blob: 5f7a65bb0929ec93f5b233ed024d9c9643ecdf03 [file] [log] [blame]
Willy Tarreau6a06a402007-07-15 20:15:28 +02001 ----------------------
2 HAProxy
3 Configuration Manual
4 ----------------------
Willy Tarreau21475e32010-05-23 08:46:08 +02005 version 1.5
Willy Tarreau6a06a402007-07-15 20:15:28 +02006 willy tarreau
Willy Tarreaua3ecbd92012-12-28 15:04:05 +01007 2012/12/28
Willy Tarreau6a06a402007-07-15 20:15:28 +02008
9
10This document covers the configuration language as implemented in the version
11specified above. It does not provide any hint, example or advice. For such
Willy Tarreau0ba27502007-12-24 16:55:16 +010012documentation, please refer to the Reference Manual or the Architecture Manual.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020013The summary below is meant to help you search sections by name and navigate
14through the document.
Willy Tarreau6a06a402007-07-15 20:15:28 +020015
Willy Tarreauc57f0e22009-05-10 13:12:33 +020016Note to documentation contributors :
Jamie Gloudonaaa21002012-08-25 00:18:33 -040017 This document is formatted with 80 columns per line, with even number of
Willy Tarreauc57f0e22009-05-10 13:12:33 +020018 spaces for indentation and without tabs. Please follow these rules strictly
19 so that it remains easily printable everywhere. If a line needs to be
20 printed verbatim and does not fit, please end each line with a backslash
Willy Tarreau62a36c42010-08-17 15:53:10 +020021 ('\') and continue on next line, indented by two characters. It is also
22 sometimes useful to prefix all output lines (logs, console outs) with 3
23 closing angle brackets ('>>>') in order to help get the difference between
24 inputs and outputs when it can become ambiguous. If you add sections,
25 please update the summary below for easier searching.
Willy Tarreauc57f0e22009-05-10 13:12:33 +020026
27
28Summary
29-------
30
311. Quick reminder about HTTP
321.1. The HTTP transaction model
331.2. HTTP request
341.2.1. The Request line
351.2.2. The request headers
361.3. HTTP response
371.3.1. The Response line
381.3.2. The response headers
39
402. Configuring HAProxy
412.1. Configuration file format
422.2. Time format
Patrick Mezard35da19c2010-06-12 17:02:47 +0200432.3. Examples
Willy Tarreauc57f0e22009-05-10 13:12:33 +020044
453. Global parameters
463.1. Process management and security
473.2. Performance tuning
483.3. Debugging
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100493.4. Userlists
Cyril Bontédc4d9032012-04-08 21:57:39 +0200503.5. Peers
Willy Tarreauc57f0e22009-05-10 13:12:33 +020051
524. Proxies
534.1. Proxy keywords matrix
544.2. Alphabetically sorted keywords reference
55
Willy Tarreau086fbf52012-09-24 20:34:51 +0200565. Bind and Server options
575.1. Bind options
585.2. Server and default-server options
Willy Tarreauc57f0e22009-05-10 13:12:33 +020059
606. HTTP header manipulation
61
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100627. Using ACLs and pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200637.1. Matching integers
647.2. Matching strings
657.3. Matching regular expressions (regexes)
Willy Tarreauceb4ac92012-04-28 00:41:46 +0200667.4. Matching IPv4 and IPv6 addresses
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200677.5. Available matching criteria
687.5.1. Matching at Layer 4 and below
697.5.2. Matching contents at Layer 4
707.5.3. Matching at Layer 7
717.6. Pre-defined ACLs
727.7. Using ACLs to form conditions
Cyril Bonté7d38afb2010-02-03 20:41:26 +0100737.8. Pattern extraction
Willy Tarreauc57f0e22009-05-10 13:12:33 +020074
758. Logging
768.1. Log levels
778.2. Log formats
788.2.1. Default log format
798.2.2. TCP log format
808.2.3. HTTP log format
William Lallemand48940402012-01-30 16:47:22 +0100818.2.4. Custom log format
Willy Tarreau5f51e1a2012-12-03 18:40:10 +0100828.2.5. Error log format
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200838.3. Advanced logging options
848.3.1. Disabling logging of external tests
858.3.2. Logging before waiting for the session to terminate
868.3.3. Raising log level upon errors
878.3.4. Disabling logging of successful connections
888.4. Timing events
898.5. Session state at disconnection
908.6. Non-printable characters
918.7. Capturing HTTP cookies
928.8. Capturing HTTP headers
938.9. Examples of logs
94
959. Statistics and monitoring
969.1. CSV format
979.2. Unix Socket commands
98
99
1001. Quick reminder about HTTP
101----------------------------
102
103When haproxy is running in HTTP mode, both the request and the response are
104fully analyzed and indexed, thus it becomes possible to build matching criteria
105on almost anything found in the contents.
106
107However, it is important to understand how HTTP requests and responses are
108formed, and how HAProxy decomposes them. It will then become easier to write
109correct rules and to debug existing configurations.
110
111
1121.1. The HTTP transaction model
113-------------------------------
114
115The HTTP protocol is transaction-driven. This means that each request will lead
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100116to one and only one response. Traditionally, a TCP connection is established
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200117from the client to the server, a request is sent by the client on the
118connection, the server responds and the connection is closed. A new request
119will involve a new connection :
120
121 [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...
122
123In this mode, called the "HTTP close" mode, there are as many connection
124establishments as there are HTTP transactions. Since the connection is closed
125by the server after the response, the client does not need to know the content
126length.
127
128Due to the transactional nature of the protocol, it was possible to improve it
129to avoid closing a connection between two subsequent transactions. In this mode
130however, it is mandatory that the server indicates the content length for each
131response so that the client does not wait indefinitely. For this, a special
132header is used: "Content-length". This mode is called the "keep-alive" mode :
133
134 [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...
135
136Its advantages are a reduced latency between transactions, and less processing
137power required on the server side. It is generally better than the close mode,
138but not always because the clients often limit their concurrent connections to
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200139a smaller value.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200140
141A last improvement in the communications is the pipelining mode. It still uses
142keep-alive, but the client does not wait for the first response to send the
143second request. This is useful for fetching large number of images composing a
144page :
145
146 [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...
147
148This can obviously have a tremendous benefit on performance because the network
149latency is eliminated between subsequent requests. Many HTTP agents do not
150correctly support pipelining since there is no way to associate a response with
151the corresponding request in HTTP. For this reason, it is mandatory for the
Cyril Bonté78caf842010-03-10 22:41:43 +0100152server to reply in the exact same order as the requests were received.
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200153
Patrick Mezard9ec2ec42010-06-12 17:02:45 +0200154By default HAProxy operates in a tunnel-like mode with regards to persistent
155connections: for each connection it processes the first request and forwards
156everything else (including additional requests) to selected server. Once
157established, the connection is persisted both on the client and server
158sides. Use "option http-server-close" to preserve client persistent connections
159while handling every incoming request individually, dispatching them one after
160another to servers, in HTTP close mode. Use "option httpclose" to switch both
161sides to HTTP close mode. "option forceclose" and "option
162http-pretend-keepalive" help working around servers misbehaving in HTTP close
163mode.
164
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200165
1661.2. HTTP request
167-----------------
168
169First, let's consider this HTTP request :
170
171 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100172 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200173 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1
174 2 Host: www.mydomain.com
175 3 User-agent: my small browser
176 4 Accept: image/jpeg, image/gif
177 5 Accept: image/png
178
179
1801.2.1. The Request line
181-----------------------
182
183Line 1 is the "request line". It is always composed of 3 fields :
184
185 - a METHOD : GET
186 - a URI : /serv/login.php?lang=en&profile=2
187 - a version tag : HTTP/1.1
188
189All of them are delimited by what the standard calls LWS (linear white spaces),
190which are commonly spaces, but can also be tabs or line feeds/carriage returns
191followed by spaces/tabs. The method itself cannot contain any colon (':') and
192is limited to alphabetic letters. All those various combinations make it
193desirable that HAProxy performs the splitting itself rather than leaving it to
194the user to write a complex or inaccurate regular expression.
195
196The URI itself can have several forms :
197
198 - A "relative URI" :
199
200 /serv/login.php?lang=en&profile=2
201
202 It is a complete URL without the host part. This is generally what is
203 received by servers, reverse proxies and transparent proxies.
204
205 - An "absolute URI", also called a "URL" :
206
207 http://192.168.0.12:8080/serv/login.php?lang=en&profile=2
208
209 It is composed of a "scheme" (the protocol name followed by '://'), a host
210 name or address, optionally a colon (':') followed by a port number, then
211 a relative URI beginning at the first slash ('/') after the address part.
212 This is generally what proxies receive, but a server supporting HTTP/1.1
213 must accept this form too.
214
215 - a star ('*') : this form is only accepted in association with the OPTIONS
216 method and is not relayable. It is used to inquiry a next hop's
217 capabilities.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100218
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200219 - an address:port combination : 192.168.0.12:80
220 This is used with the CONNECT method, which is used to establish TCP
221 tunnels through HTTP proxies, generally for HTTPS, but sometimes for
222 other protocols too.
223
224In a relative URI, two sub-parts are identified. The part before the question
225mark is called the "path". It is typically the relative path to static objects
226on the server. The part after the question mark is called the "query string".
227It is mostly used with GET requests sent to dynamic scripts and is very
228specific to the language, framework or application in use.
229
230
2311.2.2. The request headers
232--------------------------
233
234The headers start at the second line. They are composed of a name at the
235beginning of the line, immediately followed by a colon (':'). Traditionally,
236an LWS is added after the colon but that's not required. Then come the values.
237Multiple identical headers may be folded into one single line, delimiting the
238values with commas, provided that their order is respected. This is commonly
239encountered in the "Cookie:" field. A header may span over multiple lines if
240the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5
241define a total of 3 values for the "Accept:" header.
242
243Contrary to a common mis-conception, header names are not case-sensitive, and
244their values are not either if they refer to other header names (such as the
245"Connection:" header).
246
247The end of the headers is indicated by the first empty line. People often say
248that it's a double line feed, which is not exact, even if a double line feed
249is one valid form of empty line.
250
251Fortunately, HAProxy takes care of all these complex combinations when indexing
252headers, checking values and counting them, so there is no reason to worry
253about the way they could be written, but it is important not to accuse an
254application of being buggy if it does unusual, valid things.
255
256Important note:
257 As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
258 in the middle of headers by LWS in order to join multi-line headers. This
259 is necessary for proper analysis and helps less capable HTTP parsers to work
260 correctly and not to be fooled by such complex constructs.
261
262
2631.3. HTTP response
264------------------
265
266An HTTP response looks very much like an HTTP request. Both are called HTTP
267messages. Let's consider this HTTP response :
268
269 Line Contents
Willy Tarreaud72758d2010-01-12 10:42:19 +0100270 number
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200271 1 HTTP/1.1 200 OK
272 2 Content-length: 350
273 3 Content-Type: text/html
274
Willy Tarreau816b9792009-09-15 21:25:21 +0200275As a special case, HTTP supports so called "Informational responses" as status
276codes 1xx. These messages are special in that they don't convey any part of the
277response, they're just used as sort of a signaling message to ask a client to
Willy Tarreau5843d1a2010-02-01 15:13:32 +0100278continue to post its request for instance. In the case of a status 100 response
279the requested information will be carried by the next non-100 response message
280following the informational one. This implies that multiple responses may be
281sent to a single request, and that this only works when keep-alive is enabled
282(1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to
283correctly forward and skip them, and only process the next non-100 response. As
284such, these messages are neither logged nor transformed, unless explicitly
285state otherwise. Status 101 messages indicate that the protocol is changing
286over the same connection and that haproxy must switch to tunnel mode, just as
287if a CONNECT had occurred. Then the Upgrade header would contain additional
288information about the type of protocol the connection is switching to.
Willy Tarreau816b9792009-09-15 21:25:21 +0200289
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200290
2911.3.1. The Response line
292------------------------
293
294Line 1 is the "response line". It is always composed of 3 fields :
295
296 - a version tag : HTTP/1.1
297 - a status code : 200
298 - a reason : OK
299
300The status code is always 3-digit. The first digit indicates a general status :
Willy Tarreau816b9792009-09-15 21:25:21 +0200301 - 1xx = informational message to be skipped (eg: 100, 101)
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200302 - 2xx = OK, content is following (eg: 200, 206)
303 - 3xx = OK, no content following (eg: 302, 304)
304 - 4xx = error caused by the client (eg: 401, 403, 404)
305 - 5xx = error caused by the server (eg: 500, 502, 503)
306
307Please refer to RFC2616 for the detailed meaning of all such codes. The
Willy Tarreaud72758d2010-01-12 10:42:19 +0100308"reason" field is just a hint, but is not parsed by clients. Anything can be
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200309found there, but it's a common practice to respect the well-established
310messages. It can be composed of one or multiple words, such as "OK", "Found",
311or "Authentication Required".
312
313Haproxy may emit the following status codes by itself :
314
315 Code When / reason
316 200 access to stats page, and when replying to monitoring requests
317 301 when performing a redirection, depending on the configured code
318 302 when performing a redirection, depending on the configured code
319 303 when performing a redirection, depending on the configured code
320 400 for an invalid or too large request
321 401 when an authentication is required to perform the action (when
322 accessing the stats page)
323 403 when a request is forbidden by a "block" ACL or "reqdeny" filter
324 408 when the request timeout strikes before the request is complete
325 500 when haproxy encounters an unrecoverable internal error, such as a
326 memory allocation failure, which should never happen
327 502 when the server returns an empty, invalid or incomplete response, or
328 when an "rspdeny" filter blocks the response.
329 503 when no server was available to handle the request, or in response to
330 monitoring requests which match the "monitor fail" condition
331 504 when the response timeout strikes before the server responds
332
333The error 4xx and 5xx codes above may be customized (see "errorloc" in section
3344.2).
335
336
3371.3.2. The response headers
338---------------------------
339
340Response headers work exactly like request headers, and as such, HAProxy uses
341the same parsing function for both. Please refer to paragraph 1.2.2 for more
342details.
343
344
3452. Configuring HAProxy
346----------------------
347
3482.1. Configuration file format
349------------------------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200350
351HAProxy's configuration process involves 3 major sources of parameters :
352
353 - the arguments from the command-line, which always take precedence
354 - the "global" section, which sets process-wide parameters
355 - the proxies sections which can take form of "defaults", "listen",
356 "frontend" and "backend".
357
Willy Tarreau0ba27502007-12-24 16:55:16 +0100358The configuration file syntax consists in lines beginning with a keyword
359referenced in this manual, optionally followed by one or several parameters
360delimited by spaces. If spaces have to be entered in strings, then they must be
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100361preceded by a backslash ('\') to be escaped. Backslashes also have to be
Willy Tarreau0ba27502007-12-24 16:55:16 +0100362escaped by doubling them.
363
Willy Tarreauc57f0e22009-05-10 13:12:33 +0200364
3652.2. Time format
366----------------
367
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100368Some parameters involve values representing time, such as timeouts. These
Willy Tarreau0ba27502007-12-24 16:55:16 +0100369values are generally expressed in milliseconds (unless explicitly stated
370otherwise) but may be expressed in any other unit by suffixing the unit to the
371numeric value. It is important to consider this because it will not be repeated
372for every keyword. Supported units are :
373
374 - us : microseconds. 1 microsecond = 1/1000000 second
375 - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
376 - s : seconds. 1s = 1000ms
377 - m : minutes. 1m = 60s = 60000ms
378 - h : hours. 1h = 60m = 3600s = 3600000ms
379 - d : days. 1d = 24h = 1440m = 86400s = 86400000ms
380
381
Patrick Mezard35da19c2010-06-12 17:02:47 +02003822.3. Examples
383-------------
384
385 # Simple configuration for an HTTP proxy listening on port 80 on all
386 # interfaces and forwarding requests to a single backend "servers" with a
387 # single server "server1" listening on 127.0.0.1:8000
388 global
389 daemon
390 maxconn 256
391
392 defaults
393 mode http
394 timeout connect 5000ms
395 timeout client 50000ms
396 timeout server 50000ms
397
398 frontend http-in
399 bind *:80
400 default_backend servers
401
402 backend servers
403 server server1 127.0.0.1:8000 maxconn 32
404
405
406 # The same configuration defined with a single listen block. Shorter but
407 # less expressive, especially in HTTP mode.
