Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1 | ---------------------- |
| 2 | HAProxy |
| 3 | Configuration Manual |
| 4 | ---------------------- |
Willy Tarreau | 21475e3 | 2010-05-23 08:46:08 +0200 | [diff] [blame] | 5 | version 1.5 |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 6 | willy tarreau |
Willy Tarreau | a3ecbd9 | 2012-12-28 15:04:05 +0100 | [diff] [blame] | 7 | 2012/12/28 |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 8 | |
| 9 | |
| 10 | This document covers the configuration language as implemented in the version |
| 11 | specified above. It does not provide any hint, example or advice. For such |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 12 | documentation, please refer to the Reference Manual or the Architecture Manual. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 13 | The summary below is meant to help you search sections by name and navigate |
| 14 | through the document. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 15 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 16 | Note to documentation contributors : |
Jamie Gloudon | aaa2100 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 17 | This document is formatted with 80 columns per line, with even number of |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 18 | spaces for indentation and without tabs. Please follow these rules strictly |
| 19 | so that it remains easily printable everywhere. If a line needs to be |
| 20 | printed verbatim and does not fit, please end each line with a backslash |
Willy Tarreau | 62a36c4 | 2010-08-17 15:53:10 +0200 | [diff] [blame] | 21 | ('\') and continue on next line, indented by two characters. It is also |
| 22 | sometimes useful to prefix all output lines (logs, console outs) with 3 |
| 23 | closing angle brackets ('>>>') in order to help get the difference between |
| 24 | inputs and outputs when it can become ambiguous. If you add sections, |
| 25 | please update the summary below for easier searching. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 26 | |
| 27 | |
| 28 | Summary |
| 29 | ------- |
| 30 | |
| 31 | 1. Quick reminder about HTTP |
| 32 | 1.1. The HTTP transaction model |
| 33 | 1.2. HTTP request |
| 34 | 1.2.1. The Request line |
| 35 | 1.2.2. The request headers |
| 36 | 1.3. HTTP response |
| 37 | 1.3.1. The Response line |
| 38 | 1.3.2. The response headers |
| 39 | |
| 40 | 2. Configuring HAProxy |
| 41 | 2.1. Configuration file format |
| 42 | 2.2. Time format |
Patrick Mezard | 35da19c | 2010-06-12 17:02:47 +0200 | [diff] [blame] | 43 | 2.3. Examples |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 44 | |
| 45 | 3. Global parameters |
| 46 | 3.1. Process management and security |
| 47 | 3.2. Performance tuning |
| 48 | 3.3. Debugging |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 49 | 3.4. Userlists |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 50 | 3.5. Peers |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 51 | |
| 52 | 4. Proxies |
| 53 | 4.1. Proxy keywords matrix |
| 54 | 4.2. Alphabetically sorted keywords reference |
| 55 | |
Willy Tarreau | 086fbf5 | 2012-09-24 20:34:51 +0200 | [diff] [blame] | 56 | 5. Bind and Server options |
| 57 | 5.1. Bind options |
| 58 | 5.2. Server and default-server options |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 59 | |
| 60 | 6. HTTP header manipulation |
| 61 | |
Cyril Bonté | 7d38afb | 2010-02-03 20:41:26 +0100 | [diff] [blame] | 62 | 7. Using ACLs and pattern extraction |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 63 | 7.1. Matching integers |
| 64 | 7.2. Matching strings |
| 65 | 7.3. Matching regular expressions (regexes) |
Willy Tarreau | ceb4ac9 | 2012-04-28 00:41:46 +0200 | [diff] [blame] | 66 | 7.4. Matching IPv4 and IPv6 addresses |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 67 | 7.5. Available matching criteria |
| 68 | 7.5.1. Matching at Layer 4 and below |
| 69 | 7.5.2. Matching contents at Layer 4 |
| 70 | 7.5.3. Matching at Layer 7 |
| 71 | 7.6. Pre-defined ACLs |
| 72 | 7.7. Using ACLs to form conditions |
Cyril Bonté | 7d38afb | 2010-02-03 20:41:26 +0100 | [diff] [blame] | 73 | 7.8. Pattern extraction |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 74 | |
| 75 | 8. Logging |
| 76 | 8.1. Log levels |
| 77 | 8.2. Log formats |
| 78 | 8.2.1. Default log format |
| 79 | 8.2.2. TCP log format |
| 80 | 8.2.3. HTTP log format |
William Lallemand | 4894040 | 2012-01-30 16:47:22 +0100 | [diff] [blame] | 81 | 8.2.4. Custom log format |
Willy Tarreau | 5f51e1a | 2012-12-03 18:40:10 +0100 | [diff] [blame] | 82 | 8.2.5. Error log format |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 83 | 8.3. Advanced logging options |
| 84 | 8.3.1. Disabling logging of external tests |
| 85 | 8.3.2. Logging before waiting for the session to terminate |
| 86 | 8.3.3. Raising log level upon errors |
| 87 | 8.3.4. Disabling logging of successful connections |
| 88 | 8.4. Timing events |
| 89 | 8.5. Session state at disconnection |
| 90 | 8.6. Non-printable characters |
| 91 | 8.7. Capturing HTTP cookies |
| 92 | 8.8. Capturing HTTP headers |
| 93 | 8.9. Examples of logs |
| 94 | |
| 95 | 9. Statistics and monitoring |
| 96 | 9.1. CSV format |
| 97 | 9.2. Unix Socket commands |
| 98 | |
| 99 | |
| 100 | 1. Quick reminder about HTTP |
| 101 | ---------------------------- |
| 102 | |
| 103 | When haproxy is running in HTTP mode, both the request and the response are |
| 104 | fully analyzed and indexed, thus it becomes possible to build matching criteria |
| 105 | on almost anything found in the contents. |
| 106 | |
| 107 | However, it is important to understand how HTTP requests and responses are |
| 108 | formed, and how HAProxy decomposes them. It will then become easier to write |
| 109 | correct rules and to debug existing configurations. |
| 110 | |
| 111 | |
| 112 | 1.1. The HTTP transaction model |
| 113 | ------------------------------- |
| 114 | |
| 115 | The HTTP protocol is transaction-driven. This means that each request will lead |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 116 | to one and only one response. Traditionally, a TCP connection is established |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 117 | from the client to the server, a request is sent by the client on the |
| 118 | connection, the server responds and the connection is closed. A new request |
| 119 | will involve a new connection : |
| 120 | |
| 121 | [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ... |
| 122 | |
| 123 | In this mode, called the "HTTP close" mode, there are as many connection |
| 124 | establishments as there are HTTP transactions. Since the connection is closed |
| 125 | by the server after the response, the client does not need to know the content |
| 126 | length. |
| 127 | |
| 128 | Due to the transactional nature of the protocol, it was possible to improve it |
| 129 | to avoid closing a connection between two subsequent transactions. In this mode |
| 130 | however, it is mandatory that the server indicates the content length for each |
| 131 | response so that the client does not wait indefinitely. For this, a special |
| 132 | header is used: "Content-length". This mode is called the "keep-alive" mode : |
| 133 | |
| 134 | [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ... |
| 135 | |
| 136 | Its advantages are a reduced latency between transactions, and less processing |
| 137 | power required on the server side. It is generally better than the close mode, |
| 138 | but not always because the clients often limit their concurrent connections to |
Patrick Mezard | 9ec2ec4 | 2010-06-12 17:02:45 +0200 | [diff] [blame] | 139 | a smaller value. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 140 | |
| 141 | A last improvement in the communications is the pipelining mode. It still uses |
| 142 | keep-alive, but the client does not wait for the first response to send the |
| 143 | second request. This is useful for fetching large number of images composing a |
| 144 | page : |
| 145 | |
| 146 | [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ... |
| 147 | |
| 148 | This can obviously have a tremendous benefit on performance because the network |
| 149 | latency is eliminated between subsequent requests. Many HTTP agents do not |
| 150 | correctly support pipelining since there is no way to associate a response with |
| 151 | the corresponding request in HTTP. For this reason, it is mandatory for the |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 152 | server to reply in the exact same order as the requests were received. |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 153 | |
Patrick Mezard | 9ec2ec4 | 2010-06-12 17:02:45 +0200 | [diff] [blame] | 154 | By default HAProxy operates in a tunnel-like mode with regards to persistent |
| 155 | connections: for each connection it processes the first request and forwards |
| 156 | everything else (including additional requests) to selected server. Once |
| 157 | established, the connection is persisted both on the client and server |
| 158 | sides. Use "option http-server-close" to preserve client persistent connections |
| 159 | while handling every incoming request individually, dispatching them one after |
| 160 | another to servers, in HTTP close mode. Use "option httpclose" to switch both |
| 161 | sides to HTTP close mode. "option forceclose" and "option |
| 162 | http-pretend-keepalive" help working around servers misbehaving in HTTP close |
| 163 | mode. |
| 164 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 165 | |
| 166 | 1.2. HTTP request |
| 167 | ----------------- |
| 168 | |
| 169 | First, let's consider this HTTP request : |
| 170 | |
| 171 | Line Contents |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 172 | number |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 173 | 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1 |
| 174 | 2 Host: www.mydomain.com |
| 175 | 3 User-agent: my small browser |
| 176 | 4 Accept: image/jpeg, image/gif |
| 177 | 5 Accept: image/png |
| 178 | |
| 179 | |
| 180 | 1.2.1. The Request line |
| 181 | ----------------------- |
| 182 | |
| 183 | Line 1 is the "request line". It is always composed of 3 fields : |
| 184 | |
| 185 | - a METHOD : GET |
| 186 | - a URI : /serv/login.php?lang=en&profile=2 |
| 187 | - a version tag : HTTP/1.1 |
| 188 | |
| 189 | All of them are delimited by what the standard calls LWS (linear white spaces), |
| 190 | which are commonly spaces, but can also be tabs or line feeds/carriage returns |
| 191 | followed by spaces/tabs. The method itself cannot contain any colon (':') and |
| 192 | is limited to alphabetic letters. All those various combinations make it |
| 193 | desirable that HAProxy performs the splitting itself rather than leaving it to |
| 194 | the user to write a complex or inaccurate regular expression. |
| 195 | |
| 196 | The URI itself can have several forms : |
| 197 | |
| 198 | - A "relative URI" : |
| 199 | |
| 200 | /serv/login.php?lang=en&profile=2 |
| 201 | |
| 202 | It is a complete URL without the host part. This is generally what is |
| 203 | received by servers, reverse proxies and transparent proxies. |
| 204 | |
| 205 | - An "absolute URI", also called a "URL" : |
| 206 | |
| 207 | http://192.168.0.12:8080/serv/login.php?lang=en&profile=2 |
| 208 | |
| 209 | It is composed of a "scheme" (the protocol name followed by '://'), a host |
| 210 | name or address, optionally a colon (':') followed by a port number, then |
| 211 | a relative URI beginning at the first slash ('/') after the address part. |
| 212 | This is generally what proxies receive, but a server supporting HTTP/1.1 |
| 213 | must accept this form too. |
| 214 | |
| 215 | - a star ('*') : this form is only accepted in association with the OPTIONS |
| 216 | method and is not relayable. It is used to inquiry a next hop's |
| 217 | capabilities. |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 218 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 219 | - an address:port combination : 192.168.0.12:80 |
| 220 | This is used with the CONNECT method, which is used to establish TCP |
| 221 | tunnels through HTTP proxies, generally for HTTPS, but sometimes for |
| 222 | other protocols too. |
| 223 | |
| 224 | In a relative URI, two sub-parts are identified. The part before the question |
| 225 | mark is called the "path". It is typically the relative path to static objects |
| 226 | on the server. The part after the question mark is called the "query string". |
| 227 | It is mostly used with GET requests sent to dynamic scripts and is very |
| 228 | specific to the language, framework or application in use. |
| 229 | |
| 230 | |
| 231 | 1.2.2. The request headers |
| 232 | -------------------------- |
| 233 | |
| 234 | The headers start at the second line. They are composed of a name at the |
| 235 | beginning of the line, immediately followed by a colon (':'). Traditionally, |
| 236 | an LWS is added after the colon but that's not required. Then come the values. |
| 237 | Multiple identical headers may be folded into one single line, delimiting the |
| 238 | values with commas, provided that their order is respected. This is commonly |
| 239 | encountered in the "Cookie:" field. A header may span over multiple lines if |
| 240 | the subsequent lines begin with an LWS. In the example in 1.2, lines 4 and 5 |
| 241 | define a total of 3 values for the "Accept:" header. |
| 242 | |
| 243 | Contrary to a common mis-conception, header names are not case-sensitive, and |
| 244 | their values are not either if they refer to other header names (such as the |
| 245 | "Connection:" header). |
| 246 | |
| 247 | The end of the headers is indicated by the first empty line. People often say |
| 248 | that it's a double line feed, which is not exact, even if a double line feed |
| 249 | is one valid form of empty line. |
| 250 | |
| 251 | Fortunately, HAProxy takes care of all these complex combinations when indexing |
| 252 | headers, checking values and counting them, so there is no reason to worry |
| 253 | about the way they could be written, but it is important not to accuse an |
| 254 | application of being buggy if it does unusual, valid things. |
| 255 | |
| 256 | Important note: |
| 257 | As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks |
| 258 | in the middle of headers by LWS in order to join multi-line headers. This |
| 259 | is necessary for proper analysis and helps less capable HTTP parsers to work |
| 260 | correctly and not to be fooled by such complex constructs. |
| 261 | |
| 262 | |
| 263 | 1.3. HTTP response |
| 264 | ------------------ |
| 265 | |
| 266 | An HTTP response looks very much like an HTTP request. Both are called HTTP |
| 267 | messages. Let's consider this HTTP response : |
| 268 | |
| 269 | Line Contents |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 270 | number |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 271 | 1 HTTP/1.1 200 OK |
| 272 | 2 Content-length: 350 |
| 273 | 3 Content-Type: text/html |
| 274 | |
Willy Tarreau | 816b979 | 2009-09-15 21:25:21 +0200 | [diff] [blame] | 275 | As a special case, HTTP supports so called "Informational responses" as status |
| 276 | codes 1xx. These messages are special in that they don't convey any part of the |
| 277 | response, they're just used as sort of a signaling message to ask a client to |
Willy Tarreau | 5843d1a | 2010-02-01 15:13:32 +0100 | [diff] [blame] | 278 | continue to post its request for instance. In the case of a status 100 response |
| 279 | the requested information will be carried by the next non-100 response message |
| 280 | following the informational one. This implies that multiple responses may be |
| 281 | sent to a single request, and that this only works when keep-alive is enabled |
| 282 | (1xx messages are HTTP/1.1 only). HAProxy handles these messages and is able to |
| 283 | correctly forward and skip them, and only process the next non-100 response. As |
| 284 | such, these messages are neither logged nor transformed, unless explicitly |
| 285 | state otherwise. Status 101 messages indicate that the protocol is changing |
| 286 | over the same connection and that haproxy must switch to tunnel mode, just as |
| 287 | if a CONNECT had occurred. Then the Upgrade header would contain additional |
| 288 | information about the type of protocol the connection is switching to. |
Willy Tarreau | 816b979 | 2009-09-15 21:25:21 +0200 | [diff] [blame] | 289 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 290 | |
| 291 | 1.3.1. The Response line |
| 292 | ------------------------ |
| 293 | |
| 294 | Line 1 is the "response line". It is always composed of 3 fields : |
| 295 | |
| 296 | - a version tag : HTTP/1.1 |
| 297 | - a status code : 200 |
| 298 | - a reason : OK |
| 299 | |
| 300 | The status code is always 3-digit. The first digit indicates a general status : |
Willy Tarreau | 816b979 | 2009-09-15 21:25:21 +0200 | [diff] [blame] | 301 | - 1xx = informational message to be skipped (eg: 100, 101) |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 302 | - 2xx = OK, content is following (eg: 200, 206) |
| 303 | - 3xx = OK, no content following (eg: 302, 304) |
| 304 | - 4xx = error caused by the client (eg: 401, 403, 404) |
| 305 | - 5xx = error caused by the server (eg: 500, 502, 503) |
| 306 | |
| 307 | Please refer to RFC2616 for the detailed meaning of all such codes. The |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 308 | "reason" field is just a hint, but is not parsed by clients. Anything can be |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 309 | found there, but it's a common practice to respect the well-established |
| 310 | messages. It can be composed of one or multiple words, such as "OK", "Found", |
| 311 | or "Authentication Required". |
| 312 | |
| 313 | Haproxy may emit the following status codes by itself : |
| 314 | |
| 315 | Code When / reason |
| 316 | 200 access to stats page, and when replying to monitoring requests |
| 317 | 301 when performing a redirection, depending on the configured code |
| 318 | 302 when performing a redirection, depending on the configured code |
| 319 | 303 when performing a redirection, depending on the configured code |
| 320 | 400 for an invalid or too large request |
| 321 | 401 when an authentication is required to perform the action (when |
| 322 | accessing the stats page) |
| 323 | 403 when a request is forbidden by a "block" ACL or "reqdeny" filter |
| 324 | 408 when the request timeout strikes before the request is complete |
| 325 | 500 when haproxy encounters an unrecoverable internal error, such as a |
| 326 | memory allocation failure, which should never happen |
| 327 | 502 when the server returns an empty, invalid or incomplete response, or |
| 328 | when an "rspdeny" filter blocks the response. |
| 329 | 503 when no server was available to handle the request, or in response to |
| 330 | monitoring requests which match the "monitor fail" condition |
| 331 | 504 when the response timeout strikes before the server responds |
| 332 | |
| 333 | The error 4xx and 5xx codes above may be customized (see "errorloc" in section |
| 334 | 4.2). |
| 335 | |
| 336 | |
| 337 | 1.3.2. The response headers |
| 338 | --------------------------- |
| 339 | |
| 340 | Response headers work exactly like request headers, and as such, HAProxy uses |
| 341 | the same parsing function for both. Please refer to paragraph 1.2.2 for more |
| 342 | details. |
| 343 | |
| 344 | |
| 345 | 2. Configuring HAProxy |
| 346 | ---------------------- |
| 347 | |
| 348 | 2.1. Configuration file format |
| 349 | ------------------------------ |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 350 | |
| 351 | HAProxy's configuration process involves 3 major sources of parameters : |
| 352 | |
| 353 | - the arguments from the command-line, which always take precedence |
| 354 | - the "global" section, which sets process-wide parameters |
| 355 | - the proxies sections which can take form of "defaults", "listen", |
| 356 | "frontend" and "backend". |
| 357 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 358 | The configuration file syntax consists in lines beginning with a keyword |
| 359 | referenced in this manual, optionally followed by one or several parameters |
| 360 | delimited by spaces. If spaces have to be entered in strings, then they must be |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 361 | preceded by a backslash ('\') to be escaped. Backslashes also have to be |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 362 | escaped by doubling them. |
| 363 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 364 | |
| 365 | 2.2. Time format |
| 366 | ---------------- |
| 367 | |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 368 | Some parameters involve values representing time, such as timeouts. These |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 369 | values are generally expressed in milliseconds (unless explicitly stated |
| 370 | otherwise) but may be expressed in any other unit by suffixing the unit to the |
| 371 | numeric value. It is important to consider this because it will not be repeated |
| 372 | for every keyword. Supported units are : |
| 373 | |
| 374 | - us : microseconds. 1 microsecond = 1/1000000 second |
| 375 | - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default. |
| 376 | - s : seconds. 1s = 1000ms |
| 377 | - m : minutes. 1m = 60s = 60000ms |
| 378 | - h : hours. 1h = 60m = 3600s = 3600000ms |
