This option enables use of the PROXY protocol with the server, which
allows haproxy to transport original client's address across multiple
architecture layers.
Released version 1.5-dev4 with the following main changes :
- [MINOR] cfgparse: Check whether the path given for the stats socket actually fits into the sockaddr_un structure to avoid truncation.
- [MINOR] unix sockets : inherits the backlog size from the listener
- [CLEANUP] unix sockets : move create_uxst_socket() in uxst_bind_listener()
- [DOC] fix a minor typo
- [DOC] fix ignore-persist documentation
- [MINOR] add warnings on features not compatible with multi-process mode
- [BUG] http: fix http-pretend-keepalive and httpclose/tunnel mode
- [MINOR] stats: add support for several packets in stats admin
- [BUG] stats: admin commands must check the proxy state
- [BUG] stats: admin web interface must check the proxy state
- [MINOR] http: add pattern extraction method to stick on query string parameter
- [MEDIUM] add internal support for IPv6 server addresses
- [MINOR] acl: add be_id/srv_id to match backend's and server's id
- [MINOR] log: add support for passing the forwarded hostname
- [MINOR] log: ability to override the syslog tag
- [MINOR] checks: add PostgreSQL health check
- [DOC] update ROADMAP file
- [BUILD] pattern: use 'int' instead of 'int32_t'
- [OPTIM] linux: add support for bypassing libc to force using vsyscalls
- [BUG] debug: report the correct poller list in verbose mode
- [BUG] capture: do not capture a cookie if there is no memory left
- [BUG] appsession: fix possible double free in case of out of memory
- [CRITICAL] cookies: mixing cookies in indirect mode and appsession can crash the process
- [BUG] http: correctly update the header list when removing two consecutive headers
- [BUILD] add the CPU=native and ARCH=32/64 build options
- [BUILD] add -fno-strict-aliasing to fix warnings with gcc >= 4.4
- [CLEANUP] hash: move the avalanche hash code globally available
- [MEDIUM] hash: add support for an 'avalanche' hash-type
- [DOC] update roadmap file
- [BUG] http: do not re-enable the PROXY analyser on keep-alive
- [OPTIM] http: don't send each chunk in a separate packet
- [DOC] fix minor typos reported recently in the peers section
- [DOC] fix another typo in the doc
- [MINOR] stats: report HTTP message state and buffer flags in error dumps
- [BUG] http chunking: don't report a parsing error on connection errors
- [BUG] stream_interface: truncate buffers when sending error messages
- [MINOR] http: support wrapping messages in error captures
- [MINOR] http: capture incorrectly chunked message bodies
- [MINOR] stats: add global event ID and count
- [BUG] http: analyser optimizations broke pipelining
- [CLEANUP] frontend: only apply TCP-specific settings to TCP/TCP6 sockets
- [BUG] http: fix incorrect error reporting during data transfers
- [CRITICAL] session: correctly leave turn-around and queue states on abort
- [BUG] session: release slot before processing pending connections
- [MINOR] tcp: add support for dynamic MSS setting
- [BUG] stick-table: correctly terminate string keys during lookups
- [BUG] acl: fix handling of empty lines in pattern files
- [BUG] stick-table: use the private buffer when padding strings
- [BUG] ebtree: fix ebmb_lookup() with len smaller than the tree's keys
- [OPTIM] ebtree: ebmb_lookup: reduce stack usage by moving the return code out of the loop
- [OPTIM] ebtree: inline ebst_lookup_len and ebis_lookup_len
- [REVERT] undo the stick-table string key lookup fixes
- [MINOR] http: improve url_param pattern extraction to ignore empty values
- [BUILD] frontend: shut a warning with TCP_MAXSEG
- [BUG] http: update the header list's tail when removing the last header
- [DOC] fix minor typo in the proxy protocol doc
- [DOC] fix typos (http-request instead of http-check)
- [BUG] http: use correct ACL pointer when evaluating authentication
- [BUG] cfgparse: correctly count one socket per port in ranges
- [BUG] startup: set the rlimits before binding ports, not after.