408 global
409 daemon
410 maxconn 256
411
412 defaults
413 mode http
414 timeout connect 5000ms
415 timeout client 50000ms
416 timeout server 50000ms
417
418 listen http-in
419 bind *:80
420 server server1 127.0.0.1:8000 maxconn 32
421
422
423Assuming haproxy is in $PATH, test these configurations in a shell with:
424
Willy Tarreauccb289d2010-12-11 20:19:38 +0100425 $ sudo haproxy -f configuration.conf -c
Patrick Mezard35da19c2010-06-12 17:02:47 +0200426
427
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004283. Global parameters
Willy Tarreau6a06a402007-07-15 20:15:28 +0200429--------------------
430
431Parameters in the "global" section are process-wide and often OS-specific. They
432are generally set once for all and do not need being changed once correct. Some
433of them have command-line equivalents.
434
435The following keywords are supported in the "global" section :
436
437 * Process management and security
Emeric Brunc8e8d122012-10-02 18:42:10 +0200438 - ca-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200439 - chroot
Emeric Brunc8e8d122012-10-02 18:42:10 +0200440 - crt-base
Willy Tarreau6a06a402007-07-15 20:15:28 +0200441 - daemon
442 - gid
443 - group
444 - log
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100445 - log-send-hostname
Willy Tarreau6a06a402007-07-15 20:15:28 +0200446 - nbproc
447 - pidfile
448 - uid
449 - ulimit-n
450 - user
Willy Tarreaufbee7132007-10-18 13:53:22 +0200451 - stats
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200452 - node
453 - description
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100454 - unix-bind
Willy Tarreaud72758d2010-01-12 10:42:19 +0100455
Willy Tarreau6a06a402007-07-15 20:15:28 +0200456 * Performance tuning
457 - maxconn
Willy Tarreau81c25d02011-09-07 15:17:21 +0200458 - maxconnrate
William Lallemandd85f9172012-11-09 17:05:39 +0100459 - maxcomprate
William Lallemand072a2bf2012-11-20 17:01:01 +0100460 - maxcompcpuusage
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100461 - maxpipes
Willy Tarreau403edff2012-09-06 11:58:37 +0200462 - maxsslconn
Willy Tarreau6a06a402007-07-15 20:15:28 +0200463 - noepoll
464 - nokqueue
465 - nopoll
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100466 - nosplice
Willy Tarreaufe255b72007-10-14 23:09:26 +0200467 - spread-checks
Willy Tarreau27a674e2009-08-17 07:23:33 +0200468 - tune.bufsize
Willy Tarreau43961d52010-10-04 20:39:20 +0200469 - tune.chksize
William Lallemandf3747832012-11-09 12:33:10 +0100470 - tune.comp.maxlevel
Willy Tarreau193b8c62012-11-22 00:17:38 +0100471 - tune.http.cookielen
Willy Tarreauac1932d2011-10-24 19:14:41 +0200472 - tune.http.maxhdr
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100473 - tune.maxaccept
474 - tune.maxpollevents
Willy Tarreau27a674e2009-08-17 07:23:33 +0200475 - tune.maxrewrite
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200476 - tune.pipesize
Willy Tarreaue803de22010-01-21 17:43:04 +0100477 - tune.rcvbuf.client
478 - tune.rcvbuf.server
479 - tune.sndbuf.client
480 - tune.sndbuf.server
Willy Tarreau6ec58db2012-11-16 16:32:15 +0100481 - tune.ssl.cachesize
William Lallemanda509e4c2012-11-07 16:54:34 +0100482 - tune.zlib.memlevel
483 - tune.zlib.windowsize
Willy Tarreaud72758d2010-01-12 10:42:19 +0100484
Willy Tarreau6a06a402007-07-15 20:15:28 +0200485 * Debugging
486 - debug
487 - quiet
Willy Tarreau6a06a402007-07-15 20:15:28 +0200488
489
Willy Tarreauc57f0e22009-05-10 13:12:33 +02004903.1. Process management and security
Willy Tarreau6a06a402007-07-15 20:15:28 +0200491------------------------------------
492
Emeric Brunc8e8d122012-10-02 18:42:10 +0200493ca-base <dir>
494 Assigns a default directory to fetch SSL CA certificates and CRLs from when a
Emeric Brunfd33a262012-10-11 16:28:27 +0200495 relative path is used with "ca-file" or "crl-file" directives. Absolute
496 locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base".
Emeric Brunc8e8d122012-10-02 18:42:10 +0200497
Willy Tarreau6a06a402007-07-15 20:15:28 +0200498chroot <jail dir>
499 Changes current directory to <jail dir> and performs a chroot() there before
500 dropping privileges. This increases the security level in case an unknown
501 vulnerability would be exploited, since it would make it very hard for the
502 attacker to exploit the system. This only works when the process is started
503 with superuser privileges. It is important to ensure that <jail_dir> is both
504 empty and unwritable to anyone.
Willy Tarreaud72758d2010-01-12 10:42:19 +0100505
Willy Tarreaufc6c0322012-11-16 16:12:27 +0100506cpu-map <"all"|"odd"|"even"|process_num> <cpu-set>...
507 On Linux 2.6 and above, it is possible to bind a process to a specific CPU
508 set. This means that the process will never run on other CPUs. The "cpu-map"
509 directive specifies CPU sets for process sets. The first argument is the
510 process number to bind. This process must have a number between 1 and 32,
511 and any process IDs above nbproc are ignored. It is possible to specify all
512 processes at once using "all", only odd numbers using "odd" or even numbers
513 using "even", just like with the "bind-process" directive. The second and
514 forthcoming arguments are CPU sets. Each CPU set is either a unique number
515 between 0 and 31 or a range with two such numbers delimited by a dash ('-').
516 Multiple CPU numbers or ranges may be specified, and the processes will be
517 allowed to bind to all of them. Obviously, multiple "cpu-map" directives may
518 be specified. Each "cpu-map" directive will replace the previous ones when
519 they overlap.
520
Emeric Brunc8e8d122012-10-02 18:42:10 +0200521crt-base <dir>
522 Assigns a default directory to fetch SSL certificates from when a relative
523 path is used with "crtfile" directives. Absolute locations specified after
524 "crtfile" prevail and ignore "crt-base".
525
Willy Tarreau6a06a402007-07-15 20:15:28 +0200526daemon
527 Makes the process fork into background. This is the recommended mode of
528 operation. It is equivalent to the command line "-D" argument. It can be
529 disabled by the command line "-db" argument.
530
531gid <number>
532 Changes the process' group ID to <number>. It is recommended that the group
533 ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
534 be started with a user belonging to this group, or with superuser privileges.
Michael Schererab012dd2013-01-12 18:35:19 +0100535 Note that if haproxy is started from a user having supplementary groups, it
536 will only be able to drop these groups if started with superuser privileges.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200537 See also "group" and "uid".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100538
Willy Tarreau6a06a402007-07-15 20:15:28 +0200539group <group name>
540 Similar to "gid" but uses the GID of group name <group name> from /etc/group.
541 See also "gid" and "user".
Willy Tarreaud72758d2010-01-12 10:42:19 +0100542
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200543log <address> <facility> [max level [min level]]
Willy Tarreau6a06a402007-07-15 20:15:28 +0200544 Adds a global syslog server. Up to two global servers can be defined. They
545 will receive logs for startups and exits, as well as all logs from proxies
Robert Tsai81ae1952007-12-05 10:47:29 +0100546 configured with "log global".
547
548 <address> can be one of:
549
Willy Tarreau2769aa02007-12-27 18:26:09 +0100550 - An IPv4 address optionally followed by a colon and a UDP port. If
Robert Tsai81ae1952007-12-05 10:47:29 +0100551 no port is specified, 514 is used by default (the standard syslog
552 port).
553
David du Colombier24bb5f52011-03-17 10:40:23 +0100554 - An IPv6 address followed by a colon and optionally a UDP port. If
555 no port is specified, 514 is used by default (the standard syslog
556 port).
557
Robert Tsai81ae1952007-12-05 10:47:29 +0100558 - A filesystem path to a UNIX domain socket, keeping in mind
559 considerations for chroot (be sure the path is accessible inside
560 the chroot) and uid/gid (be sure the path is appropriately
561 writeable).
562
563 <facility> must be one of the 24 standard syslog facilities :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200564
565 kern user mail daemon auth syslog lpr news
566 uucp cron auth2 ftp ntp audit alert cron2
567 local0 local1 local2 local3 local4 local5 local6 local7
568
569 An optional level can be specified to filter outgoing messages. By default,
Willy Tarreauf7edefa2009-05-10 17:20:05 +0200570 all messages are sent. If a maximum level is specified, only messages with a
571 severity at least as important as this level will be sent. An optional minimum
572 level can be specified. If it is set, logs emitted with a more severe level
573 than this one will be capped to this level. This is used to avoid sending
574 "emerg" messages on all terminals on some default syslog configurations.
575 Eight levels are known :
Willy Tarreau6a06a402007-07-15 20:15:28 +0200576
Cyril Bontédc4d9032012-04-08 21:57:39 +0200577 emerg alert crit err warning notice info debug
Willy Tarreau6a06a402007-07-15 20:15:28 +0200578
Joe Williamsdf5b38f2010-12-29 17:05:48 +0100579log-send-hostname [<string>]
580 Sets the hostname field in the syslog header. If optional "string" parameter
581 is set the header is set to the string contents, otherwise uses the hostname
582 of the system. Generally used if one is not relaying logs through an
583 intermediate syslog server or for simply customizing the hostname printed in
584 the logs.
585
Kevinm48936af2010-12-22 16:08:21 +0000586log-tag <string>
587 Sets the tag field in the syslog header to this string. It defaults to the
588 program name as launched from the command line, which usually is "haproxy".
589 Sometimes it can be useful to differentiate between multiple processes
590 running on the same host.
591
Willy Tarreau6a06a402007-07-15 20:15:28 +0200592nbproc <number>
593 Creates <number> processes when going daemon. This requires the "daemon"
594 mode. By default, only one process is created, which is the recommended mode
595 of operation. For systems limited to small sets of file descriptors per
596 process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
597 IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
598
599pidfile <pidfile>
600 Writes pids of all daemons into file <pidfile>. This option is equivalent to
601 the "-p" command line argument. The file must be accessible to the user
602 starting the process. See also "daemon".
603
Willy Tarreau110ecc12012-11-15 17:50:01 +0100604stats bind-process [ all | odd | even | <number 1-32>[-<number 1-32>] ] ...
Willy Tarreau35b7b162012-10-22 23:17:18 +0200605 Limits the stats socket to a certain set of processes numbers. By default the
606 stats socket is bound to all processes, causing a warning to be emitted when
607 nbproc is greater than 1 because there is no way to select the target process
608 when connecting. However, by using this setting, it becomes possible to pin
609 the stats socket to a specific set of processes, typically the first one. The
610 warning will automatically be disabled when this setting is used, whatever
611 the number of processes used.
612
Willy Tarreauabb175f2012-09-24 12:43:26 +0200613stats socket [<address:port>|<path>] [param*]
614 Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
615 Connections to this socket will return various statistics outputs and even
616 allow some commands to be issued to change some runtime settings. Please
617 consult section 9.2 "Unix Socket commands" for more details.
Willy Tarreau6162db22009-10-10 17:13:00 +0200618
Willy Tarreauabb175f2012-09-24 12:43:26 +0200619 All parameters supported by "bind" lines are supported, for instance to
620 restrict access to some users or their access rights. Please consult
621 section 5.1 for more information.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200622
623stats timeout <timeout, in milliseconds>
624 The default timeout on the stats socket is set to 10 seconds. It is possible
625 to change this value with "stats timeout". The value must be passed in
Willy Tarreaubefdff12007-12-02 22:27:38 +0100626 milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.
Willy Tarreaufbee7132007-10-18 13:53:22 +0200627
628stats maxconn <connections>
629 By default, the stats socket is limited to 10 concurrent connections. It is
630 possible to change this value with "stats maxconn".
631
Willy Tarreau6a06a402007-07-15 20:15:28 +0200632uid <number>
633 Changes the process' user ID to <number>. It is recommended that the user ID
634 is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
635 be started with superuser privileges in order to be able to switch to another
636 one. See also "gid" and "user".
637
638ulimit-n <number>
639 Sets the maximum number of per-process file-descriptors to <number>. By
640 default, it is automatically computed, so it is recommended not to use this
641 option.
642
Willy Tarreauceb24bc2010-11-09 12:46:41 +0100643unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ]
644 [ group <group> ] [ gid <gid> ]
645
646 Fixes common settings to UNIX listening sockets declared in "bind" statements.
647 This is mainly used to simplify declaration of those UNIX sockets and reduce
648 the risk of errors, since those settings are most commonly required but are
649 also process-specific. The <prefix> setting can be used to force all socket
650 path to be relative to that directory. This might be needed to access another
651 component's chroot. Note that those paths are resolved before haproxy chroots
652 itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid>
653 all have the same meaning as their homonyms used by the "bind" statement. If
654 both are specified, the "bind" statement has priority, meaning that the
655 "unix-bind" settings may be seen as process-wide default settings.
656
Willy Tarreau6a06a402007-07-15 20:15:28 +0200657user <user name>
658 Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
659 See also "uid" and "group".
660
Krzysztof Piotr Oledzki48cb2ae2009-10-02 22:51:14 +0200661node <name>
662 Only letters, digits, hyphen and underscore are allowed, like in DNS names.
663
664 This statement is useful in HA configurations where two or more processes or
665 servers share the same IP address. By setting a different node-name on all
666 nodes, it becomes easy to immediately spot what server is handling the
667 traffic.
668
669description <text>
670 Add a text that describes the instance.
671
672 Please note that it is required to escape certain characters (# for example)
673 and this text is inserted into a html page so you should avoid using
674 "<" and ">" characters.
675
Willy Tarreau6a06a402007-07-15 20:15:28 +0200676
Willy Tarreauc57f0e22009-05-10 13:12:33 +02006773.2. Performance tuning
Willy Tarreau6a06a402007-07-15 20:15:28 +0200678-----------------------
679
680maxconn <number>
681 Sets the maximum per-process number of concurrent connections to <number>. It
682 is equivalent to the command-line argument "-n". Proxies will stop accepting
683 connections when this limit is reached. The "ulimit-n" parameter is
684 automatically adjusted according to this value. See also "ulimit-n".
685
Willy Tarreau81c25d02011-09-07 15:17:21 +0200686maxconnrate <number>
687 Sets the maximum per-process number of connections per second to <number>.
688 Proxies will stop accepting connections when this limit is reached. It can be
689 used to limit the global capacity regardless of each frontend capacity. It is
690 important to note that this can only be used as a service protection measure,
691 as there will not necessarily be a fair share between frontends when the
692 limit is reached, so it's a good idea to also limit each frontend to some
693 value close to its expected share. Also, lowering tune.maxaccept can improve
694 fairness.
695
William Lallemandd85f9172012-11-09 17:05:39 +0100696maxcomprate <number>
697 Sets the maximum per-process input compression rate to <number> kilobytes
698 pers second. For each session, if the maximum is reached, the compression
699 level will be decreased during the session. If the maximum is reached at the
700 beginning of a session, the session will not compress at all. If the maximum
701 is not reached, the compression level will be increased up to
702 tune.comp.maxlevel. A value of zero means there is no limit, this is the
703 default value.
704
William Lallemand072a2bf2012-11-20 17:01:01 +0100705maxcompcpuusage <number>
706 Sets the maximum CPU usage HAProxy can reach before stopping the compression
707 for new requests or decreasing the compression level of current requests.
708 It works like 'maxcomprate' but measures CPU usage instead of incoming data
709 bandwidth. The value is expressed in percent of the CPU used by haproxy. In
710 case of multiple processes (nbproc > 1), each process manages its individual
711 usage. A value of 100 disable the limit. The default value is 100. Setting
712 a lower value will prevent the compression work from slowing the whole
713 process down and from introducing high latencies.
714
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100715maxpipes <number>
716 Sets the maximum per-process number of pipes to <number>. Currently, pipes
717 are only used by kernel-based tcp splicing. Since a pipe contains two file
718 descriptors, the "ulimit-n" value will be increased accordingly. The default
719 value is maxconn/4, which seems to be more than enough for most heavy usages.
