blob: 88752333b35e6aae59d0d093d2d22d2d52c696a6 [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
2 HAProxy
3 Configuration Manual
4 ----------------------
Willy Tarreau79158882009-06-09 11:59:08 +02005 version 1.4
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreaub05613d2010-02-02 10:18:28 +01007 2010/02/02
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
17 This document is formated with 80 columns per line, with even number of
18 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
21 ('\') and continue on next line. If you add sections, please update the
22 summary below for easier searching.
23
24
25Summary
26-------
27
281. Quick reminder about HTTP
291.1. The HTTP transaction model
301.2. HTTP request
311.2.1. The Request line
321.2.2. The request headers
331.3. HTTP response
341.3.1. The Response line
351.3.2. The response headers
36
372. Configuring HAProxy
382.1. Configuration file format
392.2. Time format
40
413. Global parameters
423.1. Process management and security
433.2. Performance tuning
443.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100453.4. Userlists
Willy Tarreauc57f0e22009-05-10 13:12:33 +020046
474. Proxies
484.1. Proxy keywords matrix
494.2. Alphabetically sorted keywords reference
50
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +0100515. Server and default-server options
Willy Tarreauc57f0e22009-05-10 13:12:33 +020052
536. HTTP header manipulation
54
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100557. Using ACLs and pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200567.1. Matching integers
577.2. Matching strings
587.3. Matching regular expressions (regexes)
597.4. Matching IPv4 addresses
607.5. Available matching criteria
617.5.1. Matching at Layer 4 and below
627.5.2. Matching contents at Layer 4
637.5.3. Matching at Layer 7
647.6. Pre-defined ACLs
657.7. Using ACLs to form conditions
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100667.8. Pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +020067
688. Logging
698.1. Log levels
708.2. Log formats
718.2.1. Default log format
728.2.2. TCP log format
738.2.3. HTTP log format
748.3. Advanced logging options
758.3.1. Disabling logging of external tests
768.3.2. Logging before waiting for the session to terminate
778.3.3. Raising log level upon errors
788.3.4. Disabling logging of successful connections
798.4. Timing events
808.5. Session state at disconnection
818.6. Non-printable characters
828.7. Capturing HTTP cookies
838.8. Capturing HTTP headers
848.9. Examples of logs
85
869. Statistics and monitoring
879.1. CSV format
889.2. Unix Socket commands
89
90
911. Quick reminder about HTTP
92----------------------------
93
94When haproxy is running in HTTP mode, both the request and the response are
95fully analyzed and indexed, thus it becomes possible to build matching criteria
96on almost anything found in the contents.
97
98However, it is important to understand how HTTP requests and responses are
99formed, and how HAProxy decomposes them. It will then become easier to write
100correct rules and to debug existing configurations.
101
102
1031.1. The HTTP transaction model
104-------------------------------
105
106The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100107to one and only one response. Traditionally, a TCP connection is established
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200108from the client to the server, a request is sent by the client on the
109connection, the server responds and the connection is closed. A new request
110will involve a new connection :
111
112 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
113
114In this mode, called the "HTTP close" mode, there are as many connection
115establishments as there are HTTP transactions. Since the connection is closed
116by the server after the response, the client does not need to know the content
117length.
118
119Due to the transactional nature of the protocol, it was possible to improve it
120to avoid closing a connection between two subsequent transactions. In this mode
121however, it is mandatory that the server indicates the content length for each
122response so that the client does not wait indefinitely. For this, a special
123header is used: "Content-length". This mode is called the "keep-alive" mode :
124
125 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
126
127Its advantages are a reduced latency between transactions, and less processing
128power required on the server side. It is generally better than the close mode,
129but not always because the clients often limit their concurrent connections to
130a smaller value. HAProxy currently does not support the HTTP keep-alive mode,
131but knows how to transform it to the close mode.
132
133A last improvement in the communications is the pipelining mode. It still uses
134keep-alive, but the client does not wait for the first response to send the
135second request. This is useful for fetching large number of images composing a
136page :
137
138 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
139
140This can obviously have a tremendous benefit on performance because the network
141latency is eliminated between subsequent requests. Many HTTP agents do not
142correctly support pipelining since there is no way to associate a response with
143the corresponding request in HTTP. For this reason, it is mandatory for the
144server to reply in the exact same order as the requests were received.
145
146Right now, HAProxy only supports the first mode (HTTP close) if it needs to
147process the request. This means that for each request, there will be one TCP
148connection. If keep-alive or pipelining are required, HAProxy will still
149support them, but will only see the first request and the first response of
150each transaction. While this is generally problematic with regards to logs,
151content switching or filtering, it most often causes no problem for persistence
152with cookie insertion.
153
154
1551.2. HTTP request
156-----------------
157
158First, let's consider this HTTP request :
159
160 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100161 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200162 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
163 2 Host: www.mydomain.com
164 3 User-agent: my small browser
165 4 Accept: image/jpeg, image/gif
166 5 Accept: image/png
167
168
1691.2.1. The Request line
170-----------------------
171
172Line 1 is the "request line". It is always composed of 3 fields :
173
174 - a METHOD : GET
175 - a URI : /serv/login.php?lang=en&profile=2
176 - a version tag : HTTP/1.1
177
178All of them are delimited by what the standard calls LWS (linear white spaces),
179which are commonly spaces, but can also be tabs or line feeds/carriage returns
180followed by spaces/tabs. The method itself cannot contain any colon (':') and
181is limited to alphabetic letters. All those various combinations make it
182desirable that HAProxy performs the splitting itself rather than leaving it to
183the user to write a complex or inaccurate regular expression.
184
185The URI itself can have several forms :
186
187 - A "relative URI" :
188
189 /serv/login.php?lang=en&profile=2
190
191 It is a complete URL without the host part. This is generally what is
192 received by servers, reverse proxies and transparent proxies.
193
194 - An "absolute URI", also called a "URL" :
195
196 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
197
198 It is composed of a "scheme" (the protocol name followed by '://'), a host
199 name or address, optionally a colon (':') followed by a port number, then
200 a relative URI beginning at the first slash ('/') after the address part.
201 This is generally what proxies receive, but a server supporting HTTP/1.1
202 must accept this form too.
203
204 - a star ('*') : this form is only accepted in association with the OPTIONS
205 method and is not relayable. It is used to inquiry a next hop's
206 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100207
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200208 - an address:port combination : 192.168.0.12:80
209 This is used with the CONNECT method, which is used to establish TCP
210 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
211 other protocols too.
212
213In a relative URI, two sub-parts are identified. The part before the question
214mark is called the "path". It is typically the relative path to static objects
215on the server. The part after the question mark is called the "query string".
216It is mostly used with GET requests sent to dynamic scripts and is very
217specific to the language, framework or application in use.
218
219
2201.2.2. The request headers
221--------------------------
222
223The headers start at the second line. They are composed of a name at the
224beginning of the line, immediately followed by a colon (':'). Traditionally,
225an LWS is added after the colon but that's not required. Then come the values.
226Multiple identical headers may be folded into one single line, delimiting the
227values with commas, provided that their order is respected. This is commonly
228encountered in the "Cookie:" field. A header may span over multiple lines if
229the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
230define a total of 3 values for the "Accept:" header.
231
232Contrary to a common mis-conception, header names are not case-sensitive, and
233their values are not either if they refer to other header names (such as the
234"Connection:" header).
235
236The end of the headers is indicated by the first empty line. People often say
237that it's a double line feed, which is not exact, even if a double line feed
238is one valid form of empty line.
239
240Fortunately, HAProxy takes care of all these complex combinations when indexing
241headers, checking values and counting them, so there is no reason to worry
242about the way they could be written, but it is important not to accuse an
243application of being buggy if it does unusual, valid things.
244
245Important note:
246 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
247 in the middle of headers by LWS in order to join multi-line headers. This
248 is necessary for proper analysis and helps less capable HTTP parsers to work
249 correctly and not to be fooled by such complex constructs.
250
251
2521.3. HTTP response
253------------------
254
255An HTTP response looks very much like an HTTP request. Both are called HTTP
256messages. Let's consider this HTTP response :
257
258 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100259 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200260 1 HTTP/1.1 200 OK
261 2 Content-length: 350
262 3 Content-Type: text/html
263
Willy Tarreau816b9792009-09-15 21:25:21 +0200264As a special case, HTTP supports so called "Informational responses" as status
265codes 1xx. These messages are special in that they don't convey any part of the
266response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100267continue to post its request for instance. In the case of a status 100 response
268the requested information will be carried by the next non-100 response message
269following the informational one. This implies that multiple responses may be
270sent to a single request, and that this only works when keep-alive is enabled
271(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
272correctly forward and skip them, and only process the next non-100 response. As
273such, these messages are neither logged nor transformed, unless explicitly
274state otherwise. Status 101 messages indicate that the protocol is changing
275over the same connection and that haproxy must switch to tunnel mode, just as
276if a CONNECT had occurred. Then the Upgrade header would contain additional
277information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200278
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200279
2801.3.1. The Response line
281------------------------
282
283Line 1 is the "response line". It is always composed of 3 fields :
284
285 - a version tag : HTTP/1.1
286 - a status code : 200
287 - a reason : OK
288
289The status code is always 3-digit. The first digit indicates a general status :
Willy Tarreau816b9792009-09-15 21:25:21 +0200290 - 1xx = informational message to be skipped (eg: 100, 101)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200291 - 2xx = OK, content is following (eg: 200, 206)
292 - 3xx = OK, no content following (eg: 302, 304)
293 - 4xx = error caused by the client (eg: 401, 403, 404)
294 - 5xx = error caused by the server (eg: 500, 502, 503)
295
296Please refer to RFC2616 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100297"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200298found there, but it's a common practice to respect the well-established
299messages. It can be composed of one or multiple words, such as "OK", "Found",
300or "Authentication Required".
301
302Haproxy may emit the following status codes by itself :
303
304 Code When / reason
305 200 access to stats page, and when replying to monitoring requests
306 301 when performing a redirection, depending on the configured code
307 302 when performing a redirection, depending on the configured code
308 303 when performing a redirection, depending on the configured code
309 400 for an invalid or too large request
310 401 when an authentication is required to perform the action (when
311 accessing the stats page)
312 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
313 408 when the request timeout strikes before the request is complete
314 500 when haproxy encounters an unrecoverable internal error, such as a
315 memory allocation failure, which should never happen
316 502 when the server returns an empty, invalid or incomplete response, or
317 when an "rspdeny" filter blocks the response.
318 503 when no server was available to handle the request, or in response to
319 monitoring requests which match the "monitor fail" condition
320 504 when the response timeout strikes before the server responds
321
322The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3234.2).
324
325
3261.3.2. The response headers
327---------------------------
328
329Response headers work exactly like request headers, and as such, HAProxy uses
330the same parsing function for both. Please refer to paragraph 1.2.2 for more
331details.
332
333
3342. Configuring HAProxy
335----------------------
336
3372.1. Configuration file format
338------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200339
340HAProxy's configuration process involves 3 major sources of parameters :
341
342 - the arguments from the command-line, which always take precedence
343 - the "global" section, which sets process-wide parameters
344 - the proxies sections which can take form of "defaults", "listen",
345 "frontend" and "backend".
346
Willy Tarreau0ba27502007-12-24 16:55:16 +0100347The configuration file syntax consists in lines beginning with a keyword
348referenced in this manual, optionally followed by one or several parameters
349delimited by spaces. If spaces have to be entered in strings, then they must be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100350preceded by a backslash ('\') to be escaped. Backslashes also have to be
Willy Tarreau0ba27502007-12-24 16:55:16 +0100351escaped by doubling them.
352
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200353
3542.2. Time format
355----------------
356
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100357Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100358values are generally expressed in milliseconds (unless explicitly stated
359otherwise) but may be expressed in any other unit by suffixing the unit to the
360numeric value. It is important to consider this because it will not be repeated
361for every keyword. Supported units are :
362
363 - us : microseconds. 1 microsecond = 1/1000000 second
364 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
365 - s : seconds. 1s = 1000ms
366 - m : minutes. 1m = 60s = 60000ms
367 - h : hours. 1h = 60m = 3600s = 3600000ms
368 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
369
370
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003713. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200372--------------------
373
374Parameters in the "global" section are process-wide and often OS-specific. They
375are generally set once for all and do not need being changed once correct. Some
376of them have command-line equivalents.
377
378The following keywords are supported in the "global" section :
379
380 * Process management and security
381 - chroot
382 - daemon
383 - gid
384 - group
385 - log
386 - nbproc
387 - pidfile
388 - uid
389 - ulimit-n
390 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200391 - stats
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200392 - node
393 - description
Willy Tarreaud72758d2010-01-12 10:42:19 +0100394
Willy Tarreau6a06a402007-07-15 20:15:28 +0200395 * Performance tuning
396 - maxconn
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100397 - maxpipes
Willy Tarreau6a06a402007-07-15 20:15:28 +0200398 - noepoll
399 - nokqueue
400 - nopoll
401 - nosepoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100402 - nosplice
Willy Tarreaufe255b72007-10-14 23:09:26 +0200403 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200404 - tune.bufsize
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100405 - tune.maxaccept
406 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200407 - tune.maxrewrite
Willy Tarreaue803de22010-01-21 17:43:04 +0100408 - tune.rcvbuf.client
409 - tune.rcvbuf.server
410 - tune.sndbuf.client
411 - tune.sndbuf.server
Willy Tarreaud72758d2010-01-12 10:42:19 +0100412
Willy Tarreau6a06a402007-07-15 20:15:28 +0200413 * Debugging
414 - debug
415 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200416
417
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004183.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200419------------------------------------
420
421chroot <jail dir>
422 Changes current directory to <jail dir> and performs a chroot() there before
423 dropping privileges. This increases the security level in case an unknown
424 vulnerability would be exploited, since it would make it very hard for the
425 attacker to exploit the system. This only works when the process is started
426 with superuser privileges. It is important to ensure that <jail_dir> is both
427 empty and unwritable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100428
Willy Tarreau6a06a402007-07-15 20:15:28 +0200429daemon
430 Makes the process fork into background. This is the recommended mode of
431 operation. It is equivalent to the command line "-D" argument. It can be
432 disabled by the command line "-db" argument.
433
434gid <number>
435 Changes the process' group ID to <number>. It is recommended that the group
436 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
437 be started with a user belonging to this group, or with superuser privileges.
438 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100439
Willy Tarreau6a06a402007-07-15 20:15:28 +0200440group <group name>
441 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
442 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100443
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200444log <address> <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200445 Adds a global syslog server. Up to two global servers can be defined. They
446 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100447 configured with "log global".
448
449 <address> can be one of:
450
Willy Tarreau2769aa02007-12-27 18:26:09 +0100451 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100452 no port is specified, 514 is used by default (the standard syslog
453 port).
454
455 - A filesystem path to a UNIX domain socket, keeping in mind
456 considerations for chroot (be sure the path is accessible inside
457 the chroot) and uid/gid (be sure the path is appropriately
458 writeable).
459
460 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200461
462 kern user mail daemon auth syslog lpr news
463 uucp cron auth2 ftp ntp audit alert cron2
464 local0 local1 local2 local3 local4 local5 local6 local7
465
466 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200467 all messages are sent. If a maximum level is specified, only messages with a
468 severity at least as important as this level will be sent. An optional minimum
469 level can be specified. If it is set, logs emitted with a more severe level
470 than this one will be capped to this level. This is used to avoid sending
471 "emerg" messages on all terminals on some default syslog configurations.
472 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200473
474 emerg alert crit err warning notice info debug
475
476nbproc <number>
477 Creates <number> processes when going daemon. This requires the "daemon"
478 mode. By default, only one process is created, which is the recommended mode
479 of operation. For systems limited to small sets of file descriptors per
480 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
481 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
482
483pidfile <pidfile>
484 Writes pids of all daemons into file <pidfile>. This option is equivalent to
485 the "-p" command line argument. The file must be accessible to the user
486 starting the process. See also "daemon".
487
Willy Tarreaufbee7132007-10-18 13:53:22 +0200488stats socket <path> [{uid | user} <uid>] [{gid | group} <gid>] [mode <mode>]
Willy Tarreau6162db22009-10-10 17:13:00 +0200489 [level <level>]
490
Willy Tarreaufbee7132007-10-18 13:53:22 +0200491 Creates a UNIX socket in stream mode at location <path>. Any previously
492 existing socket will be backed up then replaced. Connections to this socket
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100493 will return various statistics outputs and even allow some commands to be
Willy Tarreau6162db22009-10-10 17:13:00 +0200494 issued. Please consult section 9.2 "Unix Socket commands" for more details.
495
496 An optional "level" parameter can be specified to restrict the nature of
497 the commands that can be issued on the socket :
498 - "user" is the least privileged level ; only non-sensitive stats can be
499 read, and no change is allowed. It would make sense on systems where it
500 is not easy to restrict access to the socket.
501
502 - "operator" is the default level and fits most common uses. All data can
503 be read, and only non-sensible changes are permitted (eg: clear max
504 counters).
505
506 - "admin" should be used with care, as everything is permitted (eg: clear
507 all counters).
Willy Tarreaua8efd362008-01-03 10:19:15 +0100508
509 On platforms which support it, it is possible to restrict access to this
510 socket by specifying numerical IDs after "uid" and "gid", or valid user and
511 group names after the "user" and "group" keywords. It is also possible to
512 restrict permissions on the socket by passing an octal value after the "mode"
513 keyword (same syntax as chmod). Depending on the platform, the permissions on
514 the socket will be inherited from the directory which hosts it, or from the
515 user the process is started with.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200516
517stats timeout <timeout, in milliseconds>
518 The default timeout on the stats socket is set to 10 seconds. It is possible
519 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100520 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200521
522stats maxconn <connections>
523 By default, the stats socket is limited to 10 concurrent connections. It is
524 possible to change this value with "stats maxconn".
525
Willy Tarreau6a06a402007-07-15 20:15:28 +0200526uid <number>
527 Changes the process' user ID to <number>. It is recommended that the user ID
528 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
529 be started with superuser privileges in order to be able to switch to another
530 one. See also "gid" and "user".
531
532ulimit-n <number>
533 Sets the maximum number of per-process file-descriptors to <number>. By
534 default, it is automatically computed, so it is recommended not to use this
535 option.
536
537user <user name>
538 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
539 See also "uid" and "group".
540
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200541node <name>
542 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
543
544 This statement is useful in HA configurations where two or more processes or
545 servers share the same IP address. By setting a different node-name on all
546 nodes, it becomes easy to immediately spot what server is handling the
547 traffic.
548
549description <text>
550 Add a text that describes the instance.
551
552 Please note that it is required to escape certain characters (# for example)
553 and this text is inserted into a html page so you should avoid using
554 "<" and ">" characters.
555
Willy Tarreau6a06a402007-07-15 20:15:28 +0200556
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005573.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200558-----------------------
559
560maxconn <number>
561 Sets the maximum per-process number of concurrent connections to <number>. It
562 is equivalent to the command-line argument "-n". Proxies will stop accepting
563 connections when this limit is reached. The "ulimit-n" parameter is
564 automatically adjusted according to this value. See also "ulimit-n".
565
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100566maxpipes <number>
567 Sets the maximum per-process number of pipes to <number>. Currently, pipes
568 are only used by kernel-based tcp splicing. Since a pipe contains two file
569 descriptors, the "ulimit-n" value will be increased accordingly. The default
570 value is maxconn/4, which seems to be more than enough for most heavy usages.
571 The splice code dynamically allocates and releases pipes, and can fall back
572 to standard copy, so setting this value too low may only impact performance.
573
Willy Tarreau6a06a402007-07-15 20:15:28 +0200574noepoll
575 Disables the use of the "epoll" event polling system on Linux. It is
576 equivalent to the command-line argument "-de". The next polling system
577 used will generally be "poll". See also "nosepoll", and "nopoll".
578
579nokqueue
580 Disables the use of the "kqueue" event polling system on BSD. It is
581 equivalent to the command-line argument "-dk". The next polling system
582 used will generally be "poll". See also "nopoll".
583
584nopoll
585 Disables the use of the "poll" event polling system. It is equivalent to the
586 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +0100587 It should never be needed to disable "poll" since it's available on all
Willy Tarreau6a06a402007-07-15 20:15:28 +0200588 platforms supported by HAProxy. See also "nosepoll", and "nopoll" and
589 "nokqueue".
590
591nosepoll
592 Disables the use of the "speculative epoll" event polling system on Linux. It
593 is equivalent to the command-line argument "-ds". The next polling system
594 used will generally be "epoll". See also "nosepoll", and "nopoll".
595
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100596nosplice
597 Disables the use of kernel tcp splicing between sockets on Linux. It is
598 equivalent to the command line argument "-dS". Data will then be copied
599 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100600 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100601 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
602 be used. This option makes it easier to globally disable kernel splicing in
603 case of doubt. See also "option splice-auto", "option splice-request" and
604 "option splice-response".
605
Willy Tarreaufe255b72007-10-14 23:09:26 +0200606spread-checks <0..50, in percent>
607 Sometimes it is desirable to avoid sending health checks to servers at exact
608 intervals, for instance when many logical servers are located on the same
609 physical server. With the help of this parameter, it becomes possible to add
610 some randomness in the check interval between 0 and +/- 50%. A value between
611 2 and 5 seems to show good results. The default value remains at 0.
612
Willy Tarreau27a674e2009-08-17 07:23:33 +0200613tune.bufsize <number>
614 Sets the buffer size to this size (in bytes). Lower values allow more
615 sessions to coexist in the same amount of RAM, and higher values allow some
616 applications with very large cookies to work. The default value is 16384 and
617 can be changed at build time. It is strongly recommended not to change this
618 from the default value, as very low values will break some services such as
619 statistics, and values larger than default size will increase memory usage,
620 possibly causing the system to run out of memory. At least the global maxconn
621 parameter should be decreased by the same factor as this one is increased.
622
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100623tune.maxaccept <number>
624 Sets the maximum number of consecutive accepts that a process may perform on
625 a single wake up. High values give higher priority to high connection rates,
626 while lower values give higher priority to already established connections.
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100627 This value is limited to 100 by default in single process mode. However, in
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100628 multi-process mode (nbproc > 1), it defaults to 8 so that when one process
629 wakes up, it does not take all incoming connections for itself and leaves a
Willy Tarreauf49d1df2009-03-01 08:35:41 +0100630 part of them to other processes. Setting this value to -1 completely disables
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100631 the limitation. It should normally not be needed to tweak this value.
632
633tune.maxpollevents <number>
634 Sets the maximum amount of events that can be processed at once in a call to
635 the polling system. The default value is adapted to the operating system. It
636 has been noticed that reducing it below 200 tends to slightly decrease
637 latency at the expense of network bandwidth, and increasing it above 200
638 tends to trade latency for slightly increased bandwidth.
639
Willy Tarreau27a674e2009-08-17 07:23:33 +0200640tune.maxrewrite <number>
641 Sets the reserved buffer space to this size in bytes. The reserved space is
642 used for header rewriting or appending. The first reads on sockets will never
643 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
644 bufsize, though that does not make much sense since there are rarely large
645 numbers of headers to add. Setting it too high prevents processing of large
646 requests or responses. Setting it too low prevents addition of new headers
647 to already large requests or to POST requests. It is generally wise to set it
648 to about 1024. It is automatically readjusted to half of bufsize if it is
649 larger than that. This means you don't have to worry about it when changing
650 bufsize.
651
Willy Tarreaue803de22010-01-21 17:43:04 +0100652tune.rcvbuf.client <number>
653tune.rcvbuf.server <number>
654 Forces the kernel socket receive buffer size on the client or the server side
655 to the specified value in bytes. This value applies to all TCP/HTTP frontends
656 and backends. It should normally never be set, and the default size (0) lets
657 the kernel autotune this value depending on the amount of available memory.
658 However it can sometimes help to set it to very low values (eg: 4096) in
659 order to save kernel memory by preventing it from buffering too large amounts
660 of received data. Lower values will significantly increase CPU usage though.
661
662tune.sndbuf.client <number>
663tune.sndbuf.server <number>
664 Forces the kernel socket send buffer size on the client or the server side to
665 the specified value in bytes. This value applies to all TCP/HTTP frontends
666 and backends. It should normally never be set, and the default size (0) lets
667 the kernel autotune this value depending on the amount of available memory.
668 However it can sometimes help to set it to very low values (eg: 4096) in
669 order to save kernel memory by preventing it from buffering too large amounts
670 of received data. Lower values will significantly increase CPU usage though.
671 Another use case is to prevent write timeouts with extremely slow clients due
672 to the kernel waiting for a large part of the buffer to be read before
673 notifying haproxy again.
674
Willy Tarreau6a06a402007-07-15 20:15:28 +0200675
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006763.3. Debugging
677--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200678
679debug
680 Enables debug mode which dumps to stdout all exchanges, and disables forking
681 into background. It is the equivalent of the command-line argument "-d". It
682 should never be used in a production configuration since it may prevent full
683 system startup.
684
685quiet
686 Do not display any message during startup. It is equivalent to the command-
687 line argument "-q".
688
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01006893.4. Userlists
690--------------
691It is possible to control access to frontend/backend/listen sections or to
692http stats by allowing only authenticated and authorized users. To do this,
693it is required to create at least one userlist and to define users.
694
695userlist <listname>
696 Creates new userlist with name <listname>. Many indepenend userlists can be
697 used to store authentication & authorization data for independent customers.
698
699group <groupname> [users <user>,<user>,(...)]
700 Adds group <gropname> to the current userlist. It is also possible to
701 attach users to this group by using a comma separated list of names
702 proceeded by "users" keyword.
703
704user <username> [password|insecure-password <password>] [groups <group>,<group>,(...)]
705 Adds user <username> to the current userlist. Both secure (encrypted) and
706 insecure (unencrypted) passwords can be used. Encrypted passwords are
707 evaluated using the crypt(3) function so dependig of the system's
708 capabilities, different algoritms are supported. For example modern Glibc
709 based Linux system supports MD5, SHA-256, SHA-512 and of course classic,
710 DES-based method of crypting passwords.
711
712
713 Example:
714 userlist L1
715 group G1 users tiger,scott
716 group G2 users xdb,scott
717
718 user tiger password $6$k6y3o.eP$JlKBx9za966ud67qe45NSQYf8Nw.XFuk8QVRevoLh1XPCQDCBPjcU2JtGBSS0MOQW2PFxHSwRv6J.C0/D7cV91
719 user scott insecure-password elgato
720 user xdb insecure-password hello
721
722 userlist L2
723 group G1
724 group G2
725
726 user tiger password $6$k6y3o.eP$JlKBx9za966ud67qe45NSQYf8Nw.XFuk8QVRevoLh1XPCQDCBPjcU2JtGBSS0MOQW2PFxHSwRv6J.C0/D7cV91 groups G1
727 user scott insecure-password elgato groups G1,G2
728 user xdb insecure-password hello groups G2
729
730 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200731
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007324. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +0200733----------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100734
Willy Tarreau6a06a402007-07-15 20:15:28 +0200735Proxy configuration can be located in a set of sections :
736 - defaults <name>
737 - frontend <name>
738 - backend <name>
739 - listen <name>
740
741A "defaults" section sets default parameters for all other sections following
742its declaration. Those default parameters are reset by the next "defaults"
743section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +0100744section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200745
746A "frontend" section describes a set of listening sockets accepting client
747connections.
748
749A "backend" section describes a set of servers to which the proxy will connect
750to forward incoming connections.
751
752A "listen" section defines a complete proxy with its frontend and backend
753parts combined in one section. It is generally useful for TCP-only traffic.
754
Willy Tarreau0ba27502007-12-24 16:55:16 +0100755All proxy names must be formed from upper and lower case letters, digits,
756'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
757case-sensitive, which means that "www" and "WWW" are two different proxies.
758
759Historically, all proxy names could overlap, it just caused troubles in the
760logs. Since the introduction of content switching, it is mandatory that two
761proxies with overlapping capabilities (frontend/backend) have different names.
762However, it is still permitted that a frontend and a backend share the same
763name, as this configuration seems to be commonly encountered.
764
765Right now, two major proxy modes are supported : "tcp", also known as layer 4,
766and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100767bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +0100768protocol, and can interact with it by allowing, blocking, switching, adding,
769modifying, or removing arbitrary contents in requests or responses, based on
770arbitrary criteria.
771
Willy Tarreau0ba27502007-12-24 16:55:16 +0100772
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007734.1. Proxy keywords matrix
774--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100775
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200776The following list of keywords is supported. Most of them may only be used in a
777limited set of section types. Some of them are marked as "deprecated" because
778they are inherited from an old syntax which may be confusing or functionally
779limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau3842f002009-06-14 11:39:52 +0200780listed with [no] can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200781option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +0200782and must be disabled for a specific instance. Such options may also be prefixed
783with "default" in order to restore default settings regardless of what has been
784specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100785
Willy Tarreau6a06a402007-07-15 20:15:28 +0200786
787keyword defaults frontend listen backend
788----------------------+----------+----------+---------+---------
Willy Tarreaud72758d2010-01-12 10:42:19 +0100789acl - X X X
790appsession - - X X
Willy Tarreauc73ce2b2008-01-06 10:55:10 +0100791backlog X X X -
Willy Tarreaud72758d2010-01-12 10:42:19 +0100792balance X - X X
793bind - X X -
794bind-process X X X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200795block - X X X
Willy Tarreau0ba27502007-12-24 16:55:16 +0100796capture cookie - X X -
797capture request header - X X -
798capture response header - X X -
Willy Tarreaue219db72007-12-03 01:30:13 +0100799clitimeout X X X - (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +0100800contimeout X - X X (deprecated)
Willy Tarreau6a06a402007-07-15 20:15:28 +0200801cookie X - X X
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +0100802default-server X - X X
Cyril Bonté99ed3272010-01-24 23:29:44 +0100803default_backend X X X -
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200804description - X X X
Willy Tarreau0ba27502007-12-24 16:55:16 +0100805disabled X X X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200806dispatch - - X X
Willy Tarreau0ba27502007-12-24 16:55:16 +0100807enabled X X X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200808errorfile X X X X
809errorloc X X X X
810errorloc302 X X X X
811errorloc303 X X X X
812fullconn X - X X
Cyril Bonté99ed3272010-01-24 23:29:44 +0100813grace X X X X
Willy Tarreau6b2e11b2009-10-01 07:52:15 +0200814hash-type X - X X
Willy Tarreaudbc36f62007-11-30 12:29:11 +0100815http-check disable-on-404 X - X X
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100816http-request - X X X
Willy Tarreau53fb4ae2009-10-04 23:04:08 +0200817id - X X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200818log X X X X
819maxconn X X X -
820mode X X X X
Willy Tarreauc7246fc2007-12-02 17:31:20 +0100821monitor fail - X X -
Willy Tarreau6a06a402007-07-15 20:15:28 +0200822monitor-net X X X -
823monitor-uri X X X -
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100824[no] option abortonclose X - X X
Willy Tarreau4076a152009-04-02 15:18:36 +0200825[no] option accept-invalid-
826 http-request X X X -
827[no] option accept-invalid-
828 http-response X - X X
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100829[no] option allbackups X - X X
830[no] option checkcache X - X X
831[no] option clitcpka X X X -
832[no] option contstats X X X -
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +0200833[no] option dontlog-normal X X X -
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100834[no] option dontlognull X X X -
Willy Tarreaua31e5df2009-12-30 01:10:35 +0100835[no] option forceclose X X X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200836option forwardfor X X X X
837option httpchk X - X X
Willy Tarreaub608feb2010-01-02 22:47:18 +0100838[no] option http-server-
839 close X X X X
Willy Tarreau88d349d2010-01-25 12:15:43 +0100840[no] option http-use-proxy-
841 header X X X -
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100842[no] option httpclose X X X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200843option httplog X X X X
Willy Tarreau55165fe2009-05-10 12:02:55 +0200844[no] option http_proxy X X X X
Willy Tarreauf27b5ea2009-10-03 22:01:18 +0200845[no] option independant-
846 streams X X X X
Krzysztof Piotr Oledzki213014e2009-09-27 15:50:02 +0200847[no] option log-health- X - X X
848 checks
Willy Tarreau211ad242009-10-03 21:45:07 +0200849[no] option log-separate-
850 errors X X X -
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100851[no] option logasap X X X -
Hervé COMMOWICK698ae002010-01-12 09:25:13 +0100852option mysql-check X - X X
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100853[no] option nolinger X X X X
Willy Tarreau55165fe2009-05-10 12:02:55 +0200854option originalto X X X X
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100855[no] option persist X - X X
856[no] option redispatch X - X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200857option smtpchk X - X X
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +0200858[no] option socket-stats X X X -
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100859[no] option splice-auto X X X X
860[no] option splice-request X X X X
861[no] option splice-response X X X X
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100862[no] option srvtcpka X - X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200863option ssl-hello-chk X - X X
Willy Tarreau9ea05a72009-06-14 12:07:01 +0200864[no] option tcp-smart-
865 accept X X X -
Willy Tarreau39bb9be2009-10-17 16:04:09 +0200866[no] option tcp-smart-
867 connect X - X X
Willy Tarreau6a06a402007-07-15 20:15:28 +0200868option tcpka X X X X
869option tcplog X X X X
Willy Tarreau4b1f8592008-12-23 23:13:55 +0100870[no] option transparent X - X X
Emeric Brun647caf12009-06-30 17:57:00 +0200871persist rdp-cookie X - X X
Willy Tarreau3a7d2072009-03-05 23:48:25 +0100872rate-limit sessions X X X -
Willy Tarreaub463dfb2008-06-07 23:08:56 +0200873redirect - X X X
Krzysztof Oledzki336d4752007-12-25 02:40:22 +0100874redisp X - X X (deprecated)
875redispatch X - X X (deprecated)
Willy Tarreau6a06a402007-07-15 20:15:28 +0200876reqadd - X X X
877reqallow - X X X
878reqdel - X X X
879reqdeny - X X X
880reqiallow - X X X
881reqidel - X X X
882reqideny - X X X
883reqipass - X X X
884reqirep - X X X
885reqisetbe - X X X
886reqitarpit - X X X
887reqpass - X X X
888reqrep - X X X
889reqsetbe - X X X
890reqtarpit - X X X
891retries X - X X
892rspadd - X X X
893rspdel - X X X
894rspdeny - X X X
895rspidel - X X X
896rspideny - X X X
897rspirep - X X X
898rsprep - X X X
899server - - X X
900source X - X X
Willy Tarreaue219db72007-12-03 01:30:13 +0100901srvtimeout X - X X (deprecated)
Willy Tarreau24e779b2007-07-24 23:43:37 +0200902stats auth X - X X
903stats enable X - X X
904stats realm X - X X
Willy Tarreaubbd42122007-07-25 07:26:38 +0200905stats refresh X - X X
Willy Tarreau24e779b2007-07-24 23:43:37 +0200906stats scope X - X X
907stats uri X - X X
Krzysztof Oledzkid9db9272007-10-15 10:05:11 +0200908stats hide-version X - X X
Willy Tarreau62644772008-07-16 18:36:06 +0200909tcp-request content accept - X X -
910tcp-request content reject - X X -
911tcp-request inspect-delay - X X -
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +0100912timeout check X - X X
Willy Tarreaue219db72007-12-03 01:30:13 +0100913timeout client X X X -
914timeout clitimeout X X X - (deprecated)
915timeout connect X - X X
916timeout contimeout X - X X (deprecated)
Willy Tarreaub16a5742010-01-10 14:46:16 +0100917timeout http-keep-alive X X X X
Willy Tarreaucd7afc02009-07-12 10:03:17 +0200918timeout http-request X X X X
Willy Tarreaue219db72007-12-03 01:30:13 +0100919timeout queue X - X X
920timeout server X - X X
921timeout srvtimeout X - X X (deprecated)
Willy Tarreau51c9bde2008-01-06 13:40:03 +0100922timeout tarpit X X X X
Willy Tarreau4b1f8592008-12-23 23:13:55 +0100923transparent X - X X (deprecated)
Willy Tarreau6a06a402007-07-15 20:15:28 +0200924use_backend - X X -
Willy Tarreau6a06a402007-07-15 20:15:28 +0200925----------------------+----------+----------+---------+---------
926keyword defaults frontend listen backend
927
Willy Tarreau0ba27502007-12-24 16:55:16 +0100928
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009294.2. Alphabetically sorted keywords reference
930---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +0100931
932This section provides a description of each keyword and its usage.
933
934
935acl <aclname> <criterion> [flags] [operator] <value> ...
936 Declare or complete an access list.
937 May be used in sections : defaults | frontend | listen | backend
938 no | yes | yes | yes
939 Example:
940 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
941 acl invalid_src src_port 0:1023
942 acl local_dst hdr(host) -i localhost
943
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200944 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +0100945
946
Cyril Bontéb21570a2009-11-29 20:04:48 +0100947appsession <cookie> len <length> timeout <holdtime>
948 [request-learn] [prefix] [mode <path-parameters|query-string>]
Willy Tarreau0ba27502007-12-24 16:55:16 +0100949 Define session stickiness on an existing application cookie.
950 May be used in sections : defaults | frontend | listen | backend
951 no | no | yes | yes
952 Arguments :
953 <cookie> this is the name of the cookie used by the application and which
954 HAProxy will have to learn for each new session.
955
Cyril Bontéb21570a2009-11-29 20:04:48 +0100956 <length> this is the max number of characters that will be memorized and
Willy Tarreau0ba27502007-12-24 16:55:16 +0100957 checked in each cookie value.
958
959 <holdtime> this is the time after which the cookie will be removed from
960 memory if unused. If no unit is specified, this time is in
961 milliseconds.
962
Cyril Bontébf47aeb2009-10-15 00:15:40 +0200963 request-learn
964 If this option is specified, then haproxy will be able to learn
965 the cookie found in the request in case the server does not
966 specify any in response. This is typically what happens with
967 PHPSESSID cookies, or when haproxy's session expires before
968 the application's session and the correct server is selected.
969 It is recommended to specify this option to improve reliability.
970
Cyril Bontéb21570a2009-11-29 20:04:48 +0100971 prefix When this option is specified, haproxy will match on the cookie
972 prefix (or URL parameter prefix). The appsession value is the
973 data following this prefix.
974
975 Example :
976 appsession ASPSESSIONID len 64 timeout 3h prefix
977
978 This will match the cookie ASPSESSIONIDXXXX=XXXXX,
979 the appsession value will be XXXX=XXXXX.
980
981 mode This option allows to change the URL parser mode.
982 2 modes are currently supported :
983 - path-parameters :
984 The parser looks for the appsession in the path parameters
985 part (each parameter is separated by a semi-colon), which is
986 convenient for JSESSIONID for example.
987 This is the default mode if the option is not set.
988 - query-string :
989 In this mode, the parser will look for the appsession in the
990 query string.
991
Willy Tarreau0ba27502007-12-24 16:55:16 +0100992 When an application cookie is defined in a backend, HAProxy will check when
993 the server sets such a cookie, and will store its value in a table, and
994 associate it with the server's identifier. Up to <length> characters from
995 the value will be retained. On each connection, haproxy will look for this
Cyril Bontéb21570a2009-11-29 20:04:48 +0100996 cookie both in the "Cookie:" headers, and as a URL parameter (depending on
997 the mode used). If a known value is found, the client will be directed to the
998 server associated with this value. Otherwise, the load balancing algorithm is
Willy Tarreau0ba27502007-12-24 16:55:16 +0100999 applied. Cookies are automatically removed from memory when they have been
1000 unused for a duration longer than <holdtime>.
1001
1002 The definition of an application cookie is limited to one per backend.
1003
1004 Example :
1005 appsession JSESSIONID len 52 timeout 3h
1006
Willy Tarreaub937b7e2010-01-12 15:27:54 +01001007 See also : "cookie", "capture cookie", "balance", "stick" and "stick-table".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001008
1009
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001010backlog <conns>
1011 Give hints to the system about the approximate listen backlog desired size
1012 May be used in sections : defaults | frontend | listen | backend
1013 yes | yes | yes | no
1014 Arguments :
1015 <conns> is the number of pending connections. Depending on the operating
1016 system, it may represent the number of already acknowledged
1017 connections, of non-acknowledged ones, or both.
1018
1019 In order to protect against SYN flood attacks, one solution is to increase
1020 the system's SYN backlog size. Depending on the system, sometimes it is just
1021 tunable via a system parameter, sometimes it is not adjustable at all, and
1022 sometimes the system relies on hints given by the application at the time of
1023 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1024 to the listen() syscall. On systems which can make use of this value, it can
1025 sometimes be useful to be able to specify a different value, hence this
1026 backlog parameter.
1027
1028 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1029 used as a hint and the system accepts up to the smallest greater power of
1030 two, and never more than some limits (usually 32768).
1031
1032 See also : "maxconn" and the target operating system's tuning guide.
1033
1034
Willy Tarreau0ba27502007-12-24 16:55:16 +01001035balance <algorithm> [ <arguments> ]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001036balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001037 Define the load balancing algorithm to be used in a backend.
1038 May be used in sections : defaults | frontend | listen | backend
1039 yes | no | yes | yes
1040 Arguments :
1041 <algorithm> is the algorithm used to select a server when doing load
1042 balancing. This only applies when no persistence information
1043 is available, or when a connection is redispatched to another
1044 server. <algorithm> may be one of the following :
1045
1046 roundrobin Each server is used in turns, according to their weights.
1047 This is the smoothest and fairest algorithm when the server's
1048 processing time remains equally distributed. This algorithm
1049 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02001050 on the fly for slow starts for instance. It is limited by
1051 design to 4128 active servers per backend. Note that in some
1052 large farms, when a server becomes up after having been down
1053 for a very short time, it may sometimes take a few hundreds
1054 requests for it to be re-integrated into the farm and start
1055 receiving traffic. This is normal, though very rare. It is
1056 indicated here in case you would have the chance to observe
1057 it, so that you don't worry.
1058
1059 static-rr Each server is used in turns, according to their weights.
1060 This algorithm is as similar to roundrobin except that it is
1061 static, which means that changing a server's weight on the
1062 fly will have no effect. On the other hand, it has no design
1063 limitation on the number of servers, and when a server goes
1064 up, it is always immediately reintroduced into the farm, once
1065 the full map is recomputed. It also uses slightly less CPU to
1066 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01001067
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01001068 leastconn The server with the lowest number of connections receives the
1069 connection. Round-robin is performed within groups of servers
1070 of the same load to ensure that all servers will be used. Use
1071 of this algorithm is recommended where very long sessions are
1072 expected, such as LDAP, SQL, TSE, etc... but is not very well
1073 suited for protocols using short sessions such as HTTP. This
1074 algorithm is dynamic, which means that server weights may be
1075 adjusted on the fly for slow starts for instance.
