011 as explained at the top of this document.
13012
Jamie Gloudonaaa21002012-08-25 00:18:33 -040013013 The tunnel timeout applies when a bidirectional connection is established
Willy Tarreauce887fd2012-05-12 12:50:00 +020013014 between a client and a server, and the connection remains inactive in both
13015 directions. This timeout supersedes both the client and server timeouts once
13016 the connection becomes a tunnel. In TCP, this timeout is used as soon as no
Davor Ocelice9ed2812017-12-25 17:49:28 +010013017 analyzer remains attached to either connection (e.g. tcp content rules are
13018 accepted). In HTTP, this timeout is used when a connection is upgraded (e.g.
Willy Tarreauce887fd2012-05-12 12:50:00 +020013019 when switching to the WebSocket protocol, or forwarding a CONNECT request
13020 to a proxy), or after the first response when no keepalive/close option is
13021 specified.
13022
Willy Tarreau05cdd962014-05-10 14:30:07 +020013023 Since this timeout is usually used in conjunction with long-lived connections,
13024 it usually is a good idea to also set "timeout client-fin" to handle the
13025 situation where a client suddenly disappears from the net and does not
13026 acknowledge a close, or sends a shutdown and does not acknowledge pending
13027 data anymore. This can happen in lossy networks where firewalls are present,
13028 and is detected by the presence of large amounts of sessions in a FIN_WAIT
13029 state.
13030
Willy Tarreauce887fd2012-05-12 12:50:00 +020013031 The value is specified in milliseconds by default, but can be in any other
13032 unit if the number is suffixed by the unit, as specified at the top of this
13033 document. Whatever the expected normal idle time, it is a good practice to
13034 cover at least one or several TCP packet losses by specifying timeouts that
Davor Ocelice9ed2812017-12-25 17:49:28 +010013035 are slightly above multiples of 3 seconds (e.g. 4 or 5 seconds minimum).
Willy Tarreauce887fd2012-05-12 12:50:00 +020013036
13037 This parameter is specific to backends, but can be specified once for all in
13038 "defaults" sections. This is in fact one of the easiest solutions not to
13039 forget about it.
13040
13041 Example :
13042 defaults http
13043 option http-server-close
13044 timeout connect 5s
13045 timeout client 30s
Willy Tarreau05cdd962014-05-10 14:30:07 +020013046 timeout client-fin 30s
Willy Tarreauce887fd2012-05-12 12:50:00 +020013047 timeout server 30s
13048 timeout tunnel 1h # timeout to use with WebSocket and CONNECT
13049
Willy Tarreau05cdd962014-05-10 14:30:07 +020013050 See also : "timeout client", "timeout client-fin", "timeout server".
Willy Tarreauce887fd2012-05-12 12:50:00 +020013051
13052
Willy Tarreau844e3c52008-01-11 16:28:18 +010013053transparent (deprecated)
13054 Enable client-side transparent proxying
13055 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +010013056 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +010013057 Arguments : none
13058
13059 This keyword was introduced in order to provide layer 7 persistence to layer
13060 3 load balancers. The idea is to use the OS's ability to redirect an incoming
13061 connection for a remote address to a local process (here HAProxy), and let
13062 this process know what address was initially requested. When this option is
13063 used, sessions without cookies will be forwarded to the original destination
13064 IP address of the incoming request (which should match that of another
13065 equipment), while requests with cookies will still be forwarded to the
13066 appropriate server.
13067
13068 The "transparent" keyword is deprecated, use "option transparent" instead.
13069
13070 Note that contrary to a common belief, this option does NOT make HAProxy
13071 present the client's IP to the server when establishing the connection.
13072
Willy Tarreau844e3c52008-01-11 16:28:18 +010013073 See also: "option transparent"
13074
William Lallemanda73203e2012-03-12 12:48:57 +010013075unique-id-format <string>
13076 Generate a unique ID for each request.
13077 May be used in sections : defaults | frontend | listen | backend
13078 yes | yes | yes | no
13079 Arguments :
13080 <string> is a log-format string.
13081
Cyril Bonté108cf6e2012-04-21 23:30:29 +020013082 This keyword creates a ID for each request using the custom log format. A
13083 unique ID is useful to trace a request passing through many components of
13084 a complex infrastructure. The newly created ID may also be logged using the
13085 %ID tag the log-format string.
William Lallemanda73203e2012-03-12 12:48:57 +010013086
Cyril Bonté108cf6e2012-04-21 23:30:29 +020013087 The format should be composed from elements that are guaranteed to be
Daniel Corbett9f0843f2021-05-08 10:50:37 -040013088 unique when combined together. For instance, if multiple HAProxy instances
Cyril Bonté108cf6e2012-04-21 23:30:29 +020013089 are involved, it might be important to include the node name. It is often
13090 needed to log the incoming connection's source and destination addresses
13091 and ports. Note that since multiple requests may be performed over the same
13092 connection, including a request counter may help differentiate them.
13093 Similarly, a timestamp may protect against a rollover of the counter.
13094 Logging the process ID will avoid collisions after a service restart.
William Lallemanda73203e2012-03-12 12:48:57 +010013095
Cyril Bonté108cf6e2012-04-21 23:30:29 +020013096 It is recommended to use hexadecimal notation for many fields since it
13097 makes them more compact and saves space in logs.
William Lallemanda73203e2012-03-12 12:48:57 +010013098
Cyril Bonté108cf6e2012-04-21 23:30:29 +020013099 Example:
William Lallemanda73203e2012-03-12 12:48:57 +010013100
Julien Vehentf21be322014-03-07 08:27:34 -050013101 unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
William Lallemanda73203e2012-03-12 12:48:57 +010013102
13103 will generate:
13104
13105 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
13106
13107 See also: "unique-id-header"
13108
13109unique-id-header <name>
13110 Add a unique ID header in the HTTP request.
13111 May be used in sections : defaults | frontend | listen | backend
13112 yes | yes | yes | no
13113 Arguments :
13114 <name> is the name of the header.
13115
Cyril Bonté108cf6e2012-04-21 23:30:29 +020013116 Add a unique-id header in the HTTP request sent to the server, using the
13117 unique-id-format. It can't work if the unique-id-format doesn't exist.
William Lallemanda73203e2012-03-12 12:48:57 +010013118
Cyril Bonté108cf6e2012-04-21 23:30:29 +020013119 Example:
William Lallemanda73203e2012-03-12 12:48:57 +010013120
Julien Vehentf21be322014-03-07 08:27:34 -050013121 unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
William Lallemanda73203e2012-03-12 12:48:57 +010013122 unique-id-header X-Unique-ID
13123
13124 will generate:
13125
13126 X-Unique-ID: 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
13127
13128 See also: "unique-id-format"
Willy Tarreau844e3c52008-01-11 16:28:18 +010013129
Willy Tarreauf51658d2014-04-23 01:21:56 +020013130use_backend <backend> [{if | unless} <condition>]
Willy Tarreau1d0dfb12009-07-07 15:10:31 +020013131 Switch to a specific backend if/unless an ACL-based condition is matched.
Willy Tarreau844e3c52008-01-11 16:28:18 +010013132 May be used in sections : defaults | frontend | listen | backend
13133 no | yes | yes | no
13134 Arguments :
Bertrand Jacquin702d44f2013-11-19 11:43:06 +010013135 <backend> is the name of a valid backend or "listen" section, or a
13136 "log-format" string resolving to a backend name.
Willy Tarreau844e3c52008-01-11 16:28:18 +010013137
Willy Tarreauf51658d2014-04-23 01:21:56 +020013138 <condition> is a condition composed of ACLs, as described in section 7. If
13139 it is omitted, the rule is unconditionally applied.
Willy Tarreau844e3c52008-01-11 16:28:18 +010013140
13141 When doing content-switching, connections arrive on a frontend and are then
13142 dispatched to various backends depending on a number of conditions. The
13143 relation between the conditions and the backends is described with the
Willy Tarreau1d0dfb12009-07-07 15:10:31 +020013144 "use_backend" keyword. While it is normally used with HTTP processing, it can
Davor Ocelice9ed2812017-12-25 17:49:28 +010013145 also be used in pure TCP, either without content using stateless ACLs (e.g.
Willy Tarreau1d0dfb12009-07-07 15:10:31 +020013146 source address validation) or combined with a "tcp-request" rule to wait for
13147 some payload.
Willy Tarreau844e3c52008-01-11 16:28:18 +010013148
13149 There may be as many "use_backend" rules as desired. All of these rules are
13150 evaluated in their declaration order, and the first one which matches will
13151 assign the backend.
13152
13153 In the first form, the backend will be used if the condition is met. In the
13154 second form, the backend will be used if the condition is not met. If no
13155 condition is valid, the backend defined with "default_backend" will be used.
13156 If no default backend is defined, either the servers in the same section are
13157 used (in case of a "listen" section) or, in case of a frontend, no server is
13158 used and a 503 service unavailable response is returned.
13159
Willy Tarreau51aecc72009-07-12 09:47:04 +020013160 Note that it is possible to switch from a TCP frontend to an HTTP backend. In
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013161 this case, either the frontend has already checked that the protocol is HTTP,
Willy Tarreau51aecc72009-07-12 09:47:04 +020013162 and backend processing will immediately follow, or the backend will wait for
13163 a complete HTTP request to get in. This feature is useful when a frontend
13164 must decode several protocols on a unique port, one of them being HTTP.
13165
Bertrand Jacquin702d44f2013-11-19 11:43:06 +010013166 When <backend> is a simple name, it is resolved at configuration time, and an
13167 error is reported if the specified backend does not exist. If <backend> is
13168 a log-format string instead, no check may be done at configuration time, so
13169 the backend name is resolved dynamically at run time. If the resulting
13170 backend name does not correspond to any valid backend, no other rule is
13171 evaluated, and the default_backend directive is applied instead. Note that
13172 when using dynamic backend names, it is highly recommended to use a prefix
13173 that no other backend uses in order to ensure that an unauthorized backend
13174 cannot be forced from the request.
13175
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013176 It is worth mentioning that "use_backend" rules with an explicit name are
Bertrand Jacquin702d44f2013-11-19 11:43:06 +010013177 used to detect the association between frontends and backends to compute the
13178 backend's "fullconn" setting. This cannot be done for dynamic names.
13179
13180 See also: "default_backend", "tcp-request", "fullconn", "log-format", and
13181 section 7 about ACLs.
Willy Tarreaud72758d2010-01-12 10:42:19 +010013182
Christopher Fauletb30b3102019-09-12 23:03:09 +020013183use-fcgi-app <name>
13184 Defines the FastCGI application to use for the backend.
13185 May be used in sections : defaults | frontend | listen | backend
13186 no | no | yes | yes
13187 Arguments :
13188 <name> is the name of the FastCGI application to use.
13189
13190 See section 10.1 about FastCGI application setup for details.
Willy Tarreau036fae02008-01-06 13:24:40 +010013191
Willy Tarreau4a5cade2012-04-05 21:09:48 +020013192use-server <server> if <condition>
13193use-server <server> unless <condition>
13194 Only use a specific server if/unless an ACL-based condition is matched.
13195 May be used in sections : defaults | frontend | listen | backend
13196 no | no | yes | yes
13197 Arguments :
Jerome Magnin824186b2020-03-29 09:37:12 +020013198 <server> is the name of a valid server in the same backend section
13199 or a "log-format" string resolving to a server name.
Willy Tarreau4a5cade2012-04-05 21:09:48 +020013200
13201 <condition> is a condition composed of ACLs, as described in section 7.
13202
13203 By default, connections which arrive to a backend are load-balanced across
13204 the available servers according to the configured algorithm, unless a
13205 persistence mechanism such as a cookie is used and found in the request.
13206
13207 Sometimes it is desirable to forward a particular request to a specific
13208 server without having to declare a dedicated backend for this server. This
13209 can be achieved using the "use-server" rules. These rules are evaluated after
13210 the "redirect" rules and before evaluating cookies, and they have precedence
13211 on them. There may be as many "use-server" rules as desired. All of these
13212 rules are evaluated in their declaration order, and the first one which
13213 matches will assign the server.
13214
13215 If a rule designates a server which is down, and "option persist" is not used
13216 and no force-persist rule was validated, it is ignored and evaluation goes on
13217 with the next rules until one matches.
13218
13219 In the first form, the server will be used if the condition is met. In the
13220 second form, the server will be used if the condition is not met. If no
13221 condition is valid, the processing continues and the server will be assigned
13222 according to other persistence mechanisms.
13223
13224 Note that even if a rule is matched, cookie processing is still performed but
13225 does not assign the server. This allows prefixed cookies to have their prefix
13226 stripped.
13227
13228 The "use-server" statement works both in HTTP and TCP mode. This makes it
13229 suitable for use with content-based inspection. For instance, a server could
Lukas Tribusa267b5d2020-07-19 00:25:06 +020013230 be selected in a farm according to the TLS SNI field when using protocols with
13231 implicit TLS (also see "req_ssl_sni"). And if these servers have their weight
13232 set to zero, they will not be used for other traffic.
Willy Tarreau4a5cade2012-04-05 21:09:48 +020013233
13234 Example :
13235 # intercept incoming TLS requests based on the SNI field
13236 use-server www if { req_ssl_sni -i www.example.com }
13237 server www 192.168.0.1:443 weight 0
13238 use-server mail if { req_ssl_sni -i mail.example.com }
Lukas Tribusa267b5d2020-07-19 00:25:06 +020013239 server mail 192.168.0.1:465 weight 0
Willy Tarreau4a5cade2012-04-05 21:09:48 +020013240 use-server imap if { req_ssl_sni -i imap.example.com }
Lukas Tribus98a3e3f2017-03-26 12:55:35 +000013241 server imap 192.168.0.1:993 weight 0
Willy Tarreau4a5cade2012-04-05 21:09:48 +020013242 # all the rest is forwarded to this server
13243 server default 192.168.0.2:443 check
13244
Jerome Magnin824186b2020-03-29 09:37:12 +020013245 When <server> is a simple name, it is checked against existing servers in the
13246 configuration and an error is reported if the specified server does not exist.
13247 If it is a log-format, no check is performed when parsing the configuration,
13248 and if we can't resolve a valid server name at runtime but the use-server rule
Ilya Shipitsin11057a32020-06-21 21:18:27 +050013249 was conditioned by an ACL returning true, no other use-server rule is applied
Jerome Magnin824186b2020-03-29 09:37:12 +020013250 and we fall back to load balancing.
13251
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013252 See also: "use_backend", section 5 about server and section 7 about ACLs.
Willy Tarreau4a5cade2012-04-05 21:09:48 +020013253
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013254
Davor Ocelice9ed2812017-12-25 17:49:28 +0100132555. Bind and server options
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013256--------------------------
13257
13258The "bind", "server" and "default-server" keywords support a number of settings
13259depending on some build options and on the system HAProxy was built on. These
13260settings generally each consist in one word sometimes followed by a value,
13261written on the same line as the "bind" or "server" line. All these options are
13262described in this section.
13263
13264
132655.1. Bind options
13266-----------------
13267
13268The "bind" keyword supports a certain number of settings which are all passed
13269as arguments on the same line. The order in which those arguments appear makes
13270no importance, provided that they appear after the bind address. All of these
13271parameters are optional. Some of them consist in a single words (booleans),
13272while other ones expect a value after them. In this case, the value must be
13273provided immediately after the setting name.
13274
13275The currently supported settings are the following ones.
13276
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010013277accept-netscaler-cip <magic number>
13278 Enforces the use of the NetScaler Client IP insertion protocol over any
13279 connection accepted by any of the TCP sockets declared on the same line. The
13280 NetScaler Client IP insertion protocol dictates the layer 3/4 addresses of
13281 the incoming connection to be used everywhere an address is used, with the
13282 only exception of "tcp-request connection" rules which will only see the
13283 real connection address. Logs will reflect the addresses indicated in the
13284 protocol, unless it is violated, in which case the real address will still
13285 be used. This keyword combined with support from external components can be
13286 used as an efficient and reliable alternative to the X-Forwarded-For
Bertrand Jacquin90759682016-06-06 15:35:39 +010013287 mechanism which is not always reliable and not even always usable. See also
13288 "tcp-request connection expect-netscaler-cip" for a finer-grained setting of
13289 which client is allowed to use the protocol.
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010013290
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013291accept-proxy
13292 Enforces the use of the PROXY protocol over any connection accepted by any of
Willy Tarreau77992672014-06-14 11:06:17 +020013293 the sockets declared on the same line. Versions 1 and 2 of the PROXY protocol
13294 are supported and correctly detected. The PROXY protocol dictates the layer
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013295 3/4 addresses of the incoming connection to be used everywhere an address is
13296 used, with the only exception of "tcp-request connection" rules which will
13297 only see the real connection address. Logs will reflect the addresses
13298 indicated in the protocol, unless it is violated, in which case the real
Davor Ocelice9ed2812017-12-25 17:49:28 +010013299 address will still be used. This keyword combined with support from external
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013300 components can be used as an efficient and reliable alternative to the
13301 X-Forwarded-For mechanism which is not always reliable and not even always
Willy Tarreau4f0d9192013-06-11 20:40:55 +020013302 usable. See also "tcp-request connection expect-proxy" for a finer-grained
13303 setting of which client is allowed to use the protocol.
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013304
Olivier Houchardc2aae742017-09-22 18:26:28 +020013305allow-0rtt
Bertrand Jacquina25282b2018-08-14 00:56:13 +010013306 Allow receiving early data when using TLSv1.3. This is disabled by default,
Olivier Houchard69752962019-01-08 15:35:32 +010013307 due to security considerations. Because it is vulnerable to replay attacks,
John Roeslerfb2fce12019-07-10 15:45:51 -050013308 you should only allow if for requests that are safe to replay, i.e. requests
Olivier Houchard69752962019-01-08 15:35:32 +010013309 that are idempotent. You can use the "wait-for-handshake" action for any
13310 request that wouldn't be safe with early data.
Olivier Houchardc2aae742017-09-22 18:26:28 +020013311
Willy Tarreauab861d32013-04-02 02:30:41 +020013312alpn <protocols>
13313 This enables the TLS ALPN extension and advertises the specified protocol
13314 list as supported on top of ALPN. The protocol list consists in a comma-
13315 delimited list of protocol names, for instance: "http/1.1,http/1.0" (without
John Roeslerfb2fce12019-07-10 15:45:51 -050013316 quotes). This requires that the SSL library is built with support for TLS
Willy Tarreauab861d32013-04-02 02:30:41 +020013317 extensions enabled (check with haproxy -vv). The ALPN extension replaces the
Willy Tarreau95c4e142017-11-26 12:18:55 +010013318 initial NPN extension. ALPN is required to enable HTTP/2 on an HTTP frontend.
13319 Versions of OpenSSL prior to 1.0.2 didn't support ALPN and only supposed the
13320 now obsolete NPN extension. At the time of writing this, most browsers still
13321 support both ALPN and NPN for HTTP/2 so a fallback to NPN may still work for
13322 a while. But ALPN must be used whenever possible. If both HTTP/2 and HTTP/1.1
13323 are expected to be supported, both versions can be advertised, in order of
13324 preference, like below :
13325
13326 bind :443 ssl crt pub.pem alpn h2,http/1.1
Willy Tarreauab861d32013-04-02 02:30:41 +020013327
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013328backlog <backlog>
Willy Tarreaue2711c72019-02-27 15:39:41 +010013329 Sets the socket's backlog to this value. If unspecified or 0, the frontend's
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013330 backlog is used instead, which generally defaults to the maxconn value.
13331
Emmanuel Hocdete7f2b732017-01-09 16:15:54 +010013332curves <curves>
13333 This setting is only available when support for OpenSSL was built in. It sets
13334 the string describing the list of elliptic curves algorithms ("curve suite")
13335 that are negotiated during the SSL/TLS handshake with ECDHE. The format of the
13336 string is a colon-delimited list of curve name.
13337 Example: "X25519:P-256" (without quote)
13338 When "curves" is set, "ecdhe" parameter is ignored.
13339
Emeric Brun7fb34422012-09-28 15:26:15 +020013340ecdhe <named curve>
13341 This setting is only available when support for OpenSSL was built in. It sets
Emeric Brun6924ef82013-03-06 14:08:53 +010013342 the named curve (RFC 4492) used to generate ECDH ephemeral keys. By default,
13343 used named curve is prime256v1.
Emeric Brun7fb34422012-09-28 15:26:15 +020013344
Emeric Brunfd33a262012-10-11 16:28:27 +020013345ca-file <cafile>
Emeric Brun1a073b42012-09-28 17:07:34 +020013346 This setting is only available when support for OpenSSL was built in. It
13347 designates a PEM file from which to load CA certificates used to verify
13348 client's certificate.
13349
Emeric Brunb6dc9342012-09-28 17:55:37 +020013350ca-ignore-err [all|<errorID>,...]
13351 This setting is only available when support for OpenSSL was built in.
13352 Sets a comma separated list of errorIDs to ignore during verify at depth > 0.
13353 If set to 'all', all errors are ignored. SSL handshake is not aborted if an
13354 error is ignored.
13355
Christopher Faulet31af49d2015-06-09 17:29:50 +020013356ca-sign-file <cafile>
13357 This setting is only available when support for OpenSSL was built in. It
13358 designates a PEM file containing both the CA certificate and the CA private
13359 key used to create and sign server's certificates. This is a mandatory
13360 setting when the dynamic generation of certificates is enabled. See
13361 'generate-certificates' for details.
13362
Bertrand Jacquind4d0a232016-11-13 16:37:12 +000013363ca-sign-pass <passphrase>
Christopher Faulet31af49d2015-06-09 17:29:50 +020013364 This setting is only available when support for OpenSSL was built in. It is
13365 the CA private key passphrase. This setting is optional and used only when
13366 the dynamic generation of certificates is enabled. See
13367 'generate-certificates' for details.
13368
Emmanuel Hocdet842e94e2019-12-16 16:39:17 +010013369ca-verify-file <cafile>
13370 This setting designates a PEM file from which to load CA certificates used to
13371 verify client's certificate. It designates CA certificates which must not be
13372 included in CA names sent in server hello message. Typically, "ca-file" must
13373 be defined with intermediate certificates, and "ca-verify-file" with
13374 certificates to ending the chain, like root CA.
13375
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013376ciphers <ciphers>
13377 This setting is only available when support for OpenSSL was built in. It sets
13378 the string describing the list of cipher algorithms ("cipher suite") that are
Bertrand Jacquin8cf7c1e2019-02-03 18:35:25 +000013379 negotiated during the SSL/TLS handshake up to TLSv1.2. The format of the
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +000013380 string is defined in "man 1 ciphers" from OpenSSL man pages. For background
Dirkjan Bussink415150f2018-09-14 11:14:21 +020013381 information and recommendations see e.g.
13382 (https://wiki.mozilla.org/Security/Server_Side_TLS) and
13383 (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
13384 cipher configuration, please check the "ciphersuites" keyword.
13385
13386ciphersuites <ciphersuites>
13387 This setting is only available when support for OpenSSL was built in and
13388 OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string describing
13389 the list of cipher algorithms ("cipher suite") that are negotiated during the
13390 TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" from
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +000013391 OpenSSL man pages under the "ciphersuites" section. For cipher configuration
13392 for TLSv1.2 and earlier, please check the "ciphers" keyword.
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013393
Emeric Brunfd33a262012-10-11 16:28:27 +020013394crl-file <crlfile>
Emeric Brun1a073b42012-09-28 17:07:34 +020013395 This setting is only available when support for OpenSSL was built in. It
13396 designates a PEM file from which to load certificate revocation list used
Remi Tricot-Le Breton02bd6842021-05-04 12:22:34 +020013397 to verify client's certificate. You need to provide a certificate revocation
13398 list for every certificate of your certificate authority chain.
Emeric Brun1a073b42012-09-28 17:07:34 +020013399
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013400crt <cert>
Alex Davies0fbf0162013-03-02 16:04:50 +000013401 This setting is only available when support for OpenSSL was built in. It
13402 designates a PEM file containing both the required certificates and any
13403 associated private keys. This file can be built by concatenating multiple
13404 PEM files into one (e.g. cat cert.pem key.pem > combined.pem). If your CA
13405 requires an intermediate certificate, this can also be concatenated into this
Emmanuel Hocdet70df7bf2019-01-04 11:08:20 +010013406 file. Intermediate certificate can also be shared in a directory via
13407 "issuers-chain-path" directive.
Alex Davies0fbf0162013-03-02 16:04:50 +000013408
William Lallemand4c5adbf2020-02-24 14:23:22 +010013409 If the file does not contain a private key, HAProxy will try to load
13410 the key at the same path suffixed by a ".key".
13411
Alex Davies0fbf0162013-03-02 16:04:50 +000013412 If the OpenSSL used supports Diffie-Hellman, parameters present in this file
13413 are loaded.
13414
13415 If a directory name is used instead of a PEM file, then all files found in
William Lallemand3f25ae32020-02-24 16:30:12 +010013416 that directory will be loaded in alphabetic order unless their name ends
13417 with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). This
13418 directive may be specified multiple times in order to load certificates from
13419 multiple files or directories. The certificates will be presented to clients
13420 who provide a valid TLS Server Name Indication field matching one of their
13421 CN or alt subjects. Wildcards are supported, where a wildcard character '*'
13422 is used instead of the first hostname component (e.g. *.example.org matches
Janusz Dziemidowicz2c701b52015-03-07 23:03:59 +010013423 www.example.org but not www.sub.example.org).
Alex Davies0fbf0162013-03-02 16:04:50 +000013424
13425 If no SNI is provided by the client or if the SSL library does not support
13426 TLS extensions, or if the client provides an SNI hostname which does not
13427 match any certificate, then the first loaded certificate will be presented.
13428 This means that when loading certificates from a directory, it is highly
Cyril Bonté3180f7b2015-01-25 00:16:08 +010013429 recommended to load the default one first as a file or to ensure that it will
13430 always be the first one in the directory.
Alex Davies0fbf0162013-03-02 16:04:50 +000013431
Emeric Brune032bfa2012-09-28 13:01:45 +020013432 Note that the same cert may be loaded multiple times without side effects.
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013433
Davor Ocelice9ed2812017-12-25 17:49:28 +010013434 Some CAs (such as GoDaddy) offer a drop down list of server types that do not
Alex Davies0fbf0162013-03-02 16:04:50 +000013435 include HAProxy when obtaining a certificate. If this happens be sure to
Davor Ocelice9ed2812017-12-25 17:49:28 +010013436 choose a web server that the CA believes requires an intermediate CA (for
13437 GoDaddy, selection Apache Tomcat will get the correct bundle, but many
Alex Davies0fbf0162013-03-02 16:04:50 +000013438 others, e.g. nginx, result in a wrong bundle that will not work for some
13439 clients).
13440
Daniel Corbett9f0843f2021-05-08 10:50:37 -040013441 For each PEM file, HAProxy checks for the presence of file at the same path
Emeric Brun4147b2e2014-06-16 18:36:30 +020013442 suffixed by ".ocsp". If such file is found, support for the TLS Certificate
13443 Status Request extension (also known as "OCSP stapling") is automatically
13444 enabled. The content of this file is optional. If not empty, it must contain
13445 a valid OCSP Response in DER format. In order to be valid an OCSP Response
13446 must comply with the following rules: it has to indicate a good status,
13447 it has to be a single response for the certificate of the PEM file, and it
13448 has to be valid at the moment of addition. If these rules are not respected
13449 the OCSP Response is ignored and a warning is emitted. In order to identify
13450 which certificate an OCSP Response applies to, the issuer's certificate is
13451 necessary. If the issuer's certificate is not found in the PEM file, it will
13452 be loaded from a file at the same path as the PEM file suffixed by ".issuer"
13453 if it exists otherwise it will fail with an error.
13454
Daniel Corbett9f0843f2021-05-08 10:50:37 -040013455 For each PEM file, HAProxy also checks for the presence of file at the same
Janusz Dziemidowicz2c701b52015-03-07 23:03:59 +010013456 path suffixed by ".sctl". If such file is found, support for Certificate
13457 Transparency (RFC6962) TLS extension is enabled. The file must contain a
13458 valid Signed Certificate Timestamp List, as described in RFC. File is parsed
13459 to check basic syntax, but no signatures are verified.
13460
yanbzhu6c25e9e2016-01-05 12:52:02 -050013461 There are cases where it is desirable to support multiple key types, e.g. RSA
13462 and ECDSA in the cipher suites offered to the clients. This allows clients
13463 that support EC certificates to be able to use EC ciphers, while
13464 simultaneously supporting older, RSA only clients.
yanbzhud19630c2015-12-14 15:10:25 -050013465
William Lallemandf9ff3ec2020-10-02 17:57:44 +020013466 To achieve this, OpenSSL 1.1.1 is required, you can configure this behavior
13467 by providing one crt entry per certificate type, or by configuring a "cert
13468 bundle" like it was required before HAProxy 1.8. See "ssl-load-extra-files".
yanbzhud19630c2015-12-14 15:10:25 -050013469
Emeric Brunb6dc9342012-09-28 17:55:37 +020013470crt-ignore-err <errors>
Alex Davies0fbf0162013-03-02 16:04:50 +000013471 This setting is only available when support for OpenSSL was built in. Sets a
Davor Ocelice9ed2812017-12-25 17:49:28 +010013472 comma separated list of errorIDs to ignore during verify at depth == 0. If
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013473 set to 'all', all errors are ignored. SSL handshake is not aborted if an error
Alex Davies0fbf0162013-03-02 16:04:50 +000013474 is ignored.
Emeric Brunb6dc9342012-09-28 17:55:37 +020013475
Emmanuel Hocdetfe616562013-01-22 15:31:15 +010013476crt-list <file>
13477 This setting is only available when support for OpenSSL was built in. It
Emmanuel Hocdet98263292016-12-29 18:26:15 +010013478 designates a list of PEM file with an optional ssl configuration and a SNI
13479 filter per certificate, with the following format for each line :
Emmanuel Hocdetfe616562013-01-22 15:31:15 +010013480
Emmanuel Hocdet98263292016-12-29 18:26:15 +010013481 <crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]
13482
William Lallemand5d036392020-06-30 16:11:36 +020013483 sslbindconf supports "allow-0rtt", "alpn", "ca-file", "ca-verify-file",
13484 "ciphers", "ciphersuites", "crl-file", "curves", "ecdhe", "no-ca-names",
13485 "npn", "verify" configuration. With BoringSSL and Openssl >= 1.1.1
13486 "ssl-min-ver" and "ssl-max-ver" are also supported. It overrides the
13487 configuration set in bind line for the certificate.
Emmanuel Hocdetfe616562013-01-22 15:31:15 +010013488
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +020013489 Wildcards are supported in the SNI filter. Negative filter are also supported,
Joao Moraise51fab02020-11-21 07:42:20 -030013490 useful in combination with a wildcard filter to exclude a particular SNI, or
13491 after the first certificate to exclude a pattern from its CN or Subject Alt
13492 Name (SAN). The certificates will be presented to clients who provide a valid
13493 TLS Server Name Indication field matching one of the SNI filters. If no SNI
13494 filter is specified, the CN and SAN are used. This directive may be specified
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +020013495 multiple times. See the "crt" option for more information. The default
13496 certificate is still needed to meet OpenSSL expectations. If it is not used,
13497 the 'strict-sni' option may be used.
Emmanuel Hocdetfe616562013-01-22 15:31:15 +010013498
William Lallemandf9ff3ec2020-10-02 17:57:44 +020013499 Multi-cert bundling (see "ssl-load-extra-files") is supported with crt-list,
13500 as long as only the base name is given in the crt-list. SNI filter will do
13501 the same work on all bundled certificates.
yanbzhud19630c2015-12-14 15:10:25 -050013502
William Lallemand7c26ed72020-06-03 17:34:48 +020013503 Empty lines as well as lines beginning with a hash ('#') will be ignored.
13504
Joao Moraisaa8fcc42020-11-24 08:24:30 -030013505 The first declared certificate of a bind line is used as the default
Daniel Corbett9f0843f2021-05-08 10:50:37 -040013506 certificate, either from crt or crt-list option, which HAProxy should use in
Joao Moraisaa8fcc42020-11-24 08:24:30 -030013507 the TLS handshake if no other certificate matches. This certificate will also
13508 be used if the provided SNI matches its CN or SAN, even if a matching SNI
13509 filter is found on any crt-list. The SNI filter !* can be used after the first
13510 declared certificate to not include its CN and SAN in the SNI tree, so it will
13511 never match except if no other certificate matches. This way the first
13512 declared certificate act as a fallback.
Joao Moraise51fab02020-11-21 07:42:20 -030013513
Emmanuel Hocdet98263292016-12-29 18:26:15 +010013514 crt-list file example:
Joao Moraise51fab02020-11-21 07:42:20 -030013515 cert1.pem !*
William Lallemand7c26ed72020-06-03 17:34:48 +020013516 # comment
Emmanuel Hocdet05942112017-02-20 16:11:50 +010013517 cert2.pem [alpn h2,http/1.1]
Emmanuel Hocdet98263292016-12-29 18:26:15 +010013518 certW.pem *.domain.tld !secure.domain.tld
Emmanuel Hocdet05942112017-02-20 16:11:50 +010013519 certS.pem [curves X25519:P-256 ciphers ECDHE-ECDSA-AES256-GCM-SHA384] secure.domain.tld
Emmanuel Hocdet98263292016-12-29 18:26:15 +010013520
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013521defer-accept
13522 Is an optional keyword which is supported only on certain Linux kernels. It
13523 states that a connection will only be accepted once some data arrive on it,
13524 or at worst after the first retransmit. This should be used only on protocols
Davor Ocelice9ed2812017-12-25 17:49:28 +010013525 for which the client talks first (e.g. HTTP). It can slightly improve
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013526 performance by ensuring that most of the request is already available when
13527 the connection is accepted. On the other hand, it will not be able to detect
13528 connections which don't talk. It is important to note that this option is
13529 broken in all kernels up to 2.6.31, as the connection is never accepted until
13530 the client talks. This can cause issues with front firewalls which would see
13531 an established connection while the proxy will only see it in SYN_RECV. This
13532 option is only supported on TCPv4/TCPv6 sockets and ignored by other ones.
13533
William Lallemandf6975e92017-05-26 17:42:10 +020013534expose-fd listeners
13535 This option is only usable with the stats socket. It gives your stats socket
13536 the capability to pass listeners FD to another HAProxy process.
William Lallemande202b1e2017-06-01 17:38:56 +020013537 During a reload with the master-worker mode, the process is automatically
13538 reexecuted adding -x and one of the stats socket with this option.
Davor Ocelice9ed2812017-12-25 17:49:28 +010013539 See also "-x" in the management guide.
William Lallemandf6975e92017-05-26 17:42:10 +020013540
Emeric Brun2cb7ae52012-10-05 14:14:21 +020013541force-sslv3
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013542 This option enforces use of SSLv3 only on SSL connections instantiated from
Emeric Brun2cb7ae52012-10-05 14:14:21 +020013543 this listener. SSLv3 is generally less expensive than the TLS counterparts
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013544 for high connection rates. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013545 "ssl-default-bind-options". See also "ssl-min-ver" and "ssl-max-ver".
Emeric Brun2cb7ae52012-10-05 14:14:21 +020013546
13547force-tlsv10
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013548 This option enforces use of TLSv1.0 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013549 this listener. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013550 "ssl-default-bind-options". See also "ssl-min-ver" and "ssl-max-ver".
Emeric Brun2cb7ae52012-10-05 14:14:21 +020013551
13552force-tlsv11
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013553 This option enforces use of TLSv1.1 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013554 this listener. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013555 "ssl-default-bind-options". See also "ssl-min-ver" and "ssl-max-ver".
Emeric Brun2cb7ae52012-10-05 14:14:21 +020013556
13557force-tlsv12
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013558 This option enforces use of TLSv1.2 only on SSL connections instantiated from
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013559 this listener. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013560 "ssl-default-bind-options". See also "ssl-min-ver" and "ssl-max-ver".
Emeric Brun2cb7ae52012-10-05 14:14:21 +020013561
Emmanuel Hocdet42fb9802017-03-30 19:29:39 +020013562force-tlsv13
13563 This option enforces use of TLSv1.3 only on SSL connections instantiated from
13564 this listener. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013565 "ssl-default-bind-options". See also "ssl-min-ver" and "ssl-max-ver".
Emmanuel Hocdet42fb9802017-03-30 19:29:39 +020013566
Christopher Faulet31af49d2015-06-09 17:29:50 +020013567generate-certificates
13568 This setting is only available when support for OpenSSL was built in. It
13569 enables the dynamic SSL certificates generation. A CA certificate and its
13570 private key are necessary (see 'ca-sign-file'). When HAProxy is configured as
13571 a transparent forward proxy, SSL requests generate errors because of a common
13572 name mismatch on the certificate presented to the client. With this option
13573 enabled, HAProxy will try to forge a certificate using the SNI hostname
13574 indicated by the client. This is done only if no certificate matches the SNI
13575 hostname (see 'crt-list'). If an error occurs, the default certificate is
13576 used, else the 'strict-sni' option is set.
13577 It can also be used when HAProxy is configured as a reverse proxy to ease the
13578 deployment of an architecture with many backends.
13579
13580 Creating a SSL certificate is an expensive operation, so a LRU cache is used
13581 to store forged certificates (see 'tune.ssl.ssl-ctx-cache-size'). It
Davor Ocelice9ed2812017-12-25 17:49:28 +010013582 increases the HAProxy's memory footprint to reduce latency when the same
Christopher Faulet31af49d2015-06-09 17:29:50 +020013583 certificate is used many times.
13584
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013585gid <gid>
13586 Sets the group of the UNIX sockets to the designated system gid. It can also
13587 be set by default in the global section's "unix-bind" statement. Note that
13588 some platforms simply ignore this. This setting is equivalent to the "group"
13589 setting except that the group ID is used instead of its name. This setting is
13590 ignored by non UNIX sockets.
13591
13592group <group>
13593 Sets the group of the UNIX sockets to the designated system group. It can
13594 also be set by default in the global section's "unix-bind" statement. Note
13595 that some platforms simply ignore this. This setting is equivalent to the
13596 "gid" setting except that the group name is used instead of its gid. This
13597 setting is ignored by non UNIX sockets.
13598
13599id <id>
13600 Fixes the socket ID. By default, socket IDs are automatically assigned, but
13601 sometimes it is more convenient to fix them to ease monitoring. This value
13602 must be strictly positive and unique within the listener/frontend. This
13603 option can only be used when defining only a single socket.
13604
13605interface <interface>
Lukas Tribusfce2e962013-02-12 22:13:19 +010013606 Restricts the socket to a specific interface. When specified, only packets
13607 received from that particular interface are processed by the socket. This is
13608 currently only supported on Linux. The interface must be a primary system
13609 interface, not an aliased interface. It is also possible to bind multiple
13610 frontends to the same address if they are bound to different interfaces. Note
13611 that binding to a network interface requires root privileges. This parameter
Jérôme Magnin61275192018-02-07 11:39:58 +010013612 is only compatible with TCPv4/TCPv6 sockets. When specified, return traffic
13613 uses the same interface as inbound traffic, and its associated routing table,
13614 even if there are explicit routes through different interfaces configured.
13615 This can prove useful to address asymmetric routing issues when the same
13616 client IP addresses need to be able to reach frontends hosted on different
13617 interfaces.
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013618
Willy Tarreauabb175f2012-09-24 12:43:26 +020013619level <level>
13620 This setting is used with the stats sockets only to restrict the nature of
13621 the commands that can be issued on the socket. It is ignored by other
13622 sockets. <level> can be one of :
Davor Ocelice9ed2812017-12-25 17:49:28 +010013623 - "user" is the least privileged level; only non-sensitive stats can be
Willy Tarreauabb175f2012-09-24 12:43:26 +020013624 read, and no change is allowed. It would make sense on systems where it
13625 is not easy to restrict access to the socket.
13626 - "operator" is the default level and fits most common uses. All data can
Davor Ocelice9ed2812017-12-25 17:49:28 +010013627 be read, and only non-sensitive changes are permitted (e.g. clear max
Willy Tarreauabb175f2012-09-24 12:43:26 +020013628 counters).
Davor Ocelice9ed2812017-12-25 17:49:28 +010013629 - "admin" should be used with care, as everything is permitted (e.g. clear
Willy Tarreauabb175f2012-09-24 12:43:26 +020013630 all counters).
13631
Andjelko Iharosc4df59e2017-07-20 11:59:48 +020013632severity-output <format>
13633 This setting is used with the stats sockets only to configure severity
13634 level output prepended to informational feedback messages. Severity
13635 level of messages can range between 0 and 7, conforming to syslog
13636 rfc5424. Valid and successful socket commands requesting data
13637 (i.e. "show map", "get acl foo" etc.) will never have a severity level
13638 prepended. It is ignored by other sockets. <format> can be one of :
13639 - "none" (default) no severity level is prepended to feedback messages.
13640 - "number" severity level is prepended as a number.
13641 - "string" severity level is prepended as a string following the
13642 rfc5424 convention.
13643
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013644maxconn <maxconn>
13645 Limits the sockets to this number of concurrent connections. Extraneous
13646 connections will remain in the system's backlog until a connection is
13647 released. If unspecified, the limit will be the same as the frontend's
13648 maxconn. Note that in case of port ranges or multiple addresses, the same
13649 value will be applied to each socket. This setting enables different
13650 limitations on expensive sockets, for instance SSL entries which may easily
13651 eat all memory.
13652
13653mode <mode>
13654 Sets the octal mode used to define access permissions on the UNIX socket. It
13655 can also be set by default in the global section's "unix-bind" statement.
13656 Note that some platforms simply ignore this. This setting is ignored by non
13657 UNIX sockets.
13658
13659mss <maxseg>
13660 Sets the TCP Maximum Segment Size (MSS) value to be advertised on incoming
13661 connections. This can be used to force a lower MSS for certain specific
13662 ports, for instance for connections passing through a VPN. Note that this
13663 relies on a kernel feature which is theoretically supported under Linux but
13664 was buggy in all versions prior to 2.6.28. It may or may not work on other
13665 operating systems. It may also not change the advertised value but change the
13666 effective size of outgoing segments. The commonly advertised value for TCPv4
13667 over Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP). If this value is
13668 positive, it will be used as the advertised MSS. If it is negative, it will
13669 indicate by how much to reduce the incoming connection's advertised MSS for
13670 outgoing segments. This parameter is only compatible with TCP v4/v6 sockets.
13671
13672name <name>
13673 Sets an optional name for these sockets, which will be reported on the stats
13674 page.
13675
Willy Tarreaud72f0f32015-10-13 14:50:22 +020013676namespace <name>
13677 On Linux, it is possible to specify which network namespace a socket will
13678 belong to. This directive makes it possible to explicitly bind a listener to
13679 a namespace different from the default one. Please refer to your operating
13680 system's documentation to find more details about network namespaces.
13681
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013682nice <nice>
13683 Sets the 'niceness' of connections initiated from the socket. Value must be
13684 in the range -1024..1024 inclusive, and defaults to zero. Positive values
13685 means that such connections are more friendly to others and easily offer
13686 their place in the scheduler. On the opposite, negative values mean that
13687 connections want to run with a higher priority than others. The difference
13688 only happens under high loads when the system is close to saturation.
13689 Negative values are appropriate for low-latency or administration services,
13690 and high values are generally recommended for CPU intensive tasks such as SSL
13691 processing or bulk transfers which are less sensible to latency. For example,
13692 it may make sense to use a positive value for an SMTP socket and a negative
13693 one for an RDP socket.
13694
Emmanuel Hocdet174dfe52017-07-28 15:01:05 +020013695no-ca-names
13696 This setting is only available when support for OpenSSL was built in. It
13697 prevents from send CA names in server hello message when ca-file is used.
Emmanuel Hocdet842e94e2019-12-16 16:39:17 +010013698 Use "ca-verify-file" instead of "ca-file" with "no-ca-names".
Emmanuel Hocdet174dfe52017-07-28 15:01:05 +020013699
Emeric Brun9b3009b2012-10-05 11:55:06 +020013700no-sslv3
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013701 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013702 disables support for SSLv3 on any sockets instantiated from the listener when
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013703 SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013704 be enabled using any configuration option. This option is also available on
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013705 global statement "ssl-default-bind-options". Use "ssl-min-ver" and
13706 "ssl-max-ver" instead.
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013707
Emeric Brun90ad8722012-10-02 14:00:59 +020013708no-tls-tickets
13709 This setting is only available when support for OpenSSL was built in. It
13710 disables the stateless session resumption (RFC 5077 TLS Ticket
13711 extension) and force to use stateful session resumption. Stateless
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013712 session resumption is more expensive in CPU usage. This option is also
13713 available on global statement "ssl-default-bind-options".
Lukas Tribusbdb386d2020-03-10 00:56:09 +010013714 The TLS ticket mechanism is only used up to TLS 1.2.
13715 Forward Secrecy is compromised with TLS tickets, unless ticket keys
13716 are periodically rotated (via reload or by using "tls-ticket-keys").
Emeric Brun90ad8722012-10-02 14:00:59 +020013717
Emeric Brun9b3009b2012-10-05 11:55:06 +020013718no-tlsv10
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013719 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013720 disables support for TLSv1.0 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +020013721 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013722 cannot be enabled using any configuration option. This option is also
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013723 available on global statement "ssl-default-bind-options". Use "ssl-min-ver"
13724 and "ssl-max-ver" instead.
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013725
Emeric Brun9b3009b2012-10-05 11:55:06 +020013726no-tlsv11
Emeric Brunf5da4932012-09-28 19:42:54 +020013727 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013728 disables support for TLSv1.1 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +020013729 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013730 cannot be enabled using any configuration option. This option is also
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013731 available on global statement "ssl-default-bind-options". Use "ssl-min-ver"
13732 and "ssl-max-ver" instead.
Emeric Brunf5da4932012-09-28 19:42:54 +020013733
Emeric Brun9b3009b2012-10-05 11:55:06 +020013734no-tlsv12
Emeric Brunf5da4932012-09-28 19:42:54 +020013735 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013736 disables support for TLSv1.2 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +020013737 when SSL is supported. Note that SSLv2 is forced disabled in the code and
Emeric Brun2c86cbf2014-10-30 15:56:50 +010013738 cannot be enabled using any configuration option. This option is also
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013739 available on global statement "ssl-default-bind-options". Use "ssl-min-ver"
13740 and "ssl-max-ver" instead.
Emeric Brunf5da4932012-09-28 19:42:54 +020013741
Emmanuel Hocdet42fb9802017-03-30 19:29:39 +020013742no-tlsv13
13743 This setting is only available when support for OpenSSL was built in. It
13744 disables support for TLSv1.3 on any sockets instantiated from the listener
13745 when SSL is supported. Note that SSLv2 is forced disabled in the code and
13746 cannot be enabled using any configuration option. This option is also
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013747 available on global statement "ssl-default-bind-options". Use "ssl-min-ver"
13748 and "ssl-max-ver" instead.
Emmanuel Hocdet42fb9802017-03-30 19:29:39 +020013749
Willy Tarreau6c9a3d52012-10-18 18:57:14 +020013750npn <protocols>
13751 This enables the NPN TLS extension and advertises the specified protocol list
13752 as supported on top of NPN. The protocol list consists in a comma-delimited
13753 list of protocol names, for instance: "http/1.1,http/1.0" (without quotes).
John Roeslerfb2fce12019-07-10 15:45:51 -050013754 This requires that the SSL library is built with support for TLS extensions
Willy Tarreauab861d32013-04-02 02:30:41 +020013755 enabled (check with haproxy -vv). Note that the NPN extension has been
Willy Tarreau95c4e142017-11-26 12:18:55 +010013756 replaced with the ALPN extension (see the "alpn" keyword), though this one is
13757 only available starting with OpenSSL 1.0.2. If HTTP/2 is desired on an older
13758 version of OpenSSL, NPN might still be used as most clients still support it
13759 at the time of writing this. It is possible to enable both NPN and ALPN
13760 though it probably doesn't make any sense out of testing.
Willy Tarreau6c9a3d52012-10-18 18:57:14 +020013761
Lukas Tribus53ae85c2017-05-04 15:45:40 +000013762prefer-client-ciphers
13763 Use the client's preference when selecting the cipher suite, by default
13764 the server's preference is enforced. This option is also available on
13765 global statement "ssl-default-bind-options".
Lukas Tribus926594f2018-05-18 17:55:57 +020013766 Note that with OpenSSL >= 1.1.1 ChaCha20-Poly1305 is reprioritized anyway
13767 (without setting this option), if a ChaCha20-Poly1305 cipher is at the top of
13768 the client cipher list.
Lukas Tribus53ae85c2017-05-04 15:45:40 +000013769
Christopher Fauletc644fa92017-11-23 22:44:11 +010013770process <process-set>[/<thread-set>]
Willy Tarreaua36b3242019-02-02 13:14:34 +010013771 This restricts the list of processes or threads on which this listener is
Christopher Fauletc644fa92017-11-23 22:44:11 +010013772 allowed to run. It does not enforce any process but eliminates those which do
Davor Ocelice9ed2812017-12-25 17:49:28 +010013773 not match. If the frontend uses a "bind-process" setting, the intersection
Christopher Fauletc644fa92017-11-23 22:44:11 +010013774 between the two is applied. If in the end the listener is not allowed to run
13775 on any remaining process, a warning is emitted, and the listener will either
13776 run on the first process of the listener if a single process was specified,
13777 or on all of its processes if multiple processes were specified. If a thread
Davor Ocelice9ed2812017-12-25 17:49:28 +010013778 set is specified, it limits the threads allowed to process incoming
Willy Tarreaua36b3242019-02-02 13:14:34 +010013779 connections for this listener, for the the process set. If multiple processes
13780 and threads are configured, a warning is emitted, as it either results from a
13781 configuration error or a misunderstanding of these models. For the unlikely
13782 case where several ranges are needed, this directive may be repeated.
13783 <process-set> and <thread-set> must use the format
Christopher Fauletc644fa92017-11-23 22:44:11 +010013784
13785 all | odd | even | number[-[number]]
13786
13787 Ranges can be partially defined. The higher bound can be omitted. In such
13788 case, it is replaced by the corresponding maximum value. The main purpose of
13789 this directive is to be used with the stats sockets and have one different
13790 socket per process. The second purpose is to have multiple bind lines sharing
13791 the same IP:port but not the same process in a listener, so that the system
13792 can distribute the incoming connections into multiple queues and allow a
13793 smoother inter-process load balancing. Currently Linux 3.9 and above is known
13794 for supporting this. See also "bind-process" and "nbproc".
Willy Tarreau6ae1ba62014-05-07 19:01:58 +020013795
Christopher Fauleta717b992018-04-10 14:43:00 +020013796proto <name>
13797 Forces the multiplexer's protocol to use for the incoming connections. It
13798 must be compatible with the mode of the frontend (TCP or HTTP). It must also
13799 be usable on the frontend side. The list of available protocols is reported
Christopher Faulet982e17d2021-03-26 14:44:18 +010013800 in haproxy -vv. The protocols properties are reported : the mode (TCP/HTTP),
13801 the side (FE/BE), the mux name and its flags.
13802
13803 Some protocols report errors on aborts (flag=CLEAN_ABRT). Some others are
13804 subject to the head-of-line blocking on server side (flag=HOL_RISK). Finally
13805 some protocols don't support upgrades (flag=NO_UPG). The HTX compatibility is
13806 also reported (flag=HTX).
13807
13808 Here are the protocols that may be used as argument to a "proto" directive on
13809 a bind line :
13810
13811 h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
13812 h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
13813 none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
13814
Daniel Corbett67a82712020-07-06 23:01:19 -040013815 Idea behind this option is to bypass the selection of the best multiplexer's
Christopher Fauleta717b992018-04-10 14:43:00 +020013816 protocol for all connections instantiated from this listening socket. For
Joseph Herlant71b4b152018-11-13 16:55:16 -080013817 instance, it is possible to force the http/2 on clear TCP by specifying "proto
Christopher Fauleta717b992018-04-10 14:43:00 +020013818 h2" on the bind line.
13819
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013820ssl
13821 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013822 enables SSL deciphering on connections instantiated from this listener. A
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013823 certificate is necessary (see "crt" above). All contents in the buffers will
13824 appear in clear text, so that ACLs and HTTP processing will only have access
Emmanuel Hocdetbd695fe2017-05-15 15:53:41 +020013825 to deciphered contents. SSLv3 is disabled per default, use "ssl-min-ver SSLv3"
13826 to enable it.
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013827
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013828ssl-max-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
13829 This option enforces use of <version> or lower on SSL connections instantiated
William Lallemand50df1cb2020-06-02 10:52:24 +020013830 from this listener. Using this setting without "ssl-min-ver" can be
13831 ambiguous because the default ssl-min-ver value could change in future HAProxy
13832 versions. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013833 "ssl-default-bind-options". See also "ssl-min-ver".
13834
13835ssl-min-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
William Lallemand50df1cb2020-06-02 10:52:24 +020013836 This option enforces use of <version> or upper on SSL connections
13837 instantiated from this listener. The default value is "TLSv1.2". This option
13838 is also available on global statement "ssl-default-bind-options".
13839 See also "ssl-max-ver".
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020013840
Emmanuel Hocdet65623372013-01-24 17:17:15 +010013841strict-sni
13842 This setting is only available when support for OpenSSL was built in. The
13843 SSL/TLS negotiation is allow only if the client provided an SNI which match
13844 a certificate. The default certificate is not used.
13845 See the "crt" option for more information.
13846
Willy Tarreau2af207a2015-02-04 00:45:58 +010013847tcp-ut <delay>
Tim Düsterhus4896c442016-11-29 02:15:19 +010013848 Sets the TCP User Timeout for all incoming connections instantiated from this
Willy Tarreau2af207a2015-02-04 00:45:58 +010013849 listening socket. This option is available on Linux since version 2.6.37. It
Daniel Corbett9f0843f2021-05-08 10:50:37 -040013850 allows HAProxy to configure a timeout for sockets which contain data not
Davor Ocelice9ed2812017-12-25 17:49:28 +010013851 receiving an acknowledgment for the configured delay. This is especially
Willy Tarreau2af207a2015-02-04 00:45:58 +010013852 useful on long-lived connections experiencing long idle periods such as
13853 remote terminals or database connection pools, where the client and server
13854 timeouts must remain high to allow a long period of idle, but where it is
13855 important to detect that the client has disappeared in order to release all
13856 resources associated with its connection (and the server's session). The
13857 argument is a delay expressed in milliseconds by default. This only works
13858 for regular TCP connections, and is ignored for other protocols.
13859
Willy Tarreau1c862c52012-10-05 16:21:00 +020013860tfo
Lukas Tribus0defb902013-02-13 23:35:39 +010013861 Is an optional keyword which is supported only on Linux kernels >= 3.7. It
Willy Tarreau1c862c52012-10-05 16:21:00 +020013862 enables TCP Fast Open on the listening socket, which means that clients which
13863 support this feature will be able to send a request and receive a response
13864 during the 3-way handshake starting from second connection, thus saving one
13865 round-trip after the first connection. This only makes sense with protocols
13866 that use high connection rates and where each round trip matters. This can
13867 possibly cause issues with many firewalls which do not accept data on SYN
13868 packets, so this option should only be enabled once well tested. This option
Lukas Tribus0999f762013-04-02 16:43:24 +020013869 is only supported on TCPv4/TCPv6 sockets and ignored by other ones. You may
13870 need to build HAProxy with USE_TFO=1 if your libc doesn't define
13871 TCP_FASTOPEN.
Willy Tarreau1c862c52012-10-05 16:21:00 +020013872
Nenad Merdanovic188ad3e2015-02-27 19:56:50 +010013873tls-ticket-keys <keyfile>
13874 Sets the TLS ticket keys file to load the keys from. The keys need to be 48
Emeric Brun9e754772019-01-10 17:51:55 +010013875 or 80 bytes long, depending if aes128 or aes256 is used, encoded with base64
13876 with one line per key (ex. openssl rand 80 | openssl base64 -A | xargs echo).
13877 The first key determines the key length used for next keys: you can't mix
13878 aes128 and aes256 keys. Number of keys is specified by the TLS_TICKETS_NO
13879 build option (default 3) and at least as many keys need to be present in
13880 the file. Last TLS_TICKETS_NO keys will be used for decryption and the
13881 penultimate one for encryption. This enables easy key rotation by just
13882 appending new key to the file and reloading the process. Keys must be
13883 periodically rotated (ex. every 12h) or Perfect Forward Secrecy is
13884 compromised. It is also a good idea to keep the keys off any permanent
Nenad Merdanovic188ad3e2015-02-27 19:56:50 +010013885 storage such as hard drives (hint: use tmpfs and don't swap those files).
13886 Lifetime hint can be changed using tune.ssl.timeout.
13887
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013888transparent
13889 Is an optional keyword which is supported only on certain Linux kernels. It
13890 indicates that the addresses will be bound even if they do not belong to the
13891 local machine, and that packets targeting any of these addresses will be
13892 intercepted just as if the addresses were locally configured. This normally
13893 requires that IP forwarding is enabled. Caution! do not use this with the
13894 default address '*', as it would redirect any traffic for the specified port.
13895 This keyword is available only when HAProxy is built with USE_LINUX_TPROXY=1.
13896 This parameter is only compatible with TCPv4 and TCPv6 sockets, depending on
13897 kernel version. Some distribution kernels include backports of the feature,
13898 so check for support with your vendor.
13899
Willy Tarreau77e3af92012-11-24 15:07:23 +010013900v4v6
13901 Is an optional keyword which is supported only on most recent systems
13902 including Linux kernels >= 2.4.21. It is used to bind a socket to both IPv4
13903 and IPv6 when it uses the default address. Doing so is sometimes necessary
13904 on systems which bind to IPv6 only by default. It has no effect on non-IPv6
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030013905 sockets, and is overridden by the "v6only" option.
Willy Tarreau77e3af92012-11-24 15:07:23 +010013906
Willy Tarreau9b6700f2012-11-24 11:55:28 +010013907v6only
13908 Is an optional keyword which is supported only on most recent systems
13909 including Linux kernels >= 2.4.21. It is used to bind a socket to IPv6 only
13910 when it uses the default address. Doing so is sometimes preferred to doing it
Willy Tarreau77e3af92012-11-24 15:07:23 +010013911 system-wide as it is per-listener. It has no effect on non-IPv6 sockets and
13912 has precedence over the "v4v6" option.
Willy Tarreau9b6700f2012-11-24 11:55:28 +010013913
Willy Tarreaub6205fd2012-09-24 12:27:33 +020013914uid <uid>
13915 Sets the owner of the UNIX sockets to the designated system uid. It can also
13916 be set by default in the global section's "unix-bind" statement. Note that
13917 some platforms simply ignore this. This setting is equivalent to the "user"
13918 setting except that the user numeric ID is used instead of its name. This
13919 setting is ignored by non UNIX sockets.
13920
13921user <user>
13922 Sets the owner of the UNIX sockets to the designated system user. It can also
13923 be set by default in the global section's "unix-bind" statement. Note that
13924 some platforms simply ignore this. This setting is equivalent to the "uid"
13925 setting except that the user name is used instead of its uid. This setting is
13926 ignored by non UNIX sockets.
13927
Emeric Brun1a073b42012-09-28 17:07:34 +020013928verify [none|optional|required]
13929 This setting is only available when support for OpenSSL was built in. If set
13930 to 'none', client certificate is not requested. This is the default. In other
13931 cases, a client certificate is requested. If the client does not provide a
13932 certificate after the request and if 'verify' is set to 'required', then the
13933 handshake is aborted, while it would have succeeded if set to 'optional'. The
Emeric Brunfd33a262012-10-11 16:28:27 +020013934 certificate provided by the client is always verified using CAs from
13935 'ca-file' and optional CRLs from 'crl-file'. On verify failure the handshake
13936 is aborted, regardless of the 'verify' option, unless the error code exactly
13937 matches one of those listed with 'ca-ignore-err' or 'crt-ignore-err'.
Willy Tarreau4a5cade2012-04-05 21:09:48 +020013938
Willy Tarreaub6205fd2012-09-24 12:27:33 +0200139395.2. Server and default-server options
Cyril Bontéf0c60612010-02-06 14:44:47 +010013940------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +020013941
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +010013942The "server" and "default-server" keywords support a certain number of settings
13943which are all passed as arguments on the server line. The order in which those
13944arguments appear does not count, and they are all optional. Some of those
13945settings are single words (booleans) while others expect one or several values
13946after them. In this case, the values must immediately follow the setting name.
13947Except default-server, all those settings must be specified after the server's
13948address if they are used:
Willy Tarreau6a06a402007-07-15 20:15:28 +020013949
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013950 server <name> <address>[:port] [settings ...]
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +010013951 default-server [settings ...]
Willy Tarreau6a06a402007-07-15 20:15:28 +020013952
Frédéric Lécailled2376272017-03-21 18:52:12 +010013953Note that all these settings are supported both by "server" and "default-server"
13954keywords, except "id" which is only supported by "server".
13955
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010013956The currently supported settings are the following ones.
Willy Tarreau0ba27502007-12-24 16:55:16 +010013957
Willy Tarreauceb4ac92012-04-28 00:41:46 +020013958addr <ipv4|ipv6>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013959 Using the "addr" parameter, it becomes possible to use a different IP address
Baptiste Assmann13f83532016-03-06 23:14:36 +010013960 to send health-checks or to probe the agent-check. On some servers, it may be
13961 desirable to dedicate an IP address to specific component able to perform
13962 complex tests which are more suitable to health-checks than the application.
13963 This parameter is ignored if the "check" parameter is not set. See also the
13964 "port" parameter.
Willy Tarreau6a06a402007-07-15 20:15:28 +020013965
Simon Hormand60d6912013-11-25 10:46:36 +090013966agent-check
13967 Enable an auxiliary agent check which is run independently of a regular
Willy Tarreau81f5d942013-12-09 20:51:51 +010013968 health check. An agent health check is performed by making a TCP connection
Willy Tarreau7a0139e2018-12-16 08:42:56 +010013969 to the port set by the "agent-port" parameter and reading an ASCII string
13970 terminated by the first '\r' or '\n' met. The string is made of a series of
13971 words delimited by spaces, tabs or commas in any order, each consisting of :
Simon Hormand60d6912013-11-25 10:46:36 +090013972
Willy Tarreau81f5d942013-12-09 20:51:51 +010013973 - An ASCII representation of a positive integer percentage, e.g. "75%".
Simon Hormand60d6912013-11-25 10:46:36 +090013974 Values in this format will set the weight proportional to the initial
Daniel Corbett9f0843f2021-05-08 10:50:37 -040013975 weight of a server as configured when HAProxy starts. Note that a zero
Willy Tarreauc5af3a62014-10-07 15:27:33 +020013976 weight is reported on the stats page as "DRAIN" since it has the same
13977 effect on the server (it's removed from the LB farm).
Simon Hormand60d6912013-11-25 10:46:36 +090013978
Davor Ocelice9ed2812017-12-25 17:49:28 +010013979 - The string "maxconn:" followed by an integer (no space between). Values
13980 in this format will set the maxconn of a server. The maximum number of
13981 connections advertised needs to be multiplied by the number of load
13982 balancers and different backends that use this health check to get the
13983 total number of connections the server might receive. Example: maxconn:30
Nenad Merdanovic174dd372016-04-24 23:10:06 +020013984
Willy Tarreau81f5d942013-12-09 20:51:51 +010013985 - The word "ready". This will turn the server's administrative state to the
Davor Ocelice9ed2812017-12-25 17:49:28 +010013986 READY mode, thus canceling any DRAIN or MAINT state
Simon Hormand60d6912013-11-25 10:46:36 +090013987
Willy Tarreau81f5d942013-12-09 20:51:51 +010013988 - The word "drain". This will turn the server's administrative state to the
13989 DRAIN mode, thus it will not accept any new connections other than those
13990 that are accepted via persistence.
Simon Hormand60d6912013-11-25 10:46:36 +090013991
Willy Tarreau81f5d942013-12-09 20:51:51 +010013992 - The word "maint". This will turn the server's administrative state to the
13993 MAINT mode, thus it will not accept any new connections at all, and health
13994 checks will be stopped.
Simon Hormand60d6912013-11-25 10:46:36 +090013995
William Dauchyf8e795c2020-09-26 13:35:51 +020013996 - The words "down", "fail", or "stopped", optionally followed by a
Willy Tarreau81f5d942013-12-09 20:51:51 +010013997 description string after a sharp ('#'). All of these mark the server's
13998 operating state as DOWN, but since the word itself is reported on the stats
13999 page, the difference allows an administrator to know if the situation was
14000 expected or not : the service may intentionally be stopped, may appear up
Davor Ocelice9ed2812017-12-25 17:49:28 +010014001 but fail some validity tests, or may be seen as down (e.g. missing process,
Willy Tarreau81f5d942013-12-09 20:51:51 +010014002 or port not responding).
Simon Hormand60d6912013-11-25 10:46:36 +090014003
Willy Tarreau81f5d942013-12-09 20:51:51 +010014004 - The word "up" sets back the server's operating state as UP if health checks
14005 also report that the service is accessible.
Simon Hormand60d6912013-11-25 10:46:36 +090014006
Willy Tarreau81f5d942013-12-09 20:51:51 +010014007 Parameters which are not advertised by the agent are not changed. For
14008 example, an agent might be designed to monitor CPU usage and only report a
14009 relative weight and never interact with the operating status. Similarly, an
14010 agent could be designed as an end-user interface with 3 radio buttons
14011 allowing an administrator to change only the administrative state. However,
14012 it is important to consider that only the agent may revert its own actions,
14013 so if a server is set to DRAIN mode or to DOWN state using the agent, the
14014 agent must implement the other equivalent actions to bring the service into
14015 operations again.
Simon Hormand60d6912013-11-25 10:46:36 +090014016
Simon Horman2f1f9552013-11-25 10:46:37 +090014017 Failure to connect to the agent is not considered an error as connectivity
14018 is tested by the regular health check which is enabled by the "check"
Willy Tarreau81f5d942013-12-09 20:51:51 +010014019 parameter. Warning though, it is not a good idea to stop an agent after it
14020 reports "down", since only an agent reporting "up" will be able to turn the
14021 server up again. Note that the CLI on the Unix stats socket is also able to
Willy Tarreau989222a2016-01-15 10:26:26 +010014022 force an agent's result in order to work around a bogus agent if needed.