720 The splice code dynamically allocates and releases pipes, and can fall back
721 to standard copy, so setting this value too low may only impact performance.
722
Willy Tarreau403edff2012-09-06 11:58:37 +0200723maxsslconn <number>
724 Sets the maximum per-process number of concurrent SSL connections to
725 <number>. By default there is no SSL-specific limit, which means that the
726 global maxconn setting will apply to all connections. Setting this limit
727 avoids having openssl use too much memory and crash when malloc returns NULL
728 (since it unfortunately does not reliably check for such conditions). Note
729 that the limit applies both to incoming and outgoing connections, so one
730 connection which is deciphered then ciphered accounts for 2 SSL connections.
731
William Lallemand9d5f5482012-11-07 16:12:57 +0100732maxzlibmem <number>
733 Sets the maximum amount of RAM in megabytes per process usable by the zlib.
734 When the maximum amount is reached, future sessions will not compress as long
735 as RAM is unavailable. When sets to 0, there is no limit.
William Lallemande3a7d992012-11-20 11:25:20 +0100736 The default value is 0. The value is available in bytes on the UNIX socket
737 with "show info" on the line "MaxZlibMemUsage", the memory used by zlib is
738 "ZlibMemUsage" in bytes.
739
Willy Tarreau6a06a402007-07-15 20:15:28 +0200740noepoll
741 Disables the use of the "epoll" event polling system on Linux. It is
742 equivalent to the command-line argument "-de". The next polling system
Willy Tarreaue9f49e72012-11-11 17:42:00 +0100743 used will generally be "poll". See also "nopoll".
Willy Tarreau6a06a402007-07-15 20:15:28 +0200744
745nokqueue
746 Disables the use of the "kqueue" event polling system on BSD. It is
747 equivalent to the command-line argument "-dk". The next polling system
748 used will generally be "poll". See also "nopoll".
749
750nopoll
751 Disables the use of the "poll" event polling system. It is equivalent to the
752 command-line argument "-dp". The next polling system used will be "select".
Willy Tarreau0ba27502007-12-24 16:55:16 +0100753 It should never be needed to disable "poll" since it's available on all
Willy Tarreaue9f49e72012-11-11 17:42:00 +0100754 platforms supported by HAProxy. See also "nokqueue" and "noepoll".
Willy Tarreau6a06a402007-07-15 20:15:28 +0200755
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100756nosplice
757 Disables the use of kernel tcp splicing between sockets on Linux. It is
758 equivalent to the command line argument "-dS". Data will then be copied
759 using conventional and more portable recv/send calls. Kernel tcp splicing is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +0100760 limited to some very recent instances of kernel 2.6. Most versions between
Willy Tarreauff4f82d2009-02-06 11:28:13 +0100761 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not
762 be used. This option makes it easier to globally disable kernel splicing in
763 case of doubt. See also "option splice-auto", "option splice-request" and
764 "option splice-response".
765
Willy Tarreaufe255b72007-10-14 23:09:26 +0200766spread-checks <0..50, in percent>
767 Sometimes it is desirable to avoid sending health checks to servers at exact
768 intervals, for instance when many logical servers are located on the same
769 physical server. With the help of this parameter, it becomes possible to add
770 some randomness in the check interval between 0 and +/- 50%. A value between
771 2 and 5 seems to show good results. The default value remains at 0.
772
Willy Tarreau27a674e2009-08-17 07:23:33 +0200773tune.bufsize <number>
774 Sets the buffer size to this size (in bytes). Lower values allow more
775 sessions to coexist in the same amount of RAM, and higher values allow some
776 applications with very large cookies to work. The default value is 16384 and
777 can be changed at build time. It is strongly recommended not to change this
778 from the default value, as very low values will break some services such as
779 statistics, and values larger than default size will increase memory usage,
780 possibly causing the system to run out of memory. At least the global maxconn
781 parameter should be decreased by the same factor as this one is increased.
Dmitry Sivachenkof6f4f7b2012-10-21 18:10:25 +0400782 If HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will
783 return HTTP 400 (Bad Request) error. Similarly if an HTTP response is larger
784 than this size, haproxy will return HTTP 502 (Bad Gateway).
Willy Tarreau27a674e2009-08-17 07:23:33 +0200785
Willy Tarreau43961d52010-10-04 20:39:20 +0200786tune.chksize <number>
787 Sets the check buffer size to this size (in bytes). Higher values may help
788 find string or regex patterns in very large pages, though doing so may imply
789 more memory and CPU usage. The default value is 16384 and can be changed at
790 build time. It is not recommended to change this value, but to use better
791 checks whenever possible.
792
William Lallemandf3747832012-11-09 12:33:10 +0100793tune.comp.maxlevel <number>
794 Sets the maximum compression level. The compression level affects CPU
795 usage during compression. This value affects CPU usage during compression.
796 Each session using compression initializes the compression algorithm with
797 this value. The default value is 1.
798
Willy Tarreau193b8c62012-11-22 00:17:38 +0100799tune.http.cookielen <number>
800 Sets the maximum length of captured cookies. This is the maximum value that
801 the "capture cookie xxx len yyy" will be allowed to take, and any upper value
802 will automatically be truncated to this one. It is important not to set too
803 high a value because all cookie captures still allocate this size whatever
804 their configured value (they share a same pool). This value is per request
805 per response, so the memory allocated is twice this value per connection.
806 When not specified, the limit is set to 63 characters. It is recommended not
807 to change this value.
808
Willy Tarreauac1932d2011-10-24 19:14:41 +0200809tune.http.maxhdr <number>
810 Sets the maximum number of headers in a request. When a request comes with a
811 number of headers greater than this value (including the first line), it is
812 rejected with a "400 Bad Request" status code. Similarly, too large responses
813 are blocked with "502 Bad Gateway". The default value is 101, which is enough
814 for all usages, considering that the widely deployed Apache server uses the
815 same limit. It can be useful to push this limit further to temporarily allow
816 a buggy application to work by the time it gets fixed. Keep in mind that each
817 new header consumes 32bits of memory for each session, so don't push this
818 limit too high.
819
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100820tune.maxaccept <number>
Willy Tarreau16a21472012-11-19 12:39:59 +0100821 Sets the maximum number of consecutive connections a process may accept in a
822 row before switching to other work. In single process mode, higher numbers
823 give better performance at high connection rates. However in multi-process
824 modes, keeping a bit of fairness between processes generally is better to
825 increase performance. This value applies individually to each listener, so
826 that the number of processes a listener is bound to is taken into account.
827 This value defaults to 64. In multi-process mode, it is divided by twice
828 the number of processes the listener is bound to. Setting this value to -1
829 completely disables the limitation. It should normally not be needed to tweak
830 this value.
Willy Tarreaua0250ba2008-01-06 11:22:57 +0100831
832tune.maxpollevents <number>
833 Sets the maximum amount of events that can be processed at once in a call to
834 the polling system. The default value is adapted to the operating system. It
835 has been noticed that reducing it below 200 tends to slightly decrease
836 latency at the expense of network bandwidth, and increasing it above 200
837 tends to trade latency for slightly increased bandwidth.
838
Willy Tarreau27a674e2009-08-17 07:23:33 +0200839tune.maxrewrite <number>
840 Sets the reserved buffer space to this size in bytes. The reserved space is
841 used for header rewriting or appending. The first reads on sockets will never
842 fill more than bufsize-maxrewrite. Historically it has defaulted to half of
843 bufsize, though that does not make much sense since there are rarely large
844 numbers of headers to add. Setting it too high prevents processing of large
845 requests or responses. Setting it too low prevents addition of new headers
846 to already large requests or to POST requests. It is generally wise to set it
847 to about 1024. It is automatically readjusted to half of bufsize if it is
848 larger than that. This means you don't have to worry about it when changing
849 bufsize.
850
Willy Tarreaubd9a0a72011-10-23 21:14:29 +0200851tune.pipesize <number>
852 Sets the kernel pipe buffer size to this size (in bytes). By default, pipes
853 are the default size for the system. But sometimes when using TCP splicing,
854 it can improve performance to increase pipe sizes, especially if it is
855 suspected that pipes are not filled and that many calls to splice() are
856 performed. This has an impact on the kernel's memory footprint, so this must
857 not be changed if impacts are not understood.
858
Willy Tarreaue803de22010-01-21 17:43:04 +0100859tune.rcvbuf.client <number>
860tune.rcvbuf.server <number>
861 Forces the kernel socket receive buffer size on the client or the server side
862 to the specified value in bytes. This value applies to all TCP/HTTP frontends
863 and backends. It should normally never be set, and the default size (0) lets
864 the kernel autotune this value depending on the amount of available memory.
865 However it can sometimes help to set it to very low values (eg: 4096) in
866 order to save kernel memory by preventing it from buffering too large amounts
867 of received data. Lower values will significantly increase CPU usage though.
868
869tune.sndbuf.client <number>
870tune.sndbuf.server <number>
871 Forces the kernel socket send buffer size on the client or the server side to
872 the specified value in bytes. This value applies to all TCP/HTTP frontends
873 and backends. It should normally never be set, and the default size (0) lets
874 the kernel autotune this value depending on the amount of available memory.
875 However it can sometimes help to set it to very low values (eg: 4096) in
876 order to save kernel memory by preventing it from buffering too large amounts
877 of received data. Lower values will significantly increase CPU usage though.
878 Another use case is to prevent write timeouts with extremely slow clients due
879 to the kernel waiting for a large part of the buffer to be read before
880 notifying haproxy again.
881
Willy Tarreau6ec58db2012-11-16 16:32:15 +0100882tune.ssl.cachesize <number>
Emeric Brunaf9619d2012-11-28 18:47:52 +0100883 Sets the size of the global SSL session cache, in a number of blocks. A block
884 is large enough to contain an encoded session without peer certificate.
885 An encoded session with peer certificate is stored in multiple blocks
886 depending on the size of the peer certificate. A block use approximatively
887 200 bytes of memory. The default value may be forced at build time, otherwise
888 defaults to 20000. When the cache is full, the most idle entries are purged
889 and reassigned. Higher values reduce the occurrence of such a purge, hence
890 the number of CPU-intensive SSL handshakes by ensuring that all users keep
891 their session as long as possible. All entries are pre-allocated upon startup
Emeric Brun22890a12012-12-28 14:41:32 +0100892 and are shared between all processes if "nbproc" is greater than 1. Setting
893 this value to 0 disables the SSL session cache.
Willy Tarreau6ec58db2012-11-16 16:32:15 +0100894
Emeric Brun4f65bff2012-11-16 15:11:00 +0100895tune.ssl.lifetime <timeout>
896 Sets how long a cached SSL session may remain valid. This time is expressed
897 in seconds and defaults to 300 (5 mn). It is important to understand that it
898 does not guarantee that sessions will last that long, because if the cache is
899 full, the longest idle sessions will be purged despite their configured
900 lifetime. The real usefulness of this setting is to prevent sessions from
901 being used for too long.
902
William Lallemanda509e4c2012-11-07 16:54:34 +0100903tune.zlib.memlevel <number>
904 Sets the memLevel parameter in zlib initialization for each session. It
905 defines how much memory should be allocated for the intenal compression
906 state. A value of 1 uses minimum memory but is slow and reduces compression
907 ratio, a value of 9 uses maximum memory for optimal speed. Can be a value
908 between 1 and 9. The default value is 8.
909
910tune.zlib.windowsize <number>
911 Sets the window size (the size of the history buffer) as a parameter of the
912 zlib initialization for each session. Larger values of this parameter result
913 in better compression at the expense of memory usage. Can be a value between
914 8 and 15. The default value is 15.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200915
Willy Tarreauc57f0e22009-05-10 13:12:33 +02009163.3. Debugging
917--------------
Willy Tarreau6a06a402007-07-15 20:15:28 +0200918
919debug
920 Enables debug mode which dumps to stdout all exchanges, and disables forking
921 into background. It is the equivalent of the command-line argument "-d". It
922 should never be used in a production configuration since it may prevent full
923 system startup.
924
925quiet
926 Do not display any message during startup. It is equivalent to the command-
927 line argument "-q".
928
Emeric Brunf099e792010-09-27 12:05:28 +0200929
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01009303.4. Userlists
931--------------
932It is possible to control access to frontend/backend/listen sections or to
933http stats by allowing only authenticated and authorized users. To do this,
934it is required to create at least one userlist and to define users.
935
936userlist <listname>
Cyril Bonté78caf842010-03-10 22:41:43 +0100937 Creates new userlist with name <listname>. Many independent userlists can be
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100938 used to store authentication & authorization data for independent customers.
939
940group <groupname> [users <user>,<user>,(...)]
Cyril Bonté78caf842010-03-10 22:41:43 +0100941 Adds group <groupname> to the current userlist. It is also possible to
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100942 attach users to this group by using a comma separated list of names
943 proceeded by "users" keyword.
944
Cyril Bontéf0c60612010-02-06 14:44:47 +0100945user <username> [password|insecure-password <password>]
946 [groups <group>,<group>,(...)]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100947 Adds user <username> to the current userlist. Both secure (encrypted) and
948 insecure (unencrypted) passwords can be used. Encrypted passwords are
Cyril Bonté78caf842010-03-10 22:41:43 +0100949 evaluated using the crypt(3) function so depending of the system's
950 capabilities, different algorithms are supported. For example modern Glibc
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100951 based Linux system supports MD5, SHA-256, SHA-512 and of course classic,
952 DES-based method of crypting passwords.
953
954
955 Example:
Cyril Bontéf0c60612010-02-06 14:44:47 +0100956 userlist L1
957 group G1 users tiger,scott
958 group G2 users xdb,scott
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100959
Cyril Bontéf0c60612010-02-06 14:44:47 +0100960 user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
961 user scott insecure-password elgato
962 user xdb insecure-password hello
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100963
Cyril Bontéf0c60612010-02-06 14:44:47 +0100964 userlist L2
965 group G1
966 group G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100967
Cyril Bontéf0c60612010-02-06 14:44:47 +0100968 user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
969 user scott insecure-password elgato groups G1,G2
970 user xdb insecure-password hello groups G2
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +0100971
972 Please note that both lists are functionally identical.
Willy Tarreau6a06a402007-07-15 20:15:28 +0200973
Emeric Brunf099e792010-09-27 12:05:28 +0200974
9753.5. Peers
Cyril Bontédc4d9032012-04-08 21:57:39 +0200976----------
Emeric Brunf099e792010-09-27 12:05:28 +0200977It is possible to synchronize server entries in stick tables between several
978haproxy instances over TCP connections in a multi-master fashion. Each instance
979pushes its local updates and insertions to remote peers. Server IDs are used to
980identify servers remotely, so it is important that configurations look similar
981or at least that the same IDs are forced on each server on all participants.
982Interrupted exchanges are automatically detected and recovered from the last
983known point. In addition, during a soft restart, the old process connects to
984the new one using such a TCP connection to push all its entries before the new
985process tries to connect to other peers. That ensures very fast replication
986during a reload, it typically takes a fraction of a second even for large
987tables.
988
989peers <peersect>
Jamie Gloudon801a0a32012-08-25 00:18:33 -0400990 Creates a new peer list with name <peersect>. It is an independent section,
Emeric Brunf099e792010-09-27 12:05:28 +0200991 which is referenced by one or more stick-tables.
992
993peer <peername> <ip>:<port>
994 Defines a peer inside a peers section.
995 If <peername> is set to the local peer name (by default hostname, or forced
996 using "-L" command line option), haproxy will listen for incoming remote peer
997 connection on <ip>:<port>. Otherwise, <ip>:<port> defines where to connect to
998 to join the remote peer, and <peername> is used at the protocol level to
999 identify and validate the remote peer on the server side.
1000
1001 During a soft restart, local peer <ip>:<port> is used by the old instance to
1002 connect the new one and initiate a complete replication (teaching process).
1003
1004 It is strongly recommended to have the exact same peers declaration on all
1005 peers and to only rely on the "-L" command line argument to change the local
1006 peer name. This makes it easier to maintain coherent configuration files
1007 across all peers.