1076
Willy Tarreau0ba27502007-12-24 16:55:16 +01001077 source The source IP address is hashed and divided by the total
1078 weight of the running servers to designate which server will
1079 receive the request. This ensures that the same client IP
1080 address will always reach the same server as long as no
1081 server goes down or up. If the hash result changes due to the
1082 number of running servers changing, many clients will be
1083 directed to a different server. This algorithm is generally
1084 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001085 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01001086 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001087 static by default, which means that changing a server's
1088 weight on the fly will have no effect, but this can be
1089 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001090
1091 uri The left part of the URI (before the question mark) is hashed
1092 and divided by the total weight of the running servers. The
1093 result designates which server will receive the request. This
1094 ensures that a same URI will always be directed to the same
1095 server as long as no server goes up or down. This is used
1096 with proxy caches and anti-virus proxies in order to maximize
1097 the cache hit rate. Note that this algorithm may only be used
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001098 in an HTTP backend. This algorithm is static by default,
1099 which means that changing a server's weight on the fly will
1100 have no effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001101
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001102 This algorithm support two optional parameters "len" and
1103 "depth", both followed by a positive integer number. These
1104 options may be helpful when it is needed to balance servers
1105 based on the beginning of the URI only. The "len" parameter
1106 indicates that the algorithm should only consider that many
1107 characters at the beginning of the URI to compute the hash.
1108 Note that having "len" set to 1 rarely makes sense since most
1109 URIs start with a leading "/".
1110
1111 The "depth" parameter indicates the maximum directory depth
1112 to be used to compute the hash. One level is counted for each
1113 slash in the request. If both parameters are specified, the
1114 evaluation stops when either is reached.
1115
Willy Tarreau0ba27502007-12-24 16:55:16 +01001116 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001117 the query string of each HTTP GET request.
1118
1119 If the modifier "check_post" is used, then an HTTP POST
1120 request entity will be searched for the parameter argument,
1121 when the question mark indicating a query string ('?') is not
1122 present in the URL. Optionally, specify a number of octets to
1123 wait for before attempting to search the message body. If the
1124 entity can not be searched, then round robin is used for each
1125 request. For instance, if your clients always send the LB
1126 parameter in the first 128 bytes, then specify that. The
1127 default is 48. The entity data will not be scanned until the
1128 required number of octets have arrived at the gateway, this
1129 is the minimum of: (default/max_wait, Content-Length or first
1130 chunk length). If Content-Length is missing or zero, it does
1131 not need to wait for more data than the client promised to
1132 send. When Content-Length is present and larger than
1133 <max_wait>, then waiting is limited to <max_wait> and it is
1134 assumed that this will be enough data to search for the
1135 presence of the parameter. In the unlikely event that
1136 Transfer-Encoding: chunked is used, only the first chunk is
1137 scanned. Parameter values separated by a chunk boundary, may
1138 be randomly balanced if at all.
1139
1140 If the parameter is found followed by an equal sign ('=') and
1141 a value, then the value is hashed and divided by the total
1142 weight of the running servers. The result designates which
1143 server will receive the request.
1144
1145 This is used to track user identifiers in requests and ensure
1146 that a same user ID will always be sent to the same server as
1147 long as no server goes up or down. If no value is found or if
1148 the parameter is not found, then a round robin algorithm is
1149 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001150 backend. This algorithm is static by default, which means
1151 that changing a server's weight on the fly will have no
1152 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001153
Benoitaffb4812009-03-25 13:02:10 +01001154 hdr(name) The HTTP header <name> will be looked up in each HTTP request.
1155 Just as with the equivalent ACL 'hdr()' function, the header
1156 name in parenthesis is not case sensitive. If the header is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001157 absent or if it does not contain any value, the roundrobin
Benoitaffb4812009-03-25 13:02:10 +01001158 algorithm is applied instead.
1159
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001160 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01001161 reducing the hash algorithm to the main domain part with some
1162 specific headers such as 'Host'. For instance, in the Host
1163 value "haproxy.1wt.eu", only "1wt" will be considered.
1164
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001165 This algorithm is static by default, which means that
1166 changing a server's weight on the fly will have no effect,
1167 but this can be changed using "hash-type".
1168
Emeric Brun736aa232009-06-30 17:56:00 +02001169 rdp-cookie
1170 rdp-cookie(name)
1171 The RDP cookie <name> (or "mstshash" if omitted) will be
1172 looked up and hashed for each incoming TCP request. Just as
1173 with the equivalent ACL 'req_rdp_cookie()' function, the name
1174 is not case-sensitive. This mechanism is useful as a degraded
1175 persistence mode, as it makes it possible to always send the
1176 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001177 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02001178 used instead.
1179
1180 Note that for this to work, the frontend must ensure that an
1181 RDP cookie is already present in the request buffer. For this
1182 you must use 'tcp-request content accept' rule combined with
1183 a 'req_rdp_cookie_cnt' ACL.
1184
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001185 This algorithm is static by default, which means that
1186 changing a server's weight on the fly will have no effect,
1187 but this can be changed using "hash-type".
1188
Willy Tarreau0ba27502007-12-24 16:55:16 +01001189 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001190 algorithms. Right now, only "url_param" and "uri" support an
1191 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001192
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001193 balance uri [len <len>] [depth <depth>]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001194 balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001195
Willy Tarreau3cd9af22009-03-15 14:06:41 +01001196 The load balancing algorithm of a backend is set to roundrobin when no other
1197 algorithm, mode nor option have been set. The algorithm may only be set once
1198 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001199
1200 Examples :
1201 balance roundrobin
1202 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001203 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01001204 balance hdr(User-Agent)
1205 balance hdr(host)
1206 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001207
1208 Note: the following caveats and limitations on using the "check_post"
1209 extension with "url_param" must be considered :
1210
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001211 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001212 to determine if the parameters will be found in the body or entity which
1213 may contain binary data. Therefore another method may be required to
1214 restrict consideration of POST requests that have no URL parameters in
1215 the body. (see acl reqideny http_end)
1216
1217 - using a <max_wait> value larger than the request buffer size does not
1218 make sense and is useless. The buffer size is set at build time, and
1219 defaults to 16 kB.
1220
1221 - Content-Encoding is not supported, the parameter search will probably
1222 fail; and load balancing will fall back to Round Robin.
1223
1224 - Expect: 100-continue is not supported, load balancing will fall back to
1225 Round Robin.
1226
1227 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
1228 If the entire parameter value is not present in the first chunk, the
1229 selection of server is undefined (actually, defined by how little
1230 actually appeared in the first chunk).
1231
1232 - This feature does not support generation of a 100, 411 or 501 response.
1233
1234 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001235 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001236 white space or control characters are found, indicating the end of what
1237 might be a URL parameter list. This is probably not a concern with SGML
1238 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001239
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001240 See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
1241 "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001242
1243
1244bind [<address>]:<port> [, ...]
Willy Tarreau5e6e2042009-02-04 17:19:29 +01001245bind [<address>]:<port> [, ...] interface <interface>
Willy Tarreaube1b9182009-06-14 18:48:19 +02001246bind [<address>]:<port> [, ...] mss <maxseg>
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001247bind [<address>]:<port> [, ...] transparent
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02001248bind [<address>]:<port> [, ...] id <id>
1249bind [<address>]:<port> [, ...] name <name>
Willy Tarreau53319c92009-11-28 08:21:29 +01001250bind [<address>]:<port> [, ...] defer-accept
Willy Tarreau0ba27502007-12-24 16:55:16 +01001251 Define one or several listening addresses and/or ports in a frontend.
1252 May be used in sections : defaults | frontend | listen | backend
1253 no | yes | yes | no
1254 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001255 <address> is optional and can be a host name, an IPv4 address, an IPv6
1256 address, or '*'. It designates the address the frontend will
1257 listen on. If unset, all IPv4 addresses of the system will be
1258 listened on. The same will apply for '*' or the system's
1259 special address "0.0.0.0".
1260
1261 <port> is the TCP port number the proxy will listen on. The port is
1262 mandatory. Note that in the case of an IPv6 address, the port
1263 is always the number after the last colon (':').
Willy Tarreau0ba27502007-12-24 16:55:16 +01001264
Willy Tarreau5e6e2042009-02-04 17:19:29 +01001265 <interface> is an optional physical interface name. This is currently
1266 only supported on Linux. The interface must be a physical
1267 interface, not an aliased interface. When specified, all
1268 addresses on the same line will only be accepted if the
1269 incoming packet physically come through the designated
1270 interface. It is also possible to bind multiple frontends to
1271 the same address if they are bound to different interfaces.
1272 Note that binding to a physical interface requires root
1273 privileges.
1274
Willy Tarreaube1b9182009-06-14 18:48:19 +02001275 <maxseg> is an optional TCP Maximum Segment Size (MSS) value to be
1276 advertised on incoming connections. This can be used to force
1277 a lower MSS for certain specific ports, for instance for
1278 connections passing through a VPN. Note that this relies on a
1279 kernel feature which is theorically supported under Linux but
1280 was buggy in all versions prior to 2.6.28. It may or may not
1281 work on other operating systems. The commonly advertised
1282 value on Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP).
1283
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02001284 <id> is a persistent value for socket ID. Must be positive and
1285 unique in the proxy. An unused value will automatically be
1286 assigned if unset. Can only be used when defining only a
1287 single socket.
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02001288
1289 <name> is an optional name provided for stats
1290
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001291 transparent is an optional keyword which is supported only on certain
1292 Linux kernels. It indicates that the addresses will be bound
1293 even if they do not belong to the local machine. Any packet
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001294 targeting any of these addresses will be caught just as if
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001295 the address was locally configured. This normally requires
1296 that IP forwarding is enabled. Caution! do not use this with
1297 the default address '*', as it would redirect any traffic for
1298 the specified port. This keyword is available only when
1299 HAProxy is built with USE_LINUX_TPROXY=1.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001300
Willy Tarreaucb6cd432009-10-13 07:34:14 +02001301 defer_accept is an optional keyword which is supported only on certain
1302 Linux kernels. It states that a connection will only be
1303 accepted once some data arrive on it, or at worst after the
1304 first retransmit. This should be used only on protocols for
1305 which the client talks first (eg: HTTP). It can slightly
1306 improve performance by ensuring that most of the request is
1307 already available when the connection is accepted. On the
1308 other hand, it will not be able to detect connections which
1309 don't talk. It is important to note that this option is
1310 broken in all kernels up to 2.6.31, as the connection is
1311 never accepted until the client talks. This can cause issues
1312 with front firewalls which would see an established
1313 connection while the proxy will only see it in SYN_RECV.
1314
Willy Tarreau0ba27502007-12-24 16:55:16 +01001315 It is possible to specify a list of address:port combinations delimited by
1316 commas. The frontend will then listen on all of these addresses. There is no
1317 fixed limit to the number of addresses and ports which can be listened on in
1318 a frontend, as well as there is no limit to the number of "bind" statements
1319 in a frontend.
1320
1321 Example :
1322 listen http_proxy
1323 bind :80,:443
1324 bind 10.0.0.1:10080,10.0.0.1:10443
1325
1326 See also : "source".
1327
1328
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001329bind-process [ all | odd | even | <number 1-32> ] ...
1330 Limit visibility of an instance to a certain set of processes numbers.
1331 May be used in sections : defaults | frontend | listen | backend
1332 yes | yes | yes | yes
1333 Arguments :
1334 all All process will see this instance. This is the default. It
1335 may be used to override a default value.
1336
1337 odd This instance will be enabled on processes 1,3,5,...31. This
1338 option may be combined with other numbers.
1339
1340 even This instance will be enabled on processes 2,4,6,...32. This
1341 option may be combined with other numbers. Do not use it
1342 with less than 2 processes otherwise some instances might be
1343 missing from all processes.
1344
1345 number The instance will be enabled on this process number, between
1346 1 and 32. You must be careful not to reference a process
1347 number greater than the configured global.nbproc, otherwise
1348 some instances might be missing from all processes.
1349
1350 This keyword limits binding of certain instances to certain processes. This
1351 is useful in order not to have too many processes listening to the same
1352 ports. For instance, on a dual-core machine, it might make sense to set
1353 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1354 and 'even' instances.
1355
1356 At the moment, it is not possible to reference more than 32 processes using
1357 this keyword, but this should be more than enough for most setups. Please
1358 note that 'all' really means all processes and is not limited to the first
1359 32.
1360
1361 If some backends are referenced by frontends bound to other processes, the
1362 backend automatically inherits the frontend's processes.
1363
1364 Example :
1365 listen app_ip1
1366 bind 10.0.0.1:80
1367 bind_process odd
1368
1369 listen app_ip2
1370 bind 10.0.0.2:80
1371 bind_process even
1372
1373 listen management
1374 bind 10.0.0.3:80
1375 bind_process 1 2 3 4
1376
1377 See also : "nbproc" in global section.
1378
1379
Willy Tarreau0ba27502007-12-24 16:55:16 +01001380block { if | unless } <condition>
1381 Block a layer 7 request if/unless a condition is matched
1382 May be used in sections : defaults | frontend | listen | backend
1383 no | yes | yes | yes
1384
1385 The HTTP request will be blocked very early in the layer 7 processing
1386 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001387 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001388 typically used to deny access to certain sensible resources if some
1389 conditions are met or not met. There is no fixed limit to the number of
1390 "block" statements per instance.
1391
1392 Example:
1393 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1394 acl invalid_src src_port 0:1023
1395 acl local_dst hdr(host) -i localhost
1396 block if invalid_src || local_dst
1397
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001398 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001399
1400
1401capture cookie <name> len <length>
1402 Capture and log a cookie in the request and in the response.
1403 May be used in sections : defaults | frontend | listen | backend
1404 no | yes | yes | no
1405 Arguments :
1406 <name> is the beginning of the name of the cookie to capture. In order
1407 to match the exact name, simply suffix the name with an equal
1408 sign ('='). The full name will appear in the logs, which is
1409 useful with application servers which adjust both the cookie name
1410 and value (eg: ASPSESSIONXXXXX).
1411
1412 <length> is the maximum number of characters to report in the logs, which
1413 include the cookie name, the equal sign and the value, all in the
1414 standard "name=value" form. The string will be truncated on the
1415 right if it exceeds <length>.
1416
1417 Only the first cookie is captured. Both the "cookie" request headers and the
1418 "set-cookie" response headers are monitored. This is particularly useful to
1419 check for application bugs causing session crossing or stealing between
1420 users, because generally the user's cookies can only change on a login page.
1421
1422 When the cookie was not presented by the client, the associated log column
1423 will report "-". When a request does not cause a cookie to be assigned by the
1424 server, a "-" is reported in the response column.
1425
1426 The capture is performed in the frontend only because it is necessary that
1427 the log format does not change for a given frontend depending on the
1428 backends. This may change in the future. Note that there can be only one
1429 "capture cookie" statement in a frontend. The maximum capture length is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001430 configured in the sources by default to 64 characters. It is not possible to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001431 specify a capture in a "defaults" section.
1432
1433 Example:
1434 capture cookie ASPSESSION len 32
1435
1436 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001437 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001438
1439
1440capture request header <name> len <length>
1441 Capture and log the first occurrence of the specified request header.
1442 May be used in sections : defaults | frontend | listen | backend
1443 no | yes | yes | no
1444 Arguments :
1445 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001446 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001447 appear in the requests, with the first letter of each word in
1448 upper case. The header name will not appear in the logs, only the
1449 value is reported, but the position in the logs is respected.
1450
1451 <length> is the maximum number of characters to extract from the value and
1452 report in the logs. The string will be truncated on the right if
1453 it exceeds <length>.
1454
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001455 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001456 value will be added to the logs between braces ('{}'). If multiple headers
1457 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001458 in the same order they were declared in the configuration. Non-existent
1459 headers will be logged just as an empty string. Common uses for request
1460 header captures include the "Host" field in virtual hosting environments, the
1461 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001462 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001463 environments to find where the request came from.
1464
1465 Note that when capturing headers such as "User-agent", some spaces may be
1466 logged, making the log analysis more difficult. Thus be careful about what
1467 you log if you know your log parser is not smart enough to rely on the
1468 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001469
1470 There is no limit to the number of captured request headers, but each capture
1471 is limited to 64 characters. In order to keep log format consistent for a
1472 same frontend, header captures can only be declared in a frontend. It is not
1473 possible to specify a capture in a "defaults" section.
1474
1475 Example:
1476 capture request header Host len 15
1477 capture request header X-Forwarded-For len 15
1478 capture request header Referrer len 15
1479
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001480 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001481 about logging.
1482
1483
1484capture response header <name> len <length>
1485 Capture and log the first occurrence of the specified response header.
1486 May be used in sections : defaults | frontend | listen | backend
1487 no | yes | yes | no
1488 Arguments :
1489 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001490 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001491 appear in the response, with the first letter of each word in
1492 upper case. The header name will not appear in the logs, only the
1493 value is reported, but the position in the logs is respected.
1494
1495 <length> is the maximum number of characters to extract from the value and
1496 report in the logs. The string will be truncated on the right if
1497 it exceeds <length>.
1498
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001499 Only the first value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001500 result will be added to the logs between braces ('{}') after the captured
1501 request headers. If multiple headers are captured, they will be delimited by
1502 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001503 the configuration. Non-existent headers will be logged just as an empty
1504 string. Common uses for response header captures include the "Content-length"
1505 header which indicates how many bytes are expected to be returned, the
1506 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001507
1508 There is no limit to the number of captured response headers, but each
1509 capture is limited to 64 characters. In order to keep log format consistent
1510 for a same frontend, header captures can only be declared in a frontend. It
1511 is not possible to specify a capture in a "defaults" section.
1512
1513 Example:
1514 capture response header Content-length len 9
1515 capture response header Location len 15
1516
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001517 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001518 about logging.
1519
1520
1521clitimeout <timeout>
1522 Set the maximum inactivity time on the client side.
1523 May be used in sections : defaults | frontend | listen | backend
1524 yes | yes | yes | no
1525 Arguments :
1526 <timeout> is the timeout value is specified in milliseconds by default, but
1527 can be in any other unit if the number is suffixed by the unit,
1528 as explained at the top of this document.
1529
1530 The inactivity timeout applies when the client is expected to acknowledge or
1531 send data. In HTTP mode, this timeout is particularly important to consider
1532 during the first phase, when the client sends the request, and during the
1533 response while it is reading data sent by the server. The value is specified
1534 in milliseconds by default, but can be in any other unit if the number is
1535 suffixed by the unit, as specified at the top of this document. In TCP mode
1536 (and to a lesser extent, in HTTP mode), it is highly recommended that the
1537 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001538 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01001539 losses by specifying timeouts that are slightly above multiples of 3 seconds
1540 (eg: 4 or 5 seconds).
1541
1542 This parameter is specific to frontends, but can be specified once for all in
1543 "defaults" sections. This is in fact one of the easiest solutions not to
1544 forget about it. An unspecified timeout results in an infinite timeout, which
1545 is not recommended. Such a usage is accepted and works but reports a warning
1546 during startup because it may results in accumulation of expired sessions in
1547 the system if the system's timeouts are not configured either.
1548
1549 This parameter is provided for compatibility but is currently deprecated.
1550 Please use "timeout client" instead.
1551
Willy Tarreau036fae02008-01-06 13:24:40 +01001552 See also : "timeout client", "timeout http-request", "timeout server", and
1553 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001554
1555
1556contimeout <timeout>
1557 Set the maximum time to wait for a connection attempt to a server to succeed.
1558 May be used in sections : defaults | frontend | listen | backend
1559 yes | no | yes | yes
1560 Arguments :
1561 <timeout> is the timeout value is specified in milliseconds by default, but
1562 can be in any other unit if the number is suffixed by the unit,
1563 as explained at the top of this document.
1564
1565 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001566 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01001567 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01001568 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
1569 connect timeout also presets the queue timeout to the same value if this one
1570 has not been specified. Historically, the contimeout was also used to set the
1571 tarpit timeout in a listen section, which is not possible in a pure frontend.
1572
1573 This parameter is specific to backends, but can be specified once for all in
1574 "defaults" sections. This is in fact one of the easiest solutions not to
1575 forget about it. An unspecified timeout results in an infinite timeout, which
1576 is not recommended. Such a usage is accepted and works but reports a warning
1577 during startup because it may results in accumulation of failed sessions in
1578 the system if the system's timeouts are not configured either.
1579
1580 This parameter is provided for backwards compatibility but is currently
1581 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
1582 instead.
1583
1584 See also : "timeout connect", "timeout queue", "timeout tarpit",
1585 "timeout server", "contimeout".
1586
1587
Willy Tarreau55165fe2009-05-10 12:02:55 +02001588cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreau68a897b2009-12-03 23:28:34 +01001589 [ postonly ] [ domain <domain> ]*
Willy Tarreau0ba27502007-12-24 16:55:16 +01001590 Enable cookie-based persistence in a backend.
1591 May be used in sections : defaults | frontend | listen | backend
1592 yes | no | yes | yes
1593 Arguments :
1594 <name> is the name of the cookie which will be monitored, modified or
1595 inserted in order to bring persistence. This cookie is sent to
1596 the client via a "Set-Cookie" header in the response, and is
1597 brought back by the client in a "Cookie" header in all requests.
1598 Special care should be taken to choose a name which does not
1599 conflict with any likely application cookie. Also, if the same
1600 backends are subject to be used by the same clients (eg:
1601 HTTP/HTTPS), care should be taken to use different cookie names
1602 between all backends if persistence between them is not desired.
1603
1604 rewrite This keyword indicates that the cookie will be provided by the
1605 server and that haproxy will have to modify its value to set the
1606 server's identifier in it. This mode is handy when the management
1607 of complex combinations of "Set-cookie" and "Cache-control"
1608 headers is left to the application. The application can then
1609 decide whether or not it is appropriate to emit a persistence
1610 cookie. Since all responses should be monitored, this mode only
1611 works in HTTP close mode. Unless the application behaviour is
1612 very complex and/or broken, it is advised not to start with this
1613 mode for new deployments. This keyword is incompatible with
1614 "insert" and "prefix".
1615
1616 insert This keyword indicates that the persistence cookie will have to
1617 be inserted by haproxy in the responses. If the server emits a
1618 cookie with the same name, it will be replaced anyway. For this
1619 reason, this mode can be used to upgrade existing configurations
1620 running in the "rewrite" mode. The cookie will only be a session
1621 cookie and will not be stored on the client's disk. Due to
1622 caching effects, it is generally wise to add the "indirect" and
1623 "nocache" or "postonly" keywords (see below). The "insert"
1624 keyword is not compatible with "rewrite" and "prefix".
1625
1626 prefix This keyword indicates that instead of relying on a dedicated
1627 cookie for the persistence, an existing one will be completed.
1628 This may be needed in some specific environments where the client
1629 does not support more than one single cookie and the application
1630 already needs it. In this case, whenever the server sets a cookie
1631 named <name>, it will be prefixed with the server's identifier
1632 and a delimiter. The prefix will be removed from all client
1633 requests so that the server still finds the cookie it emitted.
1634 Since all requests and responses are subject to being modified,
1635 this mode requires the HTTP close mode. The "prefix" keyword is
1636 not compatible with "rewrite" and "insert".
1637
1638 indirect When this option is specified in insert mode, cookies will only
1639 be added when the server was not reached after a direct access,
1640 which means that only when a server is elected after applying a
1641 load-balancing algorithm, or after a redispatch, then the cookie
1642 will be inserted. If the client has all the required information
1643 to connect to the same server next time, no further cookie will
1644 be inserted. In all cases, when the "indirect" option is used in
1645 insert mode, the cookie is always removed from the requests
1646 transmitted to the server. The persistence mechanism then becomes
1647 totally transparent from the application point of view.
1648
1649 nocache This option is recommended in conjunction with the insert mode
1650 when there is a cache between the client and HAProxy, as it
1651 ensures that a cacheable response will be tagged non-cacheable if
1652 a cookie needs to be inserted. This is important because if all
1653 persistence cookies are added on a cacheable home page for
1654 instance, then all customers will then fetch the page from an
1655 outer cache and will all share the same persistence cookie,
1656 leading to one server receiving much more traffic than others.
1657 See also the "insert" and "postonly" options.
1658
1659 postonly This option ensures that cookie insertion will only be performed
1660 on responses to POST requests. It is an alternative to the
1661 "nocache" option, because POST responses are not cacheable, so
1662 this ensures that the persistence cookie will never get cached.
1663 Since most sites do not need any sort of persistence before the
1664 first POST which generally is a login request, this is a very
1665 efficient method to optimize caching without risking to find a
1666 persistence cookie in the cache.
1667 See also the "insert" and "nocache" options.
1668
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001669 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001670 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01001671 name. If the domain begins with a dot, the browser is allowed to
1672 use it for any host ending with that name. It is also possible to
1673 specify several domain names by invoking this option multiple
1674 times. Some browsers might have small limits on the number of
1675 domains, so be careful when doing that. For the record, sending
1676 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02001677
Willy Tarreau0ba27502007-12-24 16:55:16 +01001678 There can be only one persistence cookie per HTTP backend, and it can be
1679 declared in a defaults section. The value of the cookie will be the value
1680 indicated after the "cookie" keyword in a "server" statement. If no cookie
1681 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001682
Willy Tarreau0ba27502007-12-24 16:55:16 +01001683 Examples :
1684 cookie JSESSIONID prefix
1685 cookie SRV insert indirect nocache
1686 cookie SRV insert postonly indirect
1687
1688 See also : "appsession", "balance source", "capture cookie", "server".
1689
Willy Tarreau983e01e2010-01-11 18:42:06 +01001690
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001691default-server [param*]
1692 Change default options for a server in a backend
1693 May be used in sections : defaults | frontend | listen | backend
1694 yes | no | yes | yes
1695 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01001696 <param*> is a list of parameters for this server. The "default-server"
1697 keyword accepts an important number of options and has a complete
1698 section dedicated to it. Please refer to section 5 for more
1699 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001700
Willy Tarreau983e01e2010-01-11 18:42:06 +01001701 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01001702 default-server inter 1000 weight 13
1703
1704 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01001705
Willy Tarreau983e01e2010-01-11 18:42:06 +01001706
Willy Tarreau0ba27502007-12-24 16:55:16 +01001707default_backend <backend>
1708 Specify the backend to use when no "use_backend" rule has been matched.
1709 May be used in sections : defaults | frontend | listen | backend
1710 yes | yes | yes | no
1711 Arguments :
1712 <backend> is the name of the backend to use.
1713
1714 When doing content-switching between frontend and backends using the
1715 "use_backend" keyword, it is often useful to indicate which backend will be
1716 used when no rule has matched. It generally is the dynamic backend which
1717 will catch all undetermined requests.
1718
Willy Tarreau0ba27502007-12-24 16:55:16 +01001719 Example :
1720
1721 use_backend dynamic if url_dyn
1722 use_backend static if url_css url_img extension_img
1723 default_backend dynamic
1724
Willy Tarreau2769aa02007-12-27 18:26:09 +01001725 See also : "use_backend", "reqsetbe", "reqisetbe"
1726
Willy Tarreau0ba27502007-12-24 16:55:16 +01001727
1728disabled
1729 Disable a proxy, frontend or backend.
1730 May be used in sections : defaults | frontend | listen | backend
1731 yes | yes | yes | yes
1732 Arguments : none
1733
1734 The "disabled" keyword is used to disable an instance, mainly in order to
1735 liberate a listening port or to temporarily disable a service. The instance
1736 will still be created and its configuration will be checked, but it will be
1737 created in the "stopped" state and will appear as such in the statistics. It
1738 will not receive any traffic nor will it send any health-checks or logs. It
1739 is possible to disable many instances at once by adding the "disabled"
1740 keyword in a "defaults" section.
1741
1742 See also : "enabled"
1743
1744
1745enabled
1746 Enable a proxy, frontend or backend.
1747 May be used in sections : defaults | frontend | listen | backend
1748 yes | yes | yes | yes
1749 Arguments : none
1750
1751 The "enabled" keyword is used to explicitly enable an instance, when the
1752 defaults has been set to "disabled". This is very rarely used.
1753
1754 See also : "disabled"
1755
1756
1757errorfile <code> <file>
1758 Return a file contents instead of errors generated by HAProxy
1759 May be used in sections : defaults | frontend | listen | backend
1760 yes | yes | yes | yes
1761 Arguments :
1762 <code> is the HTTP status code. Currently, HAProxy is capable of
1763 generating codes 400, 403, 408, 500, 502, 503, and 504.
1764
1765 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001766 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01001767 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01001768 error pages, and to use absolute paths, since files are read
1769 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001770
1771 It is important to understand that this keyword is not meant to rewrite
1772 errors returned by the server, but errors detected and returned by HAProxy.
1773 This is why the list of supported errors is limited to a small set.
1774
1775 The files are returned verbatim on the TCP socket. This allows any trick such
1776 as redirections to another URL or site, as well as tricks to clean cookies,
1777 force enable or disable caching, etc... The package provides default error
1778 files returning the same contents as default errors.
1779
Willy Tarreau59140a22009-02-22 12:02:30 +01001780 The files should not exceed the configured buffer size (BUFSIZE), which
1781 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
1782 not to put any reference to local contents (eg: images) in order to avoid
1783 loops between the client and HAProxy when all servers are down, causing an
1784 error to be returned instead of an image. For better HTTP compliance, it is
1785 recommended that all header lines end with CR-LF and not LF alone.
1786
Willy Tarreau0ba27502007-12-24 16:55:16 +01001787 The files are read at the same time as the configuration and kept in memory.
1788 For this reason, the errors continue to be returned even when the process is
1789 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01001790 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01001791 403 status code and interrogating a blocked URL.
1792
1793 See also : "errorloc", "errorloc302", "errorloc303"
1794
Willy Tarreau59140a22009-02-22 12:02:30 +01001795 Example :
1796 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
1797 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
1798 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
1799
Willy Tarreau2769aa02007-12-27 18:26:09 +01001800
1801errorloc <code> <url>
1802errorloc302 <code> <url>
1803 Return an HTTP redirection to a URL instead of errors generated by HAProxy
1804 May be used in sections : defaults | frontend | listen | backend
1805 yes | yes | yes | yes
1806 Arguments :
1807 <code> is the HTTP status code. Currently, HAProxy is capable of
1808 generating codes 400, 403, 408, 500, 502, 503, and 504.
1809
1810 <url> it is the exact contents of the "Location" header. It may contain
1811 either a relative URI to an error page hosted on the same site,
1812 or an absolute URI designating an error page on another site.
1813 Special care should be given to relative URIs to avoid redirect
1814 loops if the URI itself may generate the same error (eg: 500).
1815
1816 It is important to understand that this keyword is not meant to rewrite
1817 errors returned by the server, but errors detected and returned by HAProxy.
1818 This is why the list of supported errors is limited to a small set.
1819
1820 Note that both keyword return the HTTP 302 status code, which tells the
1821 client to fetch the designated URL using the same HTTP method. This can be
1822 quite problematic in case of non-GET methods such as POST, because the URL
1823 sent to the client might not be allowed for something other than GET. To
1824 workaround this problem, please use "errorloc303" which send the HTTP 303
1825 status code, indicating to the client that the URL must be fetched with a GET
1826 request.
1827
1828 See also : "errorfile", "errorloc303"
1829
1830
1831errorloc303 <code> <url>
1832 Return an HTTP redirection to a URL instead of errors generated by HAProxy
1833 May be used in sections : defaults | frontend | listen | backend
1834 yes | yes | yes | yes
1835 Arguments :
1836 <code> is the HTTP status code. Currently, HAProxy is capable of
1837 generating codes 400, 403, 408, 500, 502, 503, and 504.
1838
1839 <url> it is the exact contents of the "Location" header. It may contain
1840 either a relative URI to an error page hosted on the same site,
1841 or an absolute URI designating an error page on another site.
1842 Special care should be given to relative URIs to avoid redirect
1843 loops if the URI itself may generate the same error (eg: 500).
1844
1845 It is important to understand that this keyword is not meant to rewrite
1846 errors returned by the server, but errors detected and returned by HAProxy.
1847 This is why the list of supported errors is limited to a small set.
1848
1849 Note that both keyword return the HTTP 303 status code, which tells the
1850 client to fetch the designated URL using the same HTTP GET method. This
1851 solves the usual problems associated with "errorloc" and the 302 code. It is
1852 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001853 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01001854
1855 See also : "errorfile", "errorloc", "errorloc302"
1856
1857
Willy Tarreau4de91492010-01-22 19:10:05 +01001858force-persist { if | unless } <condition>
1859 Declare a condition to force persistence on down servers
1860 May be used in sections: defaults | frontend | listen | backend
1861 no | yes | yes | yes
1862
1863 By default, requests are not dispatched to down servers. It is possible to
1864 force this using "option persist", but it is unconditional and redispatches
1865 to a valid server if "option redispatch" is set. That leaves with very little
1866 possibilities to force some requests to reach a server which is artificially
1867 marked down for maintenance operations.
1868
1869 The "force-persist" statement allows one to declare various ACL-based
1870 conditions which, when met, will cause a request to ignore the down status of
1871 a server and still try to connect to it. That makes it possible to start a
1872 server, still replying an error to the health checks, and run a specially
1873 configured browser to test the service. Among the handy methods, one could
1874 use a specific source IP address, or a specific cookie. The cookie also has
1875 the advantage that it can easily be added/removed on the browser from a test
1876 page. Once the service is validated, it is then possible to open the service
1877 to the world by returning a valid response to health checks.
1878
1879 The forced persistence is enabled when an "if" condition is met, or unless an
1880 "unless" condition is met. The final redispatch is always disabled when this
1881 is used.
1882
1883 See also : "option redispatch", "persist", and section 7 about ACL usage.
1884
1885
Willy Tarreau2769aa02007-12-27 18:26:09 +01001886fullconn <conns>
1887 Specify at what backend load the servers will reach their maxconn
1888 May be used in sections : defaults | frontend | listen | backend
1889 yes | no | yes | yes
1890 Arguments :
1891 <conns> is the number of connections on the backend which will make the
1892 servers use the maximal number of connections.
1893
Willy Tarreau198a7442008-01-17 12:05:32 +01001894 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01001895 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01001896 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01001897 load. The server will then always accept at least <minconn> connections,
1898 never more than <maxconn>, and the limit will be on the ramp between both
1899 values when the backend has less than <conns> concurrent connections. This
1900 makes it possible to limit the load on the servers during normal loads, but
1901 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001902 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01001903
1904 Example :
1905 # The servers will accept between 100 and 1000 concurrent connections each
1906 # and the maximum of 1000 will be reached when the backend reaches 10000
1907 # connections.
1908 backend dynamic
1909 fullconn 10000
1910 server srv1 dyn1:80 minconn 100 maxconn 1000
1911 server srv2 dyn2:80 minconn 100 maxconn 1000
1912
1913 See also : "maxconn", "server"
1914
1915
1916grace <time>
1917 Maintain a proxy operational for some time after a soft stop
1918 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01001919 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01001920 Arguments :
1921 <time> is the time (by default in milliseconds) for which the instance
1922 will remain operational with the frontend sockets still listening
1923 when a soft-stop is received via the SIGUSR1 signal.
1924
1925 This may be used to ensure that the services disappear in a certain order.
1926 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001927 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01001928 needed by the equipment to detect the failure.
1929
1930 Note that currently, there is very little benefit in using this parameter,
1931 and it may in fact complicate the soft-reconfiguration process more than
1932 simplify it.
1933
Willy Tarreau0ba27502007-12-24 16:55:16 +01001934
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001935hash-type <method>
1936 Specify a method to use for mapping hashes to servers
1937 May be used in sections : defaults | frontend | listen | backend
1938 yes | no | yes | yes
1939 Arguments :
1940 map-based the hash table is a static array containing all alive servers.
1941 The hashes will be very smooth, will consider weights, but will
1942 be static in that weight changes while a server is up will be
1943 ignored. This means that there will be no slow start. Also,
1944 since a server is selected by its position in the array, most
1945 mappings are changed when the server count changes. This means
1946 that when a server goes up or down, or when a server is added
1947 to a farm, most connections will be redistributed to different
1948 servers. This can be inconvenient with caches for instance.
1949
1950 consistent the hash table is a tree filled with many occurrences of each
1951 server. The hash key is looked up in the tree and the closest
1952 server is chosen. This hash is dynamic, it supports changing
1953 weights while the servers are up, so it is compatible with the
1954 slow start feature. It has the advantage that when a server
1955 goes up or down, only its associations are moved. When a server
1956 is added to the farm, only a few part of the mappings are
1957 redistributed, making it an ideal algorithm for caches.
1958 However, due to its principle, the algorithm will never be very
1959 smooth and it may sometimes be necessary to adjust a server's
1960 weight or its ID to get a more balanced distribution. In order
1961 to get the same distribution on multiple load balancers, it is
1962 important that all servers have the same IDs.
1963
1964 The default hash type is "map-based" and is recommended for most usages.
1965
1966 See also : "balance", "server"
1967
1968
Willy Tarreau0ba27502007-12-24 16:55:16 +01001969http-check disable-on-404
1970 Enable a maintenance mode upon HTTP/404 response to health-checks
1971 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01001972 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01001973 Arguments : none
1974
1975 When this option is set, a server which returns an HTTP code 404 will be
1976 excluded from further load-balancing, but will still receive persistent
1977 connections. This provides a very convenient method for Web administrators
1978 to perform a graceful shutdown of their servers. It is also important to note
1979 that a server which is detected as failed while it was in this mode will not
1980 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
1981 will immediately be reinserted into the farm. The status on the stats page
1982 reports "NOLB" for a server in this mode. It is important to note that this
1983 option only works in conjunction with the "httpchk" option.
1984
Willy Tarreau2769aa02007-12-27 18:26:09 +01001985 See also : "option httpchk"
1986
1987
Willy Tarreauef781042010-01-27 11:53:01 +01001988http-check send-state
1989 Enable emission of a state header with HTTP health checks
1990 May be used in sections : defaults | frontend | listen | backend
1991 yes | no | yes | yes
1992 Arguments : none
1993
1994 When this option is set, haproxy will systematically send a special header
1995 "X-Haproxy-Server-State" with a list of parameters indicating to each server
1996 how they are seen by haproxy. This can be used for instance when a server is
1997 manipulated without access to haproxy and the operator needs to know whether
1998 haproxy still sees it up or not, or if the server is the last one in a farm.
1999
2000 The header is composed of fields delimited by semi-colons, the first of which
2001 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
2002 checks on the total number before transition, just as appears in the stats
2003 interface. Next headers are in the form "<variable>=<value>", indicating in
2004 no specific order some values available in the stats interface :
2005 - a variable "name", containing the name of the backend followed by a slash
2006 ("/") then the name of the server. This can be used when a server is
2007 checked in multiple backends.
2008
2009 - a variable "node" containing the name of the haproxy node, as set in the
2010 global "node" variable, otherwise the system's hostname if unspecified.
2011
2012 - a variable "weight" indicating the weight of the server, a slash ("/")
2013 and the total weight of the farm (just counting usable servers). This
2014 helps to know if other servers are available to handle the load when this
2015 one fails.
2016
2017 - a variable "scur" indicating the current number of concurrent connections
2018 on the server, followed by a slash ("/") then the total number of
2019 connections on all servers of the same backend.
2020
2021 - a variable "qcur" indicating the current number of requests in the
2022 server's queue.
2023
2024 Example of a header received by the application server :
2025 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
2026 scur=13/22; qcur=0
2027
2028 See also : "option httpchk", "http-check disable-on-404"
2029
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002030http-request { allow | deny | http-auth [realm <realm>] } [ { if | unless } <condition> ]
2031 Access control for Layer 7 requests
2032
2033 May be used in sections: defaults | frontend | listen | backend
2034 no | yes | yes | yes
2035
2036 These set of options allow to fine control access to a
2037 frontend/listen/backend. Each option may be followed by if/unless and acl.
2038 First option with matched condition (or option without condition) is final.
2039 For "block" a 403 error will be returned, for "allow" normal processing is
2040 performed, for "http-auth" a 401/407 error code is returned so the client
2041 should be asked to enter a username and password.
2042
2043 There is no fixed limit to the number of http-request statements per
2044 instance.
2045
2046 Example:
2047 acl nagios src 192.168.129.3
2048 acl local_net src 192.168.0.0/16
2049 acl auth_ok http_auth(L1)
2050
2051 http-request allow if nagios
2052 http-request allow if local_net auth_ok
2053 http-request auth realm Gimme if local_net auth_ok
2054 http-request deny
2055
2056 Exampe:
2057 acl auth_ok http_auth_group(L1) G1
2058
2059 http-request auth unless auth_ok
2060
2061 See section 3.4 about userlists and 7 about ACL usage.
Willy Tarreauef781042010-01-27 11:53:01 +01002062
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002063id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02002064 Set a persistent ID to a proxy.
2065 May be used in sections : defaults | frontend | listen | backend
2066 no | yes | yes | yes
2067 Arguments : none
2068
2069 Set a persistent ID for the proxy. This ID must be unique and positive.
2070 An unused ID will automatically be assigned if unset. The first assigned
2071 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01002072
2073
Willy Tarreau2769aa02007-12-27 18:26:09 +01002074log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002075log <address> <facility> [<level> [<minlevel>]]
Willy Tarreau2769aa02007-12-27 18:26:09 +01002076 Enable per-instance logging of events and traffic.
2077 May be used in sections : defaults | frontend | listen | backend
2078 yes | yes | yes | yes
2079 Arguments :
2080 global should be used when the instance's logging parameters are the
2081 same as the global ones. This is the most common usage. "global"
2082 replaces <address>, <facility> and <level> with those of the log
2083 entries found in the "global" section. Only one "log global"
2084 statement may be used per instance, and this form takes no other
2085 parameter.
2086
2087 <address> indicates where to send the logs. It takes the same format as
2088 for the "global" section's logs, and can be one of :
2089
2090 - An IPv4 address optionally followed by a colon (':') and a UDP
2091 port. If no port is specified, 514 is used by default (the
2092 standard syslog port).
2093
2094 - A filesystem path to a UNIX domain socket, keeping in mind
2095 considerations for chroot (be sure the path is accessible
2096 inside the chroot) and uid/gid (be sure the path is
2097 appropriately writeable).
2098
2099 <facility> must be one of the 24 standard syslog facilities :
2100
2101 kern user mail daemon auth syslog lpr news
2102 uucp cron auth2 ftp ntp audit alert cron2
2103 local0 local1 local2 local3 local4 local5 local6 local7
2104
2105 <level> is optional and can be specified to filter outgoing messages. By
2106 default, all messages are sent. If a level is specified, only
2107 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002108 will be sent. An optional minimum level can be specified. If it
2109 is set, logs emitted with a more severe level than this one will
2110 be capped to this level. This is used to avoid sending "emerg"
2111 messages on all terminals on some default syslog configurations.
2112 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01002113
2114 emerg alert crit err warning notice info debug
2115
2116 Note that up to two "log" entries may be specified per instance. However, if
2117 "log global" is used and if the "global" section already contains 2 log
2118 entries, then additional log entries will be ignored.
2119
2120 Also, it is important to keep in mind that it is the frontend which decides
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002121 what to log from a connection, and that in case of content switching, the log
2122 entries from the backend will be ignored. Connections are logged at level
2123 "info".