Simon Horman2f1f9552013-11-25 10:46:37 +090014023
Willy Tarreau81f5d942013-12-09 20:51:51 +010014024 Requires the "agent-port" parameter to be set. See also the "agent-inter"
Frédéric Lécailled2376272017-03-21 18:52:12 +010014025 and "no-agent-check" parameters.
Simon Hormand60d6912013-11-25 10:46:36 +090014026
James Brown55f9ff12015-10-21 18:19:05 -070014027agent-send <string>
Daniel Corbett9f0843f2021-05-08 10:50:37 -040014028 If this option is specified, HAProxy will send the given string (verbatim)
James Brown55f9ff12015-10-21 18:19:05 -070014029 to the agent server upon connection. You could, for example, encode
14030 the backend name into this string, which would enable your agent to send
14031 different responses based on the backend. Make sure to include a '\n' if
14032 you want to terminate your request with a newline.
14033
Simon Hormand60d6912013-11-25 10:46:36 +090014034agent-inter <delay>
14035 The "agent-inter" parameter sets the interval between two agent checks
14036 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
14037
14038 Just as with every other time-based parameter, it may be entered in any
14039 other explicit unit among { us, ms, s, m, h, d }. The "agent-inter"
14040 parameter also serves as a timeout for agent checks "timeout check" is
14041 not set. In order to reduce "resonance" effects when multiple servers are
14042 hosted on the same hardware, the agent and health checks of all servers
14043 are started with a small time offset between them. It is also possible to
14044 add some random noise in the agent and health checks interval using the
14045 global "spread-checks" keyword. This makes sense for instance when a lot
14046 of backends use the same servers.
14047
14048 See also the "agent-check" and "agent-port" parameters.
14049
Misiek768d8602017-01-09 09:52:43 +010014050agent-addr <addr>
14051 The "agent-addr" parameter sets address for agent check.
14052
14053 You can offload agent-check to another target, so you can make single place
Daniel Corbett9f0843f2021-05-08 10:50:37 -040014054 managing status and weights of servers defined in HAProxy in case you can't
Misiek768d8602017-01-09 09:52:43 +010014055 make self-aware and self-managing services. You can specify both IP or
14056 hostname, it will be resolved.
14057
Simon Hormand60d6912013-11-25 10:46:36 +090014058agent-port <port>
14059 The "agent-port" parameter sets the TCP port used for agent checks.
14060
14061 See also the "agent-check" and "agent-inter" parameters.
14062
Olivier Houchard8cb2d2e2019-05-06 18:58:48 +020014063allow-0rtt
14064 Allow sending early data to the server when using TLS 1.3.
Olivier Houchard22c9b442019-05-06 19:01:04 +020014065 Note that early data will be sent only if the client used early data, or
14066 if the backend uses "retry-on" with the "0rtt-rejected" keyword.
Olivier Houchard8cb2d2e2019-05-06 18:58:48 +020014067
Olivier Houchardc7566002018-11-20 23:33:50 +010014068alpn <protocols>
14069 This enables the TLS ALPN extension and advertises the specified protocol
14070 list as supported on top of ALPN. The protocol list consists in a comma-
14071 delimited list of protocol names, for instance: "http/1.1,http/1.0" (without
John Roeslerfb2fce12019-07-10 15:45:51 -050014072 quotes). This requires that the SSL library is built with support for TLS
Olivier Houchardc7566002018-11-20 23:33:50 +010014073 extensions enabled (check with haproxy -vv). The ALPN extension replaces the
14074 initial NPN extension. ALPN is required to connect to HTTP/2 servers.
14075 Versions of OpenSSL prior to 1.0.2 didn't support ALPN and only supposed the
14076 now obsolete NPN extension.
14077 If both HTTP/2 and HTTP/1.1 are expected to be supported, both versions can
14078 be advertised, in order of preference, like below :
14079
14080 server 127.0.0.1:443 ssl crt pub.pem alpn h2,http/1.1
14081
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014082backup
14083 When "backup" is present on a server line, the server is only used in load
14084 balancing when all other non-backup servers are unavailable. Requests coming
14085 with a persistence cookie referencing the server will always be served
14086 though. By default, only the first operational backup server is used, unless
Frédéric Lécailled2376272017-03-21 18:52:12 +010014087 the "allbackups" option is set in the backend. See also the "no-backup" and
14088 "allbackups" options.
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014089
Emeric Brunef42d922012-10-11 16:11:36 +020014090ca-file <cafile>
14091 This setting is only available when support for OpenSSL was built in. It
14092 designates a PEM file from which to load CA certificates used to verify
14093 server's certificate.
14094
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014095check
Jerome Magnin90702bc2020-04-26 14:23:04 +020014096 This option enables health checks on a server:
14097 - when not set, no health checking is performed, and the server is always
14098 considered available.
14099 - when set and no other check method is configured, the server is considered
14100 available when a connection can be established at the highest configured
14101 transport layer. This means TCP by default, or SSL/TLS when "ssl" or
14102 "check-ssl" are set, both possibly combined with connection prefixes such
14103 as a PROXY protocol header when "send-proxy" or "check-send-proxy" are
14104 set.
14105 - when set and an application-level health check is defined, the
14106 application-level exchanges are performed on top of the configured
14107 transport layer and the server is considered available if all of the
14108 exchanges succeed.
14109
14110 By default, health checks are performed on the same address and port as
14111 configured on the server, using the same encapsulation parameters (SSL/TLS,
14112 proxy-protocol header, etc... ). It is possible to change the destination
14113 address using "addr" and the port using "port". When done, it is assumed the
14114 server isn't checked on the service port, and configured encapsulation
Ilya Shipitsin4329a9a2020-05-05 21:17:10 +050014115 parameters are not reused. One must explicitly set "check-send-proxy" to send
Jerome Magnin90702bc2020-04-26 14:23:04 +020014116 connection headers, "check-ssl" to use SSL/TLS.
14117
14118 When "sni" or "alpn" are set on the server line, their value is not used for
14119 health checks and one must use "check-sni" or "check-alpn".
14120
14121 The default source address for health check traffic is the same as the one
14122 defined in the backend. It can be changed with the "source" keyword.
14123
14124 The interval between checks can be set using the "inter" keyword, and the
14125 "rise" and "fall" keywords can be used to define how many successful or
14126 failed health checks are required to flag a server available or not
14127 available.
14128
14129 Optional application-level health checks can be configured with "option
14130 httpchk", "option mysql-check" "option smtpchk", "option pgsql-check",
14131 "option ldap-check", or "option redis-check".
14132
14133 Example:
14134 # simple tcp check
14135 backend foo
14136 server s1 192.168.0.1:80 check
14137 # this does a tcp connect + tls handshake
14138 backend foo
14139 server s1 192.168.0.1:443 ssl check
14140 # simple tcp check is enough for check success
14141 backend foo
14142 option tcp-check
14143 tcp-check connect
14144 server s1 192.168.0.1:443 ssl check
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014145
Willy Tarreau6c16adc2012-10-05 00:04:16 +020014146check-send-proxy
14147 This option forces emission of a PROXY protocol line with outgoing health
14148 checks, regardless of whether the server uses send-proxy or not for the
14149 normal traffic. By default, the PROXY protocol is enabled for health checks
14150 if it is already enabled for normal traffic and if no "port" nor "addr"
14151 directive is present. However, if such a directive is present, the
14152 "check-send-proxy" option needs to be used to force the use of the
14153 protocol. See also the "send-proxy" option for more information.
14154
Olivier Houchard92150142018-12-21 19:47:01 +010014155check-alpn <protocols>
14156 Defines which protocols to advertise with ALPN. The protocol list consists in
14157 a comma-delimited list of protocol names, for instance: "http/1.1,http/1.0"
14158 (without quotes). If it is not set, the server ALPN is used.
14159
Christopher Fauletedc6ed92020-04-23 16:27:59 +020014160check-proto <name>
14161 Forces the multiplexer's protocol to use for the server's health-check
14162 connections. It must be compatible with the health-check type (TCP or
14163 HTTP). It must also be usable on the backend side. The list of available
Christopher Faulet982e17d2021-03-26 14:44:18 +010014164 protocols is reported in haproxy -vv. The protocols properties are
14165 reported : the mode (TCP/HTTP), the side (FE/BE), the mux name and its flags.
14166
14167 Some protocols report errors on aborts (flag=CLEAN_ABRT). Some others are
14168 subject to the head-of-line blocking on server side (flag=HOL_RISK). Finally
14169 some protocols don't support upgrades (flag=NO_UPG). The HTX compatibility is
14170 also reported (flag=HTX).
14171
14172 Here are the protocols that may be used as argument to a "check-proto"
14173 directive on a server line:
14174
14175 h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
14176 fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
14177 h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
14178 none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
14179
Daniel Corbett67a82712020-07-06 23:01:19 -040014180 Idea behind this option is to bypass the selection of the best multiplexer's
Christopher Fauletedc6ed92020-04-23 16:27:59 +020014181 protocol for health-check connections established to this server.
14182 If not defined, the server one will be used, if set.
14183
Jérôme Magninae9bb762018-12-09 16:08:26 +010014184check-sni <sni>
Olivier Houchard9130a962017-10-17 17:33:43 +020014185 This option allows you to specify the SNI to be used when doing health checks
Jérôme Magninae9bb762018-12-09 16:08:26 +010014186 over SSL. It is only possible to use a string to set <sni>. If you want to
14187 set a SNI for proxied traffic, see "sni".
Olivier Houchard9130a962017-10-17 17:33:43 +020014188
Willy Tarreau763a95b2012-10-04 23:15:39 +020014189check-ssl
14190 This option forces encryption of all health checks over SSL, regardless of
14191 whether the server uses SSL or not for the normal traffic. This is generally
14192 used when an explicit "port" or "addr" directive is specified and SSL health
14193 checks are not inherited. It is important to understand that this option
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030014194 inserts an SSL transport layer below the checks, so that a simple TCP connect
Willy Tarreau763a95b2012-10-04 23:15:39 +020014195 check becomes an SSL connect, which replaces the old ssl-hello-chk. The most
14196 common use is to send HTTPS checks by combining "httpchk" with SSL checks.
Davor Ocelice9ed2812017-12-25 17:49:28 +010014197 All SSL settings are common to health checks and traffic (e.g. ciphers).
Frédéric Lécailled2376272017-03-21 18:52:12 +010014198 See the "ssl" option for more information and "no-check-ssl" to disable
14199 this option.
Willy Tarreau763a95b2012-10-04 23:15:39 +020014200
Alexander Liu2a54bb72019-05-22 19:44:48 +080014201check-via-socks4
John Roeslerfb2fce12019-07-10 15:45:51 -050014202 This option enables outgoing health checks using upstream socks4 proxy. By
Alexander Liu2a54bb72019-05-22 19:44:48 +080014203 default, the health checks won't go through socks tunnel even it was enabled
14204 for normal traffic.
14205
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020014206ciphers <ciphers>
Dirkjan Bussink415150f2018-09-14 11:14:21 +020014207 This setting is only available when support for OpenSSL was built in. This
14208 option sets the string describing the list of cipher algorithms that is
14209 negotiated during the SSL/TLS handshake with the server. The format of the
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +000014210 string is defined in "man 1 ciphers" from OpenSSL man pages. For background
14211 information and recommendations see e.g.
14212 (https://wiki.mozilla.org/Security/Server_Side_TLS) and
14213 (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
14214 cipher configuration, please check the "ciphersuites" keyword.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020014215
Dirkjan Bussink415150f2018-09-14 11:14:21 +020014216ciphersuites <ciphersuites>
14217 This setting is only available when support for OpenSSL was built in and
14218 OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string
14219 describing the list of cipher algorithms that is negotiated during the TLS
14220 1.3 handshake with the server. The format of the string is defined in
Bertrand Jacquin4f03ab02019-02-03 18:48:49 +000014221 "man 1 ciphers" from OpenSSL man pages under the "ciphersuites" section.
14222 For cipher configuration for TLSv1.2 and earlier, please check the "ciphers"
14223 keyword.
Dirkjan Bussink415150f2018-09-14 11:14:21 +020014224
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014225cookie <value>
14226 The "cookie" parameter sets the cookie value assigned to the server to
14227 <value>. This value will be checked in incoming requests, and the first
14228 operational server possessing the same value will be selected. In return, in
14229 cookie insertion or rewrite modes, this value will be assigned to the cookie
14230 sent to the client. There is nothing wrong in having several servers sharing
14231 the same cookie value, and it is in fact somewhat common between normal and
14232 backup servers. See also the "cookie" keyword in backend section.
14233
Emeric Brunef42d922012-10-11 16:11:36 +020014234crl-file <crlfile>
14235 This setting is only available when support for OpenSSL was built in. It
14236 designates a PEM file from which to load certificate revocation list used
14237 to verify server's certificate.
14238
Emeric Bruna7aa3092012-10-26 12:58:00 +020014239crt <cert>
14240 This setting is only available when support for OpenSSL was built in.
14241 It designates a PEM file from which to load both a certificate and the
14242 associated private key. This file can be built by concatenating both PEM
14243 files into one. This certificate will be sent if the server send a client
14244 certificate request.
14245
Remi Tricot-Le Breton7c980df2021-05-07 15:28:08 +020014246 If the file does not contain a private key, HAProxy will try to load the key
14247 at the same path suffixed by a ".key" (provided the "ssl-load-extra-files"
14248 option is set accordingly).
14249
Willy Tarreau96839092010-03-29 10:02:24 +020014250disabled
14251 The "disabled" keyword starts the server in the "disabled" state. That means
14252 that it is marked down in maintenance mode, and no connection other than the
14253 ones allowed by persist mode will reach it. It is very well suited to setup
14254 new servers, because normal traffic will never reach them, while it is still
14255 possible to test the service by making use of the force-persist mechanism.
Frédéric Lécailled2376272017-03-21 18:52:12 +010014256 See also "enabled" setting.
Willy Tarreau96839092010-03-29 10:02:24 +020014257
Frédéric Lécailled2376272017-03-21 18:52:12 +010014258enabled
14259 This option may be used as 'server' setting to reset any 'disabled'
14260 setting which would have been inherited from 'default-server' directive as
14261 default value.
14262 It may also be used as 'default-server' setting to reset any previous
14263 'default-server' 'disabled' setting.
Willy Tarreau96839092010-03-29 10:02:24 +020014264
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014265error-limit <count>
Willy Tarreau983e01e2010-01-11 18:42:06 +010014266 If health observing is enabled, the "error-limit" parameter specifies the
14267 number of consecutive errors that triggers event selected by the "on-error"
14268 option. By default it is set to 10 consecutive errors.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010014269
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014270 See also the "check", "error-limit" and "on-error".
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010014271
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014272fall <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014273 The "fall" parameter states that a server will be considered as dead after
14274 <count> consecutive unsuccessful health checks. This value defaults to 3 if
14275 unspecified. See also the "check", "inter" and "rise" parameters.
14276
Emeric Brun8694b9a2012-10-05 14:39:07 +020014277force-sslv3
14278 This option enforces use of SSLv3 only when SSL is used to communicate with
14279 the server. SSLv3 is generally less expensive than the TLS counterparts for
Emeric Brun2c86cbf2014-10-30 15:56:50 +010014280 high connection rates. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020014281 "ssl-default-server-options". See also "ssl-min-ver" and ssl-max-ver".
Emeric Brun8694b9a2012-10-05 14:39:07 +020014282
14283force-tlsv10
14284 This option enforces use of TLSv1.0 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +010014285 the server. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020014286 "ssl-default-server-options". See also "ssl-min-ver" and ssl-max-ver".
Emeric Brun8694b9a2012-10-05 14:39:07 +020014287
14288force-tlsv11
14289 This option enforces use of TLSv1.1 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +010014290 the server. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020014291 "ssl-default-server-options". See also "ssl-min-ver" and ssl-max-ver".
Emeric Brun8694b9a2012-10-05 14:39:07 +020014292
14293force-tlsv12
14294 This option enforces use of TLSv1.2 only when SSL is used to communicate with
Emeric Brun2c86cbf2014-10-30 15:56:50 +010014295 the server. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020014296 "ssl-default-server-options". See also "ssl-min-ver" and ssl-max-ver".
Emeric Brun8694b9a2012-10-05 14:39:07 +020014297
Emmanuel Hocdet42fb9802017-03-30 19:29:39 +020014298force-tlsv13
14299 This option enforces use of TLSv1.3 only when SSL is used to communicate with
14300 the server. This option is also available on global statement
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020014301 "ssl-default-server-options". See also "ssl-min-ver" and ssl-max-ver".
Emmanuel Hocdet42fb9802017-03-30 19:29:39 +020014302
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014303id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +020014304 Set a persistent ID for the server. This ID must be positive and unique for
14305 the proxy. An unused ID will automatically be assigned if unset. The first
14306 assigned value will be 1. This ID is currently only returned in statistics.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014307
Willy Tarreau6a031d12016-11-07 19:42:35 +010014308init-addr {last | libc | none | <ip>},[...]*
14309 Indicate in what order the server's address should be resolved upon startup
14310 if it uses an FQDN. Attempts are made to resolve the address by applying in
Davor Ocelice9ed2812017-12-25 17:49:28 +010014311 turn each of the methods mentioned in the comma-delimited list. The first
Willy Tarreau6a031d12016-11-07 19:42:35 +010014312 method which succeeds is used. If the end of the list is reached without
14313 finding a working method, an error is thrown. Method "last" suggests to pick
14314 the address which appears in the state file (see "server-state-file"). Method
14315 "libc" uses the libc's internal resolver (gethostbyname() or getaddrinfo()
14316 depending on the operating system and build options). Method "none"
14317 specifically indicates that the server should start without any valid IP
14318 address in a down state. It can be useful to ignore some DNS issues upon
14319 startup, waiting for the situation to get fixed later. Finally, an IP address
14320 (IPv4 or IPv6) may be provided. It can be the currently known address of the
Davor Ocelice9ed2812017-12-25 17:49:28 +010014321 server (e.g. filled by a configuration generator), or the address of a dummy
Willy Tarreau6a031d12016-11-07 19:42:35 +010014322 server used to catch old sessions and present them with a decent error
14323 message for example. When the "first" load balancing algorithm is used, this
14324 IP address could point to a fake server used to trigger the creation of new
14325 instances on the fly. This option defaults to "last,libc" indicating that the
14326 previous address found in the state file (if any) is used first, otherwise
14327 the libc's resolver is used. This ensures continued compatibility with the
Davor Ocelice9ed2812017-12-25 17:49:28 +010014328 historic behavior.
Willy Tarreau6a031d12016-11-07 19:42:35 +010014329
14330 Example:
14331 defaults
14332 # never fail on address resolution
14333 default-server init-addr last,libc,none
14334
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014335inter <delay>
14336fastinter <delay>
14337downinter <delay>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014338 The "inter" parameter sets the interval between two consecutive health checks
14339 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
14340 It is also possible to use "fastinter" and "downinter" to optimize delays
14341 between checks depending on the server state :
14342
Pieter Baauw44fc9df2015-09-17 21:30:46 +020014343 Server state | Interval used
14344 ----------------------------------------+----------------------------------
14345 UP 100% (non-transitional) | "inter"
14346 ----------------------------------------+----------------------------------
14347 Transitionally UP (going down "fall"), | "fastinter" if set,
14348 Transitionally DOWN (going up "rise"), | "inter" otherwise.
14349 or yet unchecked. |
14350 ----------------------------------------+----------------------------------
14351 DOWN 100% (non-transitional) | "downinter" if set,
14352 | "inter" otherwise.
14353 ----------------------------------------+----------------------------------
Willy Tarreaud72758d2010-01-12 10:42:19 +010014354
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014355 Just as with every other time-based parameter, they can be entered in any
14356 other explicit unit among { us, ms, s, m, h, d }. The "inter" parameter also
14357 serves as a timeout for health checks sent to servers if "timeout check" is
14358 not set. In order to reduce "resonance" effects when multiple servers are
Simon Hormand60d6912013-11-25 10:46:36 +090014359 hosted on the same hardware, the agent and health checks of all servers
14360 are started with a small time offset between them. It is also possible to
14361 add some random noise in the agent and health checks interval using the
14362 global "spread-checks" keyword. This makes sense for instance when a lot
14363 of backends use the same servers.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014364
Emeric Brun97556472020-05-30 01:42:45 +020014365log-proto <logproto>
14366 The "log-proto" specifies the protocol used to forward event messages to
14367 a server configured in a ring section. Possible values are "legacy"
14368 and "octet-count" corresponding respectively to "Non-transparent-framing"
14369 and "Octet counting" in rfc6587. "legacy" is the default.
14370
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014371maxconn <maxconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014372 The "maxconn" parameter specifies the maximal number of concurrent
14373 connections that will be sent to this server. If the number of incoming
Tim Duesterhuscefbbd92019-11-27 22:35:27 +010014374 concurrent connections goes higher than this value, they will be queued,
14375 waiting for a slot to be released. This parameter is very important as it can
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014376 save fragile servers from going down under extreme loads. If a "minconn"
14377 parameter is specified, the limit becomes dynamic. The default value is "0"
14378 which means unlimited. See also the "minconn" and "maxqueue" parameters, and
14379 the backend's "fullconn" keyword.
14380
Tim Duesterhuscefbbd92019-11-27 22:35:27 +010014381 In HTTP mode this parameter limits the number of concurrent requests instead
14382 of the number of connections. Multiple requests might be multiplexed over a
14383 single TCP connection to the server. As an example if you specify a maxconn
14384 of 50 you might see between 1 and 50 actual server connections, but no more
14385 than 50 concurrent requests.
14386
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014387maxqueue <maxqueue>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014388 The "maxqueue" parameter specifies the maximal number of connections which
14389 will wait in the queue for this server. If this limit is reached, next
14390 requests will be redispatched to other servers instead of indefinitely
14391 waiting to be served. This will break persistence but may allow people to
Willy Tarreau8ae8c482020-10-22 17:19:07 +020014392 quickly re-log in when the server they try to connect to is dying. Some load
14393 balancing algorithms such as leastconn take this into account and accept to
14394 add requests into a server's queue up to this value if it is explicitly set
14395 to a value greater than zero, which often allows to better smooth the load
14396 when dealing with single-digit maxconn values. The default value is "0" which
14397 means the queue is unlimited. See also the "maxconn" and "minconn" parameters
14398 and "balance leastconn".
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014399
Willy Tarreau9c538e02019-01-23 10:21:49 +010014400max-reuse <count>
14401 The "max-reuse" argument indicates the HTTP connection processors that they
14402 should not reuse a server connection more than this number of times to send
14403 new requests. Permitted values are -1 (the default), which disables this
14404 limit, or any positive value. Value zero will effectively disable keep-alive.
14405 This is only used to work around certain server bugs which cause them to leak
14406 resources over time. The argument is not necessarily respected by the lower
14407 layers as there might be technical limitations making it impossible to
14408 enforce. At least HTTP/2 connections to servers will respect it.
14409
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014410minconn <minconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014411 When the "minconn" parameter is set, the maxconn limit becomes a dynamic
14412 limit following the backend's load. The server will always accept at least
14413 <minconn> connections, never more than <maxconn>, and the limit will be on
14414 the ramp between both values when the backend has less than <fullconn>
14415 concurrent connections. This makes it possible to limit the load on the
14416 server during normal loads, but push it further for important loads without
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010014417 overloading the server during exceptional loads. See also the "maxconn"
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014418 and "maxqueue" parameters, as well as the "fullconn" backend keyword.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010014419
Willy Tarreaud72f0f32015-10-13 14:50:22 +020014420namespace <name>
14421 On Linux, it is possible to specify which network namespace a socket will
14422 belong to. This directive makes it possible to explicitly bind a server to
14423 a namespace different from the default one. Please refer to your operating
14424 system's documentation to find more details about network namespaces.
14425
Frédéric Lécailled2376272017-03-21 18:52:12 +010014426no-agent-check
14427 This option may be used as "server" setting to reset any "agent-check"
14428 setting which would have been inherited from "default-server" directive as
14429 default value.
14430 It may also be used as "default-server" setting to reset any previous
14431 "default-server" "agent-check" setting.
14432
14433no-backup
14434 This option may be used as "server" setting to reset any "backup"
14435 setting which would have been inherited from "default-server" directive as
14436 default value.
14437 It may also be used as "default-server" setting to reset any previous
14438 "default-server" "backup" setting.
14439
14440no-check
14441 This option may be used as "server" setting to reset any "check"
14442 setting which would have been inherited from "default-server" directive as
14443 default value.
14444 It may also be used as "default-server" setting to reset any previous
14445 "default-server" "check" setting.
14446
14447no-check-ssl
14448 This option may be used as "server" setting to reset any "check-ssl"
14449 setting which would have been inherited from "default-server" directive as
14450 default value.
14451 It may also be used as "default-server" setting to reset any previous
14452 "default-server" "check-ssl" setting.
14453
Frédéric Lécailled2376272017-03-21 18:52:12 +010014454no-send-proxy
14455 This option may be used as "server" setting to reset any "send-proxy"
14456 setting which would have been inherited from "default-server" directive as
14457 default value.
14458 It may also be used as "default-server" setting to reset any previous
14459 "default-server" "send-proxy" setting.
14460
14461no-send-proxy-v2
14462 This option may be used as "server" setting to reset any "send-proxy-v2"
14463 setting which would have been inherited from "default-server" directive as
14464 default value.
14465 It may also be used as "default-server" setting to reset any previous
14466 "default-server" "send-proxy-v2" setting.
14467
14468no-send-proxy-v2-ssl
14469 This option may be used as "server" setting to reset any "send-proxy-v2-ssl"
14470 setting which would have been inherited from "default-server" directive as
14471 default value.
14472 It may also be used as "default-server" setting to reset any previous
14473 "default-server" "send-proxy-v2-ssl" setting.
14474
14475no-send-proxy-v2-ssl-cn
14476 This option may be used as "server" setting to reset any "send-proxy-v2-ssl-cn"
14477 setting which would have been inherited from "default-server" directive as
14478 default value.
14479 It may also be used as "default-server" setting to reset any previous
14480 "default-server" "send-proxy-v2-ssl-cn" setting.
14481
14482no-ssl
14483 This option may be used as "server" setting to reset any "ssl"
14484 setting which would have been inherited from "default-server" directive as
14485 default value.
14486 It may also be used as "default-server" setting to reset any previous
14487 "default-server" "ssl" setting.
14488
William Dauchyf6370442020-11-14 19:25:33 +010014489 Note that using `default-server ssl` setting and `no-ssl` on server will
14490 however init SSL connection, so it can be later be enabled through the
14491 runtime API: see `set server` commands in management doc.
14492
Willy Tarreau2a3fb1c2015-02-05 16:47:07 +010014493no-ssl-reuse
14494 This option disables SSL session reuse when SSL is used to communicate with
14495 the server. It will force the server to perform a full handshake for every
14496 new connection. It's probably only useful for benchmarking, troubleshooting,
14497 and for paranoid users.
14498
Emeric Brun9b3009b2012-10-05 11:55:06 +020014499no-sslv3
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020014500 This option disables support for SSLv3 when SSL is used to communicate with
14501 the server. Note that SSLv2 is disabled in the code and cannot be enabled
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020014502 using any configuration option. Use "ssl-min-ver" and "ssl-max-ver" instead.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020014503
Emmanuel Hocdet6cb2d1e2017-03-30 14:43:31 +020014504 Supported in default-server: No
14505
Emeric Brunf9c5c472012-10-11 15:28:34 +020014506no-tls-tickets
14507 This setting is only available when support for OpenSSL was built in. It
14508 disables the stateless session resumption (RFC 5077 TLS Ticket
14509 extension) and force to use stateful session resumption. Stateless
Emeric Brun2c86cbf2014-10-30 15:56:50 +010014510 session resumption is more expensive in CPU usage for servers. This option
14511 is also available on global statement "ssl-default-server-options".
Lukas Tribusbdb386d2020-03-10 00:56:09 +010014512 The TLS ticket mechanism is only used up to TLS 1.2.
14513 Forward Secrecy is compromised with TLS tickets, unless ticket keys
14514 are periodically rotated (via reload or by using "tls-ticket-keys").
Frédéric Lécailled2376272017-03-21 18:52:12 +010014515 See also "tls-tickets".
Emeric Brunf9c5c472012-10-11 15:28:34 +020014516
Emeric Brun9b3009b2012-10-05 11:55:06 +020014517no-tlsv10
Emeric Brun8694b9a2012-10-05 14:39:07 +020014518 This option disables support for TLSv1.0 when SSL is used to communicate with
Emeric Brunf5da4932012-09-28 19:42:54 +020014519 the server. Note that SSLv2 is disabled in the code and cannot be enabled
14520 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +010014521 often makes sense to disable it when communicating with local servers. This
14522 option is also available on global statement "ssl-default-server-options".
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020014523 Use "ssl-min-ver" and "ssl-max-ver" instead.
Willy Tarreau763a95b2012-10-04 23:15:39 +020014524
Emmanuel Hocdet6cb2d1e2017-03-30 14:43:31 +020014525 Supported in default-server: No
14526
Emeric Brun9b3009b2012-10-05 11:55:06 +020014527no-tlsv11
Emeric Brun8694b9a2012-10-05 14:39:07 +020014528 This option disables support for TLSv1.1 when SSL is used to communicate with
Emeric Brunf5da4932012-09-28 19:42:54 +020014529 the server. Note that SSLv2 is disabled in the code and cannot be enabled
14530 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +010014531 often makes sense to disable it when communicating with local servers. This
14532 option is also available on global statement "ssl-default-server-options".
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020014533 Use "ssl-min-ver" and "ssl-max-ver" instead.
Willy Tarreau763a95b2012-10-04 23:15:39 +020014534
Emmanuel Hocdet6cb2d1e2017-03-30 14:43:31 +020014535 Supported in default-server: No
14536
Emeric Brun9b3009b2012-10-05 11:55:06 +020014537no-tlsv12
Emeric Brun8694b9a2012-10-05 14:39:07 +020014538 This option disables support for TLSv1.2 when SSL is used to communicate with
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020014539 the server. Note that SSLv2 is disabled in the code and cannot be enabled
14540 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun2c86cbf2014-10-30 15:56:50 +010014541 often makes sense to disable it when communicating with local servers. This
14542 option is also available on global statement "ssl-default-server-options".
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020014543 Use "ssl-min-ver" and "ssl-max-ver" instead.
Emmanuel Hocdet42fb9802017-03-30 19:29:39 +020014544
14545 Supported in default-server: No
14546
14547no-tlsv13
14548 This option disables support for TLSv1.3 when SSL is used to communicate with
14549 the server. Note that SSLv2 is disabled in the code and cannot be enabled
14550 using any configuration option. TLSv1 is more expensive than SSLv3 so it
14551 often makes sense to disable it when communicating with local servers. This
14552 option is also available on global statement "ssl-default-server-options".
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020014553 Use "ssl-min-ver" and "ssl-max-ver" instead.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020014554
Emmanuel Hocdet6cb2d1e2017-03-30 14:43:31 +020014555 Supported in default-server: No
14556
Frédéric Lécailled2376272017-03-21 18:52:12 +010014557no-verifyhost
14558 This option may be used as "server" setting to reset any "verifyhost"
14559 setting which would have been inherited from "default-server" directive as
14560 default value.
14561 It may also be used as "default-server" setting to reset any previous
14562 "default-server" "verifyhost" setting.
Willy Tarreau763a95b2012-10-04 23:15:39 +020014563
Frédéric Lécaille1b9423d2019-07-04 14:19:06 +020014564no-tfo
14565 This option may be used as "server" setting to reset any "tfo"
14566 setting which would have been inherited from "default-server" directive as
14567 default value.
14568 It may also be used as "default-server" setting to reset any previous
14569 "default-server" "tfo" setting.
14570
Simon Hormanfa461682011-06-25 09:39:49 +090014571non-stick
14572 Never add connections allocated to this sever to a stick-table.
14573 This may be used in conjunction with backup to ensure that
14574 stick-table persistence is disabled for backup servers.
14575
Olivier Houchardc7566002018-11-20 23:33:50 +010014576npn <protocols>
14577 This enables the NPN TLS extension and advertises the specified protocol list
14578 as supported on top of NPN. The protocol list consists in a comma-delimited
14579 list of protocol names, for instance: "http/1.1,http/1.0" (without quotes).
John Roeslerfb2fce12019-07-10 15:45:51 -050014580 This requires that the SSL library is built with support for TLS extensions
Olivier Houchardc7566002018-11-20 23:33:50 +010014581 enabled (check with haproxy -vv). Note that the NPN extension has been
14582 replaced with the ALPN extension (see the "alpn" keyword), though this one is
14583 only available starting with OpenSSL 1.0.2.
14584
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010014585observe <mode>
14586 This option enables health adjusting based on observing communication with
14587 the server. By default this functionality is disabled and enabling it also
14588 requires to enable health checks. There are two supported modes: "layer4" and
14589 "layer7". In layer4 mode, only successful/unsuccessful tcp connections are
14590 significant. In layer7, which is only allowed for http proxies, responses
14591 received from server are verified, like valid/wrong http code, unparsable
Willy Tarreau150d1462012-03-10 08:19:02 +010014592 headers, a timeout, etc. Valid status codes include 100 to 499, 501 and 505.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010014593
14594 See also the "check", "on-error" and "error-limit".
14595
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014596on-error <mode>
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010014597 Select what should happen when enough consecutive errors are detected.
14598 Currently, four modes are available:
14599 - fastinter: force fastinter
14600 - fail-check: simulate a failed check, also forces fastinter (default)
14601 - sudden-death: simulate a pre-fatal failed health check, one more failed
14602 check will mark a server down, forces fastinter
14603 - mark-down: mark the server immediately down and force fastinter
14604
14605 See also the "check", "observe" and "error-limit".
14606
Simon Hormane0d1bfb2011-06-21 14:34:58 +090014607on-marked-down <action>
14608 Modify what occurs when a server is marked down.
14609 Currently one action is available:
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070014610 - shutdown-sessions: Shutdown peer sessions. When this setting is enabled,
14611 all connections to the server are immediately terminated when the server
14612 goes down. It might be used if the health check detects more complex cases
14613 than a simple connection status, and long timeouts would cause the service
14614 to remain unresponsive for too long a time. For instance, a health check
14615 might detect that a database is stuck and that there's no chance to reuse
14616 existing connections anymore. Connections killed this way are logged with
14617 a 'D' termination code (for "Down").
Simon Hormane0d1bfb2011-06-21 14:34:58 +090014618
14619 Actions are disabled by default
14620
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070014621on-marked-up <action>
14622 Modify what occurs when a server is marked up.
14623 Currently one action is available:
14624 - shutdown-backup-sessions: Shutdown sessions on all backup servers. This is
14625 done only if the server is not in backup state and if it is not disabled
14626 (it must have an effective weight > 0). This can be used sometimes to force
14627 an active server to take all the traffic back after recovery when dealing
Davor Ocelice9ed2812017-12-25 17:49:28 +010014628 with long sessions (e.g. LDAP, SQL, ...). Doing this can cause more trouble
14629 than it tries to solve (e.g. incomplete transactions), so use this feature
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070014630 with extreme care. Sessions killed because a server comes up are logged
14631 with an 'U' termination code (for "Up").
14632
14633 Actions are disabled by default
14634
Willy Tarreau2f3f4d32020-07-01 07:43:51 +020014635pool-low-conn <max>
14636 Set a low threshold on the number of idling connections for a server, below
14637 which a thread will not try to steal a connection from another thread. This
14638 can be useful to improve CPU usage patterns in scenarios involving many very
14639 fast servers, in order to ensure all threads will keep a few idle connections
14640 all the time instead of letting them accumulate over one thread and migrating
14641 them from thread to thread. Typical values of twice the number of threads
14642 seem to show very good performance already with sub-millisecond response
14643 times. The default is zero, indicating that any idle connection can be used
14644 at any time. It is the recommended setting for normal use. This only applies
14645 to connections that can be shared according to the same principles as those
Willy Tarreau0784db82021-02-19 11:45:22 +010014646 applying to "http-reuse". In case connection sharing between threads would
14647 be disabled via "tune.idle-pool.shared", it can become very important to use
14648 this setting to make sure each thread always has a few connections, or the
14649 connection reuse rate will decrease as thread count increases.
Willy Tarreau2f3f4d32020-07-01 07:43:51 +020014650
Olivier Houchard006e3102018-12-10 18:30:32 +010014651pool-max-conn <max>
14652 Set the maximum number of idling connections for a server. -1 means unlimited
14653 connections, 0 means no idle connections. The default is -1. When idle
14654 connections are enabled, orphaned idle connections which do not belong to any
14655 client session anymore are moved to a dedicated pool so that they remain
14656 usable by future clients. This only applies to connections that can be shared
14657 according to the same principles as those applying to "http-reuse".
14658
Olivier Houchardb7b3faa2018-12-14 18:15:36 +010014659pool-purge-delay <delay>
14660 Sets the delay to start purging idle connections. Each <delay> interval, half
Olivier Houcharda56eebf2019-03-19 16:44:02 +010014661 of the idle connections are closed. 0 means we don't keep any idle connection.
Willy Tarreaufb553652019-06-04 14:06:31 +020014662 The default is 5s.
Olivier Houchardb7b3faa2018-12-14 18:15:36 +010014663
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014664port <port>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014665 Using the "port" parameter, it becomes possible to use a different port to
William Dauchy4858fb22021-02-03 22:30:09 +010014666 send health-checks or to probe the agent-check. On some servers, it may be
14667 desirable to dedicate a port to a specific component able to perform complex
14668 tests which are more suitable to health-checks than the application. It is
14669 common to run a simple script in inetd for instance. This parameter is
14670 ignored if the "check" parameter is not set. See also the "addr" parameter.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014671
Christopher Faulet8ed0a3e2018-04-10 14:45:45 +020014672proto <name>
Christopher Faulet8ed0a3e2018-04-10 14:45:45 +020014673 Forces the multiplexer's protocol to use for the outgoing connections to this
14674 server. It must be compatible with the mode of the backend (TCP or HTTP). It
14675 must also be usable on the backend side. The list of available protocols is
Christopher Faulet982e17d2021-03-26 14:44:18 +010014676 reported in haproxy -vv.The protocols properties are reported : the mode
14677 (TCP/HTTP), the side (FE/BE), the mux name and its flags.
14678
14679 Some protocols report errors on aborts (flag=CLEAN_ABRT). Some others are
14680 subject to the head-of-line blocking on server side (flag=HOL_RISK). Finally
14681 some protocols don't support upgrades (flag=NO_UPG). The HTX compatibility is
14682 also reported (flag=HTX).
14683
14684 Here are the protocols that may be used as argument to a "proto" directive on
14685 a server line :
14686
14687 h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
14688 fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
14689 h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
14690 none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
14691
Daniel Corbett67a82712020-07-06 23:01:19 -040014692 Idea behind this option is to bypass the selection of the best multiplexer's
Christopher Faulet8ed0a3e2018-04-10 14:45:45 +020014693 protocol for all connections established to this server.
14694
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014695redir <prefix>
14696 The "redir" parameter enables the redirection mode for all GET and HEAD
14697 requests addressing this server. This means that instead of having HAProxy
14698 forward the request to the server, it will send an "HTTP 302" response with
14699 the "Location" header composed of this prefix immediately followed by the
14700 requested URI beginning at the leading '/' of the path component. That means
14701 that no trailing slash should be used after <prefix>. All invalid requests
14702 will be rejected, and all non-GET or HEAD requests will be normally served by
14703 the server. Note that since the response is completely forged, no header
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010014704 mangling nor cookie insertion is possible in the response. However, cookies in
Davor Ocelice9ed2812017-12-25 17:49:28 +010014705 requests are still analyzed, making this solution completely usable to direct
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014706 users to a remote location in case of local disaster. Main use consists in
14707 increasing bandwidth for static servers by having the clients directly
14708 connect to them. Note: never use a relative location here, it would cause a
14709 loop between the client and HAProxy!
14710
14711 Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
14712
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014713rise <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014714 The "rise" parameter states that a server will be considered as operational
14715 after <count> consecutive successful health checks. This value defaults to 2
14716 if unspecified. See also the "check", "inter" and "fall" parameters.
14717
Baptiste Assmann8e2d9432018-06-22 15:04:43 +020014718resolve-opts <option>,<option>,...
14719 Comma separated list of options to apply to DNS resolution linked to this
14720 server.
14721
14722 Available options:
14723
14724 * allow-dup-ip
14725 By default, HAProxy prevents IP address duplication in a backend when DNS
14726 resolution at runtime is in operation.
14727 That said, for some cases, it makes sense that two servers (in the same
14728 backend, being resolved by the same FQDN) have the same IP address.
14729 For such case, simply enable this option.
14730 This is the opposite of prevent-dup-ip.
14731
Daniel Corbettf8716912019-11-17 09:48:56 -050014732 * ignore-weight
14733 Ignore any weight that is set within an SRV record. This is useful when
14734 you would like to control the weights using an alternate method, such as
14735 using an "agent-check" or through the runtime api.
14736
Baptiste Assmann8e2d9432018-06-22 15:04:43 +020014737 * prevent-dup-ip
14738 Ensure HAProxy's default behavior is enforced on a server: prevent re-using
14739 an IP address already set to a server in the same backend and sharing the
14740 same fqdn.
14741 This is the opposite of allow-dup-ip.
14742
14743 Example:
14744 backend b_myapp
14745 default-server init-addr none resolvers dns
14746 server s1 myapp.example.com:80 check resolve-opts allow-dup-ip
14747 server s2 myapp.example.com:81 check resolve-opts allow-dup-ip
14748
14749 With the option allow-dup-ip set:
14750 * if the nameserver returns a single IP address, then both servers will use
14751 it
14752 * If the nameserver returns 2 IP addresses, then each server will pick up a
14753 different address
14754
14755 Default value: not set
14756
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014757resolve-prefer <family>
14758 When DNS resolution is enabled for a server and multiple IP addresses from
14759 different families are returned, HAProxy will prefer using an IP address
14760 from the family mentioned in the "resolve-prefer" parameter.
14761 Available families: "ipv4" and "ipv6"
14762
Baptiste Assmannc4aabae2015-08-04 22:43:06 +020014763 Default value: ipv6
14764
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +020014765 Example:
14766
14767 server s1 app1.domain.com:80 resolvers mydns resolve-prefer ipv6
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014768
Thierry Fournierac88cfe2016-02-17 22:05:30 +010014769resolve-net <network>[,<network[,...]]
John Roeslerfb2fce12019-07-10 15:45:51 -050014770 This option prioritizes the choice of an ip address matching a network. This is
Thierry Fournierac88cfe2016-02-17 22:05:30 +010014771 useful with clouds to prefer a local ip. In some cases, a cloud high
Tim Düsterhus4896c442016-11-29 02:15:19 +010014772 availability service can be announced with many ip addresses on many
Davor Ocelice9ed2812017-12-25 17:49:28 +010014773 different datacenters. The latency between datacenter is not negligible, so
14774 this patch permits to prefer a local datacenter. If no address matches the
Thierry Fournierac88cfe2016-02-17 22:05:30 +010014775 configured network, another address is selected.
14776
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +020014777 Example:
14778
14779 server s1 app1.domain.com:80 resolvers mydns resolve-net 10.0.0.0/8
Thierry Fournierac88cfe2016-02-17 22:05:30 +010014780
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014781resolvers <id>
14782 Points to an existing "resolvers" section to resolve current server's
14783 hostname.
14784
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +020014785 Example:
14786
14787 server s1 app1.domain.com:80 check resolvers mydns
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014788
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +020014789 See also section 5.3
Baptiste Assmann1fa66662015-04-14 00:28:47 +020014790
Willy Tarreau5ab04ec2011-03-20 10:32:26 +010014791send-proxy
14792 The "send-proxy" parameter enforces use of the PROXY protocol over any
14793 connection established to this server. The PROXY protocol informs the other
14794 end about the layer 3/4 addresses of the incoming connection, so that it can
14795 know the client's address or the public address it accessed to, whatever the
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010014796 upper layer protocol. For connections accepted by an "accept-proxy" or
14797 "accept-netscaler-cip" listener, the advertised address will be used. Only
14798 TCPv4 and TCPv6 address families are supported. Other families such as
14799 Unix sockets, will report an UNKNOWN family. Servers using this option can
Daniel Corbett9f0843f2021-05-08 10:50:37 -040014800 fully be chained to another instance of HAProxy listening with an
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010014801 "accept-proxy" setting. This setting must not be used if the server isn't
14802 aware of the protocol. When health checks are sent to the server, the PROXY
14803 protocol is automatically used when this option is set, unless there is an
14804 explicit "port" or "addr" directive, in which case an explicit
14805 "check-send-proxy" directive would also be needed to use the PROXY protocol.
Frédéric Lécailled2376272017-03-21 18:52:12 +010014806 See also the "no-send-proxy" option of this section and "accept-proxy" and
14807 "accept-netscaler-cip" option of the "bind" keyword.
Willy Tarreau5ab04ec2011-03-20 10:32:26 +010014808
David Safb76832014-05-08 23:42:08 -040014809send-proxy-v2
14810 The "send-proxy-v2" parameter enforces use of the PROXY protocol version 2
14811 over any connection established to this server. The PROXY protocol informs
14812 the other end about the layer 3/4 addresses of the incoming connection, so
14813 that it can know the client's address or the public address it accessed to,
Emmanuel Hocdet404d9782017-10-24 10:55:14 +020014814 whatever the upper layer protocol. It also send ALPN information if an alpn
14815 have been negotiated. This setting must not be used if the server isn't aware
14816 of this version of the protocol. See also the "no-send-proxy-v2" option of
14817 this section and send-proxy" option of the "bind" keyword.
David Safb76832014-05-08 23:42:08 -040014818
Emmanuel Hocdetf643b802018-02-01 15:20:32 +010014819proxy-v2-options <option>[,<option>]*
Tim Duesterhuscf6e0c82020-03-13 12:34:24 +010014820 The "proxy-v2-options" parameter add options to send in PROXY protocol
14821 version 2 when "send-proxy-v2" is used. Options available are:
14822
14823 - ssl : See also "send-proxy-v2-ssl".
14824 - cert-cn : See also "send-proxy-v2-ssl-cn".
14825 - ssl-cipher: Name of the used cipher.
14826 - cert-sig : Signature algorithm of the used certificate.
14827 - cert-key : Key algorithm of the used certificate
14828 - authority : Host name value passed by the client (only SNI from a TLS
14829 connection is supported).
14830 - crc32c : Checksum of the PROXYv2 header.
14831 - unique-id : Send a unique ID generated using the frontend's
14832 "unique-id-format" within the PROXYv2 header.
14833 This unique-id is primarily meant for "mode tcp". It can
14834 lead to unexpected results in "mode http", because the
14835 generated unique ID is also used for the first HTTP request
14836 within a Keep-Alive connection.
Emmanuel Hocdetf643b802018-02-01 15:20:32 +010014837
David Safb76832014-05-08 23:42:08 -040014838send-proxy-v2-ssl
14839 The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
14840 2 over any connection established to this server. The PROXY protocol informs
14841 the other end about the layer 3/4 addresses of the incoming connection, so
14842 that it can know the client's address or the public address it accessed to,
14843 whatever the upper layer protocol. In addition, the SSL information extension
14844 of the PROXY protocol is added to the PROXY protocol header. This setting
14845 must not be used if the server isn't aware of this version of the protocol.
Frédéric Lécailled2376272017-03-21 18:52:12 +010014846 See also the "no-send-proxy-v2-ssl" option of this section and the
14847 "send-proxy-v2" option of the "bind" keyword.
David Safb76832014-05-08 23:42:08 -040014848
14849send-proxy-v2-ssl-cn
14850 The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
14851 2 over any connection established to this server. The PROXY protocol informs
14852 the other end about the layer 3/4 addresses of the incoming connection, so
14853 that it can know the client's address or the public address it accessed to,
14854 whatever the upper layer protocol. In addition, the SSL information extension
14855 of the PROXY protocol, along along with the Common Name from the subject of
14856 the client certificate (if any), is added to the PROXY protocol header. This
14857 setting must not be used if the server isn't aware of this version of the
Davor Ocelice9ed2812017-12-25 17:49:28 +010014858 protocol. See also the "no-send-proxy-v2-ssl-cn" option of this section and
14859 the "send-proxy-v2" option of the "bind" keyword.
David Safb76832014-05-08 23:42:08 -040014860
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014861slowstart <start_time_in_ms>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014862 The "slowstart" parameter for a server accepts a value in milliseconds which
14863 indicates after how long a server which has just come back up will run at
14864 full speed. Just as with every other time-based parameter, it can be entered
14865 in any other explicit unit among { us, ms, s, m, h, d }. The speed grows
14866 linearly from 0 to 100% during this time. The limitation applies to two
14867 parameters :
14868
14869 - maxconn: the number of connections accepted by the server will grow from 1
14870 to 100% of the usual dynamic limit defined by (minconn,maxconn,fullconn).
14871
14872 - weight: when the backend uses a dynamic weighted algorithm, the weight
14873 grows linearly from 1 to 100%. In this case, the weight is updated at every
14874 health-check. For this reason, it is important that the "inter" parameter
14875 is smaller than the "slowstart", in order to maximize the number of steps.
14876
Daniel Corbett9f0843f2021-05-08 10:50:37 -040014877 The slowstart never applies when HAProxy starts, otherwise it would cause
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014878 trouble to running servers. It only applies when a server has been previously
14879 seen as failed.
14880
Willy Tarreau732eac42015-07-09 11:40:25 +020014881sni <expression>
14882 The "sni" parameter evaluates the sample fetch expression, converts it to a
14883 string and uses the result as the host name sent in the SNI TLS extension to
14884 the server. A typical use case is to send the SNI received from the client in
14885 a bridged HTTPS scenario, using the "ssl_fc_sni" sample fetch for the
Willy Tarreau2ab88672017-07-05 18:23:03 +020014886 expression, though alternatives such as req.hdr(host) can also make sense. If
14887 "verify required" is set (which is the recommended setting), the resulting
Willy Tarreauad92a9a2017-07-28 11:38:41 +020014888 name will also be matched against the server certificate's names. See the
Jérôme Magninb36a6d22018-12-09 16:03:40 +010014889 "verify" directive for more details. If you want to set a SNI for health
14890 checks, see the "check-sni" directive for more details.
Willy Tarreau732eac42015-07-09 11:40:25 +020014891
Willy Tarreauc6f4ce82009-06-10 11:09:37 +020014892source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +020014893source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreauc6f4ce82009-06-10 11:09:37 +020014894source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014895 The "source" parameter sets the source address which will be used when
14896 connecting to the server. It follows the exact same parameters and principle
14897 as the backend "source" keyword, except that it only applies to the server
14898 referencing it. Please consult the "source" keyword for details.
14899
Willy Tarreauc6f4ce82009-06-10 11:09:37 +020014900 Additionally, the "source" statement on a server line allows one to specify a
14901 source port range by indicating the lower and higher bounds delimited by a
14902 dash ('-'). Some operating systems might require a valid IP address when a
14903 source port range is specified. It is permitted to have the same IP/range for
14904 several servers. Doing so makes it possible to bypass the maximum of 64k
14905 total concurrent connections. The limit will then reach 64k connections per
14906 server.
14907
Lukas Tribus7d56c6d2016-09-13 09:51:15 +000014908 Since Linux 4.2/libc 2.23 IP_BIND_ADDRESS_NO_PORT is set for connections
14909 specifying the source address without port(s).
14910
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020014911ssl
Willy Tarreau44f65392013-06-25 07:56:20 +020014912 This option enables SSL ciphering on outgoing connections to the server. It
14913 is critical to verify server certificates using "verify" when using SSL to
14914 connect to servers, otherwise the communication is prone to trivial man in
14915 the-middle attacks rendering SSL useless. When this option is used, health
14916 checks are automatically sent in SSL too unless there is a "port" or an
14917 "addr" directive indicating the check should be sent to a different location.
Frédéric Lécailled2376272017-03-21 18:52:12 +010014918 See the "no-ssl" to disable "ssl" option and "check-ssl" option to force
14919 SSL health checks.
Willy Tarreau763a95b2012-10-04 23:15:39 +020014920
Emmanuel Hocdete1c722b2017-03-31 15:02:54 +020014921ssl-max-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
14922 This option enforces use of <version> or lower when SSL is used to communicate
14923 with the server. This option is also available on global statement
14924 "ssl-default-server-options". See also "ssl-min-ver".
14925
14926ssl-min-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
14927 This option enforces use of <version> or upper when SSL is used to communicate
14928 with the server. This option is also available on global statement
14929 "ssl-default-server-options". See also "ssl-max-ver".
14930
Frédéric Lécailled2376272017-03-21 18:52:12 +010014931ssl-reuse
14932 This option may be used as "server" setting to reset any "no-ssl-reuse"
14933 setting which would have been inherited from "default-server" directive as
14934 default value.
14935 It may also be used as "default-server" setting to reset any previous
14936 "default-server" "no-ssl-reuse" setting.
14937
14938stick
14939 This option may be used as "server" setting to reset any "non-stick"
14940 setting which would have been inherited from "default-server" directive as
14941 default value.
14942 It may also be used as "default-server" setting to reset any previous
14943 "default-server" "non-stick" setting.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +020014944
Alexander Liu2a54bb72019-05-22 19:44:48 +080014945socks4 <addr>:<port>
John Roeslerfb2fce12019-07-10 15:45:51 -050014946 This option enables upstream socks4 tunnel for outgoing connections to the
Alexander Liu2a54bb72019-05-22 19:44:48 +080014947 server. Using this option won't force the health check to go via socks4 by
14948 default. You will have to use the keyword "check-via-socks4" to enable it.
14949
Willy Tarreau163d4622015-10-13 16:16:41 +020014950tcp-ut <delay>
14951 Sets the TCP User Timeout for all outgoing connections to this server. This
Daniel Corbett9f0843f2021-05-08 10:50:37 -040014952 option is available on Linux since version 2.6.37. It allows HAProxy to
Willy Tarreau163d4622015-10-13 16:16:41 +020014953 configure a timeout for sockets which contain data not receiving an
Davor Ocelice9ed2812017-12-25 17:49:28 +010014954 acknowledgment for the configured delay. This is especially useful on
Willy Tarreau163d4622015-10-13 16:16:41 +020014955 long-lived connections experiencing long idle periods such as remote
14956 terminals or database connection pools, where the client and server timeouts
14957 must remain high to allow a long period of idle, but where it is important to
14958 detect that the server has disappeared in order to release all resources
14959 associated with its connection (and the client's session). One typical use
14960 case is also to force dead server connections to die when health checks are
14961 too slow or during a soft reload since health checks are then disabled. The
14962 argument is a delay expressed in milliseconds by default. This only works for
14963 regular TCP connections, and is ignored for other protocols.
14964
Willy Tarreau034c88c2017-01-23 23:36:45 +010014965tfo
14966 This option enables using TCP fast open when connecting to servers, on
14967 systems that support it (currently only the Linux kernel >= 4.11).
14968 See the "tfo" bind option for more information about TCP fast open.
14969 Please note that when using tfo, you should also use the "conn-failure",
Daniel Corbett9f0843f2021-05-08 10:50:37 -040014970 "empty-response" and "response-timeout" keywords for "retry-on", or HAProxy
Frédéric Lécaille1b9423d2019-07-04 14:19:06 +020014971 won't be able to retry the connection on failure. See also "no-tfo".
Willy Tarreau034c88c2017-01-23 23:36:45 +010014972
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014973track [<proxy>/]<server>
Willy Tarreau32091232014-05-16 13:52:00 +020014974 This option enables ability to set the current state of the server by tracking
14975 another one. It is possible to track a server which itself tracks another
14976 server, provided that at the end of the chain, a server has health checks
14977 enabled. If <proxy> is omitted the current one is used. If disable-on-404 is
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014978 used, it has to be enabled on both proxies.
14979
Frédéric Lécailled2376272017-03-21 18:52:12 +010014980tls-tickets
14981 This option may be used as "server" setting to reset any "no-tls-tickets"
14982 setting which would have been inherited from "default-server" directive as
14983 default value.
Lukas Tribusbdb386d2020-03-10 00:56:09 +010014984 The TLS ticket mechanism is only used up to TLS 1.2.
14985 Forward Secrecy is compromised with TLS tickets, unless ticket keys
14986 are periodically rotated (via reload or by using "tls-ticket-keys").
Frédéric Lécailled2376272017-03-21 18:52:12 +010014987 It may also be used as "default-server" setting to reset any previous
Bjoern Jacke5ab7eb62020-02-13 14:16:16 +010014988 "default-server" "no-tls-tickets" setting.
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010014989
Emeric Brunef42d922012-10-11 16:11:36 +020014990verify [none|required]
14991 This setting is only available when support for OpenSSL was built in. If set
Emeric Brun850efd52014-01-29 12:24:34 +010014992 to 'none', server certificate is not verified. In the other case, The
Willy Tarreauad92a9a2017-07-28 11:38:41 +020014993 certificate provided by the server is verified using CAs from 'ca-file' and
14994 optional CRLs from 'crl-file' after having checked that the names provided in
Davor Ocelice9ed2812017-12-25 17:49:28 +010014995 the certificate's subject and subjectAlternateNames attributes match either
Willy Tarreauad92a9a2017-07-28 11:38:41 +020014996 the name passed using the "sni" directive, or if not provided, the static
14997 host name passed using the "verifyhost" directive. When no name is found, the
14998 certificate's names are ignored. For this reason, without SNI it's important
14999 to use "verifyhost". On verification failure the handshake is aborted. It is
15000 critically important to verify server certificates when using SSL to connect
15001 to servers, otherwise the communication is prone to trivial man-in-the-middle
15002 attacks rendering SSL totally useless. Unless "ssl_server_verify" appears in
15003 the global section, "verify" is set to "required" by default.
Emeric Brunef42d922012-10-11 16:11:36 +020015004
Evan Broderbe554312013-06-27 00:05:25 -070015005verifyhost <hostname>
15006 This setting is only available when support for OpenSSL was built in, and
Willy Tarreauad92a9a2017-07-28 11:38:41 +020015007 only takes effect if 'verify required' is also specified. This directive sets
15008 a default static hostname to check the server's certificate against when no
15009 SNI was used to connect to the server. If SNI is not used, this is the only
15010 way to enable hostname verification. This static hostname, when set, will
15011 also be used for health checks (which cannot provide an SNI value). If none
15012 of the hostnames in the certificate match the specified hostname, the
15013 handshake is aborted. The hostnames in the server-provided certificate may
15014 include wildcards. See also "verify", "sni" and "no-verifyhost" options.
Evan Broderbe554312013-06-27 00:05:25 -070015015
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +010015016weight <weight>
Willy Tarreauc57f0e22009-05-10 13:12:33 +020015017 The "weight" parameter is used to adjust the server's weight relative to
15018 other servers. All servers will receive a load proportional to their weight
15019 relative to the sum of all weights, so the higher the weight, the higher the
Willy Tarreau6704d672009-06-15 10:56:05 +020015020 load. The default weight is 1, and the maximal value is 256. A value of 0
15021 means the server will not participate in load-balancing but will still accept
15022 persistent connections. If this parameter is used to distribute the load
15023 according to server's capacity, it is recommended to start with values which
15024 can both grow and shrink, for instance between 10 and 100 to leave enough
15025 room above and below for later adjustments.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020015026
15027
Cyril Bonté46175dd2015-07-02 22:45:32 +0200150285.3. Server IP address resolution using DNS
15029-------------------------------------------
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015030
Baptiste Assmann62b75b42015-09-09 01:11:36 +020015031HAProxy allows using a host name on the server line to retrieve its IP address
15032using name servers. By default, HAProxy resolves the name when parsing the
Thayne McCombscdbcca92021-01-07 21:24:41 -070015033configuration file, at startup and cache the result for the process's life.
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015034This is not sufficient in some cases, such as in Amazon where a server's IP
15035can change after a reboot or an ELB Virtual IP can change based on current
15036workload.
15037This chapter describes how HAProxy can be configured to process server's name
15038resolution at run time.
15039Whether run time server name resolution has been enable or not, HAProxy will
15040carry on doing the first resolution when parsing the configuration.
15041
15042
Cyril Bonté46175dd2015-07-02 22:45:32 +0200150435.3.1. Global overview
15044----------------------
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015045
15046As we've seen in introduction, name resolution in HAProxy occurs at two
15047different steps of the process life:
15048
15049 1. when starting up, HAProxy parses the server line definition and matches a
15050 host name. It uses libc functions to get the host name resolved. This
15051 resolution relies on /etc/resolv.conf file.
15052
Christopher Faulet67957bd2017-09-27 11:00:59 +020015053 2. at run time, HAProxy performs periodically name resolutions for servers
15054 requiring DNS resolutions.
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015055
15056A few other events can trigger a name resolution at run time:
15057 - when a server's health check ends up in a connection timeout: this may be
15058 because the server has a new IP address. So we need to trigger a name
15059 resolution to know this new IP.
15060
Christopher Faulet67957bd2017-09-27 11:00:59 +020015061When using resolvers, the server name can either be a hostname, or a SRV label.
Davor Ocelice9ed2812017-12-25 17:49:28 +010015062HAProxy considers anything that starts with an underscore as a SRV label. If a
Christopher Faulet67957bd2017-09-27 11:00:59 +020015063SRV label is specified, then the corresponding SRV records will be retrieved
15064from the DNS server, and the provided hostnames will be used. The SRV label
Daniel Corbett9f0843f2021-05-08 10:50:37 -040015065will be checked periodically, and if any server are added or removed, HAProxy
Christopher Faulet67957bd2017-09-27 11:00:59 +020015066will automatically do the same.
Olivier Houchardecfa18d2017-08-07 17:30:03 +020015067
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015068A few things important to notice:
John Roeslerfb2fce12019-07-10 15:45:51 -050015069 - all the name servers are queried in the meantime. HAProxy will process the
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015070 first valid response.
15071
15072 - a resolution is considered as invalid (NX, timeout, refused), when all the
15073 servers return an error.
15074
15075
Cyril Bonté46175dd2015-07-02 22:45:32 +0200150765.3.2. The resolvers section
15077----------------------------
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015078
15079This section is dedicated to host information related to name resolution in
Christopher Faulet67957bd2017-09-27 11:00:59 +020015080HAProxy. There can be as many as resolvers section as needed. Each section can
15081contain many name servers.
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015082
Baptiste Assmann62b75b42015-09-09 01:11:36 +020015083When multiple name servers are configured in a resolvers section, then HAProxy
15084uses the first valid response. In case of invalid responses, only the last one
15085is treated. Purpose is to give the chance to a slow server to deliver a valid
15086answer after a fast faulty or outdated server.
15087
15088When each server returns a different error type, then only the last error is
Christopher Faulet67957bd2017-09-27 11:00:59 +020015089used by HAProxy. The following processing is applied on this error:
Baptiste Assmann62b75b42015-09-09 01:11:36 +020015090
Christopher Faulet67957bd2017-09-27 11:00:59 +020015091 1. HAProxy retries the same DNS query with a new query type. The A queries are
15092 switch to AAAA or the opposite. SRV queries are not concerned here. Timeout
15093 errors are also excluded.
Baptiste Assmann62b75b42015-09-09 01:11:36 +020015094
Christopher Faulet67957bd2017-09-27 11:00:59 +020015095 2. When the fallback on the query type was done (or not applicable), HAProxy
15096 retries the original DNS query, with the preferred query type.
Baptiste Assmann62b75b42015-09-09 01:11:36 +020015097
Christopher Faulet67957bd2017-09-27 11:00:59 +020015098 3. HAProxy retries previous steps <resolve_retires> times. If no valid
15099 response is received after that, it stops the DNS resolution and reports
15100 the error.
Baptiste Assmann62b75b42015-09-09 01:11:36 +020015101
Christopher Faulet67957bd2017-09-27 11:00:59 +020015102For example, with 2 name servers configured in a resolvers section, the
15103following scenarios are possible:
15104
15105 - First response is valid and is applied directly, second response is
15106 ignored
15107
15108 - First response is invalid and second one is valid, then second response is
15109 applied
15110
15111 - First response is a NX domain and second one a truncated response, then
15112 HAProxy retries the query with a new type
15113
15114 - First response is a NX domain and second one is a timeout, then HAProxy
15115 retries the query with a new type
15116
15117 - Query timed out for both name servers, then HAProxy retries it with the
15118 same query type
Baptiste Assmann62b75b42015-09-09 01:11:36 +020015119
Daniel Corbett9f0843f2021-05-08 10:50:37 -040015120As a DNS server may not answer all the IPs in one DNS request, HAProxy keeps
Olivier Houcharda8c6db82017-07-06 18:46:47 +020015121a cache of previous answers, an answer will be considered obsolete after
Christopher Faulet67957bd2017-09-27 11:00:59 +020015122<hold obsolete> seconds without the IP returned.
Olivier Houcharda8c6db82017-07-06 18:46:47 +020015123
Baptiste Assmann62b75b42015-09-09 01:11:36 +020015124
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015125resolvers <resolvers id>
Davor Ocelice9ed2812017-12-25 17:49:28 +010015126 Creates a new name server list labeled <resolvers id>
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015127
15128A resolvers section accept the following parameters:
15129
Baptiste Assmann2af08fe2017-08-14 00:13:01 +020015130accepted_payload_size <nb>
Davor Ocelice9ed2812017-12-25 17:49:28 +010015131 Defines the maximum payload size accepted by HAProxy and announced to all the
Christopher Faulet67957bd2017-09-27 11:00:59 +020015132 name servers configured in this resolvers section.
Baptiste Assmann2af08fe2017-08-14 00:13:01 +020015133 <nb> is in bytes. If not set, HAProxy announces 512. (minimal value defined
15134 by RFC 6891)
15135
Emeric Brun4c751952021-03-08 16:41:29 +010015136 Note: the maximum allowed value is 65535. Recommended value for UDP is
15137 4096 and it is not recommended to exceed 8192 except if you are sure
15138 that your system and network can handle this (over 65507 makes no sense
15139 since is the maximum UDP payload size). If you are using only TCP
15140 nameservers to handle huge DNS responses, you should put this value
15141 to the max: 65535.