| 379 | - d : days. 1d = 24h = 1440m = 86400s = 86400000ms |
| 380 | |
| 381 | |
Patrick Mezard | 35da19c | 2010-06-12 17:02:47 +0200 | [diff] [blame] | 382 | 2.3. Examples |
| 383 | ------------- |
| 384 | |
| 385 | # Simple configuration for an HTTP proxy listening on port 80 on all |
| 386 | # interfaces and forwarding requests to a single backend "servers" with a |
| 387 | # single server "server1" listening on 127.0.0.1:8000 |
| 388 | global |
| 389 | daemon |
| 390 | maxconn 256 |
| 391 | |
| 392 | defaults |
| 393 | mode http |
| 394 | timeout connect 5000ms |
| 395 | timeout client 50000ms |
| 396 | timeout server 50000ms |
| 397 | |
| 398 | frontend http-in |
| 399 | bind *:80 |
| 400 | default_backend servers |
| 401 | |
| 402 | backend servers |
| 403 | server server1 127.0.0.1:8000 maxconn 32 |
| 404 | |
| 405 | |
| 406 | # The same configuration defined with a single listen block. Shorter but |
| 407 | # less expressive, especially in HTTP mode. |
| 408 | global |
| 409 | daemon |
| 410 | maxconn 256 |
| 411 | |
| 412 | defaults |
| 413 | mode http |
| 414 | timeout connect 5000ms |
| 415 | timeout client 50000ms |
| 416 | timeout server 50000ms |
| 417 | |
| 418 | listen http-in |
| 419 | bind *:80 |
| 420 | server server1 127.0.0.1:8000 maxconn 32 |
| 421 | |
| 422 | |
| 423 | Assuming haproxy is in $PATH, test these configurations in a shell with: |
| 424 | |
Willy Tarreau | ccb289d | 2010-12-11 20:19:38 +0100 | [diff] [blame] | 425 | $ sudo haproxy -f configuration.conf -c |
Patrick Mezard | 35da19c | 2010-06-12 17:02:47 +0200 | [diff] [blame] | 426 | |
| 427 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 428 | 3. Global parameters |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 429 | -------------------- |
| 430 | |
| 431 | Parameters in the "global" section are process-wide and often OS-specific. They |
| 432 | are generally set once for all and do not need being changed once correct. Some |
| 433 | of them have command-line equivalents. |
| 434 | |
| 435 | The following keywords are supported in the "global" section : |
| 436 | |
| 437 | * Process management and security |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 438 | - ca-base |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 439 | - chroot |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 440 | - crt-base |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 441 | - daemon |
| 442 | - gid |
| 443 | - group |
| 444 | - log |
Joe Williams | df5b38f | 2010-12-29 17:05:48 +0100 | [diff] [blame] | 445 | - log-send-hostname |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 446 | - nbproc |
| 447 | - pidfile |
| 448 | - uid |
| 449 | - ulimit-n |
| 450 | - user |
Willy Tarreau | fbee713 | 2007-10-18 13:53:22 +0200 | [diff] [blame] | 451 | - stats |
Krzysztof Piotr Oledzki | 48cb2ae | 2009-10-02 22:51:14 +0200 | [diff] [blame] | 452 | - node |
| 453 | - description |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 454 | - unix-bind |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 455 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 456 | * Performance tuning |
| 457 | - maxconn |
Willy Tarreau | 81c25d0 | 2011-09-07 15:17:21 +0200 | [diff] [blame] | 458 | - maxconnrate |
William Lallemand | d85f917 | 2012-11-09 17:05:39 +0100 | [diff] [blame] | 459 | - maxcomprate |
William Lallemand | 072a2bf | 2012-11-20 17:01:01 +0100 | [diff] [blame] | 460 | - maxcompcpuusage |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 461 | - maxpipes |
Willy Tarreau | 403edff | 2012-09-06 11:58:37 +0200 | [diff] [blame] | 462 | - maxsslconn |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 463 | - noepoll |
| 464 | - nokqueue |
| 465 | - nopoll |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 466 | - nosplice |
Willy Tarreau | fe255b7 | 2007-10-14 23:09:26 +0200 | [diff] [blame] | 467 | - spread-checks |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 468 | - tune.bufsize |
Willy Tarreau | 43961d5 | 2010-10-04 20:39:20 +0200 | [diff] [blame] | 469 | - tune.chksize |
William Lallemand | f374783 | 2012-11-09 12:33:10 +0100 | [diff] [blame] | 470 | - tune.comp.maxlevel |
Willy Tarreau | 193b8c6 | 2012-11-22 00:17:38 +0100 | [diff] [blame] | 471 | - tune.http.cookielen |
Willy Tarreau | ac1932d | 2011-10-24 19:14:41 +0200 | [diff] [blame] | 472 | - tune.http.maxhdr |
Willy Tarreau | a0250ba | 2008-01-06 11:22:57 +0100 | [diff] [blame] | 473 | - tune.maxaccept |
| 474 | - tune.maxpollevents |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 475 | - tune.maxrewrite |
Willy Tarreau | bd9a0a7 | 2011-10-23 21:14:29 +0200 | [diff] [blame] | 476 | - tune.pipesize |
Willy Tarreau | e803de2 | 2010-01-21 17:43:04 +0100 | [diff] [blame] | 477 | - tune.rcvbuf.client |
| 478 | - tune.rcvbuf.server |
| 479 | - tune.sndbuf.client |
| 480 | - tune.sndbuf.server |
Willy Tarreau | 6ec58db | 2012-11-16 16:32:15 +0100 | [diff] [blame] | 481 | - tune.ssl.cachesize |
William Lallemand | a509e4c | 2012-11-07 16:54:34 +0100 | [diff] [blame] | 482 | - tune.zlib.memlevel |
| 483 | - tune.zlib.windowsize |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 484 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 485 | * Debugging |
| 486 | - debug |
| 487 | - quiet |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 488 | |
| 489 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 490 | 3.1. Process management and security |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 491 | ------------------------------------ |
| 492 | |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 493 | ca-base <dir> |
| 494 | Assigns a default directory to fetch SSL CA certificates and CRLs from when a |
Emeric Brun | fd33a26 | 2012-10-11 16:28:27 +0200 | [diff] [blame] | 495 | relative path is used with "ca-file" or "crl-file" directives. Absolute |
| 496 | locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base". |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 497 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 498 | chroot <jail dir> |
| 499 | Changes current directory to <jail dir> and performs a chroot() there before |
| 500 | dropping privileges. This increases the security level in case an unknown |
| 501 | vulnerability would be exploited, since it would make it very hard for the |
| 502 | attacker to exploit the system. This only works when the process is started |
| 503 | with superuser privileges. It is important to ensure that <jail_dir> is both |
| 504 | empty and unwritable to anyone. |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 505 | |
Willy Tarreau | fc6c032 | 2012-11-16 16:12:27 +0100 | [diff] [blame] | 506 | cpu-map <"all"|"odd"|"even"|process_num> <cpu-set>... |
| 507 | On Linux 2.6 and above, it is possible to bind a process to a specific CPU |
| 508 | set. This means that the process will never run on other CPUs. The "cpu-map" |
| 509 | directive specifies CPU sets for process sets. The first argument is the |
| 510 | process number to bind. This process must have a number between 1 and 32, |
| 511 | and any process IDs above nbproc are ignored. It is possible to specify all |
| 512 | processes at once using "all", only odd numbers using "odd" or even numbers |
| 513 | using "even", just like with the "bind-process" directive. The second and |
| 514 | forthcoming arguments are CPU sets. Each CPU set is either a unique number |
| 515 | between 0 and 31 or a range with two such numbers delimited by a dash ('-'). |
| 516 | Multiple CPU numbers or ranges may be specified, and the processes will be |
| 517 | allowed to bind to all of them. Obviously, multiple "cpu-map" directives may |
| 518 | be specified. Each "cpu-map" directive will replace the previous ones when |
| 519 | they overlap. |
| 520 | |
Emeric Brun | c8e8d12 | 2012-10-02 18:42:10 +0200 | [diff] [blame] | 521 | crt-base <dir> |
| 522 | Assigns a default directory to fetch SSL certificates from when a relative |
| 523 | path is used with "crtfile" directives. Absolute locations specified after |
| 524 | "crtfile" prevail and ignore "crt-base". |
| 525 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 526 | daemon |
| 527 | Makes the process fork into background. This is the recommended mode of |
| 528 | operation. It is equivalent to the command line "-D" argument. It can be |
| 529 | disabled by the command line "-db" argument. |
| 530 | |
| 531 | gid <number> |
| 532 | Changes the process' group ID to <number>. It is recommended that the group |
| 533 | ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must |
| 534 | be started with a user belonging to this group, or with superuser privileges. |
Michael Scherer | ab012dd | 2013-01-12 18:35:19 +0100 | [diff] [blame] | 535 | Note that if haproxy is started from a user having supplementary groups, it |
| 536 | will only be able to drop these groups if started with superuser privileges. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 537 | See also "group" and "uid". |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 538 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 539 | group <group name> |
| 540 | Similar to "gid" but uses the GID of group name <group name> from /etc/group. |
| 541 | See also "gid" and "user". |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 542 | |
Willy Tarreau | f7edefa | 2009-05-10 17:20:05 +0200 | [diff] [blame] | 543 | log <address> <facility> [max level [min level]] |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 544 | Adds a global syslog server. Up to two global servers can be defined. They |
| 545 | will receive logs for startups and exits, as well as all logs from proxies |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 546 | configured with "log global". |
| 547 | |
| 548 | <address> can be one of: |
| 549 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 550 | - An IPv4 address optionally followed by a colon and a UDP port. If |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 551 | no port is specified, 514 is used by default (the standard syslog |
| 552 | port). |
| 553 | |
David du Colombier | 24bb5f5 | 2011-03-17 10:40:23 +0100 | [diff] [blame] | 554 | - An IPv6 address followed by a colon and optionally a UDP port. If |
| 555 | no port is specified, 514 is used by default (the standard syslog |
| 556 | port). |
| 557 | |
Robert Tsai | 81ae195 | 2007-12-05 10:47:29 +0100 | [diff] [blame] | 558 | - A filesystem path to a UNIX domain socket, keeping in mind |
| 559 | considerations for chroot (be sure the path is accessible inside |
| 560 | the chroot) and uid/gid (be sure the path is appropriately |
| 561 | writeable). |
| 562 | |
| 563 | <facility> must be one of the 24 standard syslog facilities : |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 564 | |
| 565 | kern user mail daemon auth syslog lpr news |
| 566 | uucp cron auth2 ftp ntp audit alert cron2 |
| 567 | local0 local1 local2 local3 local4 local5 local6 local7 |
| 568 | |
| 569 | An optional level can be specified to filter outgoing messages. By default, |
Willy Tarreau | f7edefa | 2009-05-10 17:20:05 +0200 | [diff] [blame] | 570 | all messages are sent. If a maximum level is specified, only messages with a |
| 571 | severity at least as important as this level will be sent. An optional minimum |
| 572 | level can be specified. If it is set, logs emitted with a more severe level |
| 573 | than this one will be capped to this level. This is used to avoid sending |
| 574 | "emerg" messages on all terminals on some default syslog configurations. |
| 575 | Eight levels are known : |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 576 | |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 577 | emerg alert crit err warning notice info debug |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 578 | |
Joe Williams | df5b38f | 2010-12-29 17:05:48 +0100 | [diff] [blame] | 579 | log-send-hostname [<string>] |
| 580 | Sets the hostname field in the syslog header. If optional "string" parameter |
| 581 | is set the header is set to the string contents, otherwise uses the hostname |
| 582 | of the system. Generally used if one is not relaying logs through an |
| 583 | intermediate syslog server or for simply customizing the hostname printed in |
| 584 | the logs. |
| 585 | |
Kevinm | 48936af | 2010-12-22 16:08:21 +0000 | [diff] [blame] | 586 | log-tag <string> |
| 587 | Sets the tag field in the syslog header to this string. It defaults to the |
| 588 | program name as launched from the command line, which usually is "haproxy". |
| 589 | Sometimes it can be useful to differentiate between multiple processes |
| 590 | running on the same host. |
| 591 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 592 | nbproc <number> |
| 593 | Creates <number> processes when going daemon. This requires the "daemon" |
| 594 | mode. By default, only one process is created, which is the recommended mode |
| 595 | of operation. For systems limited to small sets of file descriptors per |
| 596 | process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES |
| 597 | IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon". |
| 598 | |
| 599 | pidfile <pidfile> |
| 600 | Writes pids of all daemons into file <pidfile>. This option is equivalent to |
| 601 | the "-p" command line argument. The file must be accessible to the user |
| 602 | starting the process. See also "daemon". |
| 603 | |
Willy Tarreau | 110ecc1 | 2012-11-15 17:50:01 +0100 | [diff] [blame] | 604 | stats bind-process [ all | odd | even | <number 1-32>[-<number 1-32>] ] ... |
Willy Tarreau | 35b7b16 | 2012-10-22 23:17:18 +0200 | [diff] [blame] | 605 | Limits the stats socket to a certain set of processes numbers. By default the |
| 606 | stats socket is bound to all processes, causing a warning to be emitted when |
| 607 | nbproc is greater than 1 because there is no way to select the target process |
| 608 | when connecting. However, by using this setting, it becomes possible to pin |
| 609 | the stats socket to a specific set of processes, typically the first one. The |
| 610 | warning will automatically be disabled when this setting is used, whatever |
| 611 | the number of processes used. |
| 612 | |
Willy Tarreau | abb175f | 2012-09-24 12:43:26 +0200 | [diff] [blame] | 613 | stats socket [<address:port>|<path>] [param*] |
| 614 | Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>. |
| 615 | Connections to this socket will return various statistics outputs and even |
| 616 | allow some commands to be issued to change some runtime settings. Please |
| 617 | consult section 9.2 "Unix Socket commands" for more details. |
Willy Tarreau | 6162db2 | 2009-10-10 17:13:00 +0200 | [diff] [blame] | 618 | |
Willy Tarreau | abb175f | 2012-09-24 12:43:26 +0200 | [diff] [blame] | 619 | All parameters supported by "bind" lines are supported, for instance to |
| 620 | restrict access to some users or their access rights. Please consult |
| 621 | section 5.1 for more information. |
Willy Tarreau | fbee713 | 2007-10-18 13:53:22 +0200 | [diff] [blame] | 622 | |
| 623 | stats timeout <timeout, in milliseconds> |
| 624 | The default timeout on the stats socket is set to 10 seconds. It is possible |
| 625 | to change this value with "stats timeout". The value must be passed in |
Willy Tarreau | befdff1 | 2007-12-02 22:27:38 +0100 | [diff] [blame] | 626 | milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }. |
Willy Tarreau | fbee713 | 2007-10-18 13:53:22 +0200 | [diff] [blame] | 627 | |
| 628 | stats maxconn <connections> |
| 629 | By default, the stats socket is limited to 10 concurrent connections. It is |
| 630 | possible to change this value with "stats maxconn". |
| 631 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 632 | uid <number> |
| 633 | Changes the process' user ID to <number>. It is recommended that the user ID |
| 634 | is dedicated to HAProxy or to a small set of similar daemons. HAProxy must |
| 635 | be started with superuser privileges in order to be able to switch to another |
| 636 | one. See also "gid" and "user". |
| 637 | |
| 638 | ulimit-n <number> |
| 639 | Sets the maximum number of per-process file-descriptors to <number>. By |
| 640 | default, it is automatically computed, so it is recommended not to use this |
| 641 | option. |
| 642 | |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 643 | unix-bind [ prefix <prefix> ] [ mode <mode> ] [ user <user> ] [ uid <uid> ] |
| 644 | [ group <group> ] [ gid <gid> ] |
| 645 | |
| 646 | Fixes common settings to UNIX listening sockets declared in "bind" statements. |
| 647 | This is mainly used to simplify declaration of those UNIX sockets and reduce |
| 648 | the risk of errors, since those settings are most commonly required but are |
| 649 | also process-specific. The <prefix> setting can be used to force all socket |
| 650 | path to be relative to that directory. This might be needed to access another |
| 651 | component's chroot. Note that those paths are resolved before haproxy chroots |
| 652 | itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid> |
| 653 | all have the same meaning as their homonyms used by the "bind" statement. If |
| 654 | both are specified, the "bind" statement has priority, meaning that the |
| 655 | "unix-bind" settings may be seen as process-wide default settings. |
| 656 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 657 | user <user name> |
| 658 | Similar to "uid" but uses the UID of user name <user name> from /etc/passwd. |
| 659 | See also "uid" and "group". |
| 660 | |
Krzysztof Piotr Oledzki | 48cb2ae | 2009-10-02 22:51:14 +0200 | [diff] [blame] | 661 | node <name> |
| 662 | Only letters, digits, hyphen and underscore are allowed, like in DNS names. |
| 663 | |
| 664 | This statement is useful in HA configurations where two or more processes or |
| 665 | servers share the same IP address. By setting a different node-name on all |
| 666 | nodes, it becomes easy to immediately spot what server is handling the |
| 667 | traffic. |
| 668 | |
| 669 | description <text> |
| 670 | Add a text that describes the instance. |
| 671 | |
| 672 | Please note that it is required to escape certain characters (# for example) |
| 673 | and this text is inserted into a html page so you should avoid using |
| 674 | "<" and ">" characters. |
| 675 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 676 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 677 | 3.2. Performance tuning |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 678 | ----------------------- |
| 679 | |
| 680 | maxconn <number> |
| 681 | Sets the maximum per-process number of concurrent connections to <number>. It |
| 682 | is equivalent to the command-line argument "-n". Proxies will stop accepting |
| 683 | connections when this limit is reached. The "ulimit-n" parameter is |
| 684 | automatically adjusted according to this value. See also "ulimit-n". |
| 685 | |
Willy Tarreau | 81c25d0 | 2011-09-07 15:17:21 +0200 | [diff] [blame] | 686 | maxconnrate <number> |
| 687 | Sets the maximum per-process number of connections per second to <number>. |
| 688 | Proxies will stop accepting connections when this limit is reached. It can be |
| 689 | used to limit the global capacity regardless of each frontend capacity. It is |
| 690 | important to note that this can only be used as a service protection measure, |
| 691 | as there will not necessarily be a fair share between frontends when the |
| 692 | limit is reached, so it's a good idea to also limit each frontend to some |
| 693 | value close to its expected share. Also, lowering tune.maxaccept can improve |
| 694 | fairness. |
| 695 | |
William Lallemand | d85f917 | 2012-11-09 17:05:39 +0100 | [diff] [blame] | 696 | maxcomprate <number> |
| 697 | Sets the maximum per-process input compression rate to <number> kilobytes |
| 698 | pers second. For each session, if the maximum is reached, the compression |
| 699 | level will be decreased during the session. If the maximum is reached at the |
| 700 | beginning of a session, the session will not compress at all. If the maximum |
| 701 | is not reached, the compression level will be increased up to |
| 702 | tune.comp.maxlevel. A value of zero means there is no limit, this is the |
| 703 | default value. |
| 704 | |
William Lallemand | 072a2bf | 2012-11-20 17:01:01 +0100 | [diff] [blame] | 705 | maxcompcpuusage <number> |
| 706 | Sets the maximum CPU usage HAProxy can reach before stopping the compression |
| 707 | for new requests or decreasing the compression level of current requests. |
| 708 | It works like 'maxcomprate' but measures CPU usage instead of incoming data |
| 709 | bandwidth. The value is expressed in percent of the CPU used by haproxy. In |
| 710 | case of multiple processes (nbproc > 1), each process manages its individual |
| 711 | usage. A value of 100 disable the limit. The default value is 100. Setting |
| 712 | a lower value will prevent the compression work from slowing the whole |
| 713 | process down and from introducing high latencies. |
| 714 | |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 715 | maxpipes <number> |
| 716 | Sets the maximum per-process number of pipes to <number>. Currently, pipes |
| 717 | are only used by kernel-based tcp splicing. Since a pipe contains two file |
| 718 | descriptors, the "ulimit-n" value will be increased accordingly. The default |
| 719 | value is maxconn/4, which seems to be more than enough for most heavy usages. |
| 720 | The splice code dynamically allocates and releases pipes, and can fall back |
