blob: 080d8fcc3357b449f6eabfc34b77a2f43168432f [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
Willy Tarreau8317b282014-04-23 01:49:41 +02002 HAProxy
Willy Tarreau6a06a402007-07-15 20:15:28 +02003 Configuration Manual
4 ----------------------
Willy Tarreau4dfb7952014-06-24 11:30:21 +02005 version 1.5.1
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreau4dfb7952014-06-24 11:30:21 +02007 2014/06/24
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
Jamie Gloudonaaa21002012-08-25 00:18:33 -040017 This document is formatted with 80 columns per line, with even number of
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
22 sometimes useful to prefix all output lines (logs, console outs) with 3
23 closing angle brackets ('>>>') in order to help get the difference between
24 inputs and outputs when it can become ambiguous. If you add sections,
25 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
341.2.1. The Request line
351.2.2. The request headers
361.3. HTTP response
371.3.1. The Response line
381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
422.2. Time format
Patrick Mezard35da19c2010-06-12 17:02:47 +0200432.3. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020044
453. Global parameters
463.1. Process management and security
473.2. Performance tuning
483.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100493.4. Userlists
Cyril Bontédc4d9032012-04-08 21:57:39 +0200503.5. Peers
Willy Tarreauc57f0e22009-05-10 13:12:33 +020051
524. Proxies
534.1. Proxy keywords matrix
544.2. Alphabetically sorted keywords reference
55
Willy Tarreau086fbf52012-09-24 20:34:51 +0200565. Bind and Server options
575.1. Bind options
585.2. Server and default-server options
Willy Tarreauc57f0e22009-05-10 13:12:33 +020059
606. HTTP header manipulation
61
Willy Tarreau74ca5042013-06-11 23:12:07 +0200627. Using ACLs and fetching samples
637.1. ACL basics
647.1.1. Matching booleans
657.1.2. Matching integers
667.1.3. Matching strings
677.1.4. Matching regular expressions (regexes)
687.1.5. Matching arbitrary data blocks
697.1.6. Matching IPv4 and IPv6 addresses
707.2. Using ACLs to form conditions
717.3. Fetching samples
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200727.3.1. Converters
737.3.2. Fetching samples from internal states
747.3.3. Fetching samples at Layer 4
757.3.4. Fetching samples at Layer 5
767.3.5. Fetching samples from buffer contents (Layer 6)
777.3.6. Fetching HTTP samples (Layer 7)
Willy Tarreau74ca5042013-06-11 23:12:07 +0200787.4. Pre-defined ACLs
Willy Tarreauc57f0e22009-05-10 13:12:33 +020079
808. Logging
818.1. Log levels
828.2. Log formats
838.2.1. Default log format
848.2.2. TCP log format
858.2.3. HTTP log format
William Lallemand48940402012-01-30 16:47:22 +0100868.2.4. Custom log format
Willy Tarreau5f51e1a2012-12-03 18:40:10 +0100878.2.5. Error log format
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200888.3. Advanced logging options
898.3.1. Disabling logging of external tests
908.3.2. Logging before waiting for the session to terminate
918.3.3. Raising log level upon errors
928.3.4. Disabling logging of successful connections
938.4. Timing events
948.5. Session state at disconnection
958.6. Non-printable characters
968.7. Capturing HTTP cookies
978.8. Capturing HTTP headers
988.9. Examples of logs
99
1009. Statistics and monitoring
1019.1. CSV format
1029.2. Unix Socket commands
103
104
1051. Quick reminder about HTTP
106----------------------------
107
108When haproxy is running in HTTP mode, both the request and the response are
109fully analyzed and indexed, thus it becomes possible to build matching criteria
110on almost anything found in the contents.
111
112However, it is important to understand how HTTP requests and responses are
113formed, and how HAProxy decomposes them. It will then become easier to write
114correct rules and to debug existing configurations.
115
116
1171.1. The HTTP transaction model
118-------------------------------
119
120The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100121to one and only one response. Traditionally, a TCP connection is established
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200122from the client to the server, a request is sent by the client on the
123connection, the server responds and the connection is closed. A new request
124will involve a new connection :
125
126 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
127
128In this mode, called the "HTTP close" mode, there are as many connection
129establishments as there are HTTP transactions. Since the connection is closed
130by the server after the response, the client does not need to know the content
131length.
132
133Due to the transactional nature of the protocol, it was possible to improve it
134to avoid closing a connection between two subsequent transactions. In this mode
135however, it is mandatory that the server indicates the content length for each
136response so that the client does not wait indefinitely. For this, a special
137header is used: "Content-length". This mode is called the "keep-alive" mode :
138
139 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
140
141Its advantages are a reduced latency between transactions, and less processing
142power required on the server side. It is generally better than the close mode,
143but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200144a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200145
146A last improvement in the communications is the pipelining mode. It still uses
147keep-alive, but the client does not wait for the first response to send the
148second request. This is useful for fetching large number of images composing a
149page :
150
151 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
152
153This can obviously have a tremendous benefit on performance because the network
154latency is eliminated between subsequent requests. Many HTTP agents do not
155correctly support pipelining since there is no way to associate a response with
156the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100157server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200158
Willy Tarreau70dffda2014-01-30 03:07:23 +0100159By default HAProxy operates in keep-alive mode with regards to persistent
160connections: for each connection it processes each request and response, and
161leaves the connection idle on both sides between the end of a response and the
162start of a new request.
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200163
Willy Tarreau70dffda2014-01-30 03:07:23 +0100164HAProxy supports 5 connection modes :
165 - keep alive : all requests and responses are processed (default)
166 - tunnel : only the first request and response are processed,
167 everything else is forwarded with no analysis.
168 - passive close : tunnel with "Connection: close" added in both directions.
169 - server close : the server-facing connection is closed after the response.
170 - forced close : the connection is actively closed after end of response.
171
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200172
1731.2. HTTP request
174-----------------
175
176First, let's consider this HTTP request :
177
178 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100179 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200180 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
181 2 Host: www.mydomain.com
182 3 User-agent: my small browser
183 4 Accept: image/jpeg, image/gif
184 5 Accept: image/png
185
186
1871.2.1. The Request line
188-----------------------
189
190Line 1 is the "request line". It is always composed of 3 fields :
191
192 - a METHOD : GET
193 - a URI : /serv/login.php?lang=en&profile=2
194 - a version tag : HTTP/1.1
195
196All of them are delimited by what the standard calls LWS (linear white spaces),
197which are commonly spaces, but can also be tabs or line feeds/carriage returns
198followed by spaces/tabs. The method itself cannot contain any colon (':') and
199is limited to alphabetic letters. All those various combinations make it
200desirable that HAProxy performs the splitting itself rather than leaving it to
201the user to write a complex or inaccurate regular expression.
202
203The URI itself can have several forms :
204
205 - A "relative URI" :
206
207 /serv/login.php?lang=en&profile=2
208
209 It is a complete URL without the host part. This is generally what is
210 received by servers, reverse proxies and transparent proxies.
211
212 - An "absolute URI", also called a "URL" :
213
214 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
215
216 It is composed of a "scheme" (the protocol name followed by '://'), a host
217 name or address, optionally a colon (':') followed by a port number, then
218 a relative URI beginning at the first slash ('/') after the address part.
219 This is generally what proxies receive, but a server supporting HTTP/1.1
220 must accept this form too.
221
222 - a star ('*') : this form is only accepted in association with the OPTIONS
223 method and is not relayable. It is used to inquiry a next hop's
224 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100225
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200226 - an address:port combination : 192.168.0.12:80
227 This is used with the CONNECT method, which is used to establish TCP
228 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
229 other protocols too.
230
231In a relative URI, two sub-parts are identified. The part before the question
232mark is called the "path". It is typically the relative path to static objects
233on the server. The part after the question mark is called the "query string".
234It is mostly used with GET requests sent to dynamic scripts and is very
235specific to the language, framework or application in use.
236
237
2381.2.2. The request headers
239--------------------------
240
241The headers start at the second line. They are composed of a name at the
242beginning of the line, immediately followed by a colon (':'). Traditionally,
243an LWS is added after the colon but that's not required. Then come the values.
244Multiple identical headers may be folded into one single line, delimiting the
245values with commas, provided that their order is respected. This is commonly
246encountered in the "Cookie:" field. A header may span over multiple lines if
247the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
248define a total of 3 values for the "Accept:" header.
249
250Contrary to a common mis-conception, header names are not case-sensitive, and
251their values are not either if they refer to other header names (such as the
252"Connection:" header).
253
254The end of the headers is indicated by the first empty line. People often say
255that it's a double line feed, which is not exact, even if a double line feed
256is one valid form of empty line.
257
258Fortunately, HAProxy takes care of all these complex combinations when indexing
259headers, checking values and counting them, so there is no reason to worry
260about the way they could be written, but it is important not to accuse an
261application of being buggy if it does unusual, valid things.
262
263Important note:
264 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
265 in the middle of headers by LWS in order to join multi-line headers. This
266 is necessary for proper analysis and helps less capable HTTP parsers to work
267 correctly and not to be fooled by such complex constructs.
268
269
2701.3. HTTP response
271------------------
272
273An HTTP response looks very much like an HTTP request. Both are called HTTP
274messages. Let's consider this HTTP response :
275
276 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100277 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200278 1 HTTP/1.1 200 OK
279 2 Content-length: 350
280 3 Content-Type: text/html
281
Willy Tarreau816b9792009-09-15 21:25:21 +0200282As a special case, HTTP supports so called "Informational responses" as status
283codes 1xx. These messages are special in that they don't convey any part of the
284response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100285continue to post its request for instance. In the case of a status 100 response
286the requested information will be carried by the next non-100 response message
287following the informational one. This implies that multiple responses may be
288sent to a single request, and that this only works when keep-alive is enabled
289(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
290correctly forward and skip them, and only process the next non-100 response. As
291such, these messages are neither logged nor transformed, unless explicitly
292state otherwise. Status 101 messages indicate that the protocol is changing
293over the same connection and that haproxy must switch to tunnel mode, just as
294if a CONNECT had occurred. Then the Upgrade header would contain additional
295information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200296
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200297
2981.3.1. The Response line
299------------------------
300
301Line 1 is the "response line". It is always composed of 3 fields :
302
303 - a version tag : HTTP/1.1
304 - a status code : 200
305 - a reason : OK
306
307The status code is always 3-digit. The first digit indicates a general status :
Willy Tarreau816b9792009-09-15 21:25:21 +0200308 - 1xx = informational message to be skipped (eg: 100, 101)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200309 - 2xx = OK, content is following (eg: 200, 206)
310 - 3xx = OK, no content following (eg: 302, 304)
311 - 4xx = error caused by the client (eg: 401, 403, 404)
312 - 5xx = error caused by the server (eg: 500, 502, 503)
313
314Please refer to RFC2616 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100315"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200316found there, but it's a common practice to respect the well-established
317messages. It can be composed of one or multiple words, such as "OK", "Found",
318or "Authentication Required".
319
320Haproxy may emit the following status codes by itself :
321
322 Code When / reason
323 200 access to stats page, and when replying to monitoring requests
324 301 when performing a redirection, depending on the configured code
325 302 when performing a redirection, depending on the configured code
326 303 when performing a redirection, depending on the configured code
Willy Tarreaub67fdc42013-03-29 19:28:11 +0100327 307 when performing a redirection, depending on the configured code
328 308 when performing a redirection, depending on the configured code
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200329 400 for an invalid or too large request
330 401 when an authentication is required to perform the action (when
331 accessing the stats page)
332 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
333 408 when the request timeout strikes before the request is complete
334 500 when haproxy encounters an unrecoverable internal error, such as a
335 memory allocation failure, which should never happen
336 502 when the server returns an empty, invalid or incomplete response, or
337 when an "rspdeny" filter blocks the response.
338 503 when no server was available to handle the request, or in response to
339 monitoring requests which match the "monitor fail" condition
340 504 when the response timeout strikes before the server responds
341
342The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3434.2).
344
345
3461.3.2. The response headers
347---------------------------
348
349Response headers work exactly like request headers, and as such, HAProxy uses
350the same parsing function for both. Please refer to paragraph 1.2.2 for more
351details.
352
353
3542. Configuring HAProxy
355----------------------
356
3572.1. Configuration file format
358------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200359
360HAProxy's configuration process involves 3 major sources of parameters :
361
362 - the arguments from the command-line, which always take precedence
363 - the "global" section, which sets process-wide parameters
364 - the proxies sections which can take form of "defaults", "listen",
365 "frontend" and "backend".
366
Willy Tarreau0ba27502007-12-24 16:55:16 +0100367The configuration file syntax consists in lines beginning with a keyword
368referenced in this manual, optionally followed by one or several parameters
369delimited by spaces. If spaces have to be entered in strings, then they must be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100370preceded by a backslash ('\') to be escaped. Backslashes also have to be
Willy Tarreau0ba27502007-12-24 16:55:16 +0100371escaped by doubling them.
372
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200373
3742.2. Time format
375----------------
376
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100377Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100378values are generally expressed in milliseconds (unless explicitly stated
379otherwise) but may be expressed in any other unit by suffixing the unit to the
380numeric value. It is important to consider this because it will not be repeated
381for every keyword. Supported units are :
382
383 - us : microseconds. 1 microsecond = 1/1000000 second
384 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
385 - s : seconds. 1s = 1000ms
386 - m : minutes. 1m = 60s = 60000ms
387 - h : hours. 1h = 60m = 3600s = 3600000ms
388 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
389
390
Patrick Mezard35da19c2010-06-12 17:02:47 +02003912.3. Examples
392-------------
393
394 # Simple configuration for an HTTP proxy listening on port 80 on all
395 # interfaces and forwarding requests to a single backend "servers" with a
396 # single server "server1" listening on 127.0.0.1:8000
397 global
398 daemon
399 maxconn 256
400
401 defaults
402 mode http
403 timeout connect 5000ms
404 timeout client 50000ms
405 timeout server 50000ms
406
407 frontend http-in
408 bind *:80
409 default_backend servers
410
411 backend servers
412 server server1 127.0.0.1:8000 maxconn 32
413
414
415 # The same configuration defined with a single listen block. Shorter but
416 # less expressive, especially in HTTP mode.
417 global
418 daemon
419 maxconn 256
420
421 defaults
422 mode http
423 timeout connect 5000ms
424 timeout client 50000ms
425 timeout server 50000ms
426
427 listen http-in
428 bind *:80
429 server server1 127.0.0.1:8000 maxconn 32
430
431
432Assuming haproxy is in $PATH, test these configurations in a shell with:
433
Willy Tarreauccb289d2010-12-11 20:19:38 +0100434 $ sudo haproxy -f configuration.conf -c
Patrick Mezard35da19c2010-06-12 17:02:47 +0200435
436
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004373. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200438--------------------
439
440Parameters in the "global" section are process-wide and often OS-specific. They
441are generally set once for all and do not need being changed once correct. Some
442of them have command-line equivalents.
443
444The following keywords are supported in the "global" section :
445
446 * Process management and security
Emeric Brunc8e8d122012-10-02 18:42:10 +0200447 - ca-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200448 - chroot
Emeric Brunc8e8d122012-10-02 18:42:10 +0200449 - crt-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200450 - daemon
451 - gid
452 - group
453 - log
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100454 - log-send-hostname
Willy Tarreau6a06a402007-07-15 20:15:28 +0200455 - nbproc
456 - pidfile
457 - uid
458 - ulimit-n
459 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200460 - stats
Emeric Brun850efd52014-01-29 12:24:34 +0100461 - ssl-server-verify
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200462 - node
463 - description
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100464 - unix-bind
Willy Tarreaud72758d2010-01-12 10:42:19 +0100465
Willy Tarreau6a06a402007-07-15 20:15:28 +0200466 * Performance tuning
Willy Tarreau1746eec2014-04-25 10:46:47 +0200467 - max-spread-checks
Willy Tarreau6a06a402007-07-15 20:15:28 +0200468 - maxconn
Willy Tarreau81c25d02011-09-07 15:17:21 +0200469 - maxconnrate
William Lallemandd85f9172012-11-09 17:05:39 +0100470 - maxcomprate
William Lallemand072a2bf2012-11-20 17:01:01 +0100471 - maxcompcpuusage
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100472 - maxpipes
Willy Tarreau93e7c002013-10-07 18:51:07 +0200473 - maxsessrate
Willy Tarreau403edff2012-09-06 11:58:37 +0200474 - maxsslconn
Willy Tarreaue43d5322013-10-07 20:01:52 +0200475 - maxsslrate
Willy Tarreau6a06a402007-07-15 20:15:28 +0200476 - noepoll
477 - nokqueue
478 - nopoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100479 - nosplice
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300480 - nogetaddrinfo
Willy Tarreaufe255b72007-10-14 23:09:26 +0200481 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200482 - tune.bufsize
Willy Tarreau43961d52010-10-04 20:39:20 +0200483 - tune.chksize
William Lallemandf3747832012-11-09 12:33:10 +0100484 - tune.comp.maxlevel
Willy Tarreau193b8c62012-11-22 00:17:38 +0100485 - tune.http.cookielen
Willy Tarreauac1932d2011-10-24 19:14:41 +0200486 - tune.http.maxhdr
Willy Tarreau7e312732014-02-12 16:35:14 +0100487 - tune.idletimer
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100488 - tune.maxaccept
489 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200490 - tune.maxrewrite
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200491 - tune.pipesize
Willy Tarreaue803de22010-01-21 17:43:04 +0100492 - tune.rcvbuf.client
493 - tune.rcvbuf.server
494 - tune.sndbuf.client
495 - tune.sndbuf.server
Willy Tarreau6ec58db2012-11-16 16:32:15 +0100496 - tune.ssl.cachesize
Willy Tarreaubfd59462013-02-21 07:46:09 +0100497 - tune.ssl.lifetime
Emeric Brun8dc60392014-05-09 13:52:00 +0200498 - tune.ssl.force-private-cache
Willy Tarreaubfd59462013-02-21 07:46:09 +0100499 - tune.ssl.maxrecord
Remi Gacognef46cd6e2014-06-12 14:58:40 +0200500 - tune.ssl.default-dh-param
William Lallemanda509e4c2012-11-07 16:54:34 +0100501 - tune.zlib.memlevel
502 - tune.zlib.windowsize
Willy Tarreaud72758d2010-01-12 10:42:19 +0100503
Willy Tarreau6a06a402007-07-15 20:15:28 +0200504 * Debugging
505 - debug
506 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200507
508
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005093.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200510------------------------------------
511
Emeric Brunc8e8d122012-10-02 18:42:10 +0200512ca-base <dir>
513 Assigns a default directory to fetch SSL CA certificates and CRLs from when a
Emeric Brunfd33a262012-10-11 16:28:27 +0200514 relative path is used with "ca-file" or "crl-file" directives. Absolute
515 locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base".
Emeric Brunc8e8d122012-10-02 18:42:10 +0200516
Willy Tarreau6a06a402007-07-15 20:15:28 +0200517chroot <jail dir>
518 Changes current directory to <jail dir> and performs a chroot() there before
519 dropping privileges. This increases the security level in case an unknown
520 vulnerability would be exploited, since it would make it very hard for the
521 attacker to exploit the system. This only works when the process is started
522 with superuser privileges. It is important to ensure that <jail_dir> is both
523 empty and unwritable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100524
Willy Tarreaufc6c0322012-11-16 16:12:27 +0100525cpu-map <"all"|"odd"|"even"|process_num> <cpu-set>...
526 On Linux 2.6 and above, it is possible to bind a process to a specific CPU
527 set. This means that the process will never run on other CPUs. The "cpu-map"
528 directive specifies CPU sets for process sets. The first argument is the
Willy Tarreaua9db57e2013-01-18 11:29:29 +0100529 process number to bind. This process must have a number between 1 and 32 or
530 64, depending on the machine's word size, and any process IDs above nbproc
531 are ignored. It is possible to specify all processes at once using "all",
532 only odd numbers using "odd" or even numbers using "even", just like with the
533 "bind-process" directive. The second and forthcoming arguments are CPU sets.
534 Each CPU set is either a unique number between 0 and 31 or 63 or a range with
535 two such numbers delimited by a dash ('-'). Multiple CPU numbers or ranges
536 may be specified, and the processes will be allowed to bind to all of them.
537 Obviously, multiple "cpu-map" directives may be specified. Each "cpu-map"
538 directive will replace the previous ones when they overlap.
Willy Tarreaufc6c0322012-11-16 16:12:27 +0100539
Emeric Brunc8e8d122012-10-02 18:42:10 +0200540crt-base <dir>
541 Assigns a default directory to fetch SSL certificates from when a relative
542 path is used with "crtfile" directives. Absolute locations specified after
543 "crtfile" prevail and ignore "crt-base".
544
Willy Tarreau6a06a402007-07-15 20:15:28 +0200545daemon
546 Makes the process fork into background. This is the recommended mode of
547 operation. It is equivalent to the command line "-D" argument. It can be
548 disabled by the command line "-db" argument.
549
550gid <number>
551 Changes the process' group ID to <number>. It is recommended that the group
552 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
553 be started with a user belonging to this group, or with superuser privileges.
Michael Schererab012dd2013-01-12 18:35:19 +0100554 Note that if haproxy is started from a user having supplementary groups, it
555 will only be able to drop these groups if started with superuser privileges.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200556 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100557
Willy Tarreau6a06a402007-07-15 20:15:28 +0200558group <group name>
559 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
560 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100561
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200562log <address> <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200563 Adds a global syslog server. Up to two global servers can be defined. They
564 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100565 configured with "log global".
566
567 <address> can be one of:
568
Willy Tarreau2769aa02007-12-27 18:26:09 +0100569 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100570 no port is specified, 514 is used by default (the standard syslog
571 port).
572
David du Colombier24bb5f52011-03-17 10:40:23 +0100573 - An IPv6 address followed by a colon and optionally a UDP port. If
574 no port is specified, 514 is used by default (the standard syslog
575 port).
576
Robert Tsai81ae1952007-12-05 10:47:29 +0100577 - A filesystem path to a UNIX domain socket, keeping in mind
578 considerations for chroot (be sure the path is accessible inside
579 the chroot) and uid/gid (be sure the path is appropriately
580 writeable).
581
Willy Tarreaudad36a32013-03-11 01:20:04 +0100582 Any part of the address string may reference any number of environment
583 variables by preceding their name with a dollar sign ('$') and
584 optionally enclosing them with braces ('{}'), similarly to what is done
585 in Bourne shell.
586
Robert Tsai81ae1952007-12-05 10:47:29 +0100587 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200588
589 kern user mail daemon auth syslog lpr news
590 uucp cron auth2 ftp ntp audit alert cron2
591 local0 local1 local2 local3 local4 local5 local6 local7
592
593 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200594 all messages are sent. If a maximum level is specified, only messages with a
595 severity at least as important as this level will be sent. An optional minimum
596 level can be specified. If it is set, logs emitted with a more severe level
597 than this one will be capped to this level. This is used to avoid sending
598 "emerg" messages on all terminals on some default syslog configurations.
599 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200600
Cyril Bontédc4d9032012-04-08 21:57:39 +0200601 emerg alert crit err warning notice info debug
Willy Tarreau6a06a402007-07-15 20:15:28 +0200602
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100603log-send-hostname [<string>]
604 Sets the hostname field in the syslog header. If optional "string" parameter
605 is set the header is set to the string contents, otherwise uses the hostname
606 of the system. Generally used if one is not relaying logs through an
607 intermediate syslog server or for simply customizing the hostname printed in
608 the logs.
609
Kevinm48936af2010-12-22 16:08:21 +0000610log-tag <string>
611 Sets the tag field in the syslog header to this string. It defaults to the
612 program name as launched from the command line, which usually is "haproxy".
613 Sometimes it can be useful to differentiate between multiple processes
614 running on the same host.
615
Willy Tarreau6a06a402007-07-15 20:15:28 +0200616nbproc <number>
617 Creates <number> processes when going daemon. This requires the "daemon"
618 mode. By default, only one process is created, which is the recommended mode
619 of operation. For systems limited to small sets of file descriptors per
620 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
621 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
622
623pidfile <pidfile>
624 Writes pids of all daemons into file <pidfile>. This option is equivalent to
625 the "-p" command line argument. The file must be accessible to the user
626 starting the process. See also "daemon".
627
Willy Tarreaua9db57e2013-01-18 11:29:29 +0100628stats bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ...
Willy Tarreau35b7b162012-10-22 23:17:18 +0200629 Limits the stats socket to a certain set of processes numbers. By default the
630 stats socket is bound to all processes, causing a warning to be emitted when
631 nbproc is greater than 1 because there is no way to select the target process
632 when connecting. However, by using this setting, it becomes possible to pin
633 the stats socket to a specific set of processes, typically the first one. The
634 warning will automatically be disabled when this setting is used, whatever
Willy Tarreaua9db57e2013-01-18 11:29:29 +0100635 the number of processes used. The maximum process ID depends on the machine's
Willy Tarreauae302532014-05-07 19:22:24 +0200636 word size (32 or 64). A better option consists in using the "process" setting
637 of the "stats socket" line to force the process on each line.
Willy Tarreau35b7b162012-10-22 23:17:18 +0200638
Willy Tarreau610f04b2014-02-13 11:36:41 +0100639ssl-default-bind-ciphers <ciphers>
640 This setting is only available when support for OpenSSL was built in. It sets
641 the default string describing the list of cipher algorithms ("cipher suite")
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300642 that are negotiated during the SSL/TLS handshake for all "bind" lines which
Willy Tarreau610f04b2014-02-13 11:36:41 +0100643 do not explicitly define theirs. The format of the string is defined in
644 "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such
645 as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
646 "bind" keyword for more information.
647
648ssl-default-server-ciphers <ciphers>
649 This setting is only available when support for OpenSSL was built in. It
650 sets the default string describing the list of cipher algorithms that are
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300651 negotiated during the SSL/TLS handshake with the server, for all "server"
Willy Tarreau610f04b2014-02-13 11:36:41 +0100652 lines which do not explicitly define theirs. The format of the string is
653 defined in "man 1 ciphers". Please check the "server" keyword for more
654 information.
655
Emeric Brun850efd52014-01-29 12:24:34 +0100656ssl-server-verify [none|required]
657 The default behavior for SSL verify on servers side. If specified to 'none',
658 servers certificates are not verified. The default is 'required' except if
659 forced using cmdline option '-dV'.
660
Willy Tarreauabb175f2012-09-24 12:43:26 +0200661stats socket [<address:port>|<path>] [param*]
662 Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
663 Connections to this socket will return various statistics outputs and even
664 allow some commands to be issued to change some runtime settings. Please
665 consult section 9.2 "Unix Socket commands" for more details.
Willy Tarreau6162db22009-10-10 17:13:00 +0200666
Willy Tarreauabb175f2012-09-24 12:43:26 +0200667 All parameters supported by "bind" lines are supported, for instance to
668 restrict access to some users or their access rights. Please consult
669 section 5.1 for more information.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200670
671stats timeout <timeout, in milliseconds>
672 The default timeout on the stats socket is set to 10 seconds. It is possible
673 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100674 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200675
676stats maxconn <connections>
677 By default, the stats socket is limited to 10 concurrent connections. It is
678 possible to change this value with "stats maxconn".
679
Willy Tarreau6a06a402007-07-15 20:15:28 +0200680uid <number>
681 Changes the process' user ID to <number>. It is recommended that the user ID
682 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
683 be started with superuser privileges in order to be able to switch to another
684 one. See also "gid" and "user".
685
686ulimit-n <number>
687 Sets the maximum number of per-process file-descriptors to <number>. By
688 default, it is automatically computed, so it is recommended not to use this
689 option.
690
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100691unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ]
692 [ group <group> ] [ gid <gid> ]
693
694 Fixes common settings to UNIX listening sockets declared in "bind" statements.
695 This is mainly used to simplify declaration of those UNIX sockets and reduce
696 the risk of errors, since those settings are most commonly required but are
697 also process-specific. The <prefix> setting can be used to force all socket
698 path to be relative to that directory. This might be needed to access another
699 component's chroot. Note that those paths are resolved before haproxy chroots
700 itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid>
701 all have the same meaning as their homonyms used by the "bind" statement. If
702 both are specified, the "bind" statement has priority, meaning that the
703 "unix-bind" settings may be seen as process-wide default settings.
704
Willy Tarreau6a06a402007-07-15 20:15:28 +0200705user <user name>
706 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
707 See also "uid" and "group".
708
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200709node <name>
710 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
711
712 This statement is useful in HA configurations where two or more processes or
713 servers share the same IP address. By setting a different node-name on all
714 nodes, it becomes easy to immediately spot what server is handling the
715 traffic.
716
717description <text>
718 Add a text that describes the instance.
719
720 Please note that it is required to escape certain characters (# for example)
721 and this text is inserted into a html page so you should avoid using
722 "<" and ">" characters.
723
Willy Tarreau6a06a402007-07-15 20:15:28 +0200724
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007253.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200726-----------------------
727
Willy Tarreau1746eec2014-04-25 10:46:47 +0200728max-spread-checks <delay in milliseconds>
729 By default, haproxy tries to spread the start of health checks across the
730 smallest health check interval of all the servers in a farm. The principle is
731 to avoid hammering services running on the same server. But when using large
732 check intervals (10 seconds or more), the last servers in the farm take some
733 time before starting to be tested, which can be a problem. This parameter is
734 used to enforce an upper bound on delay between the first and the last check,
735 even if the servers' check intervals are larger. When servers run with
736 shorter intervals, their intervals will be respected though.
737
Willy Tarreau6a06a402007-07-15 20:15:28 +0200738maxconn <number>
739 Sets the maximum per-process number of concurrent connections to <number>. It
740 is equivalent to the command-line argument "-n". Proxies will stop accepting
741 connections when this limit is reached. The "ulimit-n" parameter is
Willy Tarreau8274e102014-06-19 15:31:25 +0200742 automatically adjusted according to this value. See also "ulimit-n". Note:
743 the "select" poller cannot reliably use more than 1024 file descriptors on
744 some platforms. If your platform only supports select and reports "select
745 FAILED" on startup, you need to reduce maxconn until it works (slightly
746 below 500 in general).
Willy Tarreau6a06a402007-07-15 20:15:28 +0200747
Willy Tarreau81c25d02011-09-07 15:17:21 +0200748maxconnrate <number>
749 Sets the maximum per-process number of connections per second to <number>.
750 Proxies will stop accepting connections when this limit is reached. It can be
751 used to limit the global capacity regardless of each frontend capacity. It is
752 important to note that this can only be used as a service protection measure,
753 as there will not necessarily be a fair share between frontends when the
754 limit is reached, so it's a good idea to also limit each frontend to some
755 value close to its expected share. Also, lowering tune.maxaccept can improve
756 fairness.
757
William Lallemandd85f9172012-11-09 17:05:39 +0100758maxcomprate <number>
759 Sets the maximum per-process input compression rate to <number> kilobytes
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300760 per second. For each session, if the maximum is reached, the compression
William Lallemandd85f9172012-11-09 17:05:39 +0100761 level will be decreased during the session. If the maximum is reached at the
762 beginning of a session, the session will not compress at all. If the maximum
763 is not reached, the compression level will be increased up to
764 tune.comp.maxlevel. A value of zero means there is no limit, this is the
765 default value.
766
William Lallemand072a2bf2012-11-20 17:01:01 +0100767maxcompcpuusage <number>
768 Sets the maximum CPU usage HAProxy can reach before stopping the compression
769 for new requests or decreasing the compression level of current requests.
770 It works like 'maxcomprate' but measures CPU usage instead of incoming data
771 bandwidth. The value is expressed in percent of the CPU used by haproxy. In
772 case of multiple processes (nbproc > 1), each process manages its individual
773 usage. A value of 100 disable the limit. The default value is 100. Setting
774 a lower value will prevent the compression work from slowing the whole
775 process down and from introducing high latencies.
776
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100777maxpipes <number>
778 Sets the maximum per-process number of pipes to <number>. Currently, pipes
779 are only used by kernel-based tcp splicing. Since a pipe contains two file
780 descriptors, the "ulimit-n" value will be increased accordingly. The default
781 value is maxconn/4, which seems to be more than enough for most heavy usages.
782 The splice code dynamically allocates and releases pipes, and can fall back
783 to standard copy, so setting this value too low may only impact performance.
784
Willy Tarreau93e7c002013-10-07 18:51:07 +0200785maxsessrate <number>
786 Sets the maximum per-process number of sessions per second to <number>.
787 Proxies will stop accepting connections when this limit is reached. It can be
788 used to limit the global capacity regardless of each frontend capacity. It is
789 important to note that this can only be used as a service protection measure,
790 as there will not necessarily be a fair share between frontends when the
791 limit is reached, so it's a good idea to also limit each frontend to some
792 value close to its expected share. Also, lowering tune.maxaccept can improve
793 fairness.
794
Willy Tarreau403edff2012-09-06 11:58:37 +0200795maxsslconn <number>
796 Sets the maximum per-process number of concurrent SSL connections to
797 <number>. By default there is no SSL-specific limit, which means that the
798 global maxconn setting will apply to all connections. Setting this limit
799 avoids having openssl use too much memory and crash when malloc returns NULL
800 (since it unfortunately does not reliably check for such conditions). Note
801 that the limit applies both to incoming and outgoing connections, so one
802 connection which is deciphered then ciphered accounts for 2 SSL connections.
803
Willy Tarreaue43d5322013-10-07 20:01:52 +0200804maxsslrate <number>
805 Sets the maximum per-process number of SSL sessions per second to <number>.
806 SSL listeners will stop accepting connections when this limit is reached. It
807 can be used to limit the global SSL CPU usage regardless of each frontend
808 capacity. It is important to note that this can only be used as a service
809 protection measure, as there will not necessarily be a fair share between
810 frontends when the limit is reached, so it's a good idea to also limit each
811 frontend to some value close to its expected share. It is also important to
812 note that the sessions are accounted before they enter the SSL stack and not
813 after, which also protects the stack against bad handshakes. Also, lowering
814 tune.maxaccept can improve fairness.
815
William Lallemand9d5f5482012-11-07 16:12:57 +0100816maxzlibmem <number>
817 Sets the maximum amount of RAM in megabytes per process usable by the zlib.
818 When the maximum amount is reached, future sessions will not compress as long
819 as RAM is unavailable. When sets to 0, there is no limit.
William Lallemande3a7d992012-11-20 11:25:20 +0100820 The default value is 0. The value is available in bytes on the UNIX socket
821 with "show info" on the line "MaxZlibMemUsage", the memory used by zlib is
822 "ZlibMemUsage" in bytes.
823
Willy Tarreau6a06a402007-07-15 20:15:28 +0200824noepoll
825 Disables the use of the "epoll" event polling system on Linux. It is
826 equivalent to the command-line argument "-de". The next polling system
Willy Tarreaue9f49e72012-11-11 17:42:00 +0100827 used will generally be "poll". See also "nopoll".
Willy Tarreau6a06a402007-07-15 20:15:28 +0200828
829nokqueue
830 Disables the use of the "kqueue" event polling system on BSD. It is
831 equivalent to the command-line argument "-dk". The next polling system
832 used will generally be "poll". See also "nopoll".
833
834nopoll
835 Disables the use of the "poll" event polling system. It is equivalent to the
836 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +0100837 It should never be needed to disable "poll" since it's available on all
Willy Tarreaue9f49e72012-11-11 17:42:00 +0100838 platforms supported by HAProxy. See also "nokqueue" and "noepoll".
Willy Tarreau6a06a402007-07-15 20:15:28 +0200839
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100840nosplice
841 Disables the use of kernel tcp splicing between sockets on Linux. It is
842 equivalent to the command line argument "-dS". Data will then be copied
843 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100844 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100845 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
846 be used. This option makes it easier to globally disable kernel splicing in
847 case of doubt. See also "option splice-auto", "option splice-request" and
848 "option splice-response".
849
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300850nogetaddrinfo
851 Disables the use of getaddrinfo(3) for name resolving. It is equivalent to
852 the command line argument "-dG". Deprecated gethostbyname(3) will be used.
853
Willy Tarreaufe255b72007-10-14 23:09:26 +0200854spread-checks <0..50, in percent>
Simon Hormand60d6912013-11-25 10:46:36 +0900855 Sometimes it is desirable to avoid sending agent and health checks to
856 servers at exact intervals, for instance when many logical servers are
857 located on the same physical server. With the help of this parameter, it
858 becomes possible to add some randomness in the check interval between 0
859 and +/- 50%. A value between 2 and 5 seems to show good results. The
860 default value remains at 0.
Willy Tarreaufe255b72007-10-14 23:09:26 +0200861
Willy Tarreau27a674e2009-08-17 07:23:33 +0200862tune.bufsize <number>
863 Sets the buffer size to this size (in bytes). Lower values allow more
864 sessions to coexist in the same amount of RAM, and higher values allow some
865 applications with very large cookies to work. The default value is 16384 and
866 can be changed at build time. It is strongly recommended not to change this
867 from the default value, as very low values will break some services such as
868 statistics, and values larger than default size will increase memory usage,
869 possibly causing the system to run out of memory. At least the global maxconn
870 parameter should be decreased by the same factor as this one is increased.
Dmitry Sivachenkof6f4f7b2012-10-21 18:10:25 +0400871 If HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will
872 return HTTP 400 (Bad Request) error. Similarly if an HTTP response is larger
873 than this size, haproxy will return HTTP 502 (Bad Gateway).
Willy Tarreau27a674e2009-08-17 07:23:33 +0200874
Willy Tarreau43961d52010-10-04 20:39:20 +0200875tune.chksize <number>
876 Sets the check buffer size to this size (in bytes). Higher values may help
877 find string or regex patterns in very large pages, though doing so may imply
878 more memory and CPU usage. The default value is 16384 and can be changed at
879 build time. It is not recommended to change this value, but to use better
880 checks whenever possible.
881
William Lallemandf3747832012-11-09 12:33:10 +0100882tune.comp.maxlevel <number>
883 Sets the maximum compression level. The compression level affects CPU
884 usage during compression. This value affects CPU usage during compression.
885 Each session using compression initializes the compression algorithm with
886 this value. The default value is 1.
887
Willy Tarreau193b8c62012-11-22 00:17:38 +0100888tune.http.cookielen <number>
889 Sets the maximum length of captured cookies. This is the maximum value that
890 the "capture cookie xxx len yyy" will be allowed to take, and any upper value
891 will automatically be truncated to this one. It is important not to set too
892 high a value because all cookie captures still allocate this size whatever
893 their configured value (they share a same pool). This value is per request
894 per response, so the memory allocated is twice this value per connection.
895 When not specified, the limit is set to 63 characters. It is recommended not
896 to change this value.
897
Willy Tarreauac1932d2011-10-24 19:14:41 +0200898tune.http.maxhdr <number>
899 Sets the maximum number of headers in a request. When a request comes with a
900 number of headers greater than this value (including the first line), it is
901 rejected with a "400 Bad Request" status code. Similarly, too large responses
902 are blocked with "502 Bad Gateway". The default value is 101, which is enough
903 for all usages, considering that the widely deployed Apache server uses the
904 same limit. It can be useful to push this limit further to temporarily allow
905 a buggy application to work by the time it gets fixed. Keep in mind that each
906 new header consumes 32bits of memory for each session, so don't push this
907 limit too high.
908
Willy Tarreau7e312732014-02-12 16:35:14 +0100909tune.idletimer <timeout>
910 Sets the duration after which haproxy will consider that an empty buffer is
911 probably associated with an idle stream. This is used to optimally adjust
912 some packet sizes while forwarding large and small data alternatively. The
913 decision to use splice() or to send large buffers in SSL is modulated by this
914 parameter. The value is in milliseconds between 0 and 65535. A value of zero
915 means that haproxy will not try to detect idle streams. The default is 1000,
916 which seems to correctly detect end user pauses (eg: read a page before
917 clicking). There should be not reason for changing this value. Please check
918 tune.ssl.maxrecord below.
919
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100920tune.maxaccept <number>
Willy Tarreau16a21472012-11-19 12:39:59 +0100921 Sets the maximum number of consecutive connections a process may accept in a
922 row before switching to other work. In single process mode, higher numbers
923 give better performance at high connection rates. However in multi-process
924 modes, keeping a bit of fairness between processes generally is better to
925 increase performance. This value applies individually to each listener, so
926 that the number of processes a listener is bound to is taken into account.
927 This value defaults to 64. In multi-process mode, it is divided by twice
928 the number of processes the listener is bound to. Setting this value to -1
929 completely disables the limitation. It should normally not be needed to tweak
930 this value.
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100931
932tune.maxpollevents <number>
933 Sets the maximum amount of events that can be processed at once in a call to
934 the polling system. The default value is adapted to the operating system. It
935 has been noticed that reducing it below 200 tends to slightly decrease
936 latency at the expense of network bandwidth, and increasing it above 200
937 tends to trade latency for slightly increased bandwidth.
938
Willy Tarreau27a674e2009-08-17 07:23:33 +0200939tune.maxrewrite <number>
940 Sets the reserved buffer space to this size in bytes. The reserved space is
941 used for header rewriting or appending. The first reads on sockets will never
942 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
943 bufsize, though that does not make much sense since there are rarely large
944 numbers of headers to add. Setting it too high prevents processing of large
945 requests or responses. Setting it too low prevents addition of new headers
946 to already large requests or to POST requests. It is generally wise to set it
947 to about 1024. It is automatically readjusted to half of bufsize if it is
948 larger than that. This means you don't have to worry about it when changing
949 bufsize.
950
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200951tune.pipesize <number>
952 Sets the kernel pipe buffer size to this size (in bytes). By default, pipes
953 are the default size for the system. But sometimes when using TCP splicing,
954 it can improve performance to increase pipe sizes, especially if it is
955 suspected that pipes are not filled and that many calls to splice() are
956 performed. This has an impact on the kernel's memory footprint, so this must
957 not be changed if impacts are not understood.
958
Willy Tarreaue803de22010-01-21 17:43:04 +0100959tune.rcvbuf.client <number>
960tune.rcvbuf.server <number>
961 Forces the kernel socket receive buffer size on the client or the server side
962 to the specified value in bytes. This value applies to all TCP/HTTP frontends
963 and backends. It should normally never be set, and the default size (0) lets
964 the kernel autotune this value depending on the amount of available memory.
965 However it can sometimes help to set it to very low values (eg: 4096) in
966 order to save kernel memory by preventing it from buffering too large amounts
967 of received data. Lower values will significantly increase CPU usage though.
968
969tune.sndbuf.client <number>
970tune.sndbuf.server <number>
971 Forces the kernel socket send buffer size on the client or the server side to
972 the specified value in bytes. This value applies to all TCP/HTTP frontends
973 and backends. It should normally never be set, and the default size (0) lets
974 the kernel autotune this value depending on the amount of available memory.
975 However it can sometimes help to set it to very low values (eg: 4096) in
976 order to save kernel memory by preventing it from buffering too large amounts
977 of received data. Lower values will significantly increase CPU usage though.
978 Another use case is to prevent write timeouts with extremely slow clients due
979 to the kernel waiting for a large part of the buffer to be read before
980 notifying haproxy again.
981
Willy Tarreau6ec58db2012-11-16 16:32:15 +0100982tune.ssl.cachesize <number>
Emeric Brunaf9619d2012-11-28 18:47:52 +0100983 Sets the size of the global SSL session cache, in a number of blocks. A block
984 is large enough to contain an encoded session without peer certificate.
985 An encoded session with peer certificate is stored in multiple blocks
Jarno Huuskonen0e82b922014-04-12 18:22:19 +0300986 depending on the size of the peer certificate. A block uses approximately
Emeric Brunaf9619d2012-11-28 18:47:52 +0100987 200 bytes of memory. The default value may be forced at build time, otherwise
988 defaults to 20000. When the cache is full, the most idle entries are purged
989 and reassigned. Higher values reduce the occurrence of such a purge, hence
990 the number of CPU-intensive SSL handshakes by ensuring that all users keep
991 their session as long as possible. All entries are pre-allocated upon startup
Emeric Brun22890a12012-12-28 14:41:32 +0100992 and are shared between all processes if "nbproc" is greater than 1. Setting
993 this value to 0 disables the SSL session cache.
Willy Tarreau6ec58db2012-11-16 16:32:15 +0100994
Emeric Brun8dc60392014-05-09 13:52:00 +0200995tune.ssl.force-private-cache
996 This boolean disables SSL session cache sharing between all processes. It
997 should normally not be used since it will force many renegotiations due to
998 clients hitting a random process. But it may be required on some operating
999 systems where none of the SSL cache synchronization method may be used. In
1000 this case, adding a first layer of hash-based load balancing before the SSL
1001 layer might limit the impact of the lack of session sharing.
1002
Emeric Brun4f65bff2012-11-16 15:11:00 +01001003tune.ssl.lifetime <timeout>
1004 Sets how long a cached SSL session may remain valid. This time is expressed
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001005 in seconds and defaults to 300 (5 min). It is important to understand that it
Emeric Brun4f65bff2012-11-16 15:11:00 +01001006 does not guarantee that sessions will last that long, because if the cache is
1007 full, the longest idle sessions will be purged despite their configured
1008 lifetime. The real usefulness of this setting is to prevent sessions from
1009 being used for too long.
1010
Willy Tarreaubfd59462013-02-21 07:46:09 +01001011tune.ssl.maxrecord <number>
1012 Sets the maximum amount of bytes passed to SSL_write() at a time. Default
1013 value 0 means there is no limit. Over SSL/TLS, the client can decipher the
1014 data only once it has received a full record. With large records, it means
1015 that clients might have to download up to 16kB of data before starting to
1016 process them. Limiting the value can improve page load times on browsers
1017 located over high latency or low bandwidth networks. It is suggested to find
1018 optimal values which fit into 1 or 2 TCP segments (generally 1448 bytes over
1019 Ethernet with TCP timestamps enabled, or 1460 when timestamps are disabled),
1020 keeping in mind that SSL/TLS add some overhead. Typical values of 1419 and
1021 2859 gave good results during tests. Use "strace -e trace=write" to find the
Willy Tarreau7e312732014-02-12 16:35:14 +01001022 best value. Haproxy will automatically switch to this setting after an idle
1023 stream has been detected (see tune.idletimer above).
Willy Tarreaubfd59462013-02-21 07:46:09 +01001024
Remi Gacognef46cd6e2014-06-12 14:58:40 +02001025tune.ssl.default-dh-param <number>
1026 Sets the maximum size of the Diffie-Hellman parameters used for generating
1027 the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The
1028 final size will try to match the size of the server's RSA (or DSA) key (e.g,
1029 a 2048 bits temporary DH key for a 2048 bits RSA key), but will not exceed
1030 this maximum value. Default value if 1024. Only 1024 or higher values are
1031 allowed. Higher values will increase the CPU load, and values greater than
1032 1024 bits are not supported by Java 7 and earlier clients. This value is not
1033 used if static Diffie-Hellman parameters are supplied via the certificate file.
1034
William Lallemanda509e4c2012-11-07 16:54:34 +01001035tune.zlib.memlevel <number>
1036 Sets the memLevel parameter in zlib initialization for each session. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001037 defines how much memory should be allocated for the internal compression
William Lallemanda509e4c2012-11-07 16:54:34 +01001038 state. A value of 1 uses minimum memory but is slow and reduces compression
1039 ratio, a value of 9 uses maximum memory for optimal speed. Can be a value
1040 between 1 and 9. The default value is 8.
1041
1042tune.zlib.windowsize <number>
1043 Sets the window size (the size of the history buffer) as a parameter of the
1044 zlib initialization for each session. Larger values of this parameter result
1045 in better compression at the expense of memory usage. Can be a value between
1046 8 and 15. The default value is 15.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001047
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010483.3. Debugging
1049--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02001050
1051debug
1052 Enables debug mode which dumps to stdout all exchanges, and disables forking
1053 into background. It is the equivalent of the command-line argument "-d". It
1054 should never be used in a production configuration since it may prevent full
1055 system startup.
1056
1057quiet
1058 Do not display any message during startup. It is equivalent to the command-
1059 line argument "-q".
1060
Emeric Brunf099e792010-09-27 12:05:28 +02001061
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010010623.4. Userlists
1063--------------
1064It is possible to control access to frontend/backend/listen sections or to
1065http stats by allowing only authenticated and authorized users. To do this,
1066it is required to create at least one userlist and to define users.
1067
1068userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +01001069 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001070 used to store authentication & authorization data for independent customers.
1071
1072group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +01001073 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001074 attach users to this group by using a comma separated list of names
1075 proceeded by "users" keyword.
1076
Cyril Bontéf0c60612010-02-06 14:44:47 +01001077user <username> [password|insecure-password <password>]
1078 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001079 Adds user <username> to the current userlist. Both secure (encrypted) and
1080 insecure (unencrypted) passwords can be used. Encrypted passwords are
Cyril Bonté78caf842010-03-10 22:41:43 +01001081 evaluated using the crypt(3) function so depending of the system's
1082 capabilities, different algorithms are supported. For example modern Glibc
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001083 based Linux system supports MD5, SHA-256, SHA-512 and of course classic,
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001084 DES-based method of encrypting passwords.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001085
1086
1087 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +01001088 userlist L1
1089 group G1 users tiger,scott
1090 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001091
Cyril Bontéf0c60612010-02-06 14:44:47 +01001092 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
1093 user scott insecure-password elgato
1094 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001095
Cyril Bontéf0c60612010-02-06 14:44:47 +01001096 userlist L2
1097 group G1
1098 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001099
Cyril Bontéf0c60612010-02-06 14:44:47 +01001100 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
1101 user scott insecure-password elgato groups G1,G2
1102 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01001103
1104 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001105
Emeric Brunf099e792010-09-27 12:05:28 +02001106
11073.5. Peers
Cyril Bontédc4d9032012-04-08 21:57:39 +02001108----------
Emeric Brunf099e792010-09-27 12:05:28 +02001109It is possible to synchronize server entries in stick tables between several
1110haproxy instances over TCP connections in a multi-master fashion. Each instance
1111pushes its local updates and insertions to remote peers. Server IDs are used to
1112identify servers remotely, so it is important that configurations look similar
1113or at least that the same IDs are forced on each server on all participants.
1114Interrupted exchanges are automatically detected and recovered from the last
1115known point. In addition, during a soft restart, the old process connects to
1116the new one using such a TCP connection to push all its entries before the new
1117process tries to connect to other peers. That ensures very fast replication
1118during a reload, it typically takes a fraction of a second even for large
1119tables.
1120
1121peers <peersect>
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001122 Creates a new peer list with name <peersect>. It is an independent section,
Emeric Brunf099e792010-09-27 12:05:28 +02001123 which is referenced by one or more stick-tables.
1124
1125peer <peername> <ip>:<port>
1126 Defines a peer inside a peers section.
1127 If <peername> is set to the local peer name (by default hostname, or forced
1128 using "-L" command line option), haproxy will listen for incoming remote peer
1129 connection on <ip>:<port>. Otherwise, <ip>:<port> defines where to connect to
1130 to join the remote peer, and <peername> is used at the protocol level to
1131 identify and validate the remote peer on the server side.
1132
1133 During a soft restart, local peer <ip>:<port> is used by the old instance to
1134 connect the new one and initiate a complete replication (teaching process).
1135
1136 It is strongly recommended to have the exact same peers declaration on all
1137 peers and to only rely on the "-L" command line argument to change the local
1138 peer name. This makes it easier to maintain coherent configuration files
1139 across all peers.
1140
Willy Tarreaudad36a32013-03-11 01:20:04 +01001141 Any part of the address string may reference any number of environment
1142 variables by preceding their name with a dollar sign ('$') and optionally
1143 enclosing them with braces ('{}'), similarly to what is done in Bourne shell.
1144
Cyril Bontédc4d9032012-04-08 21:57:39 +02001145 Example:
Emeric Brunf099e792010-09-27 12:05:28 +02001146 peers mypeers
Willy Tarreauf7b30a92010-12-06 22:59:17 +01001147 peer haproxy1 192.168.0.1:1024
1148 peer haproxy2 192.168.0.2:1024
1149 peer haproxy3 10.2.0.1:1024
Emeric Brunf099e792010-09-27 12:05:28 +02001150
1151 backend mybackend
1152 mode tcp
1153 balance roundrobin
1154 stick-table type ip size 20k peers mypeers
1155 stick on src
1156
Willy Tarreauf7b30a92010-12-06 22:59:17 +01001157 server srv1 192.168.0.30:80
1158 server srv2 192.168.0.31:80
Emeric Brunf099e792010-09-27 12:05:28 +02001159
1160
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011614. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +02001162----------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001163
Willy Tarreau6a06a402007-07-15 20:15:28 +02001164Proxy configuration can be located in a set of sections :
1165 - defaults <name>
1166 - frontend <name>
1167 - backend <name>
1168 - listen <name>
1169
1170A "defaults" section sets default parameters for all other sections following
1171its declaration. Those default parameters are reset by the next "defaults"
1172section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +01001173section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001174
1175A "frontend" section describes a set of listening sockets accepting client
1176connections.
1177
1178A "backend" section describes a set of servers to which the proxy will connect
1179to forward incoming connections.
1180
1181A "listen" section defines a complete proxy with its frontend and backend
1182parts combined in one section. It is generally useful for TCP-only traffic.
1183
Willy Tarreau0ba27502007-12-24 16:55:16 +01001184All proxy names must be formed from upper and lower case letters, digits,
1185'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
1186case-sensitive, which means that "www" and "WWW" are two different proxies.
1187
1188Historically, all proxy names could overlap, it just caused troubles in the
1189logs. Since the introduction of content switching, it is mandatory that two
1190proxies with overlapping capabilities (frontend/backend) have different names.
1191However, it is still permitted that a frontend and a backend share the same
1192name, as this configuration seems to be commonly encountered.
1193
1194Right now, two major proxy modes are supported : "tcp", also known as layer 4,
1195and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001196bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +01001197protocol, and can interact with it by allowing, blocking, switching, adding,
1198modifying, or removing arbitrary contents in requests or responses, based on
1199arbitrary criteria.
1200
Willy Tarreau70dffda2014-01-30 03:07:23 +01001201In HTTP mode, the processing applied to requests and responses flowing over
1202a connection depends in the combination of the frontend's HTTP options and
1203the backend's. HAProxy supports 5 connection modes :
1204
1205 - KAL : keep alive ("option http-keep-alive") which is the default mode : all
1206 requests and responses are processed, and connections remain open but idle
1207 between responses and new requests.
1208
1209 - TUN: tunnel ("option http-tunnel") : this was the default mode for versions
1210 1.0 to 1.5-dev21 : only the first request and response are processed, and
1211 everything else is forwarded with no analysis at all. This mode should not
1212 be used as it creates lots of trouble with logging and HTTP processing.
1213
1214 - PCL: passive close ("option httpclose") : exactly the same as tunnel mode,
1215 but with "Connection: close" appended in both directions to try to make
1216 both ends close after the first request/response exchange.
1217
1218 - SCL: server close ("option http-server-close") : the server-facing
1219 connection is closed after the end of the response is received, but the
1220 client-facing connection remains open.
1221
1222 - FCL: forced close ("option forceclose") : the connection is actively closed
1223 after the end of the response.
1224
1225The effective mode that will be applied to a connection passing through a
1226frontend and a backend can be determined by both proxy modes according to the
1227following matrix, but in short, the modes are symmetric, keep-alive is the
1228weakest option and force close is the strongest.
1229
1230 Backend mode
1231
1232 | KAL | TUN | PCL | SCL | FCL
1233 ----+-----+-----+-----+-----+----
1234 KAL | KAL | TUN | PCL | SCL | FCL
1235 ----+-----+-----+-----+-----+----
1236 TUN | TUN | TUN | PCL | SCL | FCL
1237 Frontend ----+-----+-----+-----+-----+----
1238 mode PCL | PCL | PCL | PCL | FCL | FCL
1239 ----+-----+-----+-----+-----+----
1240 SCL | SCL | SCL | FCL | SCL | FCL
1241 ----+-----+-----+-----+-----+----
1242 FCL | FCL | FCL | FCL | FCL | FCL
1243
Willy Tarreau0ba27502007-12-24 16:55:16 +01001244
Willy Tarreau70dffda2014-01-30 03:07:23 +01001245
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012464.1. Proxy keywords matrix
1247--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001248
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001249The following list of keywords is supported. Most of them may only be used in a
1250limited set of section types. Some of them are marked as "deprecated" because
1251they are inherited from an old syntax which may be confusing or functionally
1252limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001253marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001254option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +02001255and must be disabled for a specific instance. Such options may also be prefixed
1256with "default" in order to restore default settings regardless of what has been
1257specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001258
Willy Tarreau6a06a402007-07-15 20:15:28 +02001259
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001260 keyword defaults frontend listen backend
1261------------------------------------+----------+----------+---------+---------
1262acl - X X X
1263appsession - - X X
1264backlog X X X -
1265balance X - X X
1266bind - X X -
1267bind-process X X X X
1268block - X X X
1269capture cookie - X X -
1270capture request header - X X -
1271capture response header - X X -
1272clitimeout (deprecated) X X X -
William Lallemand82fe75c2012-10-23 10:25:10 +02001273compression X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001274contimeout (deprecated) X - X X
1275cookie X - X X
1276default-server X - X X
1277default_backend X X X -
1278description - X X X
1279disabled X X X X
1280dispatch - - X X
1281enabled X X X X
1282errorfile X X X X
1283errorloc X X X X
1284errorloc302 X X X X
1285-- keyword -------------------------- defaults - frontend - listen -- backend -
1286errorloc303 X X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001287force-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001288fullconn X - X X
1289grace X X X X
1290hash-type X - X X
1291http-check disable-on-404 X - X X
Willy Tarreaubd741542010-03-16 18:46:54 +01001292http-check expect - - X X
Willy Tarreau7ab6aff2010-10-12 06:30:16 +02001293http-check send-state X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001294http-request - X X X
Willy Tarreaue365c0b2013-06-11 16:06:12 +02001295http-response - X X X
Baptiste Assmann2c42ef52013-10-09 21:57:02 +02001296http-send-name-header - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001297id - X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001298ignore-persist - X X X
William Lallemand0f99e342011-10-12 17:50:54 +02001299log (*) X X X X
Willy Tarreauc35362a2014-04-25 13:58:37 +02001300max-keep-alive-queue X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001301maxconn X X X -
1302mode X X X X
1303monitor fail - X X -
1304monitor-net X X X -
1305monitor-uri X X X -
1306option abortonclose (*) X - X X
1307option accept-invalid-http-request (*) X X X -
1308option accept-invalid-http-response (*) X - X X
1309option allbackups (*) X - X X
1310option checkcache (*) X - X X
1311option clitcpka (*) X X X -
1312option contstats (*) X X X -
1313option dontlog-normal (*) X X X -
1314option dontlognull (*) X X X -
1315option forceclose (*) X X X X
1316-- keyword -------------------------- defaults - frontend - listen -- backend -
1317option forwardfor X X X X
Willy Tarreau16bfb022010-01-16 19:48:41 +01001318option http-keep-alive (*) X X X X
Willy Tarreau96e31212011-05-30 18:10:30 +02001319option http-no-delay (*) X X X X
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02001320option http-pretend-keepalive (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001321option http-server-close (*) X X X X
Willy Tarreau02bce8b2014-01-30 00:15:28 +01001322option http-tunnel (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001323option http-use-proxy-header (*) X X X -
1324option httpchk X - X X
1325option httpclose (*) X X X X
1326option httplog X X X X
1327option http_proxy (*) X X X X
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001328option independent-streams (*) X X X X
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02001329option ldap-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001330option log-health-checks (*) X - X X
1331option log-separate-errors (*) X X X -
1332option logasap (*) X X X -
1333option mysql-check X - X X
Rauf Kuliyev38b41562011-01-04 15:14:13 +01001334option pgsql-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001335option nolinger (*) X X X X
1336option originalto X X X X
1337option persist (*) X - X X
1338option redispatch (*) X - X X
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02001339option redis-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001340option smtpchk X - X X
1341option socket-stats (*) X X X -
1342option splice-auto (*) X X X X
1343option splice-request (*) X X X X
1344option splice-response (*) X X X X
1345option srvtcpka (*) X - X X
1346option ssl-hello-chk X - X X
1347-- keyword -------------------------- defaults - frontend - listen -- backend -
Willy Tarreaued179852013-12-16 01:07:00 +01001348option tcp-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001349option tcp-smart-accept (*) X X X -
1350option tcp-smart-connect (*) X - X X
1351option tcpka X X X X
1352option tcplog X X X X
1353option transparent (*) X - X X
1354persist rdp-cookie X - X X
1355rate-limit sessions X X X -
1356redirect - X X X
1357redisp (deprecated) X - X X
1358redispatch (deprecated) X - X X
1359reqadd - X X X
1360reqallow - X X X
1361reqdel - X X X
1362reqdeny - X X X
1363reqiallow - X X X
1364reqidel - X X X
1365reqideny - X X X
1366reqipass - X X X
1367reqirep - X X X
1368reqisetbe - X X X
1369reqitarpit - X X X
1370reqpass - X X X
1371reqrep - X X X
1372-- keyword -------------------------- defaults - frontend - listen -- backend -
1373reqsetbe - X X X
1374reqtarpit - X X X
1375retries X - X X
1376rspadd - X X X
1377rspdel - X X X
1378rspdeny - X X X
1379rspidel - X X X
1380rspideny - X X X
1381rspirep - X X X
1382rsprep - X X X
1383server - - X X
1384source X - X X
1385srvtimeout (deprecated) X - X X
Cyril Bonté66c327d2010-10-12 00:14:37 +02001386stats admin - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001387stats auth X - X X
1388stats enable X - X X
1389stats hide-version X - X X
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02001390stats http-request - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001391stats realm X - X X
1392stats refresh X - X X
1393stats scope X - X X
1394stats show-desc X - X X
1395stats show-legends X - X X
1396stats show-node X - X X
1397stats uri X - X X
1398-- keyword -------------------------- defaults - frontend - listen -- backend -
1399stick match - - X X
1400stick on - - X X
1401stick store-request - - X X
Willy Tarreaud8dc99f2011-07-01 11:33:25 +02001402stick store-response - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001403stick-table - - X X
Willy Tarreau938c7fe2014-04-25 14:21:39 +02001404tcp-check connect - - X X
1405tcp-check expect - - X X
1406tcp-check send - - X X
1407tcp-check send-binary - - X X
Willy Tarreaue9656522010-08-17 15:40:09 +02001408tcp-request connection - X X -
1409tcp-request content - X X X
Willy Tarreaua56235c2010-09-14 11:31:36 +02001410tcp-request inspect-delay - X X X
Emeric Brun0a3b67f2010-09-24 15:34:53 +02001411tcp-response content - - X X
1412tcp-response inspect-delay - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001413timeout check X - X X
1414timeout client X X X -
Willy Tarreau05cdd962014-05-10 14:30:07 +02001415timeout client-fin X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001416timeout clitimeout (deprecated) X X X -
1417timeout connect X - X X
1418timeout contimeout (deprecated) X - X X
1419timeout http-keep-alive X X X X
1420timeout http-request X X X X
1421timeout queue X - X X
1422timeout server X - X X
Willy Tarreau05cdd962014-05-10 14:30:07 +02001423timeout server-fin X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001424timeout srvtimeout (deprecated) X - X X
1425timeout tarpit X X X X
Willy Tarreauce887fd2012-05-12 12:50:00 +02001426timeout tunnel X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001427transparent (deprecated) X - X X
William Lallemanda73203e2012-03-12 12:48:57 +01001428unique-id-format X X X -
1429unique-id-header X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001430use_backend - X X -
Willy Tarreau4a5cade2012-04-05 21:09:48 +02001431use-server - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001432------------------------------------+----------+----------+---------+---------
1433 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +02001434
Willy Tarreau0ba27502007-12-24 16:55:16 +01001435
Willy Tarreauc57f0e22009-05-10 13:12:33 +020014364.2. Alphabetically sorted keywords reference
1437---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001438
1439This section provides a description of each keyword and its usage.
1440
1441
1442acl <aclname> <criterion> [flags] [operator] <value> ...
1443 Declare or complete an access list.
1444 May be used in sections : defaults | frontend | listen | backend
1445 no | yes | yes | yes
1446 Example:
1447 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1448 acl invalid_src src_port 0:1023
1449 acl local_dst hdr(host) -i localhost
1450
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001451 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001452
1453
Cyril Bontéb21570a2009-11-29 20:04:48 +01001454appsession <cookie> len <length> timeout <holdtime>
1455 [request-learn] [prefix] [mode <path-parameters|query-string>]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001456 Define session stickiness on an existing application cookie.
1457 May be used in sections : defaults | frontend | listen | backend
1458 no | no | yes | yes
1459 Arguments :
1460 <cookie> this is the name of the cookie used by the application and which
1461 HAProxy will have to learn for each new session.
1462
Cyril Bontéb21570a2009-11-29 20:04:48 +01001463 <length> this is the max number of characters that will be memorized and
Willy Tarreau0ba27502007-12-24 16:55:16 +01001464 checked in each cookie value.
1465
1466 <holdtime> this is the time after which the cookie will be removed from
1467 memory if unused. If no unit is specified, this time is in
1468 milliseconds.
1469
Cyril Bontébf47aeb2009-10-15 00:15:40 +02001470 request-learn
1471 If this option is specified, then haproxy will be able to learn
1472 the cookie found in the request in case the server does not
1473 specify any in response. This is typically what happens with
1474 PHPSESSID cookies, or when haproxy's session expires before
1475 the application's session and the correct server is selected.
1476 It is recommended to specify this option to improve reliability.
1477
Cyril Bontéb21570a2009-11-29 20:04:48 +01001478 prefix When this option is specified, haproxy will match on the cookie
1479 prefix (or URL parameter prefix). The appsession value is the
1480 data following this prefix.
1481
1482 Example :
1483 appsession ASPSESSIONID len 64 timeout 3h prefix
1484
1485 This will match the cookie ASPSESSIONIDXXXX=XXXXX,
1486 the appsession value will be XXXX=XXXXX.
1487
1488 mode This option allows to change the URL parser mode.
1489 2 modes are currently supported :
1490 - path-parameters :
1491 The parser looks for the appsession in the path parameters
1492 part (each parameter is separated by a semi-colon), which is
1493 convenient for JSESSIONID for example.
1494 This is the default mode if the option is not set.
1495 - query-string :
1496 In this mode, the parser will look for the appsession in the
1497 query string.
1498
Willy Tarreau0ba27502007-12-24 16:55:16 +01001499 When an application cookie is defined in a backend, HAProxy will check when
1500 the server sets such a cookie, and will store its value in a table, and
1501 associate it with the server's identifier. Up to <length> characters from
1502 the value will be retained. On each connection, haproxy will look for this
Cyril Bontéb21570a2009-11-29 20:04:48 +01001503 cookie both in the "Cookie:" headers, and as a URL parameter (depending on
1504 the mode used). If a known value is found, the client will be directed to the
1505 server associated with this value. Otherwise, the load balancing algorithm is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001506 applied. Cookies are automatically removed from memory when they have been
1507 unused for a duration longer than <holdtime>.
1508
1509 The definition of an application cookie is limited to one per backend.
1510
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001511 Note : Consider not using this feature in multi-process mode (nbproc > 1)
1512 unless you know what you do : memory is not shared between the
1513 processes, which can result in random behaviours.
1514
Willy Tarreau0ba27502007-12-24 16:55:16 +01001515 Example :
1516 appsession JSESSIONID len 52 timeout 3h
1517
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001518 See also : "cookie", "capture cookie", "balance", "stick", "stick-table",
1519 "ignore-persist", "nbproc" and "bind-process".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001520
1521
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001522backlog <conns>
1523 Give hints to the system about the approximate listen backlog desired size
1524 May be used in sections : defaults | frontend | listen | backend
1525 yes | yes | yes | no
1526 Arguments :
1527 <conns> is the number of pending connections. Depending on the operating
1528 system, it may represent the number of already acknowledged
Cyril Bontédc4d9032012-04-08 21:57:39 +02001529 connections, of non-acknowledged ones, or both.
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001530
1531 In order to protect against SYN flood attacks, one solution is to increase
1532 the system's SYN backlog size. Depending on the system, sometimes it is just
1533 tunable via a system parameter, sometimes it is not adjustable at all, and
1534 sometimes the system relies on hints given by the application at the time of
1535 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1536 to the listen() syscall. On systems which can make use of this value, it can
1537 sometimes be useful to be able to specify a different value, hence this
1538 backlog parameter.
1539
1540 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1541 used as a hint and the system accepts up to the smallest greater power of
1542 two, and never more than some limits (usually 32768).
1543
1544 See also : "maxconn" and the target operating system's tuning guide.
1545
1546
Willy Tarreau0ba27502007-12-24 16:55:16 +01001547balance <algorithm> [ <arguments> ]
Willy Tarreau226071e2014-04-10 11:55:45 +02001548balance url_param <param> [check_post]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001549 Define the load balancing algorithm to be used in a backend.
1550 May be used in sections : defaults | frontend | listen | backend
1551 yes | no | yes | yes
1552 Arguments :
1553 <algorithm> is the algorithm used to select a server when doing load
1554 balancing. This only applies when no persistence information
1555 is available, or when a connection is redispatched to another
1556 server. <algorithm> may be one of the following :
1557
1558 roundrobin Each server is used in turns, according to their weights.
1559 This is the smoothest and fairest algorithm when the server's
1560 processing time remains equally distributed. This algorithm
1561 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02001562 on the fly for slow starts for instance. It is limited by
Godbacha34bdc02013-07-22 07:44:53 +08001563 design to 4095 active servers per backend. Note that in some
Willy Tarreau9757a382009-10-03 12:56:50 +02001564 large farms, when a server becomes up after having been down
1565 for a very short time, it may sometimes take a few hundreds
1566 requests for it to be re-integrated into the farm and start
1567 receiving traffic. This is normal, though very rare. It is
1568 indicated here in case you would have the chance to observe
1569 it, so that you don't worry.
1570
1571 static-rr Each server is used in turns, according to their weights.
1572 This algorithm is as similar to roundrobin except that it is
1573 static, which means that changing a server's weight on the
1574 fly will have no effect. On the other hand, it has no design
1575 limitation on the number of servers, and when a server goes
1576 up, it is always immediately reintroduced into the farm, once
1577 the full map is recomputed. It also uses slightly less CPU to
1578 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01001579
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01001580 leastconn The server with the lowest number of connections receives the
1581 connection. Round-robin is performed within groups of servers
1582 of the same load to ensure that all servers will be used. Use
1583 of this algorithm is recommended where very long sessions are
1584 expected, such as LDAP, SQL, TSE, etc... but is not very well
1585 suited for protocols using short sessions such as HTTP. This
1586 algorithm is dynamic, which means that server weights may be
1587 adjusted on the fly for slow starts for instance.
1588
Willy Tarreauf09c6602012-02-13 17:12:08 +01001589 first The first server with available connection slots receives the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03001590 connection. The servers are chosen from the lowest numeric
Willy Tarreauf09c6602012-02-13 17:12:08 +01001591 identifier to the highest (see server parameter "id"), which
1592 defaults to the server's position in the farm. Once a server
Willy Tarreau64559c52012-04-07 09:08:45 +02001593 reaches its maxconn value, the next server is used. It does
Willy Tarreauf09c6602012-02-13 17:12:08 +01001594 not make sense to use this algorithm without setting maxconn.
1595 The purpose of this algorithm is to always use the smallest
1596 number of servers so that extra servers can be powered off
1597 during non-intensive hours. This algorithm ignores the server
1598 weight, and brings more benefit to long session such as RDP
Willy Tarreau64559c52012-04-07 09:08:45 +02001599 or IMAP than HTTP, though it can be useful there too. In
1600 order to use this algorithm efficiently, it is recommended
1601 that a cloud controller regularly checks server usage to turn
1602 them off when unused, and regularly checks backend queue to
1603 turn new servers on when the queue inflates. Alternatively,
1604 using "http-check send-state" may inform servers on the load.
Willy Tarreauf09c6602012-02-13 17:12:08 +01001605
Willy Tarreau0ba27502007-12-24 16:55:16 +01001606 source The source IP address is hashed and divided by the total
1607 weight of the running servers to designate which server will
1608 receive the request. This ensures that the same client IP
1609 address will always reach the same server as long as no
1610 server goes down or up. If the hash result changes due to the
1611 number of running servers changing, many clients will be
1612 directed to a different server. This algorithm is generally
1613 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001614 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01001615 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001616 static by default, which means that changing a server's
1617 weight on the fly will have no effect, but this can be
1618 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001619
Oskar Stolc8dc41842012-05-19 10:19:54 +01001620 uri This algorithm hashes either the left part of the URI (before
1621 the question mark) or the whole URI (if the "whole" parameter
1622 is present) and divides the hash value by the total weight of
1623 the running servers. The result designates which server will
1624 receive the request. This ensures that the same URI will
1625 always be directed to the same server as long as no server
1626 goes up or down. This is used with proxy caches and
1627 anti-virus proxies in order to maximize the cache hit rate.
1628 Note that this algorithm may only be used in an HTTP backend.
1629 This algorithm is static by default, which means that
1630 changing a server's weight on the fly will have no effect,
1631 but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001632
Oskar Stolc8dc41842012-05-19 10:19:54 +01001633 This algorithm supports two optional parameters "len" and
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001634 "depth", both followed by a positive integer number. These
1635 options may be helpful when it is needed to balance servers
1636 based on the beginning of the URI only. The "len" parameter
1637 indicates that the algorithm should only consider that many
1638 characters at the beginning of the URI to compute the hash.
1639 Note that having "len" set to 1 rarely makes sense since most
1640 URIs start with a leading "/".
1641
1642 The "depth" parameter indicates the maximum directory depth
1643 to be used to compute the hash. One level is counted for each
1644 slash in the request. If both parameters are specified, the
1645 evaluation stops when either is reached.
1646
Willy Tarreau0ba27502007-12-24 16:55:16 +01001647 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001648 the query string of each HTTP GET request.
1649
1650 If the modifier "check_post" is used, then an HTTP POST
Cyril Bontédc4d9032012-04-08 21:57:39 +02001651 request entity will be searched for the parameter argument,
1652 when it is not found in a query string after a question mark
Willy Tarreau226071e2014-04-10 11:55:45 +02001653 ('?') in the URL. The message body will only start to be
1654 analyzed once either the advertised amount of data has been
1655 received or the request buffer is full. In the unlikely event
1656 that chunked encoding is used, only the first chunk is
Cyril Bontédc4d9032012-04-08 21:57:39 +02001657 scanned. Parameter values separated by a chunk boundary, may
Willy Tarreau226071e2014-04-10 11:55:45 +02001658 be randomly balanced if at all. This keyword used to support
1659 an optional <max_wait> parameter which is now ignored.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001660
1661 If the parameter is found followed by an equal sign ('=') and
1662 a value, then the value is hashed and divided by the total
1663 weight of the running servers. The result designates which
1664 server will receive the request.
1665
1666 This is used to track user identifiers in requests and ensure
1667 that a same user ID will always be sent to the same server as
1668 long as no server goes up or down. If no value is found or if
1669 the parameter is not found, then a round robin algorithm is
1670 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001671 backend. This algorithm is static by default, which means
1672 that changing a server's weight on the fly will have no
1673 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001674
Cyril Bontédc4d9032012-04-08 21:57:39 +02001675 hdr(<name>) The HTTP header <name> will be looked up in each HTTP
1676 request. Just as with the equivalent ACL 'hdr()' function,
1677 the header name in parenthesis is not case sensitive. If the
1678 header is absent or if it does not contain any value, the
1679 roundrobin algorithm is applied instead.
Benoitaffb4812009-03-25 13:02:10 +01001680
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001681 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01001682 reducing the hash algorithm to the main domain part with some
1683 specific headers such as 'Host'. For instance, in the Host
1684 value "haproxy.1wt.eu", only "1wt" will be considered.
1685
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001686 This algorithm is static by default, which means that
1687 changing a server's weight on the fly will have no effect,
1688 but this can be changed using "hash-type".
1689
Emeric Brun736aa232009-06-30 17:56:00 +02001690 rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02001691 rdp-cookie(<name>)
Emeric Brun736aa232009-06-30 17:56:00 +02001692 The RDP cookie <name> (or "mstshash" if omitted) will be
1693 looked up and hashed for each incoming TCP request. Just as
1694 with the equivalent ACL 'req_rdp_cookie()' function, the name
1695 is not case-sensitive. This mechanism is useful as a degraded
1696 persistence mode, as it makes it possible to always send the
1697 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001698 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02001699 used instead.
1700
1701 Note that for this to work, the frontend must ensure that an
1702 RDP cookie is already present in the request buffer. For this
1703 you must use 'tcp-request content accept' rule combined with
1704 a 'req_rdp_cookie_cnt' ACL.
1705
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001706 This algorithm is static by default, which means that
1707 changing a server's weight on the fly will have no effect,
1708 but this can be changed using "hash-type".
1709
Cyril Bontédc4d9032012-04-08 21:57:39 +02001710 See also the rdp_cookie pattern fetch function.
Simon Hormanab814e02011-06-24 14:50:20 +09001711
Willy Tarreau0ba27502007-12-24 16:55:16 +01001712 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001713 algorithms. Right now, only "url_param" and "uri" support an
1714 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001715
Willy Tarreau3cd9af22009-03-15 14:06:41 +01001716 The load balancing algorithm of a backend is set to roundrobin when no other
1717 algorithm, mode nor option have been set. The algorithm may only be set once
1718 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001719
1720 Examples :
1721 balance roundrobin
1722 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001723 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01001724 balance hdr(User-Agent)
1725 balance hdr(host)
1726 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001727
1728 Note: the following caveats and limitations on using the "check_post"
1729 extension with "url_param" must be considered :
1730
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001731 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001732 to determine if the parameters will be found in the body or entity which
1733 may contain binary data. Therefore another method may be required to
1734 restrict consideration of POST requests that have no URL parameters in
1735 the body. (see acl reqideny http_end)
1736
1737 - using a <max_wait> value larger than the request buffer size does not
1738 make sense and is useless. The buffer size is set at build time, and
1739 defaults to 16 kB.
1740
1741 - Content-Encoding is not supported, the parameter search will probably
1742 fail; and load balancing will fall back to Round Robin.
1743
1744 - Expect: 100-continue is not supported, load balancing will fall back to
1745 Round Robin.
1746
1747 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
1748 If the entire parameter value is not present in the first chunk, the
1749 selection of server is undefined (actually, defined by how little
1750 actually appeared in the first chunk).
1751
1752 - This feature does not support generation of a 100, 411 or 501 response.
1753
1754 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001755 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001756 white space or control characters are found, indicating the end of what
1757 might be a URL parameter list. This is probably not a concern with SGML
1758 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001759
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001760 See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
1761 "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001762
1763
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001764bind [<address>]:<port_range> [, ...] [param*]
1765bind /<path> [, ...] [param*]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001766 Define one or several listening addresses and/or ports in a frontend.
1767 May be used in sections : defaults | frontend | listen | backend
1768 no | yes | yes | no
1769 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001770 <address> is optional and can be a host name, an IPv4 address, an IPv6
1771 address, or '*'. It designates the address the frontend will
1772 listen on. If unset, all IPv4 addresses of the system will be
1773 listened on. The same will apply for '*' or the system's
David du Colombier9c938da2011-03-17 10:40:27 +01001774 special address "0.0.0.0". The IPv6 equivalent is '::'.
Willy Tarreau24709282013-03-10 21:32:12 +01001775 Optionally, an address family prefix may be used before the
1776 address to force the family regardless of the address format,
1777 which can be useful to specify a path to a unix socket with
1778 no slash ('/'). Currently supported prefixes are :
1779 - 'ipv4@' -> address is always IPv4
1780 - 'ipv6@' -> address is always IPv6
1781 - 'unix@' -> address is a path to a local unix socket
Willy Tarreauccfccef2014-05-10 01:49:15 +02001782 - 'abns@' -> address is in abstract namespace (Linux only)
Willy Tarreau40aa0702013-03-10 23:51:38 +01001783 - 'fd@<n>' -> use file descriptor <n> inherited from the
1784 parent. The fd must be bound and may or may not already
1785 be listening.
Willy Tarreaudad36a32013-03-11 01:20:04 +01001786 Any part of the address string may reference any number of
1787 environment variables by preceding their name with a dollar
1788 sign ('$') and optionally enclosing them with braces ('{}'),
1789 similarly to what is done in Bourne shell.
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001790
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001791 <port_range> is either a unique TCP port, or a port range for which the
1792 proxy will accept connections for the IP address specified
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001793 above. The port is mandatory for TCP listeners. Note that in
1794 the case of an IPv6 address, the port is always the number
1795 after the last colon (':'). A range can either be :
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001796 - a numerical port (ex: '80')
1797 - a dash-delimited ports range explicitly stating the lower
1798 and upper bounds (ex: '2000-2100') which are included in
1799 the range.
1800
1801 Particular care must be taken against port ranges, because
1802 every <address:port> couple consumes one socket (= a file
1803 descriptor), so it's easy to consume lots of descriptors
1804 with a simple range, and to run out of sockets. Also, each
1805 <address:port> couple must be used only once among all
1806 instances running on a same system. Please note that binding
1807 to ports lower than 1024 generally require particular
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001808 privileges to start the program, which are independent of
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001809 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001810
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001811 <path> is a UNIX socket path beginning with a slash ('/'). This is
1812 alternative to the TCP listening port. Haproxy will then
1813 receive UNIX connections on the socket located at this place.
1814 The path must begin with a slash and by default is absolute.
1815 It can be relative to the prefix defined by "unix-bind" in
1816 the global section. Note that the total length of the prefix
1817 followed by the socket path cannot exceed some system limits
1818 for UNIX sockets, which commonly are set to 107 characters.
1819
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001820 <param*> is a list of parameters common to all sockets declared on the
1821 same line. These numerous parameters depend on OS and build
1822 options and have a complete section dedicated to them. Please
1823 refer to section 5 to for more details.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001824
Willy Tarreau0ba27502007-12-24 16:55:16 +01001825 It is possible to specify a list of address:port combinations delimited by
1826 commas. The frontend will then listen on all of these addresses. There is no
1827 fixed limit to the number of addresses and ports which can be listened on in
1828 a frontend, as well as there is no limit to the number of "bind" statements
1829 in a frontend.
1830
1831 Example :
1832 listen http_proxy
1833 bind :80,:443
1834 bind 10.0.0.1:10080,10.0.0.1:10443
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001835 bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
Willy Tarreau0ba27502007-12-24 16:55:16 +01001836
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001837 listen http_https_proxy
1838 bind :80
Cyril Bonté0d44fc62012-10-09 22:45:33 +02001839 bind :443 ssl crt /etc/haproxy/site.pem
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001840
Willy Tarreau24709282013-03-10 21:32:12 +01001841 listen http_https_proxy_explicit
1842 bind ipv6@:80
1843 bind ipv4@public_ssl:443 ssl crt /etc/haproxy/site.pem
1844 bind unix@ssl-frontend.sock user root mode 600 accept-proxy
1845
Willy Tarreaudad36a32013-03-11 01:20:04 +01001846 listen external_bind_app1
1847 bind fd@${FD_APP1}
1848
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001849 See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001850 documentation, and section 5 about bind options.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001851
1852
Willy Tarreaua9db57e2013-01-18 11:29:29 +01001853bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ...
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001854 Limit visibility of an instance to a certain set of processes numbers.
1855 May be used in sections : defaults | frontend | listen | backend
1856 yes | yes | yes | yes
1857 Arguments :
1858 all All process will see this instance. This is the default. It
1859 may be used to override a default value.
1860
Willy Tarreaua9db57e2013-01-18 11:29:29 +01001861 odd This instance will be enabled on processes 1,3,5,...63. This
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001862 option may be combined with other numbers.
1863
Willy Tarreaua9db57e2013-01-18 11:29:29 +01001864 even This instance will be enabled on processes 2,4,6,...64. This
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001865 option may be combined with other numbers. Do not use it
1866 with less than 2 processes otherwise some instances might be
1867 missing from all processes.
1868
Willy Tarreau110ecc12012-11-15 17:50:01 +01001869 number The instance will be enabled on this process number or range,
Willy Tarreaua9db57e2013-01-18 11:29:29 +01001870 whose values must all be between 1 and 32 or 64 depending on
Willy Tarreau102df612014-05-07 23:56:38 +02001871 the machine's word size. If a proxy is bound to process
1872 numbers greater than the configured global.nbproc, it will
1873 either be forced to process #1 if a single process was
1874 specified, or to all processes otherwise.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001875
1876 This keyword limits binding of certain instances to certain processes. This
1877 is useful in order not to have too many processes listening to the same
1878 ports. For instance, on a dual-core machine, it might make sense to set
1879 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1880 and 'even' instances.
1881
Willy Tarreaua9db57e2013-01-18 11:29:29 +01001882 At the moment, it is not possible to reference more than 32 or 64 processes
1883 using this keyword, but this should be more than enough for most setups.
1884 Please note that 'all' really means all processes regardless of the machine's
1885 word size, and is not limited to the first 32 or 64.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001886
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02001887 Each "bind" line may further be limited to a subset of the proxy's processes,
1888 please consult the "process" bind keyword in section 5.1.
1889
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001890 If some backends are referenced by frontends bound to other processes, the
1891 backend automatically inherits the frontend's processes.
1892
1893 Example :
1894 listen app_ip1
1895 bind 10.0.0.1:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001896 bind-process odd
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001897
1898 listen app_ip2
1899 bind 10.0.0.2:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001900 bind-process even
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001901
1902 listen management
1903 bind 10.0.0.3:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001904 bind-process 1 2 3 4
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001905
Willy Tarreau110ecc12012-11-15 17:50:01 +01001906 listen management
1907 bind 10.0.0.4:80
1908 bind-process 1-4
1909
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02001910 See also : "nbproc" in global section, and "process" in section 5.1.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001911
1912
Willy Tarreau0ba27502007-12-24 16:55:16 +01001913block { if | unless } <condition>
1914 Block a layer 7 request if/unless a condition is matched
1915 May be used in sections : defaults | frontend | listen | backend
1916 no | yes | yes | yes
1917
1918 The HTTP request will be blocked very early in the layer 7 processing
1919 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001920 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02001921 typically used to deny access to certain sensitive resources if some
Willy Tarreau0ba27502007-12-24 16:55:16 +01001922 conditions are met or not met. There is no fixed limit to the number of
1923 "block" statements per instance.