Baptiste Assmann9d8dbbc2017-08-18 23:35:08 +020015142
Emeric Brunc8f3e452021-04-07 16:04:54 +020015143nameserver <name> <address>[:port] [param*]
15144 Used to configure a nameserver. <name> of the nameserver should ne unique.
15145 By default the <address> is considered of type datagram. This means if an
15146 IPv4 or IPv6 is configured without special address prefixes (paragraph 11.)
15147 the UDP protocol will be used. If an stream protocol address prefix is used,
15148 the nameserver will be considered as a stream server (TCP for instance) and
15149 "server" parameters found in 5.2 paragraph which are relevant for DNS
15150 resolving will be considered. Note: currently, in TCP mode, 4 queries are
15151 pipelined on the same connections. A batch of idle connections are removed
15152 every 5 seconds. "maxconn" can be configured to limit the amount of those
Emeric Brun56fc5d92021-02-12 20:05:45 +010015153 concurrent connections and TLS should also usable if the server supports.
15154
Ben Draut44e609b2018-05-29 15:40:08 -060015155parse-resolv-conf
15156 Adds all nameservers found in /etc/resolv.conf to this resolvers nameservers
15157 list. Ordered as if each nameserver in /etc/resolv.conf was individually
15158 placed in the resolvers section in place of this directive.
15159
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015160hold <status> <period>
15161 Defines <period> during which the last name resolution should be kept based
15162 on last resolution <status>
Baptiste Assmann987e16d2016-11-02 22:23:31 +010015163 <status> : last name resolution status. Acceptable values are "nx",
Olivier Houcharda8c6db82017-07-06 18:46:47 +020015164 "other", "refused", "timeout", "valid", "obsolete".
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015165 <period> : interval between two successive name resolution when the last
15166 answer was in <status>. It follows the HAProxy time format.
15167 <period> is in milliseconds by default.
15168
Baptiste Assmann686408b2017-08-18 10:15:42 +020015169 Default value is 10s for "valid", 0s for "obsolete" and 30s for others.
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015170
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015171resolve_retries <nb>
15172 Defines the number <nb> of queries to send to resolve a server name before
15173 giving up.
15174 Default value: 3
15175
Baptiste Assmann62b75b42015-09-09 01:11:36 +020015176 A retry occurs on name server timeout or when the full sequence of DNS query
15177 type failover is over and we need to start up from the default ANY query
15178 type.
15179
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015180timeout <event> <time>
15181 Defines timeouts related to name resolution
15182 <event> : the event on which the <time> timeout period applies to.
15183 events available are:
Frédéric Lécaille93d33162019-03-06 09:35:59 +010015184 - resolve : default time to trigger name resolutions when no
15185 other time applied.
Christopher Faulet67957bd2017-09-27 11:00:59 +020015186 Default value: 1s
15187 - retry : time between two DNS queries, when no valid response
Frédéric Lécaille93d33162019-03-06 09:35:59 +010015188 have been received.
Christopher Faulet67957bd2017-09-27 11:00:59 +020015189 Default value: 1s
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015190 <time> : time related to the event. It follows the HAProxy time format.
15191 <time> is expressed in milliseconds.
15192
Olivier Doucetaa1ea8a2016-08-05 17:15:20 +020015193 Example:
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015194
15195 resolvers mydns
15196 nameserver dns1 10.0.0.1:53
15197 nameserver dns2 10.0.0.2:53
Emeric Brunc8f3e452021-04-07 16:04:54 +020015198 nameserver dns3 tcp@10.0.0.3:53
Ben Draut44e609b2018-05-29 15:40:08 -060015199 parse-resolv-conf
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015200 resolve_retries 3
Christopher Faulet67957bd2017-09-27 11:00:59 +020015201 timeout resolve 1s
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015202 timeout retry 1s
Baptiste Assmann987e16d2016-11-02 22:23:31 +010015203 hold other 30s
15204 hold refused 30s
15205 hold nx 30s
15206 hold timeout 30s
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015207 hold valid 10s
Olivier Houcharda8c6db82017-07-06 18:46:47 +020015208 hold obsolete 30s
Baptiste Assmann1fa66662015-04-14 00:28:47 +020015209
15210
Christopher Faulet87f1f3d2019-07-18 14:51:20 +0200152116. Cache
15212---------
15213
15214HAProxy provides a cache, which was designed to perform cache on small objects
15215(favicon, css...). This is a minimalist low-maintenance cache which runs in
15216RAM.
15217
15218The cache is based on a memory which is shared between processes and threads,
15219this memory is split in blocks of 1k.
15220
15221If an object is not used anymore, it can be deleted to store a new object
15222independently of its expiration date. The oldest objects are deleted first
15223when we try to allocate a new one.
15224
15225The cache uses a hash of the host header and the URI as the key.
15226
15227It's possible to view the status of a cache using the Unix socket command
15228"show cache" consult section 9.3 "Unix Socket commands" of Management Guide
15229for more details.
15230
15231When an object is delivered from the cache, the server name in the log is
15232replaced by "<CACHE>".
15233
15234
152356.1. Limitation
15236----------------
15237
15238The cache won't store and won't deliver objects in these cases:
15239
15240- If the response is not a 200
Remi Tricot-Le Breton4f730832020-11-26 15:51:50 +010015241- If the response contains a Vary header and either the process-vary option is
15242 disabled, or a currently unmanaged header is specified in the Vary value (only
15243 accept-encoding and referer are managed for now)
Christopher Faulet87f1f3d2019-07-18 14:51:20 +020015244- If the Content-Length + the headers size is greater than "max-object-size"
15245- If the response is not cacheable
Remi Tricot-Le Bretond493bc82020-11-26 15:51:29 +010015246- If the response does not have an explicit expiration time (s-maxage or max-age
15247 Cache-Control directives or Expires header) or a validator (ETag or Last-Modified
15248 headers)
Remi Tricot-Le Breton5853c0c2020-12-10 17:58:43 +010015249- If the process-vary option is enabled and there are already max-secondary-entries
15250 entries with the same primary key as the current response
Remi Tricot-Le Breton6ca89162021-01-07 14:50:51 +010015251- If the process-vary option is enabled and the response has an unknown encoding (not
15252 mentioned in https://www.iana.org/assignments/http-parameters/http-parameters.xhtml)
15253 while varying on the accept-encoding client header
Christopher Faulet87f1f3d2019-07-18 14:51:20 +020015254
15255- If the request is not a GET
15256- If the HTTP version of the request is smaller than 1.1
15257- If the request contains an Authorization header
15258
15259
152606.2. Setup
15261-----------
15262
15263To setup a cache, you must define a cache section and use it in a proxy with
15264the corresponding http-request and response actions.
15265
15266
152676.2.1. Cache section
15268---------------------
15269
15270cache <name>
15271 Declare a cache section, allocate a shared cache memory named <name>, the
15272 size of cache is mandatory.
15273
15274total-max-size <megabytes>
15275 Define the size in RAM of the cache in megabytes. This size is split in
15276 blocks of 1kB which are used by the cache entries. Its maximum value is 4095.
15277
15278max-object-size <bytes>
15279 Define the maximum size of the objects to be cached. Must not be greater than
15280 an half of "total-max-size". If not set, it equals to a 256th of the cache size.
15281 All objects with sizes larger than "max-object-size" will not be cached.
15282
15283max-age <seconds>
Remi Tricot-Le Breton5853c0c2020-12-10 17:58:43 +010015284 Define the maximum expiration duration. The expiration is set as the lowest
Christopher Faulet87f1f3d2019-07-18 14:51:20 +020015285 value between the s-maxage or max-age (in this order) directive in the
15286 Cache-Control response header and this value. The default value is 60
15287 seconds, which means that you can't cache an object more than 60 seconds by
15288 default.
15289
Remi Tricot-Le Bretone6cc5b52020-12-23 18:13:53 +010015290process-vary <on/off>
15291 Enable or disable the processing of the Vary header. When disabled, a response
Remi Tricot-Le Breton754b2422020-11-16 15:56:10 +010015292 containing such a header will never be cached. When enabled, we need to calculate
15293 a preliminary hash for a subset of request headers on all the incoming requests
15294 (which might come with a cpu cost) which will be used to build a secondary key
Remi Tricot-Le Bretone6cc5b52020-12-23 18:13:53 +010015295 for a given request (see RFC 7234#4.1). The default value is off (disabled).
Remi Tricot-Le Breton754b2422020-11-16 15:56:10 +010015296
Remi Tricot-Le Breton5853c0c2020-12-10 17:58:43 +010015297max-secondary-entries <number>
15298 Define the maximum number of simultaneous secondary entries with the same primary
15299 key in the cache. This needs the vary support to be enabled. Its default value is 10
15300 and should be passed a strictly positive integer.
15301
Christopher Faulet87f1f3d2019-07-18 14:51:20 +020015302
153036.2.2. Proxy section
15304---------------------
15305
15306http-request cache-use <name> [ { if | unless } <condition> ]
15307 Try to deliver a cached object from the cache <name>. This directive is also
15308 mandatory to store the cache as it calculates the cache hash. If you want to
15309 use a condition for both storage and delivering that's a good idea to put it
15310 after this one.
15311
15312http-response cache-store <name> [ { if | unless } <condition> ]
15313 Store an http-response within the cache. The storage of the response headers
15314 is done at this step, which means you can use others http-response actions
15315 to modify headers before or after the storage of the response. This action
15316 is responsible for the setup of the cache storage filter.
15317
15318
15319Example:
15320
15321 backend bck1
15322 mode http
15323
15324 http-request cache-use foobar
15325 http-response cache-store foobar
15326 server srv1 127.0.0.1:80
15327
15328 cache foobar
15329 total-max-size 4
15330 max-age 240
15331
15332
Willy Tarreau74ca5042013-06-11 23:12:07 +0200153337. Using ACLs and fetching samples
15334----------------------------------
15335
Davor Ocelice9ed2812017-12-25 17:49:28 +010015336HAProxy is capable of extracting data from request or response streams, from
Willy Tarreau74ca5042013-06-11 23:12:07 +020015337client or server information, from tables, environmental information etc...
15338The action of extracting such data is called fetching a sample. Once retrieved,
15339these samples may be used for various purposes such as a key to a stick-table,
15340but most common usages consist in matching them against predefined constant
15341data called patterns.
15342
15343
153447.1. ACL basics
15345---------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +020015346
15347The use of Access Control Lists (ACL) provides a flexible solution to perform
15348content switching and generally to take decisions based on content extracted
15349from the request, the response or any environmental status. The principle is
15350simple :
15351
Willy Tarreau74ca5042013-06-11 23:12:07 +020015352 - extract a data sample from a stream, table or the environment
Willy Tarreaue6b11e42013-11-26 19:02:32 +010015353 - optionally apply some format conversion to the extracted sample
Willy Tarreau74ca5042013-06-11 23:12:07 +020015354 - apply one or multiple pattern matching methods on this sample
15355 - perform actions only when a pattern matches the sample
Willy Tarreauc57f0e22009-05-10 13:12:33 +020015356
Willy Tarreau74ca5042013-06-11 23:12:07 +020015357The actions generally consist in blocking a request, selecting a backend, or
15358adding a header.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020015359
15360In order to define a test, the "acl" keyword is used. The syntax is :
15361
Willy Tarreau74ca5042013-06-11 23:12:07 +020015362 acl <aclname> <criterion> [flags] [operator] [<value>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +020015363
15364This creates a new ACL <aclname> or completes an existing one with new tests.
15365Those tests apply to the portion of request/response specified in <criterion>
15366and may be adjusted with optional flags [flags]. Some criteria also support
Willy Tarreaue6b11e42013-11-26 19:02:32 +010015367an operator which may be specified before the set of values. Optionally some
15368conversion operators may be applied to the sample, and they will be specified
15369as a comma-delimited list of keywords just after the first keyword. The values
15370are of the type supported by the criterion, and are separated by spaces.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020015371
15372ACL names must be formed from upper and lower case letters, digits, '-' (dash),
15373'_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive,
15374which means that "my_acl" and "My_Acl" are two different ACLs.
15375
15376There is no enforced limit to the number of ACLs. The unused ones do not affect
15377performance, they just consume a small amount of memory.
15378
Willy Tarreau74ca5042013-06-11 23:12:07 +020015379The criterion generally is the name of a sample fetch method, or one of its ACL
15380specific declinations. The default test method is implied by the output type of
15381this sample fetch method. The ACL declinations can describe alternate matching
Willy Tarreaue6b11e42013-11-26 19:02:32 +010015382methods of a same sample fetch method. The sample fetch methods are the only
15383ones supporting a conversion.
Willy Tarreau74ca5042013-06-11 23:12:07 +020015384
15385Sample fetch methods return data which can be of the following types :
15386 - boolean
15387 - integer (signed or unsigned)
15388 - IPv4 or IPv6 address
15389 - string
15390 - data block
15391
Willy Tarreaue6b11e42013-11-26 19:02:32 +010015392Converters transform any of these data into any of these. For example, some
15393converters might convert a string to a lower-case string while other ones
15394would turn a string to an IPv4 address, or apply a netmask to an IP address.
15395The resulting sample is of the type of the last converter applied to the list,
15396which defaults to the type of the sample fetch method.
15397
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020015398Each sample or converter returns data of a specific type, specified with its
15399keyword in this documentation. When an ACL is declared using a standard sample
15400fetch method, certain types automatically involved a default matching method
15401which are summarized in the table below :
15402
15403 +---------------------+-----------------+
15404 | Sample or converter | Default |
15405 | output type | matching method |
15406 +---------------------+-----------------+
15407 | boolean | bool |
15408 +---------------------+-----------------+
15409 | integer | int |
15410 +---------------------+-----------------+
15411 | ip | ip |
15412 +---------------------+-----------------+
15413 | string | str |
15414 +---------------------+-----------------+
15415 | binary | none, use "-m" |
15416 +---------------------+-----------------+
15417
15418Note that in order to match a binary samples, it is mandatory to specify a
15419matching method, see below.
15420
Willy Tarreau74ca5042013-06-11 23:12:07 +020015421The ACL engine can match these types against patterns of the following types :
15422 - boolean
15423 - integer or integer range
15424 - IP address / network
15425 - string (exact, substring, suffix, prefix, subdir, domain)
15426 - regular expression
15427 - hex block
15428
Willy Tarreauc57f0e22009-05-10 13:12:33 +020015429The following ACL flags are currently supported :
15430
Willy Tarreau2b5285d2010-05-09 23:45:24 +020015431 -i : ignore case during matching of all subsequent patterns.
15432 -f : load patterns from a file.
Willy Tarreau74ca5042013-06-11 23:12:07 +020015433 -m : use a specific pattern matching method
Thierry FOURNIERb7729c92014-02-11 16:24:41 +010015434 -n : forbid the DNS resolutions
Thierry FOURNIER9860c412014-01-29 14:23:29 +010015435 -M : load the file pointed by -f like a map file.
Thierry FOURNIER3534d882014-01-20 17:01:44 +010015436 -u : force the unique id of the ACL
Willy Tarreau6a06a402007-07-15 20:15:28 +020015437 -- : force end of flags. Useful when a string looks like one of the flags.
15438
Willy Tarreau74ca5042013-06-11 23:12:07 +020015439The "-f" flag is followed by the name of a file from which all lines will be
15440read as individual values. It is even possible to pass multiple "-f" arguments
15441if the patterns are to be loaded from multiple files. Empty lines as well as
15442lines beginning with a sharp ('#') will be ignored. All leading spaces and tabs
15443will be stripped. If it is absolutely necessary to insert a valid pattern
15444beginning with a sharp, just prefix it with a space so that it is not taken for
Daniel Corbett9f0843f2021-05-08 10:50:37 -040015445a comment. Depending on the data type and match method, HAProxy may load the
Willy Tarreau74ca5042013-06-11 23:12:07 +020015446lines into a binary tree, allowing very fast lookups. This is true for IPv4 and
15447exact string matching. In this case, duplicates will automatically be removed.
15448
Thierry FOURNIER9860c412014-01-29 14:23:29 +010015449The "-M" flag allows an ACL to use a map file. If this flag is set, the file is
15450parsed as two column file. The first column contains the patterns used by the
15451ACL, and the second column contain the samples. The sample can be used later by
15452a map. This can be useful in some rare cases where an ACL would just be used to
15453check for the existence of a pattern in a map before a mapping is applied.
15454
Thierry FOURNIER3534d882014-01-20 17:01:44 +010015455The "-u" flag forces the unique id of the ACL. This unique id is used with the
15456socket interface to identify ACL and dynamically change its values. Note that a
15457file is always identified by its name even if an id is set.
15458
Willy Tarreau74ca5042013-06-11 23:12:07 +020015459Also, note that the "-i" flag applies to subsequent entries and not to entries
15460loaded from files preceding it. For instance :
15461
15462 acl valid-ua hdr(user-agent) -f exact-ua.lst -i -f generic-ua.lst test
15463
15464In this example, each line of "exact-ua.lst" will be exactly matched against
15465the "user-agent" header of the request. Then each line of "generic-ua" will be
15466case-insensitively matched. Then the word "test" will be insensitively matched
15467as well.
15468
15469The "-m" flag is used to select a specific pattern matching method on the input
15470sample. All ACL-specific criteria imply a pattern matching method and generally
15471do not need this flag. However, this flag is useful with generic sample fetch
15472methods to describe how they're going to be matched against the patterns. This
15473is required for sample fetches which return data type for which there is no
Davor Ocelice9ed2812017-12-25 17:49:28 +010015474obvious matching method (e.g. string or binary). When "-m" is specified and
Willy Tarreau74ca5042013-06-11 23:12:07 +020015475followed by a pattern matching method name, this method is used instead of the
15476default one for the criterion. This makes it possible to match contents in ways
15477that were not initially planned, or with sample fetch methods which return a
15478string. The matching method also affects the way the patterns are parsed.
15479
Thierry FOURNIERb7729c92014-02-11 16:24:41 +010015480The "-n" flag forbids the dns resolutions. It is used with the load of ip files.
15481By default, if the parser cannot parse ip address it considers that the parsed
15482string is maybe a domain name and try dns resolution. The flag "-n" disable this
15483resolution. It is useful for detecting malformed ip lists. Note that if the DNS
Daniel Corbett9f0843f2021-05-08 10:50:37 -040015484server is not reachable, the HAProxy configuration parsing may last many minutes
John Roeslerfb2fce12019-07-10 15:45:51 -050015485waiting for the timeout. During this time no error messages are displayed. The
Thierry FOURNIERb7729c92014-02-11 16:24:41 +010015486flag "-n" disable this behavior. Note also that during the runtime, this
15487function is disabled for the dynamic acl modifications.
15488
Willy Tarreau74ca5042013-06-11 23:12:07 +020015489There are some restrictions however. Not all methods can be used with all
15490sample fetch methods. Also, if "-m" is used in conjunction with "-f", it must
15491be placed first. The pattern matching method must be one of the following :
Willy Tarreau5adeda12013-03-31 22:13:34 +020015492
15493 - "found" : only check if the requested sample could be found in the stream,
15494 but do not compare it against any pattern. It is recommended not
Willy Tarreau74ca5042013-06-11 23:12:07 +020015495 to pass any pattern to avoid confusion. This matching method is
15496 particularly useful to detect presence of certain contents such
15497 as headers, cookies, etc... even if they are empty and without
15498 comparing them to anything nor counting them.
Willy Tarreau5adeda12013-03-31 22:13:34 +020015499
15500 - "bool" : check the value as a boolean. It can only be applied to fetches
15501 which return a boolean or integer value, and takes no pattern.
Willy Tarreau74ca5042013-06-11 23:12:07 +020015502 Value zero or false does not match, all other values do match.
Willy Tarreau5adeda12013-03-31 22:13:34 +020015503
15504 - "int" : match the value as an integer. It can be used with integer and
Willy Tarreau74ca5042013-06-11 23:12:07 +020015505 boolean samples. Boolean false is integer 0, true is integer 1.
Willy Tarreau5adeda12013-03-31 22:13:34 +020015506
15507 - "ip" : match the value as an IPv4 or IPv6 address. It is compatible
Willy Tarreau74ca5042013-06-11 23:12:07 +020015508 with IP address samples only, so it is implied and never needed.
Willy Tarreau5adeda12013-03-31 22:13:34 +020015509
Davor Ocelice9ed2812017-12-25 17:49:28 +010015510 - "bin" : match the contents against a hexadecimal string representing a
Willy Tarreau5adeda12013-03-31 22:13:34 +020015511 binary sequence. This may be used with binary or string samples.
15512
15513 - "len" : match the sample's length as an integer. This may be used with
15514 binary or string samples.
15515
Willy Tarreau74ca5042013-06-11 23:12:07 +020015516 - "str" : exact match : match the contents against a string. This may be
15517 used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020015518
Willy Tarreau74ca5042013-06-11 23:12:07 +020015519 - "sub" : substring match : check that the contents contain at least one of
15520 the provided string patterns. This may be used with binary or
15521 string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020015522
Willy Tarreau74ca5042013-06-11 23:12:07 +020015523 - "reg" : regex match : match the contents against a list of regular
15524 expressions. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020015525
Willy Tarreau74ca5042013-06-11 23:12:07 +020015526 - "beg" : prefix match : check that the contents begin like the provided
15527 string patterns. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020015528
Willy Tarreau74ca5042013-06-11 23:12:07 +020015529 - "end" : suffix match : check that the contents end like the provided
15530 string patterns. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020015531
Willy Tarreau74ca5042013-06-11 23:12:07 +020015532 - "dir" : subdir match : check that a slash-delimited portion of the
15533 contents exactly matches one of the provided string patterns.
Willy Tarreau5adeda12013-03-31 22:13:34 +020015534 This may be used with binary or string samples.
15535
Willy Tarreau74ca5042013-06-11 23:12:07 +020015536 - "dom" : domain match : check that a dot-delimited portion of the contents
15537 exactly match one of the provided string patterns. This may be
15538 used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +020015539
15540For example, to quickly detect the presence of cookie "JSESSIONID" in an HTTP
15541request, it is possible to do :
15542
15543 acl jsess_present cook(JSESSIONID) -m found
15544
15545In order to apply a regular expression on the 500 first bytes of data in the
15546buffer, one would use the following acl :
15547
15548 acl script_tag payload(0,500) -m reg -i <script>
15549
Willy Tarreaue6b11e42013-11-26 19:02:32 +010015550On systems where the regex library is much slower when using "-i", it is
15551possible to convert the sample to lowercase before matching, like this :
15552
15553 acl script_tag payload(0,500),lower -m reg <script>
15554
Willy Tarreau74ca5042013-06-11 23:12:07 +020015555All ACL-specific criteria imply a default matching method. Most often, these
15556criteria are composed by concatenating the name of the original sample fetch
15557method and the matching method. For example, "hdr_beg" applies the "beg" match
15558to samples retrieved using the "hdr" fetch method. Since all ACL-specific
15559criteria rely on a sample fetch method, it is always possible instead to use
15560the original sample fetch method and the explicit matching method using "-m".
Willy Tarreau2b5285d2010-05-09 23:45:24 +020015561
Willy Tarreau74ca5042013-06-11 23:12:07 +020015562If an alternate match is specified using "-m" on an ACL-specific criterion,
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030015563the matching method is simply applied to the underlying sample fetch method.
15564For example, all ACLs below are exact equivalent :
Willy Tarreau2b5285d2010-05-09 23:45:24 +020015565
Willy Tarreau74ca5042013-06-11 23:12:07 +020015566 acl short_form hdr_beg(host) www.
15567 acl alternate1 hdr_beg(host) -m beg www.
15568 acl alternate2 hdr_dom(host) -m beg www.
15569 acl alternate3 hdr(host) -m beg www.
Willy Tarreau2b5285d2010-05-09 23:45:24 +020015570
Willy Tarreau2b5285d2010-05-09 23:45:24 +020015571
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020015572The table below summarizes the compatibility matrix between sample or converter
15573types and the pattern types to fetch against. It indicates for each compatible
15574combination the name of the matching method to be used, surrounded with angle
15575brackets ">" and "<" when the method is the default one and will work by
15576default without "-m".
Willy Tarreau0ba27502007-12-24 16:55:16 +010015577
Willy Tarreau74ca5042013-06-11 23:12:07 +020015578 +-------------------------------------------------+
15579 | Input sample type |
15580 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020015581 | pattern type | boolean | integer | ip | string | binary |
Willy Tarreau74ca5042013-06-11 23:12:07 +020015582 +----------------------+---------+---------+---------+---------+---------+
15583 | none (presence only) | found | found | found | found | found |
15584 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020015585 | none (boolean value) |> bool <| bool | | bool | |
Willy Tarreau74ca5042013-06-11 23:12:07 +020015586 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020015587 | integer (value) | int |> int <| int | int | |
Willy Tarreau74ca5042013-06-11 23:12:07 +020015588 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010015589 | integer (length) | len | len | len | len | len |
Willy Tarreau74ca5042013-06-11 23:12:07 +020015590 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020015591 | IP address | | |> ip <| ip | ip |
Willy Tarreau74ca5042013-06-11 23:12:07 +020015592 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +020015593 | exact string | str | str | str |> str <| str |
Willy Tarreau74ca5042013-06-11 23:12:07 +020015594 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010015595 | prefix | beg | beg | beg | beg | beg |
Willy Tarreau74ca5042013-06-11 23:12:07 +020015596 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010015597 | suffix | end | end | end | end | end |
Willy Tarreau74ca5042013-06-11 23:12:07 +020015598 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010015599 | substring | sub | sub | sub | sub | sub |
Willy Tarreau74ca5042013-06-11 23:12:07 +020015600 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010015601 | subdir | dir | dir | dir | dir | dir |
Willy Tarreau74ca5042013-06-11 23:12:07 +020015602 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010015603 | domain | dom | dom | dom | dom | dom |
Willy Tarreau74ca5042013-06-11 23:12:07 +020015604 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +010015605 | regex | reg | reg | reg | reg | reg |
Willy Tarreau74ca5042013-06-11 23:12:07 +020015606 +----------------------+---------+---------+---------+---------+---------+
15607 | hex block | | | | bin | bin |
15608 +----------------------+---------+---------+---------+---------+---------+
Willy Tarreau6a06a402007-07-15 20:15:28 +020015609
15610
Willy Tarreau74ca5042013-06-11 23:12:07 +0200156117.1.1. Matching booleans
15612------------------------
15613
15614In order to match a boolean, no value is needed and all values are ignored.
15615Boolean matching is used by default for all fetch methods of type "boolean".
15616When boolean matching is used, the fetched value is returned as-is, which means
15617that a boolean "true" will always match and a boolean "false" will never match.
15618
15619Boolean matching may also be enforced using "-m bool" on fetch methods which
15620return an integer value. Then, integer value 0 is converted to the boolean
15621"false" and all other values are converted to "true".
15622
Willy Tarreau6a06a402007-07-15 20:15:28 +020015623
Willy Tarreau74ca5042013-06-11 23:12:07 +0200156247.1.2. Matching integers
15625------------------------
15626
15627Integer matching applies by default to integer fetch methods. It can also be
15628enforced on boolean fetches using "-m int". In this case, "false" is converted
15629to the integer 0, and "true" is converted to the integer 1.
15630
15631Integer matching also supports integer ranges and operators. Note that integer
15632matching only applies to positive values. A range is a value expressed with a
15633lower and an upper bound separated with a colon, both of which may be omitted.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015634
15635For instance, "1024:65535" is a valid range to represent a range of
15636unprivileged ports, and "1024:" would also work. "0:1023" is a valid
15637representation of privileged ports, and ":1023" would also work.
15638
Willy Tarreau62644772008-07-16 18:36:06 +020015639As a special case, some ACL functions support decimal numbers which are in fact
15640two integers separated by a dot. This is used with some version checks for
15641instance. All integer properties apply to those decimal numbers, including
15642ranges and operators.
15643
Willy Tarreau6a06a402007-07-15 20:15:28 +020015644For an easier usage, comparison operators are also supported. Note that using
Willy Tarreau0ba27502007-12-24 16:55:16 +010015645operators with ranges does not make much sense and is strongly discouraged.
15646Similarly, it does not make much sense to perform order comparisons with a set
15647of values.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015648
Willy Tarreau0ba27502007-12-24 16:55:16 +010015649Available operators for integer matching are :
Willy Tarreau6a06a402007-07-15 20:15:28 +020015650
15651 eq : true if the tested value equals at least one value
15652 ge : true if the tested value is greater than or equal to at least one value
15653 gt : true if the tested value is greater than at least one value
15654 le : true if the tested value is less than or equal to at least one value
15655 lt : true if the tested value is less than at least one value
15656
Willy Tarreau0ba27502007-12-24 16:55:16 +010015657For instance, the following ACL matches any negative Content-Length header :
Willy Tarreau6a06a402007-07-15 20:15:28 +020015658
15659 acl negative-length hdr_val(content-length) lt 0
15660
Willy Tarreau62644772008-07-16 18:36:06 +020015661This one matches SSL versions between 3.0 and 3.1 (inclusive) :
15662
15663 acl sslv3 req_ssl_ver 3:3.1
15664
Willy Tarreau6a06a402007-07-15 20:15:28 +020015665
Willy Tarreau74ca5042013-06-11 23:12:07 +0200156667.1.3. Matching strings
15667-----------------------
15668
15669String matching applies to string or binary fetch methods, and exists in 6
15670different forms :
15671
15672 - exact match (-m str) : the extracted string must exactly match the
Davor Ocelice9ed2812017-12-25 17:49:28 +010015673 patterns;
Willy Tarreau74ca5042013-06-11 23:12:07 +020015674
15675 - substring match (-m sub) : the patterns are looked up inside the
Davor Ocelice9ed2812017-12-25 17:49:28 +010015676 extracted string, and the ACL matches if any of them is found inside;
Willy Tarreau74ca5042013-06-11 23:12:07 +020015677
15678 - prefix match (-m beg) : the patterns are compared with the beginning of
15679 the extracted string, and the ACL matches if any of them matches.
15680
15681 - suffix match (-m end) : the patterns are compared with the end of the
15682 extracted string, and the ACL matches if any of them matches.
15683
Baptiste Assmann33db6002016-03-06 23:32:10 +010015684 - subdir match (-m dir) : the patterns are looked up inside the extracted
Willy Tarreau74ca5042013-06-11 23:12:07 +020015685 string, delimited with slashes ("/"), and the ACL matches if any of them
15686 matches.
15687
15688 - domain match (-m dom) : the patterns are looked up inside the extracted
15689 string, delimited with dots ("."), and the ACL matches if any of them
15690 matches.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015691
15692String matching applies to verbatim strings as they are passed, with the
15693exception of the backslash ("\") which makes it possible to escape some
15694characters such as the space. If the "-i" flag is passed before the first
15695string, then the matching will be performed ignoring the case. In order
15696to match the string "-i", either set it second, or pass the "--" flag
Willy Tarreau0ba27502007-12-24 16:55:16 +010015697before the first string. Same applies of course to match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +020015698
Mathias Weiersmuellercb250fc2019-12-02 09:43:40 +010015699Do not use string matches for binary fetches which might contain null bytes
15700(0x00), as the comparison stops at the occurrence of the first null byte.
15701Instead, convert the binary fetch to a hex string with the hex converter first.
15702
15703Example:
15704 # matches if the string <tag> is present in the binary sample
15705 acl tag_found req.payload(0,0),hex -m sub 3C7461673E
15706
Willy Tarreau6a06a402007-07-15 20:15:28 +020015707
Willy Tarreau74ca5042013-06-11 23:12:07 +0200157087.1.4. Matching regular expressions (regexes)
15709---------------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +020015710
15711Just like with string matching, regex matching applies to verbatim strings as
15712they are passed, with the exception of the backslash ("\") which makes it
15713possible to escape some characters such as the space. If the "-i" flag is
15714passed before the first regex, then the matching will be performed ignoring
15715the case. In order to match the string "-i", either set it second, or pass
Willy Tarreau0ba27502007-12-24 16:55:16 +010015716the "--" flag before the first string. Same principle applies of course to
15717match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +020015718
15719
Willy Tarreau74ca5042013-06-11 23:12:07 +0200157207.1.5. Matching arbitrary data blocks
15721-------------------------------------
15722
15723It is possible to match some extracted samples against a binary block which may
15724not safely be represented as a string. For this, the patterns must be passed as
15725a series of hexadecimal digits in an even number, when the match method is set
15726to binary. Each sequence of two digits will represent a byte. The hexadecimal
15727digits may be used upper or lower case.
15728
15729Example :
15730 # match "Hello\n" in the input stream (\x48 \x65 \x6c \x6c \x6f \x0a)
15731 acl hello payload(0,6) -m bin 48656c6c6f0a
15732
15733
157347.1.6. Matching IPv4 and IPv6 addresses
15735---------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +020015736
15737IPv4 addresses values can be specified either as plain addresses or with a
15738netmask appended, in which case the IPv4 address matches whenever it is
15739within the network. Plain addresses may also be replaced with a resolvable
Willy Tarreaud2a4aa22008-01-31 15:28:22 +010015740host name, but this practice is generally discouraged as it makes it more
Willy Tarreau0ba27502007-12-24 16:55:16 +010015741difficult to read and debug configurations. If hostnames are used, you should
15742at least ensure that they are present in /etc/hosts so that the configuration
15743does not depend on any random DNS match at the moment the configuration is
15744parsed.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015745
Daniel Schnellereba56342016-04-13 00:26:52 +020015746The dotted IPv4 address notation is supported in both regular as well as the
15747abbreviated form with all-0-octets omitted:
15748
15749 +------------------+------------------+------------------+
15750 | Example 1 | Example 2 | Example 3 |
15751 +------------------+------------------+------------------+
15752 | 192.168.0.1 | 10.0.0.12 | 127.0.0.1 |
15753 | 192.168.1 | 10.12 | 127.1 |
15754 | 192.168.0.1/22 | 10.0.0.12/8 | 127.0.0.1/8 |
15755 | 192.168.1/22 | 10.12/8 | 127.1/8 |
15756 +------------------+------------------+------------------+
15757
15758Notice that this is different from RFC 4632 CIDR address notation in which
15759192.168.42/24 would be equivalent to 192.168.42.0/24.
15760
Willy Tarreauceb4ac92012-04-28 00:41:46 +020015761IPv6 may be entered in their usual form, with or without a netmask appended.
15762Only bit counts are accepted for IPv6 netmasks. In order to avoid any risk of
15763trouble with randomly resolved IP addresses, host names are never allowed in
15764IPv6 patterns.
15765
15766HAProxy is also able to match IPv4 addresses with IPv6 addresses in the
15767following situations :
15768 - tested address is IPv4, pattern address is IPv4, the match applies
15769 in IPv4 using the supplied mask if any.
15770 - tested address is IPv6, pattern address is IPv6, the match applies
15771 in IPv6 using the supplied mask if any.
15772 - tested address is IPv6, pattern address is IPv4, the match applies in IPv4
15773 using the pattern's mask if the IPv6 address matches with 2002:IPV4::,
15774 ::IPV4 or ::ffff:IPV4, otherwise it fails.
15775 - tested address is IPv4, pattern address is IPv6, the IPv4 address is first
15776 converted to IPv6 by prefixing ::ffff: in front of it, then the match is
15777 applied in IPv6 using the supplied IPv6 mask.
15778
Willy Tarreau74ca5042013-06-11 23:12:07 +020015779
157807.2. Using ACLs to form conditions
15781----------------------------------
15782
15783Some actions are only performed upon a valid condition. A condition is a
15784combination of ACLs with operators. 3 operators are supported :
15785
15786 - AND (implicit)
15787 - OR (explicit with the "or" keyword or the "||" operator)
15788 - Negation with the exclamation mark ("!")
Willy Tarreau6a06a402007-07-15 20:15:28 +020015789
Willy Tarreau74ca5042013-06-11 23:12:07 +020015790A condition is formed as a disjunctive form:
Willy Tarreau6a06a402007-07-15 20:15:28 +020015791
Willy Tarreau74ca5042013-06-11 23:12:07 +020015792 [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Willy Tarreaubef91e72013-03-31 23:14:46 +020015793
Willy Tarreau74ca5042013-06-11 23:12:07 +020015794Such conditions are generally used after an "if" or "unless" statement,
15795indicating when the condition will trigger the action.
Willy Tarreaubef91e72013-03-31 23:14:46 +020015796
Willy Tarreau74ca5042013-06-11 23:12:07 +020015797For instance, to block HTTP requests to the "*" URL with methods other than
15798"OPTIONS", as well as POST requests without content-length, and GET or HEAD
15799requests with a content-length greater than 0, and finally every request which
15800is not either GET/HEAD/POST/OPTIONS !
15801
15802 acl missing_cl hdr_cnt(Content-length) eq 0
Jarno Huuskonen84c51ec2017-04-03 14:20:34 +030015803 http-request deny if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
15804 http-request deny if METH_GET HTTP_CONTENT
15805 http-request deny unless METH_GET or METH_POST or METH_OPTIONS
Willy Tarreau74ca5042013-06-11 23:12:07 +020015806
15807To select a different backend for requests to static contents on the "www" site
15808and to every request on the "img", "video", "download" and "ftp" hosts :
15809
15810 acl url_static path_beg /static /images /img /css
15811 acl url_static path_end .gif .png .jpg .css .js
15812 acl host_www hdr_beg(host) -i www
15813 acl host_static hdr_beg(host) -i img. video. download. ftp.
15814
Davor Ocelice9ed2812017-12-25 17:49:28 +010015815 # now use backend "static" for all static-only hosts, and for static URLs
Willy Tarreau74ca5042013-06-11 23:12:07 +020015816 # of host "www". Use backend "www" for the rest.
15817 use_backend static if host_static or host_www url_static
15818 use_backend www if host_www
15819
15820It is also possible to form rules using "anonymous ACLs". Those are unnamed ACL
15821expressions that are built on the fly without needing to be declared. They must
15822be enclosed between braces, with a space before and after each brace (because
15823the braces must be seen as independent words). Example :
15824
15825 The following rule :
15826
15827 acl missing_cl hdr_cnt(Content-length) eq 0
Jarno Huuskonen84c51ec2017-04-03 14:20:34 +030015828 http-request deny if METH_POST missing_cl
Willy Tarreau74ca5042013-06-11 23:12:07 +020015829
15830 Can also be written that way :
15831
Jarno Huuskonen84c51ec2017-04-03 14:20:34 +030015832 http-request deny if METH_POST { hdr_cnt(Content-length) eq 0 }
Willy Tarreau74ca5042013-06-11 23:12:07 +020015833
15834It is generally not recommended to use this construct because it's a lot easier
15835to leave errors in the configuration when written that way. However, for very
15836simple rules matching only one source IP address for instance, it can make more
15837sense to use them than to declare ACLs with random names. Another example of
15838good use is the following :
15839
15840 With named ACLs :
15841
15842 acl site_dead nbsrv(dynamic) lt 2
15843 acl site_dead nbsrv(static) lt 2
15844 monitor fail if site_dead
15845
15846 With anonymous ACLs :
15847
15848 monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
15849
Jarno Huuskonen84c51ec2017-04-03 14:20:34 +030015850See section 4.2 for detailed help on the "http-request deny" and "use_backend"
15851keywords.
Willy Tarreau74ca5042013-06-11 23:12:07 +020015852
15853
158547.3. Fetching samples
15855---------------------
15856
15857Historically, sample fetch methods were only used to retrieve data to match
15858against patterns using ACLs. With the arrival of stick-tables, a new class of
15859sample fetch methods was created, most often sharing the same syntax as their
15860ACL counterpart. These sample fetch methods are also known as "fetches". As
15861of now, ACLs and fetches have converged. All ACL fetch methods have been made
15862available as fetch methods, and ACLs may use any sample fetch method as well.
15863
15864This section details all available sample fetch methods and their output type.
15865Some sample fetch methods have deprecated aliases that are used to maintain
15866compatibility with existing configurations. They are then explicitly marked as
15867deprecated and should not be used in new setups.
15868
15869The ACL derivatives are also indicated when available, with their respective
15870matching methods. These ones all have a well defined default pattern matching
15871method, so it is never necessary (though allowed) to pass the "-m" option to
15872indicate how the sample will be matched using ACLs.
15873
15874As indicated in the sample type versus matching compatibility matrix above,
15875when using a generic sample fetch method in an ACL, the "-m" option is
15876mandatory unless the sample type is one of boolean, integer, IPv4 or IPv6. When
15877the same keyword exists as an ACL keyword and as a standard fetch method, the
15878ACL engine will automatically pick the ACL-only one by default.
15879
15880Some of these keywords support one or multiple mandatory arguments, and one or
15881multiple optional arguments. These arguments are strongly typed and are checked
15882when the configuration is parsed so that there is no risk of running with an
Davor Ocelice9ed2812017-12-25 17:49:28 +010015883incorrect argument (e.g. an unresolved backend name). Fetch function arguments
15884are passed between parenthesis and are delimited by commas. When an argument
Willy Tarreau74ca5042013-06-11 23:12:07 +020015885is optional, it will be indicated below between square brackets ('[ ]'). When
15886all arguments are optional, the parenthesis may be omitted.
15887
15888Thus, the syntax of a standard sample fetch method is one of the following :
15889 - name
15890 - name(arg1)
15891 - name(arg1,arg2)
15892
Thierry FOURNIER060762e2014-04-23 13:29:15 +020015893
158947.3.1. Converters
15895-----------------
15896
Willy Tarreaue6b11e42013-11-26 19:02:32 +010015897Sample fetch methods may be combined with transformations to be applied on top
15898of the fetched sample (also called "converters"). These combinations form what
15899is called "sample expressions" and the result is a "sample". Initially this
15900was only supported by "stick on" and "stick store-request" directives but this
Davor Ocelice9ed2812017-12-25 17:49:28 +010015901has now be extended to all places where samples may be used (ACLs, log-format,
Willy Tarreaue6b11e42013-11-26 19:02:32 +010015902unique-id-format, add-header, ...).
15903
15904These transformations are enumerated as a series of specific keywords after the
15905sample fetch method. These keywords may equally be appended immediately after
15906the fetch keyword's argument, delimited by a comma. These keywords can also
Davor Ocelice9ed2812017-12-25 17:49:28 +010015907support some arguments (e.g. a netmask) which must be passed in parenthesis.
Willy Tarreau0ba27502007-12-24 16:55:16 +010015908
Willy Tarreau97707872015-01-27 15:12:13 +010015909A certain category of converters are bitwise and arithmetic operators which
15910support performing basic operations on integers. Some bitwise operations are
15911supported (and, or, xor, cpl) and some arithmetic operations are supported
15912(add, sub, mul, div, mod, neg). Some comparators are provided (odd, even, not,
15913bool) which make it possible to report a match without having to write an ACL.
15914
Willy Tarreau74ca5042013-06-11 23:12:07 +020015915The currently available list of transformation keywords include :
Willy Tarreau0ba27502007-12-24 16:55:16 +010015916
Ben Shillitof25e8e52016-12-02 14:25:37 +00001591751d.single(<prop>[,<prop>*])
15918 Returns values for the properties requested as a string, where values are
15919 separated by the delimiter specified with "51degrees-property-separator".
15920 The device is identified using the User-Agent header passed to the
15921 converter. The function can be passed up to five property names, and if a
15922 property name can't be found, the value "NoData" is returned.
15923
15924 Example :
Davor Ocelice9ed2812017-12-25 17:49:28 +010015925 # Here the header "X-51D-DeviceTypeMobileTablet" is added to the request,
15926 # containing values for the three properties requested by using the
Ben Shillitof25e8e52016-12-02 14:25:37 +000015927 # User-Agent passed to the converter.
15928 frontend http-in
15929 bind *:8081
15930 default_backend servers
15931 http-request set-header X-51D-DeviceTypeMobileTablet \
15932 %[req.fhdr(User-Agent),51d.single(DeviceType,IsMobile,IsTablet)]
15933
Willy Tarreau97707872015-01-27 15:12:13 +010015934add(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015935 Adds <value> to the input value of type signed integer, and returns the
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020015936 result as a signed integer. <value> can be a numeric value or a variable
Daniel Schneller0b547052016-03-21 20:46:57 +010015937 name. The name of the variable starts with an indication about its scope. The
15938 scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010015939 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010015940 "sess" : the variable is shared with the whole session
15941 "txn" : the variable is shared with the transaction (request and response)
15942 "req" : the variable is shared only during request processing
15943 "res" : the variable is shared only during response processing
Davor Ocelice9ed2812017-12-25 17:49:28 +010015944 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010015945 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010015946
Nenad Merdanovicc31499d2019-03-23 11:00:32 +010015947aes_gcm_dec(<bits>,<nonce>,<key>,<aead_tag>)
15948 Decrypts the raw byte input using the AES128-GCM, AES192-GCM or
15949 AES256-GCM algorithm, depending on the <bits> parameter. All other parameters
15950 need to be base64 encoded and the returned result is in raw byte format.
15951 If the <aead_tag> validation fails, the converter doesn't return any data.
15952 The <nonce>, <key> and <aead_tag> can either be strings or variables. This
15953 converter requires at least OpenSSL 1.0.1.
15954
15955 Example:
15956 http-response set-header X-Decrypted-Text %[var(txn.enc),\
15957 aes_gcm_dec(128,txn.nonce,Zm9vb2Zvb29mb29wZm9vbw==,txn.aead_tag)]
15958
Willy Tarreau97707872015-01-27 15:12:13 +010015959and(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015960 Performs a bitwise "AND" between <value> and the input value of type signed
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020015961 integer, and returns the result as an signed integer. <value> can be a
Daniel Schneller0b547052016-03-21 20:46:57 +010015962 numeric value or a variable name. The name of the variable starts with an
15963 indication about its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010015964 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010015965 "sess" : the variable is shared with the whole session
15966 "txn" : the variable is shared with the transaction (request and response)
15967 "req" : the variable is shared only during request processing
15968 "res" : the variable is shared only during response processing
Davor Ocelice9ed2812017-12-25 17:49:28 +010015969 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010015970 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010015971
Holger Just1bfc24b2017-05-06 00:56:53 +020015972b64dec
15973 Converts (decodes) a base64 encoded input string to its binary
15974 representation. It performs the inverse operation of base64().
Moemen MHEDHBI92f7d432021-04-01 20:53:59 +020015975 For base64url("URL and Filename Safe Alphabet" (RFC 4648)) variant
15976 see "ub64dec".
Holger Just1bfc24b2017-05-06 00:56:53 +020015977
Emeric Brun53d1a982014-04-30 18:21:37 +020015978base64
15979 Converts a binary input sample to a base64 string. It is used to log or
Davor Ocelice9ed2812017-12-25 17:49:28 +010015980 transfer binary content in a way that can be reliably transferred (e.g.
Moemen MHEDHBI92f7d432021-04-01 20:53:59 +020015981 an SSL ID can be copied in a header). For base64url("URL and Filename
15982 Safe Alphabet" (RFC 4648)) variant see "ub64enc".
Emeric Brun53d1a982014-04-30 18:21:37 +020015983
Willy Tarreau97707872015-01-27 15:12:13 +010015984bool
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020015985 Returns a boolean TRUE if the input value of type signed integer is
Willy Tarreau97707872015-01-27 15:12:13 +010015986 non-null, otherwise returns FALSE. Used in conjunction with and(), it can be
Davor Ocelice9ed2812017-12-25 17:49:28 +010015987 used to report true/false for bit testing on input values (e.g. verify the
Willy Tarreau97707872015-01-27 15:12:13 +010015988 presence of a flag).
15989
Emeric Brun54c4ac82014-11-03 15:32:43 +010015990bytes(<offset>[,<length>])
15991 Extracts some bytes from an input binary sample. The result is a binary
15992 sample starting at an offset (in bytes) of the original sample and
Tim Düsterhus4896c442016-11-29 02:15:19 +010015993 optionally truncated at the given length.
Emeric Brun54c4ac82014-11-03 15:32:43 +010015994
Willy Tarreau280f42b2018-02-19 15:34:12 +010015995concat([<start>],[<var>],[<end>])
15996 Concatenates up to 3 fields after the current sample which is then turned to
15997 a string. The first one, <start>, is a constant string, that will be appended
15998 immediately after the existing sample. It may be omitted if not used. The
15999 second one, <var>, is a variable name. The variable will be looked up, its
16000 contents converted to a string, and it will be appended immediately after the
16001 <first> part. If the variable is not found, nothing is appended. It may be
16002 omitted as well. The third field, <end> is a constant string that will be
16003 appended after the variable. It may also be omitted. Together, these elements
16004 allow to concatenate variables with delimiters to an existing set of
16005 variables. This can be used to build new variables made of a succession of
Willy Tarreauef21fac2020-02-14 13:37:20 +010016006 other variables, such as colon-delimited values. If commas or closing
Daniel Corbett67a82712020-07-06 23:01:19 -040016007 parenthesis are needed as delimiters, they must be protected by quotes or
Willy Tarreauef21fac2020-02-14 13:37:20 +010016008 backslashes, themselves protected so that they are not stripped by the first
16009 level parser. See examples below.
Willy Tarreau280f42b2018-02-19 15:34:12 +010016010
16011 Example:
16012 tcp-request session set-var(sess.src) src
16013 tcp-request session set-var(sess.dn) ssl_c_s_dn
16014 tcp-request session set-var(txn.sig) str(),concat(<ip=,sess.ip,>),concat(<dn=,sess.dn,>)
Willy Tarreauef21fac2020-02-14 13:37:20 +010016015 tcp-request session set-var(txn.ipport) "str(),concat('addr=(',sess.ip),concat(',',sess.port,')')"
Willy Tarreau280f42b2018-02-19 15:34:12 +010016016 http-request set-header x-hap-sig %[var(txn.sig)]
16017
Willy Tarreau97707872015-01-27 15:12:13 +010016018cpl
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020016019 Takes the input value of type signed integer, applies a ones-complement
16020 (flips all bits) and returns the result as an signed integer.
Willy Tarreau97707872015-01-27 15:12:13 +010016021
Willy Tarreau80599772015-01-20 19:35:24 +010016022crc32([<avalanche>])
16023 Hashes a binary input sample into an unsigned 32-bit quantity using the CRC32
16024 hash function. Optionally, it is possible to apply a full avalanche hash
16025 function to the output if the optional <avalanche> argument equals 1. This
16026 converter uses the same functions as used by the various hash-based load
16027 balancing algorithms, so it will provide exactly the same results. It is
16028 provided for compatibility with other software which want a CRC32 to be
16029 computed on some input keys, so it follows the most common implementation as
16030 found in Ethernet, Gzip, PNG, etc... It is slower than the other algorithms
16031 but may provide a better or at least less predictable distribution. It must
16032 not be used for security purposes as a 32-bit hash is trivial to break. See
Emmanuel Hocdet50791a72018-03-21 11:19:01 +010016033 also "djb2", "sdbm", "wt6", "crc32c" and the "hash-type" directive.
16034
16035crc32c([<avalanche>])
16036 Hashes a binary input sample into an unsigned 32-bit quantity using the CRC32C
16037 hash function. Optionally, it is possible to apply a full avalanche hash
16038 function to the output if the optional <avalanche> argument equals 1. This
16039 converter uses the same functions as described in RFC4960, Appendix B [8].
16040 It is provided for compatibility with other software which want a CRC32C to be
16041 computed on some input keys. It is slower than the other algorithms and it must
16042 not be used for security purposes as a 32-bit hash is trivial to break. See
16043 also "djb2", "sdbm", "wt6", "crc32" and the "hash-type" directive.
Willy Tarreau80599772015-01-20 19:35:24 +010016044
Christopher Fauletea159d62020-04-01 16:21:44 +020016045cut_crlf
16046 Cuts the string representation of the input sample on the first carriage
16047 return ('\r') or newline ('\n') character found. Only the string length is
16048 updated.
16049
David Carlier29b3ca32015-09-25 14:09:21 +010016050da-csv-conv(<prop>[,<prop>*])
David Carlier4542b102015-06-01 13:54:29 +020016051 Asks the DeviceAtlas converter to identify the User Agent string passed on
16052 input, and to emit a string made of the concatenation of the properties
16053 enumerated in argument, delimited by the separator defined by the global
16054 keyword "deviceatlas-property-separator", or by default the pipe character
Daniel Corbett9f0843f2021-05-08 10:50:37 -040016055 ('|'). There's a limit of 12 different properties imposed by the HAProxy
David Carlier4542b102015-06-01 13:54:29 +020016056 configuration language.
16057
16058 Example:
16059 frontend www
Cyril Bonté307ee1e2015-09-28 23:16:06 +020016060 bind *:8881
16061 default_backend servers
David Carlier840b0242016-03-16 10:09:55 +000016062 http-request set-header X-DeviceAtlas-Data %[req.fhdr(User-Agent),da-csv(primaryHardwareType,osName,osVersion,browserName,browserVersion,browserRenderingEngine)]
David Carlier4542b102015-06-01 13:54:29 +020016063
Willy Tarreau0851fd52019-12-17 10:07:25 +010016064debug([<prefix][,<destination>])
16065 This converter is used as debug tool. It takes a capture of the input sample
16066 and sends it to event sink <destination>, which may designate a ring buffer
16067 such as "buf0", as well as "stdout", or "stderr". Available sinks may be
16068 checked at run time by issuing "show events" on the CLI. When not specified,
16069 the output will be "buf0", which may be consulted via the CLI's "show events"
16070 command. An optional prefix <prefix> may be passed to help distinguish
16071 outputs from multiple expressions. It will then appear before the colon in
16072 the output message. The input sample is passed as-is on the output, so that
16073 it is safe to insert the debug converter anywhere in a chain, even with non-
16074 printable sample types.
16075
16076 Example:
16077 tcp-request connection track-sc0 src,debug(track-sc)
Thierry FOURNIER9687c772015-05-07 15:46:29 +020016078
Patrick Gansterer8e366512020-04-22 16:47:57 +020016079digest(<algorithm>)
16080 Converts a binary input sample to a message digest. The result is a binary
16081 sample. The <algorithm> must be an OpenSSL message digest name (e.g. sha256).
16082
Daniel Corbett9f0843f2021-05-08 10:50:37 -040016083 Please note that this converter is only available when HAProxy has been
Patrick Gansterer8e366512020-04-22 16:47:57 +020016084 compiled with USE_OPENSSL.
16085
Willy Tarreau97707872015-01-27 15:12:13 +010016086div(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020016087 Divides the input value of type signed integer by <value>, and returns the
16088 result as an signed integer. If <value> is null, the largest unsigned
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020016089 integer is returned (typically 2^63-1). <value> can be a numeric value or a
Daniel Schneller0b547052016-03-21 20:46:57 +010016090 variable name. The name of the variable starts with an indication about its
16091 scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010016092 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010016093 "sess" : the variable is shared with the whole session
16094 "txn" : the variable is shared with the transaction (request and response)
16095 "req" : the variable is shared only during request processing
16096 "res" : the variable is shared only during response processing
Davor Ocelice9ed2812017-12-25 17:49:28 +010016097 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010016098 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010016099
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020016100djb2([<avalanche>])
16101 Hashes a binary input sample into an unsigned 32-bit quantity using the DJB2
16102 hash function. Optionally, it is possible to apply a full avalanche hash
16103 function to the output if the optional <avalanche> argument equals 1. This
16104 converter uses the same functions as used by the various hash-based load
16105 balancing algorithms, so it will provide exactly the same results. It is
16106 mostly intended for debugging, but can be used as a stick-table entry to
16107 collect rough statistics. It must not be used for security purposes as a
Emmanuel Hocdet50791a72018-03-21 11:19:01 +010016108 32-bit hash is trivial to break. See also "crc32", "sdbm", "wt6", "crc32c",
16109 and the "hash-type" directive.
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020016110
Willy Tarreau97707872015-01-27 15:12:13 +010016111even
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020016112 Returns a boolean TRUE if the input value of type signed integer is even
Willy Tarreau97707872015-01-27 15:12:13 +010016113 otherwise returns FALSE. It is functionally equivalent to "not,and(1),bool".
16114
Marcin Deranek9631a282018-04-16 14:30:46 +020016115field(<index>,<delimiters>[,<count>])
16116 Extracts the substring at the given index counting from the beginning
16117 (positive index) or from the end (negative index) considering given delimiters
16118 from an input string. Indexes start at 1 or -1 and delimiters are a string
16119 formatted list of chars. Optionally you can specify <count> of fields to
16120 extract (default: 1). Value of 0 indicates extraction of all remaining
16121 fields.
16122
16123 Example :
16124 str(f1_f2_f3__f5),field(5,_) # f5
16125 str(f1_f2_f3__f5),field(2,_,0) # f2_f3__f5
16126 str(f1_f2_f3__f5),field(2,_,2) # f2_f3
16127 str(f1_f2_f3__f5),field(-2,_,3) # f2_f3_
16128 str(f1_f2_f3__f5),field(-3,_,0) # f1_f2_f3
Emeric Brunf399b0d2014-11-03 17:07:03 +010016129
Baptiste Assmanne138dda2020-10-22 15:39:03 +020016130fix_is_valid
16131 Parses a binary payload and performs sanity checks regarding FIX (Financial
16132 Information eXchange):
16133
16134 - checks that all tag IDs and values are not empty and the tags IDs are well
16135 numeric
Ilya Shipitsin2272d8a2020-12-21 01:22:40 +050016136 - checks the BeginString tag is the first tag with a valid FIX version
Baptiste Assmanne138dda2020-10-22 15:39:03 +020016137 - checks the BodyLength tag is the second one with the right body length
Christopher Fauleted4bef72021-03-18 17:40:56 +010016138 - checks the MsgType tag is the third tag.
Baptiste Assmanne138dda2020-10-22 15:39:03 +020016139 - checks that last tag in the message is the CheckSum tag with a valid
16140 checksum
16141
16142 Due to current HAProxy design, only the first message sent by the client and
16143 the server can be parsed.
16144
16145 This converter returns a boolean, true if the payload contains a valid FIX
16146 message, false if not.
16147
16148 See also the fix_tag_value converter.
16149
16150 Example:
16151 tcp-request inspect-delay 10s
16152 tcp-request content reject unless { req.payload(0,0),fix_is_valid }
16153
16154fix_tag_value(<tag>)
16155 Parses a FIX (Financial Information eXchange) message and extracts the value
16156 from the tag <tag>. <tag> can be a string or an integer pointing to the
16157 desired tag. Any integer value is accepted, but only the following strings
16158 are translated into their integer equivalent: BeginString, BodyLength,
Daniel Corbettbefef702021-03-09 23:00:34 -050016159 MsgType, SenderCompID, TargetCompID, CheckSum. More tag names can be easily
Baptiste Assmanne138dda2020-10-22 15:39:03 +020016160 added.
16161
16162 Due to current HAProxy design, only the first message sent by the client and
16163 the server can be parsed. No message validation is performed by this
16164 converter. It is highly recommended to validate the message first using
16165 fix_is_valid converter.
16166
16167 See also the fix_is_valid converter.
16168
16169 Example:
16170 tcp-request inspect-delay 10s
16171 tcp-request content reject unless { req.payload(0,0),fix_is_valid }
16172 # MsgType tag ID is 35, so both lines below will return the same content
16173 tcp-request content set-var(txn.foo) req.payload(0,0),fix_tag_value(35)
16174 tcp-request content set-var(txn.bar) req.payload(0,0),fix_tag_value(MsgType)
16175
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016176hex
Davor Ocelice9ed2812017-12-25 17:49:28 +010016177 Converts a binary input sample to a hex string containing two hex digits per
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016178 input byte. It is used to log or transfer hex dumps of some binary input data
Davor Ocelice9ed2812017-12-25 17:49:28 +010016179 in a way that can be reliably transferred (e.g. an SSL ID can be copied in a
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016180 header).
Thierry FOURNIER2f49d6d2014-03-12 15:01:52 +010016181
Dragan Dosen3f957b22017-10-24 09:27:34 +020016182hex2i
16183 Converts a hex string containing two hex digits per input byte to an
John Roeslerfb2fce12019-07-10 15:45:51 -050016184 integer. If the input value cannot be converted, then zero is returned.
Dragan Dosen3f957b22017-10-24 09:27:34 +020016185
Christopher Faulet4ccc12f2020-04-01 09:08:32 +020016186htonl
16187 Converts the input integer value to its 32-bit binary representation in the
16188 network byte order. Because sample fetches own signed 64-bit integer, when
16189 this converter is used, the input integer value is first casted to an
16190 unsigned 32-bit integer.
16191
Tim Duesterhusa3082092021-01-21 17:40:49 +010016192hmac(<algorithm>,<key>)
Patrick Gansterer8e366512020-04-22 16:47:57 +020016193 Converts a binary input sample to a message authentication code with the given
16194 key. The result is a binary sample. The <algorithm> must be one of the
16195 registered OpenSSL message digest names (e.g. sha256). The <key> parameter must
16196 be base64 encoded and can either be a string or a variable.
16197
Daniel Corbett9f0843f2021-05-08 10:50:37 -040016198 Please note that this converter is only available when HAProxy has been
Patrick Gansterer8e366512020-04-22 16:47:57 +020016199 compiled with USE_OPENSSL.
16200
Cyril Bonté6bcd1822019-11-05 23:13:59 +010016201http_date([<offset],[<unit>])
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016202 Converts an integer supposed to contain a date since epoch to a string
16203 representing this date in a format suitable for use in HTTP header fields. If
Damien Claisseae6f1252019-10-30 15:57:28 +000016204 an offset value is specified, then it is added to the date before the
16205 conversion is operated. This is particularly useful to emit Date header fields,
16206 Expires values in responses when combined with a positive offset, or
16207 Last-Modified values when the offset is negative.
16208 If a unit value is specified, then consider the timestamp as either
16209 "s" for seconds (default behavior), "ms" for milliseconds, or "us" for
16210 microseconds since epoch. Offset is assumed to have the same unit as
16211 input timestamp.
Willy Tarreau74ca5042013-06-11 23:12:07 +020016212
Tim Duesterhus3943e4f2020-09-11 14:25:23 +020016213iif(<true>,<false>)
16214 Returns the <true> string if the input value is true. Returns the <false>
16215 string otherwise.
16216
16217 Example:
Tim Duesterhus870713b2020-09-11 17:13:12 +020016218 http-request set-header x-forwarded-proto %[ssl_fc,iif(https,http)]
Tim Duesterhus3943e4f2020-09-11 14:25:23 +020016219
Willy Tarreaud9f316a2014-07-10 14:03:38 +020016220in_table(<table>)
16221 Uses the string representation of the input sample to perform a look up in
16222 the specified table. If the key is not found in the table, a boolean false
16223 is returned. Otherwise a boolean true is returned. This can be used to verify
Davor Ocelice9ed2812017-12-25 17:49:28 +010016224 the presence of a certain key in a table tracking some elements (e.g. whether
Willy Tarreaud9f316a2014-07-10 14:03:38 +020016225 or not a source IP address or an Authorization header was already seen).
16226
Tim Duesterhusa3082092021-01-21 17:40:49 +010016227ipmask(<mask4>,[<mask6>])
Tim Duesterhus1478aa72018-01-25 16:24:51 +010016228 Apply a mask to an IP address, and use the result for lookups and storage.
Willy Tarreauffcb2e42014-07-10 16:29:08 +020016229 This can be used to make all hosts within a certain mask to share the same
Tim Duesterhus1478aa72018-01-25 16:24:51 +010016230 table entries and as such use the same server. The mask4 can be passed in
16231 dotted form (e.g. 255.255.255.0) or in CIDR form (e.g. 24). The mask6 can
16232 be passed in quadruplet form (e.g. ffff:ffff::) or in CIDR form (e.g. 64).
16233 If no mask6 is given IPv6 addresses will fail to convert for backwards
16234 compatibility reasons.
Willy Tarreauffcb2e42014-07-10 16:29:08 +020016235
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020016236json([<input-code>])
Davor Ocelice9ed2812017-12-25 17:49:28 +010016237 Escapes the input string and produces an ASCII output string ready to use as a
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020016238 JSON string. The converter tries to decode the input string according to the
Herve COMMOWICK8dfe8632016-08-05 12:01:20 +020016239 <input-code> parameter. It can be "ascii", "utf8", "utf8s", "utf8p" or
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020016240 "utf8ps". The "ascii" decoder never fails. The "utf8" decoder detects 3 types
16241 of errors:
16242 - bad UTF-8 sequence (lone continuation byte, bad number of continuation
16243 bytes, ...)
16244 - invalid range (the decoded value is within a UTF-8 prohibited range),
16245 - code overlong (the value is encoded with more bytes than necessary).
16246
16247 The UTF-8 JSON encoding can produce a "too long value" error when the UTF-8
16248 character is greater than 0xffff because the JSON string escape specification
16249 only authorizes 4 hex digits for the value encoding. The UTF-8 decoder exists
16250 in 4 variants designated by a combination of two suffix letters : "p" for
16251 "permissive" and "s" for "silently ignore". The behaviors of the decoders
16252 are :
Davor Ocelice9ed2812017-12-25 17:49:28 +010016253 - "ascii" : never fails;
16254 - "utf8" : fails on any detected errors;
16255 - "utf8s" : never fails, but removes characters corresponding to errors;
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020016256 - "utf8p" : accepts and fixes the overlong errors, but fails on any other
Davor Ocelice9ed2812017-12-25 17:49:28 +010016257 error;
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020016258 - "utf8ps" : never fails, accepts and fixes the overlong errors, but removes
16259 characters corresponding to the other errors.
16260
16261 This converter is particularly useful for building properly escaped JSON for
Davor Ocelice9ed2812017-12-25 17:49:28 +010016262 logging to servers which consume JSON-formatted traffic logs.