2124
2125 However, backend log declaration define how and where servers status changes
2126 will be logged. Level "notice" will be used to indicate a server going up,
2127 "warning" will be used for termination signals and definitive service
2128 termination, and "alert" will be used for when a server goes down.
2129
2130 Note : According to RFC3164, messages are truncated to 1024 bytes before
2131 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002132
2133 Example :
2134 log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02002135 log 127.0.0.1:514 local0 notice # only send important events
2136 log 127.0.0.1:514 local0 notice notice # same but limit output level
Willy Tarreau2769aa02007-12-27 18:26:09 +01002137
2138
2139maxconn <conns>
2140 Fix the maximum number of concurrent connections on a frontend
2141 May be used in sections : defaults | frontend | listen | backend
2142 yes | yes | yes | no
2143 Arguments :
2144 <conns> is the maximum number of concurrent connections the frontend will
2145 accept to serve. Excess connections will be queued by the system
2146 in the socket's listen queue and will be served once a connection
2147 closes.
2148
2149 If the system supports it, it can be useful on big sites to raise this limit
2150 very high so that haproxy manages connection queues, instead of leaving the
2151 clients with unanswered connection attempts. This value should not exceed the
2152 global maxconn. Also, keep in mind that a connection contains two buffers
2153 of 8kB each, as well as some other data resulting in about 17 kB of RAM being
2154 consumed per established connection. That means that a medium system equipped
2155 with 1GB of RAM can withstand around 40000-50000 concurrent connections if
2156 properly tuned.
2157
2158 Also, when <conns> is set to large values, it is possible that the servers
2159 are not sized to accept such loads, and for this reason it is generally wise
2160 to assign them some reasonable connection limits.
2161
2162 See also : "server", global section's "maxconn", "fullconn"
2163
2164
2165mode { tcp|http|health }
2166 Set the running mode or protocol of the instance
2167 May be used in sections : defaults | frontend | listen | backend
2168 yes | yes | yes | yes
2169 Arguments :
2170 tcp The instance will work in pure TCP mode. A full-duplex connection
2171 will be established between clients and servers, and no layer 7
2172 examination will be performed. This is the default mode. It
2173 should be used for SSL, SSH, SMTP, ...
2174
2175 http The instance will work in HTTP mode. The client request will be
2176 analyzed in depth before connecting to any server. Any request
2177 which is not RFC-compliant will be rejected. Layer 7 filtering,
2178 processing and switching will be possible. This is the mode which
2179 brings HAProxy most of its value.
2180
2181 health The instance will work in "health" mode. It will just reply "OK"
2182 to incoming connections and close the connection. Nothing will be
2183 logged. This mode is used to reply to external components health
2184 checks. This mode is deprecated and should not be used anymore as
2185 it is possible to do the same and even better by combining TCP or
2186 HTTP modes with the "monitor" keyword.
2187
2188 When doing content switching, it is mandatory that the frontend and the
2189 backend are in the same mode (generally HTTP), otherwise the configuration
2190 will be refused.
2191
2192 Example :
2193 defaults http_instances
2194 mode http
2195
2196 See also : "monitor", "monitor-net"
2197
Willy Tarreau0ba27502007-12-24 16:55:16 +01002198
2199monitor fail [if | unless] <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01002200 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002201 May be used in sections : defaults | frontend | listen | backend
2202 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01002203 Arguments :
2204 if <cond> the monitor request will fail if the condition is satisfied,
2205 and will succeed otherwise. The condition should describe a
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002206 combined test which must induce a failure if all conditions
Willy Tarreau0ba27502007-12-24 16:55:16 +01002207 are met, for instance a low number of servers both in a
2208 backend and its backup.
2209
2210 unless <cond> the monitor request will succeed only if the condition is
2211 satisfied, and will fail otherwise. Such a condition may be
2212 based on a test on the presence of a minimum number of active
2213 servers in a list of backends.
2214
2215 This statement adds a condition which can force the response to a monitor
2216 request to report a failure. By default, when an external component queries
2217 the URI dedicated to monitoring, a 200 response is returned. When one of the
2218 conditions above is met, haproxy will return 503 instead of 200. This is
2219 very useful to report a site failure to an external component which may base
2220 routing advertisements between multiple sites on the availability reported by
2221 haproxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002222 criterion. Note that "monitor fail" only works in HTTP mode.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002223
2224 Example:
2225 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01002226 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01002227 acl site_dead nbsrv(dynamic) lt 2
2228 acl site_dead nbsrv(static) lt 2
2229 monitor-uri /site_alive
2230 monitor fail if site_dead
2231
Willy Tarreau2769aa02007-12-27 18:26:09 +01002232 See also : "monitor-net", "monitor-uri"
2233
2234
2235monitor-net <source>
2236 Declare a source network which is limited to monitor requests
2237 May be used in sections : defaults | frontend | listen | backend
2238 yes | yes | yes | no
2239 Arguments :
2240 <source> is the source IPv4 address or network which will only be able to
2241 get monitor responses to any request. It can be either an IPv4
2242 address, a host name, or an address followed by a slash ('/')
2243 followed by a mask.
2244
2245 In TCP mode, any connection coming from a source matching <source> will cause
2246 the connection to be immediately closed without any log. This allows another
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002247 equipment to probe the port and verify that it is still listening, without
Willy Tarreau2769aa02007-12-27 18:26:09 +01002248 forwarding the connection to a remote server.
2249
2250 In HTTP mode, a connection coming from a source matching <source> will be
2251 accepted, the following response will be sent without waiting for a request,
2252 then the connection will be closed : "HTTP/1.0 200 OK". This is normally
2253 enough for any front-end HTTP probe to detect that the service is UP and
2254 running without forwarding the request to a backend server.
2255
2256 Monitor requests are processed very early. It is not possible to block nor
2257 divert them using ACLs. They cannot be logged either, and it is the intended
2258 purpose. They are only used to report HAProxy's health to an upper component,
2259 nothing more. Right now, it is not possible to set failure conditions on
2260 requests caught by "monitor-net".
2261
2262 Example :
2263 # addresses .252 and .253 are just probing us.
2264 frontend www
2265 monitor-net 192.168.0.252/31
2266
2267 See also : "monitor fail", "monitor-uri"
2268
2269
2270monitor-uri <uri>
2271 Intercept a URI used by external components' monitor requests
2272 May be used in sections : defaults | frontend | listen | backend
2273 yes | yes | yes | no
2274 Arguments :
2275 <uri> is the exact URI which we want to intercept to return HAProxy's
2276 health status instead of forwarding the request.
2277
2278 When an HTTP request referencing <uri> will be received on a frontend,
2279 HAProxy will not forward it nor log it, but instead will return either
2280 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
2281 conditions defined with "monitor fail". This is normally enough for any
2282 front-end HTTP probe to detect that the service is UP and running without
2283 forwarding the request to a backend server. Note that the HTTP method, the
2284 version and all headers are ignored, but the request must at least be valid
2285 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
2286
2287 Monitor requests are processed very early. It is not possible to block nor
2288 divert them using ACLs. They cannot be logged either, and it is the intended
2289 purpose. They are only used to report HAProxy's health to an upper component,
2290 nothing more. However, it is possible to add any number of conditions using
2291 "monitor fail" and ACLs so that the result can be adjusted to whatever check
2292 can be imagined (most often the number of available servers in a backend).
2293
2294 Example :
2295 # Use /haproxy_test to report haproxy's status
2296 frontend www
2297 mode http
2298 monitor-uri /haproxy_test
2299
2300 See also : "monitor fail", "monitor-net"
2301
Willy Tarreau0ba27502007-12-24 16:55:16 +01002302
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002303option abortonclose
2304no option abortonclose
2305 Enable or disable early dropping of aborted requests pending in queues.
2306 May be used in sections : defaults | frontend | listen | backend
2307 yes | no | yes | yes
2308 Arguments : none
2309
2310 In presence of very high loads, the servers will take some time to respond.
2311 The per-instance connection queue will inflate, and the response time will
2312 increase respective to the size of the queue times the average per-session
2313 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01002314 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002315 the queue, and slowing down other users, and the servers as well, because the
2316 request will eventually be served, then aborted at the first error
2317 encountered while delivering the response.
2318
2319 As there is no way to distinguish between a full STOP and a simple output
2320 close on the client side, HTTP agents should be conservative and consider
2321 that the client might only have closed its output channel while waiting for
2322 the response. However, this introduces risks of congestion when lots of users
2323 do the same, and is completely useless nowadays because probably no client at
2324 all will close the session while waiting for the response. Some HTTP agents
Willy Tarreaud72758d2010-01-12 10:42:19 +01002325 support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002326 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01002327 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002328 of being the single component to break rare but valid traffic is extremely
2329 low, which adds to the temptation to be able to abort a session early while
2330 still not served and not pollute the servers.
2331
2332 In HAProxy, the user can choose the desired behaviour using the option
2333 "abortonclose". By default (without the option) the behaviour is HTTP
2334 compliant and aborted requests will be served. But when the option is
2335 specified, a session with an incoming channel closed will be aborted while
2336 it is still possible, either pending in the queue for a connection slot, or
2337 during the connection establishment if the server has not yet acknowledged
2338 the connection request. This considerably reduces the queue size and the load
2339 on saturated servers when users are tempted to click on STOP, which in turn
Willy Tarreaud72758d2010-01-12 10:42:19 +01002340 reduces the response time for other users.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002341
2342 If this option has been enabled in a "defaults" section, it can be disabled
2343 in a specific instance by prepending the "no" keyword before it.
2344
2345 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
2346
2347
Willy Tarreau4076a152009-04-02 15:18:36 +02002348option accept-invalid-http-request
2349no option accept-invalid-http-request
2350 Enable or disable relaxing of HTTP request parsing
2351 May be used in sections : defaults | frontend | listen | backend
2352 yes | yes | yes | no
2353 Arguments : none
2354
2355 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2356 means that invalid characters in header names are not permitted and cause an
2357 error to be returned to the client. This is the desired behaviour as such
2358 forbidden characters are essentially used to build attacks exploiting server
2359 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2360 server will emit invalid header names for whatever reason (configuration,
2361 implementation) and the issue will not be immediately fixed. In such a case,
2362 it is possible to relax HAProxy's header name parser to accept any character
2363 even if that does not make sense, by specifying this option.
2364
2365 This option should never be enabled by default as it hides application bugs
2366 and open security breaches. It should only be deployed after a problem has
2367 been confirmed.
2368
2369 When this option is enabled, erroneous header names will still be accepted in
2370 requests, but the complete request will be captured in order to permit later
2371 analysis using the "show errors" request on the UNIX stats socket. Doing this
2372 also helps confirming that the issue has been solved.
2373
2374 If this option has been enabled in a "defaults" section, it can be disabled
2375 in a specific instance by prepending the "no" keyword before it.
2376
2377 See also : "option accept-invalid-http-response" and "show errors" on the
2378 stats socket.
2379
2380
2381option accept-invalid-http-response
2382no option accept-invalid-http-response
2383 Enable or disable relaxing of HTTP response parsing
2384 May be used in sections : defaults | frontend | listen | backend
2385 yes | no | yes | yes
2386 Arguments : none
2387
2388 By default, HAProxy complies with RFC2616 in terms of message parsing. This
2389 means that invalid characters in header names are not permitted and cause an
2390 error to be returned to the client. This is the desired behaviour as such
2391 forbidden characters are essentially used to build attacks exploiting server
2392 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
2393 server will emit invalid header names for whatever reason (configuration,
2394 implementation) and the issue will not be immediately fixed. In such a case,
2395 it is possible to relax HAProxy's header name parser to accept any character
2396 even if that does not make sense, by specifying this option.
2397
2398 This option should never be enabled by default as it hides application bugs
2399 and open security breaches. It should only be deployed after a problem has
2400 been confirmed.
2401
2402 When this option is enabled, erroneous header names will still be accepted in
2403 responses, but the complete response will be captured in order to permit
2404 later analysis using the "show errors" request on the UNIX stats socket.
2405 Doing this also helps confirming that the issue has been solved.
2406
2407 If this option has been enabled in a "defaults" section, it can be disabled
2408 in a specific instance by prepending the "no" keyword before it.
2409
2410 See also : "option accept-invalid-http-request" and "show errors" on the
2411 stats socket.
2412
2413
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002414option allbackups
2415no option allbackups
2416 Use either all backup servers at a time or only the first one
2417 May be used in sections : defaults | frontend | listen | backend
2418 yes | no | yes | yes
2419 Arguments : none
2420
2421 By default, the first operational backup server gets all traffic when normal
2422 servers are all down. Sometimes, it may be preferred to use multiple backups
2423 at once, because one will not be enough. When "option allbackups" is enabled,
2424 the load balancing will be performed among all backup servers when all normal
2425 ones are unavailable. The same load balancing algorithm will be used and the
2426 servers' weights will be respected. Thus, there will not be any priority
2427 order between the backup servers anymore.
2428
2429 This option is mostly used with static server farms dedicated to return a
2430 "sorry" page when an application is completely offline.
2431
2432 If this option has been enabled in a "defaults" section, it can be disabled
2433 in a specific instance by prepending the "no" keyword before it.
2434
2435
2436option checkcache
2437no option checkcache
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002438 Analyze all server responses and block requests with cacheable cookies
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002439 May be used in sections : defaults | frontend | listen | backend
2440 yes | no | yes | yes
2441 Arguments : none
2442
2443 Some high-level frameworks set application cookies everywhere and do not
2444 always let enough control to the developer to manage how the responses should
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002445 be cached. When a session cookie is returned on a cacheable object, there is a
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002446 high risk of session crossing or stealing between users traversing the same
2447 caches. In some situations, it is better to block the response than to let
2448 some sensible session information go in the wild.
2449
2450 The option "checkcache" enables deep inspection of all server responses for
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002451 strict compliance with HTTP specification in terms of cacheability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01002452 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002453 response to check if there's a risk of caching a cookie on a client-side
2454 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01002455 to the client are :
2456 - all those without "Set-Cookie" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002457 - all those with a return code other than 200, 203, 206, 300, 301, 410,
Willy Tarreau198a7442008-01-17 12:05:32 +01002458 provided that the server has not set a "Cache-control: public" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002459 - all those that come from a POST request, provided that the server has not
2460 set a 'Cache-Control: public' header ;
2461 - those with a 'Pragma: no-cache' header
2462 - those with a 'Cache-control: private' header
2463 - those with a 'Cache-control: no-store' header
2464 - those with a 'Cache-control: max-age=0' header
2465 - those with a 'Cache-control: s-maxage=0' header
2466 - those with a 'Cache-control: no-cache' header
2467 - those with a 'Cache-control: no-cache="set-cookie"' header
2468 - those with a 'Cache-control: no-cache="set-cookie,' header
2469 (allowing other fields after set-cookie)
2470
2471 If a response doesn't respect these requirements, then it will be blocked
Willy Tarreau198a7442008-01-17 12:05:32 +01002472 just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002473 The session state shows "PH--" meaning that the proxy blocked the response
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002474 during headers processing. Additionally, an alert will be sent in the logs so
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002475 that admins are informed that there's something to be fixed.
2476
2477 Due to the high impact on the application, the application should be tested
2478 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002479 good practice to always activate it during tests, even if it is not used in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002480 production, as it will report potentially dangerous application behaviours.
2481
2482 If this option has been enabled in a "defaults" section, it can be disabled
2483 in a specific instance by prepending the "no" keyword before it.
2484
2485
2486option clitcpka
2487no option clitcpka
2488 Enable or disable the sending of TCP keepalive packets on the client side
2489 May be used in sections : defaults | frontend | listen | backend
2490 yes | yes | yes | no
2491 Arguments : none
2492
2493 When there is a firewall or any session-aware component between a client and
2494 a server, and when the protocol involves very long sessions with long idle
2495 periods (eg: remote desktops), there is a risk that one of the intermediate
2496 components decides to expire a session which has remained idle for too long.
2497
2498 Enabling socket-level TCP keep-alives makes the system regularly send packets
2499 to the other end of the connection, leaving it active. The delay between
2500 keep-alive probes is controlled by the system only and depends both on the
2501 operating system and its tuning parameters.
2502
2503 It is important to understand that keep-alive packets are neither emitted nor
2504 received at the application level. It is only the network stacks which sees
2505 them. For this reason, even if one side of the proxy already uses keep-alives
2506 to maintain its connection alive, those keep-alive packets will not be
2507 forwarded to the other side of the proxy.
2508
2509 Please note that this has nothing to do with HTTP keep-alive.
2510
2511 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
2512 client side of a connection, which should help when session expirations are
2513 noticed between HAProxy and a client.
2514
2515 If this option has been enabled in a "defaults" section, it can be disabled
2516 in a specific instance by prepending the "no" keyword before it.
2517
2518 See also : "option srvtcpka", "option tcpka"
2519
2520
Willy Tarreau0ba27502007-12-24 16:55:16 +01002521option contstats
2522 Enable continuous traffic statistics updates
2523 May be used in sections : defaults | frontend | listen | backend
2524 yes | yes | yes | no
2525 Arguments : none
2526
2527 By default, counters used for statistics calculation are incremented
2528 only when a session finishes. It works quite well when serving small
2529 objects, but with big ones (for example large images or archives) or
2530 with A/V streaming, a graph generated from haproxy counters looks like
2531 a hedgehog. With this option enabled counters get incremented continuously,
2532 during a whole session. Recounting touches a hotpath directly so
2533 it is not enabled by default, as it has small performance impact (~0.5%).
2534
2535
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002536option dontlog-normal
2537no option dontlog-normal
2538 Enable or disable logging of normal, successful connections
2539 May be used in sections : defaults | frontend | listen | backend
2540 yes | yes | yes | no
2541 Arguments : none
2542
2543 There are large sites dealing with several thousand connections per second
2544 and for which logging is a major pain. Some of them are even forced to turn
2545 logs off and cannot debug production issues. Setting this option ensures that
2546 normal connections, those which experience no error, no timeout, no retry nor
2547 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
2548 mode, the response status code is checked and return codes 5xx will still be
2549 logged.
2550
2551 It is strongly discouraged to use this option as most of the time, the key to
2552 complex issues is in the normal logs which will not be logged here. If you
2553 need to separate logs, see the "log-separate-errors" option instead.
2554
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002555 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002556 logging.
2557
2558
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002559option dontlognull
2560no option dontlognull
2561 Enable or disable logging of null connections
2562 May be used in sections : defaults | frontend | listen | backend
2563 yes | yes | yes | no
2564 Arguments : none
2565
2566 In certain environments, there are components which will regularly connect to
2567 various systems to ensure that they are still alive. It can be the case from
2568 another load balancer as well as from monitoring systems. By default, even a
2569 simple port probe or scan will produce a log. If those connections pollute
2570 the logs too much, it is possible to enable option "dontlognull" to indicate
2571 that a connection on which no data has been transferred will not be logged,
2572 which typically corresponds to those probes.
2573
2574 It is generally recommended not to use this option in uncontrolled
2575 environments (eg: internet), otherwise scans and other malicious activities
2576 would not be logged.
2577
2578 If this option has been enabled in a "defaults" section, it can be disabled
2579 in a specific instance by prepending the "no" keyword before it.
2580
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002581 See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002582
2583
2584option forceclose
2585no option forceclose
2586 Enable or disable active connection closing after response is transferred.
2587 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaua31e5df2009-12-30 01:10:35 +01002588 yes | yes | yes | yes
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002589 Arguments : none
2590
2591 Some HTTP servers do not necessarily close the connections when they receive
2592 the "Connection: close" set by "option httpclose", and if the client does not
2593 close either, then the connection remains open till the timeout expires. This
2594 causes high number of simultaneous connections on the servers and shows high
2595 global session times in the logs.
2596
2597 When this happens, it is possible to use "option forceclose". It will
Willy Tarreau82eeaf22009-12-29 12:09:05 +01002598 actively close the outgoing server channel as soon as the server has finished
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002599 to respond. This option implicitly enables the "httpclose" option. Note that
2600 this option also enables the parsing of the full request and response, which
2601 means we can close the connection to the server very quickly, releasing some
2602 resources earlier than with httpclose.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01002603
2604 If this option has been enabled in a "defaults" section, it can be disabled
2605 in a specific instance by prepending the "no" keyword before it.
2606
2607 See also : "option httpclose"
2608
2609
Ross Westaf72a1d2008-08-03 10:51:45 +02002610option forwardfor [ except <network> ] [ header <name> ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01002611 Enable insertion of the X-Forwarded-For header to requests sent to servers
2612 May be used in sections : defaults | frontend | listen | backend
2613 yes | yes | yes | yes
2614 Arguments :
2615 <network> is an optional argument used to disable this option for sources
2616 matching <network>
Ross Westaf72a1d2008-08-03 10:51:45 +02002617 <name> an optional argument to specify a different "X-Forwarded-For"
Willy Tarreaud72758d2010-01-12 10:42:19 +01002618 header name.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002619
2620 Since HAProxy works in reverse-proxy mode, the servers see its IP address as
2621 their client address. This is sometimes annoying when the client's IP address
2622 is expected in server logs. To solve this problem, the well-known HTTP header
2623 "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
2624 This header contains a value representing the client's IP address. Since this
2625 header is always appended at the end of the existing header list, the server
2626 must be configured to always use the last occurrence of this header only. See
Ross Westaf72a1d2008-08-03 10:51:45 +02002627 the server's manual to find how to enable use of this standard header. Note
2628 that only the last occurrence of the header must be used, since it is really
2629 possible that the client has already brought one.
2630
Willy Tarreaud72758d2010-01-12 10:42:19 +01002631 The keyword "header" may be used to supply a different header name to replace
Ross Westaf72a1d2008-08-03 10:51:45 +02002632 the default "X-Forwarded-For". This can be useful where you might already
Willy Tarreaud72758d2010-01-12 10:42:19 +01002633 have a "X-Forwarded-For" header from a different application (eg: stunnel),
2634 and you need preserve it. Also if your backend server doesn't use the
Ross Westaf72a1d2008-08-03 10:51:45 +02002635 "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
2636 require "X-Cluster-Client-IP").
Willy Tarreauc27debf2008-01-06 08:57:02 +01002637
2638 Sometimes, a same HAProxy instance may be shared between a direct client
2639 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
2640 used to decrypt HTTPS traffic). It is possible to disable the addition of the
2641 header for a known source address or network by adding the "except" keyword
2642 followed by the network address. In this case, any source IP matching the
2643 network will not cause an addition of this header. Most common uses are with
2644 private networks or 127.0.0.1.
2645
2646 This option may be specified either in the frontend or in the backend. If at
Ross Westaf72a1d2008-08-03 10:51:45 +02002647 least one of them uses it, the header will be added. Note that the backend's
2648 setting of the header subargument takes precedence over the frontend's if
2649 both are defined.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002650
2651 It is important to note that as long as HAProxy does not support keep-alive
2652 connections, only the first request of a connection will receive the header.
2653 For this reason, it is important to ensure that "option httpclose" is set
2654 when using this option.
2655
Ross Westaf72a1d2008-08-03 10:51:45 +02002656 Examples :
Willy Tarreauc27debf2008-01-06 08:57:02 +01002657 # Public HTTP address also used by stunnel on the same machine
2658 frontend www
2659 mode http
2660 option forwardfor except 127.0.0.1 # stunnel already adds the header
2661
Ross Westaf72a1d2008-08-03 10:51:45 +02002662 # Those servers want the IP Address in X-Client
2663 backend www
2664 mode http
2665 option forwardfor header X-Client
2666
Willy Tarreauc27debf2008-01-06 08:57:02 +01002667 See also : "option httpclose"
2668
2669
Willy Tarreauc27debf2008-01-06 08:57:02 +01002670option httpchk
2671option httpchk <uri>
2672option httpchk <method> <uri>
2673option httpchk <method> <uri> <version>
2674 Enable HTTP protocol to check on the servers health
2675 May be used in sections : defaults | frontend | listen | backend
2676 yes | no | yes | yes
2677 Arguments :
2678 <method> is the optional HTTP method used with the requests. When not set,
2679 the "OPTIONS" method is used, as it generally requires low server
2680 processing and is easy to filter out from the logs. Any method
2681 may be used, though it is not recommended to invent non-standard
2682 ones.
2683
2684 <uri> is the URI referenced in the HTTP requests. It defaults to " / "
2685 which is accessible by default on almost any server, but may be
2686 changed to any other URI. Query strings are permitted.
2687
2688 <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
2689 but some servers might behave incorrectly in HTTP 1.0, so turning
2690 it to HTTP/1.1 may sometimes help. Note that the Host field is
2691 mandatory in HTTP/1.1, and as a trick, it is possible to pass it
2692 after "\r\n" following the version string.
2693
2694 By default, server health checks only consist in trying to establish a TCP
2695 connection. When "option httpchk" is specified, a complete HTTP request is
2696 sent once the TCP connection is established, and responses 2xx and 3xx are
2697 considered valid, while all other ones indicate a server failure, including
2698 the lack of any response.
2699
2700 The port and interval are specified in the server configuration.
2701
2702 This option does not necessarily require an HTTP backend, it also works with
2703 plain TCP backends. This is particularly useful to check simple scripts bound
2704 to some dedicated ports using the inetd daemon.
2705
2706 Examples :
2707 # Relay HTTPS traffic to Apache instance and check service availability
2708 # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
2709 backend https_relay
2710 mode tcp
Willy Tarreauebaf21a2008-03-21 20:17:14 +01002711 option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
Willy Tarreauc27debf2008-01-06 08:57:02 +01002712 server apache1 192.168.1.1:443 check port 80
2713
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01002714 See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
2715 "http-check" and the "check", "port" and "interval" server options.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002716
2717
Willy Tarreaub608feb2010-01-02 22:47:18 +01002718option http-server-close
2719no option http-server-close
2720 Enable or disable HTTP connection closing on the server side
2721 May be used in sections : defaults | frontend | listen | backend
2722 yes | yes | yes | yes
2723 Arguments : none
2724
2725 This mode enables HTTP connection-close mode on the server side while keeping
2726 the ability to support HTTP keep-alive and pipelining on the client side.
2727 This provides the lowest latency on the client side (slow network) and the
2728 fastest session reuse on the server side to save server resources, similarly
2729 to "option forceclose". It also permits non-keepalive capable servers to be
2730 served in keep-alive mode to the clients if they conform to the requirements
2731 of RFC2616.
2732
2733 At the moment, logs will not indicate whether requests came from the same
2734 session or not. The accept date reported in the logs corresponds to the end
2735 of the previous request, and the request time corresponds to the time spent
2736 waiting for a new request. The keep-alive request time is still bound to the
Willy Tarreaub16a5742010-01-10 14:46:16 +01002737 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
2738 not set.
Willy Tarreaub608feb2010-01-02 22:47:18 +01002739
2740 This option may be set both in a frontend and in a backend. It is enabled if
2741 at least one of the frontend or backend holding a connection has it enabled.
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002742 It is worth noting that "option forceclose" has precedence over "option
2743 http-server-close" and that combining "http-server-close" with "httpclose"
2744 basically achieve the same result as "forceclose".
Willy Tarreaub608feb2010-01-02 22:47:18 +01002745
2746 If this option has been enabled in a "defaults" section, it can be disabled
2747 in a specific instance by prepending the "no" keyword before it.
2748
2749 See also : "option forceclose" and "option httpclose"
2750
2751
Willy Tarreau88d349d2010-01-25 12:15:43 +01002752option http-use-proxy-header
2753[no] option http-use-proxy-header
2754 Make use of non-standard Proxy-Connection header instead of Connection
2755 May be used in sections : defaults | frontend | listen | backend
2756 yes | yes | yes | no
2757 Arguments : none
2758
2759 While RFC2616 explicitly states that HTTP/1.1 agents must use the
2760 Connection header to indicate their wish of persistent or non-persistent
2761 connections, both browsers and proxies ignore this header for proxied
2762 connections and make use of the undocumented, non-standard Proxy-Connection
2763 header instead. The issue begins when trying to put a load balancer between
2764 browsers and such proxies, because there will be a difference between what
2765 haproxy understands and what the client and the proxy agree on.
2766
2767 By setting this option in a frontend, haproxy can automatically switch to use
2768 that non-standard header if it sees proxied requests. A proxied request is
2769 defined here as one where the URI begins with neither a '/' nor a '*'. The
2770 choice of header only affects requests passing through proxies making use of
2771 one of the "httpclose", "forceclose" and "http-server-close" options. Note
2772 that this option can only be specified in a frontend and will affect the
2773 request along its whole life.
2774
Willy Tarreau844a7e72010-01-31 21:46:18 +01002775 Also, when this option is set, a request which requires authentication will
2776 automatically switch to use proxy authentication headers if it is itself a
2777 proxied request. That makes it possible to check or enforce authentication in
2778 front of an existing proxy.
2779
Willy Tarreau88d349d2010-01-25 12:15:43 +01002780 This option should normally never be used, except in front of a proxy.
2781
2782 See also : "option httpclose", "option forceclose" and "option
2783 http-server-close".
2784
2785
Willy Tarreauc27debf2008-01-06 08:57:02 +01002786option httpclose
2787no option httpclose
2788 Enable or disable passive HTTP connection closing
2789 May be used in sections : defaults | frontend | listen | backend
2790 yes | yes | yes | yes
2791 Arguments : none
2792
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002793 As stated in section 1, HAProxy does not yes support the HTTP keep-alive
Willy Tarreauc27debf2008-01-06 08:57:02 +01002794 mode. So by default, if a client communicates with a server in this mode, it
2795 will only analyze, log, and process the first request of each connection. To
2796 workaround this limitation, it is possible to specify "option httpclose". It
2797 will check if a "Connection: close" header is already set in each direction,
2798 and will add one if missing. Each end should react to this by actively
2799 closing the TCP connection after each transfer, thus resulting in a switch to
2800 the HTTP close mode. Any "Connection" header different from "close" will also
2801 be removed.
2802
2803 It seldom happens that some servers incorrectly ignore this header and do not
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002804 close the connection eventhough they reply "Connection: close". For this
2805 reason, they are not compatible with older HTTP 1.0 browsers. If this happens
2806 it is possible to use the "option forceclose" which actively closes the
2807 request connection once the server responds. Option "forceclose" also
2808 releases the server connection earlier because it does not have to wait for
2809 the client to acknowledge it.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002810
2811 This option may be set both in a frontend and in a backend. It is enabled if
2812 at least one of the frontend or backend holding a connection has it enabled.
2813 If "option forceclose" is specified too, it has precedence over "httpclose".
Willy Tarreau0dfdf192010-01-05 11:33:11 +01002814 If "option http-server-close" is enabled at the same time as "httpclose", it
2815 basically achieves the same result as "option forceclose".
Willy Tarreauc27debf2008-01-06 08:57:02 +01002816
2817 If this option has been enabled in a "defaults" section, it can be disabled
2818 in a specific instance by prepending the "no" keyword before it.
2819
Willy Tarreaub608feb2010-01-02 22:47:18 +01002820 See also : "option forceclose" and "option http-server-close"
Willy Tarreauc27debf2008-01-06 08:57:02 +01002821
2822
Emeric Brun3a058f32009-06-30 18:26:00 +02002823option httplog [ clf ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01002824 Enable logging of HTTP request, session state and timers
2825 May be used in sections : defaults | frontend | listen | backend
2826 yes | yes | yes | yes
Emeric Brun3a058f32009-06-30 18:26:00 +02002827 Arguments :
2828 clf if the "clf" argument is added, then the output format will be
2829 the CLF format instead of HAProxy's default HTTP format. You can
2830 use this when you need to feed HAProxy's logs through a specific
2831 log analyser which only support the CLF format and which is not
2832 extensible.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002833
2834 By default, the log output format is very poor, as it only contains the
2835 source and destination addresses, and the instance name. By specifying
2836 "option httplog", each log line turns into a much richer format including,
2837 but not limited to, the HTTP request, the connection timers, the session
2838 status, the connections numbers, the captured headers and cookies, the
2839 frontend, backend and server name, and of course the source address and
2840 ports.
2841
2842 This option may be set either in the frontend or the backend.
2843
Emeric Brun3a058f32009-06-30 18:26:00 +02002844 If this option has been enabled in a "defaults" section, it can be disabled
2845 in a specific instance by prepending the "no" keyword before it. Specifying
2846 only "option httplog" will automatically clear the 'clf' mode if it was set
2847 by default.
2848
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002849 See also : section 8 about logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01002850
Willy Tarreau55165fe2009-05-10 12:02:55 +02002851
2852option http_proxy
2853no option http_proxy
2854 Enable or disable plain HTTP proxy mode
2855 May be used in sections : defaults | frontend | listen | backend
2856 yes | yes | yes | yes
2857 Arguments : none
2858
2859 It sometimes happens that people need a pure HTTP proxy which understands
2860 basic proxy requests without caching nor any fancy feature. In this case,
2861 it may be worth setting up an HAProxy instance with the "option http_proxy"
2862 set. In this mode, no server is declared, and the connection is forwarded to
2863 the IP address and port found in the URL after the "http://" scheme.
2864
2865 No host address resolution is performed, so this only works when pure IP
2866 addresses are passed. Since this option's usage perimeter is rather limited,
2867 it will probably be used only by experts who know they need exactly it. Last,
2868 if the clients are susceptible of sending keep-alive requests, it will be
2869 needed to add "option http_close" to ensure that all requests will correctly
2870 be analyzed.
2871
2872 If this option has been enabled in a "defaults" section, it can be disabled
2873 in a specific instance by prepending the "no" keyword before it.
2874
2875 Example :
2876 # this backend understands HTTP proxy requests and forwards them directly.
2877 backend direct_forward
2878 option httpclose
2879 option http_proxy
2880
2881 See also : "option httpclose"
2882
Willy Tarreau211ad242009-10-03 21:45:07 +02002883
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02002884option independant-streams
2885no option independant-streams
2886 Enable or disable independant timeout processing for both directions
2887 May be used in sections : defaults | frontend | listen | backend
2888 yes | yes | yes | yes
2889 Arguments : none
2890
2891 By default, when data is sent over a socket, both the write timeout and the
2892 read timeout for that socket are refreshed, because we consider that there is
2893 activity on that socket, and we have no other means of guessing if we should
2894 receive data or not.
2895
2896 While this default behaviour is desirable for almost all applications, there
2897 exists a situation where it is desirable to disable it, and only refresh the
2898 read timeout if there are incoming data. This happens on sessions with large
2899 timeouts and low amounts of exchanged data such as telnet session. If the
2900 server suddenly disappears, the output data accumulates in the system's
2901 socket buffers, both timeouts are correctly refreshed, and there is no way
2902 to know the server does not receive them, so we don't timeout. However, when
2903 the underlying protocol always echoes sent data, it would be enough by itself
2904 to detect the issue using the read timeout. Note that this problem does not
2905 happen with more verbose protocols because data won't accumulate long in the
2906 socket buffers.
2907
2908 When this option is set on the frontend, it will disable read timeout updates
2909 on data sent to the client. There probably is little use of this case. When
2910 the option is set on the backend, it will disable read timeout updates on
2911 data sent to the server. Doing so will typically break large HTTP posts from
2912 slow lines, so use it with caution.
2913
2914 See also : "timeout client" and "timeout server"
2915
2916
Willy Tarreau211ad242009-10-03 21:45:07 +02002917option log-health-checks
2918no option log-health-checks
2919 Enable or disable logging of health checks
2920 May be used in sections : defaults | frontend | listen | backend
2921 yes | no | yes | yes
2922 Arguments : none
2923
2924 Enable health checks logging so it possible to check for example what
2925 was happening before a server crash. Failed health check are logged if
2926 server is UP and succeeded health checks if server is DOWN, so the amount
2927 of additional information is limited.
2928
2929 If health check logging is enabled no health check status is printed
2930 when servers is set up UP/DOWN/ENABLED/DISABLED.
2931
2932 See also: "log" and section 8 about logging.
2933
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002934
2935option log-separate-errors
2936no option log-separate-errors
2937 Change log level for non-completely successful connections
2938 May be used in sections : defaults | frontend | listen | backend
2939 yes | yes | yes | no
2940 Arguments : none
2941
2942 Sometimes looking for errors in logs is not easy. This option makes haproxy
2943 raise the level of logs containing potentially interesting information such
2944 as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
2945 level changes from "info" to "err". This makes it possible to log them
2946 separately to a different file with most syslog daemons. Be careful not to
2947 remove them from the original file, otherwise you would lose ordering which
2948 provides very important information.
2949
2950 Using this option, large sites dealing with several thousand connections per
2951 second may log normal traffic to a rotating buffer and only archive smaller
2952 error logs.
2953
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002954 See also : "log", "dontlognull", "dontlog-normal" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02002955 logging.
2956
Willy Tarreauc27debf2008-01-06 08:57:02 +01002957
2958option logasap
2959no option logasap
2960 Enable or disable early logging of HTTP requests
2961 May be used in sections : defaults | frontend | listen | backend
2962 yes | yes | yes | no
2963 Arguments : none
2964
2965 By default, HTTP requests are logged upon termination so that the total
2966 transfer time and the number of bytes appear in the logs. When large objects
2967 are being transferred, it may take a while before the request appears in the
2968 logs. Using "option logasap", the request gets logged as soon as the server
2969 sends the complete headers. The only missing information in the logs will be
2970 the total number of bytes which will indicate everything except the amount
2971 of data transferred, and the total time which will not take the transfer
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002972 time into account. In such a situation, it's a good practice to capture the
Willy Tarreauc27debf2008-01-06 08:57:02 +01002973 "Content-Length" response header so that the logs at least indicate how many
2974 bytes are expected to be transferred.
2975
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002976 Examples :
2977 listen http_proxy 0.0.0.0:80
2978 mode http
2979 option httplog
2980 option logasap
2981 log 192.168.2.200 local3
2982
2983 >>> Feb 6 12:14:14 localhost \
2984 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
2985 static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
2986 "GET /image.iso HTTP/1.0"
2987
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002988 See also : "option httplog", "capture response header", and section 8 about
Willy Tarreauc27debf2008-01-06 08:57:02 +01002989 logging.
2990
2991
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01002992option mysql-check
2993 Use Mysql health checks for server testing
2994 May be used in sections : defaults | frontend | listen | backend
2995 yes | no | yes | yes
2996 Arguments : none
2997
2998 The check consists in parsing Mysql Handshake Initialisation packet or Error
2999 packet, which is sent by MySQL server on connect. It is a basic but useful
3000 test which does not produce any logging on the server. However, it does not
3001 check database presence nor database consistency, nor user permission to
3002 access. To do this, you can use an external check with xinetd for example.
3003
3004 Most often, an incoming MySQL server needs to see the client's IP address for
3005 various purposes, including IP privilege matching and connection logging.
3006 When possible, it is often wise to masquerade the client's IP address when
3007 connecting to the server using the "usesrc" argument of the "source" keyword,
3008 which requires the cttproxy feature to be compiled in, and the MySQL server
3009 to route the client via the machine hosting haproxy.
3010
3011 See also: "option httpchk"
3012
3013
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003014option nolinger
3015no option nolinger
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003016 Enable or disable immediate session resource cleaning after close
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003017 May be used in sections: defaults | frontend | listen | backend
3018 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003019 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003020
3021 When clients or servers abort connections in a dirty way (eg: they are
3022 physically disconnected), the session timeouts triggers and the session is
3023 closed. But it will remain in FIN_WAIT1 state for some time in the system,
3024 using some resources and possibly limiting the ability to establish newer
3025 connections.
3026
3027 When this happens, it is possible to activate "option nolinger" which forces
3028 the system to immediately remove any socket's pending data on close. Thus,
3029 the session is instantly purged from the system's tables. This usually has
3030 side effects such as increased number of TCP resets due to old retransmits
3031 getting immediately rejected. Some firewalls may sometimes complain about
3032 this too.
3033
3034 For this reason, it is not recommended to use this option when not absolutely
3035 needed. You know that you need it when you have thousands of FIN_WAIT1
3036 sessions on your system (TIME_WAIT ones do not count).
3037
3038 This option may be used both on frontends and backends, depending on the side
3039 where it is required. Use it on the frontend for clients, and on the backend
3040 for servers.
3041
3042 If this option has been enabled in a "defaults" section, it can be disabled
3043 in a specific instance by prepending the "no" keyword before it.
3044
3045
Willy Tarreau55165fe2009-05-10 12:02:55 +02003046option originalto [ except <network> ] [ header <name> ]
3047 Enable insertion of the X-Original-To header to requests sent to servers
3048 May be used in sections : defaults | frontend | listen | backend
3049 yes | yes | yes | yes
3050 Arguments :
3051 <network> is an optional argument used to disable this option for sources
3052 matching <network>
3053 <name> an optional argument to specify a different "X-Original-To"
3054 header name.
3055
3056 Since HAProxy can work in transparent mode, every request from a client can
3057 be redirected to the proxy and HAProxy itself can proxy every request to a
3058 complex SQUID environment and the destination host from SO_ORIGINAL_DST will
3059 be lost. This is annoying when you want access rules based on destination ip
3060 addresses. To solve this problem, a new HTTP header "X-Original-To" may be
3061 added by HAProxy to all requests sent to the server. This header contains a
3062 value representing the original destination IP address. Since this must be
3063 configured to always use the last occurrence of this header only. Note that
3064 only the last occurrence of the header must be used, since it is really
3065 possible that the client has already brought one.
3066
3067 The keyword "header" may be used to supply a different header name to replace
3068 the default "X-Original-To". This can be useful where you might already
3069 have a "X-Original-To" header from a different application, and you need
3070 preserve it. Also if your backend server doesn't use the "X-Original-To"
3071 header and requires different one.
3072
3073 Sometimes, a same HAProxy instance may be shared between a direct client
3074 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
3075 used to decrypt HTTPS traffic). It is possible to disable the addition of the
3076 header for a known source address or network by adding the "except" keyword
3077 followed by the network address. In this case, any source IP matching the
3078 network will not cause an addition of this header. Most common uses are with
3079 private networks or 127.0.0.1.
3080
3081 This option may be specified either in the frontend or in the backend. If at
3082 least one of them uses it, the header will be added. Note that the backend's
3083 setting of the header subargument takes precedence over the frontend's if
3084 both are defined.
3085
3086 It is important to note that as long as HAProxy does not support keep-alive
3087 connections, only the first request of a connection will receive the header.
3088 For this reason, it is important to ensure that "option httpclose" is set
3089 when using this option.
3090
3091 Examples :
3092 # Original Destination address
3093 frontend www
3094 mode http
3095 option originalto except 127.0.0.1
3096
3097 # Those servers want the IP Address in X-Client-Dst
3098 backend www
3099 mode http
3100 option originalto header X-Client-Dst
3101
3102 See also : "option httpclose"
3103
3104
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003105option persist
3106no option persist
3107 Enable or disable forced persistence on down servers
3108 May be used in sections: defaults | frontend | listen | backend
3109 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003110 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003111
3112 When an HTTP request reaches a backend with a cookie which references a dead
3113 server, by default it is redispatched to another server. It is possible to
3114 force the request to be sent to the dead server first using "option persist"
3115 if absolutely needed. A common use case is when servers are under extreme
3116 load and spend their time flapping. In this case, the users would still be
3117 directed to the server they opened the session on, in the hope they would be
3118 correctly served. It is recommended to use "option redispatch" in conjunction
3119 with this option so that in the event it would not be possible to connect to
3120 the server at all (server definitely dead), the client would finally be
3121 redirected to another valid server.