- [BUG] acl: srv_id must return no match when the server is NULL
- [MINOR] acl: add ability to check for internal response-only parameters
- [MINOR] acl: srv_id is only valid in responses
- [MINOR] config: warn if response-only conditions are used in "redirect" rules
- [BUG] acl: fd leak when reading patterns from file
- [DOC] fix minor typo in "usesrc"
- [BUG] http: fix possible incorrect forwarded wrapping chunk size
- [BUG] http: fix computation of message body length after forwarding has started
- [BUG] http: balance url_param did not work with first parameters on POST
- [TESTS] update the url_param regression test to test check_post too
- [DOC] update ROADMAP
- [DOC] internal: reflect the fact that SI_ST_ASS is transient
- [BUG] config: don't crash on empty pattern files.
- [MINOR] stream_interface: make use of an applet descriptor for IO handlers
- [REORG] stream_interface: move the st0, st1 and private members to the applet
- [REORG] stream_interface: split the struct members in 3 parts
- [REORG] session: move client and server address to the stream interface
- [REORG] tcp: make tcpv4_connect_server() take the target address from the SI
- [MEDIUM] stream_interface: store the target pointer and type
- [CLEANUP] stream_interface: remove the applet.handler pointer
- [MEDIUM] log: take the logged server name from the stream interface
- [CLEANUP] session: remove data_source from struct session
- [CLEANUP] stats: make all dump functions only rely on the stream interface
- [REORG] session: move the data_ctx struct to the stream interface's applet
- [MINOR] proxy: add PR_O2_DISPATCH to detect dispatch mode
- [MINOR] cfgparse: only keep one of dispatch, transparent, http_proxy
- [MINOR] session: add a pointer to the new target into the session
- [MEDIUM] session: remove s->prev_srv which is not needed anymore
- [CLEANUP] stream_interface: use inline functions to manipulate targets
- [MAJOR] session: remove the ->srv pointer from struct session
- [MEDIUM] stats: split frontend and backend stats
- [MEDIUM] http: always evaluate http-request rules before stats http-request
- [REORG] http: move the http-request rules to proto_http
- [BUG] http: stats were not incremented on http-request deny
- [MINOR] checks: report it if checks fail due to socket creation error
Bryan Talbot reported that POST requests with a query string were not
correctly processed if the hash parameter was the first one, because
the delimiter that was looked for to trigger the parsing was '&' instead
of '?'.
Also, while checking the code, it became apparent that it was enough for
a query string to be present in the request for POST parameters to be
ignored, even if the url_param was in the body and not in the URL.
The code has then been fixed like this :
1) look for URL param. If found, return it.
2) if no URL param was found and method is POST, then look it up into
the body
The code now seems to pass all request combinations.
This patch must be backported to 1.4 since 1.4 is equally broken right now.
Some browsers send POST requests in several packets, which was not supported
by the "stats admin" function.
This patch allows to wait for more data when they are not fully received
(we are still limited to a certain size defined by the buffer size minus its
reserved space).
It also adds support for the "Expect: 100-Continue" header.
I have written a small patch to enable a correct PostgreSQL health check
It works similar to mysql-check with the very same parameters.
E.g.:
listen pgsql 127.0.0.1:5432
mode tcp
option pgsql-check user pgsql
server masterdb pgsql.server.com:5432 check inter 10000
One of the requirements we have is to run multiple instances of haproxy on a
single host; this is so that we can split the responsibilities (and change
permissions) between product teams. An issue we ran up against is how we
would distinguish between the logs generated by each instance. The solution
we came up with (please let me know if there is a better way) is to override
the application tag written to syslog. We can then configure syslog to write
these to different files.
I have attached a patch adding a global option 'log-tag' to override the
default syslog tag 'haproxy' (actually defaults to argv[0]).
By passing a negative value to the "mss" argument of "bind" lines, it
becomes possible to subtract this value to the MSS advertised by the
client, which results in segments smaller than advertised. The effect
is useful with some TCP stacks which ACK less often when segments are
not full, because they only ACK every other full segment as suggested
by RFC1122.