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020016263
16264 Example:
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020016265 capture request header Host len 15
Herve COMMOWICK8dfe8632016-08-05 12:01:20 +020016266 capture request header user-agent len 150
16267 log-format '{"ip":"%[src]","user-agent":"%[capture.req.hdr(1),json(utf8s)]"}'
Thierry FOURNIER317e1c42014-08-12 10:20:47 +020016268
16269 Input request from client 127.0.0.1:
16270 GET / HTTP/1.0
16271 User-Agent: Very "Ugly" UA 1/2
16272
16273 Output log:
16274 {"ip":"127.0.0.1","user-agent":"Very \"Ugly\" UA 1\/2"}
16275
Alex51c8ad42021-04-15 16:45:15 +020016276json_query(<json_path>,[<output_type>])
16277 The json_query converter supports the JSON types string, boolean and
16278 number. Floating point numbers will be returned as a string. By
16279 specifying the output_type 'int' the value will be converted to an
16280 Integer. If conversion is not possible the json_query converter fails.
16281
16282 <json_path> must be a valid JSON Path string as defined in
16283 https://datatracker.ietf.org/doc/draft-ietf-jsonpath-base/
16284
16285 Example:
16286 # get a integer value from the request body
16287 # "{"integer":4}" => 5
16288 http-request set-var(txn.pay_int) req.body,json_query('$.integer','int'),add(1)
16289
16290 # get a key with '.' in the name
16291 # {"my.key":"myvalue"} => myvalue
16292 http-request set-var(txn.pay_mykey) req.body,json_query('$.my\\.key')
16293
16294 # {"boolean-false":false} => 0
16295 http-request set-var(txn.pay_boolean_false) req.body,json_query('$.boolean-false')
16296
16297 # get the value of the key 'iss' from a JWT Bearer token
16298 http-request set-var(txn.token_payload) req.hdr(Authorization),word(2,.),ub64dec,json_query('$.iss')
16299
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016300language(<value>[,<default>])
16301 Returns the value with the highest q-factor from a list as extracted from the
16302 "accept-language" header using "req.fhdr". Values with no q-factor have a
16303 q-factor of 1. Values with a q-factor of 0 are dropped. Only values which
16304 belong to the list of semi-colon delimited <values> will be considered. The
16305 argument <value> syntax is "lang[;lang[;lang[;...]]]". If no value matches the
16306 given list and a default value is provided, it is returned. Note that language
16307 names may have a variant after a dash ('-'). If this variant is present in the
16308 list, it will be matched, but if it is not, only the base language is checked.
16309 The match is case-sensitive, and the output string is always one of those
Davor Ocelice9ed2812017-12-25 17:49:28 +010016310 provided in arguments. The ordering of arguments is meaningless, only the
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016311 ordering of the values in the request counts, as the first value among
16312 multiple sharing the same q-factor is used.
Thierry FOURNIERad903512014-04-11 17:51:01 +020016313
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016314 Example :
Thierry FOURNIERad903512014-04-11 17:51:01 +020016315
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016316 # this configuration switches to the backend matching a
16317 # given language based on the request :
Thierry FOURNIERad903512014-04-11 17:51:01 +020016318
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016319 acl es req.fhdr(accept-language),language(es;fr;en) -m str es
16320 acl fr req.fhdr(accept-language),language(es;fr;en) -m str fr
16321 acl en req.fhdr(accept-language),language(es;fr;en) -m str en
16322 use_backend spanish if es
16323 use_backend french if fr
16324 use_backend english if en
16325 default_backend choose_your_language
Thierry FOURNIERad903512014-04-11 17:51:01 +020016326
Willy Tarreau60a2ee72017-12-15 07:13:48 +010016327length
Etienne Carriereed0d24e2017-12-13 13:41:34 +010016328 Get the length of the string. This can only be placed after a string
16329 sample fetch function or after a transformation keyword returning a string
16330 type. The result is of type integer.
16331
Willy Tarreauffcb2e42014-07-10 16:29:08 +020016332lower
16333 Convert a string sample to lower case. This can only be placed after a string
16334 sample fetch function or after a transformation keyword returning a string
16335 type. The result is of type string.
16336
Willy Tarreau0dbfdba2014-07-10 16:37:47 +020016337ltime(<format>[,<offset>])
16338 Converts an integer supposed to contain a date since epoch to a string
16339 representing this date in local time using a format defined by the <format>
16340 string using strftime(3). The purpose is to allow any date format to be used
16341 in logs. An optional <offset> in seconds may be applied to the input date
16342 (positive or negative). See the strftime() man page for the format supported
16343 by your operating system. See also the utime converter.
16344
16345 Example :
16346
16347 # Emit two colons, one with the local time and another with ip:port
Davor Ocelice9ed2812017-12-25 17:49:28 +010016348 # e.g. 20140710162350 127.0.0.1:57325
Willy Tarreau0dbfdba2014-07-10 16:37:47 +020016349 log-format %[date,ltime(%Y%m%d%H%M%S)]\ %ci:%cp
16350
Christopher Faulet51fc9d12020-04-01 17:24:41 +020016351ltrim(<chars>)
16352 Skips any characters from <chars> from the beginning of the string
16353 representation of the input sample.
16354
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016355map(<map_file>[,<default_value>])
16356map_<match_type>(<map_file>[,<default_value>])
16357map_<match_type>_<output_type>(<map_file>[,<default_value>])
16358 Search the input value from <map_file> using the <match_type> matching method,
16359 and return the associated value converted to the type <output_type>. If the
16360 input value cannot be found in the <map_file>, the converter returns the
16361 <default_value>. If the <default_value> is not set, the converter fails and
16362 acts as if no input value could be fetched. If the <match_type> is not set, it
16363 defaults to "str". Likewise, if the <output_type> is not set, it defaults to
16364 "str". For convenience, the "map" keyword is an alias for "map_str" and maps a
16365 string to another string.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010016366
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016367 It is important to avoid overlapping between the keys : IP addresses and
16368 strings are stored in trees, so the first of the finest match will be used.
16369 Other keys are stored in lists, so the first matching occurrence will be used.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010016370
Tim Düsterhus4896c442016-11-29 02:15:19 +010016371 The following array contains the list of all map functions available sorted by
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016372 input type, match type and output type.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010016373
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016374 input type | match method | output type str | output type int | output type ip
16375 -----------+--------------+-----------------+-----------------+---------------
16376 str | str | map_str | map_str_int | map_str_ip
16377 -----------+--------------+-----------------+-----------------+---------------
Willy Tarreau787a4c02014-05-10 07:55:30 +020016378 str | beg | map_beg | map_beg_int | map_end_ip
16379 -----------+--------------+-----------------+-----------------+---------------
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016380 str | sub | map_sub | map_sub_int | map_sub_ip
16381 -----------+--------------+-----------------+-----------------+---------------
16382 str | dir | map_dir | map_dir_int | map_dir_ip
16383 -----------+--------------+-----------------+-----------------+---------------
16384 str | dom | map_dom | map_dom_int | map_dom_ip
16385 -----------+--------------+-----------------+-----------------+---------------
16386 str | end | map_end | map_end_int | map_end_ip
16387 -----------+--------------+-----------------+-----------------+---------------
Ruoshan Huang3c5e3742016-12-02 16:25:31 +080016388 str | reg | map_reg | map_reg_int | map_reg_ip
16389 -----------+--------------+-----------------+-----------------+---------------
16390 str | reg | map_regm | map_reg_int | map_reg_ip
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016391 -----------+--------------+-----------------+-----------------+---------------
16392 int | int | map_int | map_int_int | map_int_ip
16393 -----------+--------------+-----------------+-----------------+---------------
16394 ip | ip | map_ip | map_ip_int | map_ip_ip
16395 -----------+--------------+-----------------+-----------------+---------------
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010016396
Thierry Fournier8feaa662016-02-10 22:55:20 +010016397 The special map called "map_regm" expect matching zone in the regular
16398 expression and modify the output replacing back reference (like "\1") by
16399 the corresponding match text.
16400
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016401 The file contains one key + value per line. Lines which start with '#' are
16402 ignored, just like empty lines. Leading tabs and spaces are stripped. The key
16403 is then the first "word" (series of non-space/tabs characters), and the value
16404 is what follows this series of space/tab till the end of the line excluding
16405 trailing spaces/tabs.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010016406
Thierry FOURNIER060762e2014-04-23 13:29:15 +020016407 Example :
16408
16409 # this is a comment and is ignored
16410 2.22.246.0/23 United Kingdom \n
16411 <-><-----------><--><------------><---->
16412 | | | | `- trailing spaces ignored
16413 | | | `---------- value
16414 | | `-------------------- middle spaces ignored
16415 | `---------------------------- key
16416 `------------------------------------ leading spaces ignored
16417
Willy Tarreau97707872015-01-27 15:12:13 +010016418mod(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020016419 Divides the input value of type signed integer by <value>, and returns the
16420 remainder as an signed integer. If <value> is null, then zero is returned.
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020016421 <value> can be a numeric value or a variable name. The name of the variable
Daniel Schneller0b547052016-03-21 20:46:57 +010016422 starts with an indication about its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010016423 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010016424 "sess" : the variable is shared with the whole session
16425 "txn" : the variable is shared with the transaction (request and response)
16426 "req" : the variable is shared only during request processing
16427 "res" : the variable is shared only during response processing
Davor Ocelice9ed2812017-12-25 17:49:28 +010016428 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010016429 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010016430
Alexbf1bd5a2021-04-24 13:02:21 +020016431mqtt_field_value(<packettype>,<fieldname_or_property_ID>)
Baptiste Assmanne279ca62020-10-27 18:10:06 +010016432 Returns value of <fieldname> found in input MQTT payload of type
16433 <packettype>.
16434 <packettype> can be either a string (case insensitive matching) or a numeric
16435 value corresponding to the type of packet we're supposed to extract data
16436 from.
16437 Supported string and integers can be found here:
16438 https://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Toc398718021
16439 https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901022
16440
16441 <fieldname> depends on <packettype> and can be any of the following below.
16442 (note that <fieldname> matching is case insensitive).
16443 <property id> can only be found in MQTT v5.0 streams. check this table:
16444 https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901029
16445
16446 - CONNECT (or 1): flags, protocol_name, protocol_version, client_identifier,
16447 will_topic, will_payload, username, password, keepalive
16448 OR any property ID as a numeric value (for MQTT v5.0
16449 packets only):
16450 17: Session Expiry Interval
16451 33: Receive Maximum
16452 39: Maximum Packet Size
16453 34: Topic Alias Maximum
16454 25: Request Response Information
16455 23: Request Problem Information
16456 21: Authentication Method
16457 22: Authentication Data
16458 18: Will Delay Interval
16459 1: Payload Format Indicator
16460 2: Message Expiry Interval
16461 3: Content Type
16462 8: Response Topic
16463 9: Correlation Data
16464 Not supported yet:
16465 38: User Property
16466
16467 - CONNACK (or 2): flags, protocol_version, reason_code
16468 OR any property ID as a numeric value (for MQTT v5.0
16469 packets only):
16470 17: Session Expiry Interval
16471 33: Receive Maximum
16472 36: Maximum QoS
16473 37: Retain Available
16474 39: Maximum Packet Size
16475 18: Assigned Client Identifier
16476 34: Topic Alias Maximum
16477 31: Reason String
16478 40; Wildcard Subscription Available
16479 41: Subscription Identifiers Available
16480 42: Shared Subscription Available
16481 19: Server Keep Alive
16482 26: Response Information
16483 28: Server Reference
16484 21: Authentication Method
16485 22: Authentication Data
16486 Not supported yet:
16487 38: User Property
16488
16489 Due to current HAProxy design, only the first message sent by the client and
16490 the server can be parsed. Thus this converter can extract data only from
16491 CONNECT and CONNACK packet types. CONNECT is the first message sent by the
16492 client and CONNACK is the first response sent by the server.
16493
16494 Example:
16495
16496 acl data_in_buffer req.len ge 4
16497 tcp-request content set-var(txn.username) \
16498 req.payload(0,0),mqtt_field_value(connect,protocol_name) \
16499 if data_in_buffer
16500 # do the same as above
16501 tcp-request content set-var(txn.username) \
16502 req.payload(0,0),mqtt_field_value(1,protocol_name) \
16503 if data_in_buffer
16504
16505mqtt_is_valid
16506 Checks that the binary input is a valid MQTT packet. It returns a boolean.
16507
16508 Due to current HAProxy design, only the first message sent by the client and
16509 the server can be parsed. Thus this converter can extract data only from
16510 CONNECT and CONNACK packet types. CONNECT is the first message sent by the
16511 client and CONNACK is the first response sent by the server.
16512
16513 Example:
16514
16515 acl data_in_buffer req.len ge 4
Daniel Corbettcc9d9b02021-05-13 10:46:07 -040016516 tcp-request content reject unless { req.payload(0,0),mqtt_is_valid }
Baptiste Assmanne279ca62020-10-27 18:10:06 +010016517
Willy Tarreau97707872015-01-27 15:12:13 +010016518mul(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020016519 Multiplies the input value of type signed integer by <value>, and returns
Thierry FOURNIER00c005c2015-07-08 01:10:21 +020016520 the product as an signed integer. In case of overflow, the largest possible
16521 value for the sign is returned so that the operation doesn't wrap around.
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020016522 <value> can be a numeric value or a variable name. The name of the variable
Daniel Schneller0b547052016-03-21 20:46:57 +010016523 starts with an indication about its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010016524 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010016525 "sess" : the variable is shared with the whole session
16526 "txn" : the variable is shared with the transaction (request and response)
16527 "req" : the variable is shared only during request processing
16528 "res" : the variable is shared only during response processing
Davor Ocelice9ed2812017-12-25 17:49:28 +010016529 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010016530 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010016531
Nenad Merdanovicb7e7c472017-03-12 21:56:55 +010016532nbsrv
16533 Takes an input value of type string, interprets it as a backend name and
16534 returns the number of usable servers in that backend. Can be used in places
16535 where we want to look up a backend from a dynamic name, like a result of a
16536 map lookup.
16537
Willy Tarreau97707872015-01-27 15:12:13 +010016538neg
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020016539 Takes the input value of type signed integer, computes the opposite value,
16540 and returns the remainder as an signed integer. 0 is identity. This operator
16541 is provided for reversed subtracts : in order to subtract the input from a
16542 constant, simply perform a "neg,add(value)".
Willy Tarreau97707872015-01-27 15:12:13 +010016543
16544not
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020016545 Returns a boolean FALSE if the input value of type signed integer is
Willy Tarreau97707872015-01-27 15:12:13 +010016546 non-null, otherwise returns TRUE. Used in conjunction with and(), it can be
Davor Ocelice9ed2812017-12-25 17:49:28 +010016547 used to report true/false for bit testing on input values (e.g. verify the
Willy Tarreau97707872015-01-27 15:12:13 +010016548 absence of a flag).
16549
16550odd
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020016551 Returns a boolean TRUE if the input value of type signed integer is odd
Willy Tarreau97707872015-01-27 15:12:13 +010016552 otherwise returns FALSE. It is functionally equivalent to "and(1),bool".
16553
16554or(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020016555 Performs a bitwise "OR" between <value> and the input value of type signed
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020016556 integer, and returns the result as an signed integer. <value> can be a
Daniel Schneller0b547052016-03-21 20:46:57 +010016557 numeric value or a variable name. The name of the variable starts with an
16558 indication about its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010016559 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010016560 "sess" : the variable is shared with the whole session
16561 "txn" : the variable is shared with the transaction (request and response)
16562 "req" : the variable is shared only during request processing
16563 "res" : the variable is shared only during response processing
Davor Ocelice9ed2812017-12-25 17:49:28 +010016564 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010016565 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010016566
Frédéric Lécaillebfe61382019-03-06 14:34:36 +010016567protobuf(<field_number>,[<field_type>])
16568 This extracts the protocol buffers message field in raw mode of an input binary
16569 sample representation of a protocol buffer message with <field_number> as field
16570 number (dotted notation) if <field_type> is not present, or as an integer sample
16571 if this field is present (see also "ungrpc" below).
16572 The list of the authorized types is the following one: "int32", "int64", "uint32",
16573 "uint64", "sint32", "sint64", "bool", "enum" for the "varint" wire type 0
16574 "fixed64", "sfixed64", "double" for the 64bit wire type 1, "fixed32", "sfixed32",
16575 "float" for the wire type 5. Note that "string" is considered as a length-delimited
16576 type, so it does not require any <field_type> argument to be extracted.
16577 More information may be found here about the protocol buffers message field types:
16578 https://developers.google.com/protocol-buffers/docs/encoding
16579
Willy Tarreauc4dc3502015-01-23 20:39:28 +010016580regsub(<regex>,<subst>[,<flags>])
Willy Tarreau7eda8492015-01-20 19:47:06 +010016581 Applies a regex-based substitution to the input string. It does the same
16582 operation as the well-known "sed" utility with "s/<regex>/<subst>/". By
16583 default it will replace in the input string the first occurrence of the
16584 largest part matching the regular expression <regex> with the substitution
16585 string <subst>. It is possible to replace all occurrences instead by adding
16586 the flag "g" in the third argument <flags>. It is also possible to make the
16587 regex case insensitive by adding the flag "i" in <flags>. Since <flags> is a
16588 string, it is made up from the concatenation of all desired flags. Thus if
16589 both "i" and "g" are desired, using "gi" or "ig" will have the same effect.
Willy Tarreauef21fac2020-02-14 13:37:20 +010016590 The first use of this converter is to replace certain characters or sequence
16591 of characters with other ones.
16592
16593 It is highly recommended to enclose the regex part using protected quotes to
16594 improve clarity and never have a closing parenthesis from the regex mixed up
16595 with the parenthesis from the function. Just like in Bourne shell, the first
16596 level of quotes is processed when delimiting word groups on the line, a
16597 second level is usable for argument. It is recommended to use single quotes
16598 outside since these ones do not try to resolve backslashes nor dollar signs.
Willy Tarreau7eda8492015-01-20 19:47:06 +010016599
Willy Tarreaucd0d2ed2020-02-14 17:33:06 +010016600 Examples:
Willy Tarreau7eda8492015-01-20 19:47:06 +010016601
16602 # de-duplicate "/" in header "x-path".
16603 # input: x-path: /////a///b/c/xzxyz/
16604 # output: x-path: /a/b/c/xzxyz/
Willy Tarreauef21fac2020-02-14 13:37:20 +010016605 http-request set-header x-path "%[hdr(x-path),regsub('/+','/','g')]"
Willy Tarreau7eda8492015-01-20 19:47:06 +010016606
Willy Tarreaucd0d2ed2020-02-14 17:33:06 +010016607 # copy query string to x-query and drop all leading '?', ';' and '&'
16608 http-request set-header x-query "%[query,regsub([?;&]*,'')]"
16609
Jerome Magnin07e1e3c2020-02-16 19:20:19 +010016610 # capture groups and backreferences
16611 # both lines do the same.
Willy Tarreau465dc7d2020-10-08 18:05:56 +020016612 http-request redirect location %[url,'regsub("(foo|bar)([0-9]+)?","\2\1",i)']
Jerome Magnin07e1e3c2020-02-16 19:20:19 +010016613 http-request redirect location %[url,regsub(\"(foo|bar)([0-9]+)?\",\"\2\1\",i)]
16614
Thierry FOURNIER35ab2752015-05-28 13:22:03 +020016615capture-req(<id>)
16616 Capture the string entry in the request slot <id> and returns the entry as
16617 is. If the slot doesn't exist, the capture fails silently.
16618
16619 See also: "declare capture", "http-request capture",
Baptiste Assmann5ac425c2015-10-21 23:13:46 +020016620 "http-response capture", "capture.req.hdr" and
16621 "capture.res.hdr" (sample fetches).
Thierry FOURNIER35ab2752015-05-28 13:22:03 +020016622
16623capture-res(<id>)
16624 Capture the string entry in the response slot <id> and returns the entry as
16625 is. If the slot doesn't exist, the capture fails silently.
16626
16627 See also: "declare capture", "http-request capture",
Baptiste Assmann5ac425c2015-10-21 23:13:46 +020016628 "http-response capture", "capture.req.hdr" and
16629 "capture.res.hdr" (sample fetches).
Thierry FOURNIER35ab2752015-05-28 13:22:03 +020016630
Christopher Faulet568415a2020-04-01 17:24:47 +020016631rtrim(<chars>)
16632 Skips any characters from <chars> from the end of the string representation
16633 of the input sample.
16634
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020016635sdbm([<avalanche>])
16636 Hashes a binary input sample into an unsigned 32-bit quantity using the SDBM
16637 hash function. Optionally, it is possible to apply a full avalanche hash
16638 function to the output if the optional <avalanche> argument equals 1. This
16639 converter uses the same functions as used by the various hash-based load
16640 balancing algorithms, so it will provide exactly the same results. It is
16641 mostly intended for debugging, but can be used as a stick-table entry to
16642 collect rough statistics. It must not be used for security purposes as a
Emmanuel Hocdet50791a72018-03-21 11:19:01 +010016643 32-bit hash is trivial to break. See also "crc32", "djb2", "wt6", "crc32c",
16644 and the "hash-type" directive.
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020016645
Tim Duesterhusf38175c2020-06-09 11:48:42 +020016646secure_memcmp(<var>)
16647 Compares the contents of <var> with the input value. Both values are treated
16648 as a binary string. Returns a boolean indicating whether both binary strings
16649 match.
16650
16651 If both binary strings have the same length then the comparison will be
16652 performed in constant time.
16653
Daniel Corbett9f0843f2021-05-08 10:50:37 -040016654 Please note that this converter is only available when HAProxy has been
Tim Duesterhusf38175c2020-06-09 11:48:42 +020016655 compiled with USE_OPENSSL.
16656
16657 Example :
16658
16659 http-request set-var(txn.token) hdr(token)
16660 # Check whether the token sent by the client matches the secret token
16661 # value, without leaking the contents using a timing attack.
16662 acl token_given str(my_secret_token),secure_memcmp(txn.token)
16663
Tim Duesterhusef4e45c2021-01-21 17:40:50 +010016664set-var(<var>)
Davor Ocelice9ed2812017-12-25 17:49:28 +010016665 Sets a variable with the input content and returns the content on the output
16666 as-is. The variable keeps the value and the associated input type. The name of
16667 the variable starts with an indication about its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010016668 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010016669 "sess" : the variable is shared with the whole session
16670 "txn" : the variable is shared with the transaction (request and
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020016671 response),
Daniel Schneller0b547052016-03-21 20:46:57 +010016672 "req" : the variable is shared only during request processing,
16673 "res" : the variable is shared only during response processing.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020016674 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010016675 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020016676
Dragan Dosen6e5a9ca2017-10-24 09:18:23 +020016677sha1
Tim Duesterhusd4376302019-06-17 12:41:44 +020016678 Converts a binary input sample to a SHA-1 digest. The result is a binary
Dragan Dosen6e5a9ca2017-10-24 09:18:23 +020016679 sample with length of 20 bytes.
16680
Tim Duesterhusd4376302019-06-17 12:41:44 +020016681sha2([<bits>])
16682 Converts a binary input sample to a digest in the SHA-2 family. The result
16683 is a binary sample with length of <bits>/8 bytes.
16684
16685 Valid values for <bits> are 224, 256, 384, 512, each corresponding to
16686 SHA-<bits>. The default value is 256.
16687
Daniel Corbett9f0843f2021-05-08 10:50:37 -040016688 Please note that this converter is only available when HAProxy has been
Tim Duesterhusd4376302019-06-17 12:41:44 +020016689 compiled with USE_OPENSSL.
16690
Nenad Merdanovic177adc92019-08-27 01:58:13 +020016691srv_queue
16692 Takes an input value of type string, either a server name or <backend>/<server>
16693 format and returns the number of queued sessions on that server. Can be used
16694 in places where we want to look up queued sessions from a dynamic name, like a
16695 cookie value (e.g. req.cook(SRVID),srv_queue) and then make a decision to break
16696 persistence or direct a request elsewhere.
16697
Tim Duesterhusca097c12018-04-27 21:18:45 +020016698strcmp(<var>)
16699 Compares the contents of <var> with the input value of type string. Returns
16700 the result as a signed integer compatible with strcmp(3): 0 if both strings
16701 are identical. A value less than 0 if the left string is lexicographically
16702 smaller than the right string or if the left string is shorter. A value greater
16703 than 0 otherwise (right string greater than left string or the right string is
16704 shorter).
16705
Tim Duesterhusf38175c2020-06-09 11:48:42 +020016706 See also the secure_memcmp converter if you need to compare two binary
16707 strings in constant time.
16708
Tim Duesterhusca097c12018-04-27 21:18:45 +020016709 Example :
16710
16711 http-request set-var(txn.host) hdr(host)
16712 # Check whether the client is attempting domain fronting.
16713 acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0
16714
16715
Willy Tarreau97707872015-01-27 15:12:13 +010016716sub(<value>)
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020016717 Subtracts <value> from the input value of type signed integer, and returns
16718 the result as an signed integer. Note: in order to subtract the input from
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020016719 a constant, simply perform a "neg,add(value)". <value> can be a numeric value
Daniel Schneller0b547052016-03-21 20:46:57 +010016720 or a variable name. The name of the variable starts with an indication about
16721 its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010016722 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010016723 "sess" : the variable is shared with the whole session
16724 "txn" : the variable is shared with the transaction (request and
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020016725 response),
Daniel Schneller0b547052016-03-21 20:46:57 +010016726 "req" : the variable is shared only during request processing,
16727 "res" : the variable is shared only during response processing.
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020016728 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010016729 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010016730
Willy Tarreaud9f316a2014-07-10 14:03:38 +020016731table_bytes_in_rate(<table>)
16732 Uses the string representation of the input sample to perform a look up in
16733 the specified table. If the key is not found in the table, integer value zero
16734 is returned. Otherwise the converter returns the average client-to-server
16735 bytes rate associated with the input sample in the designated table, measured
16736 in amount of bytes over the period configured in the table. See also the
16737 sc_bytes_in_rate sample fetch keyword.
16738
16739
16740table_bytes_out_rate(<table>)
16741 Uses the string representation of the input sample to perform a look up in
16742 the specified table. If the key is not found in the table, integer value zero
16743 is returned. Otherwise the converter returns the average server-to-client
16744 bytes rate associated with the input sample in the designated table, measured
16745 in amount of bytes over the period configured in the table. See also the
16746 sc_bytes_out_rate sample fetch keyword.
16747
16748table_conn_cnt(<table>)
16749 Uses the string representation of the input sample to perform a look up in
16750 the specified table. If the key is not found in the table, integer value zero
Davor Ocelice9ed2812017-12-25 17:49:28 +010016751 is returned. Otherwise the converter returns the cumulative number of incoming
Willy Tarreaud9f316a2014-07-10 14:03:38 +020016752 connections associated with the input sample in the designated table. See
16753 also the sc_conn_cnt sample fetch keyword.
16754
16755table_conn_cur(<table>)
16756 Uses the string representation of the input sample to perform a look up in
16757 the specified table. If the key is not found in the table, integer value zero
16758 is returned. Otherwise the converter returns the current amount of concurrent
16759 tracked connections associated with the input sample in the designated table.
16760 See also the sc_conn_cur sample fetch keyword.
16761
16762table_conn_rate(<table>)
16763 Uses the string representation of the input sample to perform a look up in
16764 the specified table. If the key is not found in the table, integer value zero
16765 is returned. Otherwise the converter returns the average incoming connection
16766 rate associated with the input sample in the designated table. See also the
16767 sc_conn_rate sample fetch keyword.
16768
Thierry FOURNIER236657b2015-08-19 08:25:14 +020016769table_gpt0(<table>)
16770 Uses the string representation of the input sample to perform a look up in
16771 the specified table. If the key is not found in the table, boolean value zero
16772 is returned. Otherwise the converter returns the current value of the first
16773 general purpose tag associated with the input sample in the designated table.
16774 See also the sc_get_gpt0 sample fetch keyword.
16775
Willy Tarreaud9f316a2014-07-10 14:03:38 +020016776table_gpc0(<table>)
16777 Uses the string representation of the input sample to perform a look up in
16778 the specified table. If the key is not found in the table, integer value zero
16779 is returned. Otherwise the converter returns the current value of the first
16780 general purpose counter associated with the input sample in the designated
16781 table. See also the sc_get_gpc0 sample fetch keyword.
16782
16783table_gpc0_rate(<table>)
16784 Uses the string representation of the input sample to perform a look up in
16785 the specified table. If the key is not found in the table, integer value zero
16786 is returned. Otherwise the converter returns the frequency which the gpc0
16787 counter was incremented over the configured period in the table, associated
16788 with the input sample in the designated table. See also the sc_get_gpc0_rate
16789 sample fetch keyword.
16790
Frédéric Lécaille6778b272018-01-29 15:22:53 +010016791table_gpc1(<table>)
16792 Uses the string representation of the input sample to perform a look up in
16793 the specified table. If the key is not found in the table, integer value zero
16794 is returned. Otherwise the converter returns the current value of the second
16795 general purpose counter associated with the input sample in the designated
16796 table. See also the sc_get_gpc1 sample fetch keyword.
16797
16798table_gpc1_rate(<table>)
16799 Uses the string representation of the input sample to perform a look up in
16800 the specified table. If the key is not found in the table, integer value zero
16801 is returned. Otherwise the converter returns the frequency which the gpc1
16802 counter was incremented over the configured period in the table, associated
16803 with the input sample in the designated table. See also the sc_get_gpc1_rate
16804 sample fetch keyword.
16805
Willy Tarreaud9f316a2014-07-10 14:03:38 +020016806table_http_err_cnt(<table>)
16807 Uses the string representation of the input sample to perform a look up in
16808 the specified table. If the key is not found in the table, integer value zero
Davor Ocelice9ed2812017-12-25 17:49:28 +010016809 is returned. Otherwise the converter returns the cumulative number of HTTP
Willy Tarreaud9f316a2014-07-10 14:03:38 +020016810 errors associated with the input sample in the designated table. See also the
16811 sc_http_err_cnt sample fetch keyword.
16812
16813table_http_err_rate(<table>)
16814 Uses the string representation of the input sample to perform a look up in
16815 the specified table. If the key is not found in the table, integer value zero
16816 is returned. Otherwise the average rate of HTTP errors associated with the
16817 input sample in the designated table, measured in amount of errors over the
16818 period configured in the table. See also the sc_http_err_rate sample fetch
16819 keyword.
16820
Willy Tarreau826f3ab2021-02-10 12:07:15 +010016821table_http_fail_cnt(<table>)
16822 Uses the string representation of the input sample to perform a look up in
16823 the specified table. If the key is not found in the table, integer value zero
16824 is returned. Otherwise the converter returns the cumulative number of HTTP
16825 failures associated with the input sample in the designated table. See also
16826 the sc_http_fail_cnt sample fetch keyword.
16827
16828table_http_fail_rate(<table>)
16829 Uses the string representation of the input sample to perform a look up in
16830 the specified table. If the key is not found in the table, integer value zero
16831 is returned. Otherwise the average rate of HTTP failures associated with the
16832 input sample in the designated table, measured in amount of failures over the
16833 period configured in the table. See also the sc_http_fail_rate sample fetch
16834 keyword.
16835
Willy Tarreaud9f316a2014-07-10 14:03:38 +020016836table_http_req_cnt(<table>)
16837 Uses the string representation of the input sample to perform a look up in
16838 the specified table. If the key is not found in the table, integer value zero
Davor Ocelice9ed2812017-12-25 17:49:28 +010016839 is returned. Otherwise the converter returns the cumulative number of HTTP
Willy Tarreaud9f316a2014-07-10 14:03:38 +020016840 requests associated with the input sample in the designated table. See also
16841 the sc_http_req_cnt sample fetch keyword.
16842
16843table_http_req_rate(<table>)
16844 Uses the string representation of the input sample to perform a look up in
16845 the specified table. If the key is not found in the table, integer value zero
16846 is returned. Otherwise the average rate of HTTP requests associated with the
16847 input sample in the designated table, measured in amount of requests over the
16848 period configured in the table. See also the sc_http_req_rate sample fetch
16849 keyword.
16850
16851table_kbytes_in(<table>)
16852 Uses the string representation of the input sample to perform a look up in
16853 the specified table. If the key is not found in the table, integer value zero
Davor Ocelice9ed2812017-12-25 17:49:28 +010016854 is returned. Otherwise the converter returns the cumulative number of client-
Willy Tarreaud9f316a2014-07-10 14:03:38 +020016855 to-server data associated with the input sample in the designated table,
16856 measured in kilobytes. The test is currently performed on 32-bit integers,
16857 which limits values to 4 terabytes. See also the sc_kbytes_in sample fetch
16858 keyword.
16859
16860table_kbytes_out(<table>)
16861 Uses the string representation of the input sample to perform a look up in
16862 the specified table. If the key is not found in the table, integer value zero
Davor Ocelice9ed2812017-12-25 17:49:28 +010016863 is returned. Otherwise the converter returns the cumulative number of server-
Willy Tarreaud9f316a2014-07-10 14:03:38 +020016864 to-client data associated with the input sample in the designated table,
16865 measured in kilobytes. The test is currently performed on 32-bit integers,
16866 which limits values to 4 terabytes. See also the sc_kbytes_out sample fetch
16867 keyword.
16868
16869table_server_id(<table>)
16870 Uses the string representation of the input sample to perform a look up in
16871 the specified table. If the key is not found in the table, integer value zero
16872 is returned. Otherwise the converter returns the server ID associated with
16873 the input sample in the designated table. A server ID is associated to a
16874 sample by a "stick" rule when a connection to a server succeeds. A server ID
16875 zero means that no server is associated with this key.
16876
16877table_sess_cnt(<table>)
16878 Uses the string representation of the input sample to perform a look up in
16879 the specified table. If the key is not found in the table, integer value zero
Davor Ocelice9ed2812017-12-25 17:49:28 +010016880 is returned. Otherwise the converter returns the cumulative number of incoming
Willy Tarreaud9f316a2014-07-10 14:03:38 +020016881 sessions associated with the input sample in the designated table. Note that
16882 a session here refers to an incoming connection being accepted by the
16883 "tcp-request connection" rulesets. See also the sc_sess_cnt sample fetch
16884 keyword.
16885
16886table_sess_rate(<table>)
16887 Uses the string representation of the input sample to perform a look up in
16888 the specified table. If the key is not found in the table, integer value zero
16889 is returned. Otherwise the converter returns the average incoming session
16890 rate associated with the input sample in the designated table. Note that a
16891 session here refers to an incoming connection being accepted by the
16892 "tcp-request connection" rulesets. See also the sc_sess_rate sample fetch
16893 keyword.
16894
16895table_trackers(<table>)
16896 Uses the string representation of the input sample to perform a look up in
16897 the specified table. If the key is not found in the table, integer value zero
16898 is returned. Otherwise the converter returns the current amount of concurrent
16899 connections tracking the same key as the input sample in the designated
16900 table. It differs from table_conn_cur in that it does not rely on any stored
16901 information but on the table's reference count (the "use" value which is
16902 returned by "show table" on the CLI). This may sometimes be more suited for
16903 layer7 tracking. It can be used to tell a server how many concurrent
16904 connections there are from a given address for example. See also the
16905 sc_trackers sample fetch keyword.
16906
Moemen MHEDHBI92f7d432021-04-01 20:53:59 +020016907ub64dec
16908 This converter is the base64url variant of b64dec converter. base64url
16909 encoding is the "URL and Filename Safe Alphabet" variant of base64 encoding.
16910 It is also the encoding used in JWT (JSON Web Token) standard.
16911
16912 Example:
16913 # Decoding a JWT payload:
16914 http-request set-var(txn.token_payload) req.hdr(Authorization),word(2,.),ub64dec
16915
16916ub64enc
16917 This converter is the base64url variant of base64 converter.
16918
Willy Tarreauffcb2e42014-07-10 16:29:08 +020016919upper
16920 Convert a string sample to upper case. This can only be placed after a string
16921 sample fetch function or after a transformation keyword returning a string
16922 type. The result is of type string.
16923
Willy Tarreau62ba9ba2020-04-23 17:54:47 +020016924url_dec([<in_form>])
16925 Takes an url-encoded string provided as input and returns the decoded version
16926 as output. The input and the output are of type string. If the <in_form>
16927 argument is set to a non-zero integer value, the input string is assumed to
16928 be part of a form or query string and the '+' character will be turned into a
16929 space (' '). Otherwise this will only happen after a question mark indicating
16930 a query string ('?').
Thierry FOURNIER82ff3c92015-05-07 15:46:20 +020016931
William Dauchy888b0ae2021-01-06 23:39:50 +010016932url_enc([<enc_type>])
16933 Takes a string provided as input and returns the encoded version as output.
16934 The input and the output are of type string. By default the type of encoding
16935 is meant for `query` type. There is no other type supported for now but the
16936 optional argument is here for future changes.
16937
Frédéric Lécaille756d97f2019-03-04 19:03:48 +010016938ungrpc(<field_number>,[<field_type>])
Frédéric Lécaille50290fb2019-02-27 14:34:51 +010016939 This extracts the protocol buffers message field in raw mode of an input binary
Frédéric Lécaillebfe61382019-03-06 14:34:36 +010016940 sample representation of a gRPC message with <field_number> as field number
16941 (dotted notation) if <field_type> is not present, or as an integer sample if this
16942 field is present.
Frédéric Lécaille756d97f2019-03-04 19:03:48 +010016943 The list of the authorized types is the following one: "int32", "int64", "uint32",
16944 "uint64", "sint32", "sint64", "bool", "enum" for the "varint" wire type 0
16945 "fixed64", "sfixed64", "double" for the 64bit wire type 1, "fixed32", "sfixed32",
16946 "float" for the wire type 5. Note that "string" is considered as a length-delimited
Frédéric Lécaille93d33162019-03-06 09:35:59 +010016947 type, so it does not require any <field_type> argument to be extracted.
Frédéric Lécaille756d97f2019-03-04 19:03:48 +010016948 More information may be found here about the protocol buffers message field types:
16949 https://developers.google.com/protocol-buffers/docs/encoding
Frédéric Lécaille50290fb2019-02-27 14:34:51 +010016950
16951 Example:
16952 // with such a protocol buffer .proto file content adapted from
16953 // https://github.com/grpc/grpc/blob/master/examples/protos/route_guide.proto
16954
16955 message Point {
16956 int32 latitude = 1;
16957 int32 longitude = 2;
16958 }
16959
16960 message PPoint {
16961 Point point = 59;
16962 }
16963
16964 message Rectangle {
16965 // One corner of the rectangle.
16966 PPoint lo = 48;
16967 // The other corner of the rectangle.
16968 PPoint hi = 49;
16969 }
16970
Peter Gervaidf4c9d22020-06-11 18:05:11 +020016971 let's say a body request is made of a "Rectangle" object value (two PPoint
16972 protocol buffers messages), the four protocol buffers fields could be
16973 extracted with these "ungrpc" directives:
Frédéric Lécaille50290fb2019-02-27 14:34:51 +010016974
Frédéric Lécaille756d97f2019-03-04 19:03:48 +010016975 req.body,ungrpc(48.59.1,int32) # "latitude" of "lo" first PPoint
16976 req.body,ungrpc(48.59.2,int32) # "longitude" of "lo" first PPoint
John Roeslerfb2fce12019-07-10 15:45:51 -050016977 req.body,ungrpc(49.59.1,int32) # "latitude" of "hi" second PPoint
Frédéric Lécaille756d97f2019-03-04 19:03:48 +010016978 req.body,ungrpc(49.59.2,int32) # "longitude" of "hi" second PPoint
16979
Peter Gervaidf4c9d22020-06-11 18:05:11 +020016980 We could also extract the intermediary 48.59 field as a binary sample as follows:
Frédéric Lécaille756d97f2019-03-04 19:03:48 +010016981
Frédéric Lécaille93d33162019-03-06 09:35:59 +010016982 req.body,ungrpc(48.59)
Frédéric Lécaille756d97f2019-03-04 19:03:48 +010016983
Peter Gervaidf4c9d22020-06-11 18:05:11 +020016984 As a gRPC message is always made of a gRPC header followed by protocol buffers
16985 messages, in the previous example the "latitude" of "lo" first PPoint
16986 could be extracted with these equivalent directives:
Frédéric Lécaillebfe61382019-03-06 14:34:36 +010016987
16988 req.body,ungrpc(48.59),protobuf(1,int32)
16989 req.body,ungrpc(48),protobuf(59.1,int32)
16990 req.body,ungrpc(48),protobuf(59),protobuf(1,int32)
16991
Peter Gervaidf4c9d22020-06-11 18:05:11 +020016992 Note that the first convert must be "ungrpc", the remaining ones must be
16993 "protobuf" and only the last one may have or not a second argument to
16994 interpret the previous binary sample.
Frédéric Lécaillebfe61382019-03-06 14:34:36 +010016995
Frédéric Lécaille50290fb2019-02-27 14:34:51 +010016996
Tim Duesterhusef4e45c2021-01-21 17:40:50 +010016997unset-var(<var>)
Christopher Faulet85d79c92016-11-09 16:54:56 +010016998 Unsets a variable if the input content is defined. The name of the variable
16999 starts with an indication about its scope. The scopes allowed are:
17000 "proc" : the variable is shared with the whole process
17001 "sess" : the variable is shared with the whole session
17002 "txn" : the variable is shared with the transaction (request and
17003 response),
17004 "req" : the variable is shared only during request processing,
17005 "res" : the variable is shared only during response processing.
17006 This prefix is followed by a name. The separator is a '.'. The name may only
17007 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
17008
Willy Tarreau0dbfdba2014-07-10 16:37:47 +020017009utime(<format>[,<offset>])
17010 Converts an integer supposed to contain a date since epoch to a string
17011 representing this date in UTC time using a format defined by the <format>
17012 string using strftime(3). The purpose is to allow any date format to be used
17013 in logs. An optional <offset> in seconds may be applied to the input date
17014 (positive or negative). See the strftime() man page for the format supported
17015 by your operating system. See also the ltime converter.
17016
17017 Example :
17018
17019 # Emit two colons, one with the UTC time and another with ip:port
Davor Ocelice9ed2812017-12-25 17:49:28 +010017020 # e.g. 20140710162350 127.0.0.1:57325
Willy Tarreau0dbfdba2014-07-10 16:37:47 +020017021 log-format %[date,utime(%Y%m%d%H%M%S)]\ %ci:%cp
17022
Marcin Deranek9631a282018-04-16 14:30:46 +020017023word(<index>,<delimiters>[,<count>])
17024 Extracts the nth word counting from the beginning (positive index) or from
17025 the end (negative index) considering given delimiters from an input string.
17026 Indexes start at 1 or -1 and delimiters are a string formatted list of chars.
Jerome Magnin88209322020-01-28 13:33:44 +010017027 Delimiters at the beginning or end of the input string are ignored.
Marcin Deranek9631a282018-04-16 14:30:46 +020017028 Optionally you can specify <count> of words to extract (default: 1).
17029 Value of 0 indicates extraction of all remaining words.
17030
17031 Example :
17032 str(f1_f2_f3__f5),word(4,_) # f5
17033 str(f1_f2_f3__f5),word(2,_,0) # f2_f3__f5
17034 str(f1_f2_f3__f5),word(3,_,2) # f3__f5
17035 str(f1_f2_f3__f5),word(-2,_,3) # f1_f2_f3
17036 str(f1_f2_f3__f5),word(-3,_,0) # f1_f2
Jerome Magnin88209322020-01-28 13:33:44 +010017037 str(/f1/f2/f3/f4),word(1,/) # f1
Emeric Brunc9a0f6d2014-11-25 14:09:01 +010017038
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020017039wt6([<avalanche>])
17040 Hashes a binary input sample into an unsigned 32-bit quantity using the WT6
17041 hash function. Optionally, it is possible to apply a full avalanche hash
17042 function to the output if the optional <avalanche> argument equals 1. This
17043 converter uses the same functions as used by the various hash-based load
17044 balancing algorithms, so it will provide exactly the same results. It is
17045 mostly intended for debugging, but can be used as a stick-table entry to
17046 collect rough statistics. It must not be used for security purposes as a
Emmanuel Hocdet50791a72018-03-21 11:19:01 +010017047 32-bit hash is trivial to break. See also "crc32", "djb2", "sdbm", "crc32c",
17048 and the "hash-type" directive.
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020017049
Willy Tarreau97707872015-01-27 15:12:13 +010017050xor(<value>)
17051 Performs a bitwise "XOR" (exclusive OR) between <value> and the input value
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020017052 of type signed integer, and returns the result as an signed integer.
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020017053 <value> can be a numeric value or a variable name. The name of the variable
Daniel Schneller0b547052016-03-21 20:46:57 +010017054 starts with an indication about its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010017055 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010017056 "sess" : the variable is shared with the whole session
17057 "txn" : the variable is shared with the transaction (request and
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020017058 response),
Daniel Schneller0b547052016-03-21 20:46:57 +010017059 "req" : the variable is shared only during request processing,
17060 "res" : the variable is shared only during response processing.
Thierry FOURNIER5d86fae2015-07-07 21:10:16 +020017061 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010017062 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Willy Tarreau97707872015-01-27 15:12:13 +010017063
Dragan Dosen04bf0cc2020-12-22 21:44:33 +010017064xxh3([<seed>])
17065 Hashes a binary input sample into a signed 64-bit quantity using the XXH3
17066 64-bit variant of the XXhash hash function. This hash supports a seed which
17067 defaults to zero but a different value maybe passed as the <seed> argument.
17068 This hash is known to be very good and very fast so it can be used to hash
17069 URLs and/or URL parameters for use as stick-table keys to collect statistics
17070 with a low collision rate, though care must be taken as the algorithm is not
17071 considered as cryptographically secure.
17072
Thierry FOURNIER01e09742016-12-26 11:46:11 +010017073xxh32([<seed>])
17074 Hashes a binary input sample into an unsigned 32-bit quantity using the 32-bit
17075 variant of the XXHash hash function. This hash supports a seed which defaults
17076 to zero but a different value maybe passed as the <seed> argument. This hash
17077 is known to be very good and very fast so it can be used to hash URLs and/or
17078 URL parameters for use as stick-table keys to collect statistics with a low
17079 collision rate, though care must be taken as the algorithm is not considered
17080 as cryptographically secure.
17081
17082xxh64([<seed>])
17083 Hashes a binary input sample into a signed 64-bit quantity using the 64-bit
17084 variant of the XXHash hash function. This hash supports a seed which defaults
17085 to zero but a different value maybe passed as the <seed> argument. This hash
17086 is known to be very good and very fast so it can be used to hash URLs and/or
17087 URL parameters for use as stick-table keys to collect statistics with a low
17088 collision rate, though care must be taken as the algorithm is not considered
17089 as cryptographically secure.
17090
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010017091
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200170927.3.2. Fetching samples from internal states
Willy Tarreau74ca5042013-06-11 23:12:07 +020017093--------------------------------------------
17094
17095A first set of sample fetch methods applies to internal information which does
17096not even relate to any client information. These ones are sometimes used with
17097"monitor-fail" directives to report an internal status to external watchers.
17098The sample fetch methods described in this section are usable anywhere.
17099
17100always_false : boolean
17101 Always returns the boolean "false" value. It may be used with ACLs as a
17102 temporary replacement for another one when adjusting configurations.
17103
17104always_true : boolean
17105 Always returns the boolean "true" value. It may be used with ACLs as a
17106 temporary replacement for another one when adjusting configurations.
17107
17108avg_queue([<backend>]) : integer
Willy Tarreaud63335a2010-02-26 12:56:52 +010017109 Returns the total number of queued connections of the designated backend
Willy Tarreau74ca5042013-06-11 23:12:07 +020017110 divided by the number of active servers. The current backend is used if no
17111 backend is specified. This is very similar to "queue" except that the size of
17112 the farm is considered, in order to give a more accurate measurement of the
17113 time it may take for a new connection to be processed. The main usage is with
17114 ACL to return a sorry page to new users when it becomes certain they will get
17115 a degraded service, or to pass to the backend servers in a header so that
17116 they decide to work in degraded mode or to disable some functions to speed up
17117 the processing a bit. Note that in the event there would not be any active
17118 server anymore, twice the number of queued connections would be considered as
17119 the measured value. This is a fair estimate, as we expect one server to get
17120 back soon anyway, but we still prefer to send new traffic to another backend
17121 if in better shape. See also the "queue", "be_conn", and "be_sess_rate"
17122 sample fetches.
Krzysztof Piotr Oledzki346f76d2010-01-12 21:59:30 +010017123
Willy Tarreau74ca5042013-06-11 23:12:07 +020017124be_conn([<backend>]) : integer
Willy Tarreaua36af912009-10-10 12:02:45 +020017125 Applies to the number of currently established connections on the backend,
17126 possibly including the connection being evaluated. If no backend name is
17127 specified, the current one is used. But it is also possible to check another
17128 backend. It can be used to use a specific farm when the nominal one is full.
Patrick Hemmer4cdf3ab2018-06-14 17:10:27 -040017129 See also the "fe_conn", "queue", "be_conn_free", and "be_sess_rate" criteria.
17130
17131be_conn_free([<backend>]) : integer
17132 Returns an integer value corresponding to the number of available connections
17133 across available servers in the backend. Queue slots are not included. Backup
17134 servers are also not included, unless all other servers are down. If no
17135 backend name is specified, the current one is used. But it is also possible
17136 to check another backend. It can be used to use a specific farm when the
Patrick Hemmer155e93e2018-06-14 18:01:35 -040017137 nominal one is full. See also the "be_conn", "connslots", and "srv_conn_free"
17138 criteria.
Patrick Hemmer4cdf3ab2018-06-14 17:10:27 -040017139
17140 OTHER CAVEATS AND NOTES: if any of the server maxconn, or maxqueue is 0
17141 (meaning unlimited), then this fetch clearly does not make sense, in which
17142 case the value returned will be -1.
Willy Tarreau6a06a402007-07-15 20:15:28 +020017143
Willy Tarreau74ca5042013-06-11 23:12:07 +020017144be_sess_rate([<backend>]) : integer
17145 Returns an integer value corresponding to the sessions creation rate on the
17146 backend, in number of new sessions per second. This is used with ACLs to
17147 switch to an alternate backend when an expensive or fragile one reaches too
Davor Ocelice9ed2812017-12-25 17:49:28 +010017148 high a session rate, or to limit abuse of service (e.g. prevent sucking of an
Willy Tarreau74ca5042013-06-11 23:12:07 +020017149 online dictionary). It can also be useful to add this element to logs using a
17150 log-format directive.
Willy Tarreaud63335a2010-02-26 12:56:52 +010017151
17152 Example :
17153 # Redirect to an error page if the dictionary is requested too often
17154 backend dynamic
17155 mode http
17156 acl being_scanned be_sess_rate gt 100
17157 redirect location /denied.html if being_scanned
Willy Tarreau0ba27502007-12-24 16:55:16 +010017158
Davor Ocelice9ed2812017-12-25 17:49:28 +010017159bin(<hex>) : bin
Thierry FOURNIERcc103292015-06-06 19:30:17 +020017160 Returns a binary chain. The input is the hexadecimal representation
17161 of the string.
17162
17163bool(<bool>) : bool
17164 Returns a boolean value. <bool> can be 'true', 'false', '1' or '0'.
17165 'false' and '0' are the same. 'true' and '1' are the same.
17166
Willy Tarreau74ca5042013-06-11 23:12:07 +020017167connslots([<backend>]) : integer
17168 Returns an integer value corresponding to the number of connection slots
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030017169 still available in the backend, by totaling the maximum amount of
Willy Tarreau74ca5042013-06-11 23:12:07 +020017170 connections on all servers and the maximum queue size. This is probably only
17171 used with ACLs.
Tait Clarridge7896d522012-12-05 21:39:31 -050017172
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080017173 The basic idea here is to be able to measure the number of connection "slots"
Willy Tarreau55165fe2009-05-10 12:02:55 +020017174 still available (connection + queue), so that anything beyond that (intended
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080017175 usage; see "use_backend" keyword) can be redirected to a different backend.
17176
Willy Tarreau55165fe2009-05-10 12:02:55 +020017177 'connslots' = number of available server connection slots, + number of
17178 available server queue slots.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080017179
Willy Tarreaua36af912009-10-10 12:02:45 +020017180 Note that while "fe_conn" may be used, "connslots" comes in especially
Willy Tarreau55165fe2009-05-10 12:02:55 +020017181 useful when you have a case of traffic going to one single ip, splitting into
Willy Tarreau74ca5042013-06-11 23:12:07 +020017182 multiple backends (perhaps using ACLs to do name-based load balancing) and
Willy Tarreau55165fe2009-05-10 12:02:55 +020017183 you want to be able to differentiate between different backends, and their
Davor Ocelice9ed2812017-12-25 17:49:28 +010017184 available "connslots". Also, whereas "nbsrv" only measures servers that are
Willy Tarreau74ca5042013-06-11 23:12:07 +020017185 actually *down*, this fetch is more fine-grained and looks into the number of
Willy Tarreaua36af912009-10-10 12:02:45 +020017186 available connection slots as well. See also "queue" and "avg_queue".
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080017187
Willy Tarreau55165fe2009-05-10 12:02:55 +020017188 OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
17189 of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
Willy Tarreau74ca5042013-06-11 23:12:07 +020017190 then this fetch clearly does not make sense, in which case the value returned
Willy Tarreau55165fe2009-05-10 12:02:55 +020017191 will be -1.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080017192
Willy Tarreau70fe9442018-11-22 16:07:39 +010017193cpu_calls : integer
17194 Returns the number of calls to the task processing the stream or current
17195 request since it was allocated. This number is reset for each new request on
17196 the same connections in case of HTTP keep-alive. This value should usually be
17197 low and stable (around 2 calls for a typically simple request) but may become
17198 high if some processing (compression, caching or analysis) is performed. This
17199 is purely for performance monitoring purposes.
17200
17201cpu_ns_avg : integer
17202 Returns the average number of nanoseconds spent in each call to the task
17203 processing the stream or current request. This number is reset for each new
17204 request on the same connections in case of HTTP keep-alive. This value
17205 indicates the overall cost of processing the request or the connection for
17206 each call. There is no good nor bad value but the time spent in a call
17207 automatically causes latency for other processing (see lat_ns_avg below),
17208 and may affect other connection's apparent response time. Certain operations
17209 like compression, complex regex matching or heavy Lua operations may directly
17210 affect this value, and having it in the logs will make it easier to spot the
17211 faulty processing that needs to be fixed to recover decent performance.
17212 Note: this value is exactly cpu_ns_tot divided by cpu_calls.
17213
17214cpu_ns_tot : integer
17215 Returns the total number of nanoseconds spent in each call to the task
17216 processing the stream or current request. This number is reset for each new
17217 request on the same connections in case of HTTP keep-alive. This value
17218 indicates the overall cost of processing the request or the connection for
17219 each call. There is no good nor bad value but the time spent in a call
17220 automatically causes latency for other processing (see lat_ns_avg below),
17221 induces CPU costs on the machine, and may affect other connection's apparent
17222 response time. Certain operations like compression, complex regex matching or
17223 heavy Lua operations may directly affect this value, and having it in the
17224 logs will make it easier to spot the faulty processing that needs to be fixed
17225 to recover decent performance. The value may be artificially high due to a
17226 high cpu_calls count, for example when processing many HTTP chunks, and for
17227 this reason it is often preferred to log cpu_ns_avg instead.
17228
Cyril Bonté6bcd1822019-11-05 23:13:59 +010017229date([<offset>],[<unit>]) : integer
Willy Tarreau6236d3a2013-07-25 14:28:25 +020017230 Returns the current date as the epoch (number of seconds since 01/01/1970).
Damien Claisseae6f1252019-10-30 15:57:28 +000017231
17232 If an offset value is specified, then it is added to the current date before
17233 returning the value. This is particularly useful to compute relative dates,
17234 as both positive and negative offsets are allowed.
Willy Tarreau276fae92013-07-25 14:36:01 +020017235 It is useful combined with the http_date converter.
17236
Damien Claisseae6f1252019-10-30 15:57:28 +000017237 <unit> is facultative, and can be set to "s" for seconds (default behavior),
17238 "ms" for milliseconds or "us" for microseconds.
17239 If unit is set, return value is an integer reflecting either seconds,
17240 milliseconds or microseconds since epoch, plus offset.
17241 It is useful when a time resolution of less than a second is needed.
17242
Willy Tarreau276fae92013-07-25 14:36:01 +020017243 Example :
17244
17245 # set an expires header to now+1 hour in every response
17246 http-response set-header Expires %[date(3600),http_date]
Willy Tarreau6236d3a2013-07-25 14:28:25 +020017247
Damien Claisseae6f1252019-10-30 15:57:28 +000017248 # set an expires header to now+1 hour in every response, with
17249 # millisecond granularity
17250 http-response set-header Expires %[date(3600000,ms),http_date(0,ms)]
17251
Etienne Carrierea792a0a2018-01-17 13:43:24 +010017252date_us : integer
17253 Return the microseconds part of the date (the "second" part is returned by
17254 date sample). This sample is coherent with the date sample as it is comes
17255 from the same timeval structure.
17256
Willy Tarreaud716f9b2017-10-13 11:03:15 +020017257distcc_body(<token>[,<occ>]) : binary
17258 Parses a distcc message and returns the body associated to occurrence #<occ>
17259 of the token <token>. Occurrences start at 1, and when unspecified, any may
17260 match though in practice only the first one is checked for now. This can be
17261 used to extract file names or arguments in files built using distcc through
Daniel Corbett9f0843f2021-05-08 10:50:37 -040017262 HAProxy. Please refer to distcc's protocol documentation for the complete
Willy Tarreaud716f9b2017-10-13 11:03:15 +020017263 list of supported tokens.
17264
17265distcc_param(<token>[,<occ>]) : integer
17266 Parses a distcc message and returns the parameter associated to occurrence
17267 #<occ> of the token <token>. Occurrences start at 1, and when unspecified,
17268 any may match though in practice only the first one is checked for now. This
17269 can be used to extract certain information such as the protocol version, the
Daniel Corbett9f0843f2021-05-08 10:50:37 -040017270 file size or the argument in files built using distcc through HAProxy.
Willy Tarreaud716f9b2017-10-13 11:03:15 +020017271 Another use case consists in waiting for the start of the preprocessed file
17272 contents before connecting to the server to avoid keeping idle connections.
17273 Please refer to distcc's protocol documentation for the complete list of
17274 supported tokens.
17275
17276 Example :
17277 # wait up to 20s for the pre-processed file to be uploaded
17278 tcp-request inspect-delay 20s
17279 tcp-request content accept if { distcc_param(DOTI) -m found }
17280 # send large files to the big farm
17281 use_backend big_farm if { distcc_param(DOTI) gt 1000000 }
17282
Willy Tarreau595ec542013-06-12 21:34:28 +020017283env(<name>) : string
17284 Returns a string containing the value of environment variable <name>. As a
17285 reminder, environment variables are per-process and are sampled when the
17286 process starts. This can be useful to pass some information to a next hop
17287 server, or with ACLs to take specific action when the process is started a
17288 certain way.
17289
17290 Examples :
17291 # Pass the Via header to next hop with the local hostname in it
17292 http-request add-header Via 1.1\ %[env(HOSTNAME)]
17293
17294 # reject cookie-less requests when the STOP environment variable is set
17295 http-request deny if !{ cook(SESSIONID) -m found } { env(STOP) -m found }
17296
Willy Tarreau74ca5042013-06-11 23:12:07 +020017297fe_conn([<frontend>]) : integer
17298 Returns the number of currently established connections on the frontend,
Willy Tarreaud63335a2010-02-26 12:56:52 +010017299 possibly including the connection being evaluated. If no frontend name is
17300 specified, the current one is used. But it is also possible to check another
Willy Tarreau74ca5042013-06-11 23:12:07 +020017301 frontend. It can be used to return a sorry page before hard-blocking, or to
17302 use a specific backend to drain new requests when the farm is considered
Davor Ocelice9ed2812017-12-25 17:49:28 +010017303 full. This is mostly used with ACLs but can also be used to pass some
Willy Tarreau74ca5042013-06-11 23:12:07 +020017304 statistics to servers in HTTP headers. See also the "dst_conn", "be_conn",
17305 "fe_sess_rate" fetches.
Willy Tarreaua36af912009-10-10 12:02:45 +020017306
Nenad Merdanovicad9a7e92016-10-03 04:57:37 +020017307fe_req_rate([<frontend>]) : integer
17308 Returns an integer value corresponding to the number of HTTP requests per
17309 second sent to a frontend. This number can differ from "fe_sess_rate" in
17310 situations where client-side keep-alive is enabled.
17311
Willy Tarreau74ca5042013-06-11 23:12:07 +020017312fe_sess_rate([<frontend>]) : integer
17313 Returns an integer value corresponding to the sessions creation rate on the
17314 frontend, in number of new sessions per second. This is used with ACLs to
17315 limit the incoming session rate to an acceptable range in order to prevent
17316 abuse of service at the earliest moment, for example when combined with other
17317 layer 4 ACLs in order to force the clients to wait a bit for the rate to go
17318 down below the limit. It can also be useful to add this element to logs using
17319 a log-format directive. See also the "rate-limit sessions" directive for use
17320 in frontends.
Willy Tarreau079ff0a2009-03-05 21:34:28 +010017321
17322 Example :
17323 # This frontend limits incoming mails to 10/s with a max of 100
17324 # concurrent connections. We accept any connection below 10/s, and
17325 # force excess clients to wait for 100 ms. Since clients are limited to
17326 # 100 max, there cannot be more than 10 incoming mails per second.
17327 frontend mail
17328 bind :25
17329 mode tcp
17330 maxconn 100
17331 acl too_fast fe_sess_rate ge 10
17332 tcp-request inspect-delay 100ms
17333 tcp-request content accept if ! too_fast
17334 tcp-request content accept if WAIT_END
Willy Tarreaud72758d2010-01-12 10:42:19 +010017335
Nenad Merdanovic807a6e72017-03-12 22:00:00 +010017336hostname : string
17337 Returns the system hostname.
17338
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +020017339int(<integer>) : signed integer
17340 Returns a signed integer.
17341
Thierry FOURNIERcc103292015-06-06 19:30:17 +020017342ipv4(<ipv4>) : ipv4
17343 Returns an ipv4.
17344
17345ipv6(<ipv6>) : ipv6
17346 Returns an ipv6.
17347
Willy Tarreau70fe9442018-11-22 16:07:39 +010017348lat_ns_avg : integer
17349 Returns the average number of nanoseconds spent between the moment the task
17350 handling the stream is woken up and the moment it is effectively called. This
17351 number is reset for each new request on the same connections in case of HTTP
17352 keep-alive. This value indicates the overall latency inflicted to the current
17353 request by all other requests being processed in parallel, and is a direct
17354 indicator of perceived performance due to noisy neighbours. In order to keep
17355 the value low, it is possible to reduce the scheduler's run queue depth using
17356 "tune.runqueue-depth", to reduce the number of concurrent events processed at
17357 once using "tune.maxpollevents", to decrease the stream's nice value using
Willy Tarreaue7723bd2020-06-24 11:11:02 +020017358 the "nice" option on the "bind" lines or in the frontend, to enable low
17359 latency scheduling using "tune.sched.low-latency", or to look for other heavy
17360 requests in logs (those exhibiting large values of "cpu_ns_avg"), whose
17361 processing needs to be adjusted or fixed. Compression of large buffers could
17362 be a culprit, like heavy regex or long lists of regex. Note: this value is
17363 exactly lat_ns_tot divided by cpu_calls.
Willy Tarreau70fe9442018-11-22 16:07:39 +010017364
17365lat_ns_tot : integer
17366 Returns the total number of nanoseconds spent between the moment the task
17367 handling the stream is woken up and the moment it is effectively called. This
17368 number is reset for each new request on the same connections in case of HTTP
17369 keep-alive. This value indicates the overall latency inflicted to the current
17370 request by all other requests being processed in parallel, and is a direct
17371 indicator of perceived performance due to noisy neighbours. In order to keep
17372 the value low, it is possible to reduce the scheduler's run queue depth using
17373 "tune.runqueue-depth", to reduce the number of concurrent events processed at
17374 once using "tune.maxpollevents", to decrease the stream's nice value using
Willy Tarreaue7723bd2020-06-24 11:11:02 +020017375 the "nice" option on the "bind" lines or in the frontend, to enable low
17376 latency scheduling using "tune.sched.low-latency", or to look for other heavy
17377 requests in logs (those exhibiting large values of "cpu_ns_avg"), whose
17378 processing needs to be adjusted or fixed. Compression of large buffers could
17379 be a culprit, like heavy regex or long lists of regex. Note: while it
Willy Tarreau70fe9442018-11-22 16:07:39 +010017380 may intuitively seem that the total latency adds to a transfer time, it is
17381 almost never true because while a task waits for the CPU, network buffers
17382 continue to fill up and the next call will process more at once. The value
17383 may be artificially high due to a high cpu_calls count, for example when
17384 processing many HTTP chunks, and for this reason it is often preferred to log
17385 lat_ns_avg instead, which is a more relevant performance indicator.
17386
Thierry FOURNIERcc103292015-06-06 19:30:17 +020017387meth(<method>) : method
17388 Returns a method.
17389
Willy Tarreau0f30d262014-11-24 16:02:05 +010017390nbproc : integer
17391 Returns an integer value corresponding to the number of processes that were
17392 started (it equals the global "nbproc" setting). This is useful for logging
17393 and debugging purposes.
17394
Willy Tarreau74ca5042013-06-11 23:12:07 +020017395nbsrv([<backend>]) : integer
17396 Returns an integer value corresponding to the number of usable servers of
17397 either the current backend or the named backend. This is mostly used with
17398 ACLs but can also be useful when added to logs. This is normally used to
Willy Tarreaud63335a2010-02-26 12:56:52 +010017399 switch to an alternate backend when the number of servers is too low to
17400 to handle some load. It is useful to report a failure when combined with
17401 "monitor fail".
Willy Tarreau079ff0a2009-03-05 21:34:28 +010017402
Patrick Hemmerfabb24f2018-08-13 14:07:57 -040017403prio_class : integer
17404 Returns the priority class of the current session for http mode or connection
17405 for tcp mode. The value will be that set by the last call to "http-request
17406 set-priority-class" or "tcp-request content set-priority-class".
17407
17408prio_offset : integer
17409 Returns the priority offset of the current session for http mode or
17410 connection for tcp mode. The value will be that set by the last call to
17411 "http-request set-priority-offset" or "tcp-request content
17412 set-priority-offset".
17413
Willy Tarreau0f30d262014-11-24 16:02:05 +010017414proc : integer
17415 Returns an integer value corresponding to the position of the process calling
17416 the function, between 1 and global.nbproc. This is useful for logging and
17417 debugging purposes.