1008
Cyril Bontédc4d9032012-04-08 21:57:39 +02001009 Example:
Emeric Brunf099e792010-09-27 12:05:28 +02001010 peers mypeers
Willy Tarreauf7b30a92010-12-06 22:59:17 +01001011 peer haproxy1 192.168.0.1:1024
1012 peer haproxy2 192.168.0.2:1024
1013 peer haproxy3 10.2.0.1:1024
Emeric Brunf099e792010-09-27 12:05:28 +02001014
1015 backend mybackend
1016 mode tcp
1017 balance roundrobin
1018 stick-table type ip size 20k peers mypeers
1019 stick on src
1020
Willy Tarreauf7b30a92010-12-06 22:59:17 +01001021 server srv1 192.168.0.30:80
1022 server srv2 192.168.0.31:80
Emeric Brunf099e792010-09-27 12:05:28 +02001023
1024
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010254. Proxies
Willy Tarreau6a06a402007-07-15 20:15:28 +02001026----------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001027
Willy Tarreau6a06a402007-07-15 20:15:28 +02001028Proxy configuration can be located in a set of sections :
1029 - defaults <name>
1030 - frontend <name>
1031 - backend <name>
1032 - listen <name>
1033
1034A "defaults" section sets default parameters for all other sections following
1035its declaration. Those default parameters are reset by the next "defaults"
1036section. See below for the list of parameters which can be set in a "defaults"
Willy Tarreau0ba27502007-12-24 16:55:16 +01001037section. The name is optional but its use is encouraged for better readability.
Willy Tarreau6a06a402007-07-15 20:15:28 +02001038
1039A "frontend" section describes a set of listening sockets accepting client
1040connections.
1041
1042A "backend" section describes a set of servers to which the proxy will connect
1043to forward incoming connections.
1044
1045A "listen" section defines a complete proxy with its frontend and backend
1046parts combined in one section. It is generally useful for TCP-only traffic.
1047
Willy Tarreau0ba27502007-12-24 16:55:16 +01001048All proxy names must be formed from upper and lower case letters, digits,
1049'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
1050case-sensitive, which means that "www" and "WWW" are two different proxies.
1051
1052Historically, all proxy names could overlap, it just caused troubles in the
1053logs. Since the introduction of content switching, it is mandatory that two
1054proxies with overlapping capabilities (frontend/backend) have different names.
1055However, it is still permitted that a frontend and a backend share the same
1056name, as this configuration seems to be commonly encountered.
1057
1058Right now, two major proxy modes are supported : "tcp", also known as layer 4,
1059and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001060bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
Willy Tarreau0ba27502007-12-24 16:55:16 +01001061protocol, and can interact with it by allowing, blocking, switching, adding,
1062modifying, or removing arbitrary contents in requests or responses, based on
1063arbitrary criteria.
1064
Willy Tarreau0ba27502007-12-24 16:55:16 +01001065
Willy Tarreauc57f0e22009-05-10 13:12:33 +020010664.1. Proxy keywords matrix
1067--------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001068
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001069The following list of keywords is supported. Most of them may only be used in a
1070limited set of section types. Some of them are marked as "deprecated" because
1071they are inherited from an old syntax which may be confusing or functionally
1072limited, and there are new recommended keywords to replace them. Keywords
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001073marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001074option contstats". This makes sense when the option has been enabled by default
Willy Tarreau3842f002009-06-14 11:39:52 +02001075and must be disabled for a specific instance. Such options may also be prefixed
1076with "default" in order to restore default settings regardless of what has been
1077specified in a previous "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001078
Willy Tarreau6a06a402007-07-15 20:15:28 +02001079
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001080 keyword defaults frontend listen backend
1081------------------------------------+----------+----------+---------+---------
1082acl - X X X
1083appsession - - X X
1084backlog X X X -
1085balance X - X X
1086bind - X X -
1087bind-process X X X X
1088block - X X X
1089capture cookie - X X -
1090capture request header - X X -
1091capture response header - X X -
1092clitimeout (deprecated) X X X -
William Lallemand82fe75c2012-10-23 10:25:10 +02001093compression X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001094contimeout (deprecated) X - X X
1095cookie X - X X
1096default-server X - X X
1097default_backend X X X -
1098description - X X X
1099disabled X X X X
1100dispatch - - X X
1101enabled X X X X
1102errorfile X X X X
1103errorloc X X X X
1104errorloc302 X X X X
1105-- keyword -------------------------- defaults - frontend - listen -- backend -
1106errorloc303 X X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001107force-persist - X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001108fullconn X - X X
1109grace X X X X
1110hash-type X - X X
1111http-check disable-on-404 X - X X
Willy Tarreaubd741542010-03-16 18:46:54 +01001112http-check expect - - X X
Willy Tarreau7ab6aff2010-10-12 06:30:16 +02001113http-check send-state X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001114http-request - X X X
1115id - X X X
Cyril Bonté0d4bf012010-04-25 23:21:46 +02001116ignore-persist - X X X
William Lallemand0f99e342011-10-12 17:50:54 +02001117log (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001118maxconn X X X -
1119mode X X X X
1120monitor fail - X X -
1121monitor-net X X X -
1122monitor-uri X X X -
1123option abortonclose (*) X - X X
1124option accept-invalid-http-request (*) X X X -
1125option accept-invalid-http-response (*) X - X X
1126option allbackups (*) X - X X
1127option checkcache (*) X - X X
1128option clitcpka (*) X X X -
1129option contstats (*) X X X -
1130option dontlog-normal (*) X X X -
1131option dontlognull (*) X X X -
1132option forceclose (*) X X X X
1133-- keyword -------------------------- defaults - frontend - listen -- backend -
1134option forwardfor X X X X
Willy Tarreau96e31212011-05-30 18:10:30 +02001135option http-no-delay (*) X X X X
Willy Tarreau8a8e1d92010-04-05 16:15:16 +02001136option http-pretend-keepalive (*) X X X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001137option http-server-close (*) X X X X
1138option http-use-proxy-header (*) X X X -
1139option httpchk X - X X
1140option httpclose (*) X X X X
1141option httplog X X X X
1142option http_proxy (*) X X X X
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001143option independent-streams (*) X X X X
Gabor Lekenyb4c81e42010-09-29 18:17:05 +02001144option ldap-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001145option log-health-checks (*) X - X X
1146option log-separate-errors (*) X X X -
1147option logasap (*) X X X -
1148option mysql-check X - X X
Rauf Kuliyev38b41562011-01-04 15:14:13 +01001149option pgsql-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001150option nolinger (*) X X X X
1151option originalto X X X X
1152option persist (*) X - X X
1153option redispatch (*) X - X X
Hervé COMMOWICKec032d62011-08-05 16:23:48 +02001154option redis-check X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001155option smtpchk X - X X
1156option socket-stats (*) X X X -
1157option splice-auto (*) X X X X
1158option splice-request (*) X X X X
1159option splice-response (*) X X X X
1160option srvtcpka (*) X - X X
1161option ssl-hello-chk X - X X
1162-- keyword -------------------------- defaults - frontend - listen -- backend -
1163option tcp-smart-accept (*) X X X -
1164option tcp-smart-connect (*) X - X X
1165option tcpka X X X X
1166option tcplog X X X X
1167option transparent (*) X - X X
1168persist rdp-cookie X - X X
1169rate-limit sessions X X X -
1170redirect - X X X
1171redisp (deprecated) X - X X
1172redispatch (deprecated) X - X X
1173reqadd - X X X
1174reqallow - X X X
1175reqdel - X X X
1176reqdeny - X X X
1177reqiallow - X X X
1178reqidel - X X X
1179reqideny - X X X
1180reqipass - X X X
1181reqirep - X X X
1182reqisetbe - X X X
1183reqitarpit - X X X
1184reqpass - X X X
1185reqrep - X X X
1186-- keyword -------------------------- defaults - frontend - listen -- backend -
1187reqsetbe - X X X
1188reqtarpit - X X X
1189retries X - X X
1190rspadd - X X X
1191rspdel - X X X
1192rspdeny - X X X
1193rspidel - X X X
1194rspideny - X X X
1195rspirep - X X X
1196rsprep - X X X
1197server - - X X
1198source X - X X
1199srvtimeout (deprecated) X - X X
Cyril Bonté66c327d2010-10-12 00:14:37 +02001200stats admin - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001201stats auth X - X X
1202stats enable X - X X
1203stats hide-version X - X X
Cyril Bonté2be1b3f2010-09-30 23:46:30 +02001204stats http-request - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001205stats realm X - X X
1206stats refresh X - X X
1207stats scope X - X X
1208stats show-desc X - X X
1209stats show-legends X - X X
1210stats show-node X - X X
1211stats uri X - X X
1212-- keyword -------------------------- defaults - frontend - listen -- backend -
1213stick match - - X X
1214stick on - - X X
1215stick store-request - - X X
Willy Tarreaud8dc99f2011-07-01 11:33:25 +02001216stick store-response - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001217stick-table - - X X
Willy Tarreaue9656522010-08-17 15:40:09 +02001218tcp-request connection - X X -
1219tcp-request content - X X X
Willy Tarreaua56235c2010-09-14 11:31:36 +02001220tcp-request inspect-delay - X X X
Emeric Brun0a3b67f2010-09-24 15:34:53 +02001221tcp-response content - - X X
1222tcp-response inspect-delay - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001223timeout check X - X X
1224timeout client X X X -
1225timeout clitimeout (deprecated) X X X -
1226timeout connect X - X X
1227timeout contimeout (deprecated) X - X X
1228timeout http-keep-alive X X X X
1229timeout http-request X X X X
1230timeout queue X - X X
1231timeout server X - X X
1232timeout srvtimeout (deprecated) X - X X
1233timeout tarpit X X X X
Willy Tarreauce887fd2012-05-12 12:50:00 +02001234timeout tunnel X - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001235transparent (deprecated) X - X X
William Lallemanda73203e2012-03-12 12:48:57 +01001236unique-id-format X X X -
1237unique-id-header X X X -
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001238use_backend - X X -
Willy Tarreau4a5cade2012-04-05 21:09:48 +02001239use-server - - X X
Willy Tarreau5c6f7b32010-02-26 13:34:29 +01001240------------------------------------+----------+----------+---------+---------
1241 keyword defaults frontend listen backend
Willy Tarreau6a06a402007-07-15 20:15:28 +02001242
Willy Tarreau0ba27502007-12-24 16:55:16 +01001243
Willy Tarreauc57f0e22009-05-10 13:12:33 +020012444.2. Alphabetically sorted keywords reference
1245---------------------------------------------
Willy Tarreau0ba27502007-12-24 16:55:16 +01001246
1247This section provides a description of each keyword and its usage.
1248
1249
1250acl <aclname> <criterion> [flags] [operator] <value> ...
1251 Declare or complete an access list.
1252 May be used in sections : defaults | frontend | listen | backend
1253 no | yes | yes | yes
1254 Example:
1255 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1256 acl invalid_src src_port 0:1023
1257 acl local_dst hdr(host) -i localhost
1258
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001259 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001260
1261
Cyril Bontéb21570a2009-11-29 20:04:48 +01001262appsession <cookie> len <length> timeout <holdtime>
1263 [request-learn] [prefix] [mode <path-parameters|query-string>]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001264 Define session stickiness on an existing application cookie.
1265 May be used in sections : defaults | frontend | listen | backend
1266 no | no | yes | yes
1267 Arguments :
1268 <cookie> this is the name of the cookie used by the application and which
1269 HAProxy will have to learn for each new session.
1270
Cyril Bontéb21570a2009-11-29 20:04:48 +01001271 <length> this is the max number of characters that will be memorized and
Willy Tarreau0ba27502007-12-24 16:55:16 +01001272 checked in each cookie value.
1273
1274 <holdtime> this is the time after which the cookie will be removed from
1275 memory if unused. If no unit is specified, this time is in
1276 milliseconds.
1277
Cyril Bontébf47aeb2009-10-15 00:15:40 +02001278 request-learn
1279 If this option is specified, then haproxy will be able to learn
1280 the cookie found in the request in case the server does not
1281 specify any in response. This is typically what happens with
1282 PHPSESSID cookies, or when haproxy's session expires before
1283 the application's session and the correct server is selected.
1284 It is recommended to specify this option to improve reliability.
1285
Cyril Bontéb21570a2009-11-29 20:04:48 +01001286 prefix When this option is specified, haproxy will match on the cookie
1287 prefix (or URL parameter prefix). The appsession value is the
1288 data following this prefix.
1289
1290 Example :
1291 appsession ASPSESSIONID len 64 timeout 3h prefix
1292
1293 This will match the cookie ASPSESSIONIDXXXX=XXXXX,
1294 the appsession value will be XXXX=XXXXX.
1295
1296 mode This option allows to change the URL parser mode.
1297 2 modes are currently supported :
1298 - path-parameters :
1299 The parser looks for the appsession in the path parameters
1300 part (each parameter is separated by a semi-colon), which is
1301 convenient for JSESSIONID for example.
1302 This is the default mode if the option is not set.
1303 - query-string :
1304 In this mode, the parser will look for the appsession in the
1305 query string.
1306
Willy Tarreau0ba27502007-12-24 16:55:16 +01001307 When an application cookie is defined in a backend, HAProxy will check when
1308 the server sets such a cookie, and will store its value in a table, and
1309 associate it with the server's identifier. Up to <length> characters from
1310 the value will be retained. On each connection, haproxy will look for this
Cyril Bontéb21570a2009-11-29 20:04:48 +01001311 cookie both in the "Cookie:" headers, and as a URL parameter (depending on
1312 the mode used). If a known value is found, the client will be directed to the
1313 server associated with this value. Otherwise, the load balancing algorithm is
Willy Tarreau0ba27502007-12-24 16:55:16 +01001314 applied. Cookies are automatically removed from memory when they have been
1315 unused for a duration longer than <holdtime>.
1316
1317 The definition of an application cookie is limited to one per backend.
1318
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001319 Note : Consider not using this feature in multi-process mode (nbproc > 1)
1320 unless you know what you do : memory is not shared between the
1321 processes, which can result in random behaviours.
1322
Willy Tarreau0ba27502007-12-24 16:55:16 +01001323 Example :
1324 appsession JSESSIONID len 52 timeout 3h
1325
Cyril Bonté02ff8ef2010-12-14 22:48:49 +01001326 See also : "cookie", "capture cookie", "balance", "stick", "stick-table",
1327 "ignore-persist", "nbproc" and "bind-process".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001328
1329
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001330backlog <conns>
1331 Give hints to the system about the approximate listen backlog desired size
1332 May be used in sections : defaults | frontend | listen | backend
1333 yes | yes | yes | no
1334 Arguments :
1335 <conns> is the number of pending connections. Depending on the operating
1336 system, it may represent the number of already acknowledged
Cyril Bontédc4d9032012-04-08 21:57:39 +02001337 connections, of non-acknowledged ones, or both.
Willy Tarreauc73ce2b2008-01-06 10:55:10 +01001338
1339 In order to protect against SYN flood attacks, one solution is to increase
1340 the system's SYN backlog size. Depending on the system, sometimes it is just
1341 tunable via a system parameter, sometimes it is not adjustable at all, and
1342 sometimes the system relies on hints given by the application at the time of
1343 the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1344 to the listen() syscall. On systems which can make use of this value, it can
1345 sometimes be useful to be able to specify a different value, hence this
1346 backlog parameter.
1347
1348 On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1349 used as a hint and the system accepts up to the smallest greater power of
1350 two, and never more than some limits (usually 32768).
1351
1352 See also : "maxconn" and the target operating system's tuning guide.
1353
1354
Willy Tarreau0ba27502007-12-24 16:55:16 +01001355balance <algorithm> [ <arguments> ]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001356balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001357 Define the load balancing algorithm to be used in a backend.
1358 May be used in sections : defaults | frontend | listen | backend
1359 yes | no | yes | yes
1360 Arguments :
1361 <algorithm> is the algorithm used to select a server when doing load
1362 balancing. This only applies when no persistence information
1363 is available, or when a connection is redispatched to another
1364 server. <algorithm> may be one of the following :
1365
1366 roundrobin Each server is used in turns, according to their weights.