3122
3123 If this option has been enabled in a "defaults" section, it can be disabled
3124 in a specific instance by prepending the "no" keyword before it.
3125
Willy Tarreau4de91492010-01-22 19:10:05 +01003126 See also : "option redispatch", "retries", "force-persist"
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003127
3128
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003129option redispatch
3130no option redispatch
3131 Enable or disable session redistribution in case of connection failure
3132 May be used in sections: defaults | frontend | listen | backend
3133 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003134 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003135
3136 In HTTP mode, if a server designated by a cookie is down, clients may
3137 definitely stick to it because they cannot flush the cookie, so they will not
3138 be able to access the service anymore.
3139
3140 Specifying "option redispatch" will allow the proxy to break their
3141 persistence and redistribute them to a working server.
3142
3143 It also allows to retry last connection to another server in case of multiple
3144 connection failures. Of course, it requires having "retries" set to a nonzero
3145 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01003146
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003147 This form is the preferred form, which replaces both the "redispatch" and
3148 "redisp" keywords.
3149
3150 If this option has been enabled in a "defaults" section, it can be disabled
3151 in a specific instance by prepending the "no" keyword before it.
3152
Willy Tarreau4de91492010-01-22 19:10:05 +01003153 See also : "redispatch", "retries", "force-persist"
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003154
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003155
3156option smtpchk
3157option smtpchk <hello> <domain>
3158 Use SMTP health checks for server testing
3159 May be used in sections : defaults | frontend | listen | backend
3160 yes | no | yes | yes
Willy Tarreaud72758d2010-01-12 10:42:19 +01003161 Arguments :
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003162 <hello> is an optional argument. It is the "hello" command to use. It can
3163 be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
3164 values will be turned into the default command ("HELO").
3165
3166 <domain> is the domain name to present to the server. It may only be
3167 specified (and is mandatory) if the hello command has been
3168 specified. By default, "localhost" is used.
3169
3170 When "option smtpchk" is set, the health checks will consist in TCP
3171 connections followed by an SMTP command. By default, this command is
3172 "HELO localhost". The server's return code is analyzed and only return codes
3173 starting with a "2" will be considered as valid. All other responses,
3174 including a lack of response will constitute an error and will indicate a
3175 dead server.
3176
3177 This test is meant to be used with SMTP servers or relays. Depending on the
3178 request, it is possible that some servers do not log each connection attempt,
3179 so you may want to experiment to improve the behaviour. Using telnet on port
3180 25 is often easier than adjusting the configuration.
3181
3182 Most often, an incoming SMTP server needs to see the client's IP address for
3183 various purposes, including spam filtering, anti-spoofing and logging. When
3184 possible, it is often wise to masquerade the client's IP address when
3185 connecting to the server using the "usesrc" argument of the "source" keyword,
3186 which requires the cttproxy feature to be compiled in.
3187
3188 Example :
3189 option smtpchk HELO mydomain.org
3190
3191 See also : "option httpchk", "source"
3192
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003193
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02003194option socket-stats
3195no option socket-stats
3196
3197 Enable or disable collecting & providing separate statistics for each socket.
3198 May be used in sections : defaults | frontend | listen | backend
3199 yes | yes | yes | no
3200
3201 Arguments : none
3202
3203
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003204option splice-auto
3205no option splice-auto
3206 Enable or disable automatic kernel acceleration on sockets in both directions
3207 May be used in sections : defaults | frontend | listen | backend
3208 yes | yes | yes | yes
3209 Arguments : none
3210
3211 When this option is enabled either on a frontend or on a backend, haproxy
3212 will automatically evaluate the opportunity to use kernel tcp splicing to
3213 forward data between the client and the server, in either direction. Haproxy
3214 uses heuristics to estimate if kernel splicing might improve performance or
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003215 not. Both directions are handled independently. Note that the heuristics used
Willy Tarreauff4f82d2009-02-06 11:28:13 +01003216 are not much aggressive in order to limit excessive use of splicing. This
3217 option requires splicing to be enabled at compile time, and may be globally
3218 disabled with the global option "nosplice". Since splice uses pipes, using it
3219 requires that there are enough spare pipes.
3220
3221 Important note: kernel-based TCP splicing is a Linux-specific feature which
3222 first appeared in kernel 2.6.25. It offers kernel-based acceleration to
3223 transfer data between sockets without copying these data to user-space, thus
3224 providing noticeable performance gains and CPU cycles savings. Since many
3225 early implementations are buggy, corrupt data and/or are inefficient, this
3226 feature is not enabled by default, and it should be used with extreme care.
3227 While it is not possible to detect the correctness of an implementation,
3228 2.6.29 is the first version offering a properly working implementation. In
3229 case of doubt, splicing may be globally disabled using the global "nosplice"
3230 keyword.
3231
3232 Example :
3233 option splice-auto
3234
3235 If this option has been enabled in a "defaults" section, it can be disabled
3236 in a specific instance by prepending the "no" keyword before it.
3237
3238 See also : "option splice-request", "option splice-response", and global
3239 options "nosplice" and "maxpipes"
3240
3241
3242option splice-request
3243no option splice-request
3244 Enable or disable automatic kernel acceleration on sockets for requests
3245 May be used in sections : defaults | frontend | listen | backend
3246 yes | yes | yes | yes
3247 Arguments : none
3248
3249 When this option is enabled either on a frontend or on a backend, haproxy
3250 will user kernel tcp splicing whenever possible to forward data going from
3251 the client to the server. It might still use the recv/send scheme if there
3252 are no spare pipes left. This option requires splicing to be enabled at
3253 compile time, and may be globally disabled with the global option "nosplice".
3254 Since splice uses pipes, using it requires that there are enough spare pipes.
3255
3256 Important note: see "option splice-auto" for usage limitations.
3257
3258 Example :
3259 option splice-request
3260
3261 If this option has been enabled in a "defaults" section, it can be disabled
3262 in a specific instance by prepending the "no" keyword before it.
3263
3264 See also : "option splice-auto", "option splice-response", and global options
3265 "nosplice" and "maxpipes"
3266
3267
3268option splice-response
3269no option splice-response
3270 Enable or disable automatic kernel acceleration on sockets for responses
3271 May be used in sections : defaults | frontend | listen | backend
3272 yes | yes | yes | yes
3273 Arguments : none
3274
3275 When this option is enabled either on a frontend or on a backend, haproxy
3276 will user kernel tcp splicing whenever possible to forward data going from
3277 the server to the client. It might still use the recv/send scheme if there
3278 are no spare pipes left. This option requires splicing to be enabled at
3279 compile time, and may be globally disabled with the global option "nosplice".
3280 Since splice uses pipes, using it requires that there are enough spare pipes.
3281
3282 Important note: see "option splice-auto" for usage limitations.
3283
3284 Example :
3285 option splice-response
3286
3287 If this option has been enabled in a "defaults" section, it can be disabled
3288 in a specific instance by prepending the "no" keyword before it.
3289
3290 See also : "option splice-auto", "option splice-request", and global options
3291 "nosplice" and "maxpipes"
3292
3293
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003294option srvtcpka
3295no option srvtcpka
3296 Enable or disable the sending of TCP keepalive packets on the server side
3297 May be used in sections : defaults | frontend | listen | backend
3298 yes | no | yes | yes
3299 Arguments : none
3300
3301 When there is a firewall or any session-aware component between a client and
3302 a server, and when the protocol involves very long sessions with long idle
3303 periods (eg: remote desktops), there is a risk that one of the intermediate
3304 components decides to expire a session which has remained idle for too long.
3305
3306 Enabling socket-level TCP keep-alives makes the system regularly send packets
3307 to the other end of the connection, leaving it active. The delay between
3308 keep-alive probes is controlled by the system only and depends both on the
3309 operating system and its tuning parameters.
3310
3311 It is important to understand that keep-alive packets are neither emitted nor
3312 received at the application level. It is only the network stacks which sees
3313 them. For this reason, even if one side of the proxy already uses keep-alives
3314 to maintain its connection alive, those keep-alive packets will not be
3315 forwarded to the other side of the proxy.
3316
3317 Please note that this has nothing to do with HTTP keep-alive.
3318
3319 Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
3320 server side of a connection, which should help when session expirations are
3321 noticed between HAProxy and a server.
3322
3323 If this option has been enabled in a "defaults" section, it can be disabled
3324 in a specific instance by prepending the "no" keyword before it.
3325
3326 See also : "option clitcpka", "option tcpka"
3327
3328
Willy Tarreaua453bdd2008-01-08 19:50:52 +01003329option ssl-hello-chk
3330 Use SSLv3 client hello health checks for server testing
3331 May be used in sections : defaults | frontend | listen | backend
3332 yes | no | yes | yes
3333 Arguments : none
3334
3335 When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
3336 possible to test that the server correctly talks SSL instead of just testing
3337 that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
3338 SSLv3 client hello messages are sent once the connection is established to
3339 the server, and the response is analyzed to find an SSL server hello message.
3340 The server is considered valid only when the response contains this server
3341 hello message.
3342
3343 All servers tested till there correctly reply to SSLv3 client hello messages,
3344 and most servers tested do not even log the requests containing only hello
3345 messages, which is appreciable.
3346
3347 See also: "option httpchk"
3348
3349
Willy Tarreau9ea05a72009-06-14 12:07:01 +02003350option tcp-smart-accept
3351no option tcp-smart-accept
3352 Enable or disable the saving of one ACK packet during the accept sequence
3353 May be used in sections : defaults | frontend | listen | backend
3354 yes | yes | yes | no
3355 Arguments : none
3356
3357 When an HTTP connection request comes in, the system acknowledges it on
3358 behalf of HAProxy, then the client immediately sends its request, and the
3359 system acknowledges it too while it is notifying HAProxy about the new
3360 connection. HAProxy then reads the request and responds. This means that we
3361 have one TCP ACK sent by the system for nothing, because the request could
3362 very well be acknowledged by HAProxy when it sends its response.
3363
3364 For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
3365 sending this useless ACK on platforms which support it (currently at least
3366 Linux). It must not cause any problem, because the system will send it anyway
3367 after 40 ms if the response takes more time than expected to come.
3368
3369 During complex network debugging sessions, it may be desirable to disable
3370 this optimization because delayed ACKs can make troubleshooting more complex
3371 when trying to identify where packets are delayed. It is then possible to
3372 fall back to normal behaviour by specifying "no option tcp-smart-accept".
3373
3374 It is also possible to force it for non-HTTP proxies by simply specifying
3375 "option tcp-smart-accept". For instance, it can make sense with some services
3376 such as SMTP where the server speaks first.
3377
3378 It is recommended to avoid forcing this option in a defaults section. In case
3379 of doubt, consider setting it back to automatic values by prepending the
3380 "default" keyword before it, or disabling it using the "no" keyword.
3381
Willy Tarreaud88edf22009-06-14 15:48:17 +02003382 See also : "option tcp-smart-connect"
3383
3384
3385option tcp-smart-connect
3386no option tcp-smart-connect
3387 Enable or disable the saving of one ACK packet during the connect sequence
3388 May be used in sections : defaults | frontend | listen | backend
3389 yes | no | yes | yes
3390 Arguments : none
3391
3392 On certain systems (at least Linux), HAProxy can ask the kernel not to
3393 immediately send an empty ACK upon a connection request, but to directly
3394 send the buffer request instead. This saves one packet on the network and
3395 thus boosts performance. It can also be useful for some servers, because they
3396 immediately get the request along with the incoming connection.
3397
3398 This feature is enabled when "option tcp-smart-connect" is set in a backend.
3399 It is not enabled by default because it makes network troubleshooting more
3400 complex.
3401
3402 It only makes sense to enable it with protocols where the client speaks first
3403 such as HTTP. In other situations, if there is no data to send in place of
3404 the ACK, a normal ACK is sent.
3405
3406 If this option has been enabled in a "defaults" section, it can be disabled
3407 in a specific instance by prepending the "no" keyword before it.
3408
3409 See also : "option tcp-smart-accept"
3410
Willy Tarreau9ea05a72009-06-14 12:07:01 +02003411
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003412option tcpka
3413 Enable or disable the sending of TCP keepalive packets on both sides
3414 May be used in sections : defaults | frontend | listen | backend
3415 yes | yes | yes | yes
3416 Arguments : none
3417
3418 When there is a firewall or any session-aware component between a client and
3419 a server, and when the protocol involves very long sessions with long idle
3420 periods (eg: remote desktops), there is a risk that one of the intermediate
3421 components decides to expire a session which has remained idle for too long.
3422
3423 Enabling socket-level TCP keep-alives makes the system regularly send packets
3424 to the other end of the connection, leaving it active. The delay between
3425 keep-alive probes is controlled by the system only and depends both on the
3426 operating system and its tuning parameters.
3427
3428 It is important to understand that keep-alive packets are neither emitted nor
3429 received at the application level. It is only the network stacks which sees
3430 them. For this reason, even if one side of the proxy already uses keep-alives
3431 to maintain its connection alive, those keep-alive packets will not be
3432 forwarded to the other side of the proxy.
3433
3434 Please note that this has nothing to do with HTTP keep-alive.
3435
3436 Using option "tcpka" enables the emission of TCP keep-alive probes on both
3437 the client and server sides of a connection. Note that this is meaningful
3438 only in "defaults" or "listen" sections. If this option is used in a
3439 frontend, only the client side will get keep-alives, and if this option is
3440 used in a backend, only the server side will get keep-alives. For this
3441 reason, it is strongly recommended to explicitly use "option clitcpka" and
3442 "option srvtcpka" when the configuration is split between frontends and
3443 backends.
3444
3445 See also : "option clitcpka", "option srvtcpka"
3446
Willy Tarreau844e3c52008-01-11 16:28:18 +01003447
3448option tcplog
3449 Enable advanced logging of TCP connections with session state and timers
3450 May be used in sections : defaults | frontend | listen | backend
3451 yes | yes | yes | yes
3452 Arguments : none
3453
3454 By default, the log output format is very poor, as it only contains the
3455 source and destination addresses, and the instance name. By specifying
3456 "option tcplog", each log line turns into a much richer format including, but
3457 not limited to, the connection timers, the session status, the connections
3458 numbers, the frontend, backend and server name, and of course the source
3459 address and ports. This option is useful for pure TCP proxies in order to
3460 find which of the client or server disconnects or times out. For normal HTTP
3461 proxies, it's better to use "option httplog" which is even more complete.
3462
3463 This option may be set either in the frontend or the backend.
3464
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003465 See also : "option httplog", and section 8 about logging.
Willy Tarreau844e3c52008-01-11 16:28:18 +01003466
3467
Willy Tarreau844e3c52008-01-11 16:28:18 +01003468option transparent
3469no option transparent
3470 Enable client-side transparent proxying
3471 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01003472 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01003473 Arguments : none
3474
3475 This option was introduced in order to provide layer 7 persistence to layer 3
3476 load balancers. The idea is to use the OS's ability to redirect an incoming
3477 connection for a remote address to a local process (here HAProxy), and let
3478 this process know what address was initially requested. When this option is
3479 used, sessions without cookies will be forwarded to the original destination
3480 IP address of the incoming request (which should match that of another
3481 equipment), while requests with cookies will still be forwarded to the
3482 appropriate server.
3483
3484 Note that contrary to a common belief, this option does NOT make HAProxy
3485 present the client's IP to the server when establishing the connection.
3486
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003487 See also: the "usersrc" argument of the "source" keyword, and the
3488 "transparent" option of the "bind" keyword.
Willy Tarreau844e3c52008-01-11 16:28:18 +01003489
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003490
Emeric Brun647caf12009-06-30 17:57:00 +02003491persist rdp-cookie
3492persist rdp-cookie(name)
3493 Enable RDP cookie-based persistence
3494 May be used in sections : defaults | frontend | listen | backend
3495 yes | no | yes | yes
3496 Arguments :
3497 <name> is the optional name of the RDP cookie to check. If omitted, the
3498 default cookie name "mstshash" will be used. There currently is
3499 no valid reason to change this name.
3500
3501 This statement enables persistence based on an RDP cookie. The RDP cookie
3502 contains all information required to find the server in the list of known
3503 servers. So when this option is set in the backend, the request is analysed
3504 and if an RDP cookie is found, it is decoded. If it matches a known server
3505 which is still UP (or if "option persist" is set), then the connection is
3506 forwarded to this server.
3507
3508 Note that this only makes sense in a TCP backend, but for this to work, the
3509 frontend must have waited long enough to ensure that an RDP cookie is present
3510 in the request buffer. This is the same requirement as with the "rdp-cookie"
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003511 load-balancing method. Thus it is highly recommended to put all statements in
Emeric Brun647caf12009-06-30 17:57:00 +02003512 a single "listen" section.
3513
3514 Example :
3515 listen tse-farm
3516 bind :3389
3517 # wait up to 5s for an RDP cookie in the request
3518 tcp-request inspect-delay 5s
3519 tcp-request content accept if RDP_COOKIE
3520 # apply RDP cookie persistence
3521 persist rdp-cookie
3522 # if server is unknown, let's balance on the same cookie.
3523 # alternatively, "balance leastconn" may be useful too.
3524 balance rdp-cookie
3525 server srv1 1.1.1.1:3389
3526 server srv2 1.1.1.2:3389
3527
3528 See also : "balance rdp-cookie", "tcp-request" and the "req_rdp_cookie" ACL.
3529
3530
Willy Tarreau3a7d2072009-03-05 23:48:25 +01003531rate-limit sessions <rate>
3532 Set a limit on the number of new sessions accepted per second on a frontend
3533 May be used in sections : defaults | frontend | listen | backend
3534 yes | yes | yes | no
3535 Arguments :
3536 <rate> The <rate> parameter is an integer designating the maximum number
3537 of new sessions per second to accept on the frontend.
3538
3539 When the frontend reaches the specified number of new sessions per second, it
3540 stops accepting new connections until the rate drops below the limit again.
3541 During this time, the pending sessions will be kept in the socket's backlog
3542 (in system buffers) and haproxy will not even be aware that sessions are
3543 pending. When applying very low limit on a highly loaded service, it may make
3544 sense to increase the socket's backlog using the "backlog" keyword.
3545
3546 This feature is particularly efficient at blocking connection-based attacks
3547 or service abuse on fragile servers. Since the session rate is measured every
3548 millisecond, it is extremely accurate. Also, the limit applies immediately,
3549 no delay is needed at all to detect the threshold.
3550
3551 Example : limit the connection rate on SMTP to 10 per second max
3552 listen smtp
3553 mode tcp
3554 bind :25
3555 rate-limit sessions 10
3556 server 127.0.0.1:1025
3557
3558 Note : when the maximum rate is reached, the frontend's status appears as
3559 "FULL" in the statistics, exactly as when it is saturated.
3560
3561 See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
3562
3563
Willy Tarreauf285f542010-01-03 20:03:03 +01003564redirect location <to> [code <code>] <option> [{if | unless} <condition>]
3565redirect prefix <to> [code <code>] <option> [{if | unless} <condition>]
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003566 Return an HTTP redirection if/unless a condition is matched
3567 May be used in sections : defaults | frontend | listen | backend
3568 no | yes | yes | yes
3569
3570 If/unless the condition is matched, the HTTP request will lead to a redirect
Willy Tarreauf285f542010-01-03 20:03:03 +01003571 response. If no condition is specified, the redirect applies unconditionally.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003572
Willy Tarreau0140f252008-11-19 21:07:09 +01003573 Arguments :
3574 <to> With "redirect location", the exact value in <to> is placed into
3575 the HTTP "Location" header. In case of "redirect prefix", the
3576 "Location" header is built from the concatenation of <to> and the
3577 complete URI, including the query string, unless the "drop-query"
Willy Tarreaufe651a52008-11-19 21:15:17 +01003578 option is specified (see below). As a special case, if <to>
3579 equals exactly "/" in prefix mode, then nothing is inserted
3580 before the original URI. It allows one to redirect to the same
3581 URL.
Willy Tarreau0140f252008-11-19 21:07:09 +01003582
3583 <code> The code is optional. It indicates which type of HTTP redirection
3584 is desired. Only codes 301, 302 and 303 are supported, and 302 is
3585 used if no code is specified. 301 means "Moved permanently", and
3586 a browser may cache the Location. 302 means "Moved permanently"
3587 and means that the browser should not cache the redirection. 303
3588 is equivalent to 302 except that the browser will fetch the
3589 location with a GET method.
3590
3591 <option> There are several options which can be specified to adjust the
3592 expected behaviour of a redirection :
3593
3594 - "drop-query"
3595 When this keyword is used in a prefix-based redirection, then the
3596 location will be set without any possible query-string, which is useful
3597 for directing users to a non-secure page for instance. It has no effect
3598 with a location-type redirect.
3599
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01003600 - "append-slash"
3601 This keyword may be used in conjunction with "drop-query" to redirect
3602 users who use a URL not ending with a '/' to the same one with the '/'.
3603 It can be useful to ensure that search engines will only see one URL.
3604 For this, a return code 301 is preferred.
3605
Willy Tarreau0140f252008-11-19 21:07:09 +01003606 - "set-cookie NAME[=value]"
3607 A "Set-Cookie" header will be added with NAME (and optionally "=value")
3608 to the response. This is sometimes used to indicate that a user has
3609 been seen, for instance to protect against some types of DoS. No other
3610 cookie option is added, so the cookie will be a session cookie. Note
3611 that for a browser, a sole cookie name without an equal sign is
3612 different from a cookie with an equal sign.
3613
3614 - "clear-cookie NAME[=]"
3615 A "Set-Cookie" header will be added with NAME (and optionally "="), but
3616 with the "Max-Age" attribute set to zero. This will tell the browser to
3617 delete this cookie. It is useful for instance on logout pages. It is
3618 important to note that clearing the cookie "NAME" will not remove a
3619 cookie set with "NAME=value". You have to clear the cookie "NAME=" for
3620 that, because the browser makes the difference.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003621
3622 Example: move the login URL only to HTTPS.
3623 acl clear dst_port 80
3624 acl secure dst_port 8080
3625 acl login_page url_beg /login
Willy Tarreau0140f252008-11-19 21:07:09 +01003626 acl logout url_beg /logout
Willy Tarreau79da4692008-11-19 20:03:04 +01003627 acl uid_given url_reg /login?userid=[^&]+
Willy Tarreau0140f252008-11-19 21:07:09 +01003628 acl cookie_set hdr_sub(cookie) SEEN=1
3629
3630 redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
Willy Tarreau79da4692008-11-19 20:03:04 +01003631 redirect prefix https://mysite.com if login_page !secure
3632 redirect prefix http://mysite.com drop-query if login_page !uid_given
3633 redirect location http://mysite.com/ if !login_page secure
Willy Tarreau0140f252008-11-19 21:07:09 +01003634 redirect location / clear-cookie USERID= if logout
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003635
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01003636 Example: send redirects for request for articles without a '/'.
3637 acl missing_slash path_reg ^/article/[^/]*$
3638 redirect code 301 prefix / drop-query append-slash if missing_slash
3639
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003640 See section 7 about ACL usage.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02003641
3642
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003643redisp (deprecated)
3644redispatch (deprecated)
3645 Enable or disable session redistribution in case of connection failure
3646 May be used in sections: defaults | frontend | listen | backend
3647 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003648 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003649
3650 In HTTP mode, if a server designated by a cookie is down, clients may
3651 definitely stick to it because they cannot flush the cookie, so they will not
3652 be able to access the service anymore.
3653
3654 Specifying "redispatch" will allow the proxy to break their persistence and
3655 redistribute them to a working server.
3656
3657 It also allows to retry last connection to another server in case of multiple
3658 connection failures. Of course, it requires having "retries" set to a nonzero
3659 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01003660
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01003661 This form is deprecated, do not use it in any new configuration, use the new
3662 "option redispatch" instead.
3663
3664 See also : "option redispatch"
3665
Willy Tarreaueabeafa2008-01-16 16:17:06 +01003666
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01003667reqadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01003668 Add a header at the end of the HTTP request
3669 May be used in sections : defaults | frontend | listen | backend
3670 no | yes | yes | yes
3671 Arguments :
3672 <string> is the complete line to be added. Any space or known delimiter
3673 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003674 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01003675
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01003676 <cond> is an optional matching condition built from ACLs. It makes it
3677 possible to ignore this rule when other conditions are not met.
3678
Willy Tarreau303c0352008-01-17 19:01:39 +01003679 A new line consisting in <string> followed by a line feed will be added after
3680 the last header of an HTTP request.
3681
3682 Header transformations only apply to traffic which passes through HAProxy,
3683 and not to traffic generated by HAProxy, such as health-checks or error
3684 responses.
3685
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01003686 Example : add "X-Proto: SSL" to requests coming via port 81
3687 acl is-ssl dst_port 81
3688 reqadd X-Proto:\ SSL if is-ssl
3689
3690 See also: "rspadd", section 6 about HTTP header manipulation, and section 7
3691 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003692
3693
Willy Tarreau5321c422010-01-28 20:35:13 +01003694reqallow <search> [{if | unless} <cond>]
3695reqiallow <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003696 Definitely allow an HTTP request if a line matches a regular expression
3697 May be used in sections : defaults | frontend | listen | backend
3698 no | yes | yes | yes
3699 Arguments :
3700 <search> is the regular expression applied to HTTP headers and to the
3701 request line. This is an extended regular expression. Parenthesis
3702 grouping is supported and no preliminary backslash is required.
3703 Any space or known delimiter must be escaped using a backslash
3704 ('\'). The pattern applies to a full line at a time. The
3705 "reqallow" keyword strictly matches case while "reqiallow"
3706 ignores case.
3707
Willy Tarreau5321c422010-01-28 20:35:13 +01003708 <cond> is an optional matching condition built from ACLs. It makes it
3709 possible to ignore this rule when other conditions are not met.
3710
Willy Tarreau303c0352008-01-17 19:01:39 +01003711 A request containing any line which matches extended regular expression
3712 <search> will mark the request as allowed, even if any later test would
3713 result in a deny. The test applies both to the request line and to request
3714 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01003715 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01003716
3717 It is easier, faster and more powerful to use ACLs to write access policies.
3718 Reqdeny, reqallow and reqpass should be avoided in new designs.
3719
3720 Example :
3721 # allow www.* but refuse *.local
3722 reqiallow ^Host:\ www\.
3723 reqideny ^Host:\ .*\.local
3724
Willy Tarreau5321c422010-01-28 20:35:13 +01003725 See also: "reqdeny", "block", section 6 about HTTP header manipulation, and
3726 section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003727
3728
Willy Tarreau5321c422010-01-28 20:35:13 +01003729reqdel <search> [{if | unless} <cond>]
3730reqidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003731 Delete all headers matching a regular expression in an HTTP request
3732 May be used in sections : defaults | frontend | listen | backend
3733 no | yes | yes | yes
3734 Arguments :
3735 <search> is the regular expression applied to HTTP headers and to the
3736 request line. This is an extended regular expression. Parenthesis
3737 grouping is supported and no preliminary backslash is required.
3738 Any space or known delimiter must be escaped using a backslash
3739 ('\'). The pattern applies to a full line at a time. The "reqdel"
3740 keyword strictly matches case while "reqidel" ignores case.
3741
Willy Tarreau5321c422010-01-28 20:35:13 +01003742 <cond> is an optional matching condition built from ACLs. It makes it
3743 possible to ignore this rule when other conditions are not met.
3744
Willy Tarreau303c0352008-01-17 19:01:39 +01003745 Any header line matching extended regular expression <search> in the request
3746 will be completely deleted. Most common use of this is to remove unwanted
3747 and/or dangerous headers or cookies from a request before passing it to the
3748 next servers.
3749
3750 Header transformations only apply to traffic which passes through HAProxy,
3751 and not to traffic generated by HAProxy, such as health-checks or error
3752 responses. Keep in mind that header names are not case-sensitive.
3753
3754 Example :
3755 # remove X-Forwarded-For header and SERVER cookie
3756 reqidel ^X-Forwarded-For:.*
3757 reqidel ^Cookie:.*SERVER=
3758
Willy Tarreau5321c422010-01-28 20:35:13 +01003759 See also: "reqadd", "reqrep", "rspdel", section 6 about HTTP header
3760 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003761
3762
Willy Tarreau5321c422010-01-28 20:35:13 +01003763reqdeny <search> [{if | unless} <cond>]
3764reqideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003765 Deny an HTTP request if a line matches a regular expression
3766 May be used in sections : defaults | frontend | listen | backend
3767 no | yes | yes | yes
3768 Arguments :
3769 <search> is the regular expression applied to HTTP headers and to the
3770 request line. This is an extended regular expression. Parenthesis
3771 grouping is supported and no preliminary backslash is required.
3772 Any space or known delimiter must be escaped using a backslash
3773 ('\'). The pattern applies to a full line at a time. The
3774 "reqdeny" keyword strictly matches case while "reqideny" ignores
3775 case.
3776
Willy Tarreau5321c422010-01-28 20:35:13 +01003777 <cond> is an optional matching condition built from ACLs. It makes it
3778 possible to ignore this rule when other conditions are not met.
3779
Willy Tarreau303c0352008-01-17 19:01:39 +01003780 A request containing any line which matches extended regular expression
3781 <search> will mark the request as denied, even if any later test would
3782 result in an allow. The test applies both to the request line and to request
3783 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01003784 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01003785
Willy Tarreauced27012008-01-17 20:35:34 +01003786 A denied request will generate an "HTTP 403 forbidden" response once the
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003787 complete request has been parsed. This is consistent with what is practiced
Willy Tarreaud72758d2010-01-12 10:42:19 +01003788 using ACLs.
Willy Tarreauced27012008-01-17 20:35:34 +01003789
Willy Tarreau303c0352008-01-17 19:01:39 +01003790 It is easier, faster and more powerful to use ACLs to write access policies.
3791 Reqdeny, reqallow and reqpass should be avoided in new designs.
3792
3793 Example :
3794 # refuse *.local, then allow www.*
3795 reqideny ^Host:\ .*\.local
3796 reqiallow ^Host:\ www\.
3797
Willy Tarreau5321c422010-01-28 20:35:13 +01003798 See also: "reqallow", "rspdeny", "block", section 6 about HTTP header
3799 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003800
3801
Willy Tarreau5321c422010-01-28 20:35:13 +01003802reqpass <search> [{if | unless} <cond>]
3803reqipass <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003804 Ignore any HTTP request line matching a regular expression in next rules
3805 May be used in sections : defaults | frontend | listen | backend
3806 no | yes | yes | yes
3807 Arguments :
3808 <search> is the regular expression applied to HTTP headers and to the
3809 request line. This is an extended regular expression. Parenthesis
3810 grouping is supported and no preliminary backslash is required.
3811 Any space or known delimiter must be escaped using a backslash
3812 ('\'). The pattern applies to a full line at a time. The
3813 "reqpass" keyword strictly matches case while "reqipass" ignores
3814 case.
3815
Willy Tarreau5321c422010-01-28 20:35:13 +01003816 <cond> is an optional matching condition built from ACLs. It makes it
3817 possible to ignore this rule when other conditions are not met.
3818
Willy Tarreau303c0352008-01-17 19:01:39 +01003819 A request containing any line which matches extended regular expression
3820 <search> will skip next rules, without assigning any deny or allow verdict.
3821 The test applies both to the request line and to request headers. Keep in
3822 mind that URLs in request line are case-sensitive while header names are not.
3823
3824 It is easier, faster and more powerful to use ACLs to write access policies.
3825 Reqdeny, reqallow and reqpass should be avoided in new designs.
3826
3827 Example :
3828 # refuse *.local, then allow www.*, but ignore "www.private.local"
3829 reqipass ^Host:\ www.private\.local
3830 reqideny ^Host:\ .*\.local
3831 reqiallow ^Host:\ www\.
3832
Willy Tarreau5321c422010-01-28 20:35:13 +01003833 See also: "reqallow", "reqdeny", "block", section 6 about HTTP header
3834 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003835
3836
Willy Tarreau5321c422010-01-28 20:35:13 +01003837reqrep <search> <string> [{if | unless} <cond>]
3838reqirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003839 Replace a regular expression with a string in an HTTP request line
3840 May be used in sections : defaults | frontend | listen | backend
3841 no | yes | yes | yes
3842 Arguments :
3843 <search> is the regular expression applied to HTTP headers and to the
3844 request line. This is an extended regular expression. Parenthesis
3845 grouping is supported and no preliminary backslash is required.
3846 Any space or known delimiter must be escaped using a backslash
3847 ('\'). The pattern applies to a full line at a time. The "reqrep"
3848 keyword strictly matches case while "reqirep" ignores case.
3849
3850 <string> is the complete line to be added. Any space or known delimiter
3851 must be escaped using a backslash ('\'). References to matched
3852 pattern groups are possible using the common \N form, with N
3853 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003854 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01003855
Willy Tarreau5321c422010-01-28 20:35:13 +01003856 <cond> is an optional matching condition built from ACLs. It makes it
3857 possible to ignore this rule when other conditions are not met.
3858
Willy Tarreau303c0352008-01-17 19:01:39 +01003859 Any line matching extended regular expression <search> in the request (both
3860 the request line and header lines) will be completely replaced with <string>.
3861 Most common use of this is to rewrite URLs or domain names in "Host" headers.
3862
3863 Header transformations only apply to traffic which passes through HAProxy,
3864 and not to traffic generated by HAProxy, such as health-checks or error
3865 responses. Note that for increased readability, it is suggested to add enough
3866 spaces between the request and the response. Keep in mind that URLs in
3867 request line are case-sensitive while header names are not.
3868
3869 Example :
3870 # replace "/static/" with "/" at the beginning of any request path.
3871 reqrep ^([^\ ]*)\ /static/(.*) \1\ /\2
3872 # replace "www.mydomain.com" with "www" in the host name.
3873 reqirep ^Host:\ www.mydomain.com Host:\ www
3874
Willy Tarreau5321c422010-01-28 20:35:13 +01003875 See also: "reqadd", "reqdel", "rsprep", section 6 about HTTP header
3876 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003877
3878
Willy Tarreau5321c422010-01-28 20:35:13 +01003879reqtarpit <search> [{if | unless} <cond>]
3880reqitarpit <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003881 Tarpit an HTTP request containing a line matching a regular expression
3882 May be used in sections : defaults | frontend | listen | backend
3883 no | yes | yes | yes
3884 Arguments :
3885 <search> is the regular expression applied to HTTP headers and to the
3886 request line. This is an extended regular expression. Parenthesis
3887 grouping is supported and no preliminary backslash is required.
3888 Any space or known delimiter must be escaped using a backslash
3889 ('\'). The pattern applies to a full line at a time. The
3890 "reqtarpit" keyword strictly matches case while "reqitarpit"
3891 ignores case.
3892
Willy Tarreau5321c422010-01-28 20:35:13 +01003893 <cond> is an optional matching condition built from ACLs. It makes it
3894 possible to ignore this rule when other conditions are not met.
3895
Willy Tarreau303c0352008-01-17 19:01:39 +01003896 A request containing any line which matches extended regular expression
3897 <search> will be tarpitted, which means that it will connect to nowhere, will
Willy Tarreauced27012008-01-17 20:35:34 +01003898 be kept open for a pre-defined time, then will return an HTTP error 500 so
3899 that the attacker does not suspect it has been tarpitted. The status 500 will
3900 be reported in the logs, but the completion flags will indicate "PT". The
Willy Tarreau303c0352008-01-17 19:01:39 +01003901 delay is defined by "timeout tarpit", or "timeout connect" if the former is
3902 not set.
3903
3904 The goal of the tarpit is to slow down robots attacking servers with
3905 identifiable requests. Many robots limit their outgoing number of connections
3906 and stay connected waiting for a reply which can take several minutes to
3907 come. Depending on the environment and attack, it may be particularly
3908 efficient at reducing the load on the network and firewalls.
3909
Willy Tarreau5321c422010-01-28 20:35:13 +01003910 Examples :
Willy Tarreau303c0352008-01-17 19:01:39 +01003911 # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
3912 # block all others.
3913 reqipass ^User-Agent:\.*(Mozilla|MSIE)
3914 reqitarpit ^User-Agent:
3915
Willy Tarreau5321c422010-01-28 20:35:13 +01003916 # block bad guys
3917 acl badguys src 10.1.0.3 172.16.13.20/28
3918 reqitarpit . if badguys
3919
3920 See also: "reqallow", "reqdeny", "reqpass", section 6 about HTTP header
3921 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003922
3923
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02003924retries <value>
3925 Set the number of retries to perform on a server after a connection failure
3926 May be used in sections: defaults | frontend | listen | backend
3927 yes | no | yes | yes
3928 Arguments :
3929 <value> is the number of times a connection attempt should be retried on
3930 a server when a connection either is refused or times out. The
3931 default value is 3.
3932
3933 It is important to understand that this value applies to the number of
3934 connection attempts, not full requests. When a connection has effectively
3935 been established to a server, there will be no more retry.
3936
3937 In order to avoid immediate reconnections to a server which is restarting,
3938 a turn-around timer of 1 second is applied before a retry occurs.
3939
3940 When "option redispatch" is set, the last retry may be performed on another
3941 server even if a cookie references a different server.
3942
3943 See also : "option redispatch"
3944
3945
Willy Tarreaufdb563c2010-01-31 15:43:27 +01003946rspadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01003947 Add a header at the end of the HTTP response
3948 May be used in sections : defaults | frontend | listen | backend
3949 no | yes | yes | yes
3950 Arguments :
3951 <string> is the complete line to be added. Any space or known delimiter
3952 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003953 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01003954
Willy Tarreaufdb563c2010-01-31 15:43:27 +01003955 <cond> is an optional matching condition built from ACLs. It makes it
3956 possible to ignore this rule when other conditions are not met.
3957
Willy Tarreau303c0352008-01-17 19:01:39 +01003958 A new line consisting in <string> followed by a line feed will be added after
3959 the last header of an HTTP response.
3960
3961 Header transformations only apply to traffic which passes through HAProxy,
3962 and not to traffic generated by HAProxy, such as health-checks or error
3963 responses.
3964
Willy Tarreaufdb563c2010-01-31 15:43:27 +01003965 See also: "reqadd", section 6 about HTTP header manipulation, and section 7
3966 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01003967
3968
Willy Tarreaufdb563c2010-01-31 15:43:27 +01003969rspdel <search> [{if | unless} <cond>]
3970rspidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01003971 Delete all headers matching a regular expression in an HTTP response
3972 May be used in sections : defaults | frontend | listen | backend
3973 no | yes | yes | yes
3974 Arguments :
3975 <search> is the regular expression applied to HTTP headers and to the
3976 response line. This is an extended regular expression, so
3977 parenthesis grouping is supported and no preliminary backslash
3978 is required. Any space or known delimiter must be escaped using
3979 a backslash ('\'). The pattern applies to a full line at a time.
3980 The "rspdel" keyword strictly matches case while "rspidel"
3981 ignores case.
3982
Willy Tarreaufdb563c2010-01-31 15:43:27 +01003983 <cond> is an optional matching condition built from ACLs. It makes it
3984 possible to ignore this rule when other conditions are not met.
3985
Willy Tarreau303c0352008-01-17 19:01:39 +01003986 Any header line matching extended regular expression <search> in the response
3987 will be completely deleted. Most common use of this is to remove unwanted
3988 and/or sensible headers or cookies from a response before passing it to the
3989 client.
3990
3991 Header transformations only apply to traffic which passes through HAProxy,
3992 and not to traffic generated by HAProxy, such as health-checks or error
3993 responses. Keep in mind that header names are not case-sensitive.
3994
3995 Example :
3996 # remove the Server header from responses
3997 reqidel ^Server:.*
3998
Willy Tarreaufdb563c2010-01-31 15:43:27 +01003999 See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
4000 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004001
4002
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004003rspdeny <search> [{if | unless} <cond>]
4004rspideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004005 Block an HTTP response if a line matches a regular expression
4006 May be used in sections : defaults | frontend | listen | backend
4007 no | yes | yes | yes
4008 Arguments :
4009 <search> is the regular expression applied to HTTP headers and to the
4010 response line. This is an extended regular expression, so
4011 parenthesis grouping is supported and no preliminary backslash
4012 is required. Any space or known delimiter must be escaped using
4013 a backslash ('\'). The pattern applies to a full line at a time.
4014 The "rspdeny" keyword strictly matches case while "rspideny"
4015 ignores case.
4016
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004017 <cond> is an optional matching condition built from ACLs. It makes it
4018 possible to ignore this rule when other conditions are not met.
4019
Willy Tarreau303c0352008-01-17 19:01:39 +01004020 A response containing any line which matches extended regular expression
4021 <search> will mark the request as denied. The test applies both to the
4022 response line and to response headers. Keep in mind that header names are not
4023 case-sensitive.
4024
4025 Main use of this keyword is to prevent sensitive information leak and to
Willy Tarreauced27012008-01-17 20:35:34 +01004026 block the response before it reaches the client. If a response is denied, it
4027 will be replaced with an HTTP 502 error so that the client never retrieves
4028 any sensitive data.
Willy Tarreau303c0352008-01-17 19:01:39 +01004029
4030 It is easier, faster and more powerful to use ACLs to write access policies.
4031 Rspdeny should be avoided in new designs.
4032
4033 Example :
4034 # Ensure that no content type matching ms-word will leak
4035 rspideny ^Content-type:\.*/ms-word
4036
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004037 See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
4038 and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004039
4040
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004041rsprep <search> <string> [{if | unless} <cond>]
4042rspirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01004043 Replace a regular expression with a string in an HTTP response line
4044 May be used in sections : defaults | frontend | listen | backend
4045 no | yes | yes | yes
4046 Arguments :
4047 <search> is the regular expression applied to HTTP headers and to the
4048 response line. This is an extended regular expression, so
4049 parenthesis grouping is supported and no preliminary backslash
4050 is required. Any space or known delimiter must be escaped using
4051 a backslash ('\'). The pattern applies to a full line at a time.
4052 The "rsprep" keyword strictly matches case while "rspirep"
4053 ignores case.
4054
4055 <string> is the complete line to be added. Any space or known delimiter
4056 must be escaped using a backslash ('\'). References to matched
4057 pattern groups are possible using the common \N form, with N
4058 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004059 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01004060
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004061 <cond> is an optional matching condition built from ACLs. It makes it
4062 possible to ignore this rule when other conditions are not met.
4063
Willy Tarreau303c0352008-01-17 19:01:39 +01004064 Any line matching extended regular expression <search> in the response (both
4065 the response line and header lines) will be completely replaced with
4066 <string>. Most common use of this is to rewrite Location headers.
4067
4068 Header transformations only apply to traffic which passes through HAProxy,
4069 and not to traffic generated by HAProxy, such as health-checks or error
4070 responses. Note that for increased readability, it is suggested to add enough
4071 spaces between the request and the response. Keep in mind that header names
4072 are not case-sensitive.