1924
1925 Example:
1926 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1927 acl invalid_src src_port 0:1023
1928 acl local_dst hdr(host) -i localhost
1929 block if invalid_src || local_dst
1930
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001931 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001932
1933
1934capture cookie <name> len <length>
1935 Capture and log a cookie in the request and in the response.
1936 May be used in sections : defaults | frontend | listen | backend
1937 no | yes | yes | no
1938 Arguments :
1939 <name> is the beginning of the name of the cookie to capture. In order
1940 to match the exact name, simply suffix the name with an equal
1941 sign ('='). The full name will appear in the logs, which is
1942 useful with application servers which adjust both the cookie name
1943 and value (eg: ASPSESSIONXXXXX).
1944
1945 <length> is the maximum number of characters to report in the logs, which
1946 include the cookie name, the equal sign and the value, all in the
1947 standard "name=value" form. The string will be truncated on the
1948 right if it exceeds <length>.
1949
1950 Only the first cookie is captured. Both the "cookie" request headers and the
1951 "set-cookie" response headers are monitored. This is particularly useful to
1952 check for application bugs causing session crossing or stealing between
1953 users, because generally the user's cookies can only change on a login page.
1954
1955 When the cookie was not presented by the client, the associated log column
1956 will report "-". When a request does not cause a cookie to be assigned by the
1957 server, a "-" is reported in the response column.
1958
1959 The capture is performed in the frontend only because it is necessary that
1960 the log format does not change for a given frontend depending on the
1961 backends. This may change in the future. Note that there can be only one
Willy Tarreau193b8c62012-11-22 00:17:38 +01001962 "capture cookie" statement in a frontend. The maximum capture length is set
1963 by the global "tune.http.cookielen" setting and defaults to 63 characters. It
1964 is not possible to specify a capture in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001965
1966 Example:
1967 capture cookie ASPSESSION len 32
1968
1969 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001970 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001971
1972
1973capture request header <name> len <length>
Willy Tarreau4460d032012-11-21 23:37:37 +01001974 Capture and log the last occurrence of the specified request header.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001975 May be used in sections : defaults | frontend | listen | backend
1976 no | yes | yes | no
1977 Arguments :
1978 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001979 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001980 appear in the requests, with the first letter of each word in
1981 upper case. The header name will not appear in the logs, only the
1982 value is reported, but the position in the logs is respected.
1983
1984 <length> is the maximum number of characters to extract from the value and
1985 report in the logs. The string will be truncated on the right if
1986 it exceeds <length>.
1987
Willy Tarreau4460d032012-11-21 23:37:37 +01001988 The complete value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001989 value will be added to the logs between braces ('{}'). If multiple headers
1990 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001991 in the same order they were declared in the configuration. Non-existent
1992 headers will be logged just as an empty string. Common uses for request
1993 header captures include the "Host" field in virtual hosting environments, the
1994 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001995 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001996 environments to find where the request came from.
1997
1998 Note that when capturing headers such as "User-agent", some spaces may be
1999 logged, making the log analysis more difficult. Thus be careful about what
2000 you log if you know your log parser is not smart enough to rely on the
2001 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002002
Willy Tarreau0900abb2012-11-22 00:21:46 +01002003 There is no limit to the number of captured request headers nor to their
2004 length, though it is wise to keep them low to limit memory usage per session.
2005 In order to keep log format consistent for a same frontend, header captures
2006 can only be declared in a frontend. It is not possible to specify a capture
2007 in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002008
2009 Example:
2010 capture request header Host len 15
2011 capture request header X-Forwarded-For len 15
2012 capture request header Referrer len 15
2013
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002014 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01002015 about logging.
2016
2017
2018capture response header <name> len <length>
Willy Tarreau4460d032012-11-21 23:37:37 +01002019 Capture and log the last occurrence of the specified response header.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002020 May be used in sections : defaults | frontend | listen | backend
2021 no | yes | yes | no
2022 Arguments :
2023 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002024 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01002025 appear in the response, with the first letter of each word in
2026 upper case. The header name will not appear in the logs, only the
2027 value is reported, but the position in the logs is respected.
2028
2029 <length> is the maximum number of characters to extract from the value and
2030 report in the logs. The string will be truncated on the right if
2031 it exceeds <length>.
2032
Willy Tarreau4460d032012-11-21 23:37:37 +01002033 The complete value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01002034 result will be added to the logs between braces ('{}') after the captured
2035 request headers. If multiple headers are captured, they will be delimited by
2036 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01002037 the configuration. Non-existent headers will be logged just as an empty
2038 string. Common uses for response header captures include the "Content-length"
2039 header which indicates how many bytes are expected to be returned, the
2040 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002041
Willy Tarreau0900abb2012-11-22 00:21:46 +01002042 There is no limit to the number of captured response headers nor to their
2043 length, though it is wise to keep them low to limit memory usage per session.
2044 In order to keep log format consistent for a same frontend, header captures
2045 can only be declared in a frontend. It is not possible to specify a capture
2046 in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002047
2048 Example:
2049 capture response header Content-length len 9
2050 capture response header Location len 15
2051
Willy Tarreauc57f0e22009-05-10 13:12:33 +02002052 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01002053 about logging.
2054
2055
Cyril Bontéf0c60612010-02-06 14:44:47 +01002056clitimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01002057 Set the maximum inactivity time on the client side.
2058 May be used in sections : defaults | frontend | listen | backend
2059 yes | yes | yes | no
2060 Arguments :
2061 <timeout> is the timeout value is specified in milliseconds by default, but
2062 can be in any other unit if the number is suffixed by the unit,
2063 as explained at the top of this document.
2064
2065 The inactivity timeout applies when the client is expected to acknowledge or
2066 send data. In HTTP mode, this timeout is particularly important to consider
2067 during the first phase, when the client sends the request, and during the
2068 response while it is reading data sent by the server. The value is specified
2069 in milliseconds by default, but can be in any other unit if the number is
2070 suffixed by the unit, as specified at the top of this document. In TCP mode
2071 (and to a lesser extent, in HTTP mode), it is highly recommended that the
2072 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002073 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01002074 losses by specifying timeouts that are slightly above multiples of 3 seconds
2075 (eg: 4 or 5 seconds).
2076
2077 This parameter is specific to frontends, but can be specified once for all in
2078 "defaults" sections. This is in fact one of the easiest solutions not to
2079 forget about it. An unspecified timeout results in an infinite timeout, which
2080 is not recommended. Such a usage is accepted and works but reports a warning
2081 during startup because it may results in accumulation of expired sessions in
2082 the system if the system's timeouts are not configured either.
2083
2084 This parameter is provided for compatibility but is currently deprecated.
2085 Please use "timeout client" instead.
2086
Willy Tarreau036fae02008-01-06 13:24:40 +01002087 See also : "timeout client", "timeout http-request", "timeout server", and
2088 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002089
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002090compression algo <algorithm> ...
2091compression type <mime type> ...
Willy Tarreau70737d12012-10-27 00:34:28 +02002092compression offload
William Lallemand82fe75c2012-10-23 10:25:10 +02002093 Enable HTTP compression.
2094 May be used in sections : defaults | frontend | listen | backend
2095 yes | yes | yes | yes
2096 Arguments :
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002097 algo is followed by the list of supported compression algorithms.
2098 type is followed by the list of MIME types that will be compressed.
2099 offload makes haproxy work as a compression offloader only (see notes).
2100
2101 The currently supported algorithms are :
Dmitry Sivachenko87c208b2012-11-22 20:03:26 +04002102 identity this is mostly for debugging, and it was useful for developing
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002103 the compression feature. Identity does not apply any change on
2104 data.
2105
2106 gzip applies gzip compression. This setting is only available when
2107 support for zlib was built in.
2108
2109 deflate same as gzip, but with deflate algorithm and zlib format.
2110 Note that this algorithm has ambiguous support on many browsers
2111 and no support at all from recent ones. It is strongly
2112 recommended not to use it for anything else than experimentation.
2113 This setting is only available when support for zlib was built
2114 in.
2115
Dmitry Sivachenko87c208b2012-11-22 20:03:26 +04002116 Compression will be activated depending on the Accept-Encoding request
Cyril Bonté316a8cf2012-11-11 13:38:27 +01002117 header. With identity, it does not take care of that header.
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04002118 If backend servers support HTTP compression, these directives
2119 will be no-op: haproxy will see the compressed response and will not
2120 compress again. If backend servers do not support HTTP compression and
2121 there is Accept-Encoding header in request, haproxy will compress the
2122 matching response.
Willy Tarreau70737d12012-10-27 00:34:28 +02002123
2124 The "offload" setting makes haproxy remove the Accept-Encoding header to
2125 prevent backend servers from compressing responses. It is strongly
2126 recommended not to do this because this means that all the compression work
2127 will be done on the single point where haproxy is located. However in some
2128 deployment scenarios, haproxy may be installed in front of a buggy gateway
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04002129 with broken HTTP compression implementation which can't be turned off.
2130 In that case haproxy can be used to prevent that gateway from emitting
2131 invalid payloads. In this case, simply removing the header in the
2132 configuration does not work because it applies before the header is parsed,
2133 so that prevents haproxy from compressing. The "offload" setting should
2134 then be used for such scenarios.
William Lallemand82fe75c2012-10-23 10:25:10 +02002135
William Lallemand05097442012-11-20 12:14:28 +01002136 Compression is disabled when:
Baptiste Assmann650d53d2013-01-05 15:44:44 +01002137 * the request does not advertise a supported compression algorithm in the
2138 "Accept-Encoding" header
2139 * the response message is not HTTP/1.1
William Lallemandd3002612012-11-26 14:34:47 +01002140 * HTTP status code is not 200
William Lallemand8bb4e342013-12-10 17:28:48 +01002141 * response header "Transfer-Encoding" contains "chunked" (Temporary
2142 Workaround)
Baptiste Assmann650d53d2013-01-05 15:44:44 +01002143 * response contain neither a "Content-Length" header nor a
2144 "Transfer-Encoding" whose last value is "chunked"
2145 * response contains a "Content-Type" header whose first value starts with
2146 "multipart"
2147 * the response contains the "no-transform" value in the "Cache-control"
2148 header
2149 * User-Agent matches "Mozilla/4" unless it is MSIE 6 with XP SP2, or MSIE 7
2150 and later
2151 * The response contains a "Content-Encoding" header, indicating that the
2152 response is already compressed (see compression offload)
William Lallemand05097442012-11-20 12:14:28 +01002153
Baptiste Assmann650d53d2013-01-05 15:44:44 +01002154 Note: The compression does not rewrite Etag headers, and does not emit the
2155 Warning header.
William Lallemand05097442012-11-20 12:14:28 +01002156
William Lallemand82fe75c2012-10-23 10:25:10 +02002157 Examples :
2158 compression algo gzip
2159 compression type text/html text/plain
Willy Tarreau0ba27502007-12-24 16:55:16 +01002160
Cyril Bontéf0c60612010-02-06 14:44:47 +01002161contimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01002162 Set the maximum time to wait for a connection attempt to a server to succeed.
2163 May be used in sections : defaults | frontend | listen | backend
2164 yes | no | yes | yes
2165 Arguments :
2166 <timeout> is the timeout value is specified in milliseconds by default, but
2167 can be in any other unit if the number is suffixed by the unit,
2168 as explained at the top of this document.
2169
2170 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002171 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01002172 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01002173 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
2174 connect timeout also presets the queue timeout to the same value if this one
2175 has not been specified. Historically, the contimeout was also used to set the
2176 tarpit timeout in a listen section, which is not possible in a pure frontend.
2177
2178 This parameter is specific to backends, but can be specified once for all in
2179 "defaults" sections. This is in fact one of the easiest solutions not to
2180 forget about it. An unspecified timeout results in an infinite timeout, which
2181 is not recommended. Such a usage is accepted and works but reports a warning
2182 during startup because it may results in accumulation of failed sessions in
2183 the system if the system's timeouts are not configured either.
2184
2185 This parameter is provided for backwards compatibility but is currently
2186 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
2187 instead.
2188
2189 See also : "timeout connect", "timeout queue", "timeout tarpit",
2190 "timeout server", "contimeout".
2191
2192
Willy Tarreau55165fe2009-05-10 12:02:55 +02002193cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreau4992dd22012-05-31 21:02:17 +02002194 [ postonly ] [ preserve ] [ httponly ] [ secure ]
2195 [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
Willy Tarreau0ba27502007-12-24 16:55:16 +01002196 Enable cookie-based persistence in a backend.
2197 May be used in sections : defaults | frontend | listen | backend
2198 yes | no | yes | yes
2199 Arguments :
2200 <name> is the name of the cookie which will be monitored, modified or
2201 inserted in order to bring persistence. This cookie is sent to
2202 the client via a "Set-Cookie" header in the response, and is
2203 brought back by the client in a "Cookie" header in all requests.
2204 Special care should be taken to choose a name which does not
2205 conflict with any likely application cookie. Also, if the same
2206 backends are subject to be used by the same clients (eg:
2207 HTTP/HTTPS), care should be taken to use different cookie names
2208 between all backends if persistence between them is not desired.
2209
2210 rewrite This keyword indicates that the cookie will be provided by the
2211 server and that haproxy will have to modify its value to set the
2212 server's identifier in it. This mode is handy when the management
2213 of complex combinations of "Set-cookie" and "Cache-control"
2214 headers is left to the application. The application can then
2215 decide whether or not it is appropriate to emit a persistence
2216 cookie. Since all responses should be monitored, this mode only
2217 works in HTTP close mode. Unless the application behaviour is
2218 very complex and/or broken, it is advised not to start with this
2219 mode for new deployments. This keyword is incompatible with
2220 "insert" and "prefix".
2221
2222 insert This keyword indicates that the persistence cookie will have to
Willy Tarreaua79094d2010-08-31 22:54:15 +02002223 be inserted by haproxy in server responses if the client did not
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002224
Willy Tarreaua79094d2010-08-31 22:54:15 +02002225 already have a cookie that would have permitted it to access this
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002226 server. When used without the "preserve" option, if the server
2227 emits a cookie with the same name, it will be remove before
2228 processing. For this reason, this mode can be used to upgrade
2229 existing configurations running in the "rewrite" mode. The cookie
2230 will only be a session cookie and will not be stored on the
2231 client's disk. By default, unless the "indirect" option is added,
2232 the server will see the cookies emitted by the client. Due to
2233 caching effects, it is generally wise to add the "nocache" or
2234 "postonly" keywords (see below). The "insert" keyword is not
2235 compatible with "rewrite" and "prefix".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002236
2237 prefix This keyword indicates that instead of relying on a dedicated
2238 cookie for the persistence, an existing one will be completed.
2239 This may be needed in some specific environments where the client
2240 does not support more than one single cookie and the application
2241 already needs it. In this case, whenever the server sets a cookie
2242 named <name>, it will be prefixed with the server's identifier
2243 and a delimiter. The prefix will be removed from all client
2244 requests so that the server still finds the cookie it emitted.
2245 Since all requests and responses are subject to being modified,
2246 this mode requires the HTTP close mode. The "prefix" keyword is
Willy Tarreau37229df2011-10-17 12:24:55 +02002247 not compatible with "rewrite" and "insert". Note: it is highly
2248 recommended not to use "indirect" with "prefix", otherwise server
2249 cookie updates would not be sent to clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002250
Willy Tarreaua79094d2010-08-31 22:54:15 +02002251 indirect When this option is specified, no cookie will be emitted to a
2252 client which already has a valid one for the server which has
2253 processed the request. If the server sets such a cookie itself,
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002254 it will be removed, unless the "preserve" option is also set. In
2255 "insert" mode, this will additionally remove cookies from the
2256 requests transmitted to the server, making the persistence
2257 mechanism totally transparent from an application point of view.
Willy Tarreau37229df2011-10-17 12:24:55 +02002258 Note: it is highly recommended not to use "indirect" with
2259 "prefix", otherwise server cookie updates would not be sent to
2260 clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002261
2262 nocache This option is recommended in conjunction with the insert mode
2263 when there is a cache between the client and HAProxy, as it
2264 ensures that a cacheable response will be tagged non-cacheable if
2265 a cookie needs to be inserted. This is important because if all
2266 persistence cookies are added on a cacheable home page for
2267 instance, then all customers will then fetch the page from an
2268 outer cache and will all share the same persistence cookie,
2269 leading to one server receiving much more traffic than others.
2270 See also the "insert" and "postonly" options.
2271
2272 postonly This option ensures that cookie insertion will only be performed
2273 on responses to POST requests. It is an alternative to the
2274 "nocache" option, because POST responses are not cacheable, so
2275 this ensures that the persistence cookie will never get cached.
2276 Since most sites do not need any sort of persistence before the
2277 first POST which generally is a login request, this is a very
2278 efficient method to optimize caching without risking to find a
2279 persistence cookie in the cache.
2280 See also the "insert" and "nocache" options.
2281
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002282 preserve This option may only be used with "insert" and/or "indirect". It
2283 allows the server to emit the persistence cookie itself. In this
2284 case, if a cookie is found in the response, haproxy will leave it
2285 untouched. This is useful in order to end persistence after a
2286 logout request for instance. For this, the server just has to
2287 emit a cookie with an invalid value (eg: empty) or with a date in
2288 the past. By combining this mechanism with the "disable-on-404"
2289 check option, it is possible to perform a completely graceful
2290 shutdown because users will definitely leave the server after
2291 they logout.
2292
Willy Tarreau4992dd22012-05-31 21:02:17 +02002293 httponly This option tells haproxy to add an "HttpOnly" cookie attribute
2294 when a cookie is inserted. This attribute is used so that a
2295 user agent doesn't share the cookie with non-HTTP components.
2296 Please check RFC6265 for more information on this attribute.
2297
2298 secure This option tells haproxy to add a "Secure" cookie attribute when
2299 a cookie is inserted. This attribute is used so that a user agent
2300 never emits this cookie over non-secure channels, which means
2301 that a cookie learned with this flag will be presented only over
2302 SSL/TLS connections. Please check RFC6265 for more information on
2303 this attribute.
2304
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02002305 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002306 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01002307 name. If the domain begins with a dot, the browser is allowed to
2308 use it for any host ending with that name. It is also possible to
2309 specify several domain names by invoking this option multiple
2310 times. Some browsers might have small limits on the number of
2311 domains, so be careful when doing that. For the record, sending
2312 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02002313
Willy Tarreau996a92c2010-10-13 19:30:47 +02002314 maxidle This option allows inserted cookies to be ignored after some idle
2315 time. It only works with insert-mode cookies. When a cookie is
2316 sent to the client, the date this cookie was emitted is sent too.
2317 Upon further presentations of this cookie, if the date is older
2318 than the delay indicated by the parameter (in seconds), it will
2319 be ignored. Otherwise, it will be refreshed if needed when the
2320 response is sent to the client. This is particularly useful to
2321 prevent users who never close their browsers from remaining for
2322 too long on the same server (eg: after a farm size change). When
2323 this option is set and a cookie has no date, it is always
2324 accepted, but gets refreshed in the response. This maintains the
2325 ability for admins to access their sites. Cookies that have a
2326 date in the future further than 24 hours are ignored. Doing so
2327 lets admins fix timezone issues without risking kicking users off
2328 the site.
2329
2330 maxlife This option allows inserted cookies to be ignored after some life
2331 time, whether they're in use or not. It only works with insert
2332 mode cookies. When a cookie is first sent to the client, the date
2333 this cookie was emitted is sent too. Upon further presentations
2334 of this cookie, if the date is older than the delay indicated by
2335 the parameter (in seconds), it will be ignored. If the cookie in
2336 the request has no date, it is accepted and a date will be set.
2337 Cookies that have a date in the future further than 24 hours are
2338 ignored. Doing so lets admins fix timezone issues without risking
2339 kicking users off the site. Contrary to maxidle, this value is
2340 not refreshed, only the first visit date counts. Both maxidle and
2341 maxlife may be used at the time. This is particularly useful to
2342 prevent users who never close their browsers from remaining for
2343 too long on the same server (eg: after a farm size change). This
2344 is stronger than the maxidle method in that it forces a
2345 redispatch after some absolute delay.
2346
Willy Tarreau0ba27502007-12-24 16:55:16 +01002347 There can be only one persistence cookie per HTTP backend, and it can be
2348 declared in a defaults section. The value of the cookie will be the value
2349 indicated after the "cookie" keyword in a "server" statement. If no cookie
2350 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002351
Willy Tarreau0ba27502007-12-24 16:55:16 +01002352 Examples :
2353 cookie JSESSIONID prefix
2354 cookie SRV insert indirect nocache
2355 cookie SRV insert postonly indirect
Willy Tarreau996a92c2010-10-13 19:30:47 +02002356 cookie SRV insert indirect nocache maxidle 30m maxlife 8h
Willy Tarreau0ba27502007-12-24 16:55:16 +01002357
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002358 See also : "appsession", "balance source", "capture cookie", "server"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002359 and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002360
Willy Tarreau983e01e2010-01-11 18:42:06 +01002361
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002362default-server [param*]
2363 Change default options for a server in a backend
2364 May be used in sections : defaults | frontend | listen | backend
2365 yes | no | yes | yes
2366 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01002367 <param*> is a list of parameters for this server. The "default-server"
2368 keyword accepts an important number of options and has a complete
2369 section dedicated to it. Please refer to section 5 for more
2370 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002371
Willy Tarreau983e01e2010-01-11 18:42:06 +01002372 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002373 default-server inter 1000 weight 13
2374
2375 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01002376
Willy Tarreau983e01e2010-01-11 18:42:06 +01002377
Willy Tarreau0ba27502007-12-24 16:55:16 +01002378default_backend <backend>
2379 Specify the backend to use when no "use_backend" rule has been matched.
2380 May be used in sections : defaults | frontend | listen | backend
2381 yes | yes | yes | no
2382 Arguments :
2383 <backend> is the name of the backend to use.
2384
2385 When doing content-switching between frontend and backends using the
2386 "use_backend" keyword, it is often useful to indicate which backend will be
2387 used when no rule has matched. It generally is the dynamic backend which
2388 will catch all undetermined requests.
2389
Willy Tarreau0ba27502007-12-24 16:55:16 +01002390 Example :
2391
2392 use_backend dynamic if url_dyn
2393 use_backend static if url_css url_img extension_img
2394 default_backend dynamic
2395
Willy Tarreau2769aa02007-12-27 18:26:09 +01002396 See also : "use_backend", "reqsetbe", "reqisetbe"
2397
Willy Tarreau0ba27502007-12-24 16:55:16 +01002398
Baptiste Assmann27f51342013-10-09 06:51:49 +02002399description <string>
2400 Describe a listen, frontend or backend.
2401 May be used in sections : defaults | frontend | listen | backend
2402 no | yes | yes | yes
2403 Arguments : string
2404
2405 Allows to add a sentence to describe the related object in the HAProxy HTML
2406 stats page. The description will be printed on the right of the object name
2407 it describes.
2408 No need to backslash spaces in the <string> arguments.
2409
2410
Willy Tarreau0ba27502007-12-24 16:55:16 +01002411disabled
2412 Disable a proxy, frontend or backend.
2413 May be used in sections : defaults | frontend | listen | backend
2414 yes | yes | yes | yes
2415 Arguments : none
2416
2417 The "disabled" keyword is used to disable an instance, mainly in order to
2418 liberate a listening port or to temporarily disable a service. The instance
2419 will still be created and its configuration will be checked, but it will be
2420 created in the "stopped" state and will appear as such in the statistics. It
2421 will not receive any traffic nor will it send any health-checks or logs. It
2422 is possible to disable many instances at once by adding the "disabled"
2423 keyword in a "defaults" section.
2424
2425 See also : "enabled"
2426
2427
Willy Tarreau5ce94572010-06-07 14:35:41 +02002428dispatch <address>:<port>
2429 Set a default server address
2430 May be used in sections : defaults | frontend | listen | backend
2431 no | no | yes | yes
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002432 Arguments :
Willy Tarreau5ce94572010-06-07 14:35:41 +02002433
2434 <address> is the IPv4 address of the default server. Alternatively, a
2435 resolvable hostname is supported, but this name will be resolved
2436 during start-up.
2437
2438 <ports> is a mandatory port specification. All connections will be sent
2439 to this port, and it is not permitted to use port offsets as is
2440 possible with normal servers.
2441
Willy Tarreau787aed52011-04-15 06:45:37 +02002442 The "dispatch" keyword designates a default server for use when no other
Willy Tarreau5ce94572010-06-07 14:35:41 +02002443 server can take the connection. In the past it was used to forward non
2444 persistent connections to an auxiliary load balancer. Due to its simple
2445 syntax, it has also been used for simple TCP relays. It is recommended not to
2446 use it for more clarity, and to use the "server" directive instead.
2447
2448 See also : "server"
2449
2450
Willy Tarreau0ba27502007-12-24 16:55:16 +01002451enabled
2452 Enable a proxy, frontend or backend.
2453 May be used in sections : defaults | frontend | listen | backend
2454 yes | yes | yes | yes
2455 Arguments : none
2456
2457 The "enabled" keyword is used to explicitly enable an instance, when the
2458 defaults has been set to "disabled". This is very rarely used.
2459
2460 See also : "disabled"
2461
2462
2463errorfile <code> <file>
2464 Return a file contents instead of errors generated by HAProxy
2465 May be used in sections : defaults | frontend | listen | backend
2466 yes | yes | yes | yes
2467 Arguments :
2468 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002469 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002470
2471 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002472 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01002473 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01002474 error pages, and to use absolute paths, since files are read
2475 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002476
2477 It is important to understand that this keyword is not meant to rewrite
2478 errors returned by the server, but errors detected and returned by HAProxy.
2479 This is why the list of supported errors is limited to a small set.
2480
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002481 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2482
Willy Tarreau0ba27502007-12-24 16:55:16 +01002483 The files are returned verbatim on the TCP socket. This allows any trick such
2484 as redirections to another URL or site, as well as tricks to clean cookies,
2485 force enable or disable caching, etc... The package provides default error
2486 files returning the same contents as default errors.
2487
Willy Tarreau59140a22009-02-22 12:02:30 +01002488 The files should not exceed the configured buffer size (BUFSIZE), which
2489 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
2490 not to put any reference to local contents (eg: images) in order to avoid
2491 loops between the client and HAProxy when all servers are down, causing an
2492 error to be returned instead of an image. For better HTTP compliance, it is
2493 recommended that all header lines end with CR-LF and not LF alone.
2494
Willy Tarreau0ba27502007-12-24 16:55:16 +01002495 The files are read at the same time as the configuration and kept in memory.
2496 For this reason, the errors continue to be returned even when the process is
2497 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01002498 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01002499 403 status code and interrogating a blocked URL.
2500
2501 See also : "errorloc", "errorloc302", "errorloc303"
2502
Willy Tarreau59140a22009-02-22 12:02:30 +01002503 Example :
2504 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
Willy Tarreau2705a612014-05-23 17:38:34 +02002505 errorfile 408 /dev/null # workaround Chrome pre-connect bug
Willy Tarreau59140a22009-02-22 12:02:30 +01002506 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
2507 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
2508
Willy Tarreau2769aa02007-12-27 18:26:09 +01002509
2510errorloc <code> <url>
2511errorloc302 <code> <url>
2512 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2513 May be used in sections : defaults | frontend | listen | backend
2514 yes | yes | yes | yes
2515 Arguments :
2516 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002517 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002518
2519 <url> it is the exact contents of the "Location" header. It may contain
2520 either a relative URI to an error page hosted on the same site,
2521 or an absolute URI designating an error page on another site.
2522 Special care should be given to relative URIs to avoid redirect
2523 loops if the URI itself may generate the same error (eg: 500).
2524
2525 It is important to understand that this keyword is not meant to rewrite
2526 errors returned by the server, but errors detected and returned by HAProxy.
2527 This is why the list of supported errors is limited to a small set.
2528
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002529 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2530
Willy Tarreau2769aa02007-12-27 18:26:09 +01002531 Note that both keyword return the HTTP 302 status code, which tells the
2532 client to fetch the designated URL using the same HTTP method. This can be
2533 quite problematic in case of non-GET methods such as POST, because the URL
2534 sent to the client might not be allowed for something other than GET. To
2535 workaround this problem, please use "errorloc303" which send the HTTP 303
2536 status code, indicating to the client that the URL must be fetched with a GET
2537 request.
2538
2539 See also : "errorfile", "errorloc303"
2540
2541
2542errorloc303 <code> <url>
2543 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2544 May be used in sections : defaults | frontend | listen | backend
2545 yes | yes | yes | yes
2546 Arguments :
2547 <code> is the HTTP status code. Currently, HAProxy is capable of
2548 generating codes 400, 403, 408, 500, 502, 503, and 504.
2549
2550 <url> it is the exact contents of the "Location" header. It may contain
2551 either a relative URI to an error page hosted on the same site,
2552 or an absolute URI designating an error page on another site.
2553 Special care should be given to relative URIs to avoid redirect
2554 loops if the URI itself may generate the same error (eg: 500).
2555
2556 It is important to understand that this keyword is not meant to rewrite
2557 errors returned by the server, but errors detected and returned by HAProxy.
2558 This is why the list of supported errors is limited to a small set.
2559
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002560 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2561
Willy Tarreau2769aa02007-12-27 18:26:09 +01002562 Note that both keyword return the HTTP 303 status code, which tells the
2563 client to fetch the designated URL using the same HTTP GET method. This
2564 solves the usual problems associated with "errorloc" and the 302 code. It is
2565 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002566 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002567
2568 See also : "errorfile", "errorloc", "errorloc302"
2569
2570
Willy Tarreau4de91492010-01-22 19:10:05 +01002571force-persist { if | unless } <condition>
2572 Declare a condition to force persistence on down servers
2573 May be used in sections: defaults | frontend | listen | backend
2574 no | yes | yes | yes
2575
2576 By default, requests are not dispatched to down servers. It is possible to
2577 force this using "option persist", but it is unconditional and redispatches
2578 to a valid server if "option redispatch" is set. That leaves with very little
2579 possibilities to force some requests to reach a server which is artificially
2580 marked down for maintenance operations.
2581
2582 The "force-persist" statement allows one to declare various ACL-based
2583 conditions which, when met, will cause a request to ignore the down status of
2584 a server and still try to connect to it. That makes it possible to start a
2585 server, still replying an error to the health checks, and run a specially
2586 configured browser to test the service. Among the handy methods, one could
2587 use a specific source IP address, or a specific cookie. The cookie also has
2588 the advantage that it can easily be added/removed on the browser from a test
2589 page. Once the service is validated, it is then possible to open the service
2590 to the world by returning a valid response to health checks.
2591
2592 The forced persistence is enabled when an "if" condition is met, or unless an
2593 "unless" condition is met. The final redispatch is always disabled when this
2594 is used.
2595
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002596 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002597 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01002598
2599
Willy Tarreau2769aa02007-12-27 18:26:09 +01002600fullconn <conns>
2601 Specify at what backend load the servers will reach their maxconn
2602 May be used in sections : defaults | frontend | listen | backend
2603 yes | no | yes | yes
2604 Arguments :
2605 <conns> is the number of connections on the backend which will make the
2606 servers use the maximal number of connections.
2607
Willy Tarreau198a7442008-01-17 12:05:32 +01002608 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01002609 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01002610 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01002611 load. The server will then always accept at least <minconn> connections,
2612 never more than <maxconn>, and the limit will be on the ramp between both
2613 values when the backend has less than <conns> concurrent connections. This
2614 makes it possible to limit the load on the servers during normal loads, but
2615 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002616 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002617
Willy Tarreaufbb78422011-06-05 15:38:35 +02002618 Since it's hard to get this value right, haproxy automatically sets it to
2619 10% of the sum of the maxconns of all frontends that may branch to this
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01002620 backend (based on "use_backend" and "default_backend" rules). That way it's
2621 safe to leave it unset. However, "use_backend" involving dynamic names are
2622 not counted since there is no way to know if they could match or not.
Willy Tarreaufbb78422011-06-05 15:38:35 +02002623
Willy Tarreau2769aa02007-12-27 18:26:09 +01002624 Example :
2625 # The servers will accept between 100 and 1000 concurrent connections each
2626 # and the maximum of 1000 will be reached when the backend reaches 10000
2627 # connections.
2628 backend dynamic
2629 fullconn 10000
2630 server srv1 dyn1:80 minconn 100 maxconn 1000
2631 server srv2 dyn2:80 minconn 100 maxconn 1000
2632
2633 See also : "maxconn", "server"
2634
2635
2636grace <time>
2637 Maintain a proxy operational for some time after a soft stop
2638 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01002639 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01002640 Arguments :
2641 <time> is the time (by default in milliseconds) for which the instance
2642 will remain operational with the frontend sockets still listening
2643 when a soft-stop is received via the SIGUSR1 signal.
2644
2645 This may be used to ensure that the services disappear in a certain order.
2646 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002647 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01002648 needed by the equipment to detect the failure.
2649
2650 Note that currently, there is very little benefit in using this parameter,
2651 and it may in fact complicate the soft-reconfiguration process more than
2652 simplify it.
2653
Willy Tarreau0ba27502007-12-24 16:55:16 +01002654
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002655hash-type <method> <function> <modifier>
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002656 Specify a method to use for mapping hashes to servers
2657 May be used in sections : defaults | frontend | listen | backend
2658 yes | no | yes | yes
2659 Arguments :
Bhaskar98634f02013-10-29 23:30:51 -04002660 <method> is the method used to select a server from the hash computed by
2661 the <function> :
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002662
Bhaskar98634f02013-10-29 23:30:51 -04002663 map-based the hash table is a static array containing all alive servers.
2664 The hashes will be very smooth, will consider weights, but
2665 will be static in that weight changes while a server is up
2666 will be ignored. This means that there will be no slow start.
2667 Also, since a server is selected by its position in the array,
2668 most mappings are changed when the server count changes. This
2669 means that when a server goes up or down, or when a server is
2670 added to a farm, most connections will be redistributed to
2671 different servers. This can be inconvenient with caches for
2672 instance.
Willy Tarreau798a39c2010-11-24 15:04:29 +01002673
Bhaskar98634f02013-10-29 23:30:51 -04002674 consistent the hash table is a tree filled with many occurrences of each
2675 server. The hash key is looked up in the tree and the closest
2676 server is chosen. This hash is dynamic, it supports changing
2677 weights while the servers are up, so it is compatible with the
2678 slow start feature. It has the advantage that when a server
2679 goes up or down, only its associations are moved. When a
2680 server is added to the farm, only a few part of the mappings
2681 are redistributed, making it an ideal method for caches.
2682 However, due to its principle, the distribution will never be
2683 very smooth and it may sometimes be necessary to adjust a
2684 server's weight or its ID to get a more balanced distribution.
2685 In order to get the same distribution on multiple load
2686 balancers, it is important that all servers have the exact
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002687 same IDs. Note: consistent hash uses sdbm and avalanche if no
2688 hash function is specified.
Bhaskar98634f02013-10-29 23:30:51 -04002689
2690 <function> is the hash function to be used :
2691
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03002692 sdbm this function was created initially for sdbm (a public-domain
Bhaskar98634f02013-10-29 23:30:51 -04002693 reimplementation of ndbm) database library. It was found to do
2694 well in scrambling bits, causing better distribution of the keys
2695 and fewer splits. It also happens to be a good general hashing
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002696 function with good distribution, unless the total server weight
2697 is a multiple of 64, in which case applying the avalanche
2698 modifier may help.
Bhaskar98634f02013-10-29 23:30:51 -04002699
2700 djb2 this function was first proposed by Dan Bernstein many years ago
2701 on comp.lang.c. Studies have shown that for certain workload this
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002702 function provides a better distribution than sdbm. It generally
2703 works well with text-based inputs though it can perform extremely
2704 poorly with numeric-only input or when the total server weight is
2705 a multiple of 33, unless the avalanche modifier is also used.
2706
Willy Tarreaua0f42712013-11-14 14:30:35 +01002707 wt6 this function was designed for haproxy while testing other
2708 functions in the past. It is not as smooth as the other ones, but
2709 is much less sensible to the input data set or to the number of
2710 servers. It can make sense as an alternative to sdbm+avalanche or
2711 djb2+avalanche for consistent hashing or when hashing on numeric
2712 data such as a source IP address or a visitor identifier in a URL
2713 parameter.
2714
Bhaskar Maddalab6c0ac92013-11-05 11:54:02 -05002715 <modifier> indicates an optional method applied after hashing the key :
2716
2717 avalanche This directive indicates that the result from the hash
2718 function above should not be used in its raw form but that
2719 a 4-byte full avalanche hash must be applied first. The
2720 purpose of this step is to mix the resulting bits from the
2721 previous hash in order to avoid any undesired effect when
2722 the input contains some limited values or when the number of
2723 servers is a multiple of one of the hash's components (64
2724 for SDBM, 33 for DJB2). Enabling avalanche tends to make the
2725 result less predictable, but it's also not as smooth as when
2726 using the original function. Some testing might be needed
2727 with some workloads. This hash is one of the many proposed
2728 by Bob Jenkins.
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002729
Bhaskar98634f02013-10-29 23:30:51 -04002730 The default hash type is "map-based" and is recommended for most usages. The
2731 default function is "sdbm", the selection of a function should be based on
2732 the range of the values being hashed.
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002733
2734 See also : "balance", "server"
2735
2736
Willy Tarreau0ba27502007-12-24 16:55:16 +01002737http-check disable-on-404
2738 Enable a maintenance mode upon HTTP/404 response to health-checks
2739 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01002740 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01002741 Arguments : none
2742
2743 When this option is set, a server which returns an HTTP code 404 will be
2744 excluded from further load-balancing, but will still receive persistent
2745 connections. This provides a very convenient method for Web administrators
2746 to perform a graceful shutdown of their servers. It is also important to note
2747 that a server which is detected as failed while it was in this mode will not
2748 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
2749 will immediately be reinserted into the farm. The status on the stats page
2750 reports "NOLB" for a server in this mode. It is important to note that this
Willy Tarreaubd741542010-03-16 18:46:54 +01002751 option only works in conjunction with the "httpchk" option. If this option
2752 is used with "http-check expect", then it has precedence over it so that 404
2753 responses will still be considered as soft-stop.
2754
2755 See also : "option httpchk", "http-check expect"
2756
2757
2758http-check expect [!] <match> <pattern>
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002759 Make HTTP health checks consider response contents or specific status codes
Willy Tarreaubd741542010-03-16 18:46:54 +01002760 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau1ee51a62011-08-19 20:04:17 +02002761 yes | no | yes | yes
Willy Tarreaubd741542010-03-16 18:46:54 +01002762 Arguments :
2763 <match> is a keyword indicating how to look for a specific pattern in the
2764 response. The keyword may be one of "status", "rstatus",
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002765 "string", or "rstring". The keyword may be preceded by an
Willy Tarreaubd741542010-03-16 18:46:54 +01002766 exclamation mark ("!") to negate the match. Spaces are allowed
2767 between the exclamation mark and the keyword. See below for more
2768 details on the supported keywords.
2769
2770 <pattern> is the pattern to look for. It may be a string or a regular
2771 expression. If the pattern contains spaces, they must be escaped
2772 with the usual backslash ('\').
2773
2774 By default, "option httpchk" considers that response statuses 2xx and 3xx
2775 are valid, and that others are invalid. When "http-check expect" is used,
2776 it defines what is considered valid or invalid. Only one "http-check"
2777 statement is supported in a backend. If a server fails to respond or times
2778 out, the check obviously fails. The available matches are :
2779
2780 status <string> : test the exact string match for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002781 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002782 response's status code is exactly this string. If the
2783 "status" keyword is prefixed with "!", then the response
2784 will be considered invalid if the status code matches.
2785
2786 rstatus <regex> : test a regular expression for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002787 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002788 response's status code matches the expression. If the
2789 "rstatus" keyword is prefixed with "!", then the response
2790 will be considered invalid if the status code matches.
2791 This is mostly used to check for multiple codes.
2792
2793 string <string> : test the exact string match in the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002794 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002795 response's body contains this exact string. If the
2796 "string" keyword is prefixed with "!", then the response
2797 will be considered invalid if the body contains this
2798 string. This can be used to look for a mandatory word at
2799 the end of a dynamic page, or to detect a failure when a
2800 specific error appears on the check page (eg: a stack
2801 trace).
2802
2803 rstring <regex> : test a regular expression on the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002804 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002805 response's body matches this expression. If the "rstring"
2806 keyword is prefixed with "!", then the response will be
2807 considered invalid if the body matches the expression.
2808 This can be used to look for a mandatory word at the end
2809 of a dynamic page, or to detect a failure when a specific
2810 error appears on the check page (eg: a stack trace).
2811
2812 It is important to note that the responses will be limited to a certain size
2813 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
2814 Thus, too large responses may not contain the mandatory pattern when using
2815 "string" or "rstring". If a large response is absolutely required, it is
2816 possible to change the default max size by setting the global variable.
2817 However, it is worth keeping in mind that parsing very large responses can
2818 waste some CPU cycles, especially when regular expressions are used, and that
2819 it is always better to focus the checks on smaller resources.
2820
2821 Last, if "http-check expect" is combined with "http-check disable-on-404",
2822 then this last one has precedence when the server responds with 404.
2823
2824 Examples :
2825 # only accept status 200 as valid
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002826 http-check expect status 200
Willy Tarreaubd741542010-03-16 18:46:54 +01002827
2828 # consider SQL errors as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002829 http-check expect ! string SQL\ Error
Willy Tarreaubd741542010-03-16 18:46:54 +01002830
2831 # consider status 5xx only as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002832 http-check expect ! rstatus ^5
Willy Tarreaubd741542010-03-16 18:46:54 +01002833
2834 # check that we have a correct hexadecimal tag before /html
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002835 http-check expect rstring <!--tag:[0-9a-f]*</html>
Willy Tarreau0ba27502007-12-24 16:55:16 +01002836
Willy Tarreaubd741542010-03-16 18:46:54 +01002837 See also : "option httpchk", "http-check disable-on-404"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002838
2839
Willy Tarreauef781042010-01-27 11:53:01 +01002840http-check send-state
2841 Enable emission of a state header with HTTP health checks
2842 May be used in sections : defaults | frontend | listen | backend
2843 yes | no | yes | yes
2844 Arguments : none
2845
2846 When this option is set, haproxy will systematically send a special header
2847 "X-Haproxy-Server-State" with a list of parameters indicating to each server
2848 how they are seen by haproxy. This can be used for instance when a server is
2849 manipulated without access to haproxy and the operator needs to know whether
2850 haproxy still sees it up or not, or if the server is the last one in a farm.
2851
2852 The header is composed of fields delimited by semi-colons, the first of which
2853 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
2854 checks on the total number before transition, just as appears in the stats
2855 interface. Next headers are in the form "<variable>=<value>", indicating in
2856 no specific order some values available in the stats interface :
2857 - a variable "name", containing the name of the backend followed by a slash
2858 ("/") then the name of the server. This can be used when a server is
2859 checked in multiple backends.
2860
2861 - a variable "node" containing the name of the haproxy node, as set in the
2862 global "node" variable, otherwise the system's hostname if unspecified.
2863
2864 - a variable "weight" indicating the weight of the server, a slash ("/")
2865 and the total weight of the farm (just counting usable servers). This
2866 helps to know if other servers are available to handle the load when this
2867 one fails.
2868
2869 - a variable "scur" indicating the current number of concurrent connections
2870 on the server, followed by a slash ("/") then the total number of
2871 connections on all servers of the same backend.
2872
2873 - a variable "qcur" indicating the current number of requests in the
2874 server's queue.
2875
2876 Example of a header received by the application server :
2877 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
2878 scur=13/22; qcur=0
2879
2880 See also : "option httpchk", "http-check disable-on-404"
2881
Willy Tarreauccbcc372012-12-27 12:37:57 +01002882http-request { allow | deny | tarpit | auth [realm <realm>] | redirect <rule> |
Willy Tarreauf4c43c12013-06-11 17:01:13 +02002883 add-header <name> <fmt> | set-header <name> <fmt> |
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02002884 del-header <name> | set-nice <nice> | set-log-level <level> |
Sasha Pachev218f0642014-06-16 12:05:59 -06002885 replace-header <name> <match-regex> <replace-fmt> |
2886 replace-value <name> <match-regex> <replace-fmt> |
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02002887 set-tos <tos> | set-mark <mark> |
2888 add-acl(<file name>) <key fmt> |
2889 del-acl(<file name>) <key fmt> |
2890 del-map(<file name>) <key fmt> |
2891 set-map(<file name>) <key fmt> <value fmt>
2892 }
Cyril Bontéf0c60612010-02-06 14:44:47 +01002893 [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002894 Access control for Layer 7 requests
2895
2896 May be used in sections: defaults | frontend | listen | backend
2897 no | yes | yes | yes
2898
Willy Tarreau20b0de52012-12-24 15:45:22 +01002899 The http-request statement defines a set of rules which apply to layer 7
2900 processing. The rules are evaluated in their declaration order when they are
2901 met in a frontend, listen or backend section. Any rule may optionally be
2902 followed by an ACL-based condition, in which case it will only be evaluated
2903 if the condition is true.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002904
Willy Tarreau20b0de52012-12-24 15:45:22 +01002905 The first keyword is the rule's action. Currently supported actions include :
2906 - "allow" : this stops the evaluation of the rules and lets the request
2907 pass the check. No further "http-request" rules are evaluated.
2908
2909 - "deny" : this stops the evaluation of the rules and immediately rejects
2910 the request and emits an HTTP 403 error. No further "http-request" rules
2911 are evaluated.
2912
Willy Tarreauccbcc372012-12-27 12:37:57 +01002913 - "tarpit" : this stops the evaluation of the rules and immediately blocks
2914 the request without responding for a delay specified by "timeout tarpit"
2915 or "timeout connect" if the former is not set. After that delay, if the
2916 client is still connected, an HTTP error 500 is returned so that the
2917 client does not suspect it has been tarpitted. Logs will report the flags
2918 "PT". The goal of the tarpit rule is to slow down robots during an attack
2919 when they're limited on the number of concurrent requests. It can be very
2920 efficient against very dumb robots, and will significantly reduce the
2921 load on firewalls compared to a "deny" rule. But when facing "correctly"
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03002922 developed robots, it can make things worse by forcing haproxy and the
Willy Tarreauccbcc372012-12-27 12:37:57 +01002923 front firewall to support insane number of concurrent connections.
2924
Willy Tarreau20b0de52012-12-24 15:45:22 +01002925 - "auth" : this stops the evaluation of the rules and immediately responds
2926 with an HTTP 401 or 407 error code to invite the user to present a valid
2927 user name and password. No further "http-request" rules are evaluated. An
2928 optional "realm" parameter is supported, it sets the authentication realm
2929 that is returned with the response (typically the application's name).
2930
Willy Tarreau81499eb2012-12-27 12:19:02 +01002931 - "redirect" : this performs an HTTP redirection based on a redirect rule.
2932 This is exactly the same as the "redirect" statement except that it
2933 inserts a redirect rule which can be processed in the middle of other
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01002934 "http-request" rules and that these rules use the "log-format" strings.
2935 See the "redirect" keyword for the rule's syntax.
Willy Tarreau81499eb2012-12-27 12:19:02 +01002936
Willy Tarreau20b0de52012-12-24 15:45:22 +01002937 - "add-header" appends an HTTP header field whose name is specified in
2938 <name> and whose value is defined by <fmt> which follows the log-format
2939 rules (see Custom Log Format in section 8.2.4). This is particularly
2940 useful to pass connection-specific information to the server (eg: the
2941 client's SSL certificate), or to combine several headers into one. This
2942 rule is not final, so it is possible to add other similar rules. Note
2943 that header addition is performed immediately, so one rule might reuse
2944 the resulting header from a previous rule.
2945
2946 - "set-header" does the same as "add-header" except that the header name
2947 is first removed if it existed. This is useful when passing security
2948 information to the server, where the header must not be manipulated by
2949 external users.
2950
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02002951 - "del-header" removes all HTTP header fields whose name is specified in
2952 <name>.
2953
Sasha Pachev218f0642014-06-16 12:05:59 -06002954 - "replace-header" matches the regular expression in all occurrences of
2955 header field <name> according to <match-regex>, and replaces them with
2956 the <replace-fmt> argument. Format characters are allowed in replace-fmt
2957 and work like in <fmt> arguments in "add-header". The match is only
2958 case-sensitive. It is important to understand that this action only
2959 considers whole header lines, regardless of the number of values they
2960 may contain. This usage is suited to headers naturally containing commas
2961 in their value, such as If-Modified-Since and so on.
2962
2963 Example:
2964
2965 http-request replace-header Cookie foo=([^;]*);(.*) foo=\1;ip=%bi;\2
2966
2967 applied to:
2968
2969 Cookie: foo=foobar; expires=Tue, 14-Jun-2016 01:40:45 GMT;
2970
2971 outputs:
2972
2973 Cookie: foo=foobar;ip=192.168.1.20; expires=Tue, 14-Jun-2016 01:40:45 GMT;
2974
2975 assuming the backend IP is 192.168.1.20
2976
2977 - "replace-value" works like "replace-header" except that it matches the
2978 regex against every comma-delimited value of the header field <name>
2979 instead of the entire header. This is suited for all headers which are
2980 allowed to carry more than one value. An example could be the Accept
2981 header.
2982
2983 Example:
2984
2985 http-request replace-value X-Forwarded-For ^192\.168\.(.*)$ 172.16.\1
2986
2987 applied to:
2988
2989 X-Forwarded-For: 192.168.10.1, 192.168.13.24, 10.0.0.37
2990
2991 outputs:
2992
2993 X-Forwarded-For: 172.16.10.1, 172.16.13.24, 10.0.0.37
2994
Willy Tarreauf4c43c12013-06-11 17:01:13 +02002995 - "set-nice" sets the "nice" factor of the current request being processed.
2996 It only has effect against the other requests being processed at the same
2997 time. The default value is 0, unless altered by the "nice" setting on the
2998 "bind" line. The accepted range is -1024..1024. The higher the value, the
2999 nicest the request will be. Lower values will make the request more
3000 important than other ones. This can be useful to improve the speed of
3001 some requests, or lower the priority of non-important requests. Using
3002 this setting without prior experimentation can cause some major slowdown.
3003
Willy Tarreau9a355ec2013-06-11 17:45:46 +02003004 - "set-log-level" is used to change the log level of the current request
3005 when a certain condition is met. Valid levels are the 8 syslog levels
3006 (see the "log" keyword) plus the special level "silent" which disables
3007 logging for this request. This rule is not final so the last matching
3008 rule wins. This rule can be useful to disable health checks coming from
3009 another equipment.
3010
Willy Tarreau42cf39e2013-06-11 18:51:32 +02003011 - "set-tos" is used to set the TOS or DSCP field value of packets sent to
3012 the client to the value passed in <tos> on platforms which support this.
3013 This value represents the whole 8 bits of the IP TOS field, and can be
3014 expressed both in decimal or hexadecimal format (prefixed by "0x"). Note
3015 that only the 6 higher bits are used in DSCP or TOS, and the two lower
3016 bits are always 0. This can be used to adjust some routing behaviour on
3017 border routers based on some information from the request. See RFC 2474,
3018 2597, 3260 and 4594 for more information.
3019
Willy Tarreau51347ed2013-06-11 19:34:13 +02003020 - "set-mark" is used to set the Netfilter MARK on all packets sent to the
3021 client to the value passed in <mark> on platforms which support it. This
3022 value is an unsigned 32 bit value which can be matched by netfilter and
3023 by the routing table. It can be expressed both in decimal or hexadecimal
3024 format (prefixed by "0x"). This can be useful to force certain packets to
3025 take a different route (for example a cheaper network path for bulk
3026 downloads). This works on Linux kernels 2.6.32 and above and requires
3027 admin privileges.
3028
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003029 - "add-acl" is used to add a new entry into an ACL. The ACL must be loaded
3030 from a file (even a dummy empty file). The file name of the ACL to be
3031 updated is passed between parentheses. It takes one argument: <key fmt>,
3032 which follows log-format rules, to collect content of the new entry. It
3033 performs a lookup in the ACL before insertion, to avoid duplicated (or
3034 more) values. This lookup is done by a linear search and can be expensive
3035 with large lists! It is the equivalent of the "add acl" command from the
3036 stats socket, but can be triggered by an HTTP request.
3037
3038 - "del-acl" is used to delete an entry from an ACL. The ACL must be loaded
3039 from a file (even a dummy empty file). The file name of the ACL to be
3040 updated is passed between parentheses. It takes one argument: <key fmt>,
3041 which follows log-format rules, to collect content of the entry to delete.
3042 It is the equivalent of the "del acl" command from the stats socket, but
3043 can be triggered by an HTTP request.
3044
3045 - "del-map" is used to delete an entry from a MAP. The MAP must be loaded
3046 from a file (even a dummy empty file). The file name of the MAP to be
3047 updated is passed between parentheses. It takes one argument: <key fmt>,
3048 which follows log-format rules, to collect content of the entry to delete.
3049 It takes one argument: "file name" It is the equivalent of the "del map"
3050 command from the stats socket, but can be triggered by an HTTP request.
3051
3052 - "set-map" is used to add a new entry into a MAP. The MAP must be loaded
3053 from a file (even a dummy empty file). The file name of the MAP to be
3054 updated is passed between parentheses. It takes 2 arguments: <key fmt>,
3055 which follows log-format rules, used to collect MAP key, and <value fmt>,
3056 which follows log-format rules, used to collect content for the new entry.
3057 It performs a lookup in the MAP before insertion, to avoid duplicated (or
3058 more) values. This lookup is done by a linear search and can be expensive
3059 with large lists! It is the equivalent of the "set map" command from the
3060 stats socket, but can be triggered by an HTTP request.
3061
Willy Tarreau20b0de52012-12-24 15:45:22 +01003062 There is no limit to the number of http-request statements per instance.
3063
3064 It is important to know that http-request rules are processed very early in
3065 the HTTP processing, just after "block" rules and before "reqdel" or "reqrep"
3066 rules. That way, headers added by "add-header"/"set-header" are visible by
3067 almost all further ACL rules.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003068
3069 Example:
Cyril Bonté78caf842010-03-10 22:41:43 +01003070 acl nagios src 192.168.129.3
3071 acl local_net src 192.168.0.0/16
3072 acl auth_ok http_auth(L1)
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003073
Cyril Bonté78caf842010-03-10 22:41:43 +01003074 http-request allow if nagios
3075 http-request allow if local_net auth_ok
3076 http-request auth realm Gimme if local_net auth_ok
3077 http-request deny
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003078
Cyril Bonté78caf842010-03-10 22:41:43 +01003079 Example:
3080 acl auth_ok http_auth_group(L1) G1
Cyril Bonté78caf842010-03-10 22:41:43 +01003081 http-request auth unless auth_ok
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01003082
Willy Tarreau20b0de52012-12-24 15:45:22 +01003083 Example:
3084 http-request set-header X-Haproxy-Current-Date %T
3085 http-request set-header X-SSL %[ssl_fc]
3086 http-request set-header X-SSL-Session_ID %[ssl_fc_session_id]
3087 http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
3088 http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
3089 http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
3090 http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
3091 http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
3092 http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
3093
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003094 Example:
3095 acl key req.hdr(X-Add-Acl-Key) -m found
3096 acl add path /addacl
3097 acl del path /delacl
3098
3099 acl myhost hdr(Host) -f myhost.lst
3100
3101 http-request add-acl(myhost.lst) %[req.hdr(X-Add-Acl-Key)] if key add
3102 http-request del-acl(myhost.lst) %[req.hdr(X-Add-Acl-Key)] if key del
3103
3104 Example:
3105 acl value req.hdr(X-Value) -m found
3106 acl setmap path /setmap
3107 acl delmap path /delmap
3108
3109 use_backend bk_appli if { hdr(Host),map_str(map.lst) -m found }
3110
3111 http-request set-map(map.lst) %[src] %[req.hdr(X-Value)] if setmap value
3112 http-request del-map(map.lst) %[src] if delmap
3113
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02003114 See also : "stats http-request", section 3.4 about userlists and section 7
3115 about ACL usage.
Willy Tarreauef781042010-01-27 11:53:01 +01003116
Willy Tarreauf4c43c12013-06-11 17:01:13 +02003117http-response { allow | deny | add-header <name> <fmt> | set-nice <nice> |
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02003118 set-header <name> <fmt> | del-header <name> |
Sasha Pachev218f0642014-06-16 12:05:59 -06003119 replace-header <name> <regex-match> <replace-fmt> |
3120 replace-value <name> <regex-match> <replace-fmt> |
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003121 set-log-level <level> | set-mark <mark> | set-tos <tos> |
3122 add-acl(<file name>) <key fmt> |
3123 del-acl(<file name>) <key fmt> |
3124 del-map(<file name>) <key fmt> |
3125 set-map(<file name>) <key fmt> <value fmt>
3126 }
Lukas Tribus2dd1d1a2013-06-19 23:34:41 +02003127 [ { if | unless } <condition> ]
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003128 Access control for Layer 7 responses
3129
3130 May be used in sections: defaults | frontend | listen | backend
3131 no | yes | yes | yes
3132
3133 The http-response statement defines a set of rules which apply to layer 7
3134 processing. The rules are evaluated in their declaration order when they are
3135 met in a frontend, listen or backend section. Any rule may optionally be
3136 followed by an ACL-based condition, in which case it will only be evaluated
3137 if the condition is true. Since these rules apply on responses, the backend
3138 rules are applied first, followed by the frontend's rules.
3139
3140 The first keyword is the rule's action. Currently supported actions include :
3141 - "allow" : this stops the evaluation of the rules and lets the response
3142 pass the check. No further "http-response" rules are evaluated for the
3143 current section.
3144
3145 - "deny" : this stops the evaluation of the rules and immediately rejects
3146 the response and emits an HTTP 502 error. No further "http-response"
3147 rules are evaluated.
3148
3149 - "add-header" appends an HTTP header field whose name is specified in
3150 <name> and whose value is defined by <fmt> which follows the log-format
3151 rules (see Custom Log Format in section 8.2.4). This may be used to send
3152 a cookie to a client for example, or to pass some internal information.
3153 This rule is not final, so it is possible to add other similar rules.
3154 Note that header addition is performed immediately, so one rule might
3155 reuse the resulting header from a previous rule.
3156
3157 - "set-header" does the same as "add-header" except that the header name
3158 is first removed if it existed. This is useful when passing security
3159 information to the server, where the header must not be manipulated by
3160 external users.
3161
Thierry FOURNIERdad3d1d2014-04-22 18:07:25 +02003162 - "del-header" removes all HTTP header fields whose name is specified in
3163 <name>.
3164
Sasha Pachev218f0642014-06-16 12:05:59 -06003165 - "replace-header" matches the regular expression in all occurrences of
3166 header field <name> according to <match-regex>, and replaces them with
3167 the <replace-fmt> argument. Format characters are allowed in replace-fmt
3168 and work like in <fmt> arguments in "add-header". The match is only
3169 case-sensitive. It is important to understand that this action only
3170 considers whole header lines, regardless of the number of values they
3171 may contain. This usage is suited to headers naturally containing commas
3172 in their value, such as Set-Cookie, Expires and so on.
3173
3174 Example:
3175
3176 http-response replace-header Set-Cookie (C=[^;]*);(.*) \1;ip=%bi;\2
3177
3178 applied to:
3179
3180 Set-Cookie: C=1; expires=Tue, 14-Jun-2016 01:40:45 GMT
3181
3182 outputs:
3183
3184 Set-Cookie: C=1;ip=192.168.1.20; expires=Tue, 14-Jun-2016 01:40:45 GMT
3185
3186 assuming the backend IP is 192.168.1.20.
3187
3188 - "replace-value" works like "replace-header" except that it matches the
3189 regex against every comma-delimited value of the header field <name>
3190 instead of the entire header. This is suited for all headers which are
3191 allowed to carry more than one value. An example could be the Accept
3192 header.
3193
3194 Example:
3195
3196 http-response replace-value Cache-control ^public$ private
3197
3198 applied to:
3199
3200 Cache-Control: max-age=3600, public
3201
3202 outputs:
3203
3204 Cache-Control: max-age=3600, private
3205
Willy Tarreauf4c43c12013-06-11 17:01:13 +02003206 - "set-nice" sets the "nice" factor of the current request being processed.
3207 It only has effect against the other requests being processed at the same
3208 time. The default value is 0, unless altered by the "nice" setting on the
3209 "bind" line. The accepted range is -1024..1024. The higher the value, the
3210 nicest the request will be. Lower values will make the request more
3211 important than other ones. This can be useful to improve the speed of
3212 some requests, or lower the priority of non-important requests. Using
3213 this setting without prior experimentation can cause some major slowdown.
3214
Willy Tarreau9a355ec2013-06-11 17:45:46 +02003215 - "set-log-level" is used to change the log level of the current request
3216 when a certain condition is met. Valid levels are the 8 syslog levels
3217 (see the "log" keyword) plus the special level "silent" which disables
3218 logging for this request. This rule is not final so the last matching
3219 rule wins. This rule can be useful to disable health checks coming from
3220 another equipment.
3221
Willy Tarreau42cf39e2013-06-11 18:51:32 +02003222 - "set-tos" is used to set the TOS or DSCP field value of packets sent to
3223 the client to the value passed in <tos> on platforms which support this.
3224 This value represents the whole 8 bits of the IP TOS field, and can be
3225 expressed both in decimal or hexadecimal format (prefixed by "0x"). Note
3226 that only the 6 higher bits are used in DSCP or TOS, and the two lower
3227 bits are always 0. This can be used to adjust some routing behaviour on
3228 border routers based on some information from the request. See RFC 2474,
3229 2597, 3260 and 4594 for more information.
3230
Willy Tarreau51347ed2013-06-11 19:34:13 +02003231 - "set-mark" is used to set the Netfilter MARK on all packets sent to the
3232 client to the value passed in <mark> on platforms which support it. This
3233 value is an unsigned 32 bit value which can be matched by netfilter and
3234 by the routing table. It can be expressed both in decimal or hexadecimal
3235 format (prefixed by "0x"). This can be useful to force certain packets to
3236 take a different route (for example a cheaper network path for bulk
3237 downloads). This works on Linux kernels 2.6.32 and above and requires
3238 admin privileges.
3239
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003240 - "add-acl" is used to add a new entry into an ACL. The ACL must be loaded
3241 from a file (even a dummy empty file). The file name of the ACL to be
3242 updated is passed between parentheses. It takes one argument: <key fmt>,
3243 which follows log-format rules, to collect content of the new entry. It
3244 performs a lookup in the ACL before insertion, to avoid duplicated (or
3245 more) values. This lookup is done by a linear search and can be expensive
3246 with large lists! It is the equivalent of the "add acl" command from the
3247 stats socket, but can be triggered by an HTTP response.
3248
3249 - "del-acl" is used to delete an entry from an ACL. The ACL must be loaded
3250 from a file (even a dummy empty file). The file name of the ACL to be
3251 updated is passed between parentheses. It takes one argument: <key fmt>,
3252 which follows log-format rules, to collect content of the entry to delete.
3253 It is the equivalent of the "del acl" command from the stats socket, but
3254 can be triggered by an HTTP response.
3255
3256 - "del-map" is used to delete an entry from a MAP. The MAP must be loaded
3257 from a file (even a dummy empty file). The file name of the MAP to be
3258 updated is passed between parentheses. It takes one argument: <key fmt>,
3259 which follows log-format rules, to collect content of the entry to delete.
3260 It takes one argument: "file name" It is the equivalent of the "del map"
3261 command from the stats socket, but can be triggered by an HTTP response.
3262
3263 - "set-map" is used to add a new entry into a MAP. The MAP must be loaded
3264 from a file (even a dummy empty file). The file name of the MAP to be
3265 updated is passed between parentheses. It takes 2 arguments: <key fmt>,
3266 which follows log-format rules, used to collect MAP key, and <value fmt>,
3267 which follows log-format rules, used to collect content for the new entry.
3268 It performs a lookup in the MAP before insertion, to avoid duplicated (or
3269 more) values. This lookup is done by a linear search and can be expensive
3270 with large lists! It is the equivalent of the "set map" command from the
3271 stats socket, but can be triggered by an HTTP response.
3272
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003273 There is no limit to the number of http-response statements per instance.
3274
Godbach09250262013-07-02 01:19:15 +08003275 It is important to know that http-response rules are processed very early in
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003276 the HTTP processing, before "reqdel" or "reqrep" rules. That way, headers
3277 added by "add-header"/"set-header" are visible by almost all further ACL
3278 rules.
3279
Baptiste Assmannfabcbe02014-04-24 22:16:59 +02003280 Example:
3281 acl key_acl res.hdr(X-Acl-Key) -m found
3282
3283 acl myhost hdr(Host) -f myhost.lst
3284
3285 http-response add-acl(myhost.lst) %[res.hdr(X-Acl-Key)] if key_acl
3286 http-response del-acl(myhost.lst) %[res.hdr(X-Acl-Key)] if key_acl
3287
3288 Example:
3289 acl value res.hdr(X-Value) -m found
3290
3291 use_backend bk_appli if { hdr(Host),map_str(map.lst) -m found }
3292
3293 http-response set-map(map.lst) %[src] %[res.hdr(X-Value)] if value
3294 http-response del-map(map.lst) %[src] if ! value
3295
Willy Tarreaue365c0b2013-06-11 16:06:12 +02003296 See also : "http-request", section 3.4 about userlists and section 7 about
3297 ACL usage.
3298
Baptiste Assmann5ecb77f2013-10-06 23:24:13 +02003299
Mark Lamourinec2247f02012-01-04 13:02:01 -05003300http-send-name-header [<header>]
3301 Add the server name to a request. Use the header string given by <header>
3302
3303 May be used in sections: defaults | frontend | listen | backend
3304 yes | no | yes | yes
3305
3306 Arguments :
3307
3308 <header> The header string to use to send the server name
3309
3310 The "http-send-name-header" statement causes the name of the target
3311 server to be added to the headers of an HTTP request. The name
3312 is added with the header string proved.
3313
3314 See also : "server"
3315
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01003316id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02003317 Set a persistent ID to a proxy.
3318 May be used in sections : defaults | frontend | listen | backend
3319 no | yes | yes | yes
3320 Arguments : none
3321
3322 Set a persistent ID for the proxy. This ID must be unique and positive.
3323 An unused ID will automatically be assigned if unset. The first assigned
3324 value will be 1. This ID is currently only returned in statistics.
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +01003325
3326
Cyril Bonté0d4bf012010-04-25 23:21:46 +02003327ignore-persist { if | unless } <condition>
3328 Declare a condition to ignore persistence
3329 May be used in sections: defaults | frontend | listen | backend
3330 no | yes | yes | yes
3331
3332 By default, when cookie persistence is enabled, every requests containing
3333 the cookie are unconditionally persistent (assuming the target server is up
3334 and running).
3335
3336 The "ignore-persist" statement allows one to declare various ACL-based
3337 conditions which, when met, will cause a request to ignore persistence.
3338 This is sometimes useful to load balance requests for static files, which
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03003339 often don't require persistence. This can also be used to fully disable
Cyril Bonté0d4bf012010-04-25 23:21:46 +02003340 persistence for a specific User-Agent (for example, some web crawler bots).
3341
3342 Combined with "appsession", it can also help reduce HAProxy memory usage, as
3343 the appsession table won't grow if persistence is ignored.
3344
3345 The persistence is ignored when an "if" condition is met, or unless an
3346 "unless" condition is met.
3347
3348 See also : "force-persist", "cookie", and section 7 about ACL usage.
3349
3350
Willy Tarreau2769aa02007-12-27 18:26:09 +01003351log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02003352log <address> <facility> [<level> [<minlevel>]]
William Lallemand0f99e342011-10-12 17:50:54 +02003353no log
Willy Tarreau2769aa02007-12-27 18:26:09 +01003354 Enable per-instance logging of events and traffic.
3355 May be used in sections : defaults | frontend | listen | backend
3356 yes | yes | yes | yes
William Lallemand0f99e342011-10-12 17:50:54 +02003357
3358 Prefix :
3359 no should be used when the logger list must be flushed. For example,
3360 if you don't want to inherit from the default logger list. This
3361 prefix does not allow arguments.
3362
Willy Tarreau2769aa02007-12-27 18:26:09 +01003363 Arguments :
3364 global should be used when the instance's logging parameters are the
3365 same as the global ones. This is the most common usage. "global"
3366 replaces <address>, <facility> and <level> with those of the log
3367 entries found in the "global" section. Only one "log global"
3368 statement may be used per instance, and this form takes no other
3369 parameter.
3370
3371 <address> indicates where to send the logs. It takes the same format as
3372 for the "global" section's logs, and can be one of :
3373
3374 - An IPv4 address optionally followed by a colon (':') and a UDP
3375 port. If no port is specified, 514 is used by default (the
3376 standard syslog port).
3377
David du Colombier24bb5f52011-03-17 10:40:23 +01003378 - An IPv6 address followed by a colon (':') and optionally a UDP
3379 port. If no port is specified, 514 is used by default (the
3380 standard syslog port).
3381
Willy Tarreau2769aa02007-12-27 18:26:09 +01003382 - A filesystem path to a UNIX domain socket, keeping in mind
3383 considerations for chroot (be sure the path is accessible
3384 inside the chroot) and uid/gid (be sure the path is
3385 appropriately writeable).
3386
Willy Tarreaudad36a32013-03-11 01:20:04 +01003387 Any part of the address string may reference any number of
3388 environment variables by preceding their name with a dollar
3389 sign ('$') and optionally enclosing them with braces ('{}'),
3390 similarly to what is done in Bourne shell.
3391
Willy Tarreau2769aa02007-12-27 18:26:09 +01003392 <facility> must be one of the 24 standard syslog facilities :
3393
3394 kern user mail daemon auth syslog lpr news
3395 uucp cron auth2 ftp ntp audit alert cron2
3396 local0 local1 local2 local3 local4 local5 local6 local7
3397
3398 <level> is optional and can be specified to filter outgoing messages. By
3399 default, all messages are sent. If a level is specified, only
3400 messages with a severity at least as important as this level
Willy Tarreauf7edefa2009-05-10 17:20:05 +02003401 will be sent. An optional minimum level can be specified. If it
3402 is set, logs emitted with a more severe level than this one will
3403 be capped to this level. This is used to avoid sending "emerg"
3404 messages on all terminals on some default syslog configurations.
3405 Eight levels are known :
Willy Tarreau2769aa02007-12-27 18:26:09 +01003406
3407 emerg alert crit err warning notice info debug
3408
William Lallemand0f99e342011-10-12 17:50:54 +02003409 It is important to keep in mind that it is the frontend which decides what to
3410 log from a connection, and that in case of content switching, the log entries
3411 from the backend will be ignored. Connections are logged at level "info".
Willy Tarreaucc6c8912009-02-22 10:53:55 +01003412
3413 However, backend log declaration define how and where servers status changes
3414 will be logged. Level "notice" will be used to indicate a server going up,
3415 "warning" will be used for termination signals and definitive service
3416 termination, and "alert" will be used for when a server goes down.
3417
3418 Note : According to RFC3164, messages are truncated to 1024 bytes before
3419 being emitted.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003420
3421 Example :
3422 log global
Willy Tarreauf7edefa2009-05-10 17:20:05 +02003423 log 127.0.0.1:514 local0 notice # only send important events
3424 log 127.0.0.1:514 local0 notice notice # same but limit output level
Willy Tarreaudad36a32013-03-11 01:20:04 +01003425 log ${LOCAL_SYSLOG}:514 local0 notice # send to local server
3426
Willy Tarreau2769aa02007-12-27 18:26:09 +01003427
William Lallemand48940402012-01-30 16:47:22 +01003428log-format <string>
3429 Allows you to custom a log line.
3430
3431 See also : Custom Log Format (8.2.4)
3432
Willy Tarreau2769aa02007-12-27 18:26:09 +01003433
Willy Tarreauc35362a2014-04-25 13:58:37 +02003434max-keep-alive-queue <value>
3435 Set the maximum server queue size for maintaining keep-alive connections
3436 May be used in sections: defaults | frontend | listen | backend
3437 yes | no | yes | yes
3438
3439 HTTP keep-alive tries to reuse the same server connection whenever possible,
3440 but sometimes it can be counter-productive, for example if a server has a lot
3441 of connections while other ones are idle. This is especially true for static
3442 servers.
3443
3444 The purpose of this setting is to set a threshold on the number of queued
3445 connections at which haproxy stops trying to reuse the same server and prefers
3446 to find another one. The default value, -1, means there is no limit. A value
3447 of zero means that keep-alive requests will never be queued. For very close
3448 servers which can be reached with a low latency and which are not sensible to
3449 breaking keep-alive, a low value is recommended (eg: local static server can
3450 use a value of 10 or less). For remote servers suffering from a high latency,
3451 higher values might be needed to cover for the latency and/or the cost of
3452 picking a different server.
3453
3454 Note that this has no impact on responses which are maintained to the same
3455 server consecutively to a 401 response. They will still go to the same server
3456 even if they have to be queued.
3457
3458 See also : "option http-server-close", "option prefer-last-server", server
3459 "maxconn" and cookie persistence.
3460
3461
Willy Tarreau2769aa02007-12-27 18:26:09 +01003462maxconn <conns>
3463 Fix the maximum number of concurrent connections on a frontend
3464 May be used in sections : defaults | frontend | listen | backend
3465 yes | yes | yes | no
3466 Arguments :
3467 <conns> is the maximum number of concurrent connections the frontend will
3468 accept to serve. Excess connections will be queued by the system
3469 in the socket's listen queue and will be served once a connection
3470 closes.
3471
3472 If the system supports it, it can be useful on big sites to raise this limit
3473 very high so that haproxy manages connection queues, instead of leaving the
3474 clients with unanswered connection attempts. This value should not exceed the
3475 global maxconn. Also, keep in mind that a connection contains two buffers
3476 of 8kB each, as well as some other data resulting in about 17 kB of RAM being
3477 consumed per established connection. That means that a medium system equipped
3478 with 1GB of RAM can withstand around 40000-50000 concurrent connections if
3479 properly tuned.
3480
3481 Also, when <conns> is set to large values, it is possible that the servers
3482 are not sized to accept such loads, and for this reason it is generally wise
3483 to assign them some reasonable connection limits.
3484
Vincent Bernat6341be52012-06-27 17:18:30 +02003485 By default, this value is set to 2000.
3486
Willy Tarreau2769aa02007-12-27 18:26:09 +01003487 See also : "server", global section's "maxconn", "fullconn"
3488
3489
3490mode { tcp|http|health }
3491 Set the running mode or protocol of the instance
3492 May be used in sections : defaults | frontend | listen | backend
3493 yes | yes | yes | yes
3494 Arguments :
3495 tcp The instance will work in pure TCP mode. A full-duplex connection
3496 will be established between clients and servers, and no layer 7
3497 examination will be performed. This is the default mode. It
3498 should be used for SSL, SSH, SMTP, ...
3499
3500 http The instance will work in HTTP mode. The client request will be
3501 analyzed in depth before connecting to any server. Any request
3502 which is not RFC-compliant will be rejected. Layer 7 filtering,
3503 processing and switching will be possible. This is the mode which
3504 brings HAProxy most of its value.
3505
3506 health The instance will work in "health" mode. It will just reply "OK"
Willy Tarreau82569f92012-09-27 23:48:56 +02003507 to incoming connections and close the connection. Alternatively,
3508 If the "httpchk" option is set, "HTTP/1.0 200 OK" will be sent
3509 instead. Nothing will be logged in either case. This mode is used
3510 to reply to external components health checks. This mode is
3511 deprecated and should not be used anymore as it is possible to do
3512 the same and even better by combining TCP or HTTP modes with the
3513 "monitor" keyword.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003514
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003515 When doing content switching, it is mandatory that the frontend and the
3516 backend are in the same mode (generally HTTP), otherwise the configuration
3517 will be refused.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003518
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003519 Example :
Willy Tarreau2769aa02007-12-27 18:26:09 +01003520 defaults http_instances
3521 mode http
3522
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003523 See also : "monitor", "monitor-net"
Willy Tarreau2769aa02007-12-27 18:26:09 +01003524
Willy Tarreau0ba27502007-12-24 16:55:16 +01003525
Cyril Bontéf0c60612010-02-06 14:44:47 +01003526monitor fail { if | unless } <condition>
Willy Tarreau2769aa02007-12-27 18:26:09 +01003527 Add a condition to report a failure to a monitor HTTP request.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003528 May be used in sections : defaults | frontend | listen | backend
3529 no | yes | yes | no
Willy Tarreau0ba27502007-12-24 16:55:16 +01003530 Arguments :
3531 if <cond> the monitor request will fail if the condition is satisfied,
3532 and will succeed otherwise. The condition should describe a
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003533 combined test which must induce a failure if all conditions
Willy Tarreau0ba27502007-12-24 16:55:16 +01003534 are met, for instance a low number of servers both in a
3535 backend and its backup.
3536
3537 unless <cond> the monitor request will succeed only if the condition is
3538 satisfied, and will fail otherwise. Such a condition may be
3539 based on a test on the presence of a minimum number of active
3540 servers in a list of backends.
3541
3542 This statement adds a condition which can force the response to a monitor
3543 request to report a failure. By default, when an external component queries
3544 the URI dedicated to monitoring, a 200 response is returned. When one of the
3545 conditions above is met, haproxy will return 503 instead of 200. This is
3546 very useful to report a site failure to an external component which may base
3547 routing advertisements between multiple sites on the availability reported by
3548 haproxy. In this case, one would rely on an ACL involving the "nbsrv"
Willy Tarreauae94d4d2011-05-11 16:28:49 +02003549 criterion. Note that "monitor fail" only works in HTTP mode. Both status
3550 messages may be tweaked using "errorfile" or "errorloc" if needed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01003551
3552 Example:
3553 frontend www
Willy Tarreau2769aa02007-12-27 18:26:09 +01003554 mode http
Willy Tarreau0ba27502007-12-24 16:55:16 +01003555 acl site_dead nbsrv(dynamic) lt 2
3556 acl site_dead nbsrv(static) lt 2
3557 monitor-uri /site_alive
3558 monitor fail if site_dead
3559
Willy Tarreauae94d4d2011-05-11 16:28:49 +02003560 See also : "monitor-net", "monitor-uri", "errorfile", "errorloc"
Willy Tarreau2769aa02007-12-27 18:26:09 +01003561
3562
3563monitor-net <source>
3564 Declare a source network which is limited to monitor requests
3565 May be used in sections : defaults | frontend | listen | backend
3566 yes | yes | yes | no
3567 Arguments :
3568 <source> is the source IPv4 address or network which will only be able to
3569 get monitor responses to any request. It can be either an IPv4
3570 address, a host name, or an address followed by a slash ('/')
3571 followed by a mask.
3572
3573 In TCP mode, any connection coming from a source matching <source> will cause
3574 the connection to be immediately closed without any log. This allows another
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003575 equipment to probe the port and verify that it is still listening, without
Willy Tarreau2769aa02007-12-27 18:26:09 +01003576 forwarding the connection to a remote server.
3577
3578 In HTTP mode, a connection coming from a source matching <source> will be
3579 accepted, the following response will be sent without waiting for a request,
3580 then the connection will be closed : "HTTP/1.0 200 OK". This is normally
3581 enough for any front-end HTTP probe to detect that the service is UP and
Willy Tarreau82569f92012-09-27 23:48:56 +02003582 running without forwarding the request to a backend server. Note that this
3583 response is sent in raw format, without any transformation. This is important
3584 as it means that it will not be SSL-encrypted on SSL listeners.
Willy Tarreau2769aa02007-12-27 18:26:09 +01003585
Willy Tarreau82569f92012-09-27 23:48:56 +02003586 Monitor requests are processed very early, just after tcp-request connection
3587 ACLs which are the only ones able to block them. These connections are short
3588 lived and never wait for any data from the client. They cannot be logged, and
3589 it is the intended purpose. They are only used to report HAProxy's health to
3590 an upper component, nothing more. Please note that "monitor fail" rules do
3591 not apply to connections intercepted by "monitor-net".
Willy Tarreau2769aa02007-12-27 18:26:09 +01003592
Willy Tarreau95cd2832010-03-04 23:36:33 +01003593 Last, please note that only one "monitor-net" statement can be specified in
3594 a frontend. If more than one is found, only the last one will be considered.
Cyril Bonté108cf6e2012-04-21 23:30:29 +02003595
Willy Tarreau2769aa02007-12-27 18:26:09 +01003596 Example :
3597 # addresses .252 and .253 are just probing us.
3598 frontend www
3599 monitor-net 192.168.0.252/31
3600
3601 See also : "monitor fail", "monitor-uri"
3602
3603
3604monitor-uri <uri>
3605 Intercept a URI used by external components' monitor requests
3606 May be used in sections : defaults | frontend | listen | backend
3607 yes | yes | yes | no
3608 Arguments :
3609 <uri> is the exact URI which we want to intercept to return HAProxy's
3610 health status instead of forwarding the request.
3611
3612 When an HTTP request referencing <uri> will be received on a frontend,
3613 HAProxy will not forward it nor log it, but instead will return either
3614 "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
3615 conditions defined with "monitor fail". This is normally enough for any
3616 front-end HTTP probe to detect that the service is UP and running without
3617 forwarding the request to a backend server. Note that the HTTP method, the
3618 version and all headers are ignored, but the request must at least be valid
3619 at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
3620
3621 Monitor requests are processed very early. It is not possible to block nor
3622 divert them using ACLs. They cannot be logged either, and it is the intended
3623 purpose. They are only used to report HAProxy's health to an upper component,
3624 nothing more. However, it is possible to add any number of conditions using
3625 "monitor fail" and ACLs so that the result can be adjusted to whatever check
3626 can be imagined (most often the number of available servers in a backend).
3627
3628 Example :
3629 # Use /haproxy_test to report haproxy's status
3630 frontend www
3631 mode http
3632 monitor-uri /haproxy_test
3633
3634 See also : "monitor fail", "monitor-net"
3635
Willy Tarreau0ba27502007-12-24 16:55:16 +01003636
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003637option abortonclose
3638no option abortonclose
3639 Enable or disable early dropping of aborted requests pending in queues.
3640 May be used in sections : defaults | frontend | listen | backend
3641 yes | no | yes | yes
3642 Arguments : none
3643
3644 In presence of very high loads, the servers will take some time to respond.
3645 The per-instance connection queue will inflate, and the response time will
3646 increase respective to the size of the queue times the average per-session
3647 response time. When clients will wait for more than a few seconds, they will
Willy Tarreau198a7442008-01-17 12:05:32 +01003648 often hit the "STOP" button on their browser, leaving a useless request in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003649 the queue, and slowing down other users, and the servers as well, because the
3650 request will eventually be served, then aborted at the first error
3651 encountered while delivering the response.
3652
3653 As there is no way to distinguish between a full STOP and a simple output
3654 close on the client side, HTTP agents should be conservative and consider
3655 that the client might only have closed its output channel while waiting for
3656 the response. However, this introduces risks of congestion when lots of users
3657 do the same, and is completely useless nowadays because probably no client at
3658 all will close the session while waiting for the response. Some HTTP agents
Willy Tarreaud72758d2010-01-12 10:42:19 +01003659 support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003660 hardware-based load balancers). So the probability for a closed input channel
Willy Tarreau198a7442008-01-17 12:05:32 +01003661 to represent a user hitting the "STOP" button is close to 100%, and the risk
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003662 of being the single component to break rare but valid traffic is extremely
3663 low, which adds to the temptation to be able to abort a session early while
3664 still not served and not pollute the servers.
3665
3666 In HAProxy, the user can choose the desired behaviour using the option
3667 "abortonclose". By default (without the option) the behaviour is HTTP
3668 compliant and aborted requests will be served. But when the option is
3669 specified, a session with an incoming channel closed will be aborted while
3670 it is still possible, either pending in the queue for a connection slot, or
3671 during the connection establishment if the server has not yet acknowledged
3672 the connection request. This considerably reduces the queue size and the load
3673 on saturated servers when users are tempted to click on STOP, which in turn
Willy Tarreaud72758d2010-01-12 10:42:19 +01003674 reduces the response time for other users.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003675
3676 If this option has been enabled in a "defaults" section, it can be disabled
3677 in a specific instance by prepending the "no" keyword before it.
3678
3679 See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
3680
3681
Willy Tarreau4076a152009-04-02 15:18:36 +02003682option accept-invalid-http-request
3683no option accept-invalid-http-request
3684 Enable or disable relaxing of HTTP request parsing
3685 May be used in sections : defaults | frontend | listen | backend
3686 yes | yes | yes | no
3687 Arguments : none
3688
3689 By default, HAProxy complies with RFC2616 in terms of message parsing. This
3690 means that invalid characters in header names are not permitted and cause an
3691 error to be returned to the client. This is the desired behaviour as such
3692 forbidden characters are essentially used to build attacks exploiting server
3693 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
3694 server will emit invalid header names for whatever reason (configuration,
3695 implementation) and the issue will not be immediately fixed. In such a case,
3696 it is possible to relax HAProxy's header name parser to accept any character
Willy Tarreau422246e2012-01-07 23:54:13 +01003697 even if that does not make sense, by specifying this option. Similarly, the
3698 list of characters allowed to appear in a URI is well defined by RFC3986, and
3699 chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92 ('\'), 94 ('^'), 96
3700 ('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete) and anything above are
3701 not allowed at all. Haproxy always blocks a number of them (0..32, 127). The
3702 remaining ones are blocked by default unless this option is enabled.
Willy Tarreau4076a152009-04-02 15:18:36 +02003703
3704 This option should never be enabled by default as it hides application bugs
3705 and open security breaches. It should only be deployed after a problem has
3706 been confirmed.
3707
3708 When this option is enabled, erroneous header names will still be accepted in
3709 requests, but the complete request will be captured in order to permit later
Willy Tarreau422246e2012-01-07 23:54:13 +01003710 analysis using the "show errors" request on the UNIX stats socket. Similarly,
3711 requests containing invalid chars in the URI part will be logged. Doing this
Willy Tarreau4076a152009-04-02 15:18:36 +02003712 also helps confirming that the issue has been solved.
3713
3714 If this option has been enabled in a "defaults" section, it can be disabled
3715 in a specific instance by prepending the "no" keyword before it.
3716
3717 See also : "option accept-invalid-http-response" and "show errors" on the
3718 stats socket.
3719
3720
3721option accept-invalid-http-response
3722no option accept-invalid-http-response
3723 Enable or disable relaxing of HTTP response parsing
3724 May be used in sections : defaults | frontend | listen | backend
3725 yes | no | yes | yes
3726 Arguments : none
3727
3728 By default, HAProxy complies with RFC2616 in terms of message parsing. This
3729 means that invalid characters in header names are not permitted and cause an
3730 error to be returned to the client. This is the desired behaviour as such
3731 forbidden characters are essentially used to build attacks exploiting server
3732 weaknesses, and bypass security filtering. Sometimes, a buggy browser or
3733 server will emit invalid header names for whatever reason (configuration,
3734 implementation) and the issue will not be immediately fixed. In such a case,
3735 it is possible to relax HAProxy's header name parser to accept any character
3736 even if that does not make sense, by specifying this option.