| 721 | to standard copy, so setting this value too low may only impact performance. |
| 722 | |
Willy Tarreau | 403edff | 2012-09-06 11:58:37 +0200 | [diff] [blame] | 723 | maxsslconn <number> |
| 724 | Sets the maximum per-process number of concurrent SSL connections to |
| 725 | <number>. By default there is no SSL-specific limit, which means that the |
| 726 | global maxconn setting will apply to all connections. Setting this limit |
| 727 | avoids having openssl use too much memory and crash when malloc returns NULL |
| 728 | (since it unfortunately does not reliably check for such conditions). Note |
| 729 | that the limit applies both to incoming and outgoing connections, so one |
| 730 | connection which is deciphered then ciphered accounts for 2 SSL connections. |
| 731 | |
William Lallemand | 9d5f548 | 2012-11-07 16:12:57 +0100 | [diff] [blame] | 732 | maxzlibmem <number> |
| 733 | Sets the maximum amount of RAM in megabytes per process usable by the zlib. |
| 734 | When the maximum amount is reached, future sessions will not compress as long |
| 735 | as RAM is unavailable. When sets to 0, there is no limit. |
William Lallemand | e3a7d99 | 2012-11-20 11:25:20 +0100 | [diff] [blame] | 736 | The default value is 0. The value is available in bytes on the UNIX socket |
| 737 | with "show info" on the line "MaxZlibMemUsage", the memory used by zlib is |
| 738 | "ZlibMemUsage" in bytes. |
| 739 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 740 | noepoll |
| 741 | Disables the use of the "epoll" event polling system on Linux. It is |
| 742 | equivalent to the command-line argument "-de". The next polling system |
Willy Tarreau | e9f49e7 | 2012-11-11 17:42:00 +0100 | [diff] [blame] | 743 | used will generally be "poll". See also "nopoll". |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 744 | |
| 745 | nokqueue |
| 746 | Disables the use of the "kqueue" event polling system on BSD. It is |
| 747 | equivalent to the command-line argument "-dk". The next polling system |
| 748 | used will generally be "poll". See also "nopoll". |
| 749 | |
| 750 | nopoll |
| 751 | Disables the use of the "poll" event polling system. It is equivalent to the |
| 752 | command-line argument "-dp". The next polling system used will be "select". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 753 | It should never be needed to disable "poll" since it's available on all |
Willy Tarreau | e9f49e7 | 2012-11-11 17:42:00 +0100 | [diff] [blame] | 754 | platforms supported by HAProxy. See also "nokqueue" and "noepoll". |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 755 | |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 756 | nosplice |
| 757 | Disables the use of kernel tcp splicing between sockets on Linux. It is |
| 758 | equivalent to the command line argument "-dS". Data will then be copied |
| 759 | using conventional and more portable recv/send calls. Kernel tcp splicing is |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 760 | limited to some very recent instances of kernel 2.6. Most versions between |
Willy Tarreau | ff4f82d | 2009-02-06 11:28:13 +0100 | [diff] [blame] | 761 | 2.6.25 and 2.6.28 are buggy and will forward corrupted data, so they must not |
| 762 | be used. This option makes it easier to globally disable kernel splicing in |
| 763 | case of doubt. See also "option splice-auto", "option splice-request" and |
| 764 | "option splice-response". |
| 765 | |
Willy Tarreau | fe255b7 | 2007-10-14 23:09:26 +0200 | [diff] [blame] | 766 | spread-checks <0..50, in percent> |
| 767 | Sometimes it is desirable to avoid sending health checks to servers at exact |
| 768 | intervals, for instance when many logical servers are located on the same |
| 769 | physical server. With the help of this parameter, it becomes possible to add |
| 770 | some randomness in the check interval between 0 and +/- 50%. A value between |
| 771 | 2 and 5 seems to show good results. The default value remains at 0. |
| 772 | |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 773 | tune.bufsize <number> |
| 774 | Sets the buffer size to this size (in bytes). Lower values allow more |
| 775 | sessions to coexist in the same amount of RAM, and higher values allow some |
| 776 | applications with very large cookies to work. The default value is 16384 and |
| 777 | can be changed at build time. It is strongly recommended not to change this |
| 778 | from the default value, as very low values will break some services such as |
| 779 | statistics, and values larger than default size will increase memory usage, |
| 780 | possibly causing the system to run out of memory. At least the global maxconn |
| 781 | parameter should be decreased by the same factor as this one is increased. |
Dmitry Sivachenko | f6f4f7b | 2012-10-21 18:10:25 +0400 | [diff] [blame] | 782 | If HTTP request is larger than (tune.bufsize - tune.maxrewrite), haproxy will |
| 783 | return HTTP 400 (Bad Request) error. Similarly if an HTTP response is larger |
| 784 | than this size, haproxy will return HTTP 502 (Bad Gateway). |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 785 | |
Willy Tarreau | 43961d5 | 2010-10-04 20:39:20 +0200 | [diff] [blame] | 786 | tune.chksize <number> |
| 787 | Sets the check buffer size to this size (in bytes). Higher values may help |
| 788 | find string or regex patterns in very large pages, though doing so may imply |
| 789 | more memory and CPU usage. The default value is 16384 and can be changed at |
| 790 | build time. It is not recommended to change this value, but to use better |
| 791 | checks whenever possible. |
| 792 | |
William Lallemand | f374783 | 2012-11-09 12:33:10 +0100 | [diff] [blame] | 793 | tune.comp.maxlevel <number> |
| 794 | Sets the maximum compression level. The compression level affects CPU |
| 795 | usage during compression. This value affects CPU usage during compression. |
| 796 | Each session using compression initializes the compression algorithm with |
| 797 | this value. The default value is 1. |
| 798 | |
Willy Tarreau | 193b8c6 | 2012-11-22 00:17:38 +0100 | [diff] [blame] | 799 | tune.http.cookielen <number> |
| 800 | Sets the maximum length of captured cookies. This is the maximum value that |
| 801 | the "capture cookie xxx len yyy" will be allowed to take, and any upper value |
| 802 | will automatically be truncated to this one. It is important not to set too |
| 803 | high a value because all cookie captures still allocate this size whatever |
| 804 | their configured value (they share a same pool). This value is per request |
| 805 | per response, so the memory allocated is twice this value per connection. |
| 806 | When not specified, the limit is set to 63 characters. It is recommended not |
| 807 | to change this value. |
| 808 | |
Willy Tarreau | ac1932d | 2011-10-24 19:14:41 +0200 | [diff] [blame] | 809 | tune.http.maxhdr <number> |
| 810 | Sets the maximum number of headers in a request. When a request comes with a |
| 811 | number of headers greater than this value (including the first line), it is |
| 812 | rejected with a "400 Bad Request" status code. Similarly, too large responses |
| 813 | are blocked with "502 Bad Gateway". The default value is 101, which is enough |
| 814 | for all usages, considering that the widely deployed Apache server uses the |
| 815 | same limit. It can be useful to push this limit further to temporarily allow |
| 816 | a buggy application to work by the time it gets fixed. Keep in mind that each |
| 817 | new header consumes 32bits of memory for each session, so don't push this |
| 818 | limit too high. |
| 819 | |
Willy Tarreau | a0250ba | 2008-01-06 11:22:57 +0100 | [diff] [blame] | 820 | tune.maxaccept <number> |
Willy Tarreau | 16a2147 | 2012-11-19 12:39:59 +0100 | [diff] [blame] | 821 | Sets the maximum number of consecutive connections a process may accept in a |
| 822 | row before switching to other work. In single process mode, higher numbers |
| 823 | give better performance at high connection rates. However in multi-process |
| 824 | modes, keeping a bit of fairness between processes generally is better to |
| 825 | increase performance. This value applies individually to each listener, so |
| 826 | that the number of processes a listener is bound to is taken into account. |
| 827 | This value defaults to 64. In multi-process mode, it is divided by twice |
| 828 | the number of processes the listener is bound to. Setting this value to -1 |
| 829 | completely disables the limitation. It should normally not be needed to tweak |
| 830 | this value. |
Willy Tarreau | a0250ba | 2008-01-06 11:22:57 +0100 | [diff] [blame] | 831 | |
| 832 | tune.maxpollevents <number> |
| 833 | Sets the maximum amount of events that can be processed at once in a call to |
| 834 | the polling system. The default value is adapted to the operating system. It |
| 835 | has been noticed that reducing it below 200 tends to slightly decrease |
| 836 | latency at the expense of network bandwidth, and increasing it above 200 |
| 837 | tends to trade latency for slightly increased bandwidth. |
| 838 | |
Willy Tarreau | 27a674e | 2009-08-17 07:23:33 +0200 | [diff] [blame] | 839 | tune.maxrewrite <number> |
| 840 | Sets the reserved buffer space to this size in bytes. The reserved space is |
| 841 | used for header rewriting or appending. The first reads on sockets will never |
| 842 | fill more than bufsize-maxrewrite. Historically it has defaulted to half of |
| 843 | bufsize, though that does not make much sense since there are rarely large |
| 844 | numbers of headers to add. Setting it too high prevents processing of large |
| 845 | requests or responses. Setting it too low prevents addition of new headers |
| 846 | to already large requests or to POST requests. It is generally wise to set it |
| 847 | to about 1024. It is automatically readjusted to half of bufsize if it is |
| 848 | larger than that. This means you don't have to worry about it when changing |
| 849 | bufsize. |
| 850 | |
Willy Tarreau | bd9a0a7 | 2011-10-23 21:14:29 +0200 | [diff] [blame] | 851 | tune.pipesize <number> |
| 852 | Sets the kernel pipe buffer size to this size (in bytes). By default, pipes |
| 853 | are the default size for the system. But sometimes when using TCP splicing, |
| 854 | it can improve performance to increase pipe sizes, especially if it is |
| 855 | suspected that pipes are not filled and that many calls to splice() are |
| 856 | performed. This has an impact on the kernel's memory footprint, so this must |
| 857 | not be changed if impacts are not understood. |
| 858 | |
Willy Tarreau | e803de2 | 2010-01-21 17:43:04 +0100 | [diff] [blame] | 859 | tune.rcvbuf.client <number> |
| 860 | tune.rcvbuf.server <number> |
| 861 | Forces the kernel socket receive buffer size on the client or the server side |
| 862 | to the specified value in bytes. This value applies to all TCP/HTTP frontends |
| 863 | and backends. It should normally never be set, and the default size (0) lets |
| 864 | the kernel autotune this value depending on the amount of available memory. |
| 865 | However it can sometimes help to set it to very low values (eg: 4096) in |
| 866 | order to save kernel memory by preventing it from buffering too large amounts |
| 867 | of received data. Lower values will significantly increase CPU usage though. |
| 868 | |
| 869 | tune.sndbuf.client <number> |
| 870 | tune.sndbuf.server <number> |
| 871 | Forces the kernel socket send buffer size on the client or the server side to |
| 872 | the specified value in bytes. This value applies to all TCP/HTTP frontends |
| 873 | and backends. It should normally never be set, and the default size (0) lets |
| 874 | the kernel autotune this value depending on the amount of available memory. |
| 875 | However it can sometimes help to set it to very low values (eg: 4096) in |
| 876 | order to save kernel memory by preventing it from buffering too large amounts |
| 877 | of received data. Lower values will significantly increase CPU usage though. |
| 878 | Another use case is to prevent write timeouts with extremely slow clients due |
| 879 | to the kernel waiting for a large part of the buffer to be read before |
| 880 | notifying haproxy again. |
| 881 | |
Willy Tarreau | 6ec58db | 2012-11-16 16:32:15 +0100 | [diff] [blame] | 882 | tune.ssl.cachesize <number> |
Emeric Brun | af9619d | 2012-11-28 18:47:52 +0100 | [diff] [blame] | 883 | Sets the size of the global SSL session cache, in a number of blocks. A block |
| 884 | is large enough to contain an encoded session without peer certificate. |
| 885 | An encoded session with peer certificate is stored in multiple blocks |
| 886 | depending on the size of the peer certificate. A block use approximatively |
| 887 | 200 bytes of memory. The default value may be forced at build time, otherwise |
| 888 | defaults to 20000. When the cache is full, the most idle entries are purged |
| 889 | and reassigned. Higher values reduce the occurrence of such a purge, hence |
| 890 | the number of CPU-intensive SSL handshakes by ensuring that all users keep |
| 891 | their session as long as possible. All entries are pre-allocated upon startup |
Emeric Brun | 22890a1 | 2012-12-28 14:41:32 +0100 | [diff] [blame] | 892 | and are shared between all processes if "nbproc" is greater than 1. Setting |
| 893 | this value to 0 disables the SSL session cache. |
Willy Tarreau | 6ec58db | 2012-11-16 16:32:15 +0100 | [diff] [blame] | 894 | |
Emeric Brun | 4f65bff | 2012-11-16 15:11:00 +0100 | [diff] [blame] | 895 | tune.ssl.lifetime <timeout> |
| 896 | Sets how long a cached SSL session may remain valid. This time is expressed |
| 897 | in seconds and defaults to 300 (5 mn). It is important to understand that it |
| 898 | does not guarantee that sessions will last that long, because if the cache is |
| 899 | full, the longest idle sessions will be purged despite their configured |
| 900 | lifetime. The real usefulness of this setting is to prevent sessions from |
| 901 | being used for too long. |
| 902 | |
William Lallemand | a509e4c | 2012-11-07 16:54:34 +0100 | [diff] [blame] | 903 | tune.zlib.memlevel <number> |
| 904 | Sets the memLevel parameter in zlib initialization for each session. It |
| 905 | defines how much memory should be allocated for the intenal compression |
| 906 | state. A value of 1 uses minimum memory but is slow and reduces compression |
| 907 | ratio, a value of 9 uses maximum memory for optimal speed. Can be a value |
| 908 | between 1 and 9. The default value is 8. |
| 909 | |
| 910 | tune.zlib.windowsize <number> |
| 911 | Sets the window size (the size of the history buffer) as a parameter of the |
| 912 | zlib initialization for each session. Larger values of this parameter result |
| 913 | in better compression at the expense of memory usage. Can be a value between |
| 914 | 8 and 15. The default value is 15. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 915 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 916 | 3.3. Debugging |
| 917 | -------------- |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 918 | |
| 919 | debug |
| 920 | Enables debug mode which dumps to stdout all exchanges, and disables forking |
| 921 | into background. It is the equivalent of the command-line argument "-d". It |
| 922 | should never be used in a production configuration since it may prevent full |
| 923 | system startup. |
| 924 | |
| 925 | quiet |
| 926 | Do not display any message during startup. It is equivalent to the command- |
| 927 | line argument "-q". |
| 928 | |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 929 | |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 930 | 3.4. Userlists |
| 931 | -------------- |
| 932 | It is possible to control access to frontend/backend/listen sections or to |
| 933 | http stats by allowing only authenticated and authorized users. To do this, |
| 934 | it is required to create at least one userlist and to define users. |
| 935 | |
| 936 | userlist <listname> |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 937 | Creates new userlist with name <listname>. Many independent userlists can be |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 938 | used to store authentication & authorization data for independent customers. |
| 939 | |
| 940 | group <groupname> [users <user>,<user>,(...)] |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 941 | Adds group <groupname> to the current userlist. It is also possible to |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 942 | attach users to this group by using a comma separated list of names |
| 943 | proceeded by "users" keyword. |
| 944 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 945 | user <username> [password|insecure-password <password>] |
| 946 | [groups <group>,<group>,(...)] |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 947 | Adds user <username> to the current userlist. Both secure (encrypted) and |
| 948 | insecure (unencrypted) passwords can be used. Encrypted passwords are |
Cyril Bonté | 78caf84 | 2010-03-10 22:41:43 +0100 | [diff] [blame] | 949 | evaluated using the crypt(3) function so depending of the system's |
| 950 | capabilities, different algorithms are supported. For example modern Glibc |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 951 | based Linux system supports MD5, SHA-256, SHA-512 and of course classic, |
| 952 | DES-based method of crypting passwords. |
| 953 | |
| 954 | |
| 955 | Example: |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 956 | userlist L1 |
| 957 | group G1 users tiger,scott |
| 958 | group G2 users xdb,scott |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 959 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 960 | user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91 |
| 961 | user scott insecure-password elgato |
| 962 | user xdb insecure-password hello |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 963 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 964 | userlist L2 |
| 965 | group G1 |
| 966 | group G2 |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 967 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 968 | user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1 |
| 969 | user scott insecure-password elgato groups G1,G2 |
| 970 | user xdb insecure-password hello groups G2 |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 971 | |
| 972 | Please note that both lists are functionally identical. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 973 | |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 974 | |
| 975 | 3.5. Peers |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 976 | ---------- |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 977 | It is possible to synchronize server entries in stick tables between several |
| 978 | haproxy instances over TCP connections in a multi-master fashion. Each instance |
| 979 | pushes its local updates and insertions to remote peers. Server IDs are used to |
| 980 | identify servers remotely, so it is important that configurations look similar |
| 981 | or at least that the same IDs are forced on each server on all participants. |
| 982 | Interrupted exchanges are automatically detected and recovered from the last |
| 983 | known point. In addition, during a soft restart, the old process connects to |
| 984 | the new one using such a TCP connection to push all its entries before the new |
| 985 | process tries to connect to other peers. That ensures very fast replication |
| 986 | during a reload, it typically takes a fraction of a second even for large |
| 987 | tables. |
| 988 | |
| 989 | peers <peersect> |
Jamie Gloudon | 801a0a3 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 990 | Creates a new peer list with name <peersect>. It is an independent section, |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 991 | which is referenced by one or more stick-tables. |
| 992 | |
| 993 | peer <peername> <ip>:<port> |
| 994 | Defines a peer inside a peers section. |
| 995 | If <peername> is set to the local peer name (by default hostname, or forced |
| 996 | using "-L" command line option), haproxy will listen for incoming remote peer |
| 997 | connection on <ip>:<port>. Otherwise, <ip>:<port> defines where to connect to |
| 998 | to join the remote peer, and <peername> is used at the protocol level to |
| 999 | identify and validate the remote peer on the server side. |
| 1000 | |
| 1001 | During a soft restart, local peer <ip>:<port> is used by the old instance to |
| 1002 | connect the new one and initiate a complete replication (teaching process). |
| 1003 | |
| 1004 | It is strongly recommended to have the exact same peers declaration on all |
| 1005 | peers and to only rely on the "-L" command line argument to change the local |
| 1006 | peer name. This makes it easier to maintain coherent configuration files |
| 1007 | across all peers. |
| 1008 | |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1009 | Example: |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 1010 | peers mypeers |
Willy Tarreau | f7b30a9 | 2010-12-06 22:59:17 +0100 | [diff] [blame] | 1011 | peer haproxy1 192.168.0.1:1024 |
| 1012 | peer haproxy2 192.168.0.2:1024 |
| 1013 | peer haproxy3 10.2.0.1:1024 |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 1014 | |
| 1015 | backend mybackend |
| 1016 | mode tcp |
| 1017 | balance roundrobin |
| 1018 | stick-table type ip size 20k peers mypeers |
| 1019 | stick on src |
| 1020 | |
Willy Tarreau | f7b30a9 | 2010-12-06 22:59:17 +0100 | [diff] [blame] | 1021 | server srv1 192.168.0.30:80 |