1367 This is the smoothest and fairest algorithm when the server's
1368 processing time remains equally distributed. This algorithm
1369 is dynamic, which means that server weights may be adjusted
Willy Tarreau9757a382009-10-03 12:56:50 +02001370 on the fly for slow starts for instance. It is limited by
1371 design to 4128 active servers per backend. Note that in some
1372 large farms, when a server becomes up after having been down
1373 for a very short time, it may sometimes take a few hundreds
1374 requests for it to be re-integrated into the farm and start
1375 receiving traffic. This is normal, though very rare. It is
1376 indicated here in case you would have the chance to observe
1377 it, so that you don't worry.
1378
1379 static-rr Each server is used in turns, according to their weights.
1380 This algorithm is as similar to roundrobin except that it is
1381 static, which means that changing a server's weight on the
1382 fly will have no effect. On the other hand, it has no design
1383 limitation on the number of servers, and when a server goes
1384 up, it is always immediately reintroduced into the farm, once
1385 the full map is recomputed. It also uses slightly less CPU to
1386 run (around -1%).
Willy Tarreau0ba27502007-12-24 16:55:16 +01001387
Willy Tarreau2d2a7f82008-03-17 12:07:56 +01001388 leastconn The server with the lowest number of connections receives the
1389 connection. Round-robin is performed within groups of servers
1390 of the same load to ensure that all servers will be used. Use
1391 of this algorithm is recommended where very long sessions are
1392 expected, such as LDAP, SQL, TSE, etc... but is not very well
1393 suited for protocols using short sessions such as HTTP. This
1394 algorithm is dynamic, which means that server weights may be
1395 adjusted on the fly for slow starts for instance.
1396
Willy Tarreauf09c6602012-02-13 17:12:08 +01001397 first The first server with available connection slots receives the
1398 connection. The servers are choosen from the lowest numeric
1399 identifier to the highest (see server parameter "id"), which
1400 defaults to the server's position in the farm. Once a server
Willy Tarreau64559c52012-04-07 09:08:45 +02001401 reaches its maxconn value, the next server is used. It does
Willy Tarreauf09c6602012-02-13 17:12:08 +01001402 not make sense to use this algorithm without setting maxconn.
1403 The purpose of this algorithm is to always use the smallest
1404 number of servers so that extra servers can be powered off
1405 during non-intensive hours. This algorithm ignores the server
1406 weight, and brings more benefit to long session such as RDP
Willy Tarreau64559c52012-04-07 09:08:45 +02001407 or IMAP than HTTP, though it can be useful there too. In
1408 order to use this algorithm efficiently, it is recommended
1409 that a cloud controller regularly checks server usage to turn
1410 them off when unused, and regularly checks backend queue to
1411 turn new servers on when the queue inflates. Alternatively,
1412 using "http-check send-state" may inform servers on the load.
Willy Tarreauf09c6602012-02-13 17:12:08 +01001413
Willy Tarreau0ba27502007-12-24 16:55:16 +01001414 source The source IP address is hashed and divided by the total
1415 weight of the running servers to designate which server will
1416 receive the request. This ensures that the same client IP
1417 address will always reach the same server as long as no
1418 server goes down or up. If the hash result changes due to the
1419 number of running servers changing, many clients will be
1420 directed to a different server. This algorithm is generally
1421 used in TCP mode where no cookie may be inserted. It may also
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001422 be used on the Internet to provide a best-effort stickiness
Willy Tarreau0ba27502007-12-24 16:55:16 +01001423 to clients which refuse session cookies. This algorithm is
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001424 static by default, which means that changing a server's
1425 weight on the fly will have no effect, but this can be
1426 changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001427
Oskar Stolc8dc41842012-05-19 10:19:54 +01001428 uri This algorithm hashes either the left part of the URI (before
1429 the question mark) or the whole URI (if the "whole" parameter
1430 is present) and divides the hash value by the total weight of
1431 the running servers. The result designates which server will
1432 receive the request. This ensures that the same URI will
1433 always be directed to the same server as long as no server
1434 goes up or down. This is used with proxy caches and
1435 anti-virus proxies in order to maximize the cache hit rate.
1436 Note that this algorithm may only be used in an HTTP backend.
1437 This algorithm is static by default, which means that
1438 changing a server's weight on the fly will have no effect,
1439 but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001440
Oskar Stolc8dc41842012-05-19 10:19:54 +01001441 This algorithm supports two optional parameters "len" and
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001442 "depth", both followed by a positive integer number. These
1443 options may be helpful when it is needed to balance servers
1444 based on the beginning of the URI only. The "len" parameter
1445 indicates that the algorithm should only consider that many
1446 characters at the beginning of the URI to compute the hash.
1447 Note that having "len" set to 1 rarely makes sense since most
1448 URIs start with a leading "/".
1449
1450 The "depth" parameter indicates the maximum directory depth
1451 to be used to compute the hash. One level is counted for each
1452 slash in the request. If both parameters are specified, the
1453 evaluation stops when either is reached.
1454
Willy Tarreau0ba27502007-12-24 16:55:16 +01001455 url_param The URL parameter specified in argument will be looked up in
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001456 the query string of each HTTP GET request.
1457
1458 If the modifier "check_post" is used, then an HTTP POST
Cyril Bontédc4d9032012-04-08 21:57:39 +02001459 request entity will be searched for the parameter argument,
1460 when it is not found in a query string after a question mark
1461 ('?') in the URL. Optionally, specify a number of octets to
1462 wait for before attempting to search the message body. If the
1463 entity can not be searched, then round robin is used for each
1464 request. For instance, if your clients always send the LB
1465 parameter in the first 128 bytes, then specify that. The
1466 default is 48. The entity data will not be scanned until the
1467 required number of octets have arrived at the gateway, this
1468 is the minimum of: (default/max_wait, Content-Length or first
1469 chunk length). If Content-Length is missing or zero, it does
1470 not need to wait for more data than the client promised to
1471 send. When Content-Length is present and larger than
1472 <max_wait>, then waiting is limited to <max_wait> and it is
1473 assumed that this will be enough data to search for the
1474 presence of the parameter. In the unlikely event that
1475 Transfer-Encoding: chunked is used, only the first chunk is
1476 scanned. Parameter values separated by a chunk boundary, may
1477 be randomly balanced if at all.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001478
1479 If the parameter is found followed by an equal sign ('=') and
1480 a value, then the value is hashed and divided by the total
1481 weight of the running servers. The result designates which
1482 server will receive the request.
1483
1484 This is used to track user identifiers in requests and ensure
1485 that a same user ID will always be sent to the same server as
1486 long as no server goes up or down. If no value is found or if
1487 the parameter is not found, then a round robin algorithm is
1488 applied. Note that this algorithm may only be used in an HTTP
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001489 backend. This algorithm is static by default, which means
1490 that changing a server's weight on the fly will have no
1491 effect, but this can be changed using "hash-type".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001492
Cyril Bontédc4d9032012-04-08 21:57:39 +02001493 hdr(<name>) The HTTP header <name> will be looked up in each HTTP
1494 request. Just as with the equivalent ACL 'hdr()' function,
1495 the header name in parenthesis is not case sensitive. If the
1496 header is absent or if it does not contain any value, the
1497 roundrobin algorithm is applied instead.
Benoitaffb4812009-03-25 13:02:10 +01001498
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001499 An optional 'use_domain_only' parameter is available, for
Benoitaffb4812009-03-25 13:02:10 +01001500 reducing the hash algorithm to the main domain part with some
1501 specific headers such as 'Host'. For instance, in the Host
1502 value "haproxy.1wt.eu", only "1wt" will be considered.
1503
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001504 This algorithm is static by default, which means that
1505 changing a server's weight on the fly will have no effect,
1506 but this can be changed using "hash-type".
1507
Emeric Brun736aa232009-06-30 17:56:00 +02001508 rdp-cookie
Hervé COMMOWICKa3eb39c2011-08-05 18:48:51 +02001509 rdp-cookie(<name>)
Emeric Brun736aa232009-06-30 17:56:00 +02001510 The RDP cookie <name> (or "mstshash" if omitted) will be
1511 looked up and hashed for each incoming TCP request. Just as
1512 with the equivalent ACL 'req_rdp_cookie()' function, the name
1513 is not case-sensitive. This mechanism is useful as a degraded
1514 persistence mode, as it makes it possible to always send the
1515 same user (or the same session ID) to the same server. If the
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001516 cookie is not found, the normal roundrobin algorithm is
Emeric Brun736aa232009-06-30 17:56:00 +02001517 used instead.
1518
1519 Note that for this to work, the frontend must ensure that an
1520 RDP cookie is already present in the request buffer. For this
1521 you must use 'tcp-request content accept' rule combined with
1522 a 'req_rdp_cookie_cnt' ACL.
1523
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001524 This algorithm is static by default, which means that
1525 changing a server's weight on the fly will have no effect,
1526 but this can be changed using "hash-type".
1527
Cyril Bontédc4d9032012-04-08 21:57:39 +02001528 See also the rdp_cookie pattern fetch function.
Simon Hormanab814e02011-06-24 14:50:20 +09001529
Willy Tarreau0ba27502007-12-24 16:55:16 +01001530 <arguments> is an optional list of arguments which may be needed by some
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001531 algorithms. Right now, only "url_param" and "uri" support an
1532 optional argument.
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001533
Marek Majkowski9c30fc12008-04-27 23:25:55 +02001534 balance uri [len <len>] [depth <depth>]
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001535 balance url_param <param> [check_post [<max_wait>]]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001536
Willy Tarreau3cd9af22009-03-15 14:06:41 +01001537 The load balancing algorithm of a backend is set to roundrobin when no other
1538 algorithm, mode nor option have been set. The algorithm may only be set once
1539 for each backend.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001540
1541 Examples :
1542 balance roundrobin
1543 balance url_param userid
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001544 balance url_param session_id check_post 64
Benoitaffb4812009-03-25 13:02:10 +01001545 balance hdr(User-Agent)
1546 balance hdr(host)
1547 balance hdr(Host) use_domain_only
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001548
1549 Note: the following caveats and limitations on using the "check_post"
1550 extension with "url_param" must be considered :
1551
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001552 - all POST requests are eligible for consideration, because there is no way
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001553 to determine if the parameters will be found in the body or entity which
1554 may contain binary data. Therefore another method may be required to
1555 restrict consideration of POST requests that have no URL parameters in
1556 the body. (see acl reqideny http_end)
1557
1558 - using a <max_wait> value larger than the request buffer size does not
1559 make sense and is useless. The buffer size is set at build time, and
1560 defaults to 16 kB.
1561
1562 - Content-Encoding is not supported, the parameter search will probably
1563 fail; and load balancing will fall back to Round Robin.
1564
1565 - Expect: 100-continue is not supported, load balancing will fall back to
1566 Round Robin.
1567
1568 - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
1569 If the entire parameter value is not present in the first chunk, the
1570 selection of server is undefined (actually, defined by how little
1571 actually appeared in the first chunk).
1572
1573 - This feature does not support generation of a 100, 411 or 501 response.
1574
1575 - In some cases, requesting "check_post" MAY attempt to scan the entire
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001576 contents of a message body. Scanning normally terminates when linear
matt.farnsworth@nokia.com1c2ab962008-04-14 20:47:37 +02001577 white space or control characters are found, indicating the end of what
1578 might be a URL parameter list. This is probably not a concern with SGML
1579 type message bodies.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001580
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02001581 See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
1582 "http_proxy".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001583
1584
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001585bind [<address>]:<port_range> [, ...] [param*]
1586bind /<path> [, ...] [param*]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001587 Define one or several listening addresses and/or ports in a frontend.
1588 May be used in sections : defaults | frontend | listen | backend
1589 no | yes | yes | no
1590 Arguments :
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001591 <address> is optional and can be a host name, an IPv4 address, an IPv6
1592 address, or '*'. It designates the address the frontend will
1593 listen on. If unset, all IPv4 addresses of the system will be
1594 listened on. The same will apply for '*' or the system's
David du Colombier9c938da2011-03-17 10:40:27 +01001595 special address "0.0.0.0". The IPv6 equivalent is '::'.
Willy Tarreaub1e52e82008-01-13 14:49:51 +01001596
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001597 <port_range> is either a unique TCP port, or a port range for which the
1598 proxy will accept connections for the IP address specified
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001599 above. The port is mandatory for TCP listeners. Note that in
1600 the case of an IPv6 address, the port is always the number
1601 after the last colon (':'). A range can either be :
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001602 - a numerical port (ex: '80')
1603 - a dash-delimited ports range explicitly stating the lower
1604 and upper bounds (ex: '2000-2100') which are included in
1605 the range.
1606
1607 Particular care must be taken against port ranges, because
1608 every <address:port> couple consumes one socket (= a file
1609 descriptor), so it's easy to consume lots of descriptors
1610 with a simple range, and to run out of sockets. Also, each
1611 <address:port> couple must be used only once among all
1612 instances running on a same system. Please note that binding
1613 to ports lower than 1024 generally require particular
Jamie Gloudon801a0a32012-08-25 00:18:33 -04001614 privileges to start the program, which are independent of
Willy Tarreauc5011ca2010-03-22 11:53:56 +01001615 the 'uid' parameter.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001616
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001617 <path> is a UNIX socket path beginning with a slash ('/'). This is
1618 alternative to the TCP listening port. Haproxy will then
1619 receive UNIX connections on the socket located at this place.
1620 The path must begin with a slash and by default is absolute.
1621 It can be relative to the prefix defined by "unix-bind" in
1622 the global section. Note that the total length of the prefix
1623 followed by the socket path cannot exceed some system limits
1624 for UNIX sockets, which commonly are set to 107 characters.
1625
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001626 <param*> is a list of parameters common to all sockets declared on the
1627 same line. These numerous parameters depend on OS and build
1628 options and have a complete section dedicated to them. Please
1629 refer to section 5 to for more details.
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001630
Willy Tarreau0ba27502007-12-24 16:55:16 +01001631 It is possible to specify a list of address:port combinations delimited by
1632 commas. The frontend will then listen on all of these addresses. There is no
1633 fixed limit to the number of addresses and ports which can be listened on in
1634 a frontend, as well as there is no limit to the number of "bind" statements
1635 in a frontend.
1636
1637 Example :
1638 listen http_proxy
1639 bind :80,:443
1640 bind 10.0.0.1:10080,10.0.0.1:10443
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001641 bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
Willy Tarreau0ba27502007-12-24 16:55:16 +01001642
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001643 listen http_https_proxy
1644 bind :80
Cyril Bonté0d44fc62012-10-09 22:45:33 +02001645 bind :443 ssl crt /etc/haproxy/site.pem
Willy Tarreaua0ee1d02012-09-10 09:01:23 +02001646
Willy Tarreauceb24bc2010-11-09 12:46:41 +01001647 See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
Willy Tarreaub6205fd2012-09-24 12:27:33 +02001648 documentation, and section 5 about bind options.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001649
1650
Willy Tarreau110ecc12012-11-15 17:50:01 +01001651bind-process [ all | odd | even | <number 1-32>[-<number 1-32>] ] ...
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001652 Limit visibility of an instance to a certain set of processes numbers.
1653 May be used in sections : defaults | frontend | listen | backend
1654 yes | yes | yes | yes
1655 Arguments :
1656 all All process will see this instance. This is the default. It
1657 may be used to override a default value.
1658
1659 odd This instance will be enabled on processes 1,3,5,...31. This
1660 option may be combined with other numbers.
1661
1662 even This instance will be enabled on processes 2,4,6,...32. This
1663 option may be combined with other numbers. Do not use it
1664 with less than 2 processes otherwise some instances might be
1665 missing from all processes.
1666
Willy Tarreau110ecc12012-11-15 17:50:01 +01001667 number The instance will be enabled on this process number or range,
1668 whose values must all be between 1 and 32. You must be
1669 careful not to reference a process number greater than the
1670 configured global.nbproc, otherwise some instances might be
1671 missing from all processes.
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001672
1673 This keyword limits binding of certain instances to certain processes. This
1674 is useful in order not to have too many processes listening to the same
1675 ports. For instance, on a dual-core machine, it might make sense to set
1676 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1677 and 'even' instances.
1678
1679 At the moment, it is not possible to reference more than 32 processes using
1680 this keyword, but this should be more than enough for most setups. Please
1681 note that 'all' really means all processes and is not limited to the first
1682 32.
1683
1684 If some backends are referenced by frontends bound to other processes, the
1685 backend automatically inherits the frontend's processes.