17418
Willy Tarreau74ca5042013-06-11 23:12:07 +020017419queue([<backend>]) : integer
Willy Tarreaud63335a2010-02-26 12:56:52 +010017420 Returns the total number of queued connections of the designated backend,
17421 including all the connections in server queues. If no backend name is
17422 specified, the current one is used, but it is also possible to check another
Willy Tarreau74ca5042013-06-11 23:12:07 +020017423 one. This is useful with ACLs or to pass statistics to backend servers. This
17424 can be used to take actions when queuing goes above a known level, generally
17425 indicating a surge of traffic or a massive slowdown on the servers. One
17426 possible action could be to reject new users but still accept old ones. See
17427 also the "avg_queue", "be_conn", and "be_sess_rate" fetches.
17428
Willy Tarreau84310e22014-02-14 11:59:04 +010017429rand([<range>]) : integer
17430 Returns a random integer value within a range of <range> possible values,
17431 starting at zero. If the range is not specified, it defaults to 2^32, which
17432 gives numbers between 0 and 4294967295. It can be useful to pass some values
17433 needed to take some routing decisions for example, or just for debugging
17434 purposes. This random must not be used for security purposes.
17435
Willy Tarreau74ca5042013-06-11 23:12:07 +020017436srv_conn([<backend>/]<server>) : integer
17437 Returns an integer value corresponding to the number of currently established
17438 connections on the designated server, possibly including the connection being
17439 evaluated. If <backend> is omitted, then the server is looked up in the
17440 current backend. It can be used to use a specific farm when one server is
17441 full, or to inform the server about our view of the number of active
Patrick Hemmer155e93e2018-06-14 18:01:35 -040017442 connections with it. See also the "fe_conn", "be_conn", "queue", and
17443 "srv_conn_free" fetch methods.
17444
17445srv_conn_free([<backend>/]<server>) : integer
17446 Returns an integer value corresponding to the number of available connections
17447 on the designated server, possibly including the connection being evaluated.
17448 The value does not include queue slots. If <backend> is omitted, then the
17449 server is looked up in the current backend. It can be used to use a specific
17450 farm when one server is full, or to inform the server about our view of the
17451 number of active connections with it. See also the "be_conn_free" and
17452 "srv_conn" fetch methods.
17453
17454 OTHER CAVEATS AND NOTES: If the server maxconn is 0, then this fetch clearly
17455 does not make sense, in which case the value returned will be -1.
Willy Tarreau74ca5042013-06-11 23:12:07 +020017456
17457srv_is_up([<backend>/]<server>) : boolean
17458 Returns true when the designated server is UP, and false when it is either
17459 DOWN or in maintenance mode. If <backend> is omitted, then the server is
17460 looked up in the current backend. It is mainly used to take action based on
Davor Ocelice9ed2812017-12-25 17:49:28 +010017461 an external status reported via a health check (e.g. a geographical site's
Willy Tarreau74ca5042013-06-11 23:12:07 +020017462 availability). Another possible use which is more of a hack consists in
17463 using dummy servers as boolean variables that can be enabled or disabled from
17464 the CLI, so that rules depending on those ACLs can be tweaked in realtime.
17465
Willy Tarreauff2b7af2017-10-13 11:46:26 +020017466srv_queue([<backend>/]<server>) : integer
17467 Returns an integer value corresponding to the number of connections currently
17468 pending in the designated server's queue. If <backend> is omitted, then the
17469 server is looked up in the current backend. It can sometimes be used together
17470 with the "use-server" directive to force to use a known faster server when it
17471 is not much loaded. See also the "srv_conn", "avg_queue" and "queue" sample
17472 fetch methods.
17473
Willy Tarreau74ca5042013-06-11 23:12:07 +020017474srv_sess_rate([<backend>/]<server>) : integer
17475 Returns an integer corresponding to the sessions creation rate on the
17476 designated server, in number of new sessions per second. If <backend> is
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030017477 omitted, then the server is looked up in the current backend. This is mostly
Willy Tarreau74ca5042013-06-11 23:12:07 +020017478 used with ACLs but can make sense with logs too. This is used to switch to an
17479 alternate backend when an expensive or fragile one reaches too high a session
Davor Ocelice9ed2812017-12-25 17:49:28 +010017480 rate, or to limit abuse of service (e.g. prevent latent requests from
Willy Tarreau74ca5042013-06-11 23:12:07 +020017481 overloading servers).
17482
17483 Example :
17484 # Redirect to a separate back
17485 acl srv1_full srv_sess_rate(be1/srv1) gt 50
17486 acl srv2_full srv_sess_rate(be1/srv2) gt 50
17487 use_backend be2 if srv1_full or srv2_full
17488
Alexbf1bd5a2021-04-24 13:02:21 +020017489srv_iweight([<backend>/]<server>) : integer
Christopher Faulet1bea8652020-07-10 16:03:45 +020017490 Returns an integer corresponding to the server's initial weight. If <backend>
17491 is omitted, then the server is looked up in the current backend. See also
17492 "srv_weight" and "srv_uweight".
17493
Alexbf1bd5a2021-04-24 13:02:21 +020017494srv_uweight([<backend>/]<server>) : integer
Christopher Faulet1bea8652020-07-10 16:03:45 +020017495 Returns an integer corresponding to the user visible server's weight. If
17496 <backend> is omitted, then the server is looked up in the current
17497 backend. See also "srv_weight" and "srv_iweight".
17498
Alexbf1bd5a2021-04-24 13:02:21 +020017499srv_weight([<backend>/]<server>) : integer
Christopher Faulet1bea8652020-07-10 16:03:45 +020017500 Returns an integer corresponding to the current (or effective) server's
17501 weight. If <backend> is omitted, then the server is looked up in the current
17502 backend. See also "srv_iweight" and "srv_uweight".
17503
Willy Tarreau0f30d262014-11-24 16:02:05 +010017504stopping : boolean
17505 Returns TRUE if the process calling the function is currently stopping. This
17506 can be useful for logging, or for relaxing certain checks or helping close
17507 certain connections upon graceful shutdown.
17508
Thierry FOURNIERcc103292015-06-06 19:30:17 +020017509str(<string>) : string
17510 Returns a string.
17511
Willy Tarreau74ca5042013-06-11 23:12:07 +020017512table_avl([<table>]) : integer
17513 Returns the total number of available entries in the current proxy's
17514 stick-table or in the designated stick-table. See also table_cnt.
17515
17516table_cnt([<table>]) : integer
17517 Returns the total number of entries currently in use in the current proxy's
17518 stick-table or in the designated stick-table. See also src_conn_cnt and
17519 table_avl for other entry counting methods.
17520
Christopher Faulet34adb2a2017-11-21 21:45:38 +010017521thread : integer
17522 Returns an integer value corresponding to the position of the thread calling
17523 the function, between 0 and (global.nbthread-1). This is useful for logging
17524 and debugging purposes.
17525
Alexandar Lazica429ad32021-06-01 00:27:01 +020017526uuid([<version>]) : string
17527 Returns a UUID following the RFC4122 standard. If the version is not
17528 specified, a UUID version 4 (fully random) is returned.
17529 Currently, only version 4 is supported.
17530
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020017531var(<var-name>) : undefined
17532 Returns a variable with the stored type. If the variable is not set, the
Daniel Schneller0b547052016-03-21 20:46:57 +010017533 sample fetch fails. The name of the variable starts with an indication
17534 about its scope. The scopes allowed are:
Christopher Fauletff2613e2016-11-09 11:36:17 +010017535 "proc" : the variable is shared with the whole process
Daniel Schneller0b547052016-03-21 20:46:57 +010017536 "sess" : the variable is shared with the whole session
17537 "txn" : the variable is shared with the transaction (request and
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020017538 response),
Daniel Schneller0b547052016-03-21 20:46:57 +010017539 "req" : the variable is shared only during request processing,
17540 "res" : the variable is shared only during response processing.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020017541 This prefix is followed by a name. The separator is a '.'. The name may only
Christopher Fauletb71557a2016-10-31 10:49:03 +010017542 contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.
Thierry FOURNIER4834bc72015-06-06 19:29:07 +020017543
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200175447.3.3. Fetching samples at Layer 4
Willy Tarreau74ca5042013-06-11 23:12:07 +020017545----------------------------------
17546
Daniel Corbett9f0843f2021-05-08 10:50:37 -040017547The layer 4 usually describes just the transport layer which in HAProxy is
Willy Tarreau74ca5042013-06-11 23:12:07 +020017548closest to the connection, where no content is yet made available. The fetch
17549methods described here are usable as low as the "tcp-request connection" rule
17550sets unless they require some future information. Those generally include
17551TCP/IP addresses and ports, as well as elements from stick-tables related to
Willy Tarreau4d4149c2013-07-23 19:33:46 +020017552the incoming connection. For retrieving a value from a sticky counters, the
17553counter number can be explicitly set as 0, 1, or 2 using the pre-defined
Moemen MHEDHBI9cf46342018-09-25 17:50:53 +020017554"sc0_", "sc1_", or "sc2_" prefix. These three pre-defined prefixes can only be
17555used if MAX_SESS_STKCTR value does not exceed 3, otherwise the counter number
17556can be specified as the first integer argument when using the "sc_" prefix.
17557Starting from "sc_0" to "sc_N" where N is (MAX_SESS_STKCTR-1). An optional
17558table may be specified with the "sc*" form, in which case the currently
17559tracked key will be looked up into this alternate table instead of the table
17560currently being tracked.
Willy Tarreau74ca5042013-06-11 23:12:07 +020017561
Christopher Faulet7d081f02021-04-15 09:38:37 +020017562bc_dst : ip
17563 This is the destination ip address of the connection on the server side,
17564 which is the server address HAProxy connected to. It is of type IP and works
17565 on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 address is mapped to its
17566 IPv6 equivalent, according to RFC 4291.
17567
17568bc_dst_port : integer
17569 Returns an integer value corresponding to the destination TCP port of the
Daniel Corbett9f0843f2021-05-08 10:50:37 -040017570 connection on the server side, which is the port HAProxy connected to.
Christopher Faulet7d081f02021-04-15 09:38:37 +020017571
Jérôme Magnin35e53a62019-01-16 14:38:37 +010017572bc_http_major : integer
Jérôme Magnin86577422018-12-07 09:03:11 +010017573 Returns the backend connection's HTTP major version encoding, which may be 1
17574 for HTTP/0.9 to HTTP/1.1 or 2 for HTTP/2. Note, this is based on the on-wire
17575 encoding and not the version present in the request header.
17576
Christopher Faulet7d081f02021-04-15 09:38:37 +020017577bc_src : ip
17578 This is the source ip address of the connection on the server side, which is
Daniel Corbett9f0843f2021-05-08 10:50:37 -040017579 the server address HAProxy connected from. It is of type IP and works on both
Christopher Faulet7d081f02021-04-15 09:38:37 +020017580 IPv4 and IPv6 tables. On IPv6 tables, IPv4 addresses are mapped to their IPv6
17581 equivalent, according to RFC 4291.
17582
17583bc_src_port : integer
17584 Returns an integer value corresponding to the TCP source port of the
Daniel Corbett9f0843f2021-05-08 10:50:37 -040017585 connection on the server side, which is the port HAProxy connected from.
Christopher Faulet7d081f02021-04-15 09:38:37 +020017586
Willy Tarreau74ca5042013-06-11 23:12:07 +020017587be_id : integer
17588 Returns an integer containing the current backend's id. It can be used in
Christopher Fauletd1b44642020-04-30 09:51:15 +020017589 frontends with responses to check which backend processed the request. It can
17590 also be used in a tcp-check or an http-check ruleset.
Willy Tarreau74ca5042013-06-11 23:12:07 +020017591
Marcin Deranekd2471c22016-12-12 14:08:05 +010017592be_name : string
17593 Returns a string containing the current backend's name. It can be used in
Christopher Fauletd1b44642020-04-30 09:51:15 +020017594 frontends with responses to check which backend processed the request. It can
17595 also be used in a tcp-check or an http-check ruleset.
Marcin Deranekd2471c22016-12-12 14:08:05 +010017596
Amaury Denoyelled91d7792020-12-10 13:43:56 +010017597be_server_timeout : integer
17598 Returns the configuration value in millisecond for the server timeout of the
17599 current backend. This timeout can be overwritten by a "set-timeout" rule. See
17600 also the "cur_server_timeout".
17601
17602be_tunnel_timeout : integer
17603 Returns the configuration value in millisecond for the tunnel timeout of the
17604 current backend. This timeout can be overwritten by a "set-timeout" rule. See
17605 also the "cur_tunnel_timeout".
17606
Amaury Denoyellef7719a22020-12-10 13:43:58 +010017607cur_server_timeout : integer
17608 Returns the currently applied server timeout in millisecond for the stream.
17609 In the default case, this will be equal to be_server_timeout unless a
17610 "set-timeout" rule has been applied. See also "be_server_timeout".
17611
17612cur_tunnel_timeout : integer
17613 Returns the currently applied tunnel timeout in millisecond for the stream.
17614 In the default case, this will be equal to be_tunnel_timeout unless a
17615 "set-timeout" rule has been applied. See also "be_tunnel_timeout".
17616
Willy Tarreau74ca5042013-06-11 23:12:07 +020017617dst : ip
17618 This is the destination IPv4 address of the connection on the client side,
17619 which is the address the client connected to. It can be useful when running
17620 in transparent mode. It is of type IP and works on both IPv4 and IPv6 tables.
17621 On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent, according to
Willy Tarreau64ded3d2019-01-23 10:02:15 +010017622 RFC 4291. When the incoming connection passed through address translation or
17623 redirection involving connection tracking, the original destination address
17624 before the redirection will be reported. On Linux systems, the source and
17625 destination may seldom appear reversed if the nf_conntrack_tcp_loose sysctl
17626 is set, because a late response may reopen a timed out connection and switch
17627 what is believed to be the source and the destination.
Willy Tarreau74ca5042013-06-11 23:12:07 +020017628
17629dst_conn : integer
17630 Returns an integer value corresponding to the number of currently established
17631 connections on the same socket including the one being evaluated. It is
17632 normally used with ACLs but can as well be used to pass the information to
17633 servers in an HTTP header or in logs. It can be used to either return a sorry
17634 page before hard-blocking, or to use a specific backend to drain new requests
17635 when the socket is considered saturated. This offers the ability to assign
17636 different limits to different listening ports or addresses. See also the
17637 "fe_conn" and "be_conn" fetches.
Willy Tarreaud63335a2010-02-26 12:56:52 +010017638
Willy Tarreau16e01562016-08-09 16:46:18 +020017639dst_is_local : boolean
17640 Returns true if the destination address of the incoming connection is local
17641 to the system, or false if the address doesn't exist on the system, meaning
17642 that it was intercepted in transparent mode. It can be useful to apply
17643 certain rules by default to forwarded traffic and other rules to the traffic
Davor Ocelice9ed2812017-12-25 17:49:28 +010017644 targeting the real address of the machine. For example the stats page could
Willy Tarreau16e01562016-08-09 16:46:18 +020017645 be delivered only on this address, or SSH access could be locally redirected.
17646 Please note that the check involves a few system calls, so it's better to do
17647 it only once per connection.
17648
Willy Tarreau74ca5042013-06-11 23:12:07 +020017649dst_port : integer
17650 Returns an integer value corresponding to the destination TCP port of the
17651 connection on the client side, which is the port the client connected to.
17652 This might be used when running in transparent mode, when assigning dynamic
17653 ports to some clients for a whole application session, to stick all users to
17654 a same server, or to pass the destination port information to a server using
17655 an HTTP header.
17656
Willy Tarreau60ca10a2017-08-18 15:26:54 +020017657fc_http_major : integer
17658 Reports the front connection's HTTP major version encoding, which may be 1
17659 for HTTP/0.9 to HTTP/1.1 or 2 for HTTP/2. Note, this is based on the on-wire
17660 encoding and not on the version present in the request header.
17661
Geoff Simmons7185b782019-08-27 18:31:16 +020017662fc_pp_authority : string
17663 Returns the authority TLV sent by the client in the PROXY protocol header,
17664 if any.
17665
Tim Duesterhusd1b15b62020-03-13 12:34:23 +010017666fc_pp_unique_id : string
17667 Returns the unique ID TLV sent by the client in the PROXY protocol header,
17668 if any.
17669
Emeric Brun4f603012017-01-05 15:11:44 +010017670fc_rcvd_proxy : boolean
17671 Returns true if the client initiated the connection with a PROXY protocol
17672 header.
17673
Thierry Fournier / OZON.IO6310bef2016-07-24 20:16:50 +020017674fc_rtt(<unit>) : integer
17675 Returns the Round Trip Time (RTT) measured by the kernel for the client
17676 connection. <unit> is facultative, by default the unit is milliseconds. <unit>
17677 can be set to "ms" for milliseconds or "us" for microseconds. If the server
17678 connection is not established, if the connection is not TCP or if the
17679 operating system does not support TCP_INFO, for example Linux kernels before
17680 2.4, the sample fetch fails.
17681
17682fc_rttvar(<unit>) : integer
17683 Returns the Round Trip Time (RTT) variance measured by the kernel for the
17684 client connection. <unit> is facultative, by default the unit is milliseconds.
17685 <unit> can be set to "ms" for milliseconds or "us" for microseconds. If the
17686 server connection is not established, if the connection is not TCP or if the
17687 operating system does not support TCP_INFO, for example Linux kernels before
17688 2.4, the sample fetch fails.
17689
Christopher Fauletba0c53e2019-10-17 14:40:48 +020017690fc_unacked : integer
Joe Williams30fcd392016-08-10 07:06:44 -070017691 Returns the unacked counter measured by the kernel for the client connection.
17692 If the server connection is not established, if the connection is not TCP or
17693 if the operating system does not support TCP_INFO, for example Linux kernels
17694 before 2.4, the sample fetch fails.
17695
Christopher Fauletba0c53e2019-10-17 14:40:48 +020017696fc_sacked : integer
Joe Williams30fcd392016-08-10 07:06:44 -070017697 Returns the sacked counter measured by the kernel for the client connection.
17698 If the server connection is not established, if the connection is not TCP or
17699 if the operating system does not support TCP_INFO, for example Linux kernels
17700 before 2.4, the sample fetch fails.
17701
Christopher Fauletba0c53e2019-10-17 14:40:48 +020017702fc_retrans : integer
Joe Williams30fcd392016-08-10 07:06:44 -070017703 Returns the retransmits counter measured by the kernel for the client
17704 connection. If the server connection is not established, if the connection is
17705 not TCP or if the operating system does not support TCP_INFO, for example
17706 Linux kernels before 2.4, the sample fetch fails.
17707
Christopher Fauletba0c53e2019-10-17 14:40:48 +020017708fc_fackets : integer
Joe Williams30fcd392016-08-10 07:06:44 -070017709 Returns the fack counter measured by the kernel for the client
17710 connection. If the server connection is not established, if the connection is
17711 not TCP or if the operating system does not support TCP_INFO, for example
17712 Linux kernels before 2.4, the sample fetch fails.
17713
Christopher Fauletba0c53e2019-10-17 14:40:48 +020017714fc_lost : integer
Joe Williams30fcd392016-08-10 07:06:44 -070017715 Returns the lost counter measured by the kernel for the client
17716 connection. If the server connection is not established, if the connection is
17717 not TCP or if the operating system does not support TCP_INFO, for example
17718 Linux kernels before 2.4, the sample fetch fails.
17719
Christopher Fauletba0c53e2019-10-17 14:40:48 +020017720fc_reordering : integer
Joe Williams30fcd392016-08-10 07:06:44 -070017721 Returns the reordering counter measured by the kernel for the client
17722 connection. If the server connection is not established, if the connection is
17723 not TCP or if the operating system does not support TCP_INFO, for example
17724 Linux kernels before 2.4, the sample fetch fails.
17725
Marcin Deranek9a66dfb2018-04-13 14:37:50 +020017726fe_defbe : string
17727 Returns a string containing the frontend's default backend name. It can be
17728 used in frontends to check which backend will handle requests by default.
17729
Willy Tarreau74ca5042013-06-11 23:12:07 +020017730fe_id : integer
17731 Returns an integer containing the current frontend's id. It can be used in
Marcin Deranek6e413ed2016-12-13 12:40:01 +010017732 backends to check from which frontend it was called, or to stick all users
Willy Tarreau74ca5042013-06-11 23:12:07 +020017733 coming via a same frontend to the same server.
17734
Marcin Deranekd2471c22016-12-12 14:08:05 +010017735fe_name : string
17736 Returns a string containing the current frontend's name. It can be used in
17737 backends to check from which frontend it was called, or to stick all users
17738 coming via a same frontend to the same server.
17739
Amaury Denoyelleda184d52020-12-10 13:43:55 +010017740fe_client_timeout : integer
17741 Returns the configuration value in millisecond for the client timeout of the
17742 current frontend.
17743
Cyril Bonté62ba8702014-04-22 23:52:25 +020017744sc_bytes_in_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017745sc0_bytes_in_rate([<table>]) : integer
17746sc1_bytes_in_rate([<table>]) : integer
17747sc2_bytes_in_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020017748 Returns the average client-to-server bytes rate from the currently tracked
17749 counters, measured in amount of bytes over the period configured in the
17750 table. See also src_bytes_in_rate.
17751
Cyril Bonté62ba8702014-04-22 23:52:25 +020017752sc_bytes_out_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017753sc0_bytes_out_rate([<table>]) : integer
17754sc1_bytes_out_rate([<table>]) : integer
17755sc2_bytes_out_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020017756 Returns the average server-to-client bytes rate from the currently tracked
17757 counters, measured in amount of bytes over the period configured in the
17758 table. See also src_bytes_out_rate.
17759
Cyril Bonté62ba8702014-04-22 23:52:25 +020017760sc_clr_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017761sc0_clr_gpc0([<table>]) : integer
17762sc1_clr_gpc0([<table>]) : integer
17763sc2_clr_gpc0([<table>]) : integer
Willy Tarreauf73cd112011-08-13 01:45:16 +020017764 Clears the first General Purpose Counter associated to the currently tracked
17765 counters, and returns its previous value. Before the first invocation, the
Willy Tarreau869948b2013-01-04 14:14:57 +010017766 stored value is zero, so first invocation will always return zero. This is
17767 typically used as a second ACL in an expression in order to mark a connection
17768 when a first ACL was verified :
Willy Tarreauf73cd112011-08-13 01:45:16 +020017769
Jarno Huuskonen676f6222017-03-30 09:19:45 +030017770 Example:
Willy Tarreauf73cd112011-08-13 01:45:16 +020017771 # block if 5 consecutive requests continue to come faster than 10 sess
17772 # per second, and reset the counter as soon as the traffic slows down.
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020017773 acl abuse sc0_http_req_rate gt 10
17774 acl kill sc0_inc_gpc0 gt 5
17775 acl save sc0_clr_gpc0 ge 0
Willy Tarreauf73cd112011-08-13 01:45:16 +020017776 tcp-request connection accept if !abuse save
17777 tcp-request connection reject if abuse kill
17778
Frédéric Lécaille6778b272018-01-29 15:22:53 +010017779sc_clr_gpc1(<ctr>[,<table>]) : integer
17780sc0_clr_gpc1([<table>]) : integer
17781sc1_clr_gpc1([<table>]) : integer
17782sc2_clr_gpc1([<table>]) : integer
17783 Clears the second General Purpose Counter associated to the currently tracked
17784 counters, and returns its previous value. Before the first invocation, the
17785 stored value is zero, so first invocation will always return zero. This is
17786 typically used as a second ACL in an expression in order to mark a connection
17787 when a first ACL was verified.
17788
Cyril Bonté62ba8702014-04-22 23:52:25 +020017789sc_conn_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017790sc0_conn_cnt([<table>]) : integer
17791sc1_conn_cnt([<table>]) : integer
17792sc2_conn_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010017793 Returns the cumulative number of incoming connections from currently tracked
Willy Tarreaue9656522010-08-17 15:40:09 +020017794 counters. See also src_conn_cnt.
17795
Cyril Bonté62ba8702014-04-22 23:52:25 +020017796sc_conn_cur(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017797sc0_conn_cur([<table>]) : integer
17798sc1_conn_cur([<table>]) : integer
17799sc2_conn_cur([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020017800 Returns the current amount of concurrent connections tracking the same
17801 tracked counters. This number is automatically incremented when tracking
17802 begins and decremented when tracking stops. See also src_conn_cur.
17803
Cyril Bonté62ba8702014-04-22 23:52:25 +020017804sc_conn_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017805sc0_conn_rate([<table>]) : integer
17806sc1_conn_rate([<table>]) : integer
17807sc2_conn_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020017808 Returns the average connection rate from the currently tracked counters,
17809 measured in amount of connections over the period configured in the table.
17810 See also src_conn_rate.
17811
Cyril Bonté62ba8702014-04-22 23:52:25 +020017812sc_get_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017813sc0_get_gpc0([<table>]) : integer
17814sc1_get_gpc0([<table>]) : integer
17815sc2_get_gpc0([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020017816 Returns the value of the first General Purpose Counter associated to the
Willy Tarreau4d4149c2013-07-23 19:33:46 +020017817 currently tracked counters. See also src_get_gpc0 and sc/sc0/sc1/sc2_inc_gpc0.
Willy Tarreauba2ffd12013-05-29 15:54:14 +020017818
Frédéric Lécaille6778b272018-01-29 15:22:53 +010017819sc_get_gpc1(<ctr>[,<table>]) : integer
17820sc0_get_gpc1([<table>]) : integer
17821sc1_get_gpc1([<table>]) : integer
17822sc2_get_gpc1([<table>]) : integer
17823 Returns the value of the second General Purpose Counter associated to the
17824 currently tracked counters. See also src_get_gpc1 and sc/sc0/sc1/sc2_inc_gpc1.
17825
Thierry FOURNIER236657b2015-08-19 08:25:14 +020017826sc_get_gpt0(<ctr>[,<table>]) : integer
17827sc0_get_gpt0([<table>]) : integer
17828sc1_get_gpt0([<table>]) : integer
17829sc2_get_gpt0([<table>]) : integer
17830 Returns the value of the first General Purpose Tag associated to the
17831 currently tracked counters. See also src_get_gpt0.
17832
Cyril Bonté62ba8702014-04-22 23:52:25 +020017833sc_gpc0_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017834sc0_gpc0_rate([<table>]) : integer
17835sc1_gpc0_rate([<table>]) : integer
17836sc2_gpc0_rate([<table>]) : integer
Willy Tarreauba2ffd12013-05-29 15:54:14 +020017837 Returns the average increment rate of the first General Purpose Counter
17838 associated to the currently tracked counters. It reports the frequency
17839 which the gpc0 counter was incremented over the configured period. See also
Willy Tarreau4d4149c2013-07-23 19:33:46 +020017840 src_gpc0_rate, sc/sc0/sc1/sc2_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note
17841 that the "gpc0_rate" counter must be stored in the stick-table for a value to
17842 be returned, as "gpc0" only holds the event count.
Willy Tarreaue9656522010-08-17 15:40:09 +020017843
Frédéric Lécaille6778b272018-01-29 15:22:53 +010017844sc_gpc1_rate(<ctr>[,<table>]) : integer
17845sc0_gpc1_rate([<table>]) : integer
17846sc1_gpc1_rate([<table>]) : integer
17847sc2_gpc1_rate([<table>]) : integer
17848 Returns the average increment rate of the second General Purpose Counter
17849 associated to the currently tracked counters. It reports the frequency
17850 which the gpc1 counter was incremented over the configured period. See also
17851 src_gpcA_rate, sc/sc0/sc1/sc2_get_gpc1, and sc/sc0/sc1/sc2_inc_gpc1. Note
17852 that the "gpc1_rate" counter must be stored in the stick-table for a value to
17853 be returned, as "gpc1" only holds the event count.
17854
Cyril Bonté62ba8702014-04-22 23:52:25 +020017855sc_http_err_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017856sc0_http_err_cnt([<table>]) : integer
17857sc1_http_err_cnt([<table>]) : integer
17858sc2_http_err_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010017859 Returns the cumulative number of HTTP errors from the currently tracked
Willy Tarreaue9656522010-08-17 15:40:09 +020017860 counters. This includes the both request errors and 4xx error responses.
17861 See also src_http_err_cnt.
17862
Cyril Bonté62ba8702014-04-22 23:52:25 +020017863sc_http_err_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017864sc0_http_err_rate([<table>]) : integer
17865sc1_http_err_rate([<table>]) : integer
17866sc2_http_err_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020017867 Returns the average rate of HTTP errors from the currently tracked counters,
17868 measured in amount of errors over the period configured in the table. This
17869 includes the both request errors and 4xx error responses. See also
17870 src_http_err_rate.
17871
Willy Tarreau826f3ab2021-02-10 12:07:15 +010017872sc_http_fail_cnt(<ctr>[,<table>]) : integer
17873sc0_http_fail_cnt([<table>]) : integer
17874sc1_http_fail_cnt([<table>]) : integer
17875sc2_http_fail_cnt([<table>]) : integer
17876 Returns the cumulative number of HTTP response failures from the currently
17877 tracked counters. This includes the both response errors and 5xx status codes
17878 other than 501 and 505. See also src_http_fail_cnt.
17879
17880sc_http_fail_rate(<ctr>[,<table>]) : integer
17881sc0_http_fail_rate([<table>]) : integer
17882sc1_http_fail_rate([<table>]) : integer
17883sc2_http_fail_rate([<table>]) : integer
17884 Returns the average rate of HTTP response failures from the currently tracked
17885 counters, measured in amount of failures over the period configured in the
17886 table. This includes the both response errors and 5xx status codes other than
17887 501 and 505. See also src_http_fail_rate.
17888
Cyril Bonté62ba8702014-04-22 23:52:25 +020017889sc_http_req_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017890sc0_http_req_cnt([<table>]) : integer
17891sc1_http_req_cnt([<table>]) : integer
17892sc2_http_req_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010017893 Returns the cumulative number of HTTP requests from the currently tracked
Willy Tarreaue9656522010-08-17 15:40:09 +020017894 counters. This includes every started request, valid or not. See also
17895 src_http_req_cnt.
17896
Cyril Bonté62ba8702014-04-22 23:52:25 +020017897sc_http_req_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017898sc0_http_req_rate([<table>]) : integer
17899sc1_http_req_rate([<table>]) : integer
17900sc2_http_req_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020017901 Returns the average rate of HTTP requests from the currently tracked
17902 counters, measured in amount of requests over the period configured in
17903 the table. This includes every started request, valid or not. See also
17904 src_http_req_rate.
17905
Cyril Bonté62ba8702014-04-22 23:52:25 +020017906sc_inc_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017907sc0_inc_gpc0([<table>]) : integer
17908sc1_inc_gpc0([<table>]) : integer
17909sc2_inc_gpc0([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020017910 Increments the first General Purpose Counter associated to the currently
Willy Tarreau869948b2013-01-04 14:14:57 +010017911 tracked counters, and returns its new value. Before the first invocation,
17912 the stored value is zero, so first invocation will increase it to 1 and will
17913 return 1. This is typically used as a second ACL in an expression in order
17914 to mark a connection when a first ACL was verified :
Willy Tarreaue9656522010-08-17 15:40:09 +020017915
Jarno Huuskonen676f6222017-03-30 09:19:45 +030017916 Example:
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020017917 acl abuse sc0_http_req_rate gt 10
17918 acl kill sc0_inc_gpc0 gt 0
Willy Tarreaue9656522010-08-17 15:40:09 +020017919 tcp-request connection reject if abuse kill
17920
Frédéric Lécaille6778b272018-01-29 15:22:53 +010017921sc_inc_gpc1(<ctr>[,<table>]) : integer
17922sc0_inc_gpc1([<table>]) : integer
17923sc1_inc_gpc1([<table>]) : integer
17924sc2_inc_gpc1([<table>]) : integer
17925 Increments the second General Purpose Counter associated to the currently
17926 tracked counters, and returns its new value. Before the first invocation,
17927 the stored value is zero, so first invocation will increase it to 1 and will
17928 return 1. This is typically used as a second ACL in an expression in order
17929 to mark a connection when a first ACL was verified.
17930
Cyril Bonté62ba8702014-04-22 23:52:25 +020017931sc_kbytes_in(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017932sc0_kbytes_in([<table>]) : integer
17933sc1_kbytes_in([<table>]) : integer
17934sc2_kbytes_in([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020017935 Returns the total amount of client-to-server data from the currently tracked
17936 counters, measured in kilobytes. The test is currently performed on 32-bit
17937 integers, which limits values to 4 terabytes. See also src_kbytes_in.
Willy Tarreaue9656522010-08-17 15:40:09 +020017938
Cyril Bonté62ba8702014-04-22 23:52:25 +020017939sc_kbytes_out(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017940sc0_kbytes_out([<table>]) : integer
17941sc1_kbytes_out([<table>]) : integer
17942sc2_kbytes_out([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020017943 Returns the total amount of server-to-client data from the currently tracked
17944 counters, measured in kilobytes. The test is currently performed on 32-bit
17945 integers, which limits values to 4 terabytes. See also src_kbytes_out.
Willy Tarreaue9656522010-08-17 15:40:09 +020017946
Cyril Bonté62ba8702014-04-22 23:52:25 +020017947sc_sess_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017948sc0_sess_cnt([<table>]) : integer
17949sc1_sess_cnt([<table>]) : integer
17950sc2_sess_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010017951 Returns the cumulative number of incoming connections that were transformed
Willy Tarreaue9656522010-08-17 15:40:09 +020017952 into sessions, which means that they were accepted by a "tcp-request
17953 connection" rule, from the currently tracked counters. A backend may count
17954 more sessions than connections because each connection could result in many
Jamie Gloudonaaa21002012-08-25 00:18:33 -040017955 backend sessions if some HTTP keep-alive is performed over the connection
Willy Tarreaue9656522010-08-17 15:40:09 +020017956 with the client. See also src_sess_cnt.
17957
Cyril Bonté62ba8702014-04-22 23:52:25 +020017958sc_sess_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017959sc0_sess_rate([<table>]) : integer
17960sc1_sess_rate([<table>]) : integer
17961sc2_sess_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020017962 Returns the average session rate from the currently tracked counters,
17963 measured in amount of sessions over the period configured in the table. A
17964 session is a connection that got past the early "tcp-request connection"
17965 rules. A backend may count more sessions than connections because each
17966 connection could result in many backend sessions if some HTTP keep-alive is
Jamie Gloudonaaa21002012-08-25 00:18:33 -040017967 performed over the connection with the client. See also src_sess_rate.
Willy Tarreaue9656522010-08-17 15:40:09 +020017968
Cyril Bonté62ba8702014-04-22 23:52:25 +020017969sc_tracked(<ctr>[,<table>]) : boolean
Willy Tarreau0f791d42013-07-23 19:56:43 +020017970sc0_tracked([<table>]) : boolean
17971sc1_tracked([<table>]) : boolean
17972sc2_tracked([<table>]) : boolean
Willy Tarreau6f1615f2013-06-03 15:15:22 +020017973 Returns true if the designated session counter is currently being tracked by
17974 the current session. This can be useful when deciding whether or not we want
17975 to set some values in a header passed to the server.
17976
Cyril Bonté62ba8702014-04-22 23:52:25 +020017977sc_trackers(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020017978sc0_trackers([<table>]) : integer
17979sc1_trackers([<table>]) : integer
17980sc2_trackers([<table>]) : integer
Willy Tarreau2406db42012-12-09 12:16:43 +010017981 Returns the current amount of concurrent connections tracking the same
17982 tracked counters. This number is automatically incremented when tracking
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020017983 begins and decremented when tracking stops. It differs from sc0_conn_cur in
Willy Tarreau2406db42012-12-09 12:16:43 +010017984 that it does not rely on any stored information but on the table's reference
17985 count (the "use" value which is returned by "show table" on the CLI). This
Willy Tarreau74ca5042013-06-11 23:12:07 +020017986 may sometimes be more suited for layer7 tracking. It can be used to tell a
17987 server how many concurrent connections there are from a given address for
17988 example.
Willy Tarreau2406db42012-12-09 12:16:43 +010017989
Willy Tarreau74ca5042013-06-11 23:12:07 +020017990so_id : integer
17991 Returns an integer containing the current listening socket's id. It is useful
17992 in frontends involving many "bind" lines, or to stick all users coming via a
17993 same socket to the same server.
Willy Tarreaud63335a2010-02-26 12:56:52 +010017994
Jerome Magnineb421b22020-03-27 22:08:40 +010017995so_name : string
17996 Returns a string containing the current listening socket's name, as defined
17997 with name on a "bind" line. It can serve the same purposes as so_id but with
17998 strings instead of integers.
17999
Willy Tarreau74ca5042013-06-11 23:12:07 +020018000src : ip
Davor Ocelice9ed2812017-12-25 17:49:28 +010018001 This is the source IPv4 address of the client of the session. It is of type
Willy Tarreau74ca5042013-06-11 23:12:07 +020018002 IP and works on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 addresses are
18003 mapped to their IPv6 equivalent, according to RFC 4291. Note that it is the
18004 TCP-level source address which is used, and not the address of a client
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010018005 behind a proxy. However if the "accept-proxy" or "accept-netscaler-cip" bind
18006 directive is used, it can be the address of a client behind another
18007 PROXY-protocol compatible component for all rule sets except
Willy Tarreau64ded3d2019-01-23 10:02:15 +010018008 "tcp-request connection" which sees the real address. When the incoming
18009 connection passed through address translation or redirection involving
18010 connection tracking, the original destination address before the redirection
18011 will be reported. On Linux systems, the source and destination may seldom
18012 appear reversed if the nf_conntrack_tcp_loose sysctl is set, because a late
18013 response may reopen a timed out connection and switch what is believed to be
18014 the source and the destination.
Willy Tarreaud63335a2010-02-26 12:56:52 +010018015
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010018016 Example:
18017 # add an HTTP header in requests with the originating address' country
18018 http-request set-header X-Country %[src,map_ip(geoip.lst)]
18019
Willy Tarreau74ca5042013-06-11 23:12:07 +020018020src_bytes_in_rate([<table>]) : integer
18021 Returns the average bytes rate from the incoming connection's source address
18022 in the current proxy's stick-table or in the designated stick-table, measured
18023 in amount of bytes over the period configured in the table. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020018024 not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_in_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020018025
Willy Tarreau74ca5042013-06-11 23:12:07 +020018026src_bytes_out_rate([<table>]) : integer
18027 Returns the average bytes rate to the incoming connection's source address in
18028 the current proxy's stick-table or in the designated stick-table, measured in
Willy Tarreauc9705a12010-07-27 20:05:50 +020018029 amount of bytes over the period configured in the table. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020018030 not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_out_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020018031
Willy Tarreau74ca5042013-06-11 23:12:07 +020018032src_clr_gpc0([<table>]) : integer
18033 Clears the first General Purpose Counter associated to the incoming
18034 connection's source address in the current proxy's stick-table or in the
18035 designated stick-table, and returns its previous value. If the address is not
18036 found, an entry is created and 0 is returned. This is typically used as a
18037 second ACL in an expression in order to mark a connection when a first ACL
18038 was verified :
Willy Tarreauf73cd112011-08-13 01:45:16 +020018039
Jarno Huuskonen676f6222017-03-30 09:19:45 +030018040 Example:
Willy Tarreauf73cd112011-08-13 01:45:16 +020018041 # block if 5 consecutive requests continue to come faster than 10 sess
18042 # per second, and reset the counter as soon as the traffic slows down.
18043 acl abuse src_http_req_rate gt 10
18044 acl kill src_inc_gpc0 gt 5
Willy Tarreau869948b2013-01-04 14:14:57 +010018045 acl save src_clr_gpc0 ge 0
Willy Tarreauf73cd112011-08-13 01:45:16 +020018046 tcp-request connection accept if !abuse save
18047 tcp-request connection reject if abuse kill
18048
Frédéric Lécaille6778b272018-01-29 15:22:53 +010018049src_clr_gpc1([<table>]) : integer
18050 Clears the second General Purpose Counter associated to the incoming
18051 connection's source address in the current proxy's stick-table or in the
18052 designated stick-table, and returns its previous value. If the address is not
18053 found, an entry is created and 0 is returned. This is typically used as a
18054 second ACL in an expression in order to mark a connection when a first ACL
18055 was verified.
18056
Willy Tarreau74ca5042013-06-11 23:12:07 +020018057src_conn_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010018058 Returns the cumulative number of connections initiated from the current
Willy Tarreau74ca5042013-06-11 23:12:07 +020018059 incoming connection's source address in the current proxy's stick-table or in
Willy Tarreauc9705a12010-07-27 20:05:50 +020018060 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020018061 See also sc/sc0/sc1/sc2_conn_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020018062
Willy Tarreau74ca5042013-06-11 23:12:07 +020018063src_conn_cur([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020018064 Returns the current amount of concurrent connections initiated from the
Willy Tarreau74ca5042013-06-11 23:12:07 +020018065 current incoming connection's source address in the current proxy's
18066 stick-table or in the designated stick-table. If the address is not found,
Willy Tarreau4d4149c2013-07-23 19:33:46 +020018067 zero is returned. See also sc/sc0/sc1/sc2_conn_cur.
Willy Tarreauc9705a12010-07-27 20:05:50 +020018068
Willy Tarreau74ca5042013-06-11 23:12:07 +020018069src_conn_rate([<table>]) : integer
18070 Returns the average connection rate from the incoming connection's source
18071 address in the current proxy's stick-table or in the designated stick-table,
18072 measured in amount of connections over the period configured in the table. If
Willy Tarreau4d4149c2013-07-23 19:33:46 +020018073 the address is not found, zero is returned. See also sc/sc0/sc1/sc2_conn_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020018074
Willy Tarreau74ca5042013-06-11 23:12:07 +020018075src_get_gpc0([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020018076 Returns the value of the first General Purpose Counter associated to the
Willy Tarreau74ca5042013-06-11 23:12:07 +020018077 incoming connection's source address in the current proxy's stick-table or in
Willy Tarreauc9705a12010-07-27 20:05:50 +020018078 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020018079 See also sc/sc0/sc1/sc2_get_gpc0 and src_inc_gpc0.
Willy Tarreauc9705a12010-07-27 20:05:50 +020018080
Frédéric Lécaille6778b272018-01-29 15:22:53 +010018081src_get_gpc1([<table>]) : integer
18082 Returns the value of the second General Purpose Counter associated to the
18083 incoming connection's source address in the current proxy's stick-table or in
18084 the designated stick-table. If the address is not found, zero is returned.
18085 See also sc/sc0/sc1/sc2_get_gpc1 and src_inc_gpc1.
18086
Thierry FOURNIER236657b2015-08-19 08:25:14 +020018087src_get_gpt0([<table>]) : integer
18088 Returns the value of the first General Purpose Tag associated to the
18089 incoming connection's source address in the current proxy's stick-table or in
18090 the designated stick-table. If the address is not found, zero is returned.
18091 See also sc/sc0/sc1/sc2_get_gpt0.
18092
Willy Tarreau74ca5042013-06-11 23:12:07 +020018093src_gpc0_rate([<table>]) : integer
Willy Tarreauba2ffd12013-05-29 15:54:14 +020018094 Returns the average increment rate of the first General Purpose Counter
Willy Tarreau74ca5042013-06-11 23:12:07 +020018095 associated to the incoming connection's source address in the current proxy's
Willy Tarreauba2ffd12013-05-29 15:54:14 +020018096 stick-table or in the designated stick-table. It reports the frequency
18097 which the gpc0 counter was incremented over the configured period. See also
Willy Tarreau4d4149c2013-07-23 19:33:46 +020018098 sc/sc0/sc1/sc2_gpc0_rate, src_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note
18099 that the "gpc0_rate" counter must be stored in the stick-table for a value to
18100 be returned, as "gpc0" only holds the event count.
Willy Tarreauba2ffd12013-05-29 15:54:14 +020018101
Frédéric Lécaille6778b272018-01-29 15:22:53 +010018102src_gpc1_rate([<table>]) : integer
18103 Returns the average increment rate of the second General Purpose Counter
18104 associated to the incoming connection's source address in the current proxy's
18105 stick-table or in the designated stick-table. It reports the frequency
18106 which the gpc1 counter was incremented over the configured period. See also
18107 sc/sc0/sc1/sc2_gpc1_rate, src_get_gpc1, and sc/sc0/sc1/sc2_inc_gpc1. Note
18108 that the "gpc1_rate" counter must be stored in the stick-table for a value to
18109 be returned, as "gpc1" only holds the event count.
18110
Willy Tarreau74ca5042013-06-11 23:12:07 +020018111src_http_err_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010018112 Returns the cumulative number of HTTP errors from the incoming connection's
Willy Tarreau74ca5042013-06-11 23:12:07 +020018113 source address in the current proxy's stick-table or in the designated
Willy Tarreauc9705a12010-07-27 20:05:50 +020018114 stick-table. This includes the both request errors and 4xx error responses.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020018115 See also sc/sc0/sc1/sc2_http_err_cnt. If the address is not found, zero is
Willy Tarreau74ca5042013-06-11 23:12:07 +020018116 returned.
Willy Tarreauc9705a12010-07-27 20:05:50 +020018117
Willy Tarreau74ca5042013-06-11 23:12:07 +020018118src_http_err_rate([<table>]) : integer
18119 Returns the average rate of HTTP errors from the incoming connection's source
18120 address in the current proxy's stick-table or in the designated stick-table,
18121 measured in amount of errors over the period configured in the table. This
18122 includes the both request errors and 4xx error responses. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020018123 not found, zero is returned. See also sc/sc0/sc1/sc2_http_err_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020018124
Willy Tarreau826f3ab2021-02-10 12:07:15 +010018125src_http_fail_cnt([<table>]) : integer
18126 Returns the cumulative number of HTTP response failures triggered by the
18127 incoming connection's source address in the current proxy's stick-table or in
Ilya Shipitsin0de36ad2021-02-20 00:23:36 +050018128 the designated stick-table. This includes the both response errors and 5xx
Willy Tarreau826f3ab2021-02-10 12:07:15 +010018129 status codes other than 501 and 505. See also sc/sc0/sc1/sc2_http_fail_cnt.
18130 If the address is not found, zero is returned.
18131
18132src_http_fail_rate([<table>]) : integer
18133 Returns the average rate of HTTP response failures triggered by the incoming
18134 connection's source address in the current proxy's stick-table or in the
18135 designated stick-table, measured in amount of failures over the period
18136 configured in the table. This includes the both response errors and 5xx
18137 status codes other than 501 and 505. If the address is not found, zero is
18138 returned. See also sc/sc0/sc1/sc2_http_fail_rate.
18139
Willy Tarreau74ca5042013-06-11 23:12:07 +020018140src_http_req_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010018141 Returns the cumulative number of HTTP requests from the incoming connection's
Willy Tarreau74ca5042013-06-11 23:12:07 +020018142 source address in the current proxy's stick-table or in the designated stick-
18143 table. This includes every started request, valid or not. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020018144 not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020018145
Willy Tarreau74ca5042013-06-11 23:12:07 +020018146src_http_req_rate([<table>]) : integer
18147 Returns the average rate of HTTP requests from the incoming connection's
18148 source address in the current proxy's stick-table or in the designated stick-
18149 table, measured in amount of requests over the period configured in the
Willy Tarreauc9705a12010-07-27 20:05:50 +020018150 table. This includes every started request, valid or not. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020018151 not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020018152
Willy Tarreau74ca5042013-06-11 23:12:07 +020018153src_inc_gpc0([<table>]) : integer
18154 Increments the first General Purpose Counter associated to the incoming
18155 connection's source address in the current proxy's stick-table or in the
18156 designated stick-table, and returns its new value. If the address is not
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020018157 found, an entry is created and 1 is returned. See also sc0/sc2/sc2_inc_gpc0.
Willy Tarreau74ca5042013-06-11 23:12:07 +020018158 This is typically used as a second ACL in an expression in order to mark a
18159 connection when a first ACL was verified :
Willy Tarreauc9705a12010-07-27 20:05:50 +020018160
Jarno Huuskonen676f6222017-03-30 09:19:45 +030018161 Example:
Willy Tarreauc9705a12010-07-27 20:05:50 +020018162 acl abuse src_http_req_rate gt 10
Willy Tarreau869948b2013-01-04 14:14:57 +010018163 acl kill src_inc_gpc0 gt 0
Willy Tarreaue9656522010-08-17 15:40:09 +020018164 tcp-request connection reject if abuse kill
Willy Tarreauc9705a12010-07-27 20:05:50 +020018165
Frédéric Lécaille6778b272018-01-29 15:22:53 +010018166src_inc_gpc1([<table>]) : integer
18167 Increments the second General Purpose Counter associated to the incoming
18168 connection's source address in the current proxy's stick-table or in the
18169 designated stick-table, and returns its new value. If the address is not
18170 found, an entry is created and 1 is returned. See also sc0/sc2/sc2_inc_gpc1.
18171 This is typically used as a second ACL in an expression in order to mark a
18172 connection when a first ACL was verified.
18173
Willy Tarreau16e01562016-08-09 16:46:18 +020018174src_is_local : boolean
18175 Returns true if the source address of the incoming connection is local to the
18176 system, or false if the address doesn't exist on the system, meaning that it
18177 comes from a remote machine. Note that UNIX addresses are considered local.
18178 It can be useful to apply certain access restrictions based on where the
Davor Ocelice9ed2812017-12-25 17:49:28 +010018179 client comes from (e.g. require auth or https for remote machines). Please
Willy Tarreau16e01562016-08-09 16:46:18 +020018180 note that the check involves a few system calls, so it's better to do it only
18181 once per connection.
18182
Willy Tarreau74ca5042013-06-11 23:12:07 +020018183src_kbytes_in([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020018184 Returns the total amount of data received from the incoming connection's
18185 source address in the current proxy's stick-table or in the designated
18186 stick-table, measured in kilobytes. If the address is not found, zero is
18187 returned. The test is currently performed on 32-bit integers, which limits
18188 values to 4 terabytes. See also sc/sc0/sc1/sc2_kbytes_in.
Willy Tarreauc9705a12010-07-27 20:05:50 +020018189
Willy Tarreau74ca5042013-06-11 23:12:07 +020018190src_kbytes_out([<table>]) : integer
Willy Tarreaua01b9742014-07-10 15:29:24 +020018191 Returns the total amount of data sent to the incoming connection's source
18192 address in the current proxy's stick-table or in the designated stick-table,
18193 measured in kilobytes. If the address is not found, zero is returned. The
18194 test is currently performed on 32-bit integers, which limits values to 4
18195 terabytes. See also sc/sc0/sc1/sc2_kbytes_out.
Willy Tarreaua975b8f2010-06-05 19:13:27 +020018196
Willy Tarreau74ca5042013-06-11 23:12:07 +020018197src_port : integer
18198 Returns an integer value corresponding to the TCP source port of the
18199 connection on the client side, which is the port the client connected from.
18200 Usage of this function is very limited as modern protocols do not care much
18201 about source ports nowadays.
Willy Tarreau079ff0a2009-03-05 21:34:28 +010018202
Willy Tarreau74ca5042013-06-11 23:12:07 +020018203src_sess_cnt([<table>]) : integer
Davor Ocelice9ed2812017-12-25 17:49:28 +010018204 Returns the cumulative number of connections initiated from the incoming
Willy Tarreauc9705a12010-07-27 20:05:50 +020018205 connection's source IPv4 address in the current proxy's stick-table or in the
18206 designated stick-table, that were transformed into sessions, which means that
18207 they were accepted by "tcp-request" rules. If the address is not found, zero
Willy Tarreau4d4149c2013-07-23 19:33:46 +020018208 is returned. See also sc/sc0/sc1/sc2_sess_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020018209
Willy Tarreau74ca5042013-06-11 23:12:07 +020018210src_sess_rate([<table>]) : integer
18211 Returns the average session rate from the incoming connection's source
18212 address in the current proxy's stick-table or in the designated stick-table,
18213 measured in amount of sessions over the period configured in the table. A
18214 session is a connection that went past the early "tcp-request" rules. If the
Willy Tarreau4d4149c2013-07-23 19:33:46 +020018215 address is not found, zero is returned. See also sc/sc0/sc1/sc2_sess_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020018216
Willy Tarreau74ca5042013-06-11 23:12:07 +020018217src_updt_conn_cnt([<table>]) : integer
18218 Creates or updates the entry associated to the incoming connection's source
18219 address in the current proxy's stick-table or in the designated stick-table.
18220 This table must be configured to store the "conn_cnt" data type, otherwise
18221 the match will be ignored. The current count is incremented by one, and the
18222 expiration timer refreshed. The updated count is returned, so this match
18223 can't return zero. This was used to reject service abusers based on their
18224 source address. Note: it is recommended to use the more complete "track-sc*"
18225 actions in "tcp-request" rules instead.
Willy Tarreaua975b8f2010-06-05 19:13:27 +020018226
18227 Example :
18228 # This frontend limits incoming SSH connections to 3 per 10 second for
18229 # each source address, and rejects excess connections until a 10 second
18230 # silence is observed. At most 20 addresses are tracked.
18231 listen ssh
18232 bind :22
18233 mode tcp
18234 maxconn 100
Willy Tarreauc9705a12010-07-27 20:05:50 +020018235 stick-table type ip size 20 expire 10s store conn_cnt
Willy Tarreau74ca5042013-06-11 23:12:07 +020018236 tcp-request content reject if { src_updt_conn_cnt gt 3 }
Willy Tarreaua975b8f2010-06-05 19:13:27 +020018237 server local 127.0.0.1:22
18238
Willy Tarreau74ca5042013-06-11 23:12:07 +020018239srv_id : integer
18240 Returns an integer containing the server's id when processing the response.
18241 While it's almost only used with ACLs, it may be used for logging or
Christopher Fauletd1b44642020-04-30 09:51:15 +020018242 debugging. It can also be used in a tcp-check or an http-check ruleset.
Hervé COMMOWICKdaa824e2011-08-05 12:09:44 +020018243
vkill1dfd1652019-10-30 16:58:14 +080018244srv_name : string
18245 Returns a string containing the server's name when processing the response.
18246 While it's almost only used with ACLs, it may be used for logging or
Christopher Fauletd1b44642020-04-30 09:51:15 +020018247 debugging. It can also be used in a tcp-check or an http-check ruleset.
vkill1dfd1652019-10-30 16:58:14 +080018248
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200182497.3.4. Fetching samples at Layer 5
Willy Tarreau74ca5042013-06-11 23:12:07 +020018250----------------------------------
Willy Tarreau0b1cd942010-05-16 22:18:27 +020018251
Daniel Corbett9f0843f2021-05-08 10:50:37 -040018252The layer 5 usually describes just the session layer which in HAProxy is
Willy Tarreau74ca5042013-06-11 23:12:07 +020018253closest to the session once all the connection handshakes are finished, but
18254when no content is yet made available. The fetch methods described here are
18255usable as low as the "tcp-request content" rule sets unless they require some
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030018256future information. Those generally include the results of SSL negotiations.
Willy Tarreauc735a072011-03-29 00:57:02 +020018257
Ben Shillitof25e8e52016-12-02 14:25:37 +00001825851d.all(<prop>[,<prop>*]) : string
18259 Returns values for the properties requested as a string, where values are
18260 separated by the delimiter specified with "51degrees-property-separator".
18261 The device is identified using all the important HTTP headers from the
18262 request. The function can be passed up to five property names, and if a
18263 property name can't be found, the value "NoData" is returned.
18264
18265 Example :
18266 # Here the header "X-51D-DeviceTypeMobileTablet" is added to the request
18267 # containing the three properties requested using all relevant headers from
18268 # the request.
18269 frontend http-in
18270 bind *:8081
18271 default_backend servers
18272 http-request set-header X-51D-DeviceTypeMobileTablet \
18273 %[51d.all(DeviceType,IsMobile,IsTablet)]
18274
Emeric Brun645ae792014-04-30 14:21:06 +020018275ssl_bc : boolean
18276 Returns true when the back connection was made via an SSL/TLS transport
18277 layer and is locally deciphered. This means the outgoing connection was made
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020018278 other a server with the "ssl" option. It can be used in a tcp-check or an
18279 http-check ruleset.
Emeric Brun645ae792014-04-30 14:21:06 +020018280
18281ssl_bc_alg_keysize : integer
18282 Returns the symmetric cipher key size supported in bits when the outgoing
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020018283 connection was made over an SSL/TLS transport layer. It can be used in a
18284 tcp-check or an http-check ruleset.
Emeric Brun645ae792014-04-30 14:21:06 +020018285
Olivier Houchard6b77f492018-11-22 18:18:29 +010018286ssl_bc_alpn : string
18287 This extracts the Application Layer Protocol Negotiation field from an
18288 outgoing connection made via a TLS transport layer.
Michael Prokop4438c602019-05-24 10:25:45 +020018289 The result is a string containing the protocol name negotiated with the
Olivier Houchard6b77f492018-11-22 18:18:29 +010018290 server. The SSL library must have been built with support for TLS
18291 extensions enabled (check haproxy -vv). Note that the TLS ALPN extension is
18292 not advertised unless the "alpn" keyword on the "server" line specifies a
18293 protocol list. Also, nothing forces the server to pick a protocol from this
18294 list, any other one may be requested. The TLS ALPN extension is meant to
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020018295 replace the TLS NPN extension. See also "ssl_bc_npn". It can be used in a
18296 tcp-check or an http-check ruleset.
Olivier Houchard6b77f492018-11-22 18:18:29 +010018297
Emeric Brun645ae792014-04-30 14:21:06 +020018298ssl_bc_cipher : string
18299 Returns the name of the used cipher when the outgoing connection was made
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020018300 over an SSL/TLS transport layer. It can be used in a tcp-check or an
18301 http-check ruleset.
Emeric Brun645ae792014-04-30 14:21:06 +020018302
Patrick Hemmer65674662019-06-04 08:13:03 -040018303ssl_bc_client_random : binary
18304 Returns the client random of the back connection when the incoming connection
18305 was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
18306 sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020018307 It can be used in a tcp-check or an http-check ruleset.
Patrick Hemmer65674662019-06-04 08:13:03 -040018308
Emeric Brun74f7ffa2018-02-19 16:14:12 +010018309ssl_bc_is_resumed : boolean
18310 Returns true when the back connection was made over an SSL/TLS transport
18311 layer and the newly created SSL session was resumed using a cached
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020018312 session or a TLS ticket. It can be used in a tcp-check or an http-check
18313 ruleset.
Emeric Brun74f7ffa2018-02-19 16:14:12 +010018314
Olivier Houchard6b77f492018-11-22 18:18:29 +010018315ssl_bc_npn : string
18316 This extracts the Next Protocol Negotiation field from an outgoing connection
18317 made via a TLS transport layer. The result is a string containing the
Michael Prokop4438c602019-05-24 10:25:45 +020018318 protocol name negotiated with the server . The SSL library must have been
Olivier Houchard6b77f492018-11-22 18:18:29 +010018319 built with support for TLS extensions enabled (check haproxy -vv). Note that
18320 the TLS NPN extension is not advertised unless the "npn" keyword on the
18321 "server" line specifies a protocol list. Also, nothing forces the server to
18322 pick a protocol from this list, any other one may be used. Please note that
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020018323 the TLS NPN extension was replaced with ALPN. It can be used in a tcp-check
18324 or an http-check ruleset.
Olivier Houchard6b77f492018-11-22 18:18:29 +010018325
Emeric Brun645ae792014-04-30 14:21:06 +020018326ssl_bc_protocol : string
18327 Returns the name of the used protocol when the outgoing connection was made
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020018328 over an SSL/TLS transport layer. It can be used in a tcp-check or an
18329 http-check ruleset.
Emeric Brun645ae792014-04-30 14:21:06 +020018330
Emeric Brunb73a9b02014-04-30 18:49:19 +020018331ssl_bc_unique_id : binary
Emeric Brun645ae792014-04-30 14:21:06 +020018332 When the outgoing connection was made over an SSL/TLS transport layer,
Emeric Brunb73a9b02014-04-30 18:49:19 +020018333 returns the TLS unique ID as defined in RFC5929 section 3. The unique id
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020018334 can be encoded to base64 using the converter: "ssl_bc_unique_id,base64". It
18335 can be used in a tcp-check or an http-check ruleset.
Emeric Brun645ae792014-04-30 14:21:06 +020018336
Patrick Hemmer65674662019-06-04 08:13:03 -040018337ssl_bc_server_random : binary
18338 Returns the server random of the back connection when the incoming connection
18339 was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
18340 sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020018341 It can be used in a tcp-check or an http-check ruleset.
Patrick Hemmer65674662019-06-04 08:13:03 -040018342
Emeric Brun645ae792014-04-30 14:21:06 +020018343ssl_bc_session_id : binary
18344 Returns the SSL ID of the back connection when the outgoing connection was
18345 made over an SSL/TLS transport layer. It is useful to log if we want to know
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020018346 if session was reused or not. It can be used in a tcp-check or an http-check
18347 ruleset.
Emeric Brun645ae792014-04-30 14:21:06 +020018348
Patrick Hemmere0275472018-04-28 19:15:51 -040018349ssl_bc_session_key : binary
18350 Returns the SSL session master key of the back connection when the outgoing
18351 connection was made over an SSL/TLS transport layer. It is useful to decrypt
18352 traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020018353 BoringSSL. It can be used in a tcp-check or an http-check ruleset.
Patrick Hemmere0275472018-04-28 19:15:51 -040018354
Emeric Brun645ae792014-04-30 14:21:06 +020018355ssl_bc_use_keysize : integer
18356 Returns the symmetric cipher key size used in bits when the outgoing
Christopher Fauletd92ea7f2020-04-30 10:03:55 +020018357 connection was made over an SSL/TLS transport layer. It can be used in a
18358 tcp-check or an http-check ruleset.
Emeric Brun645ae792014-04-30 14:21:06 +020018359
Willy Tarreau74ca5042013-06-11 23:12:07 +020018360ssl_c_ca_err : integer
18361 When the incoming connection was made over an SSL/TLS transport layer,
18362 returns the ID of the first error detected during verification of the client
18363 certificate at depth > 0, or 0 if no error was encountered during this
18364 verification process. Please refer to your SSL library's documentation to
18365 find the exhaustive list of error codes.
Willy Tarreauc735a072011-03-29 00:57:02 +020018366
Willy Tarreau74ca5042013-06-11 23:12:07 +020018367ssl_c_ca_err_depth : integer
18368 When the incoming connection was made over an SSL/TLS transport layer,
18369 returns the depth in the CA chain of the first error detected during the
18370 verification of the client certificate. If no error is encountered, 0 is
18371 returned.
Willy Tarreau0ba27502007-12-24 16:55:16 +010018372
Christopher Faulet70d10d12020-11-06 12:10:33 +010018373ssl_c_chain_der : binary
William Dauchya598b502020-08-06 18:11:38 +020018374 Returns the DER formatted chain certificate presented by the client when the
18375 incoming connection was made over an SSL/TLS transport layer. When used for
18376 an ACL, the value(s) to match against can be passed in hexadecimal form. One
Ilya Shipitsin2272d8a2020-12-21 01:22:40 +050018377 can parse the result with any lib accepting ASN.1 DER data. It currently
William Dauchya598b502020-08-06 18:11:38 +020018378 does not support resumed sessions.
18379
Christopher Faulet70d10d12020-11-06 12:10:33 +010018380ssl_c_der : binary
18381 Returns the DER formatted certificate presented by the client when the
18382 incoming connection was made over an SSL/TLS transport layer. When used for
18383 an ACL, the value(s) to match against can be passed in hexadecimal form.
18384
Willy Tarreau74ca5042013-06-11 23:12:07 +020018385ssl_c_err : integer
18386 When the incoming connection was made over an SSL/TLS transport layer,
18387 returns the ID of the first error detected during verification at depth 0, or
18388 0 if no error was encountered during this verification process. Please refer
18389 to your SSL library's documentation to find the exhaustive list of error
18390 codes.
Willy Tarreau62644772008-07-16 18:36:06 +020018391
Elliot Otchet71f82972020-01-15 08:12:14 -050018392ssl_c_i_dn([<entry>[,<occ>[,<format>]]]) : string
Willy Tarreau74ca5042013-06-11 23:12:07 +020018393 When the incoming connection was made over an SSL/TLS transport layer,
18394 returns the full distinguished name of the issuer of the certificate
18395 presented by the client when no <entry> is specified, or the value of the
18396 first given entry found from the beginning of the DN. If a positive/negative
18397 occurrence number is specified as the optional second argument, it returns
18398 the value of the nth given entry value from the beginning/end of the DN.
18399 For instance, "ssl_c_i_dn(OU,2)" the second organization unit, and
18400 "ssl_c_i_dn(CN)" retrieves the common name.
Elliot Otchet71f82972020-01-15 08:12:14 -050018401 The <format> parameter allows you to receive the DN suitable for
18402 consumption by different protocols. Currently supported is rfc2253 for
18403 LDAP v3.
18404 If you'd like to modify the format only you can specify an empty string
18405 and zero for the first two parameters. Example: ssl_c_i_dn(,0,rfc2253)
Willy Tarreau62644772008-07-16 18:36:06 +020018406
Willy Tarreau74ca5042013-06-11 23:12:07 +020018407ssl_c_key_alg : string
18408 Returns the name of the algorithm used to generate the key of the certificate
18409 presented by the client when the incoming connection was made over an SSL/TLS
18410 transport layer.
Willy Tarreau62644772008-07-16 18:36:06 +020018411
Willy Tarreau74ca5042013-06-11 23:12:07 +020018412ssl_c_notafter : string
18413 Returns the end date presented by the client as a formatted string
18414 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
18415 transport layer.
Emeric Brunbede3d02009-06-30 17:54:00 +020018416
Willy Tarreau74ca5042013-06-11 23:12:07 +020018417ssl_c_notbefore : string
18418 Returns the start date presented by the client as a formatted string
18419 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
18420 transport layer.