3737
3738 This option should never be enabled by default as it hides application bugs
3739 and open security breaches. It should only be deployed after a problem has
3740 been confirmed.
3741
3742 When this option is enabled, erroneous header names will still be accepted in
3743 responses, but the complete response will be captured in order to permit
3744 later analysis using the "show errors" request on the UNIX stats socket.
3745 Doing this also helps confirming that the issue has been solved.
3746
3747 If this option has been enabled in a "defaults" section, it can be disabled
3748 in a specific instance by prepending the "no" keyword before it.
3749
3750 See also : "option accept-invalid-http-request" and "show errors" on the
3751 stats socket.
3752
3753
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003754option allbackups
3755no option allbackups
3756 Use either all backup servers at a time or only the first one
3757 May be used in sections : defaults | frontend | listen | backend
3758 yes | no | yes | yes
3759 Arguments : none
3760
3761 By default, the first operational backup server gets all traffic when normal
3762 servers are all down. Sometimes, it may be preferred to use multiple backups
3763 at once, because one will not be enough. When "option allbackups" is enabled,
3764 the load balancing will be performed among all backup servers when all normal
3765 ones are unavailable. The same load balancing algorithm will be used and the
3766 servers' weights will be respected. Thus, there will not be any priority
3767 order between the backup servers anymore.
3768
3769 This option is mostly used with static server farms dedicated to return a
3770 "sorry" page when an application is completely offline.
3771
3772 If this option has been enabled in a "defaults" section, it can be disabled
3773 in a specific instance by prepending the "no" keyword before it.
3774
3775
3776option checkcache
3777no option checkcache
Godbach7056a352013-12-11 20:01:07 +08003778 Analyze all server responses and block responses with cacheable cookies
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003779 May be used in sections : defaults | frontend | listen | backend
3780 yes | no | yes | yes
3781 Arguments : none
3782
3783 Some high-level frameworks set application cookies everywhere and do not
3784 always let enough control to the developer to manage how the responses should
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003785 be cached. When a session cookie is returned on a cacheable object, there is a
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003786 high risk of session crossing or stealing between users traversing the same
3787 caches. In some situations, it is better to block the response than to let
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02003788 some sensitive session information go in the wild.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003789
3790 The option "checkcache" enables deep inspection of all server responses for
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003791 strict compliance with HTTP specification in terms of cacheability. It
Willy Tarreau198a7442008-01-17 12:05:32 +01003792 carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003793 response to check if there's a risk of caching a cookie on a client-side
3794 proxy. When this option is enabled, the only responses which can be delivered
Willy Tarreau198a7442008-01-17 12:05:32 +01003795 to the client are :
3796 - all those without "Set-Cookie" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003797 - all those with a return code other than 200, 203, 206, 300, 301, 410,
Willy Tarreau198a7442008-01-17 12:05:32 +01003798 provided that the server has not set a "Cache-control: public" header ;
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003799 - all those that come from a POST request, provided that the server has not
3800 set a 'Cache-Control: public' header ;
3801 - those with a 'Pragma: no-cache' header
3802 - those with a 'Cache-control: private' header
3803 - those with a 'Cache-control: no-store' header
3804 - those with a 'Cache-control: max-age=0' header
3805 - those with a 'Cache-control: s-maxage=0' header
3806 - those with a 'Cache-control: no-cache' header
3807 - those with a 'Cache-control: no-cache="set-cookie"' header
3808 - those with a 'Cache-control: no-cache="set-cookie,' header
3809 (allowing other fields after set-cookie)
3810
3811 If a response doesn't respect these requirements, then it will be blocked
Willy Tarreau198a7442008-01-17 12:05:32 +01003812 just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003813 The session state shows "PH--" meaning that the proxy blocked the response
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01003814 during headers processing. Additionally, an alert will be sent in the logs so
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003815 that admins are informed that there's something to be fixed.
3816
3817 Due to the high impact on the application, the application should be tested
3818 in depth with the option enabled before going to production. It is also a
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01003819 good practice to always activate it during tests, even if it is not used in
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003820 production, as it will report potentially dangerous application behaviours.
3821
3822 If this option has been enabled in a "defaults" section, it can be disabled
3823 in a specific instance by prepending the "no" keyword before it.
3824
3825
3826option clitcpka
3827no option clitcpka
3828 Enable or disable the sending of TCP keepalive packets on the client side
3829 May be used in sections : defaults | frontend | listen | backend
3830 yes | yes | yes | no
3831 Arguments : none
3832
3833 When there is a firewall or any session-aware component between a client and
3834 a server, and when the protocol involves very long sessions with long idle
3835 periods (eg: remote desktops), there is a risk that one of the intermediate
3836 components decides to expire a session which has remained idle for too long.
3837
3838 Enabling socket-level TCP keep-alives makes the system regularly send packets
3839 to the other end of the connection, leaving it active. The delay between
3840 keep-alive probes is controlled by the system only and depends both on the
3841 operating system and its tuning parameters.
3842
3843 It is important to understand that keep-alive packets are neither emitted nor
3844 received at the application level. It is only the network stacks which sees
3845 them. For this reason, even if one side of the proxy already uses keep-alives
3846 to maintain its connection alive, those keep-alive packets will not be
3847 forwarded to the other side of the proxy.
3848
3849 Please note that this has nothing to do with HTTP keep-alive.
3850
3851 Using option "clitcpka" enables the emission of TCP keep-alive probes on the
3852 client side of a connection, which should help when session expirations are
3853 noticed between HAProxy and a client.
3854
3855 If this option has been enabled in a "defaults" section, it can be disabled
3856 in a specific instance by prepending the "no" keyword before it.
3857
3858 See also : "option srvtcpka", "option tcpka"
3859
3860
Willy Tarreau0ba27502007-12-24 16:55:16 +01003861option contstats
3862 Enable continuous traffic statistics updates
3863 May be used in sections : defaults | frontend | listen | backend
3864 yes | yes | yes | no
3865 Arguments : none
3866
3867 By default, counters used for statistics calculation are incremented
3868 only when a session finishes. It works quite well when serving small
3869 objects, but with big ones (for example large images or archives) or
3870 with A/V streaming, a graph generated from haproxy counters looks like
3871 a hedgehog. With this option enabled counters get incremented continuously,
3872 during a whole session. Recounting touches a hotpath directly so
3873 it is not enabled by default, as it has small performance impact (~0.5%).
3874
3875
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003876option dontlog-normal
3877no option dontlog-normal
3878 Enable or disable logging of normal, successful connections
3879 May be used in sections : defaults | frontend | listen | backend
3880 yes | yes | yes | no
3881 Arguments : none
3882
3883 There are large sites dealing with several thousand connections per second
3884 and for which logging is a major pain. Some of them are even forced to turn
3885 logs off and cannot debug production issues. Setting this option ensures that
3886 normal connections, those which experience no error, no timeout, no retry nor
3887 redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
3888 mode, the response status code is checked and return codes 5xx will still be
3889 logged.
3890
3891 It is strongly discouraged to use this option as most of the time, the key to
3892 complex issues is in the normal logs which will not be logged here. If you
3893 need to separate logs, see the "log-separate-errors" option instead.
3894
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003895 See also : "log", "dontlognull", "log-separate-errors" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02003896 logging.
3897
3898
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003899option dontlognull
3900no option dontlognull
3901 Enable or disable logging of null connections
3902 May be used in sections : defaults | frontend | listen | backend
3903 yes | yes | yes | no
3904 Arguments : none
3905
3906 In certain environments, there are components which will regularly connect to
3907 various systems to ensure that they are still alive. It can be the case from
3908 another load balancer as well as from monitoring systems. By default, even a
3909 simple port probe or scan will produce a log. If those connections pollute
3910 the logs too much, it is possible to enable option "dontlognull" to indicate
3911 that a connection on which no data has been transferred will not be logged,
3912 which typically corresponds to those probes.
3913
3914 It is generally recommended not to use this option in uncontrolled
3915 environments (eg: internet), otherwise scans and other malicious activities
3916 would not be logged.
3917
3918 If this option has been enabled in a "defaults" section, it can be disabled
3919 in a specific instance by prepending the "no" keyword before it.
3920
Willy Tarreauc57f0e22009-05-10 13:12:33 +02003921 See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003922
3923
3924option forceclose
3925no option forceclose
3926 Enable or disable active connection closing after response is transferred.
3927 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaua31e5df2009-12-30 01:10:35 +01003928 yes | yes | yes | yes
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003929 Arguments : none
3930
3931 Some HTTP servers do not necessarily close the connections when they receive
3932 the "Connection: close" set by "option httpclose", and if the client does not
3933 close either, then the connection remains open till the timeout expires. This
3934 causes high number of simultaneous connections on the servers and shows high
3935 global session times in the logs.
3936
3937 When this happens, it is possible to use "option forceclose". It will
Willy Tarreau82eeaf22009-12-29 12:09:05 +01003938 actively close the outgoing server channel as soon as the server has finished
Cyril Bonté653dcd62014-02-20 00:13:15 +01003939 to respond and release some resources earlier than with "option httpclose".
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003940
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003941 This option may also be combined with "option http-pretend-keepalive", which
3942 will disable sending of the "Connection: close" header, but will still cause
3943 the connection to be closed once the whole response is received.
3944
Cyril Bonté653dcd62014-02-20 00:13:15 +01003945 This option disables and replaces any previous "option httpclose", "option
3946 http-server-close", "option http-keep-alive", or "option http-tunnel".
Willy Tarreau02bce8b2014-01-30 00:15:28 +01003947
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003948 If this option has been enabled in a "defaults" section, it can be disabled
3949 in a specific instance by prepending the "no" keyword before it.
3950
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02003951 See also : "option httpclose" and "option http-pretend-keepalive"
Willy Tarreaubf1f8162007-12-28 17:42:56 +01003952
3953
Willy Tarreau87cf5142011-08-19 22:57:24 +02003954option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01003955 Enable insertion of the X-Forwarded-For header to requests sent to servers
3956 May be used in sections : defaults | frontend | listen | backend
3957 yes | yes | yes | yes
3958 Arguments :
3959 <network> is an optional argument used to disable this option for sources
3960 matching <network>
Ross Westaf72a1d2008-08-03 10:51:45 +02003961 <name> an optional argument to specify a different "X-Forwarded-For"
Willy Tarreaud72758d2010-01-12 10:42:19 +01003962 header name.
Willy Tarreauc27debf2008-01-06 08:57:02 +01003963
3964 Since HAProxy works in reverse-proxy mode, the servers see its IP address as
3965 their client address. This is sometimes annoying when the client's IP address
3966 is expected in server logs. To solve this problem, the well-known HTTP header
3967 "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
3968 This header contains a value representing the client's IP address. Since this
3969 header is always appended at the end of the existing header list, the server
3970 must be configured to always use the last occurrence of this header only. See
Ross Westaf72a1d2008-08-03 10:51:45 +02003971 the server's manual to find how to enable use of this standard header. Note
3972 that only the last occurrence of the header must be used, since it is really
3973 possible that the client has already brought one.
3974
Willy Tarreaud72758d2010-01-12 10:42:19 +01003975 The keyword "header" may be used to supply a different header name to replace
Ross Westaf72a1d2008-08-03 10:51:45 +02003976 the default "X-Forwarded-For". This can be useful where you might already
Willy Tarreaud72758d2010-01-12 10:42:19 +01003977 have a "X-Forwarded-For" header from a different application (eg: stunnel),
3978 and you need preserve it. Also if your backend server doesn't use the
Ross Westaf72a1d2008-08-03 10:51:45 +02003979 "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
3980 require "X-Cluster-Client-IP").
Willy Tarreauc27debf2008-01-06 08:57:02 +01003981
3982 Sometimes, a same HAProxy instance may be shared between a direct client
3983 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
3984 used to decrypt HTTPS traffic). It is possible to disable the addition of the
3985 header for a known source address or network by adding the "except" keyword
3986 followed by the network address. In this case, any source IP matching the
3987 network will not cause an addition of this header. Most common uses are with
3988 private networks or 127.0.0.1.
3989
Willy Tarreau87cf5142011-08-19 22:57:24 +02003990 Alternatively, the keyword "if-none" states that the header will only be
3991 added if it is not present. This should only be used in perfectly trusted
3992 environment, as this might cause a security issue if headers reaching haproxy
3993 are under the control of the end-user.
3994
Willy Tarreauc27debf2008-01-06 08:57:02 +01003995 This option may be specified either in the frontend or in the backend. If at
Ross Westaf72a1d2008-08-03 10:51:45 +02003996 least one of them uses it, the header will be added. Note that the backend's
3997 setting of the header subargument takes precedence over the frontend's if
Willy Tarreau87cf5142011-08-19 22:57:24 +02003998 both are defined. In the case of the "if-none" argument, if at least one of
3999 the frontend or the backend does not specify it, it wants the addition to be
4000 mandatory, so it wins.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004001
Ross Westaf72a1d2008-08-03 10:51:45 +02004002 Examples :
Willy Tarreauc27debf2008-01-06 08:57:02 +01004003 # Public HTTP address also used by stunnel on the same machine
4004 frontend www
4005 mode http
4006 option forwardfor except 127.0.0.1 # stunnel already adds the header
4007
Ross Westaf72a1d2008-08-03 10:51:45 +02004008 # Those servers want the IP Address in X-Client
4009 backend www
4010 mode http
4011 option forwardfor header X-Client
4012
Willy Tarreau87cf5142011-08-19 22:57:24 +02004013 See also : "option httpclose", "option http-server-close",
Willy Tarreau70dffda2014-01-30 03:07:23 +01004014 "option forceclose", "option http-keep-alive"
Willy Tarreauc27debf2008-01-06 08:57:02 +01004015
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004016
Willy Tarreau16bfb022010-01-16 19:48:41 +01004017option http-keep-alive
4018no option http-keep-alive
4019 Enable or disable HTTP keep-alive from client to server
4020 May be used in sections : defaults | frontend | listen | backend
4021 yes | yes | yes | yes
4022 Arguments : none
4023
Willy Tarreau70dffda2014-01-30 03:07:23 +01004024 By default HAProxy operates in keep-alive mode with regards to persistent
4025 connections: for each connection it processes each request and response, and
4026 leaves the connection idle on both sides between the end of a response and the
4027 start of a new request. This mode may be changed by several options such as
4028 "option http-server-close", "option forceclose", "option httpclose" or
4029 "option http-tunnel". This option allows to set back the keep-alive mode,
4030 which can be useful when another mode was used in a defaults section.
4031
4032 Setting "option http-keep-alive" enables HTTP keep-alive mode on the client-
4033 and server- sides. This provides the lowest latency on the client side (slow
Willy Tarreau16bfb022010-01-16 19:48:41 +01004034 network) and the fastest session reuse on the server side at the expense
4035 of maintaining idle connections to the servers. In general, it is possible
4036 with this option to achieve approximately twice the request rate that the
4037 "http-server-close" option achieves on small objects. There are mainly two
4038 situations where this option may be useful :
4039
4040 - when the server is non-HTTP compliant and authenticates the connection
4041 instead of requests (eg: NTLM authentication)
4042
4043 - when the cost of establishing the connection to the server is significant
4044 compared to the cost of retrieving the associated object from the server.
4045
4046 This last case can happen when the server is a fast static server of cache.
4047 In this case, the server will need to be properly tuned to support high enough
4048 connection counts because connections will last until the client sends another
4049 request.
4050
4051 If the client request has to go to another backend or another server due to
4052 content switching or the load balancing algorithm, the idle connection will
Willy Tarreau9420b122013-12-15 18:58:25 +01004053 immediately be closed and a new one re-opened. Option "prefer-last-server" is
4054 available to try optimize server selection so that if the server currently
4055 attached to an idle connection is usable, it will be used.
Willy Tarreau16bfb022010-01-16 19:48:41 +01004056
4057 In general it is preferred to use "option http-server-close" with application
4058 servers, and some static servers might benefit from "option http-keep-alive".
4059
4060 At the moment, logs will not indicate whether requests came from the same
4061 session or not. The accept date reported in the logs corresponds to the end
4062 of the previous request, and the request time corresponds to the time spent
4063 waiting for a new request. The keep-alive request time is still bound to the
4064 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
4065 not set.
4066
Cyril Bonté653dcd62014-02-20 00:13:15 +01004067 This option disables and replaces any previous "option httpclose", "option
4068 http-server-close", "option forceclose" or "option http-tunnel". When backend
Willy Tarreau70dffda2014-01-30 03:07:23 +01004069 and frontend options differ, all of these 4 options have precedence over
Cyril Bonté653dcd62014-02-20 00:13:15 +01004070 "option http-keep-alive".
Willy Tarreau16bfb022010-01-16 19:48:41 +01004071
4072 See also : "option forceclose", "option http-server-close",
Willy Tarreau9420b122013-12-15 18:58:25 +01004073 "option prefer-last-server", "option http-pretend-keepalive",
4074 "option httpclose", and "1.1. The HTTP transaction model".
Willy Tarreau16bfb022010-01-16 19:48:41 +01004075
4076
Willy Tarreau96e31212011-05-30 18:10:30 +02004077option http-no-delay
4078no option http-no-delay
4079 Instruct the system to favor low interactive delays over performance in HTTP
4080 May be used in sections : defaults | frontend | listen | backend
4081 yes | yes | yes | yes
4082 Arguments : none
4083
4084 In HTTP, each payload is unidirectional and has no notion of interactivity.
4085 Any agent is expected to queue data somewhat for a reasonably low delay.
4086 There are some very rare server-to-server applications that abuse the HTTP
4087 protocol and expect the payload phase to be highly interactive, with many
4088 interleaved data chunks in both directions within a single request. This is
4089 absolutely not supported by the HTTP specification and will not work across
4090 most proxies or servers. When such applications attempt to do this through
4091 haproxy, it works but they will experience high delays due to the network
4092 optimizations which favor performance by instructing the system to wait for
4093 enough data to be available in order to only send full packets. Typical
4094 delays are around 200 ms per round trip. Note that this only happens with
4095 abnormal uses. Normal uses such as CONNECT requests nor WebSockets are not
4096 affected.
4097
4098 When "option http-no-delay" is present in either the frontend or the backend
4099 used by a connection, all such optimizations will be disabled in order to
4100 make the exchanges as fast as possible. Of course this offers no guarantee on
4101 the functionality, as it may break at any other place. But if it works via
4102 HAProxy, it will work as fast as possible. This option should never be used
4103 by default, and should never be used at all unless such a buggy application
4104 is discovered. The impact of using this option is an increase of bandwidth
4105 usage and CPU usage, which may significantly lower performance in high
4106 latency environments.
4107
4108
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004109option http-pretend-keepalive
4110no option http-pretend-keepalive
4111 Define whether haproxy will announce keepalive to the server or not
4112 May be used in sections : defaults | frontend | listen | backend
4113 yes | yes | yes | yes
4114 Arguments : none
4115
4116 When running with "option http-server-close" or "option forceclose", haproxy
4117 adds a "Connection: close" header to the request forwarded to the server.
4118 Unfortunately, when some servers see this header, they automatically refrain
4119 from using the chunked encoding for responses of unknown length, while this
4120 is totally unrelated. The immediate effect is that this prevents haproxy from
4121 maintaining the client connection alive. A second effect is that a client or
4122 a cache could receive an incomplete response without being aware of it, and
4123 consider the response complete.
4124
4125 By setting "option http-pretend-keepalive", haproxy will make the server
4126 believe it will keep the connection alive. The server will then not fall back
4127 to the abnormal undesired above. When haproxy gets the whole response, it
4128 will close the connection with the server just as it would do with the
4129 "forceclose" option. That way the client gets a normal response and the
4130 connection is correctly closed on the server side.
4131
4132 It is recommended not to enable this option by default, because most servers
4133 will more efficiently close the connection themselves after the last packet,
4134 and release its buffers slightly earlier. Also, the added packet on the
4135 network could slightly reduce the overall peak performance. However it is
4136 worth noting that when this option is enabled, haproxy will have slightly
4137 less work to do. So if haproxy is the bottleneck on the whole architecture,
4138 enabling this option might save a few CPU cycles.
4139
4140 This option may be set both in a frontend and in a backend. It is enabled if
4141 at least one of the frontend or backend holding a connection has it enabled.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04004142 This option may be combined with "option httpclose", which will cause
Willy Tarreau22a95342010-09-29 14:31:41 +02004143 keepalive to be announced to the server and close to be announced to the
4144 client. This practice is discouraged though.
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004145
4146 If this option has been enabled in a "defaults" section, it can be disabled
4147 in a specific instance by prepending the "no" keyword before it.
4148
Willy Tarreau16bfb022010-01-16 19:48:41 +01004149 See also : "option forceclose", "option http-server-close", and
4150 "option http-keep-alive"
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02004151
Willy Tarreauc27debf2008-01-06 08:57:02 +01004152
Willy Tarreaub608feb2010-01-02 22:47:18 +01004153option http-server-close
4154no option http-server-close
4155 Enable or disable HTTP connection closing on the server side
4156 May be used in sections : defaults | frontend | listen | backend
4157 yes | yes | yes | yes
4158 Arguments : none
4159
Willy Tarreau70dffda2014-01-30 03:07:23 +01004160 By default HAProxy operates in keep-alive mode with regards to persistent
4161 connections: for each connection it processes each request and response, and
4162 leaves the connection idle on both sides between the end of a response and
4163 the start of a new request. This mode may be changed by several options such
4164 as "option http-server-close", "option forceclose", "option httpclose" or
4165 "option http-tunnel". Setting "option http-server-close" enables HTTP
4166 connection-close mode on the server side while keeping the ability to support
4167 HTTP keep-alive and pipelining on the client side. This provides the lowest
4168 latency on the client side (slow network) and the fastest session reuse on
4169 the server side to save server resources, similarly to "option forceclose".
4170 It also permits non-keepalive capable servers to be served in keep-alive mode
4171 to the clients if they conform to the requirements of RFC2616. Please note
4172 that some servers do not always conform to those requirements when they see
4173 "Connection: close" in the request. The effect will be that keep-alive will
4174 never be used. A workaround consists in enabling "option
4175 http-pretend-keepalive".
Willy Tarreaub608feb2010-01-02 22:47:18 +01004176
4177 At the moment, logs will not indicate whether requests came from the same
4178 session or not. The accept date reported in the logs corresponds to the end
4179 of the previous request, and the request time corresponds to the time spent
4180 waiting for a new request. The keep-alive request time is still bound to the
Willy Tarreaub16a5742010-01-10 14:46:16 +01004181 timeout defined by "timeout http-keep-alive" or "timeout http-request" if
4182 not set.
Willy Tarreaub608feb2010-01-02 22:47:18 +01004183
4184 This option may be set both in a frontend and in a backend. It is enabled if
4185 at least one of the frontend or backend holding a connection has it enabled.
Cyril Bonté653dcd62014-02-20 00:13:15 +01004186 It disables and replaces any previous "option httpclose", "option forceclose",
4187 "option http-tunnel" or "option http-keep-alive". Please check section 4
Willy Tarreau70dffda2014-01-30 03:07:23 +01004188 ("Proxies") to see how this option combines with others when frontend and
4189 backend options differ.
Willy Tarreaub608feb2010-01-02 22:47:18 +01004190
4191 If this option has been enabled in a "defaults" section, it can be disabled
4192 in a specific instance by prepending the "no" keyword before it.
4193
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02004194 See also : "option forceclose", "option http-pretend-keepalive",
Willy Tarreau16bfb022010-01-16 19:48:41 +01004195 "option httpclose", "option http-keep-alive", and
4196 "1.1. The HTTP transaction model".
Willy Tarreaub608feb2010-01-02 22:47:18 +01004197
4198
Willy Tarreau02bce8b2014-01-30 00:15:28 +01004199option http-tunnel
4200no option http-tunnel
4201 Disable or enable HTTP connection processing after first transaction
4202 May be used in sections : defaults | frontend | listen | backend
4203 yes | yes | yes | yes
4204 Arguments : none
4205
Willy Tarreau70dffda2014-01-30 03:07:23 +01004206 By default HAProxy operates in keep-alive mode with regards to persistent
4207 connections: for each connection it processes each request and response, and
4208 leaves the connection idle on both sides between the end of a response and
4209 the start of a new request. This mode may be changed by several options such
4210 as "option http-server-close", "option forceclose", "option httpclose" or
4211 "option http-tunnel".
4212
4213 Option "http-tunnel" disables any HTTP processing past the first request and
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03004214 the first response. This is the mode which was used by default in versions
Willy Tarreau70dffda2014-01-30 03:07:23 +01004215 1.0 to 1.5-dev21. It is the mode with the lowest processing overhead, which
4216 is normally not needed anymore unless in very specific cases such as when
4217 using an in-house protocol that looks like HTTP but is not compatible, or
4218 just to log one request per client in order to reduce log size. Note that
4219 everything which works at the HTTP level, including header parsing/addition,
4220 cookie processing or content switching will only work for the first request
4221 and will be ignored after the first response.
Willy Tarreau02bce8b2014-01-30 00:15:28 +01004222
4223 If this option has been enabled in a "defaults" section, it can be disabled
4224 in a specific instance by prepending the "no" keyword before it.
4225
4226 See also : "option forceclose", "option http-server-close",
4227 "option httpclose", "option http-keep-alive", and
4228 "1.1. The HTTP transaction model".
4229
4230
Willy Tarreau88d349d2010-01-25 12:15:43 +01004231option http-use-proxy-header
Cyril Bontéf0c60612010-02-06 14:44:47 +01004232no option http-use-proxy-header
Willy Tarreau88d349d2010-01-25 12:15:43 +01004233 Make use of non-standard Proxy-Connection header instead of Connection
4234 May be used in sections : defaults | frontend | listen | backend
4235 yes | yes | yes | no
4236 Arguments : none
4237
4238 While RFC2616 explicitly states that HTTP/1.1 agents must use the
4239 Connection header to indicate their wish of persistent or non-persistent
4240 connections, both browsers and proxies ignore this header for proxied
4241 connections and make use of the undocumented, non-standard Proxy-Connection
4242 header instead. The issue begins when trying to put a load balancer between
4243 browsers and such proxies, because there will be a difference between what
4244 haproxy understands and what the client and the proxy agree on.
4245
4246 By setting this option in a frontend, haproxy can automatically switch to use
4247 that non-standard header if it sees proxied requests. A proxied request is
4248 defined here as one where the URI begins with neither a '/' nor a '*'. The
4249 choice of header only affects requests passing through proxies making use of
4250 one of the "httpclose", "forceclose" and "http-server-close" options. Note
4251 that this option can only be specified in a frontend and will affect the
4252 request along its whole life.
4253
Willy Tarreau844a7e72010-01-31 21:46:18 +01004254 Also, when this option is set, a request which requires authentication will
4255 automatically switch to use proxy authentication headers if it is itself a
4256 proxied request. That makes it possible to check or enforce authentication in
4257 front of an existing proxy.
4258
Willy Tarreau88d349d2010-01-25 12:15:43 +01004259 This option should normally never be used, except in front of a proxy.
4260
4261 See also : "option httpclose", "option forceclose" and "option
4262 http-server-close".
4263
4264
Willy Tarreaud63335a2010-02-26 12:56:52 +01004265option httpchk
4266option httpchk <uri>
4267option httpchk <method> <uri>
4268option httpchk <method> <uri> <version>
4269 Enable HTTP protocol to check on the servers health
4270 May be used in sections : defaults | frontend | listen | backend
4271 yes | no | yes | yes
4272 Arguments :
4273 <method> is the optional HTTP method used with the requests. When not set,
4274 the "OPTIONS" method is used, as it generally requires low server
4275 processing and is easy to filter out from the logs. Any method
4276 may be used, though it is not recommended to invent non-standard
4277 ones.
4278
4279 <uri> is the URI referenced in the HTTP requests. It defaults to " / "
4280 which is accessible by default on almost any server, but may be
4281 changed to any other URI. Query strings are permitted.
4282
4283 <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
4284 but some servers might behave incorrectly in HTTP 1.0, so turning
4285 it to HTTP/1.1 may sometimes help. Note that the Host field is
4286 mandatory in HTTP/1.1, and as a trick, it is possible to pass it
4287 after "\r\n" following the version string.
4288
4289 By default, server health checks only consist in trying to establish a TCP
4290 connection. When "option httpchk" is specified, a complete HTTP request is
4291 sent once the TCP connection is established, and responses 2xx and 3xx are
4292 considered valid, while all other ones indicate a server failure, including
4293 the lack of any response.
4294
4295 The port and interval are specified in the server configuration.
4296
4297 This option does not necessarily require an HTTP backend, it also works with
4298 plain TCP backends. This is particularly useful to check simple scripts bound
4299 to some dedicated ports using the inetd daemon.
4300
4301 Examples :
4302 # Relay HTTPS traffic to Apache instance and check service availability
4303 # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
4304 backend https_relay
4305 mode tcp
4306 option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
4307 server apache1 192.168.1.1:443 check port 80
4308
Simon Hormanafc47ee2013-11-25 10:46:35 +09004309 See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
4310 "option pgsql-check", "http-check" and the "check", "port" and
4311 "inter" server options.
Willy Tarreaud63335a2010-02-26 12:56:52 +01004312
4313
Willy Tarreauc27debf2008-01-06 08:57:02 +01004314option httpclose
4315no option httpclose
4316 Enable or disable passive HTTP connection closing
4317 May be used in sections : defaults | frontend | listen | backend
4318 yes | yes | yes | yes
4319 Arguments : none
4320
Willy Tarreau70dffda2014-01-30 03:07:23 +01004321 By default HAProxy operates in keep-alive mode with regards to persistent
4322 connections: for each connection it processes each request and response, and
4323 leaves the connection idle on both sides between the end of a response and
4324 the start of a new request. This mode may be changed by several options such
Cyril Bonté653dcd62014-02-20 00:13:15 +01004325 as "option http-server-close", "option forceclose", "option httpclose" or
Willy Tarreau70dffda2014-01-30 03:07:23 +01004326 "option http-tunnel".
4327
4328 If "option httpclose" is set, HAProxy will work in HTTP tunnel mode and check
4329 if a "Connection: close" header is already set in each direction, and will
4330 add one if missing. Each end should react to this by actively closing the TCP
4331 connection after each transfer, thus resulting in a switch to the HTTP close
4332 mode. Any "Connection" header different from "close" will also be removed.
4333 Note that this option is deprecated since what it does is very cheap but not
4334 reliable. Using "option http-server-close" or "option forceclose" is strongly
4335 recommended instead.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004336
4337 It seldom happens that some servers incorrectly ignore this header and do not
Jamie Gloudonaaa21002012-08-25 00:18:33 -04004338 close the connection even though they reply "Connection: close". For this
Willy Tarreau0dfdf192010-01-05 11:33:11 +01004339 reason, they are not compatible with older HTTP 1.0 browsers. If this happens
4340 it is possible to use the "option forceclose" which actively closes the
4341 request connection once the server responds. Option "forceclose" also
4342 releases the server connection earlier because it does not have to wait for
4343 the client to acknowledge it.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004344
4345 This option may be set both in a frontend and in a backend. It is enabled if
4346 at least one of the frontend or backend holding a connection has it enabled.
Cyril Bonté653dcd62014-02-20 00:13:15 +01004347 It disables and replaces any previous "option http-server-close",
4348 "option forceclose", "option http-keep-alive" or "option http-tunnel". Please
Willy Tarreau70dffda2014-01-30 03:07:23 +01004349 check section 4 ("Proxies") to see how this option combines with others when
4350 frontend and backend options differ.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004351
4352 If this option has been enabled in a "defaults" section, it can be disabled
4353 in a specific instance by prepending the "no" keyword before it.
4354
Patrick Mezard9ec2ec42010-06-12 17:02:45 +02004355 See also : "option forceclose", "option http-server-close" and
4356 "1.1. The HTTP transaction model".
Willy Tarreauc27debf2008-01-06 08:57:02 +01004357
4358
Emeric Brun3a058f32009-06-30 18:26:00 +02004359option httplog [ clf ]
Willy Tarreauc27debf2008-01-06 08:57:02 +01004360 Enable logging of HTTP request, session state and timers
4361 May be used in sections : defaults | frontend | listen | backend
4362 yes | yes | yes | yes
Emeric Brun3a058f32009-06-30 18:26:00 +02004363 Arguments :
4364 clf if the "clf" argument is added, then the output format will be
4365 the CLF format instead of HAProxy's default HTTP format. You can
4366 use this when you need to feed HAProxy's logs through a specific
4367 log analyser which only support the CLF format and which is not
4368 extensible.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004369
4370 By default, the log output format is very poor, as it only contains the
4371 source and destination addresses, and the instance name. By specifying
4372 "option httplog", each log line turns into a much richer format including,
4373 but not limited to, the HTTP request, the connection timers, the session
4374 status, the connections numbers, the captured headers and cookies, the
4375 frontend, backend and server name, and of course the source address and
4376 ports.
4377
4378 This option may be set either in the frontend or the backend.
4379
Emeric Brun3a058f32009-06-30 18:26:00 +02004380 If this option has been enabled in a "defaults" section, it can be disabled
4381 in a specific instance by prepending the "no" keyword before it. Specifying
4382 only "option httplog" will automatically clear the 'clf' mode if it was set
4383 by default.
4384
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004385 See also : section 8 about logging.
Willy Tarreauc27debf2008-01-06 08:57:02 +01004386
Willy Tarreau55165fe2009-05-10 12:02:55 +02004387
4388option http_proxy
4389no option http_proxy
4390 Enable or disable plain HTTP proxy mode
4391 May be used in sections : defaults | frontend | listen | backend
4392 yes | yes | yes | yes
4393 Arguments : none
4394
4395 It sometimes happens that people need a pure HTTP proxy which understands
4396 basic proxy requests without caching nor any fancy feature. In this case,
4397 it may be worth setting up an HAProxy instance with the "option http_proxy"
4398 set. In this mode, no server is declared, and the connection is forwarded to
4399 the IP address and port found in the URL after the "http://" scheme.
4400
4401 No host address resolution is performed, so this only works when pure IP
4402 addresses are passed. Since this option's usage perimeter is rather limited,
4403 it will probably be used only by experts who know they need exactly it. Last,
4404 if the clients are susceptible of sending keep-alive requests, it will be
Cyril Bonté2409e682010-12-14 22:47:51 +01004405 needed to add "option httpclose" to ensure that all requests will correctly
Willy Tarreau55165fe2009-05-10 12:02:55 +02004406 be analyzed.
4407
4408 If this option has been enabled in a "defaults" section, it can be disabled
4409 in a specific instance by prepending the "no" keyword before it.
4410
4411 Example :
4412 # this backend understands HTTP proxy requests and forwards them directly.
4413 backend direct_forward
4414 option httpclose
4415 option http_proxy
4416
4417 See also : "option httpclose"
4418
Willy Tarreau211ad242009-10-03 21:45:07 +02004419
Jamie Gloudon801a0a32012-08-25 00:18:33 -04004420option independent-streams
4421no option independent-streams
4422 Enable or disable independent timeout processing for both directions
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02004423 May be used in sections : defaults | frontend | listen | backend
4424 yes | yes | yes | yes
4425 Arguments : none
4426
4427 By default, when data is sent over a socket, both the write timeout and the
4428 read timeout for that socket are refreshed, because we consider that there is
4429 activity on that socket, and we have no other means of guessing if we should
4430 receive data or not.
4431
4432 While this default behaviour is desirable for almost all applications, there
4433 exists a situation where it is desirable to disable it, and only refresh the
4434 read timeout if there are incoming data. This happens on sessions with large
4435 timeouts and low amounts of exchanged data such as telnet session. If the
4436 server suddenly disappears, the output data accumulates in the system's
4437 socket buffers, both timeouts are correctly refreshed, and there is no way
4438 to know the server does not receive them, so we don't timeout. However, when
4439 the underlying protocol always echoes sent data, it would be enough by itself
4440 to detect the issue using the read timeout. Note that this problem does not
4441 happen with more verbose protocols because data won't accumulate long in the
4442 socket buffers.
4443
4444 When this option is set on the frontend, it will disable read timeout updates
4445 on data sent to the client. There probably is little use of this case. When
4446 the option is set on the backend, it will disable read timeout updates on
4447 data sent to the server. Doing so will typically break large HTTP posts from
4448 slow lines, so use it with caution.
4449
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03004450 Note: older versions used to call this setting "option independent-streams"
Jamie Gloudon801a0a32012-08-25 00:18:33 -04004451 with a spelling mistake. This spelling is still supported but
4452 deprecated.
4453
Willy Tarreauce887fd2012-05-12 12:50:00 +02004454 See also : "timeout client", "timeout server" and "timeout tunnel"
Willy Tarreauf27b5ea2009-10-03 22:01:18 +02004455
4456
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02004457option ldap-check
4458 Use LDAPv3 health checks for server testing
4459 May be used in sections : defaults | frontend | listen | backend
4460 yes | no | yes | yes
4461 Arguments : none
4462
4463 It is possible to test that the server correctly talks LDAPv3 instead of just
4464 testing that it accepts the TCP connection. When this option is set, an
4465 LDAPv3 anonymous simple bind message is sent to the server, and the response
4466 is analyzed to find an LDAPv3 bind response message.
4467
4468 The server is considered valid only when the LDAP response contains success
4469 resultCode (http://tools.ietf.org/html/rfc4511#section-4.1.9).
4470
4471 Logging of bind requests is server dependent see your documentation how to
4472 configure it.
4473
4474 Example :
4475 option ldap-check
4476
4477 See also : "option httpchk"
4478
4479
Willy Tarreau211ad242009-10-03 21:45:07 +02004480option log-health-checks
4481no option log-health-checks
Willy Tarreaubef1b322014-05-13 21:01:39 +02004482 Enable or disable logging of health checks status updates
Willy Tarreau211ad242009-10-03 21:45:07 +02004483 May be used in sections : defaults | frontend | listen | backend
4484 yes | no | yes | yes
4485 Arguments : none
4486
Willy Tarreaubef1b322014-05-13 21:01:39 +02004487 By default, failed health check are logged if server is UP and successful
4488 health checks are logged if server is DOWN, so the amount of additional
4489 information is limited.
Willy Tarreau211ad242009-10-03 21:45:07 +02004490
Willy Tarreaubef1b322014-05-13 21:01:39 +02004491 When this option is enabled, any change of the health check status or to
4492 the server's health will be logged, so that it becomes possible to know
4493 that a server was failing occasional checks before crashing, or exactly when
4494 it failed to respond a valid HTTP status, then when the port started to
4495 reject connections, then when the server stopped responding at all.
4496
4497 Note that status changes not caused by health checks (eg: enable/disable on
4498 the CLI) are intentionally not logged by this option.
Willy Tarreau211ad242009-10-03 21:45:07 +02004499
Willy Tarreaubef1b322014-05-13 21:01:39 +02004500 See also: "option httpchk", "option ldap-check", "option mysql-check",
4501 "option pgsql-check", "option redis-check", "option smtpchk",
4502 "option tcp-check", "log" and section 8 about logging.
Willy Tarreau211ad242009-10-03 21:45:07 +02004503
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02004504
4505option log-separate-errors
4506no option log-separate-errors
4507 Change log level for non-completely successful connections
4508 May be used in sections : defaults | frontend | listen | backend
4509 yes | yes | yes | no
4510 Arguments : none
4511
4512 Sometimes looking for errors in logs is not easy. This option makes haproxy
4513 raise the level of logs containing potentially interesting information such
4514 as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
4515 level changes from "info" to "err". This makes it possible to log them
4516 separately to a different file with most syslog daemons. Be careful not to
4517 remove them from the original file, otherwise you would lose ordering which
4518 provides very important information.
4519
4520 Using this option, large sites dealing with several thousand connections per
4521 second may log normal traffic to a rotating buffer and only archive smaller
4522 error logs.
4523
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004524 See also : "log", "dontlognull", "dontlog-normal" and section 8 about
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +02004525 logging.
4526
Willy Tarreauc27debf2008-01-06 08:57:02 +01004527
4528option logasap
4529no option logasap
4530 Enable or disable early logging of HTTP requests
4531 May be used in sections : defaults | frontend | listen | backend
4532 yes | yes | yes | no
4533 Arguments : none
4534
4535 By default, HTTP requests are logged upon termination so that the total
4536 transfer time and the number of bytes appear in the logs. When large objects
4537 are being transferred, it may take a while before the request appears in the
4538 logs. Using "option logasap", the request gets logged as soon as the server
4539 sends the complete headers. The only missing information in the logs will be
4540 the total number of bytes which will indicate everything except the amount
4541 of data transferred, and the total time which will not take the transfer
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01004542 time into account. In such a situation, it's a good practice to capture the
Willy Tarreauc27debf2008-01-06 08:57:02 +01004543 "Content-Length" response header so that the logs at least indicate how many
4544 bytes are expected to be transferred.
4545
Willy Tarreaucc6c8912009-02-22 10:53:55 +01004546 Examples :
4547 listen http_proxy 0.0.0.0:80
4548 mode http
4549 option httplog
4550 option logasap
4551 log 192.168.2.200 local3
4552
4553 >>> Feb 6 12:14:14 localhost \
4554 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
4555 static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
4556 "GET /image.iso HTTP/1.0"
4557
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004558 See also : "option httplog", "capture response header", and section 8 about
Willy Tarreauc27debf2008-01-06 08:57:02 +01004559 logging.
4560
4561
Nenad Merdanovic6639a7c2014-05-30 14:26:32 +02004562option mysql-check [ user <username> [ post-41 ] ]
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02004563 Use MySQL health checks for server testing
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01004564 May be used in sections : defaults | frontend | listen | backend
4565 yes | no | yes | yes
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02004566 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02004567 <username> This is the username which will be used when connecting to MySQL
4568 server.
Nenad Merdanovic6639a7c2014-05-30 14:26:32 +02004569 post-41 Send post v4.1 client compatible checks
Hervé COMMOWICK8776f1b2010-10-18 15:58:36 +02004570
4571 If you specify a username, the check consists of sending two MySQL packet,
4572 one Client Authentication packet, and one QUIT packet, to correctly close
4573 MySQL session. We then parse the MySQL Handshake Initialisation packet and/or
4574 Error packet. It is a basic but useful test which does not produce error nor
4575 aborted connect on the server. However, it requires adding an authorization
4576 in the MySQL table, like this :
4577
4578 USE mysql;
4579 INSERT INTO user (Host,User) values ('<ip_of_haproxy>','<username>');
4580 FLUSH PRIVILEGES;
4581
4582 If you don't specify a username (it is deprecated and not recommended), the
4583 check only consists in parsing the Mysql Handshake Initialisation packet or
4584 Error packet, we don't send anything in this mode. It was reported that it
4585 can generate lockout if check is too frequent and/or if there is not enough
4586 traffic. In fact, you need in this case to check MySQL "max_connect_errors"
4587 value as if a connection is established successfully within fewer than MySQL
4588 "max_connect_errors" attempts after a previous connection was interrupted,
4589 the error count for the host is cleared to zero. If HAProxy's server get
4590 blocked, the "FLUSH HOSTS" statement is the only way to unblock it.
4591
4592 Remember that this does not check database presence nor database consistency.
4593 To do this, you can use an external check with xinetd for example.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01004594
Hervé COMMOWICK212f7782011-06-10 14:05:59 +02004595 The check requires MySQL >=3.22, for older version, please use TCP check.
Hervé COMMOWICK698ae002010-01-12 09:25:13 +01004596
4597 Most often, an incoming MySQL server needs to see the client's IP address for
4598 various purposes, including IP privilege matching and connection logging.
4599 When possible, it is often wise to masquerade the client's IP address when
4600 connecting to the server using the "usesrc" argument of the "source" keyword,
4601 which requires the cttproxy feature to be compiled in, and the MySQL server
4602 to route the client via the machine hosting haproxy.
4603
4604 See also: "option httpchk"
4605
4606
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004607option nolinger
4608no option nolinger
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004609 Enable or disable immediate session resource cleaning after close
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004610 May be used in sections: defaults | frontend | listen | backend
4611 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004612 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004613
4614 When clients or servers abort connections in a dirty way (eg: they are
4615 physically disconnected), the session timeouts triggers and the session is
4616 closed. But it will remain in FIN_WAIT1 state for some time in the system,
4617 using some resources and possibly limiting the ability to establish newer
4618 connections.
4619
4620 When this happens, it is possible to activate "option nolinger" which forces
4621 the system to immediately remove any socket's pending data on close. Thus,
4622 the session is instantly purged from the system's tables. This usually has
4623 side effects such as increased number of TCP resets due to old retransmits
4624 getting immediately rejected. Some firewalls may sometimes complain about
4625 this too.
4626
4627 For this reason, it is not recommended to use this option when not absolutely
4628 needed. You know that you need it when you have thousands of FIN_WAIT1
4629 sessions on your system (TIME_WAIT ones do not count).
4630
4631 This option may be used both on frontends and backends, depending on the side
4632 where it is required. Use it on the frontend for clients, and on the backend
4633 for servers.
4634
4635 If this option has been enabled in a "defaults" section, it can be disabled
4636 in a specific instance by prepending the "no" keyword before it.
4637
4638
Willy Tarreau55165fe2009-05-10 12:02:55 +02004639option originalto [ except <network> ] [ header <name> ]
4640 Enable insertion of the X-Original-To header to requests sent to servers
4641 May be used in sections : defaults | frontend | listen | backend
4642 yes | yes | yes | yes
4643 Arguments :
4644 <network> is an optional argument used to disable this option for sources
4645 matching <network>
4646 <name> an optional argument to specify a different "X-Original-To"
4647 header name.
4648
4649 Since HAProxy can work in transparent mode, every request from a client can
4650 be redirected to the proxy and HAProxy itself can proxy every request to a
4651 complex SQUID environment and the destination host from SO_ORIGINAL_DST will
4652 be lost. This is annoying when you want access rules based on destination ip
4653 addresses. To solve this problem, a new HTTP header "X-Original-To" may be
4654 added by HAProxy to all requests sent to the server. This header contains a
4655 value representing the original destination IP address. Since this must be
4656 configured to always use the last occurrence of this header only. Note that
4657 only the last occurrence of the header must be used, since it is really
4658 possible that the client has already brought one.
4659
4660 The keyword "header" may be used to supply a different header name to replace
4661 the default "X-Original-To". This can be useful where you might already
4662 have a "X-Original-To" header from a different application, and you need
4663 preserve it. Also if your backend server doesn't use the "X-Original-To"
4664 header and requires different one.
4665
4666 Sometimes, a same HAProxy instance may be shared between a direct client
4667 access and a reverse-proxy access (for instance when an SSL reverse-proxy is
4668 used to decrypt HTTPS traffic). It is possible to disable the addition of the
4669 header for a known source address or network by adding the "except" keyword
4670 followed by the network address. In this case, any source IP matching the
4671 network will not cause an addition of this header. Most common uses are with
4672 private networks or 127.0.0.1.
4673
4674 This option may be specified either in the frontend or in the backend. If at
4675 least one of them uses it, the header will be added. Note that the backend's
4676 setting of the header subargument takes precedence over the frontend's if
4677 both are defined.
4678
Willy Tarreau55165fe2009-05-10 12:02:55 +02004679 Examples :
4680 # Original Destination address
4681 frontend www
4682 mode http
4683 option originalto except 127.0.0.1
4684
4685 # Those servers want the IP Address in X-Client-Dst
4686 backend www
4687 mode http
4688 option originalto header X-Client-Dst
4689
Willy Tarreau87cf5142011-08-19 22:57:24 +02004690 See also : "option httpclose", "option http-server-close",
4691 "option forceclose"
Willy Tarreau55165fe2009-05-10 12:02:55 +02004692
4693
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004694option persist
4695no option persist
4696 Enable or disable forced persistence on down servers
4697 May be used in sections: defaults | frontend | listen | backend
4698 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004699 Arguments : none
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004700
4701 When an HTTP request reaches a backend with a cookie which references a dead
4702 server, by default it is redispatched to another server. It is possible to
4703 force the request to be sent to the dead server first using "option persist"
4704 if absolutely needed. A common use case is when servers are under extreme
4705 load and spend their time flapping. In this case, the users would still be
4706 directed to the server they opened the session on, in the hope they would be
4707 correctly served. It is recommended to use "option redispatch" in conjunction
4708 with this option so that in the event it would not be possible to connect to
4709 the server at all (server definitely dead), the client would finally be
4710 redirected to another valid server.
4711
4712 If this option has been enabled in a "defaults" section, it can be disabled
4713 in a specific instance by prepending the "no" keyword before it.
4714
Willy Tarreau4de91492010-01-22 19:10:05 +01004715 See also : "option redispatch", "retries", "force-persist"
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004716
4717
Willy Tarreau0c122822013-12-15 18:49:01 +01004718option pgsql-check [ user <username> ]
4719 Use PostgreSQL health checks for server testing
4720 May be used in sections : defaults | frontend | listen | backend
4721 yes | no | yes | yes
4722 Arguments :
4723 <username> This is the username which will be used when connecting to
4724 PostgreSQL server.
4725
4726 The check sends a PostgreSQL StartupMessage and waits for either
4727 Authentication request or ErrorResponse message. It is a basic but useful
4728 test which does not produce error nor aborted connect on the server.
4729 This check is identical with the "mysql-check".
4730
4731 See also: "option httpchk"
4732
4733
Willy Tarreau9420b122013-12-15 18:58:25 +01004734option prefer-last-server
4735no option prefer-last-server
4736 Allow multiple load balanced requests to remain on the same server
4737 May be used in sections: defaults | frontend | listen | backend
4738 yes | no | yes | yes
4739 Arguments : none
4740
4741 When the load balancing algorithm in use is not deterministic, and a previous
4742 request was sent to a server to which haproxy still holds a connection, it is
4743 sometimes desirable that subsequent requests on a same session go to the same
4744 server as much as possible. Note that this is different from persistence, as
4745 we only indicate a preference which haproxy tries to apply without any form
4746 of warranty. The real use is for keep-alive connections sent to servers. When
4747 this option is used, haproxy will try to reuse the same connection that is
4748 attached to the server instead of rebalancing to another server, causing a
4749 close of the connection. This can make sense for static file servers. It does
Willy Tarreau068621e2013-12-23 15:11:25 +01004750 not make much sense to use this in combination with hashing algorithms. Note,
4751 haproxy already automatically tries to stick to a server which sends a 401 or
4752 to a proxy which sends a 407 (authentication required). This is mandatory for
4753 use with the broken NTLM authentication challenge, and significantly helps in
4754 troubleshooting some faulty applications. Option prefer-last-server might be
4755 desirable in these environments as well, to avoid redistributing the traffic
4756 after every other response.
Willy Tarreau9420b122013-12-15 18:58:25 +01004757
4758 If this option has been enabled in a "defaults" section, it can be disabled
4759 in a specific instance by prepending the "no" keyword before it.
4760
4761 See also: "option http-keep-alive"
4762
4763
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004764option redispatch
4765no option redispatch
4766 Enable or disable session redistribution in case of connection failure
4767 May be used in sections: defaults | frontend | listen | backend
4768 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01004769 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004770
4771 In HTTP mode, if a server designated by a cookie is down, clients may
4772 definitely stick to it because they cannot flush the cookie, so they will not
4773 be able to access the service anymore.
4774
4775 Specifying "option redispatch" will allow the proxy to break their
4776 persistence and redistribute them to a working server.
4777
4778 It also allows to retry last connection to another server in case of multiple
4779 connection failures. Of course, it requires having "retries" set to a nonzero
4780 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01004781
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004782 This form is the preferred form, which replaces both the "redispatch" and
4783 "redisp" keywords.
4784
4785 If this option has been enabled in a "defaults" section, it can be disabled
4786 in a specific instance by prepending the "no" keyword before it.
4787
Willy Tarreau4de91492010-01-22 19:10:05 +01004788 See also : "redispatch", "retries", "force-persist"
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004789
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004790
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02004791option redis-check
4792 Use redis health checks for server testing
4793 May be used in sections : defaults | frontend | listen | backend
4794 yes | no | yes | yes
4795 Arguments : none
4796
4797 It is possible to test that the server correctly talks REDIS protocol instead
4798 of just testing that it accepts the TCP connection. When this option is set,
4799 a PING redis command is sent to the server, and the response is analyzed to
4800 find the "+PONG" response message.
4801
4802 Example :
4803 option redis-check
4804
4805 See also : "option httpchk"
4806
4807
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004808option smtpchk
4809option smtpchk <hello> <domain>
4810 Use SMTP health checks for server testing
4811 May be used in sections : defaults | frontend | listen | backend
4812 yes | no | yes | yes
Willy Tarreaud72758d2010-01-12 10:42:19 +01004813 Arguments :
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004814 <hello> is an optional argument. It is the "hello" command to use. It can
4815 be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
4816 values will be turned into the default command ("HELO").
4817
4818 <domain> is the domain name to present to the server. It may only be
4819 specified (and is mandatory) if the hello command has been
4820 specified. By default, "localhost" is used.
4821
4822 When "option smtpchk" is set, the health checks will consist in TCP
4823 connections followed by an SMTP command. By default, this command is
4824 "HELO localhost". The server's return code is analyzed and only return codes
4825 starting with a "2" will be considered as valid. All other responses,
4826 including a lack of response will constitute an error and will indicate a
4827 dead server.
4828
4829 This test is meant to be used with SMTP servers or relays. Depending on the
4830 request, it is possible that some servers do not log each connection attempt,
4831 so you may want to experiment to improve the behaviour. Using telnet on port
4832 25 is often easier than adjusting the configuration.
4833
4834 Most often, an incoming SMTP server needs to see the client's IP address for
4835 various purposes, including spam filtering, anti-spoofing and logging. When
4836 possible, it is often wise to masquerade the client's IP address when
4837 connecting to the server using the "usesrc" argument of the "source" keyword,
4838 which requires the cttproxy feature to be compiled in.
4839
4840 Example :
4841 option smtpchk HELO mydomain.org
4842
4843 See also : "option httpchk", "source"
4844
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01004845
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +02004846option socket-stats
4847no option socket-stats
4848
4849 Enable or disable collecting & providing separate statistics for each socket.
4850 May be used in sections : defaults | frontend | listen | backend
4851 yes | yes | yes | no
4852
4853 Arguments : none
4854
4855
Willy Tarreauff4f82d2009-02-06 11:28:13 +01004856option splice-auto
4857no option splice-auto
4858 Enable or disable automatic kernel acceleration on sockets in both directions
4859 May be used in sections : defaults | frontend | listen | backend
4860 yes | yes | yes | yes
4861 Arguments : none
4862
4863 When this option is enabled either on a frontend or on a backend, haproxy
4864 will automatically evaluate the opportunity to use kernel tcp splicing to
4865 forward data between the client and the server, in either direction. Haproxy
4866 uses heuristics to estimate if kernel splicing might improve performance or
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01004867 not. Both directions are handled independently. Note that the heuristics used
Willy Tarreauff4f82d2009-02-06 11:28:13 +01004868 are not much aggressive in order to limit excessive use of splicing. This
4869 option requires splicing to be enabled at compile time, and may be globally
4870 disabled with the global option "nosplice". Since splice uses pipes, using it
4871 requires that there are enough spare pipes.
4872
4873 Important note: kernel-based TCP splicing is a Linux-specific feature which
4874 first appeared in kernel 2.6.25. It offers kernel-based acceleration to
4875 transfer data between sockets without copying these data to user-space, thus
4876 providing noticeable performance gains and CPU cycles savings. Since many
4877 early implementations are buggy, corrupt data and/or are inefficient, this
4878 feature is not enabled by default, and it should be used with extreme care.
4879 While it is not possible to detect the correctness of an implementation,
4880 2.6.29 is the first version offering a properly working implementation. In
4881 case of doubt, splicing may be globally disabled using the global "nosplice"
4882 keyword.
4883
4884 Example :
4885 option splice-auto
4886
4887 If this option has been enabled in a "defaults" section, it can be disabled
4888 in a specific instance by prepending the "no" keyword before it.
4889
4890 See also : "option splice-request", "option splice-response", and global
4891 options "nosplice" and "maxpipes"
4892
4893
4894option splice-request
4895no option splice-request
4896 Enable or disable automatic kernel acceleration on sockets for requests
4897 May be used in sections : defaults | frontend | listen | backend
4898 yes | yes | yes | yes
4899 Arguments : none
4900
4901 When this option is enabled either on a frontend or on a backend, haproxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04004902 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01004903 the client to the server. It might still use the recv/send scheme if there
4904 are no spare pipes left. This option requires splicing to be enabled at
4905 compile time, and may be globally disabled with the global option "nosplice".
4906 Since splice uses pipes, using it requires that there are enough spare pipes.
4907
4908 Important note: see "option splice-auto" for usage limitations.
4909
4910 Example :
4911 option splice-request
4912
4913 If this option has been enabled in a "defaults" section, it can be disabled
4914 in a specific instance by prepending the "no" keyword before it.
4915
4916 See also : "option splice-auto", "option splice-response", and global options
4917 "nosplice" and "maxpipes"
4918
4919
4920option splice-response
4921no option splice-response
4922 Enable or disable automatic kernel acceleration on sockets for responses
4923 May be used in sections : defaults | frontend | listen | backend
4924 yes | yes | yes | yes
4925 Arguments : none
4926
4927 When this option is enabled either on a frontend or on a backend, haproxy
Jamie Gloudonaaa21002012-08-25 00:18:33 -04004928 will use kernel tcp splicing whenever possible to forward data going from
Willy Tarreauff4f82d2009-02-06 11:28:13 +01004929 the server to the client. It might still use the recv/send scheme if there
4930 are no spare pipes left. This option requires splicing to be enabled at
4931 compile time, and may be globally disabled with the global option "nosplice".
4932 Since splice uses pipes, using it requires that there are enough spare pipes.
4933
4934 Important note: see "option splice-auto" for usage limitations.
4935
4936 Example :
4937 option splice-response
4938
4939 If this option has been enabled in a "defaults" section, it can be disabled
4940 in a specific instance by prepending the "no" keyword before it.
4941
4942 See also : "option splice-auto", "option splice-request", and global options
4943 "nosplice" and "maxpipes"
4944
4945
Willy Tarreaubf1f8162007-12-28 17:42:56 +01004946option srvtcpka
4947no option srvtcpka
4948 Enable or disable the sending of TCP keepalive packets on the server side
4949 May be used in sections : defaults | frontend | listen | backend
4950 yes | no | yes | yes
4951 Arguments : none
4952
4953 When there is a firewall or any session-aware component between a client and
4954 a server, and when the protocol involves very long sessions with long idle
4955 periods (eg: remote desktops), there is a risk that one of the intermediate
4956 components decides to expire a session which has remained idle for too long.
4957
4958 Enabling socket-level TCP keep-alives makes the system regularly send packets
4959 to the other end of the connection, leaving it active. The delay between
4960 keep-alive probes is controlled by the system only and depends both on the
4961 operating system and its tuning parameters.
4962
4963 It is important to understand that keep-alive packets are neither emitted nor
4964 received at the application level. It is only the network stacks which sees
4965 them. For this reason, even if one side of the proxy already uses keep-alives
4966 to maintain its connection alive, those keep-alive packets will not be
4967 forwarded to the other side of the proxy.
4968
4969 Please note that this has nothing to do with HTTP keep-alive.
4970
4971 Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
4972 server side of a connection, which should help when session expirations are
4973 noticed between HAProxy and a server.
4974
4975 If this option has been enabled in a "defaults" section, it can be disabled
4976 in a specific instance by prepending the "no" keyword before it.
4977
4978 See also : "option clitcpka", "option tcpka"
4979
4980
Willy Tarreaua453bdd2008-01-08 19:50:52 +01004981option ssl-hello-chk
4982 Use SSLv3 client hello health checks for server testing
4983 May be used in sections : defaults | frontend | listen | backend
4984 yes | no | yes | yes
4985 Arguments : none
4986
4987 When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
4988 possible to test that the server correctly talks SSL instead of just testing
4989 that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
4990 SSLv3 client hello messages are sent once the connection is established to
4991 the server, and the response is analyzed to find an SSL server hello message.
4992 The server is considered valid only when the response contains this server
4993 hello message.
4994
4995 All servers tested till there correctly reply to SSLv3 client hello messages,
4996 and most servers tested do not even log the requests containing only hello
4997 messages, which is appreciable.
4998
Willy Tarreau763a95b2012-10-04 23:15:39 +02004999 Note that this check works even when SSL support was not built into haproxy
5000 because it forges the SSL message. When SSL support is available, it is best
5001 to use native SSL health checks instead of this one.
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005002
Willy Tarreau763a95b2012-10-04 23:15:39 +02005003 See also: "option httpchk", "check-ssl"
5004
Willy Tarreaua453bdd2008-01-08 19:50:52 +01005005
Willy Tarreaued179852013-12-16 01:07:00 +01005006option tcp-check
5007 Perform health checks using tcp-check send/expect sequences
5008 May be used in sections: defaults | frontend | listen | backend
5009 yes | no | yes | yes
5010
5011 This health check method is intended to be combined with "tcp-check" command
5012 lists in order to support send/expect types of health check sequences.
5013
5014 TCP checks currently support 4 modes of operations :
5015 - no "tcp-check" directive : the health check only consists in a connection
5016 attempt, which remains the default mode.
5017
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005018 - "tcp-check send" or "tcp-check send-binary" only is mentioned : this is
Willy Tarreaued179852013-12-16 01:07:00 +01005019 used to send a string along with a connection opening. With some
5020 protocols, it helps sending a "QUIT" message for example that prevents
5021 the server from logging a connection error for each health check. The
5022 check result will still be based on the ability to open the connection
5023 only.
5024
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005025 - "tcp-check expect" only is mentioned : this is used to test a banner.
Willy Tarreaued179852013-12-16 01:07:00 +01005026 The connection is opened and haproxy waits for the server to present some
5027 contents which must validate some rules. The check result will be based
5028 on the matching between the contents and the rules. This is suited for
5029 POP, IMAP, SMTP, FTP, SSH, TELNET.
5030
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005031 - both "tcp-check send" and "tcp-check expect" are mentioned : this is
Willy Tarreaued179852013-12-16 01:07:00 +01005032 used to test a hello-type protocol. Haproxy sends a message, the server
5033 responds and its response is analysed. the check result will be based on
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005034 the matching between the response contents and the rules. This is often
Willy Tarreaued179852013-12-16 01:07:00 +01005035 suited for protocols which require a binding or a request/response model.
5036 LDAP, MySQL, Redis and SSL are example of such protocols, though they
5037 already all have their dedicated checks with a deeper understanding of
5038 the respective protocols.
5039 In this mode, many questions may be sent and many answers may be
5040 analysed.
5041
5042 Examples :
5043 # perform a POP check (analyse only server's banner)
5044 option tcp-check
5045 tcp-check expect string +OK\ POP3\ ready
5046
5047 # perform an IMAP check (analyse only server's banner)
5048 option tcp-check
5049 tcp-check expect string *\ OK\ IMAP4\ ready
5050
5051 # look for the redis master server after ensuring it speaks well
5052 # redis protocol, then it exits properly.
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005053 # (send a command then analyse the response 3 times)
Willy Tarreaued179852013-12-16 01:07:00 +01005054 option tcp-check
5055 tcp-check send PING\r\n
5056 tcp-check expect +PONG
5057 tcp-check send info\ replication\r\n
5058 tcp-check expect string role:master
5059 tcp-check send QUIT\r\n
5060 tcp-check expect string +OK
5061
5062 forge a HTTP request, then analyse the response
5063 (send many headers before analyzing)
5064 option tcp-check
5065 tcp-check send HEAD\ /\ HTTP/1.1\r\n
5066 tcp-check send Host:\ www.mydomain.com\r\n
5067 tcp-check send User-Agent:\ HAProxy\ tcpcheck\r\n
5068 tcp-check send \r\n
5069 tcp-check expect rstring HTTP/1\..\ (2..|3..)
5070
5071
5072 See also : "tcp-check expect", "tcp-check send"
5073
5074
Willy Tarreau9ea05a72009-06-14 12:07:01 +02005075option tcp-smart-accept
5076no option tcp-smart-accept
5077 Enable or disable the saving of one ACK packet during the accept sequence
5078 May be used in sections : defaults | frontend | listen | backend
5079 yes | yes | yes | no
5080 Arguments : none
5081
5082 When an HTTP connection request comes in, the system acknowledges it on
5083 behalf of HAProxy, then the client immediately sends its request, and the
5084 system acknowledges it too while it is notifying HAProxy about the new
5085 connection. HAProxy then reads the request and responds. This means that we
5086 have one TCP ACK sent by the system for nothing, because the request could
5087 very well be acknowledged by HAProxy when it sends its response.
5088
5089 For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
5090 sending this useless ACK on platforms which support it (currently at least
5091 Linux). It must not cause any problem, because the system will send it anyway
5092 after 40 ms if the response takes more time than expected to come.
5093
5094 During complex network debugging sessions, it may be desirable to disable
5095 this optimization because delayed ACKs can make troubleshooting more complex
5096 when trying to identify where packets are delayed. It is then possible to
5097 fall back to normal behaviour by specifying "no option tcp-smart-accept".
5098
5099 It is also possible to force it for non-HTTP proxies by simply specifying
5100 "option tcp-smart-accept". For instance, it can make sense with some services
5101 such as SMTP where the server speaks first.
5102
5103 It is recommended to avoid forcing this option in a defaults section. In case
5104 of doubt, consider setting it back to automatic values by prepending the
5105 "default" keyword before it, or disabling it using the "no" keyword.
5106
Willy Tarreaud88edf22009-06-14 15:48:17 +02005107 See also : "option tcp-smart-connect"
5108
5109
5110option tcp-smart-connect
5111no option tcp-smart-connect
5112 Enable or disable the saving of one ACK packet during the connect sequence
5113 May be used in sections : defaults | frontend | listen | backend
5114 yes | no | yes | yes
5115 Arguments : none
5116
5117 On certain systems (at least Linux), HAProxy can ask the kernel not to
5118 immediately send an empty ACK upon a connection request, but to directly
5119 send the buffer request instead. This saves one packet on the network and
5120 thus boosts performance. It can also be useful for some servers, because they
5121 immediately get the request along with the incoming connection.
5122
5123 This feature is enabled when "option tcp-smart-connect" is set in a backend.
5124 It is not enabled by default because it makes network troubleshooting more
5125 complex.
5126
5127 It only makes sense to enable it with protocols where the client speaks first
5128 such as HTTP. In other situations, if there is no data to send in place of
5129 the ACK, a normal ACK is sent.
5130
5131 If this option has been enabled in a "defaults" section, it can be disabled
5132 in a specific instance by prepending the "no" keyword before it.
5133
5134 See also : "option tcp-smart-accept"
5135
Willy Tarreau9ea05a72009-06-14 12:07:01 +02005136
Willy Tarreaubf1f8162007-12-28 17:42:56 +01005137option tcpka
5138 Enable or disable the sending of TCP keepalive packets on both sides
5139 May be used in sections : defaults | frontend | listen | backend
5140 yes | yes | yes | yes
5141 Arguments : none
5142
5143 When there is a firewall or any session-aware component between a client and
5144 a server, and when the protocol involves very long sessions with long idle
5145 periods (eg: remote desktops), there is a risk that one of the intermediate
5146 components decides to expire a session which has remained idle for too long.
5147
5148 Enabling socket-level TCP keep-alives makes the system regularly send packets
5149 to the other end of the connection, leaving it active. The delay between
5150 keep-alive probes is controlled by the system only and depends both on the
5151 operating system and its tuning parameters.
5152
5153 It is important to understand that keep-alive packets are neither emitted nor
5154 received at the application level. It is only the network stacks which sees
5155 them. For this reason, even if one side of the proxy already uses keep-alives
5156 to maintain its connection alive, those keep-alive packets will not be
5157 forwarded to the other side of the proxy.
5158
5159 Please note that this has nothing to do with HTTP keep-alive.
5160
5161 Using option "tcpka" enables the emission of TCP keep-alive probes on both
5162 the client and server sides of a connection. Note that this is meaningful
5163 only in "defaults" or "listen" sections. If this option is used in a
5164 frontend, only the client side will get keep-alives, and if this option is
5165 used in a backend, only the server side will get keep-alives. For this
5166 reason, it is strongly recommended to explicitly use "option clitcpka" and
5167 "option srvtcpka" when the configuration is split between frontends and
5168 backends.
5169
5170 See also : "option clitcpka", "option srvtcpka"
5171
Willy Tarreau844e3c52008-01-11 16:28:18 +01005172
5173option tcplog
5174 Enable advanced logging of TCP connections with session state and timers
5175 May be used in sections : defaults | frontend | listen | backend
5176 yes | yes | yes | yes
5177 Arguments : none
5178
5179 By default, the log output format is very poor, as it only contains the
5180 source and destination addresses, and the instance name. By specifying
5181 "option tcplog", each log line turns into a much richer format including, but
5182 not limited to, the connection timers, the session status, the connections
5183 numbers, the frontend, backend and server name, and of course the source
5184 address and ports. This option is useful for pure TCP proxies in order to
5185 find which of the client or server disconnects or times out. For normal HTTP
5186 proxies, it's better to use "option httplog" which is even more complete.
5187
5188 This option may be set either in the frontend or the backend.
5189
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005190 See also : "option httplog", and section 8 about logging.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005191
5192
Willy Tarreau844e3c52008-01-11 16:28:18 +01005193option transparent
5194no option transparent
5195 Enable client-side transparent proxying
5196 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01005197 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01005198 Arguments : none
5199
5200 This option was introduced in order to provide layer 7 persistence to layer 3
5201 load balancers. The idea is to use the OS's ability to redirect an incoming
5202 connection for a remote address to a local process (here HAProxy), and let
5203 this process know what address was initially requested. When this option is
5204 used, sessions without cookies will be forwarded to the original destination
5205 IP address of the incoming request (which should match that of another
5206 equipment), while requests with cookies will still be forwarded to the
5207 appropriate server.
5208
5209 Note that contrary to a common belief, this option does NOT make HAProxy
5210 present the client's IP to the server when establishing the connection.
5211
Willy Tarreaua1146052011-03-01 09:51:54 +01005212 See also: the "usesrc" argument of the "source" keyword, and the
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005213 "transparent" option of the "bind" keyword.
Willy Tarreau844e3c52008-01-11 16:28:18 +01005214
Willy Tarreaubf1f8162007-12-28 17:42:56 +01005215
Emeric Brun647caf12009-06-30 17:57:00 +02005216persist rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02005217persist rdp-cookie(<name>)
Emeric Brun647caf12009-06-30 17:57:00 +02005218 Enable RDP cookie-based persistence
5219 May be used in sections : defaults | frontend | listen | backend
5220 yes | no | yes | yes
5221 Arguments :
5222 <name> is the optional name of the RDP cookie to check. If omitted, the
Willy Tarreau61e28f22010-05-16 22:31:05 +02005223 default cookie name "msts" will be used. There currently is no
5224 valid reason to change this name.
Emeric Brun647caf12009-06-30 17:57:00 +02005225
5226 This statement enables persistence based on an RDP cookie. The RDP cookie
5227 contains all information required to find the server in the list of known
5228 servers. So when this option is set in the backend, the request is analysed
5229 and if an RDP cookie is found, it is decoded. If it matches a known server
5230 which is still UP (or if "option persist" is set), then the connection is
5231 forwarded to this server.
5232
5233 Note that this only makes sense in a TCP backend, but for this to work, the
5234 frontend must have waited long enough to ensure that an RDP cookie is present
5235 in the request buffer. This is the same requirement as with the "rdp-cookie"
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01005236 load-balancing method. Thus it is highly recommended to put all statements in
Emeric Brun647caf12009-06-30 17:57:00 +02005237 a single "listen" section.
5238
Willy Tarreau61e28f22010-05-16 22:31:05 +02005239 Also, it is important to understand that the terminal server will emit this
5240 RDP cookie only if it is configured for "token redirection mode", which means
5241 that the "IP address redirection" option is disabled.
5242
Emeric Brun647caf12009-06-30 17:57:00 +02005243 Example :
5244 listen tse-farm
5245 bind :3389
5246 # wait up to 5s for an RDP cookie in the request
5247 tcp-request inspect-delay 5s
5248 tcp-request content accept if RDP_COOKIE
5249 # apply RDP cookie persistence
5250 persist rdp-cookie
5251 # if server is unknown, let's balance on the same cookie.
Cyril Bontédc4d9032012-04-08 21:57:39 +02005252 # alternatively, "balance leastconn" may be useful too.
Emeric Brun647caf12009-06-30 17:57:00 +02005253 balance rdp-cookie
5254 server srv1 1.1.1.1:3389
5255 server srv2 1.1.1.2:3389
5256
Simon Hormanab814e02011-06-24 14:50:20 +09005257 See also : "balance rdp-cookie", "tcp-request", the "req_rdp_cookie" ACL and
5258 the rdp_cookie pattern fetch function.
Emeric Brun647caf12009-06-30 17:57:00 +02005259
5260
Willy Tarreau3a7d2072009-03-05 23:48:25 +01005261rate-limit sessions <rate>
5262 Set a limit on the number of new sessions accepted per second on a frontend
5263 May be used in sections : defaults | frontend | listen | backend
5264 yes | yes | yes | no
5265 Arguments :
5266 <rate> The <rate> parameter is an integer designating the maximum number
5267 of new sessions per second to accept on the frontend.
5268
5269 When the frontend reaches the specified number of new sessions per second, it
5270 stops accepting new connections until the rate drops below the limit again.
5271 During this time, the pending sessions will be kept in the socket's backlog
5272 (in system buffers) and haproxy will not even be aware that sessions are
5273 pending. When applying very low limit on a highly loaded service, it may make
5274 sense to increase the socket's backlog using the "backlog" keyword.
5275
5276 This feature is particularly efficient at blocking connection-based attacks
5277 or service abuse on fragile servers. Since the session rate is measured every
5278 millisecond, it is extremely accurate. Also, the limit applies immediately,
5279 no delay is needed at all to detect the threshold.
5280
5281 Example : limit the connection rate on SMTP to 10 per second max
5282 listen smtp
5283 mode tcp
5284 bind :25
5285 rate-limit sessions 10
5286 server 127.0.0.1:1025
5287
Willy Tarreaua17c2d92011-07-25 08:16:20 +02005288 Note : when the maximum rate is reached, the frontend's status is not changed
5289 but its sockets appear as "WAITING" in the statistics if the
5290 "socket-stats" option is enabled.
Willy Tarreau3a7d2072009-03-05 23:48:25 +01005291
5292 See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
5293
5294
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005295redirect location <loc> [code <code>] <option> [{if | unless} <condition>]
5296redirect prefix <pfx> [code <code>] <option> [{if | unless} <condition>]
5297redirect scheme <sch> [code <code>] <option> [{if | unless} <condition>]
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005298 Return an HTTP redirection if/unless a condition is matched
5299 May be used in sections : defaults | frontend | listen | backend
5300 no | yes | yes | yes
5301
5302 If/unless the condition is matched, the HTTP request will lead to a redirect
Willy Tarreauf285f542010-01-03 20:03:03 +01005303 response. If no condition is specified, the redirect applies unconditionally.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005304
Willy Tarreau0140f252008-11-19 21:07:09 +01005305 Arguments :
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005306 <loc> With "redirect location", the exact value in <loc> is placed into
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01005307 the HTTP "Location" header. When used in an "http-request" rule,
5308 <loc> value follows the log-format rules and can include some
5309 dynamic values (see Custom Log Format in section 8.2.4).
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005310
5311 <pfx> With "redirect prefix", the "Location" header is built from the
5312 concatenation of <pfx> and the complete URI path, including the
5313 query string, unless the "drop-query" option is specified (see
5314 below). As a special case, if <pfx> equals exactly "/", then
5315 nothing is inserted before the original URI. It allows one to
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01005316 redirect to the same URL (for instance, to insert a cookie). When
5317 used in an "http-request" rule, <pfx> value follows the log-format
5318 rules and can include some dynamic values (see Custom Log Format
5319 in section 8.2.4).
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005320
5321 <sch> With "redirect scheme", then the "Location" header is built by
5322 concatenating <sch> with "://" then the first occurrence of the
5323 "Host" header, and then the URI path, including the query string
5324 unless the "drop-query" option is specified (see below). If no
5325 path is found or if the path is "*", then "/" is used instead. If
5326 no "Host" header is found, then an empty host component will be
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03005327 returned, which most recent browsers interpret as redirecting to
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005328 the same host. This directive is mostly used to redirect HTTP to
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01005329 HTTPS. When used in an "http-request" rule, <sch> value follows
5330 the log-format rules and can include some dynamic values (see
5331 Custom Log Format in section 8.2.4).
Willy Tarreau0140f252008-11-19 21:07:09 +01005332
5333 <code> The code is optional. It indicates which type of HTTP redirection
Willy Tarreaub67fdc42013-03-29 19:28:11 +01005334 is desired. Only codes 301, 302, 303, 307 and 308 are supported,
5335 with 302 used by default if no code is specified. 301 means
5336 "Moved permanently", and a browser may cache the Location. 302
5337 means "Moved permanently" and means that the browser should not
5338 cache the redirection. 303 is equivalent to 302 except that the
5339 browser will fetch the location with a GET method. 307 is just
5340 like 302 but makes it clear that the same method must be reused.
5341 Likewise, 308 replaces 301 if the same method must be used.
Willy Tarreau0140f252008-11-19 21:07:09 +01005342
5343 <option> There are several options which can be specified to adjust the
5344 expected behaviour of a redirection :
5345
5346 - "drop-query"
5347 When this keyword is used in a prefix-based redirection, then the
5348 location will be set without any possible query-string, which is useful
5349 for directing users to a non-secure page for instance. It has no effect
5350 with a location-type redirect.
5351
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01005352 - "append-slash"
5353 This keyword may be used in conjunction with "drop-query" to redirect
5354 users who use a URL not ending with a '/' to the same one with the '/'.
5355 It can be useful to ensure that search engines will only see one URL.
5356 For this, a return code 301 is preferred.
5357
Willy Tarreau0140f252008-11-19 21:07:09 +01005358 - "set-cookie NAME[=value]"
5359 A "Set-Cookie" header will be added with NAME (and optionally "=value")
5360 to the response. This is sometimes used to indicate that a user has
5361 been seen, for instance to protect against some types of DoS. No other
5362 cookie option is added, so the cookie will be a session cookie. Note
5363 that for a browser, a sole cookie name without an equal sign is
5364 different from a cookie with an equal sign.
5365
5366 - "clear-cookie NAME[=]"
5367 A "Set-Cookie" header will be added with NAME (and optionally "="), but
5368 with the "Max-Age" attribute set to zero. This will tell the browser to
5369 delete this cookie. It is useful for instance on logout pages. It is
5370 important to note that clearing the cookie "NAME" will not remove a
5371 cookie set with "NAME=value". You have to clear the cookie "NAME=" for
5372 that, because the browser makes the difference.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005373
5374 Example: move the login URL only to HTTPS.
5375 acl clear dst_port 80
5376 acl secure dst_port 8080
5377 acl login_page url_beg /login
Willy Tarreau0140f252008-11-19 21:07:09 +01005378 acl logout url_beg /logout
Willy Tarreau79da4692008-11-19 20:03:04 +01005379 acl uid_given url_reg /login?userid=[^&]+
Willy Tarreau0140f252008-11-19 21:07:09 +01005380 acl cookie_set hdr_sub(cookie) SEEN=1
5381
5382 redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
Willy Tarreau79da4692008-11-19 20:03:04 +01005383 redirect prefix https://mysite.com if login_page !secure
5384 redirect prefix http://mysite.com drop-query if login_page !uid_given
5385 redirect location http://mysite.com/ if !login_page secure
Willy Tarreau0140f252008-11-19 21:07:09 +01005386 redirect location / clear-cookie USERID= if logout
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005387
Willy Tarreau81e3b4f2010-01-10 00:42:19 +01005388 Example: send redirects for request for articles without a '/'.
5389 acl missing_slash path_reg ^/article/[^/]*$
5390 redirect code 301 prefix / drop-query append-slash if missing_slash
5391
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005392 Example: redirect all HTTP traffic to HTTPS when SSL is handled by haproxy.
David BERARDe7153042012-11-03 00:11:31 +01005393 redirect scheme https if !{ ssl_fc }
Willy Tarreau2e1dca82012-09-12 08:43:15 +02005394
Thierry FOURNIERd18cd0f2013-11-29 12:15:45 +01005395 Example: append 'www.' prefix in front of all hosts not having it
5396 http-request redirect code 301 location www.%[hdr(host)]%[req.uri] \
5397 unless { hdr_beg(host) -i www }
5398
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005399 See section 7 about ACL usage.
Willy Tarreaub463dfb2008-06-07 23:08:56 +02005400
5401
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005402redisp (deprecated)
5403redispatch (deprecated)
5404 Enable or disable session redistribution in case of connection failure
5405 May be used in sections: defaults | frontend | listen | backend
5406 yes | no | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005407 Arguments : none
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005408
5409 In HTTP mode, if a server designated by a cookie is down, clients may
5410 definitely stick to it because they cannot flush the cookie, so they will not
5411 be able to access the service anymore.
5412
5413 Specifying "redispatch" will allow the proxy to break their persistence and
5414 redistribute them to a working server.
5415
5416 It also allows to retry last connection to another server in case of multiple
5417 connection failures. Of course, it requires having "retries" set to a nonzero
5418 value.
Willy Tarreaud72758d2010-01-12 10:42:19 +01005419
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01005420 This form is deprecated, do not use it in any new configuration, use the new
5421 "option redispatch" instead.
5422
5423 See also : "option redispatch"
5424
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005425
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01005426reqadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01005427 Add a header at the end of the HTTP request
5428 May be used in sections : defaults | frontend | listen | backend
5429 no | yes | yes | yes
5430 Arguments :
5431 <string> is the complete line to be added. Any space or known delimiter
5432 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005433 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01005434
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01005435 <cond> is an optional matching condition built from ACLs. It makes it
5436 possible to ignore this rule when other conditions are not met.
5437
Willy Tarreau303c0352008-01-17 19:01:39 +01005438 A new line consisting in <string> followed by a line feed will be added after
5439 the last header of an HTTP request.
5440
5441 Header transformations only apply to traffic which passes through HAProxy,
5442 and not to traffic generated by HAProxy, such as health-checks or error
5443 responses.
5444
Willy Tarreau8abd4cd2010-01-31 14:30:44 +01005445 Example : add "X-Proto: SSL" to requests coming via port 81
5446 acl is-ssl dst_port 81
5447 reqadd X-Proto:\ SSL if is-ssl
5448
5449 See also: "rspadd", section 6 about HTTP header manipulation, and section 7
5450 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005451
5452
Willy Tarreau5321c422010-01-28 20:35:13 +01005453reqallow <search> [{if | unless} <cond>]
5454reqiallow <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005455 Definitely allow an HTTP request if a line matches a regular expression
5456 May be used in sections : defaults | frontend | listen | backend
5457 no | yes | yes | yes
5458 Arguments :
5459 <search> is the regular expression applied to HTTP headers and to the
5460 request line. This is an extended regular expression. Parenthesis
5461 grouping is supported and no preliminary backslash is required.
5462 Any space or known delimiter must be escaped using a backslash
5463 ('\'). The pattern applies to a full line at a time. The
5464 "reqallow" keyword strictly matches case while "reqiallow"
5465 ignores case.
5466
Willy Tarreau5321c422010-01-28 20:35:13 +01005467 <cond> is an optional matching condition built from ACLs. It makes it
5468 possible to ignore this rule when other conditions are not met.
5469
Willy Tarreau303c0352008-01-17 19:01:39 +01005470 A request containing any line which matches extended regular expression
5471 <search> will mark the request as allowed, even if any later test would
5472 result in a deny. The test applies both to the request line and to request
5473 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01005474 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01005475
5476 It is easier, faster and more powerful to use ACLs to write access policies.
5477 Reqdeny, reqallow and reqpass should be avoided in new designs.
5478
5479 Example :
5480 # allow www.* but refuse *.local
5481 reqiallow ^Host:\ www\.
5482 reqideny ^Host:\ .*\.local
5483
Willy Tarreau5321c422010-01-28 20:35:13 +01005484 See also: "reqdeny", "block", section 6 about HTTP header manipulation, and
5485 section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005486
5487
Willy Tarreau5321c422010-01-28 20:35:13 +01005488reqdel <search> [{if | unless} <cond>]
5489reqidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005490 Delete all headers matching a regular expression in an HTTP request
5491 May be used in sections : defaults | frontend | listen | backend
5492 no | yes | yes | yes
5493 Arguments :
5494 <search> is the regular expression applied to HTTP headers and to the
5495 request line. This is an extended regular expression. Parenthesis
5496 grouping is supported and no preliminary backslash is required.
5497 Any space or known delimiter must be escaped using a backslash
5498 ('\'). The pattern applies to a full line at a time. The "reqdel"
5499 keyword strictly matches case while "reqidel" ignores case.
5500
Willy Tarreau5321c422010-01-28 20:35:13 +01005501 <cond> is an optional matching condition built from ACLs. It makes it
5502 possible to ignore this rule when other conditions are not met.
5503
Willy Tarreau303c0352008-01-17 19:01:39 +01005504 Any header line matching extended regular expression <search> in the request
5505 will be completely deleted. Most common use of this is to remove unwanted
5506 and/or dangerous headers or cookies from a request before passing it to the
5507 next servers.
5508
5509 Header transformations only apply to traffic which passes through HAProxy,
5510 and not to traffic generated by HAProxy, such as health-checks or error
5511 responses. Keep in mind that header names are not case-sensitive.
5512
5513 Example :
5514 # remove X-Forwarded-For header and SERVER cookie
5515 reqidel ^X-Forwarded-For:.*
5516 reqidel ^Cookie:.*SERVER=
5517
Willy Tarreau5321c422010-01-28 20:35:13 +01005518 See also: "reqadd", "reqrep", "rspdel", section 6 about HTTP header
5519 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005520
5521
Willy Tarreau5321c422010-01-28 20:35:13 +01005522reqdeny <search> [{if | unless} <cond>]
5523reqideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005524 Deny an HTTP request if a line matches a regular expression
5525 May be used in sections : defaults | frontend | listen | backend
5526 no | yes | yes | yes
5527 Arguments :
5528 <search> is the regular expression applied to HTTP headers and to the
5529 request line. This is an extended regular expression. Parenthesis
5530 grouping is supported and no preliminary backslash is required.
5531 Any space or known delimiter must be escaped using a backslash
5532 ('\'). The pattern applies to a full line at a time. The
5533 "reqdeny" keyword strictly matches case while "reqideny" ignores
5534 case.
5535
Willy Tarreau5321c422010-01-28 20:35:13 +01005536 <cond> is an optional matching condition built from ACLs. It makes it
5537 possible to ignore this rule when other conditions are not met.