NOTE: currently this has no effect on Linux kernel 2.6, a kernel patch
is still required to change the MSS of established connections.
Haproxy does not include the hostname rather the IP of the machine in
the syslog headers it sends. Unfortunately this means that for each log
line rsyslog does a reverse dns on the client IP and in the case of
non-routable IPs one gets the public hostname not the internal one.
While this is valid according to RFC3164 as one might imagine this is
troublsome if you have some machines with public IPs, internal IPs, no
reverse DNS entries, etc and you want a standardized hostname based log
directory structure. The rfc says the preferred value is the hostname.
This patch adds a global "log-send-hostname" statement which accepts an
optional string to force the host name. If unset, the local host name
is used.
We've had several issues related to data transfers. First, if a
client aborted an upload before the server started to respond, it
would get a 502 followed by a 400. The same was true (in the other
way around) if the server suddenly aborted while the client was
uploading the data.
The flags reported in the logs were misleading. Request errors could
be reported while the transfer was stopped during the data phase. The
status codes could also be overwritten by a 400 eventhough the start
of the response was transferred to the client.
The stats were also wrong in case of data aborts. The server or the
client could sometimes be miscredited for being the author of the
abort depending on where the abort was detected. Some client aborts
could also be accounted as request errors and some server aborts as
response errors.
Now it seems like all such issues are fixed. Since we don't have a
specific state for data flowing from the client to the server
before the server responds, we're still counting the client aborted
transfers as "CH", and they become "CD" when the server starts to
respond. Ideally a "P" state would be desired.
This patch should be backported to 1.4.
Using haproxy in multi-process mode (nbproc > 1), some features can be
not fully compatible or not work at all. haproxy will now display a warning on
startup for :
- appsession
- sticking rules
- stats / stats admin
- stats socket
- peers (fatal error in that case)
During the documentation of the "ignore-persist" keyword, I documented an
invalid "option ignore-persist" and forgot to remove it. It's time to fix it.
When the number of servers is a multiple of the size of the input set,
map-based hash can be inefficient. This typically happens with 64
servers when doing URI hashing. The "avalanche" hash-type applies an
avalanche hash before performing a map lookup in order to smooth the
distribution. The result is slightly less smooth than the map for small
numbers of servers, but still better than the consistent hashing.
Released version 1.5-dev3 with the following main changes :
- [DOC] fix http-request documentation
- [MEDIUM] enable/disable servers from the stats web interface
- [MEDIUM] stats: add an admin level
- [DOC] stats: document the "stats admin" statement
- [MINOR] startup: print the proxy socket which caused an error
- [CLEANUP] Remove unneeded chars allocation
- [MINOR] config: detect options not supported due to compilation options
- [MINOR] Add pattern's fetchs payload and payload_lv
- [MINOR] frontend: improve accept-proxy header parsing
- [MINOR] frontend: add tcpv6 support on accept-proxy bind
- [MEDIUM] Enhance message errors management on binds
- [MINOR] Manage unix socket source field on logs
- [MINOR] Manage unix socket source field on session dump on sock stats
- [MINOR] Support of unix listener sockets for debug and log event messages on frontend.c
- [MINOR] Add some tests on sockets family for port remapping and mode transparent.
- [MINOR] Manage socket type unix for some logs
- [MINOR] Enhance controls of socket's family on acls and pattern fetch
- [MINOR] Support listener's sockets unix on http logs.
- [MEDIUM] Add supports of bind on unix sockets.
- [BUG] stick table purge failure if size less than 255
- [BUG] stick table entries expire on counters updates/read or show table, even if there is no "expire" parameter
- [MEDIUM] Implement tcp inspect response rules
- [DOC] tcp-response content and inspect
- [MINOR] new acls fetch req_ssl_hello_type and rep_ssl_hello_type
- [DOC] acls rep_ssl_hello and req_ssl_hello
- [MEDIUM] Create new protected pattern types CONSTSTRING and CONSTDATA to force memcpy if data from protected areas need to be manipulated.