1686
1687 Example :
1688 listen app_ip1
1689 bind 10.0.0.1:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001690 bind-process odd
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001691
1692 listen app_ip2
1693 bind 10.0.0.2:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001694 bind-process even
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001695
1696 listen management
1697 bind 10.0.0.3:80
Willy Tarreaubfcd3112010-10-23 11:22:08 +02001698 bind-process 1 2 3 4
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001699
Willy Tarreau110ecc12012-11-15 17:50:01 +01001700 listen management
1701 bind 10.0.0.4:80
1702 bind-process 1-4
1703
Willy Tarreau0b9c02c2009-02-04 22:05:05 +01001704 See also : "nbproc" in global section.
1705
1706
Willy Tarreau0ba27502007-12-24 16:55:16 +01001707block { if | unless } <condition>
1708 Block a layer 7 request if/unless a condition is matched
1709 May be used in sections : defaults | frontend | listen | backend
1710 no | yes | yes | yes
1711
1712 The HTTP request will be blocked very early in the layer 7 processing
1713 if/unless <condition> is matched. A 403 error will be returned if the request
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001714 is blocked. The condition has to reference ACLs (see section 7). This is
Willy Tarreau3c92c5f2011-08-28 09:45:47 +02001715 typically used to deny access to certain sensitive resources if some
Willy Tarreau0ba27502007-12-24 16:55:16 +01001716 conditions are met or not met. There is no fixed limit to the number of
1717 "block" statements per instance.
1718
1719 Example:
1720 acl invalid_src src 0.0.0.0/7 224.0.0.0/3
1721 acl invalid_src src_port 0:1023
1722 acl local_dst hdr(host) -i localhost
1723 block if invalid_src || local_dst
1724
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001725 See section 7 about ACL usage.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001726
1727
1728capture cookie <name> len <length>
1729 Capture and log a cookie in the request and in the response.
1730 May be used in sections : defaults | frontend | listen | backend
1731 no | yes | yes | no
1732 Arguments :
1733 <name> is the beginning of the name of the cookie to capture. In order
1734 to match the exact name, simply suffix the name with an equal
1735 sign ('='). The full name will appear in the logs, which is
1736 useful with application servers which adjust both the cookie name
1737 and value (eg: ASPSESSIONXXXXX).
1738
1739 <length> is the maximum number of characters to report in the logs, which
1740 include the cookie name, the equal sign and the value, all in the
1741 standard "name=value" form. The string will be truncated on the
1742 right if it exceeds <length>.
1743
1744 Only the first cookie is captured. Both the "cookie" request headers and the
1745 "set-cookie" response headers are monitored. This is particularly useful to
1746 check for application bugs causing session crossing or stealing between
1747 users, because generally the user's cookies can only change on a login page.
1748
1749 When the cookie was not presented by the client, the associated log column
1750 will report "-". When a request does not cause a cookie to be assigned by the
1751 server, a "-" is reported in the response column.
1752
1753 The capture is performed in the frontend only because it is necessary that
1754 the log format does not change for a given frontend depending on the
1755 backends. This may change in the future. Note that there can be only one
Willy Tarreau193b8c62012-11-22 00:17:38 +01001756 "capture cookie" statement in a frontend. The maximum capture length is set
1757 by the global "tune.http.cookielen" setting and defaults to 63 characters. It
1758 is not possible to specify a capture in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001759
1760 Example:
1761 capture cookie ASPSESSION len 32
1762
1763 See also : "capture request header", "capture response header" as well as
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001764 section 8 about logging.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001765
1766
1767capture request header <name> len <length>
Willy Tarreau4460d032012-11-21 23:37:37 +01001768 Capture and log the last occurrence of the specified request header.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001769 May be used in sections : defaults | frontend | listen | backend
1770 no | yes | yes | no
1771 Arguments :
1772 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001773 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001774 appear in the requests, with the first letter of each word in
1775 upper case. The header name will not appear in the logs, only the
1776 value is reported, but the position in the logs is respected.
1777
1778 <length> is the maximum number of characters to extract from the value and
1779 report in the logs. The string will be truncated on the right if
1780 it exceeds <length>.
1781
Willy Tarreau4460d032012-11-21 23:37:37 +01001782 The complete value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001783 value will be added to the logs between braces ('{}'). If multiple headers
1784 are captured, they will be delimited by a vertical bar ('|') and will appear
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001785 in the same order they were declared in the configuration. Non-existent
1786 headers will be logged just as an empty string. Common uses for request
1787 header captures include the "Host" field in virtual hosting environments, the
1788 "Content-length" when uploads are supported, "User-agent" to quickly
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01001789 differentiate between real users and robots, and "X-Forwarded-For" in proxied
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001790 environments to find where the request came from.
1791
1792 Note that when capturing headers such as "User-agent", some spaces may be
1793 logged, making the log analysis more difficult. Thus be careful about what
1794 you log if you know your log parser is not smart enough to rely on the
1795 braces.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001796
Willy Tarreau0900abb2012-11-22 00:21:46 +01001797 There is no limit to the number of captured request headers nor to their
1798 length, though it is wise to keep them low to limit memory usage per session.
1799 In order to keep log format consistent for a same frontend, header captures
1800 can only be declared in a frontend. It is not possible to specify a capture
1801 in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001802
1803 Example:
1804 capture request header Host len 15
1805 capture request header X-Forwarded-For len 15
1806 capture request header Referrer len 15
1807
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001808 See also : "capture cookie", "capture response header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001809 about logging.
1810
1811
1812capture response header <name> len <length>
Willy Tarreau4460d032012-11-21 23:37:37 +01001813 Capture and log the last occurrence of the specified response header.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001814 May be used in sections : defaults | frontend | listen | backend
1815 no | yes | yes | no
1816 Arguments :
1817 <name> is the name of the header to capture. The header names are not
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001818 case-sensitive, but it is a common practice to write them as they
Willy Tarreau0ba27502007-12-24 16:55:16 +01001819 appear in the response, with the first letter of each word in
1820 upper case. The header name will not appear in the logs, only the
1821 value is reported, but the position in the logs is respected.
1822
1823 <length> is the maximum number of characters to extract from the value and
1824 report in the logs. The string will be truncated on the right if
1825 it exceeds <length>.
1826
Willy Tarreau4460d032012-11-21 23:37:37 +01001827 The complete value of the last occurrence of the header is captured. The
Willy Tarreau0ba27502007-12-24 16:55:16 +01001828 result will be added to the logs between braces ('{}') after the captured
1829 request headers. If multiple headers are captured, they will be delimited by
1830 a vertical bar ('|') and will appear in the same order they were declared in
Willy Tarreaucc6c8912009-02-22 10:53:55 +01001831 the configuration. Non-existent headers will be logged just as an empty
1832 string. Common uses for response header captures include the "Content-length"
1833 header which indicates how many bytes are expected to be returned, the
1834 "Location" header to track redirections.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001835
Willy Tarreau0900abb2012-11-22 00:21:46 +01001836 There is no limit to the number of captured response headers nor to their
1837 length, though it is wise to keep them low to limit memory usage per session.
1838 In order to keep log format consistent for a same frontend, header captures
1839 can only be declared in a frontend. It is not possible to specify a capture
1840 in a "defaults" section.
Willy Tarreau0ba27502007-12-24 16:55:16 +01001841
1842 Example:
1843 capture response header Content-length len 9
1844 capture response header Location len 15
1845
Willy Tarreauc57f0e22009-05-10 13:12:33 +02001846 See also : "capture cookie", "capture request header" as well as section 8
Willy Tarreau0ba27502007-12-24 16:55:16 +01001847 about logging.
1848
1849
Cyril Bontéf0c60612010-02-06 14:44:47 +01001850clitimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001851 Set the maximum inactivity time on the client side.
1852 May be used in sections : defaults | frontend | listen | backend
1853 yes | yes | yes | no
1854 Arguments :
1855 <timeout> is the timeout value is specified in milliseconds by default, but
1856 can be in any other unit if the number is suffixed by the unit,
1857 as explained at the top of this document.
1858
1859 The inactivity timeout applies when the client is expected to acknowledge or
1860 send data. In HTTP mode, this timeout is particularly important to consider
1861 during the first phase, when the client sends the request, and during the
1862 response while it is reading data sent by the server. The value is specified
1863 in milliseconds by default, but can be in any other unit if the number is
1864 suffixed by the unit, as specified at the top of this document. In TCP mode
1865 (and to a lesser extent, in HTTP mode), it is highly recommended that the
1866 client timeout remains equal to the server timeout in order to avoid complex
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001867 situations to debug. It is a good practice to cover one or several TCP packet
Willy Tarreau0ba27502007-12-24 16:55:16 +01001868 losses by specifying timeouts that are slightly above multiples of 3 seconds
1869 (eg: 4 or 5 seconds).
1870
1871 This parameter is specific to frontends, but can be specified once for all in
1872 "defaults" sections. This is in fact one of the easiest solutions not to
1873 forget about it. An unspecified timeout results in an infinite timeout, which
1874 is not recommended. Such a usage is accepted and works but reports a warning
1875 during startup because it may results in accumulation of expired sessions in
1876 the system if the system's timeouts are not configured either.
1877
1878 This parameter is provided for compatibility but is currently deprecated.
1879 Please use "timeout client" instead.
1880
Willy Tarreau036fae02008-01-06 13:24:40 +01001881 See also : "timeout client", "timeout http-request", "timeout server", and
1882 "srvtimeout".
Willy Tarreau0ba27502007-12-24 16:55:16 +01001883
Cyril Bonté316a8cf2012-11-11 13:38:27 +01001884compression algo <algorithm> ...
1885compression type <mime type> ...
Willy Tarreau70737d12012-10-27 00:34:28 +02001886compression offload
William Lallemand82fe75c2012-10-23 10:25:10 +02001887 Enable HTTP compression.
1888 May be used in sections : defaults | frontend | listen | backend
1889 yes | yes | yes | yes
1890 Arguments :
Cyril Bonté316a8cf2012-11-11 13:38:27 +01001891 algo is followed by the list of supported compression algorithms.
1892 type is followed by the list of MIME types that will be compressed.
1893 offload makes haproxy work as a compression offloader only (see notes).
1894
1895 The currently supported algorithms are :
Dmitry Sivachenko87c208b2012-11-22 20:03:26 +04001896 identity this is mostly for debugging, and it was useful for developing
Cyril Bonté316a8cf2012-11-11 13:38:27 +01001897 the compression feature. Identity does not apply any change on
1898 data.
1899
1900 gzip applies gzip compression. This setting is only available when
1901 support for zlib was built in.
1902
1903 deflate same as gzip, but with deflate algorithm and zlib format.
1904 Note that this algorithm has ambiguous support on many browsers
1905 and no support at all from recent ones. It is strongly
1906 recommended not to use it for anything else than experimentation.
1907 This setting is only available when support for zlib was built
1908 in.
1909
Dmitry Sivachenko87c208b2012-11-22 20:03:26 +04001910 Compression will be activated depending on the Accept-Encoding request
Cyril Bonté316a8cf2012-11-11 13:38:27 +01001911 header. With identity, it does not take care of that header.
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04001912 If backend servers support HTTP compression, these directives
1913 will be no-op: haproxy will see the compressed response and will not
1914 compress again. If backend servers do not support HTTP compression and
1915 there is Accept-Encoding header in request, haproxy will compress the
1916 matching response.
Willy Tarreau70737d12012-10-27 00:34:28 +02001917
1918 The "offload" setting makes haproxy remove the Accept-Encoding header to
1919 prevent backend servers from compressing responses. It is strongly
1920 recommended not to do this because this means that all the compression work
1921 will be done on the single point where haproxy is located. However in some
1922 deployment scenarios, haproxy may be installed in front of a buggy gateway
Dmitry Sivachenkoc9f3b452012-11-28 17:47:11 +04001923 with broken HTTP compression implementation which can't be turned off.
1924 In that case haproxy can be used to prevent that gateway from emitting
1925 invalid payloads. In this case, simply removing the header in the
1926 configuration does not work because it applies before the header is parsed,
1927 so that prevents haproxy from compressing. The "offload" setting should
1928 then be used for such scenarios.
William Lallemand82fe75c2012-10-23 10:25:10 +02001929
William Lallemand05097442012-11-20 12:14:28 +01001930 Compression is disabled when:
Baptiste Assmann650d53d2013-01-05 15:44:44 +01001931 * the request does not advertise a supported compression algorithm in the
1932 "Accept-Encoding" header
1933 * the response message is not HTTP/1.1
William Lallemandd3002612012-11-26 14:34:47 +01001934 * HTTP status code is not 200
Baptiste Assmann650d53d2013-01-05 15:44:44 +01001935 * response contain neither a "Content-Length" header nor a
1936 "Transfer-Encoding" whose last value is "chunked"
1937 * response contains a "Content-Type" header whose first value starts with
1938 "multipart"
1939 * the response contains the "no-transform" value in the "Cache-control"
1940 header
1941 * User-Agent matches "Mozilla/4" unless it is MSIE 6 with XP SP2, or MSIE 7
1942 and later
1943 * The response contains a "Content-Encoding" header, indicating that the
1944 response is already compressed (see compression offload)
William Lallemand05097442012-11-20 12:14:28 +01001945
Baptiste Assmann650d53d2013-01-05 15:44:44 +01001946 Note: The compression does not rewrite Etag headers, and does not emit the
1947 Warning header.
William Lallemand05097442012-11-20 12:14:28 +01001948
William Lallemand82fe75c2012-10-23 10:25:10 +02001949 Examples :
1950 compression algo gzip
1951 compression type text/html text/plain
Willy Tarreau0ba27502007-12-24 16:55:16 +01001952
Cyril Bontéf0c60612010-02-06 14:44:47 +01001953contimeout <timeout> (deprecated)
Willy Tarreau0ba27502007-12-24 16:55:16 +01001954 Set the maximum time to wait for a connection attempt to a server to succeed.
1955 May be used in sections : defaults | frontend | listen | backend
1956 yes | no | yes | yes
1957 Arguments :
1958 <timeout> is the timeout value is specified in milliseconds by default, but
1959 can be in any other unit if the number is suffixed by the unit,
1960 as explained at the top of this document.
1961
1962 If the server is located on the same LAN as haproxy, the connection should be
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01001963 immediate (less than a few milliseconds). Anyway, it is a good practice to
Willy Tarreaud72758d2010-01-12 10:42:19 +01001964 cover one or several TCP packet losses by specifying timeouts that are
Willy Tarreau0ba27502007-12-24 16:55:16 +01001965 slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
1966 connect timeout also presets the queue timeout to the same value if this one
1967 has not been specified. Historically, the contimeout was also used to set the
1968 tarpit timeout in a listen section, which is not possible in a pure frontend.
1969
1970 This parameter is specific to backends, but can be specified once for all in
1971 "defaults" sections. This is in fact one of the easiest solutions not to
1972 forget about it. An unspecified timeout results in an infinite timeout, which
1973 is not recommended. Such a usage is accepted and works but reports a warning
1974 during startup because it may results in accumulation of failed sessions in
1975 the system if the system's timeouts are not configured either.
1976
1977 This parameter is provided for backwards compatibility but is currently
1978 deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit"
1979 instead.
1980
1981 See also : "timeout connect", "timeout queue", "timeout tarpit",
1982 "timeout server", "contimeout".
1983
1984
Willy Tarreau55165fe2009-05-10 12:02:55 +02001985cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
Willy Tarreau4992dd22012-05-31 21:02:17 +02001986 [ postonly ] [ preserve ] [ httponly ] [ secure ]
1987 [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
Willy Tarreau0ba27502007-12-24 16:55:16 +01001988 Enable cookie-based persistence in a backend.
1989 May be used in sections : defaults | frontend | listen | backend
1990 yes | no | yes | yes
1991 Arguments :
1992 <name> is the name of the cookie which will be monitored, modified or
1993 inserted in order to bring persistence. This cookie is sent to
1994 the client via a "Set-Cookie" header in the response, and is
1995 brought back by the client in a "Cookie" header in all requests.
1996 Special care should be taken to choose a name which does not
1997 conflict with any likely application cookie. Also, if the same
1998 backends are subject to be used by the same clients (eg:
1999 HTTP/HTTPS), care should be taken to use different cookie names
2000 between all backends if persistence between them is not desired.
