---------------------- HAProxy Configuration Manual ---------------------- version 1.3.15 willy tarreau 2008/04/19 This document covers the configuration language as implemented in the version specified above. It does not provide any hint, example or advice. For such documentation, please refer to the Reference Manual or the Architecture Manual. Note to documentation contributors : this document is formated with 80 columns per line, with even number of spaces for indentation and without tabs. Please follow these rules strictly so that it remains easily printable everywhere. If a line needs to be printed verbatim and does not fit, please end each line with a backslash ('\') and continue on next line. HAProxy's configuration process involves 3 major sources of parameters : - the arguments from the command-line, which always take precedence - the "global" section, which sets process-wide parameters - the proxies sections which can take form of "defaults", "listen", "frontend" and "backend". The configuration file syntax consists in lines beginning with a keyword referenced in this manual, optionally followed by one or several parameters delimited by spaces. If spaces have to be entered in strings, then they must be preceeded by a backslash ('\') to be escaped. Backslashes also have to be escaped by doubling them. Some parameters involve values representating time, such as timeouts. These values are generally expressed in milliseconds (unless explicitly stated otherwise) but may be expressed in any other unit by suffixing the unit to the numeric value. It is important to consider this because it will not be repeated for every keyword. Supported units are : - us : microseconds. 1 microsecond = 1/1000000 second - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default. - s : seconds. 1s = 1000ms - m : minutes. 1m = 60s = 60000ms - h : hours. 1h = 60m = 3600s = 3600000ms - d : days. 1d = 24h = 1440m = 86400s = 86400000ms 1. Global parameters -------------------- Parameters in the "global" section are process-wide and often OS-specific. They are generally set once for all and do not need being changed once correct. Some of them have command-line equivalents. The following keywords are supported in the "global" section : * Process management and security - chroot - daemon - gid - group - log - nbproc - pidfile - uid - ulimit-n - user - stats * Performance tuning - maxconn - noepoll - nokqueue - nopoll - nosepoll - spread-checks - tune.maxaccept - tune.maxpollevents * Debugging - debug - quiet 1.1) Process management and security ------------------------------------ chroot Changes current directory to and performs a chroot() there before dropping privileges. This increases the security level in case an unknown vulnerability would be exploited, since it would make it very hard for the attacker to exploit the system. This only works when the process is started with superuser privileges. It is important to ensure that is both empty and unwritable to anyone. daemon Makes the process fork into background. This is the recommended mode of operation. It is equivalent to the command line "-D" argument. It can be disabled by the command line "-db" argument. gid Changes the process' group ID to . It is recommended that the group ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must be started with a user belonging to this group, or with superuser privileges. See also "group" and "uid". group Similar to "gid" but uses the GID of group name from /etc/group. See also "gid" and "user". log
[max level] Adds a global syslog server. Up to two global servers can be defined. They will receive logs for startups and exits, as well as all logs from proxies configured with "log global".
can be one of: - An IPv4 address optionally followed by a colon and a UDP port. If no port is specified, 514 is used by default (the standard syslog port). - A filesystem path to a UNIX domain socket, keeping in mind considerations for chroot (be sure the path is accessible inside the chroot) and uid/gid (be sure the path is appropriately writeable). must be one of the 24 standard syslog facilities : kern user mail daemon auth syslog lpr news uucp cron auth2 ftp ntp audit alert cron2 local0 local1 local2 local3 local4 local5 local6 local7 An optional level can be specified to filter outgoing messages. By default, all messages are sent. If a level is specified, only messages with a severity at least as important as this level will be sent. 8 levels are known : emerg alert crit err warning notice info debug nbproc Creates processes when going daemon. This requires the "daemon" mode. By default, only one process is created, which is the recommended mode of operation. For systems limited to small sets of file descriptors per process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon". pidfile Writes pids of all daemons into file . This option is equivalent to the "-p" command line argument. The file must be accessible to the user starting the process. See also "daemon". stats socket [{uid | user} ] [{gid | group} ] [mode ] Creates a UNIX socket in stream mode at location . Any previously existing socket will be backed up then