Willy Tarreaub6672b52011-12-12 17:23:41 +010018421
Elliot Otchet71f82972020-01-15 08:12:14 -050018422ssl_c_s_dn([<entry>[,<occ>[,<format>]]]) : string
Willy Tarreau74ca5042013-06-11 23:12:07 +020018423 When the incoming connection was made over an SSL/TLS transport layer,
18424 returns the full distinguished name of the subject of the certificate
18425 presented by the client when no <entry> is specified, or the value of the
18426 first given entry found from the beginning of the DN. If a positive/negative
18427 occurrence number is specified as the optional second argument, it returns
18428 the value of the nth given entry value from the beginning/end of the DN.
18429 For instance, "ssl_c_s_dn(OU,2)" the second organization unit, and
18430 "ssl_c_s_dn(CN)" retrieves the common name.
Elliot Otchet71f82972020-01-15 08:12:14 -050018431 The <format> parameter allows you to receive the DN suitable for
18432 consumption by different protocols. Currently supported is rfc2253 for
18433 LDAP v3.
18434 If you'd like to modify the format only you can specify an empty string
18435 and zero for the first two parameters. Example: ssl_c_s_dn(,0,rfc2253)
Willy Tarreaub6672b52011-12-12 17:23:41 +010018436
Willy Tarreau74ca5042013-06-11 23:12:07 +020018437ssl_c_serial : binary
18438 Returns the serial of the certificate presented by the client when the
18439 incoming connection was made over an SSL/TLS transport layer. When used for
18440 an ACL, the value(s) to match against can be passed in hexadecimal form.
Emeric Brun2525b6b2012-10-18 15:59:43 +020018441
Willy Tarreau74ca5042013-06-11 23:12:07 +020018442ssl_c_sha1 : binary
18443 Returns the SHA-1 fingerprint of the certificate presented by the client when
18444 the incoming connection was made over an SSL/TLS transport layer. This can be
18445 used to stick a client to a server, or to pass this information to a server.
Willy Tarreau2d0caa32014-07-02 19:01:22 +020018446 Note that the output is binary, so if you want to pass that signature to the
18447 server, you need to encode it in hex or base64, such as in the example below:
18448
Jarno Huuskonen676f6222017-03-30 09:19:45 +030018449 Example:
Willy Tarreau2d0caa32014-07-02 19:01:22 +020018450 http-request set-header X-SSL-Client-SHA1 %[ssl_c_sha1,hex]
Emeric Brun2525b6b2012-10-18 15:59:43 +020018451
Willy Tarreau74ca5042013-06-11 23:12:07 +020018452ssl_c_sig_alg : string
18453 Returns the name of the algorithm used to sign the certificate presented by
18454 the client when the incoming connection was made over an SSL/TLS transport
18455 layer.
Emeric Brun87855892012-10-17 17:39:35 +020018456
Willy Tarreau74ca5042013-06-11 23:12:07 +020018457ssl_c_used : boolean
18458 Returns true if current SSL session uses a client certificate even if current
18459 connection uses SSL session resumption. See also "ssl_fc_has_crt".
Emeric Brun7f56e742012-10-19 18:15:40 +020018460
Willy Tarreau74ca5042013-06-11 23:12:07 +020018461ssl_c_verify : integer
18462 Returns the verify result error ID when the incoming connection was made over
18463 an SSL/TLS transport layer, otherwise zero if no error is encountered. Please
18464 refer to your SSL library's documentation for an exhaustive list of error
18465 codes.
Emeric Brunce5ad802012-10-22 14:11:22 +020018466
Willy Tarreau74ca5042013-06-11 23:12:07 +020018467ssl_c_version : integer
18468 Returns the version of the certificate presented by the client when the
18469 incoming connection was made over an SSL/TLS transport layer.
Emeric Brunce5ad802012-10-22 14:11:22 +020018470
Emeric Brun43e79582014-10-29 19:03:26 +010018471ssl_f_der : binary
18472 Returns the DER formatted certificate presented by the frontend when the
18473 incoming connection was made over an SSL/TLS transport layer. When used for
18474 an ACL, the value(s) to match against can be passed in hexadecimal form.
18475
Elliot Otchet71f82972020-01-15 08:12:14 -050018476ssl_f_i_dn([<entry>[,<occ>[,<format>]]]) : string
Willy Tarreau74ca5042013-06-11 23:12:07 +020018477 When the incoming connection was made over an SSL/TLS transport layer,
18478 returns the full distinguished name of the issuer of the certificate
18479 presented by the frontend when no <entry> is specified, or the value of the
18480 first given entry found from the beginning of the DN. If a positive/negative
Emeric Brun87855892012-10-17 17:39:35 +020018481 occurrence number is specified as the optional second argument, it returns
Willy Tarreau74ca5042013-06-11 23:12:07 +020018482 the value of the nth given entry value from the beginning/end of the DN.
18483 For instance, "ssl_f_i_dn(OU,2)" the second organization unit, and
18484 "ssl_f_i_dn(CN)" retrieves the common name.
Elliot Otchet71f82972020-01-15 08:12:14 -050018485 The <format> parameter allows you to receive the DN suitable for
18486 consumption by different protocols. Currently supported is rfc2253 for
18487 LDAP v3.
18488 If you'd like to modify the format only you can specify an empty string
18489 and zero for the first two parameters. Example: ssl_f_i_dn(,0,rfc2253)
Emeric Brun87855892012-10-17 17:39:35 +020018490
Willy Tarreau74ca5042013-06-11 23:12:07 +020018491ssl_f_key_alg : string
18492 Returns the name of the algorithm used to generate the key of the certificate
18493 presented by the frontend when the incoming connection was made over an
18494 SSL/TLS transport layer.
Emeric Brun7f56e742012-10-19 18:15:40 +020018495
Willy Tarreau74ca5042013-06-11 23:12:07 +020018496ssl_f_notafter : string
18497 Returns the end date presented by the frontend as a formatted string
18498 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
18499 transport layer.
Emeric Brun2525b6b2012-10-18 15:59:43 +020018500
Willy Tarreau74ca5042013-06-11 23:12:07 +020018501ssl_f_notbefore : string
18502 Returns the start date presented by the frontend as a formatted string
18503 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
18504 transport layer.
Emeric Brun87855892012-10-17 17:39:35 +020018505
Elliot Otchet71f82972020-01-15 08:12:14 -050018506ssl_f_s_dn([<entry>[,<occ>[,<format>]]]) : string
Willy Tarreau74ca5042013-06-11 23:12:07 +020018507 When the incoming connection was made over an SSL/TLS transport layer,
18508 returns the full distinguished name of the subject of the certificate
18509 presented by the frontend when no <entry> is specified, or the value of the
18510 first given entry found from the beginning of the DN. If a positive/negative
18511 occurrence number is specified as the optional second argument, it returns
18512 the value of the nth given entry value from the beginning/end of the DN.
18513 For instance, "ssl_f_s_dn(OU,2)" the second organization unit, and
18514 "ssl_f_s_dn(CN)" retrieves the common name.
Elliot Otchet71f82972020-01-15 08:12:14 -050018515 The <format> parameter allows you to receive the DN suitable for
18516 consumption by different protocols. Currently supported is rfc2253 for
18517 LDAP v3.
18518 If you'd like to modify the format only you can specify an empty string
18519 and zero for the first two parameters. Example: ssl_f_s_dn(,0,rfc2253)
Emeric Brunce5ad802012-10-22 14:11:22 +020018520
Willy Tarreau74ca5042013-06-11 23:12:07 +020018521ssl_f_serial : binary
18522 Returns the serial of the certificate presented by the frontend when the
18523 incoming connection was made over an SSL/TLS transport layer. When used for
18524 an ACL, the value(s) to match against can be passed in hexadecimal form.
Emeric Brun87855892012-10-17 17:39:35 +020018525
Emeric Brun55f4fa82014-04-30 17:11:25 +020018526ssl_f_sha1 : binary
18527 Returns the SHA-1 fingerprint of the certificate presented by the frontend
18528 when the incoming connection was made over an SSL/TLS transport layer. This
18529 can be used to know which certificate was chosen using SNI.
18530
Willy Tarreau74ca5042013-06-11 23:12:07 +020018531ssl_f_sig_alg : string
18532 Returns the name of the algorithm used to sign the certificate presented by
18533 the frontend when the incoming connection was made over an SSL/TLS transport
18534 layer.
Emeric Brun7f56e742012-10-19 18:15:40 +020018535
Willy Tarreau74ca5042013-06-11 23:12:07 +020018536ssl_f_version : integer
18537 Returns the version of the certificate presented by the frontend when the
18538 incoming connection was made over an SSL/TLS transport layer.
18539
18540ssl_fc : boolean
Emeric Brun2525b6b2012-10-18 15:59:43 +020018541 Returns true when the front connection was made via an SSL/TLS transport
18542 layer and is locally deciphered. This means it has matched a socket declared
18543 with a "bind" line having the "ssl" option.
18544
Willy Tarreau74ca5042013-06-11 23:12:07 +020018545 Example :
18546 # This passes "X-Proto: https" to servers when client connects over SSL
18547 listen http-https
18548 bind :80
18549 bind :443 ssl crt /etc/haproxy.pem
18550 http-request add-header X-Proto https if { ssl_fc }
18551
18552ssl_fc_alg_keysize : integer
18553 Returns the symmetric cipher key size supported in bits when the incoming
18554 connection was made over an SSL/TLS transport layer.
18555
18556ssl_fc_alpn : string
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030018557 This extracts the Application Layer Protocol Negotiation field from an
Willy Tarreau74ca5042013-06-11 23:12:07 +020018558 incoming connection made via a TLS transport layer and locally deciphered by
Daniel Corbett9f0843f2021-05-08 10:50:37 -040018559 HAProxy. The result is a string containing the protocol name advertised by
Willy Tarreau74ca5042013-06-11 23:12:07 +020018560 the client. The SSL library must have been built with support for TLS
18561 extensions enabled (check haproxy -vv). Note that the TLS ALPN extension is
18562 not advertised unless the "alpn" keyword on the "bind" line specifies a
18563 protocol list. Also, nothing forces the client to pick a protocol from this
18564 list, any other one may be requested. The TLS ALPN extension is meant to
18565 replace the TLS NPN extension. See also "ssl_fc_npn".
18566
Willy Tarreau74ca5042013-06-11 23:12:07 +020018567ssl_fc_cipher : string
18568 Returns the name of the used cipher when the incoming connection was made
18569 over an SSL/TLS transport layer.
Willy Tarreauab861d32013-04-02 02:30:41 +020018570
Thierry FOURNIER5bf77322017-02-25 12:45:22 +010018571ssl_fc_cipherlist_bin : binary
18572 Returns the binary form of the client hello cipher list. The maximum returned
18573 value length is according with the value of
Emmanuel Hocdetaaee7502017-03-07 18:34:58 +010018574 "tune.ssl.capture-cipherlist-size".
Thierry FOURNIER5bf77322017-02-25 12:45:22 +010018575
18576ssl_fc_cipherlist_hex : string
18577 Returns the binary form of the client hello cipher list encoded as
18578 hexadecimal. The maximum returned value length is according with the value of
Emmanuel Hocdetaaee7502017-03-07 18:34:58 +010018579 "tune.ssl.capture-cipherlist-size".
Thierry FOURNIER5bf77322017-02-25 12:45:22 +010018580
18581ssl_fc_cipherlist_str : string
18582 Returns the decoded text form of the client hello cipher list. The maximum
18583 number of ciphers returned is according with the value of
18584 "tune.ssl.capture-cipherlist-size". Note that this sample-fetch is only
Davor Ocelice9ed2812017-12-25 17:49:28 +010018585 available with OpenSSL >= 1.0.2. If the function is not enabled, this
Emmanuel Hocdetddcde192017-09-01 17:32:08 +020018586 sample-fetch returns the hash like "ssl_fc_cipherlist_xxh".
Thierry FOURNIER5bf77322017-02-25 12:45:22 +010018587
18588ssl_fc_cipherlist_xxh : integer
18589 Returns a xxh64 of the cipher list. This hash can be return only is the value
18590 "tune.ssl.capture-cipherlist-size" is set greater than 0, however the hash
Emmanuel Hocdetaaee7502017-03-07 18:34:58 +010018591 take in account all the data of the cipher list.
Thierry FOURNIER5bf77322017-02-25 12:45:22 +010018592
Patrick Hemmer65674662019-06-04 08:13:03 -040018593ssl_fc_client_random : binary
18594 Returns the client random of the front connection when the incoming connection
18595 was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
18596 sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
18597
William Lallemand7d42ef52020-07-06 11:41:30 +020018598ssl_fc_client_early_traffic_secret : string
18599 Return the CLIENT_EARLY_TRAFFIC_SECRET as an hexadecimal string for the
18600 front connection when the incoming connection was made over a TLS 1.3
18601 transport layer.
18602 Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL
18603 keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be
18604 activated with "tune.ssl.keylog on" in the global section. See also
18605 "tune.ssl.keylog"
18606
18607ssl_fc_client_handshake_traffic_secret : string
18608 Return the CLIENT_HANDSHAKE_TRAFFIC_SECRET as an hexadecimal string for the
18609 front connection when the incoming connection was made over a TLS 1.3
18610 transport layer.
18611 Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL
18612 keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be
18613 activated with "tune.ssl.keylog on" in the global section. See also
18614 "tune.ssl.keylog"
18615
18616ssl_fc_client_traffic_secret_0 : string
18617 Return the CLIENT_TRAFFIC_SECRET_0 as an hexadecimal string for the
18618 front connection when the incoming connection was made over a TLS 1.3
18619 transport layer.
18620 Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL
18621 keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be
18622 activated with "tune.ssl.keylog on" in the global section. See also
18623 "tune.ssl.keylog"
18624
18625ssl_fc_exporter_secret : string
18626 Return the EXPORTER_SECRET as an hexadecimal string for the
18627 front connection when the incoming connection was made over a TLS 1.3
18628 transport layer.
18629 Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL
18630 keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be
18631 activated with "tune.ssl.keylog on" in the global section. See also
18632 "tune.ssl.keylog"
18633
18634ssl_fc_early_exporter_secret : string
18635 Return the EARLY_EXPORTER_SECRET as an hexadecimal string for the
18636 front connection when the incoming connection was made over an TLS 1.3
18637 transport layer.
18638 Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL
18639 keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be
18640 activated with "tune.ssl.keylog on" in the global section. See also
18641 "tune.ssl.keylog"
18642
Willy Tarreau74ca5042013-06-11 23:12:07 +020018643ssl_fc_has_crt : boolean
Emeric Brun2525b6b2012-10-18 15:59:43 +020018644 Returns true if a client certificate is present in an incoming connection over
18645 SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
Emeric Brun9143d372012-12-20 15:44:16 +010018646 Note: on SSL session resumption with Session ID or TLS ticket, client
18647 certificate is not present in the current connection but may be retrieved
18648 from the cache or the ticket. So prefer "ssl_c_used" if you want to check if
18649 current SSL session uses a client certificate.
Emeric Brun2525b6b2012-10-18 15:59:43 +020018650
Olivier Houchardccaa7de2017-10-02 11:51:03 +020018651ssl_fc_has_early : boolean
18652 Returns true if early data were sent, and the handshake didn't happen yet. As
18653 it has security implications, it is useful to be able to refuse those, or
18654 wait until the handshake happened.
18655
Willy Tarreau74ca5042013-06-11 23:12:07 +020018656ssl_fc_has_sni : boolean
18657 This checks for the presence of a Server Name Indication TLS extension (SNI)
Willy Tarreauf7bc57c2012-10-03 00:19:48 +020018658 in an incoming connection was made over an SSL/TLS transport layer. Returns
18659 true when the incoming connection presents a TLS SNI field. This requires
John Roeslerfb2fce12019-07-10 15:45:51 -050018660 that the SSL library is built with support for TLS extensions enabled (check
Willy Tarreauf7bc57c2012-10-03 00:19:48 +020018661 haproxy -vv).
Willy Tarreau7875d092012-09-10 08:20:03 +020018662
Nenad Merdanovic1516fe32016-05-17 03:31:21 +020018663ssl_fc_is_resumed : boolean
Nenad Merdanovic26ea8222015-05-18 02:28:57 +020018664 Returns true if the SSL/TLS session has been resumed through the use of
Jérôme Magnin4a326cb2018-01-15 14:01:17 +010018665 SSL session cache or TLS tickets on an incoming connection over an SSL/TLS
18666 transport layer.
Nenad Merdanovic26ea8222015-05-18 02:28:57 +020018667
Willy Tarreau74ca5042013-06-11 23:12:07 +020018668ssl_fc_npn : string
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030018669 This extracts the Next Protocol Negotiation field from an incoming connection
Daniel Corbett9f0843f2021-05-08 10:50:37 -040018670 made via a TLS transport layer and locally deciphered by HAProxy. The result
Willy Tarreau74ca5042013-06-11 23:12:07 +020018671 is a string containing the protocol name advertised by the client. The SSL
18672 library must have been built with support for TLS extensions enabled (check
18673 haproxy -vv). Note that the TLS NPN extension is not advertised unless the
18674 "npn" keyword on the "bind" line specifies a protocol list. Also, nothing
18675 forces the client to pick a protocol from this list, any other one may be
18676 requested. Please note that the TLS NPN extension was replaced with ALPN.
Willy Tarreaua33c6542012-10-15 13:19:06 +020018677
Willy Tarreau74ca5042013-06-11 23:12:07 +020018678ssl_fc_protocol : string
18679 Returns the name of the used protocol when the incoming connection was made
18680 over an SSL/TLS transport layer.
Willy Tarreau7875d092012-09-10 08:20:03 +020018681
Emeric Brunb73a9b02014-04-30 18:49:19 +020018682ssl_fc_unique_id : binary
David Sc1ad52e2014-04-08 18:48:47 -040018683 When the incoming connection was made over an SSL/TLS transport layer,
Emeric Brunb73a9b02014-04-30 18:49:19 +020018684 returns the TLS unique ID as defined in RFC5929 section 3. The unique id
18685 can be encoded to base64 using the converter: "ssl_bc_unique_id,base64".
David Sc1ad52e2014-04-08 18:48:47 -040018686
William Lallemand7d42ef52020-07-06 11:41:30 +020018687ssl_fc_server_handshake_traffic_secret : string
18688 Return the SERVER_HANDSHAKE_TRAFFIC_SECRET as an hexadecimal string for the
18689 front connection when the incoming connection was made over a TLS 1.3
18690 transport layer.
18691 Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL
18692 keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be
18693 activated with "tune.ssl.keylog on" in the global section. See also
18694 "tune.ssl.keylog"
18695
18696ssl_fc_server_traffic_secret_0 : string
18697 Return the SERVER_TRAFFIC_SECRET_0 as an hexadecimal string for the
18698 front connection when the incoming connection was made over an TLS 1.3
18699 transport layer.
18700 Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL
18701 keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be
18702 activated with "tune.ssl.keylog on" in the global section. See also
18703 "tune.ssl.keylog"
18704
Patrick Hemmer65674662019-06-04 08:13:03 -040018705ssl_fc_server_random : binary
18706 Returns the server random of the front connection when the incoming connection
18707 was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
18708 sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
18709
Willy Tarreau74ca5042013-06-11 23:12:07 +020018710ssl_fc_session_id : binary
18711 Returns the SSL ID of the front connection when the incoming connection was
18712 made over an SSL/TLS transport layer. It is useful to stick a given client to
18713 a server. It is important to note that some browsers refresh their session ID
18714 every few minutes.
Willy Tarreau7875d092012-09-10 08:20:03 +020018715
Patrick Hemmere0275472018-04-28 19:15:51 -040018716ssl_fc_session_key : binary
18717 Returns the SSL session master key of the front connection when the incoming
18718 connection was made over an SSL/TLS transport layer. It is useful to decrypt
18719 traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
18720 BoringSSL.
18721
18722
Willy Tarreau74ca5042013-06-11 23:12:07 +020018723ssl_fc_sni : string
18724 This extracts the Server Name Indication TLS extension (SNI) field from an
18725 incoming connection made via an SSL/TLS transport layer and locally
Daniel Corbett9f0843f2021-05-08 10:50:37 -040018726 deciphered by HAProxy. The result (when present) typically is a string
Willy Tarreau74ca5042013-06-11 23:12:07 +020018727 matching the HTTPS host name (253 chars or less). The SSL library must have
18728 been built with support for TLS extensions enabled (check haproxy -vv).
18729
18730 This fetch is different from "req_ssl_sni" above in that it applies to the
Daniel Corbett9f0843f2021-05-08 10:50:37 -040018731 connection being deciphered by HAProxy and not to SSL contents being blindly
Willy Tarreau74ca5042013-06-11 23:12:07 +020018732 forwarded. See also "ssl_fc_sni_end" and "ssl_fc_sni_reg" below. This
John Roeslerfb2fce12019-07-10 15:45:51 -050018733 requires that the SSL library is built with support for TLS extensions
Cyril Bonté9c1eb1e2012-10-09 22:45:34 +020018734 enabled (check haproxy -vv).
Willy Tarreau62644772008-07-16 18:36:06 +020018735
Willy Tarreau74ca5042013-06-11 23:12:07 +020018736 ACL derivatives :
Willy Tarreau74ca5042013-06-11 23:12:07 +020018737 ssl_fc_sni_end : suffix match
18738 ssl_fc_sni_reg : regex match
Emeric Brun589fcad2012-10-16 14:13:26 +020018739
Willy Tarreau74ca5042013-06-11 23:12:07 +020018740ssl_fc_use_keysize : integer
18741 Returns the symmetric cipher key size used in bits when the incoming
18742 connection was made over an SSL/TLS transport layer.
Willy Tarreaub6fb4202008-07-20 11:18:28 +020018743
William Lallemandbfa3e812020-06-25 20:07:18 +020018744ssl_s_der : binary
18745 Returns the DER formatted certificate presented by the server when the
18746 outgoing connection was made over an SSL/TLS transport layer. When used for
18747 an ACL, the value(s) to match against can be passed in hexadecimal form.
18748
William Dauchya598b502020-08-06 18:11:38 +020018749ssl_s_chain_der : binary
18750 Returns the DER formatted chain certificate presented by the server when the
18751 outgoing connection was made over an SSL/TLS transport layer. When used for
18752 an ACL, the value(s) to match against can be passed in hexadecimal form. One
Ilya Shipitsin2272d8a2020-12-21 01:22:40 +050018753 can parse the result with any lib accepting ASN.1 DER data. It currently
William Dauchya598b502020-08-06 18:11:38 +020018754 does not support resumed sessions.
18755
William Lallemandbfa3e812020-06-25 20:07:18 +020018756ssl_s_key_alg : string
18757 Returns the name of the algorithm used to generate the key of the certificate
18758 presented by the server when the outgoing connection was made over an
18759 SSL/TLS transport layer.
18760
18761ssl_s_notafter : string
18762 Returns the end date presented by the server as a formatted string
18763 YYMMDDhhmmss[Z] when the outgoing connection was made over an SSL/TLS
18764 transport layer.
18765
18766ssl_s_notbefore : string
18767 Returns the start date presented by the server as a formatted string
18768 YYMMDDhhmmss[Z] when the outgoing connection was made over an SSL/TLS
18769 transport layer.
18770
18771ssl_s_i_dn([<entry>[,<occ>[,<format>]]]) : string
18772 When the outgoing connection was made over an SSL/TLS transport layer,
18773 returns the full distinguished name of the issuer of the certificate
18774 presented by the server when no <entry> is specified, or the value of the
18775 first given entry found from the beginning of the DN. If a positive/negative
18776 occurrence number is specified as the optional second argument, it returns
18777 the value of the nth given entry value from the beginning/end of the DN.
William Lallemand8f600c82020-06-26 09:55:06 +020018778 For instance, "ssl_s_i_dn(OU,2)" the second organization unit, and
18779 "ssl_s_i_dn(CN)" retrieves the common name.
William Lallemandbfa3e812020-06-25 20:07:18 +020018780 The <format> parameter allows you to receive the DN suitable for
18781 consumption by different protocols. Currently supported is rfc2253 for
18782 LDAP v3.
18783 If you'd like to modify the format only you can specify an empty string
18784 and zero for the first two parameters. Example: ssl_s_i_dn(,0,rfc2253)
18785
18786ssl_s_s_dn([<entry>[,<occ>[,<format>]]]) : string
18787 When the outgoing connection was made over an SSL/TLS transport layer,
18788 returns the full distinguished name of the subject of the certificate
18789 presented by the server when no <entry> is specified, or the value of the
18790 first given entry found from the beginning of the DN. If a positive/negative
18791 occurrence number is specified as the optional second argument, it returns
18792 the value of the nth given entry value from the beginning/end of the DN.
William Lallemand8f600c82020-06-26 09:55:06 +020018793 For instance, "ssl_s_s_dn(OU,2)" the second organization unit, and
18794 "ssl_s_s_dn(CN)" retrieves the common name.
William Lallemandbfa3e812020-06-25 20:07:18 +020018795 The <format> parameter allows you to receive the DN suitable for
18796 consumption by different protocols. Currently supported is rfc2253 for
18797 LDAP v3.
18798 If you'd like to modify the format only you can specify an empty string
18799 and zero for the first two parameters. Example: ssl_s_s_dn(,0,rfc2253)
18800
18801ssl_s_serial : binary
18802 Returns the serial of the certificate presented by the server when the
18803 outgoing connection was made over an SSL/TLS transport layer. When used for
18804 an ACL, the value(s) to match against can be passed in hexadecimal form.
18805
18806ssl_s_sha1 : binary
18807 Returns the SHA-1 fingerprint of the certificate presented by the server
18808 when the outgoing connection was made over an SSL/TLS transport layer. This
18809 can be used to know which certificate was chosen using SNI.
18810
18811ssl_s_sig_alg : string
18812 Returns the name of the algorithm used to sign the certificate presented by
18813 the server when the outgoing connection was made over an SSL/TLS transport
18814 layer.
18815
18816ssl_s_version : integer
18817 Returns the version of the certificate presented by the server when the
18818 outgoing connection was made over an SSL/TLS transport layer.
Willy Tarreaub6fb4202008-07-20 11:18:28 +020018819
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200188207.3.5. Fetching samples from buffer contents (Layer 6)
Willy Tarreau74ca5042013-06-11 23:12:07 +020018821------------------------------------------------------
Willy Tarreaub6fb4202008-07-20 11:18:28 +020018822
Willy Tarreau74ca5042013-06-11 23:12:07 +020018823Fetching samples from buffer contents is a bit different from the previous
18824sample fetches above because the sampled data are ephemeral. These data can
18825only be used when they're available and will be lost when they're forwarded.
18826For this reason, samples fetched from buffer contents during a request cannot
18827be used in a response for example. Even while the data are being fetched, they
18828can change. Sometimes it is necessary to set some delays or combine multiple
18829sample fetch methods to ensure that the expected data are complete and usable,
18830for example through TCP request content inspection. Please see the "tcp-request
18831content" keyword for more detailed information on the subject.
Willy Tarreau62644772008-07-16 18:36:06 +020018832
Christopher Fauleta434a002021-03-25 11:58:51 +010018833Warning : Following sample fetches are ignored if used from HTTP proxies. They
18834 only deal with raw contents found in the buffers. On their side,
Daniel Corbett9f0843f2021-05-08 10:50:37 -040018835 HTTP proxies use structured content. Thus raw representation of
Christopher Fauleta434a002021-03-25 11:58:51 +010018836 these data are meaningless. A warning is emitted if an ACL relies on
18837 one of the following sample fetches. But it is not possible to detect
18838 all invalid usage (for instance inside a log-format string or a
18839 sample expression). So be careful.
18840
Willy Tarreau74ca5042013-06-11 23:12:07 +020018841payload(<offset>,<length>) : binary (deprecated)
Davor Ocelice9ed2812017-12-25 17:49:28 +010018842 This is an alias for "req.payload" when used in the context of a request (e.g.
Willy Tarreau74ca5042013-06-11 23:12:07 +020018843 "stick on", "stick match"), and for "res.payload" when used in the context of
18844 a response such as in "stick store response".
Willy Tarreau0ba27502007-12-24 16:55:16 +010018845
Willy Tarreau74ca5042013-06-11 23:12:07 +020018846payload_lv(<offset1>,<length>[,<offset2>]) : binary (deprecated)
18847 This is an alias for "req.payload_lv" when used in the context of a request
Davor Ocelice9ed2812017-12-25 17:49:28 +010018848 (e.g. "stick on", "stick match"), and for "res.payload_lv" when used in the
Willy Tarreau74ca5042013-06-11 23:12:07 +020018849 context of a response such as in "stick store response".
Willy Tarreau0ba27502007-12-24 16:55:16 +010018850
Willy Tarreau74ca5042013-06-11 23:12:07 +020018851req.len : integer
18852req_len : integer (deprecated)
18853 Returns an integer value corresponding to the number of bytes present in the
18854 request buffer. This is mostly used in ACL. It is important to understand
18855 that this test does not return false as long as the buffer is changing. This
18856 means that a check with equality to zero will almost always immediately match
18857 at the beginning of the session, while a test for more data will wait for
Daniel Corbett9f0843f2021-05-08 10:50:37 -040018858 that data to come in and return false only when HAProxy is certain that no
Willy Tarreau74ca5042013-06-11 23:12:07 +020018859 more data will come in. This test was designed to be used with TCP request
18860 content inspection.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020018861
Willy Tarreau74ca5042013-06-11 23:12:07 +020018862req.payload(<offset>,<length>) : binary
18863 This extracts a binary block of <length> bytes and starting at byte <offset>
Willy Tarreau00f00842013-08-02 11:07:32 +020018864 in the request buffer. As a special case, if the <length> argument is zero,
18865 the the whole buffer from <offset> to the end is extracted. This can be used
18866 with ACLs in order to check for the presence of some content in a buffer at
18867 any location.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020018868
Willy Tarreau74ca5042013-06-11 23:12:07 +020018869 ACL alternatives :
18870 payload(<offset>,<length>) : hex binary match
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020018871
Willy Tarreau74ca5042013-06-11 23:12:07 +020018872req.payload_lv(<offset1>,<length>[,<offset2>]) : binary
18873 This extracts a binary block whose size is specified at <offset1> for <length>
18874 bytes, and which starts at <offset2> if specified or just after the length in
18875 the request buffer. The <offset2> parameter also supports relative offsets if
18876 prepended with a '+' or '-' sign.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020018877
Willy Tarreau74ca5042013-06-11 23:12:07 +020018878 ACL alternatives :
18879 payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020018880
Willy Tarreau74ca5042013-06-11 23:12:07 +020018881 Example : please consult the example from the "stick store-response" keyword.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020018882
Willy Tarreau74ca5042013-06-11 23:12:07 +020018883req.proto_http : boolean
18884req_proto_http : boolean (deprecated)
18885 Returns true when data in the request buffer look like HTTP and correctly
18886 parses as such. It is the same parser as the common HTTP request parser which
18887 is used so there should be no surprises. The test does not match until the
18888 request is complete, failed or timed out. This test may be used to report the
18889 protocol in TCP logs, but the biggest use is to block TCP request analysis
18890 until a complete HTTP request is present in the buffer, for example to track
18891 a header.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020018892
Willy Tarreau74ca5042013-06-11 23:12:07 +020018893 Example:
18894 # track request counts per "base" (concatenation of Host+URL)
18895 tcp-request inspect-delay 10s
18896 tcp-request content reject if !HTTP
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020018897 tcp-request content track-sc0 base table req-rate
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020018898
Willy Tarreau74ca5042013-06-11 23:12:07 +020018899req.rdp_cookie([<name>]) : string
18900rdp_cookie([<name>]) : string (deprecated)
18901 When the request buffer looks like the RDP protocol, extracts the RDP cookie
18902 <name>, or any cookie if unspecified. The parser only checks for the first
18903 cookie, as illustrated in the RDP protocol specification. The cookie name is
18904 case insensitive. Generally the "MSTS" cookie name will be used, as it can
18905 contain the user name of the client connecting to the server if properly
18906 configured on the client. The "MSTSHASH" cookie is often used as well for
18907 session stickiness to servers.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020018908
Willy Tarreau74ca5042013-06-11 23:12:07 +020018909 This differs from "balance rdp-cookie" in that any balancing algorithm may be
18910 used and thus the distribution of clients to backend servers is not linked to
18911 a hash of the RDP cookie. It is envisaged that using a balancing algorithm
18912 such as "balance roundrobin" or "balance leastconn" will lead to a more even
18913 distribution of clients to backend servers than the hash used by "balance
18914 rdp-cookie".
Willy Tarreau04aa6a92012-04-06 18:57:55 +020018915
Willy Tarreau74ca5042013-06-11 23:12:07 +020018916 ACL derivatives :
18917 req_rdp_cookie([<name>]) : exact string match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020018918
Willy Tarreau74ca5042013-06-11 23:12:07 +020018919 Example :
18920 listen tse-farm
18921 bind 0.0.0.0:3389
18922 # wait up to 5s for an RDP cookie in the request
18923 tcp-request inspect-delay 5s
18924 tcp-request content accept if RDP_COOKIE
18925 # apply RDP cookie persistence
18926 persist rdp-cookie
18927 # Persist based on the mstshash cookie
18928 # This is only useful makes sense if
18929 # balance rdp-cookie is not used
18930 stick-table type string size 204800
18931 stick on req.rdp_cookie(mstshash)
18932 server srv1 1.1.1.1:3389
18933 server srv1 1.1.1.2:3389
Willy Tarreau04aa6a92012-04-06 18:57:55 +020018934
Willy Tarreau74ca5042013-06-11 23:12:07 +020018935 See also : "balance rdp-cookie", "persist rdp-cookie", "tcp-request" and the
18936 "req_rdp_cookie" ACL.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020018937
Willy Tarreau74ca5042013-06-11 23:12:07 +020018938req.rdp_cookie_cnt([name]) : integer
18939rdp_cookie_cnt([name]) : integer (deprecated)
18940 Tries to parse the request buffer as RDP protocol, then returns an integer
18941 corresponding to the number of RDP cookies found. If an optional cookie name
18942 is passed, only cookies matching this name are considered. This is mostly
18943 used in ACL.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020018944
Willy Tarreau74ca5042013-06-11 23:12:07 +020018945 ACL derivatives :
18946 req_rdp_cookie_cnt([<name>]) : integer match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020018947
Alex Zorin4afdd132018-12-30 13:56:28 +110018948req.ssl_alpn : string
18949 Returns a string containing the values of the Application-Layer Protocol
18950 Negotiation (ALPN) TLS extension (RFC7301), sent by the client within the SSL
18951 ClientHello message. Note that this only applies to raw contents found in the
18952 request buffer and not to the contents deciphered via an SSL data layer, so
18953 this will not work with "bind" lines having the "ssl" option. This is useful
18954 in ACL to make a routing decision based upon the ALPN preferences of a TLS
Jarno Huuskonene504f812019-01-03 07:56:49 +020018955 client, like in the example below. See also "ssl_fc_alpn".
Alex Zorin4afdd132018-12-30 13:56:28 +110018956
18957 Examples :
18958 # Wait for a client hello for at most 5 seconds
18959 tcp-request inspect-delay 5s
18960 tcp-request content accept if { req_ssl_hello_type 1 }
Jarno Huuskonene504f812019-01-03 07:56:49 +020018961 use_backend bk_acme if { req.ssl_alpn acme-tls/1 }
Alex Zorin4afdd132018-12-30 13:56:28 +110018962 default_backend bk_default
18963
Nenad Merdanovic5fc7d7e2015-07-07 22:00:17 +020018964req.ssl_ec_ext : boolean
18965 Returns a boolean identifying if client sent the Supported Elliptic Curves
18966 Extension as defined in RFC4492, section 5.1. within the SSL ClientHello
Cyril Bonté307ee1e2015-09-28 23:16:06 +020018967 message. This can be used to present ECC compatible clients with EC
18968 certificate and to use RSA for all others, on the same IP address. Note that
18969 this only applies to raw contents found in the request buffer and not to
18970 contents deciphered via an SSL data layer, so this will not work with "bind"
18971 lines having the "ssl" option.
Nenad Merdanovic5fc7d7e2015-07-07 22:00:17 +020018972
Willy Tarreau74ca5042013-06-11 23:12:07 +020018973req.ssl_hello_type : integer
18974req_ssl_hello_type : integer (deprecated)
18975 Returns an integer value containing the type of the SSL hello message found
18976 in the request buffer if the buffer contains data that parse as a complete
18977 SSL (v3 or superior) client hello message. Note that this only applies to raw
18978 contents found in the request buffer and not to contents deciphered via an
18979 SSL data layer, so this will not work with "bind" lines having the "ssl"
18980 option. This is mostly used in ACL to detect presence of an SSL hello message
18981 that is supposed to contain an SSL session ID usable for stickiness.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020018982
Willy Tarreau74ca5042013-06-11 23:12:07 +020018983req.ssl_sni : string
18984req_ssl_sni : string (deprecated)
18985 Returns a string containing the value of the Server Name TLS extension sent
18986 by a client in a TLS stream passing through the request buffer if the buffer
18987 contains data that parse as a complete SSL (v3 or superior) client hello
18988 message. Note that this only applies to raw contents found in the request
18989 buffer and not to contents deciphered via an SSL data layer, so this will not
Lukas Tribusa267b5d2020-07-19 00:25:06 +020018990 work with "bind" lines having the "ssl" option. This will only work for actual
18991 implicit TLS based protocols like HTTPS (443), IMAPS (993), SMTPS (465),
18992 however it will not work for explicit TLS based protocols, like SMTP (25/587)
18993 or IMAP (143). SNI normally contains the name of the host the client tries to
18994 connect to (for recent browsers). SNI is useful for allowing or denying access
18995 to certain hosts when SSL/TLS is used by the client. This test was designed to
18996 be used with TCP request content inspection. If content switching is needed,
18997 it is recommended to first wait for a complete client hello (type 1), like in
18998 the example below. See also "ssl_fc_sni".
Willy Tarreau04aa6a92012-04-06 18:57:55 +020018999
Willy Tarreau74ca5042013-06-11 23:12:07 +020019000 ACL derivatives :
19001 req_ssl_sni : exact string match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020019002
Willy Tarreau74ca5042013-06-11 23:12:07 +020019003 Examples :
19004 # Wait for a client hello for at most 5 seconds
19005 tcp-request inspect-delay 5s
19006 tcp-request content accept if { req_ssl_hello_type 1 }
19007 use_backend bk_allow if { req_ssl_sni -f allowed_sites }
19008 default_backend bk_sorry_page
Willy Tarreau04aa6a92012-04-06 18:57:55 +020019009
Pradeep Jindalbb2acf52015-09-29 10:12:57 +053019010req.ssl_st_ext : integer
19011 Returns 0 if the client didn't send a SessionTicket TLS Extension (RFC5077)
19012 Returns 1 if the client sent SessionTicket TLS Extension
19013 Returns 2 if the client also sent non-zero length TLS SessionTicket
19014 Note that this only applies to raw contents found in the request buffer and
19015 not to contents deciphered via an SSL data layer, so this will not work with
19016 "bind" lines having the "ssl" option. This can for example be used to detect
19017 whether the client sent a SessionTicket or not and stick it accordingly, if
19018 no SessionTicket then stick on SessionID or don't stick as there's no server
19019 side state is there when SessionTickets are in use.
19020
Willy Tarreau74ca5042013-06-11 23:12:07 +020019021req.ssl_ver : integer
19022req_ssl_ver : integer (deprecated)
19023 Returns an integer value containing the version of the SSL/TLS protocol of a
19024 stream present in the request buffer. Both SSLv2 hello messages and SSLv3
19025 messages are supported. TLSv1 is announced as SSL version 3.1. The value is
19026 composed of the major version multiplied by 65536, added to the minor
19027 version. Note that this only applies to raw contents found in the request
19028 buffer and not to contents deciphered via an SSL data layer, so this will not
19029 work with "bind" lines having the "ssl" option. The ACL version of the test
Davor Ocelice9ed2812017-12-25 17:49:28 +010019030 matches against a decimal notation in the form MAJOR.MINOR (e.g. 3.1). This
Willy Tarreau74ca5042013-06-11 23:12:07 +020019031 fetch is mostly used in ACL.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019032
Willy Tarreau74ca5042013-06-11 23:12:07 +020019033 ACL derivatives :
19034 req_ssl_ver : decimal match
Willy Tarreaud63335a2010-02-26 12:56:52 +010019035
Willy Tarreau47e8eba2013-09-11 23:28:46 +020019036res.len : integer
19037 Returns an integer value corresponding to the number of bytes present in the
19038 response buffer. This is mostly used in ACL. It is important to understand
19039 that this test does not return false as long as the buffer is changing. This
19040 means that a check with equality to zero will almost always immediately match
19041 at the beginning of the session, while a test for more data will wait for
Daniel Corbett9f0843f2021-05-08 10:50:37 -040019042 that data to come in and return false only when HAProxy is certain that no
Willy Tarreau47e8eba2013-09-11 23:28:46 +020019043 more data will come in. This test was designed to be used with TCP response
Christopher Faulete596d182020-05-05 17:46:34 +020019044 content inspection. But it may also be used in tcp-check based expect rules.
Willy Tarreau47e8eba2013-09-11 23:28:46 +020019045
Willy Tarreau74ca5042013-06-11 23:12:07 +020019046res.payload(<offset>,<length>) : binary
19047 This extracts a binary block of <length> bytes and starting at byte <offset>
Willy Tarreau00f00842013-08-02 11:07:32 +020019048 in the response buffer. As a special case, if the <length> argument is zero,
Christopher Faulete596d182020-05-05 17:46:34 +020019049 the whole buffer from <offset> to the end is extracted. This can be used
Willy Tarreau00f00842013-08-02 11:07:32 +020019050 with ACLs in order to check for the presence of some content in a buffer at
Christopher Faulete596d182020-05-05 17:46:34 +020019051 any location. It may also be used in tcp-check based expect rules.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019052
Willy Tarreau74ca5042013-06-11 23:12:07 +020019053res.payload_lv(<offset1>,<length>[,<offset2>]) : binary
19054 This extracts a binary block whose size is specified at <offset1> for <length>
19055 bytes, and which starts at <offset2> if specified or just after the length in
19056 the response buffer. The <offset2> parameter also supports relative offsets
Christopher Faulete596d182020-05-05 17:46:34 +020019057 if prepended with a '+' or '-' sign. It may also be used in tcp-check based
19058 expect rules.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019059
Willy Tarreau74ca5042013-06-11 23:12:07 +020019060 Example : please consult the example from the "stick store-response" keyword.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019061
Willy Tarreau971f7b62015-09-29 14:06:59 +020019062res.ssl_hello_type : integer
19063rep_ssl_hello_type : integer (deprecated)
19064 Returns an integer value containing the type of the SSL hello message found
19065 in the response buffer if the buffer contains data that parses as a complete
19066 SSL (v3 or superior) hello message. Note that this only applies to raw
19067 contents found in the response buffer and not to contents deciphered via an
19068 SSL data layer, so this will not work with "server" lines having the "ssl"
19069 option. This is mostly used in ACL to detect presence of an SSL hello message
19070 that is supposed to contain an SSL session ID usable for stickiness.
19071
Willy Tarreau74ca5042013-06-11 23:12:07 +020019072wait_end : boolean
19073 This fetch either returns true when the inspection period is over, or does
19074 not fetch. It is only used in ACLs, in conjunction with content analysis to
Davor Ocelice9ed2812017-12-25 17:49:28 +010019075 avoid returning a wrong verdict early. It may also be used to delay some
Willy Tarreau74ca5042013-06-11 23:12:07 +020019076 actions, such as a delayed reject for some special addresses. Since it either
19077 stops the rules evaluation or immediately returns true, it is recommended to
Davor Ocelice9ed2812017-12-25 17:49:28 +010019078 use this acl as the last one in a rule. Please note that the default ACL
Willy Tarreau74ca5042013-06-11 23:12:07 +020019079 "WAIT_END" is always usable without prior declaration. This test was designed
19080 to be used with TCP request content inspection.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019081
Willy Tarreau74ca5042013-06-11 23:12:07 +020019082 Examples :
19083 # delay every incoming request by 2 seconds
19084 tcp-request inspect-delay 2s
19085 tcp-request content accept if WAIT_END
Willy Tarreaud63335a2010-02-26 12:56:52 +010019086
Willy Tarreau74ca5042013-06-11 23:12:07 +020019087 # don't immediately tell bad guys they are rejected
19088 tcp-request inspect-delay 10s
19089 acl goodguys src 10.0.0.0/24
19090 acl badguys src 10.0.1.0/24
19091 tcp-request content accept if goodguys
19092 tcp-request content reject if badguys WAIT_END
19093 tcp-request content reject
19094
19095
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200190967.3.6. Fetching HTTP samples (Layer 7)
Willy Tarreau74ca5042013-06-11 23:12:07 +020019097--------------------------------------
19098
19099It is possible to fetch samples from HTTP contents, requests and responses.
19100This application layer is also called layer 7. It is only possible to fetch the
19101data in this section when a full HTTP request or response has been parsed from
19102its respective request or response buffer. This is always the case with all
19103HTTP specific rules and for sections running with "mode http". When using TCP
19104content inspection, it may be necessary to support an inspection delay in order
19105to let the request or response come in first. These fetches may require a bit
19106more CPU resources than the layer 4 ones, but not much since the request and
19107response are indexed.
19108
Christopher Faulet4d37e532021-03-26 14:44:00 +010019109Note : Regarding HTTP processing from the tcp-request content rules, everything
19110 will work as expected from an HTTP proxy. However, from a TCP proxy,
19111 without an HTTP upgrade, it will only work for HTTP/1 content. For
19112 HTTP/2 content, only the preface is visible. Thus, it is only possible
19113 to rely to "req.proto_http", "req.ver" and eventually "method" sample
19114 fetches. All other L7 sample fetches will fail. After an HTTP upgrade,
19115 they will work in the same manner than from an HTTP proxy.
19116
Willy Tarreau74ca5042013-06-11 23:12:07 +020019117base : string
19118 This returns the concatenation of the first Host header and the path part of
19119 the request, which starts at the first slash and ends before the question
19120 mark. It can be useful in virtual hosted environments to detect URL abuses as
19121 well as to improve shared caches efficiency. Using this with a limited size
19122 stick table also allows one to collect statistics about most commonly
19123 requested objects by host/path. With ACLs it can allow simple content
19124 switching rules involving the host and the path at the same time, such as
19125 "www.example.com/favicon.ico". See also "path" and "uri".
19126
19127 ACL derivatives :
19128 base : exact string match
19129 base_beg : prefix match
19130 base_dir : subdir match
19131 base_dom : domain match
19132 base_end : suffix match
19133 base_len : length match
19134 base_reg : regex match
19135 base_sub : substring match
19136
19137base32 : integer
19138 This returns a 32-bit hash of the value returned by the "base" fetch method
19139 above. This is useful to track per-URL activity on high traffic sites without
19140 having to store all URLs. Instead a shorter hash is stored, saving a lot of
Willy Tarreau23ec4ca2014-07-15 20:15:37 +020019141 memory. The output type is an unsigned integer. The hash function used is
19142 SDBM with full avalanche on the output. Technically, base32 is exactly equal
19143 to "base,sdbm(1)".
Willy Tarreau74ca5042013-06-11 23:12:07 +020019144
19145base32+src : binary
19146 This returns the concatenation of the base32 fetch above and the src fetch
19147 below. The resulting type is of type binary, with a size of 8 or 20 bytes
19148 depending on the source address family. This can be used to track per-IP,
19149 per-URL counters.
19150
Yves Lafonb4d37082021-02-11 11:01:28 +010019151baseq : string
19152 This returns the concatenation of the first Host header and the path part of
19153 the request with the query-string, which starts at the first slash. Using this
19154 instead of "base" allows one to properly identify the target resource, for
19155 statistics or caching use cases. See also "path", "pathq" and "base".
19156
William Lallemand65ad6e12014-01-31 15:08:02 +010019157capture.req.hdr(<idx>) : string
19158 This extracts the content of the header captured by the "capture request
19159 header", idx is the position of the capture keyword in the configuration.
19160 The first entry is an index of 0. See also: "capture request header".
19161
19162capture.req.method : string
19163 This extracts the METHOD of an HTTP request. It can be used in both request
19164 and response. Unlike "method", it can be used in both request and response
19165 because it's allocated.
19166
19167capture.req.uri : string
19168 This extracts the request's URI, which starts at the first slash and ends
19169 before the first space in the request (without the host part). Unlike "path"
19170 and "url", it can be used in both request and response because it's
19171 allocated.
19172
Willy Tarreau3c1b5ec2014-04-24 23:41:57 +020019173capture.req.ver : string
19174 This extracts the request's HTTP version and returns either "HTTP/1.0" or
19175 "HTTP/1.1". Unlike "req.ver", it can be used in both request, response, and
19176 logs because it relies on a persistent flag.
19177
William Lallemand65ad6e12014-01-31 15:08:02 +010019178capture.res.hdr(<idx>) : string
19179 This extracts the content of the header captured by the "capture response
19180 header", idx is the position of the capture keyword in the configuration.
19181 The first entry is an index of 0.
19182 See also: "capture response header"
19183
Willy Tarreau3c1b5ec2014-04-24 23:41:57 +020019184capture.res.ver : string
19185 This extracts the response's HTTP version and returns either "HTTP/1.0" or
19186 "HTTP/1.1". Unlike "res.ver", it can be used in logs because it relies on a
19187 persistent flag.
19188
Willy Tarreaua5910cc2015-05-02 00:46:08 +020019189req.body : binary
Christopher Fauletaf4dc4c2020-05-05 17:33:25 +020019190 This returns the HTTP request's available body as a block of data. It is
19191 recommended to use "option http-buffer-request" to be sure to wait, as much
19192 as possible, for the request's body.
Willy Tarreaua5910cc2015-05-02 00:46:08 +020019193
Thierry FOURNIER9826c772015-05-20 15:50:54 +020019194req.body_param([<name>) : string
19195 This fetch assumes that the body of the POST request is url-encoded. The user
19196 can check if the "content-type" contains the value
19197 "application/x-www-form-urlencoded". This extracts the first occurrence of the
19198 parameter <name> in the body, which ends before '&'. The parameter name is
19199 case-sensitive. If no name is given, any parameter will match, and the first
19200 one will be returned. The result is a string corresponding to the value of the
19201 parameter <name> as presented in the request body (no URL decoding is
19202 performed). Note that the ACL version of this fetch iterates over multiple
19203 parameters and will iteratively report all parameters values if no name is
19204 given.
19205
Willy Tarreaua5910cc2015-05-02 00:46:08 +020019206req.body_len : integer
19207 This returns the length of the HTTP request's available body in bytes. It may
19208 be lower than the advertised length if the body is larger than the buffer. It
Christopher Fauletaf4dc4c2020-05-05 17:33:25 +020019209 is recommended to use "option http-buffer-request" to be sure to wait, as
19210 much as possible, for the request's body.
Willy Tarreaua5910cc2015-05-02 00:46:08 +020019211
19212req.body_size : integer
19213 This returns the advertised length of the HTTP request's body in bytes. It
Christopher Fauletaf4dc4c2020-05-05 17:33:25 +020019214 will represent the advertised Content-Length header, or the size of the
19215 available data in case of chunked encoding.
Willy Tarreaua5910cc2015-05-02 00:46:08 +020019216
Willy Tarreau74ca5042013-06-11 23:12:07 +020019217req.cook([<name>]) : string
19218cook([<name>]) : string (deprecated)
19219 This extracts the last occurrence of the cookie name <name> on a "Cookie"
19220 header line from the request, and returns its value as string. If no name is
19221 specified, the first cookie value is returned. When used with ACLs, all
19222 matching cookies are evaluated. Spaces around the name and the value are
19223 ignored as requested by the Cookie header specification (RFC6265). The cookie
19224 name is case-sensitive. Empty cookies are valid, so an empty cookie may very
19225 well return an empty value if it is present. Use the "found" match to detect
19226 presence. Use the res.cook() variant for response cookies sent by the server.
19227
19228 ACL derivatives :
19229 cook([<name>]) : exact string match
19230 cook_beg([<name>]) : prefix match
19231 cook_dir([<name>]) : subdir match
19232 cook_dom([<name>]) : domain match
19233 cook_end([<name>]) : suffix match
19234 cook_len([<name>]) : length match
19235 cook_reg([<name>]) : regex match
19236 cook_sub([<name>]) : substring match
Willy Tarreaud63335a2010-02-26 12:56:52 +010019237
Willy Tarreau74ca5042013-06-11 23:12:07 +020019238req.cook_cnt([<name>]) : integer
19239cook_cnt([<name>]) : integer (deprecated)
19240 Returns an integer value representing the number of occurrences of the cookie
19241 <name> in the request, or all cookies if <name> is not specified.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019242
Willy Tarreau74ca5042013-06-11 23:12:07 +020019243req.cook_val([<name>]) : integer
19244cook_val([<name>]) : integer (deprecated)
19245 This extracts the last occurrence of the cookie name <name> on a "Cookie"
19246 header line from the request, and converts its value to an integer which is
19247 returned. If no name is specified, the first cookie value is returned. When
19248 used in ACLs, all matching names are iterated over until a value matches.
Willy Tarreau0e698542011-09-16 08:32:32 +020019249
Willy Tarreau74ca5042013-06-11 23:12:07 +020019250cookie([<name>]) : string (deprecated)
19251 This extracts the last occurrence of the cookie name <name> on a "Cookie"
19252 header line from the request, or a "Set-Cookie" header from the response, and
19253 returns its value as a string. A typical use is to get multiple clients
19254 sharing a same profile use the same server. This can be similar to what
Willy Tarreau294d0f02015-08-10 19:40:12 +020019255 "appsession" did with the "request-learn" statement, but with support for
Willy Tarreau74ca5042013-06-11 23:12:07 +020019256 multi-peer synchronization and state keeping across restarts. If no name is
19257 specified, the first cookie value is returned. This fetch should not be used
19258 anymore and should be replaced by req.cook() or res.cook() instead as it
19259 ambiguously uses the direction based on the context where it is used.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019260
Willy Tarreau74ca5042013-06-11 23:12:07 +020019261hdr([<name>[,<occ>]]) : string
19262 This is equivalent to req.hdr() when used on requests, and to res.hdr() when
19263 used on responses. Please refer to these respective fetches for more details.
19264 In case of doubt about the fetch direction, please use the explicit ones.
19265 Note that contrary to the hdr() sample fetch method, the hdr_* ACL keywords
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030019266 unambiguously apply to the request headers.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019267
Willy Tarreau74ca5042013-06-11 23:12:07 +020019268req.fhdr(<name>[,<occ>]) : string
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019269 This returns the full value of the last occurrence of header <name> in an
19270 HTTP request. It differs from req.hdr() in that any commas present in the
19271 value are returned and are not used as delimiters. This is sometimes useful
19272 with headers such as User-Agent.
19273
19274 When used from an ACL, all occurrences are iterated over until a match is
19275 found.
19276
Willy Tarreau74ca5042013-06-11 23:12:07 +020019277 Optionally, a specific occurrence might be specified as a position number.
19278 Positive values indicate a position from the first occurrence, with 1 being
19279 the first one. Negative values indicate positions relative to the last one,
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019280 with -1 being the last one.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019281
Willy Tarreau74ca5042013-06-11 23:12:07 +020019282req.fhdr_cnt([<name>]) : integer
19283 Returns an integer value representing the number of occurrences of request
19284 header field name <name>, or the total number of header fields if <name> is
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019285 not specified. Like req.fhdr() it differs from res.hdr_cnt() by not splitting
19286 headers at commas.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019287
Willy Tarreau74ca5042013-06-11 23:12:07 +020019288req.hdr([<name>[,<occ>]]) : string
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019289 This returns the last comma-separated value of the header <name> in an HTTP
19290 request. The fetch considers any comma as a delimiter for distinct values.
19291 This is useful if you need to process headers that are defined to be a list
19292 of values, such as Accept, or X-Forwarded-For. If full-line headers are
19293 desired instead, use req.fhdr(). Please carefully check RFC 7231 to know how
19294 certain headers are supposed to be parsed. Also, some of them are case
19295 insensitive (e.g. Connection).
19296
19297 When used from an ACL, all occurrences are iterated over until a match is
19298 found.
19299
Willy Tarreau74ca5042013-06-11 23:12:07 +020019300 Optionally, a specific occurrence might be specified as a position number.
19301 Positive values indicate a position from the first occurrence, with 1 being
19302 the first one. Negative values indicate positions relative to the last one,
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019303 with -1 being the last one.
19304
19305 A typical use is with the X-Forwarded-For header once converted to IP,
19306 associated with an IP stick-table.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019307
Willy Tarreau74ca5042013-06-11 23:12:07 +020019308 ACL derivatives :
19309 hdr([<name>[,<occ>]]) : exact string match
19310 hdr_beg([<name>[,<occ>]]) : prefix match
19311 hdr_dir([<name>[,<occ>]]) : subdir match
19312 hdr_dom([<name>[,<occ>]]) : domain match
19313 hdr_end([<name>[,<occ>]]) : suffix match
19314 hdr_len([<name>[,<occ>]]) : length match
19315 hdr_reg([<name>[,<occ>]]) : regex match
19316 hdr_sub([<name>[,<occ>]]) : substring match
19317
19318req.hdr_cnt([<name>]) : integer
19319hdr_cnt([<header>]) : integer (deprecated)
19320 Returns an integer value representing the number of occurrences of request
19321 header field name <name>, or the total number of header field values if
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019322 <name> is not specified. Like req.hdr() it counts each comma separated
19323 part of the header's value. If counting of full-line headers is desired,
19324 then req.fhdr_cnt() should be used instead.
19325
19326 With ACLs, it can be used to detect presence, absence or abuse of a specific
19327 header, as well as to block request smuggling attacks by rejecting requests
19328 which contain more than one of certain headers.
19329
19330 Refer to req.hdr() for more information on header matching.
Willy Tarreau74ca5042013-06-11 23:12:07 +020019331
19332req.hdr_ip([<name>[,<occ>]]) : ip
19333hdr_ip([<name>[,<occ>]]) : ip (deprecated)
19334 This extracts the last occurrence of header <name> in an HTTP request,
19335 converts it to an IPv4 or IPv6 address and returns this address. When used
19336 with ACLs, all occurrences are checked, and if <name> is omitted, every value
Willy Tarreau7b0e00d2021-03-25 14:12:29 +010019337 of every header is checked. The parser strictly adheres to the format
19338 described in RFC7239, with the extension that IPv4 addresses may optionally
19339 be followed by a colon (':') and a valid decimal port number (0 to 65535),
19340 which will be silently dropped. All other forms will not match and will
19341 cause the address to be ignored.
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019342
19343 The <occ> parameter is processed as with req.hdr().
19344
19345 A typical use is with the X-Forwarded-For and X-Client-IP headers.
Willy Tarreau74ca5042013-06-11 23:12:07 +020019346
19347req.hdr_val([<name>[,<occ>]]) : integer
19348hdr_val([<name>[,<occ>]]) : integer (deprecated)
19349 This extracts the last occurrence of header <name> in an HTTP request, and
19350 converts it to an integer value. When used with ACLs, all occurrences are
19351 checked, and if <name> is omitted, every value of every header is checked.
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019352
19353 The <occ> parameter is processed as with req.hdr().
19354
19355 A typical use is with the X-Forwarded-For header.
Willy Tarreau74ca5042013-06-11 23:12:07 +020019356
Christopher Faulet687a68e2020-11-24 17:13:24 +010019357req.hdrs : string
19358 Returns the current request headers as string including the last empty line
19359 separating headers from the request body. The last empty line can be used to
19360 detect a truncated header block. This sample fetch is useful for some SPOE
19361 headers analyzers and for advanced logging.
19362
19363req.hdrs_bin : binary
19364 Returns the current request headers contained in preparsed binary form. This
19365 is useful for offloading some processing with SPOE. Each string is described
19366 by a length followed by the number of bytes indicated in the length. The
19367 length is represented using the variable integer encoding detailed in the
19368 SPOE documentation. The end of the list is marked by a couple of empty header
19369 names and values (length of 0 for both).
19370
19371 *(<str:header-name><str:header-value>)<empty string><empty string>
Frédéric Lécailleec891192019-02-26 15:02:35 +010019372
Christopher Faulet687a68e2020-11-24 17:13:24 +010019373 int: refer to the SPOE documentation for the encoding
19374 str: <int:length><bytes>
Frédéric Lécailleec891192019-02-26 15:02:35 +010019375
Willy Tarreau74ca5042013-06-11 23:12:07 +020019376http_auth(<userlist>) : boolean
19377 Returns a boolean indicating whether the authentication data received from
19378 the client match a username & password stored in the specified userlist. This
19379 fetch function is not really useful outside of ACLs. Currently only http
19380 basic auth is supported.
19381
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010019382http_auth_group(<userlist>) : string
19383 Returns a string corresponding to the user name found in the authentication
19384 data received from the client if both the user name and password are valid
19385 according to the specified userlist. The main purpose is to use it in ACLs
19386 where it is then checked whether the user belongs to any group within a list.
Willy Tarreau74ca5042013-06-11 23:12:07 +020019387 This fetch function is not really useful outside of ACLs. Currently only http
19388 basic auth is supported.
19389
19390 ACL derivatives :
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010019391 http_auth_group(<userlist>) : group ...
19392 Returns true when the user extracted from the request and whose password is
19393 valid according to the specified userlist belongs to at least one of the
19394 groups.
Willy Tarreau74ca5042013-06-11 23:12:07 +020019395
Christopher Fauleta4063562019-08-02 11:51:37 +020019396http_auth_pass : string
Willy Tarreauc9c6cdb2020-03-05 16:03:58 +010019397 Returns the user's password found in the authentication data received from
19398 the client, as supplied in the Authorization header. Not checks are
19399 performed by this sample fetch. Only Basic authentication is supported.
Christopher Fauleta4063562019-08-02 11:51:37 +020019400
19401http_auth_type : string
Willy Tarreauc9c6cdb2020-03-05 16:03:58 +010019402 Returns the authentication method found in the authentication data received from
19403 the client, as supplied in the Authorization header. Not checks are
19404 performed by this sample fetch. Only Basic authentication is supported.
Christopher Fauleta4063562019-08-02 11:51:37 +020019405
19406http_auth_user : string
Willy Tarreauc9c6cdb2020-03-05 16:03:58 +010019407 Returns the user name found in the authentication data received from the
19408 client, as supplied in the Authorization header. Not checks are performed by
19409 this sample fetch. Only Basic authentication is supported.
Christopher Fauleta4063562019-08-02 11:51:37 +020019410
Willy Tarreau74ca5042013-06-11 23:12:07 +020019411http_first_req : boolean
Willy Tarreau7f18e522010-10-22 20:04:13 +020019412 Returns true when the request being processed is the first one of the
19413 connection. This can be used to add or remove headers that may be missing
Willy Tarreau74ca5042013-06-11 23:12:07 +020019414 from some requests when a request is not the first one, or to help grouping
19415 requests in the logs.
Willy Tarreau7f18e522010-10-22 20:04:13 +020019416
Willy Tarreau74ca5042013-06-11 23:12:07 +020019417method : integer + string
19418 Returns an integer value corresponding to the method in the HTTP request. For
19419 example, "GET" equals 1 (check sources to establish the matching). Value 9
19420 means "other method" and may be converted to a string extracted from the
19421 stream. This should not be used directly as a sample, this is only meant to
19422 be used from ACLs, which transparently convert methods from patterns to these
19423 integer + string values. Some predefined ACL already check for most common
19424 methods.
Willy Tarreau6a06a402007-07-15 20:15:28 +020019425
Willy Tarreau74ca5042013-06-11 23:12:07 +020019426 ACL derivatives :
19427 method : case insensitive method match
Willy Tarreau6a06a402007-07-15 20:15:28 +020019428
Willy Tarreau74ca5042013-06-11 23:12:07 +020019429 Example :
19430 # only accept GET and HEAD requests
19431 acl valid_method method GET HEAD
19432 http-request deny if ! valid_method
Willy Tarreau6a06a402007-07-15 20:15:28 +020019433
Willy Tarreau74ca5042013-06-11 23:12:07 +020019434path : string
19435 This extracts the request's URL path, which starts at the first slash and
19436 ends before the question mark (without the host part). A typical use is with
19437 prefetch-capable caches, and with portals which need to aggregate multiple
19438 information from databases and keep them in caches. Note that with outgoing
19439 caches, it would be wiser to use "url" instead. With ACLs, it's typically
Davor Ocelice9ed2812017-12-25 17:49:28 +010019440 used to match exact file names (e.g. "/login.php"), or directory parts using
Willy Tarreau74ca5042013-06-11 23:12:07 +020019441 the derivative forms. See also the "url" and "base" fetch methods.
Willy Tarreau6a06a402007-07-15 20:15:28 +020019442
Willy Tarreau74ca5042013-06-11 23:12:07 +020019443 ACL derivatives :
19444 path : exact string match
19445 path_beg : prefix match
19446 path_dir : subdir match
19447 path_dom : domain match
19448 path_end : suffix match
19449 path_len : length match
19450 path_reg : regex match
19451 path_sub : substring match
Willy Tarreau6a06a402007-07-15 20:15:28 +020019452
Christopher Faulete720c322020-09-02 17:25:18 +020019453pathq : string
19454 This extracts the request's URL path with the query-string, which starts at
19455 the first slash. This sample fetch is pretty handy to always retrieve a
19456 relative URI, excluding the scheme and the authority part, if any. Indeed,
19457 while it is the common representation for an HTTP/1.1 request target, in
19458 HTTP/2, an absolute URI is often used. This sample fetch will return the same
19459 result in both cases.
19460
Willy Tarreau49ad95c2015-01-19 15:06:26 +010019461query : string
19462 This extracts the request's query string, which starts after the first
19463 question mark. If no question mark is present, this fetch returns nothing. If
19464 a question mark is present but nothing follows, it returns an empty string.
19465 This means it's possible to easily know whether a query string is present
Tim Düsterhus4896c442016-11-29 02:15:19 +010019466 using the "found" matching method. This fetch is the complement of "path"
Willy Tarreau49ad95c2015-01-19 15:06:26 +010019467 which stops before the question mark.
19468
Willy Tarreaueb27ec72015-02-20 13:55:29 +010019469req.hdr_names([<delim>]) : string
19470 This builds a string made from the concatenation of all header names as they
19471 appear in the request when the rule is evaluated. The default delimiter is
19472 the comma (',') but it may be overridden as an optional argument <delim>. In
19473 this case, only the first character of <delim> is considered.