4073
4074 Example :
4075 # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
4076 rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
4077
Willy Tarreaufdb563c2010-01-31 15:43:27 +01004078 See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
4079 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01004080
4081
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004082server <name> <address>[:port] [param*]
4083 Declare a server in a backend
4084 May be used in sections : defaults | frontend | listen | backend
4085 no | no | yes | yes
4086 Arguments :
4087 <name> is the internal name assigned to this server. This name will
4088 appear in logs and alerts.
4089
4090 <address> is the IPv4 address of the server. Alternatively, a resolvable
4091 hostname is supported, but this name will be resolved during
4092 start-up.
4093
4094 <ports> is an optional port specification. If set, all connections will
4095 be sent to this port. If unset, the same port the client
4096 connected to will be used. The port may also be prefixed by a "+"
4097 or a "-". In this case, the server's port will be determined by
4098 adding this value to the client's port.
4099
4100 <param*> is a list of parameters for this server. The "server" keywords
4101 accepts an important number of options and has a complete section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004102 dedicated to it. Please refer to section 5 for more details.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004103
4104 Examples :
4105 server first 10.1.1.1:1080 cookie first check inter 1000
4106 server second 10.1.1.2:1080 cookie second check inter 1000
4107
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01004108 See also: "default-server" and section 5 about server options
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004109
4110
4111source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaud53f96b2009-02-04 18:46:54 +01004112source <addr>[:<port>] [interface <name>]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004113 Set the source address for outgoing connections
4114 May be used in sections : defaults | frontend | listen | backend
4115 yes | no | yes | yes
4116 Arguments :
4117 <addr> is the IPv4 address HAProxy will bind to before connecting to a
4118 server. This address is also used as a source for health checks.
4119 The default value of 0.0.0.0 means that the system will select
4120 the most appropriate address to reach its destination.
4121
4122 <port> is an optional port. It is normally not needed but may be useful
4123 in some very specific contexts. The default value of zero means
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02004124 the system will select a free port. Note that port ranges are not
4125 supported in the backend. If you want to force port ranges, you
4126 have to specify them on each "server" line.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004127
4128 <addr2> is the IP address to present to the server when connections are
4129 forwarded in full transparent proxy mode. This is currently only
4130 supported on some patched Linux kernels. When this address is
4131 specified, clients connecting to the server will be presented
4132 with this address, while health checks will still use the address
4133 <addr>.
4134
4135 <port2> is the optional port to present to the server when connections
4136 are forwarded in full transparent proxy mode (see <addr2> above).
4137 The default value of zero means the system will select a free
4138 port.
4139
Willy Tarreaud53f96b2009-02-04 18:46:54 +01004140 <name> is an optional interface name to which to bind to for outgoing
4141 traffic. On systems supporting this features (currently, only
4142 Linux), this allows one to bind all traffic to the server to
4143 this interface even if it is not the one the system would select
4144 based on routing tables. This should be used with extreme care.
4145 Note that using this option requires root privileges.
4146
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004147 The "source" keyword is useful in complex environments where a specific
4148 address only is allowed to connect to the servers. It may be needed when a
4149 private address must be used through a public gateway for instance, and it is
4150 known that the system cannot determine the adequate source address by itself.
4151
4152 An extension which is available on certain patched Linux kernels may be used
4153 through the "usesrc" optional keyword. It makes it possible to connect to the
4154 servers with an IP address which does not belong to the system itself. This
4155 is called "full transparent proxy mode". For this to work, the destination
4156 servers have to route their traffic back to this address through the machine
4157 running HAProxy, and IP forwarding must generally be enabled on this machine.
4158
4159 In this "full transparent proxy" mode, it is possible to force a specific IP
4160 address to be presented to the servers. This is not much used in fact. A more
4161 common use is to tell HAProxy to present the client's IP address. For this,
4162 there are two methods :
4163
4164 - present the client's IP and port addresses. This is the most transparent
4165 mode, but it can cause problems when IP connection tracking is enabled on
4166 the machine, because a same connection may be seen twice with different
4167 states. However, this solution presents the huge advantage of not
4168 limiting the system to the 64k outgoing address+port couples, because all
4169 of the client ranges may be used.
4170
4171 - present only the client's IP address and select a spare port. This
4172 solution is still quite elegant but slightly less transparent (downstream
4173 firewalls logs will not match upstream's). It also presents the downside
4174 of limiting the number of concurrent connections to the usual 64k ports.
4175 However, since the upstream and downstream ports are different, local IP
4176 connection tracking on the machine will not be upset by the reuse of the
4177 same session.
4178
4179 Note that depending on the transparent proxy technology used, it may be
4180 required to force the source address. In fact, cttproxy version 2 requires an
4181 IP address in <addr> above, and does not support setting of "0.0.0.0" as the
4182 IP address because it creates NAT entries which much match the exact outgoing
4183 address. Tproxy version 4 and some other kernel patches which work in pure
4184 forwarding mode generally will not have this limitation.
4185
4186 This option sets the default source for all servers in the backend. It may
4187 also be specified in a "defaults" section. Finer source address specification
4188 is possible at the server level using the "source" server option. Refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004189 section 5 for more information.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004190
4191 Examples :
4192 backend private
4193 # Connect to the servers using our 192.168.1.200 source address
4194 source 192.168.1.200
4195
4196 backend transparent_ssl1
4197 # Connect to the SSL farm from the client's source address
4198 source 192.168.1.200 usesrc clientip
4199
4200 backend transparent_ssl2
4201 # Connect to the SSL farm from the client's source address and port
4202 # not recommended if IP conntrack is present on the local machine.
4203 source 192.168.1.200 usesrc client
4204
4205 backend transparent_ssl3
4206 # Connect to the SSL farm from the client's source address. It
4207 # is more conntrack-friendly.
4208 source 192.168.1.200 usesrc clientip
4209
4210 backend transparent_smtp
4211 # Connect to the SMTP farm from the client's source address/port
4212 # with Tproxy version 4.
4213 source 0.0.0.0 usesrc clientip
4214
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004215 See also : the "source" server option in section 5, the Tproxy patches for
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004216 the Linux kernel on www.balabit.com, the "bind" keyword.
4217
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004218
Willy Tarreau844e3c52008-01-11 16:28:18 +01004219srvtimeout <timeout> (deprecated)
4220 Set the maximum inactivity time on the server side.
4221 May be used in sections : defaults | frontend | listen | backend
4222 yes | no | yes | yes
4223 Arguments :
4224 <timeout> is the timeout value specified in milliseconds by default, but
4225 can be in any other unit if the number is suffixed by the unit,
4226 as explained at the top of this document.
4227
4228 The inactivity timeout applies when the server is expected to acknowledge or
4229 send data. In HTTP mode, this timeout is particularly important to consider
4230 during the first phase of the server's response, when it has to send the
4231 headers, as it directly represents the server's processing time for the
4232 request. To find out what value to put there, it's often good to start with
4233 what would be considered as unacceptable response times, then check the logs
4234 to observe the response time distribution, and adjust the value accordingly.
4235
4236 The value is specified in milliseconds by default, but can be in any other
4237 unit if the number is suffixed by the unit, as specified at the top of this
4238 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
4239 recommended that the client timeout remains equal to the server timeout in
4240 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004241 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01004242 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01004243 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01004244
4245 This parameter is specific to backends, but can be specified once for all in
4246 "defaults" sections. This is in fact one of the easiest solutions not to
4247 forget about it. An unspecified timeout results in an infinite timeout, which
4248 is not recommended. Such a usage is accepted and works but reports a warning
4249 during startup because it may results in accumulation of expired sessions in
4250 the system if the system's timeouts are not configured either.
4251
4252 This parameter is provided for compatibility but is currently deprecated.
4253 Please use "timeout server" instead.
4254
4255 See also : "timeout server", "timeout client" and "clitimeout".
4256
4257
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004258stats auth <user>:<passwd>
4259 Enable statistics with authentication and grant access to an account
4260 May be used in sections : defaults | frontend | listen | backend
4261 yes | no | yes | yes
4262 Arguments :
4263 <user> is a user name to grant access to
4264
4265 <passwd> is the cleartext password associated to this user
4266
4267 This statement enables statistics with default settings, and restricts access
4268 to declared users only. It may be repeated as many times as necessary to
4269 allow as many users as desired. When a user tries to access the statistics
4270 without a valid account, a "401 Forbidden" response will be returned so that
4271 the browser asks the user to provide a valid user and password. The real
4272 which will be returned to the browser is configurable using "stats realm".
4273
4274 Since the authentication method is HTTP Basic Authentication, the passwords
4275 circulate in cleartext on the network. Thus, it was decided that the
4276 configuration file would also use cleartext passwords to remind the users
4277 that those ones should not be sensible and not shared with any other account.
4278
4279 It is also possible to reduce the scope of the proxies which appear in the
4280 report using "stats scope".
4281
4282 Though this statement alone is enough to enable statistics reporting, it is
4283 recommended to set all other settings in order to avoid relying on default
4284 unobvious parameters.
4285
4286 Example :
4287 # public access (limited to this backend only)
4288 backend public_www
4289 server srv1 192.168.0.1:80
4290 stats enable
4291 stats hide-version
4292 stats scope .
4293 stats uri /admin?stats
4294 stats realm Haproxy\ Statistics
4295 stats auth admin1:AdMiN123
4296 stats auth admin2:AdMiN321
4297
4298 # internal monitoring access (unlimited)
4299 backend private_monitoring
4300 stats enable
4301 stats uri /admin?stats
4302 stats refresh 5s
4303
4304 See also : "stats enable", "stats realm", "stats scope", "stats uri"
4305
4306
4307stats enable
4308 Enable statistics reporting with default settings
4309 May be used in sections : defaults | frontend | listen | backend
4310 yes | no | yes | yes
4311 Arguments : none
4312
4313 This statement enables statistics reporting with default settings defined
4314 at build time. Unless stated otherwise, these settings are used :
4315 - stats uri : /haproxy?stats
4316 - stats realm : "HAProxy Statistics"
4317 - stats auth : no authentication
4318 - stats scope : no restriction
4319
4320 Though this statement alone is enough to enable statistics reporting, it is
4321 recommended to set all other settings in order to avoid relying on default
4322 unobvious parameters.
4323
4324 Example :
4325 # public access (limited to this backend only)
4326 backend public_www
4327 server srv1 192.168.0.1:80
4328 stats enable
4329 stats hide-version
4330 stats scope .
4331 stats uri /admin?stats
4332 stats realm Haproxy\ Statistics
4333 stats auth admin1:AdMiN123
4334 stats auth admin2:AdMiN321
4335
4336 # internal monitoring access (unlimited)
4337 backend private_monitoring
4338 stats enable
4339 stats uri /admin?stats
4340 stats refresh 5s
4341
4342 See also : "stats auth", "stats realm", "stats uri"
4343
4344
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02004345stats show-node [ <name> ]
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004346 Enable reporting of a host name on the statistics page.
4347 May be used in sections : defaults | frontend | listen | backend
4348 yes | no | yes | yes
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02004349 Arguments:
4350 <name> is an optional name to be reported. If unspecified, the
4351 node name from global section is automatically used instead.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004352
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02004353 This statement is useful for users that offer shared services to their
4354 customers, where node or description might be different on a stats page
4355 provided for each customer.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004356
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02004357 Though this statement alone is enough to enable statistics reporting, it is
4358 recommended to set all other settings in order to avoid relying on default
4359 unobvious parameters.
4360
4361 Example:
4362 # internal monitoring access (unlimited)
4363 backend private_monitoring
4364 stats enable
4365 stats show-node Europe-1
4366 stats uri /admin?stats
4367 stats refresh 5s
4368
Willy Tarreau983e01e2010-01-11 18:42:06 +01004369 See also: "show-desc", "stats enable", "stats uri", and "node" in global
4370 section.
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02004371
4372
4373stats show-desc [ <description> ]
4374 Enable reporting of a description on the statistics page.
4375 May be used in sections : defaults | frontend | listen | backend
4376 yes | no | yes | yes
4377
4378 <name> is an optional description to be reported. If unspecified, the
4379 description from global section is automatically used instead.
4380
4381 This statement is useful for users that offer shared services to their
4382 customers, where node or description should be different for each customer.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004383
4384 Though this statement alone is enough to enable statistics reporting, it is
4385 recommended to set all other settings in order to avoid relying on default
4386 unobvious parameters.
4387
4388 Example :
4389 # internal monitoring access (unlimited)
4390 backend private_monitoring
4391 stats enable
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02004392 stats show-desc Master node for Europe, Asia, Africa
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004393 stats uri /admin?stats
4394 stats refresh 5s
4395
Willy Tarreau983e01e2010-01-11 18:42:06 +01004396 See also: "show-node", "stats enable", "stats uri" and "description" in
4397 global section.
4398
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004399
Krzysztof Piotr Oledzki15514c22010-01-04 16:03:09 +01004400stats show-legends
4401 Enable reporting additional informations on the statistics page :
4402 - cap: capabilities (proxy)
4403 - mode: one of tcp, http or health (proxy)
4404 - id: SNMP ID (proxy, socket, server)
4405 - IP (socket, server)
4406 - cookie (backend, server)
4407
4408 Though this statement alone is enough to enable statistics reporting, it is
4409 recommended to set all other settings in order to avoid relying on default
4410 unobvious parameters.
4411
4412 See also: "stats enable", "stats uri".
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02004413
Willy Tarreau983e01e2010-01-11 18:42:06 +01004414
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004415stats realm <realm>
4416 Enable statistics and set authentication realm
4417 May be used in sections : defaults | frontend | listen | backend
4418 yes | no | yes | yes
4419 Arguments :
4420 <realm> is the name of the HTTP Basic Authentication realm reported to
4421 the browser. The browser uses it to display it in the pop-up
4422 inviting the user to enter a valid username and password.
4423
4424 The realm is read as a single word, so any spaces in it should be escaped
4425 using a backslash ('\').
4426
4427 This statement is useful only in conjunction with "stats auth" since it is
4428 only related to authentication.
4429
4430 Though this statement alone is enough to enable statistics reporting, it is
4431 recommended to set all other settings in order to avoid relying on default
4432 unobvious parameters.
4433
4434 Example :
4435 # public access (limited to this backend only)
4436 backend public_www
4437 server srv1 192.168.0.1:80
4438 stats enable
4439 stats hide-version
4440 stats scope .
4441 stats uri /admin?stats
4442 stats realm Haproxy\ Statistics
4443 stats auth admin1:AdMiN123
4444 stats auth admin2:AdMiN321
4445
4446 # internal monitoring access (unlimited)
4447 backend private_monitoring
4448 stats enable
4449 stats uri /admin?stats
4450 stats refresh 5s
4451
4452 See also : "stats auth", "stats enable", "stats uri"
4453
4454
4455stats refresh <delay>
4456 Enable statistics with automatic refresh
4457 May be used in sections : defaults | frontend | listen | backend
4458 yes | no | yes | yes
4459 Arguments :
4460 <delay> is the suggested refresh delay, specified in seconds, which will
4461 be returned to the browser consulting the report page. While the
4462 browser is free to apply any delay, it will generally respect it
4463 and refresh the page this every seconds. The refresh interval may
4464 be specified in any other non-default time unit, by suffixing the
4465 unit after the value, as explained at the top of this document.
4466
4467 This statement is useful on monitoring displays with a permanent page
4468 reporting the load balancer's activity. When set, the HTML report page will
4469 include a link "refresh"/"stop refresh" so that the user can select whether
4470 he wants automatic refresh of the page or not.
4471
4472 Though this statement alone is enough to enable statistics reporting, it is
4473 recommended to set all other settings in order to avoid relying on default
4474 unobvious parameters.
4475
4476 Example :
4477 # public access (limited to this backend only)
4478 backend public_www
4479 server srv1 192.168.0.1:80
4480 stats enable
4481 stats hide-version
4482 stats scope .
4483 stats uri /admin?stats
4484 stats realm Haproxy\ Statistics
4485 stats auth admin1:AdMiN123
4486 stats auth admin2:AdMiN321
4487
4488 # internal monitoring access (unlimited)
4489 backend private_monitoring
4490 stats enable
4491 stats uri /admin?stats
4492 stats refresh 5s
4493
4494 See also : "stats auth", "stats enable", "stats realm", "stats uri"
4495
4496
4497stats scope { <name> | "." }
4498 Enable statistics and limit access scope
4499 May be used in sections : defaults | frontend | listen | backend
4500 yes | no | yes | yes
4501 Arguments :
4502 <name> is the name of a listen, frontend or backend section to be
4503 reported. The special name "." (a single dot) designates the
4504 section in which the statement appears.
4505
4506 When this statement is specified, only the sections enumerated with this
4507 statement will appear in the report. All other ones will be hidden. This
4508 statement may appear as many times as needed if multiple sections need to be
4509 reported. Please note that the name checking is performed as simple string
4510 comparisons, and that it is never checked that a give section name really
4511 exists.
4512
4513 Though this statement alone is enough to enable statistics reporting, it is
4514 recommended to set all other settings in order to avoid relying on default
4515 unobvious parameters.
4516
4517 Example :
4518 # public access (limited to this backend only)
4519 backend public_www
4520 server srv1 192.168.0.1:80
4521 stats enable
4522 stats hide-version
4523 stats scope .
4524 stats uri /admin?stats
4525 stats realm Haproxy\ Statistics
4526 stats auth admin1:AdMiN123
4527 stats auth admin2:AdMiN321
4528
4529 # internal monitoring access (unlimited)
4530 backend private_monitoring
4531 stats enable
4532 stats uri /admin?stats
4533 stats refresh 5s
4534
4535 See also : "stats auth", "stats enable", "stats realm", "stats uri"
4536
4537
4538stats uri <prefix>
4539 Enable statistics and define the URI prefix to access them
4540 May be used in sections : defaults | frontend | listen | backend
4541 yes | no | yes | yes
4542 Arguments :
4543 <prefix> is the prefix of any URI which will be redirected to stats. This
4544 prefix may contain a question mark ('?') to indicate part of a
4545 query string.
4546
4547 The statistics URI is intercepted on the relayed traffic, so it appears as a
4548 page within the normal application. It is strongly advised to ensure that the
4549 selected URI will never appear in the application, otherwise it will never be
4550 possible to reach it in the application.
4551
4552 The default URI compiled in haproxy is "/haproxy?stats", but this may be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004553 changed at build time, so it's better to always explicitly specify it here.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004554 It is generally a good idea to include a question mark in the URI so that
4555 intermediate proxies refrain from caching the results. Also, since any string
4556 beginning with the prefix will be accepted as a stats request, the question
4557 mark helps ensuring that no valid URI will begin with the same words.
4558
4559 It is sometimes very convenient to use "/" as the URI prefix, and put that
4560 statement in a "listen" instance of its own. That makes it easy to dedicate
4561 an address or a port to statistics only.
4562
4563 Though this statement alone is enough to enable statistics reporting, it is
4564 recommended to set all other settings in order to avoid relying on default
4565 unobvious parameters.
4566
4567 Example :
4568 # public access (limited to this backend only)
4569 backend public_www
4570 server srv1 192.168.0.1:80
4571 stats enable
4572 stats hide-version
4573 stats scope .
4574 stats uri /admin?stats
4575 stats realm Haproxy\ Statistics
4576 stats auth admin1:AdMiN123
4577 stats auth admin2:AdMiN321
4578
4579 # internal monitoring access (unlimited)
4580 backend private_monitoring
4581 stats enable
4582 stats uri /admin?stats
4583 stats refresh 5s
4584
4585 See also : "stats auth", "stats enable", "stats realm"
4586
4587
4588stats hide-version
4589 Enable statistics and hide HAProxy version reporting
4590 May be used in sections : defaults | frontend | listen | backend
4591 yes | no | yes | yes
4592 Arguments : none
4593
4594 By default, the stats page reports some useful status information along with
4595 the statistics. Among them is HAProxy's version. However, it is generally
4596 considered dangerous to report precise version to anyone, as it can help them
4597 target known weaknesses with specific attacks. The "stats hide-version"
4598 statement removes the version from the statistics report. This is recommended
4599 for public sites or any site with a weak login/password.
4600
4601 Though this statement alone is enough to enable statistics reporting, it is
4602 recommended to set all other settings in order to avoid relying on default
4603 unobvious parameters.
4604
4605 Example :
4606 # public access (limited to this backend only)
4607 backend public_www
4608 server srv1 192.168.0.1:80
4609 stats enable
4610 stats hide-version
4611 stats scope .
4612 stats uri /admin?stats
4613 stats realm Haproxy\ Statistics
4614 stats auth admin1:AdMiN123
4615 stats auth admin2:AdMiN321
4616
4617 # internal monitoring access (unlimited)
4618 backend private_monitoring
4619 stats enable
4620 stats uri /admin?stats
4621 stats refresh 5s
4622
4623 See also : "stats auth", "stats enable", "stats realm", "stats uri"
4624
4625
Willy Tarreaub937b7e2010-01-12 15:27:54 +01004626stick match <pattern> [table <table>] [{if | unless} <cond>]
4627 Define a request pattern matching condition to stick a user to a server
4628 May be used in sections : defaults | frontend | listen | backend
4629 no | no | yes | yes
4630
4631 Arguments :
4632 <pattern> is a pattern extraction rule as described in section 7.8. It
4633 describes what elements of the incoming request or connection
4634 will be analysed in the hope to find a matching entry in a
4635 stickiness table. This rule is mandatory.
4636
4637 <table> is an optional stickiness table name. If unspecified, the same
4638 backend's table is used. A stickiness table is declared using
4639 the "stick-table" statement.
4640
4641 <cond> is an optional matching condition. It makes it possible to match
4642 on a certain criterion only when other conditions are met (or
4643 not met). For instance, it could be used to match on a source IP
4644 address except when a request passes through a known proxy, in
4645 which case we'd match on a header containing that IP address.
4646
4647 Some protocols or applications require complex stickiness rules and cannot
4648 always simply rely on cookies nor hashing. The "stick match" statement
4649 describes a rule to extract the stickiness criterion from an incoming request
4650 or connection. See section 7 for a complete list of possible patterns and
4651 transformation rules.
4652
4653 The table has to be declared using the "stick-table" statement. It must be of
4654 a type compatible with the pattern. By default it is the one which is present
4655 in the same backend. It is possible to share a table with other backends by
4656 referencing it using the "table" keyword. If another table is referenced,
4657 the server's ID inside the backends are used. By default, all server IDs
4658 start at 1 in each backend, so the server ordering is enough. But in case of
4659 doubt, it is highly recommended to force server IDs using their "id" setting.
4660
4661 It is possible to restrict the conditions where a "stick match" statement
4662 will apply, using "if" or "unless" followed by a condition. See section 7 for
4663 ACL based conditions.
4664
4665 There is no limit on the number of "stick match" statements. The first that
4666 applies and matches will cause the request to be directed to the same server
4667 as was used for the request which created the entry. That way, multiple
4668 matches can be used as fallbacks.
4669
4670 The stick rules are checked after the persistence cookies, so they will not
4671 affect stickiness if a cookie has already been used to select a server. That
4672 way, it becomes very easy to insert cookies and match on IP addresses in
4673 order to maintain stickiness between HTTP and HTTPS.
4674
4675 Example :
4676 # forward SMTP users to the same server they just used for POP in the
4677 # last 30 minutes
4678 backend pop
4679 mode tcp
4680 balance roundrobin
4681 stick store-request src
4682 stick-table type ip size 200k expire 30m
4683 server s1 192.168.1.1:110
4684 server s2 192.168.1.1:110
4685
4686 backend smtp
4687 mode tcp
4688 balance roundrobin
4689 stick match src table pop
4690 server s1 192.168.1.1:25
4691 server s2 192.168.1.1:25
4692
4693 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
4694 extraction.
4695
4696
4697stick on <pattern> [table <table>] [{if | unless} <condition>]
4698 Define a request pattern to associate a user to a server
4699 May be used in sections : defaults | frontend | listen | backend
4700 no | no | yes | yes
4701
4702 Note : This form is exactly equivalent to "stick match" followed by
4703 "stick store-request", all with the same arguments. Please refer
4704 to both keywords for details. It is only provided as a convenience
4705 for writing more maintainable configurations.
4706
4707 Examples :
4708 # The following form ...
4709 stick or src table pop if !localhost
4710
4711 # ...is strictly equivalent to this one :
4712 stick match src table pop if !localhost
4713 stick store-request src table pop if !localhost
4714
4715
4716 # Use cookie persistence for HTTP, and stick on source address for HTTPS as
4717 # well as HTTP without cookie. Share the same table between both accesses.
4718 backend http
4719 mode http
4720 balance roundrobin
4721 stick on src table https
4722 cookie SRV insert indirect nocache
4723 server s1 192.168.1.1:80 cookie s1
4724 server s2 192.168.1.1:80 cookie s2
4725
4726 backend https
4727 mode tcp
4728 balance roundrobin
4729 stick-table type ip size 200k expire 30m
4730 stick on src
4731 server s1 192.168.1.1:443
4732 server s2 192.168.1.1:443
4733
4734 See also : "stick match" and "stick store-request"
4735
4736
4737stick store-request <pattern> [table <table>] [{if | unless} <condition>]
4738 Define a request pattern used to create an entry in a stickiness table
4739 May be used in sections : defaults | frontend | listen | backend
4740 no | no | yes | yes
4741
4742 Arguments :
4743 <pattern> is a pattern extraction rule as described in section 7.8. It
4744 describes what elements of the incoming request or connection
4745 will be analysed, extracted and stored in the table once a
4746 server is selected.
4747
4748 <table> is an optional stickiness table name. If unspecified, the same
4749 backend's table is used. A stickiness table is declared using
4750 the "stick-table" statement.
4751
4752 <cond> is an optional storage condition. It makes it possible to store
4753 certain criteria only when some conditions are met (or not met).
4754 For instance, it could be used to store the source IP address
4755 except when the request passes through a known proxy, in which
4756 case we'd store a converted form of a header containing that IP
4757 address.
4758
4759 Some protocols or applications require complex stickiness rules and cannot
4760 always simply rely on cookies nor hashing. The "stick store-request" statement
4761 describes a rule to decide what to extract from the request and when to do
4762 it, in order to store it into a stickiness table for further requests to
4763 match it using the "stick match" statement. Obviously the extracted part must
4764 make sense and have a chance to be matched in a further request. Storing a
4765 client's IP address for instance often makes sense. Storing an ID found in a
4766 URL parameter also makes sense. Storing a source port will almost never make
4767 any sense because it will be randomly matched. See section 7 for a complete
4768 list of possible patterns and transformation rules.
4769
4770 The table has to be declared using the "stick-table" statement. It must be of
4771 a type compatible with the pattern. By default it is the one which is present
4772 in the same backend. It is possible to share a table with other backends by
4773 referencing it using the "table" keyword. If another table is referenced,
4774 the server's ID inside the backends are used. By default, all server IDs
4775 start at 1 in each backend, so the server ordering is enough. But in case of
4776 doubt, it is highly recommended to force server IDs using their "id" setting.
4777
4778 It is possible to restrict the conditions where a "stick store-request"
4779 statement will apply, using "if" or "unless" followed by a condition. This
4780 condition will be evaluated while parsing the request, so any criteria can be
4781 used. See section 7 for ACL based conditions.
4782
4783 There is no limit on the number of "stick store-request" statements, but
4784 there is a limit of 8 simultaneous stores per request or response. This
4785 makes it possible to store up to 8 criteria, all extracted from either the
4786 request or the response, regardless of the number of rules. Only the 8 first
4787 ones which match will be kept. Using this, it is possible to feed multiple
4788 tables at once in the hope to increase the chance to recognize a user on
4789 another protocol or access method.
4790
4791 The "store-request" rules are evaluated once the server connection has been
4792 established, so that the table will contain the real server that processed
4793 the request.
4794
4795 Example :
4796 # forward SMTP users to the same server they just used for POP in the
4797 # last 30 minutes
4798 backend pop
4799 mode tcp
4800 balance roundrobin
4801 stick store-request src
4802 stick-table type ip size 200k expire 30m
4803 server s1 192.168.1.1:110
4804 server s2 192.168.1.1:110
4805
4806 backend smtp
4807 mode tcp
4808 balance roundrobin
4809 stick match src table pop
4810 server s1 192.168.1.1:25
4811 server s2 192.168.1.1:25
4812
4813 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
4814 extraction.
4815
4816
4817stick-table type {ip | integer | string [len <length>] } size <size>
4818 [expire <expire>] [nopurge]
4819 Configure the stickiness table for the current backend
4820 May be used in sections : defaults | frontend | listen | backend
4821 no | no | yes | yes
4822
4823 Arguments :
4824 ip a table declared with "type ip" will only store IPv4 addresses.
4825 This form is very compact (about 50 bytes per entry) and allows
4826 very fast entry lookup and stores with almost no overhead. This
4827 is mainly used to store client source IP addresses.
4828
4829 integer a table declared with "type integer" will store 32bit integers
4830 which can represent a client identifier found in a request for
4831 instance.
4832
4833 string a table declared with "type string" will store substrings of up
4834 to <len> characters. If the string provided by the pattern
4835 extractor is larger than <len>, it will be truncated before
4836 being stored. During matching, at most <len> characters will be
4837 compared between the string in the table and the extracted
4838 pattern. When not specified, the string is automatically limited
4839 to 31 characters.
4840
4841 <length> is the maximum number of characters that will be stored in a
4842 "string" type table. See type "string" above. Be careful when
4843 changing this parameter as memory usage will proportionally
4844 increase.
4845
4846 <size> is the maximum number of entries that can fit in the table. This
4847 value directly impats memory usage. Count approximately 50 bytes
4848 per entry, plus the size of a string if any. The size supports
4849 suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.
4850
4851 [nopurge] indicates that we refuse to purge older entries when the table
4852 is full. When not specified and the table is full when haproxy
4853 wants to store an entry in it, it will flush a few of the oldest
4854 entries in order to release some space for the new ones. This is
4855 most often the desired behaviour. In some specific cases, it
4856 be desirable to refuse new entries instead of purging the older
4857 ones. That may be the case when the amount of data to store is
4858 far above the hardware limits and we prefer not to offer access
4859 to new clients than to reject the ones already connected. When
4860 using this parameter, be sure to properly set the "expire"
4861 parameter (see below).
4862
4863 <expire> defines the maximum duration of an entry in the table since it
4864 was last created, refreshed or matched. The expiration delay is
4865 defined using the standard time format, similarly as the various
4866 timeouts. The maximum duration is slightly above 24 days. See
4867 section 2.2 for more information. If this delay is not specified,
4868 the session won't automatically expire, but older entries will
4869 be removed once full. Be sure not to use the "nopurge" parameter
4870 if not expiration delay is specified.
4871
4872 The is only one stick-table per backend. At the moment of writing this doc,
4873 it does not seem useful to have multiple tables per backend. If this happens
4874 to be required, simply create a dummy backend with a stick-table in it and
4875 reference it.
4876
4877 It is important to understand that stickiness based on learning information
4878 has some limitations, including the fact that all learned associations are
4879 lost upon restart. In general it can be good as a complement but not always
4880 as an exclusive stickiness.
4881
4882 See also : "stick match", "stick on", "stick store-request", and section 2.2
4883 about time format.
4884
4885
Willy Tarreau62644772008-07-16 18:36:06 +02004886tcp-request content accept [{if | unless} <condition>]
4887 Accept a connection if/unless a content inspection condition is matched
4888 May be used in sections : defaults | frontend | listen | backend
4889 no | yes | yes | no
4890
4891 During TCP content inspection, the connection is immediately validated if the
4892 condition is true (when used with "if") or false (when used with "unless").
4893 Most of the time during content inspection, a condition will be in an
4894 uncertain state which is neither true nor false. The evaluation immediately
4895 stops when such a condition is encountered. It is important to understand
4896 that "accept" and "reject" rules are evaluated in their exact declaration
4897 order, so that it is possible to build complex rules from them. There is no
4898 specific limit to the number of rules which may be inserted.
4899
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004900 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreau62644772008-07-16 18:36:06 +02004901 the action, it is simply performed unconditionally.
4902
4903 If no "tcp-request content" rules are matched, the default action already is
4904 "accept". Thus, this statement alone does not bring anything without another
4905 "reject" statement.
4906
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004907 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02004908
Willy Tarreau55165fe2009-05-10 12:02:55 +02004909 See also : "tcp-request content reject", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02004910
4911
4912tcp-request content reject [{if | unless} <condition>]
4913 Reject a connection if/unless a content inspection condition is matched
4914 May be used in sections : defaults | frontend | listen | backend
4915 no | yes | yes | no
4916
4917 During TCP content inspection, the connection is immediately rejected if the
4918 condition is true (when used with "if") or false (when used with "unless").
4919 Most of the time during content inspection, a condition will be in an
4920 uncertain state which is neither true nor false. The evaluation immediately
4921 stops when such a condition is encountered. It is important to understand
4922 that "accept" and "reject" rules are evaluated in their exact declaration
4923 order, so that it is possible to build complex rules from them. There is no
4924 specific limit to the number of rules which may be inserted.
4925
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004926 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreau62644772008-07-16 18:36:06 +02004927 the action, it is simply performed unconditionally.
4928
4929 If no "tcp-request content" rules are matched, the default action is set to
4930 "accept".
4931
4932 Example:
4933 # reject SMTP connection if client speaks first
4934 tcp-request inspect-delay 30s
4935 acl content_present req_len gt 0
4936 tcp-request reject if content_present
4937
4938 # Forward HTTPS connection only if client speaks
4939 tcp-request inspect-delay 30s
4940 acl content_present req_len gt 0
4941 tcp-request accept if content_present
4942 tcp-request reject
4943
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004944 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02004945
Willy Tarreau55165fe2009-05-10 12:02:55 +02004946 See also : "tcp-request content accept", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02004947
4948
4949tcp-request inspect-delay <timeout>
4950 Set the maximum allowed time to wait for data during content inspection
4951 May be used in sections : defaults | frontend | listen | backend
4952 no | yes | yes | no
4953 Arguments :
4954 <timeout> is the timeout value specified in milliseconds by default, but
4955 can be in any other unit if the number is suffixed by the unit,
4956 as explained at the top of this document.
4957
4958 People using haproxy primarily as a TCP relay are often worried about the
4959 risk of passing any type of protocol to a server without any analysis. In
4960 order to be able to analyze the request contents, we must first withhold
4961 the data then analyze them. This statement simply enables withholding of
4962 data for at most the specified amount of time.
4963
4964 Note that when performing content inspection, haproxy will evaluate the whole
4965 rules for every new chunk which gets in, taking into account the fact that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004966 those data are partial. If no rule matches before the aforementioned delay,
Willy Tarreau62644772008-07-16 18:36:06 +02004967 a last check is performed upon expiration, this time considering that the
Willy Tarreaud869b242009-03-15 14:43:58 +01004968 contents are definitive. If no delay is set, haproxy will not wait at all
4969 and will immediately apply a verdict based on the available information.
4970 Obviously this is unlikely to be very useful and might even be racy, so such
4971 setups are not recommended.
Willy Tarreau62644772008-07-16 18:36:06 +02004972
4973 As soon as a rule matches, the request is released and continues as usual. If
4974 the timeout is reached and no rule matches, the default policy will be to let
4975 it pass through unaffected.
4976
4977 For most protocols, it is enough to set it to a few seconds, as most clients
4978 send the full request immediately upon connection. Add 3 or more seconds to
4979 cover TCP retransmits but that's all. For some protocols, it may make sense
Willy Tarreaud72758d2010-01-12 10:42:19 +01004980 to use large values, for instance to ensure that the client never talks
Willy Tarreau62644772008-07-16 18:36:06 +02004981 before the server (eg: SMTP), or to wait for a client to talk before passing
4982 data to the server (eg: SSL). Note that the client timeout must cover at
4983 least the inspection delay, otherwise it will expire first.
4984
Willy Tarreau55165fe2009-05-10 12:02:55 +02004985 See also : "tcp-request content accept", "tcp-request content reject",
Willy Tarreau62644772008-07-16 18:36:06 +02004986 "timeout client".
4987
4988
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01004989timeout check <timeout>
4990 Set additional check timeout, but only after a connection has been already
4991 established.
4992
4993 May be used in sections: defaults | frontend | listen | backend
4994 yes | no | yes | yes
4995 Arguments:
4996 <timeout> is the timeout value specified in milliseconds by default, but
4997 can be in any other unit if the number is suffixed by the unit,
4998 as explained at the top of this document.
4999
5000 If set, haproxy uses min("timeout connect", "inter") as a connect timeout
5001 for check and "timeout check" as an additional read timeout. The "min" is
5002 used so that people running with *very* long "timeout connect" (eg. those
5003 who needed this due to the queue or tarpit) do not slow down their checks.
5004 Of course it is better to use "check queue" and "check tarpit" instead of
5005 long "timeout connect".
5006
5007 If "timeout check" is not set haproxy uses "inter" for complete check
5008 timeout (connect + read) exactly like all <1.3.15 version.
5009
5010 In most cases check request is much simpler and faster to handle than normal
5011 requests and people may want to kick out laggy servers so this timeout should
Willy Tarreau41a340d2008-01-22 12:25:31 +01005012 be smaller than "timeout server".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005013
5014 This parameter is specific to backends, but can be specified once for all in
5015 "defaults" sections. This is in fact one of the easiest solutions not to
5016 forget about it.
5017
Willy Tarreau41a340d2008-01-22 12:25:31 +01005018 See also: "timeout connect", "timeout queue", "timeout server",
5019 "timeout tarpit".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005020
5021
Willy Tarreau0ba27502007-12-24 16:55:16 +01005022timeout client <timeout>
5023timeout clitimeout <timeout> (deprecated)
5024 Set the maximum inactivity time on the client side.
5025 May be used in sections : defaults | frontend | listen | backend
5026 yes | yes | yes | no
5027 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01005028 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01005029 can be in any other unit if the number is suffixed by the unit,
5030 as explained at the top of this document.
5031
5032 The inactivity timeout applies when the client is expected to acknowledge or
5033 send data. In HTTP mode, this timeout is particularly important to consider
5034 during the first phase, when the client sends the request, and during the
5035 response while it is reading data sent by the server. The value is specified
5036 in milliseconds by default, but can be in any other unit if the number is
5037 suffixed by the unit, as specified at the top of this document. In TCP mode
5038 (and to a lesser extent, in HTTP mode), it is highly recommended that the
5039 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005040 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01005041 losses by specifying timeouts that are slightly above multiples of 3 seconds
5042 (eg: 4 or 5 seconds).
5043
5044 This parameter is specific to frontends, but can be specified once for all in
5045 "defaults" sections. This is in fact one of the easiest solutions not to
5046 forget about it. An unspecified timeout results in an infinite timeout, which
5047 is not recommended. Such a usage is accepted and works but reports a warning
5048 during startup because it may results in accumulation of expired sessions in
5049 the system if the system's timeouts are not configured either.
5050
5051 This parameter replaces the old, deprecated "clitimeout". It is recommended
5052 to use it to write new configurations. The form "timeout clitimeout" is
5053 provided only by backwards compatibility but its use is strongly discouraged.
5054
5055 See also : "clitimeout", "timeout server".
5056
5057
5058timeout connect <timeout>
5059timeout contimeout <timeout> (deprecated)
5060 Set the maximum time to wait for a connection attempt to a server to succeed.
5061 May be used in sections : defaults | frontend | listen | backend
5062 yes | no | yes | yes
5063 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01005064 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01005065 can be in any other unit if the number is suffixed by the unit,
5066 as explained at the top of this document.
5067
5068 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005069 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01005070 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01005071 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01005072 connect timeout also presets both queue and tarpit timeouts to the same value
5073 if these have not been specified.
Willy Tarreau0ba27502007-12-24 16:55:16 +01005074
5075 This parameter is specific to backends, but can be specified once for all in
5076 "defaults" sections. This is in fact one of the easiest solutions not to
5077 forget about it. An unspecified timeout results in an infinite timeout, which
5078 is not recommended. Such a usage is accepted and works but reports a warning
5079 during startup because it may results in accumulation of failed sessions in
5080 the system if the system's timeouts are not configured either.
5081
5082 This parameter replaces the old, deprecated "contimeout". It is recommended
5083 to use it to write new configurations. The form "timeout contimeout" is
5084 provided only by backwards compatibility but its use is strongly discouraged.
5085
Willy Tarreau41a340d2008-01-22 12:25:31 +01005086 See also: "timeout check", "timeout queue", "timeout server", "contimeout",
5087 "timeout tarpit".
Willy Tarreau0ba27502007-12-24 16:55:16 +01005088
5089
Willy Tarreaub16a5742010-01-10 14:46:16 +01005090timeout http-keep-alive <timeout>
5091 Set the maximum allowed time to wait for a new HTTP request to appear
5092 May be used in sections : defaults | frontend | listen | backend
5093 yes | yes | yes | yes
5094 Arguments :
5095 <timeout> is the timeout value specified in milliseconds by default, but
5096 can be in any other unit if the number is suffixed by the unit,
5097 as explained at the top of this document.
5098
5099 By default, the time to wait for a new request in case of keep-alive is set
5100 by "timeout http-request". However this is not always convenient because some
5101 people want very short keep-alive timeouts in order to release connections
5102 faster, and others prefer to have larger ones but still have short timeouts
5103 once the request has started to present itself.
5104
5105 The "http-keep-alive" timeout covers these needs. It will define how long to
5106 wait for a new HTTP request to start coming after a response was sent. Once
5107 the first byte of request has been seen, the "http-request" timeout is used
5108 to wait for the complete request to come. Note that empty lines prior to a
5109 new request do not refresh the timeout and are not counted as a new request.
5110
5111 There is also another difference between the two timeouts : when a connection
5112 expires during timeout http-keep-alive, no error is returned, the connection
5113 just closes. If the connection expires in "http-request" while waiting for a
5114 connection to complete, a HTTP 408 error is returned.
5115
5116 In general it is optimal to set this value to a few tens to hundreds of
5117 milliseconds, to allow users to fetch all objects of a page at once but
5118 without waiting for further clicks. Also, if set to a very small value (eg:
5119 1 millisecond) it will probably only accept pipelined requests but not the
5120 non-pipelined ones. It may be a nice trade-off for very large sites running
5121 with tends to hundreds of thousands of clients.
5122
5123 If this parameter is not set, the "http-request" timeout applies, and if both
5124 are not set, "timeout client" still applies at the lower level. It should be
5125 set in the frontend to take effect, unless the frontend is in TCP mode, in
5126 which case the HTTP backend's timeout will be used.
5127
5128 See also : "timeout http-request", "timeout client".
5129
5130
Willy Tarreau036fae02008-01-06 13:24:40 +01005131timeout http-request <timeout>
5132 Set the maximum allowed time to wait for a complete HTTP request
5133 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaucd7afc02009-07-12 10:03:17 +02005134 yes | yes | yes | yes
Willy Tarreau036fae02008-01-06 13:24:40 +01005135 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01005136 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau036fae02008-01-06 13:24:40 +01005137 can be in any other unit if the number is suffixed by the unit,
5138 as explained at the top of this document.