- [DOC] new type binary in stick-table
- [DOC] stick store-response and new patterns payload and payload_lv
- [MINOR] Manage all types (ip, integer, string, binary) on cli "show table" command
- [MEDIUM] Create updates tree on stick table to manage sync.
- [MAJOR] Add new files src/peer.c, include/proto/peers.h and include/types/peers.h for sync stick table management
- [MEDIUM] Manage peers section parsing and stick table registration on peers.
- [MEDIUM] Manage soft stop on peers proxy
- [DOC] add documentation for peers section
- [MINOR] checks: add support for LDAPv3 health checks
- [MINOR] add better support to "mysql-check"
- [BUG] Restore info about available active/backup servers
- [CONTRIB] Update haproxy.pl
- [CONTRIB] Update Cacti Tempates
- [CONTRIB] add templates for Cacti.
- [BUG] http: don't consider commas as a header delimitor within quotes
- [MINOR] support a global jobs counter
- [DOC] add a summary about cookie incompatibilities between specs and browsers
- [DOC] fix description of cookie "insert" and "indirect" modes
- [MEDIUM] http: fix space handling in the request cookie parser
- [MEDIUM] http: fix space handling in the response cookie parser
- [DOC] fix typo in the queue() definition (backend, not frontend)
- [BUG] deinit: unbind listeners before freeing them
- [BUG] stream_interface: only call si->release when both dirs are closed
- [MEDIUM] buffers: rework the functions to exchange between SI and buffers
- [DOC] fix typo in the avg_queue() and be_conn() definition (backend, not frontend)
- [MINOR] halog: add '-tc' to sort by termination codes
- [MINOR] halog: skip non-traffic logs for -st and -tc
- [BUG] stream_sock: cleanly disable the listener in case of resource shortage
- [BUILD] stream_sock: previous fix lacked the #include, causing a warning.
- [DOC] bind option is "defer-accept", not "defer_accept"
- [DOC] missing index entry for http-check send-state
- [DOC] tcp-request inspect-delay is for backends too
- [BUG] ebtree: string_equal_bits() could return garbage on identical strings
- [BUG] stream_sock: try to flush any extra pending request data after a POST
- [BUILD] proto_http: eliminate some build warnings with gcc-2.95
- [MEDIUM] make it possible to combine http-pretend-keepalived with httpclose
- [MEDIUM] tcp-request : don't wait for inspect-delay to expire when the buffer is full
- [MEDIUM] checks: add support for HTTP contents lookup
- [TESTS] add test-check-expect to test various http-check methods
- [MINOR] global: add "tune.chksize" to change the default check buffer size
- [MINOR] cookie: add options "maxidle" and "maxlife"
- [MEDIUM] cookie: support client cookies with some contents appended to their value
- [MINOR] http: make some room in the transaction flags to extend cookies
- [MINOR] cookie: add the expired (E) and old (O) flags for request cookies
- [MEDIUM] cookie: reassign set-cookie status flags to store more states
- [MINOR] add encode/decode function for 30-bit integers from/to base64
- [MEDIUM] cookie: check for maxidle and maxlife for incoming dated cookies
- [MEDIUM] cookie: set the date in the cookie if needed
- [DOC] document the cookie maxidle and maxlife parameters
- [BUG] checks: don't log backend down for all zero-weight servers
- [MEDIUM] checks: set server state to one state from failure when leaving maintenance
- [BUG] config: report correct keywords for "observe"
- [MINOR] checks: ensure that we can inherit binary checks from the defaults section
- [MINOR] acl: add the http_req_first match
- [DOC] fix typos about bind-process syntax
- [BUG] cookie: correctly unset default cookie parameters
- [MINOR] cookie: add support for the "preserve" option
- [BUG] ebtree: fix duplicate strings insertion
- [CONTRIB] halog: report per-url counts, errors and times
- [CONTRIB] halog: minor speed improvement in timer parser
- [MINOR] buffers: add a new request analyser flag for PROXY mode
- [MINOR] listener: add the "accept-proxy" option to the "bind" keyword
- [MINOR] standard: add read_uint() to parse a delimited unsigned integer
- [MINOR] standard: change arg type from const char* to char*
- [MINOR] frontend: add a new analyser to parse a proxied connection