5538
Willy Tarreau303c0352008-01-17 19:01:39 +01005539 A request containing any line which matches extended regular expression
5540 <search> will mark the request as denied, even if any later test would
5541 result in an allow. The test applies both to the request line and to request
5542 headers. Keep in mind that URLs in request line are case-sensitive while
Willy Tarreaud72758d2010-01-12 10:42:19 +01005543 header names are not.
Willy Tarreau303c0352008-01-17 19:01:39 +01005544
Willy Tarreauced27012008-01-17 20:35:34 +01005545 A denied request will generate an "HTTP 403 forbidden" response once the
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01005546 complete request has been parsed. This is consistent with what is practiced
Willy Tarreaud72758d2010-01-12 10:42:19 +01005547 using ACLs.
Willy Tarreauced27012008-01-17 20:35:34 +01005548
Willy Tarreau303c0352008-01-17 19:01:39 +01005549 It is easier, faster and more powerful to use ACLs to write access policies.
5550 Reqdeny, reqallow and reqpass should be avoided in new designs.
5551
5552 Example :
5553 # refuse *.local, then allow www.*
5554 reqideny ^Host:\ .*\.local
5555 reqiallow ^Host:\ www\.
5556
Willy Tarreau5321c422010-01-28 20:35:13 +01005557 See also: "reqallow", "rspdeny", "block", section 6 about HTTP header
5558 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005559
5560
Willy Tarreau5321c422010-01-28 20:35:13 +01005561reqpass <search> [{if | unless} <cond>]
5562reqipass <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005563 Ignore any HTTP request line matching a regular expression in next rules
5564 May be used in sections : defaults | frontend | listen | backend
5565 no | yes | yes | yes
5566 Arguments :
5567 <search> is the regular expression applied to HTTP headers and to the
5568 request line. This is an extended regular expression. Parenthesis
5569 grouping is supported and no preliminary backslash is required.
5570 Any space or known delimiter must be escaped using a backslash
5571 ('\'). The pattern applies to a full line at a time. The
5572 "reqpass" keyword strictly matches case while "reqipass" ignores
5573 case.
5574
Willy Tarreau5321c422010-01-28 20:35:13 +01005575 <cond> is an optional matching condition built from ACLs. It makes it
5576 possible to ignore this rule when other conditions are not met.
5577
Willy Tarreau303c0352008-01-17 19:01:39 +01005578 A request containing any line which matches extended regular expression
5579 <search> will skip next rules, without assigning any deny or allow verdict.
5580 The test applies both to the request line and to request headers. Keep in
5581 mind that URLs in request line are case-sensitive while header names are not.
5582
5583 It is easier, faster and more powerful to use ACLs to write access policies.
5584 Reqdeny, reqallow and reqpass should be avoided in new designs.
5585
5586 Example :
5587 # refuse *.local, then allow www.*, but ignore "www.private.local"
5588 reqipass ^Host:\ www.private\.local
5589 reqideny ^Host:\ .*\.local
5590 reqiallow ^Host:\ www\.
5591
Willy Tarreau5321c422010-01-28 20:35:13 +01005592 See also: "reqallow", "reqdeny", "block", section 6 about HTTP header
5593 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005594
5595
Willy Tarreau5321c422010-01-28 20:35:13 +01005596reqrep <search> <string> [{if | unless} <cond>]
5597reqirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005598 Replace a regular expression with a string in an HTTP request line
5599 May be used in sections : defaults | frontend | listen | backend
5600 no | yes | yes | yes
5601 Arguments :
5602 <search> is the regular expression applied to HTTP headers and to the
5603 request line. This is an extended regular expression. Parenthesis
5604 grouping is supported and no preliminary backslash is required.
5605 Any space or known delimiter must be escaped using a backslash
5606 ('\'). The pattern applies to a full line at a time. The "reqrep"
5607 keyword strictly matches case while "reqirep" ignores case.
5608
5609 <string> is the complete line to be added. Any space or known delimiter
5610 must be escaped using a backslash ('\'). References to matched
5611 pattern groups are possible using the common \N form, with N
5612 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005613 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01005614
Willy Tarreau5321c422010-01-28 20:35:13 +01005615 <cond> is an optional matching condition built from ACLs. It makes it
5616 possible to ignore this rule when other conditions are not met.
5617
Willy Tarreau303c0352008-01-17 19:01:39 +01005618 Any line matching extended regular expression <search> in the request (both
5619 the request line and header lines) will be completely replaced with <string>.
5620 Most common use of this is to rewrite URLs or domain names in "Host" headers.
5621
5622 Header transformations only apply to traffic which passes through HAProxy,
5623 and not to traffic generated by HAProxy, such as health-checks or error
5624 responses. Note that for increased readability, it is suggested to add enough
5625 spaces between the request and the response. Keep in mind that URLs in
5626 request line are case-sensitive while header names are not.
5627
5628 Example :
5629 # replace "/static/" with "/" at the beginning of any request path.
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04005630 reqrep ^([^\ :]*)\ /static/(.*) \1\ /\2
Willy Tarreau303c0352008-01-17 19:01:39 +01005631 # replace "www.mydomain.com" with "www" in the host name.
5632 reqirep ^Host:\ www.mydomain.com Host:\ www
5633
Dmitry Sivachenkof6f4f7b2012-10-21 18:10:25 +04005634 See also: "reqadd", "reqdel", "rsprep", "tune.bufsize", section 6 about
5635 HTTP header manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005636
5637
Willy Tarreau5321c422010-01-28 20:35:13 +01005638reqtarpit <search> [{if | unless} <cond>]
5639reqitarpit <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005640 Tarpit an HTTP request containing a line matching a regular expression
5641 May be used in sections : defaults | frontend | listen | backend
5642 no | yes | yes | yes
5643 Arguments :
5644 <search> is the regular expression applied to HTTP headers and to the
5645 request line. This is an extended regular expression. Parenthesis
5646 grouping is supported and no preliminary backslash is required.
5647 Any space or known delimiter must be escaped using a backslash
5648 ('\'). The pattern applies to a full line at a time. The
5649 "reqtarpit" keyword strictly matches case while "reqitarpit"
5650 ignores case.
5651
Willy Tarreau5321c422010-01-28 20:35:13 +01005652 <cond> is an optional matching condition built from ACLs. It makes it
5653 possible to ignore this rule when other conditions are not met.
5654
Willy Tarreau303c0352008-01-17 19:01:39 +01005655 A request containing any line which matches extended regular expression
5656 <search> will be tarpitted, which means that it will connect to nowhere, will
Willy Tarreauced27012008-01-17 20:35:34 +01005657 be kept open for a pre-defined time, then will return an HTTP error 500 so
5658 that the attacker does not suspect it has been tarpitted. The status 500 will
5659 be reported in the logs, but the completion flags will indicate "PT". The
Willy Tarreau303c0352008-01-17 19:01:39 +01005660 delay is defined by "timeout tarpit", or "timeout connect" if the former is
5661 not set.
5662
5663 The goal of the tarpit is to slow down robots attacking servers with
5664 identifiable requests. Many robots limit their outgoing number of connections
5665 and stay connected waiting for a reply which can take several minutes to
5666 come. Depending on the environment and attack, it may be particularly
5667 efficient at reducing the load on the network and firewalls.
5668
Willy Tarreau5321c422010-01-28 20:35:13 +01005669 Examples :
Willy Tarreau303c0352008-01-17 19:01:39 +01005670 # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
5671 # block all others.
5672 reqipass ^User-Agent:\.*(Mozilla|MSIE)
5673 reqitarpit ^User-Agent:
5674
Willy Tarreau5321c422010-01-28 20:35:13 +01005675 # block bad guys
5676 acl badguys src 10.1.0.3 172.16.13.20/28
5677 reqitarpit . if badguys
5678
5679 See also: "reqallow", "reqdeny", "reqpass", section 6 about HTTP header
5680 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005681
5682
Willy Tarreaue5c5ce92008-06-20 17:27:19 +02005683retries <value>
5684 Set the number of retries to perform on a server after a connection failure
5685 May be used in sections: defaults | frontend | listen | backend
5686 yes | no | yes | yes
5687 Arguments :
5688 <value> is the number of times a connection attempt should be retried on
5689 a server when a connection either is refused or times out. The
5690 default value is 3.
5691
5692 It is important to understand that this value applies to the number of
5693 connection attempts, not full requests. When a connection has effectively
5694 been established to a server, there will be no more retry.
5695
5696 In order to avoid immediate reconnections to a server which is restarting,
5697 a turn-around timer of 1 second is applied before a retry occurs.
5698
5699 When "option redispatch" is set, the last retry may be performed on another
5700 server even if a cookie references a different server.
5701
5702 See also : "option redispatch"
5703
5704
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005705rspadd <string> [{if | unless} <cond>]
Willy Tarreau303c0352008-01-17 19:01:39 +01005706 Add a header at the end of the HTTP response
5707 May be used in sections : defaults | frontend | listen | backend
5708 no | yes | yes | yes
5709 Arguments :
5710 <string> is the complete line to be added. Any space or known delimiter
5711 must be escaped using a backslash ('\'). Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005712 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01005713
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005714 <cond> is an optional matching condition built from ACLs. It makes it
5715 possible to ignore this rule when other conditions are not met.
5716
Willy Tarreau303c0352008-01-17 19:01:39 +01005717 A new line consisting in <string> followed by a line feed will be added after
5718 the last header of an HTTP response.
5719
5720 Header transformations only apply to traffic which passes through HAProxy,
5721 and not to traffic generated by HAProxy, such as health-checks or error
5722 responses.
5723
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005724 See also: "reqadd", section 6 about HTTP header manipulation, and section 7
5725 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005726
5727
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005728rspdel <search> [{if | unless} <cond>]
5729rspidel <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005730 Delete all headers matching a regular expression in an HTTP response
5731 May be used in sections : defaults | frontend | listen | backend
5732 no | yes | yes | yes
5733 Arguments :
5734 <search> is the regular expression applied to HTTP headers and to the
5735 response line. This is an extended regular expression, so
5736 parenthesis grouping is supported and no preliminary backslash
5737 is required. Any space or known delimiter must be escaped using
5738 a backslash ('\'). The pattern applies to a full line at a time.
5739 The "rspdel" keyword strictly matches case while "rspidel"
5740 ignores case.
5741
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005742 <cond> is an optional matching condition built from ACLs. It makes it
5743 possible to ignore this rule when other conditions are not met.
5744
Willy Tarreau303c0352008-01-17 19:01:39 +01005745 Any header line matching extended regular expression <search> in the response
5746 will be completely deleted. Most common use of this is to remove unwanted
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02005747 and/or sensitive headers or cookies from a response before passing it to the
Willy Tarreau303c0352008-01-17 19:01:39 +01005748 client.
5749
5750 Header transformations only apply to traffic which passes through HAProxy,
5751 and not to traffic generated by HAProxy, such as health-checks or error
5752 responses. Keep in mind that header names are not case-sensitive.
5753
5754 Example :
5755 # remove the Server header from responses
Willy Tarreau5e80e022013-05-25 08:31:25 +02005756 rspidel ^Server:.*
Willy Tarreau303c0352008-01-17 19:01:39 +01005757
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005758 See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
5759 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005760
5761
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005762rspdeny <search> [{if | unless} <cond>]
5763rspideny <search> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005764 Block an HTTP response if a line matches a regular expression
5765 May be used in sections : defaults | frontend | listen | backend
5766 no | yes | yes | yes
5767 Arguments :
5768 <search> is the regular expression applied to HTTP headers and to the
5769 response line. This is an extended regular expression, so
5770 parenthesis grouping is supported and no preliminary backslash
5771 is required. Any space or known delimiter must be escaped using
5772 a backslash ('\'). The pattern applies to a full line at a time.
5773 The "rspdeny" keyword strictly matches case while "rspideny"
5774 ignores case.
5775
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005776 <cond> is an optional matching condition built from ACLs. It makes it
5777 possible to ignore this rule when other conditions are not met.
5778
Willy Tarreau303c0352008-01-17 19:01:39 +01005779 A response containing any line which matches extended regular expression
5780 <search> will mark the request as denied. The test applies both to the
5781 response line and to response headers. Keep in mind that header names are not
5782 case-sensitive.
5783
5784 Main use of this keyword is to prevent sensitive information leak and to
Willy Tarreauced27012008-01-17 20:35:34 +01005785 block the response before it reaches the client. If a response is denied, it
5786 will be replaced with an HTTP 502 error so that the client never retrieves
5787 any sensitive data.
Willy Tarreau303c0352008-01-17 19:01:39 +01005788
5789 It is easier, faster and more powerful to use ACLs to write access policies.
5790 Rspdeny should be avoided in new designs.
5791
5792 Example :
5793 # Ensure that no content type matching ms-word will leak
5794 rspideny ^Content-type:\.*/ms-word
5795
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005796 See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
5797 and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005798
5799
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005800rsprep <search> <string> [{if | unless} <cond>]
5801rspirep <search> <string> [{if | unless} <cond>] (ignore case)
Willy Tarreau303c0352008-01-17 19:01:39 +01005802 Replace a regular expression with a string in an HTTP response line
5803 May be used in sections : defaults | frontend | listen | backend
5804 no | yes | yes | yes
5805 Arguments :
5806 <search> is the regular expression applied to HTTP headers and to the
5807 response line. This is an extended regular expression, so
5808 parenthesis grouping is supported and no preliminary backslash
5809 is required. Any space or known delimiter must be escaped using
5810 a backslash ('\'). The pattern applies to a full line at a time.
5811 The "rsprep" keyword strictly matches case while "rspirep"
5812 ignores case.
5813
5814 <string> is the complete line to be added. Any space or known delimiter
5815 must be escaped using a backslash ('\'). References to matched
5816 pattern groups are possible using the common \N form, with N
5817 being a single digit between 0 and 9. Please refer to section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005818 6 about HTTP header manipulation for more information.
Willy Tarreau303c0352008-01-17 19:01:39 +01005819
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005820 <cond> is an optional matching condition built from ACLs. It makes it
5821 possible to ignore this rule when other conditions are not met.
5822
Willy Tarreau303c0352008-01-17 19:01:39 +01005823 Any line matching extended regular expression <search> in the response (both
5824 the response line and header lines) will be completely replaced with
5825 <string>. Most common use of this is to rewrite Location headers.
5826
5827 Header transformations only apply to traffic which passes through HAProxy,
5828 and not to traffic generated by HAProxy, such as health-checks or error
5829 responses. Note that for increased readability, it is suggested to add enough
5830 spaces between the request and the response. Keep in mind that header names
5831 are not case-sensitive.
5832
5833 Example :
5834 # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
5835 rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
5836
Willy Tarreaufdb563c2010-01-31 15:43:27 +01005837 See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
5838 manipulation, and section 7 about ACLs.
Willy Tarreau303c0352008-01-17 19:01:39 +01005839
5840
David du Colombier486df472011-03-17 10:40:26 +01005841server <name> <address>[:[port]] [param*]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005842 Declare a server in a backend
5843 May be used in sections : defaults | frontend | listen | backend
5844 no | no | yes | yes
5845 Arguments :
5846 <name> is the internal name assigned to this server. This name will
Cyril Bonté941a0c62012-10-15 19:44:24 +02005847 appear in logs and alerts. If "http-send-name-header" is
Mark Lamourinec2247f02012-01-04 13:02:01 -05005848 set, it will be added to the request header sent to the server.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005849
David du Colombier486df472011-03-17 10:40:26 +01005850 <address> is the IPv4 or IPv6 address of the server. Alternatively, a
5851 resolvable hostname is supported, but this name will be resolved
5852 during start-up. Address "0.0.0.0" or "*" has a special meaning.
5853 It indicates that the connection will be forwarded to the same IP
Willy Tarreaud669a4f2010-07-13 14:49:50 +02005854 address as the one from the client connection. This is useful in
5855 transparent proxy architectures where the client's connection is
5856 intercepted and haproxy must forward to the original destination
5857 address. This is more or less what the "transparent" keyword does
5858 except that with a server it's possible to limit concurrency and
Willy Tarreau24709282013-03-10 21:32:12 +01005859 to report statistics. Optionally, an address family prefix may be
5860 used before the address to force the family regardless of the
5861 address format, which can be useful to specify a path to a unix
5862 socket with no slash ('/'). Currently supported prefixes are :
5863 - 'ipv4@' -> address is always IPv4
5864 - 'ipv6@' -> address is always IPv6
5865 - 'unix@' -> address is a path to a local unix socket
Willy Tarreauccfccef2014-05-10 01:49:15 +02005866 - 'abns@' -> address is in abstract namespace (Linux only)
Willy Tarreaudad36a32013-03-11 01:20:04 +01005867 Any part of the address string may reference any number of
5868 environment variables by preceding their name with a dollar
5869 sign ('$') and optionally enclosing them with braces ('{}'),
5870 similarly to what is done in Bourne shell.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005871
Willy Tarreaub6205fd2012-09-24 12:27:33 +02005872 <port> is an optional port specification. If set, all connections will
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005873 be sent to this port. If unset, the same port the client
5874 connected to will be used. The port may also be prefixed by a "+"
5875 or a "-". In this case, the server's port will be determined by
5876 adding this value to the client's port.
5877
5878 <param*> is a list of parameters for this server. The "server" keywords
5879 accepts an important number of options and has a complete section
Willy Tarreauc57f0e22009-05-10 13:12:33 +02005880 dedicated to it. Please refer to section 5 for more details.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005881
5882 Examples :
5883 server first 10.1.1.1:1080 cookie first check inter 1000
5884 server second 10.1.1.2:1080 cookie second check inter 1000
Willy Tarreau24709282013-03-10 21:32:12 +01005885 server transp ipv4@
Willy Tarreaudad36a32013-03-11 01:20:04 +01005886 server backup ${SRV_BACKUP}:1080 backup
5887 server www1_dc1 ${LAN_DC1}.101:80
5888 server www1_dc2 ${LAN_DC2}.101:80
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005889
Mark Lamourinec2247f02012-01-04 13:02:01 -05005890 See also: "default-server", "http-send-name-header" and section 5 about
5891 server options
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005892
5893
5894source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02005895source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreaud53f96b2009-02-04 18:46:54 +01005896source <addr>[:<port>] [interface <name>]
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005897 Set the source address for outgoing connections
5898 May be used in sections : defaults | frontend | listen | backend
5899 yes | no | yes | yes
5900 Arguments :
5901 <addr> is the IPv4 address HAProxy will bind to before connecting to a
5902 server. This address is also used as a source for health checks.
Willy Tarreau24709282013-03-10 21:32:12 +01005903
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005904 The default value of 0.0.0.0 means that the system will select
Willy Tarreau24709282013-03-10 21:32:12 +01005905 the most appropriate address to reach its destination. Optionally
5906 an address family prefix may be used before the address to force
5907 the family regardless of the address format, which can be useful
5908 to specify a path to a unix socket with no slash ('/'). Currently
5909 supported prefixes are :
5910 - 'ipv4@' -> address is always IPv4
5911 - 'ipv6@' -> address is always IPv6
5912 - 'unix@' -> address is a path to a local unix socket
Willy Tarreauccfccef2014-05-10 01:49:15 +02005913 - 'abns@' -> address is in abstract namespace (Linux only)
Willy Tarreaudad36a32013-03-11 01:20:04 +01005914 Any part of the address string may reference any number of
5915 environment variables by preceding their name with a dollar
5916 sign ('$') and optionally enclosing them with braces ('{}'),
5917 similarly to what is done in Bourne shell.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005918
5919 <port> is an optional port. It is normally not needed but may be useful
5920 in some very specific contexts. The default value of zero means
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02005921 the system will select a free port. Note that port ranges are not
5922 supported in the backend. If you want to force port ranges, you
5923 have to specify them on each "server" line.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005924
5925 <addr2> is the IP address to present to the server when connections are
5926 forwarded in full transparent proxy mode. This is currently only
5927 supported on some patched Linux kernels. When this address is
5928 specified, clients connecting to the server will be presented
5929 with this address, while health checks will still use the address
5930 <addr>.
5931
5932 <port2> is the optional port to present to the server when connections
5933 are forwarded in full transparent proxy mode (see <addr2> above).
5934 The default value of zero means the system will select a free
5935 port.
5936
Willy Tarreaubce70882009-09-07 11:51:47 +02005937 <hdr> is the name of a HTTP header in which to fetch the IP to bind to.
5938 This is the name of a comma-separated header list which can
5939 contain multiple IP addresses. By default, the last occurrence is
5940 used. This is designed to work with the X-Forwarded-For header
Baptiste Assmannea3e73b2013-02-02 23:47:49 +01005941 and to automatically bind to the client's IP address as seen
Willy Tarreaubce70882009-09-07 11:51:47 +02005942 by previous proxy, typically Stunnel. In order to use another
5943 occurrence from the last one, please see the <occ> parameter
5944 below. When the header (or occurrence) is not found, no binding
5945 is performed so that the proxy's default IP address is used. Also
5946 keep in mind that the header name is case insensitive, as for any
5947 HTTP header.
5948
5949 <occ> is the occurrence number of a value to be used in a multi-value
5950 header. This is to be used in conjunction with "hdr_ip(<hdr>)",
Jamie Gloudonaaa21002012-08-25 00:18:33 -04005951 in order to specify which occurrence to use for the source IP
Willy Tarreaubce70882009-09-07 11:51:47 +02005952 address. Positive values indicate a position from the first
5953 occurrence, 1 being the first one. Negative values indicate
5954 positions relative to the last one, -1 being the last one. This
5955 is helpful for situations where an X-Forwarded-For header is set
5956 at the entry point of an infrastructure and must be used several
5957 proxy layers away. When this value is not specified, -1 is
5958 assumed. Passing a zero here disables the feature.
5959
Willy Tarreaud53f96b2009-02-04 18:46:54 +01005960 <name> is an optional interface name to which to bind to for outgoing
5961 traffic. On systems supporting this features (currently, only
5962 Linux), this allows one to bind all traffic to the server to
5963 this interface even if it is not the one the system would select
5964 based on routing tables. This should be used with extreme care.
5965 Note that using this option requires root privileges.
5966
Willy Tarreaueabeafa2008-01-16 16:17:06 +01005967 The "source" keyword is useful in complex environments where a specific
5968 address only is allowed to connect to the servers. It may be needed when a
5969 private address must be used through a public gateway for instance, and it is
5970 known that the system cannot determine the adequate source address by itself.
5971
5972 An extension which is available on certain patched Linux kernels may be used
5973 through the "usesrc" optional keyword. It makes it possible to connect to the
5974 servers with an IP address which does not belong to the system itself. This
5975 is called "full transparent proxy mode". For this to work, the destination
5976 servers have to route their traffic back to this address through the machine
5977 running HAProxy, and IP forwarding must generally be enabled on this machine.
5978
5979 In this "full transparent proxy" mode, it is possible to force a specific IP
5980 address to be presented to the servers. This is not much used in fact. A more
5981 common use is to tell HAProxy to present the client's IP address. For this,
5982 there are two methods :
5983
5984 - present the client's IP and port addresses. This is the most transparent
5985 mode, but it can cause problems when IP connection tracking is enabled on
5986 the machine, because a same connection may be seen twice with different
5987 states. However, this solution presents the huge advantage of not
5988 limiting the system to the 64k outgoing address+port couples, because all
5989 of the client ranges may be used.
5990
5991 - present only the client's IP address and select a spare port. This
5992 solution is still quite elegant but slightly less transparent (downstream
5993 firewalls logs will not match upstream's). It also presents the downside
5994 of limiting the number of concurrent connections to the usual 64k ports.
5995 However, since the upstream and downstream ports are different, local IP
5996 connection tracking on the machine will not be upset by the reuse of the
5997 same session.
5998
5999 Note that depending on the transparent proxy technology used, it may be
6000 required to force the source address. In fact, cttproxy version 2 requires an
6001 IP address in <addr> above, and does not support setting of "0.0.0.0" as the
6002 IP address because it creates NAT entries which much match the exact outgoing
6003 address. Tproxy version 4 and some other kernel patches which work in pure
6004 forwarding mode generally will not have this limitation.
6005
6006 This option sets the default source for all servers in the backend. It may
6007 also be specified in a "defaults" section. Finer source address specification
6008 is possible at the server level using the "source" server option. Refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006009 section 5 for more information.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006010
6011 Examples :
6012 backend private
6013 # Connect to the servers using our 192.168.1.200 source address
6014 source 192.168.1.200
6015
6016 backend transparent_ssl1
6017 # Connect to the SSL farm from the client's source address
6018 source 192.168.1.200 usesrc clientip
6019
6020 backend transparent_ssl2
6021 # Connect to the SSL farm from the client's source address and port
6022 # not recommended if IP conntrack is present on the local machine.
6023 source 192.168.1.200 usesrc client
6024
6025 backend transparent_ssl3
6026 # Connect to the SSL farm from the client's source address. It
6027 # is more conntrack-friendly.
6028 source 192.168.1.200 usesrc clientip
6029
6030 backend transparent_smtp
6031 # Connect to the SMTP farm from the client's source address/port
6032 # with Tproxy version 4.
6033 source 0.0.0.0 usesrc clientip
6034
Willy Tarreaubce70882009-09-07 11:51:47 +02006035 backend transparent_http
6036 # Connect to the servers using the client's IP as seen by previous
6037 # proxy.
6038 source 0.0.0.0 usesrc hdr_ip(x-forwarded-for,-1)
6039
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006040 See also : the "source" server option in section 5, the Tproxy patches for
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006041 the Linux kernel on www.balabit.com, the "bind" keyword.
6042
Krzysztof Piotr Oledzki25b501a2008-01-06 16:36:16 +01006043
Willy Tarreau844e3c52008-01-11 16:28:18 +01006044srvtimeout <timeout> (deprecated)
6045 Set the maximum inactivity time on the server side.
6046 May be used in sections : defaults | frontend | listen | backend
6047 yes | no | yes | yes
6048 Arguments :
6049 <timeout> is the timeout value specified in milliseconds by default, but
6050 can be in any other unit if the number is suffixed by the unit,
6051 as explained at the top of this document.
6052
6053 The inactivity timeout applies when the server is expected to acknowledge or
6054 send data. In HTTP mode, this timeout is particularly important to consider
6055 during the first phase of the server's response, when it has to send the
6056 headers, as it directly represents the server's processing time for the
6057 request. To find out what value to put there, it's often good to start with
6058 what would be considered as unacceptable response times, then check the logs
6059 to observe the response time distribution, and adjust the value accordingly.
6060
6061 The value is specified in milliseconds by default, but can be in any other
6062 unit if the number is suffixed by the unit, as specified at the top of this
6063 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
6064 recommended that the client timeout remains equal to the server timeout in
6065 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01006066 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01006067 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreaud72758d2010-01-12 10:42:19 +01006068 seconds (eg: 4 or 5 seconds minimum).
Willy Tarreau844e3c52008-01-11 16:28:18 +01006069
6070 This parameter is specific to backends, but can be specified once for all in
6071 "defaults" sections. This is in fact one of the easiest solutions not to
6072 forget about it. An unspecified timeout results in an infinite timeout, which
6073 is not recommended. Such a usage is accepted and works but reports a warning
6074 during startup because it may results in accumulation of expired sessions in
6075 the system if the system's timeouts are not configured either.
6076
6077 This parameter is provided for compatibility but is currently deprecated.
6078 Please use "timeout server" instead.
6079
Willy Tarreauce887fd2012-05-12 12:50:00 +02006080 See also : "timeout server", "timeout tunnel", "timeout client" and
6081 "clitimeout".
Willy Tarreau844e3c52008-01-11 16:28:18 +01006082
6083
Cyril Bonté66c327d2010-10-12 00:14:37 +02006084stats admin { if | unless } <cond>
6085 Enable statistics admin level if/unless a condition is matched
6086 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006087 no | yes | yes | yes
Cyril Bonté66c327d2010-10-12 00:14:37 +02006088
6089 This statement enables the statistics admin level if/unless a condition is
6090 matched.
6091
6092 The admin level allows to enable/disable servers from the web interface. By
6093 default, statistics page is read-only for security reasons.
6094
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006095 Note : Consider not using this feature in multi-process mode (nbproc > 1)
6096 unless you know what you do : memory is not shared between the
6097 processes, which can result in random behaviours.
6098
Cyril Bonté23b39d92011-02-10 22:54:44 +01006099 Currently, the POST request is limited to the buffer size minus the reserved
6100 buffer space, which means that if the list of servers is too long, the
6101 request won't be processed. It is recommended to alter few servers at a
6102 time.
Cyril Bonté66c327d2010-10-12 00:14:37 +02006103
6104 Example :
6105 # statistics admin level only for localhost
6106 backend stats_localhost
6107 stats enable
6108 stats admin if LOCALHOST
6109
6110 Example :
6111 # statistics admin level always enabled because of the authentication
6112 backend stats_auth
6113 stats enable
6114 stats auth admin:AdMiN123
6115 stats admin if TRUE
6116
6117 Example :
6118 # statistics admin level depends on the authenticated user
6119 userlist stats-auth
6120 group admin users admin
6121 user admin insecure-password AdMiN123
6122 group readonly users haproxy
6123 user haproxy insecure-password haproxy
6124
6125 backend stats_auth
6126 stats enable
6127 acl AUTH http_auth(stats-auth)
6128 acl AUTH_ADMIN http_auth_group(stats-auth) admin
6129 stats http-request auth unless AUTH
6130 stats admin if AUTH_ADMIN
6131
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006132 See also : "stats enable", "stats auth", "stats http-request", "nbproc",
6133 "bind-process", section 3.4 about userlists and section 7 about
6134 ACL usage.
Cyril Bonté66c327d2010-10-12 00:14:37 +02006135
6136
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006137stats auth <user>:<passwd>
6138 Enable statistics with authentication and grant access to an account
6139 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006140 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006141 Arguments :
6142 <user> is a user name to grant access to
6143
6144 <passwd> is the cleartext password associated to this user
6145
6146 This statement enables statistics with default settings, and restricts access
6147 to declared users only. It may be repeated as many times as necessary to
6148 allow as many users as desired. When a user tries to access the statistics
6149 without a valid account, a "401 Forbidden" response will be returned so that
6150 the browser asks the user to provide a valid user and password. The real
6151 which will be returned to the browser is configurable using "stats realm".
6152
6153 Since the authentication method is HTTP Basic Authentication, the passwords
6154 circulate in cleartext on the network. Thus, it was decided that the
6155 configuration file would also use cleartext passwords to remind the users
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02006156 that those ones should not be sensitive and not shared with any other account.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006157
6158 It is also possible to reduce the scope of the proxies which appear in the
6159 report using "stats scope".
6160
6161 Though this statement alone is enough to enable statistics reporting, it is
6162 recommended to set all other settings in order to avoid relying on default
6163 unobvious parameters.
6164
6165 Example :
6166 # public access (limited to this backend only)
6167 backend public_www
6168 server srv1 192.168.0.1:80
6169 stats enable
6170 stats hide-version
6171 stats scope .
6172 stats uri /admin?stats
6173 stats realm Haproxy\ Statistics
6174 stats auth admin1:AdMiN123
6175 stats auth admin2:AdMiN321
6176
6177 # internal monitoring access (unlimited)
6178 backend private_monitoring
6179 stats enable
6180 stats uri /admin?stats
6181 stats refresh 5s
6182
6183 See also : "stats enable", "stats realm", "stats scope", "stats uri"
6184
6185
6186stats enable
6187 Enable statistics reporting with default settings
6188 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006189 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006190 Arguments : none
6191
6192 This statement enables statistics reporting with default settings defined
6193 at build time. Unless stated otherwise, these settings are used :
6194 - stats uri : /haproxy?stats
6195 - stats realm : "HAProxy Statistics"
6196 - stats auth : no authentication
6197 - stats scope : no restriction
6198
6199 Though this statement alone is enough to enable statistics reporting, it is
6200 recommended to set all other settings in order to avoid relying on default
6201 unobvious parameters.
6202
6203 Example :
6204 # public access (limited to this backend only)
6205 backend public_www
6206 server srv1 192.168.0.1:80
6207 stats enable
6208 stats hide-version
6209 stats scope .
6210 stats uri /admin?stats
6211 stats realm Haproxy\ Statistics
6212 stats auth admin1:AdMiN123
6213 stats auth admin2:AdMiN321
6214
6215 # internal monitoring access (unlimited)
6216 backend private_monitoring
6217 stats enable
6218 stats uri /admin?stats
6219 stats refresh 5s
6220
6221 See also : "stats auth", "stats realm", "stats uri"
6222
6223
Willy Tarreaud63335a2010-02-26 12:56:52 +01006224stats hide-version
6225 Enable statistics and hide HAProxy version reporting
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006226 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006227 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01006228 Arguments : none
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006229
Willy Tarreaud63335a2010-02-26 12:56:52 +01006230 By default, the stats page reports some useful status information along with
6231 the statistics. Among them is HAProxy's version. However, it is generally
6232 considered dangerous to report precise version to anyone, as it can help them
6233 target known weaknesses with specific attacks. The "stats hide-version"
6234 statement removes the version from the statistics report. This is recommended
6235 for public sites or any site with a weak login/password.
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006236
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02006237 Though this statement alone is enough to enable statistics reporting, it is
6238 recommended to set all other settings in order to avoid relying on default
6239 unobvious parameters.
6240
Willy Tarreaud63335a2010-02-26 12:56:52 +01006241 Example :
6242 # public access (limited to this backend only)
6243 backend public_www
6244 server srv1 192.168.0.1:80
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +02006245 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01006246 stats hide-version
6247 stats scope .
6248 stats uri /admin?stats
6249 stats realm Haproxy\ Statistics
6250 stats auth admin1:AdMiN123
6251 stats auth admin2:AdMiN321
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006252
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006253 # internal monitoring access (unlimited)
6254 backend private_monitoring
6255 stats enable
Willy Tarreaud63335a2010-02-26 12:56:52 +01006256 stats uri /admin?stats
6257 stats refresh 5s
Krzysztof Piotr Oledzki15514c22010-01-04 16:03:09 +01006258
Willy Tarreaud63335a2010-02-26 12:56:52 +01006259 See also : "stats auth", "stats enable", "stats realm", "stats uri"
Willy Tarreau1d45b7c2009-08-16 10:29:18 +02006260
Willy Tarreau983e01e2010-01-11 18:42:06 +01006261
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02006262stats http-request { allow | deny | auth [realm <realm>] }
6263 [ { if | unless } <condition> ]
6264 Access control for statistics
6265
6266 May be used in sections: defaults | frontend | listen | backend
6267 no | no | yes | yes
6268
6269 As "http-request", these set of options allow to fine control access to
6270 statistics. Each option may be followed by if/unless and acl.
6271 First option with matched condition (or option without condition) is final.
6272 For "deny" a 403 error will be returned, for "allow" normal processing is
6273 performed, for "auth" a 401/407 error code is returned so the client
6274 should be asked to enter a username and password.
6275
6276 There is no fixed limit to the number of http-request statements per
6277 instance.
6278
6279 See also : "http-request", section 3.4 about userlists and section 7
6280 about ACL usage.
6281
6282
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006283stats realm <realm>
6284 Enable statistics and set authentication realm
6285 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006286 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006287 Arguments :
6288 <realm> is the name of the HTTP Basic Authentication realm reported to
6289 the browser. The browser uses it to display it in the pop-up
6290 inviting the user to enter a valid username and password.
6291
6292 The realm is read as a single word, so any spaces in it should be escaped
6293 using a backslash ('\').
6294
6295 This statement is useful only in conjunction with "stats auth" since it is
6296 only related to authentication.
6297
6298 Though this statement alone is enough to enable statistics reporting, it is
6299 recommended to set all other settings in order to avoid relying on default
6300 unobvious parameters.
6301
6302 Example :
6303 # public access (limited to this backend only)
6304 backend public_www
6305 server srv1 192.168.0.1:80
6306 stats enable
6307 stats hide-version
6308 stats scope .
6309 stats uri /admin?stats
6310 stats realm Haproxy\ Statistics
6311 stats auth admin1:AdMiN123
6312 stats auth admin2:AdMiN321
6313
6314 # internal monitoring access (unlimited)
6315 backend private_monitoring
6316 stats enable
6317 stats uri /admin?stats
6318 stats refresh 5s
6319
6320 See also : "stats auth", "stats enable", "stats uri"
6321
6322
6323stats refresh <delay>
6324 Enable statistics with automatic refresh
6325 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006326 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006327 Arguments :
6328 <delay> is the suggested refresh delay, specified in seconds, which will
6329 be returned to the browser consulting the report page. While the
6330 browser is free to apply any delay, it will generally respect it
6331 and refresh the page this every seconds. The refresh interval may
6332 be specified in any other non-default time unit, by suffixing the
6333 unit after the value, as explained at the top of this document.
6334
6335 This statement is useful on monitoring displays with a permanent page
6336 reporting the load balancer's activity. When set, the HTML report page will
6337 include a link "refresh"/"stop refresh" so that the user can select whether
6338 he wants automatic refresh of the page or not.
6339
6340 Though this statement alone is enough to enable statistics reporting, it is
6341 recommended to set all other settings in order to avoid relying on default
6342 unobvious parameters.
6343
6344 Example :
6345 # public access (limited to this backend only)
6346 backend public_www
6347 server srv1 192.168.0.1:80
6348 stats enable
6349 stats hide-version
6350 stats scope .
6351 stats uri /admin?stats
6352 stats realm Haproxy\ Statistics
6353 stats auth admin1:AdMiN123
6354 stats auth admin2:AdMiN321
6355
6356 # internal monitoring access (unlimited)
6357 backend private_monitoring
6358 stats enable
6359 stats uri /admin?stats
6360 stats refresh 5s
6361
6362 See also : "stats auth", "stats enable", "stats realm", "stats uri"
6363
6364
6365stats scope { <name> | "." }
6366 Enable statistics and limit access scope
6367 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006368 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006369 Arguments :
6370 <name> is the name of a listen, frontend or backend section to be
6371 reported. The special name "." (a single dot) designates the
6372 section in which the statement appears.
6373
6374 When this statement is specified, only the sections enumerated with this
6375 statement will appear in the report. All other ones will be hidden. This
6376 statement may appear as many times as needed if multiple sections need to be
6377 reported. Please note that the name checking is performed as simple string
6378 comparisons, and that it is never checked that a give section name really
6379 exists.
6380
6381 Though this statement alone is enough to enable statistics reporting, it is
6382 recommended to set all other settings in order to avoid relying on default
6383 unobvious parameters.
6384
6385 Example :
6386 # public access (limited to this backend only)
6387 backend public_www
6388 server srv1 192.168.0.1:80
6389 stats enable
6390 stats hide-version
6391 stats scope .
6392 stats uri /admin?stats
6393 stats realm Haproxy\ Statistics
6394 stats auth admin1:AdMiN123
6395 stats auth admin2:AdMiN321
6396
6397 # internal monitoring access (unlimited)
6398 backend private_monitoring
6399 stats enable
6400 stats uri /admin?stats
6401 stats refresh 5s
6402
6403 See also : "stats auth", "stats enable", "stats realm", "stats uri"
6404
Willy Tarreaud63335a2010-02-26 12:56:52 +01006405
Willy Tarreauc9705a12010-07-27 20:05:50 +02006406stats show-desc [ <desc> ]
Willy Tarreaud63335a2010-02-26 12:56:52 +01006407 Enable reporting of a description on the statistics page.
6408 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006409 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01006410
Willy Tarreauc9705a12010-07-27 20:05:50 +02006411 <desc> is an optional description to be reported. If unspecified, the
Willy Tarreaud63335a2010-02-26 12:56:52 +01006412 description from global section is automatically used instead.
6413
6414 This statement is useful for users that offer shared services to their
6415 customers, where node or description should be different for each customer.
6416
6417 Though this statement alone is enough to enable statistics reporting, it is
6418 recommended to set all other settings in order to avoid relying on default
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04006419 unobvious parameters. By default description is not shown.
Willy Tarreaud63335a2010-02-26 12:56:52 +01006420
6421 Example :
6422 # internal monitoring access (unlimited)
6423 backend private_monitoring
6424 stats enable
6425 stats show-desc Master node for Europe, Asia, Africa
6426 stats uri /admin?stats
6427 stats refresh 5s
6428
6429 See also: "show-node", "stats enable", "stats uri" and "description" in
6430 global section.
6431
6432
6433stats show-legends
Willy Tarreaued2119c2014-04-24 22:10:39 +02006434 Enable reporting additional information on the statistics page
6435 May be used in sections : defaults | frontend | listen | backend
6436 yes | yes | yes | yes
6437 Arguments : none
6438
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03006439 Enable reporting additional information on the statistics page :
Willy Tarreaud63335a2010-02-26 12:56:52 +01006440 - cap: capabilities (proxy)
6441 - mode: one of tcp, http or health (proxy)
6442 - id: SNMP ID (proxy, socket, server)
6443 - IP (socket, server)
6444 - cookie (backend, server)
6445
6446 Though this statement alone is enough to enable statistics reporting, it is
6447 recommended to set all other settings in order to avoid relying on default
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04006448 unobvious parameters. Default behaviour is not to show this information.
Willy Tarreaud63335a2010-02-26 12:56:52 +01006449
6450 See also: "stats enable", "stats uri".
6451
6452
6453stats show-node [ <name> ]
6454 Enable reporting of a host name on the statistics page.
6455 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006456 yes | yes | yes | yes
Willy Tarreaud63335a2010-02-26 12:56:52 +01006457 Arguments:
6458 <name> is an optional name to be reported. If unspecified, the
6459 node name from global section is automatically used instead.
6460
6461 This statement is useful for users that offer shared services to their
6462 customers, where node or description might be different on a stats page
Dmitry Sivachenko7823de32012-05-16 14:00:26 +04006463 provided for each customer. Default behaviour is not to show host name.
Willy Tarreaud63335a2010-02-26 12:56:52 +01006464
6465 Though this statement alone is enough to enable statistics reporting, it is
6466 recommended to set all other settings in order to avoid relying on default
6467 unobvious parameters.
6468
6469 Example:
6470 # internal monitoring access (unlimited)
6471 backend private_monitoring
6472 stats enable
6473 stats show-node Europe-1
6474 stats uri /admin?stats
6475 stats refresh 5s
6476
6477 See also: "show-desc", "stats enable", "stats uri", and "node" in global
6478 section.
6479
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006480
6481stats uri <prefix>
6482 Enable statistics and define the URI prefix to access them
6483 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaued2119c2014-04-24 22:10:39 +02006484 yes | yes | yes | yes
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006485 Arguments :
6486 <prefix> is the prefix of any URI which will be redirected to stats. This
6487 prefix may contain a question mark ('?') to indicate part of a
6488 query string.
6489
6490 The statistics URI is intercepted on the relayed traffic, so it appears as a
6491 page within the normal application. It is strongly advised to ensure that the
6492 selected URI will never appear in the application, otherwise it will never be
6493 possible to reach it in the application.
6494
6495 The default URI compiled in haproxy is "/haproxy?stats", but this may be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01006496 changed at build time, so it's better to always explicitly specify it here.
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006497 It is generally a good idea to include a question mark in the URI so that
6498 intermediate proxies refrain from caching the results. Also, since any string
6499 beginning with the prefix will be accepted as a stats request, the question
6500 mark helps ensuring that no valid URI will begin with the same words.
6501
6502 It is sometimes very convenient to use "/" as the URI prefix, and put that
6503 statement in a "listen" instance of its own. That makes it easy to dedicate
6504 an address or a port to statistics only.
6505
6506 Though this statement alone is enough to enable statistics reporting, it is
6507 recommended to set all other settings in order to avoid relying on default
6508 unobvious parameters.
6509
6510 Example :
6511 # public access (limited to this backend only)
6512 backend public_www
6513 server srv1 192.168.0.1:80
6514 stats enable
6515 stats hide-version
6516 stats scope .
6517 stats uri /admin?stats
6518 stats realm Haproxy\ Statistics
6519 stats auth admin1:AdMiN123
6520 stats auth admin2:AdMiN321
6521
6522 # internal monitoring access (unlimited)
6523 backend private_monitoring
6524 stats enable
6525 stats uri /admin?stats
6526 stats refresh 5s
6527
6528 See also : "stats auth", "stats enable", "stats realm"
6529
6530
Willy Tarreaud63335a2010-02-26 12:56:52 +01006531stick match <pattern> [table <table>] [{if | unless} <cond>]
6532 Define a request pattern matching condition to stick a user to a server
Willy Tarreaueabeafa2008-01-16 16:17:06 +01006533 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaud63335a2010-02-26 12:56:52 +01006534 no | no | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006535
6536 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02006537 <pattern> is a sample expression rule as described in section 7.3. It
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006538 describes what elements of the incoming request or connection
6539 will be analysed in the hope to find a matching entry in a
6540 stickiness table. This rule is mandatory.
6541
6542 <table> is an optional stickiness table name. If unspecified, the same
6543 backend's table is used. A stickiness table is declared using
6544 the "stick-table" statement.
6545
6546 <cond> is an optional matching condition. It makes it possible to match
6547 on a certain criterion only when other conditions are met (or
6548 not met). For instance, it could be used to match on a source IP
6549 address except when a request passes through a known proxy, in
6550 which case we'd match on a header containing that IP address.
6551
6552 Some protocols or applications require complex stickiness rules and cannot
6553 always simply rely on cookies nor hashing. The "stick match" statement
6554 describes a rule to extract the stickiness criterion from an incoming request
6555 or connection. See section 7 for a complete list of possible patterns and
6556 transformation rules.
6557
6558 The table has to be declared using the "stick-table" statement. It must be of
6559 a type compatible with the pattern. By default it is the one which is present
6560 in the same backend. It is possible to share a table with other backends by
6561 referencing it using the "table" keyword. If another table is referenced,
6562 the server's ID inside the backends are used. By default, all server IDs
6563 start at 1 in each backend, so the server ordering is enough. But in case of
6564 doubt, it is highly recommended to force server IDs using their "id" setting.
6565
6566 It is possible to restrict the conditions where a "stick match" statement
6567 will apply, using "if" or "unless" followed by a condition. See section 7 for
6568 ACL based conditions.
6569
6570 There is no limit on the number of "stick match" statements. The first that
6571 applies and matches will cause the request to be directed to the same server
6572 as was used for the request which created the entry. That way, multiple
6573 matches can be used as fallbacks.
6574
6575 The stick rules are checked after the persistence cookies, so they will not
6576 affect stickiness if a cookie has already been used to select a server. That
6577 way, it becomes very easy to insert cookies and match on IP addresses in
6578 order to maintain stickiness between HTTP and HTTPS.
6579
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006580 Note : Consider not using this feature in multi-process mode (nbproc > 1)
6581 unless you know what you do : memory is not shared between the
6582 processes, which can result in random behaviours.
6583
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006584 Example :
6585 # forward SMTP users to the same server they just used for POP in the
6586 # last 30 minutes
6587 backend pop
6588 mode tcp
6589 balance roundrobin
6590 stick store-request src
6591 stick-table type ip size 200k expire 30m
6592 server s1 192.168.1.1:110
6593 server s2 192.168.1.1:110
6594
6595 backend smtp
6596 mode tcp
6597 balance roundrobin
6598 stick match src table pop
6599 server s1 192.168.1.1:25
6600 server s2 192.168.1.1:25
6601
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006602 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
Willy Tarreaube722a22014-06-13 16:31:59 +02006603 about ACLs and samples fetching.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006604
6605
6606stick on <pattern> [table <table>] [{if | unless} <condition>]
6607 Define a request pattern to associate a user to a server
6608 May be used in sections : defaults | frontend | listen | backend
6609 no | no | yes | yes
6610
6611 Note : This form is exactly equivalent to "stick match" followed by
6612 "stick store-request", all with the same arguments. Please refer
6613 to both keywords for details. It is only provided as a convenience
6614 for writing more maintainable configurations.
6615
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006616 Note : Consider not using this feature in multi-process mode (nbproc > 1)
6617 unless you know what you do : memory is not shared between the
6618 processes, which can result in random behaviours.
6619
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006620 Examples :
6621 # The following form ...
Willy Tarreauec579d82010-02-26 19:15:04 +01006622 stick on src table pop if !localhost
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006623
6624 # ...is strictly equivalent to this one :
6625 stick match src table pop if !localhost
6626 stick store-request src table pop if !localhost
6627
6628
6629 # Use cookie persistence for HTTP, and stick on source address for HTTPS as
6630 # well as HTTP without cookie. Share the same table between both accesses.
6631 backend http
6632 mode http
6633 balance roundrobin
6634 stick on src table https
6635 cookie SRV insert indirect nocache
6636 server s1 192.168.1.1:80 cookie s1
6637 server s2 192.168.1.1:80 cookie s2
6638
6639 backend https
6640 mode tcp
6641 balance roundrobin
6642 stick-table type ip size 200k expire 30m
6643 stick on src
6644 server s1 192.168.1.1:443
6645 server s2 192.168.1.1:443
6646
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006647 See also : "stick match", "stick store-request", "nbproc" and "bind-process".
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006648
6649
6650stick store-request <pattern> [table <table>] [{if | unless} <condition>]
6651 Define a request pattern used to create an entry in a stickiness table
6652 May be used in sections : defaults | frontend | listen | backend
6653 no | no | yes | yes
6654
6655 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02006656 <pattern> is a sample expression rule as described in section 7.3. It
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006657 describes what elements of the incoming request or connection
6658 will be analysed, extracted and stored in the table once a
6659 server is selected.
6660
6661 <table> is an optional stickiness table name. If unspecified, the same
6662 backend's table is used. A stickiness table is declared using
6663 the "stick-table" statement.
6664
6665 <cond> is an optional storage condition. It makes it possible to store
6666 certain criteria only when some conditions are met (or not met).
6667 For instance, it could be used to store the source IP address
6668 except when the request passes through a known proxy, in which
6669 case we'd store a converted form of a header containing that IP
6670 address.
6671
6672 Some protocols or applications require complex stickiness rules and cannot
6673 always simply rely on cookies nor hashing. The "stick store-request" statement
6674 describes a rule to decide what to extract from the request and when to do
6675 it, in order to store it into a stickiness table for further requests to
6676 match it using the "stick match" statement. Obviously the extracted part must
6677 make sense and have a chance to be matched in a further request. Storing a
6678 client's IP address for instance often makes sense. Storing an ID found in a
6679 URL parameter also makes sense. Storing a source port will almost never make
6680 any sense because it will be randomly matched. See section 7 for a complete
6681 list of possible patterns and transformation rules.
6682
6683 The table has to be declared using the "stick-table" statement. It must be of
6684 a type compatible with the pattern. By default it is the one which is present
6685 in the same backend. It is possible to share a table with other backends by
6686 referencing it using the "table" keyword. If another table is referenced,
6687 the server's ID inside the backends are used. By default, all server IDs
6688 start at 1 in each backend, so the server ordering is enough. But in case of
6689 doubt, it is highly recommended to force server IDs using their "id" setting.
6690
6691 It is possible to restrict the conditions where a "stick store-request"
6692 statement will apply, using "if" or "unless" followed by a condition. This
6693 condition will be evaluated while parsing the request, so any criteria can be
6694 used. See section 7 for ACL based conditions.
6695
6696 There is no limit on the number of "stick store-request" statements, but
6697 there is a limit of 8 simultaneous stores per request or response. This
6698 makes it possible to store up to 8 criteria, all extracted from either the
6699 request or the response, regardless of the number of rules. Only the 8 first
6700 ones which match will be kept. Using this, it is possible to feed multiple
6701 tables at once in the hope to increase the chance to recognize a user on
Willy Tarreau9667a802013-12-09 12:52:13 +01006702 another protocol or access method. Using multiple store-request rules with
6703 the same table is possible and may be used to find the best criterion to rely
6704 on, by arranging the rules by decreasing preference order. Only the first
6705 extracted criterion for a given table will be stored. All subsequent store-
6706 request rules referencing the same table will be skipped and their ACLs will
6707 not be evaluated.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006708
6709 The "store-request" rules are evaluated once the server connection has been
6710 established, so that the table will contain the real server that processed
6711 the request.
6712
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006713 Note : Consider not using this feature in multi-process mode (nbproc > 1)
6714 unless you know what you do : memory is not shared between the
6715 processes, which can result in random behaviours.
6716
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006717 Example :
6718 # forward SMTP users to the same server they just used for POP in the
6719 # last 30 minutes
6720 backend pop
6721 mode tcp
6722 balance roundrobin
6723 stick store-request src
6724 stick-table type ip size 200k expire 30m
6725 server s1 192.168.1.1:110
6726 server s2 192.168.1.1:110
6727
6728 backend smtp
6729 mode tcp
6730 balance roundrobin
6731 stick match src table pop
6732 server s1 192.168.1.1:25
6733 server s2 192.168.1.1:25
6734
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006735 See also : "stick-table", "stick on", "nbproc", "bind-process" and section 7
Willy Tarreaube722a22014-06-13 16:31:59 +02006736 about ACLs and sample fetching.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006737
6738
Emeric Brun7c6b82e2010-09-24 16:34:28 +02006739stick-table type {ip | integer | string [len <length>] | binary [len <length>]}
Emeric Brunf099e792010-09-27 12:05:28 +02006740 size <size> [expire <expire>] [nopurge] [peers <peersect>]
6741 [store <data_type>]*
Godbach64cef792013-12-04 16:08:22 +08006742 Configure the stickiness table for the current section
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006743 May be used in sections : defaults | frontend | listen | backend
Willy Tarreauc00cdc22010-06-06 16:48:26 +02006744 no | yes | yes | yes
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006745
6746 Arguments :
6747 ip a table declared with "type ip" will only store IPv4 addresses.
6748 This form is very compact (about 50 bytes per entry) and allows
6749 very fast entry lookup and stores with almost no overhead. This
6750 is mainly used to store client source IP addresses.
6751
David du Colombier9a6d3c92011-03-17 10:40:24 +01006752 ipv6 a table declared with "type ipv6" will only store IPv6 addresses.
6753 This form is very compact (about 60 bytes per entry) and allows
6754 very fast entry lookup and stores with almost no overhead. This
6755 is mainly used to store client source IP addresses.
6756
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006757 integer a table declared with "type integer" will store 32bit integers
6758 which can represent a client identifier found in a request for
6759 instance.
6760
6761 string a table declared with "type string" will store substrings of up
6762 to <len> characters. If the string provided by the pattern
6763 extractor is larger than <len>, it will be truncated before
6764 being stored. During matching, at most <len> characters will be
6765 compared between the string in the table and the extracted
6766 pattern. When not specified, the string is automatically limited
Emeric Brun7c6b82e2010-09-24 16:34:28 +02006767 to 32 characters.
6768
6769 binary a table declared with "type binary" will store binary blocks
6770 of <len> bytes. If the block provided by the pattern
6771 extractor is larger than <len>, it will be truncated before
Willy Tarreaube722a22014-06-13 16:31:59 +02006772 being stored. If the block provided by the sample expression
Emeric Brun7c6b82e2010-09-24 16:34:28 +02006773 is shorter than <len>, it will be padded by 0. When not
6774 specified, the block is automatically limited to 32 bytes.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006775
6776 <length> is the maximum number of characters that will be stored in a
Emeric Brun7c6b82e2010-09-24 16:34:28 +02006777 "string" type table (See type "string" above). Or the number
6778 of bytes of the block in "binary" type table. Be careful when
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006779 changing this parameter as memory usage will proportionally
6780 increase.
6781
6782 <size> is the maximum number of entries that can fit in the table. This
Cyril Bonté78caf842010-03-10 22:41:43 +01006783 value directly impacts memory usage. Count approximately
6784 50 bytes per entry, plus the size of a string if any. The size
6785 supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006786
6787 [nopurge] indicates that we refuse to purge older entries when the table
6788 is full. When not specified and the table is full when haproxy
6789 wants to store an entry in it, it will flush a few of the oldest
6790 entries in order to release some space for the new ones. This is
6791 most often the desired behaviour. In some specific cases, it
6792 be desirable to refuse new entries instead of purging the older
6793 ones. That may be the case when the amount of data to store is
6794 far above the hardware limits and we prefer not to offer access
6795 to new clients than to reject the ones already connected. When
6796 using this parameter, be sure to properly set the "expire"
6797 parameter (see below).
6798
Emeric Brunf099e792010-09-27 12:05:28 +02006799 <peersect> is the name of the peers section to use for replication. Entries
6800 which associate keys to server IDs are kept synchronized with
6801 the remote peers declared in this section. All entries are also
6802 automatically learned from the local peer (old process) during a
6803 soft restart.
6804
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01006805 NOTE : peers can't be used in multi-process mode.
6806
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006807 <expire> defines the maximum duration of an entry in the table since it
6808 was last created, refreshed or matched. The expiration delay is
6809 defined using the standard time format, similarly as the various
6810 timeouts. The maximum duration is slightly above 24 days. See
6811 section 2.2 for more information. If this delay is not specified,
Cyril Bontédc4d9032012-04-08 21:57:39 +02006812 the session won't automatically expire, but older entries will
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006813 be removed once full. Be sure not to use the "nopurge" parameter
6814 if not expiration delay is specified.
6815
Willy Tarreau08d5f982010-06-06 13:34:54 +02006816 <data_type> is used to store additional information in the stick-table. This
6817 may be used by ACLs in order to control various criteria related
6818 to the activity of the client matching the stick-table. For each
6819 item specified here, the size of each entry will be inflated so
Willy Tarreauc9705a12010-07-27 20:05:50 +02006820 that the additional data can fit. Several data types may be
6821 stored with an entry. Multiple data types may be specified after
6822 the "store" keyword, as a comma-separated list. Alternatively,
6823 it is possible to repeat the "store" keyword followed by one or
6824 several data types. Except for the "server_id" type which is
6825 automatically detected and enabled, all data types must be
6826 explicitly declared to be stored. If an ACL references a data
6827 type which is not stored, the ACL will simply not match. Some
6828 data types require an argument which must be passed just after
6829 the type between parenthesis. See below for the supported data
6830 types and their arguments.
6831
6832 The data types that can be stored with an entry are the following :
6833 - server_id : this is an integer which holds the numeric ID of the server a
6834 request was assigned to. It is used by the "stick match", "stick store",
6835 and "stick on" rules. It is automatically enabled when referenced.
6836
6837 - gpc0 : first General Purpose Counter. It is a positive 32-bit integer
6838 integer which may be used for anything. Most of the time it will be used
6839 to put a special tag on some entries, for instance to note that a
6840 specific behaviour was detected and must be known for future matches.
6841
Willy Tarreauba2ffd12013-05-29 15:54:14 +02006842 - gpc0_rate(<period>) : increment rate of the first General Purpose Counter
6843 over a period. It is a positive 32-bit integer integer which may be used
6844 for anything. Just like <gpc0>, it counts events, but instead of keeping
6845 a cumulative count, it maintains the rate at which the counter is
6846 incremented. Most of the time it will be used to measure the frequency of
6847 occurrence of certain events (eg: requests to a specific URL).
6848
Willy Tarreauc9705a12010-07-27 20:05:50 +02006849 - conn_cnt : Connection Count. It is a positive 32-bit integer which counts
6850 the absolute number of connections received from clients which matched
6851 this entry. It does not mean the connections were accepted, just that
6852 they were received.
6853
6854 - conn_cur : Current Connections. It is a positive 32-bit integer which
6855 stores the concurrent connection counts for the entry. It is incremented
6856 once an incoming connection matches the entry, and decremented once the
6857 connection leaves. That way it is possible to know at any time the exact
6858 number of concurrent connections for an entry.
6859
6860 - conn_rate(<period>) : frequency counter (takes 12 bytes). It takes an
6861 integer parameter <period> which indicates in milliseconds the length
6862 of the period over which the average is measured. It reports the average
6863 incoming connection rate over that period, in connections per period. The
6864 result is an integer which can be matched using ACLs.
6865
6866 - sess_cnt : Session Count. It is a positive 32-bit integer which counts
6867 the absolute number of sessions received from clients which matched this
6868 entry. A session is a connection that was accepted by the layer 4 rules.
6869
6870 - sess_rate(<period>) : frequency counter (takes 12 bytes). It takes an
6871 integer parameter <period> which indicates in milliseconds the length
6872 of the period over which the average is measured. It reports the average
6873 incoming session rate over that period, in sessions per period. The
6874 result is an integer which can be matched using ACLs.
6875
6876 - http_req_cnt : HTTP request Count. It is a positive 32-bit integer which
6877 counts the absolute number of HTTP requests received from clients which
6878 matched this entry. It does not matter whether they are valid requests or
6879 not. Note that this is different from sessions when keep-alive is used on
6880 the client side.
6881
6882 - http_req_rate(<period>) : frequency counter (takes 12 bytes). It takes an
6883 integer parameter <period> which indicates in milliseconds the length
6884 of the period over which the average is measured. It reports the average
6885 HTTP request rate over that period, in requests per period. The result is
6886 an integer which can be matched using ACLs. It does not matter whether
6887 they are valid requests or not. Note that this is different from sessions
6888 when keep-alive is used on the client side.
6889
6890 - http_err_cnt : HTTP Error Count. It is a positive 32-bit integer which
6891 counts the absolute number of HTTP requests errors induced by clients
6892 which matched this entry. Errors are counted on invalid and truncated
6893 requests, as well as on denied or tarpitted requests, and on failed
6894 authentications. If the server responds with 4xx, then the request is
6895 also counted as an error since it's an error triggered by the client
6896 (eg: vulnerability scan).
6897
6898 - http_err_rate(<period>) : frequency counter (takes 12 bytes). It takes an
6899 integer parameter <period> which indicates in milliseconds the length
6900 of the period over which the average is measured. It reports the average
6901 HTTP request error rate over that period, in requests per period (see
6902 http_err_cnt above for what is accounted as an error). The result is an
6903 integer which can be matched using ACLs.
6904
6905 - bytes_in_cnt : client to server byte count. It is a positive 64-bit
6906 integer which counts the cumulated amount of bytes received from clients
6907 which matched this entry. Headers are included in the count. This may be
6908 used to limit abuse of upload features on photo or video servers.
6909
6910 - bytes_in_rate(<period>) : frequency counter (takes 12 bytes). It takes an
6911 integer parameter <period> which indicates in milliseconds the length
6912 of the period over which the average is measured. It reports the average
6913 incoming bytes rate over that period, in bytes per period. It may be used
6914 to detect users which upload too much and too fast. Warning: with large
6915 uploads, it is possible that the amount of uploaded data will be counted
6916 once upon termination, thus causing spikes in the average transfer speed
6917 instead of having a smooth one. This may partially be smoothed with
6918 "option contstats" though this is not perfect yet. Use of byte_in_cnt is
6919 recommended for better fairness.
6920
6921 - bytes_out_cnt : server to client byte count. It is a positive 64-bit
6922 integer which counts the cumulated amount of bytes sent to clients which
6923 matched this entry. Headers are included in the count. This may be used
6924 to limit abuse of bots sucking the whole site.
6925
6926 - bytes_out_rate(<period>) : frequency counter (takes 12 bytes). It takes
6927 an integer parameter <period> which indicates in milliseconds the length
6928 of the period over which the average is measured. It reports the average
6929 outgoing bytes rate over that period, in bytes per period. It may be used
6930 to detect users which download too much and too fast. Warning: with large
6931 transfers, it is possible that the amount of transferred data will be
6932 counted once upon termination, thus causing spikes in the average
6933 transfer speed instead of having a smooth one. This may partially be
6934 smoothed with "option contstats" though this is not perfect yet. Use of
6935 byte_out_cnt is recommended for better fairness.
Willy Tarreau08d5f982010-06-06 13:34:54 +02006936
Willy Tarreauc00cdc22010-06-06 16:48:26 +02006937 There is only one stick-table per proxy. At the moment of writing this doc,
6938 it does not seem useful to have multiple tables per proxy. If this happens
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006939 to be required, simply create a dummy backend with a stick-table in it and
6940 reference it.
6941
6942 It is important to understand that stickiness based on learning information
6943 has some limitations, including the fact that all learned associations are
6944 lost upon restart. In general it can be good as a complement but not always
6945 as an exclusive stickiness.
6946
Willy Tarreauc9705a12010-07-27 20:05:50 +02006947 Last, memory requirements may be important when storing many data types.
6948 Indeed, storing all indicators above at once in each entry requires 116 bytes
6949 per entry, or 116 MB for a 1-million entries table. This is definitely not
6950 something that can be ignored.
6951
6952 Example:
6953 # Keep track of counters of up to 1 million IP addresses over 5 minutes
6954 # and store a general purpose counter and the average connection rate
6955 # computed over a sliding window of 30 seconds.
6956 stick-table type ip size 1m expire 5m store gpc0,conn_rate(30s)
6957
6958 See also : "stick match", "stick on", "stick store-request", section 2.2
David du Colombiera13d1b92011-03-17 10:40:22 +01006959 about time format and section 7 about ACLs.
Willy Tarreaub937b7e2010-01-12 15:27:54 +01006960
6961
Emeric Brun6a1cefa2010-09-24 18:15:17 +02006962stick store-response <pattern> [table <table>] [{if | unless} <condition>]
6963 Define a request pattern used to create an entry in a stickiness table
6964 May be used in sections : defaults | frontend | listen | backend
6965 no | no | yes | yes
6966
6967 Arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02006968 <pattern> is a sample expression rule as described in section 7.3. It
Emeric Brun6a1cefa2010-09-24 18:15:17 +02006969 describes what elements of the response or connection will
6970 be analysed, extracted and stored in the table once a
6971 server is selected.
6972
6973 <table> is an optional stickiness table name. If unspecified, the same
6974 backend's table is used. A stickiness table is declared using
6975 the "stick-table" statement.
6976
6977 <cond> is an optional storage condition. It makes it possible to store
6978 certain criteria only when some conditions are met (or not met).
6979 For instance, it could be used to store the SSL session ID only
6980 when the response is a SSL server hello.
6981
6982 Some protocols or applications require complex stickiness rules and cannot
6983 always simply rely on cookies nor hashing. The "stick store-response"
6984 statement describes a rule to decide what to extract from the response and
6985 when to do it, in order to store it into a stickiness table for further
6986 requests to match it using the "stick match" statement. Obviously the
6987 extracted part must make sense and have a chance to be matched in a further
Cyril Bonté108cf6e2012-04-21 23:30:29 +02006988 request. Storing an ID found in a header of a response makes sense.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02006989 See section 7 for a complete list of possible patterns and transformation
6990 rules.
6991
6992 The table has to be declared using the "stick-table" statement. It must be of
6993 a type compatible with the pattern. By default it is the one which is present
6994 in the same backend. It is possible to share a table with other backends by
6995 referencing it using the "table" keyword. If another table is referenced,
6996 the server's ID inside the backends are used. By default, all server IDs
6997 start at 1 in each backend, so the server ordering is enough. But in case of
6998 doubt, it is highly recommended to force server IDs using their "id" setting.
6999
7000 It is possible to restrict the conditions where a "stick store-response"
7001 statement will apply, using "if" or "unless" followed by a condition. This
7002 condition will be evaluated while parsing the response, so any criteria can
7003 be used. See section 7 for ACL based conditions.
7004
7005 There is no limit on the number of "stick store-response" statements, but
7006 there is a limit of 8 simultaneous stores per request or response. This
7007 makes it possible to store up to 8 criteria, all extracted from either the
7008 request or the response, regardless of the number of rules. Only the 8 first
7009 ones which match will be kept. Using this, it is possible to feed multiple
7010 tables at once in the hope to increase the chance to recognize a user on
Willy Tarreau9667a802013-12-09 12:52:13 +01007011 another protocol or access method. Using multiple store-response rules with
7012 the same table is possible and may be used to find the best criterion to rely
7013 on, by arranging the rules by decreasing preference order. Only the first
7014 extracted criterion for a given table will be stored. All subsequent store-
7015 response rules referencing the same table will be skipped and their ACLs will
7016 not be evaluated. However, even if a store-request rule references a table, a
7017 store-response rule may also use the same table. This means that each table
7018 may learn exactly one element from the request and one element from the
7019 response at once.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007020
7021 The table will contain the real server that processed the request.
7022
7023 Example :
7024 # Learn SSL session ID from both request and response and create affinity.
7025 backend https
7026 mode tcp
7027 balance roundrobin
Cyril Bontédc4d9032012-04-08 21:57:39 +02007028 # maximum SSL session ID length is 32 bytes.
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007029 stick-table type binary len 32 size 30k expire 30m
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007030
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007031 acl clienthello req_ssl_hello_type 1
7032 acl serverhello rep_ssl_hello_type 2
7033
7034 # use tcp content accepts to detects ssl client and server hello.
7035 tcp-request inspect-delay 5s
7036 tcp-request content accept if clienthello
7037
7038 # no timeout on response inspect delay by default.
7039 tcp-response content accept if serverhello
Cyril Bonté108cf6e2012-04-21 23:30:29 +02007040
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007041 # SSL session ID (SSLID) may be present on a client or server hello.
7042 # Its length is coded on 1 byte at offset 43 and its value starts
7043 # at offset 44.
7044
7045 # Match and learn on request if client hello.
7046 stick on payload_lv(43,1) if clienthello
7047
7048 # Learn on response if server hello.
7049 stick store-response payload_lv(43,1) if serverhello
Cyril Bontédc4d9032012-04-08 21:57:39 +02007050
Emeric Brun6a1cefa2010-09-24 18:15:17 +02007051 server s1 192.168.1.1:443
7052 server s2 192.168.1.1:443
7053
7054 See also : "stick-table", "stick on", and section 7 about ACLs and pattern
7055 extraction.
7056
7057
Willy Tarreau938c7fe2014-04-25 14:21:39 +02007058tcp-check connect [params*]
7059 Opens a new connection
7060 May be used in sections: defaults | frontend | listen | backend
7061 no | no | yes | yes
7062
7063 When an application lies on more than a single TCP port or when HAProxy
7064 load-balance many services in a single backend, it makes sense to probe all
7065 the services individually before considering a server as operational.
7066
7067 When there are no TCP port configured on the server line neither server port
7068 directive, then the 'tcp-check connect port <port>' must be the first step
7069 of the sequence.
7070
7071 In a tcp-check ruleset a 'connect' is required, it is also mandatory to start
7072 the ruleset with a 'connect' rule. Purpose is to ensure admin know what they
7073 do.
7074
7075 Parameters :
7076 They are optional and can be used to describe how HAProxy should open and
7077 use the TCP connection.
7078
7079 port if not set, check port or server port is used.
7080 It tells HAProxy where to open the connection to.
7081 <port> must be a valid TCP port source integer, from 1 to 65535.
7082
7083 send-proxy send a PROXY protocol string
7084
7085 ssl opens a ciphered connection
7086
7087 Examples:
7088 # check HTTP and HTTPs services on a server.
7089 # first open port 80 thanks to server line port directive, then
7090 # tcp-check opens port 443, ciphered and run a request on it:
7091 option tcp-check
7092 tcp-check connect
7093 tcp-check send GET\ /\ HTTP/1.0\r\n
7094 tcp-check send Host:\ haproxy.1wt.eu\r\n
7095 tcp-check send \r\n
7096 tcp-check expect rstring (2..|3..)
7097 tcp-check connect port 443 ssl
7098 tcp-check send GET\ /\ HTTP/1.0\r\n
7099 tcp-check send Host:\ haproxy.1wt.eu\r\n
7100 tcp-check send \r\n
7101 tcp-check expect rstring (2..|3..)
7102 server www 10.0.0.1 check port 80
7103
7104 # check both POP and IMAP from a single server:
7105 option tcp-check
7106 tcp-check connect port 110
7107 tcp-check expect string +OK\ POP3\ ready
7108 tcp-check connect port 143
7109 tcp-check expect string *\ OK\ IMAP4\ ready
7110 server mail 10.0.0.1 check
7111
7112 See also : "option tcp-check", "tcp-check send", "tcp-check expect"
7113
7114
7115tcp-check expect [!] <match> <pattern>
7116 Specify data to be collected and analysed during a generic health check
7117 May be used in sections: defaults | frontend | listen | backend
7118 no | no | yes | yes
7119
7120 Arguments :
7121 <match> is a keyword indicating how to look for a specific pattern in the
7122 response. The keyword may be one of "string", "rstring" or
7123 binary.
7124 The keyword may be preceded by an exclamation mark ("!") to negate
7125 the match. Spaces are allowed between the exclamation mark and the
7126 keyword. See below for more details on the supported keywords.
7127
7128 <pattern> is the pattern to look for. It may be a string or a regular
7129 expression. If the pattern contains spaces, they must be escaped
7130 with the usual backslash ('\').
7131 If the match is set to binary, then the pattern must be passed as
7132 a serie of hexadecimal digits in an even number. Each sequence of
7133 two digits will represent a byte. The hexadecimal digits may be
7134 used upper or lower case.
7135
7136
7137 The available matches are intentionally similar to their http-check cousins :
7138
7139 string <string> : test the exact string matches in the response buffer.
7140 A health check response will be considered valid if the
7141 response's buffer contains this exact string. If the
7142 "string" keyword is prefixed with "!", then the response
7143 will be considered invalid if the body contains this
7144 string. This can be used to look for a mandatory pattern
7145 in a protocol response, or to detect a failure when a
7146 specific error appears in a protocol banner.
7147
7148 rstring <regex> : test a regular expression on the response buffer.
7149 A health check response will be considered valid if the
7150 response's buffer matches this expression. If the
7151 "rstring" keyword is prefixed with "!", then the response
7152 will be considered invalid if the body matches the
7153 expression.
7154
7155 binary <hexstring> : test the exact string in its hexadecimal form matches
7156 in the response buffer. A health check response will
7157 be considered valid if the response's buffer contains
7158 this exact hexadecimal string.
7159 Purpose is to match data on binary protocols.
7160
7161 It is important to note that the responses will be limited to a certain size
7162 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
7163 Thus, too large responses may not contain the mandatory pattern when using
7164 "string", "rstring" or binary. If a large response is absolutely required, it
7165 is possible to change the default max size by setting the global variable.
7166 However, it is worth keeping in mind that parsing very large responses can
7167 waste some CPU cycles, especially when regular expressions are used, and that
7168 it is always better to focus the checks on smaller resources. Also, in its
7169 current state, the check will not find any string nor regex past a null
7170 character in the response. Similarly it is not possible to request matching
7171 the null character.
7172
7173 Examples :
7174 # perform a POP check
7175 option tcp-check
7176 tcp-check expect string +OK\ POP3\ ready
7177
7178 # perform an IMAP check
7179 option tcp-check
7180 tcp-check expect string *\ OK\ IMAP4\ ready
7181
7182 # look for the redis master server
7183 option tcp-check
7184 tcp-check send PING\r\n
7185 tcp-check expect +PONG
7186 tcp-check send info\ replication\r\n
7187 tcp-check expect string role:master
7188 tcp-check send QUIT\r\n
7189 tcp-check expect string +OK
7190
7191
7192 See also : "option tcp-check", "tcp-check connect", "tcp-check send",
7193 "tcp-check send-binary", "http-check expect", tune.chksize
7194
7195
7196tcp-check send <data>
7197 Specify a string to be sent as a question during a generic health check
7198 May be used in sections: defaults | frontend | listen | backend
7199 no | no | yes | yes
7200
7201 <data> : the data to be sent as a question during a generic health check
7202 session. For now, <data> must be a string.
7203
7204 Examples :
7205 # look for the redis master server
7206 option tcp-check
7207 tcp-check send info\ replication\r\n
7208 tcp-check expect string role:master
7209
7210 See also : "option tcp-check", "tcp-check connect", "tcp-check expect",
7211 "tcp-check send-binary", tune.chksize
7212
7213
7214tcp-check send-binary <hexastring>
7215 Specify an hexa digits string to be sent as a binary question during a raw
7216 tcp health check
7217 May be used in sections: defaults | frontend | listen | backend
7218 no | no | yes | yes
7219
7220 <data> : the data to be sent as a question during a generic health check
7221 session. For now, <data> must be a string.
7222 <hexastring> : test the exact string in its hexadecimal form matches in the
7223 response buffer. A health check response will be considered
7224 valid if the response's buffer contains this exact
7225 hexadecimal string.
7226 Purpose is to send binary data to ask on binary protocols.
7227
7228 Examples :
7229 # redis check in binary
7230 option tcp-check
7231 tcp-check send-binary 50494e470d0a # PING\r\n
7232 tcp-check expect binary 2b504F4e47 # +PONG
7233
7234
7235 See also : "option tcp-check", "tcp-check connect", "tcp-check expect",
7236 "tcp-check send", tune.chksize
7237
7238
Willy Tarreaue9656522010-08-17 15:40:09 +02007239tcp-request connection <action> [{if | unless} <condition>]
7240 Perform an action on an incoming connection depending on a layer 4 condition
Willy Tarreau1a687942010-05-23 22:40:30 +02007241 May be used in sections : defaults | frontend | listen | backend
7242 no | yes | yes | no
Willy Tarreaue9656522010-08-17 15:40:09 +02007243 Arguments :
7244 <action> defines the action to perform if the condition applies. Valid
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007245 actions include : "accept", "reject", "track-sc0", "track-sc1",
7246 "track-sc2", and "expect-proxy". See below for more details.
Willy Tarreau1a687942010-05-23 22:40:30 +02007247
Willy Tarreaue9656522010-08-17 15:40:09 +02007248 <condition> is a standard layer4-only ACL-based condition (see section 7).
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007249
7250 Immediately after acceptance of a new incoming connection, it is possible to
7251 evaluate some conditions to decide whether this connection must be accepted
Willy Tarreaue9656522010-08-17 15:40:09 +02007252 or dropped or have its counters tracked. Those conditions cannot make use of
7253 any data contents because the connection has not been read from yet, and the
7254 buffers are not yet allocated. This is used to selectively and very quickly
7255 accept or drop connections from various sources with a very low overhead. If
7256 some contents need to be inspected in order to take the decision, the
7257 "tcp-request content" statements must be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007258
Willy Tarreaue9656522010-08-17 15:40:09 +02007259 The "tcp-request connection" rules are evaluated in their exact declaration
7260 order. If no rule matches or if there is no rule, the default action is to
7261 accept the incoming connection. There is no specific limit to the number of
7262 rules which may be inserted.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007263
Willy Tarreau18bf01e2014-06-13 16:18:52 +02007264 Five types of actions are supported :
Willy Tarreaue9656522010-08-17 15:40:09 +02007265 - accept :
7266 accepts the connection if the condition is true (when used with "if")
7267 or false (when used with "unless"). The first such rule executed ends
7268 the rules evaluation.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007269
Willy Tarreaue9656522010-08-17 15:40:09 +02007270 - reject :
7271 rejects the connection if the condition is true (when used with "if")
7272 or false (when used with "unless"). The first such rule executed ends
7273 the rules evaluation. Rejected connections do not even become a
7274 session, which is why they are accounted separately for in the stats,
7275 as "denied connections". They are not considered for the session
7276 rate-limit and are not logged either. The reason is that these rules
7277 should only be used to filter extremely high connection rates such as
7278 the ones encountered during a massive DDoS attack. Under these extreme
7279 conditions, the simple action of logging each event would make the
7280 system collapse and would considerably lower the filtering capacity. If
7281 logging is absolutely desired, then "tcp-request content" rules should
7282 be used instead.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007283
Willy Tarreau4f0d9192013-06-11 20:40:55 +02007284 - expect-proxy layer4 :
7285 configures the client-facing connection to receive a PROXY protocol
7286 header before any byte is read from the socket. This is equivalent to
7287 having the "accept-proxy" keyword on the "bind" line, except that using
7288 the TCP rule allows the PROXY protocol to be accepted only for certain
7289 IP address ranges using an ACL. This is convenient when multiple layers
7290 of load balancers are passed through by traffic coming from public
7291 hosts.
7292
Willy Tarreau18bf01e2014-06-13 16:18:52 +02007293 - capture <sample> len <length> :
7294 This only applies to "tcp-request content" rules. It captures sample
7295 expression <sample> from the request buffer, and converts it to a
7296 string of at most <len> characters. The resulting string is stored into
7297 the next request "capture" slot, so it will possibly appear next to
7298 some captured HTTP headers. It will then automatically appear in the
7299 logs, and it will be possible to extract it using sample fetch rules to
7300 feed it into headers or anything. The length should be limited given
7301 that this size will be allocated for each capture during the whole
7302 session life. Since it applies to Please check section 7.3 (Fetching
7303 samples) and "capture request header" for more information.
7304
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007305 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>] :
Willy Tarreaue9656522010-08-17 15:40:09 +02007306 enables tracking of sticky counters from current connection. These
7307 rules do not stop evaluation and do not change default action. Two sets
7308 of counters may be simultaneously tracked by the same connection. The
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007309 first "track-sc0" rule executed enables tracking of the counters of the
7310 specified table as the first set. The first "track-sc1" rule executed
Willy Tarreaue9656522010-08-17 15:40:09 +02007311 enables tracking of the counters of the specified table as the second
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007312 set. The first "track-sc2" rule executed enables tracking of the
7313 counters of the specified table as the third set. It is a recommended
7314 practice to use the first set of counters for the per-frontend counters
7315 and the second set for the per-backend ones. But this is just a
7316 guideline, all may be used everywhere.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007317
Willy Tarreaue9656522010-08-17 15:40:09 +02007318 These actions take one or two arguments :
Willy Tarreaube722a22014-06-13 16:31:59 +02007319 <key> is mandatory, and is a sample expression rule as described
Willy Tarreau74ca5042013-06-11 23:12:07 +02007320 in section 7.3. It describes what elements of the incoming
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007321 request or connection will be analysed, extracted, combined,
7322 and used to select which table entry to update the counters.
7323 Note that "tcp-request connection" cannot use content-based
7324 fetches.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007325
Willy Tarreaue9656522010-08-17 15:40:09 +02007326 <table> is an optional table to be used instead of the default one,
7327 which is the stick-table declared in the current proxy. All
7328 the counters for the matches and updates for the key will
7329 then be performed in that table until the session ends.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007330
Willy Tarreaue9656522010-08-17 15:40:09 +02007331 Once a "track-sc*" rule is executed, the key is looked up in the table
7332 and if it is not found, an entry is allocated for it. Then a pointer to
7333 that entry is kept during all the session's life, and this entry's
7334 counters are updated as often as possible, every time the session's
7335 counters are updated, and also systematically when the session ends.
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007336 Counters are only updated for events that happen after the tracking has
7337 been started. For example, connection counters will not be updated when
7338 tracking layer 7 information, since the connection event happens before
7339 layer7 information is extracted.
7340
Willy Tarreaue9656522010-08-17 15:40:09 +02007341 If the entry tracks concurrent connection counters, one connection is
7342 counted for as long as the entry is tracked, and the entry will not
7343 expire during that time. Tracking counters also provides a performance
7344 advantage over just checking the keys, because only one table lookup is
7345 performed for all ACL checks that make use of it.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007346
Willy Tarreaue9656522010-08-17 15:40:09 +02007347 Note that the "if/unless" condition is optional. If no condition is set on
7348 the action, it is simply performed unconditionally. That can be useful for
7349 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007350
Willy Tarreaue9656522010-08-17 15:40:09 +02007351 Example: accept all connections from white-listed hosts, reject too fast
7352 connection without counting them, and track accepted connections.
7353 This results in connection rate being capped from abusive sources.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007354
Willy Tarreaue9656522010-08-17 15:40:09 +02007355 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007356 tcp-request connection reject if { src_conn_rate gt 10 }
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007357 tcp-request connection track-sc0 src
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007358
Willy Tarreaue9656522010-08-17 15:40:09 +02007359 Example: accept all connections from white-listed hosts, count all other
7360 connections and reject too fast ones. This results in abusive ones
7361 being blocked as long as they don't slow down.
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007362
Willy Tarreaue9656522010-08-17 15:40:09 +02007363 tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007364 tcp-request connection track-sc0 src
7365 tcp-request connection reject if { sc0_conn_rate gt 10 }
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007366
Willy Tarreau4f0d9192013-06-11 20:40:55 +02007367 Example: enable the PROXY protocol for traffic coming from all known proxies.
7368
7369 tcp-request connection expect-proxy layer4 if { src -f proxies.lst }
7370
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007371 See section 7 about ACL usage.
7372
Willy Tarreaue9656522010-08-17 15:40:09 +02007373 See also : "tcp-request content", "stick-table"
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007374
7375
Willy Tarreaue9656522010-08-17 15:40:09 +02007376tcp-request content <action> [{if | unless} <condition>]
7377 Perform an action on a new session depending on a layer 4-7 condition
Willy Tarreau62644772008-07-16 18:36:06 +02007378 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02007379 no | yes | yes | yes
Willy Tarreaue9656522010-08-17 15:40:09 +02007380 Arguments :
7381 <action> defines the action to perform if the condition applies. Valid
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007382 actions include : "accept", "reject", "track-sc0", "track-sc1",
Willy Tarreau18bf01e2014-06-13 16:18:52 +02007383 "track-sc2" and "capture". See "tcp-request connection" above
7384 for their signification.
Willy Tarreau62644772008-07-16 18:36:06 +02007385
Willy Tarreaue9656522010-08-17 15:40:09 +02007386 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
Willy Tarreau62644772008-07-16 18:36:06 +02007387
Willy Tarreaue9656522010-08-17 15:40:09 +02007388 A request's contents can be analysed at an early stage of request processing
7389 called "TCP content inspection". During this stage, ACL-based rules are
7390 evaluated every time the request contents are updated, until either an
7391 "accept" or a "reject" rule matches, or the TCP request inspection delay
7392 expires with no matching rule.
Willy Tarreau62644772008-07-16 18:36:06 +02007393
Willy Tarreaue9656522010-08-17 15:40:09 +02007394 The first difference between these rules and "tcp-request connection" rules
7395 is that "tcp-request content" rules can make use of contents to take a
7396 decision. Most often, these decisions will consider a protocol recognition or
7397 validity. The second difference is that content-based rules can be used in
Willy Tarreauf3338342014-01-28 21:40:28 +01007398 both frontends and backends. In case of HTTP keep-alive with the client, all
7399 tcp-request content rules are evaluated again, so haproxy keeps a record of
7400 what sticky counters were assigned by a "tcp-request connection" versus a
7401 "tcp-request content" rule, and flushes all the content-related ones after
7402 processing an HTTP request, so that they may be evaluated again by the rules
7403 being evaluated again for the next request. This is of particular importance
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03007404 when the rule tracks some L7 information or when it is conditioned by an
Willy Tarreauf3338342014-01-28 21:40:28 +01007405 L7-based ACL, since tracking may change between requests.
Willy Tarreau62644772008-07-16 18:36:06 +02007406
Willy Tarreaue9656522010-08-17 15:40:09 +02007407 Content-based rules are evaluated in their exact declaration order. If no
7408 rule matches or if there is no rule, the default action is to accept the
7409 contents. There is no specific limit to the number of rules which may be
7410 inserted.