| 1022 | server srv2 192.168.0.31:80 |
Emeric Brun | f099e79 | 2010-09-27 12:05:28 +0200 | [diff] [blame] | 1023 | |
| 1024 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1025 | 4. Proxies |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1026 | ---------- |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1027 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1028 | Proxy configuration can be located in a set of sections : |
| 1029 | - defaults <name> |
| 1030 | - frontend <name> |
| 1031 | - backend <name> |
| 1032 | - listen <name> |
| 1033 | |
| 1034 | A "defaults" section sets default parameters for all other sections following |
| 1035 | its declaration. Those default parameters are reset by the next "defaults" |
| 1036 | section. See below for the list of parameters which can be set in a "defaults" |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1037 | section. The name is optional but its use is encouraged for better readability. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1038 | |
| 1039 | A "frontend" section describes a set of listening sockets accepting client |
| 1040 | connections. |
| 1041 | |
| 1042 | A "backend" section describes a set of servers to which the proxy will connect |
| 1043 | to forward incoming connections. |
| 1044 | |
| 1045 | A "listen" section defines a complete proxy with its frontend and backend |
| 1046 | parts combined in one section. It is generally useful for TCP-only traffic. |
| 1047 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1048 | All proxy names must be formed from upper and lower case letters, digits, |
| 1049 | '-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are |
| 1050 | case-sensitive, which means that "www" and "WWW" are two different proxies. |
| 1051 | |
| 1052 | Historically, all proxy names could overlap, it just caused troubles in the |
| 1053 | logs. Since the introduction of content switching, it is mandatory that two |
| 1054 | proxies with overlapping capabilities (frontend/backend) have different names. |
| 1055 | However, it is still permitted that a frontend and a backend share the same |
| 1056 | name, as this configuration seems to be commonly encountered. |
| 1057 | |
| 1058 | Right now, two major proxy modes are supported : "tcp", also known as layer 4, |
| 1059 | and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1060 | bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1061 | protocol, and can interact with it by allowing, blocking, switching, adding, |
| 1062 | modifying, or removing arbitrary contents in requests or responses, based on |
| 1063 | arbitrary criteria. |
| 1064 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1065 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1066 | 4.1. Proxy keywords matrix |
| 1067 | -------------------------- |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1068 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1069 | The following list of keywords is supported. Most of them may only be used in a |
| 1070 | limited set of section types. Some of them are marked as "deprecated" because |
| 1071 | they are inherited from an old syntax which may be confusing or functionally |
| 1072 | limited, and there are new recommended keywords to replace them. Keywords |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1073 | marked with "(*)" can be optionally inverted using the "no" prefix, eg. "no |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1074 | option contstats". This makes sense when the option has been enabled by default |
Willy Tarreau | 3842f00 | 2009-06-14 11:39:52 +0200 | [diff] [blame] | 1075 | and must be disabled for a specific instance. Such options may also be prefixed |
| 1076 | with "default" in order to restore default settings regardless of what has been |
| 1077 | specified in a previous "defaults" section. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1078 | |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1079 | |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1080 | keyword defaults frontend listen backend |
| 1081 | ------------------------------------+----------+----------+---------+--------- |
| 1082 | acl - X X X |
| 1083 | appsession - - X X |
| 1084 | backlog X X X - |
| 1085 | balance X - X X |
| 1086 | bind - X X - |
| 1087 | bind-process X X X X |
| 1088 | block - X X X |
| 1089 | capture cookie - X X - |
| 1090 | capture request header - X X - |
| 1091 | capture response header - X X - |
| 1092 | clitimeout (deprecated) X X X - |
William Lallemand | 82fe75c | 2012-10-23 10:25:10 +0200 | [diff] [blame] | 1093 | compression X X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1094 | contimeout (deprecated) X - X X |
| 1095 | cookie X - X X |
| 1096 | default-server X - X X |
| 1097 | default_backend X X X - |
| 1098 | description - X X X |
| 1099 | disabled X X X X |
| 1100 | dispatch - - X X |
| 1101 | enabled X X X X |
| 1102 | errorfile X X X X |
| 1103 | errorloc X X X X |
| 1104 | errorloc302 X X X X |
| 1105 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 1106 | errorloc303 X X X X |
Cyril Bonté | 0d4bf01 | 2010-04-25 23:21:46 +0200 | [diff] [blame] | 1107 | force-persist - X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1108 | fullconn X - X X |
| 1109 | grace X X X X |
| 1110 | hash-type X - X X |
| 1111 | http-check disable-on-404 X - X X |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 1112 | http-check expect - - X X |
Willy Tarreau | 7ab6aff | 2010-10-12 06:30:16 +0200 | [diff] [blame] | 1113 | http-check send-state X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1114 | http-request - X X X |
| 1115 | id - X X X |
Cyril Bonté | 0d4bf01 | 2010-04-25 23:21:46 +0200 | [diff] [blame] | 1116 | ignore-persist - X X X |
William Lallemand | 0f99e34 | 2011-10-12 17:50:54 +0200 | [diff] [blame] | 1117 | log (*) X X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1118 | maxconn X X X - |
| 1119 | mode X X X X |
| 1120 | monitor fail - X X - |
| 1121 | monitor-net X X X - |
| 1122 | monitor-uri X X X - |
| 1123 | option abortonclose (*) X - X X |
| 1124 | option accept-invalid-http-request (*) X X X - |
| 1125 | option accept-invalid-http-response (*) X - X X |
| 1126 | option allbackups (*) X - X X |
| 1127 | option checkcache (*) X - X X |
| 1128 | option clitcpka (*) X X X - |
| 1129 | option contstats (*) X X X - |
| 1130 | option dontlog-normal (*) X X X - |
| 1131 | option dontlognull (*) X X X - |
| 1132 | option forceclose (*) X X X X |
| 1133 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 1134 | option forwardfor X X X X |
Willy Tarreau | 96e3121 | 2011-05-30 18:10:30 +0200 | [diff] [blame] | 1135 | option http-no-delay (*) X X X X |
Willy Tarreau | 8a8e1d9 | 2010-04-05 16:15:16 +0200 | [diff] [blame] | 1136 | option http-pretend-keepalive (*) X X X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1137 | option http-server-close (*) X X X X |
| 1138 | option http-use-proxy-header (*) X X X - |
| 1139 | option httpchk X - X X |
| 1140 | option httpclose (*) X X X X |
| 1141 | option httplog X X X X |
| 1142 | option http_proxy (*) X X X X |
Jamie Gloudon | 801a0a3 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 1143 | option independent-streams (*) X X X X |
Gabor Lekeny | b4c81e4 | 2010-09-29 18:17:05 +0200 | [diff] [blame] | 1144 | option ldap-check X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1145 | option log-health-checks (*) X - X X |
| 1146 | option log-separate-errors (*) X X X - |
| 1147 | option logasap (*) X X X - |
| 1148 | option mysql-check X - X X |
Rauf Kuliyev | 38b4156 | 2011-01-04 15:14:13 +0100 | [diff] [blame] | 1149 | option pgsql-check X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1150 | option nolinger (*) X X X X |
| 1151 | option originalto X X X X |
| 1152 | option persist (*) X - X X |
| 1153 | option redispatch (*) X - X X |
Hervé COMMOWICK | ec032d6 | 2011-08-05 16:23:48 +0200 | [diff] [blame] | 1154 | option redis-check X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1155 | option smtpchk X - X X |
| 1156 | option socket-stats (*) X X X - |
| 1157 | option splice-auto (*) X X X X |
| 1158 | option splice-request (*) X X X X |
| 1159 | option splice-response (*) X X X X |
| 1160 | option srvtcpka (*) X - X X |
| 1161 | option ssl-hello-chk X - X X |
| 1162 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 1163 | option tcp-smart-accept (*) X X X - |
| 1164 | option tcp-smart-connect (*) X - X X |
| 1165 | option tcpka X X X X |
| 1166 | option tcplog X X X X |
| 1167 | option transparent (*) X - X X |
| 1168 | persist rdp-cookie X - X X |
| 1169 | rate-limit sessions X X X - |
| 1170 | redirect - X X X |
| 1171 | redisp (deprecated) X - X X |
| 1172 | redispatch (deprecated) X - X X |
| 1173 | reqadd - X X X |
| 1174 | reqallow - X X X |
| 1175 | reqdel - X X X |
| 1176 | reqdeny - X X X |
| 1177 | reqiallow - X X X |
| 1178 | reqidel - X X X |
| 1179 | reqideny - X X X |
| 1180 | reqipass - X X X |
| 1181 | reqirep - X X X |
| 1182 | reqisetbe - X X X |
| 1183 | reqitarpit - X X X |
| 1184 | reqpass - X X X |
| 1185 | reqrep - X X X |
| 1186 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 1187 | reqsetbe - X X X |
| 1188 | reqtarpit - X X X |
| 1189 | retries X - X X |
| 1190 | rspadd - X X X |
| 1191 | rspdel - X X X |
| 1192 | rspdeny - X X X |
| 1193 | rspidel - X X X |
| 1194 | rspideny - X X X |
| 1195 | rspirep - X X X |
| 1196 | rsprep - X X X |
| 1197 | server - - X X |
| 1198 | source X - X X |
| 1199 | srvtimeout (deprecated) X - X X |
Cyril Bonté | 66c327d | 2010-10-12 00:14:37 +0200 | [diff] [blame] | 1200 | stats admin - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1201 | stats auth X - X X |
| 1202 | stats enable X - X X |
| 1203 | stats hide-version X - X X |
Cyril Bonté | 2be1b3f | 2010-09-30 23:46:30 +0200 | [diff] [blame] | 1204 | stats http-request - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1205 | stats realm X - X X |
| 1206 | stats refresh X - X X |
| 1207 | stats scope X - X X |
| 1208 | stats show-desc X - X X |
| 1209 | stats show-legends X - X X |
| 1210 | stats show-node X - X X |
| 1211 | stats uri X - X X |
| 1212 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
| 1213 | stick match - - X X |
| 1214 | stick on - - X X |
| 1215 | stick store-request - - X X |
Willy Tarreau | d8dc99f | 2011-07-01 11:33:25 +0200 | [diff] [blame] | 1216 | stick store-response - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1217 | stick-table - - X X |
Willy Tarreau | e965652 | 2010-08-17 15:40:09 +0200 | [diff] [blame] | 1218 | tcp-request connection - X X - |
| 1219 | tcp-request content - X X X |
Willy Tarreau | a56235c | 2010-09-14 11:31:36 +0200 | [diff] [blame] | 1220 | tcp-request inspect-delay - X X X |
Emeric Brun | 0a3b67f | 2010-09-24 15:34:53 +0200 | [diff] [blame] | 1221 | tcp-response content - - X X |
| 1222 | tcp-response inspect-delay - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1223 | timeout check X - X X |
| 1224 | timeout client X X X - |
| 1225 | timeout clitimeout (deprecated) X X X - |
| 1226 | timeout connect X - X X |
| 1227 | timeout contimeout (deprecated) X - X X |
| 1228 | timeout http-keep-alive X X X X |
| 1229 | timeout http-request X X X X |
| 1230 | timeout queue X - X X |
| 1231 | timeout server X - X X |
| 1232 | timeout srvtimeout (deprecated) X - X X |
| 1233 | timeout tarpit X X X X |
Willy Tarreau | ce887fd | 2012-05-12 12:50:00 +0200 | [diff] [blame] | 1234 | timeout tunnel X - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1235 | transparent (deprecated) X - X X |
William Lallemand | a73203e | 2012-03-12 12:48:57 +0100 | [diff] [blame] | 1236 | unique-id-format X X X - |
| 1237 | unique-id-header X X X - |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1238 | use_backend - X X - |
Willy Tarreau | 4a5cade | 2012-04-05 21:09:48 +0200 | [diff] [blame] | 1239 | use-server - - X X |
Willy Tarreau | 5c6f7b3 | 2010-02-26 13:34:29 +0100 | [diff] [blame] | 1240 | ------------------------------------+----------+----------+---------+--------- |
| 1241 | keyword defaults frontend listen backend |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 1242 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1243 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1244 | 4.2. Alphabetically sorted keywords reference |
| 1245 | --------------------------------------------- |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1246 | |
| 1247 | This section provides a description of each keyword and its usage. |
| 1248 | |
| 1249 | |
| 1250 | acl <aclname> <criterion> [flags] [operator] <value> ... |
| 1251 | Declare or complete an access list. |
| 1252 | May be used in sections : defaults | frontend | listen | backend |
| 1253 | no | yes | yes | yes |
| 1254 | Example: |
| 1255 | acl invalid_src src 0.0.0.0/7 224.0.0.0/3 |
| 1256 | acl invalid_src src_port 0:1023 |
| 1257 | acl local_dst hdr(host) -i localhost |
| 1258 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1259 | See section 7 about ACL usage. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1260 | |
| 1261 | |
Cyril Bonté | b21570a | 2009-11-29 20:04:48 +0100 | [diff] [blame] | 1262 | appsession <cookie> len <length> timeout <holdtime> |
| 1263 | [request-learn] [prefix] [mode <path-parameters|query-string>] |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1264 | Define session stickiness on an existing application cookie. |
| 1265 | May be used in sections : defaults | frontend | listen | backend |
| 1266 | no | no | yes | yes |
| 1267 | Arguments : |
| 1268 | <cookie> this is the name of the cookie used by the application and which |
| 1269 | HAProxy will have to learn for each new session. |
| 1270 | |
Cyril Bonté | b21570a | 2009-11-29 20:04:48 +0100 | [diff] [blame] | 1271 | <length> this is the max number of characters that will be memorized and |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1272 | checked in each cookie value. |
| 1273 | |
| 1274 | <holdtime> this is the time after which the cookie will be removed from |
| 1275 | memory if unused. If no unit is specified, this time is in |
| 1276 | milliseconds. |
| 1277 | |
Cyril Bonté | bf47aeb | 2009-10-15 00:15:40 +0200 | [diff] [blame] | 1278 | request-learn |
| 1279 | If this option is specified, then haproxy will be able to learn |
| 1280 | the cookie found in the request in case the server does not |
| 1281 | specify any in response. This is typically what happens with |
| 1282 | PHPSESSID cookies, or when haproxy's session expires before |
| 1283 | the application's session and the correct server is selected. |
| 1284 | It is recommended to specify this option to improve reliability. |
| 1285 | |
Cyril Bonté | b21570a | 2009-11-29 20:04:48 +0100 | [diff] [blame] | 1286 | prefix When this option is specified, haproxy will match on the cookie |
| 1287 | prefix (or URL parameter prefix). The appsession value is the |
| 1288 | data following this prefix. |
| 1289 | |
| 1290 | Example : |
| 1291 | appsession ASPSESSIONID len 64 timeout 3h prefix |
| 1292 | |
| 1293 | This will match the cookie ASPSESSIONIDXXXX=XXXXX, |
| 1294 | the appsession value will be XXXX=XXXXX. |
| 1295 | |
| 1296 | mode This option allows to change the URL parser mode. |
| 1297 | 2 modes are currently supported : |
| 1298 | - path-parameters : |
| 1299 | The parser looks for the appsession in the path parameters |
| 1300 | part (each parameter is separated by a semi-colon), which is |
| 1301 | convenient for JSESSIONID for example. |
| 1302 | This is the default mode if the option is not set. |
| 1303 | - query-string : |
| 1304 | In this mode, the parser will look for the appsession in the |
| 1305 | query string. |
| 1306 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1307 | When an application cookie is defined in a backend, HAProxy will check when |
| 1308 | the server sets such a cookie, and will store its value in a table, and |
| 1309 | associate it with the server's identifier. Up to <length> characters from |
| 1310 | the value will be retained. On each connection, haproxy will look for this |
Cyril Bonté | b21570a | 2009-11-29 20:04:48 +0100 | [diff] [blame] | 1311 | cookie both in the "Cookie:" headers, and as a URL parameter (depending on |
| 1312 | the mode used). If a known value is found, the client will be directed to the |
| 1313 | server associated with this value. Otherwise, the load balancing algorithm is |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1314 | applied. Cookies are automatically removed from memory when they have been |
| 1315 | unused for a duration longer than <holdtime>. |
| 1316 | |
| 1317 | The definition of an application cookie is limited to one per backend. |
| 1318 | |
Cyril Bonté | 02ff8ef | 2010-12-14 22:48:49 +0100 | [diff] [blame] | 1319 | Note : Consider not using this feature in multi-process mode (nbproc > 1) |
| 1320 | unless you know what you do : memory is not shared between the |
| 1321 | processes, which can result in random behaviours. |
| 1322 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1323 | Example : |
| 1324 | appsession JSESSIONID len 52 timeout 3h |
| 1325 | |
Cyril Bonté | 02ff8ef | 2010-12-14 22:48:49 +0100 | [diff] [blame] | 1326 | See also : "cookie", "capture cookie", "balance", "stick", "stick-table", |
| 1327 | "ignore-persist", "nbproc" and "bind-process". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1328 | |
| 1329 | |
Willy Tarreau | c73ce2b | 2008-01-06 10:55:10 +0100 | [diff] [blame] | 1330 | backlog <conns> |
| 1331 | Give hints to the system about the approximate listen backlog desired size |
| 1332 | May be used in sections : defaults | frontend | listen | backend |
| 1333 | yes | yes | yes | no |
| 1334 | Arguments : |
| 1335 | <conns> is the number of pending connections. Depending on the operating |
| 1336 | system, it may represent the number of already acknowledged |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1337 | connections, of non-acknowledged ones, or both. |
Willy Tarreau | c73ce2b | 2008-01-06 10:55:10 +0100 | [diff] [blame] | 1338 | |
| 1339 | In order to protect against SYN flood attacks, one solution is to increase |
| 1340 | the system's SYN backlog size. Depending on the system, sometimes it is just |
| 1341 | tunable via a system parameter, sometimes it is not adjustable at all, and |
| 1342 | sometimes the system relies on hints given by the application at the time of |
| 1343 | the listen() syscall. By default, HAProxy passes the frontend's maxconn value |
| 1344 | to the listen() syscall. On systems which can make use of this value, it can |
| 1345 | sometimes be useful to be able to specify a different value, hence this |
| 1346 | backlog parameter. |
| 1347 | |
| 1348 | On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is |
| 1349 | used as a hint and the system accepts up to the smallest greater power of |
| 1350 | two, and never more than some limits (usually 32768). |
| 1351 | |
| 1352 | See also : "maxconn" and the target operating system's tuning guide. |
| 1353 | |
| 1354 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1355 | balance <algorithm> [ <arguments> ] |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1356 | balance url_param <param> [check_post [<max_wait>]] |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1357 | Define the load balancing algorithm to be used in a backend. |
| 1358 | May be used in sections : defaults | frontend | listen | backend |
| 1359 | yes | no | yes | yes |
| 1360 | Arguments : |
| 1361 | <algorithm> is the algorithm used to select a server when doing load |
| 1362 | balancing. This only applies when no persistence information |
| 1363 | is available, or when a connection is redispatched to another |
| 1364 | server. <algorithm> may be one of the following : |
| 1365 | |
| 1366 | roundrobin Each server is used in turns, according to their weights. |
| 1367 | This is the smoothest and fairest algorithm when the server's |
| 1368 | processing time remains equally distributed. This algorithm |
| 1369 | is dynamic, which means that server weights may be adjusted |
Willy Tarreau | 9757a38 | 2009-10-03 12:56:50 +0200 | [diff] [blame] | 1370 | on the fly for slow starts for instance. It is limited by |
| 1371 | design to 4128 active servers per backend. Note that in some |
| 1372 | large farms, when a server becomes up after having been down |
| 1373 | for a very short time, it may sometimes take a few hundreds |
| 1374 | requests for it to be re-integrated into the farm and start |
| 1375 | receiving traffic. This is normal, though very rare. It is |
| 1376 | indicated here in case you would have the chance to observe |
| 1377 | it, so that you don't worry. |
| 1378 | |
| 1379 | static-rr Each server is used in turns, according to their weights. |
| 1380 | This algorithm is as similar to roundrobin except that it is |
| 1381 | static, which means that changing a server's weight on the |
| 1382 | fly will have no effect. On the other hand, it has no design |
| 1383 | limitation on the number of servers, and when a server goes |
| 1384 | up, it is always immediately reintroduced into the farm, once |
| 1385 | the full map is recomputed. It also uses slightly less CPU to |
| 1386 | run (around -1%). |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1387 | |
Willy Tarreau | 2d2a7f8 | 2008-03-17 12:07:56 +0100 | [diff] [blame] | 1388 | leastconn The server with the lowest number of connections receives the |
| 1389 | connection. Round-robin is performed within groups of servers |