5139
5140 In order to offer DoS protection, it may be required to lower the maximum
5141 accepted time to receive a complete HTTP request without affecting the client
5142 timeout. This helps protecting against established connections on which
5143 nothing is sent. The client timeout cannot offer a good protection against
5144 this abuse because it is an inactivity timeout, which means that if the
5145 attacker sends one character every now and then, the timeout will not
5146 trigger. With the HTTP request timeout, no matter what speed the client
5147 types, the request will be aborted if it does not complete in time.
5148
5149 Note that this timeout only applies to the header part of the request, and
5150 not to any data. As soon as the empty line is received, this timeout is not
Willy Tarreaub16a5742010-01-10 14:46:16 +01005151 used anymore. It is used again on keep-alive connections to wait for a second
5152 request if "timeout http-keep-alive" is not set.
Willy Tarreau036fae02008-01-06 13:24:40 +01005153
5154 Generally it is enough to set it to a few seconds, as most clients send the
5155 full request immediately upon connection. Add 3 or more seconds to cover TCP
5156 retransmits but that's all. Setting it to very low values (eg: 50 ms) will
5157 generally work on local networks as long as there are no packet losses. This
5158 will prevent people from sending bare HTTP requests using telnet.
5159
5160 If this parameter is not set, the client timeout still applies between each
Willy Tarreaucd7afc02009-07-12 10:03:17 +02005161 chunk of the incoming request. It should be set in the frontend to take
5162 effect, unless the frontend is in TCP mode, in which case the HTTP backend's
5163 timeout will be used.
Willy Tarreau036fae02008-01-06 13:24:40 +01005164
Willy Tarreaub16a5742010-01-10 14:46:16 +01005165 See also : "timeout http-keep-alive", "timeout client".
Willy Tarreau036fae02008-01-06 13:24:40 +01005166
Willy Tarreau844e3c52008-01-11 16:28:18 +01005167
5168timeout queue <timeout>
5169 Set the maximum time to wait in the queue for a connection slot to be free
5170 May be used in sections : defaults | frontend | listen | backend
5171 yes | no | yes | yes
5172 Arguments :
5173 <timeout> is the timeout value specified in milliseconds by default, but
5174 can be in any other unit if the number is suffixed by the unit,
5175 as explained at the top of this document.
5176
5177 When a server's maxconn is reached, connections are left pending in a queue
5178 which may be server-specific or global to the backend. In order not to wait
5179 indefinitely, a timeout is applied to requests pending in the queue. If the
5180 timeout is reached, it is considered that the request will almost never be
5181 served, so it is dropped and a 503 error is returned to the client.
5182
5183 The "timeout queue" statement allows to fix the maximum time for a request to
5184 be left pending in a queue. If unspecified, the same value as the backend's
5185 connection timeout ("timeout connect") is used, for backwards compatibility
5186 with older versions with no "timeout queue" parameter.
5187
5188 See also : "timeout connect", "contimeout".
5189
5190
5191timeout server <timeout>
5192timeout srvtimeout <timeout> (deprecated)
5193 Set the maximum inactivity time on the server side.
5194 May be used in sections : defaults | frontend | listen | backend
5195 yes | no | yes | yes
5196 Arguments :
5197 <timeout> is the timeout value specified in milliseconds by default, but
5198 can be in any other unit if the number is suffixed by the unit,
5199 as explained at the top of this document.
5200
5201 The inactivity timeout applies when the server is expected to acknowledge or
5202 send data. In HTTP mode, this timeout is particularly important to consider
5203 during the first phase of the server's response, when it has to send the
5204 headers, as it directly represents the server's processing time for the
5205 request. To find out what value to put there, it's often good to start with
5206 what would be considered as unacceptable response times, then check the logs
5207 to observe the response time distribution, and adjust the value accordingly.
5208
5209 The value is specified in milliseconds by default, but can be in any other
5210 unit if the number is suffixed by the unit, as specified at the top of this
5211 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
5212 recommended that the client timeout remains equal to the server timeout in
5213 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005214 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01005215 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01005216 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01005217
5218 This parameter is specific to backends, but can be specified once for all in
5219 "defaults" sections. This is in fact one of the easiest solutions not to
5220 forget about it. An unspecified timeout results in an infinite timeout, which
5221 is not recommended. Such a usage is accepted and works but reports a warning
5222 during startup because it may results in accumulation of expired sessions in
5223 the system if the system's timeouts are not configured either.
5224
5225 This parameter replaces the old, deprecated "srvtimeout". It is recommended
5226 to use it to write new configurations. The form "timeout srvtimeout" is
5227 provided only by backwards compatibility but its use is strongly discouraged.
5228
5229 See also : "srvtimeout", "timeout client".
5230
5231
5232timeout tarpit <timeout>
5233 Set the duration for which tapitted connections will be maintained
5234 May be used in sections : defaults | frontend | listen | backend
5235 yes | yes | yes | yes
5236 Arguments :
5237 <timeout> is the tarpit duration specified in milliseconds by default, but
5238 can be in any other unit if the number is suffixed by the unit,
5239 as explained at the top of this document.
5240
5241 When a connection is tarpitted using "reqtarpit", it is maintained open with
5242 no activity for a certain amount of time, then closed. "timeout tarpit"
5243 defines how long it will be maintained open.
5244
5245 The value is specified in milliseconds by default, but can be in any other
5246 unit if the number is suffixed by the unit, as specified at the top of this
5247 document. If unspecified, the same value as the backend's connection timeout
5248 ("timeout connect") is used, for backwards compatibility with older versions
Willy Tarreaud72758d2010-01-12 10:42:19 +01005249 with no "timeout tapit" parameter.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005250
5251 See also : "timeout connect", "contimeout".
5252
5253
5254transparent (deprecated)
5255 Enable client-side transparent proxying
5256 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01005257 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01005258 Arguments : none
5259
5260 This keyword was introduced in order to provide layer 7 persistence to layer
5261 3 load balancers. The idea is to use the OS's ability to redirect an incoming
5262 connection for a remote address to a local process (here HAProxy), and let
5263 this process know what address was initially requested. When this option is
5264 used, sessions without cookies will be forwarded to the original destination
5265 IP address of the incoming request (which should match that of another
5266 equipment), while requests with cookies will still be forwarded to the
5267 appropriate server.
5268
5269 The "transparent" keyword is deprecated, use "option transparent" instead.
5270
5271 Note that contrary to a common belief, this option does NOT make HAProxy
5272 present the client's IP to the server when establishing the connection.
5273
Willy Tarreau844e3c52008-01-11 16:28:18 +01005274 See also: "option transparent"
5275
5276
5277use_backend <backend> if <condition>
5278use_backend <backend> unless <condition>
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02005279 Switch to a specific backend if/unless an ACL-based condition is matched.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005280 May be used in sections : defaults | frontend | listen | backend
5281 no | yes | yes | no
5282 Arguments :
5283 <backend> is the name of a valid backend or "listen" section.
5284
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005285 <condition> is a condition composed of ACLs, as described in section 7.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005286
5287 When doing content-switching, connections arrive on a frontend and are then
5288 dispatched to various backends depending on a number of conditions. The
5289 relation between the conditions and the backends is described with the
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02005290 "use_backend" keyword. While it is normally used with HTTP processing, it can
5291 also be used in pure TCP, either without content using stateless ACLs (eg:
5292 source address validation) or combined with a "tcp-request" rule to wait for
5293 some payload.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005294
5295 There may be as many "use_backend" rules as desired. All of these rules are
5296 evaluated in their declaration order, and the first one which matches will
5297 assign the backend.
5298
5299 In the first form, the backend will be used if the condition is met. In the
5300 second form, the backend will be used if the condition is not met. If no
5301 condition is valid, the backend defined with "default_backend" will be used.
5302 If no default backend is defined, either the servers in the same section are
5303 used (in case of a "listen" section) or, in case of a frontend, no server is
5304 used and a 503 service unavailable response is returned.
5305
Willy Tarreau51aecc72009-07-12 09:47:04 +02005306 Note that it is possible to switch from a TCP frontend to an HTTP backend. In
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005307 this case, either the frontend has already checked that the protocol is HTTP,
Willy Tarreau51aecc72009-07-12 09:47:04 +02005308 and backend processing will immediately follow, or the backend will wait for
5309 a complete HTTP request to get in. This feature is useful when a frontend
5310 must decode several protocols on a unique port, one of them being HTTP.
5311
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02005312 See also: "default_backend", "tcp-request", and section 7 about ACLs.
Willy Tarreaud72758d2010-01-12 10:42:19 +01005313
Willy Tarreau036fae02008-01-06 13:24:40 +01005314
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +010053155. Server and default-server options
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005316-----------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02005317
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01005318The "server" and "default-server" keywords support a certain number of settings
5319which are all passed as arguments on the server line. The order in which those
5320arguments appear does not count, and they are all optional. Some of those
5321settings are single words (booleans) while others expect one or several values
5322after them. In this case, the values must immediately follow the setting name.
5323Except default-server, all those settings must be specified after the server's
5324address if they are used:
Willy Tarreau6a06a402007-07-15 20:15:28 +02005325
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005326 server <name> <address>[:port] [settings ...]
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01005327 default-server [settings ...]
Willy Tarreau6a06a402007-07-15 20:15:28 +02005328
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005329The currently supported settings are the following ones.
Willy Tarreau0ba27502007-12-24 16:55:16 +01005330
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005331addr <ipv4>
5332 Using the "addr" parameter, it becomes possible to use a different IP address
5333 to send health-checks. On some servers, it may be desirable to dedicate an IP
5334 address to specific component able to perform complex tests which are more
5335 suitable to health-checks than the application. This parameter is ignored if
5336 the "check" parameter is not set. See also the "port" parameter.
Willy Tarreau6a06a402007-07-15 20:15:28 +02005337
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005338 Supported in default-server: No
5339
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005340backup
5341 When "backup" is present on a server line, the server is only used in load
5342 balancing when all other non-backup servers are unavailable. Requests coming
5343 with a persistence cookie referencing the server will always be served
5344 though. By default, only the first operational backup server is used, unless
5345 the "allbackups" option is set in the backend. See also the "allbackups"
5346 option.
Willy Tarreau6a06a402007-07-15 20:15:28 +02005347
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005348 Supported in default-server: No
5349
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005350check
5351 This option enables health checks on the server. By default, a server is
5352 always considered available. If "check" is set, the server will receive
5353 periodic health checks to ensure that it is really able to serve requests.
5354 The default address and port to send the tests to are those of the server,
5355 and the default source is the same as the one defined in the backend. It is
5356 possible to change the address using the "addr" parameter, the port using the
5357 "port" parameter, the source address using the "source" address, and the
5358 interval and timers using the "inter", "rise" and "fall" parameters. The
5359 request method is define in the backend using the "httpchk", "smtpchk",
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01005360 "mysql-check" and "ssl-hello-chk" options. Please refer to those options and
5361 parameters for more information.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005362
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005363 Supported in default-server: No
5364
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005365cookie <value>
5366 The "cookie" parameter sets the cookie value assigned to the server to
5367 <value>. This value will be checked in incoming requests, and the first
5368 operational server possessing the same value will be selected. In return, in
5369 cookie insertion or rewrite modes, this value will be assigned to the cookie
5370 sent to the client. There is nothing wrong in having several servers sharing
5371 the same cookie value, and it is in fact somewhat common between normal and
5372 backup servers. See also the "cookie" keyword in backend section.
5373
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005374 Supported in default-server: No
5375
5376error-limit <count>
Willy Tarreau983e01e2010-01-11 18:42:06 +01005377 If health observing is enabled, the "error-limit" parameter specifies the
5378 number of consecutive errors that triggers event selected by the "on-error"
5379 option. By default it is set to 10 consecutive errors.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005380
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005381 Supported in default-server: Yes
5382
5383 See also the "check", "error-limit" and "on-error".
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005384
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005385fall <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005386 The "fall" parameter states that a server will be considered as dead after
5387 <count> consecutive unsuccessful health checks. This value defaults to 3 if
5388 unspecified. See also the "check", "inter" and "rise" parameters.
5389
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005390 Supported in default-server: Yes
5391
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005392id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02005393 Set a persistent ID for the server. This ID must be positive and unique for
5394 the proxy. An unused ID will automatically be assigned if unset. The first
5395 assigned value will be 1. This ID is currently only returned in statistics.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005396
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005397 Supported in default-server: No
5398
5399inter <delay>
5400fastinter <delay>
5401downinter <delay>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005402 The "inter" parameter sets the interval between two consecutive health checks
5403 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
5404 It is also possible to use "fastinter" and "downinter" to optimize delays
5405 between checks depending on the server state :
5406
5407 Server state | Interval used
5408 ---------------------------------+-----------------------------------------
5409 UP 100% (non-transitional) | "inter"
5410 ---------------------------------+-----------------------------------------
5411 Transitionally UP (going down), |
5412 Transitionally DOWN (going up), | "fastinter" if set, "inter" otherwise.
5413 or yet unchecked. |
5414 ---------------------------------+-----------------------------------------
5415 DOWN 100% (non-transitional) | "downinter" if set, "inter" otherwise.
5416 ---------------------------------+-----------------------------------------
Willy Tarreaud72758d2010-01-12 10:42:19 +01005417
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005418 Just as with every other time-based parameter, they can be entered in any
5419 other explicit unit among { us, ms, s, m, h, d }. The "inter" parameter also
5420 serves as a timeout for health checks sent to servers if "timeout check" is
5421 not set. In order to reduce "resonance" effects when multiple servers are
5422 hosted on the same hardware, the health-checks of all servers are started
5423 with a small time offset between them. It is also possible to add some random
5424 noise in the health checks interval using the global "spread-checks"
5425 keyword. This makes sense for instance when a lot of backends use the same
5426 servers.
5427
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005428 Supported in default-server: Yes
5429
5430maxconn <maxconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005431 The "maxconn" parameter specifies the maximal number of concurrent
5432 connections that will be sent to this server. If the number of incoming
5433 concurrent requests goes higher than this value, they will be queued, waiting
5434 for a connection to be released. This parameter is very important as it can
5435 save fragile servers from going down under extreme loads. If a "minconn"
5436 parameter is specified, the limit becomes dynamic. The default value is "0"
5437 which means unlimited. See also the "minconn" and "maxqueue" parameters, and
5438 the backend's "fullconn" keyword.
5439
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005440 Supported in default-server: Yes
5441
5442maxqueue <maxqueue>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005443 The "maxqueue" parameter specifies the maximal number of connections which
5444 will wait in the queue for this server. If this limit is reached, next
5445 requests will be redispatched to other servers instead of indefinitely
5446 waiting to be served. This will break persistence but may allow people to
5447 quickly re-log in when the server they try to connect to is dying. The
5448 default value is "0" which means the queue is unlimited. See also the
5449 "maxconn" and "minconn" parameters.
5450
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005451 Supported in default-server: Yes
5452
5453minconn <minconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005454 When the "minconn" parameter is set, the maxconn limit becomes a dynamic
5455 limit following the backend's load. The server will always accept at least
5456 <minconn> connections, never more than <maxconn>, and the limit will be on
5457 the ramp between both values when the backend has less than <fullconn>
5458 concurrent connections. This makes it possible to limit the load on the
5459 server during normal loads, but push it further for important loads without
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005460 overloading the server during exceptional loads. See also the "maxconn"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005461 and "maxqueue" parameters, as well as the "fullconn" backend keyword.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005462
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005463 Supported in default-server: Yes
5464
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005465observe <mode>
5466 This option enables health adjusting based on observing communication with
5467 the server. By default this functionality is disabled and enabling it also
5468 requires to enable health checks. There are two supported modes: "layer4" and
5469 "layer7". In layer4 mode, only successful/unsuccessful tcp connections are
5470 significant. In layer7, which is only allowed for http proxies, responses
5471 received from server are verified, like valid/wrong http code, unparsable
5472 headers, a timeout, etc.
5473
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005474 Supported in default-server: No
5475
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005476 See also the "check", "on-error" and "error-limit".
5477
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005478on-error <mode>
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005479 Select what should happen when enough consecutive errors are detected.
5480 Currently, four modes are available:
5481 - fastinter: force fastinter
5482 - fail-check: simulate a failed check, also forces fastinter (default)
5483 - sudden-death: simulate a pre-fatal failed health check, one more failed
5484 check will mark a server down, forces fastinter
5485 - mark-down: mark the server immediately down and force fastinter
5486
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005487 Supported in default-server: Yes
5488
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01005489 See also the "check", "observe" and "error-limit".
5490
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005491port <port>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005492 Using the "port" parameter, it becomes possible to use a different port to
5493 send health-checks. On some servers, it may be desirable to dedicate a port
5494 to a specific component able to perform complex tests which are more suitable
5495 to health-checks than the application. It is common to run a simple script in
5496 inetd for instance. This parameter is ignored if the "check" parameter is not
5497 set. See also the "addr" parameter.
5498
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005499 Supported in default-server: Yes
5500
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005501redir <prefix>
5502 The "redir" parameter enables the redirection mode for all GET and HEAD
5503 requests addressing this server. This means that instead of having HAProxy
5504 forward the request to the server, it will send an "HTTP 302" response with
5505 the "Location" header composed of this prefix immediately followed by the
5506 requested URI beginning at the leading '/' of the path component. That means
5507 that no trailing slash should be used after <prefix>. All invalid requests
5508 will be rejected, and all non-GET or HEAD requests will be normally served by
5509 the server. Note that since the response is completely forged, no header
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005510 mangling nor cookie insertion is possible in the response. However, cookies in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005511 requests are still analysed, making this solution completely usable to direct
5512 users to a remote location in case of local disaster. Main use consists in
5513 increasing bandwidth for static servers by having the clients directly
5514 connect to them. Note: never use a relative location here, it would cause a
5515 loop between the client and HAProxy!
5516
5517 Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
5518
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005519 Supported in default-server: No
5520
5521rise <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005522 The "rise" parameter states that a server will be considered as operational
5523 after <count> consecutive successful health checks. This value defaults to 2
5524 if unspecified. See also the "check", "inter" and "fall" parameters.
5525
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005526 Supported in default-server: Yes
5527
5528slowstart <start_time_in_ms>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005529 The "slowstart" parameter for a server accepts a value in milliseconds which
5530 indicates after how long a server which has just come back up will run at
5531 full speed. Just as with every other time-based parameter, it can be entered
5532 in any other explicit unit among { us, ms, s, m, h, d }. The speed grows
5533 linearly from 0 to 100% during this time. The limitation applies to two
5534 parameters :
5535
5536 - maxconn: the number of connections accepted by the server will grow from 1
5537 to 100% of the usual dynamic limit defined by (minconn,maxconn,fullconn).
5538
5539 - weight: when the backend uses a dynamic weighted algorithm, the weight
5540 grows linearly from 1 to 100%. In this case, the weight is updated at every
5541 health-check. For this reason, it is important that the "inter" parameter
5542 is smaller than the "slowstart", in order to maximize the number of steps.
5543
5544 The slowstart never applies when haproxy starts, otherwise it would cause
5545 trouble to running servers. It only applies when a server has been previously
5546 seen as failed.
5547
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005548 Supported in default-server: Yes
5549
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02005550source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
5551source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005552 The "source" parameter sets the source address which will be used when
5553 connecting to the server. It follows the exact same parameters and principle
5554 as the backend "source" keyword, except that it only applies to the server
5555 referencing it. Please consult the "source" keyword for details.
5556
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02005557 Additionally, the "source" statement on a server line allows one to specify a
5558 source port range by indicating the lower and higher bounds delimited by a
5559 dash ('-'). Some operating systems might require a valid IP address when a
5560 source port range is specified. It is permitted to have the same IP/range for
5561 several servers. Doing so makes it possible to bypass the maximum of 64k
5562 total concurrent connections. The limit will then reach 64k connections per
5563 server.
5564
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005565 Supported in default-server: No
5566
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005567track [<proxy>/]<server>
5568 This option enables ability to set the current state of the server by
5569 tracking another one. Only a server with checks enabled can be tracked
5570 so it is not possible for example to track a server that tracks another
5571 one. If <proxy> is omitted the current one is used. If disable-on-404 is
5572 used, it has to be enabled on both proxies.
5573
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005574 Supported in default-server: No
5575
5576weight <weight>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005577 The "weight" parameter is used to adjust the server's weight relative to
5578 other servers. All servers will receive a load proportional to their weight
5579 relative to the sum of all weights, so the higher the weight, the higher the
Willy Tarreau6704d672009-06-15 10:56:05 +02005580 load. The default weight is 1, and the maximal value is 256. A value of 0
5581 means the server will not participate in load-balancing but will still accept
5582 persistent connections. If this parameter is used to distribute the load
5583 according to server's capacity, it is recommended to start with values which
5584 can both grow and shrink, for instance between 10 and 100 to leave enough
5585 room above and below for later adjustments.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005586
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01005587 Supported in default-server: Yes
5588
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005589
55906. HTTP header manipulation
5591---------------------------
5592
5593In HTTP mode, it is possible to rewrite, add or delete some of the request and
5594response headers based on regular expressions. It is also possible to block a
5595request or a response if a particular header matches a regular expression,
5596which is enough to stop most elementary protocol attacks, and to protect
5597against information leak from the internal network. But there is a limitation
5598to this : since HAProxy's HTTP engine does not support keep-alive, only headers
5599passed during the first request of a TCP session will be seen. All subsequent
5600headers will be considered data only and not analyzed. Furthermore, HAProxy
5601never touches data contents, it stops analysis at the end of headers.
5602
Willy Tarreau816b9792009-09-15 21:25:21 +02005603There is an exception though. If HAProxy encounters an "Informational Response"
5604(status code 1xx), it is able to process all rsp* rules which can allow, deny,
5605rewrite or delete a header, but it will refuse to add a header to any such
5606messages as this is not HTTP-compliant. The reason for still processing headers
5607in such responses is to stop and/or fix any possible information leak which may
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005608happen, for instance because another downstream equipment would unconditionally
Willy Tarreau816b9792009-09-15 21:25:21 +02005609add a header, or if a server name appears there. When such messages are seen,
5610normal processing still occurs on the next non-informational messages.
5611
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005612This section covers common usage of the following keywords, described in detail
5613in section 4.2 :
5614
5615 - reqadd <string>
5616 - reqallow <search>
5617 - reqiallow <search>
5618 - reqdel <search>
5619 - reqidel <search>
5620 - reqdeny <search>
5621 - reqideny <search>
5622 - reqpass <search>
5623 - reqipass <search>
5624 - reqrep <search> <replace>
5625 - reqirep <search> <replace>
5626 - reqtarpit <search>
5627 - reqitarpit <search>
5628 - rspadd <string>
5629 - rspdel <search>
5630 - rspidel <search>
5631 - rspdeny <search>
5632 - rspideny <search>
5633 - rsprep <search> <replace>
5634 - rspirep <search> <replace>
5635
5636With all these keywords, the same conventions are used. The <search> parameter
5637is a POSIX extended regular expression (regex) which supports grouping through
5638parenthesis (without the backslash). Spaces and other delimiters must be
5639prefixed with a backslash ('\') to avoid confusion with a field delimiter.
5640Other characters may be prefixed with a backslash to change their meaning :
5641
5642 \t for a tab
5643 \r for a carriage return (CR)
5644 \n for a new line (LF)
5645 \ to mark a space and differentiate it from a delimiter
5646 \# to mark a sharp and differentiate it from a comment
5647 \\ to use a backslash in a regex
5648 \\\\ to use a backslash in the text (*2 for regex, *2 for haproxy)
5649 \xXX to write the ASCII hex code XX as in the C language
5650
5651The <replace> parameter contains the string to be used to replace the largest
5652portion of text matching the regex. It can make use of the special characters
5653above, and can reference a substring which is delimited by parenthesis in the
5654regex, by writing a backslash ('\') immediately followed by one digit from 0 to
56559 indicating the group position (0 designating the entire line). This practice
5656is very common to users of the "sed" program.
5657
5658The <string> parameter represents the string which will systematically be added
5659after the last header line. It can also use special character sequences above.
5660
5661Notes related to these keywords :
5662---------------------------------
5663 - these keywords are not always convenient to allow/deny based on header
5664 contents. It is strongly recommended to use ACLs with the "block" keyword
5665 instead, resulting in far more flexible and manageable rules.
5666
5667 - lines are always considered as a whole. It is not possible to reference
5668 a header name only or a value only. This is important because of the way
5669 headers are written (notably the number of spaces after the colon).
5670
5671 - the first line is always considered as a header, which makes it possible to
5672 rewrite or filter HTTP requests URIs or response codes, but in turn makes
5673 it harder to distinguish between headers and request line. The regex prefix
5674 ^[^\ \t]*[\ \t] matches any HTTP method followed by a space, and the prefix
5675 ^[^ \t:]*: matches any header name followed by a colon.
5676
5677 - for performances reasons, the number of characters added to a request or to
5678 a response is limited at build time to values between 1 and 4 kB. This
5679 should normally be far more than enough for most usages. If it is too short
5680 on occasional usages, it is possible to gain some space by removing some
5681 useless headers before adding new ones.
5682
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005683 - keywords beginning with "reqi" and "rspi" are the same as their counterpart
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005684 without the 'i' letter except that they ignore case when matching patterns.
5685
5686 - when a request passes through a frontend then a backend, all req* rules
5687 from the frontend will be evaluated, then all req* rules from the backend
5688 will be evaluated. The reverse path is applied to responses.
5689
5690 - req* statements are applied after "block" statements, so that "block" is
5691 always the first one, but before "use_backend" in order to permit rewriting
Willy Tarreaud72758d2010-01-12 10:42:19 +01005692 before switching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005693
5694
Willy Tarreaub937b7e2010-01-12 15:27:54 +010056957. Using ACLs and pattern extraction
5696------------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005697
5698The use of Access Control Lists (ACL) provides a flexible solution to perform
5699content switching and generally to take decisions based on content extracted
5700from the request, the response or any environmental status. The principle is
5701simple :
5702
5703 - define test criteria with sets of values
5704 - perform actions only if a set of tests is valid
5705
5706The actions generally consist in blocking the request, or selecting a backend.
5707
5708In order to define a test, the "acl" keyword is used. The syntax is :
5709
5710 acl <aclname> <criterion> [flags] [operator] <value> ...
5711
5712This creates a new ACL <aclname> or completes an existing one with new tests.
5713Those tests apply to the portion of request/response specified in <criterion>
5714and may be adjusted with optional flags [flags]. Some criteria also support
5715an operator which may be specified before the set of values. The values are
5716of the type supported by the criterion, and are separated by spaces.
5717
5718ACL names must be formed from upper and lower case letters, digits, '-' (dash),
5719'_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive,
5720which means that "my_acl" and "My_Acl" are two different ACLs.
5721
5722There is no enforced limit to the number of ACLs. The unused ones do not affect
5723performance, they just consume a small amount of memory.
5724
5725The following ACL flags are currently supported :
5726
5727 -i : ignore case during matching.
Willy Tarreau6a06a402007-07-15 20:15:28 +02005728 -- : force end of flags. Useful when a string looks like one of the flags.
5729
5730Supported types of values are :
Willy Tarreau0ba27502007-12-24 16:55:16 +01005731
Willy Tarreau6a06a402007-07-15 20:15:28 +02005732 - integers or integer ranges
5733 - strings
5734 - regular expressions
5735 - IP addresses and networks
5736
5737
Willy Tarreauc57f0e22009-05-10 13:12:33 +020057387.1. Matching integers
5739----------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02005740
5741Matching integers is special in that ranges and operators are permitted. Note
5742that integer matching only applies to positive values. A range is a value
5743expressed with a lower and an upper bound separated with a colon, both of which
5744may be omitted.
5745
5746For instance, "1024:65535" is a valid range to represent a range of
5747unprivileged ports, and "1024:" would also work. "0:1023" is a valid
5748representation of privileged ports, and ":1023" would also work.
5749
Willy Tarreau62644772008-07-16 18:36:06 +02005750As a special case, some ACL functions support decimal numbers which are in fact
5751two integers separated by a dot. This is used with some version checks for
5752instance. All integer properties apply to those decimal numbers, including
5753ranges and operators.
5754
Willy Tarreau6a06a402007-07-15 20:15:28 +02005755For an easier usage, comparison operators are also supported. Note that using
Willy Tarreau0ba27502007-12-24 16:55:16 +01005756operators with ranges does not make much sense and is strongly discouraged.
5757Similarly, it does not make much sense to perform order comparisons with a set
5758of values.
Willy Tarreau6a06a402007-07-15 20:15:28 +02005759
Willy Tarreau0ba27502007-12-24 16:55:16 +01005760Available operators for integer matching are :
Willy Tarreau6a06a402007-07-15 20:15:28 +02005761
5762 eq : true if the tested value equals at least one value
5763 ge : true if the tested value is greater than or equal to at least one value
5764 gt : true if the tested value is greater than at least one value
5765 le : true if the tested value is less than or equal to at least one value
5766 lt : true if the tested value is less than at least one value
5767
Willy Tarreau0ba27502007-12-24 16:55:16 +01005768For instance, the following ACL matches any negative Content-Length header :
Willy Tarreau6a06a402007-07-15 20:15:28 +02005769
5770 acl negative-length hdr_val(content-length) lt 0
5771
Willy Tarreau62644772008-07-16 18:36:06 +02005772This one matches SSL versions between 3.0 and 3.1 (inclusive) :
5773
5774 acl sslv3 req_ssl_ver 3:3.1
5775
Willy Tarreau6a06a402007-07-15 20:15:28 +02005776
Willy Tarreauc57f0e22009-05-10 13:12:33 +020057777.2. Matching strings
5778---------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02005779
5780String matching applies to verbatim strings as they are passed, with the
5781exception of the backslash ("\") which makes it possible to escape some
5782characters such as the space. If the "-i" flag is passed before the first
5783string, then the matching will be performed ignoring the case. In order
5784to match the string "-i", either set it second, or pass the "--" flag
Willy Tarreau0ba27502007-12-24 16:55:16 +01005785before the first string. Same applies of course to match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02005786
5787
Willy Tarreauc57f0e22009-05-10 13:12:33 +020057887.3. Matching regular expressions (regexes)
5789-------------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02005790
5791Just like with string matching, regex matching applies to verbatim strings as
5792they are passed, with the exception of the backslash ("\") which makes it
5793possible to escape some characters such as the space. If the "-i" flag is
5794passed before the first regex, then the matching will be performed ignoring
5795the case. In order to match the string "-i", either set it second, or pass
Willy Tarreau0ba27502007-12-24 16:55:16 +01005796the "--" flag before the first string. Same principle applies of course to
5797match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02005798
5799
Willy Tarreauc57f0e22009-05-10 13:12:33 +020058007.4. Matching IPv4 addresses
5801----------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02005802
5803IPv4 addresses values can be specified either as plain addresses or with a
5804netmask appended, in which case the IPv4 address matches whenever it is
5805within the network. Plain addresses may also be replaced with a resolvable
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005806host name, but this practice is generally discouraged as it makes it more
Willy Tarreau0ba27502007-12-24 16:55:16 +01005807difficult to read and debug configurations. If hostnames are used, you should
5808at least ensure that they are present in /etc/hosts so that the configuration
5809does not depend on any random DNS match at the moment the configuration is
5810parsed.
Willy Tarreau6a06a402007-07-15 20:15:28 +02005811
5812
Willy Tarreauc57f0e22009-05-10 13:12:33 +020058137.5. Available matching criteria
5814--------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02005815
Willy Tarreauc57f0e22009-05-10 13:12:33 +020058167.5.1. Matching at Layer 4 and below
5817------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01005818
5819A first set of criteria applies to information which does not require any
5820analysis of the request or response contents. Those generally include TCP/IP
5821addresses and ports, as well as internal values independant on the stream.
5822
Willy Tarreau6a06a402007-07-15 20:15:28 +02005823always_false
5824 This one never matches. All values and flags are ignored. It may be used as
5825 a temporary replacement for another one when adjusting configurations.
5826
5827always_true
5828 This one always matches. All values and flags are ignored. It may be used as
5829 a temporary replacement for another one when adjusting configurations.
5830
5831src <ip_address>
Willy Tarreau0ba27502007-12-24 16:55:16 +01005832 Applies to the client's IPv4 address. It is usually used to limit access to
Willy Tarreau6a06a402007-07-15 20:15:28 +02005833 certain resources such as statistics. Note that it is the TCP-level source
5834 address which is used, and not the address of a client behind a proxy.
5835
5836src_port <integer>
5837 Applies to the client's TCP source port. This has a very limited usage.
5838
5839dst <ip_address>
Willy Tarreau0ba27502007-12-24 16:55:16 +01005840 Applies to the local IPv4 address the client connected to. It can be used to
Willy Tarreau6a06a402007-07-15 20:15:28 +02005841 switch to a different backend for some alternative addresses.
5842
5843dst_port <integer>
5844 Applies to the local port the client connected to. It can be used to switch
5845 to a different backend for some alternative ports.
5846
5847dst_conn <integer>
Willy Tarreaua36af912009-10-10 12:02:45 +02005848 Applies to the number of currently established connections on the same socket
Willy Tarreau6a06a402007-07-15 20:15:28 +02005849 including the one being evaluated. It can be used to either return a sorry
Willy Tarreau0ba27502007-12-24 16:55:16 +01005850 page before hard-blocking, or to use a specific backend to drain new requests
Willy Tarreaua36af912009-10-10 12:02:45 +02005851 when the socket is considered saturated. This offers the ability to assign
5852 different limits to different listening ports or addresses. See also the
5853 "fe_conn" and "be_conn" criteria.
5854
5855fe_conn <integer>
5856fe_conn(frontend) <integer>
5857 Applies to the number of currently established connections on the frontend,
5858 possibly including the connection being evaluated. If no frontend name is
5859 specified, the current one is used. But it is also possible to check another
5860 frontend. It can be used to either return a sorry page before hard-blocking,
5861 or to use a specific backend to drain new requests when the farm is
5862 considered saturated. See also the "dst_conn", "be_conn" and "fe_sess_rate"
5863 criteria.
5864
Krzysztof Piotr Oledzki346f76d2010-01-12 21:59:30 +01005865fe_id <integer>
5866 Applies to the fronted's id. Can be used in backends to check from which
5867 frontend it was called.
5868
5869so_id <integer>
5870 Applies to the socket's id. Useful in frontends with many bind keywords.
5871
Willy Tarreaua36af912009-10-10 12:02:45 +02005872be_conn <integer>
5873be_conn(frontend) <integer>
5874 Applies to the number of currently established connections on the backend,
5875 possibly including the connection being evaluated. If no backend name is
5876 specified, the current one is used. But it is also possible to check another
5877 backend. It can be used to use a specific farm when the nominal one is full.
5878 See also the "fe_conn", "queue" and "be_sess_rate" criteria.
Willy Tarreau6a06a402007-07-15 20:15:28 +02005879
Willy Tarreau0ba27502007-12-24 16:55:16 +01005880nbsrv <integer>
5881nbsrv(backend) <integer>
5882 Returns true when the number of usable servers of either the current backend
5883 or the named backend matches the values or ranges specified. This is used to
5884 switch to an alternate backend when the number of servers is too low to
5885 to handle some load. It is useful to report a failure when combined with
5886 "monitor fail".
5887
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08005888connslots <integer>
5889connslots(backend) <integer>
5890 The basic idea here is to be able to measure the number of connection "slots"
Willy Tarreau55165fe2009-05-10 12:02:55 +02005891 still available (connection + queue), so that anything beyond that (intended
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08005892 usage; see "use_backend" keyword) can be redirected to a different backend.
5893
Willy Tarreau55165fe2009-05-10 12:02:55 +02005894 'connslots' = number of available server connection slots, + number of
5895 available server queue slots.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08005896
Willy Tarreaua36af912009-10-10 12:02:45 +02005897 Note that while "fe_conn" may be used, "connslots" comes in especially
Willy Tarreau55165fe2009-05-10 12:02:55 +02005898 useful when you have a case of traffic going to one single ip, splitting into
5899 multiple backends (perhaps using acls to do name-based load balancing) and
5900 you want to be able to differentiate between different backends, and their
5901 available "connslots". Also, whereas "nbsrv" only measures servers that are
5902 actually *down*, this acl is more fine-grained and looks into the number of
Willy Tarreaua36af912009-10-10 12:02:45 +02005903 available connection slots as well. See also "queue" and "avg_queue".
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08005904
Willy Tarreau55165fe2009-05-10 12:02:55 +02005905 OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
5906 of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
5907 then this acl clearly does not make sense, in which case the value returned
5908 will be -1.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +08005909
Willy Tarreaua36af912009-10-10 12:02:45 +02005910queue <integer>
5911queue(frontend) <integer>
5912 Returns the total number of queued connections of the designated backend,
5913 including all the connections in server queues. If no backend name is
5914 specified, the current one is used, but it is also possible to check another
5915 one. This can be used to take actions when queuing goes above a known level,
5916 generally indicating a surge of traffic or a massive slowdown on the servers.
5917 One possible action could be to reject new users but still accept old ones.
5918 See also the "avg_queue", "be_conn", and "be_sess_rate" criteria.
5919
5920avg_queue <integer>
5921avg_queue(frontend) <integer>
5922 Returns the total number of queued connections of the designated backend
5923 divided by the number of active servers. This is very similar to "queue"
5924 except that the size of the farm is considered, in order to give a more
5925 accurate measurement of the time it may take for a new connection to be
5926 processed. The main usage is to return a sorry page to new users when it
5927 becomes certain they will get a degraded service. Note that in the event
5928 there would not be any active server anymore, we would consider twice the
5929 number of queued connections as the measured value. This is a fair estimate,
5930 as we expect one server to get back soon anyway, but we still prefer to send
5931 new traffic to another backend if in better shape. See also the "queue",
5932 "be_conn", and "be_sess_rate" criteria.
5933
Willy Tarreau079ff0a2009-03-05 21:34:28 +01005934fe_sess_rate <integer>
5935fe_sess_rate(frontend) <integer>
5936 Returns true when the session creation rate on the current or the named
5937 frontend matches the specified values or ranges, expressed in new sessions
5938 per second. This is used to limit the connection rate to acceptable ranges in
5939 order to prevent abuse of service at the earliest moment. This can be
5940 combined with layer 4 ACLs in order to force the clients to wait a bit for
5941 the rate to go down below the limit.
5942
5943 Example :
5944 # This frontend limits incoming mails to 10/s with a max of 100
5945 # concurrent connections. We accept any connection below 10/s, and
5946 # force excess clients to wait for 100 ms. Since clients are limited to
5947 # 100 max, there cannot be more than 10 incoming mails per second.
5948 frontend mail
5949 bind :25
5950 mode tcp
5951 maxconn 100
5952 acl too_fast fe_sess_rate ge 10
5953 tcp-request inspect-delay 100ms
5954 tcp-request content accept if ! too_fast
5955 tcp-request content accept if WAIT_END
Willy Tarreaud72758d2010-01-12 10:42:19 +01005956
Willy Tarreau079ff0a2009-03-05 21:34:28 +01005957be_sess_rate <integer>
5958be_sess_rate(backend) <integer>
5959 Returns true when the sessions creation rate on the backend matches the
5960 specified values or ranges, in number of new sessions per second. This is
5961 used to switch to an alternate backend when an expensive or fragile one
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005962 reaches too high a session rate, or to limit abuse of service (eg. prevent
Willy Tarreau079ff0a2009-03-05 21:34:28 +01005963 sucking of an online dictionary).
5964
5965 Example :
5966 # Redirect to an error page if the dictionary is requested too often
5967 backend dynamic
5968 mode http
5969 acl being_scanned be_sess_rate gt 100
5970 redirect location /denied.html if being_scanned
5971
Willy Tarreau0ba27502007-12-24 16:55:16 +01005972
Willy Tarreauc57f0e22009-05-10 13:12:33 +020059737.5.2. Matching contents at Layer 4
5974-----------------------------------
Willy Tarreau62644772008-07-16 18:36:06 +02005975
5976A second set of criteria depends on data found in buffers, but which can change
5977during analysis. This requires that some data has been buffered, for instance
5978through TCP request content inspection. Please see the "tcp-request" keyword
5979for more detailed information on the subject.
5980
5981req_len <integer>
Emeric Brunbede3d02009-06-30 17:54:00 +02005982 Returns true when the length of the data in the request buffer matches the
Willy Tarreau62644772008-07-16 18:36:06 +02005983 specified range. It is important to understand that this test does not
5984 return false as long as the buffer is changing. This means that a check with
5985 equality to zero will almost always immediately match at the beginning of the
5986 session, while a test for more data will wait for that data to come in and
5987 return false only when haproxy is certain that no more data will come in.
5988 This test was designed to be used with TCP request content inspection.
5989
Willy Tarreau2492d5b2009-07-11 00:06:00 +02005990req_proto_http
5991 Returns true when data in the request buffer look like HTTP and correctly
5992 parses as such. It is the same parser as the common HTTP request parser which
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005993 is used so there should be no surprises. This test can be used for instance
Willy Tarreau2492d5b2009-07-11 00:06:00 +02005994 to direct HTTP traffic to a given port and HTTPS traffic to another one
5995 using TCP request content inspection rules.
5996
Emeric Brunbede3d02009-06-30 17:54:00 +02005997req_rdp_cookie <string>
5998req_rdp_cookie(name) <string>
5999 Returns true when data in the request buffer look like the RDP protocol, and
6000 a cookie is present and equal to <string>. By default, any cookie name is
6001 checked, but a specific cookie name can be specified in parenthesis. The
6002 parser only checks for the first cookie, as illustrated in the RDP protocol
6003 specification. The cookie name is case insensitive. This ACL can be useful
6004 with the "MSTS" cookie, as it can contain the user name of the client
6005 connecting to the server if properly configured on the client. This can be
6006 used to restrict access to certain servers to certain users.
6007
6008req_rdp_cookie_cnt <integer>
6009req_rdp_cookie_cnt(name) <integer>
6010 Returns true when the data in the request buffer look like the RDP protocol
6011 and the number of RDP cookies matches the specified range (typically zero or
6012 one). Optionally a specific cookie name can be checked. This is a simple way
6013 of detecting the RDP protocol, as clients generally send the MSTS or MSTSHASH
6014 cookies.
6015
Willy Tarreau62644772008-07-16 18:36:06 +02006016req_ssl_ver <decimal>
6017 Returns true when data in the request buffer look like SSL, with a protocol
6018 version matching the specified range. Both SSLv2 hello messages and SSLv3
6019 messages are supported. The test tries to be strict enough to avoid being
6020 easily fooled. In particular, it waits for as many bytes as announced in the
6021 message header if this header looks valid (bound to the buffer size). Note
6022 that TLSv1 is announced as SSL version 3.1. This test was designed to be used
6023 with TCP request content inspection.
6024
Willy Tarreaub6fb4202008-07-20 11:18:28 +02006025wait_end
6026 Waits for the end of the analysis period to return true. This may be used in
6027 conjunction with content analysis to avoid returning a wrong verdict early.