Willy Tarreau62644772008-07-16 18:36:06 +02007411
Willy Tarreau18bf01e2014-06-13 16:18:52 +02007412 Four types of actions are supported :
7413 - accept : the request is accepted
7414 - reject : the request is rejected and the connection is closed
7415 - capture : the specified sample expression is captured
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007416 - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>]
Willy Tarreau62644772008-07-16 18:36:06 +02007417
Willy Tarreaue9656522010-08-17 15:40:09 +02007418 They have the same meaning as their counter-parts in "tcp-request connection"
7419 so please refer to that section for a complete description.
Willy Tarreau62644772008-07-16 18:36:06 +02007420
Willy Tarreauf3338342014-01-28 21:40:28 +01007421 While there is nothing mandatory about it, it is recommended to use the
7422 track-sc0 in "tcp-request connection" rules, track-sc1 for "tcp-request
7423 content" rules in the frontend, and track-sc2 for "tcp-request content"
7424 rules in the backend, because that makes the configuration more readable
7425 and easier to troubleshoot, but this is just a guideline and all counters
7426 may be used everywhere.
Willy Tarreau62644772008-07-16 18:36:06 +02007427
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007428 Note that the "if/unless" condition is optional. If no condition is set on
Willy Tarreaue9656522010-08-17 15:40:09 +02007429 the action, it is simply performed unconditionally. That can be useful for
7430 "track-sc*" actions as well as for changing the default action to a reject.
Willy Tarreau62644772008-07-16 18:36:06 +02007431
Willy Tarreaue9656522010-08-17 15:40:09 +02007432 It is perfectly possible to match layer 7 contents with "tcp-request content"
Willy Tarreauc0239e02012-04-16 14:42:55 +02007433 rules, since HTTP-specific ACL matches are able to preliminarily parse the
7434 contents of a buffer before extracting the required data. If the buffered
7435 contents do not parse as a valid HTTP message, then the ACL does not match.
7436 The parser which is involved there is exactly the same as for all other HTTP
Willy Tarreauf3338342014-01-28 21:40:28 +01007437 processing, so there is no risk of parsing something differently. In an HTTP
7438 backend connected to from an HTTP frontend, it is guaranteed that HTTP
7439 contents will always be immediately present when the rule is evaluated first.
Willy Tarreau62644772008-07-16 18:36:06 +02007440
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007441 Tracking layer7 information is also possible provided that the information
7442 are present when the rule is processed. The current solution for making the
7443 rule engine wait for such information is to set an inspect delay and to
7444 condition its execution with an ACL relying on such information.
7445
Willy Tarreau62644772008-07-16 18:36:06 +02007446 Example:
Willy Tarreaue9656522010-08-17 15:40:09 +02007447 # Accept HTTP requests containing a Host header saying "example.com"
7448 # and reject everything else.
7449 acl is_host_com hdr(Host) -i example.com
7450 tcp-request inspect-delay 30s
Willy Tarreauc0239e02012-04-16 14:42:55 +02007451 tcp-request content accept if is_host_com
Willy Tarreaue9656522010-08-17 15:40:09 +02007452 tcp-request content reject
7453
7454 Example:
Willy Tarreau62644772008-07-16 18:36:06 +02007455 # reject SMTP connection if client speaks first
7456 tcp-request inspect-delay 30s
7457 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007458 tcp-request content reject if content_present
Willy Tarreau62644772008-07-16 18:36:06 +02007459
7460 # Forward HTTPS connection only if client speaks
7461 tcp-request inspect-delay 30s
7462 acl content_present req_len gt 0
Willy Tarreau68c03ab2010-08-06 15:08:45 +02007463 tcp-request content accept if content_present
Willy Tarreaue9656522010-08-17 15:40:09 +02007464 tcp-request content reject
7465
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007466 Example:
7467 # Track the last IP from X-Forwarded-For
7468 tcp-request inspect-delay 10s
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007469 tcp-request content track-sc0 hdr(x-forwarded-for,-1) if HTTP
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007470
7471 Example:
7472 # track request counts per "base" (concatenation of Host+URL)
7473 tcp-request inspect-delay 10s
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007474 tcp-request content track-sc0 base table req-rate if HTTP
Willy Tarreau5d5b5d82012-12-09 12:00:04 +01007475
Willy Tarreaue9656522010-08-17 15:40:09 +02007476 Example: track per-frontend and per-backend counters, block abusers at the
7477 frontend when the backend detects abuse.
7478
7479 frontend http
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007480 # Use General Purpose Couter 0 in SC0 as a global abuse counter
Willy Tarreaue9656522010-08-17 15:40:09 +02007481 # protecting all our sites
7482 stick-table type ip size 1m expire 5m store gpc0
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007483 tcp-request connection track-sc0 src
7484 tcp-request connection reject if { sc0_get_gpc0 gt 0 }
Willy Tarreaue9656522010-08-17 15:40:09 +02007485 ...
7486 use_backend http_dynamic if { path_end .php }
7487
7488 backend http_dynamic
7489 # if a source makes too fast requests to this dynamic site (tracked
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007490 # by SC1), block it globally in the frontend.
Willy Tarreaue9656522010-08-17 15:40:09 +02007491 stick-table type ip size 1m expire 5m store http_req_rate(10s)
Willy Tarreaube4a3ef2013-06-17 15:04:07 +02007492 acl click_too_fast sc1_http_req_rate gt 10
7493 acl mark_as_abuser sc0_inc_gpc0 gt 0
7494 tcp-request content track-sc1 src
Willy Tarreaue9656522010-08-17 15:40:09 +02007495 tcp-request content reject if click_too_fast mark_as_abuser
Willy Tarreau62644772008-07-16 18:36:06 +02007496
Willy Tarreauc57f0e22009-05-10 13:12:33 +02007497 See section 7 about ACL usage.
Willy Tarreau62644772008-07-16 18:36:06 +02007498
Willy Tarreaue9656522010-08-17 15:40:09 +02007499 See also : "tcp-request connection", "tcp-request inspect-delay"
Willy Tarreau62644772008-07-16 18:36:06 +02007500
7501
7502tcp-request inspect-delay <timeout>
7503 Set the maximum allowed time to wait for data during content inspection
7504 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaufb356202010-08-03 14:02:05 +02007505 no | yes | yes | yes
Willy Tarreau62644772008-07-16 18:36:06 +02007506 Arguments :
7507 <timeout> is the timeout value specified in milliseconds by default, but
7508 can be in any other unit if the number is suffixed by the unit,
7509 as explained at the top of this document.
7510
7511 People using haproxy primarily as a TCP relay are often worried about the
7512 risk of passing any type of protocol to a server without any analysis. In
7513 order to be able to analyze the request contents, we must first withhold
7514 the data then analyze them. This statement simply enables withholding of
7515 data for at most the specified amount of time.
7516
Willy Tarreaufb356202010-08-03 14:02:05 +02007517 TCP content inspection applies very early when a connection reaches a
7518 frontend, then very early when the connection is forwarded to a backend. This
7519 means that a connection may experience a first delay in the frontend and a
7520 second delay in the backend if both have tcp-request rules.
7521
Willy Tarreau62644772008-07-16 18:36:06 +02007522 Note that when performing content inspection, haproxy will evaluate the whole
7523 rules for every new chunk which gets in, taking into account the fact that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01007524 those data are partial. If no rule matches before the aforementioned delay,
Willy Tarreau62644772008-07-16 18:36:06 +02007525 a last check is performed upon expiration, this time considering that the
Willy Tarreaud869b242009-03-15 14:43:58 +01007526 contents are definitive. If no delay is set, haproxy will not wait at all
7527 and will immediately apply a verdict based on the available information.
7528 Obviously this is unlikely to be very useful and might even be racy, so such
7529 setups are not recommended.
Willy Tarreau62644772008-07-16 18:36:06 +02007530
7531 As soon as a rule matches, the request is released and continues as usual. If
7532 the timeout is reached and no rule matches, the default policy will be to let
7533 it pass through unaffected.
7534
7535 For most protocols, it is enough to set it to a few seconds, as most clients
7536 send the full request immediately upon connection. Add 3 or more seconds to
7537 cover TCP retransmits but that's all. For some protocols, it may make sense
Willy Tarreaud72758d2010-01-12 10:42:19 +01007538 to use large values, for instance to ensure that the client never talks
Willy Tarreau62644772008-07-16 18:36:06 +02007539 before the server (eg: SMTP), or to wait for a client to talk before passing
7540 data to the server (eg: SSL). Note that the client timeout must cover at
Willy Tarreaub824b002010-09-29 16:36:16 +02007541 least the inspection delay, otherwise it will expire first. If the client
7542 closes the connection or if the buffer is full, the delay immediately expires
7543 since the contents will not be able to change anymore.
Willy Tarreau62644772008-07-16 18:36:06 +02007544
Willy Tarreau55165fe2009-05-10 12:02:55 +02007545 See also : "tcp-request content accept", "tcp-request content reject",
Willy Tarreau62644772008-07-16 18:36:06 +02007546 "timeout client".
7547
7548
Emeric Brun0a3b67f2010-09-24 15:34:53 +02007549tcp-response content <action> [{if | unless} <condition>]
7550 Perform an action on a session response depending on a layer 4-7 condition
7551 May be used in sections : defaults | frontend | listen | backend
7552 no | no | yes | yes
7553 Arguments :
7554 <action> defines the action to perform if the condition applies. Valid
Willy Tarreaucc1e04b2013-09-11 23:20:29 +02007555 actions include : "accept", "close", "reject".
Emeric Brun0a3b67f2010-09-24 15:34:53 +02007556
7557 <condition> is a standard layer 4-7 ACL-based condition (see section 7).
7558
7559 Response contents can be analysed at an early stage of response processing
7560 called "TCP content inspection". During this stage, ACL-based rules are
7561 evaluated every time the response contents are updated, until either an
Willy Tarreaucc1e04b2013-09-11 23:20:29 +02007562 "accept", "close" or a "reject" rule matches, or a TCP response inspection
7563 delay is set and expires with no matching rule.
Emeric Brun0a3b67f2010-09-24 15:34:53 +02007564
7565 Most often, these decisions will consider a protocol recognition or validity.
7566
7567 Content-based rules are evaluated in their exact declaration order. If no
7568 rule matches or if there is no rule, the default action is to accept the
7569 contents. There is no specific limit to the number of rules which may be
7570 inserted.
7571
7572 Two types of actions are supported :
7573 - accept :
7574 accepts the response if the condition is true (when used with "if")
7575 or false (when used with "unless"). The first such rule executed ends
7576 the rules evaluation.
7577
Willy Tarreaucc1e04b2013-09-11 23:20:29 +02007578 - close :
7579 immediately closes the connection with the server if the condition is
7580 true (when used with "if"), or false (when used with "unless"). The
7581 first such rule executed ends the rules evaluation. The main purpose of
7582 this action is to force a connection to be finished between a client
7583 and a server after an exchange when the application protocol expects
7584 some long time outs to elapse first. The goal is to eliminate idle
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03007585 connections which take significant resources on servers with certain
Willy Tarreaucc1e04b2013-09-11 23:20:29 +02007586 protocols.
7587
Emeric Brun0a3b67f2010-09-24 15:34:53 +02007588 - reject :
7589 rejects the response if the condition is true (when used with "if")
7590 or false (when used with "unless"). The first such rule executed ends
Jamie Gloudonaaa21002012-08-25 00:18:33 -04007591 the rules evaluation. Rejected session are immediately closed.
Emeric Brun0a3b67f2010-09-24 15:34:53 +02007592
7593 Note that the "if/unless" condition is optional. If no condition is set on
7594 the action, it is simply performed unconditionally. That can be useful for
7595 for changing the default action to a reject.
7596
Jamie Gloudonaaa21002012-08-25 00:18:33 -04007597 It is perfectly possible to match layer 7 contents with "tcp-response
7598 content" rules, but then it is important to ensure that a full response has
7599 been buffered, otherwise no contents will match. In order to achieve this,
7600 the best solution involves detecting the HTTP protocol during the inspection
Emeric Brun0a3b67f2010-09-24 15:34:53 +02007601 period.
7602
7603 See section 7 about ACL usage.
7604
7605 See also : "tcp-request content", "tcp-response inspect-delay"
7606
7607
7608tcp-response inspect-delay <timeout>
7609 Set the maximum allowed time to wait for a response during content inspection
7610 May be used in sections : defaults | frontend | listen | backend
7611 no | no | yes | yes
7612 Arguments :
7613 <timeout> is the timeout value specified in milliseconds by default, but
7614 can be in any other unit if the number is suffixed by the unit,
7615 as explained at the top of this document.
7616
7617 See also : "tcp-response content", "tcp-request inspect-delay".
7618
7619
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01007620timeout check <timeout>
7621 Set additional check timeout, but only after a connection has been already
7622 established.
7623
7624 May be used in sections: defaults | frontend | listen | backend
7625 yes | no | yes | yes
7626 Arguments:
7627 <timeout> is the timeout value specified in milliseconds by default, but
7628 can be in any other unit if the number is suffixed by the unit,
7629 as explained at the top of this document.
7630
7631 If set, haproxy uses min("timeout connect", "inter") as a connect timeout
7632 for check and "timeout check" as an additional read timeout. The "min" is
7633 used so that people running with *very* long "timeout connect" (eg. those
7634 who needed this due to the queue or tarpit) do not slow down their checks.
Willy Tarreaud7550a22010-02-10 05:10:19 +01007635 (Please also note that there is no valid reason to have such long connect
7636 timeouts, because "timeout queue" and "timeout tarpit" can always be used to
7637 avoid that).
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01007638
7639 If "timeout check" is not set haproxy uses "inter" for complete check
7640 timeout (connect + read) exactly like all <1.3.15 version.
7641
7642 In most cases check request is much simpler and faster to handle than normal
7643 requests and people may want to kick out laggy servers so this timeout should
Willy Tarreau41a340d2008-01-22 12:25:31 +01007644 be smaller than "timeout server".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01007645
7646 This parameter is specific to backends, but can be specified once for all in
7647 "defaults" sections. This is in fact one of the easiest solutions not to
7648 forget about it.
7649
Willy Tarreau41a340d2008-01-22 12:25:31 +01007650 See also: "timeout connect", "timeout queue", "timeout server",
7651 "timeout tarpit".
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01007652
7653
Willy Tarreau0ba27502007-12-24 16:55:16 +01007654timeout client <timeout>
7655timeout clitimeout <timeout> (deprecated)
7656 Set the maximum inactivity time on the client side.
7657 May be used in sections : defaults | frontend | listen | backend
7658 yes | yes | yes | no
7659 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01007660 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01007661 can be in any other unit if the number is suffixed by the unit,
7662 as explained at the top of this document.
7663
7664 The inactivity timeout applies when the client is expected to acknowledge or
7665 send data. In HTTP mode, this timeout is particularly important to consider
7666 during the first phase, when the client sends the request, and during the
7667 response while it is reading data sent by the server. The value is specified
7668 in milliseconds by default, but can be in any other unit if the number is
7669 suffixed by the unit, as specified at the top of this document. In TCP mode
7670 (and to a lesser extent, in HTTP mode), it is highly recommended that the
7671 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01007672 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01007673 losses by specifying timeouts that are slightly above multiples of 3 seconds
Willy Tarreauce887fd2012-05-12 12:50:00 +02007674 (eg: 4 or 5 seconds). If some long-lived sessions are mixed with short-lived
7675 sessions (eg: WebSocket and HTTP), it's worth considering "timeout tunnel",
Willy Tarreau05cdd962014-05-10 14:30:07 +02007676 which overrides "timeout client" and "timeout server" for tunnels, as well as
7677 "timeout client-fin" for half-closed connections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01007678
7679 This parameter is specific to frontends, but can be specified once for all in
7680 "defaults" sections. This is in fact one of the easiest solutions not to
7681 forget about it. An unspecified timeout results in an infinite timeout, which
7682 is not recommended. Such a usage is accepted and works but reports a warning
7683 during startup because it may results in accumulation of expired sessions in
7684 the system if the system's timeouts are not configured either.
7685
7686 This parameter replaces the old, deprecated "clitimeout". It is recommended
7687 to use it to write new configurations. The form "timeout clitimeout" is
7688 provided only by backwards compatibility but its use is strongly discouraged.
7689
Willy Tarreauce887fd2012-05-12 12:50:00 +02007690 See also : "clitimeout", "timeout server", "timeout tunnel".
Willy Tarreau0ba27502007-12-24 16:55:16 +01007691
7692
Willy Tarreau05cdd962014-05-10 14:30:07 +02007693timeout client-fin <timeout>
7694 Set the inactivity timeout on the client side for half-closed connections.
7695 May be used in sections : defaults | frontend | listen | backend
7696 yes | yes | yes | no
7697 Arguments :
7698 <timeout> is the timeout value specified in milliseconds by default, but
7699 can be in any other unit if the number is suffixed by the unit,
7700 as explained at the top of this document.
7701
7702 The inactivity timeout applies when the client is expected to acknowledge or
7703 send data while one direction is already shut down. This timeout is different
7704 from "timeout client" in that it only applies to connections which are closed
7705 in one direction. This is particularly useful to avoid keeping connections in
7706 FIN_WAIT state for too long when clients do not disconnect cleanly. This
7707 problem is particularly common long connections such as RDP or WebSocket.
7708 Note that this timeout can override "timeout tunnel" when a connection shuts
7709 down in one direction.
7710
7711 This parameter is specific to frontends, but can be specified once for all in
7712 "defaults" sections. By default it is not set, so half-closed connections
7713 will use the other timeouts (timeout.client or timeout.tunnel).
7714
7715 See also : "timeout client", "timeout server-fin", and "timeout tunnel".
7716
7717
Willy Tarreau0ba27502007-12-24 16:55:16 +01007718timeout connect <timeout>
7719timeout contimeout <timeout> (deprecated)
7720 Set the maximum time to wait for a connection attempt to a server to succeed.
7721 May be used in sections : defaults | frontend | listen | backend
7722 yes | no | yes | yes
7723 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01007724 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau0ba27502007-12-24 16:55:16 +01007725 can be in any other unit if the number is suffixed by the unit,
7726 as explained at the top of this document.
7727
7728 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01007729 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01007730 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01007731 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
Krzysztof Piotr Oledzki5259dfe2008-01-21 01:54:06 +01007732 connect timeout also presets both queue and tarpit timeouts to the same value
7733 if these have not been specified.
Willy Tarreau0ba27502007-12-24 16:55:16 +01007734
7735 This parameter is specific to backends, but can be specified once for all in
7736 "defaults" sections. This is in fact one of the easiest solutions not to
7737 forget about it. An unspecified timeout results in an infinite timeout, which
7738 is not recommended. Such a usage is accepted and works but reports a warning
7739 during startup because it may results in accumulation of failed sessions in
7740 the system if the system's timeouts are not configured either.
7741
7742 This parameter replaces the old, deprecated "contimeout". It is recommended
7743 to use it to write new configurations. The form "timeout contimeout" is
7744 provided only by backwards compatibility but its use is strongly discouraged.
7745
Willy Tarreau41a340d2008-01-22 12:25:31 +01007746 See also: "timeout check", "timeout queue", "timeout server", "contimeout",
7747 "timeout tarpit".
Willy Tarreau0ba27502007-12-24 16:55:16 +01007748
7749
Willy Tarreaub16a5742010-01-10 14:46:16 +01007750timeout http-keep-alive <timeout>
7751 Set the maximum allowed time to wait for a new HTTP request to appear
7752 May be used in sections : defaults | frontend | listen | backend
7753 yes | yes | yes | yes
7754 Arguments :
7755 <timeout> is the timeout value specified in milliseconds by default, but
7756 can be in any other unit if the number is suffixed by the unit,
7757 as explained at the top of this document.
7758
7759 By default, the time to wait for a new request in case of keep-alive is set
7760 by "timeout http-request". However this is not always convenient because some
7761 people want very short keep-alive timeouts in order to release connections
7762 faster, and others prefer to have larger ones but still have short timeouts
7763 once the request has started to present itself.
7764
7765 The "http-keep-alive" timeout covers these needs. It will define how long to
7766 wait for a new HTTP request to start coming after a response was sent. Once
7767 the first byte of request has been seen, the "http-request" timeout is used
7768 to wait for the complete request to come. Note that empty lines prior to a
7769 new request do not refresh the timeout and are not counted as a new request.
7770
7771 There is also another difference between the two timeouts : when a connection
7772 expires during timeout http-keep-alive, no error is returned, the connection
7773 just closes. If the connection expires in "http-request" while waiting for a
7774 connection to complete, a HTTP 408 error is returned.
7775
7776 In general it is optimal to set this value to a few tens to hundreds of
7777 milliseconds, to allow users to fetch all objects of a page at once but
7778 without waiting for further clicks. Also, if set to a very small value (eg:
7779 1 millisecond) it will probably only accept pipelined requests but not the
7780 non-pipelined ones. It may be a nice trade-off for very large sites running
Patrick Mézard2382ad62010-05-09 10:43:32 +02007781 with tens to hundreds of thousands of clients.
Willy Tarreaub16a5742010-01-10 14:46:16 +01007782
7783 If this parameter is not set, the "http-request" timeout applies, and if both
7784 are not set, "timeout client" still applies at the lower level. It should be
7785 set in the frontend to take effect, unless the frontend is in TCP mode, in
7786 which case the HTTP backend's timeout will be used.
7787
7788 See also : "timeout http-request", "timeout client".
7789
7790
Willy Tarreau036fae02008-01-06 13:24:40 +01007791timeout http-request <timeout>
7792 Set the maximum allowed time to wait for a complete HTTP request
7793 May be used in sections : defaults | frontend | listen | backend
Willy Tarreaucd7afc02009-07-12 10:03:17 +02007794 yes | yes | yes | yes
Willy Tarreau036fae02008-01-06 13:24:40 +01007795 Arguments :
Willy Tarreau844e3c52008-01-11 16:28:18 +01007796 <timeout> is the timeout value specified in milliseconds by default, but
Willy Tarreau036fae02008-01-06 13:24:40 +01007797 can be in any other unit if the number is suffixed by the unit,
7798 as explained at the top of this document.
7799
7800 In order to offer DoS protection, it may be required to lower the maximum
7801 accepted time to receive a complete HTTP request without affecting the client
7802 timeout. This helps protecting against established connections on which
7803 nothing is sent. The client timeout cannot offer a good protection against
7804 this abuse because it is an inactivity timeout, which means that if the
7805 attacker sends one character every now and then, the timeout will not
7806 trigger. With the HTTP request timeout, no matter what speed the client
Willy Tarreau2705a612014-05-23 17:38:34 +02007807 types, the request will be aborted if it does not complete in time. When the
7808 timeout expires, an HTTP 408 response is sent to the client to inform it
7809 about the problem, and the connection is closed. The logs will report
7810 termination codes "cR". Some recent browsers are having problems with this
7811 standard, well-documented behaviour, so it might be needed to hide the 408
7812 code using "errorfile 408 /dev/null". See more details in the explanations of
7813 the "cR" termination code in section 8.5.
Willy Tarreau036fae02008-01-06 13:24:40 +01007814
7815 Note that this timeout only applies to the header part of the request, and
7816 not to any data. As soon as the empty line is received, this timeout is not
Willy Tarreaub16a5742010-01-10 14:46:16 +01007817 used anymore. It is used again on keep-alive connections to wait for a second
7818 request if "timeout http-keep-alive" is not set.
Willy Tarreau036fae02008-01-06 13:24:40 +01007819
7820 Generally it is enough to set it to a few seconds, as most clients send the
7821 full request immediately upon connection. Add 3 or more seconds to cover TCP
7822 retransmits but that's all. Setting it to very low values (eg: 50 ms) will
7823 generally work on local networks as long as there are no packet losses. This
7824 will prevent people from sending bare HTTP requests using telnet.
7825
7826 If this parameter is not set, the client timeout still applies between each
Willy Tarreaucd7afc02009-07-12 10:03:17 +02007827 chunk of the incoming request. It should be set in the frontend to take
7828 effect, unless the frontend is in TCP mode, in which case the HTTP backend's
7829 timeout will be used.
Willy Tarreau036fae02008-01-06 13:24:40 +01007830
Willy Tarreau2705a612014-05-23 17:38:34 +02007831 See also : "errorfile", "timeout http-keep-alive", "timeout client".
Willy Tarreau036fae02008-01-06 13:24:40 +01007832
Willy Tarreau844e3c52008-01-11 16:28:18 +01007833
7834timeout queue <timeout>
7835 Set the maximum time to wait in the queue for a connection slot to be free
7836 May be used in sections : defaults | frontend | listen | backend
7837 yes | no | yes | yes
7838 Arguments :
7839 <timeout> is the timeout value specified in milliseconds by default, but
7840 can be in any other unit if the number is suffixed by the unit,
7841 as explained at the top of this document.
7842
7843 When a server's maxconn is reached, connections are left pending in a queue
7844 which may be server-specific or global to the backend. In order not to wait
7845 indefinitely, a timeout is applied to requests pending in the queue. If the
7846 timeout is reached, it is considered that the request will almost never be
7847 served, so it is dropped and a 503 error is returned to the client.
7848
7849 The "timeout queue" statement allows to fix the maximum time for a request to
7850 be left pending in a queue. If unspecified, the same value as the backend's
7851 connection timeout ("timeout connect") is used, for backwards compatibility
7852 with older versions with no "timeout queue" parameter.
7853
7854 See also : "timeout connect", "contimeout".
7855
7856
7857timeout server <timeout>
7858timeout srvtimeout <timeout> (deprecated)
7859 Set the maximum inactivity time on the server side.
7860 May be used in sections : defaults | frontend | listen | backend
7861 yes | no | yes | yes
7862 Arguments :
7863 <timeout> is the timeout value specified in milliseconds by default, but
7864 can be in any other unit if the number is suffixed by the unit,
7865 as explained at the top of this document.
7866
7867 The inactivity timeout applies when the server is expected to acknowledge or
7868 send data. In HTTP mode, this timeout is particularly important to consider
7869 during the first phase of the server's response, when it has to send the
7870 headers, as it directly represents the server's processing time for the
7871 request. To find out what value to put there, it's often good to start with
7872 what would be considered as unacceptable response times, then check the logs
7873 to observe the response time distribution, and adjust the value accordingly.
7874
7875 The value is specified in milliseconds by default, but can be in any other
7876 unit if the number is suffixed by the unit, as specified at the top of this
7877 document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
7878 recommended that the client timeout remains equal to the server timeout in
7879 order to avoid complex situations to debug. Whatever the expected server
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01007880 response times, it is a good practice to cover at least one or several TCP
Willy Tarreau844e3c52008-01-11 16:28:18 +01007881 packet losses by specifying timeouts that are slightly above multiples of 3
Willy Tarreauce887fd2012-05-12 12:50:00 +02007882 seconds (eg: 4 or 5 seconds minimum). If some long-lived sessions are mixed
7883 with short-lived sessions (eg: WebSocket and HTTP), it's worth considering
7884 "timeout tunnel", which overrides "timeout client" and "timeout server" for
7885 tunnels.
Willy Tarreau844e3c52008-01-11 16:28:18 +01007886
7887 This parameter is specific to backends, but can be specified once for all in
7888 "defaults" sections. This is in fact one of the easiest solutions not to
7889 forget about it. An unspecified timeout results in an infinite timeout, which
7890 is not recommended. Such a usage is accepted and works but reports a warning
7891 during startup because it may results in accumulation of expired sessions in
7892 the system if the system's timeouts are not configured either.
7893
7894 This parameter replaces the old, deprecated "srvtimeout". It is recommended
7895 to use it to write new configurations. The form "timeout srvtimeout" is
7896 provided only by backwards compatibility but its use is strongly discouraged.
7897
Willy Tarreauce887fd2012-05-12 12:50:00 +02007898 See also : "srvtimeout", "timeout client" and "timeout tunnel".
Willy Tarreau844e3c52008-01-11 16:28:18 +01007899
Willy Tarreau05cdd962014-05-10 14:30:07 +02007900
7901timeout server-fin <timeout>
7902 Set the inactivity timeout on the server side for half-closed connections.
7903 May be used in sections : defaults | frontend | listen | backend
7904 yes | no | yes | yes
7905 Arguments :
7906 <timeout> is the timeout value specified in milliseconds by default, but
7907 can be in any other unit if the number is suffixed by the unit,
7908 as explained at the top of this document.
7909
7910 The inactivity timeout applies when the server is expected to acknowledge or
7911 send data while one direction is already shut down. This timeout is different
7912 from "timeout server" in that it only applies to connections which are closed
7913 in one direction. This is particularly useful to avoid keeping connections in
7914 FIN_WAIT state for too long when a remote server does not disconnect cleanly.
7915 This problem is particularly common long connections such as RDP or WebSocket.
7916 Note that this timeout can override "timeout tunnel" when a connection shuts
7917 down in one direction. This setting was provided for completeness, but in most
7918 situations, it should not be needed.
7919
7920 This parameter is specific to backends, but can be specified once for all in
7921 "defaults" sections. By default it is not set, so half-closed connections
7922 will use the other timeouts (timeout.server or timeout.tunnel).
7923
7924 See also : "timeout client-fin", "timeout server", and "timeout tunnel".
7925
Willy Tarreau844e3c52008-01-11 16:28:18 +01007926
7927timeout tarpit <timeout>
Cyril Bonté78caf842010-03-10 22:41:43 +01007928 Set the duration for which tarpitted connections will be maintained
Willy Tarreau844e3c52008-01-11 16:28:18 +01007929 May be used in sections : defaults | frontend | listen | backend
7930 yes | yes | yes | yes
7931 Arguments :
7932 <timeout> is the tarpit duration specified in milliseconds by default, but
7933 can be in any other unit if the number is suffixed by the unit,
7934 as explained at the top of this document.
7935
7936 When a connection is tarpitted using "reqtarpit", it is maintained open with
7937 no activity for a certain amount of time, then closed. "timeout tarpit"
7938 defines how long it will be maintained open.
7939
7940 The value is specified in milliseconds by default, but can be in any other
7941 unit if the number is suffixed by the unit, as specified at the top of this
7942 document. If unspecified, the same value as the backend's connection timeout
7943 ("timeout connect") is used, for backwards compatibility with older versions
Cyril Bonté78caf842010-03-10 22:41:43 +01007944 with no "timeout tarpit" parameter.
Willy Tarreau844e3c52008-01-11 16:28:18 +01007945
7946 See also : "timeout connect", "contimeout".
7947
7948
Willy Tarreauce887fd2012-05-12 12:50:00 +02007949timeout tunnel <timeout>
7950 Set the maximum inactivity time on the client and server side for tunnels.
7951 May be used in sections : defaults | frontend | listen | backend
7952 yes | no | yes | yes
7953 Arguments :
7954 <timeout> is the timeout value specified in milliseconds by default, but
7955 can be in any other unit if the number is suffixed by the unit,
7956 as explained at the top of this document.
7957
Jamie Gloudonaaa21002012-08-25 00:18:33 -04007958 The tunnel timeout applies when a bidirectional connection is established
Willy Tarreauce887fd2012-05-12 12:50:00 +02007959 between a client and a server, and the connection remains inactive in both
7960 directions. This timeout supersedes both the client and server timeouts once
7961 the connection becomes a tunnel. In TCP, this timeout is used as soon as no
7962 analyser remains attached to either connection (eg: tcp content rules are
7963 accepted). In HTTP, this timeout is used when a connection is upgraded (eg:
7964 when switching to the WebSocket protocol, or forwarding a CONNECT request
7965 to a proxy), or after the first response when no keepalive/close option is
7966 specified.
7967
Willy Tarreau05cdd962014-05-10 14:30:07 +02007968 Since this timeout is usually used in conjunction with long-lived connections,
7969 it usually is a good idea to also set "timeout client-fin" to handle the
7970 situation where a client suddenly disappears from the net and does not
7971 acknowledge a close, or sends a shutdown and does not acknowledge pending
7972 data anymore. This can happen in lossy networks where firewalls are present,
7973 and is detected by the presence of large amounts of sessions in a FIN_WAIT
7974 state.
7975
Willy Tarreauce887fd2012-05-12 12:50:00 +02007976 The value is specified in milliseconds by default, but can be in any other
7977 unit if the number is suffixed by the unit, as specified at the top of this
7978 document. Whatever the expected normal idle time, it is a good practice to
7979 cover at least one or several TCP packet losses by specifying timeouts that
7980 are slightly above multiples of 3 seconds (eg: 4 or 5 seconds minimum).
7981
7982 This parameter is specific to backends, but can be specified once for all in
7983 "defaults" sections. This is in fact one of the easiest solutions not to
7984 forget about it.
7985
7986 Example :
7987 defaults http
7988 option http-server-close
7989 timeout connect 5s
7990 timeout client 30s
Willy Tarreau05cdd962014-05-10 14:30:07 +02007991 timeout client-fin 30s
Willy Tarreauce887fd2012-05-12 12:50:00 +02007992 timeout server 30s
7993 timeout tunnel 1h # timeout to use with WebSocket and CONNECT
7994
Willy Tarreau05cdd962014-05-10 14:30:07 +02007995 See also : "timeout client", "timeout client-fin", "timeout server".
Willy Tarreauce887fd2012-05-12 12:50:00 +02007996
7997
Willy Tarreau844e3c52008-01-11 16:28:18 +01007998transparent (deprecated)
7999 Enable client-side transparent proxying
8000 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau4b1f8592008-12-23 23:13:55 +01008001 yes | no | yes | yes
Willy Tarreau844e3c52008-01-11 16:28:18 +01008002 Arguments : none
8003
8004 This keyword was introduced in order to provide layer 7 persistence to layer
8005 3 load balancers. The idea is to use the OS's ability to redirect an incoming
8006 connection for a remote address to a local process (here HAProxy), and let
8007 this process know what address was initially requested. When this option is
8008 used, sessions without cookies will be forwarded to the original destination
8009 IP address of the incoming request (which should match that of another
8010 equipment), while requests with cookies will still be forwarded to the
8011 appropriate server.
8012
8013 The "transparent" keyword is deprecated, use "option transparent" instead.
8014
8015 Note that contrary to a common belief, this option does NOT make HAProxy
8016 present the client's IP to the server when establishing the connection.
8017
Willy Tarreau844e3c52008-01-11 16:28:18 +01008018 See also: "option transparent"
8019
William Lallemanda73203e2012-03-12 12:48:57 +01008020unique-id-format <string>
8021 Generate a unique ID for each request.
8022 May be used in sections : defaults | frontend | listen | backend
8023 yes | yes | yes | no
8024 Arguments :
8025 <string> is a log-format string.
8026
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008027 This keyword creates a ID for each request using the custom log format. A
8028 unique ID is useful to trace a request passing through many components of
8029 a complex infrastructure. The newly created ID may also be logged using the
8030 %ID tag the log-format string.
William Lallemanda73203e2012-03-12 12:48:57 +01008031
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008032 The format should be composed from elements that are guaranteed to be
8033 unique when combined together. For instance, if multiple haproxy instances
8034 are involved, it might be important to include the node name. It is often
8035 needed to log the incoming connection's source and destination addresses
8036 and ports. Note that since multiple requests may be performed over the same
8037 connection, including a request counter may help differentiate them.
8038 Similarly, a timestamp may protect against a rollover of the counter.
8039 Logging the process ID will avoid collisions after a service restart.
William Lallemanda73203e2012-03-12 12:48:57 +01008040
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008041 It is recommended to use hexadecimal notation for many fields since it
8042 makes them more compact and saves space in logs.
William Lallemanda73203e2012-03-12 12:48:57 +01008043
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008044 Example:
William Lallemanda73203e2012-03-12 12:48:57 +01008045
Julien Vehentf21be322014-03-07 08:27:34 -05008046 unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
William Lallemanda73203e2012-03-12 12:48:57 +01008047
8048 will generate:
8049
8050 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
8051
8052 See also: "unique-id-header"
8053
8054unique-id-header <name>
8055 Add a unique ID header in the HTTP request.
8056 May be used in sections : defaults | frontend | listen | backend
8057 yes | yes | yes | no
8058 Arguments :
8059 <name> is the name of the header.
8060
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008061 Add a unique-id header in the HTTP request sent to the server, using the
8062 unique-id-format. It can't work if the unique-id-format doesn't exist.
William Lallemanda73203e2012-03-12 12:48:57 +01008063
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008064 Example:
William Lallemanda73203e2012-03-12 12:48:57 +01008065
Julien Vehentf21be322014-03-07 08:27:34 -05008066 unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
William Lallemanda73203e2012-03-12 12:48:57 +01008067 unique-id-header X-Unique-ID
8068
8069 will generate:
8070
8071 X-Unique-ID: 7F000001:8296_7F00001E:1F90_4F7B0A69_0003:790A
8072
8073 See also: "unique-id-format"
Willy Tarreau844e3c52008-01-11 16:28:18 +01008074
Willy Tarreauf51658d2014-04-23 01:21:56 +02008075use_backend <backend> [{if | unless} <condition>]
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02008076 Switch to a specific backend if/unless an ACL-based condition is matched.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008077 May be used in sections : defaults | frontend | listen | backend
8078 no | yes | yes | no
8079 Arguments :
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01008080 <backend> is the name of a valid backend or "listen" section, or a
8081 "log-format" string resolving to a backend name.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008082
Willy Tarreauf51658d2014-04-23 01:21:56 +02008083 <condition> is a condition composed of ACLs, as described in section 7. If
8084 it is omitted, the rule is unconditionally applied.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008085
8086 When doing content-switching, connections arrive on a frontend and are then
8087 dispatched to various backends depending on a number of conditions. The
8088 relation between the conditions and the backends is described with the
Willy Tarreau1d0dfb12009-07-07 15:10:31 +02008089 "use_backend" keyword. While it is normally used with HTTP processing, it can
8090 also be used in pure TCP, either without content using stateless ACLs (eg:
8091 source address validation) or combined with a "tcp-request" rule to wait for
8092 some payload.
Willy Tarreau844e3c52008-01-11 16:28:18 +01008093
8094 There may be as many "use_backend" rules as desired. All of these rules are
8095 evaluated in their declaration order, and the first one which matches will
8096 assign the backend.
8097
8098 In the first form, the backend will be used if the condition is met. In the
8099 second form, the backend will be used if the condition is not met. If no
8100 condition is valid, the backend defined with "default_backend" will be used.
8101 If no default backend is defined, either the servers in the same section are
8102 used (in case of a "listen" section) or, in case of a frontend, no server is
8103 used and a 503 service unavailable response is returned.
8104
Willy Tarreau51aecc72009-07-12 09:47:04 +02008105 Note that it is possible to switch from a TCP frontend to an HTTP backend. In
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008106 this case, either the frontend has already checked that the protocol is HTTP,
Willy Tarreau51aecc72009-07-12 09:47:04 +02008107 and backend processing will immediately follow, or the backend will wait for
8108 a complete HTTP request to get in. This feature is useful when a frontend
8109 must decode several protocols on a unique port, one of them being HTTP.
8110
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01008111 When <backend> is a simple name, it is resolved at configuration time, and an
8112 error is reported if the specified backend does not exist. If <backend> is
8113 a log-format string instead, no check may be done at configuration time, so
8114 the backend name is resolved dynamically at run time. If the resulting
8115 backend name does not correspond to any valid backend, no other rule is
8116 evaluated, and the default_backend directive is applied instead. Note that
8117 when using dynamic backend names, it is highly recommended to use a prefix
8118 that no other backend uses in order to ensure that an unauthorized backend
8119 cannot be forced from the request.
8120
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008121 It is worth mentioning that "use_backend" rules with an explicit name are
Bertrand Jacquin702d44f2013-11-19 11:43:06 +01008122 used to detect the association between frontends and backends to compute the
8123 backend's "fullconn" setting. This cannot be done for dynamic names.
8124
8125 See also: "default_backend", "tcp-request", "fullconn", "log-format", and
8126 section 7 about ACLs.
Willy Tarreaud72758d2010-01-12 10:42:19 +01008127
Willy Tarreau036fae02008-01-06 13:24:40 +01008128
Willy Tarreau4a5cade2012-04-05 21:09:48 +02008129use-server <server> if <condition>
8130use-server <server> unless <condition>
8131 Only use a specific server if/unless an ACL-based condition is matched.
8132 May be used in sections : defaults | frontend | listen | backend
8133 no | no | yes | yes
8134 Arguments :
Cyril Bonté108cf6e2012-04-21 23:30:29 +02008135 <server> is the name of a valid server in the same backend section.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02008136
8137 <condition> is a condition composed of ACLs, as described in section 7.
8138
8139 By default, connections which arrive to a backend are load-balanced across
8140 the available servers according to the configured algorithm, unless a
8141 persistence mechanism such as a cookie is used and found in the request.
8142
8143 Sometimes it is desirable to forward a particular request to a specific
8144 server without having to declare a dedicated backend for this server. This
8145 can be achieved using the "use-server" rules. These rules are evaluated after
8146 the "redirect" rules and before evaluating cookies, and they have precedence
8147 on them. There may be as many "use-server" rules as desired. All of these
8148 rules are evaluated in their declaration order, and the first one which
8149 matches will assign the server.
8150
8151 If a rule designates a server which is down, and "option persist" is not used
8152 and no force-persist rule was validated, it is ignored and evaluation goes on
8153 with the next rules until one matches.
8154
8155 In the first form, the server will be used if the condition is met. In the
8156 second form, the server will be used if the condition is not met. If no
8157 condition is valid, the processing continues and the server will be assigned
8158 according to other persistence mechanisms.
8159
8160 Note that even if a rule is matched, cookie processing is still performed but
8161 does not assign the server. This allows prefixed cookies to have their prefix
8162 stripped.
8163
8164 The "use-server" statement works both in HTTP and TCP mode. This makes it
8165 suitable for use with content-based inspection. For instance, a server could
8166 be selected in a farm according to the TLS SNI field. And if these servers
8167 have their weight set to zero, they will not be used for other traffic.
8168
8169 Example :
8170 # intercept incoming TLS requests based on the SNI field
8171 use-server www if { req_ssl_sni -i www.example.com }
8172 server www 192.168.0.1:443 weight 0
8173 use-server mail if { req_ssl_sni -i mail.example.com }
8174 server mail 192.168.0.1:587 weight 0
8175 use-server imap if { req_ssl_sni -i imap.example.com }
8176 server mail 192.168.0.1:993 weight 0
8177 # all the rest is forwarded to this server
8178 server default 192.168.0.2:443 check
8179
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008180 See also: "use_backend", section 5 about server and section 7 about ACLs.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02008181
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008182
81835. Bind and Server options
8184--------------------------
8185
8186The "bind", "server" and "default-server" keywords support a number of settings
8187depending on some build options and on the system HAProxy was built on. These
8188settings generally each consist in one word sometimes followed by a value,
8189written on the same line as the "bind" or "server" line. All these options are
8190described in this section.
8191
8192
81935.1. Bind options
8194-----------------
8195
8196The "bind" keyword supports a certain number of settings which are all passed
8197as arguments on the same line. The order in which those arguments appear makes
8198no importance, provided that they appear after the bind address. All of these
8199parameters are optional. Some of them consist in a single words (booleans),
8200while other ones expect a value after them. In this case, the value must be
8201provided immediately after the setting name.
8202
8203The currently supported settings are the following ones.
8204
8205accept-proxy
8206 Enforces the use of the PROXY protocol over any connection accepted by any of
Willy Tarreau77992672014-06-14 11:06:17 +02008207 the sockets declared on the same line. Versions 1 and 2 of the PROXY protocol
8208 are supported and correctly detected. The PROXY protocol dictates the layer
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008209 3/4 addresses of the incoming connection to be used everywhere an address is
8210 used, with the only exception of "tcp-request connection" rules which will
8211 only see the real connection address. Logs will reflect the addresses
8212 indicated in the protocol, unless it is violated, in which case the real
8213 address will still be used. This keyword combined with support from external
8214 components can be used as an efficient and reliable alternative to the
8215 X-Forwarded-For mechanism which is not always reliable and not even always
Willy Tarreau4f0d9192013-06-11 20:40:55 +02008216 usable. See also "tcp-request connection expect-proxy" for a finer-grained
8217 setting of which client is allowed to use the protocol.
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008218
Willy Tarreauab861d32013-04-02 02:30:41 +02008219alpn <protocols>
8220 This enables the TLS ALPN extension and advertises the specified protocol
8221 list as supported on top of ALPN. The protocol list consists in a comma-
8222 delimited list of protocol names, for instance: "http/1.1,http/1.0" (without
8223 quotes). This requires that the SSL library is build with support for TLS
8224 extensions enabled (check with haproxy -vv). The ALPN extension replaces the
8225 initial NPN extension.
8226
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008227backlog <backlog>
8228 Sets the socket's backlog to this value. If unspecified, the frontend's
8229 backlog is used instead, which generally defaults to the maxconn value.
8230
Emeric Brun7fb34422012-09-28 15:26:15 +02008231ecdhe <named curve>
8232 This setting is only available when support for OpenSSL was built in. It sets
Emeric Brun6924ef82013-03-06 14:08:53 +01008233 the named curve (RFC 4492) used to generate ECDH ephemeral keys. By default,
8234 used named curve is prime256v1.
Emeric Brun7fb34422012-09-28 15:26:15 +02008235
Emeric Brunfd33a262012-10-11 16:28:27 +02008236ca-file <cafile>
Emeric Brun1a073b42012-09-28 17:07:34 +02008237 This setting is only available when support for OpenSSL was built in. It
8238 designates a PEM file from which to load CA certificates used to verify
8239 client's certificate.
8240
Emeric Brunb6dc9342012-09-28 17:55:37 +02008241ca-ignore-err [all|<errorID>,...]
8242 This setting is only available when support for OpenSSL was built in.
8243 Sets a comma separated list of errorIDs to ignore during verify at depth > 0.
8244 If set to 'all', all errors are ignored. SSL handshake is not aborted if an
8245 error is ignored.
8246
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008247ciphers <ciphers>
8248 This setting is only available when support for OpenSSL was built in. It sets
8249 the string describing the list of cipher algorithms ("cipher suite") that are
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008250 negotiated during the SSL/TLS handshake. The format of the string is defined
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008251 in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string
8252 such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes).
8253
Emeric Brunfd33a262012-10-11 16:28:27 +02008254crl-file <crlfile>
Emeric Brun1a073b42012-09-28 17:07:34 +02008255 This setting is only available when support for OpenSSL was built in. It
8256 designates a PEM file from which to load certificate revocation list used
8257 to verify client's certificate.
8258
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008259crt <cert>
Alex Davies0fbf0162013-03-02 16:04:50 +00008260 This setting is only available when support for OpenSSL was built in. It
8261 designates a PEM file containing both the required certificates and any
8262 associated private keys. This file can be built by concatenating multiple
8263 PEM files into one (e.g. cat cert.pem key.pem > combined.pem). If your CA
8264 requires an intermediate certificate, this can also be concatenated into this
8265 file.
8266
8267 If the OpenSSL used supports Diffie-Hellman, parameters present in this file
8268 are loaded.
8269
8270 If a directory name is used instead of a PEM file, then all files found in
Emeric Brun4147b2e2014-06-16 18:36:30 +02008271 that directory will be loaded unless their name ends with '.issuer' or
8272 '.ocsp' (reserved extensions). This directive may be specified multiple times
Alex Davies0fbf0162013-03-02 16:04:50 +00008273 in order to load certificates from multiple files or directories. The
8274 certificates will be presented to clients who provide a valid TLS Server Name
8275 Indication field matching one of their CN or alt subjects. Wildcards are
8276 supported, where a wildcard character '*' is used instead of the first
8277 hostname component (eg: *.example.org matches www.example.org but not
8278 www.sub.example.org).
8279
8280 If no SNI is provided by the client or if the SSL library does not support
8281 TLS extensions, or if the client provides an SNI hostname which does not
8282 match any certificate, then the first loaded certificate will be presented.
8283 This means that when loading certificates from a directory, it is highly
8284 recommended to load the default one first as a file.
8285
Emeric Brune032bfa2012-09-28 13:01:45 +02008286 Note that the same cert may be loaded multiple times without side effects.
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008287
Alex Davies0fbf0162013-03-02 16:04:50 +00008288 Some CAs (such as Godaddy) offer a drop down list of server types that do not
8289 include HAProxy when obtaining a certificate. If this happens be sure to
Godbach8bf60a12014-04-21 21:42:41 +08008290 choose a webserver that the CA believes requires an intermediate CA (for
Alex Davies0fbf0162013-03-02 16:04:50 +00008291 Godaddy, selection Apache Tomcat will get the correct bundle, but many
8292 others, e.g. nginx, result in a wrong bundle that will not work for some
8293 clients).
8294
Emeric Brun4147b2e2014-06-16 18:36:30 +02008295 For each PEM file, haproxy checks for the presence of file at the same path
8296 suffixed by ".ocsp". If such file is found, support for the TLS Certificate
8297 Status Request extension (also known as "OCSP stapling") is automatically
8298 enabled. The content of this file is optional. If not empty, it must contain
8299 a valid OCSP Response in DER format. In order to be valid an OCSP Response
8300 must comply with the following rules: it has to indicate a good status,
8301 it has to be a single response for the certificate of the PEM file, and it
8302 has to be valid at the moment of addition. If these rules are not respected
8303 the OCSP Response is ignored and a warning is emitted. In order to identify
8304 which certificate an OCSP Response applies to, the issuer's certificate is
8305 necessary. If the issuer's certificate is not found in the PEM file, it will
8306 be loaded from a file at the same path as the PEM file suffixed by ".issuer"
8307 if it exists otherwise it will fail with an error.
8308
Emeric Brunb6dc9342012-09-28 17:55:37 +02008309crt-ignore-err <errors>
Alex Davies0fbf0162013-03-02 16:04:50 +00008310 This setting is only available when support for OpenSSL was built in. Sets a
8311 comma separated list of errorIDs to ignore during verify at depth == 0. If
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008312 set to 'all', all errors are ignored. SSL handshake is not aborted if an error
Alex Davies0fbf0162013-03-02 16:04:50 +00008313 is ignored.
Emeric Brunb6dc9342012-09-28 17:55:37 +02008314
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01008315crt-list <file>
8316 This setting is only available when support for OpenSSL was built in. It
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02008317 designates a list of PEM file with an optional list of SNI filter per
8318 certificate, with the following format for each line :
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01008319
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02008320 <crtfile> [[!]<snifilter> ...]
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01008321
Emmanuel Hocdet7c41a1b2013-05-07 20:20:06 +02008322 Wildcards are supported in the SNI filter. Negative filter are also supported,
8323 only useful in combination with a wildcard filter to exclude a particular SNI.
8324 The certificates will be presented to clients who provide a valid TLS Server
8325 Name Indication field matching one of the SNI filters. If no SNI filter is
8326 specified, the CN and alt subjects are used. This directive may be specified
8327 multiple times. See the "crt" option for more information. The default
8328 certificate is still needed to meet OpenSSL expectations. If it is not used,
8329 the 'strict-sni' option may be used.
Emmanuel Hocdetfe616562013-01-22 15:31:15 +01008330
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008331defer-accept
8332 Is an optional keyword which is supported only on certain Linux kernels. It
8333 states that a connection will only be accepted once some data arrive on it,
8334 or at worst after the first retransmit. This should be used only on protocols
8335 for which the client talks first (eg: HTTP). It can slightly improve
8336 performance by ensuring that most of the request is already available when
8337 the connection is accepted. On the other hand, it will not be able to detect
8338 connections which don't talk. It is important to note that this option is
8339 broken in all kernels up to 2.6.31, as the connection is never accepted until
8340 the client talks. This can cause issues with front firewalls which would see
8341 an established connection while the proxy will only see it in SYN_RECV. This
8342 option is only supported on TCPv4/TCPv6 sockets and ignored by other ones.
8343
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008344force-sslv3
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008345 This option enforces use of SSLv3 only on SSL connections instantiated from
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008346 this listener. SSLv3 is generally less expensive than the TLS counterparts
8347 for high connection rates. See also "force-tls*", "no-sslv3", and "no-tls*".
8348
8349force-tlsv10
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008350 This option enforces use of TLSv1.0 only on SSL connections instantiated from
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008351 this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
8352
8353force-tlsv11
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008354 This option enforces use of TLSv1.1 only on SSL connections instantiated from
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008355 this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
8356
8357force-tlsv12
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008358 This option enforces use of TLSv1.2 only on SSL connections instantiated from
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008359 this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
8360
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008361gid <gid>
8362 Sets the group of the UNIX sockets to the designated system gid. It can also
8363 be set by default in the global section's "unix-bind" statement. Note that
8364 some platforms simply ignore this. This setting is equivalent to the "group"
8365 setting except that the group ID is used instead of its name. This setting is
8366 ignored by non UNIX sockets.
8367
8368group <group>
8369 Sets the group of the UNIX sockets to the designated system group. It can
8370 also be set by default in the global section's "unix-bind" statement. Note
8371 that some platforms simply ignore this. This setting is equivalent to the
8372 "gid" setting except that the group name is used instead of its gid. This
8373 setting is ignored by non UNIX sockets.
8374
8375id <id>
8376 Fixes the socket ID. By default, socket IDs are automatically assigned, but
8377 sometimes it is more convenient to fix them to ease monitoring. This value
8378 must be strictly positive and unique within the listener/frontend. This
8379 option can only be used when defining only a single socket.
8380
8381interface <interface>
Lukas Tribusfce2e962013-02-12 22:13:19 +01008382 Restricts the socket to a specific interface. When specified, only packets
8383 received from that particular interface are processed by the socket. This is
8384 currently only supported on Linux. The interface must be a primary system
8385 interface, not an aliased interface. It is also possible to bind multiple
8386 frontends to the same address if they are bound to different interfaces. Note
8387 that binding to a network interface requires root privileges. This parameter
8388 is only compatible with TCPv4/TCPv6 sockets.
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008389
Willy Tarreauabb175f2012-09-24 12:43:26 +02008390level <level>
8391 This setting is used with the stats sockets only to restrict the nature of
8392 the commands that can be issued on the socket. It is ignored by other
8393 sockets. <level> can be one of :
8394 - "user" is the least privileged level ; only non-sensitive stats can be
8395 read, and no change is allowed. It would make sense on systems where it
8396 is not easy to restrict access to the socket.
8397 - "operator" is the default level and fits most common uses. All data can
8398 be read, and only non-sensitive changes are permitted (eg: clear max
8399 counters).
8400 - "admin" should be used with care, as everything is permitted (eg: clear
8401 all counters).
8402
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008403maxconn <maxconn>
8404 Limits the sockets to this number of concurrent connections. Extraneous
8405 connections will remain in the system's backlog until a connection is
8406 released. If unspecified, the limit will be the same as the frontend's
8407 maxconn. Note that in case of port ranges or multiple addresses, the same
8408 value will be applied to each socket. This setting enables different
8409 limitations on expensive sockets, for instance SSL entries which may easily
8410 eat all memory.
8411
8412mode <mode>
8413 Sets the octal mode used to define access permissions on the UNIX socket. It
8414 can also be set by default in the global section's "unix-bind" statement.
8415 Note that some platforms simply ignore this. This setting is ignored by non
8416 UNIX sockets.
8417
8418mss <maxseg>
8419 Sets the TCP Maximum Segment Size (MSS) value to be advertised on incoming
8420 connections. This can be used to force a lower MSS for certain specific
8421 ports, for instance for connections passing through a VPN. Note that this
8422 relies on a kernel feature which is theoretically supported under Linux but
8423 was buggy in all versions prior to 2.6.28. It may or may not work on other
8424 operating systems. It may also not change the advertised value but change the
8425 effective size of outgoing segments. The commonly advertised value for TCPv4
8426 over Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP). If this value is
8427 positive, it will be used as the advertised MSS. If it is negative, it will
8428 indicate by how much to reduce the incoming connection's advertised MSS for
8429 outgoing segments. This parameter is only compatible with TCP v4/v6 sockets.
8430
8431name <name>
8432 Sets an optional name for these sockets, which will be reported on the stats
8433 page.
8434
8435nice <nice>
8436 Sets the 'niceness' of connections initiated from the socket. Value must be
8437 in the range -1024..1024 inclusive, and defaults to zero. Positive values
8438 means that such connections are more friendly to others and easily offer
8439 their place in the scheduler. On the opposite, negative values mean that
8440 connections want to run with a higher priority than others. The difference
8441 only happens under high loads when the system is close to saturation.
8442 Negative values are appropriate for low-latency or administration services,
8443 and high values are generally recommended for CPU intensive tasks such as SSL
8444 processing or bulk transfers which are less sensible to latency. For example,
8445 it may make sense to use a positive value for an SMTP socket and a negative
8446 one for an RDP socket.
8447
Emeric Brun9b3009b2012-10-05 11:55:06 +02008448no-sslv3
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008449 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008450 disables support for SSLv3 on any sockets instantiated from the listener when
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008451 SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008452 be enabled using any configuration option. See also "force-tls*",
8453 and "force-sslv3".
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008454
Emeric Brun90ad8722012-10-02 14:00:59 +02008455no-tls-tickets
8456 This setting is only available when support for OpenSSL was built in. It
8457 disables the stateless session resumption (RFC 5077 TLS Ticket
8458 extension) and force to use stateful session resumption. Stateless
8459 session resumption is more expensive in CPU usage.
8460
Emeric Brun9b3009b2012-10-05 11:55:06 +02008461no-tlsv10
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008462 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008463 disables support for TLSv1.0 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008464 when SSL is supported. Note that SSLv2 is forced disabled in the code and
8465 cannot be enabled using any configuration option. See also "force-tls*",
8466 and "force-sslv3".
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008467
Emeric Brun9b3009b2012-10-05 11:55:06 +02008468no-tlsv11
Emeric Brunf5da4932012-09-28 19:42:54 +02008469 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008470 disables support for TLSv1.1 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008471 when SSL is supported. Note that SSLv2 is forced disabled in the code and
8472 cannot be enabled using any configuration option. See also "force-tls*",
8473 and "force-sslv3".
Emeric Brunf5da4932012-09-28 19:42:54 +02008474
Emeric Brun9b3009b2012-10-05 11:55:06 +02008475no-tlsv12
Emeric Brunf5da4932012-09-28 19:42:54 +02008476 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008477 disables support for TLSv1.2 on any sockets instantiated from the listener
Emeric Brun2cb7ae52012-10-05 14:14:21 +02008478 when SSL is supported. Note that SSLv2 is forced disabled in the code and
8479 cannot be enabled using any configuration option. See also "force-tls*",
8480 and "force-sslv3".
Emeric Brunf5da4932012-09-28 19:42:54 +02008481
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02008482npn <protocols>
8483 This enables the NPN TLS extension and advertises the specified protocol list
8484 as supported on top of NPN. The protocol list consists in a comma-delimited
8485 list of protocol names, for instance: "http/1.1,http/1.0" (without quotes).
8486 This requires that the SSL library is build with support for TLS extensions
Willy Tarreauab861d32013-04-02 02:30:41 +02008487 enabled (check with haproxy -vv). Note that the NPN extension has been
8488 replaced with the ALPN extension (see the "alpn" keyword).
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02008489
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02008490process [ all | odd | even | <number 1-64>[-<number 1-64>] ]
8491 This restricts the list of processes on which this listener is allowed to
8492 run. It does not enforce any process but eliminates those which do not match.
8493 If the frontend uses a "bind-process" setting, the intersection between the
8494 two is applied. If in the end the listener is not allowed to run on any
8495 remaining process, a warning is emitted, and the listener will either run on
8496 the first process of the listener if a single process was specified, or on
8497 all of its processes if multiple processes were specified. For the unlikely
Willy Tarreauae302532014-05-07 19:22:24 +02008498 case where several ranges are needed, this directive may be repeated. The
8499 main purpose of this directive is to be used with the stats sockets and have
8500 one different socket per process. The second purpose is to have multiple bind
8501 lines sharing the same IP:port but not the same process in a listener, so
8502 that the system can distribute the incoming connections into multiple queues
8503 and allow a smoother inter-process load balancing. Currently Linux 3.9 and
8504 above is known for supporting this. See also "bind-process" and "nbproc".
Willy Tarreau6ae1ba62014-05-07 19:01:58 +02008505
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008506ssl
8507 This setting is only available when support for OpenSSL was built in. It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008508 enables SSL deciphering on connections instantiated from this listener. A
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008509 certificate is necessary (see "crt" above). All contents in the buffers will
8510 appear in clear text, so that ACLs and HTTP processing will only have access
8511 to deciphered contents.
8512
Emmanuel Hocdet65623372013-01-24 17:17:15 +01008513strict-sni
8514 This setting is only available when support for OpenSSL was built in. The
8515 SSL/TLS negotiation is allow only if the client provided an SNI which match
8516 a certificate. The default certificate is not used.
8517 See the "crt" option for more information.
8518
Willy Tarreau1c862c52012-10-05 16:21:00 +02008519tfo
Lukas Tribus0defb902013-02-13 23:35:39 +01008520 Is an optional keyword which is supported only on Linux kernels >= 3.7. It
Willy Tarreau1c862c52012-10-05 16:21:00 +02008521 enables TCP Fast Open on the listening socket, which means that clients which
8522 support this feature will be able to send a request and receive a response
8523 during the 3-way handshake starting from second connection, thus saving one
8524 round-trip after the first connection. This only makes sense with protocols
8525 that use high connection rates and where each round trip matters. This can
8526 possibly cause issues with many firewalls which do not accept data on SYN
8527 packets, so this option should only be enabled once well tested. This option
Lukas Tribus0999f762013-04-02 16:43:24 +02008528 is only supported on TCPv4/TCPv6 sockets and ignored by other ones. You may
8529 need to build HAProxy with USE_TFO=1 if your libc doesn't define
8530 TCP_FASTOPEN.
Willy Tarreau1c862c52012-10-05 16:21:00 +02008531
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008532transparent
8533 Is an optional keyword which is supported only on certain Linux kernels. It
8534 indicates that the addresses will be bound even if they do not belong to the
8535 local machine, and that packets targeting any of these addresses will be
8536 intercepted just as if the addresses were locally configured. This normally
8537 requires that IP forwarding is enabled. Caution! do not use this with the
8538 default address '*', as it would redirect any traffic for the specified port.
8539 This keyword is available only when HAProxy is built with USE_LINUX_TPROXY=1.
8540 This parameter is only compatible with TCPv4 and TCPv6 sockets, depending on
8541 kernel version. Some distribution kernels include backports of the feature,
8542 so check for support with your vendor.
8543
Willy Tarreau77e3af92012-11-24 15:07:23 +01008544v4v6
8545 Is an optional keyword which is supported only on most recent systems
8546 including Linux kernels >= 2.4.21. It is used to bind a socket to both IPv4
8547 and IPv6 when it uses the default address. Doing so is sometimes necessary
8548 on systems which bind to IPv6 only by default. It has no effect on non-IPv6
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008549 sockets, and is overridden by the "v6only" option.
Willy Tarreau77e3af92012-11-24 15:07:23 +01008550
Willy Tarreau9b6700f2012-11-24 11:55:28 +01008551v6only
8552 Is an optional keyword which is supported only on most recent systems
8553 including Linux kernels >= 2.4.21. It is used to bind a socket to IPv6 only
8554 when it uses the default address. Doing so is sometimes preferred to doing it
Willy Tarreau77e3af92012-11-24 15:07:23 +01008555 system-wide as it is per-listener. It has no effect on non-IPv6 sockets and
8556 has precedence over the "v4v6" option.
Willy Tarreau9b6700f2012-11-24 11:55:28 +01008557
Willy Tarreaub6205fd2012-09-24 12:27:33 +02008558uid <uid>
8559 Sets the owner of the UNIX sockets to the designated system uid. It can also
8560 be set by default in the global section's "unix-bind" statement. Note that
8561 some platforms simply ignore this. This setting is equivalent to the "user"
8562 setting except that the user numeric ID is used instead of its name. This
8563 setting is ignored by non UNIX sockets.
8564
8565user <user>
8566 Sets the owner of the UNIX sockets to the designated system user. It can also
8567 be set by default in the global section's "unix-bind" statement. Note that
8568 some platforms simply ignore this. This setting is equivalent to the "uid"
8569 setting except that the user name is used instead of its uid. This setting is
8570 ignored by non UNIX sockets.
8571
Emeric Brun1a073b42012-09-28 17:07:34 +02008572verify [none|optional|required]
8573 This setting is only available when support for OpenSSL was built in. If set
8574 to 'none', client certificate is not requested. This is the default. In other
8575 cases, a client certificate is requested. If the client does not provide a
8576 certificate after the request and if 'verify' is set to 'required', then the
8577 handshake is aborted, while it would have succeeded if set to 'optional'. The
Emeric Brunfd33a262012-10-11 16:28:27 +02008578 certificate provided by the client is always verified using CAs from
8579 'ca-file' and optional CRLs from 'crl-file'. On verify failure the handshake
8580 is aborted, regardless of the 'verify' option, unless the error code exactly
8581 matches one of those listed with 'ca-ignore-err' or 'crt-ignore-err'.
Willy Tarreau4a5cade2012-04-05 21:09:48 +02008582
Willy Tarreaub6205fd2012-09-24 12:27:33 +020085835.2. Server and default-server options
Cyril Bontéf0c60612010-02-06 14:44:47 +01008584------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02008585
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01008586The "server" and "default-server" keywords support a certain number of settings
8587which are all passed as arguments on the server line. The order in which those
8588arguments appear does not count, and they are all optional. Some of those
8589settings are single words (booleans) while others expect one or several values
8590after them. In this case, the values must immediately follow the setting name.
8591Except default-server, all those settings must be specified after the server's
8592address if they are used:
Willy Tarreau6a06a402007-07-15 20:15:28 +02008593
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008594 server <name> <address>[:port] [settings ...]
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01008595 default-server [settings ...]
Willy Tarreau6a06a402007-07-15 20:15:28 +02008596
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008597The currently supported settings are the following ones.
Willy Tarreau0ba27502007-12-24 16:55:16 +01008598
Willy Tarreauceb4ac92012-04-28 00:41:46 +02008599addr <ipv4|ipv6>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008600 Using the "addr" parameter, it becomes possible to use a different IP address
8601 to send health-checks. On some servers, it may be desirable to dedicate an IP
8602 address to specific component able to perform complex tests which are more
8603 suitable to health-checks than the application. This parameter is ignored if
8604 the "check" parameter is not set. See also the "port" parameter.
Willy Tarreau6a06a402007-07-15 20:15:28 +02008605
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008606 Supported in default-server: No
8607
Simon Hormand60d6912013-11-25 10:46:36 +09008608agent-check
8609 Enable an auxiliary agent check which is run independently of a regular
Willy Tarreau81f5d942013-12-09 20:51:51 +01008610 health check. An agent health check is performed by making a TCP connection
8611 to the port set by the "agent-port" parameter and reading an ASCII string.
8612 The string is made of a series of words delimited by spaces, tabs or commas
8613 in any order, optionally terminated by '\r' and/or '\n', each consisting of :
Simon Hormand60d6912013-11-25 10:46:36 +09008614
Willy Tarreau81f5d942013-12-09 20:51:51 +01008615 - An ASCII representation of a positive integer percentage, e.g. "75%".
Simon Hormand60d6912013-11-25 10:46:36 +09008616 Values in this format will set the weight proportional to the initial
8617 weight of a server as configured when haproxy starts.
8618
Willy Tarreau81f5d942013-12-09 20:51:51 +01008619 - The word "ready". This will turn the server's administrative state to the
8620 READY mode, thus cancelling any DRAIN or MAINT state
Simon Hormand60d6912013-11-25 10:46:36 +09008621
Willy Tarreau81f5d942013-12-09 20:51:51 +01008622 - The word "drain". This will turn the server's administrative state to the
8623 DRAIN mode, thus it will not accept any new connections other than those
8624 that are accepted via persistence.
Simon Hormand60d6912013-11-25 10:46:36 +09008625
Willy Tarreau81f5d942013-12-09 20:51:51 +01008626 - The word "maint". This will turn the server's administrative state to the
8627 MAINT mode, thus it will not accept any new connections at all, and health
8628 checks will be stopped.
Simon Hormand60d6912013-11-25 10:46:36 +09008629
Willy Tarreau81f5d942013-12-09 20:51:51 +01008630 - The words "down", "failed", or "stopped", optionally followed by a
8631 description string after a sharp ('#'). All of these mark the server's
8632 operating state as DOWN, but since the word itself is reported on the stats
8633 page, the difference allows an administrator to know if the situation was
8634 expected or not : the service may intentionally be stopped, may appear up
8635 but fail some validity tests, or may be seen as down (eg: missing process,
8636 or port not responding).
Simon Hormand60d6912013-11-25 10:46:36 +09008637
Willy Tarreau81f5d942013-12-09 20:51:51 +01008638 - The word "up" sets back the server's operating state as UP if health checks
8639 also report that the service is accessible.
Simon Hormand60d6912013-11-25 10:46:36 +09008640
Willy Tarreau81f5d942013-12-09 20:51:51 +01008641 Parameters which are not advertised by the agent are not changed. For
8642 example, an agent might be designed to monitor CPU usage and only report a
8643 relative weight and never interact with the operating status. Similarly, an
8644 agent could be designed as an end-user interface with 3 radio buttons
8645 allowing an administrator to change only the administrative state. However,
8646 it is important to consider that only the agent may revert its own actions,
8647 so if a server is set to DRAIN mode or to DOWN state using the agent, the
8648 agent must implement the other equivalent actions to bring the service into
8649 operations again.
Simon Hormand60d6912013-11-25 10:46:36 +09008650
Simon Horman2f1f9552013-11-25 10:46:37 +09008651 Failure to connect to the agent is not considered an error as connectivity
8652 is tested by the regular health check which is enabled by the "check"
Willy Tarreau81f5d942013-12-09 20:51:51 +01008653 parameter. Warning though, it is not a good idea to stop an agent after it
8654 reports "down", since only an agent reporting "up" will be able to turn the
8655 server up again. Note that the CLI on the Unix stats socket is also able to
8656 force an agent's result in order to workaround a bogus agent if needed.
Simon Horman2f1f9552013-11-25 10:46:37 +09008657
Willy Tarreau81f5d942013-12-09 20:51:51 +01008658 Requires the "agent-port" parameter to be set. See also the "agent-inter"
8659 parameter.
Simon Hormand60d6912013-11-25 10:46:36 +09008660
8661 Supported in default-server: No
8662
8663agent-inter <delay>
8664 The "agent-inter" parameter sets the interval between two agent checks
8665 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
8666
8667 Just as with every other time-based parameter, it may be entered in any
8668 other explicit unit among { us, ms, s, m, h, d }. The "agent-inter"
8669 parameter also serves as a timeout for agent checks "timeout check" is
8670 not set. In order to reduce "resonance" effects when multiple servers are
8671 hosted on the same hardware, the agent and health checks of all servers
8672 are started with a small time offset between them. It is also possible to
8673 add some random noise in the agent and health checks interval using the
8674 global "spread-checks" keyword. This makes sense for instance when a lot
8675 of backends use the same servers.
8676
8677 See also the "agent-check" and "agent-port" parameters.
8678
8679 Supported in default-server: Yes
8680
8681agent-port <port>
8682 The "agent-port" parameter sets the TCP port used for agent checks.
8683
8684 See also the "agent-check" and "agent-inter" parameters.
8685
8686 Supported in default-server: Yes
8687
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008688backup
8689 When "backup" is present on a server line, the server is only used in load
8690 balancing when all other non-backup servers are unavailable. Requests coming
8691 with a persistence cookie referencing the server will always be served
8692 though. By default, only the first operational backup server is used, unless
8693 the "allbackups" option is set in the backend. See also the "allbackups"
8694 option.
Willy Tarreau6a06a402007-07-15 20:15:28 +02008695
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008696 Supported in default-server: No
8697
Emeric Brunef42d922012-10-11 16:11:36 +02008698ca-file <cafile>
8699 This setting is only available when support for OpenSSL was built in. It
8700 designates a PEM file from which to load CA certificates used to verify
8701 server's certificate.
8702
8703 Supported in default-server: No
8704
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008705check
8706 This option enables health checks on the server. By default, a server is
Patrick Mézardb7aeec62012-01-22 16:01:22 +01008707 always considered available. If "check" is set, the server is available when
8708 accepting periodic TCP connections, to ensure that it is really able to serve
8709 requests. The default address and port to send the tests to are those of the
8710 server, and the default source is the same as the one defined in the
8711 backend. It is possible to change the address using the "addr" parameter, the
8712 port using the "port" parameter, the source address using the "source"
8713 address, and the interval and timers using the "inter", "rise" and "fall"
Simon Hormanafc47ee2013-11-25 10:46:35 +09008714 parameters. The request method is define in the backend using the "httpchk",
8715 "smtpchk", "mysql-check", "pgsql-check" and "ssl-hello-chk" options. Please
8716 refer to those options and parameters for more information.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008717
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008718 Supported in default-server: No
8719
Willy Tarreau6c16adc2012-10-05 00:04:16 +02008720check-send-proxy
8721 This option forces emission of a PROXY protocol line with outgoing health
8722 checks, regardless of whether the server uses send-proxy or not for the
8723 normal traffic. By default, the PROXY protocol is enabled for health checks
8724 if it is already enabled for normal traffic and if no "port" nor "addr"
8725 directive is present. However, if such a directive is present, the
8726 "check-send-proxy" option needs to be used to force the use of the
8727 protocol. See also the "send-proxy" option for more information.
8728
8729 Supported in default-server: No
8730
Willy Tarreau763a95b2012-10-04 23:15:39 +02008731check-ssl
8732 This option forces encryption of all health checks over SSL, regardless of
8733 whether the server uses SSL or not for the normal traffic. This is generally
8734 used when an explicit "port" or "addr" directive is specified and SSL health
8735 checks are not inherited. It is important to understand that this option
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008736 inserts an SSL transport layer below the checks, so that a simple TCP connect
Willy Tarreau763a95b2012-10-04 23:15:39 +02008737 check becomes an SSL connect, which replaces the old ssl-hello-chk. The most
8738 common use is to send HTTPS checks by combining "httpchk" with SSL checks.
8739 All SSL settings are common to health checks and traffic (eg: ciphers).
8740 See the "ssl" option for more information.
8741
8742 Supported in default-server: No
8743
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02008744ciphers <ciphers>
8745 This option sets the string describing the list of cipher algorithms that is
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03008746 is negotiated during the SSL/TLS handshake with the server. The format of the
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02008747 string is defined in "man 1 ciphers". When SSL is used to communicate with
8748 servers on the local network, it is common to see a weaker set of algorithms
8749 than what is used over the internet. Doing so reduces CPU usage on both the
8750 server and haproxy while still keeping it compatible with deployed software.
8751 Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
8752 is needed and just connectivity, using DES can be appropriate.
8753
Willy Tarreau763a95b2012-10-04 23:15:39 +02008754 Supported in default-server: No
8755
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008756cookie <value>
8757 The "cookie" parameter sets the cookie value assigned to the server to
8758 <value>. This value will be checked in incoming requests, and the first
8759 operational server possessing the same value will be selected. In return, in
8760 cookie insertion or rewrite modes, this value will be assigned to the cookie
8761 sent to the client. There is nothing wrong in having several servers sharing
8762 the same cookie value, and it is in fact somewhat common between normal and
8763 backup servers. See also the "cookie" keyword in backend section.
8764
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008765 Supported in default-server: No
8766
Emeric Brunef42d922012-10-11 16:11:36 +02008767crl-file <crlfile>
8768 This setting is only available when support for OpenSSL was built in. It
8769 designates a PEM file from which to load certificate revocation list used
8770 to verify server's certificate.
8771
8772 Supported in default-server: No
8773
Emeric Bruna7aa3092012-10-26 12:58:00 +02008774crt <cert>
8775 This setting is only available when support for OpenSSL was built in.
8776 It designates a PEM file from which to load both a certificate and the
8777 associated private key. This file can be built by concatenating both PEM
8778 files into one. This certificate will be sent if the server send a client
8779 certificate request.
8780
8781 Supported in default-server: No
8782
Willy Tarreau96839092010-03-29 10:02:24 +02008783disabled
8784 The "disabled" keyword starts the server in the "disabled" state. That means
8785 that it is marked down in maintenance mode, and no connection other than the
8786 ones allowed by persist mode will reach it. It is very well suited to setup
8787 new servers, because normal traffic will never reach them, while it is still
8788 possible to test the service by making use of the force-persist mechanism.
8789
8790 Supported in default-server: No
8791
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008792error-limit <count>
Willy Tarreau983e01e2010-01-11 18:42:06 +01008793 If health observing is enabled, the "error-limit" parameter specifies the
8794 number of consecutive errors that triggers event selected by the "on-error"
8795 option. By default it is set to 10 consecutive errors.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01008796
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008797 Supported in default-server: Yes
8798
8799 See also the "check", "error-limit" and "on-error".
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01008800
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008801fall <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008802 The "fall" parameter states that a server will be considered as dead after
8803 <count> consecutive unsuccessful health checks. This value defaults to 3 if
8804 unspecified. See also the "check", "inter" and "rise" parameters.
8805
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008806 Supported in default-server: Yes
8807
Emeric Brun8694b9a2012-10-05 14:39:07 +02008808force-sslv3
8809 This option enforces use of SSLv3 only when SSL is used to communicate with
8810 the server. SSLv3 is generally less expensive than the TLS counterparts for
8811 high connection rates. See also "no-tlsv*", "no-sslv3".
8812
8813 Supported in default-server: No
8814
8815force-tlsv10
8816 This option enforces use of TLSv1.0 only when SSL is used to communicate with
8817 the server. See also "no-tlsv*", "no-sslv3".
8818
8819 Supported in default-server: No
8820
8821force-tlsv11
8822 This option enforces use of TLSv1.1 only when SSL is used to communicate with
8823 the server. See also "no-tlsv*", "no-sslv3".
8824
8825 Supported in default-server: No
8826
8827force-tlsv12
8828 This option enforces use of TLSv1.2 only when SSL is used to communicate with
8829 the server. See also "no-tlsv*", "no-sslv3".
8830
8831 Supported in default-server: No
8832
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008833id <value>
Willy Tarreau53fb4ae2009-10-04 23:04:08 +02008834 Set a persistent ID for the server. This ID must be positive and unique for
8835 the proxy. An unused ID will automatically be assigned if unset. The first
8836 assigned value will be 1. This ID is currently only returned in statistics.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008837
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008838 Supported in default-server: No
8839
8840inter <delay>
8841fastinter <delay>
8842downinter <delay>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008843 The "inter" parameter sets the interval between two consecutive health checks
8844 to <delay> milliseconds. If left unspecified, the delay defaults to 2000 ms.
8845 It is also possible to use "fastinter" and "downinter" to optimize delays
8846 between checks depending on the server state :
8847
8848 Server state | Interval used
8849 ---------------------------------+-----------------------------------------
8850 UP 100% (non-transitional) | "inter"
8851 ---------------------------------+-----------------------------------------
8852 Transitionally UP (going down), |
8853 Transitionally DOWN (going up), | "fastinter" if set, "inter" otherwise.
8854 or yet unchecked. |
8855 ---------------------------------+-----------------------------------------
8856 DOWN 100% (non-transitional) | "downinter" if set, "inter" otherwise.
8857 ---------------------------------+-----------------------------------------
Willy Tarreaud72758d2010-01-12 10:42:19 +01008858
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008859 Just as with every other time-based parameter, they can be entered in any
8860 other explicit unit among { us, ms, s, m, h, d }. The "inter" parameter also
8861 serves as a timeout for health checks sent to servers if "timeout check" is
8862 not set. In order to reduce "resonance" effects when multiple servers are
Simon Hormand60d6912013-11-25 10:46:36 +09008863 hosted on the same hardware, the agent and health checks of all servers
8864 are started with a small time offset between them. It is also possible to
8865 add some random noise in the agent and health checks interval using the
8866 global "spread-checks" keyword. This makes sense for instance when a lot
8867 of backends use the same servers.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008868
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008869 Supported in default-server: Yes
8870
8871maxconn <maxconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008872 The "maxconn" parameter specifies the maximal number of concurrent
8873 connections that will be sent to this server. If the number of incoming
8874 concurrent requests goes higher than this value, they will be queued, waiting
8875 for a connection to be released. This parameter is very important as it can
8876 save fragile servers from going down under extreme loads. If a "minconn"
8877 parameter is specified, the limit becomes dynamic. The default value is "0"
8878 which means unlimited. See also the "minconn" and "maxqueue" parameters, and
8879 the backend's "fullconn" keyword.
8880
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008881 Supported in default-server: Yes
8882
8883maxqueue <maxqueue>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008884 The "maxqueue" parameter specifies the maximal number of connections which
8885 will wait in the queue for this server. If this limit is reached, next
8886 requests will be redispatched to other servers instead of indefinitely
8887 waiting to be served. This will break persistence but may allow people to
8888 quickly re-log in when the server they try to connect to is dying. The
8889 default value is "0" which means the queue is unlimited. See also the
8890 "maxconn" and "minconn" parameters.
8891
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008892 Supported in default-server: Yes
8893
8894minconn <minconn>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008895 When the "minconn" parameter is set, the maxconn limit becomes a dynamic
8896 limit following the backend's load. The server will always accept at least
8897 <minconn> connections, never more than <maxconn>, and the limit will be on
8898 the ramp between both values when the backend has less than <fullconn>
8899 concurrent connections. This makes it possible to limit the load on the
8900 server during normal loads, but push it further for important loads without
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01008901 overloading the server during exceptional loads. See also the "maxconn"
Willy Tarreauc57f0e22009-05-10 13:12:33 +02008902 and "maxqueue" parameters, as well as the "fullconn" backend keyword.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01008903
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008904 Supported in default-server: Yes
8905
Emeric Brun9b3009b2012-10-05 11:55:06 +02008906no-sslv3
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02008907 This option disables support for SSLv3 when SSL is used to communicate with
8908 the server. Note that SSLv2 is disabled in the code and cannot be enabled
Emeric Brun8694b9a2012-10-05 14:39:07 +02008909 using any configuration option. See also "force-sslv3", "force-tlsv*".
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02008910
Willy Tarreau763a95b2012-10-04 23:15:39 +02008911 Supported in default-server: No
8912
Emeric Brunf9c5c472012-10-11 15:28:34 +02008913no-tls-tickets
8914 This setting is only available when support for OpenSSL was built in. It
8915 disables the stateless session resumption (RFC 5077 TLS Ticket
8916 extension) and force to use stateful session resumption. Stateless
8917 session resumption is more expensive in CPU usage for servers.
8918
8919 Supported in default-server: No
8920
Emeric Brun9b3009b2012-10-05 11:55:06 +02008921no-tlsv10
Emeric Brun8694b9a2012-10-05 14:39:07 +02008922 This option disables support for TLSv1.0 when SSL is used to communicate with
Emeric Brunf5da4932012-09-28 19:42:54 +02008923 the server. Note that SSLv2 is disabled in the code and cannot be enabled
8924 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun8694b9a2012-10-05 14:39:07 +02008925 often makes sense to disable it when communicating with local servers. See
8926 also "force-sslv3", "force-tlsv*".
Emeric Brunf5da4932012-09-28 19:42:54 +02008927
Willy Tarreau763a95b2012-10-04 23:15:39 +02008928 Supported in default-server: No
8929
Emeric Brun9b3009b2012-10-05 11:55:06 +02008930no-tlsv11
Emeric Brun8694b9a2012-10-05 14:39:07 +02008931 This option disables support for TLSv1.1 when SSL is used to communicate with
Emeric Brunf5da4932012-09-28 19:42:54 +02008932 the server. Note that SSLv2 is disabled in the code and cannot be enabled
8933 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun8694b9a2012-10-05 14:39:07 +02008934 often makes sense to disable it when communicating with local servers. See
8935 also "force-sslv3", "force-tlsv*".
Emeric Brunf5da4932012-09-28 19:42:54 +02008936
Willy Tarreau763a95b2012-10-04 23:15:39 +02008937 Supported in default-server: No
8938
Emeric Brun9b3009b2012-10-05 11:55:06 +02008939no-tlsv12
Emeric Brun8694b9a2012-10-05 14:39:07 +02008940 This option disables support for TLSv1.2 when SSL is used to communicate with
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02008941 the server. Note that SSLv2 is disabled in the code and cannot be enabled
8942 using any configuration option. TLSv1 is more expensive than SSLv3 so it
Emeric Brun8694b9a2012-10-05 14:39:07 +02008943 often makes sense to disable it when communicating with local servers. See
8944 also "force-sslv3", "force-tlsv*".
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02008945
Willy Tarreau763a95b2012-10-04 23:15:39 +02008946 Supported in default-server: No
8947
Simon Hormanfa461682011-06-25 09:39:49 +09008948non-stick
8949 Never add connections allocated to this sever to a stick-table.
8950 This may be used in conjunction with backup to ensure that
8951 stick-table persistence is disabled for backup servers.
8952
Willy Tarreau763a95b2012-10-04 23:15:39 +02008953 Supported in default-server: No
8954
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01008955observe <mode>
8956 This option enables health adjusting based on observing communication with
8957 the server. By default this functionality is disabled and enabling it also
8958 requires to enable health checks. There are two supported modes: "layer4" and
8959 "layer7". In layer4 mode, only successful/unsuccessful tcp connections are
8960 significant. In layer7, which is only allowed for http proxies, responses
8961 received from server are verified, like valid/wrong http code, unparsable
Willy Tarreau150d1462012-03-10 08:19:02 +01008962 headers, a timeout, etc. Valid status codes include 100 to 499, 501 and 505.
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01008963
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008964 Supported in default-server: No
8965
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01008966 See also the "check", "on-error" and "error-limit".
8967
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008968on-error <mode>
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01008969 Select what should happen when enough consecutive errors are detected.
8970 Currently, four modes are available:
8971 - fastinter: force fastinter
8972 - fail-check: simulate a failed check, also forces fastinter (default)
8973 - sudden-death: simulate a pre-fatal failed health check, one more failed
8974 check will mark a server down, forces fastinter
8975 - mark-down: mark the server immediately down and force fastinter
8976
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01008977 Supported in default-server: Yes
8978
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +01008979 See also the "check", "observe" and "error-limit".
8980
Simon Hormane0d1bfb2011-06-21 14:34:58 +09008981on-marked-down <action>
8982 Modify what occurs when a server is marked down.
8983 Currently one action is available:
Justin Karnegeseb2c24a2012-05-24 15:28:52 -07008984 - shutdown-sessions: Shutdown peer sessions. When this setting is enabled,
8985 all connections to the server are immediately terminated when the server
8986 goes down. It might be used if the health check detects more complex cases
8987 than a simple connection status, and long timeouts would cause the service
8988 to remain unresponsive for too long a time. For instance, a health check
8989 might detect that a database is stuck and that there's no chance to reuse
8990 existing connections anymore. Connections killed this way are logged with
8991 a 'D' termination code (for "Down").