- [MEDIUM] session: call the frontend_decode_proxy analyser on proxied connections
- [DOC] add the proxy protocol's specifications
- [DOC] document the 'accept-proxy' bind option
- [MINOR] cfgparse: report support of <path> for the 'bind' statements
- [DOC] add references to unix socket handling
- [MINOR] move MAXPATHLEN definition to compat.h
- [MEDIUM] unix sockets: cleanup the error reporting path
- [BUG] session: don't stop forwarding of data upon last packet
- [CLEANUP] accept: replace some inappropriate Alert() calls with send_log()
- [BUILD] peers: shut a printf format warning (key_size is a size_t)
- [BUG] accept: don't close twice upon error
- [OPTIM] session: don't recheck analysers when buffer flags have not changed
- [OPTIM] stream_sock: don't clear FDs that are already cleared
- [BUG] proto_tcp: potential bug on pattern fetch dst and dport
This option makes haproxy preserve any persistence cookie emitted by
the server, which allows the server to change it or to unset it, for
instance, after a logout request.
(cherry picked from commit 52e6d75374c7900c1fe691c5633b4ae029cae8d5)
This match returns true when the request calling it is the first one of
a connection.
(cherry picked from commit 922ca979c50653c415852531f36fe409190ad76b)
The MySQL check has been revamped to be able to send real MySQL data,
and to avoid Aborted connects on MySQL side.
It is however backward compatible with older version, but it is highly
recommended to use the new mode, by adding "user <username>" on the
"mysql-check" line.
The new check consists in sending two MySQL packet, one Client
Authentication packet, with "haproxy" username (by default), and one
QUIT packet, to correctly close MySQL session. We then parse the Mysql
Handshake Initialisation packet and/or Error packet. It is a basic but
useful test which does not produce error nor aborted connect on the
server.
(cherry picked from commit a1e4dcfe5718311b7653d7dabfad65c005d0439b)
- fix some erroneous keywords for http-request
- stats http-request was not documented
--
Cyril Bonté
(cherry picked from commit 17e07dad5074571c38cbeb92d54a20f83658449d)
HTTP content-based health checks will be involved in searching text in pages.
Some pages may not fit in the default buffer (16kB) and sometimes it might be
desired to have larger buffers in order to find patterns. Running checks on
smaller URIs is always preferred of course.
(cherry picked from commit 043f44aeb835f3d0b57626c4276581a73600b6b1)
This patch adds the "http-check expect [r]{string,status}" statements
which enable health checks based on whether the response status or body
to an HTTP request contains a string or matches a regex.
This probably is one of the oldest patches that remained unmerged. Over
the time, several people have contributed to it, among which FinalBSD
(first and second implementations), Nick Chalk (port to 1.4), Anze
Skerlavaj (tests and fixes), Cyril Bonté (general fixes), and of course
myself for the final fixes and doc during integration.
Some people already use an old version of this patch which has several
issues, among which the inability to search for a plain string that is
not at the beginning of the data, and the inability to look for response
contents that are provided in a second and subsequent recv() calls. But
since some configs are already deployed, it was quite important to ensure
a 100% compatible behaviour on the working cases.
Thus, that patch fixes the issues while maintaining config compatibility
with already deployed versions.
(cherry picked from commit b507c43a3ce9a8e8e4b770e52e4edc20cba4c37f)
This patch provides a new "option ldap-check" statement to enable
server health checks based on LDAPv3 bind requests.
(cherry picked from commit b76b44c6fed8a7ba6f0f565dd72a9cb77aaeca7c)
Some configs may involve httpclose in a frontend and http-pretend-keepalive
in a backend. httpclose used to take priority over keepalive, thus voiding
its effect. This change ensures that when both are combined, keepalive is
still announced to the server while close is announced to the client.
(cherry picked from commit 2be7ec90fa9caf66294f446423bbab2d00db9004)