6028 It may also be used to delay some actions, such as a delayed reject for some
6029 special addresses. Since it either stops the rules evaluation or immediately
6030 returns true, it is recommended to use this acl as the last one in a rule.
6031 Please note that the default ACL "WAIT_END" is always usable without prior
6032 declaration. This test was designed to be used with TCP request content
6033 inspection.
6034
6035 Examples :
6036 # delay every incoming request by 2 seconds
6037 tcp-request inspect-delay 2s
6038 tcp-request content accept if WAIT_END
6039
6040 # don't immediately tell bad guys they are rejected
6041 tcp-request inspect-delay 10s
6042 acl goodguys src 10.0.0.0/24
6043 acl badguys src 10.0.1.0/24
6044 tcp-request content accept if goodguys
6045 tcp-request content reject if badguys WAIT_END
6046 tcp-request content reject
6047
Willy Tarreau62644772008-07-16 18:36:06 +02006048
Willy Tarreauc57f0e22009-05-10 13:12:33 +020060497.5.3. Matching at Layer 7
6050--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01006051
Willy Tarreau62644772008-07-16 18:36:06 +02006052A third set of criteria applies to information which can be found at the
Willy Tarreau0ba27502007-12-24 16:55:16 +01006053application layer (layer 7). Those require that a full HTTP request has been
6054read, and are only evaluated then. They may require slightly more CPU resources
6055than the layer 4 ones, but not much since the request and response are indexed.
6056
Willy Tarreau6a06a402007-07-15 20:15:28 +02006057method <string>
6058 Applies to the method in the HTTP request, eg: "GET". Some predefined ACL
6059 already check for most common methods.
6060
Willy Tarreauc097e322010-01-31 15:54:35 +01006061status <integer>
6062 Applies to the HTTP status code in the HTTP response, eg: "302". It can be
6063 used to act on responses depending on status ranges, for instance, remove
6064 any Location header if the response is not a 3xx.
6065
Willy Tarreau6a06a402007-07-15 20:15:28 +02006066req_ver <string>
6067 Applies to the version string in the HTTP request, eg: "1.0". Some predefined
6068 ACL already check for versions 1.0 and 1.1.
6069
6070path <string>
6071 Returns true when the path part of the request, which starts at the first
6072 slash and ends before the question mark, equals one of the strings. It may be
6073 used to match known files, such as /favicon.ico.
6074
6075path_beg <string>
Willy Tarreau0ba27502007-12-24 16:55:16 +01006076 Returns true when the path begins with one of the strings. This can be used
6077 to send certain directory names to alternative backends.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006078
6079path_end <string>
6080 Returns true when the path ends with one of the strings. This may be used to
6081 control file name extension.
6082
6083path_sub <string>
6084 Returns true when the path contains one of the strings. It can be used to
6085 detect particular patterns in paths, such as "../" for example. See also
6086 "path_dir".
6087
6088path_dir <string>
6089 Returns true when one of the strings is found isolated or delimited with
6090 slashes in the path. This is used to perform filename or directory name
6091 matching without the risk of wrong match due to colliding prefixes. See also
6092 "url_dir" and "path_sub".
6093
6094path_dom <string>
6095 Returns true when one of the strings is found isolated or delimited with dots
6096 in the path. This may be used to perform domain name matching in proxy
6097 requests. See also "path_sub" and "url_dom".
6098
6099path_reg <regex>
6100 Returns true when the path matches one of the regular expressions. It can be
6101 used any time, but it is important to remember that regex matching is slower
6102 than other methods. See also "url_reg" and all "path_" criteria.
6103
6104url <string>
6105 Applies to the whole URL passed in the request. The only real use is to match
6106 "*", for which there already is a predefined ACL.
6107
6108url_beg <string>
6109 Returns true when the URL begins with one of the strings. This can be used to
6110 check whether a URL begins with a slash or with a protocol scheme.
6111
6112url_end <string>
6113 Returns true when the URL ends with one of the strings. It has very limited
6114 use. "path_end" should be used instead for filename matching.
6115
6116url_sub <string>
6117 Returns true when the URL contains one of the strings. It can be used to
6118 detect particular patterns in query strings for example. See also "path_sub".
6119
6120url_dir <string>
6121 Returns true when one of the strings is found isolated or delimited with
6122 slashes in the URL. This is used to perform filename or directory name
6123 matching without the risk of wrong match due to colliding prefixes. See also
6124 "path_dir" and "url_sub".
6125
6126url_dom <string>
6127 Returns true when one of the strings is found isolated or delimited with dots
6128 in the URL. This is used to perform domain name matching without the risk of
6129 wrong match due to colliding prefixes. See also "url_sub".
6130
6131url_reg <regex>
6132 Returns true when the URL matches one of the regular expressions. It can be
6133 used any time, but it is important to remember that regex matching is slower
6134 than other methods. See also "path_reg" and all "url_" criteria.
6135
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01006136url_ip <ip_address>
Willy Tarreau0ba27502007-12-24 16:55:16 +01006137 Applies to the IP address specified in the absolute URI in an HTTP request.
6138 It can be used to prevent access to certain resources such as local network.
Willy Tarreau198a7442008-01-17 12:05:32 +01006139 It is useful with option "http_proxy".
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01006140
6141url_port <integer>
Willy Tarreau0ba27502007-12-24 16:55:16 +01006142 Applies to the port specified in the absolute URI in an HTTP request. It can
6143 be used to prevent access to certain resources. It is useful with option
Willy Tarreau198a7442008-01-17 12:05:32 +01006144 "http_proxy". Note that if the port is not specified in the request, port 80
Willy Tarreau0ba27502007-12-24 16:55:16 +01006145 is assumed.
Alexandre Cassen5eb1a902007-11-29 15:43:32 +01006146
Willy Tarreaud72758d2010-01-12 10:42:19 +01006147hdr <string>
Willy Tarreau6a06a402007-07-15 20:15:28 +02006148hdr(header) <string>
6149 Note: all the "hdr*" matching criteria either apply to all headers, or to a
6150 particular header whose name is passed between parenthesis and without any
Willy Tarreau0ba27502007-12-24 16:55:16 +01006151 space. The header name is not case-sensitive. The header matching complies
6152 with RFC2616, and treats as separate headers all values delimited by commas.
Willy Tarreauc097e322010-01-31 15:54:35 +01006153 Use the shdr() variant for response headers sent by the server.
Willy Tarreau6a06a402007-07-15 20:15:28 +02006154
6155 The "hdr" criteria returns true if any of the headers matching the criteria
Willy Tarreau0ba27502007-12-24 16:55:16 +01006156 match any of the strings. This can be used to check exact for values. For
Willy Tarreau6a06a402007-07-15 20:15:28 +02006157 instance, checking that "connection: close" is set :
6158
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006159 hdr(Connection) -i close
Willy Tarreau21d2af32008-02-14 20:25:24 +01006160
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006161hdr_beg <string>
6162hdr_beg(header) <string>
6163 Returns true when one of the headers begins with one of the strings. See
Willy Tarreauc097e322010-01-31 15:54:35 +01006164 "hdr" for more information on header matching. Use the shdr_beg() variant for
6165 response headers sent by the server.
Willy Tarreau21d2af32008-02-14 20:25:24 +01006166
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006167hdr_end <string>
6168hdr_end(header) <string>
6169 Returns true when one of the headers ends with one of the strings. See "hdr"
Willy Tarreauc097e322010-01-31 15:54:35 +01006170 for more information on header matching. Use the shdr_end() variant for
6171 response headers sent by the server.
Willy Tarreau198a7442008-01-17 12:05:32 +01006172
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006173hdr_sub <string>
6174hdr_sub(header) <string>
6175 Returns true when one of the headers contains one of the strings. See "hdr"
Willy Tarreauc097e322010-01-31 15:54:35 +01006176 for more information on header matching. Use the shdr_sub() variant for
6177 response headers sent by the server.
Willy Tarreau5764b382007-11-30 17:46:49 +01006178
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006179hdr_dir <string>
6180hdr_dir(header) <string>
6181 Returns true when one of the headers contains one of the strings either
6182 isolated or delimited by slashes. This is used to perform filename or
6183 directory name matching, and may be used with Referer. See "hdr" for more
Willy Tarreauc097e322010-01-31 15:54:35 +01006184 information on header matching. Use the shdr_dir() variant for response
6185 headers sent by the server.
Willy Tarreau5764b382007-11-30 17:46:49 +01006186
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006187hdr_dom <string>
6188hdr_dom(header) <string>
6189 Returns true when one of the headers contains one of the strings either
6190 isolated or delimited by dots. This is used to perform domain name matching,
6191 and may be used with the Host header. See "hdr" for more information on
Willy Tarreauc097e322010-01-31 15:54:35 +01006192 header matching. Use the shdr_dom() variant for response headers sent by the
6193 server.
Willy Tarreau5764b382007-11-30 17:46:49 +01006194
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006195hdr_reg <regex>
6196hdr_reg(header) <regex>
6197 Returns true when one of the headers matches of the regular expressions. It
6198 can be used at any time, but it is important to remember that regex matching
6199 is slower than other methods. See also other "hdr_" criteria, as well as
Willy Tarreauc097e322010-01-31 15:54:35 +01006200 "hdr" for more information on header matching. Use the shdr_reg() variant for
6201 response headers sent by the server.
Willy Tarreau5764b382007-11-30 17:46:49 +01006202
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006203hdr_val <integer>
6204hdr_val(header) <integer>
6205 Returns true when one of the headers starts with a number which matches the
6206 values or ranges specified. This may be used to limit content-length to
6207 acceptable values for example. See "hdr" for more information on header
Willy Tarreauc097e322010-01-31 15:54:35 +01006208 matching. Use the shdr_val() variant for response headers sent by the server.
Willy Tarreau198a7442008-01-17 12:05:32 +01006209
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006210hdr_cnt <integer>
6211hdr_cnt(header) <integer>
6212 Returns true when the number of occurrence of the specified header matches
6213 the values or ranges specified. It is important to remember that one header
6214 line may count as several headers if it has several values. This is used to
6215 detect presence, absence or abuse of a specific header, as well as to block
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006216 request smuggling attacks by rejecting requests which contain more than one
Willy Tarreauc097e322010-01-31 15:54:35 +01006217 of certain headers. See "hdr" for more information on header matching. Use
6218 the shdr_cnt() variant for response headers sent by the server.
Krzysztof Piotr Oledzkic8b16fc2008-02-18 01:26:35 +01006219
Willy Tarreau106f9792009-09-19 07:54:16 +02006220hdr_ip <ip_address>
6221hdr_ip(header) <ip_address>
6222 Returns true when one of the headers' values contains an IP address matching
6223 <ip_address>. This is mainly used with headers such as X-Forwarded-For or
Willy Tarreauc097e322010-01-31 15:54:35 +01006224 X-Client-IP. See "hdr" for more information on header matching. Use the
6225 shdr_ip() variant for response headers sent by the server.
Willy Tarreau106f9792009-09-19 07:54:16 +02006226
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01006227http_auth(userlist)
6228http_auth_group(userlist) <group> [<group>]*
6229 Returns true when authentication data received from the client matches
6230 username & password stored on the userlist. It is also possible to
6231 use http_auth_group to check if the user is assigned to at least one
6232 of specified groups.
6233
6234 Currently only http basic auth is supported.
6235
Willy Tarreau198a7442008-01-17 12:05:32 +01006236
Willy Tarreauc57f0e22009-05-10 13:12:33 +020062377.6. Pre-defined ACLs
6238---------------------
Willy Tarreauced27012008-01-17 20:35:34 +01006239
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006240Some predefined ACLs are hard-coded so that they do not have to be declared in
6241every frontend which needs them. They all have their names in upper case in
6242order to avoid confusion. Their equivalence is provided below. Please note that
6243only the first three ones are not layer 7 based.
Willy Tarreauced27012008-01-17 20:35:34 +01006244
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006245ACL name Equivalent to Usage
6246---------------+-----------------------------+---------------------------------
6247TRUE always_true always match
6248FALSE always_false never match
6249LOCALHOST src 127.0.0.1/8 match connection from local host
Willy Tarreau2492d5b2009-07-11 00:06:00 +02006250HTTP req_proto_http match if protocol is valid HTTP
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006251HTTP_1.0 req_ver 1.0 match HTTP version 1.0
6252HTTP_1.1 req_ver 1.1 match HTTP version 1.1
6253METH_CONNECT method CONNECT match HTTP CONNECT method
6254METH_GET method GET HEAD match HTTP GET or HEAD method
6255METH_HEAD method HEAD match HTTP HEAD method
6256METH_OPTIONS method OPTIONS match HTTP OPTIONS method
6257METH_POST method POST match HTTP POST method
6258METH_TRACE method TRACE match HTTP TRACE method
6259HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006260HTTP_URL_SLASH url_beg / match URL beginning with "/"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006261HTTP_URL_STAR url * match URL equal to "*"
6262HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
Emeric Brunbede3d02009-06-30 17:54:00 +02006263RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006264REQ_CONTENT req_len gt 0 match data in the request buffer
6265WAIT_END wait_end wait for end of content analysis
6266---------------+-----------------------------+---------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01006267
Willy Tarreauced27012008-01-17 20:35:34 +01006268
Willy Tarreauc57f0e22009-05-10 13:12:33 +020062697.7. Using ACLs to form conditions
6270----------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +01006271
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006272Some actions are only performed upon a valid condition. A condition is a
6273combination of ACLs with operators. 3 operators are supported :
Willy Tarreauced27012008-01-17 20:35:34 +01006274
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006275 - AND (implicit)
6276 - OR (explicit with the "or" keyword or the "||" operator)
6277 - Negation with the exclamation mark ("!")
Willy Tarreauced27012008-01-17 20:35:34 +01006278
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006279A condition is formed as a disjunctive form:
Willy Tarreauced27012008-01-17 20:35:34 +01006280
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006281 [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Willy Tarreauced27012008-01-17 20:35:34 +01006282
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006283Such conditions are generally used after an "if" or "unless" statement,
6284indicating when the condition will trigger the action.
Willy Tarreauced27012008-01-17 20:35:34 +01006285
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006286For instance, to block HTTP requests to the "*" URL with methods other than
6287"OPTIONS", as well as POST requests without content-length, and GET or HEAD
6288requests with a content-length greater than 0, and finally every request which
6289is not either GET/HEAD/POST/OPTIONS !
Willy Tarreauced27012008-01-17 20:35:34 +01006290
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006291 acl missing_cl hdr_cnt(Content-length) eq 0
6292 block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
6293 block if METH_GET HTTP_CONTENT
6294 block unless METH_GET or METH_POST or METH_OPTIONS
Willy Tarreauced27012008-01-17 20:35:34 +01006295
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006296To select a different backend for requests to static contents on the "www" site
6297and to every request on the "img", "video", "download" and "ftp" hosts :
Willy Tarreauced27012008-01-17 20:35:34 +01006298
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006299 acl url_static path_beg /static /images /img /css
6300 acl url_static path_end .gif .png .jpg .css .js
6301 acl host_www hdr_beg(host) -i www
6302 acl host_static hdr_beg(host) -i img. video. download. ftp.
Willy Tarreauced27012008-01-17 20:35:34 +01006303
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006304 # now use backend "static" for all static-only hosts, and for static urls
6305 # of host "www". Use backend "www" for the rest.
6306 use_backend static if host_static or host_www url_static
6307 use_backend www if host_www
Willy Tarreauced27012008-01-17 20:35:34 +01006308
Willy Tarreau95fa4692010-02-01 13:05:50 +01006309It is also possible to form rules using "anonymous ACLs". Those are unnamed ACL
6310expressions that are built on the fly without needing to be declared. They must
6311be enclosed between braces, with a space before and after each brace (because
6312the braces must be seen as independant words). Example :
6313
6314 The following rule :
6315
6316 acl missing_cl hdr_cnt(Content-length) eq 0
6317 block if METH_POST missing_cl
6318
6319 Can also be written that way :
6320
6321 block if METH_POST { hdr_cnt(Content-length) eq 0 }
6322
6323It is generally not recommended to use this construct because it's a lot easier
6324to leave errors in the configuration when written that way. However, for very
6325simple rules matching only one source IP address for instance, it can make more
6326sense to use them than to declare ACLs with random names. Another example of
6327good use is the following :
6328
6329 With named ACLs :
6330
6331 acl site_dead nbsrv(dynamic) lt 2
6332 acl site_dead nbsrv(static) lt 2
6333 monitor fail if site_dead
6334
6335 With anonymous ACLs :
6336
6337 monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
6338
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006339See section 4.2 for detailed help on the "block" and "use_backend" keywords.
Willy Tarreauced27012008-01-17 20:35:34 +01006340
Willy Tarreau5764b382007-11-30 17:46:49 +01006341
Willy Tarreaub937b7e2010-01-12 15:27:54 +010063427.8. Pattern extraction
6343-----------------------
6344
6345The stickiness features relies on pattern extraction in the request and
6346response. Sometimes the data needs to be converted first before being stored,
6347for instance converted from ASCII to IP or upper case to lower case.
6348
6349All these operations of data extraction and conversion are defined as
6350"pattern extraction rules". A pattern rule always has the same format. It
6351begins with a single pattern fetch word, potentially followed by a list of
6352arguments within parenthesis then an optional list of transformations. As
6353much as possible, the pattern fetch functions use the same name as their
6354equivalent used in ACLs.
6355
6356The list of currently supported pattern fetch functions is the following :
6357
6358 src This is the source IPv4 address of the client of the session.
6359 It is of type IP and only works with such tables.
6360
6361 dst This is the destination IPv4 address of the session on the
6362 client side, which is the address the client connected to.
6363 It can be useful when running in transparent mode. It is of
6364 typie IP and only works with such tables.
6365
6366 dst_port This is the destination TCP port of the session on the client
6367 side, which is the port the client connected to. This might be
6368 used when running in transparent mode or when assigning dynamic
6369 ports to some clients for a whole application session. It is of
6370 type integer and only works with such tables.
6371
6372
6373The currently available list of transformations include :
6374
6375 lower Convert a string pattern to lower case. This can only be placed
6376 after a string pattern fetch function or after a conversion
6377 function returning a string type. The result is of type string.
6378
6379 upper Convert a string pattern to upper case. This can only be placed
6380 after a string pattern fetch function or after a conversion
6381 function returning a string type. The result is of type string.
6382
Willy Tarreaud31d6eb2010-01-26 18:01:41 +01006383 ipmask(mask) Apply a mask to an IPv4 address, and use the result for lookups
6384 and storage. This can be used to make all hosts within a
6385 certain mask to share the same table entries and as such use
6386 the same server. The mask can be passed in dotted form (eg:
6387 255.255.255.0) or in CIDR form (eg: 24).
6388
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006389
Willy Tarreauc57f0e22009-05-10 13:12:33 +020063908. Logging
6391----------
Willy Tarreau844e3c52008-01-11 16:28:18 +01006392
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006393One of HAProxy's strong points certainly lies is its precise logs. It probably
6394provides the finest level of information available for such a product, which is
6395very important for troubleshooting complex environments. Standard information
6396provided in logs include client ports, TCP/HTTP state timers, precise session
6397state at termination and precise termination cause, information about decisions
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006398to direct traffic to a server, and of course the ability to capture arbitrary
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006399headers.
6400
6401In order to improve administrators reactivity, it offers a great transparency
6402about encountered problems, both internal and external, and it is possible to
6403send logs to different sources at the same time with different level filters :
6404
6405 - global process-level logs (system errors, start/stop, etc..)
6406 - per-instance system and internal errors (lack of resource, bugs, ...)
6407 - per-instance external troubles (servers up/down, max connections)
6408 - per-instance activity (client connections), either at the establishment or
6409 at the termination.
6410
6411The ability to distribute different levels of logs to different log servers
6412allow several production teams to interact and to fix their problems as soon
6413as possible. For example, the system team might monitor system-wide errors,
6414while the application team might be monitoring the up/down for their servers in
6415real time, and the security team might analyze the activity logs with one hour
6416delay.
6417
6418
Willy Tarreauc57f0e22009-05-10 13:12:33 +020064198.1. Log levels
6420---------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006421
6422TCP and HTTP connections can be logged with informations such as date, time,
6423source IP address, destination address, connection duration, response times,
6424HTTP request, the HTTP return code, number of bytes transmitted, the conditions
6425in which the session ended, and even exchanged cookies values, to track a
6426particular user's problems for example. All messages are sent to up to two
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006427syslog servers. Check the "log" keyword in section 4.2 for more info about log
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006428facilities.
6429
6430
Willy Tarreauc57f0e22009-05-10 13:12:33 +020064318.2. Log formats
6432----------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006433
Emeric Brun3a058f32009-06-30 18:26:00 +02006434HAProxy supports 4 log formats. Several fields are common between these formats
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006435and will be detailed in the next sections. A few of them may slightly vary with
6436the configuration, due to indicators specific to certain options. The supported
6437formats are the following ones :
6438
6439 - the default format, which is very basic and very rarely used. It only
6440 provides very basic information about the incoming connection at the moment
6441 it is accepted : source IP:port, destination IP:port, and frontend-name.
6442 This mode will eventually disappear so it will not be described to great
6443 extents.
6444
6445 - the TCP format, which is more advanced. This format is enabled when "option
6446 tcplog" is set on the frontend. HAProxy will then usually wait for the
6447 connection to terminate before logging. This format provides much richer
6448 information, such as timers, connection counts, queue size, etc... This
6449 format is recommended for pure TCP proxies.
6450
6451 - the HTTP format, which is the most advanced for HTTP proxying. This format
6452 is enabled when "option httplog" is set on the frontend. It provides the
6453 same information as the TCP format with some HTTP-specific fields such as
6454 the request, the status code, and captures of headers and cookies. This
6455 format is recommended for HTTP proxies.
6456
Emeric Brun3a058f32009-06-30 18:26:00 +02006457 - the CLF HTTP format, which is equivalent to the HTTP format, but with the
6458 fields arranged in the same order as the CLF format. In this mode, all
6459 timers, captures, flags, etc... appear one per field after the end of the
6460 common fields, in the same order they appear in the standard HTTP format.
6461
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006462Next sections will go deeper into details for each of these formats. Format
6463specification will be performed on a "field" basis. Unless stated otherwise, a
6464field is a portion of text delimited by any number of spaces. Since syslog
6465servers are susceptible of inserting fields at the beginning of a line, it is
6466always assumed that the first field is the one containing the process name and
6467identifier.
6468
6469Note : Since log lines may be quite long, the log examples in sections below
6470 might be broken into multiple lines. The example log lines will be
6471 prefixed with 3 closing angle brackets ('>>>') and each time a log is
6472 broken into multiple lines, each non-final line will end with a
6473 backslash ('\') and the next line will start indented by two characters.
6474
6475
Willy Tarreauc57f0e22009-05-10 13:12:33 +020064768.2.1. Default log format
6477-------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006478
6479This format is used when no specific option is set. The log is emitted as soon
6480as the connection is accepted. One should note that this currently is the only
6481format which logs the request's destination IP and ports.
6482
6483 Example :
6484 listen www
6485 mode http
6486 log global
6487 server srv1 127.0.0.1:8000
6488
6489 >>> Feb 6 12:12:09 localhost \
6490 haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
6491 (www/HTTP)
6492
6493 Field Format Extract from the example above
6494 1 process_name '[' pid ']:' haproxy[14385]:
6495 2 'Connect from' Connect from
6496 3 source_ip ':' source_port 10.0.1.2:33312
6497 4 'to' to
6498 5 destination_ip ':' destination_port 10.0.3.31:8012
6499 6 '(' frontend_name '/' mode ')' (www/HTTP)
6500
6501Detailed fields description :
6502 - "source_ip" is the IP address of the client which initiated the connection.
6503 - "source_port" is the TCP port of the client which initiated the connection.
6504 - "destination_ip" is the IP address the client connected to.
6505 - "destination_port" is the TCP port the client connected to.
6506 - "frontend_name" is the name of the frontend (or listener) which received
6507 and processed the connection.
6508 - "mode is the mode the frontend is operating (TCP or HTTP).
6509
6510It is advised not to use this deprecated format for newer installations as it
6511will eventually disappear.
6512
6513
Willy Tarreauc57f0e22009-05-10 13:12:33 +020065148.2.2. TCP log format
6515---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006516
6517The TCP format is used when "option tcplog" is specified in the frontend, and
6518is the recommended format for pure TCP proxies. It provides a lot of precious
6519information for troubleshooting. Since this format includes timers and byte
6520counts, the log is normally emitted at the end of the session. It can be
6521emitted earlier if "option logasap" is specified, which makes sense in most
6522environments with long sessions such as remote terminals. Sessions which match
6523the "monitor" rules are never logged. It is also possible not to emit logs for
6524sessions for which no data were exchanged between the client and the server, by
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02006525specifying "option dontlognull" in the frontend. Successful connections will
6526not be logged if "option dontlog-normal" is specified in the frontend. A few
6527fields may slightly vary depending on some configuration options, those are
6528marked with a star ('*') after the field name below.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006529
6530 Example :
6531 frontend fnt
6532 mode tcp
6533 option tcplog
6534 log global
6535 default_backend bck
6536
6537 backend bck
6538 server srv1 127.0.0.1:8000
6539
6540 >>> Feb 6 12:12:56 localhost \
6541 haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
6542 bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
6543
6544 Field Format Extract from the example above
6545 1 process_name '[' pid ']:' haproxy[14387]:
6546 2 client_ip ':' client_port 10.0.1.2:33313
6547 3 '[' accept_date ']' [06/Feb/2009:12:12:51.443]
6548 4 frontend_name fnt
6549 5 backend_name '/' server_name bck/srv1
6550 6 Tw '/' Tc '/' Tt* 0/0/5007
6551 7 bytes_read* 212
6552 8 termination_state --
6553 9 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 0/0/0/0/3
6554 10 srv_queue '/' backend_queue 0/0
6555
6556Detailed fields description :
6557 - "client_ip" is the IP address of the client which initiated the TCP
6558 connection to haproxy.
6559
6560 - "client_port" is the TCP port of the client which initiated the connection.
6561
6562 - "accept_date" is the exact date when the connection was received by haproxy
6563 (which might be very slightly different from the date observed on the
6564 network if there was some queuing in the system's backlog). This is usually
6565 the same date which may appear in any upstream firewall's log.
6566
6567 - "frontend_name" is the name of the frontend (or listener) which received
6568 and processed the connection.
6569
6570 - "backend_name" is the name of the backend (or listener) which was selected
6571 to manage the connection to the server. This will be the same as the
6572 frontend if no switching rule has been applied, which is common for TCP
6573 applications.
6574
6575 - "server_name" is the name of the last server to which the connection was
6576 sent, which might differ from the first one if there were connection errors
6577 and a redispatch occurred. Note that this server belongs to the backend
6578 which processed the request. If the connection was aborted before reaching
6579 a server, "<NOSRV>" is indicated instead of a server name.
6580
6581 - "Tw" is the total time in milliseconds spent waiting in the various queues.
6582 It can be "-1" if the connection was aborted before reaching the queue.
6583 See "Timers" below for more details.
6584
6585 - "Tc" is the total time in milliseconds spent waiting for the connection to
6586 establish to the final server, including retries. It can be "-1" if the
6587 connection was aborted before a connection could be established. See
6588 "Timers" below for more details.
6589
6590 - "Tt" is the total time in milliseconds elapsed between the accept and the
6591 last close. It covers all possible processings. There is one exception, if
6592 "option logasap" was specified, then the time counting stops at the moment
6593 the log is emitted. In this case, a '+' sign is prepended before the value,
6594 indicating that the final one will be larger. See "Timers" below for more
6595 details.
6596
6597 - "bytes_read" is the total number of bytes transmitted from the server to
6598 the client when the log is emitted. If "option logasap" is specified, the
6599 this value will be prefixed with a '+' sign indicating that the final one
6600 may be larger. Please note that this value is a 64-bit counter, so log
6601 analysis tools must be able to handle it without overflowing.
6602
6603 - "termination_state" is the condition the session was in when the session
6604 ended. This indicates the session state, which side caused the end of
6605 session to happen, and for what reason (timeout, error, ...). The normal
6606 flags should be "--", indicating the session was closed by either end with
6607 no data remaining in buffers. See below "Session state at disconnection"
6608 for more details.
6609
6610 - "actconn" is the total number of concurrent connections on the process when
6611 the session was logged. It it useful to detect when some per-process system
6612 limits have been reached. For instance, if actconn is close to 512 when
6613 multiple connection errors occur, chances are high that the system limits
6614 the process to use a maximum of 1024 file descriptors and that all of them
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006615 are used. See section 3 "Global parameters" to find how to tune the system.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006616
6617 - "feconn" is the total number of concurrent connections on the frontend when
6618 the session was logged. It is useful to estimate the amount of resource
6619 required to sustain high loads, and to detect when the frontend's "maxconn"
6620 has been reached. Most often when this value increases by huge jumps, it is
6621 because there is congestion on the backend servers, but sometimes it can be
6622 caused by a denial of service attack.
6623
6624 - "beconn" is the total number of concurrent connections handled by the
6625 backend when the session was logged. It includes the total number of
6626 concurrent connections active on servers as well as the number of
6627 connections pending in queues. It is useful to estimate the amount of
6628 additional servers needed to support high loads for a given application.
6629 Most often when this value increases by huge jumps, it is because there is
6630 congestion on the backend servers, but sometimes it can be caused by a
6631 denial of service attack.
6632
6633 - "srv_conn" is the total number of concurrent connections still active on
6634 the server when the session was logged. It can never exceed the server's
6635 configured "maxconn" parameter. If this value is very often close or equal
6636 to the server's "maxconn", it means that traffic regulation is involved a
6637 lot, meaning that either the server's maxconn value is too low, or that
6638 there aren't enough servers to process the load with an optimal response
6639 time. When only one of the server's "srv_conn" is high, it usually means
6640 that this server has some trouble causing the connections to take longer to
6641 be processed than on other servers.
6642
6643 - "retries" is the number of connection retries experienced by this session
6644 when trying to connect to the server. It must normally be zero, unless a
6645 server is being stopped at the same moment the connection was attempted.
6646 Frequent retries generally indicate either a network problem between
6647 haproxy and the server, or a misconfigured system backlog on the server
6648 preventing new connections from being queued. This field may optionally be
6649 prefixed with a '+' sign, indicating that the session has experienced a
6650 redispatch after the maximal retry count has been reached on the initial
6651 server. In this case, the server name appearing in the log is the one the
6652 connection was redispatched to, and not the first one, though both may
6653 sometimes be the same in case of hashing for instance. So as a general rule
6654 of thumb, when a '+' is present in front of the retry count, this count
6655 should not be attributed to the logged server.
6656
6657 - "srv_queue" is the total number of requests which were processed before
6658 this one in the server queue. It is zero when the request has not gone
6659 through the server queue. It makes it possible to estimate the approximate
6660 server's response time by dividing the time spent in queue by the number of
6661 requests in the queue. It is worth noting that if a session experiences a
6662 redispatch and passes through two server queues, their positions will be
6663 cumulated. A request should not pass through both the server queue and the
6664 backend queue unless a redispatch occurs.
6665
6666 - "backend_queue" is the total number of requests which were processed before
6667 this one in the backend's global queue. It is zero when the request has not
6668 gone through the global queue. It makes it possible to estimate the average
6669 queue length, which easily translates into a number of missing servers when
6670 divided by a server's "maxconn" parameter. It is worth noting that if a
6671 session experiences a redispatch, it may pass twice in the backend's queue,
6672 and then both positions will be cumulated. A request should not pass
6673 through both the server queue and the backend queue unless a redispatch
6674 occurs.
6675
6676
Willy Tarreauc57f0e22009-05-10 13:12:33 +020066778.2.3. HTTP log format
6678----------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006679
6680The HTTP format is the most complete and the best suited for HTTP proxies. It
6681is enabled by when "option httplog" is specified in the frontend. It provides
6682the same level of information as the TCP format with additional features which
6683are specific to the HTTP protocol. Just like the TCP format, the log is usually
6684emitted at the end of the session, unless "option logasap" is specified, which
6685generally only makes sense for download sites. A session which matches the
6686"monitor" rules will never logged. It is also possible not to log sessions for
6687which no data were sent by the client by specifying "option dontlognull" in the
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02006688frontend. Successful connections will not be logged if "option dontlog-normal"
6689is specified in the frontend.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006690
6691Most fields are shared with the TCP log, some being different. A few fields may
6692slightly vary depending on some configuration options. Those ones are marked
6693with a star ('*') after the field name below.
6694
6695 Example :
6696 frontend http-in
6697 mode http
6698 option httplog
6699 log global
6700 default_backend bck
6701
6702 backend static
6703 server srv1 127.0.0.1:8000
6704
6705 >>> Feb 6 12:14:14 localhost \
6706 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
6707 static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01006708 {} "GET /index.html HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006709
6710 Field Format Extract from the example above
6711 1 process_name '[' pid ']:' haproxy[14389]:
6712 2 client_ip ':' client_port 10.0.1.2:33317
6713 3 '[' accept_date ']' [06/Feb/2009:12:14:14.655]
6714 4 frontend_name http-in
6715 5 backend_name '/' server_name static/srv1
6716 6 Tq '/' Tw '/' Tc '/' Tr '/' Tt* 10/0/30/69/109
6717 7 status_code 200
6718 8 bytes_read* 2750
6719 9 captured_request_cookie -
6720 10 captured_response_cookie -
6721 11 termination_state ----
6722 12 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
6723 13 srv_queue '/' backend_queue 0/0
6724 14 '{' captured_request_headers* '}' {haproxy.1wt.eu}
6725 15 '{' captured_response_headers* '}' {}
6726 16 '"' http_request '"' "GET /index.html HTTP/1.1"
Willy Tarreaud72758d2010-01-12 10:42:19 +01006727
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006728
6729Detailed fields description :
6730 - "client_ip" is the IP address of the client which initiated the TCP
6731 connection to haproxy.
6732
6733 - "client_port" is the TCP port of the client which initiated the connection.
6734
6735 - "accept_date" is the exact date when the TCP connection was received by
6736 haproxy (which might be very slightly different from the date observed on
6737 the network if there was some queuing in the system's backlog). This is
6738 usually the same date which may appear in any upstream firewall's log. This
6739 does not depend on the fact that the client has sent the request or not.
6740
6741 - "frontend_name" is the name of the frontend (or listener) which received
6742 and processed the connection.
6743
6744 - "backend_name" is the name of the backend (or listener) which was selected
6745 to manage the connection to the server. This will be the same as the
6746 frontend if no switching rule has been applied.
6747
6748 - "server_name" is the name of the last server to which the connection was
6749 sent, which might differ from the first one if there were connection errors
6750 and a redispatch occurred. Note that this server belongs to the backend
6751 which processed the request. If the request was aborted before reaching a
6752 server, "<NOSRV>" is indicated instead of a server name. If the request was
6753 intercepted by the stats subsystem, "<STATS>" is indicated instead.
6754
6755 - "Tq" is the total time in milliseconds spent waiting for the client to send
6756 a full HTTP request, not counting data. It can be "-1" if the connection
6757 was aborted before a complete request could be received. It should always
6758 be very small because a request generally fits in one single packet. Large
6759 times here generally indicate network trouble between the client and
6760 haproxy. See "Timers" below for more details.
6761
6762 - "Tw" is the total time in milliseconds spent waiting in the various queues.
6763 It can be "-1" if the connection was aborted before reaching the queue.
6764 See "Timers" below for more details.
6765
6766 - "Tc" is the total time in milliseconds spent waiting for the connection to
6767 establish to the final server, including retries. It can be "-1" if the
6768 request was aborted before a connection could be established. See "Timers"
6769 below for more details.
6770
6771 - "Tr" is the total time in milliseconds spent waiting for the server to send
6772 a full HTTP response, not counting data. It can be "-1" if the request was
6773 aborted before a complete response could be received. It generally matches
6774 the server's processing time for the request, though it may be altered by
6775 the amount of data sent by the client to the server. Large times here on
6776 "GET" requests generally indicate an overloaded server. See "Timers" below
6777 for more details.
6778
6779 - "Tt" is the total time in milliseconds elapsed between the accept and the
6780 last close. It covers all possible processings. There is one exception, if
6781 "option logasap" was specified, then the time counting stops at the moment
6782 the log is emitted. In this case, a '+' sign is prepended before the value,
6783 indicating that the final one will be larger. See "Timers" below for more
6784 details.
6785
6786 - "status_code" is the HTTP status code returned to the client. This status
6787 is generally set by the server, but it might also be set by haproxy when
6788 the server cannot be reached or when its response is blocked by haproxy.
6789
6790 - "bytes_read" is the total number of bytes transmitted to the client when
6791 the log is emitted. This does include HTTP headers. If "option logasap" is
6792 specified, the this value will be prefixed with a '+' sign indicating that
6793 the final one may be larger. Please note that this value is a 64-bit
6794 counter, so log analysis tools must be able to handle it without
6795 overflowing.
6796
6797 - "captured_request_cookie" is an optional "name=value" entry indicating that
6798 the client had this cookie in the request. The cookie name and its maximum
6799 length are defined by the "capture cookie" statement in the frontend
6800 configuration. The field is a single dash ('-') when the option is not
6801 set. Only one cookie may be captured, it is generally used to track session
6802 ID exchanges between a client and a server to detect session crossing
6803 between clients due to application bugs. For more details, please consult
6804 the section "Capturing HTTP headers and cookies" below.
6805
6806 - "captured_response_cookie" is an optional "name=value" entry indicating
6807 that the server has returned a cookie with its response. The cookie name
6808 and its maximum length are defined by the "capture cookie" statement in the
6809 frontend configuration. The field is a single dash ('-') when the option is
6810 not set. Only one cookie may be captured, it is generally used to track
6811 session ID exchanges between a client and a server to detect session
6812 crossing between clients due to application bugs. For more details, please
6813 consult the section "Capturing HTTP headers and cookies" below.
6814
6815 - "termination_state" is the condition the session was in when the session
6816 ended. This indicates the session state, which side caused the end of
6817 session to happen, for what reason (timeout, error, ...), just like in TCP
6818 logs, and information about persistence operations on cookies in the last
6819 two characters. The normal flags should begin with "--", indicating the
6820 session was closed by either end with no data remaining in buffers. See
6821 below "Session state at disconnection" for more details.
6822
6823 - "actconn" is the total number of concurrent connections on the process when
6824 the session was logged. It it useful to detect when some per-process system
6825 limits have been reached. For instance, if actconn is close to 512 or 1024
6826 when multiple connection errors occur, chances are high that the system
6827 limits the process to use a maximum of 1024 file descriptors and that all
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006828 of them are used. See section 3 "Global parameters" to find how to tune the
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006829 system.
6830
6831 - "feconn" is the total number of concurrent connections on the frontend when
6832 the session was logged. It is useful to estimate the amount of resource
6833 required to sustain high loads, and to detect when the frontend's "maxconn"
6834 has been reached. Most often when this value increases by huge jumps, it is
6835 because there is congestion on the backend servers, but sometimes it can be
6836 caused by a denial of service attack.
6837
6838 - "beconn" is the total number of concurrent connections handled by the
6839 backend when the session was logged. It includes the total number of
6840 concurrent connections active on servers as well as the number of
6841 connections pending in queues. It is useful to estimate the amount of
6842 additional servers needed to support high loads for a given application.
6843 Most often when this value increases by huge jumps, it is because there is
6844 congestion on the backend servers, but sometimes it can be caused by a
6845 denial of service attack.
6846
6847 - "srv_conn" is the total number of concurrent connections still active on
6848 the server when the session was logged. It can never exceed the server's
6849 configured "maxconn" parameter. If this value is very often close or equal
6850 to the server's "maxconn", it means that traffic regulation is involved a
6851 lot, meaning that either the server's maxconn value is too low, or that
6852 there aren't enough servers to process the load with an optimal response
6853 time. When only one of the server's "srv_conn" is high, it usually means
6854 that this server has some trouble causing the requests to take longer to be
6855 processed than on other servers.
6856
6857 - "retries" is the number of connection retries experienced by this session
6858 when trying to connect to the server. It must normally be zero, unless a
6859 server is being stopped at the same moment the connection was attempted.
6860 Frequent retries generally indicate either a network problem between
6861 haproxy and the server, or a misconfigured system backlog on the server
6862 preventing new connections from being queued. This field may optionally be
6863 prefixed with a '+' sign, indicating that the session has experienced a
6864 redispatch after the maximal retry count has been reached on the initial
6865 server. In this case, the server name appearing in the log is the one the
6866 connection was redispatched to, and not the first one, though both may
6867 sometimes be the same in case of hashing for instance. So as a general rule
6868 of thumb, when a '+' is present in front of the retry count, this count
6869 should not be attributed to the logged server.
6870
6871 - "srv_queue" is the total number of requests which were processed before
6872 this one in the server queue. It is zero when the request has not gone
6873 through the server queue. It makes it possible to estimate the approximate
6874 server's response time by dividing the time spent in queue by the number of
6875 requests in the queue. It is worth noting that if a session experiences a
6876 redispatch and passes through two server queues, their positions will be
6877 cumulated. A request should not pass through both the server queue and the
6878 backend queue unless a redispatch occurs.
6879
6880 - "backend_queue" is the total number of requests which were processed before
6881 this one in the backend's global queue. It is zero when the request has not
6882 gone through the global queue. It makes it possible to estimate the average
6883 queue length, which easily translates into a number of missing servers when
6884 divided by a server's "maxconn" parameter. It is worth noting that if a
6885 session experiences a redispatch, it may pass twice in the backend's queue,
6886 and then both positions will be cumulated. A request should not pass
6887 through both the server queue and the backend queue unless a redispatch
6888 occurs.
6889
6890 - "captured_request_headers" is a list of headers captured in the request due
6891 to the presence of the "capture request header" statement in the frontend.
6892 Multiple headers can be captured, they will be delimited by a vertical bar
6893 ('|'). When no capture is enabled, the braces do not appear, causing a
6894 shift of remaining fields. It is important to note that this field may
6895 contain spaces, and that using it requires a smarter log parser than when
6896 it's not used. Please consult the section "Capturing HTTP headers and
6897 cookies" below for more details.
6898
6899 - "captured_response_headers" is a list of headers captured in the response
6900 due to the presence of the "capture response header" statement in the
6901 frontend. Multiple headers can be captured, they will be delimited by a
6902 vertical bar ('|'). When no capture is enabled, the braces do not appear,
6903 causing a shift of remaining fields. It is important to note that this
6904 field may contain spaces, and that using it requires a smarter log parser
6905 than when it's not used. Please consult the section "Capturing HTTP headers
6906 and cookies" below for more details.
6907
6908 - "http_request" is the complete HTTP request line, including the method,
6909 request and HTTP version string. Non-printable characters are encoded (see
6910 below the section "Non-printable characters"). This is always the last
6911 field, and it is always delimited by quotes and is the only one which can
6912 contain quotes. If new fields are added to the log format, they will be
6913 added before this field. This field might be truncated if the request is
6914 huge and does not fit in the standard syslog buffer (1024 characters). This
6915 is the reason why this field must always remain the last one.