Simon Hormane0d1bfb2011-06-21 14:34:58 +09008992
8993 Actions are disabled by default
8994
8995 Supported in default-server: Yes
8996
Justin Karnegeseb2c24a2012-05-24 15:28:52 -07008997on-marked-up <action>
8998 Modify what occurs when a server is marked up.
8999 Currently one action is available:
9000 - shutdown-backup-sessions: Shutdown sessions on all backup servers. This is
9001 done only if the server is not in backup state and if it is not disabled
9002 (it must have an effective weight > 0). This can be used sometimes to force
9003 an active server to take all the traffic back after recovery when dealing
9004 with long sessions (eg: LDAP, SQL, ...). Doing this can cause more trouble
9005 than it tries to solve (eg: incomplete transactions), so use this feature
9006 with extreme care. Sessions killed because a server comes up are logged
9007 with an 'U' termination code (for "Up").
9008
9009 Actions are disabled by default
9010
9011 Supported in default-server: Yes
9012
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009013port <port>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009014 Using the "port" parameter, it becomes possible to use a different port to
9015 send health-checks. On some servers, it may be desirable to dedicate a port
9016 to a specific component able to perform complex tests which are more suitable
9017 to health-checks than the application. It is common to run a simple script in
9018 inetd for instance. This parameter is ignored if the "check" parameter is not
9019 set. See also the "addr" parameter.
9020
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009021 Supported in default-server: Yes
9022
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009023redir <prefix>
9024 The "redir" parameter enables the redirection mode for all GET and HEAD
9025 requests addressing this server. This means that instead of having HAProxy
9026 forward the request to the server, it will send an "HTTP 302" response with
9027 the "Location" header composed of this prefix immediately followed by the
9028 requested URI beginning at the leading '/' of the path component. That means
9029 that no trailing slash should be used after <prefix>. All invalid requests
9030 will be rejected, and all non-GET or HEAD requests will be normally served by
9031 the server. Note that since the response is completely forged, no header
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009032 mangling nor cookie insertion is possible in the response. However, cookies in
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009033 requests are still analysed, making this solution completely usable to direct
9034 users to a remote location in case of local disaster. Main use consists in
9035 increasing bandwidth for static servers by having the clients directly
9036 connect to them. Note: never use a relative location here, it would cause a
9037 loop between the client and HAProxy!
9038
9039 Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
9040
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009041 Supported in default-server: No
9042
9043rise <count>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009044 The "rise" parameter states that a server will be considered as operational
9045 after <count> consecutive successful health checks. This value defaults to 2
9046 if unspecified. See also the "check", "inter" and "fall" parameters.
9047
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009048 Supported in default-server: Yes
9049
Willy Tarreau5ab04ec2011-03-20 10:32:26 +01009050send-proxy
9051 The "send-proxy" parameter enforces use of the PROXY protocol over any
9052 connection established to this server. The PROXY protocol informs the other
9053 end about the layer 3/4 addresses of the incoming connection, so that it can
9054 know the client's address or the public address it accessed to, whatever the
9055 upper layer protocol. For connections accepted by an "accept-proxy" listener,
9056 the advertised address will be used. Only TCPv4 and TCPv6 address families
9057 are supported. Other families such as Unix sockets, will report an UNKNOWN
9058 family. Servers using this option can fully be chained to another instance of
9059 haproxy listening with an "accept-proxy" setting. This setting must not be
Willy Tarreau6c16adc2012-10-05 00:04:16 +02009060 used if the server isn't aware of the protocol. When health checks are sent
9061 to the server, the PROXY protocol is automatically used when this option is
9062 set, unless there is an explicit "port" or "addr" directive, in which case an
9063 explicit "check-send-proxy" directive would also be needed to use the PROXY
9064 protocol. See also the "accept-proxy" option of the "bind" keyword.
Willy Tarreau5ab04ec2011-03-20 10:32:26 +01009065
9066 Supported in default-server: No
9067
David Safb76832014-05-08 23:42:08 -04009068send-proxy-v2
9069 The "send-proxy-v2" parameter enforces use of the PROXY protocol version 2
9070 over any connection established to this server. The PROXY protocol informs
9071 the other end about the layer 3/4 addresses of the incoming connection, so
9072 that it can know the client's address or the public address it accessed to,
9073 whatever the upper layer protocol. This setting must not be used if the
9074 server isn't aware of this version of the protocol. See also the "send-proxy"
9075 option of the "bind" keyword.
9076
9077 Supported in default-server: No
9078
9079send-proxy-v2-ssl
9080 The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
9081 2 over any connection established to this server. The PROXY protocol informs
9082 the other end about the layer 3/4 addresses of the incoming connection, so
9083 that it can know the client's address or the public address it accessed to,
9084 whatever the upper layer protocol. In addition, the SSL information extension
9085 of the PROXY protocol is added to the PROXY protocol header. This setting
9086 must not be used if the server isn't aware of this version of the protocol.
9087 See also the "send-proxy-v2" option of the "bind" keyword.
9088
9089 Supported in default-server: No
9090
9091send-proxy-v2-ssl-cn
9092 The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
9093 2 over any connection established to this server. The PROXY protocol informs
9094 the other end about the layer 3/4 addresses of the incoming connection, so
9095 that it can know the client's address or the public address it accessed to,
9096 whatever the upper layer protocol. In addition, the SSL information extension
9097 of the PROXY protocol, along along with the Common Name from the subject of
9098 the client certificate (if any), is added to the PROXY protocol header. This
9099 setting must not be used if the server isn't aware of this version of the
9100 protocol. See also the "send-proxy-v2" option of the "bind" keyword.
9101
9102 Supported in default-server: No
9103
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009104slowstart <start_time_in_ms>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009105 The "slowstart" parameter for a server accepts a value in milliseconds which
9106 indicates after how long a server which has just come back up will run at
9107 full speed. Just as with every other time-based parameter, it can be entered
9108 in any other explicit unit among { us, ms, s, m, h, d }. The speed grows
9109 linearly from 0 to 100% during this time. The limitation applies to two
9110 parameters :
9111
9112 - maxconn: the number of connections accepted by the server will grow from 1
9113 to 100% of the usual dynamic limit defined by (minconn,maxconn,fullconn).
9114
9115 - weight: when the backend uses a dynamic weighted algorithm, the weight
9116 grows linearly from 1 to 100%. In this case, the weight is updated at every
9117 health-check. For this reason, it is important that the "inter" parameter
9118 is smaller than the "slowstart", in order to maximize the number of steps.
9119
9120 The slowstart never applies when haproxy starts, otherwise it would cause
9121 trouble to running servers. It only applies when a server has been previously
9122 seen as failed.
9123
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009124 Supported in default-server: Yes
9125
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02009126source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
Willy Tarreaubce70882009-09-07 11:51:47 +02009127source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02009128source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009129 The "source" parameter sets the source address which will be used when
9130 connecting to the server. It follows the exact same parameters and principle
9131 as the backend "source" keyword, except that it only applies to the server
9132 referencing it. Please consult the "source" keyword for details.
9133
Willy Tarreauc6f4ce82009-06-10 11:09:37 +02009134 Additionally, the "source" statement on a server line allows one to specify a
9135 source port range by indicating the lower and higher bounds delimited by a
9136 dash ('-'). Some operating systems might require a valid IP address when a
9137 source port range is specified. It is permitted to have the same IP/range for
9138 several servers. Doing so makes it possible to bypass the maximum of 64k
9139 total concurrent connections. The limit will then reach 64k connections per
9140 server.
9141
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009142 Supported in default-server: No
9143
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009144ssl
Willy Tarreau44f65392013-06-25 07:56:20 +02009145 This option enables SSL ciphering on outgoing connections to the server. It
9146 is critical to verify server certificates using "verify" when using SSL to
9147 connect to servers, otherwise the communication is prone to trivial man in
9148 the-middle attacks rendering SSL useless. When this option is used, health
9149 checks are automatically sent in SSL too unless there is a "port" or an
9150 "addr" directive indicating the check should be sent to a different location.
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009151 See the "check-ssl" option to force SSL health checks.
Willy Tarreau763a95b2012-10-04 23:15:39 +02009152
9153 Supported in default-server: No
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02009154
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009155track [<proxy>/]<server>
Willy Tarreau32091232014-05-16 13:52:00 +02009156 This option enables ability to set the current state of the server by tracking
9157 another one. It is possible to track a server which itself tracks another
9158 server, provided that at the end of the chain, a server has health checks
9159 enabled. If <proxy> is omitted the current one is used. If disable-on-404 is
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009160 used, it has to be enabled on both proxies.
9161
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009162 Supported in default-server: No
9163
Emeric Brunef42d922012-10-11 16:11:36 +02009164verify [none|required]
9165 This setting is only available when support for OpenSSL was built in. If set
Emeric Brun850efd52014-01-29 12:24:34 +01009166 to 'none', server certificate is not verified. In the other case, The
9167 certificate provided by the server is verified using CAs from 'ca-file'
9168 and optional CRLs from 'crl-file'. If 'ssl_server_verify' is not specified
9169 in global section, this is the default. On verify failure the handshake
Willy Tarreau44f65392013-06-25 07:56:20 +02009170 is aborted. It is critically important to verify server certificates when
9171 using SSL to connect to servers, otherwise the communication is prone to
9172 trivial man-in-the-middle attacks rendering SSL totally useless.
Emeric Brunef42d922012-10-11 16:11:36 +02009173
9174 Supported in default-server: No
9175
Evan Broderbe554312013-06-27 00:05:25 -07009176verifyhost <hostname>
9177 This setting is only available when support for OpenSSL was built in, and
9178 only takes effect if 'verify required' is also specified. When set, the
9179 hostnames in the subject and subjectAlternateNames of the certificate
9180 provided by the server are checked. If none of the hostnames in the
9181 certificate match the specified hostname, the handshake is aborted. The
9182 hostnames in the server-provided certificate may include wildcards.
9183
9184 Supported in default-server: No
9185
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009186weight <weight>
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009187 The "weight" parameter is used to adjust the server's weight relative to
9188 other servers. All servers will receive a load proportional to their weight
9189 relative to the sum of all weights, so the higher the weight, the higher the
Willy Tarreau6704d672009-06-15 10:56:05 +02009190 load. The default weight is 1, and the maximal value is 256. A value of 0
9191 means the server will not participate in load-balancing but will still accept
9192 persistent connections. If this parameter is used to distribute the load
9193 according to server's capacity, it is recommended to start with values which
9194 can both grow and shrink, for instance between 10 and 100 to leave enough
9195 room above and below for later adjustments.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009196
Krzysztof Piotr Oledzkic53601c2010-01-06 10:50:42 +01009197 Supported in default-server: Yes
9198
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009199
92006. HTTP header manipulation
9201---------------------------
9202
9203In HTTP mode, it is possible to rewrite, add or delete some of the request and
9204response headers based on regular expressions. It is also possible to block a
9205request or a response if a particular header matches a regular expression,
9206which is enough to stop most elementary protocol attacks, and to protect
Willy Tarreau70dffda2014-01-30 03:07:23 +01009207against information leak from the internal network.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009208
Willy Tarreau70dffda2014-01-30 03:07:23 +01009209If HAProxy encounters an "Informational Response" (status code 1xx), it is able
9210to process all rsp* rules which can allow, deny, rewrite or delete a header,
9211but it will refuse to add a header to any such messages as this is not
9212HTTP-compliant. The reason for still processing headers in such responses is to
9213stop and/or fix any possible information leak which may happen, for instance
9214because another downstream equipment would unconditionally add a header, or if
9215a server name appears there. When such messages are seen, normal processing
9216still occurs on the next non-informational messages.
Willy Tarreau816b9792009-09-15 21:25:21 +02009217
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009218This section covers common usage of the following keywords, described in detail
9219in section 4.2 :
9220
9221 - reqadd <string>
9222 - reqallow <search>
9223 - reqiallow <search>
9224 - reqdel <search>
9225 - reqidel <search>
9226 - reqdeny <search>
9227 - reqideny <search>
9228 - reqpass <search>
9229 - reqipass <search>
9230 - reqrep <search> <replace>
9231 - reqirep <search> <replace>
9232 - reqtarpit <search>
9233 - reqitarpit <search>
9234 - rspadd <string>
9235 - rspdel <search>
9236 - rspidel <search>
9237 - rspdeny <search>
9238 - rspideny <search>
9239 - rsprep <search> <replace>
9240 - rspirep <search> <replace>
9241
9242With all these keywords, the same conventions are used. The <search> parameter
9243is a POSIX extended regular expression (regex) which supports grouping through
9244parenthesis (without the backslash). Spaces and other delimiters must be
9245prefixed with a backslash ('\') to avoid confusion with a field delimiter.
9246Other characters may be prefixed with a backslash to change their meaning :
9247
9248 \t for a tab
9249 \r for a carriage return (CR)
9250 \n for a new line (LF)
9251 \ to mark a space and differentiate it from a delimiter
9252 \# to mark a sharp and differentiate it from a comment
9253 \\ to use a backslash in a regex
9254 \\\\ to use a backslash in the text (*2 for regex, *2 for haproxy)
9255 \xXX to write the ASCII hex code XX as in the C language
9256
9257The <replace> parameter contains the string to be used to replace the largest
9258portion of text matching the regex. It can make use of the special characters
9259above, and can reference a substring which is delimited by parenthesis in the
9260regex, by writing a backslash ('\') immediately followed by one digit from 0 to
92619 indicating the group position (0 designating the entire line). This practice
9262is very common to users of the "sed" program.
9263
9264The <string> parameter represents the string which will systematically be added
9265after the last header line. It can also use special character sequences above.
9266
9267Notes related to these keywords :
9268---------------------------------
9269 - these keywords are not always convenient to allow/deny based on header
9270 contents. It is strongly recommended to use ACLs with the "block" keyword
9271 instead, resulting in far more flexible and manageable rules.
9272
9273 - lines are always considered as a whole. It is not possible to reference
9274 a header name only or a value only. This is important because of the way
9275 headers are written (notably the number of spaces after the colon).
9276
9277 - the first line is always considered as a header, which makes it possible to
9278 rewrite or filter HTTP requests URIs or response codes, but in turn makes
9279 it harder to distinguish between headers and request line. The regex prefix
9280 ^[^\ \t]*[\ \t] matches any HTTP method followed by a space, and the prefix
9281 ^[^ \t:]*: matches any header name followed by a colon.
9282
9283 - for performances reasons, the number of characters added to a request or to
9284 a response is limited at build time to values between 1 and 4 kB. This
9285 should normally be far more than enough for most usages. If it is too short
9286 on occasional usages, it is possible to gain some space by removing some
9287 useless headers before adding new ones.
9288
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01009289 - keywords beginning with "reqi" and "rspi" are the same as their counterpart
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009290 without the 'i' letter except that they ignore case when matching patterns.
9291
9292 - when a request passes through a frontend then a backend, all req* rules
9293 from the frontend will be evaluated, then all req* rules from the backend
9294 will be evaluated. The reverse path is applied to responses.
9295
9296 - req* statements are applied after "block" statements, so that "block" is
9297 always the first one, but before "use_backend" in order to permit rewriting
Willy Tarreaud72758d2010-01-12 10:42:19 +01009298 before switching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009299
9300
Willy Tarreau74ca5042013-06-11 23:12:07 +020093017. Using ACLs and fetching samples
9302----------------------------------
9303
9304Haproxy is capable of extracting data from request or response streams, from
9305client or server information, from tables, environmental information etc...
9306The action of extracting such data is called fetching a sample. Once retrieved,
9307these samples may be used for various purposes such as a key to a stick-table,
9308but most common usages consist in matching them against predefined constant
9309data called patterns.
9310
9311
93127.1. ACL basics
9313---------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009314
9315The use of Access Control Lists (ACL) provides a flexible solution to perform
9316content switching and generally to take decisions based on content extracted
9317from the request, the response or any environmental status. The principle is
9318simple :
9319
Willy Tarreau74ca5042013-06-11 23:12:07 +02009320 - extract a data sample from a stream, table or the environment
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009321 - optionally apply some format conversion to the extracted sample
Willy Tarreau74ca5042013-06-11 23:12:07 +02009322 - apply one or multiple pattern matching methods on this sample
9323 - perform actions only when a pattern matches the sample
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009324
Willy Tarreau74ca5042013-06-11 23:12:07 +02009325The actions generally consist in blocking a request, selecting a backend, or
9326adding a header.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009327
9328In order to define a test, the "acl" keyword is used. The syntax is :
9329
Willy Tarreau74ca5042013-06-11 23:12:07 +02009330 acl <aclname> <criterion> [flags] [operator] [<value>] ...
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009331
9332This creates a new ACL <aclname> or completes an existing one with new tests.
9333Those tests apply to the portion of request/response specified in <criterion>
9334and may be adjusted with optional flags [flags]. Some criteria also support
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009335an operator which may be specified before the set of values. Optionally some
9336conversion operators may be applied to the sample, and they will be specified
9337as a comma-delimited list of keywords just after the first keyword. The values
9338are of the type supported by the criterion, and are separated by spaces.
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009339
9340ACL names must be formed from upper and lower case letters, digits, '-' (dash),
9341'_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive,
9342which means that "my_acl" and "My_Acl" are two different ACLs.
9343
9344There is no enforced limit to the number of ACLs. The unused ones do not affect
9345performance, they just consume a small amount of memory.
9346
Willy Tarreau74ca5042013-06-11 23:12:07 +02009347The criterion generally is the name of a sample fetch method, or one of its ACL
9348specific declinations. The default test method is implied by the output type of
9349this sample fetch method. The ACL declinations can describe alternate matching
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009350methods of a same sample fetch method. The sample fetch methods are the only
9351ones supporting a conversion.
Willy Tarreau74ca5042013-06-11 23:12:07 +02009352
9353Sample fetch methods return data which can be of the following types :
9354 - boolean
9355 - integer (signed or unsigned)
9356 - IPv4 or IPv6 address
9357 - string
9358 - data block
9359
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009360Converters transform any of these data into any of these. For example, some
9361converters might convert a string to a lower-case string while other ones
9362would turn a string to an IPv4 address, or apply a netmask to an IP address.
9363The resulting sample is of the type of the last converter applied to the list,
9364which defaults to the type of the sample fetch method.
9365
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009366Each sample or converter returns data of a specific type, specified with its
9367keyword in this documentation. When an ACL is declared using a standard sample
9368fetch method, certain types automatically involved a default matching method
9369which are summarized in the table below :
9370
9371 +---------------------+-----------------+
9372 | Sample or converter | Default |
9373 | output type | matching method |
9374 +---------------------+-----------------+
9375 | boolean | bool |
9376 +---------------------+-----------------+
9377 | integer | int |
9378 +---------------------+-----------------+
9379 | ip | ip |
9380 +---------------------+-----------------+
9381 | string | str |
9382 +---------------------+-----------------+
9383 | binary | none, use "-m" |
9384 +---------------------+-----------------+
9385
9386Note that in order to match a binary samples, it is mandatory to specify a
9387matching method, see below.
9388
Willy Tarreau74ca5042013-06-11 23:12:07 +02009389The ACL engine can match these types against patterns of the following types :
9390 - boolean
9391 - integer or integer range
9392 - IP address / network
9393 - string (exact, substring, suffix, prefix, subdir, domain)
9394 - regular expression
9395 - hex block
9396
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009397The following ACL flags are currently supported :
9398
Willy Tarreau2b5285d2010-05-09 23:45:24 +02009399 -i : ignore case during matching of all subsequent patterns.
9400 -f : load patterns from a file.
Willy Tarreau74ca5042013-06-11 23:12:07 +02009401 -m : use a specific pattern matching method
Thierry FOURNIERb7729c92014-02-11 16:24:41 +01009402 -n : forbid the DNS resolutions
Thierry FOURNIER9860c412014-01-29 14:23:29 +01009403 -M : load the file pointed by -f like a map file.
Thierry FOURNIER3534d882014-01-20 17:01:44 +01009404 -u : force the unique id of the ACL
Willy Tarreau6a06a402007-07-15 20:15:28 +02009405 -- : force end of flags. Useful when a string looks like one of the flags.
9406
Willy Tarreau74ca5042013-06-11 23:12:07 +02009407The "-f" flag is followed by the name of a file from which all lines will be
9408read as individual values. It is even possible to pass multiple "-f" arguments
9409if the patterns are to be loaded from multiple files. Empty lines as well as
9410lines beginning with a sharp ('#') will be ignored. All leading spaces and tabs
9411will be stripped. If it is absolutely necessary to insert a valid pattern
9412beginning with a sharp, just prefix it with a space so that it is not taken for
9413a comment. Depending on the data type and match method, haproxy may load the
9414lines into a binary tree, allowing very fast lookups. This is true for IPv4 and
9415exact string matching. In this case, duplicates will automatically be removed.
9416
Thierry FOURNIER9860c412014-01-29 14:23:29 +01009417The "-M" flag allows an ACL to use a map file. If this flag is set, the file is
9418parsed as two column file. The first column contains the patterns used by the
9419ACL, and the second column contain the samples. The sample can be used later by
9420a map. This can be useful in some rare cases where an ACL would just be used to
9421check for the existence of a pattern in a map before a mapping is applied.
9422
Thierry FOURNIER3534d882014-01-20 17:01:44 +01009423The "-u" flag forces the unique id of the ACL. This unique id is used with the
9424socket interface to identify ACL and dynamically change its values. Note that a
9425file is always identified by its name even if an id is set.
9426
Willy Tarreau74ca5042013-06-11 23:12:07 +02009427Also, note that the "-i" flag applies to subsequent entries and not to entries
9428loaded from files preceding it. For instance :
9429
9430 acl valid-ua hdr(user-agent) -f exact-ua.lst -i -f generic-ua.lst test
9431
9432In this example, each line of "exact-ua.lst" will be exactly matched against
9433the "user-agent" header of the request. Then each line of "generic-ua" will be
9434case-insensitively matched. Then the word "test" will be insensitively matched
9435as well.
9436
9437The "-m" flag is used to select a specific pattern matching method on the input
9438sample. All ACL-specific criteria imply a pattern matching method and generally
9439do not need this flag. However, this flag is useful with generic sample fetch
9440methods to describe how they're going to be matched against the patterns. This
9441is required for sample fetches which return data type for which there is no
9442obvious matching method (eg: string or binary). When "-m" is specified and
9443followed by a pattern matching method name, this method is used instead of the
9444default one for the criterion. This makes it possible to match contents in ways
9445that were not initially planned, or with sample fetch methods which return a
9446string. The matching method also affects the way the patterns are parsed.
9447
Thierry FOURNIERb7729c92014-02-11 16:24:41 +01009448The "-n" flag forbids the dns resolutions. It is used with the load of ip files.
9449By default, if the parser cannot parse ip address it considers that the parsed
9450string is maybe a domain name and try dns resolution. The flag "-n" disable this
9451resolution. It is useful for detecting malformed ip lists. Note that if the DNS
9452server is not reachable, the haproxy configuration parsing may last many minutes
9453waiting fir the timeout. During this time no error messages are displayed. The
9454flag "-n" disable this behavior. Note also that during the runtime, this
9455function is disabled for the dynamic acl modifications.
9456
Willy Tarreau74ca5042013-06-11 23:12:07 +02009457There are some restrictions however. Not all methods can be used with all
9458sample fetch methods. Also, if "-m" is used in conjunction with "-f", it must
9459be placed first. The pattern matching method must be one of the following :
Willy Tarreau5adeda12013-03-31 22:13:34 +02009460
9461 - "found" : only check if the requested sample could be found in the stream,
9462 but do not compare it against any pattern. It is recommended not
Willy Tarreau74ca5042013-06-11 23:12:07 +02009463 to pass any pattern to avoid confusion. This matching method is
9464 particularly useful to detect presence of certain contents such
9465 as headers, cookies, etc... even if they are empty and without
9466 comparing them to anything nor counting them.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009467
9468 - "bool" : check the value as a boolean. It can only be applied to fetches
9469 which return a boolean or integer value, and takes no pattern.
Willy Tarreau74ca5042013-06-11 23:12:07 +02009470 Value zero or false does not match, all other values do match.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009471
9472 - "int" : match the value as an integer. It can be used with integer and
Willy Tarreau74ca5042013-06-11 23:12:07 +02009473 boolean samples. Boolean false is integer 0, true is integer 1.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009474
9475 - "ip" : match the value as an IPv4 or IPv6 address. It is compatible
Willy Tarreau74ca5042013-06-11 23:12:07 +02009476 with IP address samples only, so it is implied and never needed.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009477
9478 - "bin" : match the contents against an hexadecimal string representing a
9479 binary sequence. This may be used with binary or string samples.
9480
9481 - "len" : match the sample's length as an integer. This may be used with
9482 binary or string samples.
9483
Willy Tarreau74ca5042013-06-11 23:12:07 +02009484 - "str" : exact match : match the contents against a string. This may be
9485 used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009486
Willy Tarreau74ca5042013-06-11 23:12:07 +02009487 - "sub" : substring match : check that the contents contain at least one of
9488 the provided string patterns. This may be used with binary or
9489 string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009490
Willy Tarreau74ca5042013-06-11 23:12:07 +02009491 - "reg" : regex match : match the contents against a list of regular
9492 expressions. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009493
Willy Tarreau74ca5042013-06-11 23:12:07 +02009494 - "beg" : prefix match : check that the contents begin like the provided
9495 string patterns. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009496
Willy Tarreau74ca5042013-06-11 23:12:07 +02009497 - "end" : suffix match : check that the contents end like the provided
9498 string patterns. This may be used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009499
Willy Tarreau74ca5042013-06-11 23:12:07 +02009500 - "dir" : subdir match : check that a slash-delimited portion of the
9501 contents exactly matches one of the provided string patterns.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009502 This may be used with binary or string samples.
9503
Willy Tarreau74ca5042013-06-11 23:12:07 +02009504 - "dom" : domain match : check that a dot-delimited portion of the contents
9505 exactly match one of the provided string patterns. This may be
9506 used with binary or string samples.
Willy Tarreau5adeda12013-03-31 22:13:34 +02009507
9508For example, to quickly detect the presence of cookie "JSESSIONID" in an HTTP
9509request, it is possible to do :
9510
9511 acl jsess_present cook(JSESSIONID) -m found
9512
9513In order to apply a regular expression on the 500 first bytes of data in the
9514buffer, one would use the following acl :
9515
9516 acl script_tag payload(0,500) -m reg -i <script>
9517
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009518On systems where the regex library is much slower when using "-i", it is
9519possible to convert the sample to lowercase before matching, like this :
9520
9521 acl script_tag payload(0,500),lower -m reg <script>
9522
Willy Tarreau74ca5042013-06-11 23:12:07 +02009523All ACL-specific criteria imply a default matching method. Most often, these
9524criteria are composed by concatenating the name of the original sample fetch
9525method and the matching method. For example, "hdr_beg" applies the "beg" match
9526to samples retrieved using the "hdr" fetch method. Since all ACL-specific
9527criteria rely on a sample fetch method, it is always possible instead to use
9528the original sample fetch method and the explicit matching method using "-m".
Willy Tarreau2b5285d2010-05-09 23:45:24 +02009529
Willy Tarreau74ca5042013-06-11 23:12:07 +02009530If an alternate match is specified using "-m" on an ACL-specific criterion,
Jarno Huuskonen0e82b922014-04-12 18:22:19 +03009531the matching method is simply applied to the underlying sample fetch method.
9532For example, all ACLs below are exact equivalent :
Willy Tarreau2b5285d2010-05-09 23:45:24 +02009533
Willy Tarreau74ca5042013-06-11 23:12:07 +02009534 acl short_form hdr_beg(host) www.
9535 acl alternate1 hdr_beg(host) -m beg www.
9536 acl alternate2 hdr_dom(host) -m beg www.
9537 acl alternate3 hdr(host) -m beg www.
Willy Tarreau2b5285d2010-05-09 23:45:24 +02009538
Willy Tarreau2b5285d2010-05-09 23:45:24 +02009539
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009540The table below summarizes the compatibility matrix between sample or converter
9541types and the pattern types to fetch against. It indicates for each compatible
9542combination the name of the matching method to be used, surrounded with angle
9543brackets ">" and "<" when the method is the default one and will work by
9544default without "-m".
Willy Tarreau0ba27502007-12-24 16:55:16 +01009545
Willy Tarreau74ca5042013-06-11 23:12:07 +02009546 +-------------------------------------------------+
9547 | Input sample type |
9548 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009549 | pattern type | boolean | integer | ip | string | binary |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009550 +----------------------+---------+---------+---------+---------+---------+
9551 | none (presence only) | found | found | found | found | found |
9552 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009553 | none (boolean value) |> bool <| bool | | bool | |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009554 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009555 | integer (value) | int |> int <| int | int | |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009556 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +01009557 | integer (length) | len | len | len | len | len |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009558 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009559 | IP address | | |> ip <| ip | ip |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009560 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIER2a06e392014-05-11 15:49:55 +02009561 | exact string | str | str | str |> str <| str |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009562 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +01009563 | prefix | beg | beg | beg | beg | beg |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009564 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +01009565 | suffix | end | end | end | end | end |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009566 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +01009567 | substring | sub | sub | sub | sub | sub |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009568 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +01009569 | subdir | dir | dir | dir | dir | dir |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009570 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +01009571 | domain | dom | dom | dom | dom | dom |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009572 +----------------------+---------+---------+---------+---------+---------+
Thierry FOURNIERe3ded592013-12-06 15:36:54 +01009573 | regex | reg | reg | reg | reg | reg |
Willy Tarreau74ca5042013-06-11 23:12:07 +02009574 +----------------------+---------+---------+---------+---------+---------+
9575 | hex block | | | | bin | bin |
9576 +----------------------+---------+---------+---------+---------+---------+
Willy Tarreau6a06a402007-07-15 20:15:28 +02009577
9578
Willy Tarreau74ca5042013-06-11 23:12:07 +020095797.1.1. Matching booleans
9580------------------------
9581
9582In order to match a boolean, no value is needed and all values are ignored.
9583Boolean matching is used by default for all fetch methods of type "boolean".
9584When boolean matching is used, the fetched value is returned as-is, which means
9585that a boolean "true" will always match and a boolean "false" will never match.
9586
9587Boolean matching may also be enforced using "-m bool" on fetch methods which
9588return an integer value. Then, integer value 0 is converted to the boolean
9589"false" and all other values are converted to "true".
9590
Willy Tarreau6a06a402007-07-15 20:15:28 +02009591
Willy Tarreau74ca5042013-06-11 23:12:07 +020095927.1.2. Matching integers
9593------------------------
9594
9595Integer matching applies by default to integer fetch methods. It can also be
9596enforced on boolean fetches using "-m int". In this case, "false" is converted
9597to the integer 0, and "true" is converted to the integer 1.
9598
9599Integer matching also supports integer ranges and operators. Note that integer
9600matching only applies to positive values. A range is a value expressed with a
9601lower and an upper bound separated with a colon, both of which may be omitted.
Willy Tarreau6a06a402007-07-15 20:15:28 +02009602
9603For instance, "1024:65535" is a valid range to represent a range of
9604unprivileged ports, and "1024:" would also work. "0:1023" is a valid
9605representation of privileged ports, and ":1023" would also work.
9606
Willy Tarreau62644772008-07-16 18:36:06 +02009607As a special case, some ACL functions support decimal numbers which are in fact
9608two integers separated by a dot. This is used with some version checks for
9609instance. All integer properties apply to those decimal numbers, including
9610ranges and operators.
9611
Willy Tarreau6a06a402007-07-15 20:15:28 +02009612For an easier usage, comparison operators are also supported. Note that using
Willy Tarreau0ba27502007-12-24 16:55:16 +01009613operators with ranges does not make much sense and is strongly discouraged.
9614Similarly, it does not make much sense to perform order comparisons with a set
9615of values.
Willy Tarreau6a06a402007-07-15 20:15:28 +02009616
Willy Tarreau0ba27502007-12-24 16:55:16 +01009617Available operators for integer matching are :
Willy Tarreau6a06a402007-07-15 20:15:28 +02009618
9619 eq : true if the tested value equals at least one value
9620 ge : true if the tested value is greater than or equal to at least one value
9621 gt : true if the tested value is greater than at least one value
9622 le : true if the tested value is less than or equal to at least one value
9623 lt : true if the tested value is less than at least one value
9624
Willy Tarreau0ba27502007-12-24 16:55:16 +01009625For instance, the following ACL matches any negative Content-Length header :
Willy Tarreau6a06a402007-07-15 20:15:28 +02009626
9627 acl negative-length hdr_val(content-length) lt 0
9628
Willy Tarreau62644772008-07-16 18:36:06 +02009629This one matches SSL versions between 3.0 and 3.1 (inclusive) :
9630
9631 acl sslv3 req_ssl_ver 3:3.1
9632
Willy Tarreau6a06a402007-07-15 20:15:28 +02009633
Willy Tarreau74ca5042013-06-11 23:12:07 +020096347.1.3. Matching strings
9635-----------------------
9636
9637String matching applies to string or binary fetch methods, and exists in 6
9638different forms :
9639
9640 - exact match (-m str) : the extracted string must exactly match the
9641 patterns ;
9642
9643 - substring match (-m sub) : the patterns are looked up inside the
9644 extracted string, and the ACL matches if any of them is found inside ;
9645
9646 - prefix match (-m beg) : the patterns are compared with the beginning of
9647 the extracted string, and the ACL matches if any of them matches.
9648
9649 - suffix match (-m end) : the patterns are compared with the end of the
9650 extracted string, and the ACL matches if any of them matches.
9651
9652 - subdir match (-m sub) : the patterns are looked up inside the extracted
9653 string, delimited with slashes ("/"), and the ACL matches if any of them
9654 matches.
9655
9656 - domain match (-m dom) : the patterns are looked up inside the extracted
9657 string, delimited with dots ("."), and the ACL matches if any of them
9658 matches.
Willy Tarreau6a06a402007-07-15 20:15:28 +02009659
9660String matching applies to verbatim strings as they are passed, with the
9661exception of the backslash ("\") which makes it possible to escape some
9662characters such as the space. If the "-i" flag is passed before the first
9663string, then the matching will be performed ignoring the case. In order
9664to match the string "-i", either set it second, or pass the "--" flag
Willy Tarreau0ba27502007-12-24 16:55:16 +01009665before the first string. Same applies of course to match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02009666
9667
Willy Tarreau74ca5042013-06-11 23:12:07 +020096687.1.4. Matching regular expressions (regexes)
9669---------------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02009670
9671Just like with string matching, regex matching applies to verbatim strings as
9672they are passed, with the exception of the backslash ("\") which makes it
9673possible to escape some characters such as the space. If the "-i" flag is
9674passed before the first regex, then the matching will be performed ignoring
9675the case. In order to match the string "-i", either set it second, or pass
Willy Tarreau0ba27502007-12-24 16:55:16 +01009676the "--" flag before the first string. Same principle applies of course to
9677match the string "--".
Willy Tarreau6a06a402007-07-15 20:15:28 +02009678
9679
Willy Tarreau74ca5042013-06-11 23:12:07 +020096807.1.5. Matching arbitrary data blocks
9681-------------------------------------
9682
9683It is possible to match some extracted samples against a binary block which may
9684not safely be represented as a string. For this, the patterns must be passed as
9685a series of hexadecimal digits in an even number, when the match method is set
9686to binary. Each sequence of two digits will represent a byte. The hexadecimal
9687digits may be used upper or lower case.
9688
9689Example :
9690 # match "Hello\n" in the input stream (\x48 \x65 \x6c \x6c \x6f \x0a)
9691 acl hello payload(0,6) -m bin 48656c6c6f0a
9692
9693
96947.1.6. Matching IPv4 and IPv6 addresses
9695---------------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +02009696
9697IPv4 addresses values can be specified either as plain addresses or with a
9698netmask appended, in which case the IPv4 address matches whenever it is
9699within the network. Plain addresses may also be replaced with a resolvable
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01009700host name, but this practice is generally discouraged as it makes it more
Willy Tarreau0ba27502007-12-24 16:55:16 +01009701difficult to read and debug configurations. If hostnames are used, you should
9702at least ensure that they are present in /etc/hosts so that the configuration
9703does not depend on any random DNS match at the moment the configuration is
9704parsed.
Willy Tarreau6a06a402007-07-15 20:15:28 +02009705
Willy Tarreauceb4ac92012-04-28 00:41:46 +02009706IPv6 may be entered in their usual form, with or without a netmask appended.
9707Only bit counts are accepted for IPv6 netmasks. In order to avoid any risk of
9708trouble with randomly resolved IP addresses, host names are never allowed in
9709IPv6 patterns.
9710
9711HAProxy is also able to match IPv4 addresses with IPv6 addresses in the
9712following situations :
9713 - tested address is IPv4, pattern address is IPv4, the match applies
9714 in IPv4 using the supplied mask if any.
9715 - tested address is IPv6, pattern address is IPv6, the match applies
9716 in IPv6 using the supplied mask if any.
9717 - tested address is IPv6, pattern address is IPv4, the match applies in IPv4
9718 using the pattern's mask if the IPv6 address matches with 2002:IPV4::,
9719 ::IPV4 or ::ffff:IPV4, otherwise it fails.
9720 - tested address is IPv4, pattern address is IPv6, the IPv4 address is first
9721 converted to IPv6 by prefixing ::ffff: in front of it, then the match is
9722 applied in IPv6 using the supplied IPv6 mask.
9723
Willy Tarreau74ca5042013-06-11 23:12:07 +02009724
97257.2. Using ACLs to form conditions
9726----------------------------------
9727
9728Some actions are only performed upon a valid condition. A condition is a
9729combination of ACLs with operators. 3 operators are supported :
9730
9731 - AND (implicit)
9732 - OR (explicit with the "or" keyword or the "||" operator)
9733 - Negation with the exclamation mark ("!")
Willy Tarreau6a06a402007-07-15 20:15:28 +02009734
Willy Tarreau74ca5042013-06-11 23:12:07 +02009735A condition is formed as a disjunctive form:
Willy Tarreau6a06a402007-07-15 20:15:28 +02009736
Willy Tarreau74ca5042013-06-11 23:12:07 +02009737 [!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
Willy Tarreaubef91e72013-03-31 23:14:46 +02009738
Willy Tarreau74ca5042013-06-11 23:12:07 +02009739Such conditions are generally used after an "if" or "unless" statement,
9740indicating when the condition will trigger the action.
Willy Tarreaubef91e72013-03-31 23:14:46 +02009741
Willy Tarreau74ca5042013-06-11 23:12:07 +02009742For instance, to block HTTP requests to the "*" URL with methods other than
9743"OPTIONS", as well as POST requests without content-length, and GET or HEAD
9744requests with a content-length greater than 0, and finally every request which
9745is not either GET/HEAD/POST/OPTIONS !
9746
9747 acl missing_cl hdr_cnt(Content-length) eq 0
9748 block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
9749 block if METH_GET HTTP_CONTENT
9750 block unless METH_GET or METH_POST or METH_OPTIONS
9751
9752To select a different backend for requests to static contents on the "www" site
9753and to every request on the "img", "video", "download" and "ftp" hosts :
9754
9755 acl url_static path_beg /static /images /img /css
9756 acl url_static path_end .gif .png .jpg .css .js
9757 acl host_www hdr_beg(host) -i www
9758 acl host_static hdr_beg(host) -i img. video. download. ftp.
9759
9760 # now use backend "static" for all static-only hosts, and for static urls
9761 # of host "www". Use backend "www" for the rest.
9762 use_backend static if host_static or host_www url_static
9763 use_backend www if host_www
9764
9765It is also possible to form rules using "anonymous ACLs". Those are unnamed ACL
9766expressions that are built on the fly without needing to be declared. They must
9767be enclosed between braces, with a space before and after each brace (because
9768the braces must be seen as independent words). Example :
9769
9770 The following rule :
9771
9772 acl missing_cl hdr_cnt(Content-length) eq 0
9773 block if METH_POST missing_cl
9774
9775 Can also be written that way :
9776
9777 block if METH_POST { hdr_cnt(Content-length) eq 0 }
9778
9779It is generally not recommended to use this construct because it's a lot easier
9780to leave errors in the configuration when written that way. However, for very
9781simple rules matching only one source IP address for instance, it can make more
9782sense to use them than to declare ACLs with random names. Another example of
9783good use is the following :
9784
9785 With named ACLs :
9786
9787 acl site_dead nbsrv(dynamic) lt 2
9788 acl site_dead nbsrv(static) lt 2
9789 monitor fail if site_dead
9790
9791 With anonymous ACLs :
9792
9793 monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
9794
9795See section 4.2 for detailed help on the "block" and "use_backend" keywords.
9796
9797
97987.3. Fetching samples
9799---------------------
9800
9801Historically, sample fetch methods were only used to retrieve data to match
9802against patterns using ACLs. With the arrival of stick-tables, a new class of
9803sample fetch methods was created, most often sharing the same syntax as their
9804ACL counterpart. These sample fetch methods are also known as "fetches". As
9805of now, ACLs and fetches have converged. All ACL fetch methods have been made
9806available as fetch methods, and ACLs may use any sample fetch method as well.
9807
9808This section details all available sample fetch methods and their output type.
9809Some sample fetch methods have deprecated aliases that are used to maintain
9810compatibility with existing configurations. They are then explicitly marked as
9811deprecated and should not be used in new setups.
9812
9813The ACL derivatives are also indicated when available, with their respective
9814matching methods. These ones all have a well defined default pattern matching
9815method, so it is never necessary (though allowed) to pass the "-m" option to
9816indicate how the sample will be matched using ACLs.
9817
9818As indicated in the sample type versus matching compatibility matrix above,
9819when using a generic sample fetch method in an ACL, the "-m" option is
9820mandatory unless the sample type is one of boolean, integer, IPv4 or IPv6. When
9821the same keyword exists as an ACL keyword and as a standard fetch method, the
9822ACL engine will automatically pick the ACL-only one by default.
9823
9824Some of these keywords support one or multiple mandatory arguments, and one or
9825multiple optional arguments. These arguments are strongly typed and are checked
9826when the configuration is parsed so that there is no risk of running with an
9827incorrect argument (eg: an unresolved backend name). Fetch function arguments
9828are passed between parenthesis and are delimited by commas. When an argument
9829is optional, it will be indicated below between square brackets ('[ ]'). When
9830all arguments are optional, the parenthesis may be omitted.
9831
9832Thus, the syntax of a standard sample fetch method is one of the following :
9833 - name
9834 - name(arg1)
9835 - name(arg1,arg2)
9836
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009837
98387.3.1. Converters
9839-----------------
9840
Willy Tarreaue6b11e42013-11-26 19:02:32 +01009841Sample fetch methods may be combined with transformations to be applied on top
9842of the fetched sample (also called "converters"). These combinations form what
9843is called "sample expressions" and the result is a "sample". Initially this
9844was only supported by "stick on" and "stick store-request" directives but this
9845has now be extended to all places where samples may be used (acls, log-format,
9846unique-id-format, add-header, ...).
9847
9848These transformations are enumerated as a series of specific keywords after the
9849sample fetch method. These keywords may equally be appended immediately after
9850the fetch keyword's argument, delimited by a comma. These keywords can also
9851support some arguments (eg: a netmask) which must be passed in parenthesis.
Willy Tarreau0ba27502007-12-24 16:55:16 +01009852
Willy Tarreau74ca5042013-06-11 23:12:07 +02009853The currently available list of transformation keywords include :
Willy Tarreau0ba27502007-12-24 16:55:16 +01009854
Emeric Brun53d1a982014-04-30 18:21:37 +02009855base64
9856 Converts a binary input sample to a base64 string. It is used to log or
9857 transfer binary content in a way that can be reliably transferred (eg:
9858 an SSL ID can be copied in a header).
9859
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009860lower
9861 Convert a string sample to lower case. This can only be placed after a string
9862 sample fetch function or after a transformation keyword returning a string
9863 type. The result is of type string.
Willy Tarreau6a06a402007-07-15 20:15:28 +02009864
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009865upper
9866 Convert a string sample to upper case. This can only be placed after a string
9867 sample fetch function or after a transformation keyword returning a string
9868 type. The result is of type string.
Willy Tarreau6a06a402007-07-15 20:15:28 +02009869
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009870hex
9871 Converts a binary input sample to an hex string containing two hex digits per
9872 input byte. It is used to log or transfer hex dumps of some binary input data
9873 in a way that can be reliably transferred (eg: an SSL ID can be copied in a
9874 header).
Thierry FOURNIER2f49d6d2014-03-12 15:01:52 +01009875
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009876ipmask(<mask>)
9877 Apply a mask to an IPv4 address, and use the result for lookups and storage.
9878 This can be used to make all hosts within a certain mask to share the same
9879 table entries and as such use the same server. The mask can be passed in
9880 dotted form (eg: 255.255.255.0) or in CIDR form (eg: 24).
Willy Tarreau74ca5042013-06-11 23:12:07 +02009881
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009882http_date([<offset>])
9883 Converts an integer supposed to contain a date since epoch to a string
9884 representing this date in a format suitable for use in HTTP header fields. If
9885 an offset value is specified, then it is a number of seconds that is added to
9886 the date before the conversion is operated. This is particularly useful to
9887 emit Date header fields, Expires values in responses when combined with a
9888 positive offset, or Last-Modified values when the offset is negative.
Willy Tarreau74ca5042013-06-11 23:12:07 +02009889
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009890language(<value>[,<default>])
9891 Returns the value with the highest q-factor from a list as extracted from the
9892 "accept-language" header using "req.fhdr". Values with no q-factor have a
9893 q-factor of 1. Values with a q-factor of 0 are dropped. Only values which
9894 belong to the list of semi-colon delimited <values> will be considered. The
9895 argument <value> syntax is "lang[;lang[;lang[;...]]]". If no value matches the
9896 given list and a default value is provided, it is returned. Note that language
9897 names may have a variant after a dash ('-'). If this variant is present in the
9898 list, it will be matched, but if it is not, only the base language is checked.
9899 The match is case-sensitive, and the output string is always one of those
9900 provided in arguments. The ordering of arguments is meaningless, only the
9901 ordering of the values in the request counts, as the first value among
9902 multiple sharing the same q-factor is used.
Thierry FOURNIERad903512014-04-11 17:51:01 +02009903
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009904 Example :
Thierry FOURNIERad903512014-04-11 17:51:01 +02009905
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009906 # this configuration switches to the backend matching a
9907 # given language based on the request :
Thierry FOURNIERad903512014-04-11 17:51:01 +02009908
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009909 acl es req.fhdr(accept-language),language(es;fr;en) -m str es
9910 acl fr req.fhdr(accept-language),language(es;fr;en) -m str fr
9911 acl en req.fhdr(accept-language),language(es;fr;en) -m str en
9912 use_backend spanish if es
9913 use_backend french if fr
9914 use_backend english if en
9915 default_backend choose_your_language
Thierry FOURNIERad903512014-04-11 17:51:01 +02009916
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009917map(<map_file>[,<default_value>])
9918map_<match_type>(<map_file>[,<default_value>])
9919map_<match_type>_<output_type>(<map_file>[,<default_value>])
9920 Search the input value from <map_file> using the <match_type> matching method,
9921 and return the associated value converted to the type <output_type>. If the
9922 input value cannot be found in the <map_file>, the converter returns the
9923 <default_value>. If the <default_value> is not set, the converter fails and
9924 acts as if no input value could be fetched. If the <match_type> is not set, it
9925 defaults to "str". Likewise, if the <output_type> is not set, it defaults to
9926 "str". For convenience, the "map" keyword is an alias for "map_str" and maps a
9927 string to another string.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +01009928
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009929 It is important to avoid overlapping between the keys : IP addresses and
9930 strings are stored in trees, so the first of the finest match will be used.
9931 Other keys are stored in lists, so the first matching occurrence will be used.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +01009932
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009933 The following array contains the list of all map functions avalaible sorted by
9934 input type, match type and output type.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +01009935
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009936 input type | match method | output type str | output type int | output type ip
9937 -----------+--------------+-----------------+-----------------+---------------
9938 str | str | map_str | map_str_int | map_str_ip
9939 -----------+--------------+-----------------+-----------------+---------------
Willy Tarreau787a4c02014-05-10 07:55:30 +02009940 str | beg | map_beg | map_beg_int | map_end_ip
9941 -----------+--------------+-----------------+-----------------+---------------
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009942 str | sub | map_sub | map_sub_int | map_sub_ip
9943 -----------+--------------+-----------------+-----------------+---------------
9944 str | dir | map_dir | map_dir_int | map_dir_ip
9945 -----------+--------------+-----------------+-----------------+---------------
9946 str | dom | map_dom | map_dom_int | map_dom_ip
9947 -----------+--------------+-----------------+-----------------+---------------
9948 str | end | map_end | map_end_int | map_end_ip
9949 -----------+--------------+-----------------+-----------------+---------------
9950 str | reg | map_reg | map_reg_int | map_reg_ip
9951 -----------+--------------+-----------------+-----------------+---------------
9952 int | int | map_int | map_int_int | map_int_ip
9953 -----------+--------------+-----------------+-----------------+---------------
9954 ip | ip | map_ip | map_ip_int | map_ip_ip
9955 -----------+--------------+-----------------+-----------------+---------------
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +01009956
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009957 The file contains one key + value per line. Lines which start with '#' are
9958 ignored, just like empty lines. Leading tabs and spaces are stripped. The key
9959 is then the first "word" (series of non-space/tabs characters), and the value
9960 is what follows this series of space/tab till the end of the line excluding
9961 trailing spaces/tabs.
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +01009962
Thierry FOURNIER060762e2014-04-23 13:29:15 +02009963 Example :
9964
9965 # this is a comment and is ignored
9966 2.22.246.0/23 United Kingdom \n
9967 <-><-----------><--><------------><---->
9968 | | | | `- trailing spaces ignored
9969 | | | `---------- value
9970 | | `-------------------- middle spaces ignored
9971 | `---------------------------- key
9972 `------------------------------------ leading spaces ignored
9973
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +01009974
Thierry FOURNIER060762e2014-04-23 13:29:15 +020099757.3.2. Fetching samples from internal states
Willy Tarreau74ca5042013-06-11 23:12:07 +02009976--------------------------------------------
9977
9978A first set of sample fetch methods applies to internal information which does
9979not even relate to any client information. These ones are sometimes used with
9980"monitor-fail" directives to report an internal status to external watchers.
9981The sample fetch methods described in this section are usable anywhere.
9982
9983always_false : boolean
9984 Always returns the boolean "false" value. It may be used with ACLs as a
9985 temporary replacement for another one when adjusting configurations.
9986
9987always_true : boolean
9988 Always returns the boolean "true" value. It may be used with ACLs as a
9989 temporary replacement for another one when adjusting configurations.
9990
9991avg_queue([<backend>]) : integer
Willy Tarreaud63335a2010-02-26 12:56:52 +01009992 Returns the total number of queued connections of the designated backend
Willy Tarreau74ca5042013-06-11 23:12:07 +02009993 divided by the number of active servers. The current backend is used if no
9994 backend is specified. This is very similar to "queue" except that the size of
9995 the farm is considered, in order to give a more accurate measurement of the
9996 time it may take for a new connection to be processed. The main usage is with
9997 ACL to return a sorry page to new users when it becomes certain they will get
9998 a degraded service, or to pass to the backend servers in a header so that
9999 they decide to work in degraded mode or to disable some functions to speed up
10000 the processing a bit. Note that in the event there would not be any active
10001 server anymore, twice the number of queued connections would be considered as
10002 the measured value. This is a fair estimate, as we expect one server to get
10003 back soon anyway, but we still prefer to send new traffic to another backend
10004 if in better shape. See also the "queue", "be_conn", and "be_sess_rate"
10005 sample fetches.
Krzysztof Piotr Oledzki346f76d2010-01-12 21:59:30 +010010006
Willy Tarreau74ca5042013-06-11 23:12:07 +020010007be_conn([<backend>]) : integer
Willy Tarreaua36af912009-10-10 12:02:45 +020010008 Applies to the number of currently established connections on the backend,
10009 possibly including the connection being evaluated. If no backend name is
10010 specified, the current one is used. But it is also possible to check another
10011 backend. It can be used to use a specific farm when the nominal one is full.
10012 See also the "fe_conn", "queue" and "be_sess_rate" criteria.
Willy Tarreau6a06a402007-07-15 20:15:28 +020010013
Willy Tarreau74ca5042013-06-11 23:12:07 +020010014be_sess_rate([<backend>]) : integer
10015 Returns an integer value corresponding to the sessions creation rate on the
10016 backend, in number of new sessions per second. This is used with ACLs to
10017 switch to an alternate backend when an expensive or fragile one reaches too
10018 high a session rate, or to limit abuse of service (eg. prevent sucking of an
10019 online dictionary). It can also be useful to add this element to logs using a
10020 log-format directive.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010021
10022 Example :
10023 # Redirect to an error page if the dictionary is requested too often
10024 backend dynamic
10025 mode http
10026 acl being_scanned be_sess_rate gt 100
10027 redirect location /denied.html if being_scanned
Willy Tarreau0ba27502007-12-24 16:55:16 +010010028
Willy Tarreau74ca5042013-06-11 23:12:07 +020010029connslots([<backend>]) : integer
10030 Returns an integer value corresponding to the number of connection slots
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030010031 still available in the backend, by totaling the maximum amount of
Willy Tarreau74ca5042013-06-11 23:12:07 +020010032 connections on all servers and the maximum queue size. This is probably only
10033 used with ACLs.
Tait Clarridge7896d522012-12-05 21:39:31 -050010034
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010035 The basic idea here is to be able to measure the number of connection "slots"
Willy Tarreau55165fe2009-05-10 12:02:55 +020010036 still available (connection + queue), so that anything beyond that (intended
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010037 usage; see "use_backend" keyword) can be redirected to a different backend.
10038
Willy Tarreau55165fe2009-05-10 12:02:55 +020010039 'connslots' = number of available server connection slots, + number of
10040 available server queue slots.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010041
Willy Tarreaua36af912009-10-10 12:02:45 +020010042 Note that while "fe_conn" may be used, "connslots" comes in especially
Willy Tarreau55165fe2009-05-10 12:02:55 +020010043 useful when you have a case of traffic going to one single ip, splitting into
Willy Tarreau74ca5042013-06-11 23:12:07 +020010044 multiple backends (perhaps using ACLs to do name-based load balancing) and
Willy Tarreau55165fe2009-05-10 12:02:55 +020010045 you want to be able to differentiate between different backends, and their
10046 available "connslots". Also, whereas "nbsrv" only measures servers that are
Willy Tarreau74ca5042013-06-11 23:12:07 +020010047 actually *down*, this fetch is more fine-grained and looks into the number of
Willy Tarreaua36af912009-10-10 12:02:45 +020010048 available connection slots as well. See also "queue" and "avg_queue".
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010049
Willy Tarreau55165fe2009-05-10 12:02:55 +020010050 OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
10051 of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
Willy Tarreau74ca5042013-06-11 23:12:07 +020010052 then this fetch clearly does not make sense, in which case the value returned
Willy Tarreau55165fe2009-05-10 12:02:55 +020010053 will be -1.
Jeffrey 'jf' Lim5051d7b2008-09-04 01:03:03 +080010054
Willy Tarreau6236d3a2013-07-25 14:28:25 +020010055date([<offset>]) : integer
10056 Returns the current date as the epoch (number of seconds since 01/01/1970).
10057 If an offset value is specified, then it is a number of seconds that is added
10058 to the current date before returning the value. This is particularly useful
10059 to compute relative dates, as both positive and negative offsets are allowed.
Willy Tarreau276fae92013-07-25 14:36:01 +020010060 It is useful combined with the http_date converter.
10061
10062 Example :
10063
10064 # set an expires header to now+1 hour in every response
10065 http-response set-header Expires %[date(3600),http_date]
Willy Tarreau6236d3a2013-07-25 14:28:25 +020010066
Willy Tarreau595ec542013-06-12 21:34:28 +020010067env(<name>) : string
10068 Returns a string containing the value of environment variable <name>. As a
10069 reminder, environment variables are per-process and are sampled when the
10070 process starts. This can be useful to pass some information to a next hop
10071 server, or with ACLs to take specific action when the process is started a
10072 certain way.
10073
10074 Examples :
10075 # Pass the Via header to next hop with the local hostname in it
10076 http-request add-header Via 1.1\ %[env(HOSTNAME)]
10077
10078 # reject cookie-less requests when the STOP environment variable is set
10079 http-request deny if !{ cook(SESSIONID) -m found } { env(STOP) -m found }
10080
Willy Tarreau74ca5042013-06-11 23:12:07 +020010081fe_conn([<frontend>]) : integer
10082 Returns the number of currently established connections on the frontend,
Willy Tarreaud63335a2010-02-26 12:56:52 +010010083 possibly including the connection being evaluated. If no frontend name is
10084 specified, the current one is used. But it is also possible to check another
Willy Tarreau74ca5042013-06-11 23:12:07 +020010085 frontend. It can be used to return a sorry page before hard-blocking, or to
10086 use a specific backend to drain new requests when the farm is considered
10087 full. This is mostly used with ACLs but can also be used to pass some
10088 statistics to servers in HTTP headers. See also the "dst_conn", "be_conn",
10089 "fe_sess_rate" fetches.
Willy Tarreaua36af912009-10-10 12:02:45 +020010090
Willy Tarreau74ca5042013-06-11 23:12:07 +020010091fe_sess_rate([<frontend>]) : integer
10092 Returns an integer value corresponding to the sessions creation rate on the
10093 frontend, in number of new sessions per second. This is used with ACLs to
10094 limit the incoming session rate to an acceptable range in order to prevent
10095 abuse of service at the earliest moment, for example when combined with other
10096 layer 4 ACLs in order to force the clients to wait a bit for the rate to go
10097 down below the limit. It can also be useful to add this element to logs using
10098 a log-format directive. See also the "rate-limit sessions" directive for use
10099 in frontends.
Willy Tarreau079ff0a2009-03-05 21:34:28 +010010100
10101 Example :
10102 # This frontend limits incoming mails to 10/s with a max of 100
10103 # concurrent connections. We accept any connection below 10/s, and
10104 # force excess clients to wait for 100 ms. Since clients are limited to
10105 # 100 max, there cannot be more than 10 incoming mails per second.
10106 frontend mail
10107 bind :25
10108 mode tcp
10109 maxconn 100
10110 acl too_fast fe_sess_rate ge 10
10111 tcp-request inspect-delay 100ms
10112 tcp-request content accept if ! too_fast
10113 tcp-request content accept if WAIT_END
Willy Tarreaud72758d2010-01-12 10:42:19 +010010114
Willy Tarreau74ca5042013-06-11 23:12:07 +020010115nbsrv([<backend>]) : integer
10116 Returns an integer value corresponding to the number of usable servers of
10117 either the current backend or the named backend. This is mostly used with
10118 ACLs but can also be useful when added to logs. This is normally used to
Willy Tarreaud63335a2010-02-26 12:56:52 +010010119 switch to an alternate backend when the number of servers is too low to
10120 to handle some load. It is useful to report a failure when combined with
10121 "monitor fail".
Willy Tarreau079ff0a2009-03-05 21:34:28 +010010122
Willy Tarreau74ca5042013-06-11 23:12:07 +020010123queue([<backend>]) : integer
Willy Tarreaud63335a2010-02-26 12:56:52 +010010124 Returns the total number of queued connections of the designated backend,
10125 including all the connections in server queues. If no backend name is
10126 specified, the current one is used, but it is also possible to check another
Willy Tarreau74ca5042013-06-11 23:12:07 +020010127 one. This is useful with ACLs or to pass statistics to backend servers. This
10128 can be used to take actions when queuing goes above a known level, generally
10129 indicating a surge of traffic or a massive slowdown on the servers. One
10130 possible action could be to reject new users but still accept old ones. See
10131 also the "avg_queue", "be_conn", and "be_sess_rate" fetches.
10132
Willy Tarreau84310e22014-02-14 11:59:04 +010010133rand([<range>]) : integer
10134 Returns a random integer value within a range of <range> possible values,
10135 starting at zero. If the range is not specified, it defaults to 2^32, which
10136 gives numbers between 0 and 4294967295. It can be useful to pass some values
10137 needed to take some routing decisions for example, or just for debugging
10138 purposes. This random must not be used for security purposes.
10139
Willy Tarreau74ca5042013-06-11 23:12:07 +020010140srv_conn([<backend>/]<server>) : integer
10141 Returns an integer value corresponding to the number of currently established
10142 connections on the designated server, possibly including the connection being
10143 evaluated. If <backend> is omitted, then the server is looked up in the
10144 current backend. It can be used to use a specific farm when one server is
10145 full, or to inform the server about our view of the number of active
10146 connections with it. See also the "fe_conn", "be_conn" and "queue" fetch
10147 methods.
10148
10149srv_is_up([<backend>/]<server>) : boolean
10150 Returns true when the designated server is UP, and false when it is either
10151 DOWN or in maintenance mode. If <backend> is omitted, then the server is
10152 looked up in the current backend. It is mainly used to take action based on
10153 an external status reported via a health check (eg: a geographical site's
10154 availability). Another possible use which is more of a hack consists in
10155 using dummy servers as boolean variables that can be enabled or disabled from
10156 the CLI, so that rules depending on those ACLs can be tweaked in realtime.
10157
10158srv_sess_rate([<backend>/]<server>) : integer
10159 Returns an integer corresponding to the sessions creation rate on the
10160 designated server, in number of new sessions per second. If <backend> is
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030010161 omitted, then the server is looked up in the current backend. This is mostly
Willy Tarreau74ca5042013-06-11 23:12:07 +020010162 used with ACLs but can make sense with logs too. This is used to switch to an
10163 alternate backend when an expensive or fragile one reaches too high a session
10164 rate, or to limit abuse of service (eg. prevent latent requests from
10165 overloading servers).
10166
10167 Example :
10168 # Redirect to a separate back
10169 acl srv1_full srv_sess_rate(be1/srv1) gt 50
10170 acl srv2_full srv_sess_rate(be1/srv2) gt 50
10171 use_backend be2 if srv1_full or srv2_full
10172
10173table_avl([<table>]) : integer
10174 Returns the total number of available entries in the current proxy's
10175 stick-table or in the designated stick-table. See also table_cnt.
10176
10177table_cnt([<table>]) : integer
10178 Returns the total number of entries currently in use in the current proxy's
10179 stick-table or in the designated stick-table. See also src_conn_cnt and
10180 table_avl for other entry counting methods.
10181
10182
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200101837.3.3. Fetching samples at Layer 4
Willy Tarreau74ca5042013-06-11 23:12:07 +020010184----------------------------------
10185
10186The layer 4 usually describes just the transport layer which in haproxy is
10187closest to the connection, where no content is yet made available. The fetch
10188methods described here are usable as low as the "tcp-request connection" rule
10189sets unless they require some future information. Those generally include
10190TCP/IP addresses and ports, as well as elements from stick-tables related to
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010191the incoming connection. For retrieving a value from a sticky counters, the
10192counter number can be explicitly set as 0, 1, or 2 using the pre-defined
10193"sc0_", "sc1_", or "sc2_" prefix, or it can be specified as the first integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010194argument when using the "sc_" prefix. An optional table may be specified with
10195the "sc*" form, in which case the currently tracked key will be looked up into
10196this alternate table instead of the table currently being tracked.
Willy Tarreau74ca5042013-06-11 23:12:07 +020010197
10198be_id : integer
10199 Returns an integer containing the current backend's id. It can be used in
10200 frontends with responses to check which backend processed the request.
10201
10202dst : ip
10203 This is the destination IPv4 address of the connection on the client side,
10204 which is the address the client connected to. It can be useful when running
10205 in transparent mode. It is of type IP and works on both IPv4 and IPv6 tables.
10206 On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent, according to
10207 RFC 4291.
10208
10209dst_conn : integer
10210 Returns an integer value corresponding to the number of currently established
10211 connections on the same socket including the one being evaluated. It is
10212 normally used with ACLs but can as well be used to pass the information to
10213 servers in an HTTP header or in logs. It can be used to either return a sorry
10214 page before hard-blocking, or to use a specific backend to drain new requests
10215 when the socket is considered saturated. This offers the ability to assign
10216 different limits to different listening ports or addresses. See also the
10217 "fe_conn" and "be_conn" fetches.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010218
Willy Tarreau74ca5042013-06-11 23:12:07 +020010219dst_port : integer
10220 Returns an integer value corresponding to the destination TCP port of the
10221 connection on the client side, which is the port the client connected to.
10222 This might be used when running in transparent mode, when assigning dynamic
10223 ports to some clients for a whole application session, to stick all users to
10224 a same server, or to pass the destination port information to a server using
10225 an HTTP header.
10226
10227fe_id : integer
10228 Returns an integer containing the current frontend's id. It can be used in
10229 backends to check from which backend it was called, or to stick all users
10230 coming via a same frontend to the same server.
10231
Cyril Bonté62ba8702014-04-22 23:52:25 +020010232sc_bytes_in_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010233sc0_bytes_in_rate([<table>]) : integer
10234sc1_bytes_in_rate([<table>]) : integer
10235sc2_bytes_in_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010236 Returns the average client-to-server bytes rate from the currently tracked
10237 counters, measured in amount of bytes over the period configured in the
10238 table. See also src_bytes_in_rate.
10239
Cyril Bonté62ba8702014-04-22 23:52:25 +020010240sc_bytes_out_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010241sc0_bytes_out_rate([<table>]) : integer
10242sc1_bytes_out_rate([<table>]) : integer
10243sc2_bytes_out_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010244 Returns the average server-to-client bytes rate from the currently tracked
10245 counters, measured in amount of bytes over the period configured in the
10246 table. See also src_bytes_out_rate.
10247
Cyril Bonté62ba8702014-04-22 23:52:25 +020010248sc_clr_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010249sc0_clr_gpc0([<table>]) : integer
10250sc1_clr_gpc0([<table>]) : integer
10251sc2_clr_gpc0([<table>]) : integer
Willy Tarreauf73cd112011-08-13 01:45:16 +020010252 Clears the first General Purpose Counter associated to the currently tracked
10253 counters, and returns its previous value. Before the first invocation, the
Willy Tarreau869948b2013-01-04 14:14:57 +010010254 stored value is zero, so first invocation will always return zero. This is
10255 typically used as a second ACL in an expression in order to mark a connection
10256 when a first ACL was verified :
Willy Tarreauf73cd112011-08-13 01:45:16 +020010257
10258 # block if 5 consecutive requests continue to come faster than 10 sess
10259 # per second, and reset the counter as soon as the traffic slows down.
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020010260 acl abuse sc0_http_req_rate gt 10
10261 acl kill sc0_inc_gpc0 gt 5
10262 acl save sc0_clr_gpc0 ge 0
Willy Tarreauf73cd112011-08-13 01:45:16 +020010263 tcp-request connection accept if !abuse save
10264 tcp-request connection reject if abuse kill
10265
Cyril Bonté62ba8702014-04-22 23:52:25 +020010266sc_conn_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010267sc0_conn_cnt([<table>]) : integer
10268sc1_conn_cnt([<table>]) : integer
10269sc2_conn_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010270 Returns the cumulated number of incoming connections from currently tracked
10271 counters. See also src_conn_cnt.
10272
Cyril Bonté62ba8702014-04-22 23:52:25 +020010273sc_conn_cur(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010274sc0_conn_cur([<table>]) : integer
10275sc1_conn_cur([<table>]) : integer
10276sc2_conn_cur([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010277 Returns the current amount of concurrent connections tracking the same
10278 tracked counters. This number is automatically incremented when tracking
10279 begins and decremented when tracking stops. See also src_conn_cur.
10280
Cyril Bonté62ba8702014-04-22 23:52:25 +020010281sc_conn_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010282sc0_conn_rate([<table>]) : integer
10283sc1_conn_rate([<table>]) : integer
10284sc2_conn_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010285 Returns the average connection rate from the currently tracked counters,
10286 measured in amount of connections over the period configured in the table.
10287 See also src_conn_rate.
10288
Cyril Bonté62ba8702014-04-22 23:52:25 +020010289sc_get_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010290sc0_get_gpc0([<table>]) : integer
10291sc1_get_gpc0([<table>]) : integer
10292sc2_get_gpc0([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010293 Returns the value of the first General Purpose Counter associated to the
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010294 currently tracked counters. See also src_get_gpc0 and sc/sc0/sc1/sc2_inc_gpc0.
Willy Tarreauba2ffd12013-05-29 15:54:14 +020010295
Cyril Bonté62ba8702014-04-22 23:52:25 +020010296sc_gpc0_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010297sc0_gpc0_rate([<table>]) : integer
10298sc1_gpc0_rate([<table>]) : integer
10299sc2_gpc0_rate([<table>]) : integer
Willy Tarreauba2ffd12013-05-29 15:54:14 +020010300 Returns the average increment rate of the first General Purpose Counter
10301 associated to the currently tracked counters. It reports the frequency
10302 which the gpc0 counter was incremented over the configured period. See also
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010303 src_gpc0_rate, sc/sc0/sc1/sc2_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note
10304 that the "gpc0_rate" counter must be stored in the stick-table for a value to
10305 be returned, as "gpc0" only holds the event count.
Willy Tarreaue9656522010-08-17 15:40:09 +020010306
Cyril Bonté62ba8702014-04-22 23:52:25 +020010307sc_http_err_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010308sc0_http_err_cnt([<table>]) : integer
10309sc1_http_err_cnt([<table>]) : integer
10310sc2_http_err_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010311 Returns the cumulated number of HTTP errors from the currently tracked
10312 counters. This includes the both request errors and 4xx error responses.
10313 See also src_http_err_cnt.
10314
Cyril Bonté62ba8702014-04-22 23:52:25 +020010315sc_http_err_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010316sc0_http_err_rate([<table>]) : integer
10317sc1_http_err_rate([<table>]) : integer
10318sc2_http_err_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010319 Returns the average rate of HTTP errors from the currently tracked counters,
10320 measured in amount of errors over the period configured in the table. This
10321 includes the both request errors and 4xx error responses. See also
10322 src_http_err_rate.
10323
Cyril Bonté62ba8702014-04-22 23:52:25 +020010324sc_http_req_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010325sc0_http_req_cnt([<table>]) : integer
10326sc1_http_req_cnt([<table>]) : integer
10327sc2_http_req_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010328 Returns the cumulated number of HTTP requests from the currently tracked
10329 counters. This includes every started request, valid or not. See also
10330 src_http_req_cnt.
10331
Cyril Bonté62ba8702014-04-22 23:52:25 +020010332sc_http_req_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010333sc0_http_req_rate([<table>]) : integer
10334sc1_http_req_rate([<table>]) : integer
10335sc2_http_req_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010336 Returns the average rate of HTTP requests from the currently tracked
10337 counters, measured in amount of requests over the period configured in
10338 the table. This includes every started request, valid or not. See also
10339 src_http_req_rate.
10340
Cyril Bonté62ba8702014-04-22 23:52:25 +020010341sc_inc_gpc0(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010342sc0_inc_gpc0([<table>]) : integer
10343sc1_inc_gpc0([<table>]) : integer
10344sc2_inc_gpc0([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010345 Increments the first General Purpose Counter associated to the currently
Willy Tarreau869948b2013-01-04 14:14:57 +010010346 tracked counters, and returns its new value. Before the first invocation,
10347 the stored value is zero, so first invocation will increase it to 1 and will
10348 return 1. This is typically used as a second ACL in an expression in order
10349 to mark a connection when a first ACL was verified :
Willy Tarreaue9656522010-08-17 15:40:09 +020010350
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020010351 acl abuse sc0_http_req_rate gt 10
10352 acl kill sc0_inc_gpc0 gt 0
Willy Tarreaue9656522010-08-17 15:40:09 +020010353 tcp-request connection reject if abuse kill
10354
Cyril Bonté62ba8702014-04-22 23:52:25 +020010355sc_kbytes_in(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010356sc0_kbytes_in([<table>]) : integer
10357sc1_kbytes_in([<table>]) : integer
10358sc2_kbytes_in([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010359 Returns the amount of client-to-server data from the currently tracked
10360 counters, measured in kilobytes over the period configured in the table. The
10361 test is currently performed on 32-bit integers, which limits values to 4
10362 terabytes. See also src_kbytes_in.
10363
Cyril Bonté62ba8702014-04-22 23:52:25 +020010364sc_kbytes_out(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010365sc0_kbytes_out([<table>]) : integer
10366sc1_kbytes_out([<table>]) : integer
10367sc2_kbytes_out([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010368 Returns the amount of server-to-client data from the currently tracked
10369 counters, measured in kilobytes over the period configured in the table. The
10370 test is currently performed on 32-bit integers, which limits values to 4
10371 terabytes. See also src_kbytes_out.
10372
Cyril Bonté62ba8702014-04-22 23:52:25 +020010373sc_sess_cnt(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010374sc0_sess_cnt([<table>]) : integer
10375sc1_sess_cnt([<table>]) : integer
10376sc2_sess_cnt([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010377 Returns the cumulated number of incoming connections that were transformed
10378 into sessions, which means that they were accepted by a "tcp-request
10379 connection" rule, from the currently tracked counters. A backend may count
10380 more sessions than connections because each connection could result in many
Jamie Gloudonaaa21002012-08-25 00:18:33 -040010381 backend sessions if some HTTP keep-alive is performed over the connection
Willy Tarreaue9656522010-08-17 15:40:09 +020010382 with the client. See also src_sess_cnt.
10383
Cyril Bonté62ba8702014-04-22 23:52:25 +020010384sc_sess_rate(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010385sc0_sess_rate([<table>]) : integer
10386sc1_sess_rate([<table>]) : integer
10387sc2_sess_rate([<table>]) : integer
Willy Tarreaue9656522010-08-17 15:40:09 +020010388 Returns the average session rate from the currently tracked counters,
10389 measured in amount of sessions over the period configured in the table. A
10390 session is a connection that got past the early "tcp-request connection"
10391 rules. A backend may count more sessions than connections because each
10392 connection could result in many backend sessions if some HTTP keep-alive is
Jamie Gloudonaaa21002012-08-25 00:18:33 -040010393 performed over the connection with the client. See also src_sess_rate.
Willy Tarreaue9656522010-08-17 15:40:09 +020010394
Cyril Bonté62ba8702014-04-22 23:52:25 +020010395sc_tracked(<ctr>[,<table>]) : boolean
Willy Tarreau0f791d42013-07-23 19:56:43 +020010396sc0_tracked([<table>]) : boolean
10397sc1_tracked([<table>]) : boolean
10398sc2_tracked([<table>]) : boolean
Willy Tarreau6f1615f2013-06-03 15:15:22 +020010399 Returns true if the designated session counter is currently being tracked by
10400 the current session. This can be useful when deciding whether or not we want
10401 to set some values in a header passed to the server.
10402
Cyril Bonté62ba8702014-04-22 23:52:25 +020010403sc_trackers(<ctr>[,<table>]) : integer
Willy Tarreau0f791d42013-07-23 19:56:43 +020010404sc0_trackers([<table>]) : integer
10405sc1_trackers([<table>]) : integer
10406sc2_trackers([<table>]) : integer
Willy Tarreau2406db42012-12-09 12:16:43 +010010407 Returns the current amount of concurrent connections tracking the same
10408 tracked counters. This number is automatically incremented when tracking
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020010409 begins and decremented when tracking stops. It differs from sc0_conn_cur in
Willy Tarreau2406db42012-12-09 12:16:43 +010010410 that it does not rely on any stored information but on the table's reference
10411 count (the "use" value which is returned by "show table" on the CLI). This
Willy Tarreau74ca5042013-06-11 23:12:07 +020010412 may sometimes be more suited for layer7 tracking. It can be used to tell a
10413 server how many concurrent connections there are from a given address for
10414 example.
Willy Tarreau2406db42012-12-09 12:16:43 +010010415
Willy Tarreau74ca5042013-06-11 23:12:07 +020010416so_id : integer
10417 Returns an integer containing the current listening socket's id. It is useful
10418 in frontends involving many "bind" lines, or to stick all users coming via a
10419 same socket to the same server.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010420
Willy Tarreau74ca5042013-06-11 23:12:07 +020010421src : ip
10422 This is the source IPv4 address of the client of the session. It is of type
10423 IP and works on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 addresses are
10424 mapped to their IPv6 equivalent, according to RFC 4291. Note that it is the
10425 TCP-level source address which is used, and not the address of a client
10426 behind a proxy. However if the "accept-proxy" bind directive is used, it can
10427 be the address of a client behind another PROXY-protocol compatible component
10428 for all rule sets except "tcp-request connection" which sees the real address.
Willy Tarreaud63335a2010-02-26 12:56:52 +010010429
Thierry FOURNIERd5f624d2013-11-26 11:52:33 +010010430 Example:
10431 # add an HTTP header in requests with the originating address' country
10432 http-request set-header X-Country %[src,map_ip(geoip.lst)]
10433
Willy Tarreau74ca5042013-06-11 23:12:07 +020010434src_bytes_in_rate([<table>]) : integer
10435 Returns the average bytes rate from the incoming connection's source address
10436 in the current proxy's stick-table or in the designated stick-table, measured
10437 in amount of bytes over the period configured in the table. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010438 not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_in_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010439
Willy Tarreau74ca5042013-06-11 23:12:07 +020010440src_bytes_out_rate([<table>]) : integer
10441 Returns the average bytes rate to the incoming connection's source address in
10442 the current proxy's stick-table or in the designated stick-table, measured in
Willy Tarreauc9705a12010-07-27 20:05:50 +020010443 amount of bytes over the period configured in the table. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010444 not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_out_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010445
Willy Tarreau74ca5042013-06-11 23:12:07 +020010446src_clr_gpc0([<table>]) : integer
10447 Clears the first General Purpose Counter associated to the incoming
10448 connection's source address in the current proxy's stick-table or in the
10449 designated stick-table, and returns its previous value. If the address is not
10450 found, an entry is created and 0 is returned. This is typically used as a
10451 second ACL in an expression in order to mark a connection when a first ACL
10452 was verified :
Willy Tarreauf73cd112011-08-13 01:45:16 +020010453
10454 # block if 5 consecutive requests continue to come faster than 10 sess
10455 # per second, and reset the counter as soon as the traffic slows down.
10456 acl abuse src_http_req_rate gt 10
10457 acl kill src_inc_gpc0 gt 5
Willy Tarreau869948b2013-01-04 14:14:57 +010010458 acl save src_clr_gpc0 ge 0
Willy Tarreauf73cd112011-08-13 01:45:16 +020010459 tcp-request connection accept if !abuse save
10460 tcp-request connection reject if abuse kill
10461
Willy Tarreau74ca5042013-06-11 23:12:07 +020010462src_conn_cnt([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020010463 Returns the cumulated number of connections initiated from the current
Willy Tarreau74ca5042013-06-11 23:12:07 +020010464 incoming connection's source address in the current proxy's stick-table or in
Willy Tarreauc9705a12010-07-27 20:05:50 +020010465 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010466 See also sc/sc0/sc1/sc2_conn_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010467
Willy Tarreau74ca5042013-06-11 23:12:07 +020010468src_conn_cur([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020010469 Returns the current amount of concurrent connections initiated from the
Willy Tarreau74ca5042013-06-11 23:12:07 +020010470 current incoming connection's source address in the current proxy's
10471 stick-table or in the designated stick-table. If the address is not found,
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010472 zero is returned. See also sc/sc0/sc1/sc2_conn_cur.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010473
Willy Tarreau74ca5042013-06-11 23:12:07 +020010474src_conn_rate([<table>]) : integer
10475 Returns the average connection rate from the incoming connection's source
10476 address in the current proxy's stick-table or in the designated stick-table,
10477 measured in amount of connections over the period configured in the table. If
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010478 the address is not found, zero is returned. See also sc/sc0/sc1/sc2_conn_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010479
Willy Tarreau74ca5042013-06-11 23:12:07 +020010480src_get_gpc0([<table>]) : integer
Willy Tarreauc9705a12010-07-27 20:05:50 +020010481 Returns the value of the first General Purpose Counter associated to the
Willy Tarreau74ca5042013-06-11 23:12:07 +020010482 incoming connection's source address in the current proxy's stick-table or in
Willy Tarreauc9705a12010-07-27 20:05:50 +020010483 the designated stick-table. If the address is not found, zero is returned.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010484 See also sc/sc0/sc1/sc2_get_gpc0 and src_inc_gpc0.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010485
Willy Tarreau74ca5042013-06-11 23:12:07 +020010486src_gpc0_rate([<table>]) : integer
Willy Tarreauba2ffd12013-05-29 15:54:14 +020010487 Returns the average increment rate of the first General Purpose Counter
Willy Tarreau74ca5042013-06-11 23:12:07 +020010488 associated to the incoming connection's source address in the current proxy's
Willy Tarreauba2ffd12013-05-29 15:54:14 +020010489 stick-table or in the designated stick-table. It reports the frequency
10490 which the gpc0 counter was incremented over the configured period. See also
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010491 sc/sc0/sc1/sc2_gpc0_rate, src_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note
10492 that the "gpc0_rate" counter must be stored in the stick-table for a value to
10493 be returned, as "gpc0" only holds the event count.
Willy Tarreauba2ffd12013-05-29 15:54:14 +020010494
Willy Tarreau74ca5042013-06-11 23:12:07 +020010495src_http_err_cnt([<table>]) : integer
10496 Returns the cumulated number of HTTP errors from the incoming connection's
10497 source address in the current proxy's stick-table or in the designated
Willy Tarreauc9705a12010-07-27 20:05:50 +020010498 stick-table. This includes the both request errors and 4xx error responses.
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010499 See also sc/sc0/sc1/sc2_http_err_cnt. If the address is not found, zero is
Willy Tarreau74ca5042013-06-11 23:12:07 +020010500 returned.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010501
Willy Tarreau74ca5042013-06-11 23:12:07 +020010502src_http_err_rate([<table>]) : integer
10503 Returns the average rate of HTTP errors from the incoming connection's source
10504 address in the current proxy's stick-table or in the designated stick-table,
10505 measured in amount of errors over the period configured in the table. This
10506 includes the both request errors and 4xx error responses. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010507 not found, zero is returned. See also sc/sc0/sc1/sc2_http_err_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010508
Willy Tarreau74ca5042013-06-11 23:12:07 +020010509src_http_req_cnt([<table>]) : integer
10510 Returns the cumulated number of HTTP requests from the incoming connection's
10511 source address in the current proxy's stick-table or in the designated stick-
10512 table. This includes every started request, valid or not. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010513 not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010514
Willy Tarreau74ca5042013-06-11 23:12:07 +020010515src_http_req_rate([<table>]) : integer
10516 Returns the average rate of HTTP requests from the incoming connection's
10517 source address in the current proxy's stick-table or in the designated stick-
10518 table, measured in amount of requests over the period configured in the
Willy Tarreauc9705a12010-07-27 20:05:50 +020010519 table. This includes every started request, valid or not. If the address is
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010520 not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010521
Willy Tarreau74ca5042013-06-11 23:12:07 +020010522src_inc_gpc0([<table>]) : integer
10523 Increments the first General Purpose Counter associated to the incoming
10524 connection's source address in the current proxy's stick-table or in the
10525 designated stick-table, and returns its new value. If the address is not
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020010526 found, an entry is created and 1 is returned. See also sc0/sc2/sc2_inc_gpc0.
Willy Tarreau74ca5042013-06-11 23:12:07 +020010527 This is typically used as a second ACL in an expression in order to mark a
10528 connection when a first ACL was verified :
Willy Tarreauc9705a12010-07-27 20:05:50 +020010529
10530 acl abuse src_http_req_rate gt 10
Willy Tarreau869948b2013-01-04 14:14:57 +010010531 acl kill src_inc_gpc0 gt 0
Willy Tarreaue9656522010-08-17 15:40:09 +020010532 tcp-request connection reject if abuse kill
Willy Tarreauc9705a12010-07-27 20:05:50 +020010533
Willy Tarreau74ca5042013-06-11 23:12:07 +020010534src_kbytes_in([<table>]) : integer
10535 Returns the amount of data received from the incoming connection's source
10536 address in the current proxy's stick-table or in the designated stick-table,
10537 measured in kilobytes over the period configured in the table. If the address
10538 is not found, zero is returned. The test is currently performed on 32-bit
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010539 integers, which limits values to 4 terabytes. See also
10540 sc/sc0/sc1/sc2_kbytes_in.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010541
Willy Tarreau74ca5042013-06-11 23:12:07 +020010542src_kbytes_out([<table>]) : integer
10543 Returns the amount of data sent to the incoming connection's source address
10544 in the current proxy's stick-table or in the designated stick-table, measured
Willy Tarreauc9705a12010-07-27 20:05:50 +020010545 in kilobytes over the period configured in the table. If the address is not
10546 found, zero is returned. The test is currently performed on 32-bit integers,
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010547 which limits values to 4 terabytes. See also sc/sc0/sc1/sc2_kbytes_out.
Willy Tarreaua975b8f2010-06-05 19:13:27 +020010548
Willy Tarreau74ca5042013-06-11 23:12:07 +020010549src_port : integer
10550 Returns an integer value corresponding to the TCP source port of the
10551 connection on the client side, which is the port the client connected from.
10552 Usage of this function is very limited as modern protocols do not care much
10553 about source ports nowadays.
Willy Tarreau079ff0a2009-03-05 21:34:28 +010010554
Willy Tarreau74ca5042013-06-11 23:12:07 +020010555src_sess_cnt([<table>]) : integer
10556 Returns the cumulated number of connections initiated from the incoming
Willy Tarreauc9705a12010-07-27 20:05:50 +020010557 connection's source IPv4 address in the current proxy's stick-table or in the
10558 designated stick-table, that were transformed into sessions, which means that
10559 they were accepted by "tcp-request" rules. If the address is not found, zero
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010560 is returned. See also sc/sc0/sc1/sc2_sess_cnt.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010561
Willy Tarreau74ca5042013-06-11 23:12:07 +020010562src_sess_rate([<table>]) : integer
10563 Returns the average session rate from the incoming connection's source
10564 address in the current proxy's stick-table or in the designated stick-table,
10565 measured in amount of sessions over the period configured in the table. A
10566 session is a connection that went past the early "tcp-request" rules. If the
Willy Tarreau4d4149c2013-07-23 19:33:46 +020010567 address is not found, zero is returned. See also sc/sc0/sc1/sc2_sess_rate.
Willy Tarreauc9705a12010-07-27 20:05:50 +020010568
Willy Tarreau74ca5042013-06-11 23:12:07 +020010569src_updt_conn_cnt([<table>]) : integer
10570 Creates or updates the entry associated to the incoming connection's source
10571 address in the current proxy's stick-table or in the designated stick-table.