2001
2002 rewrite This keyword indicates that the cookie will be provided by the
2003 server and that haproxy will have to modify its value to set the
2004 server's identifier in it. This mode is handy when the management
2005 of complex combinations of "Set-cookie" and "Cache-control"
2006 headers is left to the application. The application can then
2007 decide whether or not it is appropriate to emit a persistence
2008 cookie. Since all responses should be monitored, this mode only
2009 works in HTTP close mode. Unless the application behaviour is
2010 very complex and/or broken, it is advised not to start with this
2011 mode for new deployments. This keyword is incompatible with
2012 "insert" and "prefix".
2013
2014 insert This keyword indicates that the persistence cookie will have to
Willy Tarreaua79094d2010-08-31 22:54:15 +02002015 be inserted by haproxy in server responses if the client did not
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002016
Willy Tarreaua79094d2010-08-31 22:54:15 +02002017 already have a cookie that would have permitted it to access this
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002018 server. When used without the "preserve" option, if the server
2019 emits a cookie with the same name, it will be remove before
2020 processing. For this reason, this mode can be used to upgrade
2021 existing configurations running in the "rewrite" mode. The cookie
2022 will only be a session cookie and will not be stored on the
2023 client's disk. By default, unless the "indirect" option is added,
2024 the server will see the cookies emitted by the client. Due to
2025 caching effects, it is generally wise to add the "nocache" or
2026 "postonly" keywords (see below). The "insert" keyword is not
2027 compatible with "rewrite" and "prefix".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002028
2029 prefix This keyword indicates that instead of relying on a dedicated
2030 cookie for the persistence, an existing one will be completed.
2031 This may be needed in some specific environments where the client
2032 does not support more than one single cookie and the application
2033 already needs it. In this case, whenever the server sets a cookie
2034 named <name>, it will be prefixed with the server's identifier
2035 and a delimiter. The prefix will be removed from all client
2036 requests so that the server still finds the cookie it emitted.
2037 Since all requests and responses are subject to being modified,
2038 this mode requires the HTTP close mode. The "prefix" keyword is
Willy Tarreau37229df2011-10-17 12:24:55 +02002039 not compatible with "rewrite" and "insert". Note: it is highly
2040 recommended not to use "indirect" with "prefix", otherwise server
2041 cookie updates would not be sent to clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002042
Willy Tarreaua79094d2010-08-31 22:54:15 +02002043 indirect When this option is specified, no cookie will be emitted to a
2044 client which already has a valid one for the server which has
2045 processed the request. If the server sets such a cookie itself,
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002046 it will be removed, unless the "preserve" option is also set. In
2047 "insert" mode, this will additionally remove cookies from the
2048 requests transmitted to the server, making the persistence
2049 mechanism totally transparent from an application point of view.
Willy Tarreau37229df2011-10-17 12:24:55 +02002050 Note: it is highly recommended not to use "indirect" with
2051 "prefix", otherwise server cookie updates would not be sent to
2052 clients.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002053
2054 nocache This option is recommended in conjunction with the insert mode
2055 when there is a cache between the client and HAProxy, as it
2056 ensures that a cacheable response will be tagged non-cacheable if
2057 a cookie needs to be inserted. This is important because if all
2058 persistence cookies are added on a cacheable home page for
2059 instance, then all customers will then fetch the page from an
2060 outer cache and will all share the same persistence cookie,
2061 leading to one server receiving much more traffic than others.
2062 See also the "insert" and "postonly" options.
2063
2064 postonly This option ensures that cookie insertion will only be performed
2065 on responses to POST requests. It is an alternative to the
2066 "nocache" option, because POST responses are not cacheable, so
2067 this ensures that the persistence cookie will never get cached.
2068 Since most sites do not need any sort of persistence before the
2069 first POST which generally is a login request, this is a very
2070 efficient method to optimize caching without risking to find a
2071 persistence cookie in the cache.
2072 See also the "insert" and "nocache" options.
2073
Willy Tarreauba4c5be2010-10-23 12:46:42 +02002074 preserve This option may only be used with "insert" and/or "indirect". It
2075 allows the server to emit the persistence cookie itself. In this
2076 case, if a cookie is found in the response, haproxy will leave it
2077 untouched. This is useful in order to end persistence after a
2078 logout request for instance. For this, the server just has to
2079 emit a cookie with an invalid value (eg: empty) or with a date in
2080 the past. By combining this mechanism with the "disable-on-404"
2081 check option, it is possible to perform a completely graceful
2082 shutdown because users will definitely leave the server after
2083 they logout.
2084
Willy Tarreau4992dd22012-05-31 21:02:17 +02002085 httponly This option tells haproxy to add an "HttpOnly" cookie attribute
2086 when a cookie is inserted. This attribute is used so that a
2087 user agent doesn't share the cookie with non-HTTP components.
2088 Please check RFC6265 for more information on this attribute.
2089
2090 secure This option tells haproxy to add a "Secure" cookie attribute when
2091 a cookie is inserted. This attribute is used so that a user agent
2092 never emits this cookie over non-secure channels, which means
2093 that a cookie learned with this flag will be presented only over
2094 SSL/TLS connections. Please check RFC6265 for more information on
2095 this attribute.
2096
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02002097 domain This option allows to specify the domain at which a cookie is
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002098 inserted. It requires exactly one parameter: a valid domain
Willy Tarreau68a897b2009-12-03 23:28:34 +01002099 name. If the domain begins with a dot, the browser is allowed to
2100 use it for any host ending with that name. It is also possible to
2101 specify several domain names by invoking this option multiple
2102 times. Some browsers might have small limits on the number of
2103 domains, so be careful when doing that. For the record, sending
2104 10 domains to MSIE 6 or Firefox 2 works as expected.
Krzysztof Piotr Oledzkiefe3b6f2008-05-23 23:49:32 +02002105
Willy Tarreau996a92c2010-10-13 19:30:47 +02002106 maxidle This option allows inserted cookies to be ignored after some idle
2107 time. It only works with insert-mode cookies. When a cookie is
2108 sent to the client, the date this cookie was emitted is sent too.
2109 Upon further presentations of this cookie, if the date is older
2110 than the delay indicated by the parameter (in seconds), it will
2111 be ignored. Otherwise, it will be refreshed if needed when the
2112 response is sent to the client. This is particularly useful to
2113 prevent users who never close their browsers from remaining for
2114 too long on the same server (eg: after a farm size change). When
2115 this option is set and a cookie has no date, it is always
2116 accepted, but gets refreshed in the response. This maintains the
2117 ability for admins to access their sites. Cookies that have a
2118 date in the future further than 24 hours are ignored. Doing so
2119 lets admins fix timezone issues without risking kicking users off
2120 the site.
2121
2122 maxlife This option allows inserted cookies to be ignored after some life
2123 time, whether they're in use or not. It only works with insert
2124 mode cookies. When a cookie is first sent to the client, the date
2125 this cookie was emitted is sent too. Upon further presentations
2126 of this cookie, if the date is older than the delay indicated by
2127 the parameter (in seconds), it will be ignored. If the cookie in
2128 the request has no date, it is accepted and a date will be set.
2129 Cookies that have a date in the future further than 24 hours are
2130 ignored. Doing so lets admins fix timezone issues without risking
2131 kicking users off the site. Contrary to maxidle, this value is
2132 not refreshed, only the first visit date counts. Both maxidle and
2133 maxlife may be used at the time. This is particularly useful to
2134 prevent users who never close their browsers from remaining for
2135 too long on the same server (eg: after a farm size change). This
2136 is stronger than the maxidle method in that it forces a
2137 redispatch after some absolute delay.
2138
Willy Tarreau0ba27502007-12-24 16:55:16 +01002139 There can be only one persistence cookie per HTTP backend, and it can be
2140 declared in a defaults section. The value of the cookie will be the value
2141 indicated after the "cookie" keyword in a "server" statement. If no cookie
2142 is declared for a given server, the cookie is not set.
Willy Tarreau6a06a402007-07-15 20:15:28 +02002143
Willy Tarreau0ba27502007-12-24 16:55:16 +01002144 Examples :
2145 cookie JSESSIONID prefix
2146 cookie SRV insert indirect nocache
2147 cookie SRV insert postonly indirect
Willy Tarreau996a92c2010-10-13 19:30:47 +02002148 cookie SRV insert indirect nocache maxidle 30m maxlife 8h
Willy Tarreau0ba27502007-12-24 16:55:16 +01002149
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002150 See also : "appsession", "balance source", "capture cookie", "server"
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002151 and "ignore-persist".
Willy Tarreau0ba27502007-12-24 16:55:16 +01002152
Willy Tarreau983e01e2010-01-11 18:42:06 +01002153
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002154default-server [param*]
2155 Change default options for a server in a backend
2156 May be used in sections : defaults | frontend | listen | backend
2157 yes | no | yes | yes
2158 Arguments:
Willy Tarreau983e01e2010-01-11 18:42:06 +01002159 <param*> is a list of parameters for this server. The "default-server"
2160 keyword accepts an important number of options and has a complete
2161 section dedicated to it. Please refer to section 5 for more
2162 details.
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002163
Willy Tarreau983e01e2010-01-11 18:42:06 +01002164 Example :
Krzysztof Piotr Oledzkic6df0662010-01-05 16:38:49 +01002165 default-server inter 1000 weight 13
2166
2167 See also: "server" and section 5 about server options
Willy Tarreau0ba27502007-12-24 16:55:16 +01002168
Willy Tarreau983e01e2010-01-11 18:42:06 +01002169
Willy Tarreau0ba27502007-12-24 16:55:16 +01002170default_backend <backend>
2171 Specify the backend to use when no "use_backend" rule has been matched.
2172 May be used in sections : defaults | frontend | listen | backend
2173 yes | yes | yes | no
2174 Arguments :
2175 <backend> is the name of the backend to use.
2176
2177 When doing content-switching between frontend and backends using the
2178 "use_backend" keyword, it is often useful to indicate which backend will be
2179 used when no rule has matched. It generally is the dynamic backend which
2180 will catch all undetermined requests.
2181
Willy Tarreau0ba27502007-12-24 16:55:16 +01002182 Example :
2183
2184 use_backend dynamic if url_dyn
2185 use_backend static if url_css url_img extension_img
2186 default_backend dynamic
2187
Willy Tarreau2769aa02007-12-27 18:26:09 +01002188 See also : "use_backend", "reqsetbe", "reqisetbe"
2189
Willy Tarreau0ba27502007-12-24 16:55:16 +01002190
2191disabled
2192 Disable a proxy, frontend or backend.
2193 May be used in sections : defaults | frontend | listen | backend
2194 yes | yes | yes | yes
2195 Arguments : none
2196
2197 The "disabled" keyword is used to disable an instance, mainly in order to
2198 liberate a listening port or to temporarily disable a service. The instance
2199 will still be created and its configuration will be checked, but it will be
2200 created in the "stopped" state and will appear as such in the statistics. It
2201 will not receive any traffic nor will it send any health-checks or logs. It
2202 is possible to disable many instances at once by adding the "disabled"
2203 keyword in a "defaults" section.
2204
2205 See also : "enabled"
2206
2207
Willy Tarreau5ce94572010-06-07 14:35:41 +02002208dispatch <address>:<port>
2209 Set a default server address
2210 May be used in sections : defaults | frontend | listen | backend
2211 no | no | yes | yes
Cyril Bonté108cf6e2012-04-21 23:30:29 +02002212 Arguments :
Willy Tarreau5ce94572010-06-07 14:35:41 +02002213
2214 <address> is the IPv4 address of the default server. Alternatively, a
2215 resolvable hostname is supported, but this name will be resolved
2216 during start-up.
2217
2218 <ports> is a mandatory port specification. All connections will be sent
2219 to this port, and it is not permitted to use port offsets as is
2220 possible with normal servers.
2221
Willy Tarreau787aed52011-04-15 06:45:37 +02002222 The "dispatch" keyword designates a default server for use when no other
Willy Tarreau5ce94572010-06-07 14:35:41 +02002223 server can take the connection. In the past it was used to forward non
2224 persistent connections to an auxiliary load balancer. Due to its simple
2225 syntax, it has also been used for simple TCP relays. It is recommended not to
2226 use it for more clarity, and to use the "server" directive instead.
2227
2228 See also : "server"
2229
2230
Willy Tarreau0ba27502007-12-24 16:55:16 +01002231enabled
2232 Enable a proxy, frontend or backend.
2233 May be used in sections : defaults | frontend | listen | backend
2234 yes | yes | yes | yes
2235 Arguments : none
2236
2237 The "enabled" keyword is used to explicitly enable an instance, when the
2238 defaults has been set to "disabled". This is very rarely used.
2239
2240 See also : "disabled"
2241
2242
2243errorfile <code> <file>
2244 Return a file contents instead of errors generated by HAProxy
2245 May be used in sections : defaults | frontend | listen | backend
2246 yes | yes | yes | yes
2247 Arguments :
2248 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002249 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002250
2251 <file> designates a file containing the full HTTP response. It is
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002252 recommended to follow the common practice of appending ".http" to
Willy Tarreau0ba27502007-12-24 16:55:16 +01002253 the filename so that people do not confuse the response with HTML
Willy Tarreau59140a22009-02-22 12:02:30 +01002254 error pages, and to use absolute paths, since files are read
2255 before any chroot is performed.
Willy Tarreau0ba27502007-12-24 16:55:16 +01002256
2257 It is important to understand that this keyword is not meant to rewrite
2258 errors returned by the server, but errors detected and returned by HAProxy.
2259 This is why the list of supported errors is limited to a small set.
2260
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002261 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2262
Willy Tarreau0ba27502007-12-24 16:55:16 +01002263 The files are returned verbatim on the TCP socket. This allows any trick such
2264 as redirections to another URL or site, as well as tricks to clean cookies,
2265 force enable or disable caching, etc... The package provides default error
2266 files returning the same contents as default errors.
2267
Willy Tarreau59140a22009-02-22 12:02:30 +01002268 The files should not exceed the configured buffer size (BUFSIZE), which
2269 generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
2270 not to put any reference to local contents (eg: images) in order to avoid
2271 loops between the client and HAProxy when all servers are down, causing an
2272 error to be returned instead of an image. For better HTTP compliance, it is
2273 recommended that all header lines end with CR-LF and not LF alone.
2274
Willy Tarreau0ba27502007-12-24 16:55:16 +01002275 The files are read at the same time as the configuration and kept in memory.
2276 For this reason, the errors continue to be returned even when the process is
2277 chrooted, and no file change is considered while the process is running. A
Willy Tarreauc27debf2008-01-06 08:57:02 +01002278 simple method for developing those files consists in associating them to the
Willy Tarreau0ba27502007-12-24 16:55:16 +01002279 403 status code and interrogating a blocked URL.
2280
2281 See also : "errorloc", "errorloc302", "errorloc303"
2282
Willy Tarreau59140a22009-02-22 12:02:30 +01002283 Example :
2284 errorfile 400 /etc/haproxy/errorfiles/400badreq.http
2285 errorfile 403 /etc/haproxy/errorfiles/403forbid.http
2286 errorfile 503 /etc/haproxy/errorfiles/503sorry.http
2287
Willy Tarreau2769aa02007-12-27 18:26:09 +01002288
2289errorloc <code> <url>
2290errorloc302 <code> <url>
2291 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2292 May be used in sections : defaults | frontend | listen | backend
2293 yes | yes | yes | yes
2294 Arguments :
2295 <code> is the HTTP status code. Currently, HAProxy is capable of
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002296 generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002297
2298 <url> it is the exact contents of the "Location" header. It may contain
2299 either a relative URI to an error page hosted on the same site,
2300 or an absolute URI designating an error page on another site.
2301 Special care should be given to relative URIs to avoid redirect
2302 loops if the URI itself may generate the same error (eg: 500).
2303
2304 It is important to understand that this keyword is not meant to rewrite
2305 errors returned by the server, but errors detected and returned by HAProxy.
2306 This is why the list of supported errors is limited to a small set.
2307
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002308 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2309
Willy Tarreau2769aa02007-12-27 18:26:09 +01002310 Note that both keyword return the HTTP 302 status code, which tells the
2311 client to fetch the designated URL using the same HTTP method. This can be
2312 quite problematic in case of non-GET methods such as POST, because the URL
2313 sent to the client might not be allowed for something other than GET. To
2314 workaround this problem, please use "errorloc303" which send the HTTP 303
2315 status code, indicating to the client that the URL must be fetched with a GET
2316 request.