6916
6917
Willy Tarreauc57f0e22009-05-10 13:12:33 +020069188.3. Advanced logging options
6919-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006920
6921Some advanced logging options are often looked for but are not easy to find out
6922just by looking at the various options. Here is an entry point for the few
6923options which can enable better logging. Please refer to the keywords reference
6924for more information about their usage.
6925
6926
Willy Tarreauc57f0e22009-05-10 13:12:33 +020069278.3.1. Disabling logging of external tests
6928------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006929
6930It is quite common to have some monitoring tools perform health checks on
6931haproxy. Sometimes it will be a layer 3 load-balancer such as LVS or any
6932commercial load-balancer, and sometimes it will simply be a more complete
6933monitoring system such as Nagios. When the tests are very frequent, users often
6934ask how to disable logging for those checks. There are three possibilities :
6935
6936 - if connections come from everywhere and are just TCP probes, it is often
6937 desired to simply disable logging of connections without data exchange, by
6938 setting "option dontlognull" in the frontend. It also disables logging of
6939 port scans, which may or may not be desired.
6940
6941 - if the connection come from a known source network, use "monitor-net" to
6942 declare this network as monitoring only. Any host in this network will then
6943 only be able to perform health checks, and their requests will not be
6944 logged. This is generally appropriate to designate a list of equipments
6945 such as other load-balancers.
6946
6947 - if the tests are performed on a known URI, use "monitor-uri" to declare
6948 this URI as dedicated to monitoring. Any host sending this request will
6949 only get the result of a health-check, and the request will not be logged.
6950
6951
Willy Tarreauc57f0e22009-05-10 13:12:33 +020069528.3.2. Logging before waiting for the session to terminate
6953----------------------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006954
6955The problem with logging at end of connection is that you have no clue about
6956what is happening during very long sessions, such as remote terminal sessions
6957or large file downloads. This problem can be worked around by specifying
6958"option logasap" in the frontend. Haproxy will then log as soon as possible,
6959just before data transfer begins. This means that in case of TCP, it will still
6960log the connection status to the server, and in case of HTTP, it will log just
6961after processing the server headers. In this case, the number of bytes reported
6962is the number of header bytes sent to the client. In order to avoid confusion
6963with normal logs, the total time field and the number of bytes are prefixed
6964with a '+' sign which means that real numbers are certainly larger.
6965
6966
Willy Tarreauc57f0e22009-05-10 13:12:33 +020069678.3.3. Raising log level upon errors
6968------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02006969
6970Sometimes it is more convenient to separate normal traffic from errors logs,
6971for instance in order to ease error monitoring from log files. When the option
6972"log-separate-errors" is used, connections which experience errors, timeouts,
6973retries, redispatches or HTTP status codes 5xx will see their syslog level
6974raised from "info" to "err". This will help a syslog daemon store the log in
6975a separate file. It is very important to keep the errors in the normal traffic
6976file too, so that log ordering is not altered. You should also be careful if
6977you already have configured your syslog daemon to store all logs higher than
6978"notice" in an "admin" file, because the "err" level is higher than "notice".
6979
6980
Willy Tarreauc57f0e22009-05-10 13:12:33 +020069818.3.4. Disabling logging of successful connections
6982--------------------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02006983
6984Although this may sound strange at first, some large sites have to deal with
6985multiple thousands of logs per second and are experiencing difficulties keeping
6986them intact for a long time or detecting errors within them. If the option
6987"dontlog-normal" is set on the frontend, all normal connections will not be
6988logged. In this regard, a normal connection is defined as one without any
6989error, timeout, retry nor redispatch. In HTTP, the status code is checked too,
6990and a response with a status 5xx is not considered normal and will be logged
6991too. Of course, doing is is really discouraged as it will remove most of the
6992useful information from the logs. Do this only if you have no other
6993alternative.
6994
6995
Willy Tarreauc57f0e22009-05-10 13:12:33 +020069968.4. Timing events
6997------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01006998
6999Timers provide a great help in troubleshooting network problems. All values are
7000reported in milliseconds (ms). These timers should be used in conjunction with
7001the session termination flags. In TCP mode with "option tcplog" set on the
7002frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
7003mode, 5 control points are reported under the form "Tq/Tw/Tc/Tr/Tt" :
7004
7005 - Tq: total time to get the client request (HTTP mode only). It's the time
7006 elapsed between the moment the client connection was accepted and the
7007 moment the proxy received the last HTTP header. The value "-1" indicates
7008 that the end of headers (empty line) has never been seen. This happens when
7009 the client closes prematurely or times out.
7010
7011 - Tw: total time spent in the queues waiting for a connection slot. It
7012 accounts for backend queue as well as the server queues, and depends on the
7013 queue size, and the time needed for the server to complete previous
7014 requests. The value "-1" means that the request was killed before reaching
7015 the queue, which is generally what happens with invalid or denied requests.
7016
7017 - Tc: total time to establish the TCP connection to the server. It's the time
7018 elapsed between the moment the proxy sent the connection request, and the
7019 moment it was acknowledged by the server, or between the TCP SYN packet and
7020 the matching SYN/ACK packet in return. The value "-1" means that the
7021 connection never established.
7022
7023 - Tr: server response time (HTTP mode only). It's the time elapsed between
7024 the moment the TCP connection was established to the server and the moment
7025 the server sent its complete response headers. It purely shows its request
7026 processing time, without the network overhead due to the data transmission.
7027 It is worth noting that when the client has data to send to the server, for
7028 instance during a POST request, the time already runs, and this can distort
7029 apparent response time. For this reason, it's generally wise not to trust
7030 too much this field for POST requests initiated from clients behind an
7031 untrusted network. A value of "-1" here means that the last the response
7032 header (empty line) was never seen, most likely because the server timeout
7033 stroke before the server managed to process the request.
7034
7035 - Tt: total session duration time, between the moment the proxy accepted it
7036 and the moment both ends were closed. The exception is when the "logasap"
7037 option is specified. In this case, it only equals (Tq+Tw+Tc+Tr), and is
7038 prefixed with a '+' sign. From this field, we can deduce "Td", the data
7039 transmission time, by substracting other timers when valid :
7040
7041 Td = Tt - (Tq + Tw + Tc + Tr)
7042
7043 Timers with "-1" values have to be excluded from this equation. In TCP
7044 mode, "Tq" and "Tr" have to be excluded too. Note that "Tt" can never be
7045 negative.
7046
7047These timers provide precious indications on trouble causes. Since the TCP
7048protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
7049that timers close to multiples of 3s are nearly always related to lost packets
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007050due to network problems (wires, negotiation, congestion). Moreover, if "Tt" is
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007051close to a timeout value specified in the configuration, it often means that a
7052session has been aborted on timeout.
7053
7054Most common cases :
7055
7056 - If "Tq" is close to 3000, a packet has probably been lost between the
7057 client and the proxy. This is very rare on local networks but might happen
7058 when clients are on far remote networks and send large requests. It may
7059 happen that values larger than usual appear here without any network cause.
7060 Sometimes, during an attack or just after a resource starvation has ended,
7061 haproxy may accept thousands of connections in a few milliseconds. The time
7062 spent accepting these connections will inevitably slightly delay processing
7063 of other connections, and it can happen that request times in the order of
7064 a few tens of milliseconds are measured after a few thousands of new
7065 connections have been accepted at once.
7066
7067 - If "Tc" is close to 3000, a packet has probably been lost between the
7068 server and the proxy during the server connection phase. This value should
7069 always be very low, such as 1 ms on local networks and less than a few tens
7070 of ms on remote networks.
7071
Willy Tarreau55165fe2009-05-10 12:02:55 +02007072 - If "Tr" is nearly always lower than 3000 except some rare values which seem
7073 to be the average majored by 3000, there are probably some packets lost
7074 between the proxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007075
7076 - If "Tt" is large even for small byte counts, it generally is because
7077 neither the client nor the server decides to close the connection, for
7078 instance because both have agreed on a keep-alive connection mode. In order
7079 to solve this issue, it will be needed to specify "option httpclose" on
7080 either the frontend or the backend. If the problem persists, it means that
7081 the server ignores the "close" connection mode and expects the client to
7082 close. Then it will be required to use "option forceclose". Having the
7083 smallest possible 'Tt' is important when connection regulation is used with
7084 the "maxconn" option on the servers, since no new connection will be sent
7085 to the server until another one is released.
7086
7087Other noticeable HTTP log cases ('xx' means any value to be ignored) :
7088
7089 Tq/Tw/Tc/Tr/+Tt The "option logasap" is present on the frontend and the log
7090 was emitted before the data phase. All the timers are valid
7091 except "Tt" which is shorter than reality.
7092
7093 -1/xx/xx/xx/Tt The client was not able to send a complete request in time
7094 or it aborted too early. Check the session termination flags
7095 then "timeout http-request" and "timeout client" settings.
7096
7097 Tq/-1/xx/xx/Tt It was not possible to process the request, maybe because
7098 servers were out of order, because the request was invalid
7099 or forbidden by ACL rules. Check the session termination
7100 flags.
7101
7102 Tq/Tw/-1/xx/Tt The connection could not establish on the server. Either it
7103 actively refused it or it timed out after Tt-(Tq+Tw) ms.
7104 Check the session termination flags, then check the
7105 "timeout connect" setting. Note that the tarpit action might
7106 return similar-looking patterns, with "Tw" equal to the time
7107 the client connection was maintained open.
7108
7109 Tq/Tw/Tc/-1/Tt The server has accepted the connection but did not return
7110 a complete response in time, or it closed its connexion
7111 unexpectedly after Tt-(Tq+Tw+Tc) ms. Check the session
7112 termination flags, then check the "timeout server" setting.
7113
7114
Willy Tarreauc57f0e22009-05-10 13:12:33 +020071158.5. Session state at disconnection
7116-----------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007117
7118TCP and HTTP logs provide a session termination indicator in the
7119"termination_state" field, just before the number of active connections. It is
71202-characters long in TCP mode, and is extended to 4 characters in HTTP mode,
7121each of which has a special meaning :
7122
7123 - On the first character, a code reporting the first event which caused the
7124 session to terminate :
7125
7126 C : the TCP session was unexpectedly aborted by the client.
7127
7128 S : the TCP session was unexpectedly aborted by the server, or the
7129 server explicitly refused it.
7130
7131 P : the session was prematurely aborted by the proxy, because of a
7132 connection limit enforcement, because a DENY filter was matched,
7133 because of a security check which detected and blocked a dangerous
7134 error in server response which might have caused information leak
7135 (eg: cacheable cookie), or because the response was processed by
7136 the proxy (redirect, stats, etc...).
7137
7138 R : a resource on the proxy has been exhausted (memory, sockets, source
7139 ports, ...). Usually, this appears during the connection phase, and
7140 system logs should contain a copy of the precise error. If this
7141 happens, it must be considered as a very serious anomaly which
7142 should be fixed as soon as possible by any means.
7143
7144 I : an internal error was identified by the proxy during a self-check.
7145 This should NEVER happen, and you are encouraged to report any log
7146 containing this, because this would almost certainly be a bug. It
7147 would be wise to preventively restart the process after such an
7148 event too, in case it would be caused by memory corruption.
7149
7150 c : the client-side timeout expired while waiting for the client to
7151 send or receive data.
7152
7153 s : the server-side timeout expired while waiting for the server to
7154 send or receive data.
7155
7156 - : normal session completion, both the client and the server closed
7157 with nothing left in the buffers.
7158
7159 - on the second character, the TCP or HTTP session state when it was closed :
7160
7161 R : th proxy was waiting for a complete, valid REQUEST from the client
7162 (HTTP mode only). Nothing was sent to any server.
7163
7164 Q : the proxy was waiting in the QUEUE for a connection slot. This can
7165 only happen when servers have a 'maxconn' parameter set. It can
7166 also happen in the global queue after a redispatch consecutive to
7167 a failed attempt to connect to a dying server. If no redispatch is
7168 reported, then no connection attempt was made to any server.
7169
7170 C : the proxy was waiting for the CONNECTION to establish on the
7171 server. The server might at most have noticed a connection attempt.
7172
7173 H : the proxy was waiting for complete, valid response HEADERS from the
7174 server (HTTP only).
7175
7176 D : the session was in the DATA phase.
7177
7178 L : the proxy was still transmitting LAST data to the client while the
7179 server had already finished. This one is very rare as it can only
7180 happen when the client dies while receiving the last packets.
7181
7182 T : the request was tarpitted. It has been held open with the client
7183 during the whole "timeout tarpit" duration or until the client
7184 closed, both of which will be reported in the "Tw" timer.
7185
7186 - : normal session completion after end of data transfer.
7187
7188 - the third character tells whether the persistence cookie was provided by
7189 the client (only in HTTP mode) :
7190
7191 N : the client provided NO cookie. This is usually the case for new
7192 visitors, so counting the number of occurrences of this flag in the
7193 logs generally indicate a valid trend for the site frequentation.
7194
7195 I : the client provided an INVALID cookie matching no known server.
7196 This might be caused by a recent configuration change, mixed
7197 cookies between HTTP/HTTPS sites, or an attack.
7198
7199 D : the client provided a cookie designating a server which was DOWN,
7200 so either "option persist" was used and the client was sent to
7201 this server, or it was not set and the client was redispatched to
7202 another server.
7203
7204 V : the client provided a valid cookie, and was sent to the associated
7205 server.
7206
7207 - : does not apply (no cookie set in configuration).
7208
7209 - the last character reports what operations were performed on the persistence
7210 cookie returned by the server (only in HTTP mode) :
7211
7212 N : NO cookie was provided by the server, and none was inserted either.
7213
7214 I : no cookie was provided by the server, and the proxy INSERTED one.
7215 Note that in "cookie insert" mode, if the server provides a cookie,
7216 it will still be overwritten and reported as "I" here.
7217
7218 P : a cookie was PROVIDED by the server and transmitted as-is.
7219
7220 R : the cookie provided by the server was REWRITTEN by the proxy, which
7221 happens in "cookie rewrite" or "cookie prefix" modes.
7222
7223 D : the cookie provided by the server was DELETED by the proxy.
7224
7225 - : does not apply (no cookie set in configuration).
7226
7227The combination of the two first flags give a lot of information about what was
7228happening when the session terminated, and why it did terminate. It can be
7229helpful to detect server saturation, network troubles, local system resource
7230starvation, attacks, etc...
7231
7232The most common termination flags combinations are indicated below. They are
7233alphabetically sorted, with the lowercase set just after the upper case for
7234easier finding and understanding.
7235
7236 Flags Reason
7237
7238 -- Normal termination.
7239
7240 CC The client aborted before the connection could be established to the
7241 server. This can happen when haproxy tries to connect to a recently
7242 dead (or unchecked) server, and the client aborts while haproxy is
7243 waiting for the server to respond or for "timeout connect" to expire.
7244
7245 CD The client unexpectedly aborted during data transfer. This can be
7246 caused by a browser crash, by an intermediate equipment between the
7247 client and haproxy which decided to actively break the connection,
7248 by network routing issues between the client and haproxy, or by a
7249 keep-alive session between the server and the client terminated first
7250 by the client.
Willy Tarreaud72758d2010-01-12 10:42:19 +01007251
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007252 cD The client did not send nor acknowledge any data for as long as the
7253 "timeout client" delay. This is often caused by network failures on
7254 the client side, or the client simply leaving the net uncleanly.
7255
7256 CH The client aborted while waiting for the server to start responding.
7257 It might be the server taking too long to respond or the client
7258 clicking the 'Stop' button too fast.
7259
7260 cH The "timeout client" stroke while waiting for client data during a
7261 POST request. This is sometimes caused by too large TCP MSS values
7262 for PPPoE networks which cannot transport full-sized packets. It can
7263 also happen when client timeout is smaller than server timeout and
7264 the server takes too long to respond.
7265
7266 CQ The client aborted while its session was queued, waiting for a server
7267 with enough empty slots to accept it. It might be that either all the
7268 servers were saturated or that the assigned server was taking too
7269 long a time to respond.
7270
7271 CR The client aborted before sending a full HTTP request. Most likely
7272 the request was typed by hand using a telnet client, and aborted
7273 too early. The HTTP status code is likely a 400 here. Sometimes this
7274 might also be caused by an IDS killing the connection between haproxy
7275 and the client.
7276
7277 cR The "timeout http-request" stroke before the client sent a full HTTP
7278 request. This is sometimes caused by too large TCP MSS values on the
7279 client side for PPPoE networks which cannot transport full-sized
7280 packets, or by clients sending requests by hand and not typing fast
7281 enough, or forgetting to enter the empty line at the end of the
7282 request. The HTTP status code is likely a 408 here.
7283
7284 CT The client aborted while its session was tarpitted. It is important to
7285 check if this happens on valid requests, in order to be sure that no
Willy Tarreau55165fe2009-05-10 12:02:55 +02007286 wrong tarpit rules have been written. If a lot of them happen, it
7287 might make sense to lower the "timeout tarpit" value to something
7288 closer to the average reported "Tw" timer, in order not to consume
7289 resources for just a few attackers.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007290
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007291 SC The server or an equipment between it and haproxy explicitly refused
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007292 the TCP connection (the proxy received a TCP RST or an ICMP message
7293 in return). Under some circumstances, it can also be the network
7294 stack telling the proxy that the server is unreachable (eg: no route,
7295 or no ARP response on local network). When this happens in HTTP mode,
7296 the status code is likely a 502 or 503 here.
7297
7298 sC The "timeout connect" stroke before a connection to the server could
7299 complete. When this happens in HTTP mode, the status code is likely a
7300 503 or 504 here.
7301
7302 SD The connection to the server died with an error during the data
7303 transfer. This usually means that haproxy has received an RST from
7304 the server or an ICMP message from an intermediate equipment while
7305 exchanging data with the server. This can be caused by a server crash
7306 or by a network issue on an intermediate equipment.
7307
7308 sD The server did not send nor acknowledge any data for as long as the
7309 "timeout server" setting during the data phase. This is often caused
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007310 by too short timeouts on L4 equipments before the server (firewalls,
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007311 load-balancers, ...), as well as keep-alive sessions maintained
7312 between the client and the server expiring first on haproxy.
7313
7314 SH The server aborted before sending its full HTTP response headers, or
7315 it crashed while processing the request. Since a server aborting at
7316 this moment is very rare, it would be wise to inspect its logs to
7317 control whether it crashed and why. The logged request may indicate a
7318 small set of faulty requests, demonstrating bugs in the application.
7319 Sometimes this might also be caused by an IDS killing the connection
7320 between haproxy and the server.
7321
7322 sH The "timeout server" stroke before the server could return its
7323 response headers. This is the most common anomaly, indicating too
7324 long transactions, probably caused by server or database saturation.
7325 The immediate workaround consists in increasing the "timeout server"
7326 setting, but it is important to keep in mind that the user experience
7327 will suffer from these long response times. The only long term
7328 solution is to fix the application.
7329
7330 sQ The session spent too much time in queue and has been expired. See
7331 the "timeout queue" and "timeout connect" settings to find out how to
7332 fix this if it happens too often. If it often happens massively in
7333 short periods, it may indicate general problems on the affected
7334 servers due to I/O or database congestion, or saturation caused by
7335 external attacks.
7336
7337 PC The proxy refused to establish a connection to the server because the
7338 process' socket limit has been reached while attempting to connect.
7339 The global "maxconn" parameter may be increased in the configuration
7340 so that it does not happen anymore. This status is very rare and
7341 might happen when the global "ulimit-n" parameter is forced by hand.
7342
7343 PH The proxy blocked the server's response, because it was invalid,
7344 incomplete, dangerous (cache control), or matched a security filter.
7345 In any case, an HTTP 502 error is sent to the client. One possible
7346 cause for this error is an invalid syntax in an HTTP header name
7347 containing unauthorized characters.
7348
7349 PR The proxy blocked the client's HTTP request, either because of an
7350 invalid HTTP syntax, in which case it returned an HTTP 400 error to
7351 the client, or because a deny filter matched, in which case it
7352 returned an HTTP 403 error.
7353
7354 PT The proxy blocked the client's request and has tarpitted its
7355 connection before returning it a 500 server error. Nothing was sent
7356 to the server. The connection was maintained open for as long as
7357 reported by the "Tw" timer field.
7358
7359 RC A local resource has been exhausted (memory, sockets, source ports)
7360 preventing the connection to the server from establishing. The error
7361 logs will tell precisely what was missing. This is very rare and can
7362 only be solved by proper system tuning.
7363
7364
Willy Tarreauc57f0e22009-05-10 13:12:33 +020073658.6. Non-printable characters
7366-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007367
7368In order not to cause trouble to log analysis tools or terminals during log
7369consulting, non-printable characters are not sent as-is into log files, but are
7370converted to the two-digits hexadecimal representation of their ASCII code,
7371prefixed by the character '#'. The only characters that can be logged without
7372being escaped are comprised between 32 and 126 (inclusive). Obviously, the
7373escape character '#' itself is also encoded to avoid any ambiguity ("#23"). It
7374is the same for the character '"' which becomes "#22", as well as '{', '|' and
7375'}' when logging headers.
7376
7377Note that the space character (' ') is not encoded in headers, which can cause
7378issues for tools relying on space count to locate fields. A typical header
7379containing spaces is "User-Agent".
7380
7381Last, it has been observed that some syslog daemons such as syslog-ng escape
7382the quote ('"') with a backslash ('\'). The reverse operation can safely be
7383performed since no quote may appear anywhere else in the logs.
7384
7385
Willy Tarreauc57f0e22009-05-10 13:12:33 +020073868.7. Capturing HTTP cookies
7387---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007388
7389Cookie capture simplifies the tracking a complete user session. This can be
7390achieved using the "capture cookie" statement in the frontend. Please refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007391section 4.2 for more details. Only one cookie can be captured, and the same
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007392cookie will simultaneously be checked in the request ("Cookie:" header) and in
7393the response ("Set-Cookie:" header). The respective values will be reported in
7394the HTTP logs at the "captured_request_cookie" and "captured_response_cookie"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007395locations (see section 8.2.3 about HTTP log format). When either cookie is
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007396not seen, a dash ('-') replaces the value. This way, it's easy to detect when a
7397user switches to a new session for example, because the server will reassign it
7398a new cookie. It is also possible to detect if a server unexpectedly sets a
7399wrong cookie to a client, leading to session crossing.
7400
7401 Examples :
7402 # capture the first cookie whose name starts with "ASPSESSION"
7403 capture cookie ASPSESSION len 32
7404
7405 # capture the first cookie whose name is exactly "vgnvisitor"
7406 capture cookie vgnvisitor= len 32
7407
7408
Willy Tarreauc57f0e22009-05-10 13:12:33 +020074098.8. Capturing HTTP headers
7410---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007411
7412Header captures are useful to track unique request identifiers set by an upper
7413proxy, virtual host names, user-agents, POST content-length, referrers, etc. In
7414the response, one can search for information about the response length, how the
7415server asked the cache to behave, or an object location during a redirection.
7416
7417Header captures are performed using the "capture request header" and "capture
7418response header" statements in the frontend. Please consult their definition in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007419section 4.2 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007420
7421It is possible to include both request headers and response headers at the same
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007422time. Non-existent headers are logged as empty strings, and if one header
7423appears more than once, only its last occurrence will be logged. Request headers
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007424are grouped within braces '{' and '}' in the same order as they were declared,
7425and delimited with a vertical bar '|' without any space. Response headers
7426follow the same representation, but are displayed after a space following the
7427request headers block. These blocks are displayed just before the HTTP request
7428in the logs.
7429
7430 Example :
7431 # This instance chains to the outgoing proxy
7432 listen proxy-out
7433 mode http
7434 option httplog
7435 option logasap
7436 log global
7437 server cache1 192.168.1.1:3128
7438
7439 # log the name of the virtual server
7440 capture request header Host len 20
7441
7442 # log the amount of data uploaded during a POST
7443 capture request header Content-Length len 10
7444
7445 # log the beginning of the referrer
7446 capture request header Referer len 20
7447
7448 # server name (useful for outgoing proxies only)
7449 capture response header Server len 20
7450
7451 # logging the content-length is useful with "option logasap"
7452 capture response header Content-Length len 10
7453
7454 # log the expected cache behaviour on the response
7455 capture response header Cache-Control len 8
7456
7457 # the Via header will report the next proxy's name
7458 capture response header Via len 20
7459
7460 # log the URL location during a redirection
7461 capture response header Location len 20
7462
7463 >>> Aug 9 20:26:09 localhost \
7464 haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] proxy-out \
7465 proxy-out/cache1 0/0/0/162/+162 200 +350 - - ---- 0/0/0/0/0 0/0 \
7466 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} \
7467 "GET http://fr.adserver.yahoo.com/"
7468
7469 >>> Aug 9 20:30:46 localhost \
7470 haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] proxy-out \
7471 proxy-out/cache1 0/0/0/182/+182 200 +279 - - ---- 0/0/0/0/0 0/0 \
7472 {w.ods.org||} {Formilux/0.1.8|3495|||} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01007473 "GET http://trafic.1wt.eu/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007474
7475 >>> Aug 9 20:30:46 localhost \
7476 haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] proxy-out \
7477 proxy-out/cache1 0/0/2/126/+128 301 +223 - - ---- 0/0/0/0/0 0/0 \
7478 {www.sytadin.equipement.gouv.fr||http://trafic.1wt.eu/} \
7479 {Apache|230|||http://www.sytadin.} \
Willy Tarreaud72758d2010-01-12 10:42:19 +01007480 "GET http://www.sytadin.equipement.gouv.fr/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007481
7482
Willy Tarreauc57f0e22009-05-10 13:12:33 +020074838.9. Examples of logs
7484---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007485
7486These are real-world examples of logs accompanied with an explanation. Some of
7487them have been made up by hand. The syslog part has been removed for better
7488reading. Their sole purpose is to explain how to decipher them.
7489
7490 >>> haproxy[674]: 127.0.0.1:33318 [15/Oct/2003:08:31:57.130] px-http \
7491 px-http/srv1 6559/0/7/147/6723 200 243 - - ---- 5/3/3/1/0 0/0 \
7492 "HEAD / HTTP/1.0"
7493
7494 => long request (6.5s) entered by hand through 'telnet'. The server replied
7495 in 147 ms, and the session ended normally ('----')
7496
7497 >>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57.149] px-http \
7498 px-http/srv1 6559/1230/7/147/6870 200 243 - - ---- 324/239/239/99/0 \
7499 0/9 "HEAD / HTTP/1.0"
7500
7501 => Idem, but the request was queued in the global queue behind 9 other
7502 requests, and waited there for 1230 ms.
7503
7504 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.654] px-http \
7505 px-http/srv1 9/0/7/14/+30 200 +243 - - ---- 3/3/3/1/0 0/0 \
7506 "GET /image.iso HTTP/1.0"
7507
7508 => request for a long data transfer. The "logasap" option was specified, so
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007509 the log was produced just before transferring data. The server replied in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007510 14 ms, 243 bytes of headers were sent to the client, and total time from
7511 accept to first data byte is 30 ms.
7512
7513 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.925] px-http \
7514 px-http/srv1 9/0/7/14/30 502 243 - - PH-- 3/2/2/0/0 0/0 \
7515 "GET /cgi-bin/bug.cgi? HTTP/1.0"
7516
7517 => the proxy blocked a server response either because of an "rspdeny" or
7518 "rspideny" filter, or because the response was improperly formatted and
7519 not HTTP-compliant, or because it blocked sensible information which
7520 risked being cached. In this case, the response is replaced with a "502
7521 bad gateway". The flags ("PH--") tell us that it was haproxy who decided
7522 to return the 502 and not the server.
7523
7524 >>> haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55.798] px-http \
Willy Tarreaud72758d2010-01-12 10:42:19 +01007525 px-http/<NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 2/2/2/0/0 0/0 ""
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007526
7527 => the client never completed its request and aborted itself ("C---") after
7528 8.5s, while the proxy was waiting for the request headers ("-R--").
7529 Nothing was sent to any server.
7530
7531 >>> haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06.103] px-http \
7532 px-http/<NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2/2/0/0 0/0 ""
7533
7534 => The client never completed its request, which was aborted by the
7535 time-out ("c---") after 50s, while the proxy was waiting for the request
7536 headers ("-R--"). Nothing was sent to any server, but the proxy could
7537 send a 408 return code to the client.
7538
7539 >>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28.312] px-tcp \
7540 px-tcp/srv1 0/0/5007 0 cD 0/0/0/0/0 0/0
7541
7542 => This log was produced with "option tcplog". The client timed out after
7543 5 seconds ("c----").
7544
7545 >>> haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31.462] px-http \
7546 px-http/srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 205/202/202/115/3 \
Willy Tarreaud72758d2010-01-12 10:42:19 +01007547 0/0 "HEAD / HTTP/1.0"
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007548
7549 => The request took 3s to complete (probably a network problem), and the
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007550 connection to the server failed ('SC--') after 4 attempts of 2 seconds
Willy Tarreaucc6c8912009-02-22 10:53:55 +01007551 (config says 'retries 3'), and no redispatch (otherwise we would have
7552 seen "/+3"). Status code 503 was returned to the client. There were 115
7553 connections on this server, 202 connections on this proxy, and 205 on
7554 the global process. It is possible that the server refused the
7555 connection because of too many already established.
Willy Tarreau844e3c52008-01-11 16:28:18 +01007556
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01007557
Willy Tarreauc57f0e22009-05-10 13:12:33 +020075589. Statistics and monitoring
7559----------------------------
7560
7561It is possible to query HAProxy about its status. The most commonly used
7562mechanism is the HTTP statistics page. This page also exposes an alternative
7563CSV output format for monitoring tools. The same format is provided on the
7564Unix socket.
7565
7566
75679.1. CSV format
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01007568---------------
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01007569
Willy Tarreau7f062c42009-03-05 18:43:00 +01007570The statistics may be consulted either from the unix socket or from the HTTP
7571page. Both means provide a CSV format whose fields follow.
7572
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01007573 0. pxname: proxy name
7574 1. svname: service name (FRONTEND for frontend, BACKEND for backend, any name
7575 for server)
7576 2. qcur: current queued requests
7577 3. qmax: max queued requests
7578 4. scur: current sessions
7579 5. smax: max sessions
7580 6. slim: sessions limit
7581 7. stot: total sessions
7582 8. bin: bytes in
7583 9. bout: bytes out
7584 10. dreq: denied requests
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01007585 11. dresp: denied responses
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01007586 12. ereq: request errors
7587 13. econ: connection errors
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01007588 14. eresp: response errors
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01007589 15. wretr: retries (warning)
7590 16. wredis: redispatches (warning)
Cyril Bonté0dae5852010-02-03 00:26:28 +01007591 17. status: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01007592 18. weight: server weight (server), total weight (backend)
7593 19. act: server is active (server), number of active servers (backend)
7594 20. bck: server is backup (server), number of backup servers (backend)
7595 21. chkfail: number of failed checks
7596 22. chkdown: number of UP->DOWN transitions
7597 23. lastchg: last status change (in seconds)
7598 24. downtime: total downtime (in seconds)
7599 25. qlimit: queue limit
7600 26. pid: process id (0 for first instance, 1 for second, ...)
7601 27. iid: unique proxy id
7602 28. sid: service id (unique inside a proxy)
7603 29. throttle: warm up status
7604 30. lbtot: total number of times a server was selected
7605 31. tracked: id of proxy/server if tracking is enabled
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02007606 32. type (0=frontend, 1=backend, 2=server, 3=socket)
Krzysztof Piotr Oledzkidb57c6b2009-08-31 21:23:27 +02007607 33. rate: number of sessions per second over last elapsed second
7608 34. rate_lim: limit on new sessions per second
7609 35. rate_max: max number of new sessions per second
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +02007610 36. check_status: status of last health check, one of:
7611 UNK -> unknown
7612 INI -> initializing
7613 SOCKERR -> socket error
7614 L4OK -> check passed on layer 4, no upper layers testing enabled
7615 L4TMOUT -> layer 1-4 timeout
7616 L4CON -> layer 1-4 connection problem, for example "Connection refused"
7617 (tcp rst) or "No route to host" (icmp)
7618 L6OK -> check passed on layer 6
7619 L6TOUT -> layer 6 (SSL) timeout
Willy Tarreaud72758d2010-01-12 10:42:19 +01007620 L6RSP -> layer 6 invalid response - protocol error
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +02007621 L7OK -> check passed on layer 7
7622 L7OKC -> check conditionally passed on layer 7, for example 404 with
7623 disable-on-404
7624 L7TOUT -> layer 7 (HTTP/SMTP) timeout
Willy Tarreaud72758d2010-01-12 10:42:19 +01007625 L7RSP -> layer 7 invalid response - protocol error
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +02007626 L7STS -> layer 7 response error, for example HTTP 5xx
7627 37. check_code: layer5-7 code, if available
7628 38. check_duration: time in ms took to finish last health check
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007629 39. hrsp_1xx: http responses with 1xx code
7630 40. hrsp_2xx: http responses with 2xx code
7631 41. hrsp_3xx: http responses with 3xx code
7632 42. hrsp_4xx: http responses with 4xx code
7633 43. hrsp_5xx: http responses with 5xx code
7634 44. hrsp_other: http responses with other codes (protocol error)
Willy Tarreau844e3c52008-01-11 16:28:18 +01007635
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01007636
Willy Tarreauc57f0e22009-05-10 13:12:33 +020076379.2. Unix Socket commands
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01007638-------------------------
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01007639
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01007640The following commands are supported on the UNIX stats socket ; all of them
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02007641must be terminated by a line feed. The socket supports pipelining, so that it
7642is possible to chain multiple commands at once provided they are delimited by
7643a semi-colon or a line feed, although the former is more reliable as it has no
7644risk of being truncated over the network. The responses themselves will each be
7645followed by an empty line, so it will be easy for an external script to match a
7646given response with a given request. By default one command line is processed
7647then the connection closes, but there is an interactive allowing multiple lines
7648to be issued one at a time.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01007649
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02007650It is important to understand that when multiple haproxy processes are started
7651on the same sockets, any process may pick up the request and will output its
7652own stats.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01007653
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02007654help
7655 Print the list of known keywords and their basic usage. The same help screen
7656 is also displayed for unknown commands.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +01007657
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02007658prompt
7659 Toggle the prompt at the beginning of the line and enter or leave interactive
7660 mode. In interactive mode, the connection is not closed after a command
7661 completes. Instead, the prompt will appear again, indicating the user that
7662 the interpreter is waiting for a new command. The prompt consists in a right
7663 angle bracket followed by a space "> ". This mode is particularly convenient
7664 when one wants to periodically check information such as stats or errors.
7665 It is also a good idea to enter interactive mode before issuing a "help"
7666 command.
7667
7668quit
7669 Close the connection when in interactive mode.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01007670
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01007671show errors [<iid>]
7672 Dump last known request and response errors collected by frontends and
7673 backends. If <iid> is specified, the limit the dump to errors concerning
Willy Tarreau6162db22009-10-10 17:13:00 +02007674 either frontend or backend whose ID is <iid>. This command is restricted
7675 and can only be issued on sockets configured for levels "operator" or
7676 "admin".
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01007677
7678 The errors which may be collected are the last request and response errors
7679 caused by protocol violations, often due to invalid characters in header
7680 names. The report precisely indicates what exact character violated the
7681 protocol. Other important information such as the exact date the error was
7682 detected, frontend and backend names, the server name (when known), the
7683 internal session ID and the source address which has initiated the session
7684 are reported too.
7685
7686 All characters are returned, and non-printable characters are encoded. The
7687 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
7688 letter following a backslash. The backslash itself is encoded as '\\' to
7689 avoid confusion. Other non-printable characters are encoded '\xNN' where
7690 NN is the two-digits hexadecimal representation of the character's ASCII
7691 code.
7692
7693 Lines are prefixed with the position of their first character, starting at 0
7694 for the beginning of the buffer. At most one input line is printed per line,
7695 and large lines will be broken into multiple consecutive output lines so that
7696 the output never goes beyond 79 characters wide. It is easy to detect if a
7697 line was broken, because it will not end with '\n' and the next line's offset
7698 will be followed by a '+' sign, indicating it is a continuation of previous
7699 line.
7700
7701 Example :
7702 >>> $ echo "show errors" | socat stdio /tmp/sock1
7703 [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
7704 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
7705 response length 213 bytes, error at position 23:
7706
7707 00000 HTTP/1.0 200 OK\r\n
7708 00017 header/bizarre:blah\r\n
7709 00038 Location: blah\r\n
7710 00054 Long-line: this is a very long line which should b
7711 00104+ e broken into multiple lines on the output buffer,
7712 00154+ otherwise it would be too large to print in a ter
7713 00204+ minal\r\n
7714 00211 \r\n
7715
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007716 In the example above, we see that the backend "http-in" which has internal
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +01007717 ID 2 has blocked an invalid response from its server s2 which has internal
7718 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
7719 received by frontend fe-eth0 whose ID is 1. The total response length was
7720 213 bytes when the error was detected, and the error was at byte 23. This
7721 is the slash ('/') in header name "header/bizarre", which is not a valid
7722 HTTP character for a header name.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +01007723
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02007724show info
7725 Dump info about haproxy status on current process.
7726
7727show sess
7728 Dump all known sessions. Avoid doing this on slow connections as this can
Willy Tarreau6162db22009-10-10 17:13:00 +02007729 be huge. This command is restricted and can only be issued on sockets
7730 configured for levels "operator" or "admin".
7731
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02007732
7733show stat [<iid> <type> <sid>]
7734 Dump statistics in the CSV format. By passing <id>, <type> and <sid>, it is
7735 possible to dump only selected items :
7736 - <iid> is a proxy ID, -1 to dump everything
7737 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
7738 backends, 4 for servers, -1 for everything. These values can be ORed,
7739 for example:
7740 1 + 2 = 3 -> frontend + backend.
7741 1 + 2 + 4 = 7 -> frontend + backend + server.
7742 - <sid> is a server ID, -1 to dump everything from the selected proxy.
7743
7744 Example :
7745 >>> $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1
7746 Name: HAProxy
7747 Version: 1.4-dev2-49
7748 Release_date: 2009/09/23
7749 Nbproc: 1
7750 Process_num: 1
7751 (...)
7752
7753 # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...)
7754 stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...)
7755 stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...)
7756 (...)
7757 www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...)
7758
7759 $
7760
7761 Here, two commands have been issued at once. That way it's easy to find
7762 which process the stats apply to in multi-process mode. Notice the empty
7763 line after the information output which marks the end of the first block.
7764 A similar empty line appears at the end of the second block (stats) so that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007765 the reader knows the output has not been truncated.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +02007766
Krzysztof Piotr Oledzki719e7262009-10-04 15:02:46 +02007767clear counters
Willy Tarreau2f6bf2b2009-10-10 15:26:26 +02007768 Clear the max values of the statistics counters in each proxy (frontend &
7769 backend) and in each server. The cumulated counters are not affected. This
7770 can be used to get clean counters after an incident, without having to
Willy Tarreau6162db22009-10-10 17:13:00 +02007771 restart nor to clear traffic counters. This command is restricted and can
7772 only be issued on sockets configured for levels "operator" or "admin".
Willy Tarreau2f6bf2b2009-10-10 15:26:26 +02007773
7774clear counters all
7775 Clear all statistics counters in each proxy (frontend & backend) and in each
Willy Tarreau6162db22009-10-10 17:13:00 +02007776 server. This has the same effect as restarting. This command is restricted
7777 and can only be issued on sockets configured for level "admin".
7778
Cyril Bontécd19e512010-01-31 22:34:03 +01007779disable server <backend>/<server>
7780 Mark the server DOWN for maintenance. In this mode, no more checks will be
7781 performed on the server until it leaves maintenance.
7782 If the server is tracked by other servers, those servers will be set to DOWN
7783 during the maintenance.
7784
Cyril Bonté0dae5852010-02-03 00:26:28 +01007785 In the statistics page, a server DOWN for maintenance will appear with a
7786 "MAINT" status, its tracking servers with the "MAINT(via)" one.
7787
Cyril Bontécd19e512010-01-31 22:34:03 +01007788 Both the backend and the server may be specified either by their name or by
7789 their numeric ID, prefixed with a dash ('#').
7790
7791 This command is restricted and can only be issued on sockets configured for
7792 level "admin".
7793
7794enable server <backend>/<server>
7795 If the server was previously marked as DOWN for maintenance, this marks the
7796 server UP and checks are re-enabled.
7797
7798 Both the backend and the server may be specified either by their name or by
7799 their numeric ID, prefixed with a dash ('#').
7800
7801 This command is restricted and can only be issued on sockets configured for
7802 level "admin".
7803
Willy Tarreau38338fa2009-10-10 18:37:29 +02007804get weight <backend>/<server>
7805 Report the current weight and the initial weight of server <server> in
7806 backend <backend> or an error if either doesn't exist. The initial weight is
7807 the one that appears in the configuration file. Both are normally equal
Willy Tarreaucfeaa472009-10-10 22:33:08 +02007808 unless the current weight has been changed. Both the backend and the server
7809 may be specified either by their name or by their numeric ID, prefixed with a
7810 dash ('#').
Willy Tarreau38338fa2009-10-10 18:37:29 +02007811
Willy Tarreau7aabd112010-01-26 10:59:06 +01007812set timeout cli <delay>
7813 Change the CLI interface timeout for current connection. This can be useful
7814 during long debugging sessions where the user needs to constantly inspect
7815 some indicators without being disconnected. The delay is passed in seconds.
7816
Willy Tarreau4483d432009-10-10 19:30:08 +02007817set weight <backend>/<server> <weight>[%]
7818 Change a server's weight to the value passed in argument. If the value ends
7819 with the '%' sign, then the new weight will be relative to the initially
7820 configured weight. Relative weights are only permitted between 0 and 100%,
7821 and absolute weights are permitted between 0 and 256. Servers which are part
7822 of a farm running a static load-balancing algorithm have stricter limitations
7823 because the weight cannot change once set. Thus for these servers, the only
7824 accepted values are 0 and 100% (or 0 and the initial weight). Changes take
7825 effect immediately, though certain LB algorithms require a certain amount of
7826 requests to consider changes. A typical usage of this command is to disable
7827 a server during an update by setting its weight to zero, then to enable it
7828 again after the update by setting it back to 100%. This command is restricted
Willy Tarreaucfeaa472009-10-10 22:33:08 +02007829 and can only be issued on sockets configured for level "admin". Both the
7830 backend and the server may be specified either by their name or by their
7831 numeric ID, prefixed with a dash ('#').
Willy Tarreau4483d432009-10-10 19:30:08 +02007832
Krzysztof Piotr Oledzki719e7262009-10-04 15:02:46 +02007833
Willy Tarreau0ba27502007-12-24 16:55:16 +01007834/*
7835 * Local variables:
7836 * fill-column: 79
7837 * End:
7838 */