replaced. Connections to this socket will get a CSV-formated output of the process statistics in response to the "show stat" command followed by a line feed, and more general process information in response to the "show info" command followed by a line feed. On platforms which support it, it is possible to restrict access to this socket by specifying numerical IDs after "uid" and "gid", or valid user and group names after the "user" and "group" keywords. It is also possible to restrict permissions on the socket by passing an octal value after the "mode" keyword (same syntax as chmod). Depending on the platform, the permissions on the socket will be inherited from the directory which hosts it, or from the user the process is started with. stats timeout The default timeout on the stats socket is set to 10 seconds. It is possible to change this value with "stats timeout". The value must be passed in milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }. stats maxconn By default, the stats socket is limited to 10 concurrent connections. It is possible to change this value with "stats maxconn". uid Changes the process' user ID to . It is recommended that the user ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must be started with superuser privileges in order to be able to switch to another one. See also "gid" and "user". ulimit-n Sets the maximum number of per-process file-descriptors to . By default, it is automatically computed, so it is recommended not to use this option. user Similar to "uid" but uses the UID of user name from /etc/passwd. See also "uid" and "group". 1.2) Performance tuning ----------------------- maxconn Sets the maximum per-process number of concurrent connections to . It is equivalent to the command-line argument "-n". Proxies will stop accepting connections when this limit is reached. The "ulimit-n" parameter is automatically adjusted according to this value. See also "ulimit-n". noepoll Disables the use of the "epoll" event polling system on Linux. It is equivalent to the command-line argument "-de". The next polling system used will generally be "poll". See also "nosepoll", and "nopoll". nokqueue Disables the use of the "kqueue" event polling system on BSD. It is equivalent to the command-line argument "-dk". The next polling system used will generally be "poll". See also "nopoll". nopoll Disables the use of the "poll" event polling system. It is equivalent to the command-line argument "-dp". The next polling system used will be "select". It should never be needed to disable "poll" since it's available on all platforms supported by HAProxy. See also "nosepoll", and "nopoll" and "nokqueue". nosepoll Disables the use of the "speculative epoll" event polling system on Linux. It is equivalent to the command-line argument "-ds". The next polling system used will generally be "epoll". See also "nosepoll", and "nopoll". spread-checks <0..50, in percent> Sometimes it is desirable to avoid sending health checks to servers at exact intervals, for instance when many logical servers are located on the same physical server. With the help of this parameter, it becomes possible to add some randomness in the check interval between 0 and +/- 50%. A value between 2 and 5 seems to show good results. The default value remains at 0. tune.maxaccept Sets the maximum number of consecutive accepts that a process may perform on a single wake up. High values give higher priority to high connection rates, while lower values give higher priority to already established connections. This value is unlimited by default in single process mode. However, in multi-process mode (nbproc > 1), it defaults to 8 so that when one process wakes up, it does not take all incoming connections for itself and leaves a part of them to other processes. Setting this value to zero or less disables the limitation. It should normally not be needed to tweak this value. tune.maxpollevents Sets the maximum amount of events that can be processed at once in a call to the polling system. The default value is adapted to the operating system. It has been noticed that reducing it below 200 tends to slightly decrease latency at the expense of network bandwidth, and increasing it above 200 tends to trade latency for slightly increased bandwidth. 1.3) Debugging --------------- debug Enables debug mode which dumps to stdout all exchanges, and disables forking into background. It is the equivalent of the command-line argument "-d". It should never be used in a production configuration since it may prevent full system startup. quiet Do not display any message during startup. It is equivalent to the command- line argument "-q". 