| 1390 | of the same load to ensure that all servers will be used. Use |
| 1391 | of this algorithm is recommended where very long sessions are |
| 1392 | expected, such as LDAP, SQL, TSE, etc... but is not very well |
| 1393 | suited for protocols using short sessions such as HTTP. This |
| 1394 | algorithm is dynamic, which means that server weights may be |
| 1395 | adjusted on the fly for slow starts for instance. |
| 1396 | |
Willy Tarreau | f09c660 | 2012-02-13 17:12:08 +0100 | [diff] [blame] | 1397 | first The first server with available connection slots receives the |
| 1398 | connection. The servers are choosen from the lowest numeric |
| 1399 | identifier to the highest (see server parameter "id"), which |
| 1400 | defaults to the server's position in the farm. Once a server |
Willy Tarreau | 64559c5 | 2012-04-07 09:08:45 +0200 | [diff] [blame] | 1401 | reaches its maxconn value, the next server is used. It does |
Willy Tarreau | f09c660 | 2012-02-13 17:12:08 +0100 | [diff] [blame] | 1402 | not make sense to use this algorithm without setting maxconn. |
| 1403 | The purpose of this algorithm is to always use the smallest |
| 1404 | number of servers so that extra servers can be powered off |
| 1405 | during non-intensive hours. This algorithm ignores the server |
| 1406 | weight, and brings more benefit to long session such as RDP |
Willy Tarreau | 64559c5 | 2012-04-07 09:08:45 +0200 | [diff] [blame] | 1407 | or IMAP than HTTP, though it can be useful there too. In |
| 1408 | order to use this algorithm efficiently, it is recommended |
| 1409 | that a cloud controller regularly checks server usage to turn |
| 1410 | them off when unused, and regularly checks backend queue to |
| 1411 | turn new servers on when the queue inflates. Alternatively, |
| 1412 | using "http-check send-state" may inform servers on the load. |
Willy Tarreau | f09c660 | 2012-02-13 17:12:08 +0100 | [diff] [blame] | 1413 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1414 | source The source IP address is hashed and divided by the total |
| 1415 | weight of the running servers to designate which server will |
| 1416 | receive the request. This ensures that the same client IP |
| 1417 | address will always reach the same server as long as no |
| 1418 | server goes down or up. If the hash result changes due to the |
| 1419 | number of running servers changing, many clients will be |
| 1420 | directed to a different server. This algorithm is generally |
| 1421 | used in TCP mode where no cookie may be inserted. It may also |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1422 | be used on the Internet to provide a best-effort stickiness |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1423 | to clients which refuse session cookies. This algorithm is |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1424 | static by default, which means that changing a server's |
| 1425 | weight on the fly will have no effect, but this can be |
| 1426 | changed using "hash-type". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1427 | |
Oskar Stolc | 8dc4184 | 2012-05-19 10:19:54 +0100 | [diff] [blame] | 1428 | uri This algorithm hashes either the left part of the URI (before |
| 1429 | the question mark) or the whole URI (if the "whole" parameter |
| 1430 | is present) and divides the hash value by the total weight of |
| 1431 | the running servers. The result designates which server will |
| 1432 | receive the request. This ensures that the same URI will |
| 1433 | always be directed to the same server as long as no server |
| 1434 | goes up or down. This is used with proxy caches and |
| 1435 | anti-virus proxies in order to maximize the cache hit rate. |
| 1436 | Note that this algorithm may only be used in an HTTP backend. |
| 1437 | This algorithm is static by default, which means that |
| 1438 | changing a server's weight on the fly will have no effect, |
| 1439 | but this can be changed using "hash-type". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1440 | |
Oskar Stolc | 8dc4184 | 2012-05-19 10:19:54 +0100 | [diff] [blame] | 1441 | This algorithm supports two optional parameters "len" and |
Marek Majkowski | 9c30fc1 | 2008-04-27 23:25:55 +0200 | [diff] [blame] | 1442 | "depth", both followed by a positive integer number. These |
| 1443 | options may be helpful when it is needed to balance servers |
| 1444 | based on the beginning of the URI only. The "len" parameter |
| 1445 | indicates that the algorithm should only consider that many |
| 1446 | characters at the beginning of the URI to compute the hash. |
| 1447 | Note that having "len" set to 1 rarely makes sense since most |
| 1448 | URIs start with a leading "/". |
| 1449 | |
| 1450 | The "depth" parameter indicates the maximum directory depth |
| 1451 | to be used to compute the hash. One level is counted for each |
| 1452 | slash in the request. If both parameters are specified, the |
| 1453 | evaluation stops when either is reached. |
| 1454 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1455 | url_param The URL parameter specified in argument will be looked up in |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1456 | the query string of each HTTP GET request. |
| 1457 | |
| 1458 | If the modifier "check_post" is used, then an HTTP POST |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1459 | request entity will be searched for the parameter argument, |
| 1460 | when it is not found in a query string after a question mark |
| 1461 | ('?') in the URL. Optionally, specify a number of octets to |
| 1462 | wait for before attempting to search the message body. If the |
| 1463 | entity can not be searched, then round robin is used for each |
| 1464 | request. For instance, if your clients always send the LB |
| 1465 | parameter in the first 128 bytes, then specify that. The |
| 1466 | default is 48. The entity data will not be scanned until the |
| 1467 | required number of octets have arrived at the gateway, this |
| 1468 | is the minimum of: (default/max_wait, Content-Length or first |
| 1469 | chunk length). If Content-Length is missing or zero, it does |
| 1470 | not need to wait for more data than the client promised to |
| 1471 | send. When Content-Length is present and larger than |
| 1472 | <max_wait>, then waiting is limited to <max_wait> and it is |
| 1473 | assumed that this will be enough data to search for the |
| 1474 | presence of the parameter. In the unlikely event that |
| 1475 | Transfer-Encoding: chunked is used, only the first chunk is |
| 1476 | scanned. Parameter values separated by a chunk boundary, may |
| 1477 | be randomly balanced if at all. |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1478 | |
| 1479 | If the parameter is found followed by an equal sign ('=') and |
| 1480 | a value, then the value is hashed and divided by the total |
| 1481 | weight of the running servers. The result designates which |
| 1482 | server will receive the request. |
| 1483 | |
| 1484 | This is used to track user identifiers in requests and ensure |
| 1485 | that a same user ID will always be sent to the same server as |
| 1486 | long as no server goes up or down. If no value is found or if |
| 1487 | the parameter is not found, then a round robin algorithm is |
| 1488 | applied. Note that this algorithm may only be used in an HTTP |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1489 | backend. This algorithm is static by default, which means |
| 1490 | that changing a server's weight on the fly will have no |
| 1491 | effect, but this can be changed using "hash-type". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1492 | |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1493 | hdr(<name>) The HTTP header <name> will be looked up in each HTTP |
| 1494 | request. Just as with the equivalent ACL 'hdr()' function, |
| 1495 | the header name in parenthesis is not case sensitive. If the |
| 1496 | header is absent or if it does not contain any value, the |
| 1497 | roundrobin algorithm is applied instead. |
Benoit | affb481 | 2009-03-25 13:02:10 +0100 | [diff] [blame] | 1498 | |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1499 | An optional 'use_domain_only' parameter is available, for |
Benoit | affb481 | 2009-03-25 13:02:10 +0100 | [diff] [blame] | 1500 | reducing the hash algorithm to the main domain part with some |
| 1501 | specific headers such as 'Host'. For instance, in the Host |
| 1502 | value "haproxy.1wt.eu", only "1wt" will be considered. |
| 1503 | |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1504 | This algorithm is static by default, which means that |
| 1505 | changing a server's weight on the fly will have no effect, |
| 1506 | but this can be changed using "hash-type". |
| 1507 | |
Emeric Brun | 736aa23 | 2009-06-30 17:56:00 +0200 | [diff] [blame] | 1508 | rdp-cookie |
Hervé COMMOWICK | a3eb39c | 2011-08-05 18:48:51 +0200 | [diff] [blame] | 1509 | rdp-cookie(<name>) |
Emeric Brun | 736aa23 | 2009-06-30 17:56:00 +0200 | [diff] [blame] | 1510 | The RDP cookie <name> (or "mstshash" if omitted) will be |
| 1511 | looked up and hashed for each incoming TCP request. Just as |
| 1512 | with the equivalent ACL 'req_rdp_cookie()' function, the name |
| 1513 | is not case-sensitive. This mechanism is useful as a degraded |
| 1514 | persistence mode, as it makes it possible to always send the |
| 1515 | same user (or the same session ID) to the same server. If the |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1516 | cookie is not found, the normal roundrobin algorithm is |
Emeric Brun | 736aa23 | 2009-06-30 17:56:00 +0200 | [diff] [blame] | 1517 | used instead. |
| 1518 | |
| 1519 | Note that for this to work, the frontend must ensure that an |
| 1520 | RDP cookie is already present in the request buffer. For this |
| 1521 | you must use 'tcp-request content accept' rule combined with |
| 1522 | a 'req_rdp_cookie_cnt' ACL. |
| 1523 | |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1524 | This algorithm is static by default, which means that |
| 1525 | changing a server's weight on the fly will have no effect, |
| 1526 | but this can be changed using "hash-type". |
| 1527 | |
Cyril Bonté | dc4d903 | 2012-04-08 21:57:39 +0200 | [diff] [blame] | 1528 | See also the rdp_cookie pattern fetch function. |
Simon Horman | ab814e0 | 2011-06-24 14:50:20 +0900 | [diff] [blame] | 1529 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1530 | <arguments> is an optional list of arguments which may be needed by some |
Marek Majkowski | 9c30fc1 | 2008-04-27 23:25:55 +0200 | [diff] [blame] | 1531 | algorithms. Right now, only "url_param" and "uri" support an |
| 1532 | optional argument. |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1533 | |
Marek Majkowski | 9c30fc1 | 2008-04-27 23:25:55 +0200 | [diff] [blame] | 1534 | balance uri [len <len>] [depth <depth>] |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1535 | balance url_param <param> [check_post [<max_wait>]] |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1536 | |
Willy Tarreau | 3cd9af2 | 2009-03-15 14:06:41 +0100 | [diff] [blame] | 1537 | The load balancing algorithm of a backend is set to roundrobin when no other |
| 1538 | algorithm, mode nor option have been set. The algorithm may only be set once |
| 1539 | for each backend. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1540 | |
| 1541 | Examples : |
| 1542 | balance roundrobin |
| 1543 | balance url_param userid |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1544 | balance url_param session_id check_post 64 |
Benoit | affb481 | 2009-03-25 13:02:10 +0100 | [diff] [blame] | 1545 | balance hdr(User-Agent) |
| 1546 | balance hdr(host) |
| 1547 | balance hdr(Host) use_domain_only |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1548 | |
| 1549 | Note: the following caveats and limitations on using the "check_post" |
| 1550 | extension with "url_param" must be considered : |
| 1551 | |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1552 | - all POST requests are eligible for consideration, because there is no way |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1553 | to determine if the parameters will be found in the body or entity which |
| 1554 | may contain binary data. Therefore another method may be required to |
| 1555 | restrict consideration of POST requests that have no URL parameters in |
| 1556 | the body. (see acl reqideny http_end) |
| 1557 | |
| 1558 | - using a <max_wait> value larger than the request buffer size does not |
| 1559 | make sense and is useless. The buffer size is set at build time, and |
| 1560 | defaults to 16 kB. |
| 1561 | |
| 1562 | - Content-Encoding is not supported, the parameter search will probably |
| 1563 | fail; and load balancing will fall back to Round Robin. |
| 1564 | |
| 1565 | - Expect: 100-continue is not supported, load balancing will fall back to |
| 1566 | Round Robin. |
| 1567 | |
| 1568 | - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk. |
| 1569 | If the entire parameter value is not present in the first chunk, the |
| 1570 | selection of server is undefined (actually, defined by how little |
| 1571 | actually appeared in the first chunk). |
| 1572 | |
| 1573 | - This feature does not support generation of a 100, 411 or 501 response. |
| 1574 | |
| 1575 | - In some cases, requesting "check_post" MAY attempt to scan the entire |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1576 | contents of a message body. Scanning normally terminates when linear |
matt.farnsworth@nokia.com | 1c2ab96 | 2008-04-14 20:47:37 +0200 | [diff] [blame] | 1577 | white space or control characters are found, indicating the end of what |
| 1578 | might be a URL parameter list. This is probably not a concern with SGML |
| 1579 | type message bodies. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1580 | |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 1581 | See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and |
| 1582 | "http_proxy". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1583 | |
| 1584 | |
Willy Tarreau | b6205fd | 2012-09-24 12:27:33 +0200 | [diff] [blame] | 1585 | bind [<address>]:<port_range> [, ...] [param*] |
| 1586 | bind /<path> [, ...] [param*] |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1587 | Define one or several listening addresses and/or ports in a frontend. |
| 1588 | May be used in sections : defaults | frontend | listen | backend |
| 1589 | no | yes | yes | no |
| 1590 | Arguments : |
Willy Tarreau | b1e52e8 | 2008-01-13 14:49:51 +0100 | [diff] [blame] | 1591 | <address> is optional and can be a host name, an IPv4 address, an IPv6 |
| 1592 | address, or '*'. It designates the address the frontend will |
| 1593 | listen on. If unset, all IPv4 addresses of the system will be |
| 1594 | listened on. The same will apply for '*' or the system's |
David du Colombier | 9c938da | 2011-03-17 10:40:27 +0100 | [diff] [blame] | 1595 | special address "0.0.0.0". The IPv6 equivalent is '::'. |
Willy Tarreau | b1e52e8 | 2008-01-13 14:49:51 +0100 | [diff] [blame] | 1596 | |
Willy Tarreau | c5011ca | 2010-03-22 11:53:56 +0100 | [diff] [blame] | 1597 | <port_range> is either a unique TCP port, or a port range for which the |
| 1598 | proxy will accept connections for the IP address specified |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1599 | above. The port is mandatory for TCP listeners. Note that in |
| 1600 | the case of an IPv6 address, the port is always the number |
| 1601 | after the last colon (':'). A range can either be : |
Willy Tarreau | c5011ca | 2010-03-22 11:53:56 +0100 | [diff] [blame] | 1602 | - a numerical port (ex: '80') |
| 1603 | - a dash-delimited ports range explicitly stating the lower |
| 1604 | and upper bounds (ex: '2000-2100') which are included in |
| 1605 | the range. |
| 1606 | |
| 1607 | Particular care must be taken against port ranges, because |
| 1608 | every <address:port> couple consumes one socket (= a file |
| 1609 | descriptor), so it's easy to consume lots of descriptors |
| 1610 | with a simple range, and to run out of sockets. Also, each |
| 1611 | <address:port> couple must be used only once among all |
| 1612 | instances running on a same system. Please note that binding |
| 1613 | to ports lower than 1024 generally require particular |
Jamie Gloudon | 801a0a3 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 1614 | privileges to start the program, which are independent of |
Willy Tarreau | c5011ca | 2010-03-22 11:53:56 +0100 | [diff] [blame] | 1615 | the 'uid' parameter. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1616 | |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1617 | <path> is a UNIX socket path beginning with a slash ('/'). This is |
| 1618 | alternative to the TCP listening port. Haproxy will then |
| 1619 | receive UNIX connections on the socket located at this place. |
| 1620 | The path must begin with a slash and by default is absolute. |
| 1621 | It can be relative to the prefix defined by "unix-bind" in |
| 1622 | the global section. Note that the total length of the prefix |
| 1623 | followed by the socket path cannot exceed some system limits |
| 1624 | for UNIX sockets, which commonly are set to 107 characters. |
| 1625 | |
Willy Tarreau | b6205fd | 2012-09-24 12:27:33 +0200 | [diff] [blame] | 1626 | <param*> is a list of parameters common to all sockets declared on the |
| 1627 | same line. These numerous parameters depend on OS and build |
| 1628 | options and have a complete section dedicated to them. Please |
| 1629 | refer to section 5 to for more details. |
Willy Tarreau | a0ee1d0 | 2012-09-10 09:01:23 +0200 | [diff] [blame] | 1630 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1631 | It is possible to specify a list of address:port combinations delimited by |
| 1632 | commas. The frontend will then listen on all of these addresses. There is no |
| 1633 | fixed limit to the number of addresses and ports which can be listened on in |
| 1634 | a frontend, as well as there is no limit to the number of "bind" statements |
| 1635 | in a frontend. |
| 1636 | |
| 1637 | Example : |
| 1638 | listen http_proxy |
| 1639 | bind :80,:443 |
| 1640 | bind 10.0.0.1:10080,10.0.0.1:10443 |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1641 | bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1642 | |
Willy Tarreau | a0ee1d0 | 2012-09-10 09:01:23 +0200 | [diff] [blame] | 1643 | listen http_https_proxy |
| 1644 | bind :80 |
Cyril Bonté | 0d44fc6 | 2012-10-09 22:45:33 +0200 | [diff] [blame] | 1645 | bind :443 ssl crt /etc/haproxy/site.pem |
Willy Tarreau | a0ee1d0 | 2012-09-10 09:01:23 +0200 | [diff] [blame] | 1646 | |
Willy Tarreau | ceb24bc | 2010-11-09 12:46:41 +0100 | [diff] [blame] | 1647 | See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol |
Willy Tarreau | b6205fd | 2012-09-24 12:27:33 +0200 | [diff] [blame] | 1648 | documentation, and section 5 about bind options. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1649 | |
| 1650 | |
Willy Tarreau | 110ecc1 | 2012-11-15 17:50:01 +0100 | [diff] [blame] | 1651 | bind-process [ all | odd | even | <number 1-32>[-<number 1-32>] ] ... |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1652 | Limit visibility of an instance to a certain set of processes numbers. |
| 1653 | May be used in sections : defaults | frontend | listen | backend |
| 1654 | yes | yes | yes | yes |
| 1655 | Arguments : |
| 1656 | all All process will see this instance. This is the default. It |
| 1657 | may be used to override a default value. |
| 1658 | |
| 1659 | odd This instance will be enabled on processes 1,3,5,...31. This |
| 1660 | option may be combined with other numbers. |
| 1661 | |
| 1662 | even This instance will be enabled on processes 2,4,6,...32. This |
| 1663 | option may be combined with other numbers. Do not use it |
| 1664 | with less than 2 processes otherwise some instances might be |
| 1665 | missing from all processes. |
| 1666 | |
Willy Tarreau | 110ecc1 | 2012-11-15 17:50:01 +0100 | [diff] [blame] | 1667 | number The instance will be enabled on this process number or range, |
| 1668 | whose values must all be between 1 and 32. You must be |
| 1669 | careful not to reference a process number greater than the |
| 1670 | configured global.nbproc, otherwise some instances might be |
| 1671 | missing from all processes. |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1672 | |
| 1673 | This keyword limits binding of certain instances to certain processes. This |
| 1674 | is useful in order not to have too many processes listening to the same |
| 1675 | ports. For instance, on a dual-core machine, it might make sense to set |
| 1676 | 'nbproc 2' in the global section, then distributes the listeners among 'odd' |
| 1677 | and 'even' instances. |
| 1678 | |
| 1679 | At the moment, it is not possible to reference more than 32 processes using |
| 1680 | this keyword, but this should be more than enough for most setups. Please |
| 1681 | note that 'all' really means all processes and is not limited to the first |
| 1682 | 32. |
| 1683 | |
| 1684 | If some backends are referenced by frontends bound to other processes, the |
| 1685 | backend automatically inherits the frontend's processes. |
| 1686 | |
| 1687 | Example : |
| 1688 | listen app_ip1 |
| 1689 | bind 10.0.0.1:80 |
Willy Tarreau | bfcd311 | 2010-10-23 11:22:08 +0200 | [diff] [blame] | 1690 | bind-process odd |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1691 | |
| 1692 | listen app_ip2 |
| 1693 | bind 10.0.0.2:80 |