10572 This table must be configured to store the "conn_cnt" data type, otherwise
10573 the match will be ignored. The current count is incremented by one, and the
10574 expiration timer refreshed. The updated count is returned, so this match
10575 can't return zero. This was used to reject service abusers based on their
10576 source address. Note: it is recommended to use the more complete "track-sc*"
10577 actions in "tcp-request" rules instead.
Willy Tarreaua975b8f2010-06-05 19:13:27 +020010578
10579 Example :
10580 # This frontend limits incoming SSH connections to 3 per 10 second for
10581 # each source address, and rejects excess connections until a 10 second
10582 # silence is observed. At most 20 addresses are tracked.
10583 listen ssh
10584 bind :22
10585 mode tcp
10586 maxconn 100
Willy Tarreauc9705a12010-07-27 20:05:50 +020010587 stick-table type ip size 20 expire 10s store conn_cnt
Willy Tarreau74ca5042013-06-11 23:12:07 +020010588 tcp-request content reject if { src_updt_conn_cnt gt 3 }
Willy Tarreaua975b8f2010-06-05 19:13:27 +020010589 server local 127.0.0.1:22
10590
Willy Tarreau74ca5042013-06-11 23:12:07 +020010591srv_id : integer
10592 Returns an integer containing the server's id when processing the response.
10593 While it's almost only used with ACLs, it may be used for logging or
10594 debugging.
Hervé COMMOWICKdaa824e2011-08-05 12:09:44 +020010595
Hervé COMMOWICK35ed8012010-12-15 14:04:51 +010010596
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200105977.3.4. Fetching samples at Layer 5
Willy Tarreau74ca5042013-06-11 23:12:07 +020010598----------------------------------
Willy Tarreau0b1cd942010-05-16 22:18:27 +020010599
Willy Tarreau74ca5042013-06-11 23:12:07 +020010600The layer 5 usually describes just the session layer which in haproxy is
10601closest to the session once all the connection handshakes are finished, but
10602when no content is yet made available. The fetch methods described here are
10603usable as low as the "tcp-request content" rule sets unless they require some
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030010604future information. Those generally include the results of SSL negotiations.
Willy Tarreauc735a072011-03-29 00:57:02 +020010605
Emeric Brun645ae792014-04-30 14:21:06 +020010606ssl_bc : boolean
10607 Returns true when the back connection was made via an SSL/TLS transport
10608 layer and is locally deciphered. This means the outgoing connection was made
10609 other a server with the "ssl" option.
10610
10611ssl_bc_alg_keysize : integer
10612 Returns the symmetric cipher key size supported in bits when the outgoing
10613 connection was made over an SSL/TLS transport layer.
10614
10615ssl_bc_cipher : string
10616 Returns the name of the used cipher when the outgoing connection was made
10617 over an SSL/TLS transport layer.
10618
10619ssl_bc_protocol : string
10620 Returns the name of the used protocol when the outgoing connection was made
10621 over an SSL/TLS transport layer.
10622
Emeric Brunb73a9b02014-04-30 18:49:19 +020010623ssl_bc_unique_id : binary
Emeric Brun645ae792014-04-30 14:21:06 +020010624 When the outgoing connection was made over an SSL/TLS transport layer,
Emeric Brunb73a9b02014-04-30 18:49:19 +020010625 returns the TLS unique ID as defined in RFC5929 section 3. The unique id
10626 can be encoded to base64 using the converter: "ssl_bc_unique_id,base64".
Emeric Brun645ae792014-04-30 14:21:06 +020010627
10628ssl_bc_session_id : binary
10629 Returns the SSL ID of the back connection when the outgoing connection was
10630 made over an SSL/TLS transport layer. It is useful to log if we want to know
10631 if session was reused or not.
10632
10633ssl_bc_use_keysize : integer
10634 Returns the symmetric cipher key size used in bits when the outgoing
10635 connection was made over an SSL/TLS transport layer.
10636
Willy Tarreau74ca5042013-06-11 23:12:07 +020010637ssl_c_ca_err : integer
10638 When the incoming connection was made over an SSL/TLS transport layer,
10639 returns the ID of the first error detected during verification of the client
10640 certificate at depth > 0, or 0 if no error was encountered during this
10641 verification process. Please refer to your SSL library's documentation to
10642 find the exhaustive list of error codes.
Willy Tarreauc735a072011-03-29 00:57:02 +020010643
Willy Tarreau74ca5042013-06-11 23:12:07 +020010644ssl_c_ca_err_depth : integer
10645 When the incoming connection was made over an SSL/TLS transport layer,
10646 returns the depth in the CA chain of the first error detected during the
10647 verification of the client certificate. If no error is encountered, 0 is
10648 returned.
Willy Tarreau0ba27502007-12-24 16:55:16 +010010649
Willy Tarreau74ca5042013-06-11 23:12:07 +020010650ssl_c_err : integer
10651 When the incoming connection was made over an SSL/TLS transport layer,
10652 returns the ID of the first error detected during verification at depth 0, or
10653 0 if no error was encountered during this verification process. Please refer
10654 to your SSL library's documentation to find the exhaustive list of error
10655 codes.
Willy Tarreau62644772008-07-16 18:36:06 +020010656
Willy Tarreau74ca5042013-06-11 23:12:07 +020010657ssl_c_i_dn([<entry>[,<occ>]]) : string
10658 When the incoming connection was made over an SSL/TLS transport layer,
10659 returns the full distinguished name of the issuer of the certificate
10660 presented by the client when no <entry> is specified, or the value of the
10661 first given entry found from the beginning of the DN. If a positive/negative
10662 occurrence number is specified as the optional second argument, it returns
10663 the value of the nth given entry value from the beginning/end of the DN.
10664 For instance, "ssl_c_i_dn(OU,2)" the second organization unit, and
10665 "ssl_c_i_dn(CN)" retrieves the common name.
Willy Tarreau62644772008-07-16 18:36:06 +020010666
Willy Tarreau74ca5042013-06-11 23:12:07 +020010667ssl_c_key_alg : string
10668 Returns the name of the algorithm used to generate the key of the certificate
10669 presented by the client when the incoming connection was made over an SSL/TLS
10670 transport layer.
Willy Tarreau62644772008-07-16 18:36:06 +020010671
Willy Tarreau74ca5042013-06-11 23:12:07 +020010672ssl_c_notafter : string
10673 Returns the end date presented by the client as a formatted string
10674 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
10675 transport layer.
Emeric Brunbede3d02009-06-30 17:54:00 +020010676
Willy Tarreau74ca5042013-06-11 23:12:07 +020010677ssl_c_notbefore : string
10678 Returns the start date presented by the client as a formatted string
10679 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
10680 transport layer.
Willy Tarreaub6672b52011-12-12 17:23:41 +010010681
Willy Tarreau74ca5042013-06-11 23:12:07 +020010682ssl_c_s_dn([<entry>[,<occ>]]) : string
10683 When the incoming connection was made over an SSL/TLS transport layer,
10684 returns the full distinguished name of the subject of the certificate
10685 presented by the client when no <entry> is specified, or the value of the
10686 first given entry found from the beginning of the DN. If a positive/negative
10687 occurrence number is specified as the optional second argument, it returns
10688 the value of the nth given entry value from the beginning/end of the DN.
10689 For instance, "ssl_c_s_dn(OU,2)" the second organization unit, and
10690 "ssl_c_s_dn(CN)" retrieves the common name.
Willy Tarreaub6672b52011-12-12 17:23:41 +010010691
Willy Tarreau74ca5042013-06-11 23:12:07 +020010692ssl_c_serial : binary
10693 Returns the serial of the certificate presented by the client when the
10694 incoming connection was made over an SSL/TLS transport layer. When used for
10695 an ACL, the value(s) to match against can be passed in hexadecimal form.
Emeric Brun2525b6b2012-10-18 15:59:43 +020010696
Willy Tarreau74ca5042013-06-11 23:12:07 +020010697ssl_c_sha1 : binary
10698 Returns the SHA-1 fingerprint of the certificate presented by the client when
10699 the incoming connection was made over an SSL/TLS transport layer. This can be
10700 used to stick a client to a server, or to pass this information to a server.
Emeric Brun2525b6b2012-10-18 15:59:43 +020010701
Willy Tarreau74ca5042013-06-11 23:12:07 +020010702ssl_c_sig_alg : string
10703 Returns the name of the algorithm used to sign the certificate presented by
10704 the client when the incoming connection was made over an SSL/TLS transport
10705 layer.
Emeric Brun87855892012-10-17 17:39:35 +020010706
Willy Tarreau74ca5042013-06-11 23:12:07 +020010707ssl_c_used : boolean
10708 Returns true if current SSL session uses a client certificate even if current
10709 connection uses SSL session resumption. See also "ssl_fc_has_crt".
Emeric Brun7f56e742012-10-19 18:15:40 +020010710
Willy Tarreau74ca5042013-06-11 23:12:07 +020010711ssl_c_verify : integer
10712 Returns the verify result error ID when the incoming connection was made over
10713 an SSL/TLS transport layer, otherwise zero if no error is encountered. Please
10714 refer to your SSL library's documentation for an exhaustive list of error
10715 codes.
Emeric Brunce5ad802012-10-22 14:11:22 +020010716
Willy Tarreau74ca5042013-06-11 23:12:07 +020010717ssl_c_version : integer
10718 Returns the version of the certificate presented by the client when the
10719 incoming connection was made over an SSL/TLS transport layer.
Emeric Brunce5ad802012-10-22 14:11:22 +020010720
Willy Tarreau74ca5042013-06-11 23:12:07 +020010721ssl_f_i_dn([<entry>[,<occ>]]) : string
10722 When the incoming connection was made over an SSL/TLS transport layer,
10723 returns the full distinguished name of the issuer of the certificate
10724 presented by the frontend when no <entry> is specified, or the value of the
10725 first given entry found from the beginning of the DN. If a positive/negative
Emeric Brun87855892012-10-17 17:39:35 +020010726 occurrence number is specified as the optional second argument, it returns
Willy Tarreau74ca5042013-06-11 23:12:07 +020010727 the value of the nth given entry value from the beginning/end of the DN.
10728 For instance, "ssl_f_i_dn(OU,2)" the second organization unit, and
10729 "ssl_f_i_dn(CN)" retrieves the common name.
Emeric Brun87855892012-10-17 17:39:35 +020010730
Willy Tarreau74ca5042013-06-11 23:12:07 +020010731ssl_f_key_alg : string
10732 Returns the name of the algorithm used to generate the key of the certificate
10733 presented by the frontend when the incoming connection was made over an
10734 SSL/TLS transport layer.
Emeric Brun7f56e742012-10-19 18:15:40 +020010735
Willy Tarreau74ca5042013-06-11 23:12:07 +020010736ssl_f_notafter : string
10737 Returns the end date presented by the frontend as a formatted string
10738 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
10739 transport layer.
Emeric Brun2525b6b2012-10-18 15:59:43 +020010740
Willy Tarreau74ca5042013-06-11 23:12:07 +020010741ssl_f_notbefore : string
10742 Returns the start date presented by the frontend as a formatted string
10743 YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
10744 transport layer.
Emeric Brun87855892012-10-17 17:39:35 +020010745
Willy Tarreau74ca5042013-06-11 23:12:07 +020010746ssl_f_s_dn([<entry>[,<occ>]]) : string
10747 When the incoming connection was made over an SSL/TLS transport layer,
10748 returns the full distinguished name of the subject of the certificate
10749 presented by the frontend when no <entry> is specified, or the value of the
10750 first given entry found from the beginning of the DN. If a positive/negative
10751 occurrence number is specified as the optional second argument, it returns
10752 the value of the nth given entry value from the beginning/end of the DN.
10753 For instance, "ssl_f_s_dn(OU,2)" the second organization unit, and
10754 "ssl_f_s_dn(CN)" retrieves the common name.
Emeric Brunce5ad802012-10-22 14:11:22 +020010755
Willy Tarreau74ca5042013-06-11 23:12:07 +020010756ssl_f_serial : binary
10757 Returns the serial of the certificate presented by the frontend when the
10758 incoming connection was made over an SSL/TLS transport layer. When used for
10759 an ACL, the value(s) to match against can be passed in hexadecimal form.
Emeric Brun87855892012-10-17 17:39:35 +020010760
Emeric Brun55f4fa82014-04-30 17:11:25 +020010761ssl_f_sha1 : binary
10762 Returns the SHA-1 fingerprint of the certificate presented by the frontend
10763 when the incoming connection was made over an SSL/TLS transport layer. This
10764 can be used to know which certificate was chosen using SNI.
10765
Willy Tarreau74ca5042013-06-11 23:12:07 +020010766ssl_f_sig_alg : string
10767 Returns the name of the algorithm used to sign the certificate presented by
10768 the frontend when the incoming connection was made over an SSL/TLS transport
10769 layer.
Emeric Brun7f56e742012-10-19 18:15:40 +020010770
Willy Tarreau74ca5042013-06-11 23:12:07 +020010771ssl_f_version : integer
10772 Returns the version of the certificate presented by the frontend when the
10773 incoming connection was made over an SSL/TLS transport layer.
10774
10775ssl_fc : boolean
Emeric Brun2525b6b2012-10-18 15:59:43 +020010776 Returns true when the front connection was made via an SSL/TLS transport
10777 layer and is locally deciphered. This means it has matched a socket declared
10778 with a "bind" line having the "ssl" option.
10779
Willy Tarreau74ca5042013-06-11 23:12:07 +020010780 Example :
10781 # This passes "X-Proto: https" to servers when client connects over SSL
10782 listen http-https
10783 bind :80
10784 bind :443 ssl crt /etc/haproxy.pem
10785 http-request add-header X-Proto https if { ssl_fc }
10786
10787ssl_fc_alg_keysize : integer
10788 Returns the symmetric cipher key size supported in bits when the incoming
10789 connection was made over an SSL/TLS transport layer.
10790
10791ssl_fc_alpn : string
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030010792 This extracts the Application Layer Protocol Negotiation field from an
Willy Tarreau74ca5042013-06-11 23:12:07 +020010793 incoming connection made via a TLS transport layer and locally deciphered by
10794 haproxy. The result is a string containing the protocol name advertised by
10795 the client. The SSL library must have been built with support for TLS
10796 extensions enabled (check haproxy -vv). Note that the TLS ALPN extension is
10797 not advertised unless the "alpn" keyword on the "bind" line specifies a
10798 protocol list. Also, nothing forces the client to pick a protocol from this
10799 list, any other one may be requested. The TLS ALPN extension is meant to
10800 replace the TLS NPN extension. See also "ssl_fc_npn".
10801
Willy Tarreau74ca5042013-06-11 23:12:07 +020010802ssl_fc_cipher : string
10803 Returns the name of the used cipher when the incoming connection was made
10804 over an SSL/TLS transport layer.
Willy Tarreauab861d32013-04-02 02:30:41 +020010805
Willy Tarreau74ca5042013-06-11 23:12:07 +020010806ssl_fc_has_crt : boolean
Emeric Brun2525b6b2012-10-18 15:59:43 +020010807 Returns true if a client certificate is present in an incoming connection over
10808 SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
Emeric Brun9143d372012-12-20 15:44:16 +010010809 Note: on SSL session resumption with Session ID or TLS ticket, client
10810 certificate is not present in the current connection but may be retrieved
10811 from the cache or the ticket. So prefer "ssl_c_used" if you want to check if
10812 current SSL session uses a client certificate.
Emeric Brun2525b6b2012-10-18 15:59:43 +020010813
Willy Tarreau74ca5042013-06-11 23:12:07 +020010814ssl_fc_has_sni : boolean
10815 This checks for the presence of a Server Name Indication TLS extension (SNI)
Willy Tarreauf7bc57c2012-10-03 00:19:48 +020010816 in an incoming connection was made over an SSL/TLS transport layer. Returns
10817 true when the incoming connection presents a TLS SNI field. This requires
10818 that the SSL library is build with support for TLS extensions enabled (check
10819 haproxy -vv).
Willy Tarreau7875d092012-09-10 08:20:03 +020010820
Willy Tarreau74ca5042013-06-11 23:12:07 +020010821ssl_fc_npn : string
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030010822 This extracts the Next Protocol Negotiation field from an incoming connection
Willy Tarreau74ca5042013-06-11 23:12:07 +020010823 made via a TLS transport layer and locally deciphered by haproxy. The result
10824 is a string containing the protocol name advertised by the client. The SSL
10825 library must have been built with support for TLS extensions enabled (check
10826 haproxy -vv). Note that the TLS NPN extension is not advertised unless the
10827 "npn" keyword on the "bind" line specifies a protocol list. Also, nothing
10828 forces the client to pick a protocol from this list, any other one may be
10829 requested. Please note that the TLS NPN extension was replaced with ALPN.
Willy Tarreaua33c6542012-10-15 13:19:06 +020010830
Willy Tarreau74ca5042013-06-11 23:12:07 +020010831ssl_fc_protocol : string
10832 Returns the name of the used protocol when the incoming connection was made
10833 over an SSL/TLS transport layer.
Willy Tarreau7875d092012-09-10 08:20:03 +020010834
Emeric Brunb73a9b02014-04-30 18:49:19 +020010835ssl_fc_unique_id : binary
David Sc1ad52e2014-04-08 18:48:47 -040010836 When the incoming connection was made over an SSL/TLS transport layer,
Emeric Brunb73a9b02014-04-30 18:49:19 +020010837 returns the TLS unique ID as defined in RFC5929 section 3. The unique id
10838 can be encoded to base64 using the converter: "ssl_bc_unique_id,base64".
David Sc1ad52e2014-04-08 18:48:47 -040010839
Willy Tarreau74ca5042013-06-11 23:12:07 +020010840ssl_fc_session_id : binary
10841 Returns the SSL ID of the front connection when the incoming connection was
10842 made over an SSL/TLS transport layer. It is useful to stick a given client to
10843 a server. It is important to note that some browsers refresh their session ID
10844 every few minutes.
Willy Tarreau7875d092012-09-10 08:20:03 +020010845
Willy Tarreau74ca5042013-06-11 23:12:07 +020010846ssl_fc_sni : string
10847 This extracts the Server Name Indication TLS extension (SNI) field from an
10848 incoming connection made via an SSL/TLS transport layer and locally
10849 deciphered by haproxy. The result (when present) typically is a string
10850 matching the HTTPS host name (253 chars or less). The SSL library must have
10851 been built with support for TLS extensions enabled (check haproxy -vv).
10852
10853 This fetch is different from "req_ssl_sni" above in that it applies to the
10854 connection being deciphered by haproxy and not to SSL contents being blindly
10855 forwarded. See also "ssl_fc_sni_end" and "ssl_fc_sni_reg" below. This
Cyril Bonté9c1eb1e2012-10-09 22:45:34 +020010856 requires that the SSL library is build with support for TLS extensions
10857 enabled (check haproxy -vv).
Willy Tarreau62644772008-07-16 18:36:06 +020010858
Willy Tarreau74ca5042013-06-11 23:12:07 +020010859 ACL derivatives :
Willy Tarreau74ca5042013-06-11 23:12:07 +020010860 ssl_fc_sni_end : suffix match
10861 ssl_fc_sni_reg : regex match
Emeric Brun589fcad2012-10-16 14:13:26 +020010862
Willy Tarreau74ca5042013-06-11 23:12:07 +020010863ssl_fc_use_keysize : integer
10864 Returns the symmetric cipher key size used in bits when the incoming
10865 connection was made over an SSL/TLS transport layer.
Willy Tarreaub6fb4202008-07-20 11:18:28 +020010866
Willy Tarreaub6fb4202008-07-20 11:18:28 +020010867
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200108687.3.5. Fetching samples from buffer contents (Layer 6)
Willy Tarreau74ca5042013-06-11 23:12:07 +020010869------------------------------------------------------
Willy Tarreaub6fb4202008-07-20 11:18:28 +020010870
Willy Tarreau74ca5042013-06-11 23:12:07 +020010871Fetching samples from buffer contents is a bit different from the previous
10872sample fetches above because the sampled data are ephemeral. These data can
10873only be used when they're available and will be lost when they're forwarded.
10874For this reason, samples fetched from buffer contents during a request cannot
10875be used in a response for example. Even while the data are being fetched, they
10876can change. Sometimes it is necessary to set some delays or combine multiple
10877sample fetch methods to ensure that the expected data are complete and usable,
10878for example through TCP request content inspection. Please see the "tcp-request
10879content" keyword for more detailed information on the subject.
Willy Tarreau62644772008-07-16 18:36:06 +020010880
Willy Tarreau74ca5042013-06-11 23:12:07 +020010881payload(<offset>,<length>) : binary (deprecated)
10882 This is an alias for "req.payload" when used in the context of a request (eg:
10883 "stick on", "stick match"), and for "res.payload" when used in the context of
10884 a response such as in "stick store response".
Willy Tarreau0ba27502007-12-24 16:55:16 +010010885
Willy Tarreau74ca5042013-06-11 23:12:07 +020010886payload_lv(<offset1>,<length>[,<offset2>]) : binary (deprecated)
10887 This is an alias for "req.payload_lv" when used in the context of a request
10888 (eg: "stick on", "stick match"), and for "res.payload_lv" when used in the
10889 context of a response such as in "stick store response".
Willy Tarreau0ba27502007-12-24 16:55:16 +010010890
Willy Tarreau74ca5042013-06-11 23:12:07 +020010891req.len : integer
10892req_len : integer (deprecated)
10893 Returns an integer value corresponding to the number of bytes present in the
10894 request buffer. This is mostly used in ACL. It is important to understand
10895 that this test does not return false as long as the buffer is changing. This
10896 means that a check with equality to zero will almost always immediately match
10897 at the beginning of the session, while a test for more data will wait for
10898 that data to come in and return false only when haproxy is certain that no
10899 more data will come in. This test was designed to be used with TCP request
10900 content inspection.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020010901
Willy Tarreau74ca5042013-06-11 23:12:07 +020010902req.payload(<offset>,<length>) : binary
10903 This extracts a binary block of <length> bytes and starting at byte <offset>
Willy Tarreau00f00842013-08-02 11:07:32 +020010904 in the request buffer. As a special case, if the <length> argument is zero,
10905 the the whole buffer from <offset> to the end is extracted. This can be used
10906 with ACLs in order to check for the presence of some content in a buffer at
10907 any location.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020010908
Willy Tarreau74ca5042013-06-11 23:12:07 +020010909 ACL alternatives :
10910 payload(<offset>,<length>) : hex binary match
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020010911
Willy Tarreau74ca5042013-06-11 23:12:07 +020010912req.payload_lv(<offset1>,<length>[,<offset2>]) : binary
10913 This extracts a binary block whose size is specified at <offset1> for <length>
10914 bytes, and which starts at <offset2> if specified or just after the length in
10915 the request buffer. The <offset2> parameter also supports relative offsets if
10916 prepended with a '+' or '-' sign.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020010917
Willy Tarreau74ca5042013-06-11 23:12:07 +020010918 ACL alternatives :
10919 payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020010920
Willy Tarreau74ca5042013-06-11 23:12:07 +020010921 Example : please consult the example from the "stick store-response" keyword.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020010922
Willy Tarreau74ca5042013-06-11 23:12:07 +020010923req.proto_http : boolean
10924req_proto_http : boolean (deprecated)
10925 Returns true when data in the request buffer look like HTTP and correctly
10926 parses as such. It is the same parser as the common HTTP request parser which
10927 is used so there should be no surprises. The test does not match until the
10928 request is complete, failed or timed out. This test may be used to report the
10929 protocol in TCP logs, but the biggest use is to block TCP request analysis
10930 until a complete HTTP request is present in the buffer, for example to track
10931 a header.
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020010932
Willy Tarreau74ca5042013-06-11 23:12:07 +020010933 Example:
10934 # track request counts per "base" (concatenation of Host+URL)
10935 tcp-request inspect-delay 10s
10936 tcp-request content reject if !HTTP
Willy Tarreaube4a3ef2013-06-17 15:04:07 +020010937 tcp-request content track-sc0 base table req-rate
Willy Tarreaua7ad50c2012-04-29 15:39:40 +020010938
Willy Tarreau74ca5042013-06-11 23:12:07 +020010939req.rdp_cookie([<name>]) : string
10940rdp_cookie([<name>]) : string (deprecated)
10941 When the request buffer looks like the RDP protocol, extracts the RDP cookie
10942 <name>, or any cookie if unspecified. The parser only checks for the first
10943 cookie, as illustrated in the RDP protocol specification. The cookie name is
10944 case insensitive. Generally the "MSTS" cookie name will be used, as it can
10945 contain the user name of the client connecting to the server if properly
10946 configured on the client. The "MSTSHASH" cookie is often used as well for
10947 session stickiness to servers.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020010948
Willy Tarreau74ca5042013-06-11 23:12:07 +020010949 This differs from "balance rdp-cookie" in that any balancing algorithm may be
10950 used and thus the distribution of clients to backend servers is not linked to
10951 a hash of the RDP cookie. It is envisaged that using a balancing algorithm
10952 such as "balance roundrobin" or "balance leastconn" will lead to a more even
10953 distribution of clients to backend servers than the hash used by "balance
10954 rdp-cookie".
Willy Tarreau04aa6a92012-04-06 18:57:55 +020010955
Willy Tarreau74ca5042013-06-11 23:12:07 +020010956 ACL derivatives :
10957 req_rdp_cookie([<name>]) : exact string match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020010958
Willy Tarreau74ca5042013-06-11 23:12:07 +020010959 Example :
10960 listen tse-farm
10961 bind 0.0.0.0:3389
10962 # wait up to 5s for an RDP cookie in the request
10963 tcp-request inspect-delay 5s
10964 tcp-request content accept if RDP_COOKIE
10965 # apply RDP cookie persistence
10966 persist rdp-cookie
10967 # Persist based on the mstshash cookie
10968 # This is only useful makes sense if
10969 # balance rdp-cookie is not used
10970 stick-table type string size 204800
10971 stick on req.rdp_cookie(mstshash)
10972 server srv1 1.1.1.1:3389
10973 server srv1 1.1.1.2:3389
Willy Tarreau04aa6a92012-04-06 18:57:55 +020010974
Willy Tarreau74ca5042013-06-11 23:12:07 +020010975 See also : "balance rdp-cookie", "persist rdp-cookie", "tcp-request" and the
10976 "req_rdp_cookie" ACL.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020010977
Willy Tarreau74ca5042013-06-11 23:12:07 +020010978req.rdp_cookie_cnt([name]) : integer
10979rdp_cookie_cnt([name]) : integer (deprecated)
10980 Tries to parse the request buffer as RDP protocol, then returns an integer
10981 corresponding to the number of RDP cookies found. If an optional cookie name
10982 is passed, only cookies matching this name are considered. This is mostly
10983 used in ACL.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020010984
Willy Tarreau74ca5042013-06-11 23:12:07 +020010985 ACL derivatives :
10986 req_rdp_cookie_cnt([<name>]) : integer match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020010987
Willy Tarreau74ca5042013-06-11 23:12:07 +020010988req.ssl_hello_type : integer
10989req_ssl_hello_type : integer (deprecated)
10990 Returns an integer value containing the type of the SSL hello message found
10991 in the request buffer if the buffer contains data that parse as a complete
10992 SSL (v3 or superior) client hello message. Note that this only applies to raw
10993 contents found in the request buffer and not to contents deciphered via an
10994 SSL data layer, so this will not work with "bind" lines having the "ssl"
10995 option. This is mostly used in ACL to detect presence of an SSL hello message
10996 that is supposed to contain an SSL session ID usable for stickiness.
Willy Tarreau04aa6a92012-04-06 18:57:55 +020010997
Willy Tarreau74ca5042013-06-11 23:12:07 +020010998req.ssl_sni : string
10999req_ssl_sni : string (deprecated)
11000 Returns a string containing the value of the Server Name TLS extension sent
11001 by a client in a TLS stream passing through the request buffer if the buffer
11002 contains data that parse as a complete SSL (v3 or superior) client hello
11003 message. Note that this only applies to raw contents found in the request
11004 buffer and not to contents deciphered via an SSL data layer, so this will not
11005 work with "bind" lines having the "ssl" option. SNI normally contains the
11006 name of the host the client tries to connect to (for recent browsers). SNI is
11007 useful for allowing or denying access to certain hosts when SSL/TLS is used
11008 by the client. This test was designed to be used with TCP request content
11009 inspection. If content switching is needed, it is recommended to first wait
11010 for a complete client hello (type 1), like in the example below. See also
11011 "ssl_fc_sni".
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011012
Willy Tarreau74ca5042013-06-11 23:12:07 +020011013 ACL derivatives :
11014 req_ssl_sni : exact string match
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011015
Willy Tarreau74ca5042013-06-11 23:12:07 +020011016 Examples :
11017 # Wait for a client hello for at most 5 seconds
11018 tcp-request inspect-delay 5s
11019 tcp-request content accept if { req_ssl_hello_type 1 }
11020 use_backend bk_allow if { req_ssl_sni -f allowed_sites }
11021 default_backend bk_sorry_page
Willy Tarreau04aa6a92012-04-06 18:57:55 +020011022
Willy Tarreau74ca5042013-06-11 23:12:07 +020011023res.ssl_hello_type : integer
11024rep_ssl_hello_type : integer (deprecated)
11025 Returns an integer value containing the type of the SSL hello message found
11026 in the response buffer if the buffer contains data that parses as a complete
11027 SSL (v3 or superior) hello message. Note that this only applies to raw
11028 contents found in the response buffer and not to contents deciphered via an
11029 SSL data layer, so this will not work with "server" lines having the "ssl"
11030 option. This is mostly used in ACL to detect presence of an SSL hello message
11031 that is supposed to contain an SSL session ID usable for stickiness.
Willy Tarreau51539362012-05-08 12:46:28 +020011032
Willy Tarreau74ca5042013-06-11 23:12:07 +020011033req.ssl_ver : integer
11034req_ssl_ver : integer (deprecated)
11035 Returns an integer value containing the version of the SSL/TLS protocol of a
11036 stream present in the request buffer. Both SSLv2 hello messages and SSLv3
11037 messages are supported. TLSv1 is announced as SSL version 3.1. The value is
11038 composed of the major version multiplied by 65536, added to the minor
11039 version. Note that this only applies to raw contents found in the request
11040 buffer and not to contents deciphered via an SSL data layer, so this will not
11041 work with "bind" lines having the "ssl" option. The ACL version of the test
11042 matches against a decimal notation in the form MAJOR.MINOR (eg: 3.1). This
11043 fetch is mostly used in ACL.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011044
Willy Tarreau74ca5042013-06-11 23:12:07 +020011045 ACL derivatives :
11046 req_ssl_ver : decimal match
Willy Tarreaud63335a2010-02-26 12:56:52 +010011047
Willy Tarreau47e8eba2013-09-11 23:28:46 +020011048res.len : integer
11049 Returns an integer value corresponding to the number of bytes present in the
11050 response buffer. This is mostly used in ACL. It is important to understand
11051 that this test does not return false as long as the buffer is changing. This
11052 means that a check with equality to zero will almost always immediately match
11053 at the beginning of the session, while a test for more data will wait for
11054 that data to come in and return false only when haproxy is certain that no
11055 more data will come in. This test was designed to be used with TCP response
11056 content inspection.
11057
Willy Tarreau74ca5042013-06-11 23:12:07 +020011058res.payload(<offset>,<length>) : binary
11059 This extracts a binary block of <length> bytes and starting at byte <offset>
Willy Tarreau00f00842013-08-02 11:07:32 +020011060 in the response buffer. As a special case, if the <length> argument is zero,
11061 the the whole buffer from <offset> to the end is extracted. This can be used
11062 with ACLs in order to check for the presence of some content in a buffer at
11063 any location.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011064
Willy Tarreau74ca5042013-06-11 23:12:07 +020011065res.payload_lv(<offset1>,<length>[,<offset2>]) : binary
11066 This extracts a binary block whose size is specified at <offset1> for <length>
11067 bytes, and which starts at <offset2> if specified or just after the length in
11068 the response buffer. The <offset2> parameter also supports relative offsets
11069 if prepended with a '+' or '-' sign.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011070
Willy Tarreau74ca5042013-06-11 23:12:07 +020011071 Example : please consult the example from the "stick store-response" keyword.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011072
Willy Tarreau74ca5042013-06-11 23:12:07 +020011073wait_end : boolean
11074 This fetch either returns true when the inspection period is over, or does
11075 not fetch. It is only used in ACLs, in conjunction with content analysis to
11076 avoid returning a wrong verdict early. It may also be used to delay some
11077 actions, such as a delayed reject for some special addresses. Since it either
11078 stops the rules evaluation or immediately returns true, it is recommended to
11079 use this acl as the last one in a rule. Please note that the default ACL
11080 "WAIT_END" is always usable without prior declaration. This test was designed
11081 to be used with TCP request content inspection.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011082
Willy Tarreau74ca5042013-06-11 23:12:07 +020011083 Examples :
11084 # delay every incoming request by 2 seconds
11085 tcp-request inspect-delay 2s
11086 tcp-request content accept if WAIT_END
Willy Tarreaud63335a2010-02-26 12:56:52 +010011087
Willy Tarreau74ca5042013-06-11 23:12:07 +020011088 # don't immediately tell bad guys they are rejected
11089 tcp-request inspect-delay 10s
11090 acl goodguys src 10.0.0.0/24
11091 acl badguys src 10.0.1.0/24
11092 tcp-request content accept if goodguys
11093 tcp-request content reject if badguys WAIT_END
11094 tcp-request content reject
11095
11096
Thierry FOURNIER060762e2014-04-23 13:29:15 +0200110977.3.6. Fetching HTTP samples (Layer 7)
Willy Tarreau74ca5042013-06-11 23:12:07 +020011098--------------------------------------
11099
11100It is possible to fetch samples from HTTP contents, requests and responses.
11101This application layer is also called layer 7. It is only possible to fetch the
11102data in this section when a full HTTP request or response has been parsed from
11103its respective request or response buffer. This is always the case with all
11104HTTP specific rules and for sections running with "mode http". When using TCP
11105content inspection, it may be necessary to support an inspection delay in order
11106to let the request or response come in first. These fetches may require a bit
11107more CPU resources than the layer 4 ones, but not much since the request and
11108response are indexed.
11109
11110base : string
11111 This returns the concatenation of the first Host header and the path part of
11112 the request, which starts at the first slash and ends before the question
11113 mark. It can be useful in virtual hosted environments to detect URL abuses as
11114 well as to improve shared caches efficiency. Using this with a limited size
11115 stick table also allows one to collect statistics about most commonly
11116 requested objects by host/path. With ACLs it can allow simple content
11117 switching rules involving the host and the path at the same time, such as
11118 "www.example.com/favicon.ico". See also "path" and "uri".
11119
11120 ACL derivatives :
11121 base : exact string match
11122 base_beg : prefix match
11123 base_dir : subdir match
11124 base_dom : domain match
11125 base_end : suffix match
11126 base_len : length match
11127 base_reg : regex match
11128 base_sub : substring match
11129
11130base32 : integer
11131 This returns a 32-bit hash of the value returned by the "base" fetch method
11132 above. This is useful to track per-URL activity on high traffic sites without
11133 having to store all URLs. Instead a shorter hash is stored, saving a lot of
11134 memory. The output type is an unsigned integer.
11135
11136base32+src : binary
11137 This returns the concatenation of the base32 fetch above and the src fetch
11138 below. The resulting type is of type binary, with a size of 8 or 20 bytes
11139 depending on the source address family. This can be used to track per-IP,
11140 per-URL counters.
11141
William Lallemand65ad6e12014-01-31 15:08:02 +010011142capture.req.hdr(<idx>) : string
11143 This extracts the content of the header captured by the "capture request
11144 header", idx is the position of the capture keyword in the configuration.
11145 The first entry is an index of 0. See also: "capture request header".
11146
11147capture.req.method : string
11148 This extracts the METHOD of an HTTP request. It can be used in both request
11149 and response. Unlike "method", it can be used in both request and response
11150 because it's allocated.
11151
11152capture.req.uri : string
11153 This extracts the request's URI, which starts at the first slash and ends
11154 before the first space in the request (without the host part). Unlike "path"
11155 and "url", it can be used in both request and response because it's
11156 allocated.
11157
Willy Tarreau3c1b5ec2014-04-24 23:41:57 +020011158capture.req.ver : string
11159 This extracts the request's HTTP version and returns either "HTTP/1.0" or
11160 "HTTP/1.1". Unlike "req.ver", it can be used in both request, response, and
11161 logs because it relies on a persistent flag.
11162
William Lallemand65ad6e12014-01-31 15:08:02 +010011163capture.res.hdr(<idx>) : string
11164 This extracts the content of the header captured by the "capture response
11165 header", idx is the position of the capture keyword in the configuration.
11166 The first entry is an index of 0.
11167 See also: "capture response header"
11168
Willy Tarreau3c1b5ec2014-04-24 23:41:57 +020011169capture.res.ver : string
11170 This extracts the response's HTTP version and returns either "HTTP/1.0" or
11171 "HTTP/1.1". Unlike "res.ver", it can be used in logs because it relies on a
11172 persistent flag.
11173
Willy Tarreau74ca5042013-06-11 23:12:07 +020011174req.cook([<name>]) : string
11175cook([<name>]) : string (deprecated)
11176 This extracts the last occurrence of the cookie name <name> on a "Cookie"
11177 header line from the request, and returns its value as string. If no name is
11178 specified, the first cookie value is returned. When used with ACLs, all
11179 matching cookies are evaluated. Spaces around the name and the value are
11180 ignored as requested by the Cookie header specification (RFC6265). The cookie
11181 name is case-sensitive. Empty cookies are valid, so an empty cookie may very
11182 well return an empty value if it is present. Use the "found" match to detect
11183 presence. Use the res.cook() variant for response cookies sent by the server.
11184
11185 ACL derivatives :
11186 cook([<name>]) : exact string match
11187 cook_beg([<name>]) : prefix match
11188 cook_dir([<name>]) : subdir match
11189 cook_dom([<name>]) : domain match
11190 cook_end([<name>]) : suffix match
11191 cook_len([<name>]) : length match
11192 cook_reg([<name>]) : regex match
11193 cook_sub([<name>]) : substring match
Willy Tarreaud63335a2010-02-26 12:56:52 +010011194
Willy Tarreau74ca5042013-06-11 23:12:07 +020011195req.cook_cnt([<name>]) : integer
11196cook_cnt([<name>]) : integer (deprecated)
11197 Returns an integer value representing the number of occurrences of the cookie
11198 <name> in the request, or all cookies if <name> is not specified.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011199
Willy Tarreau74ca5042013-06-11 23:12:07 +020011200req.cook_val([<name>]) : integer
11201cook_val([<name>]) : integer (deprecated)
11202 This extracts the last occurrence of the cookie name <name> on a "Cookie"
11203 header line from the request, and converts its value to an integer which is
11204 returned. If no name is specified, the first cookie value is returned. When
11205 used in ACLs, all matching names are iterated over until a value matches.
Willy Tarreau0e698542011-09-16 08:32:32 +020011206
Willy Tarreau74ca5042013-06-11 23:12:07 +020011207cookie([<name>]) : string (deprecated)
11208 This extracts the last occurrence of the cookie name <name> on a "Cookie"
11209 header line from the request, or a "Set-Cookie" header from the response, and
11210 returns its value as a string. A typical use is to get multiple clients
11211 sharing a same profile use the same server. This can be similar to what
11212 "appsession" does with the "request-learn" statement, but with support for
11213 multi-peer synchronization and state keeping across restarts. If no name is
11214 specified, the first cookie value is returned. This fetch should not be used
11215 anymore and should be replaced by req.cook() or res.cook() instead as it
11216 ambiguously uses the direction based on the context where it is used.
11217 See also : "appsession".
Willy Tarreaud63335a2010-02-26 12:56:52 +010011218
Willy Tarreau74ca5042013-06-11 23:12:07 +020011219hdr([<name>[,<occ>]]) : string
11220 This is equivalent to req.hdr() when used on requests, and to res.hdr() when
11221 used on responses. Please refer to these respective fetches for more details.
11222 In case of doubt about the fetch direction, please use the explicit ones.
11223 Note that contrary to the hdr() sample fetch method, the hdr_* ACL keywords
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030011224 unambiguously apply to the request headers.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011225
Willy Tarreau74ca5042013-06-11 23:12:07 +020011226req.fhdr(<name>[,<occ>]) : string
11227 This extracts the last occurrence of header <name> in an HTTP request. When
11228 used from an ACL, all occurrences are iterated over until a match is found.
11229 Optionally, a specific occurrence might be specified as a position number.
11230 Positive values indicate a position from the first occurrence, with 1 being
11231 the first one. Negative values indicate positions relative to the last one,
11232 with -1 being the last one. It differs from req.hdr() in that any commas
11233 present in the value are returned and are not used as delimiters. This is
11234 sometimes useful with headers such as User-Agent.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011235
Willy Tarreau74ca5042013-06-11 23:12:07 +020011236req.fhdr_cnt([<name>]) : integer
11237 Returns an integer value representing the number of occurrences of request
11238 header field name <name>, or the total number of header fields if <name> is
11239 not specified. Contrary to its req.hdr_cnt() cousin, this function returns
11240 the number of full line headers and does not stop on commas.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011241
Willy Tarreau74ca5042013-06-11 23:12:07 +020011242req.hdr([<name>[,<occ>]]) : string
11243 This extracts the last occurrence of header <name> in an HTTP request. When
11244 used from an ACL, all occurrences are iterated over until a match is found.
11245 Optionally, a specific occurrence might be specified as a position number.
11246 Positive values indicate a position from the first occurrence, with 1 being
11247 the first one. Negative values indicate positions relative to the last one,
11248 with -1 being the last one. A typical use is with the X-Forwarded-For header
11249 once converted to IP, associated with an IP stick-table. The function
11250 considers any comma as a delimiter for distinct values. If full-line headers
11251 are desired instead, use req.fhdr(). Please carefully check RFC2616 to know
11252 how certain headers are supposed to be parsed. Also, some of them are case
11253 insensitive (eg: Connection).
Willy Tarreaud63335a2010-02-26 12:56:52 +010011254
Willy Tarreau74ca5042013-06-11 23:12:07 +020011255 ACL derivatives :
11256 hdr([<name>[,<occ>]]) : exact string match
11257 hdr_beg([<name>[,<occ>]]) : prefix match
11258 hdr_dir([<name>[,<occ>]]) : subdir match
11259 hdr_dom([<name>[,<occ>]]) : domain match
11260 hdr_end([<name>[,<occ>]]) : suffix match
11261 hdr_len([<name>[,<occ>]]) : length match
11262 hdr_reg([<name>[,<occ>]]) : regex match
11263 hdr_sub([<name>[,<occ>]]) : substring match
11264
11265req.hdr_cnt([<name>]) : integer
11266hdr_cnt([<header>]) : integer (deprecated)
11267 Returns an integer value representing the number of occurrences of request
11268 header field name <name>, or the total number of header field values if
11269 <name> is not specified. It is important to remember that one header line may
11270 count as several headers if it has several values. The function considers any
11271 comma as a delimiter for distinct values. If full-line headers are desired
11272 instead, req.fhdr_cnt() should be used instead. With ACLs, it can be used to
11273 detect presence, absence or abuse of a specific header, as well as to block
11274 request smuggling attacks by rejecting requests which contain more than one
11275 of certain headers. See "req.hdr" for more information on header matching.
11276
11277req.hdr_ip([<name>[,<occ>]]) : ip
11278hdr_ip([<name>[,<occ>]]) : ip (deprecated)
11279 This extracts the last occurrence of header <name> in an HTTP request,
11280 converts it to an IPv4 or IPv6 address and returns this address. When used
11281 with ACLs, all occurrences are checked, and if <name> is omitted, every value
11282 of every header is checked. Optionally, a specific occurrence might be
11283 specified as a position number. Positive values indicate a position from the
11284 first occurrence, with 1 being the first one. Negative values indicate
11285 positions relative to the last one, with -1 being the last one. A typical use
11286 is with the X-Forwarded-For and X-Client-IP headers.
11287
11288req.hdr_val([<name>[,<occ>]]) : integer
11289hdr_val([<name>[,<occ>]]) : integer (deprecated)
11290 This extracts the last occurrence of header <name> in an HTTP request, and
11291 converts it to an integer value. When used with ACLs, all occurrences are
11292 checked, and if <name> is omitted, every value of every header is checked.
11293 Optionally, a specific occurrence might be specified as a position number.
11294 Positive values indicate a position from the first occurrence, with 1 being
11295 the first one. Negative values indicate positions relative to the last one,
11296 with -1 being the last one. A typical use is with the X-Forwarded-For header.
11297
11298http_auth(<userlist>) : boolean
11299 Returns a boolean indicating whether the authentication data received from
11300 the client match a username & password stored in the specified userlist. This
11301 fetch function is not really useful outside of ACLs. Currently only http
11302 basic auth is supported.
11303
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010011304http_auth_group(<userlist>) : string
11305 Returns a string corresponding to the user name found in the authentication
11306 data received from the client if both the user name and password are valid
11307 according to the specified userlist. The main purpose is to use it in ACLs
11308 where it is then checked whether the user belongs to any group within a list.
Willy Tarreau74ca5042013-06-11 23:12:07 +020011309 This fetch function is not really useful outside of ACLs. Currently only http
11310 basic auth is supported.
11311
11312 ACL derivatives :
Thierry FOURNIER9eec0a62014-01-22 18:38:02 +010011313 http_auth_group(<userlist>) : group ...
11314 Returns true when the user extracted from the request and whose password is
11315 valid according to the specified userlist belongs to at least one of the
11316 groups.
Willy Tarreau74ca5042013-06-11 23:12:07 +020011317
11318http_first_req : boolean
Willy Tarreau7f18e522010-10-22 20:04:13 +020011319 Returns true when the request being processed is the first one of the
11320 connection. This can be used to add or remove headers that may be missing
Willy Tarreau74ca5042013-06-11 23:12:07 +020011321 from some requests when a request is not the first one, or to help grouping
11322 requests in the logs.
Willy Tarreau7f18e522010-10-22 20:04:13 +020011323
Willy Tarreau74ca5042013-06-11 23:12:07 +020011324method : integer + string
11325 Returns an integer value corresponding to the method in the HTTP request. For
11326 example, "GET" equals 1 (check sources to establish the matching). Value 9
11327 means "other method" and may be converted to a string extracted from the
11328 stream. This should not be used directly as a sample, this is only meant to
11329 be used from ACLs, which transparently convert methods from patterns to these
11330 integer + string values. Some predefined ACL already check for most common
11331 methods.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011332
Willy Tarreau74ca5042013-06-11 23:12:07 +020011333 ACL derivatives :
11334 method : case insensitive method match
Willy Tarreau6a06a402007-07-15 20:15:28 +020011335
Willy Tarreau74ca5042013-06-11 23:12:07 +020011336 Example :
11337 # only accept GET and HEAD requests
11338 acl valid_method method GET HEAD
11339 http-request deny if ! valid_method
Willy Tarreau6a06a402007-07-15 20:15:28 +020011340
Willy Tarreau74ca5042013-06-11 23:12:07 +020011341path : string
11342 This extracts the request's URL path, which starts at the first slash and
11343 ends before the question mark (without the host part). A typical use is with
11344 prefetch-capable caches, and with portals which need to aggregate multiple
11345 information from databases and keep them in caches. Note that with outgoing
11346 caches, it would be wiser to use "url" instead. With ACLs, it's typically
11347 used to match exact file names (eg: "/login.php"), or directory parts using
11348 the derivative forms. See also the "url" and "base" fetch methods.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011349
Willy Tarreau74ca5042013-06-11 23:12:07 +020011350 ACL derivatives :
11351 path : exact string match
11352 path_beg : prefix match
11353 path_dir : subdir match
11354 path_dom : domain match
11355 path_end : suffix match
11356 path_len : length match
11357 path_reg : regex match
11358 path_sub : substring match
Willy Tarreau6a06a402007-07-15 20:15:28 +020011359
Willy Tarreau74ca5042013-06-11 23:12:07 +020011360req.ver : string
11361req_ver : string (deprecated)
11362 Returns the version string from the HTTP request, for example "1.1". This can
11363 be useful for logs, but is mostly there for ACL. Some predefined ACL already
11364 check for versions 1.0 and 1.1.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011365
Willy Tarreau74ca5042013-06-11 23:12:07 +020011366 ACL derivatives :
11367 req_ver : exact string match
Willy Tarreau0e698542011-09-16 08:32:32 +020011368
Willy Tarreau74ca5042013-06-11 23:12:07 +020011369res.comp : boolean
11370 Returns the boolean "true" value if the response has been compressed by
11371 HAProxy, otherwise returns boolean "false". This may be used to add
11372 information in the logs.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011373
Willy Tarreau74ca5042013-06-11 23:12:07 +020011374res.comp_algo : string
11375 Returns a string containing the name of the algorithm used if the response
11376 was compressed by HAProxy, for example : "deflate". This may be used to add
11377 some information in the logs.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011378
Willy Tarreau74ca5042013-06-11 23:12:07 +020011379res.cook([<name>]) : string
11380scook([<name>]) : string (deprecated)
11381 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
11382 header line from the response, and returns its value as string. If no name is
11383 specified, the first cookie value is returned.
Willy Tarreau0ce3aa02012-04-25 18:46:33 +020011384
Willy Tarreau74ca5042013-06-11 23:12:07 +020011385 ACL derivatives :
11386 scook([<name>] : exact string match
Willy Tarreau0ce3aa02012-04-25 18:46:33 +020011387
Willy Tarreau74ca5042013-06-11 23:12:07 +020011388res.cook_cnt([<name>]) : integer
11389scook_cnt([<name>]) : integer (deprecated)
11390 Returns an integer value representing the number of occurrences of the cookie
11391 <name> in the response, or all cookies if <name> is not specified. This is
11392 mostly useful when combined with ACLs to detect suspicious responses.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011393
Willy Tarreau74ca5042013-06-11 23:12:07 +020011394res.cook_val([<name>]) : integer
11395scook_val([<name>]) : integer (deprecated)
11396 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
11397 header line from the response, and converts its value to an integer which is
11398 returned. If no name is specified, the first cookie value is returned.
Willy Tarreaud63335a2010-02-26 12:56:52 +010011399
Willy Tarreau74ca5042013-06-11 23:12:07 +020011400res.fhdr([<name>[,<occ>]]) : string
11401 This extracts the last occurrence of header <name> in an HTTP response, or of
11402 the last header if no <name> is specified. Optionally, a specific occurrence
11403 might be specified as a position number. Positive values indicate a position
11404 from the first occurrence, with 1 being the first one. Negative values
11405 indicate positions relative to the last one, with -1 being the last one. It
11406 differs from res.hdr() in that any commas present in the value are returned
11407 and are not used as delimiters. If this is not desired, the res.hdr() fetch
11408 should be used instead. This is sometimes useful with headers such as Date or
11409 Expires.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011410
Willy Tarreau74ca5042013-06-11 23:12:07 +020011411res.fhdr_cnt([<name>]) : integer
11412 Returns an integer value representing the number of occurrences of response
11413 header field name <name>, or the total number of header fields if <name> is
11414 not specified. Contrary to its res.hdr_cnt() cousin, this function returns
11415 the number of full line headers and does not stop on commas. If this is not
11416 desired, the res.hdr_cnt() fetch should be used instead.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011417
Willy Tarreau74ca5042013-06-11 23:12:07 +020011418res.hdr([<name>[,<occ>]]) : string
11419shdr([<name>[,<occ>]]) : string (deprecated)
11420 This extracts the last occurrence of header <name> in an HTTP response, or of
11421 the last header if no <name> is specified. Optionally, a specific occurrence
11422 might be specified as a position number. Positive values indicate a position
11423 from the first occurrence, with 1 being the first one. Negative values
11424 indicate positions relative to the last one, with -1 being the last one. This
11425 can be useful to learn some data into a stick-table. The function considers
11426 any comma as a delimiter for distinct values. If this is not desired, the
11427 res.fhdr() fetch should be used instead.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011428
Willy Tarreau74ca5042013-06-11 23:12:07 +020011429 ACL derivatives :
11430 shdr([<name>[,<occ>]]) : exact string match
11431 shdr_beg([<name>[,<occ>]]) : prefix match
11432 shdr_dir([<name>[,<occ>]]) : subdir match
11433 shdr_dom([<name>[,<occ>]]) : domain match
11434 shdr_end([<name>[,<occ>]]) : suffix match
11435 shdr_len([<name>[,<occ>]]) : length match
11436 shdr_reg([<name>[,<occ>]]) : regex match
11437 shdr_sub([<name>[,<occ>]]) : substring match
11438
11439res.hdr_cnt([<name>]) : integer
11440shdr_cnt([<name>]) : integer (deprecated)
11441 Returns an integer value representing the number of occurrences of response
11442 header field name <name>, or the total number of header fields if <name> is
11443 not specified. The function considers any comma as a delimiter for distinct
11444 values. If this is not desired, the res.fhdr_cnt() fetch should be used
11445 instead.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011446
Willy Tarreau74ca5042013-06-11 23:12:07 +020011447res.hdr_ip([<name>[,<occ>]]) : ip
11448shdr_ip([<name>[,<occ>]]) : ip (deprecated)
11449 This extracts the last occurrence of header <name> in an HTTP response,
11450 convert it to an IPv4 or IPv6 address and returns this address. Optionally, a
11451 specific occurrence might be specified as a position number. Positive values
11452 indicate a position from the first occurrence, with 1 being the first one.
11453 Negative values indicate positions relative to the last one, with -1 being
11454 the last one. This can be useful to learn some data into a stick table.
Willy Tarreau6a06a402007-07-15 20:15:28 +020011455
Willy Tarreau74ca5042013-06-11 23:12:07 +020011456res.hdr_val([<name>[,<occ>]]) : integer
11457shdr_val([<name>[,<occ>]]) : integer (deprecated)
11458 This extracts the last occurrence of header <name> in an HTTP response, and
11459 converts it to an integer value. Optionally, a specific occurrence might be
11460 specified as a position number. Positive values indicate a position from the
11461 first occurrence, with 1 being the first one. Negative values indicate
11462 positions relative to the last one, with -1 being the last one. This can be
11463 useful to learn some data into a stick table.
Alexandre Cassen5eb1a902007-11-29 15:43:32 +010011464
Willy Tarreau74ca5042013-06-11 23:12:07 +020011465res.ver : string
11466resp_ver : string (deprecated)
11467 Returns the version string from the HTTP response, for example "1.1". This
11468 can be useful for logs, but is mostly there for ACL.
Willy Tarreau0e698542011-09-16 08:32:32 +020011469
Willy Tarreau74ca5042013-06-11 23:12:07 +020011470 ACL derivatives :
11471 resp_ver : exact string match
Alexandre Cassen5eb1a902007-11-29 15:43:32 +010011472
Willy Tarreau74ca5042013-06-11 23:12:07 +020011473set-cookie([<name>]) : string (deprecated)
11474 This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
11475 header line from the response and uses the corresponding value to match. This
11476 can be comparable to what "appsession" does with default options, but with
11477 support for multi-peer synchronization and state keeping across restarts.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010011478
Willy Tarreau74ca5042013-06-11 23:12:07 +020011479 This fetch function is deprecated and has been superseded by the "res.cook"
11480 fetch. This keyword will disappear soon.
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +010011481
Willy Tarreau74ca5042013-06-11 23:12:07 +020011482 See also : "appsession"
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020011483
Willy Tarreau74ca5042013-06-11 23:12:07 +020011484status : integer
11485 Returns an integer containing the HTTP status code in the HTTP response, for
11486 example, 302. It is mostly used within ACLs and integer ranges, for example,
11487 to remove any Location header if the response is not a 3xx.
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020011488
Willy Tarreau74ca5042013-06-11 23:12:07 +020011489url : string
11490 This extracts the request's URL as presented in the request. A typical use is
11491 with prefetch-capable caches, and with portals which need to aggregate
11492 multiple information from databases and keep them in caches. With ACLs, using
11493 "path" is preferred over using "url", because clients may send a full URL as
11494 is normally done with proxies. The only real use is to match "*" which does
11495 not match in "path", and for which there is already a predefined ACL. See
11496 also "path" and "base".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020011497
Willy Tarreau74ca5042013-06-11 23:12:07 +020011498 ACL derivatives :
11499 url : exact string match
11500 url_beg : prefix match
11501 url_dir : subdir match
11502 url_dom : domain match
11503 url_end : suffix match
11504 url_len : length match
11505 url_reg : regex match
11506 url_sub : substring match
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020011507
Willy Tarreau74ca5042013-06-11 23:12:07 +020011508url_ip : ip
11509 This extracts the IP address from the request's URL when the host part is
11510 presented as an IP address. Its use is very limited. For instance, a
11511 monitoring system might use this field as an alternative for the source IP in
11512 order to test what path a given source address would follow, or to force an
11513 entry in a table for a given source address. With ACLs it can be used to
11514 restrict access to certain systems through a proxy, for example when combined
11515 with option "http_proxy".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020011516
Willy Tarreau74ca5042013-06-11 23:12:07 +020011517url_port : integer
11518 This extracts the port part from the request's URL. Note that if the port is
11519 not specified in the request, port 80 is assumed. With ACLs it can be used to
11520 restrict access to certain systems through a proxy, for example when combined
11521 with option "http_proxy".
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020011522
Willy Tarreau74ca5042013-06-11 23:12:07 +020011523urlp(<name>[,<delim>]) : string
11524url_param(<name>[,<delim>]) : string
11525 This extracts the first occurrence of the parameter <name> in the query
11526 string, which begins after either '?' or <delim>, and which ends before '&',
11527 ';' or <delim>. The parameter name is case-sensitive. The result is a string
11528 corresponding to the value of the parameter <name> as presented in the
11529 request (no URL decoding is performed). This can be used for session
11530 stickiness based on a client ID, to extract an application cookie passed as a
11531 URL parameter, or in ACLs to apply some checks. Note that the ACL version of
11532 this fetch do not iterate over multiple parameters and stop at the first one
11533 as well.
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020011534
Willy Tarreau74ca5042013-06-11 23:12:07 +020011535 ACL derivatives :
11536 urlp(<name>[,<delim>]) : exact string match
11537 urlp_beg(<name>[,<delim>]) : prefix match
11538 urlp_dir(<name>[,<delim>]) : subdir match
11539 urlp_dom(<name>[,<delim>]) : domain match
11540 urlp_end(<name>[,<delim>]) : suffix match
11541 urlp_len(<name>[,<delim>]) : length match
11542 urlp_reg(<name>[,<delim>]) : regex match
11543 urlp_sub(<name>[,<delim>]) : substring match
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020011544
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020011545
Willy Tarreau74ca5042013-06-11 23:12:07 +020011546 Example :
11547 # match http://example.com/foo?PHPSESSIONID=some_id
11548 stick on urlp(PHPSESSIONID)
11549 # match http://example.com/foo;JSESSIONID=some_id
11550 stick on urlp(JSESSIONID,;)
Willy Tarreau25c1ebc2012-04-25 16:21:44 +020011551
Willy Tarreau74ca5042013-06-11 23:12:07 +020011552urlp_val(<name>[,<delim>]) : integer
11553 See "urlp" above. This one extracts the URL parameter <name> in the request
11554 and converts it to an integer value. This can be used for session stickiness
11555 based on a user ID for example, or with ACLs to match a page number or price.
Willy Tarreaua9fddca2012-07-31 07:51:48 +020011556
Willy Tarreau198a7442008-01-17 12:05:32 +010011557
Willy Tarreau74ca5042013-06-11 23:12:07 +0200115587.4. Pre-defined ACLs
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011559---------------------
Willy Tarreauced27012008-01-17 20:35:34 +010011560
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011561Some predefined ACLs are hard-coded so that they do not have to be declared in
11562every frontend which needs them. They all have their names in upper case in
Patrick Mézard2382ad62010-05-09 10:43:32 +020011563order to avoid confusion. Their equivalence is provided below.
Willy Tarreauced27012008-01-17 20:35:34 +010011564
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011565ACL name Equivalent to Usage
11566---------------+-----------------------------+---------------------------------
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011567FALSE always_false never match
Willy Tarreau2492d5b2009-07-11 00:06:00 +020011568HTTP req_proto_http match if protocol is valid HTTP
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011569HTTP_1.0 req_ver 1.0 match HTTP version 1.0
11570HTTP_1.1 req_ver 1.1 match HTTP version 1.1
Willy Tarreaud63335a2010-02-26 12:56:52 +010011571HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
11572HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
11573HTTP_URL_SLASH url_beg / match URL beginning with "/"
11574HTTP_URL_STAR url * match URL equal to "*"
11575LOCALHOST src 127.0.0.1/8 match connection from local host
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011576METH_CONNECT method CONNECT match HTTP CONNECT method
11577METH_GET method GET HEAD match HTTP GET or HEAD method
11578METH_HEAD method HEAD match HTTP HEAD method
11579METH_OPTIONS method OPTIONS match HTTP OPTIONS method
11580METH_POST method POST match HTTP POST method
11581METH_TRACE method TRACE match HTTP TRACE method
Emeric Brunbede3d02009-06-30 17:54:00 +020011582RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011583REQ_CONTENT req_len gt 0 match data in the request buffer
Willy Tarreaud63335a2010-02-26 12:56:52 +010011584TRUE always_true always match
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011585WAIT_END wait_end wait for end of content analysis
11586---------------+-----------------------------+---------------------------------
Willy Tarreauced27012008-01-17 20:35:34 +010011587
Willy Tarreaub937b7e2010-01-12 15:27:54 +010011588
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200115898. Logging
11590----------
Willy Tarreau844e3c52008-01-11 16:28:18 +010011591
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011592One of HAProxy's strong points certainly lies is its precise logs. It probably
11593provides the finest level of information available for such a product, which is
11594very important for troubleshooting complex environments. Standard information
11595provided in logs include client ports, TCP/HTTP state timers, precise session
11596state at termination and precise termination cause, information about decisions
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010011597to direct traffic to a server, and of course the ability to capture arbitrary
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011598headers.
11599
11600In order to improve administrators reactivity, it offers a great transparency
11601about encountered problems, both internal and external, and it is possible to
11602send logs to different sources at the same time with different level filters :
11603
11604 - global process-level logs (system errors, start/stop, etc..)
11605 - per-instance system and internal errors (lack of resource, bugs, ...)
11606 - per-instance external troubles (servers up/down, max connections)
11607 - per-instance activity (client connections), either at the establishment or
11608 at the termination.
11609
11610The ability to distribute different levels of logs to different log servers
11611allow several production teams to interact and to fix their problems as soon
11612as possible. For example, the system team might monitor system-wide errors,
11613while the application team might be monitoring the up/down for their servers in
11614real time, and the security team might analyze the activity logs with one hour
11615delay.
11616
11617
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200116188.1. Log levels
11619---------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011620
Simon Hormandf791f52011-05-29 15:01:10 +090011621TCP and HTTP connections can be logged with information such as the date, time,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011622source IP address, destination address, connection duration, response times,
Simon Hormandf791f52011-05-29 15:01:10 +090011623HTTP request, HTTP return code, number of bytes transmitted, conditions
11624in which the session ended, and even exchanged cookies values. For example
11625track a particular user's problems. All messages may be sent to up to two
11626syslog servers. Check the "log" keyword in section 4.2 for more information
11627about log facilities.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011628
11629
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200116308.2. Log formats
11631----------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011632
William Lallemand48940402012-01-30 16:47:22 +010011633HAProxy supports 5 log formats. Several fields are common between these formats
Simon Hormandf791f52011-05-29 15:01:10 +090011634and will be detailed in the following sections. A few of them may vary
11635slightly with the configuration, due to indicators specific to certain
11636options. The supported formats are as follows :
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011637
11638 - the default format, which is very basic and very rarely used. It only
11639 provides very basic information about the incoming connection at the moment
11640 it is accepted : source IP:port, destination IP:port, and frontend-name.
11641 This mode will eventually disappear so it will not be described to great
11642 extents.
11643
11644 - the TCP format, which is more advanced. This format is enabled when "option
11645 tcplog" is set on the frontend. HAProxy will then usually wait for the
11646 connection to terminate before logging. This format provides much richer
11647 information, such as timers, connection counts, queue size, etc... This
11648 format is recommended for pure TCP proxies.
11649
11650 - the HTTP format, which is the most advanced for HTTP proxying. This format
11651 is enabled when "option httplog" is set on the frontend. It provides the
11652 same information as the TCP format with some HTTP-specific fields such as
11653 the request, the status code, and captures of headers and cookies. This
11654 format is recommended for HTTP proxies.
11655
Emeric Brun3a058f32009-06-30 18:26:00 +020011656 - the CLF HTTP format, which is equivalent to the HTTP format, but with the
11657 fields arranged in the same order as the CLF format. In this mode, all
11658 timers, captures, flags, etc... appear one per field after the end of the
11659 common fields, in the same order they appear in the standard HTTP format.
11660
William Lallemand48940402012-01-30 16:47:22 +010011661 - the custom log format, allows you to make your own log line.
11662
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011663Next sections will go deeper into details for each of these formats. Format
11664specification will be performed on a "field" basis. Unless stated otherwise, a
11665field is a portion of text delimited by any number of spaces. Since syslog
11666servers are susceptible of inserting fields at the beginning of a line, it is
11667always assumed that the first field is the one containing the process name and
11668identifier.
11669
11670Note : Since log lines may be quite long, the log examples in sections below
11671 might be broken into multiple lines. The example log lines will be
11672 prefixed with 3 closing angle brackets ('>>>') and each time a log is
11673 broken into multiple lines, each non-final line will end with a
11674 backslash ('\') and the next line will start indented by two characters.
11675
11676
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200116778.2.1. Default log format
11678-------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011679
11680This format is used when no specific option is set. The log is emitted as soon
11681as the connection is accepted. One should note that this currently is the only
11682format which logs the request's destination IP and ports.
11683
11684 Example :
11685 listen www
11686 mode http
11687 log global
11688 server srv1 127.0.0.1:8000
11689
11690 >>> Feb 6 12:12:09 localhost \
11691 haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
11692 (www/HTTP)
11693
11694 Field Format Extract from the example above
11695 1 process_name '[' pid ']:' haproxy[14385]:
11696 2 'Connect from' Connect from
11697 3 source_ip ':' source_port 10.0.1.2:33312
11698 4 'to' to
11699 5 destination_ip ':' destination_port 10.0.3.31:8012
11700 6 '(' frontend_name '/' mode ')' (www/HTTP)
11701
11702Detailed fields description :
11703 - "source_ip" is the IP address of the client which initiated the connection.
11704 - "source_port" is the TCP port of the client which initiated the connection.
11705 - "destination_ip" is the IP address the client connected to.
11706 - "destination_port" is the TCP port the client connected to.
11707 - "frontend_name" is the name of the frontend (or listener) which received
11708 and processed the connection.
11709 - "mode is the mode the frontend is operating (TCP or HTTP).
11710
Willy Tarreauceb24bc2010-11-09 12:46:41 +010011711In case of a UNIX socket, the source and destination addresses are marked as
11712"unix:" and the ports reflect the internal ID of the socket which accepted the
11713connection (the same ID as reported in the stats).
11714
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011715It is advised not to use this deprecated format for newer installations as it
11716will eventually disappear.
11717
11718
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200117198.2.2. TCP log format
11720---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011721
11722The TCP format is used when "option tcplog" is specified in the frontend, and
11723is the recommended format for pure TCP proxies. It provides a lot of precious
11724information for troubleshooting. Since this format includes timers and byte
11725counts, the log is normally emitted at the end of the session. It can be
11726emitted earlier if "option logasap" is specified, which makes sense in most
11727environments with long sessions such as remote terminals. Sessions which match
11728the "monitor" rules are never logged. It is also possible not to emit logs for
11729sessions for which no data were exchanged between the client and the server, by
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020011730specifying "option dontlognull" in the frontend. Successful connections will
11731not be logged if "option dontlog-normal" is specified in the frontend. A few
11732fields may slightly vary depending on some configuration options, those are
11733marked with a star ('*') after the field name below.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011734
11735 Example :
11736 frontend fnt
11737 mode tcp
11738 option tcplog
11739 log global
11740 default_backend bck
11741
11742 backend bck
11743 server srv1 127.0.0.1:8000
11744
11745 >>> Feb 6 12:12:56 localhost \
11746 haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
11747 bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
11748
11749 Field Format Extract from the example above
11750 1 process_name '[' pid ']:' haproxy[14387]:
11751 2 client_ip ':' client_port 10.0.1.2:33313
11752 3 '[' accept_date ']' [06/Feb/2009:12:12:51.443]
11753 4 frontend_name fnt
11754 5 backend_name '/' server_name bck/srv1
11755 6 Tw '/' Tc '/' Tt* 0/0/5007
11756 7 bytes_read* 212
11757 8 termination_state --
11758 9 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 0/0/0/0/3
11759 10 srv_queue '/' backend_queue 0/0
11760
11761Detailed fields description :
11762 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +010011763 connection to haproxy. If the connection was accepted on a UNIX socket
11764 instead, the IP address would be replaced with the word "unix". Note that
11765 when the connection is accepted on a socket configured with "accept-proxy"
11766 and the PROXY protocol is correctly used, then the logs will reflect the
11767 forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011768
11769 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +010011770 If the connection was accepted on a UNIX socket instead, the port would be
11771 replaced with the ID of the accepting socket, which is also reported in the
11772 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011773
11774 - "accept_date" is the exact date when the connection was received by haproxy
11775 (which might be very slightly different from the date observed on the
11776 network if there was some queuing in the system's backlog). This is usually
11777 the same date which may appear in any upstream firewall's log.
11778
11779 - "frontend_name" is the name of the frontend (or listener) which received
11780 and processed the connection.
11781
11782 - "backend_name" is the name of the backend (or listener) which was selected
11783 to manage the connection to the server. This will be the same as the
11784 frontend if no switching rule has been applied, which is common for TCP
11785 applications.
11786
11787 - "server_name" is the name of the last server to which the connection was
11788 sent, which might differ from the first one if there were connection errors
11789 and a redispatch occurred. Note that this server belongs to the backend
11790 which processed the request. If the connection was aborted before reaching
11791 a server, "<NOSRV>" is indicated instead of a server name.
11792
11793 - "Tw" is the total time in milliseconds spent waiting in the various queues.
11794 It can be "-1" if the connection was aborted before reaching the queue.
11795 See "Timers" below for more details.
11796
11797 - "Tc" is the total time in milliseconds spent waiting for the connection to
11798 establish to the final server, including retries. It can be "-1" if the
11799 connection was aborted before a connection could be established. See
11800 "Timers" below for more details.
11801
11802 - "Tt" is the total time in milliseconds elapsed between the accept and the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030011803 last close. It covers all possible processing. There is one exception, if
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011804 "option logasap" was specified, then the time counting stops at the moment
11805 the log is emitted. In this case, a '+' sign is prepended before the value,
11806 indicating that the final one will be larger. See "Timers" below for more
11807 details.
11808
11809 - "bytes_read" is the total number of bytes transmitted from the server to
11810 the client when the log is emitted. If "option logasap" is specified, the
11811 this value will be prefixed with a '+' sign indicating that the final one
11812 may be larger. Please note that this value is a 64-bit counter, so log
11813 analysis tools must be able to handle it without overflowing.
11814
11815 - "termination_state" is the condition the session was in when the session
11816 ended. This indicates the session state, which side caused the end of
11817 session to happen, and for what reason (timeout, error, ...). The normal
11818 flags should be "--", indicating the session was closed by either end with
11819 no data remaining in buffers. See below "Session state at disconnection"
11820 for more details.
11821
11822 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040011823 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011824 limits have been reached. For instance, if actconn is close to 512 when
11825 multiple connection errors occur, chances are high that the system limits
11826 the process to use a maximum of 1024 file descriptors and that all of them
Willy Tarreauc57f0e22009-05-10 13:12:33 +020011827 are used. See section 3 "Global parameters" to find how to tune the system.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011828
11829 - "feconn" is the total number of concurrent connections on the frontend when
11830 the session was logged. It is useful to estimate the amount of resource
11831 required to sustain high loads, and to detect when the frontend's "maxconn"
11832 has been reached. Most often when this value increases by huge jumps, it is
11833 because there is congestion on the backend servers, but sometimes it can be
11834 caused by a denial of service attack.
11835
11836 - "beconn" is the total number of concurrent connections handled by the
11837 backend when the session was logged. It includes the total number of
11838 concurrent connections active on servers as well as the number of
11839 connections pending in queues. It is useful to estimate the amount of
11840 additional servers needed to support high loads for a given application.
11841 Most often when this value increases by huge jumps, it is because there is
11842 congestion on the backend servers, but sometimes it can be caused by a
11843 denial of service attack.
11844
11845 - "srv_conn" is the total number of concurrent connections still active on
11846 the server when the session was logged. It can never exceed the server's
11847 configured "maxconn" parameter. If this value is very often close or equal
11848 to the server's "maxconn", it means that traffic regulation is involved a
11849 lot, meaning that either the server's maxconn value is too low, or that
11850 there aren't enough servers to process the load with an optimal response
11851 time. When only one of the server's "srv_conn" is high, it usually means
11852 that this server has some trouble causing the connections to take longer to
11853 be processed than on other servers.
11854
11855 - "retries" is the number of connection retries experienced by this session
11856 when trying to connect to the server. It must normally be zero, unless a
11857 server is being stopped at the same moment the connection was attempted.
11858 Frequent retries generally indicate either a network problem between
11859 haproxy and the server, or a misconfigured system backlog on the server
11860 preventing new connections from being queued. This field may optionally be
11861 prefixed with a '+' sign, indicating that the session has experienced a
11862 redispatch after the maximal retry count has been reached on the initial
11863 server. In this case, the server name appearing in the log is the one the
11864 connection was redispatched to, and not the first one, though both may
11865 sometimes be the same in case of hashing for instance. So as a general rule
11866 of thumb, when a '+' is present in front of the retry count, this count
11867 should not be attributed to the logged server.
11868
11869 - "srv_queue" is the total number of requests which were processed before
11870 this one in the server queue. It is zero when the request has not gone
11871 through the server queue. It makes it possible to estimate the approximate
11872 server's response time by dividing the time spent in queue by the number of
11873 requests in the queue. It is worth noting that if a session experiences a
11874 redispatch and passes through two server queues, their positions will be
11875 cumulated. A request should not pass through both the server queue and the
11876 backend queue unless a redispatch occurs.
11877
11878 - "backend_queue" is the total number of requests which were processed before
11879 this one in the backend's global queue. It is zero when the request has not
11880 gone through the global queue. It makes it possible to estimate the average
11881 queue length, which easily translates into a number of missing servers when
11882 divided by a server's "maxconn" parameter. It is worth noting that if a
11883 session experiences a redispatch, it may pass twice in the backend's queue,
11884 and then both positions will be cumulated. A request should not pass
11885 through both the server queue and the backend queue unless a redispatch
11886 occurs.
11887
11888
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200118898.2.3. HTTP log format
11890----------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011891
11892The HTTP format is the most complete and the best suited for HTTP proxies. It
11893is enabled by when "option httplog" is specified in the frontend. It provides
11894the same level of information as the TCP format with additional features which
11895are specific to the HTTP protocol. Just like the TCP format, the log is usually
11896emitted at the end of the session, unless "option logasap" is specified, which
11897generally only makes sense for download sites. A session which matches the
11898"monitor" rules will never logged. It is also possible not to log sessions for
11899which no data were sent by the client by specifying "option dontlognull" in the
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020011900frontend. Successful connections will not be logged if "option dontlog-normal"
11901is specified in the frontend.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011902
11903Most fields are shared with the TCP log, some being different. A few fields may
11904slightly vary depending on some configuration options. Those ones are marked
11905with a star ('*') after the field name below.
11906
11907 Example :
11908 frontend http-in
11909 mode http
11910 option httplog
11911 log global
11912 default_backend bck
11913
11914 backend static
11915 server srv1 127.0.0.1:8000
11916
11917 >>> Feb 6 12:14:14 localhost \
11918 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
11919 static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010011920 {} "GET /index.html HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011921
11922 Field Format Extract from the example above
11923 1 process_name '[' pid ']:' haproxy[14389]:
11924 2 client_ip ':' client_port 10.0.1.2:33317
11925 3 '[' accept_date ']' [06/Feb/2009:12:14:14.655]
11926 4 frontend_name http-in
11927 5 backend_name '/' server_name static/srv1
11928 6 Tq '/' Tw '/' Tc '/' Tr '/' Tt* 10/0/30/69/109
11929 7 status_code 200
11930 8 bytes_read* 2750
11931 9 captured_request_cookie -
11932 10 captured_response_cookie -
11933 11 termination_state ----
11934 12 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
11935 13 srv_queue '/' backend_queue 0/0
11936 14 '{' captured_request_headers* '}' {haproxy.1wt.eu}
11937 15 '{' captured_response_headers* '}' {}
11938 16 '"' http_request '"' "GET /index.html HTTP/1.1"
Willy Tarreaud72758d2010-01-12 10:42:19 +010011939
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011940
11941Detailed fields description :
11942 - "client_ip" is the IP address of the client which initiated the TCP
Willy Tarreauceb24bc2010-11-09 12:46:41 +010011943 connection to haproxy. If the connection was accepted on a UNIX socket
11944 instead, the IP address would be replaced with the word "unix". Note that
11945 when the connection is accepted on a socket configured with "accept-proxy"
11946 and the PROXY protocol is correctly used, then the logs will reflect the
11947 forwarded connection's information.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011948
11949 - "client_port" is the TCP port of the client which initiated the connection.
Willy Tarreauceb24bc2010-11-09 12:46:41 +010011950 If the connection was accepted on a UNIX socket instead, the port would be
11951 replaced with the ID of the accepting socket, which is also reported in the
11952 stats interface.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010011953
11954 - "accept_date" is the exact date when the TCP connection was received by
11955 haproxy (which might be very slightly different from the date observed on
11956 the network if there was some queuing in the system's backlog). This is
11957 usually the same date which may appear in any upstream firewall's log. This
11958 does not depend on the fact that the client has sent the request or not.
11959
11960 - "frontend_name" is the name of the frontend (or listener) which received
11961 and processed the connection.
11962
11963 - "backend_name" is the name of the backend (or listener) which was selected
11964 to manage the connection to the server. This will be the same as the
11965 frontend if no switching rule has been applied.
11966
11967 - "server_name" is the name of the last server to which the connection was
11968 sent, which might differ from the first one if there were connection errors
11969 and a redispatch occurred. Note that this server belongs to the backend
11970 which processed the request. If the request was aborted before reaching a
11971 server, "<NOSRV>" is indicated instead of a server name. If the request was
11972 intercepted by the stats subsystem, "<STATS>" is indicated instead.
11973
11974 - "Tq" is the total time in milliseconds spent waiting for the client to send
11975 a full HTTP request, not counting data. It can be "-1" if the connection
11976 was aborted before a complete request could be received. It should always
11977 be very small because a request generally fits in one single packet. Large
11978 times here generally indicate network trouble between the client and
11979 haproxy. See "Timers" below for more details.
11980
11981 - "Tw" is the total time in milliseconds spent waiting in the various queues.
11982 It can be "-1" if the connection was aborted before reaching the queue.
11983 See "Timers" below for more details.
11984
11985 - "Tc" is the total time in milliseconds spent waiting for the connection to
11986 establish to the final server, including retries. It can be "-1" if the
11987 request was aborted before a connection could be established. See "Timers"
11988 below for more details.
11989
11990 - "Tr" is the total time in milliseconds spent waiting for the server to send
11991 a full HTTP response, not counting data. It can be "-1" if the request was
11992 aborted before a complete response could be received. It generally matches
11993 the server's processing time for the request, though it may be altered by
11994 the amount of data sent by the client to the server. Large times here on
11995 "GET" requests generally indicate an overloaded server. See "Timers" below
11996 for more details.
11997
11998 - "Tt" is the total time in milliseconds elapsed between the accept and the
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030011999 last close. It covers all possible processing. There is one exception, if
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012000 "option logasap" was specified, then the time counting stops at the moment
12001 the log is emitted. In this case, a '+' sign is prepended before the value,
12002 indicating that the final one will be larger. See "Timers" below for more
12003 details.
12004
12005 - "status_code" is the HTTP status code returned to the client. This status
12006 is generally set by the server, but it might also be set by haproxy when
12007 the server cannot be reached or when its response is blocked by haproxy.
12008
12009 - "bytes_read" is the total number of bytes transmitted to the client when
12010 the log is emitted. This does include HTTP headers. If "option logasap" is
12011 specified, the this value will be prefixed with a '+' sign indicating that
12012 the final one may be larger. Please note that this value is a 64-bit
12013 counter, so log analysis tools must be able to handle it without
12014 overflowing.
12015
12016 - "captured_request_cookie" is an optional "name=value" entry indicating that
12017 the client had this cookie in the request. The cookie name and its maximum
12018 length are defined by the "capture cookie" statement in the frontend
12019 configuration. The field is a single dash ('-') when the option is not
12020 set. Only one cookie may be captured, it is generally used to track session
12021 ID exchanges between a client and a server to detect session crossing
12022 between clients due to application bugs. For more details, please consult
12023 the section "Capturing HTTP headers and cookies" below.
12024
12025 - "captured_response_cookie" is an optional "name=value" entry indicating
12026 that the server has returned a cookie with its response. The cookie name
12027 and its maximum length are defined by the "capture cookie" statement in the
12028 frontend configuration. The field is a single dash ('-') when the option is
12029 not set. Only one cookie may be captured, it is generally used to track
12030 session ID exchanges between a client and a server to detect session
12031 crossing between clients due to application bugs. For more details, please
12032 consult the section "Capturing HTTP headers and cookies" below.
12033
12034 - "termination_state" is the condition the session was in when the session
12035 ended. This indicates the session state, which side caused the end of
12036 session to happen, for what reason (timeout, error, ...), just like in TCP
12037 logs, and information about persistence operations on cookies in the last
12038 two characters. The normal flags should begin with "--", indicating the
12039 session was closed by either end with no data remaining in buffers. See
12040 below "Session state at disconnection" for more details.
12041
12042 - "actconn" is the total number of concurrent connections on the process when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040012043 the session was logged. It is useful to detect when some per-process system
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012044 limits have been reached. For instance, if actconn is close to 512 or 1024
12045 when multiple connection errors occur, chances are high that the system
12046 limits the process to use a maximum of 1024 file descriptors and that all
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012047 of them are used. See section 3 "Global parameters" to find how to tune the
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012048 system.
12049
12050 - "feconn" is the total number of concurrent connections on the frontend when
12051 the session was logged. It is useful to estimate the amount of resource
12052 required to sustain high loads, and to detect when the frontend's "maxconn"
12053 has been reached. Most often when this value increases by huge jumps, it is
12054 because there is congestion on the backend servers, but sometimes it can be
12055 caused by a denial of service attack.
12056
12057 - "beconn" is the total number of concurrent connections handled by the
12058 backend when the session was logged. It includes the total number of
12059 concurrent connections active on servers as well as the number of
12060 connections pending in queues. It is useful to estimate the amount of
12061 additional servers needed to support high loads for a given application.
12062 Most often when this value increases by huge jumps, it is because there is
12063 congestion on the backend servers, but sometimes it can be caused by a
12064 denial of service attack.
12065
12066 - "srv_conn" is the total number of concurrent connections still active on
12067 the server when the session was logged. It can never exceed the server's
12068 configured "maxconn" parameter. If this value is very often close or equal
12069 to the server's "maxconn", it means that traffic regulation is involved a
12070 lot, meaning that either the server's maxconn value is too low, or that
12071 there aren't enough servers to process the load with an optimal response
12072 time. When only one of the server's "srv_conn" is high, it usually means
12073 that this server has some trouble causing the requests to take longer to be
12074 processed than on other servers.
12075
12076 - "retries" is the number of connection retries experienced by this session
12077 when trying to connect to the server. It must normally be zero, unless a
12078 server is being stopped at the same moment the connection was attempted.
12079 Frequent retries generally indicate either a network problem between
12080 haproxy and the server, or a misconfigured system backlog on the server
12081 preventing new connections from being queued. This field may optionally be
12082 prefixed with a '+' sign, indicating that the session has experienced a
12083 redispatch after the maximal retry count has been reached on the initial
12084 server. In this case, the server name appearing in the log is the one the
12085 connection was redispatched to, and not the first one, though both may
12086 sometimes be the same in case of hashing for instance. So as a general rule
12087 of thumb, when a '+' is present in front of the retry count, this count
12088 should not be attributed to the logged server.
12089
12090 - "srv_queue" is the total number of requests which were processed before
12091 this one in the server queue. It is zero when the request has not gone
12092 through the server queue. It makes it possible to estimate the approximate
12093 server's response time by dividing the time spent in queue by the number of
12094 requests in the queue. It is worth noting that if a session experiences a
12095 redispatch and passes through two server queues, their positions will be
12096 cumulated. A request should not pass through both the server queue and the
12097 backend queue unless a redispatch occurs.
12098
12099 - "backend_queue" is the total number of requests which were processed before
12100 this one in the backend's global queue. It is zero when the request has not
12101 gone through the global queue. It makes it possible to estimate the average
12102 queue length, which easily translates into a number of missing servers when
12103 divided by a server's "maxconn" parameter. It is worth noting that if a
12104 session experiences a redispatch, it may pass twice in the backend's queue,
12105 and then both positions will be cumulated. A request should not pass
12106 through both the server queue and the backend queue unless a redispatch
12107 occurs.
12108
12109 - "captured_request_headers" is a list of headers captured in the request due
12110 to the presence of the "capture request header" statement in the frontend.
12111 Multiple headers can be captured, they will be delimited by a vertical bar
12112 ('|'). When no capture is enabled, the braces do not appear, causing a
12113 shift of remaining fields. It is important to note that this field may
12114 contain spaces, and that using it requires a smarter log parser than when
12115 it's not used. Please consult the section "Capturing HTTP headers and
12116 cookies" below for more details.
12117
12118 - "captured_response_headers" is a list of headers captured in the response
12119 due to the presence of the "capture response header" statement in the
12120 frontend. Multiple headers can be captured, they will be delimited by a
12121 vertical bar ('|'). When no capture is enabled, the braces do not appear,
12122 causing a shift of remaining fields. It is important to note that this
12123 field may contain spaces, and that using it requires a smarter log parser
12124 than when it's not used. Please consult the section "Capturing HTTP headers
12125 and cookies" below for more details.