2) Proxies ---------- Proxy configuration can be located in a set of sections : - defaults - frontend - backend - listen A "defaults" section sets default parameters for all other sections following its declaration. Those default parameters are reset by the next "defaults" section. See below for the list of parameters which can be set in a "defaults" section. The name is optional but its use is encouraged for better readability. A "frontend" section describes a set of listening sockets accepting client connections. A "backend" section describes a set of servers to which the proxy will connect to forward incoming connections. A "listen" section defines a complete proxy with its frontend and backend parts combined in one section. It is generally useful for TCP-only traffic. All proxy names must be formed from upper and lower case letters, digits, '-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive, which means that "www" and "WWW" are two different proxies. Historically, all proxy names could overlap, it just caused troubles in the logs. Since the introduction of content switching, it is mandatory that two proxies with overlapping capabilities (frontend/backend) have different names. However, it is still permitted that a frontend and a backend share the same name, as this configuration seems to be commonly encountered. Right now, two major proxy modes are supported : "tcp", also known as layer 4, and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards bidirectionnal traffic between two sides. In layer 7 mode, HAProxy analyzes the protocol, and can interact with it by allowing, blocking, switching, adding, modifying, or removing arbitrary contents in requests or responses, based on arbitrary criteria. 2.1) Quick reminder about HTTP ------------------------------ When a proxy is running in HTTP mode, both the request and the response are fully analyzed and indexed, thus it becomes possible to build matching criteria on almost anything found in the contents. However, it is important to understand how HTTP requests and responses are formed, and how HAProxy decomposes them. It will then become easier to write correct rules and to debug existing configurations. 2.1.1) The HTTP transaction model --------------------------------- The HTTP protocol is transaction-driven. This means that each request will lead to one and only one response. Traditionnally, a TCP connection is established from the client to the server, a request is sent by the client on the connection, the server responds and the connection is closed. A new request will involve a new connection : [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ... In this mode, called the "HTTP close" mode, there are as many connection establishments as there are HTTP transactions. Since the connection is closed by the server after the response, the client does not need to know the content length. Due to the transactional nature of the protocol, it was possible to improve it to avoid closing a connection between two subsequent transactions. In this mode however, it is mandatory that the server indicates the content length for each response so that the client does not wait indefinitely. For this, a special header is used: "Content-length". This mode is called the "keep-alive" mode : [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ... Its advantages are a reduced latency between transactions, and less processing power required on the server side. It is generally better than the close mode, but not always because the clients often limit their concurrent connections to a smaller value. HAProxy currently does not support the HTTP keep-alive mode, but knows how to transform it to the close mode. A last improvement in the communications is the pipelining mode. It still uses keep-alive, but the client does not wait for the first response to send the second request. This is useful for fetching large number of images composing a page : [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ... This can obviously have a tremendous benefit on performance because the network latency is eliminated between subsequent requests. Many HTTP agents do not correctly support pipelining since there is no way to associate a response with the corresponding request in HTTP. For this reason, it is mandatory for the server to reply in the exact same order as the requests were received. Right now, HAProxy only supports the first mode (HTTP close) if it needs to process the request. This means that for each request, there will be one TCP connection. If keep-alive or pipelining are required, HAProxy will still support them, but will only see the first request and the first response of each transaction. While this is generally problematic with regards to logs, content switching or filtering, it most often causes no problem for persistence with cookie insertion. 2.1.2) HTTP request ------------------- First, let's consider this HTTP request : Line Contents number 1 GET /serv/login.php?lang=en&profile=2 HTTP/1.1 2 Host: www.mydomain.com 3 User-agent: my small browser 4 Accept: image/jpeg, image/gif 5 Accept: image/png 2.1.2.1) The Request line ------------------------- Line 1 is the "request line". It is always composed of 3 fields : - a METHOD : GET - a URI : /serv/login.php?lang=en&profile=2 - a version tag : HTTP/1.1 All of them are delimited by what the standard calls LWS (linear white spaces), which are commonly spaces, but can also be tabs or line feeds/carriage returns followed by spaces/tabs. The method itself cannot contain any colon (':') and is limited to alphabetic letters. All those various combinations make it desirable that HAProxy