Willy Tarreau | bfcd311 | 2010-10-23 11:22:08 +0200 | [diff] [blame] | 1694 | bind-process even |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1695 | |
| 1696 | listen management |
| 1697 | bind 10.0.0.3:80 |
Willy Tarreau | bfcd311 | 2010-10-23 11:22:08 +0200 | [diff] [blame] | 1698 | bind-process 1 2 3 4 |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1699 | |
Willy Tarreau | 110ecc1 | 2012-11-15 17:50:01 +0100 | [diff] [blame] | 1700 | listen management |
| 1701 | bind 10.0.0.4:80 |
| 1702 | bind-process 1-4 |
| 1703 | |
Willy Tarreau | 0b9c02c | 2009-02-04 22:05:05 +0100 | [diff] [blame] | 1704 | See also : "nbproc" in global section. |
| 1705 | |
| 1706 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1707 | block { if | unless } <condition> |
| 1708 | Block a layer 7 request if/unless a condition is matched |
| 1709 | May be used in sections : defaults | frontend | listen | backend |
| 1710 | no | yes | yes | yes |
| 1711 | |
| 1712 | The HTTP request will be blocked very early in the layer 7 processing |
| 1713 | if/unless <condition> is matched. A 403 error will be returned if the request |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1714 | is blocked. The condition has to reference ACLs (see section 7). This is |
Willy Tarreau | 3c92c5f | 2011-08-28 09:45:47 +0200 | [diff] [blame] | 1715 | typically used to deny access to certain sensitive resources if some |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1716 | conditions are met or not met. There is no fixed limit to the number of |
| 1717 | "block" statements per instance. |
| 1718 | |
| 1719 | Example: |
| 1720 | acl invalid_src src 0.0.0.0/7 224.0.0.0/3 |
| 1721 | acl invalid_src src_port 0:1023 |
| 1722 | acl local_dst hdr(host) -i localhost |
| 1723 | block if invalid_src || local_dst |
| 1724 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1725 | See section 7 about ACL usage. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1726 | |
| 1727 | |
| 1728 | capture cookie <name> len <length> |
| 1729 | Capture and log a cookie in the request and in the response. |
| 1730 | May be used in sections : defaults | frontend | listen | backend |
| 1731 | no | yes | yes | no |
| 1732 | Arguments : |
| 1733 | <name> is the beginning of the name of the cookie to capture. In order |
| 1734 | to match the exact name, simply suffix the name with an equal |
| 1735 | sign ('='). The full name will appear in the logs, which is |
| 1736 | useful with application servers which adjust both the cookie name |
| 1737 | and value (eg: ASPSESSIONXXXXX). |
| 1738 | |
| 1739 | <length> is the maximum number of characters to report in the logs, which |
| 1740 | include the cookie name, the equal sign and the value, all in the |
| 1741 | standard "name=value" form. The string will be truncated on the |
| 1742 | right if it exceeds <length>. |
| 1743 | |
| 1744 | Only the first cookie is captured. Both the "cookie" request headers and the |
| 1745 | "set-cookie" response headers are monitored. This is particularly useful to |
| 1746 | check for application bugs causing session crossing or stealing between |
| 1747 | users, because generally the user's cookies can only change on a login page. |
| 1748 | |
| 1749 | When the cookie was not presented by the client, the associated log column |
| 1750 | will report "-". When a request does not cause a cookie to be assigned by the |
| 1751 | server, a "-" is reported in the response column. |
| 1752 | |
| 1753 | The capture is performed in the frontend only because it is necessary that |
| 1754 | the log format does not change for a given frontend depending on the |
| 1755 | backends. This may change in the future. Note that there can be only one |
Willy Tarreau | 193b8c6 | 2012-11-22 00:17:38 +0100 | [diff] [blame] | 1756 | "capture cookie" statement in a frontend. The maximum capture length is set |
| 1757 | by the global "tune.http.cookielen" setting and defaults to 63 characters. It |
| 1758 | is not possible to specify a capture in a "defaults" section. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1759 | |
| 1760 | Example: |
| 1761 | capture cookie ASPSESSION len 32 |
| 1762 | |
| 1763 | See also : "capture request header", "capture response header" as well as |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1764 | section 8 about logging. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1765 | |
| 1766 | |
| 1767 | capture request header <name> len <length> |
Willy Tarreau | 4460d03 | 2012-11-21 23:37:37 +0100 | [diff] [blame] | 1768 | Capture and log the last occurrence of the specified request header. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1769 | May be used in sections : defaults | frontend | listen | backend |
| 1770 | no | yes | yes | no |
| 1771 | Arguments : |
| 1772 | <name> is the name of the header to capture. The header names are not |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 1773 | case-sensitive, but it is a common practice to write them as they |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1774 | appear in the requests, with the first letter of each word in |
| 1775 | upper case. The header name will not appear in the logs, only the |
| 1776 | value is reported, but the position in the logs is respected. |
| 1777 | |
| 1778 | <length> is the maximum number of characters to extract from the value and |
| 1779 | report in the logs. The string will be truncated on the right if |
| 1780 | it exceeds <length>. |
| 1781 | |
Willy Tarreau | 4460d03 | 2012-11-21 23:37:37 +0100 | [diff] [blame] | 1782 | The complete value of the last occurrence of the header is captured. The |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1783 | value will be added to the logs between braces ('{}'). If multiple headers |
| 1784 | are captured, they will be delimited by a vertical bar ('|') and will appear |
Willy Tarreau | cc6c891 | 2009-02-22 10:53:55 +0100 | [diff] [blame] | 1785 | in the same order they were declared in the configuration. Non-existent |
| 1786 | headers will be logged just as an empty string. Common uses for request |
| 1787 | header captures include the "Host" field in virtual hosting environments, the |
| 1788 | "Content-length" when uploads are supported, "User-agent" to quickly |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 1789 | differentiate between real users and robots, and "X-Forwarded-For" in proxied |
Willy Tarreau | cc6c891 | 2009-02-22 10:53:55 +0100 | [diff] [blame] | 1790 | environments to find where the request came from. |
| 1791 | |
| 1792 | Note that when capturing headers such as "User-agent", some spaces may be |
| 1793 | logged, making the log analysis more difficult. Thus be careful about what |
| 1794 | you log if you know your log parser is not smart enough to rely on the |
| 1795 | braces. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1796 | |
Willy Tarreau | 0900abb | 2012-11-22 00:21:46 +0100 | [diff] [blame] | 1797 | There is no limit to the number of captured request headers nor to their |
| 1798 | length, though it is wise to keep them low to limit memory usage per session. |
| 1799 | In order to keep log format consistent for a same frontend, header captures |
| 1800 | can only be declared in a frontend. It is not possible to specify a capture |
| 1801 | in a "defaults" section. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1802 | |
| 1803 | Example: |
| 1804 | capture request header Host len 15 |
| 1805 | capture request header X-Forwarded-For len 15 |
| 1806 | capture request header Referrer len 15 |
| 1807 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1808 | See also : "capture cookie", "capture response header" as well as section 8 |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1809 | about logging. |
| 1810 | |
| 1811 | |
| 1812 | capture response header <name> len <length> |
Willy Tarreau | 4460d03 | 2012-11-21 23:37:37 +0100 | [diff] [blame] | 1813 | Capture and log the last occurrence of the specified response header. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1814 | May be used in sections : defaults | frontend | listen | backend |
| 1815 | no | yes | yes | no |
| 1816 | Arguments : |
| 1817 | <name> is the name of the header to capture. The header names are not |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 1818 | case-sensitive, but it is a common practice to write them as they |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1819 | appear in the response, with the first letter of each word in |
| 1820 | upper case. The header name will not appear in the logs, only the |
| 1821 | value is reported, but the position in the logs is respected. |
| 1822 | |
| 1823 | <length> is the maximum number of characters to extract from the value and |
| 1824 | report in the logs. The string will be truncated on the right if |
| 1825 | it exceeds <length>. |
| 1826 | |
Willy Tarreau | 4460d03 | 2012-11-21 23:37:37 +0100 | [diff] [blame] | 1827 | The complete value of the last occurrence of the header is captured. The |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1828 | result will be added to the logs between braces ('{}') after the captured |
| 1829 | request headers. If multiple headers are captured, they will be delimited by |
| 1830 | a vertical bar ('|') and will appear in the same order they were declared in |
Willy Tarreau | cc6c891 | 2009-02-22 10:53:55 +0100 | [diff] [blame] | 1831 | the configuration. Non-existent headers will be logged just as an empty |
| 1832 | string. Common uses for response header captures include the "Content-length" |
| 1833 | header which indicates how many bytes are expected to be returned, the |
| 1834 | "Location" header to track redirections. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1835 | |
Willy Tarreau | 0900abb | 2012-11-22 00:21:46 +0100 | [diff] [blame] | 1836 | There is no limit to the number of captured response headers nor to their |
| 1837 | length, though it is wise to keep them low to limit memory usage per session. |
| 1838 | In order to keep log format consistent for a same frontend, header captures |
| 1839 | can only be declared in a frontend. It is not possible to specify a capture |
| 1840 | in a "defaults" section. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1841 | |
| 1842 | Example: |
| 1843 | capture response header Content-length len 9 |
| 1844 | capture response header Location len 15 |
| 1845 | |
Willy Tarreau | c57f0e2 | 2009-05-10 13:12:33 +0200 | [diff] [blame] | 1846 | See also : "capture cookie", "capture request header" as well as section 8 |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1847 | about logging. |
| 1848 | |
| 1849 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 1850 | clitimeout <timeout> (deprecated) |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1851 | Set the maximum inactivity time on the client side. |
| 1852 | May be used in sections : defaults | frontend | listen | backend |
| 1853 | yes | yes | yes | no |
| 1854 | Arguments : |
| 1855 | <timeout> is the timeout value is specified in milliseconds by default, but |
| 1856 | can be in any other unit if the number is suffixed by the unit, |
| 1857 | as explained at the top of this document. |
| 1858 | |
| 1859 | The inactivity timeout applies when the client is expected to acknowledge or |
| 1860 | send data. In HTTP mode, this timeout is particularly important to consider |
| 1861 | during the first phase, when the client sends the request, and during the |
| 1862 | response while it is reading data sent by the server. The value is specified |
| 1863 | in milliseconds by default, but can be in any other unit if the number is |
| 1864 | suffixed by the unit, as specified at the top of this document. In TCP mode |
| 1865 | (and to a lesser extent, in HTTP mode), it is highly recommended that the |
| 1866 | client timeout remains equal to the server timeout in order to avoid complex |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 1867 | situations to debug. It is a good practice to cover one or several TCP packet |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1868 | losses by specifying timeouts that are slightly above multiples of 3 seconds |
| 1869 | (eg: 4 or 5 seconds). |
| 1870 | |
| 1871 | This parameter is specific to frontends, but can be specified once for all in |
| 1872 | "defaults" sections. This is in fact one of the easiest solutions not to |
| 1873 | forget about it. An unspecified timeout results in an infinite timeout, which |
| 1874 | is not recommended. Such a usage is accepted and works but reports a warning |
| 1875 | during startup because it may results in accumulation of expired sessions in |
| 1876 | the system if the system's timeouts are not configured either. |
| 1877 | |
| 1878 | This parameter is provided for compatibility but is currently deprecated. |
| 1879 | Please use "timeout client" instead. |
| 1880 | |
Willy Tarreau | 036fae0 | 2008-01-06 13:24:40 +0100 | [diff] [blame] | 1881 | See also : "timeout client", "timeout http-request", "timeout server", and |
| 1882 | "srvtimeout". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1883 | |
Cyril Bonté | 316a8cf | 2012-11-11 13:38:27 +0100 | [diff] [blame] | 1884 | compression algo <algorithm> ... |
| 1885 | compression type <mime type> ... |
Willy Tarreau | 70737d1 | 2012-10-27 00:34:28 +0200 | [diff] [blame] | 1886 | compression offload |
William Lallemand | 82fe75c | 2012-10-23 10:25:10 +0200 | [diff] [blame] | 1887 | Enable HTTP compression. |
| 1888 | May be used in sections : defaults | frontend | listen | backend |
| 1889 | yes | yes | yes | yes |
| 1890 | Arguments : |
Cyril Bonté | 316a8cf | 2012-11-11 13:38:27 +0100 | [diff] [blame] | 1891 | algo is followed by the list of supported compression algorithms. |
| 1892 | type is followed by the list of MIME types that will be compressed. |
| 1893 | offload makes haproxy work as a compression offloader only (see notes). |
| 1894 | |
| 1895 | The currently supported algorithms are : |
Dmitry Sivachenko | 87c208b | 2012-11-22 20:03:26 +0400 | [diff] [blame] | 1896 | identity this is mostly for debugging, and it was useful for developing |
Cyril Bonté | 316a8cf | 2012-11-11 13:38:27 +0100 | [diff] [blame] | 1897 | the compression feature. Identity does not apply any change on |
| 1898 | data. |
| 1899 | |
| 1900 | gzip applies gzip compression. This setting is only available when |
| 1901 | support for zlib was built in. |
| 1902 | |
| 1903 | deflate same as gzip, but with deflate algorithm and zlib format. |
| 1904 | Note that this algorithm has ambiguous support on many browsers |
| 1905 | and no support at all from recent ones. It is strongly |
| 1906 | recommended not to use it for anything else than experimentation. |
| 1907 | This setting is only available when support for zlib was built |
| 1908 | in. |
| 1909 | |
Dmitry Sivachenko | 87c208b | 2012-11-22 20:03:26 +0400 | [diff] [blame] | 1910 | Compression will be activated depending on the Accept-Encoding request |
Cyril Bonté | 316a8cf | 2012-11-11 13:38:27 +0100 | [diff] [blame] | 1911 | header. With identity, it does not take care of that header. |
Dmitry Sivachenko | c9f3b45 | 2012-11-28 17:47:11 +0400 | [diff] [blame] | 1912 | If backend servers support HTTP compression, these directives |
| 1913 | will be no-op: haproxy will see the compressed response and will not |
| 1914 | compress again. If backend servers do not support HTTP compression and |
| 1915 | there is Accept-Encoding header in request, haproxy will compress the |
| 1916 | matching response. |
Willy Tarreau | 70737d1 | 2012-10-27 00:34:28 +0200 | [diff] [blame] | 1917 | |
| 1918 | The "offload" setting makes haproxy remove the Accept-Encoding header to |
| 1919 | prevent backend servers from compressing responses. It is strongly |
| 1920 | recommended not to do this because this means that all the compression work |
| 1921 | will be done on the single point where haproxy is located. However in some |
| 1922 | deployment scenarios, haproxy may be installed in front of a buggy gateway |
Dmitry Sivachenko | c9f3b45 | 2012-11-28 17:47:11 +0400 | [diff] [blame] | 1923 | with broken HTTP compression implementation which can't be turned off. |
| 1924 | In that case haproxy can be used to prevent that gateway from emitting |
| 1925 | invalid payloads. In this case, simply removing the header in the |
| 1926 | configuration does not work because it applies before the header is parsed, |
| 1927 | so that prevents haproxy from compressing. The "offload" setting should |
| 1928 | then be used for such scenarios. |
William Lallemand | 82fe75c | 2012-10-23 10:25:10 +0200 | [diff] [blame] | 1929 | |
William Lallemand | 0509744 | 2012-11-20 12:14:28 +0100 | [diff] [blame] | 1930 | Compression is disabled when: |
Baptiste Assmann | 650d53d | 2013-01-05 15:44:44 +0100 | [diff] [blame] | 1931 | * the request does not advertise a supported compression algorithm in the |
| 1932 | "Accept-Encoding" header |
| 1933 | * the response message is not HTTP/1.1 |
William Lallemand | d300261 | 2012-11-26 14:34:47 +0100 | [diff] [blame] | 1934 | * HTTP status code is not 200 |
Baptiste Assmann | 650d53d | 2013-01-05 15:44:44 +0100 | [diff] [blame] | 1935 | * response contain neither a "Content-Length" header nor a |
| 1936 | "Transfer-Encoding" whose last value is "chunked" |
| 1937 | * response contains a "Content-Type" header whose first value starts with |
| 1938 | "multipart" |
| 1939 | * the response contains the "no-transform" value in the "Cache-control" |
| 1940 | header |
| 1941 | * User-Agent matches "Mozilla/4" unless it is MSIE 6 with XP SP2, or MSIE 7 |
| 1942 | and later |
| 1943 | * The response contains a "Content-Encoding" header, indicating that the |
| 1944 | response is already compressed (see compression offload) |
William Lallemand | 0509744 | 2012-11-20 12:14:28 +0100 | [diff] [blame] | 1945 | |
Baptiste Assmann | 650d53d | 2013-01-05 15:44:44 +0100 | [diff] [blame] | 1946 | Note: The compression does not rewrite Etag headers, and does not emit the |
| 1947 | Warning header. |
William Lallemand | 0509744 | 2012-11-20 12:14:28 +0100 | [diff] [blame] | 1948 | |
William Lallemand | 82fe75c | 2012-10-23 10:25:10 +0200 | [diff] [blame] | 1949 | Examples : |
| 1950 | compression algo gzip |
| 1951 | compression type text/html text/plain |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1952 | |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 1953 | contimeout <timeout> (deprecated) |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1954 | Set the maximum time to wait for a connection attempt to a server to succeed. |
| 1955 | May be used in sections : defaults | frontend | listen | backend |
| 1956 | yes | no | yes | yes |
| 1957 | Arguments : |
| 1958 | <timeout> is the timeout value is specified in milliseconds by default, but |
| 1959 | can be in any other unit if the number is suffixed by the unit, |
| 1960 | as explained at the top of this document. |
| 1961 | |
| 1962 | If the server is located on the same LAN as haproxy, the connection should be |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 1963 | immediate (less than a few milliseconds). Anyway, it is a good practice to |
Willy Tarreau | d72758d | 2010-01-12 10:42:19 +0100 | [diff] [blame] | 1964 | cover one or several TCP packet losses by specifying timeouts that are |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1965 | slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the |
| 1966 | connect timeout also presets the queue timeout to the same value if this one |
| 1967 | has not been specified. Historically, the contimeout was also used to set the |
| 1968 | tarpit timeout in a listen section, which is not possible in a pure frontend. |
| 1969 | |
| 1970 | This parameter is specific to backends, but can be specified once for all in |
| 1971 | "defaults" sections. This is in fact one of the easiest solutions not to |
| 1972 | forget about it. An unspecified timeout results in an infinite timeout, which |
| 1973 | is not recommended. Such a usage is accepted and works but reports a warning |
| 1974 | during startup because it may results in accumulation of failed sessions in |
| 1975 | the system if the system's timeouts are not configured either. |
| 1976 | |
| 1977 | This parameter is provided for backwards compatibility but is currently |
| 1978 | deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit" |
| 1979 | instead. |
| 1980 | |
| 1981 | See also : "timeout connect", "timeout queue", "timeout tarpit", |
| 1982 | "timeout server", "contimeout". |
| 1983 | |
| 1984 | |
Willy Tarreau | 55165fe | 2009-05-10 12:02:55 +0200 | [diff] [blame] | 1985 | cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ] |
Willy Tarreau | 4992dd2 | 2012-05-31 21:02:17 +0200 | [diff] [blame] | 1986 | [ postonly ] [ preserve ] [ httponly ] [ secure ] |
| 1987 | [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ] |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 1988 | Enable cookie-based persistence in a backend. |
| 1989 | May be used in sections : defaults | frontend | listen | backend |
| 1990 | yes | no | yes | yes |
| 1991 | Arguments : |
| 1992 | <name> is the name of the cookie which will be monitored, modified or |
| 1993 | inserted in order to bring persistence. This cookie is sent to |
| 1994 | the client via a "Set-Cookie" header in the response, and is |
| 1995 | brought back by the client in a "Cookie" header in all requests. |
| 1996 | Special care should be taken to choose a name which does not |
| 1997 | conflict with any likely application cookie. Also, if the same |