2317
2318 See also : "errorfile", "errorloc303"
2319
2320
2321errorloc303 <code> <url>
2322 Return an HTTP redirection to a URL instead of errors generated by HAProxy
2323 May be used in sections : defaults | frontend | listen | backend
2324 yes | yes | yes | yes
2325 Arguments :
2326 <code> is the HTTP status code. Currently, HAProxy is capable of
2327 generating codes 400, 403, 408, 500, 502, 503, and 504.
2328
2329 <url> it is the exact contents of the "Location" header. It may contain
2330 either a relative URI to an error page hosted on the same site,
2331 or an absolute URI designating an error page on another site.
2332 Special care should be given to relative URIs to avoid redirect
2333 loops if the URI itself may generate the same error (eg: 500).
2334
2335 It is important to understand that this keyword is not meant to rewrite
2336 errors returned by the server, but errors detected and returned by HAProxy.
2337 This is why the list of supported errors is limited to a small set.
2338
Willy Tarreauae94d4d2011-05-11 16:28:49 +02002339 Code 200 is emitted in response to requests matching a "monitor-uri" rule.
2340
Willy Tarreau2769aa02007-12-27 18:26:09 +01002341 Note that both keyword return the HTTP 303 status code, which tells the
2342 client to fetch the designated URL using the same HTTP GET method. This
2343 solves the usual problems associated with "errorloc" and the 302 code. It is
2344 possible that some very old browsers designed before HTTP/1.1 do not support
Willy Tarreaud2a4aa22008-01-31 15:28:22 +01002345 it, but no such problem has been reported till now.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002346
2347 See also : "errorfile", "errorloc", "errorloc302"
2348
2349
Willy Tarreau4de91492010-01-22 19:10:05 +01002350force-persist { if | unless } <condition>
2351 Declare a condition to force persistence on down servers
2352 May be used in sections: defaults | frontend | listen | backend
2353 no | yes | yes | yes
2354
2355 By default, requests are not dispatched to down servers. It is possible to
2356 force this using "option persist", but it is unconditional and redispatches
2357 to a valid server if "option redispatch" is set. That leaves with very little
2358 possibilities to force some requests to reach a server which is artificially
2359 marked down for maintenance operations.
2360
2361 The "force-persist" statement allows one to declare various ACL-based
2362 conditions which, when met, will cause a request to ignore the down status of
2363 a server and still try to connect to it. That makes it possible to start a
2364 server, still replying an error to the health checks, and run a specially
2365 configured browser to test the service. Among the handy methods, one could
2366 use a specific source IP address, or a specific cookie. The cookie also has
2367 the advantage that it can easily be added/removed on the browser from a test
2368 page. Once the service is validated, it is then possible to open the service
2369 to the world by returning a valid response to health checks.
2370
2371 The forced persistence is enabled when an "if" condition is met, or unless an
2372 "unless" condition is met. The final redispatch is always disabled when this
2373 is used.
2374
Cyril Bonté0d4bf012010-04-25 23:21:46 +02002375 See also : "option redispatch", "ignore-persist", "persist",
Cyril Bontéa8e7bbc2010-04-25 22:29:29 +02002376 and section 7 about ACL usage.
Willy Tarreau4de91492010-01-22 19:10:05 +01002377
2378
Willy Tarreau2769aa02007-12-27 18:26:09 +01002379fullconn <conns>
2380 Specify at what backend load the servers will reach their maxconn
2381 May be used in sections : defaults | frontend | listen | backend
2382 yes | no | yes | yes
2383 Arguments :
2384 <conns> is the number of connections on the backend which will make the
2385 servers use the maximal number of connections.
2386
Willy Tarreau198a7442008-01-17 12:05:32 +01002387 When a server has a "maxconn" parameter specified, it means that its number
Willy Tarreau2769aa02007-12-27 18:26:09 +01002388 of concurrent connections will never go higher. Additionally, if it has a
Willy Tarreau198a7442008-01-17 12:05:32 +01002389 "minconn" parameter, it indicates a dynamic limit following the backend's
Willy Tarreau2769aa02007-12-27 18:26:09 +01002390 load. The server will then always accept at least <minconn> connections,
2391 never more than <maxconn>, and the limit will be on the ramp between both
2392 values when the backend has less than <conns> concurrent connections. This
2393 makes it possible to limit the load on the servers during normal loads, but
2394 push it further for important loads without overloading the servers during
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002395 exceptional loads.
Willy Tarreau2769aa02007-12-27 18:26:09 +01002396
Willy Tarreaufbb78422011-06-05 15:38:35 +02002397 Since it's hard to get this value right, haproxy automatically sets it to
2398 10% of the sum of the maxconns of all frontends that may branch to this
2399 backend. That way it's safe to leave it unset.
2400
Willy Tarreau2769aa02007-12-27 18:26:09 +01002401 Example :
2402 # The servers will accept between 100 and 1000 concurrent connections each
2403 # and the maximum of 1000 will be reached when the backend reaches 10000
2404 # connections.
2405 backend dynamic
2406 fullconn 10000
2407 server srv1 dyn1:80 minconn 100 maxconn 1000
2408 server srv2 dyn2:80 minconn 100 maxconn 1000
2409
2410 See also : "maxconn", "server"
2411
2412
2413grace <time>
2414 Maintain a proxy operational for some time after a soft stop
2415 May be used in sections : defaults | frontend | listen | backend
Cyril Bonté99ed3272010-01-24 23:29:44 +01002416 yes | yes | yes | yes
Willy Tarreau2769aa02007-12-27 18:26:09 +01002417 Arguments :
2418 <time> is the time (by default in milliseconds) for which the instance
2419 will remain operational with the frontend sockets still listening
2420 when a soft-stop is received via the SIGUSR1 signal.
2421
2422 This may be used to ensure that the services disappear in a certain order.
2423 This was designed so that frontends which are dedicated to monitoring by an
Krzysztof Piotr Oledzkif8645332009-12-13 21:55:50 +01002424 external equipment fail immediately while other ones remain up for the time
Willy Tarreau2769aa02007-12-27 18:26:09 +01002425 needed by the equipment to detect the failure.
2426
2427 Note that currently, there is very little benefit in using this parameter,
2428 and it may in fact complicate the soft-reconfiguration process more than
2429 simplify it.
2430
Willy Tarreau0ba27502007-12-24 16:55:16 +01002431
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002432hash-type <method>
2433 Specify a method to use for mapping hashes to servers
2434 May be used in sections : defaults | frontend | listen | backend
2435 yes | no | yes | yes
2436 Arguments :
2437 map-based the hash table is a static array containing all alive servers.
2438 The hashes will be very smooth, will consider weights, but will
2439 be static in that weight changes while a server is up will be
2440 ignored. This means that there will be no slow start. Also,
2441 since a server is selected by its position in the array, most
2442 mappings are changed when the server count changes. This means
2443 that when a server goes up or down, or when a server is added
2444 to a farm, most connections will be redistributed to different
2445 servers. This can be inconvenient with caches for instance.
2446
Willy Tarreau798a39c2010-11-24 15:04:29 +01002447 avalanche this mechanism uses the default map-based hashing described
2448 above but applies a full avalanche hash before performing the
2449 mapping. The result is a slightly less smooth hash for most
2450 situations, but the hash becomes better than pure map-based
2451 hashes when the number of servers is a multiple of the size of
2452 the input set. When using URI hash with a number of servers
2453 multiple of 64, it's desirable to change the hash type to
2454 this value.
2455
Willy Tarreau6b2e11b2009-10-01 07:52:15 +02002456 consistent the hash table is a tree filled with many occurrences of each
2457 server. The hash key is looked up in the tree and the closest
2458 server is chosen. This hash is dynamic, it supports changing
2459 weights while the servers are up, so it is compatible with the
2460 slow start feature. It has the advantage that when a server
2461 goes up or down, only its associations are moved. When a server
2462 is added to the farm, only a few part of the mappings are
2463 redistributed, making it an ideal algorithm for caches.
2464 However, due to its principle, the algorithm will never be very
2465 smooth and it may sometimes be necessary to adjust a server's
2466 weight or its ID to get a more balanced distribution. In order
2467 to get the same distribution on multiple load balancers, it is
2468 important that all servers have the same IDs.
2469
2470 The default hash type is "map-based" and is recommended for most usages.
2471
2472 See also : "balance", "server"
2473
2474
Willy Tarreau0ba27502007-12-24 16:55:16 +01002475http-check disable-on-404
2476 Enable a maintenance mode upon HTTP/404 response to health-checks
2477 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau2769aa02007-12-27 18:26:09 +01002478 yes | no | yes | yes
Willy Tarreau0ba27502007-12-24 16:55:16 +01002479 Arguments : none
2480
2481 When this option is set, a server which returns an HTTP code 404 will be
2482 excluded from further load-balancing, but will still receive persistent
2483 connections. This provides a very convenient method for Web administrators
2484 to perform a graceful shutdown of their servers. It is also important to note
2485 that a server which is detected as failed while it was in this mode will not
2486 generate an alert, just a notice. If the server responds 2xx or 3xx again, it
2487 will immediately be reinserted into the farm. The status on the stats page
2488 reports "NOLB" for a server in this mode. It is important to note that this
Willy Tarreaubd741542010-03-16 18:46:54 +01002489 option only works in conjunction with the "httpchk" option. If this option
2490 is used with "http-check expect", then it has precedence over it so that 404
2491 responses will still be considered as soft-stop.
2492
2493 See also : "option httpchk", "http-check expect"
2494
2495
2496http-check expect [!] <match> <pattern>
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002497 Make HTTP health checks consider response contents or specific status codes
Willy Tarreaubd741542010-03-16 18:46:54 +01002498 May be used in sections : defaults | frontend | listen | backend
Willy Tarreau1ee51a62011-08-19 20:04:17 +02002499 yes | no | yes | yes
Willy Tarreaubd741542010-03-16 18:46:54 +01002500 Arguments :
2501 <match> is a keyword indicating how to look for a specific pattern in the
2502 response. The keyword may be one of "status", "rstatus",
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002503 "string", or "rstring". The keyword may be preceded by an
Willy Tarreaubd741542010-03-16 18:46:54 +01002504 exclamation mark ("!") to negate the match. Spaces are allowed
2505 between the exclamation mark and the keyword. See below for more
2506 details on the supported keywords.
2507
2508 <pattern> is the pattern to look for. It may be a string or a regular
2509 expression. If the pattern contains spaces, they must be escaped
2510 with the usual backslash ('\').
2511
2512 By default, "option httpchk" considers that response statuses 2xx and 3xx
2513 are valid, and that others are invalid. When "http-check expect" is used,
2514 it defines what is considered valid or invalid. Only one "http-check"
2515 statement is supported in a backend. If a server fails to respond or times
2516 out, the check obviously fails. The available matches are :
2517
2518 status <string> : test the exact string match for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002519 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002520 response's status code is exactly this string. If the
2521 "status" keyword is prefixed with "!", then the response
2522 will be considered invalid if the status code matches.
2523
2524 rstatus <regex> : test a regular expression for the HTTP status code.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002525 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002526 response's status code matches the expression. If the
2527 "rstatus" keyword is prefixed with "!", then the response
2528 will be considered invalid if the status code matches.
2529 This is mostly used to check for multiple codes.
2530
2531 string <string> : test the exact string match in the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002532 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002533 response's body contains this exact string. If the
2534 "string" keyword is prefixed with "!", then the response
2535 will be considered invalid if the body contains this
2536 string. This can be used to look for a mandatory word at
2537 the end of a dynamic page, or to detect a failure when a
2538 specific error appears on the check page (eg: a stack
2539 trace).
2540
2541 rstring <regex> : test a regular expression on the HTTP response body.
Jamie Gloudonaaa21002012-08-25 00:18:33 -04002542 A health check response will be considered valid if the
Willy Tarreaubd741542010-03-16 18:46:54 +01002543 response's body matches this expression. If the "rstring"
2544 keyword is prefixed with "!", then the response will be
2545 considered invalid if the body matches the expression.
2546 This can be used to look for a mandatory word at the end
2547 of a dynamic page, or to detect a failure when a specific
2548 error appears on the check page (eg: a stack trace).
2549
2550 It is important to note that the responses will be limited to a certain size
2551 defined by the global "tune.chksize" option, which defaults to 16384 bytes.
2552 Thus, too large responses may not contain the mandatory pattern when using
2553 "string" or "rstring". If a large response is absolutely required, it is
2554 possible to change the default max size by setting the global variable.
2555 However, it is worth keeping in mind that parsing very large responses can
2556 waste some CPU cycles, especially when regular expressions are used, and that
2557 it is always better to focus the checks on smaller resources.
2558
2559 Last, if "http-check expect" is combined with "http-check disable-on-404",
2560 then this last one has precedence when the server responds with 404.
2561
2562 Examples :
2563 # only accept status 200 as valid
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002564 http-check expect status 200
Willy Tarreaubd741542010-03-16 18:46:54 +01002565
2566 # consider SQL errors as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002567 http-check expect ! string SQL\ Error
Willy Tarreaubd741542010-03-16 18:46:54 +01002568
2569 # consider status 5xx only as errors
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002570 http-check expect ! rstatus ^5
Willy Tarreaubd741542010-03-16 18:46:54 +01002571
2572 # check that we have a correct hexadecimal tag before /html
Willy Tarreau8f2a1e72011-01-06 16:36:10 +01002573 http-check expect rstring <!--tag:[0-9a-f]*</html>
Willy Tarreau0ba27502007-12-24 16:55:16 +01002574
Willy Tarreaubd741542010-03-16 18:46:54 +01002575 See also : "option httpchk", "http-check disable-on-404"
Willy Tarreau2769aa02007-12-27 18:26:09 +01002576
2577
Willy Tarreauef781042010-01-27 11:53:01 +01002578http-check send-state
2579 Enable emission of a state header with HTTP health checks
2580 May be used in sections : defaults | frontend | listen | backend
2581 yes | no | yes | yes
2582 Arguments : none
2583
2584 When this option is set, haproxy will systematically send a special header
2585 "X-Haproxy-Server-State" with a list of parameters indicating to each server
2586 how they are seen by haproxy. This can be used for instance when a server is
2587 manipulated without access to haproxy and the operator needs to know whether
2588 haproxy still sees it up or not, or if the server is the last one in a farm.
2589
2590 The header is composed of fields delimited by semi-colons, the first of which
2591 is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
2592 checks on the total number before transition, just as appears in the stats
2593 interface. Next headers are in the form "<variable>=<value>", indicating in
2594 no specific order some values available in the stats interface :
2595 - a variable "name", containing the name of the backend followed by a slash
2596 ("/") then the name of the server. This can be used when a server is
2597 checked in multiple backends.
2598
2599 - a variable "node" containing the name of the haproxy node, as set in the
2600 global "node" variable, otherwise the system's hostname if unspecified.
2601
2602 - a variable "weight" indicating the weight of the server, a slash ("/")
2603 and the total weight of the farm (just counting usable servers). This
2604 helps to know if other servers are available to handle the load when this
2605 one fails.
2606
2607 - a variable "scur" indicating the current number of concurrent connections
2608 on the server, followed by a slash ("/") then the total number of
2609 connections on all servers of the same backend.
2610
2611 - a variable "qcur" indicating the current number of requests in the
2612 server's queue.
2613
2614 Example of a header received by the application server :
2615 >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
2616 scur=13/22; qcur=0
2617
2618 See also : "option httpchk", "http-check disable-on-404"
2619
Willy Tarreauccbcc372012-12-27 12:37:57 +01002620http-request { allow | deny | tarpit | auth [realm <realm>] | redirect <rule> |
Willy Tarreau20b0de52012-12-24 15:45:22 +01002621 add-header <name> <fmt> | set-header <name> <fmt> }
Cyril Bontéf0c60612010-02-06 14:44:47 +01002622 [ { if | unless } <condition> ]
Krzysztof Piotr Oledzki6b35ce12010-02-01 23:35:44 +01002623 Access control for Layer 7 requests
2624
2625 May be used in sections: defaults | frontend | listen | backend