performs the splitting itself rather than leaving it to the user to write a complex or inaccurate regular expression. The URI itself can have several forms : - A "relative URI" : /serv/login.php?lang=en&profile=2 It is a complete URL without the host part. This is generally what is received by servers, reverse proxies and transparent proxies. - An "absolute URI", also called a "URL" : http://192.168.0.12:8080/serv/login.php?lang=en&profile=2 It is composed of a "scheme" (the protocol name followed by '://'), a host name or address, optionally a colon (':') followed by a port number, then a relative URI beginning at the first slash ('/') after the address part. This is generally what proxies receive, but a server supporting HTTP/1.1 must accept this form too. - a star ('*') : this form is only accepted in association with the OPTIONS method and is not relayable. It is used to inquiry a next hop's capabilities. - an address:port combination : 192.168.0.12:80 This is used with the CONNECT method, which is used to establish TCP tunnels through HTTP proxies, generally for HTTPS, but sometimes for other protocols too. In a relative URI, two sub-parts are identified. The part before the question mark is called the "path". It is typically the relative path to static objects on the server. The part after the question mark is called the "query string". It is mostly used with GET requests sent to dynamic scripts and is very specific to the language, framework or application in use. 2.1.2.2) The request headers ---------------------------- The headers start at the second line. They are composed of a name at the beginning of the line, immediately followed by a colon (':'). Traditionally, an LWS is added after the colon but that's not required. Then come the values. Multiple identical headers may be folded into one single line, delimiting the values with commas, provided that their order is respected. This is commonly encountered in the "Cookie:" field. A header may span over multiple lines if the subsequent lines begin with an LWS. In the example in 2.1.2, lines 4 and 5 define a total of 3 values for the "Accept:" header. Contrary to a common mis-conception, header names are not case-sensitive, and their values are not either if they refer to other header names (such as the "Connection:" header). The end of the headers is indicated by the first empty line. People often say that it's a double line feed, which is not exact, even if a double line feed is one valid form of empty line. Fortunately, HAProxy takes care of all these complex combinations when indexing headers, checking values and counting them, so there is no reason to worry about the way they could be written, but it is important not to accuse an application of being buggy if it does unusual, valid things. Important note: As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks in the middle of headers by LWS in order to join multi-line headers. This is necessary for proper analysis and helps less capable HTTP parsers to work correctly and not to be fooled by such complex constructs. 2.1.3) HTTP response -------------------- An HTTP response looks very much like an HTTP request. Both are called HTTP messages. Let's consider this HTTP response : Line Contents number 1 HTTP/1.1 200 OK 2 Content-length: 350 3 Content-Type: text/html 2.1.3.1) The Response line -------------------------- Line 1 is the "response line". It is always composed of 3 fields : - a version tag : HTTP/1.1 - a status code : 200 - a reason : OK The status code is always 3-digit. The first digit indicates a general status : - 2xx = OK, content is following (eg: 200, 206) - 3xx = OK, no content following (eg: 302, 304) - 4xx = error caused by the client (eg: 401, 403, 404) - 5xx = error caused by the server (eg: 500, 502, 503) Please refer to RFC2616 for the detailed meaning of all such codes. The "reason" field is just a hint, but is not parsed by clients. Anything can be found there, but it's a common practice to respect the well-established messages. It can be composed of one or multiple words, such as "OK", "Found", or "Authentication Required". 2.1.3.2) The response headers ----------------------------- Response headers work exactly like request headers, and as such, HAProxy uses the same parsing function for both. Please refer to paragraph 2.1.2.2 for more details. 2.2) Proxy keywords matrix ---------------------------- The following list of keywords is supported. Most of them may only be used in a limited set of section types. Some of them are marked as "deprecated" because they are inherited from an old syntax which may be confusing or functionally limited, and there are new recommended keywords to replace them. Keywords listed with [no] can be optionally inverted using the "no" prefix, ex. "no option contstats". This makes sense when the option has been enabled by default and must be disabled for a specific instance. keyword defaults frontend listen backend ----------------------+----------+----------+---------+--------- acl - X X X appsession - - X X backlog X X X - balance X - X X bind - X X - block - X X X capture cookie - X X - capture request header - X X - capture response header - X X - clitimeout X X X - (deprecated) contimeout X - X X (deprecated) cookie X - X X default_backend - X X - disabled X X X X dispatch - - X X enabled X X X X errorfile X X X X errorloc X X X X errorloc302 X X X X errorloc303 X X X X fullconn X - X X grace - X X X http-check disable-on-404 X - X X log X X X X maxconn X X X - mode X X X X monitor fail - X X - monitor-net X X X - monitor-uri X X X - [no] option abortonclose X - X X [no] option allbackups X - X X [no] option checkcache X - X X [no] option clitcpka X X X - [no] option contstats X X X - [no] option dontlognull X X X - [no] option forceclose X - X X option forwardfor X X X X [no] option http_proxy X X X X option httpchk X - X X [no] option httpclose X X X X option httplog X X X X [no] option logasap X X X - [no] option nolinger X X X X [no] option persist X - X X [no] option redispatch X - X X option smtpchk X - X X [no] option srvtcpka X - X X option ssl-hello-chk X - X X option tcpka X X X X option tcplog X X X X [no] option tcpsplice X X X X [no] option transparent X X X - redisp X - X X (deprecated) redispatch X - X X (deprecated) reqadd - X X X reqallow - X X X reqdel - X X X reqdeny - X X X reqiallow - X X X reqidel - X X X reqideny - X X X reqipass - X X X reqirep - X X X reqisetbe - X X X reqitarpit - X X X reqpass - X X X reqrep - X X X reqsetbe - X X X reqtarpit - X X X retries X - X X rspadd - X X X rspdel - X X X rspdeny - X X X rspidel - X X X rspideny - X X X rspirep - X X X rsprep - X X X server - - X X source X - X X srvtimeout X - X X (deprecated) stats auth X - X X stats enable X - X X stats realm X - X X stats refresh X - X X stats scope X - X X stats uri X - X X stats hide-version X - X X timeout check X - X X timeout client X X X - timeout clitimeout X X X - (deprecated) timeout connect X - X X timeout contimeout X - X X (deprecated) timeout http-request X X X - timeout queue X - X X timeout server X - X X timeout srvtimeout X - X X (deprecated) timeout tarpit X X X X transparent X X X - (deprecated) use_backend - X X - ----------------------+----------+----------+---------+--------- keyword defaults frontend listen backend 2.2.1) Alphabetically sorted keywords reference ----------------------------------------------- This section provides a description of each keyword and its usage. acl [flags] [operator] ... Declare or complete an access list. May be used in sections : defaults | frontend | listen | backend no | yes | yes | yes Example: acl invalid_src src 0.0.0.0/7 224.0.0.0/3 acl invalid_src src_port 0:1023 acl local_dst hdr(host) -i localhost See section 2.3 about ACL usage. appsession len timeout Define session stickiness on an existing application cookie. May be used in sections : defaults | frontend | listen | backend no | no | yes | yes Arguments : this is the name of the cookie used by the application and which HAProxy will have to learn for each new session. this is the number of characters that will be memorized and checked in each cookie value. this is the time after which the cookie will be removed from memory if unused. If no unit is specified, this time is in milliseconds. When an application cookie is defined in a backend, HAProxy will check when the server sets such a cookie, and will store its value in a table, and associate it with the server's identifier. Up to characters from the value will be retained. On each connection, haproxy will look for this cookie both in the "Cookie:" headers, and as a URL parameter in the query string. If a known value is found, the client will be directed to the server associated with this value. Otherwise, the load balancing algorithm is applied. Cookies are automatically removed from memory when they have been unused for a duration longer than . The definition of an application cookie is limited to one per backend. Example : appsession JSESSIONID len 52 timeout 3h See also : "cookie", "capture cookie" and "balance". backlog Give hints to the system about the approximate listen backlog desired size May be used in sections : defaults | frontend | listen | backend yes | yes | yes | no Arguments : is the number of pending connections. Depending on the operating system, it may represent the number of already acknowledged connections, of non-acknowledged ones, or both. In order to protect against SYN flood attacks, one solution is to increase the system's SYN backlog size. Depending on the system, sometimes it is just tunable via a system parameter, sometimes it is not adjustable at all, and sometimes the system relies on hints given by the application at the time of the listen() syscall. By default, HAProxy passes the frontend's maxconn value to the listen() syscall. On systems which can make use of this value, it can sometimes be useful to be able to specify a different value, hence this backlog parameter. On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is used as a hint and the system accepts up to the smallest greater power of two, and never more than some limits (usually 32768). See also : "maxconn" and the target operating system's tuning guide. balance [ ] balance url_param [check_post []] Define the load balancing