12126
12127 - "http_request" is the complete HTTP request line, including the method,
12128 request and HTTP version string. Non-printable characters are encoded (see
12129 below the section "Non-printable characters"). This is always the last
12130 field, and it is always delimited by quotes and is the only one which can
12131 contain quotes. If new fields are added to the log format, they will be
12132 added before this field. This field might be truncated if the request is
12133 huge and does not fit in the standard syslog buffer (1024 characters). This
12134 is the reason why this field must always remain the last one.
12135
12136
Cyril Bontédc4d9032012-04-08 21:57:39 +0200121378.2.4. Custom log format
12138------------------------
William Lallemand48940402012-01-30 16:47:22 +010012139
Willy Tarreau2beef582012-12-20 17:22:52 +010012140The directive log-format allows you to customize the logs in http mode and tcp
William Lallemandbddd4fd2012-02-27 11:23:10 +010012141mode. It takes a string as argument.
William Lallemand48940402012-01-30 16:47:22 +010012142
12143HAproxy understands some log format variables. % precedes log format variables.
12144Variables can take arguments using braces ('{}'), and multiple arguments are
12145separated by commas within the braces. Flags may be added or removed by
12146prefixing them with a '+' or '-' sign.
12147
12148Special variable "%o" may be used to propagate its flags to all other
12149variables on the same format string. This is particularly handy with quoted
12150string formats ("Q").
12151
Willy Tarreauc8368452012-12-21 00:09:23 +010012152If a variable is named between square brackets ('[' .. ']') then it is used
Willy Tarreaube722a22014-06-13 16:31:59 +020012153as a sample expression rule (see section 7.3). This it useful to add some
Willy Tarreauc8368452012-12-21 00:09:23 +010012154less common information such as the client's SSL certificate's DN, or to log
12155the key that would be used to store an entry into a stick table.
12156
William Lallemand48940402012-01-30 16:47:22 +010012157Note: spaces must be escaped. A space character is considered as a separator.
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012158In order to emit a verbatim '%', it must be preceded by another '%' resulting
Willy Tarreau06d97f92013-12-02 17:45:48 +010012159in '%%'. HAProxy will automatically merge consecutive separators.
William Lallemand48940402012-01-30 16:47:22 +010012160
12161Flags are :
12162 * Q: quote a string
Jamie Gloudonaaa21002012-08-25 00:18:33 -040012163 * X: hexadecimal representation (IPs, Ports, %Ts, %rt, %pid)
William Lallemand48940402012-01-30 16:47:22 +010012164
12165 Example:
12166
12167 log-format %T\ %t\ Some\ Text
12168 log-format %{+Q}o\ %t\ %s\ %{-Q}r
12169
12170At the moment, the default HTTP format is defined this way :
12171
Willy Tarreau2beef582012-12-20 17:22:52 +010012172 log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ \
12173 %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
William Lallemand48940402012-01-30 16:47:22 +010012174
William Lallemandbddd4fd2012-02-27 11:23:10 +010012175the default CLF format is defined this way :
William Lallemand48940402012-01-30 16:47:22 +010012176
Willy Tarreau2beef582012-12-20 17:22:52 +010012177 log-format %{+Q}o\ %{-Q}ci\ -\ -\ [%T]\ %r\ %ST\ %B\ \"\"\ \"\"\ %cp\ \
Willy Tarreau773d65f2012-10-12 14:56:11 +020012178 %ms\ %ft\ %b\ %s\ \%Tq\ %Tw\ %Tc\ %Tr\ %Tt\ %tsc\ %ac\ %fc\ \
Willy Tarreau2beef582012-12-20 17:22:52 +010012179 %bc\ %sc\ %rc\ %sq\ %bq\ %CC\ %CS\ \%hrl\ %hsl
William Lallemand48940402012-01-30 16:47:22 +010012180
William Lallemandbddd4fd2012-02-27 11:23:10 +010012181and the default TCP format is defined this way :
12182
Willy Tarreau2beef582012-12-20 17:22:52 +010012183 log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %ts\ \
William Lallemandbddd4fd2012-02-27 11:23:10 +010012184 %ac/%fc/%bc/%sc/%rc\ %sq/%bq
12185
William Lallemand48940402012-01-30 16:47:22 +010012186Please refer to the table below for currently defined variables :
12187
William Lallemandbddd4fd2012-02-27 11:23:10 +010012188 +---+------+-----------------------------------------------+-------------+
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020012189 | R | var | field name (8.2.2 and 8.2.3 for description) | type |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012190 +---+------+-----------------------------------------------+-------------+
12191 | | %o | special variable, apply flags on all next var | |
12192 +---+------+-----------------------------------------------+-------------+
Willy Tarreau2beef582012-12-20 17:22:52 +010012193 | | %B | bytes_read (from server to client) | numeric |
12194 | H | %CC | captured_request_cookie | string |
12195 | H | %CS | captured_response_cookie | string |
William Lallemand5f232402012-04-05 18:02:55 +020012196 | | %H | hostname | string |
William Lallemanda73203e2012-03-12 12:48:57 +010012197 | | %ID | unique-id | string |
Willy Tarreau4bf99632014-06-13 12:21:40 +020012198 | | %ST | status_code | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020012199 | | %T | gmt_date_time | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012200 | | %Tc | Tc | numeric |
Yuxans Yao4e25b012012-10-19 10:36:09 +080012201 | | %Tl | local_date_time | date |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020012202 | H | %Tq | Tq | numeric |
12203 | H | %Tr | Tr | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020012204 | | %Ts | timestamp | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012205 | | %Tt | Tt | numeric |
12206 | | %Tw | Tw | numeric |
Willy Tarreau2beef582012-12-20 17:22:52 +010012207 | | %U | bytes_uploaded (from client to server) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012208 | | %ac | actconn | numeric |
12209 | | %b | backend_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010012210 | | %bc | beconn (backend concurrent connections) | numeric |
12211 | | %bi | backend_source_ip (connecting address) | IP |
12212 | | %bp | backend_source_port (connecting address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012213 | | %bq | backend_queue | numeric |
Willy Tarreau2beef582012-12-20 17:22:52 +010012214 | | %ci | client_ip (accepted address) | IP |
12215 | | %cp | client_port (accepted address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012216 | | %f | frontend_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010012217 | | %fc | feconn (frontend concurrent connections) | numeric |
12218 | | %fi | frontend_ip (accepting address) | IP |
12219 | | %fp | frontend_port (accepting address) | numeric |
Willy Tarreau773d65f2012-10-12 14:56:11 +020012220 | | %ft | frontend_name_transport ('~' suffix for SSL) | string |
Willy Tarreaud9ed3d22014-06-13 12:23:06 +020012221 | | %hr | captured_request_headers default style | string |
12222 | | %hrl | captured_request_headers CLF style | string list |
12223 | | %hs | captured_response_headers default style | string |
12224 | | %hsl | captured_response_headers CLF style | string list |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012225 | | %ms | accept date milliseconds | numeric |
William Lallemand5f232402012-04-05 18:02:55 +020012226 | | %pid | PID | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020012227 | H | %r | http_request | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012228 | | %rc | retries | numeric |
Willy Tarreau1f0da242014-01-25 11:01:50 +010012229 | | %rt | request_counter (HTTP req or TCP session) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012230 | | %s | server_name | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010012231 | | %sc | srv_conn (server concurrent connections) | numeric |
12232 | | %si | server_IP (target address) | IP |
12233 | | %sp | server_port (target address) | numeric |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012234 | | %sq | srv_queue | numeric |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020012235 | S | %sslc| ssl_ciphers (ex: AES-SHA) | string |
12236 | S | %sslv| ssl_version (ex: TLSv1) | string |
Willy Tarreau2beef582012-12-20 17:22:52 +010012237 | | %t | date_time (with millisecond resolution) | date |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012238 | | %ts | termination_state | string |
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020012239 | H | %tsc | termination_state with cookie status | string |
William Lallemandbddd4fd2012-02-27 11:23:10 +010012240 +---+------+-----------------------------------------------+-------------+
William Lallemand48940402012-01-30 16:47:22 +010012241
Willy Tarreauffc3fcd2012-10-12 20:17:54 +020012242 R = Restrictions : H = mode http only ; S = SSL only
William Lallemand48940402012-01-30 16:47:22 +010012243
Willy Tarreau5f51e1a2012-12-03 18:40:10 +010012244
122458.2.5. Error log format
12246-----------------------
12247
12248When an incoming connection fails due to an SSL handshake or an invalid PROXY
12249protocol header, haproxy will log the event using a shorter, fixed line format.
12250By default, logs are emitted at the LOG_INFO level, unless the option
12251"log-separate-errors" is set in the backend, in which case the LOG_ERR level
12252will be used. Connections on which no data are exchanged (eg: probes) are not
12253logged if the "dontlognull" option is set.
12254
12255The format looks like this :
12256
12257 >>> Dec 3 18:27:14 localhost \
12258 haproxy[6103]: 127.0.0.1:56059 [03/Dec/2012:17:35:10.380] frt/f1: \
12259 Connection error during SSL handshake
12260
12261 Field Format Extract from the example above
12262 1 process_name '[' pid ']:' haproxy[6103]:
12263 2 client_ip ':' client_port 127.0.0.1:56059
12264 3 '[' accept_date ']' [03/Dec/2012:17:35:10.380]
12265 4 frontend_name "/" bind_name ":" frt/f1:
12266 5 message Connection error during SSL handshake
12267
12268These fields just provide minimal information to help debugging connection
12269failures.
12270
12271
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200122728.3. Advanced logging options
12273-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012274
12275Some advanced logging options are often looked for but are not easy to find out
12276just by looking at the various options. Here is an entry point for the few
12277options which can enable better logging. Please refer to the keywords reference
12278for more information about their usage.
12279
12280
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200122818.3.1. Disabling logging of external tests
12282------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012283
12284It is quite common to have some monitoring tools perform health checks on
12285haproxy. Sometimes it will be a layer 3 load-balancer such as LVS or any
12286commercial load-balancer, and sometimes it will simply be a more complete
12287monitoring system such as Nagios. When the tests are very frequent, users often
12288ask how to disable logging for those checks. There are three possibilities :
12289
12290 - if connections come from everywhere and are just TCP probes, it is often
12291 desired to simply disable logging of connections without data exchange, by
12292 setting "option dontlognull" in the frontend. It also disables logging of
12293 port scans, which may or may not be desired.
12294
12295 - if the connection come from a known source network, use "monitor-net" to
12296 declare this network as monitoring only. Any host in this network will then
12297 only be able to perform health checks, and their requests will not be
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012298 logged. This is generally appropriate to designate a list of equipment
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012299 such as other load-balancers.
12300
12301 - if the tests are performed on a known URI, use "monitor-uri" to declare
12302 this URI as dedicated to monitoring. Any host sending this request will
12303 only get the result of a health-check, and the request will not be logged.
12304
12305
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200123068.3.2. Logging before waiting for the session to terminate
12307----------------------------------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012308
12309The problem with logging at end of connection is that you have no clue about
12310what is happening during very long sessions, such as remote terminal sessions
12311or large file downloads. This problem can be worked around by specifying
12312"option logasap" in the frontend. Haproxy will then log as soon as possible,
12313just before data transfer begins. This means that in case of TCP, it will still
12314log the connection status to the server, and in case of HTTP, it will log just
12315after processing the server headers. In this case, the number of bytes reported
12316is the number of header bytes sent to the client. In order to avoid confusion
12317with normal logs, the total time field and the number of bytes are prefixed
12318with a '+' sign which means that real numbers are certainly larger.
12319
12320
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200123218.3.3. Raising log level upon errors
12322------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020012323
12324Sometimes it is more convenient to separate normal traffic from errors logs,
12325for instance in order to ease error monitoring from log files. When the option
12326"log-separate-errors" is used, connections which experience errors, timeouts,
12327retries, redispatches or HTTP status codes 5xx will see their syslog level
12328raised from "info" to "err". This will help a syslog daemon store the log in
12329a separate file. It is very important to keep the errors in the normal traffic
12330file too, so that log ordering is not altered. You should also be careful if
12331you already have configured your syslog daemon to store all logs higher than
12332"notice" in an "admin" file, because the "err" level is higher than "notice".
12333
12334
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200123358.3.4. Disabling logging of successful connections
12336--------------------------------------------------
Willy Tarreauc9bd0cc2009-05-10 11:57:02 +020012337
12338Although this may sound strange at first, some large sites have to deal with
12339multiple thousands of logs per second and are experiencing difficulties keeping
12340them intact for a long time or detecting errors within them. If the option
12341"dontlog-normal" is set on the frontend, all normal connections will not be
12342logged. In this regard, a normal connection is defined as one without any
12343error, timeout, retry nor redispatch. In HTTP, the status code is checked too,
12344and a response with a status 5xx is not considered normal and will be logged
12345too. Of course, doing is is really discouraged as it will remove most of the
12346useful information from the logs. Do this only if you have no other
12347alternative.
12348
12349
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200123508.4. Timing events
12351------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012352
12353Timers provide a great help in troubleshooting network problems. All values are
12354reported in milliseconds (ms). These timers should be used in conjunction with
12355the session termination flags. In TCP mode with "option tcplog" set on the
12356frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
12357mode, 5 control points are reported under the form "Tq/Tw/Tc/Tr/Tt" :
12358
12359 - Tq: total time to get the client request (HTTP mode only). It's the time
12360 elapsed between the moment the client connection was accepted and the
12361 moment the proxy received the last HTTP header. The value "-1" indicates
12362 that the end of headers (empty line) has never been seen. This happens when
12363 the client closes prematurely or times out.
12364
12365 - Tw: total time spent in the queues waiting for a connection slot. It
12366 accounts for backend queue as well as the server queues, and depends on the
12367 queue size, and the time needed for the server to complete previous
12368 requests. The value "-1" means that the request was killed before reaching
12369 the queue, which is generally what happens with invalid or denied requests.
12370
12371 - Tc: total time to establish the TCP connection to the server. It's the time
12372 elapsed between the moment the proxy sent the connection request, and the
12373 moment it was acknowledged by the server, or between the TCP SYN packet and
12374 the matching SYN/ACK packet in return. The value "-1" means that the
12375 connection never established.
12376
12377 - Tr: server response time (HTTP mode only). It's the time elapsed between
12378 the moment the TCP connection was established to the server and the moment
12379 the server sent its complete response headers. It purely shows its request
12380 processing time, without the network overhead due to the data transmission.
12381 It is worth noting that when the client has data to send to the server, for
12382 instance during a POST request, the time already runs, and this can distort
12383 apparent response time. For this reason, it's generally wise not to trust
12384 too much this field for POST requests initiated from clients behind an
12385 untrusted network. A value of "-1" here means that the last the response
12386 header (empty line) was never seen, most likely because the server timeout
12387 stroke before the server managed to process the request.
12388
12389 - Tt: total session duration time, between the moment the proxy accepted it
12390 and the moment both ends were closed. The exception is when the "logasap"
12391 option is specified. In this case, it only equals (Tq+Tw+Tc+Tr), and is
12392 prefixed with a '+' sign. From this field, we can deduce "Td", the data
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012393 transmission time, by subtracting other timers when valid :
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012394
12395 Td = Tt - (Tq + Tw + Tc + Tr)
12396
12397 Timers with "-1" values have to be excluded from this equation. In TCP
12398 mode, "Tq" and "Tr" have to be excluded too. Note that "Tt" can never be
12399 negative.
12400
12401These timers provide precious indications on trouble causes. Since the TCP
12402protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
12403that timers close to multiples of 3s are nearly always related to lost packets
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010012404due to network problems (wires, negotiation, congestion). Moreover, if "Tt" is
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012405close to a timeout value specified in the configuration, it often means that a
12406session has been aborted on timeout.
12407
12408Most common cases :
12409
12410 - If "Tq" is close to 3000, a packet has probably been lost between the
12411 client and the proxy. This is very rare on local networks but might happen
12412 when clients are on far remote networks and send large requests. It may
12413 happen that values larger than usual appear here without any network cause.
12414 Sometimes, during an attack or just after a resource starvation has ended,
12415 haproxy may accept thousands of connections in a few milliseconds. The time
12416 spent accepting these connections will inevitably slightly delay processing
12417 of other connections, and it can happen that request times in the order of
12418 a few tens of milliseconds are measured after a few thousands of new
Patrick Mezard105faca2010-06-12 17:02:46 +020012419 connections have been accepted at once. Setting "option http-server-close"
12420 may display larger request times since "Tq" also measures the time spent
12421 waiting for additional requests.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012422
12423 - If "Tc" is close to 3000, a packet has probably been lost between the
12424 server and the proxy during the server connection phase. This value should
12425 always be very low, such as 1 ms on local networks and less than a few tens
12426 of ms on remote networks.
12427
Willy Tarreau55165fe2009-05-10 12:02:55 +020012428 - If "Tr" is nearly always lower than 3000 except some rare values which seem
12429 to be the average majored by 3000, there are probably some packets lost
12430 between the proxy and the server.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012431
12432 - If "Tt" is large even for small byte counts, it generally is because
12433 neither the client nor the server decides to close the connection, for
12434 instance because both have agreed on a keep-alive connection mode. In order
12435 to solve this issue, it will be needed to specify "option httpclose" on
12436 either the frontend or the backend. If the problem persists, it means that
12437 the server ignores the "close" connection mode and expects the client to
12438 close. Then it will be required to use "option forceclose". Having the
12439 smallest possible 'Tt' is important when connection regulation is used with
12440 the "maxconn" option on the servers, since no new connection will be sent
12441 to the server until another one is released.
12442
12443Other noticeable HTTP log cases ('xx' means any value to be ignored) :
12444
12445 Tq/Tw/Tc/Tr/+Tt The "option logasap" is present on the frontend and the log
12446 was emitted before the data phase. All the timers are valid
12447 except "Tt" which is shorter than reality.
12448
12449 -1/xx/xx/xx/Tt The client was not able to send a complete request in time
12450 or it aborted too early. Check the session termination flags
12451 then "timeout http-request" and "timeout client" settings.
12452
12453 Tq/-1/xx/xx/Tt It was not possible to process the request, maybe because
12454 servers were out of order, because the request was invalid
12455 or forbidden by ACL rules. Check the session termination
12456 flags.
12457
12458 Tq/Tw/-1/xx/Tt The connection could not establish on the server. Either it
12459 actively refused it or it timed out after Tt-(Tq+Tw) ms.
12460 Check the session termination flags, then check the
12461 "timeout connect" setting. Note that the tarpit action might
12462 return similar-looking patterns, with "Tw" equal to the time
12463 the client connection was maintained open.
12464
12465 Tq/Tw/Tc/-1/Tt The server has accepted the connection but did not return
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012466 a complete response in time, or it closed its connection
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012467 unexpectedly after Tt-(Tq+Tw+Tc) ms. Check the session
12468 termination flags, then check the "timeout server" setting.
12469
12470
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200124718.5. Session state at disconnection
12472-----------------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012473
12474TCP and HTTP logs provide a session termination indicator in the
12475"termination_state" field, just before the number of active connections. It is
124762-characters long in TCP mode, and is extended to 4 characters in HTTP mode,
12477each of which has a special meaning :
12478
12479 - On the first character, a code reporting the first event which caused the
12480 session to terminate :
12481
12482 C : the TCP session was unexpectedly aborted by the client.
12483
12484 S : the TCP session was unexpectedly aborted by the server, or the
12485 server explicitly refused it.
12486
12487 P : the session was prematurely aborted by the proxy, because of a
12488 connection limit enforcement, because a DENY filter was matched,
12489 because of a security check which detected and blocked a dangerous
12490 error in server response which might have caused information leak
Willy Tarreau570f2212013-06-10 16:42:09 +020012491 (eg: cacheable cookie).
12492
12493 L : the session was locally processed by haproxy and was not passed to
12494 a server. This is what happens for stats and redirects.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012495
12496 R : a resource on the proxy has been exhausted (memory, sockets, source
12497 ports, ...). Usually, this appears during the connection phase, and
12498 system logs should contain a copy of the precise error. If this
12499 happens, it must be considered as a very serious anomaly which
12500 should be fixed as soon as possible by any means.
12501
12502 I : an internal error was identified by the proxy during a self-check.
12503 This should NEVER happen, and you are encouraged to report any log
12504 containing this, because this would almost certainly be a bug. It
12505 would be wise to preventively restart the process after such an
12506 event too, in case it would be caused by memory corruption.
12507
Simon Horman752dc4a2011-06-21 14:34:59 +090012508 D : the session was killed by haproxy because the server was detected
12509 as down and was configured to kill all connections when going down.
12510
Justin Karnegeseb2c24a2012-05-24 15:28:52 -070012511 U : the session was killed by haproxy on this backup server because an
12512 active server was detected as up and was configured to kill all
12513 backup connections when going up.
12514
Willy Tarreaua2a64e92011-09-07 23:01:56 +020012515 K : the session was actively killed by an admin operating on haproxy.
12516
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012517 c : the client-side timeout expired while waiting for the client to
12518 send or receive data.
12519
12520 s : the server-side timeout expired while waiting for the server to
12521 send or receive data.
12522
12523 - : normal session completion, both the client and the server closed
12524 with nothing left in the buffers.
12525
12526 - on the second character, the TCP or HTTP session state when it was closed :
12527
Willy Tarreauf7b30a92010-12-06 22:59:17 +010012528 R : the proxy was waiting for a complete, valid REQUEST from the client
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012529 (HTTP mode only). Nothing was sent to any server.
12530
12531 Q : the proxy was waiting in the QUEUE for a connection slot. This can
12532 only happen when servers have a 'maxconn' parameter set. It can
12533 also happen in the global queue after a redispatch consecutive to
12534 a failed attempt to connect to a dying server. If no redispatch is
12535 reported, then no connection attempt was made to any server.
12536
12537 C : the proxy was waiting for the CONNECTION to establish on the
12538 server. The server might at most have noticed a connection attempt.
12539
12540 H : the proxy was waiting for complete, valid response HEADERS from the
12541 server (HTTP only).
12542
12543 D : the session was in the DATA phase.
12544
12545 L : the proxy was still transmitting LAST data to the client while the
12546 server had already finished. This one is very rare as it can only
12547 happen when the client dies while receiving the last packets.
12548
12549 T : the request was tarpitted. It has been held open with the client
12550 during the whole "timeout tarpit" duration or until the client
12551 closed, both of which will be reported in the "Tw" timer.
12552
12553 - : normal session completion after end of data transfer.
12554
12555 - the third character tells whether the persistence cookie was provided by
12556 the client (only in HTTP mode) :
12557
12558 N : the client provided NO cookie. This is usually the case for new
12559 visitors, so counting the number of occurrences of this flag in the
12560 logs generally indicate a valid trend for the site frequentation.
12561
12562 I : the client provided an INVALID cookie matching no known server.
12563 This might be caused by a recent configuration change, mixed
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +020012564 cookies between HTTP/HTTPS sites, persistence conditionally
12565 ignored, or an attack.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012566
12567 D : the client provided a cookie designating a server which was DOWN,
12568 so either "option persist" was used and the client was sent to
12569 this server, or it was not set and the client was redispatched to
12570 another server.
12571
Willy Tarreau996a92c2010-10-13 19:30:47 +020012572 V : the client provided a VALID cookie, and was sent to the associated
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012573 server.
12574
Willy Tarreau996a92c2010-10-13 19:30:47 +020012575 E : the client provided a valid cookie, but with a last date which was
12576 older than what is allowed by the "maxidle" cookie parameter, so
12577 the cookie is consider EXPIRED and is ignored. The request will be
12578 redispatched just as if there was no cookie.
12579
12580 O : the client provided a valid cookie, but with a first date which was
12581 older than what is allowed by the "maxlife" cookie parameter, so
12582 the cookie is consider too OLD and is ignored. The request will be
12583 redispatched just as if there was no cookie.
12584
Willy Tarreauc89ccb62012-04-05 21:18:22 +020012585 U : a cookie was present but was not used to select the server because
12586 some other server selection mechanism was used instead (typically a
12587 "use-server" rule).
12588
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012589 - : does not apply (no cookie set in configuration).
12590
12591 - the last character reports what operations were performed on the persistence
12592 cookie returned by the server (only in HTTP mode) :
12593
12594 N : NO cookie was provided by the server, and none was inserted either.
12595
12596 I : no cookie was provided by the server, and the proxy INSERTED one.
12597 Note that in "cookie insert" mode, if the server provides a cookie,
12598 it will still be overwritten and reported as "I" here.
12599
Willy Tarreau996a92c2010-10-13 19:30:47 +020012600 U : the proxy UPDATED the last date in the cookie that was presented by
12601 the client. This can only happen in insert mode with "maxidle". It
Jarno Huuskonen0e82b922014-04-12 18:22:19 +030012602 happens every time there is activity at a different date than the
Willy Tarreau996a92c2010-10-13 19:30:47 +020012603 date indicated in the cookie. If any other change happens, such as
12604 a redispatch, then the cookie will be marked as inserted instead.
12605
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012606 P : a cookie was PROVIDED by the server and transmitted as-is.
12607
12608 R : the cookie provided by the server was REWRITTEN by the proxy, which
12609 happens in "cookie rewrite" or "cookie prefix" modes.
12610
12611 D : the cookie provided by the server was DELETED by the proxy.
12612
12613 - : does not apply (no cookie set in configuration).
12614
Willy Tarreau996a92c2010-10-13 19:30:47 +020012615The combination of the two first flags gives a lot of information about what
12616was happening when the session terminated, and why it did terminate. It can be
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012617helpful to detect server saturation, network troubles, local system resource
12618starvation, attacks, etc...
12619
12620The most common termination flags combinations are indicated below. They are
12621alphabetically sorted, with the lowercase set just after the upper case for
12622easier finding and understanding.
12623
12624 Flags Reason
12625
12626 -- Normal termination.
12627
12628 CC The client aborted before the connection could be established to the
12629 server. This can happen when haproxy tries to connect to a recently
12630 dead (or unchecked) server, and the client aborts while haproxy is
12631 waiting for the server to respond or for "timeout connect" to expire.
12632
12633 CD The client unexpectedly aborted during data transfer. This can be
12634 caused by a browser crash, by an intermediate equipment between the
12635 client and haproxy which decided to actively break the connection,
12636 by network routing issues between the client and haproxy, or by a
12637 keep-alive session between the server and the client terminated first
12638 by the client.
Willy Tarreaud72758d2010-01-12 10:42:19 +010012639
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012640 cD The client did not send nor acknowledge any data for as long as the
12641 "timeout client" delay. This is often caused by network failures on
Cyril Bontédc4d9032012-04-08 21:57:39 +020012642 the client side, or the client simply leaving the net uncleanly.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012643
12644 CH The client aborted while waiting for the server to start responding.
12645 It might be the server taking too long to respond or the client
12646 clicking the 'Stop' button too fast.
12647
12648 cH The "timeout client" stroke while waiting for client data during a
12649 POST request. This is sometimes caused by too large TCP MSS values
12650 for PPPoE networks which cannot transport full-sized packets. It can
12651 also happen when client timeout is smaller than server timeout and
12652 the server takes too long to respond.
12653
12654 CQ The client aborted while its session was queued, waiting for a server
12655 with enough empty slots to accept it. It might be that either all the
12656 servers were saturated or that the assigned server was taking too
12657 long a time to respond.
12658
12659 CR The client aborted before sending a full HTTP request. Most likely
12660 the request was typed by hand using a telnet client, and aborted
12661 too early. The HTTP status code is likely a 400 here. Sometimes this
12662 might also be caused by an IDS killing the connection between haproxy
12663 and the client.
12664
12665 cR The "timeout http-request" stroke before the client sent a full HTTP
12666 request. This is sometimes caused by too large TCP MSS values on the
12667 client side for PPPoE networks which cannot transport full-sized
12668 packets, or by clients sending requests by hand and not typing fast
12669 enough, or forgetting to enter the empty line at the end of the
Willy Tarreau2705a612014-05-23 17:38:34 +020012670 request. The HTTP status code is likely a 408 here. Note: recently,
12671 some browsers such as Google Chrome started to break the deployed Web
12672 infrastructure by aggressively implementing a new "pre-connect"
12673 feature, consisting in sending connections to sites recently visited
12674 without sending any request on them until the user starts to browse
12675 the site. This mechanism causes massive disruption among resource-
12676 limited servers, and causes a lot of 408 errors in HAProxy logs.
12677 Worse, some people report that sometimes the browser displays the 408
12678 error when the user expects to see the actual content (Mozilla fixed
12679 this bug in 2004, while Chrome users continue to report it in 2014),
12680 so in this case, using "errorfile 408 /dev/null" can be used as a
12681 workaround. More information on the subject is available here :
12682 https://bugzilla.mozilla.org/show_bug.cgi?id=248827
12683 https://code.google.com/p/chromium/issues/detail?id=85229
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012684
12685 CT The client aborted while its session was tarpitted. It is important to
12686 check if this happens on valid requests, in order to be sure that no
Willy Tarreau55165fe2009-05-10 12:02:55 +020012687 wrong tarpit rules have been written. If a lot of them happen, it
12688 might make sense to lower the "timeout tarpit" value to something
12689 closer to the average reported "Tw" timer, in order not to consume
12690 resources for just a few attackers.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012691
Willy Tarreau570f2212013-06-10 16:42:09 +020012692 LR The request was intercepted and locally handled by haproxy. Generally
12693 it means that this was a redirect or a stats request.
12694
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010012695 SC The server or an equipment between it and haproxy explicitly refused
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012696 the TCP connection (the proxy received a TCP RST or an ICMP message
12697 in return). Under some circumstances, it can also be the network
12698 stack telling the proxy that the server is unreachable (eg: no route,
12699 or no ARP response on local network). When this happens in HTTP mode,
12700 the status code is likely a 502 or 503 here.
12701
12702 sC The "timeout connect" stroke before a connection to the server could
12703 complete. When this happens in HTTP mode, the status code is likely a
12704 503 or 504 here.
12705
12706 SD The connection to the server died with an error during the data
12707 transfer. This usually means that haproxy has received an RST from
12708 the server or an ICMP message from an intermediate equipment while
12709 exchanging data with the server. This can be caused by a server crash
12710 or by a network issue on an intermediate equipment.
12711
12712 sD The server did not send nor acknowledge any data for as long as the
12713 "timeout server" setting during the data phase. This is often caused
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010012714 by too short timeouts on L4 equipments before the server (firewalls,
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012715 load-balancers, ...), as well as keep-alive sessions maintained
12716 between the client and the server expiring first on haproxy.
12717
12718 SH The server aborted before sending its full HTTP response headers, or
12719 it crashed while processing the request. Since a server aborting at
12720 this moment is very rare, it would be wise to inspect its logs to
12721 control whether it crashed and why. The logged request may indicate a
12722 small set of faulty requests, demonstrating bugs in the application.
12723 Sometimes this might also be caused by an IDS killing the connection
12724 between haproxy and the server.
12725
12726 sH The "timeout server" stroke before the server could return its
12727 response headers. This is the most common anomaly, indicating too
12728 long transactions, probably caused by server or database saturation.
12729 The immediate workaround consists in increasing the "timeout server"
12730 setting, but it is important to keep in mind that the user experience
12731 will suffer from these long response times. The only long term
12732 solution is to fix the application.
12733
12734 sQ The session spent too much time in queue and has been expired. See
12735 the "timeout queue" and "timeout connect" settings to find out how to
12736 fix this if it happens too often. If it often happens massively in
12737 short periods, it may indicate general problems on the affected
12738 servers due to I/O or database congestion, or saturation caused by
12739 external attacks.
12740
12741 PC The proxy refused to establish a connection to the server because the
12742 process' socket limit has been reached while attempting to connect.
Cyril Bontédc4d9032012-04-08 21:57:39 +020012743 The global "maxconn" parameter may be increased in the configuration
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012744 so that it does not happen anymore. This status is very rare and
12745 might happen when the global "ulimit-n" parameter is forced by hand.
12746
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010012747 PD The proxy blocked an incorrectly formatted chunked encoded message in
12748 a request or a response, after the server has emitted its headers. In
12749 most cases, this will indicate an invalid message from the server to
Willy Tarreauf3a3e132013-08-31 08:16:26 +020012750 the client. Haproxy supports chunk sizes of up to 2GB - 1 (2147483647
12751 bytes). Any larger size will be considered as an error.
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010012752
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012753 PH The proxy blocked the server's response, because it was invalid,
12754 incomplete, dangerous (cache control), or matched a security filter.
12755 In any case, an HTTP 502 error is sent to the client. One possible
12756 cause for this error is an invalid syntax in an HTTP header name
Willy Tarreaued2fd2d2010-12-29 11:23:27 +010012757 containing unauthorized characters. It is also possible but quite
12758 rare, that the proxy blocked a chunked-encoding request from the
12759 client due to an invalid syntax, before the server responded. In this
12760 case, an HTTP 400 error is sent to the client and reported in the
12761 logs.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012762
12763 PR The proxy blocked the client's HTTP request, either because of an
12764 invalid HTTP syntax, in which case it returned an HTTP 400 error to
12765 the client, or because a deny filter matched, in which case it
12766 returned an HTTP 403 error.
12767
12768 PT The proxy blocked the client's request and has tarpitted its
12769 connection before returning it a 500 server error. Nothing was sent
12770 to the server. The connection was maintained open for as long as
12771 reported by the "Tw" timer field.
12772
12773 RC A local resource has been exhausted (memory, sockets, source ports)
12774 preventing the connection to the server from establishing. The error
12775 logs will tell precisely what was missing. This is very rare and can
12776 only be solved by proper system tuning.
12777
Willy Tarreau996a92c2010-10-13 19:30:47 +020012778The combination of the two last flags gives a lot of information about how
12779persistence was handled by the client, the server and by haproxy. This is very
12780important to troubleshoot disconnections, when users complain they have to
12781re-authenticate. The commonly encountered flags are :
12782
12783 -- Persistence cookie is not enabled.
12784
12785 NN No cookie was provided by the client, none was inserted in the
12786 response. For instance, this can be in insert mode with "postonly"
12787 set on a GET request.
12788
12789 II A cookie designating an invalid server was provided by the client,
12790 a valid one was inserted in the response. This typically happens when
Jamie Gloudonaaa21002012-08-25 00:18:33 -040012791 a "server" entry is removed from the configuration, since its cookie
Willy Tarreau996a92c2010-10-13 19:30:47 +020012792 value can be presented by a client when no other server knows it.
12793
12794 NI No cookie was provided by the client, one was inserted in the
12795 response. This typically happens for first requests from every user
12796 in "insert" mode, which makes it an easy way to count real users.
12797
12798 VN A cookie was provided by the client, none was inserted in the
12799 response. This happens for most responses for which the client has
12800 already got a cookie.
12801
12802 VU A cookie was provided by the client, with a last visit date which is
12803 not completely up-to-date, so an updated cookie was provided in
12804 response. This can also happen if there was no date at all, or if
12805 there was a date but the "maxidle" parameter was not set, so that the
12806 cookie can be switched to unlimited time.
12807
12808 EI A cookie was provided by the client, with a last visit date which is
12809 too old for the "maxidle" parameter, so the cookie was ignored and a
12810 new cookie was inserted in the response.
12811
12812 OI A cookie was provided by the client, with a first visit date which is
12813 too old for the "maxlife" parameter, so the cookie was ignored and a
12814 new cookie was inserted in the response.
12815
12816 DI The server designated by the cookie was down, a new server was
12817 selected and a new cookie was emitted in the response.
12818
12819 VI The server designated by the cookie was not marked dead but could not
12820 be reached. A redispatch happened and selected another one, which was
12821 then advertised in the response.
12822
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012823
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200128248.6. Non-printable characters
12825-----------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012826
12827In order not to cause trouble to log analysis tools or terminals during log
12828consulting, non-printable characters are not sent as-is into log files, but are
12829converted to the two-digits hexadecimal representation of their ASCII code,
12830prefixed by the character '#'. The only characters that can be logged without
12831being escaped are comprised between 32 and 126 (inclusive). Obviously, the
12832escape character '#' itself is also encoded to avoid any ambiguity ("#23"). It
12833is the same for the character '"' which becomes "#22", as well as '{', '|' and
12834'}' when logging headers.
12835
12836Note that the space character (' ') is not encoded in headers, which can cause
12837issues for tools relying on space count to locate fields. A typical header
12838containing spaces is "User-Agent".
12839
12840Last, it has been observed that some syslog daemons such as syslog-ng escape
12841the quote ('"') with a backslash ('\'). The reverse operation can safely be
12842performed since no quote may appear anywhere else in the logs.
12843
12844
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200128458.7. Capturing HTTP cookies
12846---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012847
12848Cookie capture simplifies the tracking a complete user session. This can be
12849achieved using the "capture cookie" statement in the frontend. Please refer to
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012850section 4.2 for more details. Only one cookie can be captured, and the same
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012851cookie will simultaneously be checked in the request ("Cookie:" header) and in
12852the response ("Set-Cookie:" header). The respective values will be reported in
12853the HTTP logs at the "captured_request_cookie" and "captured_response_cookie"
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012854locations (see section 8.2.3 about HTTP log format). When either cookie is
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012855not seen, a dash ('-') replaces the value. This way, it's easy to detect when a
12856user switches to a new session for example, because the server will reassign it
12857a new cookie. It is also possible to detect if a server unexpectedly sets a
12858wrong cookie to a client, leading to session crossing.
12859
12860 Examples :
12861 # capture the first cookie whose name starts with "ASPSESSION"
12862 capture cookie ASPSESSION len 32
12863
12864 # capture the first cookie whose name is exactly "vgnvisitor"
12865 capture cookie vgnvisitor= len 32
12866
12867
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200128688.8. Capturing HTTP headers
12869---------------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012870
12871Header captures are useful to track unique request identifiers set by an upper
12872proxy, virtual host names, user-agents, POST content-length, referrers, etc. In
12873the response, one can search for information about the response length, how the
12874server asked the cache to behave, or an object location during a redirection.
12875
12876Header captures are performed using the "capture request header" and "capture
12877response header" statements in the frontend. Please consult their definition in
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012878section 4.2 for more details.
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012879
12880It is possible to include both request headers and response headers at the same
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010012881time. Non-existent headers are logged as empty strings, and if one header
12882appears more than once, only its last occurrence will be logged. Request headers
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012883are grouped within braces '{' and '}' in the same order as they were declared,
12884and delimited with a vertical bar '|' without any space. Response headers
12885follow the same representation, but are displayed after a space following the
12886request headers block. These blocks are displayed just before the HTTP request
12887in the logs.
12888
Willy Tarreaud9ed3d22014-06-13 12:23:06 +020012889As a special case, it is possible to specify an HTTP header capture in a TCP
12890frontend. The purpose is to enable logging of headers which will be parsed in
12891an HTTP backend if the request is then switched to this HTTP backend.
12892
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012893 Example :
12894 # This instance chains to the outgoing proxy
12895 listen proxy-out
12896 mode http
12897 option httplog
12898 option logasap
12899 log global
12900 server cache1 192.168.1.1:3128
12901
12902 # log the name of the virtual server
12903 capture request header Host len 20
12904
12905 # log the amount of data uploaded during a POST
12906 capture request header Content-Length len 10
12907
12908 # log the beginning of the referrer
12909 capture request header Referer len 20
12910
12911 # server name (useful for outgoing proxies only)
12912 capture response header Server len 20
12913
12914 # logging the content-length is useful with "option logasap"
12915 capture response header Content-Length len 10
12916
12917 # log the expected cache behaviour on the response
12918 capture response header Cache-Control len 8
12919
12920 # the Via header will report the next proxy's name
12921 capture response header Via len 20
12922
12923 # log the URL location during a redirection
12924 capture response header Location len 20
12925
12926 >>> Aug 9 20:26:09 localhost \
12927 haproxy[2022]: 127.0.0.1:34014 [09/Aug/2004:20:26:09] proxy-out \
12928 proxy-out/cache1 0/0/0/162/+162 200 +350 - - ---- 0/0/0/0/0 0/0 \
12929 {fr.adserver.yahoo.co||http://fr.f416.mail.} {|864|private||} \
12930 "GET http://fr.adserver.yahoo.com/"
12931
12932 >>> Aug 9 20:30:46 localhost \
12933 haproxy[2022]: 127.0.0.1:34020 [09/Aug/2004:20:30:46] proxy-out \
12934 proxy-out/cache1 0/0/0/182/+182 200 +279 - - ---- 0/0/0/0/0 0/0 \
12935 {w.ods.org||} {Formilux/0.1.8|3495|||} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010012936 "GET http://trafic.1wt.eu/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012937
12938 >>> Aug 9 20:30:46 localhost \
12939 haproxy[2022]: 127.0.0.1:34028 [09/Aug/2004:20:30:46] proxy-out \
12940 proxy-out/cache1 0/0/2/126/+128 301 +223 - - ---- 0/0/0/0/0 0/0 \
12941 {www.sytadin.equipement.gouv.fr||http://trafic.1wt.eu/} \
12942 {Apache|230|||http://www.sytadin.} \
Willy Tarreaud72758d2010-01-12 10:42:19 +010012943 "GET http://www.sytadin.equipement.gouv.fr/ HTTP/1.1"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012944
12945
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200129468.9. Examples of logs
12947---------------------
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012948
12949These are real-world examples of logs accompanied with an explanation. Some of
12950them have been made up by hand. The syslog part has been removed for better
12951reading. Their sole purpose is to explain how to decipher them.
12952
12953 >>> haproxy[674]: 127.0.0.1:33318 [15/Oct/2003:08:31:57.130] px-http \
12954 px-http/srv1 6559/0/7/147/6723 200 243 - - ---- 5/3/3/1/0 0/0 \
12955 "HEAD / HTTP/1.0"
12956
12957 => long request (6.5s) entered by hand through 'telnet'. The server replied
12958 in 147 ms, and the session ended normally ('----')
12959
12960 >>> haproxy[674]: 127.0.0.1:33319 [15/Oct/2003:08:31:57.149] px-http \
12961 px-http/srv1 6559/1230/7/147/6870 200 243 - - ---- 324/239/239/99/0 \
12962 0/9 "HEAD / HTTP/1.0"
12963
12964 => Idem, but the request was queued in the global queue behind 9 other
12965 requests, and waited there for 1230 ms.
12966
12967 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.654] px-http \
12968 px-http/srv1 9/0/7/14/+30 200 +243 - - ---- 3/3/3/1/0 0/0 \
12969 "GET /image.iso HTTP/1.0"
12970
12971 => request for a long data transfer. The "logasap" option was specified, so
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010012972 the log was produced just before transferring data. The server replied in
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012973 14 ms, 243 bytes of headers were sent to the client, and total time from
12974 accept to first data byte is 30 ms.
12975
12976 >>> haproxy[674]: 127.0.0.1:33320 [15/Oct/2003:08:32:17.925] px-http \
12977 px-http/srv1 9/0/7/14/30 502 243 - - PH-- 3/2/2/0/0 0/0 \
12978 "GET /cgi-bin/bug.cgi? HTTP/1.0"
12979
12980 => the proxy blocked a server response either because of an "rspdeny" or
12981 "rspideny" filter, or because the response was improperly formatted and
Willy Tarreau3c92c5f2011-08-28 09:45:47 +020012982 not HTTP-compliant, or because it blocked sensitive information which
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012983 risked being cached. In this case, the response is replaced with a "502
12984 bad gateway". The flags ("PH--") tell us that it was haproxy who decided
12985 to return the 502 and not the server.
12986
12987 >>> haproxy[18113]: 127.0.0.1:34548 [15/Oct/2003:15:18:55.798] px-http \
Willy Tarreaud72758d2010-01-12 10:42:19 +010012988 px-http/<NOSRV> -1/-1/-1/-1/8490 -1 0 - - CR-- 2/2/2/0/0 0/0 ""
Willy Tarreaucc6c8912009-02-22 10:53:55 +010012989
12990 => the client never completed its request and aborted itself ("C---") after
12991 8.5s, while the proxy was waiting for the request headers ("-R--").
12992 Nothing was sent to any server.
12993
12994 >>> haproxy[18113]: 127.0.0.1:34549 [15/Oct/2003:15:19:06.103] px-http \
12995 px-http/<NOSRV> -1/-1/-1/-1/50001 408 0 - - cR-- 2/2/2/0/0 0/0 ""
12996
12997 => The client never completed its request, which was aborted by the
12998 time-out ("c---") after 50s, while the proxy was waiting for the request
12999 headers ("-R--"). Nothing was sent to any server, but the proxy could
13000 send a 408 return code to the client.
13001
13002 >>> haproxy[18989]: 127.0.0.1:34550 [15/Oct/2003:15:24:28.312] px-tcp \
13003 px-tcp/srv1 0/0/5007 0 cD 0/0/0/0/0 0/0
13004
13005 => This log was produced with "option tcplog". The client timed out after
13006 5 seconds ("c----").
13007
13008 >>> haproxy[18989]: 10.0.0.1:34552 [15/Oct/2003:15:26:31.462] px-http \
13009 px-http/srv1 3183/-1/-1/-1/11215 503 0 - - SC-- 205/202/202/115/3 \
Willy Tarreaud72758d2010-01-12 10:42:19 +010013010 0/0 "HEAD / HTTP/1.0"
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013011
13012 => The request took 3s to complete (probably a network problem), and the
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013013 connection to the server failed ('SC--') after 4 attempts of 2 seconds
Willy Tarreaucc6c8912009-02-22 10:53:55 +010013014 (config says 'retries 3'), and no redispatch (otherwise we would have
13015 seen "/+3"). Status code 503 was returned to the client. There were 115
13016 connections on this server, 202 connections on this proxy, and 205 on
13017 the global process. It is possible that the server refused the
13018 connection because of too many already established.
Willy Tarreau844e3c52008-01-11 16:28:18 +010013019
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013020
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200130219. Statistics and monitoring
13022----------------------------
13023
13024It is possible to query HAProxy about its status. The most commonly used
13025mechanism is the HTTP statistics page. This page also exposes an alternative
13026CSV output format for monitoring tools. The same format is provided on the
13027Unix socket.
13028
13029
130309.1. CSV format
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013031---------------
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010013032
Willy Tarreau7f062c42009-03-05 18:43:00 +010013033The statistics may be consulted either from the unix socket or from the HTTP
Willy Tarreaua3310dc2014-06-16 15:43:21 +020013034page. Both means provide a CSV format whose fields follow. The first line
13035begins with a sharp ('#') and has one word per comma-delimited field which
13036represents the title of the column. All other lines starting at the second one
13037use a classical CSV format using a comma as the delimiter, and the double quote
13038('"') as an optional text delimiter, but only if the enclosed text is ambiguous
13039(if it contains a quote or a comma). The double-quote character ('"') in the
13040text is doubled ('""'), which is the format that most tools recognize. Please
13041do not insert any column before these ones in order not to break tools which
13042use hard-coded column positions.
Willy Tarreau7f062c42009-03-05 18:43:00 +010013043
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010013044 0. pxname: proxy name
13045 1. svname: service name (FRONTEND for frontend, BACKEND for backend, any name
13046 for server)
13047 2. qcur: current queued requests
13048 3. qmax: max queued requests
13049 4. scur: current sessions
13050 5. smax: max sessions
13051 6. slim: sessions limit
13052 7. stot: total sessions
13053 8. bin: bytes in
13054 9. bout: bytes out
13055 10. dreq: denied requests
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010013056 11. dresp: denied responses
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010013057 12. ereq: request errors
13058 13. econ: connection errors
Willy Tarreauae526782010-03-04 20:34:23 +010013059 14. eresp: response errors (among which srv_abrt)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010013060 15. wretr: retries (warning)
13061 16. wredis: redispatches (warning)
Cyril Bonté0dae5852010-02-03 00:26:28 +010013062 17. status: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
Krzysztof Piotr Oledzkif58a9622008-02-23 01:19:10 +010013063 18. weight: server weight (server), total weight (backend)
13064 19. act: server is active (server), number of active servers (backend)
13065 20. bck: server is backup (server), number of backup servers (backend)
13066 21. chkfail: number of failed checks
13067 22. chkdown: number of UP->DOWN transitions
13068 23. lastchg: last status change (in seconds)
13069 24. downtime: total downtime (in seconds)
13070 25. qlimit: queue limit
13071 26. pid: process id (0 for first instance, 1 for second, ...)
13072 27. iid: unique proxy id
13073 28. sid: service id (unique inside a proxy)
13074 29. throttle: warm up status
13075 30. lbtot: total number of times a server was selected
13076 31. tracked: id of proxy/server if tracking is enabled
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +020013077 32. type (0=frontend, 1=backend, 2=server, 3=socket)
Krzysztof Piotr Oledzkidb57c6b2009-08-31 21:23:27 +020013078 33. rate: number of sessions per second over last elapsed second
13079 34. rate_lim: limit on new sessions per second
13080 35. rate_max: max number of new sessions per second
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +020013081 36. check_status: status of last health check, one of:
Cyril Bontéf0c60612010-02-06 14:44:47 +010013082 UNK -> unknown
13083 INI -> initializing
13084 SOCKERR -> socket error
13085 L4OK -> check passed on layer 4, no upper layers testing enabled
13086 L4TMOUT -> layer 1-4 timeout
13087 L4CON -> layer 1-4 connection problem, for example
13088 "Connection refused" (tcp rst) or "No route to host" (icmp)
13089 L6OK -> check passed on layer 6
13090 L6TOUT -> layer 6 (SSL) timeout
13091 L6RSP -> layer 6 invalid response - protocol error
13092 L7OK -> check passed on layer 7
13093 L7OKC -> check conditionally passed on layer 7, for example 404 with
13094 disable-on-404
13095 L7TOUT -> layer 7 (HTTP/SMTP) timeout
13096 L7RSP -> layer 7 invalid response - protocol error
13097 L7STS -> layer 7 response error, for example HTTP 5xx
Krzysztof Piotr Oledzki09605412009-09-23 22:09:24 +020013098 37. check_code: layer5-7 code, if available
13099 38. check_duration: time in ms took to finish last health check
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013100 39. hrsp_1xx: http responses with 1xx code
13101 40. hrsp_2xx: http responses with 2xx code
13102 41. hrsp_3xx: http responses with 3xx code
13103 42. hrsp_4xx: http responses with 4xx code
13104 43. hrsp_5xx: http responses with 5xx code
13105 44. hrsp_other: http responses with other codes (protocol error)
Willy Tarreaud63335a2010-02-26 12:56:52 +010013106 45. hanafail: failed health checks details
13107 46. req_rate: HTTP requests per second over last elapsed second
13108 47. req_rate_max: max number of HTTP requests per second observed
13109 48. req_tot: total number of HTTP requests received
Willy Tarreauae526782010-03-04 20:34:23 +010013110 49. cli_abrt: number of data transfers aborted by the client
13111 50. srv_abrt: number of data transfers aborted by the server (inc. in eresp)
Willy Tarreau55058a72012-11-21 08:27:21 +010013112 51. comp_in: number of HTTP response bytes fed to the compressor
13113 52. comp_out: number of HTTP response bytes emitted by the compressor
13114 53. comp_byp: number of bytes that bypassed the HTTP compressor (CPU/BW limit)
Willy Tarreau11d4ec82012-11-26 00:49:03 +010013115 54. comp_rsp: number of HTTP responses that were compressed
Willy Tarreauf522f3d2014-02-10 22:22:49 +010013116 55. lastsess: number of seconds since last session assigned to server/backend
Willy Tarreaua28df3e2014-06-16 16:40:14 +020013117 56. last_chk: last health check contents or textual error
13118 57. last_agt: last agent check contents or textual error
Willy Tarreauf5b1cc32014-06-17 12:20:59 +020013119 58. qtime: the average queue time in ms over the 1024 last requests
13120 59. ctime: the average connect time in ms over the 1024 last requests
13121 60. rtime: the average response time in ms over the 1024 last requests (0 for TCP)
13122 61. ttime: the average total session time in ms over the 1024 last requests
Willy Tarreau844e3c52008-01-11 16:28:18 +010013123
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013124
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200131259.2. Unix Socket commands
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013126-------------------------
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010013127
Willy Tarreau468f4932013-08-01 16:50:16 +020013128The stats socket is not enabled by default. In order to enable it, it is
13129necessary to add one line in the global section of the haproxy configuration.
13130A second line is recommended to set a larger timeout, always appreciated when
13131issuing commands by hand :
13132
13133 global
13134 stats socket /var/run/haproxy.sock mode 600 level admin
13135 stats timeout 2m
13136
13137It is also possible to add multiple instances of the stats socket by repeating
13138the line, and make them listen to a TCP port instead of a UNIX socket. This is
13139never done by default because this is dangerous, but can be handy in some
13140situations :
13141
13142 global
13143 stats socket /var/run/haproxy.sock mode 600 level admin
13144 stats socket ipv4@192.168.0.1:9999 level admin
13145 stats timeout 2m
13146
13147To access the socket, an external utility such as "socat" is required. Socat is a
13148swiss-army knife to connect anything to anything. We use it to connect terminals
13149to the socket, or a couple of stdin/stdout pipes to it for scripts. The two main
13150syntaxes we'll use are the following :
13151
13152 # socat /var/run/haproxy.sock stdio
13153 # socat /var/run/haproxy.sock readline
13154
13155The first one is used with scripts. It is possible to send the output of a
13156script to haproxy, and pass haproxy's output to another script. That's useful
13157for retrieving counters or attack traces for example.
13158
13159The second one is only useful for issuing commands by hand. It has the benefit
13160that the terminal is handled by the readline library which supports line
13161editing and history, which is very convenient when issuing repeated commands
13162(eg: watch a counter).
13163
13164The socket supports two operation modes :
13165 - interactive
13166 - non-interactive
13167
13168The non-interactive mode is the default when socat connects to the socket. In
13169this mode, a single line may be sent. It is processed as a whole, responses are
13170sent back, and the connection closes after the end of the response. This is the
13171mode that scripts and monitoring tools use. It is possible to send multiple
13172commands in this mode, they need to be delimited by a semi-colon (';'). For
13173example :
13174
13175 # echo "show info;show stat;show table" | socat /var/run/haproxy stdio
13176
13177The interactive mode displays a prompt ('>') and waits for commands to be
13178entered on the line, then processes them, and displays the prompt again to wait
13179for a new command. This mode is entered via the "prompt" command which must be
13180sent on the first line in non-interactive mode. The mode is a flip switch, if
13181"prompt" is sent in interactive mode, it is disabled and the connection closes
13182after processing the last command of the same line.
13183
13184For this reason, when debugging by hand, it's quite common to start with the
13185"prompt" command :
13186
13187 # socat /var/run/haproxy readline
13188 prompt
13189 > show info
13190 ...
13191 >
13192
13193Since multiple commands may be issued at once, haproxy uses the empty line as a
13194delimiter to mark an end of output for each command, and takes care of ensuring
13195that no command can emit an empty line on output. A script can thus easily
13196parse the output even when multiple commands were pipelined on a single line.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013197
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020013198It is important to understand that when multiple haproxy processes are started
13199on the same sockets, any process may pick up the request and will output its
13200own stats.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013201
Willy Tarreau468f4932013-08-01 16:50:16 +020013202The list of commands currently supported on the stats socket is provided below.
13203If an unknown command is sent, haproxy displays the usage message which reminds
13204all supported commands. Some commands support a more complex syntax, generally
13205it will explain what part of the command is invalid when this happens.
13206
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013207add acl <acl> <pattern>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013208 Add an entry into the acl <acl>. <acl> is the #<id> or the <file> returned by
13209 "show acl". This command does not verify if the entry already exists. This
13210 command cannot be used if the reference <acl> is a file also used with a map.
13211 In this case, you must use the command "add map" in place of "add acl".
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013212
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010013213add map <map> <key> <value>
13214 Add an entry into the map <map> to associate the value <value> to the key
13215 <key>. This command does not verify if the entry already exists. It is
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013216 mainly used to fill a map after a clear operation. Note that if the reference
13217 <map> is a file and is shared with a map, this map will contain also a new
13218 pattern entry.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010013219
Willy Tarreaud63335a2010-02-26 12:56:52 +010013220clear counters
13221 Clear the max values of the statistics counters in each proxy (frontend &
13222 backend) and in each server. The cumulated counters are not affected. This
13223 can be used to get clean counters after an incident, without having to
13224 restart nor to clear traffic counters. This command is restricted and can
13225 only be issued on sockets configured for levels "operator" or "admin".
13226
13227clear counters all
13228 Clear all statistics counters in each proxy (frontend & backend) and in each
13229 server. This has the same effect as restarting. This command is restricted
13230 and can only be issued on sockets configured for level "admin".
13231
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013232clear acl <acl>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013233 Remove all entries from the acl <acl>. <acl> is the #<id> or the <file>
13234 returned by "show acl". Note that if the reference <acl> is a file and is
13235 shared with a map, this map will be also cleared.
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013236
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010013237clear map <map>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013238 Remove all entries from the map <map>. <map> is the #<id> or the <file>
13239 returned by "show map". Note that if the reference <map> is a file and is
13240 shared with a acl, this acl will be also cleared.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010013241
Simon Hormanc88b8872011-06-15 15:18:49 +090013242clear table <table> [ data.<type> <operator> <value> ] | [ key <key> ]
13243 Remove entries from the stick-table <table>.
13244
13245 This is typically used to unblock some users complaining they have been
13246 abusively denied access to a service, but this can also be used to clear some
13247 stickiness entries matching a server that is going to be replaced (see "show
13248 table" below for details). Note that sometimes, removal of an entry will be
13249 refused because it is currently tracked by a session. Retrying a few seconds
13250 later after the session ends is usual enough.
13251
13252 In the case where no options arguments are given all entries will be removed.
13253
13254 When the "data." form is used entries matching a filter applied using the
13255 stored data (see "stick-table" in section 4.2) are removed. A stored data
13256 type must be specified in <type>, and this data type must be stored in the
13257 table otherwise an error is reported. The data is compared according to
13258 <operator> with the 64-bit integer <value>. Operators are the same as with
13259 the ACLs :
13260
13261 - eq : match entries whose data is equal to this value
13262 - ne : match entries whose data is not equal to this value
13263 - le : match entries whose data is less than or equal to this value
13264 - ge : match entries whose data is greater than or equal to this value
13265 - lt : match entries whose data is less than this value
13266 - gt : match entries whose data is greater than this value
13267
13268 When the key form is used the entry <key> is removed. The key must be of the
Simon Horman619e3cc2011-06-15 15:18:52 +090013269 same type as the table, which currently is limited to IPv4, IPv6, integer and
13270 string.
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013271
13272 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020013273 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Emeric Brun7c6b82e2010-09-24 16:34:28 +020013274 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020013275 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
13276 bytes_out_rate(60000)=187
13277 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
13278 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013279
13280 $ echo "clear table http_proxy key 127.0.0.1" | socat stdio /tmp/sock1
13281
13282 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Emeric Brun7c6b82e2010-09-24 16:34:28 +020013283 >>> # table: http_proxy, type: ip, size:204800, used:1
Willy Tarreau62a36c42010-08-17 15:53:10 +020013284 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
13285 bytes_out_rate(60000)=191
Simon Hormanc88b8872011-06-15 15:18:49 +090013286 $ echo "clear table http_proxy data.gpc0 eq 1" | socat stdio /tmp/sock1
13287 $ echo "show table http_proxy" | socat stdio /tmp/sock1
13288 >>> # table: http_proxy, type: ip, size:204800, used:1
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013289
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013290del acl <acl> [<key>|#<ref>]
13291 Delete all the acl entries from the acl <acl> corresponding to the key <key>.
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013292 <acl> is the #<id> or the <file> returned by "show acl". If the <ref> is used,
13293 this command delete only the listed reference. The reference can be found with
13294 listing the content of the acl. Note that if the reference <acl> is a file and
13295 is shared with a map, the entry will be also deleted in the map.
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013296
13297del map <map> [<key>|#<ref>]
Thierry FOURNIER0b90f312014-01-29 20:40:18 +010013298 Delete all the map entries from the map <map> corresponding to the key <key>.
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013299 <map> is the #<id> or the <file> returned by "show map". If the <ref> is used,
13300 this command delete only the listed reference. The reference can be found with
13301 listing the content of the map. Note that if the reference <map> is a file and
13302 is shared with a acl, the entry will be also deleted in the map.
Thierry FOURNIER0b90f312014-01-29 20:40:18 +010013303
13304disable agent <backend>/<server>
Simon Horman671b6f02013-11-25 10:46:39 +090013305 Mark the auxiliary agent check as temporarily stopped.
13306
13307 In the case where an agent check is being run as a auxiliary check, due
13308 to the agent-check parameter of a server directive, new checks are only
13309 initialised when the agent is in the enabled. Thus, disable agent will
13310 prevent any new agent checks from begin initiated until the agent
13311 re-enabled using enable agent.
13312
13313 When an agent is disabled the processing of an auxiliary agent check that
13314 was initiated while the agent was set as enabled is as follows: All
13315 results that would alter the weight, specifically "drain" or a weight
13316 returned by the agent, are ignored. The processing of agent check is
13317 otherwise unchanged.
13318
13319 The motivation for this feature is to allow the weight changing effects
13320 of the agent checks to be paused to allow the weight of a server to be
13321 configured using set weight without being overridden by the agent.
13322
13323 This command is restricted and can only be issued on sockets configured for
13324 level "admin".
13325
Willy Tarreau532a4502011-09-07 22:37:44 +020013326disable frontend <frontend>
13327 Mark the frontend as temporarily stopped. This corresponds to the mode which
13328 is used during a soft restart : the frontend releases the port but can be
13329 enabled again if needed. This should be used with care as some non-Linux OSes
13330 are unable to enable it back. This is intended to be used in environments
13331 where stopping a proxy is not even imaginable but a misconfigured proxy must
13332 be fixed. That way it's possible to release the port and bind it into another
13333 process to restore operations. The frontend will appear with status "STOP"
13334 on the stats page.
13335
13336 The frontend may be specified either by its name or by its numeric ID,
13337 prefixed with a sharp ('#').
13338
13339 This command is restricted and can only be issued on sockets configured for
13340 level "admin".
13341
Willy Tarreau9b5aecd2014-05-23 11:53:10 +020013342disable health <backend>/<server>
13343 Mark the primary health check as temporarily stopped. This will disable
13344 sending of health checks, and the last health check result will be ignored.
13345 The server will be in unchecked state and considered UP unless an auxiliary
13346 agent check forces it down.
13347
13348 This command is restricted and can only be issued on sockets configured for
13349 level "admin".
13350
Willy Tarreaud63335a2010-02-26 12:56:52 +010013351disable server <backend>/<server>
13352 Mark the server DOWN for maintenance. In this mode, no more checks will be
13353 performed on the server until it leaves maintenance.
13354 If the server is tracked by other servers, those servers will be set to DOWN
13355 during the maintenance.
13356
13357 In the statistics page, a server DOWN for maintenance will appear with a
13358 "MAINT" status, its tracking servers with the "MAINT(via)" one.
13359
13360 Both the backend and the server may be specified either by their name or by
Willy Tarreauf5f31922011-08-02 11:32:07 +020013361 their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010013362
13363 This command is restricted and can only be issued on sockets configured for
13364 level "admin".
13365
Simon Horman671b6f02013-11-25 10:46:39 +090013366enable agent <backend>/<server>
13367 Resume auxiliary agent check that was temporarily stopped.
13368
13369 See "disable agent" for details of the effect of temporarily starting
13370 and stopping an auxiliary agent.
13371
13372 This command is restricted and can only be issued on sockets configured for
13373 level "admin".
13374
Willy Tarreau532a4502011-09-07 22:37:44 +020013375enable frontend <frontend>
13376 Resume a frontend which was temporarily stopped. It is possible that some of
13377 the listening ports won't be able to bind anymore (eg: if another process
13378 took them since the 'disable frontend' operation). If this happens, an error
13379 is displayed. Some operating systems might not be able to resume a frontend
13380 which was disabled.
13381
13382 The frontend may be specified either by its name or by its numeric ID,
13383 prefixed with a sharp ('#').
13384
13385 This command is restricted and can only be issued on sockets configured for
13386 level "admin".
13387
Willy Tarreau9b5aecd2014-05-23 11:53:10 +020013388enable health <backend>/<server>
13389 Resume a primary health check that was temporarily stopped. This will enable
13390 sending of health checks again. Please see "disable health" for details.
13391
13392 This command is restricted and can only be issued on sockets configured for
13393 level "admin".
13394
Willy Tarreaud63335a2010-02-26 12:56:52 +010013395enable server <backend>/<server>
13396 If the server was previously marked as DOWN for maintenance, this marks the
13397 server UP and checks are re-enabled.
13398
13399 Both the backend and the server may be specified either by their name or by
Willy Tarreauf5f31922011-08-02 11:32:07 +020013400 their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010013401
13402 This command is restricted and can only be issued on sockets configured for
13403 level "admin".
13404
Thierry FOURNIER5b16df72014-02-26 18:07:38 +010013405get map <map> <value>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013406get acl <acl> <value>
13407 Lookup the value <value> in the map <map> or in the ACL <acl>. <map> or <acl>
13408 are the #<id> or the <file> returned by "show map" or "show acl". This command
13409 returns all the matching patterns associated with this map. This is useful for
13410 debugging maps and ACLs. The output format is composed by one line par
13411 matching type. Each line is composed by space-delimited series of words.
Thierry FOURNIER5b16df72014-02-26 18:07:38 +010013412
13413 The first two words are:
13414
13415 <match method>: The match method applied. It can be "found", "bool",
13416 "int", "ip", "bin", "len", "str", "beg", "sub", "dir",
13417 "dom", "end" or "reg".
13418
13419 <match result>: The result. Can be "match" or "no-match".
13420
13421 The following words are returned only if the pattern matches an entry.
13422
13423 <index type>: "tree" or "list". The internal lookup algorithm.
13424
13425 <case>: "case-insensitive" or "case-sensitive". The
13426 interpretation of the case.
13427
13428 <entry matched>: match="<entry>". Return the matched pattern. It is
13429 useful with regular expressions.
13430
13431 The two last word are used to show the returned value and its type. With the
13432 "acl" case, the pattern doesn't exist.
13433
13434 return=nothing: No return because there are no "map".
13435 return="<value>": The value returned in the string format.
13436 return=cannot-display: The value cannot be converted as string.
13437
13438 type="<type>": The type of the returned sample.
13439
Willy Tarreaud63335a2010-02-26 12:56:52 +010013440get weight <backend>/<server>
13441 Report the current weight and the initial weight of server <server> in
13442 backend <backend> or an error if either doesn't exist. The initial weight is
13443 the one that appears in the configuration file. Both are normally equal
13444 unless the current weight has been changed. Both the backend and the server
13445 may be specified either by their name or by their numeric ID, prefixed with a
Willy Tarreauf5f31922011-08-02 11:32:07 +020013446 sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010013447
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020013448help
13449 Print the list of known keywords and their basic usage. The same help screen
13450 is also displayed for unknown commands.
Willy Tarreau3dfe6cd2008-12-07 22:29:48 +010013451
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020013452prompt
13453 Toggle the prompt at the beginning of the line and enter or leave interactive
13454 mode. In interactive mode, the connection is not closed after a command
13455 completes. Instead, the prompt will appear again, indicating the user that
13456 the interpreter is waiting for a new command. The prompt consists in a right
13457 angle bracket followed by a space "> ". This mode is particularly convenient
13458 when one wants to periodically check information such as stats or errors.
13459 It is also a good idea to enter interactive mode before issuing a "help"
13460 command.
13461
13462quit
13463 Close the connection when in interactive mode.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010013464
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013465set map <map> [<key>|#<ref>] <value>
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013466 Modify the value corresponding to each key <key> in a map <map>. <map> is the
13467 #<id> or <file> returned by "show map". If the <ref> is used in place of
13468 <key>, only the entry pointed by <ref> is changed. The new value is <value>.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010013469
Willy Tarreau2a0f4d22011-08-02 11:49:05 +020013470set maxconn frontend <frontend> <value>
Willy Tarreau3c7a79d2012-09-26 21:07:15 +020013471 Dynamically change the specified frontend's maxconn setting. Any positive
13472 value is allowed including zero, but setting values larger than the global
13473 maxconn does not make much sense. If the limit is increased and connections
13474 were pending, they will immediately be accepted. If it is lowered to a value
13475 below the current number of connections, new connections acceptation will be
Willy Tarreau2a0f4d22011-08-02 11:49:05 +020013476 delayed until the threshold is reached. The frontend might be specified by
13477 either its name or its numeric ID prefixed with a sharp ('#').
13478
Willy Tarreau91886b62011-09-07 14:38:31 +020013479set maxconn global <maxconn>
13480 Dynamically change the global maxconn setting within the range defined by the
13481 initial global maxconn setting. If it is increased and connections were
13482 pending, they will immediately be accepted. If it is lowered to a value below
13483 the current number of connections, new connections acceptation will be
13484 delayed until the threshold is reached. A value of zero restores the initial
13485 setting.
13486
Willy Tarreauf5b22872011-09-07 16:13:44 +020013487set rate-limit connections global <value>
13488 Change the process-wide connection rate limit, which is set by the global
13489 'maxconnrate' setting. A value of zero disables the limitation. This limit
13490 applies to all frontends and the change has an immediate effect. The value
13491 is passed in number of connections per second.
13492
William Lallemandd85f9172012-11-09 17:05:39 +010013493set rate-limit http-compression global <value>
13494 Change the maximum input compression rate, which is set by the global
13495 'maxcomprate' setting. A value of zero disables the limitation. The value is
William Lallemand096f5542012-11-19 17:26:05 +010013496 passed in number of kilobytes per second. The value is available in the "show
13497 info" on the line "CompressBpsRateLim" in bytes.
William Lallemandd85f9172012-11-09 17:05:39 +010013498
Willy Tarreau93e7c002013-10-07 18:51:07 +020013499set rate-limit sessions global <value>
13500 Change the process-wide session rate limit, which is set by the global
13501 'maxsessrate' setting. A value of zero disables the limitation. This limit
13502 applies to all frontends and the change has an immediate effect. The value
13503 is passed in number of sessions per second.
13504
Willy Tarreaue43d5322013-10-07 20:01:52 +020013505set rate-limit ssl-sessions global <value>
13506 Change the process-wide SSL session rate limit, which is set by the global
13507 'maxsslrate' setting. A value of zero disables the limitation. This limit
13508 applies to all frontends and the change has an immediate effect. The value
13509 is passed in number of sessions per second sent to the SSL stack. It applies
13510 before the handshake in order to protect the stack against handshake abuses.
13511
Willy Tarreau2a4b70f2014-05-22 18:42:35 +020013512set server <backend>/<server> agent [ up | down ]
13513 Force a server's agent to a new state. This can be useful to immediately
13514 switch a server's state regardless of some slow agent checks for example.
13515 Note that the change is propagated to tracking servers if any.
13516
13517set server <backend>/<server> health [ up | stopping | down ]
13518 Force a server's health to a new state. This can be useful to immediately
13519 switch a server's state regardless of some slow health checks for example.
13520 Note that the change is propagated to tracking servers if any.
13521
13522set server <backend>/<server> state [ ready | drain | maint ]
13523 Force a server's administrative state to a new state. This can be useful to
13524 disable load balancing and/or any traffic to a server. Setting the state to
13525 "ready" puts the server in normal mode, and the command is the equivalent of
13526 the "enable server" command. Setting the state to "maint" disables any traffic
13527 to the server as well as any health checks. This is the equivalent of the
13528 "disable server" command. Setting the mode to "drain" only removes the server
13529 from load balancing but still allows it to be checked and to accept new
13530 persistent connections. Changes are propagated to tracking servers if any.
13531
13532set server <backend>/<server> weight <weight>[%]
13533 Change a server's weight to the value passed in argument. This is the exact
13534 equivalent of the "set weight" command below.
13535
Emeric Brun4147b2e2014-06-16 18:36:30 +020013536set ssl ocsp-response <response>
13537 This command is used to update an OCSP Response for a certificate (see "crt"
13538 on "bind" lines). Same controls are performed as during the initial loading of
13539 the response. The <response> must be passed as a base64 encoded string of the
13540 DER encoded response from the OCSP server.
13541
13542 Example:
13543 openssl ocsp -issuer issuer.pem -cert server.pem \
13544 -host ocsp.issuer.com:80 -respout resp.der
13545 echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \
13546 socat stdio /var/run/haproxy.stat
13547
Willy Tarreau47060b62013-08-01 21:11:42 +020013548set table <table> key <key> [data.<data_type> <value>]*
Willy Tarreau654694e2012-06-07 01:03:16 +020013549 Create or update a stick-table entry in the table. If the key is not present,
13550 an entry is inserted. See stick-table in section 4.2 to find all possible
13551 values for <data_type>. The most likely use consists in dynamically entering
13552 entries for source IP addresses, with a flag in gpc0 to dynamically block an
Willy Tarreau47060b62013-08-01 21:11:42 +020013553 IP address or affect its quality of service. It is possible to pass multiple
13554 data_types in a single call.
Willy Tarreau654694e2012-06-07 01:03:16 +020013555
Willy Tarreaud63335a2010-02-26 12:56:52 +010013556set timeout cli <delay>
13557 Change the CLI interface timeout for current connection. This can be useful
13558 during long debugging sessions where the user needs to constantly inspect
13559 some indicators without being disconnected. The delay is passed in seconds.
13560
13561set weight <backend>/<server> <weight>[%]
13562 Change a server's weight to the value passed in argument. If the value ends
13563 with the '%' sign, then the new weight will be relative to the initially
Simon Horman58b5d292013-02-12 10:45:52 +090013564 configured weight. Absolute weights are permitted between 0 and 256.
13565 Relative weights must be positive with the resulting absolute weight is
13566 capped at 256. Servers which are part of a farm running a static
13567 load-balancing algorithm have stricter limitations because the weight
13568 cannot change once set. Thus for these servers, the only accepted values
13569 are 0 and 100% (or 0 and the initial weight). Changes take effect
13570 immediately, though certain LB algorithms require a certain amount of
13571 requests to consider changes. A typical usage of this command is to
13572 disable a server during an update by setting its weight to zero, then to
13573 enable it again after the update by setting it back to 100%. This command
13574 is restricted and can only be issued on sockets configured for level
13575 "admin". Both the backend and the server may be specified either by their
13576 name or by their numeric ID, prefixed with a sharp ('#').
Willy Tarreaud63335a2010-02-26 12:56:52 +010013577
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010013578show errors [<iid>]
13579 Dump last known request and response errors collected by frontends and
13580 backends. If <iid> is specified, the limit the dump to errors concerning
Willy Tarreau6162db22009-10-10 17:13:00 +020013581 either frontend or backend whose ID is <iid>. This command is restricted
13582 and can only be issued on sockets configured for levels "operator" or
13583 "admin".
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010013584
13585 The errors which may be collected are the last request and response errors
13586 caused by protocol violations, often due to invalid characters in header
13587 names. The report precisely indicates what exact character violated the
13588 protocol. Other important information such as the exact date the error was
13589 detected, frontend and backend names, the server name (when known), the
13590 internal session ID and the source address which has initiated the session
13591 are reported too.
13592
13593 All characters are returned, and non-printable characters are encoded. The
13594 most common ones (\t = 9, \n = 10, \r = 13 and \e = 27) are encoded as one
13595 letter following a backslash. The backslash itself is encoded as '\\' to
13596 avoid confusion. Other non-printable characters are encoded '\xNN' where
13597 NN is the two-digits hexadecimal representation of the character's ASCII
13598 code.
13599
13600 Lines are prefixed with the position of their first character, starting at 0
13601 for the beginning of the buffer. At most one input line is printed per line,
13602 and large lines will be broken into multiple consecutive output lines so that
13603 the output never goes beyond 79 characters wide. It is easy to detect if a
13604 line was broken, because it will not end with '\n' and the next line's offset
13605 will be followed by a '+' sign, indicating it is a continuation of previous
13606 line.
13607
13608 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020013609 $ echo "show errors" | socat stdio /tmp/sock1
13610 >>> [04/Mar/2009:15:46:56.081] backend http-in (#2) : invalid response
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010013611 src 127.0.0.1, session #54, frontend fe-eth0 (#1), server s2 (#1)
13612 response length 213 bytes, error at position 23:
13613
13614 00000 HTTP/1.0 200 OK\r\n
13615 00017 header/bizarre:blah\r\n
13616 00038 Location: blah\r\n
13617 00054 Long-line: this is a very long line which should b
13618 00104+ e broken into multiple lines on the output buffer,
13619 00154+ otherwise it would be too large to print in a ter
13620 00204+ minal\r\n
13621 00211 \r\n
13622
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013623 In the example above, we see that the backend "http-in" which has internal
Willy Tarreaue0c8a1a2009-03-04 16:33:10 +010013624 ID 2 has blocked an invalid response from its server s2 which has internal
13625 ID 1. The request was on session 54 initiated by source 127.0.0.1 and
13626 received by frontend fe-eth0 whose ID is 1. The total response length was
13627 213 bytes when the error was detected, and the error was at byte 23. This
13628 is the slash ('/') in header name "header/bizarre", which is not a valid
13629 HTTP character for a header name.
Krzysztof Piotr Oledzki2c6962c2008-03-02 02:42:14 +010013630
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020013631show info
13632 Dump info about haproxy status on current process.
13633
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010013634show map [<map>]
13635 Dump info about map converters. Without argument, the list of all available
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013636 maps is returned. If a <map> is specified, its contents are dumped. <map> is
13637 the #<id> or <file>. The first column is a unique identifier. It can be used
13638 as reference for the operation "del map" and "set map". The second column is
13639 the pattern and the third column is the sample if available. The data returned
13640 are not directly a list of available maps, but are the list of all patterns
13641 composing any map. Many of these patterns can be shared with ACL.
Thierry FOURNIERd32079e2014-01-29 20:02:04 +010013642
13643show acl [<acl>]
13644 Dump info about acl converters. Without argument, the list of all available
Thierry FOURNIER65ce6132014-03-20 11:42:45 +010013645 acls is returned. If a <acl> is specified, its contents are dumped. <acl> if
13646 the #<id> or <file>. The dump format is the same than the map even for the
13647 sample value. The data returned are not a list of available ACL, but are the
13648 list of all patterns composing any ACL. Many of these patterns can be shared
13649 with maps.
Thierry FOURNIERc0e0d7b2013-12-11 16:55:52 +010013650
Willy Tarreau12833bb2014-01-28 16:49:56 +010013651show pools
13652 Dump the status of internal memory pools. This is useful to track memory
13653 usage when suspecting a memory leak for example. It does exactly the same
13654 as the SIGQUIT when running in foreground except that it does not flush
13655 the pools.
13656
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020013657show sess
13658 Dump all known sessions. Avoid doing this on slow connections as this can
Willy Tarreau6162db22009-10-10 17:13:00 +020013659 be huge. This command is restricted and can only be issued on sockets
13660 configured for levels "operator" or "admin".
13661
Willy Tarreau66dc20a2010-03-05 17:53:32 +010013662show sess <id>
13663 Display a lot of internal information about the specified session identifier.
13664 This identifier is the first field at the beginning of the lines in the dumps
13665 of "show sess" (it corresponds to the session pointer). Those information are
13666 useless to most users but may be used by haproxy developers to troubleshoot a
13667 complex bug. The output format is intentionally not documented so that it can
Willy Tarreau76153662012-11-26 01:16:39 +010013668 freely evolve depending on demands. The special id "all" dumps the states of
13669 all sessions, which can be avoided as much as possible as it is highly CPU
13670 intensive and can take a lot of time.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020013671
13672show stat [<iid> <type> <sid>]
13673 Dump statistics in the CSV format. By passing <id>, <type> and <sid>, it is
13674 possible to dump only selected items :
13675 - <iid> is a proxy ID, -1 to dump everything
13676 - <type> selects the type of dumpable objects : 1 for frontends, 2 for
13677 backends, 4 for servers, -1 for everything. These values can be ORed,
13678 for example:
13679 1 + 2 = 3 -> frontend + backend.
13680 1 + 2 + 4 = 7 -> frontend + backend + server.
13681 - <sid> is a server ID, -1 to dump everything from the selected proxy.
13682
13683 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020013684 $ echo "show info;show stat" | socat stdio unix-connect:/tmp/sock1
13685 >>> Name: HAProxy
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020013686 Version: 1.4-dev2-49
13687 Release_date: 2009/09/23
13688 Nbproc: 1
13689 Process_num: 1
13690 (...)
13691
13692 # pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq, (...)
13693 stats,FRONTEND,,,0,0,1000,0,0,0,0,0,0,,,,,OPEN,,,,,,,,,1,1,0, (...)
13694 stats,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,0,0,0,,0,250,(...)
13695 (...)
13696 www1,BACKEND,0,0,0,0,1000,0,0,0,0,0,,0,0,0,0,UP,1,1,0,,0,250, (...)
13697
13698 $
13699
13700 Here, two commands have been issued at once. That way it's easy to find
13701 which process the stats apply to in multi-process mode. Notice the empty
13702 line after the information output which marks the end of the first block.
13703 A similar empty line appears at the end of the second block (stats) so that
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +010013704 the reader knows the output has not been truncated.
Willy Tarreau9a42c0d2009-09-22 19:31:03 +020013705
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013706show table
13707 Dump general information on all known stick-tables. Their name is returned
13708 (the name of the proxy which holds them), their type (currently zero, always
13709 IP), their size in maximum possible number of entries, and the number of
13710 entries currently in use.
13711
13712 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020013713 $ echo "show table" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090013714 >>> # table: front_pub, type: ip, size:204800, used:171454
13715 >>> # table: back_rdp, type: ip, size:204800, used:0
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013716
Simon Horman17bce342011-06-15 15:18:47 +090013717show table <name> [ data.<type> <operator> <value> ] | [ key <key> ]
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013718 Dump contents of stick-table <name>. In this mode, a first line of generic
13719 information about the table is reported as with "show table", then all
13720 entries are dumped. Since this can be quite heavy, it is possible to specify
Simon Horman17bce342011-06-15 15:18:47 +090013721 a filter in order to specify what entries to display.
13722
13723 When the "data." form is used the filter applies to the stored data (see
13724 "stick-table" in section 4.2). A stored data type must be specified
13725 in <type>, and this data type must be stored in the table otherwise an
13726 error is reported. The data is compared according to <operator> with the
13727 64-bit integer <value>. Operators are the same as with the ACLs :
13728
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013729 - eq : match entries whose data is equal to this value
13730 - ne : match entries whose data is not equal to this value
13731 - le : match entries whose data is less than or equal to this value
13732 - ge : match entries whose data is greater than or equal to this value
13733 - lt : match entries whose data is less than this value
13734 - gt : match entries whose data is greater than this value
13735
Simon Hormanc88b8872011-06-15 15:18:49 +090013736
13737 When the key form is used the entry <key> is shown. The key must be of the
Simon Horman619e3cc2011-06-15 15:18:52 +090013738 same type as the table, which currently is limited to IPv4, IPv6, integer,
13739 and string.
Simon Horman17bce342011-06-15 15:18:47 +090013740
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013741 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020013742 $ echo "show table http_proxy" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090013743 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020013744 >>> 0x80e6a4c: key=127.0.0.1 use=0 exp=3594729 gpc0=0 conn_rate(30000)=1 \
13745 bytes_out_rate(60000)=187
13746 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
13747 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013748
Willy Tarreau62a36c42010-08-17 15:53:10 +020013749 $ echo "show table http_proxy data.gpc0 gt 0" | socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090013750 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020013751 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
13752 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013753
Willy Tarreau62a36c42010-08-17 15:53:10 +020013754 $ echo "show table http_proxy data.conn_rate gt 5" | \
13755 socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090013756 >>> # table: http_proxy, type: ip, size:204800, used:2
Willy Tarreau62a36c42010-08-17 15:53:10 +020013757 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
13758 bytes_out_rate(60000)=191
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013759
Simon Horman17bce342011-06-15 15:18:47 +090013760 $ echo "show table http_proxy key 127.0.0.2" | \
13761 socat stdio /tmp/sock1
Simon Horman64b28d02011-08-13 08:03:50 +090013762 >>> # table: http_proxy, type: ip, size:204800, used:2
Simon Horman17bce342011-06-15 15:18:47 +090013763 >>> 0x80e6a80: key=127.0.0.2 use=0 exp=3594740 gpc0=1 conn_rate(30000)=10 \
13764 bytes_out_rate(60000)=191
13765
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013766 When the data criterion applies to a dynamic value dependent on time such as
13767 a bytes rate, the value is dynamically computed during the evaluation of the
13768 entry in order to decide whether it has to be dumped or not. This means that
13769 such a filter could match for some time then not match anymore because as
13770 time goes, the average event rate drops.
13771
13772 It is possible to use this to extract lists of IP addresses abusing the
13773 service, in order to monitor them or even blacklist them in a firewall.
13774 Example :
Willy Tarreau62a36c42010-08-17 15:53:10 +020013775 $ echo "show table http_proxy data.gpc0 gt 0" \
13776 | socat stdio /tmp/sock1 \
Willy Tarreau88bc4ec2010-08-01 07:58:48 +020013777 | fgrep 'key=' | cut -d' ' -f2 | cut -d= -f2 > abusers-ip.txt
13778 ( or | awk '/key/{ print a[split($2,a,"=")]; }' )
Krzysztof Piotr Oledzki719e7262009-10-04 15:02:46 +020013779
Willy Tarreau532a4502011-09-07 22:37:44 +020013780shutdown frontend <frontend>
13781 Completely delete the specified frontend. All the ports it was bound to will
13782 be released. It will not be possible to enable the frontend anymore after
13783 this operation. This is intended to be used in environments where stopping a
13784 proxy is not even imaginable but a misconfigured proxy must be fixed. That
13785 way it's possible to release the port and bind it into another process to
13786 restore operations. The frontend will not appear at all on the stats page
13787 once it is terminated.
13788
13789 The frontend may be specified either by its name or by its numeric ID,
13790 prefixed with a sharp ('#').
13791
13792 This command is restricted and can only be issued on sockets configured for
13793 level "admin".
13794
Willy Tarreaua295edc2011-09-07 23:21:03 +020013795shutdown session <id>
13796 Immediately terminate the session matching the specified session identifier.
13797 This identifier is the first field at the beginning of the lines in the dumps
13798 of "show sess" (it corresponds to the session pointer). This can be used to
13799 terminate a long-running session without waiting for a timeout or when an
13800 endless transfer is ongoing. Such terminated sessions are reported with a 'K'
13801 flag in the logs.
13802
Willy Tarreau52b2d222011-09-07 23:48:48 +020013803shutdown sessions <backend>/<server>
13804 Immediately terminate all the sessions attached to the specified server. This
13805 can be used to terminate long-running sessions after a server is put into
13806 maintenance mode, for instance. Such terminated sessions are reported with a
13807 'K' flag in the logs.
13808
Willy Tarreau0ba27502007-12-24 16:55:16 +010013809/*
13810 * Local variables:
13811 * fill-column: 79
13812 * End:
13813 */