| 1998 | backends are subject to be used by the same clients (eg: |
| 1999 | HTTP/HTTPS), care should be taken to use different cookie names |
| 2000 | between all backends if persistence between them is not desired. |
| 2001 | |
| 2002 | rewrite This keyword indicates that the cookie will be provided by the |
| 2003 | server and that haproxy will have to modify its value to set the |
| 2004 | server's identifier in it. This mode is handy when the management |
| 2005 | of complex combinations of "Set-cookie" and "Cache-control" |
| 2006 | headers is left to the application. The application can then |
| 2007 | decide whether or not it is appropriate to emit a persistence |
| 2008 | cookie. Since all responses should be monitored, this mode only |
| 2009 | works in HTTP close mode. Unless the application behaviour is |
| 2010 | very complex and/or broken, it is advised not to start with this |
| 2011 | mode for new deployments. This keyword is incompatible with |
| 2012 | "insert" and "prefix". |
| 2013 | |
| 2014 | insert This keyword indicates that the persistence cookie will have to |
Willy Tarreau | a79094d | 2010-08-31 22:54:15 +0200 | [diff] [blame] | 2015 | be inserted by haproxy in server responses if the client did not |
Willy Tarreau | ba4c5be | 2010-10-23 12:46:42 +0200 | [diff] [blame] | 2016 | |
Willy Tarreau | a79094d | 2010-08-31 22:54:15 +0200 | [diff] [blame] | 2017 | already have a cookie that would have permitted it to access this |
Willy Tarreau | ba4c5be | 2010-10-23 12:46:42 +0200 | [diff] [blame] | 2018 | server. When used without the "preserve" option, if the server |
| 2019 | emits a cookie with the same name, it will be remove before |
| 2020 | processing. For this reason, this mode can be used to upgrade |
| 2021 | existing configurations running in the "rewrite" mode. The cookie |
| 2022 | will only be a session cookie and will not be stored on the |
| 2023 | client's disk. By default, unless the "indirect" option is added, |
| 2024 | the server will see the cookies emitted by the client. Due to |
| 2025 | caching effects, it is generally wise to add the "nocache" or |
| 2026 | "postonly" keywords (see below). The "insert" keyword is not |
| 2027 | compatible with "rewrite" and "prefix". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2028 | |
| 2029 | prefix This keyword indicates that instead of relying on a dedicated |
| 2030 | cookie for the persistence, an existing one will be completed. |
| 2031 | This may be needed in some specific environments where the client |
| 2032 | does not support more than one single cookie and the application |
| 2033 | already needs it. In this case, whenever the server sets a cookie |
| 2034 | named <name>, it will be prefixed with the server's identifier |
| 2035 | and a delimiter. The prefix will be removed from all client |
| 2036 | requests so that the server still finds the cookie it emitted. |
| 2037 | Since all requests and responses are subject to being modified, |
| 2038 | this mode requires the HTTP close mode. The "prefix" keyword is |
Willy Tarreau | 37229df | 2011-10-17 12:24:55 +0200 | [diff] [blame] | 2039 | not compatible with "rewrite" and "insert". Note: it is highly |
| 2040 | recommended not to use "indirect" with "prefix", otherwise server |
| 2041 | cookie updates would not be sent to clients. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2042 | |
Willy Tarreau | a79094d | 2010-08-31 22:54:15 +0200 | [diff] [blame] | 2043 | indirect When this option is specified, no cookie will be emitted to a |
| 2044 | client which already has a valid one for the server which has |
| 2045 | processed the request. If the server sets such a cookie itself, |
Willy Tarreau | ba4c5be | 2010-10-23 12:46:42 +0200 | [diff] [blame] | 2046 | it will be removed, unless the "preserve" option is also set. In |
| 2047 | "insert" mode, this will additionally remove cookies from the |
| 2048 | requests transmitted to the server, making the persistence |
| 2049 | mechanism totally transparent from an application point of view. |
Willy Tarreau | 37229df | 2011-10-17 12:24:55 +0200 | [diff] [blame] | 2050 | Note: it is highly recommended not to use "indirect" with |
| 2051 | "prefix", otherwise server cookie updates would not be sent to |
| 2052 | clients. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2053 | |
| 2054 | nocache This option is recommended in conjunction with the insert mode |
| 2055 | when there is a cache between the client and HAProxy, as it |
| 2056 | ensures that a cacheable response will be tagged non-cacheable if |
| 2057 | a cookie needs to be inserted. This is important because if all |
| 2058 | persistence cookies are added on a cacheable home page for |
| 2059 | instance, then all customers will then fetch the page from an |
| 2060 | outer cache and will all share the same persistence cookie, |
| 2061 | leading to one server receiving much more traffic than others. |
| 2062 | See also the "insert" and "postonly" options. |
| 2063 | |
| 2064 | postonly This option ensures that cookie insertion will only be performed |
| 2065 | on responses to POST requests. It is an alternative to the |
| 2066 | "nocache" option, because POST responses are not cacheable, so |
| 2067 | this ensures that the persistence cookie will never get cached. |
| 2068 | Since most sites do not need any sort of persistence before the |
| 2069 | first POST which generally is a login request, this is a very |
| 2070 | efficient method to optimize caching without risking to find a |
| 2071 | persistence cookie in the cache. |
| 2072 | See also the "insert" and "nocache" options. |
| 2073 | |
Willy Tarreau | ba4c5be | 2010-10-23 12:46:42 +0200 | [diff] [blame] | 2074 | preserve This option may only be used with "insert" and/or "indirect". It |
| 2075 | allows the server to emit the persistence cookie itself. In this |
| 2076 | case, if a cookie is found in the response, haproxy will leave it |
| 2077 | untouched. This is useful in order to end persistence after a |
| 2078 | logout request for instance. For this, the server just has to |
| 2079 | emit a cookie with an invalid value (eg: empty) or with a date in |
| 2080 | the past. By combining this mechanism with the "disable-on-404" |
| 2081 | check option, it is possible to perform a completely graceful |
| 2082 | shutdown because users will definitely leave the server after |
| 2083 | they logout. |
| 2084 | |
Willy Tarreau | 4992dd2 | 2012-05-31 21:02:17 +0200 | [diff] [blame] | 2085 | httponly This option tells haproxy to add an "HttpOnly" cookie attribute |
| 2086 | when a cookie is inserted. This attribute is used so that a |
| 2087 | user agent doesn't share the cookie with non-HTTP components. |
| 2088 | Please check RFC6265 for more information on this attribute. |
| 2089 | |
| 2090 | secure This option tells haproxy to add a "Secure" cookie attribute when |
| 2091 | a cookie is inserted. This attribute is used so that a user agent |
| 2092 | never emits this cookie over non-secure channels, which means |
| 2093 | that a cookie learned with this flag will be presented only over |
| 2094 | SSL/TLS connections. Please check RFC6265 for more information on |
| 2095 | this attribute. |
| 2096 | |
Krzysztof Piotr Oledzki | efe3b6f | 2008-05-23 23:49:32 +0200 | [diff] [blame] | 2097 | domain This option allows to specify the domain at which a cookie is |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 2098 | inserted. It requires exactly one parameter: a valid domain |
Willy Tarreau | 68a897b | 2009-12-03 23:28:34 +0100 | [diff] [blame] | 2099 | name. If the domain begins with a dot, the browser is allowed to |
| 2100 | use it for any host ending with that name. It is also possible to |
| 2101 | specify several domain names by invoking this option multiple |
| 2102 | times. Some browsers might have small limits on the number of |
| 2103 | domains, so be careful when doing that. For the record, sending |
| 2104 | 10 domains to MSIE 6 or Firefox 2 works as expected. |
Krzysztof Piotr Oledzki | efe3b6f | 2008-05-23 23:49:32 +0200 | [diff] [blame] | 2105 | |
Willy Tarreau | 996a92c | 2010-10-13 19:30:47 +0200 | [diff] [blame] | 2106 | maxidle This option allows inserted cookies to be ignored after some idle |
| 2107 | time. It only works with insert-mode cookies. When a cookie is |
| 2108 | sent to the client, the date this cookie was emitted is sent too. |
| 2109 | Upon further presentations of this cookie, if the date is older |
| 2110 | than the delay indicated by the parameter (in seconds), it will |
| 2111 | be ignored. Otherwise, it will be refreshed if needed when the |
| 2112 | response is sent to the client. This is particularly useful to |
| 2113 | prevent users who never close their browsers from remaining for |
| 2114 | too long on the same server (eg: after a farm size change). When |
| 2115 | this option is set and a cookie has no date, it is always |
| 2116 | accepted, but gets refreshed in the response. This maintains the |
| 2117 | ability for admins to access their sites. Cookies that have a |
| 2118 | date in the future further than 24 hours are ignored. Doing so |
| 2119 | lets admins fix timezone issues without risking kicking users off |
| 2120 | the site. |
| 2121 | |
| 2122 | maxlife This option allows inserted cookies to be ignored after some life |
| 2123 | time, whether they're in use or not. It only works with insert |
| 2124 | mode cookies. When a cookie is first sent to the client, the date |
| 2125 | this cookie was emitted is sent too. Upon further presentations |
| 2126 | of this cookie, if the date is older than the delay indicated by |
| 2127 | the parameter (in seconds), it will be ignored. If the cookie in |
| 2128 | the request has no date, it is accepted and a date will be set. |
| 2129 | Cookies that have a date in the future further than 24 hours are |
| 2130 | ignored. Doing so lets admins fix timezone issues without risking |
| 2131 | kicking users off the site. Contrary to maxidle, this value is |
| 2132 | not refreshed, only the first visit date counts. Both maxidle and |
| 2133 | maxlife may be used at the time. This is particularly useful to |
| 2134 | prevent users who never close their browsers from remaining for |
| 2135 | too long on the same server (eg: after a farm size change). This |
| 2136 | is stronger than the maxidle method in that it forces a |
| 2137 | redispatch after some absolute delay. |
| 2138 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2139 | There can be only one persistence cookie per HTTP backend, and it can be |
| 2140 | declared in a defaults section. The value of the cookie will be the value |
| 2141 | indicated after the "cookie" keyword in a "server" statement. If no cookie |
| 2142 | is declared for a given server, the cookie is not set. |
Willy Tarreau | 6a06a40 | 2007-07-15 20:15:28 +0200 | [diff] [blame] | 2143 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2144 | Examples : |
| 2145 | cookie JSESSIONID prefix |
| 2146 | cookie SRV insert indirect nocache |
| 2147 | cookie SRV insert postonly indirect |
Willy Tarreau | 996a92c | 2010-10-13 19:30:47 +0200 | [diff] [blame] | 2148 | cookie SRV insert indirect nocache maxidle 30m maxlife 8h |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2149 | |
Cyril Bonté | a8e7bbc | 2010-04-25 22:29:29 +0200 | [diff] [blame] | 2150 | See also : "appsession", "balance source", "capture cookie", "server" |
Cyril Bonté | 0d4bf01 | 2010-04-25 23:21:46 +0200 | [diff] [blame] | 2151 | and "ignore-persist". |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2152 | |
Willy Tarreau | 983e01e | 2010-01-11 18:42:06 +0100 | [diff] [blame] | 2153 | |
Krzysztof Piotr Oledzki | c6df066 | 2010-01-05 16:38:49 +0100 | [diff] [blame] | 2154 | default-server [param*] |
| 2155 | Change default options for a server in a backend |
| 2156 | May be used in sections : defaults | frontend | listen | backend |
| 2157 | yes | no | yes | yes |
| 2158 | Arguments: |
Willy Tarreau | 983e01e | 2010-01-11 18:42:06 +0100 | [diff] [blame] | 2159 | <param*> is a list of parameters for this server. The "default-server" |
| 2160 | keyword accepts an important number of options and has a complete |
| 2161 | section dedicated to it. Please refer to section 5 for more |
| 2162 | details. |
Krzysztof Piotr Oledzki | c6df066 | 2010-01-05 16:38:49 +0100 | [diff] [blame] | 2163 | |
Willy Tarreau | 983e01e | 2010-01-11 18:42:06 +0100 | [diff] [blame] | 2164 | Example : |
Krzysztof Piotr Oledzki | c6df066 | 2010-01-05 16:38:49 +0100 | [diff] [blame] | 2165 | default-server inter 1000 weight 13 |
| 2166 | |
| 2167 | See also: "server" and section 5 about server options |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2168 | |
Willy Tarreau | 983e01e | 2010-01-11 18:42:06 +0100 | [diff] [blame] | 2169 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2170 | default_backend <backend> |
| 2171 | Specify the backend to use when no "use_backend" rule has been matched. |
| 2172 | May be used in sections : defaults | frontend | listen | backend |
| 2173 | yes | yes | yes | no |
| 2174 | Arguments : |
| 2175 | <backend> is the name of the backend to use. |
| 2176 | |
| 2177 | When doing content-switching between frontend and backends using the |
| 2178 | "use_backend" keyword, it is often useful to indicate which backend will be |
| 2179 | used when no rule has matched. It generally is the dynamic backend which |
| 2180 | will catch all undetermined requests. |
| 2181 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2182 | Example : |
| 2183 | |
| 2184 | use_backend dynamic if url_dyn |
| 2185 | use_backend static if url_css url_img extension_img |
| 2186 | default_backend dynamic |
| 2187 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2188 | See also : "use_backend", "reqsetbe", "reqisetbe" |
| 2189 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2190 | |
| 2191 | disabled |
| 2192 | Disable a proxy, frontend or backend. |
| 2193 | May be used in sections : defaults | frontend | listen | backend |
| 2194 | yes | yes | yes | yes |
| 2195 | Arguments : none |
| 2196 | |
| 2197 | The "disabled" keyword is used to disable an instance, mainly in order to |
| 2198 | liberate a listening port or to temporarily disable a service. The instance |
| 2199 | will still be created and its configuration will be checked, but it will be |
| 2200 | created in the "stopped" state and will appear as such in the statistics. It |
| 2201 | will not receive any traffic nor will it send any health-checks or logs. It |
| 2202 | is possible to disable many instances at once by adding the "disabled" |
| 2203 | keyword in a "defaults" section. |
| 2204 | |
| 2205 | See also : "enabled" |
| 2206 | |
| 2207 | |
Willy Tarreau | 5ce9457 | 2010-06-07 14:35:41 +0200 | [diff] [blame] | 2208 | dispatch <address>:<port> |
| 2209 | Set a default server address |
| 2210 | May be used in sections : defaults | frontend | listen | backend |
| 2211 | no | no | yes | yes |
Cyril Bonté | 108cf6e | 2012-04-21 23:30:29 +0200 | [diff] [blame] | 2212 | Arguments : |
Willy Tarreau | 5ce9457 | 2010-06-07 14:35:41 +0200 | [diff] [blame] | 2213 | |
| 2214 | <address> is the IPv4 address of the default server. Alternatively, a |
| 2215 | resolvable hostname is supported, but this name will be resolved |
| 2216 | during start-up. |
| 2217 | |
| 2218 | <ports> is a mandatory port specification. All connections will be sent |
| 2219 | to this port, and it is not permitted to use port offsets as is |
| 2220 | possible with normal servers. |
| 2221 | |
Willy Tarreau | 787aed5 | 2011-04-15 06:45:37 +0200 | [diff] [blame] | 2222 | The "dispatch" keyword designates a default server for use when no other |
Willy Tarreau | 5ce9457 | 2010-06-07 14:35:41 +0200 | [diff] [blame] | 2223 | server can take the connection. In the past it was used to forward non |
| 2224 | persistent connections to an auxiliary load balancer. Due to its simple |
| 2225 | syntax, it has also been used for simple TCP relays. It is recommended not to |
| 2226 | use it for more clarity, and to use the "server" directive instead. |
| 2227 | |
| 2228 | See also : "server" |
| 2229 | |
| 2230 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2231 | enabled |
| 2232 | Enable a proxy, frontend or backend. |
| 2233 | May be used in sections : defaults | frontend | listen | backend |
| 2234 | yes | yes | yes | yes |
| 2235 | Arguments : none |
| 2236 | |
| 2237 | The "enabled" keyword is used to explicitly enable an instance, when the |
| 2238 | defaults has been set to "disabled". This is very rarely used. |
| 2239 | |
| 2240 | See also : "disabled" |
| 2241 | |
| 2242 | |
| 2243 | errorfile <code> <file> |
| 2244 | Return a file contents instead of errors generated by HAProxy |
| 2245 | May be used in sections : defaults | frontend | listen | backend |
| 2246 | yes | yes | yes | yes |
| 2247 | Arguments : |
| 2248 | <code> is the HTTP status code. Currently, HAProxy is capable of |
Willy Tarreau | ae94d4d | 2011-05-11 16:28:49 +0200 | [diff] [blame] | 2249 | generating codes 200, 400, 403, 408, 500, 502, 503, and 504. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2250 | |
| 2251 | <file> designates a file containing the full HTTP response. It is |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 2252 | recommended to follow the common practice of appending ".http" to |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2253 | the filename so that people do not confuse the response with HTML |
Willy Tarreau | 59140a2 | 2009-02-22 12:02:30 +0100 | [diff] [blame] | 2254 | error pages, and to use absolute paths, since files are read |
| 2255 | before any chroot is performed. |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2256 | |
| 2257 | It is important to understand that this keyword is not meant to rewrite |
| 2258 | errors returned by the server, but errors detected and returned by HAProxy. |
| 2259 | This is why the list of supported errors is limited to a small set. |
| 2260 | |
Willy Tarreau | ae94d4d | 2011-05-11 16:28:49 +0200 | [diff] [blame] | 2261 | Code 200 is emitted in response to requests matching a "monitor-uri" rule. |
| 2262 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2263 | The files are returned verbatim on the TCP socket. This allows any trick such |
| 2264 | as redirections to another URL or site, as well as tricks to clean cookies, |
| 2265 | force enable or disable caching, etc... The package provides default error |
| 2266 | files returning the same contents as default errors. |
| 2267 | |
Willy Tarreau | 59140a2 | 2009-02-22 12:02:30 +0100 | [diff] [blame] | 2268 | The files should not exceed the configured buffer size (BUFSIZE), which |
| 2269 | generally is 8 or 16 kB, otherwise they will be truncated. It is also wise |
| 2270 | not to put any reference to local contents (eg: images) in order to avoid |
| 2271 | loops between the client and HAProxy when all servers are down, causing an |
| 2272 | error to be returned instead of an image. For better HTTP compliance, it is |
| 2273 | recommended that all header lines end with CR-LF and not LF alone. |
| 2274 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2275 | The files are read at the same time as the configuration and kept in memory. |
| 2276 | For this reason, the errors continue to be returned even when the process is |
| 2277 | chrooted, and no file change is considered while the process is running. A |
Willy Tarreau | c27debf | 2008-01-06 08:57:02 +0100 | [diff] [blame] | 2278 | simple method for developing those files consists in associating them to the |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2279 | 403 status code and interrogating a blocked URL. |
| 2280 | |
| 2281 | See also : "errorloc", "errorloc302", "errorloc303" |
| 2282 | |
Willy Tarreau | 59140a2 | 2009-02-22 12:02:30 +0100 | [diff] [blame] | 2283 | Example : |
| 2284 | errorfile 400 /etc/haproxy/errorfiles/400badreq.http |
| 2285 | errorfile 403 /etc/haproxy/errorfiles/403forbid.http |
| 2286 | errorfile 503 /etc/haproxy/errorfiles/503sorry.http |
| 2287 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2288 | |
| 2289 | errorloc <code> <url> |
| 2290 | errorloc302 <code> <url> |
| 2291 | Return an HTTP redirection to a URL instead of errors generated by HAProxy |
| 2292 | May be used in sections : defaults | frontend | listen | backend |
| 2293 | yes | yes | yes | yes |
| 2294 | Arguments : |
| 2295 | <code> is the HTTP status code. Currently, HAProxy is capable of |
Willy Tarreau | ae94d4d | 2011-05-11 16:28:49 +0200 | [diff] [blame] | 2296 | generating codes 200, 400, 403, 408, 500, 502, 503, and 504. |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2297 | |
| 2298 | <url> it is the exact contents of the "Location" header. It may contain |
| 2299 | either a relative URI to an error page hosted on the same site, |
| 2300 | or an absolute URI designating an error page on another site. |
| 2301 | Special care should be given to relative URIs to avoid redirect |
| 2302 | loops if the URI itself may generate the same error (eg: 500). |
| 2303 | |
| 2304 | It is important to understand that this keyword is not meant to rewrite |
| 2305 | errors returned by the server, but errors detected and returned by HAProxy. |
| 2306 | This is why the list of supported errors is limited to a small set. |
| 2307 | |
Willy Tarreau | ae94d4d | 2011-05-11 16:28:49 +0200 | [diff] [blame] | 2308 | Code 200 is emitted in response to requests matching a "monitor-uri" rule. |