19474
Willy Tarreau74ca5042013-06-11 23:12:07 +020019475req.ver : string
19476req_ver : string (deprecated)
19477 Returns the version string from the HTTP request, for example "1.1". This can
19478 be useful for logs, but is mostly there for ACL. Some predefined ACL already
19479 check for versions 1.0 and 1.1.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019480
Willy Tarreau74ca5042013-06-11 23:12:07 +020019481 ACL derivatives :
19482 req_ver : exact string match
Willy Tarreau0e698542011-09-16 08:32:32 +020019483
Christopher Faulete596d182020-05-05 17:46:34 +020019484res.body : binary
19485 This returns the HTTP response's available body as a block of data. Unlike
19486 the request side, there is no directive to wait for the response's body. This
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019487 sample fetch is really useful (and usable) in the health-check context.
19488
19489 It may be used in tcp-check based expect rules.
Christopher Faulete596d182020-05-05 17:46:34 +020019490
19491res.body_len : integer
19492 This returns the length of the HTTP response available body in bytes. Unlike
19493 the request side, there is no directive to wait for the response's body. This
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019494 sample fetch is really useful (and usable) in the health-check context.
19495
19496 It may be used in tcp-check based expect rules.
Christopher Faulete596d182020-05-05 17:46:34 +020019497
19498res.body_size : integer
19499 This returns the advertised length of the HTTP response body in bytes. It
19500 will represent the advertised Content-Length header, or the size of the
19501 available data in case of chunked encoding. Unlike the request side, there is
19502 no directive to wait for the response body. This sample fetch is really
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019503 useful (and usable) in the health-check context.
19504
19505 It may be used in tcp-check based expect rules.
Christopher Faulete596d182020-05-05 17:46:34 +020019506
Remi Tricot-Le Bretonbf971212020-10-27 11:55:57 +010019507res.cache_hit : boolean
19508 Returns the boolean "true" value if the response has been built out of an
19509 HTTP cache entry, otherwise returns boolean "false".
19510
19511res.cache_name : string
19512 Returns a string containing the name of the HTTP cache that was used to
19513 build the HTTP response if res.cache_hit is true, otherwise returns an
19514 empty string.
19515
Willy Tarreau74ca5042013-06-11 23:12:07 +020019516res.comp : boolean
19517 Returns the boolean "true" value if the response has been compressed by
19518 HAProxy, otherwise returns boolean "false". This may be used to add
19519 information in the logs.
Willy Tarreau6a06a402007-07-15 20:15:28 +020019520
Willy Tarreau74ca5042013-06-11 23:12:07 +020019521res.comp_algo : string
19522 Returns a string containing the name of the algorithm used if the response
19523 was compressed by HAProxy, for example : "deflate". This may be used to add
19524 some information in the logs.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019525
Willy Tarreau74ca5042013-06-11 23:12:07 +020019526res.cook([<name>]) : string
19527scook([<name>]) : string (deprecated)
19528 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
19529 header line from the response, and returns its value as string. If no name is
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019530 specified, the first cookie value is returned.
19531
19532 It may be used in tcp-check based expect rules.
Willy Tarreau0ce3aa02012-04-25 18:46:33 +020019533
Willy Tarreau74ca5042013-06-11 23:12:07 +020019534 ACL derivatives :
19535 scook([<name>] : exact string match
Willy Tarreau0ce3aa02012-04-25 18:46:33 +020019536
Willy Tarreau74ca5042013-06-11 23:12:07 +020019537res.cook_cnt([<name>]) : integer
19538scook_cnt([<name>]) : integer (deprecated)
19539 Returns an integer value representing the number of occurrences of the cookie
19540 <name> in the response, or all cookies if <name> is not specified. This is
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019541 mostly useful when combined with ACLs to detect suspicious responses.
19542
19543 It may be used in tcp-check based expect rules.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019544
Willy Tarreau74ca5042013-06-11 23:12:07 +020019545res.cook_val([<name>]) : integer
19546scook_val([<name>]) : integer (deprecated)
19547 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
19548 header line from the response, and converts its value to an integer which is
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019549 returned. If no name is specified, the first cookie value is returned.
19550
19551 It may be used in tcp-check based expect rules.
Willy Tarreaud63335a2010-02-26 12:56:52 +010019552
Willy Tarreau74ca5042013-06-11 23:12:07 +020019553res.fhdr([<name>[,<occ>]]) : string
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019554 This fetch works like the req.fhdr() fetch with the difference that it acts
19555 on the headers within an HTTP response.
19556
19557 Like req.fhdr() the res.fhdr() fetch returns full values. If the header is
19558 defined to be a list you should use res.hdr().
19559
19560 This fetch is sometimes useful with headers such as Date or Expires.
19561
19562 It may be used in tcp-check based expect rules.
Willy Tarreau6a06a402007-07-15 20:15:28 +020019563
Willy Tarreau74ca5042013-06-11 23:12:07 +020019564res.fhdr_cnt([<name>]) : integer
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019565 This fetch works like the req.fhdr_cnt() fetch with the difference that it
19566 acts on the headers within an HTTP response.
19567
19568 Like req.fhdr_cnt() the res.fhdr_cnt() fetch acts on full values. If the
19569 header is defined to be a list you should use res.hdr_cnt().
19570
19571 It may be used in tcp-check based expect rules.
Willy Tarreau6a06a402007-07-15 20:15:28 +020019572
Willy Tarreau74ca5042013-06-11 23:12:07 +020019573res.hdr([<name>[,<occ>]]) : string
19574shdr([<name>[,<occ>]]) : string (deprecated)
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019575 This fetch works like the req.hdr() fetch with the difference that it acts
19576 on the headers within an HTTP response.
19577
Ilya Shipitsinacf84592021-02-06 22:29:08 +050019578 Like req.hdr() the res.hdr() fetch considers the comma to be a delimiter. If
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019579 this is not desired res.fhdr() should be used.
19580
19581 It may be used in tcp-check based expect rules.
Willy Tarreau6a06a402007-07-15 20:15:28 +020019582
Willy Tarreau74ca5042013-06-11 23:12:07 +020019583 ACL derivatives :
19584 shdr([<name>[,<occ>]]) : exact string match
19585 shdr_beg([<name>[,<occ>]]) : prefix match
19586 shdr_dir([<name>[,<occ>]]) : subdir match
19587 shdr_dom([<name>[,<occ>]]) : domain match
19588 shdr_end([<name>[,<occ>]]) : suffix match
19589 shdr_len([<name>[,<occ>]]) : length match
19590 shdr_reg([<name>[,<occ>]]) : regex match
19591 shdr_sub([<name>[,<occ>]]) : substring match
19592
19593res.hdr_cnt([<name>]) : integer
19594shdr_cnt([<name>]) : integer (deprecated)
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019595 This fetch works like the req.hdr_cnt() fetch with the difference that it
19596 acts on the headers within an HTTP response.
19597
19598 Like req.hdr_cnt() the res.hdr_cnt() fetch considers the comma to be a
Ilya Shipitsinacf84592021-02-06 22:29:08 +050019599 delimiter. If this is not desired res.fhdr_cnt() should be used.
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019600
19601 It may be used in tcp-check based expect rules.
Willy Tarreau6a06a402007-07-15 20:15:28 +020019602
Willy Tarreau74ca5042013-06-11 23:12:07 +020019603res.hdr_ip([<name>[,<occ>]]) : ip
19604shdr_ip([<name>[,<occ>]]) : ip (deprecated)
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019605 This fetch works like the req.hdr_ip() fetch with the difference that it
19606 acts on the headers within an HTTP response.
19607
19608 This can be useful to learn some data into a stick table.
19609
19610 It may be used in tcp-check based expect rules.
Willy Tarreau6a06a402007-07-15 20:15:28 +020019611
Willy Tarreaueb27ec72015-02-20 13:55:29 +010019612res.hdr_names([<delim>]) : string
19613 This builds a string made from the concatenation of all header names as they
19614 appear in the response when the rule is evaluated. The default delimiter is
19615 the comma (',') but it may be overridden as an optional argument <delim>. In
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019616 this case, only the first character of <delim> is considered.
19617
19618 It may be used in tcp-check based expect rules.
Willy Tarreaueb27ec72015-02-20 13:55:29 +010019619
Willy Tarreau74ca5042013-06-11 23:12:07 +020019620res.hdr_val([<name>[,<occ>]]) : integer
19621shdr_val([<name>[,<occ>]]) : integer (deprecated)
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019622 This fetch works like the req.hdr_val() fetch with the difference that it
19623 acts on the headers within an HTTP response.
19624
19625 This can be useful to learn some data into a stick table.
19626
19627 It may be used in tcp-check based expect rules.
Christopher Faulete596d182020-05-05 17:46:34 +020019628
19629res.hdrs : string
19630 Returns the current response headers as string including the last empty line
19631 separating headers from the request body. The last empty line can be used to
19632 detect a truncated header block. This sample fetch is useful for some SPOE
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019633 headers analyzers and for advanced logging.
19634
19635 It may also be used in tcp-check based expect rules.
Christopher Faulete596d182020-05-05 17:46:34 +020019636
19637res.hdrs_bin : binary
19638 Returns the current response headers contained in preparsed binary form. This
19639 is useful for offloading some processing with SPOE. It may be used in
19640 tcp-check based expect rules. Each string is described by a length followed
19641 by the number of bytes indicated in the length. The length is represented
19642 using the variable integer encoding detailed in the SPOE documentation. The
19643 end of the list is marked by a couple of empty header names and values
19644 (length of 0 for both).
19645
19646 *(<str:header-name><str:header-value>)<empty string><empty string>
19647
19648 int: refer to the SPOE documentation for the encoding
19649 str: <int:length><bytes>
Alexandre Cassen5eb1a902007-11-29 15:43:32 +010019650
Willy Tarreau74ca5042013-06-11 23:12:07 +020019651res.ver : string
19652resp_ver : string (deprecated)
19653 Returns the version string from the HTTP response, for example "1.1". This
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019654 can be useful for logs, but is mostly there for ACL.
19655
19656 It may be used in tcp-check based expect rules.
Willy Tarreau0e698542011-09-16 08:32:32 +020019657
Willy Tarreau74ca5042013-06-11 23:12:07 +020019658 ACL derivatives :
19659 resp_ver : exact string match
Alexandre Cassen5eb1a902007-11-29 15:43:32 +010019660
Willy Tarreau74ca5042013-06-11 23:12:07 +020019661set-cookie([<name>]) : string (deprecated)
19662 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
19663 header line from the response and uses the corresponding value to match. This
Willy Tarreau294d0f02015-08-10 19:40:12 +020019664 can be comparable to what "appsession" did with default options, but with
Willy Tarreau74ca5042013-06-11 23:12:07 +020019665 support for multi-peer synchronization and state keeping across restarts.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010019666
Willy Tarreau74ca5042013-06-11 23:12:07 +020019667 This fetch function is deprecated and has been superseded by the "res.cook"
19668 fetch. This keyword will disappear soon.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010019669
Willy Tarreau74ca5042013-06-11 23:12:07 +020019670status : integer
19671 Returns an integer containing the HTTP status code in the HTTP response, for
19672 example, 302. It is mostly used within ACLs and integer ranges, for example,
Tim Duesterhus27c70ae2021-01-23 17:50:21 +010019673 to remove any Location header if the response is not a 3xx.
19674
19675 It may be used in tcp-check based expect rules.
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020019676
Thierry Fournier0e00dca2016-04-07 15:47:40 +020019677unique-id : string
19678 Returns the unique-id attached to the request. The directive
19679 "unique-id-format" must be set. If it is not set, the unique-id sample fetch
19680 fails. Note that the unique-id is usually used with HTTP requests, however this
19681 sample fetch can be used with other protocols. Obviously, if it is used with
19682 other protocols than HTTP, the unique-id-format directive must not contain
19683 HTTP parts. See: unique-id-format and unique-id-header
19684
Willy Tarreau74ca5042013-06-11 23:12:07 +020019685url : string
19686 This extracts the request's URL as presented in the request. A typical use is
19687 with prefetch-capable caches, and with portals which need to aggregate
19688 multiple information from databases and keep them in caches. With ACLs, using
19689 "path" is preferred over using "url", because clients may send a full URL as
19690 is normally done with proxies. The only real use is to match "*" which does
19691 not match in "path", and for which there is already a predefined ACL. See
19692 also "path" and "base".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020019693
Willy Tarreau74ca5042013-06-11 23:12:07 +020019694 ACL derivatives :
19695 url : exact string match
19696 url_beg : prefix match
19697 url_dir : subdir match
19698 url_dom : domain match
19699 url_end : suffix match
19700 url_len : length match
19701 url_reg : regex match
19702 url_sub : substring match
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020019703
Willy Tarreau74ca5042013-06-11 23:12:07 +020019704url_ip : ip
19705 This extracts the IP address from the request's URL when the host part is
19706 presented as an IP address. Its use is very limited. For instance, a
19707 monitoring system might use this field as an alternative for the source IP in
19708 order to test what path a given source address would follow, or to force an
19709 entry in a table for a given source address. With ACLs it can be used to
19710 restrict access to certain systems through a proxy, for example when combined
19711 with option "http_proxy".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020019712
Willy Tarreau74ca5042013-06-11 23:12:07 +020019713url_port : integer
19714 This extracts the port part from the request's URL. Note that if the port is
19715 not specified in the request, port 80 is assumed. With ACLs it can be used to
19716 restrict access to certain systems through a proxy, for example when combined
19717 with option "http_proxy".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020019718
Willy Tarreau1ede1da2015-05-07 16:06:18 +020019719urlp([<name>[,<delim>]]) : string
19720url_param([<name>[,<delim>]]) : string
Willy Tarreau74ca5042013-06-11 23:12:07 +020019721 This extracts the first occurrence of the parameter <name> in the query
19722 string, which begins after either '?' or <delim>, and which ends before '&',
Willy Tarreau1ede1da2015-05-07 16:06:18 +020019723 ';' or <delim>. The parameter name is case-sensitive. If no name is given,
19724 any parameter will match, and the first one will be returned. The result is
19725 a string corresponding to the value of the parameter <name> as presented in
19726 the request (no URL decoding is performed). This can be used for session
Willy Tarreau74ca5042013-06-11 23:12:07 +020019727 stickiness based on a client ID, to extract an application cookie passed as a
19728 URL parameter, or in ACLs to apply some checks. Note that the ACL version of
Willy Tarreau1ede1da2015-05-07 16:06:18 +020019729 this fetch iterates over multiple parameters and will iteratively report all
19730 parameters values if no name is given
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020019731
Willy Tarreau74ca5042013-06-11 23:12:07 +020019732 ACL derivatives :
19733 urlp(<name>[,<delim>]) : exact string match
19734 urlp_beg(<name>[,<delim>]) : prefix match
19735 urlp_dir(<name>[,<delim>]) : subdir match
19736 urlp_dom(<name>[,<delim>]) : domain match
19737 urlp_end(<name>[,<delim>]) : suffix match
19738 urlp_len(<name>[,<delim>]) : length match
19739 urlp_reg(<name>[,<delim>]) : regex match
19740 urlp_sub(<name>[,<delim>]) : substring match
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020019741
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020019742
Willy Tarreau74ca5042013-06-11 23:12:07 +020019743 Example :
19744 # match http://example.com/foo?PHPSESSIONID=some_id
19745 stick on urlp(PHPSESSIONID)
19746 # match http://example.com/foo;JSESSIONID=some_id
19747 stick on urlp(JSESSIONID,;)
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020019748
Jarno Huuskonen676f6222017-03-30 09:19:45 +030019749urlp_val([<name>[,<delim>]]) : integer
Willy Tarreau74ca5042013-06-11 23:12:07 +020019750 See "urlp" above. This one extracts the URL parameter <name> in the request
19751 and converts it to an integer value. This can be used for session stickiness
19752 based on a user ID for example, or with ACLs to match a page number or price.
Willy Tarreaua9fddca2012-07-31 07:51:48 +020019753
Dragan Dosen0070cd52016-06-16 12:19:49 +020019754url32 : integer
19755 This returns a 32-bit hash of the value obtained by concatenating the first
19756 Host header and the whole URL including parameters (not only the path part of
19757 the request, as in the "base32" fetch above). This is useful to track per-URL
19758 activity. A shorter hash is stored, saving a lot of memory. The output type
19759 is an unsigned integer.
19760
19761url32+src : binary
19762 This returns the concatenation of the "url32" fetch and the "src" fetch. The
19763 resulting type is of type binary, with a size of 8 or 20 bytes depending on
19764 the source address family. This can be used to track per-IP, per-URL counters.
19765
Christopher Faulet16032ab2020-04-30 11:30:00 +020019766
Christopher Faulete596d182020-05-05 17:46:34 +0200197677.3.7. Fetching samples for developers
Christopher Fauletd47941d2020-01-08 14:40:19 +010019768---------------------------------------
19769
19770This set of sample fetch methods is reserved to developers and must never be
19771used on a production environment, except on developer demand, for debugging
19772purposes. Moreover, no special care will be taken on backwards compatibility.
19773There is no warranty the following sample fetches will never change, be renamed
19774or simply removed. So be really careful if you should use one of them. To avoid
19775any ambiguity, these sample fetches are placed in the dedicated scope "internal",
19776for instance "internal.strm.is_htx".
19777
19778internal.htx.data : integer
19779 Returns the size in bytes used by data in the HTX message associated to a
19780 channel. The channel is chosen depending on the sample direction.
19781
19782internal.htx.free : integer
19783 Returns the free space (size - used) in bytes in the HTX message associated
19784 to a channel. The channel is chosen depending on the sample direction.
19785
19786internal.htx.free_data : integer
19787 Returns the free space for the data in bytes in the HTX message associated to
19788 a channel. The channel is chosen depending on the sample direction.
19789
19790internal.htx.has_eom : boolean
Christopher Fauletd1ac2b92020-12-02 19:12:22 +010019791 Returns true if the HTX message associated to a channel contains the
19792 end-of-message flag (EOM). Otherwise, it returns false. The channel is chosen
19793 depending on the sample direction.
Christopher Fauletd47941d2020-01-08 14:40:19 +010019794
19795internal.htx.nbblks : integer
19796 Returns the number of blocks present in the HTX message associated to a
19797 channel. The channel is chosen depending on the sample direction.
19798
19799internal.htx.size : integer
19800 Returns the total size in bytes of the HTX message associated to a
19801 channel. The channel is chosen depending on the sample direction.
19802
19803internal.htx.used : integer
19804 Returns the total size used in bytes (data + metadata) in the HTX message
19805 associated to a channel. The channel is chosen depending on the sample
19806 direction.
19807
19808internal.htx_blk.size(<idx>) : integer
19809 Returns the size of the block at the position <idx> in the HTX message
19810 associated to a channel or 0 if it does not exist. The channel is chosen
19811 depending on the sample direction. <idx> may be any positive integer or one
19812 of the special value :
19813 * head : The oldest inserted block
19814 * tail : The newest inserted block
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050019815 * first : The first block where to (re)start the analysis
Christopher Fauletd47941d2020-01-08 14:40:19 +010019816
19817internal.htx_blk.type(<idx>) : string
19818 Returns the type of the block at the position <idx> in the HTX message
19819 associated to a channel or "HTX_BLK_UNUSED" if it does not exist. The channel
19820 is chosen depending on the sample direction. <idx> may be any positive
19821 integer or one of the special value :
19822 * head : The oldest inserted block
19823 * tail : The newest inserted block
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050019824 * first : The first block where to (re)start the analysis
Christopher Fauletd47941d2020-01-08 14:40:19 +010019825
19826internal.htx_blk.data(<idx>) : binary
19827 Returns the value of the DATA block at the position <idx> in the HTX message
19828 associated to a channel or an empty string if it does not exist or if it is
19829 not a DATA block. The channel is chosen depending on the sample direction.
19830 <idx> may be any positive integer or one of the special value :
19831
19832 * head : The oldest inserted block
19833 * tail : The newest inserted block
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050019834 * first : The first block where to (re)start the analysis
Christopher Fauletd47941d2020-01-08 14:40:19 +010019835
19836internal.htx_blk.hdrname(<idx>) : string
19837 Returns the header name of the HEADER block at the position <idx> in the HTX
19838 message associated to a channel or an empty string if it does not exist or if
19839 it is not an HEADER block. The channel is chosen depending on the sample
19840 direction. <idx> may be any positive integer or one of the special value :
19841
19842 * head : The oldest inserted block
19843 * tail : The newest inserted block
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050019844 * first : The first block where to (re)start the analysis
Christopher Fauletd47941d2020-01-08 14:40:19 +010019845
19846internal.htx_blk.hdrval(<idx>) : string
19847 Returns the header value of the HEADER block at the position <idx> in the HTX
19848 message associated to a channel or an empty string if it does not exist or if
19849 it is not an HEADER block. The channel is chosen depending on the sample
19850 direction. <idx> may be any positive integer or one of the special value :
19851
19852 * head : The oldest inserted block
19853 * tail : The newest inserted block
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050019854 * first : The first block where to (re)start the analysis
Christopher Fauletd47941d2020-01-08 14:40:19 +010019855
19856internal.htx_blk.start_line(<idx>) : string
19857 Returns the value of the REQ_SL or RES_SL block at the position <idx> in the
19858 HTX message associated to a channel or an empty string if it does not exist
19859 or if it is not a SL block. The channel is chosen depending on the sample
19860 direction. <idx> may be any positive integer or one of the special value :
19861
19862 * head : The oldest inserted block
19863 * tail : The newest inserted block
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050019864 * first : The first block where to (re)start the analysis
Christopher Fauletd47941d2020-01-08 14:40:19 +010019865
19866internal.strm.is_htx : boolean
19867 Returns true if the current stream is an HTX stream. It means the data in the
19868 channels buffers are stored using the internal HTX representation. Otherwise,
19869 it returns false.
19870
19871
Willy Tarreau74ca5042013-06-11 23:12:07 +0200198727.4. Pre-defined ACLs
Willy Tarreauc57f0e22009-05-10 13:12:33 +020019873---------------------
Willy Tarreauced27012008-01-17 20:35:34 +010019874
Willy Tarreauc57f0e22009-05-10 13:12:33 +020019875Some predefined ACLs are hard-coded so that they do not have to be declared in
19876every frontend which needs them. They all have their names in upper case in
Patrick Mézard2382ad62010-05-09 10:43:32 +020019877order to avoid confusion. Their equivalence is provided below.
Willy Tarreauced27012008-01-17 20:35:34 +010019878
Willy Tarreauc57f0e22009-05-10 13:12:33 +020019879ACL name Equivalent to Usage
Christopher Faulet779184e2021-04-01 17:24:04 +020019880---------------+----------------------------------+------------------------------------------------------
19881FALSE always_false never match
19882HTTP req.proto_http match if request protocol is valid HTTP
19883HTTP_1.0 req.ver 1.0 match if HTTP request version is 1.0
19884HTTP_1.1 req.ver 1.1 match if HTTP request version is 1.1
Christopher Faulet8043e832021-03-26 16:00:54 +010019885HTTP_2.0 req.ver 2.0 match if HTTP request version is 2.0
Christopher Faulet779184e2021-04-01 17:24:04 +020019886HTTP_CONTENT req.hdr_val(content-length) gt 0 match an existing content-length in the HTTP request
19887HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
19888HTTP_URL_SLASH url_beg / match URL beginning with "/"
19889HTTP_URL_STAR url * match URL equal to "*"
19890LOCALHOST src 127.0.0.1/8 match connection from local host
19891METH_CONNECT method CONNECT match HTTP CONNECT method
19892METH_DELETE method DELETE match HTTP DELETE method
19893METH_GET method GET HEAD match HTTP GET or HEAD method
19894METH_HEAD method HEAD match HTTP HEAD method
19895METH_OPTIONS method OPTIONS match HTTP OPTIONS method
19896METH_POST method POST match HTTP POST method
19897METH_PUT method PUT match HTTP PUT method
19898METH_TRACE method TRACE match HTTP TRACE method
19899RDP_COOKIE req.rdp_cookie_cnt gt 0 match presence of an RDP cookie in the request buffer
19900REQ_CONTENT req.len gt 0 match data in the request buffer
19901TRUE always_true always match
19902WAIT_END wait_end wait for end of content analysis
19903---------------+----------------------------------+------------------------------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +010019904
Willy Tarreaub937b7e2010-01-12 15:27:54 +010019905
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200199068. Logging
19907----------
Willy Tarreau844e3c52008-01-11 16:28:18 +010019908
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019909One of HAProxy's strong points certainly lies is its precise logs. It probably
19910provides the finest level of information available for such a product, which is
19911very important for troubleshooting complex environments. Standard information
19912provided in logs include client ports, TCP/HTTP state timers, precise session
19913state at termination and precise termination cause, information about decisions
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010019914to direct traffic to a server, and of course the ability to capture arbitrary
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019915headers.
19916
19917In order to improve administrators reactivity, it offers a great transparency
19918about encountered problems, both internal and external, and it is possible to
19919send logs to different sources at the same time with different level filters :
19920
19921 - global process-level logs (system errors, start/stop, etc..)
19922 - per-instance system and internal errors (lack of resource, bugs, ...)
19923 - per-instance external troubles (servers up/down, max connections)
19924 - per-instance activity (client connections), either at the establishment or
19925 at the termination.
Davor Ocelice9ed2812017-12-25 17:49:28 +010019926 - per-request control of log-level, e.g.
Jim Freeman9e8714b2015-05-26 09:16:34 -060019927 http-request set-log-level silent if sensitive_request
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019928
19929The ability to distribute different levels of logs to different log servers
19930allow several production teams to interact and to fix their problems as soon
19931as possible. For example, the system team might monitor system-wide errors,
19932while the application team might be monitoring the up/down for their servers in
19933real time, and the security team might analyze the activity logs with one hour
19934delay.
19935
19936
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200199378.1. Log levels
19938---------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019939
Simon Hormandf791f52011-05-29 15:01:10 +090019940TCP and HTTP connections can be logged with information such as the date, time,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019941source IP address, destination address, connection duration, response times,
Simon Hormandf791f52011-05-29 15:01:10 +090019942HTTP request, HTTP return code, number of bytes transmitted, conditions
19943in which the session ended, and even exchanged cookies values. For example
19944track a particular user's problems. All messages may be sent to up to two
19945syslog servers. Check the "log" keyword in section 4.2 for more information
19946about log facilities.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019947
19948
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200199498.2. Log formats
19950----------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019951
William Lallemand48940402012-01-30 16:47:22 +010019952HAProxy supports 5 log formats. Several fields are common between these formats
Simon Hormandf791f52011-05-29 15:01:10 +090019953and will be detailed in the following sections. A few of them may vary
19954slightly with the configuration, due to indicators specific to certain
19955options. The supported formats are as follows :
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019956
19957 - the default format, which is very basic and very rarely used. It only
19958 provides very basic information about the incoming connection at the moment
19959 it is accepted : source IP:port, destination IP:port, and frontend-name.
19960 This mode will eventually disappear so it will not be described to great
19961 extents.
19962
19963 - the TCP format, which is more advanced. This format is enabled when "option
19964 tcplog" is set on the frontend. HAProxy will then usually wait for the
19965 connection to terminate before logging. This format provides much richer
19966 information, such as timers, connection counts, queue size, etc... This
19967 format is recommended for pure TCP proxies.
19968
19969 - the HTTP format, which is the most advanced for HTTP proxying. This format
19970 is enabled when "option httplog" is set on the frontend. It provides the
19971 same information as the TCP format with some HTTP-specific fields such as
19972 the request, the status code, and captures of headers and cookies. This
19973 format is recommended for HTTP proxies.
19974
Emeric Brun3a058f32009-06-30 18:26:00 +020019975 - the CLF HTTP format, which is equivalent to the HTTP format, but with the
19976 fields arranged in the same order as the CLF format. In this mode, all
19977 timers, captures, flags, etc... appear one per field after the end of the
19978 common fields, in the same order they appear in the standard HTTP format.
19979
William Lallemand48940402012-01-30 16:47:22 +010019980 - the custom log format, allows you to make your own log line.
19981
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019982Next sections will go deeper into details for each of these formats. Format
19983specification will be performed on a "field" basis. Unless stated otherwise, a
19984field is a portion of text delimited by any number of spaces. Since syslog
19985servers are susceptible of inserting fields at the beginning of a line, it is
19986always assumed that the first field is the one containing the process name and
19987identifier.
19988
19989Note : Since log lines may be quite long, the log examples in sections below
19990 might be broken into multiple lines. The example log lines will be
19991 prefixed with 3 closing angle brackets ('>>>') and each time a log is
19992 broken into multiple lines, each non-final line will end with a
19993 backslash ('\') and the next line will start indented by two characters.
19994
19995
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200199968.2.1. Default log format
19997-------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010019998
19999This format is used when no specific option is set. The log is emitted as soon
20000as the connection is accepted. One should note that this currently is the only
20001format which logs the request's destination IP and ports.
20002
20003 Example :
20004 listen www
20005 mode http
20006 log global
20007 server srv1 127.0.0.1:8000
20008
20009 >>> Feb 6 12:12:09 localhost \
20010 haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
20011 (www/HTTP)
20012
20013 Field Format Extract from the example above
20014 1 process_name '[' pid ']:' haproxy[14385]:
20015 2 'Connect from' Connect from
20016 3 source_ip ':' source_port 10.0.1.2:33312
20017 4 'to' to
20018 5 destination_ip ':' destination_port 10.0.3.31:8012
20019 6 '(' frontend_name '/' mode ')' (www/HTTP)
20020
20021Detailed fields description :
20022 - "source_ip" is the IP address of the client which initiated the connection.
20023 - "source_port" is the TCP port of the client which initiated the connection.
20024 - "destination_ip" is the IP address the client connected to.
20025 - "destination_port" is the TCP port the client connected to.
20026 - "frontend_name" is the name of the frontend (or listener) which received
20027 and processed the connection.
20028 - "mode is the mode the frontend is operating (TCP or HTTP).
20029
Willy Tarreauceb24bc2010-11-09 12:46:41 +010020030In case of a UNIX socket, the source and destination addresses are marked as
20031"unix:" and the ports reflect the internal ID of the socket which accepted the
20032connection (the same ID as reported in the stats).
20033
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020034It is advised not to use this deprecated format for newer installations as it
20035will eventually disappear.
20036
20037
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200200388.2.2. TCP log format
20039---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020040
20041The TCP format is used when "option tcplog" is specified in the frontend, and
20042is the recommended format for pure TCP proxies. It provides a lot of precious
20043information for troubleshooting. Since this format includes timers and byte
20044counts, the log is normally emitted at the end of the session. It can be
20045emitted earlier if "option logasap" is specified, which makes sense in most
20046environments with long sessions such as remote terminals. Sessions which match
20047the "monitor" rules are never logged. It is also possible not to emit logs for
20048sessions for which no data were exchanged between the client and the server, by
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020020049specifying "option dontlognull" in the frontend. Successful connections will
20050not be logged if "option dontlog-normal" is specified in the frontend. A few
20051fields may slightly vary depending on some configuration options, those are
20052marked with a star ('*') after the field name below.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020053
20054 Example :
20055 frontend fnt
20056 mode tcp
20057 option tcplog
20058 log global
20059 default_backend bck
20060
20061 backend bck
20062 server srv1 127.0.0.1:8000
20063
20064 >>> Feb 6 12:12:56 localhost \
20065 haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
20066 bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
20067
20068 Field Format Extract from the example above
20069 1 process_name '[' pid ']:' haproxy[14387]:
20070 2 client_ip ':' client_port 10.0.1.2:33313
20071 3 '[' accept_date ']' [06/Feb/2009:12:12:51.443]
20072 4 frontend_name fnt
20073 5 backend_name '/' server_name bck/srv1
20074 6 Tw '/' Tc '/' Tt* 0/0/5007
20075 7 bytes_read* 212
20076 8 termination_state --
20077 9 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 0/0/0/0/3
20078 10 srv_queue '/' backend_queue 0/0
20079
20080Detailed fields description :
20081 - "client_ip" is the IP address of the client which initiated the TCP
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020082 connection to HAProxy. If the connection was accepted on a UNIX socket
Willy Tarreauceb24bc2010-11-09 12:46:41 +010020083 instead, the IP address would be replaced with the word "unix". Note that
20084 when the connection is accepted on a socket configured with "accept-proxy"
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010020085 and the PROXY protocol is correctly used, or with a "accept-netscaler-cip"
Davor Ocelice9ed2812017-12-25 17:49:28 +010020086 and the NetScaler Client IP insertion protocol is correctly used, then the
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010020087 logs will reflect the forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020088
20089 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +010020090 If the connection was accepted on a UNIX socket instead, the port would be
20091 replaced with the ID of the accepting socket, which is also reported in the
20092 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020093
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020094 - "accept_date" is the exact date when the connection was received by HAProxy
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020095 (which might be very slightly different from the date observed on the
20096 network if there was some queuing in the system's backlog). This is usually
Willy Tarreau590a0512018-09-05 11:56:48 +020020097 the same date which may appear in any upstream firewall's log. When used in
20098 HTTP mode, the accept_date field will be reset to the first moment the
20099 connection is ready to receive a new request (end of previous response for
20100 HTTP/1, immediately after previous request for HTTP/2).
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020101
20102 - "frontend_name" is the name of the frontend (or listener) which received
20103 and processed the connection.
20104
20105 - "backend_name" is the name of the backend (or listener) which was selected
20106 to manage the connection to the server. This will be the same as the
20107 frontend if no switching rule has been applied, which is common for TCP
20108 applications.
20109
20110 - "server_name" is the name of the last server to which the connection was
20111 sent, which might differ from the first one if there were connection errors
20112 and a redispatch occurred. Note that this server belongs to the backend
20113 which processed the request. If the connection was aborted before reaching
20114 a server, "<NOSRV>" is indicated instead of a server name.
20115
20116 - "Tw" is the total time in milliseconds spent waiting in the various queues.
20117 It can be "-1" if the connection was aborted before reaching the queue.
20118 See "Timers" below for more details.
20119
20120 - "Tc" is the total time in milliseconds spent waiting for the connection to
20121 establish to the final server, including retries. It can be "-1" if the
20122 connection was aborted before a connection could be established. See
20123 "Timers" below for more details.
20124
20125 - "Tt" is the total time in milliseconds elapsed between the accept and the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030020126 last close. It covers all possible processing. There is one exception, if
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020127 "option logasap" was specified, then the time counting stops at the moment
20128 the log is emitted. In this case, a '+' sign is prepended before the value,
20129 indicating that the final one will be larger. See "Timers" below for more
20130 details.
20131
20132 - "bytes_read" is the total number of bytes transmitted from the server to
20133 the client when the log is emitted. If "option logasap" is specified, the
20134 this value will be prefixed with a '+' sign indicating that the final one
20135 may be larger. Please note that this value is a 64-bit counter, so log
20136 analysis tools must be able to handle it without overflowing.
20137
20138 - "termination_state" is the condition the session was in when the session
20139 ended. This indicates the session state, which side caused the end of
20140 session to happen, and for what reason (timeout, error, ...). The normal
20141 flags should be "--", indicating the session was closed by either end with
20142 no data remaining in buffers. See below "Session state at disconnection"
20143 for more details.
20144
20145 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040020146 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020147 limits have been reached. For instance, if actconn is close to 512 when
20148 multiple connection errors occur, chances are high that the system limits
20149 the process to use a maximum of 1024 file descriptors and that all of them
Willy Tarreauc57f0e22009-05-10 13:12:33 +020020150 are used. See section 3 "Global parameters" to find how to tune the system.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020151
20152 - "feconn" is the total number of concurrent connections on the frontend when
20153 the session was logged. It is useful to estimate the amount of resource
20154 required to sustain high loads, and to detect when the frontend's "maxconn"
20155 has been reached. Most often when this value increases by huge jumps, it is
20156 because there is congestion on the backend servers, but sometimes it can be
20157 caused by a denial of service attack.
20158
20159 - "beconn" is the total number of concurrent connections handled by the
20160 backend when the session was logged. It includes the total number of
20161 concurrent connections active on servers as well as the number of
20162 connections pending in queues. It is useful to estimate the amount of
20163 additional servers needed to support high loads for a given application.
20164 Most often when this value increases by huge jumps, it is because there is
20165 congestion on the backend servers, but sometimes it can be caused by a
20166 denial of service attack.
20167
20168 - "srv_conn" is the total number of concurrent connections still active on
20169 the server when the session was logged. It can never exceed the server's
20170 configured "maxconn" parameter. If this value is very often close or equal
20171 to the server's "maxconn", it means that traffic regulation is involved a
20172 lot, meaning that either the server's maxconn value is too low, or that
20173 there aren't enough servers to process the load with an optimal response
20174 time. When only one of the server's "srv_conn" is high, it usually means
20175 that this server has some trouble causing the connections to take longer to
20176 be processed than on other servers.
20177
20178 - "retries" is the number of connection retries experienced by this session
20179 when trying to connect to the server. It must normally be zero, unless a
20180 server is being stopped at the same moment the connection was attempted.
20181 Frequent retries generally indicate either a network problem between
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020182 HAProxy and the server, or a misconfigured system backlog on the server
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020183 preventing new connections from being queued. This field may optionally be
20184 prefixed with a '+' sign, indicating that the session has experienced a
20185 redispatch after the maximal retry count has been reached on the initial
20186 server. In this case, the server name appearing in the log is the one the
20187 connection was redispatched to, and not the first one, though both may
20188 sometimes be the same in case of hashing for instance. So as a general rule
20189 of thumb, when a '+' is present in front of the retry count, this count
20190 should not be attributed to the logged server.
20191
20192 - "srv_queue" is the total number of requests which were processed before
20193 this one in the server queue. It is zero when the request has not gone
20194 through the server queue. It makes it possible to estimate the approximate
20195 server's response time by dividing the time spent in queue by the number of
20196 requests in the queue. It is worth noting that if a session experiences a
20197 redispatch and passes through two server queues, their positions will be
Davor Ocelice9ed2812017-12-25 17:49:28 +010020198 cumulative. A request should not pass through both the server queue and the
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020199 backend queue unless a redispatch occurs.
20200
20201 - "backend_queue" is the total number of requests which were processed before
20202 this one in the backend's global queue. It is zero when the request has not
20203 gone through the global queue. It makes it possible to estimate the average
20204 queue length, which easily translates into a number of missing servers when
20205 divided by a server's "maxconn" parameter. It is worth noting that if a
20206 session experiences a redispatch, it may pass twice in the backend's queue,
Davor Ocelice9ed2812017-12-25 17:49:28 +010020207 and then both positions will be cumulative. A request should not pass
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020208 through both the server queue and the backend queue unless a redispatch
20209 occurs.
20210
20211
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200202128.2.3. HTTP log format
20213----------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020214
20215The HTTP format is the most complete and the best suited for HTTP proxies. It
20216is enabled by when "option httplog" is specified in the frontend. It provides
20217the same level of information as the TCP format with additional features which
20218are specific to the HTTP protocol. Just like the TCP format, the log is usually
20219emitted at the end of the session, unless "option logasap" is specified, which
20220generally only makes sense for download sites. A session which matches the
20221"monitor" rules will never logged. It is also possible not to log sessions for
20222which no data were sent by the client by specifying "option dontlognull" in the
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020020223frontend. Successful connections will not be logged if "option dontlog-normal"
20224is specified in the frontend.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020225
20226Most fields are shared with the TCP log, some being different. A few fields may
20227slightly vary depending on some configuration options. Those ones are marked
20228with a star ('*') after the field name below.
20229
20230 Example :
20231 frontend http-in
20232 mode http
20233 option httplog
20234 log global
20235 default_backend bck
20236
20237 backend static
20238 server srv1 127.0.0.1:8000
20239
20240 >>> Feb 6 12:14:14 localhost \
20241 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
20242 static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010020243 {} "GET /index.html HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020244
20245 Field Format Extract from the example above
20246 1 process_name '[' pid ']:' haproxy[14389]:
20247 2 client_ip ':' client_port 10.0.1.2:33317
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020248 3 '[' request_date ']' [06/Feb/2009:12:14:14.655]
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020249 4 frontend_name http-in
20250 5 backend_name '/' server_name static/srv1
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020251 6 TR '/' Tw '/' Tc '/' Tr '/' Ta* 10/0/30/69/109
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020252 7 status_code 200
20253 8 bytes_read* 2750
20254 9 captured_request_cookie -
20255 10 captured_response_cookie -
20256 11 termination_state ----
20257 12 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
20258 13 srv_queue '/' backend_queue 0/0
20259 14 '{' captured_request_headers* '}' {haproxy.1wt.eu}
20260 15 '{' captured_response_headers* '}' {}
20261 16 '"' http_request '"' "GET /index.html HTTP/1.1"
Willy Tarreaud72758d2010-01-12 10:42:19 +010020262
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020263Detailed fields description :
20264 - "client_ip" is the IP address of the client which initiated the TCP
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020265 connection to HAProxy. If the connection was accepted on a UNIX socket
Willy Tarreauceb24bc2010-11-09 12:46:41 +010020266 instead, the IP address would be replaced with the word "unix". Note that
20267 when the connection is accepted on a socket configured with "accept-proxy"
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010020268 and the PROXY protocol is correctly used, or with a "accept-netscaler-cip"
Davor Ocelice9ed2812017-12-25 17:49:28 +010020269 and the NetScaler Client IP insertion protocol is correctly used, then the
Bertrand Jacquin93b227d2016-06-04 15:11:10 +010020270 logs will reflect the forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020271
20272 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +010020273 If the connection was accepted on a UNIX socket instead, the port would be
20274 replaced with the ID of the accepting socket, which is also reported in the
20275 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020276
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020277 - "request_date" is the exact date when the first byte of the HTTP request
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020278 was received by HAProxy (log field %tr).
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020279
20280 - "frontend_name" is the name of the frontend (or listener) which received
20281 and processed the connection.
20282
20283 - "backend_name" is the name of the backend (or listener) which was selected
20284 to manage the connection to the server. This will be the same as the
20285 frontend if no switching rule has been applied.
20286
20287 - "server_name" is the name of the last server to which the connection was
20288 sent, which might differ from the first one if there were connection errors
20289 and a redispatch occurred. Note that this server belongs to the backend
20290 which processed the request. If the request was aborted before reaching a
20291 server, "<NOSRV>" is indicated instead of a server name. If the request was
20292 intercepted by the stats subsystem, "<STATS>" is indicated instead.
20293
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020294 - "TR" is the total time in milliseconds spent waiting for a full HTTP
20295 request from the client (not counting body) after the first byte was
20296 received. It can be "-1" if the connection was aborted before a complete
John Roeslerfb2fce12019-07-10 15:45:51 -050020297 request could be received or a bad request was received. It should
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020298 always be very small because a request generally fits in one single packet.
20299 Large times here generally indicate network issues between the client and
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020300 HAProxy or requests being typed by hand. See section 8.4 "Timing Events"
Willy Tarreau590a0512018-09-05 11:56:48 +020020301 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020302
20303 - "Tw" is the total time in milliseconds spent waiting in the various queues.
20304 It can be "-1" if the connection was aborted before reaching the queue.
Willy Tarreau590a0512018-09-05 11:56:48 +020020305 See section 8.4 "Timing Events" for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020306
20307 - "Tc" is the total time in milliseconds spent waiting for the connection to
20308 establish to the final server, including retries. It can be "-1" if the
Willy Tarreau590a0512018-09-05 11:56:48 +020020309 request was aborted before a connection could be established. See section
20310 8.4 "Timing Events" for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020311
20312 - "Tr" is the total time in milliseconds spent waiting for the server to send
20313 a full HTTP response, not counting data. It can be "-1" if the request was
20314 aborted before a complete response could be received. It generally matches
20315 the server's processing time for the request, though it may be altered by
20316 the amount of data sent by the client to the server. Large times here on
Willy Tarreau590a0512018-09-05 11:56:48 +020020317 "GET" requests generally indicate an overloaded server. See section 8.4
20318 "Timing Events" for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020319
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020320 - "Ta" is the time the request remained active in HAProxy, which is the total
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020321 time in milliseconds elapsed between the first byte of the request was
20322 received and the last byte of response was sent. It covers all possible
20323 processing except the handshake (see Th) and idle time (see Ti). There is
20324 one exception, if "option logasap" was specified, then the time counting
20325 stops at the moment the log is emitted. In this case, a '+' sign is
20326 prepended before the value, indicating that the final one will be larger.
Willy Tarreau590a0512018-09-05 11:56:48 +020020327 See section 8.4 "Timing Events" for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020328
20329 - "status_code" is the HTTP status code returned to the client. This status
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020330 is generally set by the server, but it might also be set by HAProxy when
20331 the server cannot be reached or when its response is blocked by HAProxy.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020332
20333 - "bytes_read" is the total number of bytes transmitted to the client when
20334 the log is emitted. This does include HTTP headers. If "option logasap" is
John Roeslerfb2fce12019-07-10 15:45:51 -050020335 specified, this value will be prefixed with a '+' sign indicating that
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020336 the final one may be larger. Please note that this value is a 64-bit
20337 counter, so log analysis tools must be able to handle it without
20338 overflowing.
20339
20340 - "captured_request_cookie" is an optional "name=value" entry indicating that
20341 the client had this cookie in the request. The cookie name and its maximum
20342 length are defined by the "capture cookie" statement in the frontend
20343 configuration. The field is a single dash ('-') when the option is not
20344 set. Only one cookie may be captured, it is generally used to track session
20345 ID exchanges between a client and a server to detect session crossing
20346 between clients due to application bugs. For more details, please consult
20347 the section "Capturing HTTP headers and cookies" below.
20348
20349 - "captured_response_cookie" is an optional "name=value" entry indicating
20350 that the server has returned a cookie with its response. The cookie name
20351 and its maximum length are defined by the "capture cookie" statement in the
20352 frontend configuration. The field is a single dash ('-') when the option is
20353 not set. Only one cookie may be captured, it is generally used to track
20354 session ID exchanges between a client and a server to detect session
20355 crossing between clients due to application bugs. For more details, please
20356 consult the section "Capturing HTTP headers and cookies" below.
20357
20358 - "termination_state" is the condition the session was in when the session
20359 ended. This indicates the session state, which side caused the end of
20360 session to happen, for what reason (timeout, error, ...), just like in TCP
20361 logs, and information about persistence operations on cookies in the last
20362 two characters. The normal flags should begin with "--", indicating the
20363 session was closed by either end with no data remaining in buffers. See
20364 below "Session state at disconnection" for more details.
20365
20366 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040020367 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020368 limits have been reached. For instance, if actconn is close to 512 or 1024
20369 when multiple connection errors occur, chances are high that the system
20370 limits the process to use a maximum of 1024 file descriptors and that all
Willy Tarreauc57f0e22009-05-10 13:12:33 +020020371 of them are used. See section 3 "Global parameters" to find how to tune the
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020372 system.
20373
20374 - "feconn" is the total number of concurrent connections on the frontend when
20375 the session was logged. It is useful to estimate the amount of resource
20376 required to sustain high loads, and to detect when the frontend's "maxconn"
20377 has been reached. Most often when this value increases by huge jumps, it is
20378 because there is congestion on the backend servers, but sometimes it can be
20379 caused by a denial of service attack.
20380
20381 - "beconn" is the total number of concurrent connections handled by the
20382 backend when the session was logged. It includes the total number of
20383 concurrent connections active on servers as well as the number of
20384 connections pending in queues. It is useful to estimate the amount of
20385 additional servers needed to support high loads for a given application.
20386 Most often when this value increases by huge jumps, it is because there is
20387 congestion on the backend servers, but sometimes it can be caused by a
20388 denial of service attack.
20389
20390 - "srv_conn" is the total number of concurrent connections still active on
20391 the server when the session was logged. It can never exceed the server's
20392 configured "maxconn" parameter. If this value is very often close or equal
20393 to the server's "maxconn", it means that traffic regulation is involved a
20394 lot, meaning that either the server's maxconn value is too low, or that
20395 there aren't enough servers to process the load with an optimal response
20396 time. When only one of the server's "srv_conn" is high, it usually means
20397 that this server has some trouble causing the requests to take longer to be
20398 processed than on other servers.
20399
20400 - "retries" is the number of connection retries experienced by this session
20401 when trying to connect to the server. It must normally be zero, unless a
20402 server is being stopped at the same moment the connection was attempted.
20403 Frequent retries generally indicate either a network problem between
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020404 HAProxy and the server, or a misconfigured system backlog on the server
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020405 preventing new connections from being queued. This field may optionally be
20406 prefixed with a '+' sign, indicating that the session has experienced a
20407 redispatch after the maximal retry count has been reached on the initial
20408 server. In this case, the server name appearing in the log is the one the
20409 connection was redispatched to, and not the first one, though both may
20410 sometimes be the same in case of hashing for instance. So as a general rule
20411 of thumb, when a '+' is present in front of the retry count, this count
20412 should not be attributed to the logged server.
20413
20414 - "srv_queue" is the total number of requests which were processed before
20415 this one in the server queue. It is zero when the request has not gone
20416 through the server queue. It makes it possible to estimate the approximate
20417 server's response time by dividing the time spent in queue by the number of
20418 requests in the queue. It is worth noting that if a session experiences a
20419 redispatch and passes through two server queues, their positions will be
Davor Ocelice9ed2812017-12-25 17:49:28 +010020420 cumulative. A request should not pass through both the server queue and the
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020421 backend queue unless a redispatch occurs.
20422
20423 - "backend_queue" is the total number of requests which were processed before
20424 this one in the backend's global queue. It is zero when the request has not
20425 gone through the global queue. It makes it possible to estimate the average
20426 queue length, which easily translates into a number of missing servers when
20427 divided by a server's "maxconn" parameter. It is worth noting that if a
20428 session experiences a redispatch, it may pass twice in the backend's queue,
Davor Ocelice9ed2812017-12-25 17:49:28 +010020429 and then both positions will be cumulative. A request should not pass
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020430 through both the server queue and the backend queue unless a redispatch
20431 occurs.
20432
20433 - "captured_request_headers" is a list of headers captured in the request due
20434 to the presence of the "capture request header" statement in the frontend.
20435 Multiple headers can be captured, they will be delimited by a vertical bar
20436 ('|'). When no capture is enabled, the braces do not appear, causing a
20437 shift of remaining fields. It is important to note that this field may
20438 contain spaces, and that using it requires a smarter log parser than when
20439 it's not used. Please consult the section "Capturing HTTP headers and
20440 cookies" below for more details.
20441
20442 - "captured_response_headers" is a list of headers captured in the response
20443 due to the presence of the "capture response header" statement in the
20444 frontend. Multiple headers can be captured, they will be delimited by a
20445 vertical bar ('|'). When no capture is enabled, the braces do not appear,
20446 causing a shift of remaining fields. It is important to note that this
20447 field may contain spaces, and that using it requires a smarter log parser
20448 than when it's not used. Please consult the section "Capturing HTTP headers
20449 and cookies" below for more details.
20450
20451 - "http_request" is the complete HTTP request line, including the method,
20452 request and HTTP version string. Non-printable characters are encoded (see
20453 below the section "Non-printable characters"). This is always the last
20454 field, and it is always delimited by quotes and is the only one which can
20455 contain quotes. If new fields are added to the log format, they will be
20456 added before this field. This field might be truncated if the request is
20457 huge and does not fit in the standard syslog buffer (1024 characters). This
20458 is the reason why this field must always remain the last one.
20459
20460
Cyril Bontédc4d9032012-04-08 21:57:39 +0200204618.2.4. Custom log format
20462------------------------
William Lallemand48940402012-01-30 16:47:22 +010020463
Willy Tarreau2beef582012-12-20 17:22:52 +010020464The directive log-format allows you to customize the logs in http mode and tcp
William Lallemandbddd4fd2012-02-27 11:23:10 +010020465mode. It takes a string as argument.
William Lallemand48940402012-01-30 16:47:22 +010020466
Davor Ocelice9ed2812017-12-25 17:49:28 +010020467HAProxy understands some log format variables. % precedes log format variables.
William Lallemand48940402012-01-30 16:47:22 +010020468Variables can take arguments using braces ('{}'), and multiple arguments are
20469separated by commas within the braces. Flags may be added or removed by
20470prefixing them with a '+' or '-' sign.
20471
20472Special variable "%o" may be used to propagate its flags to all other
20473variables on the same format string. This is particularly handy with quoted
Dragan Dosen835b9212016-02-12 13:23:03 +010020474("Q") and escaped ("E") string formats.
William Lallemand48940402012-01-30 16:47:22 +010020475
Willy Tarreauc8368452012-12-21 00:09:23 +010020476If a variable is named between square brackets ('[' .. ']') then it is used
Willy Tarreaube722a22014-06-13 16:31:59 +020020477as a sample expression rule (see section 7.3). This it useful to add some
Willy Tarreauc8368452012-12-21 00:09:23 +010020478less common information such as the client's SSL certificate's DN, or to log
20479the key that would be used to store an entry into a stick table.
20480
Dragan Dosen1e3b16f2020-06-23 18:16:44 +020020481Note: spaces must be escaped. In configuration directives "log-format",
20482"log-format-sd" and "unique-id-format", spaces are considered as
20483delimiters and are merged. In order to emit a verbatim '%', it must be
20484preceded by another '%' resulting in '%%'.
William Lallemand48940402012-01-30 16:47:22 +010020485
Dragan Dosen835b9212016-02-12 13:23:03 +010020486Note: when using the RFC5424 syslog message format, the characters '"',
20487'\' and ']' inside PARAM-VALUE should be escaped with '\' as prefix (see
20488https://tools.ietf.org/html/rfc5424#section-6.3.3 for more details). In
20489such cases, the use of the flag "E" should be considered.
20490
William Lallemand48940402012-01-30 16:47:22 +010020491Flags are :
20492 * Q: quote a string
Jamie Gloudonaaa21002012-08-25 00:18:33 -040020493 * X: hexadecimal representation (IPs, Ports, %Ts, %rt, %pid)
Dragan Dosen835b9212016-02-12 13:23:03 +010020494 * E: escape characters '"', '\' and ']' in a string with '\' as prefix
20495 (intended purpose is for the RFC5424 structured-data log formats)
William Lallemand48940402012-01-30 16:47:22 +010020496
20497 Example:
20498
20499 log-format %T\ %t\ Some\ Text
20500 log-format %{+Q}o\ %t\ %s\ %{-Q}r
20501
Dragan Dosen835b9212016-02-12 13:23:03 +010020502 log-format-sd %{+Q,+E}o\ [exampleSDID@1234\ header=%[capture.req.hdr(0)]]
20503
William Lallemand48940402012-01-30 16:47:22 +010020504At the moment, the default HTTP format is defined this way :
20505
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020506 log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \
20507 %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
William Lallemand48940402012-01-30 16:47:22 +010020508
William Lallemandbddd4fd2012-02-27 11:23:10 +010020509the default CLF format is defined this way :
William Lallemand48940402012-01-30 16:47:22 +010020510
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020511 log-format "%{+Q}o %{-Q}ci - - [%trg] %r %ST %B \"\" \"\" %cp \
20512 %ms %ft %b %s %TR %Tw %Tc %Tr %Ta %tsc %ac %fc \
20513 %bc %sc %rc %sq %bq %CC %CS %hrl %hsl"
William Lallemand48940402012-01-30 16:47:22 +010020514
William Lallemandbddd4fd2012-02-27 11:23:10 +010020515and the default TCP format is defined this way :
20516
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020517 log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts \
20518 %ac/%fc/%bc/%sc/%rc %sq/%bq"
William Lallemandbddd4fd2012-02-27 11:23:10 +010020519
William Lallemand48940402012-01-30 16:47:22 +010020520Please refer to the table below for currently defined variables :
20521
William Lallemandbddd4fd2012-02-27 11:23:10 +010020522 +---+------+-----------------------------------------------+-------------+
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020020523 | R | var | field name (8.2.2 and 8.2.3 for description) | type |
William Lallemandbddd4fd2012-02-27 11:23:10 +010020524 +---+------+-----------------------------------------------+-------------+
20525 | | %o | special variable, apply flags on all next var | |
20526 +---+------+-----------------------------------------------+-------------+
Willy Tarreau2beef582012-12-20 17:22:52 +010020527 | | %B | bytes_read (from server to client) | numeric |
20528 | H | %CC | captured_request_cookie | string |
20529 | H | %CS | captured_response_cookie | string |
William Lallemand5f232402012-04-05 18:02:55 +020020530 | | %H | hostname | string |
Andrew Hayworth0ebc55f2015-04-27 21:37:03 +000020531 | H | %HM | HTTP method (ex: POST) | string |
Maciej Zdeb21acc332020-11-26 10:45:52 +000020532 | H | %HP | HTTP request URI without query string | string |
Maciej Zdebfcdfd852020-11-30 18:27:47 +000020533 | H | %HPO | HTTP path only (without host nor query string)| string |
Andrew Hayworthe63ac872015-07-31 16:14:16 +000020534 | H | %HQ | HTTP request URI query string (ex: ?bar=baz) | string |
Andrew Hayworth0ebc55f2015-04-27 21:37:03 +000020535 | H | %HU | HTTP request URI (ex: /foo?bar=baz) | string |
20536 | H | %HV | HTTP version (ex: HTTP/1.0) | string |
William Lallemanda73203e2012-03-12 12:48:57 +010020537 | | %ID | unique-id | string |
Willy Tarreau4bf99632014-06-13 12:21:40 +020020538 | | %ST | status_code | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020020539 | | %T | gmt_date_time | date |
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020540 | | %Ta | Active time of the request (from TR to end) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010020541 | | %Tc | Tc | numeric |
Willy Tarreau27b639d2016-05-17 17:55:27 +020020542 | | %Td | Td = Tt - (Tq + Tw + Tc + Tr) | numeric |
Yuxans Yao4e25b012012-10-19 10:36:09 +080020543 | | %Tl | local_date_time | date |
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020544 | | %Th | connection handshake time (SSL, PROXY proto) | numeric |
20545 | H | %Ti | idle time before the HTTP request | numeric |
20546 | H | %Tq | Th + Ti + TR | numeric |
20547 | H | %TR | time to receive the full request from 1st byte| numeric |
20548 | H | %Tr | Tr (response time) | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020020549 | | %Ts | timestamp | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010020550 | | %Tt | Tt | numeric |
Damien Claisse57c8eb92020-04-28 12:09:19 +000020551 | | %Tu | Tu | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010020552 | | %Tw | Tw | numeric |
Willy Tarreau2beef582012-12-20 17:22:52 +010020553 | | %U | bytes_uploaded (from client to server) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010020554 | | %ac | actconn | numeric |
20555 | | %b | backend_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010020556 | | %bc | beconn (backend concurrent connections) | numeric |
20557 | | %bi | backend_source_ip (connecting address) | IP |
20558 | | %bp | backend_source_port (connecting address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010020559 | | %bq | backend_queue | numeric |
Willy Tarreau2beef582012-12-20 17:22:52 +010020560 | | %ci | client_ip (accepted address) | IP |
20561 | | %cp | client_port (accepted address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010020562 | | %f | frontend_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010020563 | | %fc | feconn (frontend concurrent connections) | numeric |
20564 | | %fi | frontend_ip (accepting address) | IP |
20565 | | %fp | frontend_port (accepting address) | numeric |
Willy Tarreau773d65f2012-10-12 14:56:11 +020020566 | | %ft | frontend_name_transport ('~' suffix for SSL) | string |
Willy Tarreau7346acb2014-08-28 15:03:15 +020020567 | | %lc | frontend_log_counter | numeric |
Willy Tarreaud9ed3d22014-06-13 12:23:06 +020020568 | | %hr | captured_request_headers default style | string |
20569 | | %hrl | captured_request_headers CLF style | string list |
20570 | | %hs | captured_response_headers default style | string |
20571 | | %hsl | captured_response_headers CLF style | string list |
Willy Tarreau812c88e2015-08-09 10:56:35 +020020572 | | %ms | accept date milliseconds (left-padded with 0) | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020020573 | | %pid | PID | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020020574 | H | %r | http_request | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +010020575 | | %rc | retries | numeric |
Willy Tarreau1f0da242014-01-25 11:01:50 +010020576 | | %rt | request_counter (HTTP req or TCP session) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010020577 | | %s | server_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010020578 | | %sc | srv_conn (server concurrent connections) | numeric |
20579 | | %si | server_IP (target address) | IP |
20580 | | %sp | server_port (target address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010020581 | | %sq | srv_queue | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020020582 | S | %sslc| ssl_ciphers (ex: AES-SHA) | string |
20583 | S | %sslv| ssl_version (ex: TLSv1) | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010020584 | | %t | date_time (with millisecond resolution) | date |
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020585 | H | %tr | date_time of HTTP request | date |
20586 | H | %trg | gmt_date_time of start of HTTP request | date |
Jens Bissinger15c64ff2018-08-23 14:11:27 +020020587 | H | %trl | local_date_time of start of HTTP request | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +010020588 | | %ts | termination_state | string |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020020589 | H | %tsc | termination_state with cookie status | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +010020590 +---+------+-----------------------------------------------+-------------+
William Lallemand48940402012-01-30 16:47:22 +010020591
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020020592 R = Restrictions : H = mode http only ; S = SSL only
William Lallemand48940402012-01-30 16:47:22 +010020593
Willy Tarreau5f51e1a2012-12-03 18:40:10 +010020594
205958.2.5. Error log format
20596-----------------------
20597
20598When an incoming connection fails due to an SSL handshake or an invalid PROXY
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020599protocol header, HAProxy will log the event using a shorter, fixed line format.
Willy Tarreau5f51e1a2012-12-03 18:40:10 +010020600By default, logs are emitted at the LOG_INFO level, unless the option
20601"log-separate-errors" is set in the backend, in which case the LOG_ERR level
Davor Ocelice9ed2812017-12-25 17:49:28 +010020602will be used. Connections on which no data are exchanged (e.g. probes) are not
Willy Tarreau5f51e1a2012-12-03 18:40:10 +010020603logged if the "dontlognull" option is set.
20604
20605The format looks like this :
20606
20607 >>> Dec 3 18:27:14 localhost \
20608 haproxy[6103]: 127.0.0.1:56059 [03/Dec/2012:17:35:10.380] frt/f1: \
20609 Connection error during SSL handshake
20610
20611 Field Format Extract from the example above
20612 1 process_name '[' pid ']:' haproxy[6103]:
20613 2 client_ip ':' client_port 127.0.0.1:56059
20614 3 '[' accept_date ']' [03/Dec/2012:17:35:10.380]
20615 4 frontend_name "/" bind_name ":" frt/f1:
20616 5 message Connection error during SSL handshake
20617
20618These fields just provide minimal information to help debugging connection
20619failures.
20620
20621
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200206228.3. Advanced logging options
20623-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020624
20625Some advanced logging options are often looked for but are not easy to find out
20626just by looking at the various options. Here is an entry point for the few
20627options which can enable better logging. Please refer to the keywords reference
20628for more information about their usage.
20629
20630
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200206318.3.1. Disabling logging of external tests
20632------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020633
20634It is quite common to have some monitoring tools perform health checks on
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020635HAProxy. Sometimes it will be a layer 3 load-balancer such as LVS or any
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020636commercial load-balancer, and sometimes it will simply be a more complete
20637monitoring system such as Nagios. When the tests are very frequent, users often
20638ask how to disable logging for those checks. There are three possibilities :
20639
20640 - if connections come from everywhere and are just TCP probes, it is often
20641 desired to simply disable logging of connections without data exchange, by
20642 setting "option dontlognull" in the frontend. It also disables logging of
20643 port scans, which may or may not be desired.
20644
Willy Tarreau9e9919d2020-10-14 15:55:23 +020020645 - it is possible to use the "http-request set-log-level silent" action using
20646 a variety of conditions (source networks, paths, user-agents, etc).
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020647
20648 - if the tests are performed on a known URI, use "monitor-uri" to declare
20649 this URI as dedicated to monitoring. Any host sending this request will
20650 only get the result of a health-check, and the request will not be logged.
20651
20652
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200206538.3.2. Logging before waiting for the session to terminate
20654----------------------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020655
20656The problem with logging at end of connection is that you have no clue about
20657what is happening during very long sessions, such as remote terminal sessions
20658or large file downloads. This problem can be worked around by specifying
Davor Ocelice9ed2812017-12-25 17:49:28 +010020659"option logasap" in the frontend. HAProxy will then log as soon as possible,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020660just before data transfer begins. This means that in case of TCP, it will still
20661log the connection status to the server, and in case of HTTP, it will log just
20662after processing the server headers. In this case, the number of bytes reported
20663is the number of header bytes sent to the client. In order to avoid confusion
20664with normal logs, the total time field and the number of bytes are prefixed
20665with a '+' sign which means that real numbers are certainly larger.
20666
20667
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200206688.3.3. Raising log level upon errors
20669------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020020670
20671Sometimes it is more convenient to separate normal traffic from errors logs,
20672for instance in order to ease error monitoring from log files. When the option
20673"log-separate-errors" is used, connections which experience errors, timeouts,
20674retries, redispatches or HTTP status codes 5xx will see their syslog level
20675raised from "info" to "err". This will help a syslog daemon store the log in
20676a separate file. It is very important to keep the errors in the normal traffic
20677file too, so that log ordering is not altered. You should also be careful if
20678you already have configured your syslog daemon to store all logs higher than
20679"notice" in an "admin" file, because the "err" level is higher than "notice".
20680
20681
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200206828.3.4. Disabling logging of successful connections
20683--------------------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020020684
20685Although this may sound strange at first, some large sites have to deal with
20686multiple thousands of logs per second and are experiencing difficulties keeping
20687them intact for a long time or detecting errors within them. If the option
20688"dontlog-normal" is set on the frontend, all normal connections will not be
20689logged. In this regard, a normal connection is defined as one without any
20690error, timeout, retry nor redispatch. In HTTP, the status code is checked too,
20691and a response with a status 5xx is not considered normal and will be logged
20692too. Of course, doing is is really discouraged as it will remove most of the
20693useful information from the logs. Do this only if you have no other
20694alternative.