| 2309 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2310 | Note that both keyword return the HTTP 302 status code, which tells the |
| 2311 | client to fetch the designated URL using the same HTTP method. This can be |
| 2312 | quite problematic in case of non-GET methods such as POST, because the URL |
| 2313 | sent to the client might not be allowed for something other than GET. To |
| 2314 | workaround this problem, please use "errorloc303" which send the HTTP 303 |
| 2315 | status code, indicating to the client that the URL must be fetched with a GET |
| 2316 | request. |
| 2317 | |
| 2318 | See also : "errorfile", "errorloc303" |
| 2319 | |
| 2320 | |
| 2321 | errorloc303 <code> <url> |
| 2322 | Return an HTTP redirection to a URL instead of errors generated by HAProxy |
| 2323 | May be used in sections : defaults | frontend | listen | backend |
| 2324 | yes | yes | yes | yes |
| 2325 | Arguments : |
| 2326 | <code> is the HTTP status code. Currently, HAProxy is capable of |
| 2327 | generating codes 400, 403, 408, 500, 502, 503, and 504. |
| 2328 | |
| 2329 | <url> it is the exact contents of the "Location" header. It may contain |
| 2330 | either a relative URI to an error page hosted on the same site, |
| 2331 | or an absolute URI designating an error page on another site. |
| 2332 | Special care should be given to relative URIs to avoid redirect |
| 2333 | loops if the URI itself may generate the same error (eg: 500). |
| 2334 | |
| 2335 | It is important to understand that this keyword is not meant to rewrite |
| 2336 | errors returned by the server, but errors detected and returned by HAProxy. |
| 2337 | This is why the list of supported errors is limited to a small set. |
| 2338 | |
Willy Tarreau | ae94d4d | 2011-05-11 16:28:49 +0200 | [diff] [blame] | 2339 | Code 200 is emitted in response to requests matching a "monitor-uri" rule. |
| 2340 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2341 | Note that both keyword return the HTTP 303 status code, which tells the |
| 2342 | client to fetch the designated URL using the same HTTP GET method. This |
| 2343 | solves the usual problems associated with "errorloc" and the 302 code. It is |
| 2344 | possible that some very old browsers designed before HTTP/1.1 do not support |
Willy Tarreau | d2a4aa2 | 2008-01-31 15:28:22 +0100 | [diff] [blame] | 2345 | it, but no such problem has been reported till now. |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2346 | |
| 2347 | See also : "errorfile", "errorloc", "errorloc302" |
| 2348 | |
| 2349 | |
Willy Tarreau | 4de9149 | 2010-01-22 19:10:05 +0100 | [diff] [blame] | 2350 | force-persist { if | unless } <condition> |
| 2351 | Declare a condition to force persistence on down servers |
| 2352 | May be used in sections: defaults | frontend | listen | backend |
| 2353 | no | yes | yes | yes |
| 2354 | |
| 2355 | By default, requests are not dispatched to down servers. It is possible to |
| 2356 | force this using "option persist", but it is unconditional and redispatches |
| 2357 | to a valid server if "option redispatch" is set. That leaves with very little |
| 2358 | possibilities to force some requests to reach a server which is artificially |
| 2359 | marked down for maintenance operations. |
| 2360 | |
| 2361 | The "force-persist" statement allows one to declare various ACL-based |
| 2362 | conditions which, when met, will cause a request to ignore the down status of |
| 2363 | a server and still try to connect to it. That makes it possible to start a |
| 2364 | server, still replying an error to the health checks, and run a specially |
| 2365 | configured browser to test the service. Among the handy methods, one could |
| 2366 | use a specific source IP address, or a specific cookie. The cookie also has |
| 2367 | the advantage that it can easily be added/removed on the browser from a test |
| 2368 | page. Once the service is validated, it is then possible to open the service |
| 2369 | to the world by returning a valid response to health checks. |
| 2370 | |
| 2371 | The forced persistence is enabled when an "if" condition is met, or unless an |
| 2372 | "unless" condition is met. The final redispatch is always disabled when this |
| 2373 | is used. |
| 2374 | |
Cyril Bonté | 0d4bf01 | 2010-04-25 23:21:46 +0200 | [diff] [blame] | 2375 | See also : "option redispatch", "ignore-persist", "persist", |
Cyril Bonté | a8e7bbc | 2010-04-25 22:29:29 +0200 | [diff] [blame] | 2376 | and section 7 about ACL usage. |
Willy Tarreau | 4de9149 | 2010-01-22 19:10:05 +0100 | [diff] [blame] | 2377 | |
| 2378 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2379 | fullconn <conns> |
| 2380 | Specify at what backend load the servers will reach their maxconn |
| 2381 | May be used in sections : defaults | frontend | listen | backend |
| 2382 | yes | no | yes | yes |
| 2383 | Arguments : |
| 2384 | <conns> is the number of connections on the backend which will make the |
| 2385 | servers use the maximal number of connections. |
| 2386 | |
Willy Tarreau | 198a744 | 2008-01-17 12:05:32 +0100 | [diff] [blame] | 2387 | When a server has a "maxconn" parameter specified, it means that its number |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2388 | of concurrent connections will never go higher. Additionally, if it has a |
Willy Tarreau | 198a744 | 2008-01-17 12:05:32 +0100 | [diff] [blame] | 2389 | "minconn" parameter, it indicates a dynamic limit following the backend's |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2390 | load. The server will then always accept at least <minconn> connections, |
| 2391 | never more than <maxconn>, and the limit will be on the ramp between both |
| 2392 | values when the backend has less than <conns> concurrent connections. This |
| 2393 | makes it possible to limit the load on the servers during normal loads, but |
| 2394 | push it further for important loads without overloading the servers during |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 2395 | exceptional loads. |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2396 | |
Willy Tarreau | fbb7842 | 2011-06-05 15:38:35 +0200 | [diff] [blame] | 2397 | Since it's hard to get this value right, haproxy automatically sets it to |
| 2398 | 10% of the sum of the maxconns of all frontends that may branch to this |
| 2399 | backend. That way it's safe to leave it unset. |
| 2400 | |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2401 | Example : |
| 2402 | # The servers will accept between 100 and 1000 concurrent connections each |
| 2403 | # and the maximum of 1000 will be reached when the backend reaches 10000 |
| 2404 | # connections. |
| 2405 | backend dynamic |
| 2406 | fullconn 10000 |
| 2407 | server srv1 dyn1:80 minconn 100 maxconn 1000 |
| 2408 | server srv2 dyn2:80 minconn 100 maxconn 1000 |
| 2409 | |
| 2410 | See also : "maxconn", "server" |
| 2411 | |
| 2412 | |
| 2413 | grace <time> |
| 2414 | Maintain a proxy operational for some time after a soft stop |
| 2415 | May be used in sections : defaults | frontend | listen | backend |
Cyril Bonté | 99ed327 | 2010-01-24 23:29:44 +0100 | [diff] [blame] | 2416 | yes | yes | yes | yes |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2417 | Arguments : |
| 2418 | <time> is the time (by default in milliseconds) for which the instance |
| 2419 | will remain operational with the frontend sockets still listening |
| 2420 | when a soft-stop is received via the SIGUSR1 signal. |
| 2421 | |
| 2422 | This may be used to ensure that the services disappear in a certain order. |
| 2423 | This was designed so that frontends which are dedicated to monitoring by an |
Krzysztof Piotr Oledzki | f864533 | 2009-12-13 21:55:50 +0100 | [diff] [blame] | 2424 | external equipment fail immediately while other ones remain up for the time |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2425 | needed by the equipment to detect the failure. |
| 2426 | |
| 2427 | Note that currently, there is very little benefit in using this parameter, |
| 2428 | and it may in fact complicate the soft-reconfiguration process more than |
| 2429 | simplify it. |
| 2430 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2431 | |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 2432 | hash-type <method> |
| 2433 | Specify a method to use for mapping hashes to servers |
| 2434 | May be used in sections : defaults | frontend | listen | backend |
| 2435 | yes | no | yes | yes |
| 2436 | Arguments : |
| 2437 | map-based the hash table is a static array containing all alive servers. |
| 2438 | The hashes will be very smooth, will consider weights, but will |
| 2439 | be static in that weight changes while a server is up will be |
| 2440 | ignored. This means that there will be no slow start. Also, |
| 2441 | since a server is selected by its position in the array, most |
| 2442 | mappings are changed when the server count changes. This means |
| 2443 | that when a server goes up or down, or when a server is added |
| 2444 | to a farm, most connections will be redistributed to different |
| 2445 | servers. This can be inconvenient with caches for instance. |
| 2446 | |
Willy Tarreau | 798a39c | 2010-11-24 15:04:29 +0100 | [diff] [blame] | 2447 | avalanche this mechanism uses the default map-based hashing described |
| 2448 | above but applies a full avalanche hash before performing the |
| 2449 | mapping. The result is a slightly less smooth hash for most |
| 2450 | situations, but the hash becomes better than pure map-based |
| 2451 | hashes when the number of servers is a multiple of the size of |
| 2452 | the input set. When using URI hash with a number of servers |
| 2453 | multiple of 64, it's desirable to change the hash type to |
| 2454 | this value. |
| 2455 | |
Willy Tarreau | 6b2e11b | 2009-10-01 07:52:15 +0200 | [diff] [blame] | 2456 | consistent the hash table is a tree filled with many occurrences of each |
| 2457 | server. The hash key is looked up in the tree and the closest |
| 2458 | server is chosen. This hash is dynamic, it supports changing |
| 2459 | weights while the servers are up, so it is compatible with the |
| 2460 | slow start feature. It has the advantage that when a server |
| 2461 | goes up or down, only its associations are moved. When a server |
| 2462 | is added to the farm, only a few part of the mappings are |
| 2463 | redistributed, making it an ideal algorithm for caches. |
| 2464 | However, due to its principle, the algorithm will never be very |
| 2465 | smooth and it may sometimes be necessary to adjust a server's |
| 2466 | weight or its ID to get a more balanced distribution. In order |
| 2467 | to get the same distribution on multiple load balancers, it is |
| 2468 | important that all servers have the same IDs. |
| 2469 | |
| 2470 | The default hash type is "map-based" and is recommended for most usages. |
| 2471 | |
| 2472 | See also : "balance", "server" |
| 2473 | |
| 2474 | |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2475 | http-check disable-on-404 |
| 2476 | Enable a maintenance mode upon HTTP/404 response to health-checks |
| 2477 | May be used in sections : defaults | frontend | listen | backend |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2478 | yes | no | yes | yes |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2479 | Arguments : none |
| 2480 | |
| 2481 | When this option is set, a server which returns an HTTP code 404 will be |
| 2482 | excluded from further load-balancing, but will still receive persistent |
| 2483 | connections. This provides a very convenient method for Web administrators |
| 2484 | to perform a graceful shutdown of their servers. It is also important to note |
| 2485 | that a server which is detected as failed while it was in this mode will not |
| 2486 | generate an alert, just a notice. If the server responds 2xx or 3xx again, it |
| 2487 | will immediately be reinserted into the farm. The status on the stats page |
| 2488 | reports "NOLB" for a server in this mode. It is important to note that this |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2489 | option only works in conjunction with the "httpchk" option. If this option |
| 2490 | is used with "http-check expect", then it has precedence over it so that 404 |
| 2491 | responses will still be considered as soft-stop. |
| 2492 | |
| 2493 | See also : "option httpchk", "http-check expect" |
| 2494 | |
| 2495 | |
| 2496 | http-check expect [!] <match> <pattern> |
Jamie Gloudon | aaa2100 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 2497 | Make HTTP health checks consider response contents or specific status codes |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2498 | May be used in sections : defaults | frontend | listen | backend |
Willy Tarreau | 1ee51a6 | 2011-08-19 20:04:17 +0200 | [diff] [blame] | 2499 | yes | no | yes | yes |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2500 | Arguments : |
| 2501 | <match> is a keyword indicating how to look for a specific pattern in the |
| 2502 | response. The keyword may be one of "status", "rstatus", |
Jamie Gloudon | aaa2100 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 2503 | "string", or "rstring". The keyword may be preceded by an |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2504 | exclamation mark ("!") to negate the match. Spaces are allowed |
| 2505 | between the exclamation mark and the keyword. See below for more |
| 2506 | details on the supported keywords. |
| 2507 | |
| 2508 | <pattern> is the pattern to look for. It may be a string or a regular |
| 2509 | expression. If the pattern contains spaces, they must be escaped |
| 2510 | with the usual backslash ('\'). |
| 2511 | |
| 2512 | By default, "option httpchk" considers that response statuses 2xx and 3xx |
| 2513 | are valid, and that others are invalid. When "http-check expect" is used, |
| 2514 | it defines what is considered valid or invalid. Only one "http-check" |
| 2515 | statement is supported in a backend. If a server fails to respond or times |
| 2516 | out, the check obviously fails. The available matches are : |
| 2517 | |
| 2518 | status <string> : test the exact string match for the HTTP status code. |
Jamie Gloudon | aaa2100 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 2519 | A health check response will be considered valid if the |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2520 | response's status code is exactly this string. If the |
| 2521 | "status" keyword is prefixed with "!", then the response |
| 2522 | will be considered invalid if the status code matches. |
| 2523 | |
| 2524 | rstatus <regex> : test a regular expression for the HTTP status code. |
Jamie Gloudon | aaa2100 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 2525 | A health check response will be considered valid if the |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2526 | response's status code matches the expression. If the |
| 2527 | "rstatus" keyword is prefixed with "!", then the response |
| 2528 | will be considered invalid if the status code matches. |
| 2529 | This is mostly used to check for multiple codes. |
| 2530 | |
| 2531 | string <string> : test the exact string match in the HTTP response body. |
Jamie Gloudon | aaa2100 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 2532 | A health check response will be considered valid if the |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2533 | response's body contains this exact string. If the |
| 2534 | "string" keyword is prefixed with "!", then the response |
| 2535 | will be considered invalid if the body contains this |
| 2536 | string. This can be used to look for a mandatory word at |
| 2537 | the end of a dynamic page, or to detect a failure when a |
| 2538 | specific error appears on the check page (eg: a stack |
| 2539 | trace). |
| 2540 | |
| 2541 | rstring <regex> : test a regular expression on the HTTP response body. |
Jamie Gloudon | aaa2100 | 2012-08-25 00:18:33 -0400 | [diff] [blame] | 2542 | A health check response will be considered valid if the |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2543 | response's body matches this expression. If the "rstring" |
| 2544 | keyword is prefixed with "!", then the response will be |
| 2545 | considered invalid if the body matches the expression. |
| 2546 | This can be used to look for a mandatory word at the end |
| 2547 | of a dynamic page, or to detect a failure when a specific |
| 2548 | error appears on the check page (eg: a stack trace). |
| 2549 | |
| 2550 | It is important to note that the responses will be limited to a certain size |
| 2551 | defined by the global "tune.chksize" option, which defaults to 16384 bytes. |
| 2552 | Thus, too large responses may not contain the mandatory pattern when using |
| 2553 | "string" or "rstring". If a large response is absolutely required, it is |
| 2554 | possible to change the default max size by setting the global variable. |
| 2555 | However, it is worth keeping in mind that parsing very large responses can |
| 2556 | waste some CPU cycles, especially when regular expressions are used, and that |
| 2557 | it is always better to focus the checks on smaller resources. |
| 2558 | |
| 2559 | Last, if "http-check expect" is combined with "http-check disable-on-404", |
| 2560 | then this last one has precedence when the server responds with 404. |
| 2561 | |
| 2562 | Examples : |
| 2563 | # only accept status 200 as valid |
Willy Tarreau | 8f2a1e7 | 2011-01-06 16:36:10 +0100 | [diff] [blame] | 2564 | http-check expect status 200 |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2565 | |
| 2566 | # consider SQL errors as errors |
Willy Tarreau | 8f2a1e7 | 2011-01-06 16:36:10 +0100 | [diff] [blame] | 2567 | http-check expect ! string SQL\ Error |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2568 | |
| 2569 | # consider status 5xx only as errors |
Willy Tarreau | 8f2a1e7 | 2011-01-06 16:36:10 +0100 | [diff] [blame] | 2570 | http-check expect ! rstatus ^5 |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2571 | |
| 2572 | # check that we have a correct hexadecimal tag before /html |
Willy Tarreau | 8f2a1e7 | 2011-01-06 16:36:10 +0100 | [diff] [blame] | 2573 | http-check expect rstring <!--tag:[0-9a-f]*</html> |
Willy Tarreau | 0ba2750 | 2007-12-24 16:55:16 +0100 | [diff] [blame] | 2574 | |
Willy Tarreau | bd74154 | 2010-03-16 18:46:54 +0100 | [diff] [blame] | 2575 | See also : "option httpchk", "http-check disable-on-404" |
Willy Tarreau | 2769aa0 | 2007-12-27 18:26:09 +0100 | [diff] [blame] | 2576 | |
| 2577 | |
Willy Tarreau | ef78104 | 2010-01-27 11:53:01 +0100 | [diff] [blame] | 2578 | http-check send-state |
| 2579 | Enable emission of a state header with HTTP health checks |
| 2580 | May be used in sections : defaults | frontend | listen | backend |
| 2581 | yes | no | yes | yes |
| 2582 | Arguments : none |
| 2583 | |
| 2584 | When this option is set, haproxy will systematically send a special header |
| 2585 | "X-Haproxy-Server-State" with a list of parameters indicating to each server |
| 2586 | how they are seen by haproxy. This can be used for instance when a server is |
| 2587 | manipulated without access to haproxy and the operator needs to know whether |
| 2588 | haproxy still sees it up or not, or if the server is the last one in a farm. |
| 2589 | |
| 2590 | The header is composed of fields delimited by semi-colons, the first of which |
| 2591 | is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid |
| 2592 | checks on the total number before transition, just as appears in the stats |
| 2593 | interface. Next headers are in the form "<variable>=<value>", indicating in |
| 2594 | no specific order some values available in the stats interface : |
| 2595 | - a variable "name", containing the name of the backend followed by a slash |
| 2596 | ("/") then the name of the server. This can be used when a server is |
| 2597 | checked in multiple backends. |
| 2598 | |
| 2599 | - a variable "node" containing the name of the haproxy node, as set in the |
| 2600 | global "node" variable, otherwise the system's hostname if unspecified. |
| 2601 | |
| 2602 | - a variable "weight" indicating the weight of the server, a slash ("/") |
| 2603 | and the total weight of the farm (just counting usable servers). This |
| 2604 | helps to know if other servers are available to handle the load when this |
| 2605 | one fails. |
| 2606 | |
| 2607 | - a variable "scur" indicating the current number of concurrent connections |
| 2608 | on the server, followed by a slash ("/") then the total number of |
| 2609 | connections on all servers of the same backend. |
| 2610 | |
| 2611 | - a variable "qcur" indicating the current number of requests in the |
| 2612 | server's queue. |
| 2613 | |
| 2614 | Example of a header received by the application server : |
| 2615 | >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \ |
| 2616 | scur=13/22; qcur=0 |
| 2617 | |
| 2618 | See also : "option httpchk", "http-check disable-on-404" |
| 2619 | |
Willy Tarreau | ccbcc37 | 2012-12-27 12:37:57 +0100 | [diff] [blame] | 2620 | http-request { allow | deny | tarpit | auth [realm <realm>] | redirect <rule> | |
Willy Tarreau | 20b0de5 | 2012-12-24 15:45:22 +0100 | [diff] [blame] | 2621 | add-header <name> <fmt> | set-header <name> <fmt> } |
Cyril Bonté | f0c6061 | 2010-02-06 14:44:47 +0100 | [diff] [blame] | 2622 | [ { if | unless } <condition> ] |
Krzysztof Piotr Oledzki | 6b35ce1 | 2010-02-01 23:35:44 +0100 | [diff] [blame] | 2623 | Access control for Layer 7 requests |
| 2624 | |
| 2625 | May be used in sections: defaults | frontend | listen | backend |
|