20695
20696
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200206978.4. Timing events
20698------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020699
20700Timers provide a great help in troubleshooting network problems. All values are
20701reported in milliseconds (ms). These timers should be used in conjunction with
20702the session termination flags. In TCP mode with "option tcplog" set on the
20703frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020704mode, 5 control points are reported under the form "TR/Tw/Tc/Tr/Ta". In
20705addition, three other measures are provided, "Th", "Ti", and "Tq".
20706
Guillaume de Lafondf27cddc2016-12-23 17:32:43 +010020707Timings events in HTTP mode:
20708
20709 first request 2nd request
20710 |<-------------------------------->|<-------------- ...
20711 t tr t tr ...
20712 ---|----|----|----|----|----|----|----|----|--
20713 : Th Ti TR Tw Tc Tr Td : Ti ...
20714 :<---- Tq ---->: :
20715 :<-------------- Tt -------------->:
Damien Claisse57c8eb92020-04-28 12:09:19 +000020716 :<-- -----Tu--------------->:
Guillaume de Lafondf27cddc2016-12-23 17:32:43 +010020717 :<--------- Ta --------->:
20718
20719Timings events in TCP mode:
20720
20721 TCP session
20722 |<----------------->|
20723 t t
20724 ---|----|----|----|----|---
20725 | Th Tw Tc Td |
20726 |<------ Tt ------->|
20727
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020728 - Th: total time to accept tcp connection and execute handshakes for low level
Davor Ocelice9ed2812017-12-25 17:49:28 +010020729 protocols. Currently, these protocols are proxy-protocol and SSL. This may
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020730 only happen once during the whole connection's lifetime. A large time here
20731 may indicate that the client only pre-established the connection without
20732 speaking, that it is experiencing network issues preventing it from
Davor Ocelice9ed2812017-12-25 17:49:28 +010020733 completing a handshake in a reasonable time (e.g. MTU issues), or that an
Willy Tarreau590a0512018-09-05 11:56:48 +020020734 SSL handshake was very expensive to compute. Please note that this time is
20735 reported only before the first request, so it is safe to average it over
20736 all request to calculate the amortized value. The second and subsequent
20737 request will always report zero here.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020738
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020739 - Ti: is the idle time before the HTTP request (HTTP mode only). This timer
20740 counts between the end of the handshakes and the first byte of the HTTP
20741 request. When dealing with a second request in keep-alive mode, it starts
Willy Tarreau590a0512018-09-05 11:56:48 +020020742 to count after the end of the transmission the previous response. When a
20743 multiplexed protocol such as HTTP/2 is used, it starts to count immediately
20744 after the previous request. Some browsers pre-establish connections to a
20745 server in order to reduce the latency of a future request, and keep them
20746 pending until they need it. This delay will be reported as the idle time. A
20747 value of -1 indicates that nothing was received on the connection.
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020748
20749 - TR: total time to get the client request (HTTP mode only). It's the time
20750 elapsed between the first bytes received and the moment the proxy received
20751 the empty line marking the end of the HTTP headers. The value "-1"
20752 indicates that the end of headers has never been seen. This happens when
20753 the client closes prematurely or times out. This time is usually very short
20754 since most requests fit in a single packet. A large time may indicate a
20755 request typed by hand during a test.
20756
20757 - Tq: total time to get the client request from the accept date or since the
20758 emission of the last byte of the previous response (HTTP mode only). It's
Davor Ocelice9ed2812017-12-25 17:49:28 +010020759 exactly equal to Th + Ti + TR unless any of them is -1, in which case it
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020760 returns -1 as well. This timer used to be very useful before the arrival of
20761 HTTP keep-alive and browsers' pre-connect feature. It's recommended to drop
20762 it in favor of TR nowadays, as the idle time adds a lot of noise to the
20763 reports.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020764
20765 - Tw: total time spent in the queues waiting for a connection slot. It
20766 accounts for backend queue as well as the server queues, and depends on the
20767 queue size, and the time needed for the server to complete previous
20768 requests. The value "-1" means that the request was killed before reaching
20769 the queue, which is generally what happens with invalid or denied requests.
20770
20771 - Tc: total time to establish the TCP connection to the server. It's the time
20772 elapsed between the moment the proxy sent the connection request, and the
20773 moment it was acknowledged by the server, or between the TCP SYN packet and
20774 the matching SYN/ACK packet in return. The value "-1" means that the
20775 connection never established.
20776
20777 - Tr: server response time (HTTP mode only). It's the time elapsed between
20778 the moment the TCP connection was established to the server and the moment
20779 the server sent its complete response headers. It purely shows its request
20780 processing time, without the network overhead due to the data transmission.
20781 It is worth noting that when the client has data to send to the server, for
20782 instance during a POST request, the time already runs, and this can distort
20783 apparent response time. For this reason, it's generally wise not to trust
20784 too much this field for POST requests initiated from clients behind an
20785 untrusted network. A value of "-1" here means that the last the response
20786 header (empty line) was never seen, most likely because the server timeout
20787 stroke before the server managed to process the request.
20788
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020789 - Ta: total active time for the HTTP request, between the moment the proxy
20790 received the first byte of the request header and the emission of the last
20791 byte of the response body. The exception is when the "logasap" option is
20792 specified. In this case, it only equals (TR+Tw+Tc+Tr), and is prefixed with
20793 a '+' sign. From this field, we can deduce "Td", the data transmission time,
20794 by subtracting other timers when valid :
20795
20796 Td = Ta - (TR + Tw + Tc + Tr)
20797
20798 Timers with "-1" values have to be excluded from this equation. Note that
20799 "Ta" can never be negative.
20800
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020801 - Tt: total session duration time, between the moment the proxy accepted it
20802 and the moment both ends were closed. The exception is when the "logasap"
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020803 option is specified. In this case, it only equals (Th+Ti+TR+Tw+Tc+Tr), and
20804 is prefixed with a '+' sign. From this field, we can deduce "Td", the data
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030020805 transmission time, by subtracting other timers when valid :
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020806
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020807 Td = Tt - (Th + Ti + TR + Tw + Tc + Tr)
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020808
20809 Timers with "-1" values have to be excluded from this equation. In TCP
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020810 mode, "Ti", "Tq" and "Tr" have to be excluded too. Note that "Tt" can never
20811 be negative and that for HTTP, Tt is simply equal to (Th+Ti+Ta).
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020812
Damien Claisse57c8eb92020-04-28 12:09:19 +000020813 - Tu: total estimated time as seen from client, between the moment the proxy
20814 accepted it and the moment both ends were closed, without idle time.
20815 This is useful to roughly measure end-to-end time as a user would see it,
20816 without idle time pollution from keep-alive time between requests. This
20817 timer in only an estimation of time seen by user as it assumes network
20818 latency is the same in both directions. The exception is when the "logasap"
20819 option is specified. In this case, it only equals (Th+TR+Tw+Tc+Tr), and is
20820 prefixed with a '+' sign.
20821
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020822These timers provide precious indications on trouble causes. Since the TCP
20823protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
20824that timers close to multiples of 3s are nearly always related to lost packets
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020825due to network problems (wires, negotiation, congestion). Moreover, if "Ta" or
20826"Tt" is close to a timeout value specified in the configuration, it often means
20827that a session has been aborted on timeout.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020828
20829Most common cases :
20830
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020831 - If "Th" or "Ti" are close to 3000, a packet has probably been lost between
20832 the client and the proxy. This is very rare on local networks but might
20833 happen when clients are on far remote networks and send large requests. It
20834 may happen that values larger than usual appear here without any network
20835 cause. Sometimes, during an attack or just after a resource starvation has
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020836 ended, HAProxy may accept thousands of connections in a few milliseconds.
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020837 The time spent accepting these connections will inevitably slightly delay
20838 processing of other connections, and it can happen that request times in the
20839 order of a few tens of milliseconds are measured after a few thousands of
20840 new connections have been accepted at once. Using one of the keep-alive
20841 modes may display larger idle times since "Ti" measures the time spent
Patrick Mezard105faca2010-06-12 17:02:46 +020020842 waiting for additional requests.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020843
20844 - If "Tc" is close to 3000, a packet has probably been lost between the
20845 server and the proxy during the server connection phase. This value should
20846 always be very low, such as 1 ms on local networks and less than a few tens
20847 of ms on remote networks.
20848
Willy Tarreau55165fe2009-05-10 12:02:55 +020020849 - If "Tr" is nearly always lower than 3000 except some rare values which seem
20850 to be the average majored by 3000, there are probably some packets lost
20851 between the proxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020852
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020853 - If "Ta" is large even for small byte counts, it generally is because
20854 neither the client nor the server decides to close the connection while
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020855 HAProxy is running in tunnel mode and both have agreed on a keep-alive
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020856 connection mode. In order to solve this issue, it will be needed to specify
20857 one of the HTTP options to manipulate keep-alive or close options on either
20858 the frontend or the backend. Having the smallest possible 'Ta' or 'Tt' is
20859 important when connection regulation is used with the "maxconn" option on
20860 the servers, since no new connection will be sent to the server until
20861 another one is released.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020862
20863Other noticeable HTTP log cases ('xx' means any value to be ignored) :
20864
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020865 TR/Tw/Tc/Tr/+Ta The "option logasap" is present on the frontend and the log
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020866 was emitted before the data phase. All the timers are valid
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020867 except "Ta" which is shorter than reality.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020868
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020869 -1/xx/xx/xx/Ta The client was not able to send a complete request in time
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020870 or it aborted too early. Check the session termination flags
20871 then "timeout http-request" and "timeout client" settings.
20872
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020873 TR/-1/xx/xx/Ta It was not possible to process the request, maybe because
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020874 servers were out of order, because the request was invalid
20875 or forbidden by ACL rules. Check the session termination
20876 flags.
20877
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020878 TR/Tw/-1/xx/Ta The connection could not establish on the server. Either it
20879 actively refused it or it timed out after Ta-(TR+Tw) ms.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020880 Check the session termination flags, then check the
20881 "timeout connect" setting. Note that the tarpit action might
20882 return similar-looking patterns, with "Tw" equal to the time
20883 the client connection was maintained open.
20884
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020885 TR/Tw/Tc/-1/Ta The server has accepted the connection but did not return
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030020886 a complete response in time, or it closed its connection
Thierry FOURNIER / OZON.IO4cac3592016-07-28 17:19:45 +020020887 unexpectedly after Ta-(TR+Tw+Tc) ms. Check the session
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020888 termination flags, then check the "timeout server" setting.
20889
20890
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200208918.5. Session state at disconnection
20892-----------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020893
20894TCP and HTTP logs provide a session termination indicator in the
20895"termination_state" field, just before the number of active connections. It is
208962-characters long in TCP mode, and is extended to 4 characters in HTTP mode,
20897each of which has a special meaning :
20898
20899 - On the first character, a code reporting the first event which caused the
20900 session to terminate :
20901
20902 C : the TCP session was unexpectedly aborted by the client.
20903
20904 S : the TCP session was unexpectedly aborted by the server, or the
20905 server explicitly refused it.
20906
20907 P : the session was prematurely aborted by the proxy, because of a
20908 connection limit enforcement, because a DENY filter was matched,
20909 because of a security check which detected and blocked a dangerous
20910 error in server response which might have caused information leak
Davor Ocelice9ed2812017-12-25 17:49:28 +010020911 (e.g. cacheable cookie).
Willy Tarreau570f2212013-06-10 16:42:09 +020020912
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020913 L : the session was locally processed by HAProxy and was not passed to
Willy Tarreau570f2212013-06-10 16:42:09 +020020914 a server. This is what happens for stats and redirects.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020915
20916 R : a resource on the proxy has been exhausted (memory, sockets, source
20917 ports, ...). Usually, this appears during the connection phase, and
20918 system logs should contain a copy of the precise error. If this
20919 happens, it must be considered as a very serious anomaly which
20920 should be fixed as soon as possible by any means.
20921
20922 I : an internal error was identified by the proxy during a self-check.
20923 This should NEVER happen, and you are encouraged to report any log
20924 containing this, because this would almost certainly be a bug. It
20925 would be wise to preventively restart the process after such an
20926 event too, in case it would be caused by memory corruption.
20927
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020928 D : the session was killed by HAProxy because the server was detected
Simon Horman752dc4a2011-06-21 14:34:59 +090020929 as down and was configured to kill all connections when going down.
20930
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020931 U : the session was killed by HAProxy on this backup server because an
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070020932 active server was detected as up and was configured to kill all
20933 backup connections when going up.
20934
Daniel Corbett9f0843f2021-05-08 10:50:37 -040020935 K : the session was actively killed by an admin operating on HAProxy.
Willy Tarreaua2a64e92011-09-07 23:01:56 +020020936
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020937 c : the client-side timeout expired while waiting for the client to
20938 send or receive data.
20939
20940 s : the server-side timeout expired while waiting for the server to
20941 send or receive data.
20942
20943 - : normal session completion, both the client and the server closed
20944 with nothing left in the buffers.
20945
20946 - on the second character, the TCP or HTTP session state when it was closed :
20947
Willy Tarreauf7b30a92010-12-06 22:59:17 +010020948 R : the proxy was waiting for a complete, valid REQUEST from the client
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020949 (HTTP mode only). Nothing was sent to any server.
20950
20951 Q : the proxy was waiting in the QUEUE for a connection slot. This can
20952 only happen when servers have a 'maxconn' parameter set. It can
20953 also happen in the global queue after a redispatch consecutive to
20954 a failed attempt to connect to a dying server. If no redispatch is
20955 reported, then no connection attempt was made to any server.
20956
20957 C : the proxy was waiting for the CONNECTION to establish on the
20958 server. The server might at most have noticed a connection attempt.
20959
20960 H : the proxy was waiting for complete, valid response HEADERS from the
20961 server (HTTP only).
20962
20963 D : the session was in the DATA phase.
20964
20965 L : the proxy was still transmitting LAST data to the client while the
20966 server had already finished. This one is very rare as it can only
20967 happen when the client dies while receiving the last packets.
20968
20969 T : the request was tarpitted. It has been held open with the client
20970 during the whole "timeout tarpit" duration or until the client
20971 closed, both of which will be reported in the "Tw" timer.
20972
20973 - : normal session completion after end of data transfer.
20974
20975 - the third character tells whether the persistence cookie was provided by
20976 the client (only in HTTP mode) :
20977
20978 N : the client provided NO cookie. This is usually the case for new
20979 visitors, so counting the number of occurrences of this flag in the
20980 logs generally indicate a valid trend for the site frequentation.
20981
20982 I : the client provided an INVALID cookie matching no known server.
20983 This might be caused by a recent configuration change, mixed
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +020020984 cookies between HTTP/HTTPS sites, persistence conditionally
20985 ignored, or an attack.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020986
20987 D : the client provided a cookie designating a server which was DOWN,
20988 so either "option persist" was used and the client was sent to
20989 this server, or it was not set and the client was redispatched to
20990 another server.
20991
Willy Tarreau996a92c2010-10-13 19:30:47 +020020992 V : the client provided a VALID cookie, and was sent to the associated
Willy Tarreaucc6c8912009-02-22 10:53:55 +010020993 server.
20994
Willy Tarreau996a92c2010-10-13 19:30:47 +020020995 E : the client provided a valid cookie, but with a last date which was
20996 older than what is allowed by the "maxidle" cookie parameter, so
20997 the cookie is consider EXPIRED and is ignored. The request will be
20998 redispatched just as if there was no cookie.
20999
21000 O : the client provided a valid cookie, but with a first date which was
21001 older than what is allowed by the "maxlife" cookie parameter, so
21002 the cookie is consider too OLD and is ignored. The request will be
21003 redispatched just as if there was no cookie.
21004
Willy Tarreauc89ccb62012-04-05 21:18:22 +020021005 U : a cookie was present but was not used to select the server because
21006 some other server selection mechanism was used instead (typically a
21007 "use-server" rule).
21008
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021009 - : does not apply (no cookie set in configuration).
21010
21011 - the last character reports what operations were performed on the persistence
21012 cookie returned by the server (only in HTTP mode) :
21013
21014 N : NO cookie was provided by the server, and none was inserted either.
21015
21016 I : no cookie was provided by the server, and the proxy INSERTED one.
21017 Note that in "cookie insert" mode, if the server provides a cookie,
21018 it will still be overwritten and reported as "I" here.
21019
Willy Tarreau996a92c2010-10-13 19:30:47 +020021020 U : the proxy UPDATED the last date in the cookie that was presented by
21021 the client. This can only happen in insert mode with "maxidle". It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030021022 happens every time there is activity at a different date than the
Willy Tarreau996a92c2010-10-13 19:30:47 +020021023 date indicated in the cookie. If any other change happens, such as
21024 a redispatch, then the cookie will be marked as inserted instead.
21025
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021026 P : a cookie was PROVIDED by the server and transmitted as-is.
21027
21028 R : the cookie provided by the server was REWRITTEN by the proxy, which
21029 happens in "cookie rewrite" or "cookie prefix" modes.
21030
21031 D : the cookie provided by the server was DELETED by the proxy.
21032
21033 - : does not apply (no cookie set in configuration).
21034
Willy Tarreau996a92c2010-10-13 19:30:47 +020021035The combination of the two first flags gives a lot of information about what
21036was happening when the session terminated, and why it did terminate. It can be
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021037helpful to detect server saturation, network troubles, local system resource
21038starvation, attacks, etc...
21039
21040The most common termination flags combinations are indicated below. They are
21041alphabetically sorted, with the lowercase set just after the upper case for
21042easier finding and understanding.
21043
21044 Flags Reason
21045
21046 -- Normal termination.
21047
21048 CC The client aborted before the connection could be established to the
Daniel Corbett9f0843f2021-05-08 10:50:37 -040021049 server. This can happen when HAProxy tries to connect to a recently
21050 dead (or unchecked) server, and the client aborts while HAProxy is
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021051 waiting for the server to respond or for "timeout connect" to expire.
21052
21053 CD The client unexpectedly aborted during data transfer. This can be
21054 caused by a browser crash, by an intermediate equipment between the
Daniel Corbett9f0843f2021-05-08 10:50:37 -040021055 client and HAProxy which decided to actively break the connection,
21056 by network routing issues between the client and HAProxy, or by a
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021057 keep-alive session between the server and the client terminated first
21058 by the client.
Willy Tarreaud72758d2010-01-12 10:42:19 +010021059
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021060 cD The client did not send nor acknowledge any data for as long as the
21061 "timeout client" delay. This is often caused by network failures on
Cyril Bontédc4d9032012-04-08 21:57:39 +020021062 the client side, or the client simply leaving the net uncleanly.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021063
21064 CH The client aborted while waiting for the server to start responding.
21065 It might be the server taking too long to respond or the client
21066 clicking the 'Stop' button too fast.
21067
21068 cH The "timeout client" stroke while waiting for client data during a
21069 POST request. This is sometimes caused by too large TCP MSS values
21070 for PPPoE networks which cannot transport full-sized packets. It can
21071 also happen when client timeout is smaller than server timeout and
21072 the server takes too long to respond.
21073
21074 CQ The client aborted while its session was queued, waiting for a server
21075 with enough empty slots to accept it. It might be that either all the
21076 servers were saturated or that the assigned server was taking too
21077 long a time to respond.
21078
21079 CR The client aborted before sending a full HTTP request. Most likely
21080 the request was typed by hand using a telnet client, and aborted
21081 too early. The HTTP status code is likely a 400 here. Sometimes this
Daniel Corbett9f0843f2021-05-08 10:50:37 -040021082 might also be caused by an IDS killing the connection between HAProxy
Willy Tarreau0f228a02015-05-01 15:37:53 +020021083 and the client. "option http-ignore-probes" can be used to ignore
21084 connections without any data transfer.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021085
21086 cR The "timeout http-request" stroke before the client sent a full HTTP
21087 request. This is sometimes caused by too large TCP MSS values on the
21088 client side for PPPoE networks which cannot transport full-sized
21089 packets, or by clients sending requests by hand and not typing fast
21090 enough, or forgetting to enter the empty line at the end of the
Willy Tarreau2705a612014-05-23 17:38:34 +020021091 request. The HTTP status code is likely a 408 here. Note: recently,
Willy Tarreau0f228a02015-05-01 15:37:53 +020021092 some browsers started to implement a "pre-connect" feature consisting
21093 in speculatively connecting to some recently visited web sites just
21094 in case the user would like to visit them. This results in many
21095 connections being established to web sites, which end up in 408
21096 Request Timeout if the timeout strikes first, or 400 Bad Request when
21097 the browser decides to close them first. These ones pollute the log
21098 and feed the error counters. Some versions of some browsers have even
21099 been reported to display the error code. It is possible to work
Davor Ocelice9ed2812017-12-25 17:49:28 +010021100 around the undesirable effects of this behavior by adding "option
Willy Tarreau0f228a02015-05-01 15:37:53 +020021101 http-ignore-probes" in the frontend, resulting in connections with
21102 zero data transfer to be totally ignored. This will definitely hide
21103 the errors of people experiencing connectivity issues though.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021104
21105 CT The client aborted while its session was tarpitted. It is important to
21106 check if this happens on valid requests, in order to be sure that no
Willy Tarreau55165fe2009-05-10 12:02:55 +020021107 wrong tarpit rules have been written. If a lot of them happen, it
21108 might make sense to lower the "timeout tarpit" value to something
21109 closer to the average reported "Tw" timer, in order not to consume
21110 resources for just a few attackers.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021111
Daniel Corbett9f0843f2021-05-08 10:50:37 -040021112 LR The request was intercepted and locally handled by HAProxy. Generally
Willy Tarreau570f2212013-06-10 16:42:09 +020021113 it means that this was a redirect or a stats request.
21114
Daniel Corbett9f0843f2021-05-08 10:50:37 -040021115 SC The server or an equipment between it and HAProxy explicitly refused
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021116 the TCP connection (the proxy received a TCP RST or an ICMP message
21117 in return). Under some circumstances, it can also be the network
Davor Ocelice9ed2812017-12-25 17:49:28 +010021118 stack telling the proxy that the server is unreachable (e.g. no route,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021119 or no ARP response on local network). When this happens in HTTP mode,
21120 the status code is likely a 502 or 503 here.
21121
21122 sC The "timeout connect" stroke before a connection to the server could
21123 complete. When this happens in HTTP mode, the status code is likely a
21124 503 or 504 here.
21125
21126 SD The connection to the server died with an error during the data
Daniel Corbett9f0843f2021-05-08 10:50:37 -040021127 transfer. This usually means that HAProxy has received an RST from
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021128 the server or an ICMP message from an intermediate equipment while
21129 exchanging data with the server. This can be caused by a server crash
21130 or by a network issue on an intermediate equipment.
21131
21132 sD The server did not send nor acknowledge any data for as long as the
21133 "timeout server" setting during the data phase. This is often caused
Davor Ocelice9ed2812017-12-25 17:49:28 +010021134 by too short timeouts on L4 equipment before the server (firewalls,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021135 load-balancers, ...), as well as keep-alive sessions maintained
Daniel Corbett9f0843f2021-05-08 10:50:37 -040021136 between the client and the server expiring first on HAProxy.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021137
21138 SH The server aborted before sending its full HTTP response headers, or
21139 it crashed while processing the request. Since a server aborting at
21140 this moment is very rare, it would be wise to inspect its logs to
21141 control whether it crashed and why. The logged request may indicate a
21142 small set of faulty requests, demonstrating bugs in the application.
21143 Sometimes this might also be caused by an IDS killing the connection
Daniel Corbett9f0843f2021-05-08 10:50:37 -040021144 between HAProxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021145
21146 sH The "timeout server" stroke before the server could return its
21147 response headers. This is the most common anomaly, indicating too
21148 long transactions, probably caused by server or database saturation.
21149 The immediate workaround consists in increasing the "timeout server"
21150 setting, but it is important to keep in mind that the user experience
21151 will suffer from these long response times. The only long term
21152 solution is to fix the application.
21153
21154 sQ The session spent too much time in queue and has been expired. See
21155 the "timeout queue" and "timeout connect" settings to find out how to
21156 fix this if it happens too often. If it often happens massively in
21157 short periods, it may indicate general problems on the affected
21158 servers due to I/O or database congestion, or saturation caused by
21159 external attacks.
21160
21161 PC The proxy refused to establish a connection to the server because the
Thayne McCombscdbcca92021-01-07 21:24:41 -070021162 process's socket limit has been reached while attempting to connect.
Cyril Bontédc4d9032012-04-08 21:57:39 +020021163 The global "maxconn" parameter may be increased in the configuration
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021164 so that it does not happen anymore. This status is very rare and
21165 might happen when the global "ulimit-n" parameter is forced by hand.
21166
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010021167 PD The proxy blocked an incorrectly formatted chunked encoded message in
21168 a request or a response, after the server has emitted its headers. In
21169 most cases, this will indicate an invalid message from the server to
Davor Ocelice9ed2812017-12-25 17:49:28 +010021170 the client. HAProxy supports chunk sizes of up to 2GB - 1 (2147483647
Willy Tarreauf3a3e132013-08-31 08:16:26 +020021171 bytes). Any larger size will be considered as an error.
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010021172
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021173 PH The proxy blocked the server's response, because it was invalid,
21174 incomplete, dangerous (cache control), or matched a security filter.
21175 In any case, an HTTP 502 error is sent to the client. One possible
21176 cause for this error is an invalid syntax in an HTTP header name
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010021177 containing unauthorized characters. It is also possible but quite
21178 rare, that the proxy blocked a chunked-encoding request from the
21179 client due to an invalid syntax, before the server responded. In this
21180 case, an HTTP 400 error is sent to the client and reported in the
21181 logs.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021182
21183 PR The proxy blocked the client's HTTP request, either because of an
21184 invalid HTTP syntax, in which case it returned an HTTP 400 error to
21185 the client, or because a deny filter matched, in which case it
21186 returned an HTTP 403 error.
21187
21188 PT The proxy blocked the client's request and has tarpitted its
21189 connection before returning it a 500 server error. Nothing was sent
21190 to the server. The connection was maintained open for as long as
21191 reported by the "Tw" timer field.
21192
21193 RC A local resource has been exhausted (memory, sockets, source ports)
21194 preventing the connection to the server from establishing. The error
21195 logs will tell precisely what was missing. This is very rare and can
21196 only be solved by proper system tuning.
21197
Willy Tarreau996a92c2010-10-13 19:30:47 +020021198The combination of the two last flags gives a lot of information about how
Daniel Corbett9f0843f2021-05-08 10:50:37 -040021199persistence was handled by the client, the server and by HAProxy. This is very
Willy Tarreau996a92c2010-10-13 19:30:47 +020021200important to troubleshoot disconnections, when users complain they have to
21201re-authenticate. The commonly encountered flags are :
21202
21203 -- Persistence cookie is not enabled.
21204
21205 NN No cookie was provided by the client, none was inserted in the
21206 response. For instance, this can be in insert mode with "postonly"
21207 set on a GET request.
21208
21209 II A cookie designating an invalid server was provided by the client,
21210 a valid one was inserted in the response. This typically happens when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040021211 a "server" entry is removed from the configuration, since its cookie
Willy Tarreau996a92c2010-10-13 19:30:47 +020021212 value can be presented by a client when no other server knows it.
21213
21214 NI No cookie was provided by the client, one was inserted in the
21215 response. This typically happens for first requests from every user
21216 in "insert" mode, which makes it an easy way to count real users.
21217
21218 VN A cookie was provided by the client, none was inserted in the
21219 response. This happens for most responses for which the client has
21220 already got a cookie.
21221
21222 VU A cookie was provided by the client, with a last visit date which is
21223 not completely up-to-date, so an updated cookie was provided in
21224 response. This can also happen if there was no date at all, or if
21225 there was a date but the "maxidle" parameter was not set, so that the
21226 cookie can be switched to unlimited time.
21227
21228 EI A cookie was provided by the client, with a last visit date which is
21229 too old for the "maxidle" parameter, so the cookie was ignored and a
21230 new cookie was inserted in the response.
21231
21232 OI A cookie was provided by the client, with a first visit date which is
21233 too old for the "maxlife" parameter, so the cookie was ignored and a
21234 new cookie was inserted in the response.
21235
21236 DI The server designated by the cookie was down, a new server was
21237 selected and a new cookie was emitted in the response.
21238
21239 VI The server designated by the cookie was not marked dead but could not
21240 be reached. A redispatch happened and selected another one, which was
21241 then advertised in the response.
21242
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021243
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200212448.6. Non-printable characters
21245-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021246
21247In order not to cause trouble to log analysis tools or terminals during log
21248consulting, non-printable characters are not sent as-is into log files, but are
21249converted to the two-digits hexadecimal representation of their ASCII code,
21250prefixed by the character '#'. The only characters that can be logged without
21251being escaped are comprised between 32 and 126 (inclusive). Obviously, the
21252escape character '#' itself is also encoded to avoid any ambiguity ("#23"). It
21253is the same for the character '"' which becomes "#22", as well as '{', '|' and
21254'}' when logging headers.
21255
21256Note that the space character (' ') is not encoded in headers, which can cause
21257issues for tools relying on space count to locate fields. A typical header
21258containing spaces is "User-Agent".
21259
21260Last, it has been observed that some syslog daemons such as syslog-ng escape
21261the quote ('"') with a backslash ('\'). The reverse operation can safely be
21262performed since no quote may appear anywhere else in the logs.
21263
21264
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200212658.7. Capturing HTTP cookies
21266---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021267
21268Cookie capture simplifies the tracking a complete user session. This can be
21269achieved using the "capture cookie" statement in the frontend. Please refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +020021270section 4.2 for more details. Only one cookie can be captured, and the same
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021271cookie will simultaneously be checked in the request ("Cookie:" header) and in
21272the response ("Set-Cookie:" header). The respective values will be reported in
21273the HTTP logs at the "captured_request_cookie" and "captured_response_cookie"
Willy Tarreauc57f0e22009-05-10 13:12:33 +020021274locations (see section 8.2.3 about HTTP log format). When either cookie is
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021275not seen, a dash ('-') replaces the value. This way, it's easy to detect when a
21276user switches to a new session for example, because the server will reassign it
21277a new cookie. It is also possible to detect if a server unexpectedly sets a
21278wrong cookie to a client, leading to session crossing.
21279
21280 Examples :
21281 # capture the first cookie whose name starts with "ASPSESSION"
21282 capture cookie ASPSESSION len 32
21283
21284 # capture the first cookie whose name is exactly "vgnvisitor"
21285 capture cookie vgnvisitor= len 32
21286
21287
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200212888.8. Capturing HTTP headers
21289---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021290
21291Header captures are useful to track unique request identifiers set by an upper
21292proxy, virtual host names, user-agents, POST content-length, referrers, etc. In
21293the response, one can search for information about the response length, how the
21294server asked the cache to behave, or an object location during a redirection.
21295
21296Header captures are performed using the "capture request header" and "capture
21297response header" statements in the frontend. Please consult their definition in
Willy Tarreauc57f0e22009-05-10 13:12:33 +020021298section 4.2 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021299
21300It is possible to include both request headers and response headers at the same
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010021301time. Non-existent headers are logged as empty strings, and if one header
21302appears more than once, only its last occurrence will be logged. Request headers
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021303are grouped within braces '{' and '}' in the same order as they were declared,
21304and delimited with a vertical bar '|' without any space. Response headers
21305follow the same representation, but are displayed after a space following the
21306request headers block. These blocks are displayed just before the HTTP request
21307in the logs.
21308
Willy Tarreaud9ed3d22014-06-13 12:23:06 +020021309As a special case, it is possible to specify an HTTP header capture in a TCP
21310frontend. The purpose is to enable logging of headers which will be parsed in
21311an HTTP backend if the request is then switched to this HTTP backend.
21312
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021313 Example :
21314 # This instance chains to the outgoing proxy
21315 listen proxy-out
21316 mode http
21317 option httplog
21318 option logasap
21319 log global
21320 server cache1 192.168.1.1:3128
21321
21322 # log the name of the virtual server
21323 capture request header Host len 20
21324
21325 # log the amount of data uploaded during a POST
21326 capture request header Content-Length len 10
21327
21328 # log the beginning of the referrer
21329 capture request header Referer len 20
21330
21331 # server name (useful for outgoing proxies only)
21332 capture response header Server len 20
21333
21334 # logging the content-length is useful with "option logasap"
21335 capture response header Content-Length len 10
21336
Davor Ocelice9ed2812017-12-25 17:49:28 +010021337 # log the expected cache behavior on the response
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021338 capture response header Cache-Control len 8
21339
21340 # the Via header will report the next proxy's name
21341 capture response header Via len 20
21342
21343 # log the URL location during a redirection
21344 capture response header Location len 20
21345
21346 >>> Aug 9 20:26:09 localhost \
21347 haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] proxy-out \
21348 proxy-out/cache1 0/0/0/162/+162 200 +350 - - ---- 0/0/0/0/0 0/0 \
21349 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} \
21350 "GET http://fr.adserver.yahoo.com/"
21351
21352 >>> Aug 9 20:30:46 localhost \
21353 haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] proxy-out \
21354 proxy-out/cache1 0/0/0/182/+182 200 +279 - - ---- 0/0/0/0/0 0/0 \
21355 {w.ods.org||} {Formilux/0.1.8|3495|||} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010021356 "GET http://trafic.1wt.eu/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021357
21358 >>> Aug 9 20:30:46 localhost \
21359 haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] proxy-out \
21360 proxy-out/cache1 0/0/2/126/+128 301 +223 - - ---- 0/0/0/0/0 0/0 \
21361 {www.sytadin.equipement.gouv.fr||http://trafic.1wt.eu/} \
21362 {Apache|230|||http://www.sytadin.} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010021363 "GET http://www.sytadin.equipement.gouv.fr/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021364
21365
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200213668.9. Examples of logs
21367---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021368
21369These are real-world examples of logs accompanied with an explanation. Some of
21370them have been made up by hand. The syslog part has been removed for better
21371reading. Their sole purpose is to explain how to decipher them.
21372
21373 >>> haproxy[674]: 127.0.0.1:33318 [15/Oct/2003:08:31:57.130] px-http \
21374 px-http/srv1 6559/0/7/147/6723 200 243 - - ---- 5/3/3/1/0 0/0 \
21375 "HEAD / HTTP/1.0"
21376
21377 => long request (6.5s) entered by hand through 'telnet'. The server replied
21378 in 147 ms, and the session ended normally ('----')
21379
21380 >>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57.149] px-http \
21381 px-http/srv1 6559/1230/7/147/6870 200 243 - - ---- 324/239/239/99/0 \
21382 0/9 "HEAD / HTTP/1.0"
21383
21384 => Idem, but the request was queued in the global queue behind 9 other
21385 requests, and waited there for 1230 ms.
21386
21387 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.654] px-http \
21388 px-http/srv1 9/0/7/14/+30 200 +243 - - ---- 3/3/3/1/0 0/0 \
21389 "GET /image.iso HTTP/1.0"
21390
21391 => request for a long data transfer. The "logasap" option was specified, so
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010021392 the log was produced just before transferring data. The server replied in
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021393 14 ms, 243 bytes of headers were sent to the client, and total time from
21394 accept to first data byte is 30 ms.
21395
21396 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.925] px-http \
21397 px-http/srv1 9/0/7/14/30 502 243 - - PH-- 3/2/2/0/0 0/0 \
21398 "GET /cgi-bin/bug.cgi? HTTP/1.0"
21399
Christopher Faulet87f1f3d2019-07-18 14:51:20 +020021400 => the proxy blocked a server response either because of an "http-response
21401 deny" rule, or because the response was improperly formatted and not
21402 HTTP-compliant, or because it blocked sensitive information which risked
21403 being cached. In this case, the response is replaced with a "502 bad
Daniel Corbett9f0843f2021-05-08 10:50:37 -040021404 gateway". The flags ("PH--") tell us that it was HAProxy who decided to
Christopher Faulet87f1f3d2019-07-18 14:51:20 +020021405 return the 502 and not the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021406
21407 >>> haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55.798] px-http \
Willy Tarreaud72758d2010-01-12 10:42:19 +010021408 px-http/<NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 2/2/2/0/0 0/0 ""
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021409
21410 => the client never completed its request and aborted itself ("C---") after
21411 8.5s, while the proxy was waiting for the request headers ("-R--").
21412 Nothing was sent to any server.
21413
21414 >>> haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06.103] px-http \
21415 px-http/<NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2/2/0/0 0/0 ""
21416
21417 => The client never completed its request, which was aborted by the
21418 time-out ("c---") after 50s, while the proxy was waiting for the request
Davor Ocelice9ed2812017-12-25 17:49:28 +010021419 headers ("-R--"). Nothing was sent to any server, but the proxy could
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021420 send a 408 return code to the client.
21421
21422 >>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28.312] px-tcp \
21423 px-tcp/srv1 0/0/5007 0 cD 0/0/0/0/0 0/0
21424
21425 => This log was produced with "option tcplog". The client timed out after
21426 5 seconds ("c----").
21427
21428 >>> haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31.462] px-http \
21429 px-http/srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 205/202/202/115/3 \
Willy Tarreaud72758d2010-01-12 10:42:19 +010021430 0/0 "HEAD / HTTP/1.0"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021431
21432 => The request took 3s to complete (probably a network problem), and the
Willy Tarreauc57f0e22009-05-10 13:12:33 +020021433 connection to the server failed ('SC--') after 4 attempts of 2 seconds
Willy Tarreaucc6c8912009-02-22 10:53:55 +010021434 (config says 'retries 3'), and no redispatch (otherwise we would have
21435 seen "/+3"). Status code 503 was returned to the client. There were 115
21436 connections on this server, 202 connections on this proxy, and 205 on
21437 the global process. It is possible that the server refused the
21438 connection because of too many already established.
Willy Tarreau844e3c52008-01-11 16:28:18 +010021439
Willy Tarreau52b2d222011-09-07 23:48:48 +020021440
Christopher Fauletc3fe5332016-04-07 15:30:10 +0200214419. Supported filters
21442--------------------
21443
21444Here are listed officially supported filters with the list of parameters they
21445accept. Depending on compile options, some of these filters might be
21446unavailable. The list of available filters is reported in haproxy -vv.
21447
21448See also : "filter"
21449
214509.1. Trace
21451----------
21452
Christopher Fauletc41d8bd2020-11-17 10:43:26 +010021453filter trace [name <name>] [random-forwarding] [hexdump]
Christopher Fauletc3fe5332016-04-07 15:30:10 +020021454
21455 Arguments:
21456 <name> is an arbitrary name that will be reported in
21457 messages. If no name is provided, "TRACE" is used.
21458
Christopher Faulet96a577a2020-11-17 10:45:05 +010021459 <quiet> inhibits trace messages.
Christopher Fauletc3fe5332016-04-07 15:30:10 +020021460
Davor Ocelice9ed2812017-12-25 17:49:28 +010021461 <random-forwarding> enables the random forwarding of parsed data. By
Christopher Fauletc3fe5332016-04-07 15:30:10 +020021462 default, this filter forwards all previously parsed
21463 data. With this parameter, it only forwards a random
21464 amount of the parsed data.
21465
Davor Ocelice9ed2812017-12-25 17:49:28 +010021466 <hexdump> dumps all forwarded data to the server and the client.
Christopher Faulet31bfe1f2016-12-09 17:42:38 +010021467
Christopher Fauletc3fe5332016-04-07 15:30:10 +020021468This filter can be used as a base to develop new filters. It defines all
21469callbacks and print a message on the standard error stream (stderr) with useful
21470information for all of them. It may be useful to debug the activity of other
21471filters or, quite simply, HAProxy's activity.
21472
21473Using <random-parsing> and/or <random-forwarding> parameters is a good way to
21474tests the behavior of a filter that parses data exchanged between a client and
21475a server by adding some latencies in the processing.
21476
21477
214789.2. HTTP compression
21479---------------------
21480
21481filter compression
21482
21483The HTTP compression has been moved in a filter in HAProxy 1.7. "compression"
21484keyword must still be used to enable and configure the HTTP compression. And
Christopher Fauletb30b3102019-09-12 23:03:09 +020021485when no other filter is used, it is enough. When used with the cache or the
21486fcgi-app enabled, it is also enough. In this case, the compression is always
21487done after the response is stored in the cache. But it is mandatory to
21488explicitly use a filter line to enable the HTTP compression when at least one
21489filter other than the cache or the fcgi-app is used for the same
21490listener/frontend/backend. This is important to know the filters evaluation
21491order.
Christopher Fauletc3fe5332016-04-07 15:30:10 +020021492
Christopher Fauletb30b3102019-09-12 23:03:09 +020021493See also : "compression", section 9.4 about the cache filter and section 9.5
21494 about the fcgi-app filter.
Christopher Fauletc3fe5332016-04-07 15:30:10 +020021495
21496
Christopher Fauletf7e4e7e2016-10-27 22:29:49 +0200214979.3. Stream Processing Offload Engine (SPOE)
21498--------------------------------------------
21499
21500filter spoe [engine <name>] config <file>
21501
21502 Arguments :
21503
21504 <name> is the engine name that will be used to find the right scope in
21505 the configuration file. If not provided, all the file will be
21506 parsed.
21507
21508 <file> is the path of the engine configuration file. This file can
21509 contain configuration of several engines. In this case, each
21510 part must be placed in its own scope.
21511
21512The Stream Processing Offload Engine (SPOE) is a filter communicating with
21513external components. It allows the offload of some specifics processing on the
Davor Ocelice9ed2812017-12-25 17:49:28 +010021514streams in tiered applications. These external components and information
Christopher Fauletf7e4e7e2016-10-27 22:29:49 +020021515exchanged with them are configured in dedicated files, for the main part. It
21516also requires dedicated backends, defined in HAProxy configuration.
21517
21518SPOE communicates with external components using an in-house binary protocol,
21519the Stream Processing Offload Protocol (SPOP).
21520
Tim Düsterhus4896c442016-11-29 02:15:19 +010021521For all information about the SPOE configuration and the SPOP specification, see
Christopher Fauletf7e4e7e2016-10-27 22:29:49 +020021522"doc/SPOE.txt".
21523
Christopher Faulet99a17a22018-12-11 09:18:27 +0100215249.4. Cache
21525----------
21526
21527filter cache <name>
21528
21529 Arguments :
21530
21531 <name> is name of the cache section this filter will use.
21532
21533The cache uses a filter to store cacheable responses. The HTTP rules
21534"cache-store" and "cache-use" must be used to define how and when to use a
John Roeslerfb2fce12019-07-10 15:45:51 -050021535cache. By default the corresponding filter is implicitly defined. And when no
Christopher Fauletb30b3102019-09-12 23:03:09 +020021536other filters than fcgi-app or compression are used, it is enough. In such
21537case, the compression filter is always evaluated after the cache filter. But it
21538is mandatory to explicitly use a filter line to use a cache when at least one
21539filter other than the compression or the fcgi-app is used for the same
Christopher Faulet27d93c32018-12-15 22:32:02 +010021540listener/frontend/backend. This is important to know the filters evaluation
21541order.
Christopher Faulet99a17a22018-12-11 09:18:27 +010021542
Christopher Fauletb30b3102019-09-12 23:03:09 +020021543See also : section 9.2 about the compression filter, section 9.5 about the
21544 fcgi-app filter and section 6 about cache.
21545
21546
215479.5. Fcgi-app
21548-------------
21549
Daniel Corbett67a82712020-07-06 23:01:19 -040021550filter fcgi-app <name>
Christopher Fauletb30b3102019-09-12 23:03:09 +020021551
21552 Arguments :
21553
21554 <name> is name of the fcgi-app section this filter will use.
21555
21556The FastCGI application uses a filter to evaluate all custom parameters on the
21557request path, and to process the headers on the response path. the <name> must
21558reference an existing fcgi-app section. The directive "use-fcgi-app" should be
21559used to define the application to use. By default the corresponding filter is
21560implicitly defined. And when no other filters than cache or compression are
21561used, it is enough. But it is mandatory to explicitly use a filter line to a
21562fcgi-app when at least one filter other than the compression or the cache is
21563used for the same backend. This is important to know the filters evaluation
21564order.
21565
21566See also: "use-fcgi-app", section 9.2 about the compression filter, section 9.4
21567 about the cache filter and section 10 about FastCGI application.
21568
21569
Miroslav Zagoracdc32cd92020-12-13 18:32:57 +0100215709.6. OpenTracing
21571----------------
21572
21573The OpenTracing filter adds native support for using distributed tracing in
21574HAProxy. This is enabled by sending an OpenTracing compliant request to one
21575of the supported tracers such as Datadog, Jaeger, Lightstep and Zipkin tracers.
21576Please note: tracers are not listed by any preference, but alphabetically.
21577
Daniel Corbett9f0843f2021-05-08 10:50:37 -040021578This feature is only enabled when HAProxy was built with USE_OT=1.
Miroslav Zagoracdc32cd92020-12-13 18:32:57 +010021579
21580The OpenTracing filter activation is done explicitly by specifying it in the
21581HAProxy configuration. If this is not done, the OpenTracing filter in no way
21582participates in the work of HAProxy.
21583
21584filter opentracing [id <id>] config <file>
21585
21586 Arguments :
21587
21588 <id> is the OpenTracing filter id that will be used to find the
21589 right scope in the configuration file. If no filter id is
21590 specified, 'ot-filter' is used as default. If scope is not
21591 specified in the configuration file, it applies to all defined
21592 OpenTracing filters.
21593
21594 <file> is the path of the OpenTracing configuration file. The same
21595 file can contain configurations for multiple OpenTracing
21596 filters simultaneously. In that case we do not need to define
21597 scope so the same configuration applies to all filters or each
21598 filter must have its own scope defined.
21599
21600More detailed documentation related to the operation, configuration and use
Willy Tarreaua63d1a02021-04-02 17:16:46 +020021601of the filter can be found in the addons/ot directory.
Miroslav Zagoracdc32cd92020-12-13 18:32:57 +010021602
21603
Christopher Fauletb30b3102019-09-12 23:03:09 +02002160410. FastCGI applications
21605-------------------------
21606
21607HAProxy is able to send HTTP requests to Responder FastCGI applications. This
21608feature was added in HAProxy 2.1. To do so, servers must be configured to use
21609the FastCGI protocol (using the keyword "proto fcgi" on the server line) and a
21610FastCGI application must be configured and used by the backend managing these
21611servers (using the keyword "use-fcgi-app" into the proxy section). Several
21612FastCGI applications may be defined, but only one can be used at a time by a
21613backend.
21614
21615HAProxy implements all features of the FastCGI specification for Responder
21616application. Especially it is able to multiplex several requests on a simple
21617connection.
21618
2161910.1. Setup
21620-----------
21621
2162210.1.1. Fcgi-app section
21623--------------------------
21624
21625fcgi-app <name>
21626 Declare a FastCGI application named <name>. To be valid, at least the
21627 document root must be defined.
21628
21629acl <aclname> <criterion> [flags] [operator] <value> ...
21630 Declare or complete an access list.
21631
21632 See "acl" keyword in section 4.2 and section 7 about ACL usage for
21633 details. ACLs defined for a FastCGI application are private. They cannot be
21634 used by any other application or by any proxy. In the same way, ACLs defined
21635 in any other section are not usable by a FastCGI application. However,
21636 Pre-defined ACLs are available.
21637
21638docroot <path>
21639 Define the document root on the remote host. <path> will be used to build
21640 the default value of FastCGI parameters SCRIPT_FILENAME and
21641 PATH_TRANSLATED. It is a mandatory setting.
21642
21643index <script-name>
21644 Define the script name that will be appended after an URI that ends with a
21645 slash ("/") to set the default value of the FastCGI parameter SCRIPT_NAME. It
21646 is an optional setting.
21647
21648 Example :
21649 index index.php
21650
21651log-stderr global
21652log-stderr <address> [len <length>] [format <format>]
Jan Wagner3e678602020-12-17 22:22:32 +010021653 [sample <ranges>:<sample_size>] <facility> [<level> [<minlevel>]]
Christopher Fauletb30b3102019-09-12 23:03:09 +020021654 Enable logging of STDERR messages reported by the FastCGI application.
21655
21656 See "log" keyword in section 4.2 for details. It is an optional setting. By
21657 default STDERR messages are ignored.
21658
21659pass-header <name> [ { if | unless } <condition> ]
21660 Specify the name of a request header which will be passed to the FastCGI
21661 application. It may optionally be followed by an ACL-based condition, in
21662 which case it will only be evaluated if the condition is true.
21663
21664 Most request headers are already available to the FastCGI application,
21665 prefixed with "HTTP_". Thus, this directive is only required to pass headers
21666 that are purposefully omitted. Currently, the headers "Authorization",
21667 "Proxy-Authorization" and hop-by-hop headers are omitted.
21668
21669 Note that the headers "Content-type" and "Content-length" are never passed to
21670 the FastCGI application because they are already converted into parameters.
21671
21672path-info <regex>
Christopher Faulet28cb3662020-02-14 14:47:37 +010021673 Define a regular expression to extract the script-name and the path-info from
Christopher Faulet6c57f2d2020-02-14 16:55:52 +010021674 the URL-decoded path. Thus, <regex> may have two captures: the first one to
21675 capture the script name and the second one to capture the path-info. The
21676 first one is mandatory, the second one is optional. This way, it is possible
21677 to extract the script-name from the path ignoring the path-info. It is an
21678 optional setting. If it is not defined, no matching is performed on the
21679 path. and the FastCGI parameters PATH_INFO and PATH_TRANSLATED are not
21680 filled.
Christopher Faulet28cb3662020-02-14 14:47:37 +010021681
21682 For security reason, when this regular expression is defined, the newline and
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050021683 the null characters are forbidden from the path, once URL-decoded. The reason
Christopher Faulet28cb3662020-02-14 14:47:37 +010021684 to such limitation is because otherwise the matching always fails (due to a
21685 limitation one the way regular expression are executed in HAProxy). So if one
21686 of these two characters is found in the URL-decoded path, an error is
21687 returned to the client. The principle of least astonishment is applied here.
Christopher Fauletb30b3102019-09-12 23:03:09 +020021688
21689 Example :
Christopher Faulet6c57f2d2020-02-14 16:55:52 +010021690 path-info ^(/.+\.php)(/.*)?$ # both script-name and path-info may be set
21691 path-info ^(/.+\.php) # the path-info is ignored
Christopher Fauletb30b3102019-09-12 23:03:09 +020021692
21693option get-values
21694no option get-values
21695 Enable or disable the retrieve of variables about connection management.
21696
Daniel Corbett67a82712020-07-06 23:01:19 -040021697 HAProxy is able to send the record FCGI_GET_VALUES on connection
Christopher Fauletb30b3102019-09-12 23:03:09 +020021698 establishment to retrieve the value for following variables:
21699
21700 * FCGI_MAX_REQS The maximum number of concurrent requests this
21701 application will accept.
21702
William Lallemand93e548e2019-09-30 13:54:02 +020021703 * FCGI_MPXS_CONNS "0" if this application does not multiplex connections,
21704 "1" otherwise.
Christopher Fauletb30b3102019-09-12 23:03:09 +020021705
21706 Some FastCGI applications does not support this feature. Some others close
Ilya Shipitsin11057a32020-06-21 21:18:27 +050021707 the connection immediately after sending their response. So, by default, this
Christopher Fauletb30b3102019-09-12 23:03:09 +020021708 option is disabled.
21709
21710 Note that the maximum number of concurrent requests accepted by a FastCGI
21711 application is a connection variable. It only limits the number of streams
21712 per connection. If the global load must be limited on the application, the
21713 server parameters "maxconn" and "pool-max-conn" must be set. In addition, if
21714 an application does not support connection multiplexing, the maximum number
21715 of concurrent requests is automatically set to 1.
21716
21717option keep-conn
21718no option keep-conn
21719 Instruct the FastCGI application to keep the connection open or not after
21720 sending a response.
21721
21722 If disabled, the FastCGI application closes the connection after responding
21723 to this request. By default, this option is enabled.
21724
21725option max-reqs <reqs>
21726 Define the maximum number of concurrent requests this application will
21727 accept.
21728
21729 This option may be overwritten if the variable FCGI_MAX_REQS is retrieved
21730 during connection establishment. Furthermore, if the application does not
21731 support connection multiplexing, this option will be ignored. By default set
21732 to 1.
21733
21734option mpxs-conns
21735no option mpxs-conns
21736 Enable or disable the support of connection multiplexing.
21737
21738 This option may be overwritten if the variable FCGI_MPXS_CONNS is retrieved
21739 during connection establishment. It is disabled by default.
21740
21741set-param <name> <fmt> [ { if | unless } <condition> ]
21742 Set a FastCGI parameter that should be passed to this application. Its
21743 value, defined by <fmt> must follows the log-format rules (see section 8.2.4
21744 "Custom Log format"). It may optionally be followed by an ACL-based
21745 condition, in which case it will only be evaluated if the condition is true.
21746
21747 With this directive, it is possible to overwrite the value of default FastCGI
21748 parameters. If the value is evaluated to an empty string, the rule is
21749 ignored. These directives are evaluated in their declaration order.
21750
21751 Example :
21752 # PHP only, required if PHP was built with --enable-force-cgi-redirect
21753 set-param REDIRECT_STATUS 200
21754
21755 set-param PHP_AUTH_DIGEST %[req.hdr(Authorization)]
21756
21757
2175810.1.2. Proxy section
21759---------------------
21760
21761use-fcgi-app <name>
21762 Define the FastCGI application to use for the backend.
21763
21764 Arguments :
21765 <name> is the name of the FastCGI application to use.
21766
21767 This keyword is only available for HTTP proxies with the backend capability
21768 and with at least one FastCGI server. However, FastCGI servers can be mixed
21769 with HTTP servers. But except there is a good reason to do so, it is not
21770 recommended (see section 10.3 about the limitations for details). Only one
21771 application may be defined at a time per backend.
21772
21773 Note that, once a FastCGI application is referenced for a backend, depending
21774 on the configuration some processing may be done even if the request is not
21775 sent to a FastCGI server. Rules to set parameters or pass headers to an
21776 application are evaluated.
21777
21778
2177910.1.3. Example
21780---------------
21781
21782 frontend front-http
21783 mode http
21784 bind *:80
21785 bind *:
21786
21787 use_backend back-dynamic if { path_reg ^/.+\.php(/.*)?$ }
21788 default_backend back-static
21789
21790 backend back-static
21791 mode http
21792 server www A.B.C.D:80
21793
21794 backend back-dynamic
21795 mode http
21796 use-fcgi-app php-fpm
21797 server php-fpm A.B.C.D:9000 proto fcgi
21798
21799 fcgi-app php-fpm
21800 log-stderr global
21801 option keep-conn
21802
21803 docroot /var/www/my-app
21804 index index.php
21805 path-info ^(/.+\.php)(/.*)?$
21806
21807
2180810.2. Default parameters
21809------------------------
21810
21811A Responder FastCGI application has the same purpose as a CGI/1.1 program. In
21812the CGI/1.1 specification (RFC3875), several variables must be passed to the
Ilya Shipitsin8525fd92020-02-29 12:34:59 +050021813script. So HAProxy set them and some others commonly used by FastCGI
Christopher Fauletb30b3102019-09-12 23:03:09 +020021814applications. All these variables may be overwritten, with caution though.
21815
21816 +-------------------+-----------------------------------------------------+
21817 | AUTH_TYPE | Identifies the mechanism, if any, used by HAProxy |
21818 | | to authenticate the user. Concretely, only the |
21819 | | BASIC authentication mechanism is supported. |
21820 | | |
21821 +-------------------+-----------------------------------------------------+
21822 | CONTENT_LENGTH | Contains the size of the message-body attached to |
21823 | | the request. It means only requests with a known |
21824 | | size are considered as valid and sent to the |
21825 | | application. |
21826 | | |
21827 +-------------------+-----------------------------------------------------+
21828 | CONTENT_TYPE | Contains the type of the message-body attached to |
21829 | | the request. It may not be set. |
21830 | | |
21831 +-------------------+-----------------------------------------------------+
21832 | DOCUMENT_ROOT | Contains the document root on the remote host under |
21833 | | which the script should be executed, as defined in |
21834 | | the application's configuration. |
21835 | | |
21836 +-------------------+-----------------------------------------------------+
21837 | GATEWAY_INTERFACE | Contains the dialect of CGI being used by HAProxy |
21838 | | to communicate with the FastCGI application. |
21839 | | Concretely, it is set to "CGI/1.1". |
21840 | | |
21841 +-------------------+-----------------------------------------------------+
21842 | PATH_INFO | Contains the portion of the URI path hierarchy |
21843 | | following the part that identifies the script |
21844 | | itself. To be set, the directive "path-info" must |
21845 | | be defined. |
21846 | | |
21847 +-------------------+-----------------------------------------------------+
21848 | PATH_TRANSLATED | If PATH_INFO is set, it is its translated version. |
21849 | | It is the concatenation of DOCUMENT_ROOT and |
21850 | | PATH_INFO. If PATH_INFO is not set, this parameters |
21851 | | is not set too. |
21852 | | |
21853 +-------------------+-----------------------------------------------------+
21854 | QUERY_STRING | Contains the request's query string. It may not be |
21855 | | set. |
21856 | | |
21857 +-------------------+-----------------------------------------------------+
21858 | REMOTE_ADDR | Contains the network address of the client sending |
21859 | | the request. |
21860 | | |
21861 +-------------------+-----------------------------------------------------+
21862 | REMOTE_USER | Contains the user identification string supplied by |
21863 | | client as part of user authentication. |
21864 | | |
21865 +-------------------+-----------------------------------------------------+
21866 | REQUEST_METHOD | Contains the method which should be used by the |
21867 | | script to process the request. |
21868 | | |
21869 +-------------------+-----------------------------------------------------+
21870 | REQUEST_URI | Contains the request's URI. |
21871 | | |
21872 +-------------------+-----------------------------------------------------+
21873 | SCRIPT_FILENAME | Contains the absolute pathname of the script. it is |
21874 | | the concatenation of DOCUMENT_ROOT and SCRIPT_NAME. |
21875 | | |
21876 +-------------------+-----------------------------------------------------+
21877 | SCRIPT_NAME | Contains the name of the script. If the directive |
21878 | | "path-info" is defined, it is the first part of the |
21879 | | URI path hierarchy, ending with the script name. |
21880 | | Otherwise, it is the entire URI path. |
21881 | | |
21882 +-------------------+-----------------------------------------------------+
21883 | SERVER_NAME | Contains the name of the server host to which the |
21884 | | client request is directed. It is the value of the |
21885 | | header "Host", if defined. Otherwise, the |
21886 | | destination address of the connection on the client |
21887 | | side. |
21888 | | |
21889 +-------------------+-----------------------------------------------------+
21890 | SERVER_PORT | Contains the destination TCP port of the connection |
21891 | | on the client side, which is the port the client |
21892 | | connected to. |
21893 | | |
21894 +-------------------+-----------------------------------------------------+
21895 | SERVER_PROTOCOL | Contains the request's protocol. |
21896 | | |
21897 +-------------------+-----------------------------------------------------+
21898 | HTTPS | Set to a non-empty value ("on") if the script was |
21899 | | queried through the HTTPS protocol. |
21900 | | |
21901 +-------------------+-----------------------------------------------------+
21902
21903
2190410.3. Limitations
21905------------------
21906
21907The current implementation have some limitations. The first one is about the
21908way some request headers are hidden to the FastCGI applications. This happens
21909during the headers analysis, on the backend side, before the connection
21910establishment. At this stage, HAProxy know the backend is using a FastCGI
21911application but it don't know if the request will be routed to a FastCGI server
21912or not. But to hide request headers, it simply removes them from the HTX
21913message. So, if the request is finally routed to an HTTP server, it never see
21914these headers. For this reason, it is not recommended to mix FastCGI servers
21915and HTTP servers under the same backend.
21916
21917Similarly, the rules "set-param" and "pass-header" are evaluated during the
21918request headers analysis. So the evaluation is always performed, even if the
21919requests is finally forwarded to an HTTP server.
21920
21921About the rules "set-param", when a rule is applied, a pseudo header is added
21922into the HTX message. So, the same way than for HTTP header rewrites, it may
21923fail if the buffer is full. The rules "set-param" will compete with
21924"http-request" ones.
21925
21926Finally, all FastCGI params and HTTP headers are sent into a unique record
21927FCGI_PARAM. Encoding of this record must be done in one pass, otherwise a
21928processing error is returned. It means the record FCGI_PARAM, once encoded,
21929must not exceeds the size of a buffer. However, there is no reserve to respect
21930here.
William Lallemand86d0df02017-11-24 21:36:45 +010021931
Emeric Brunce325c42021-04-02 17:05:09 +020021932
2193311. Address formats
21934-------------------
21935
21936Several statements as "bind, "server", "nameserver" and "log" requires an
21937address.
21938
21939This address can be a host name, an IPv4 address, an IPv6 address, or '*'.
21940The '*' is equal to the special address "0.0.0.0" and can be used, in the case
21941of "bind" or "dgram-bind" to listen on all IPv4 of the system.The IPv6
21942equivalent is '::'.
21943
21944Depending of the statement, a port or port range follows the IP address. This
21945is mandatory on 'bind' statement, optional on 'server'.
21946
21947This address can also begin with a slash '/'. It is considered as the "unix"
21948family, and '/' and following characters must be present the path.
21949
21950Default socket type or transport method "datagram" or "stream" depends on the
21951configuration statement showing the address. Indeed, 'bind' and 'server' will
21952use a "stream" socket type by default whereas 'log', 'nameserver' or
21953'dgram-bind' will use a "datagram".
21954
21955Optionally, a prefix could be used to force the address family and/or the
21956socket type and the transport method.
21957
21958
2195911.1 Address family prefixes
21960----------------------------
21961
21962'abns@<name>' following <name> is an abstract namespace (Linux only).
21963
21964'fd@<n>' following address is a file descriptor <n> inherited from the
21965 parent. The fd must be bound and may or may not already be
21966 listening.
21967
21968'ip@<address>[:port1[-port2]]' following <address> is considered as an IPv4 or
21969 IPv6 address depending on the syntax. Depending
21970 on the statement using this address, a port or
21971 a port range may or must be specified.
21972
21973'ipv4@<address>[:port1[-port2]]' following <address> is always considered as
21974 an IPv4 address. Depending on the statement
21975 using this address, a port or a port range
21976 may or must be specified.
21977
21978'ipv6@<address>[:port1[-port2]]' following <address> is always considered as
21979 an IPv6 address. Depending on the statement
21980 using this address, a port or a port range
21981 may or must be specified.
21982
21983'sockpair@<n>' following address is the file descriptor of a connected unix
21984 socket or of a socketpair. During a connection, the initiator
21985 creates a pair of connected sockets, and passes one of them
21986 over the FD to the other end. The listener waits to receive
21987 the FD from the unix socket and uses it as if it were the FD
21988 of an accept(). Should be used carefully.
21989
21990'unix@<path>' following string is considered as a UNIX socket <path>. this
21991 prefix is useful to declare an UNIX socket path which don't
21992 start by slash '/'.
21993
21994
2199511.2 Socket type prefixes
21996-------------------------
21997
21998Previous "Address family prefixes" can also be prefixed to force the socket
21999type and the transport method. The default depends of the statement using
22000this address but in some cases the user may force it to a different one.
22001This is the case for "log" statement where the default is syslog over UDP
22002but we could force to use syslog over TCP.
22003
22004Those prefixes were designed for internal purpose and users should
22005instead use aliases of the next section "11.5.3 Protocol prefixes".
22006
22007If users need one those prefixes to perform what they expect because
22008they can not configure the same using the protocol prefixes, they should
22009report this to the maintainers.
22010
22011'stream+<family>@<address>' forces socket type and transport method
22012 to "stream"
22013
22014'dgram+<family>@<address>' forces socket type and transport method
22015 to "datagram".
22016
22017
2201811.3 Protocol prefixes
22019----------------------
22020
22021'tcp@<address>[:port1[-port2]]' following <address> is considered as an IPv4
22022 or IPv6 address depending of the syntax but
22023 socket type and transport method is forced to
22024 "stream". Depending on the statement using
22025 this address, a port or a port range can or
22026 must be specified. It is considered as an alias
22027 of 'stream+ip@'.
22028
22029'tcp4@<address>[:port1[-port2]]' following <address> is always considered as
22030 an IPv4 address but socket type and transport
22031 method is forced to "stream". Depending on the
22032 statement using this address, a port or port
22033 range can or must be specified.
22034 It is considered as an alias of 'stream+ipv4@'.
22035
22036'tcp6@<address>[:port1[-port2]]' following <address> is always considered as
22037 an IPv6 address but socket type and transport
22038 method is forced to "stream". Depending on the
22039 statement using this address, a port or port
22040 range can or must be specified.
22041 It is considered as an alias of 'stream+ipv4@'.
22042
22043'udp@<address>[:port1[-port2]]' following <address> is considered as an IPv4
22044 or IPv6 address depending of the syntax but
22045 socket type and transport method is forced to
22046 "datagram". Depending on the statement using
22047 this address, a port or a port range can or
22048 must be specified. It is considered as an alias
22049 of 'dgram+ip@'.
22050
22051'udp4@<address>[:port1[-port2]]' following <address> is always considered as
22052 an IPv4 address but socket type and transport
22053 method is forced to "datagram". Depending on
22054 the statement using this address, a port or
22055 port range can or must be specified.
22056 It is considered as an alias of 'stream+ipv4@'.
22057
22058'udp6@<address>[:port1[-port2]]' following <address> is always considered as
22059 an IPv6 address but socket type and transport
22060 method is forced to "datagram". Depending on
22061 the statement using this address, a port or
22062 port range can or must be specified.
22063 It is considered as an alias of 'stream+ipv4@'.
22064
22065'uxdg@<path>' following string is considered as a unix socket <path> but
22066 transport method is forced to "datagram". It is considered as
22067 an alias of 'dgram+unix@'.
22068
22069'uxst@<path>' following string is considered as a unix socket <path> but
22070 transport method is forced to "stream". It is considered as
22071 an alias of 'stream+unix@'.
22072
22073In future versions, other prefixes could be used to specify protocols like
22074QUIC which proposes stream transport based on socket of type "datagram".
22075
Willy Tarreau0ba27502007-12-24 16:55:16 +010022076/*
22077 * Local variables:
22078 * fill-column: 79
22079 * End:
22080 */