algorithm to be used in a backend. May be used in sections : defaults | frontend | listen | backend yes | no | yes | yes Arguments : is the algorithm used to select a server when doing load balancing. This only applies when no persistence information is available, or when a connection is redispatched to another server. may be one of the following : roundrobin Each server is used in turns, according to their weights. This is the smoothest and fairest algorithm when the server's processing time remains equally distributed. This algorithm is dynamic, which means that server weights may be adjusted on the fly for slow starts for instance. leastconn The server with the lowest number of connections receives the connection. Round-robin is performed within groups of servers of the same load to ensure that all servers will be used. Use of this algorithm is recommended where very long sessions are expected, such as LDAP, SQL, TSE, etc... but is not very well suited for protocols using short sessions such as HTTP. This algorithm is dynamic, which means that server weights may be adjusted on the fly for slow starts for instance. source The source IP address is hashed and divided by the total weight of the running servers to designate which server will receive the request. This ensures that the same client IP address will always reach the same server as long as no server goes down or up. If the hash result changes due to the number of running servers changing, many clients will be directed to a different server. This algorithm is generally used in TCP mode where no cookie may be inserted. It may also be used on the Internet to provide a best-effort stickyness to clients which refuse session cookies. This algorithm is static, which means that changing a server's weight on the fly will have no effect. uri The left part of the URI (before the question mark) is hashed and divided by the total weight of the running servers. The result designates which server will receive the request. This ensures that a same URI will always be directed to the same server as long as no server goes up or down. This is used with proxy caches and anti-virus proxies in order to maximize the cache hit rate. Note that this algorithm may only be used in an HTTP backend. This algorithm is static, which means that changing a server's weight on the fly will have no effect. url_param The URL parameter specified in argument will be looked up in the query string of each HTTP GET request. If the modifier "check_post" is used, then an HTTP POST request entity will be searched for the parameter argument, when the question mark indicating a query string ('?') is not present in the URL. Optionally, specify a number of octets to wait for before attempting to search the message body. If the entity can not be searched, then round robin is used for each request. For instance, if your clients always send the LB parameter in the first 128 bytes, then specify that. The default is 48. The entity data will not be scanned until the required number of octets have arrived at the gateway, this is the minimum of: (default/max_wait, Content-Length or first chunk length). If Content-Length is missing or zero, it does not need to wait for more data than the client promised to send. When Content-Length is present and larger than , then waiting is limited to and it is assumed that this will be enough data to search for the presence of the parameter. In the unlikely event that Transfer-Encoding: chunked is used, only the first chunk is scanned. Parameter values separated by a chunk boundary, may be randomly balanced if at all. If the parameter is found followed by an equal sign ('=') and a value, then the value is hashed and divided by the total weight of the running servers. The result designates which server will receive the request. This is used to track user identifiers in requests and ensure that a same user ID will always be sent to the same server as long as no server goes up or down. If no value is found or if the parameter is not found, then a round robin algorithm is applied. Note that this algorithm may only be used in an HTTP backend. This algorithm is static, which means that changing a server's weight on the fly will have no effect. is an optional list of arguments which may be needed by some algorithms. Right now, only the "url_param" algorithm supports an optional argument. balance url_param [check_post []] The definition of the load balancing algorithm is mandatory for a backend and limited to one per backend. Examples : balance roundrobin balance url_param userid balance url_param session_id check_post 64 Note: the following caveats and limitations on using the "check_post" extension with "url_param" must be considered : - all POST requests are eligable for consideration, because there is no way to determine if the parameters will be found in the body or entity which may contain binary data. Therefore another method may be required to restrict consideration of POST requests that have no URL parameters in the body. (see acl reqideny http_end) - using a value larger than the request buffer size does not make sense and is useless. The buffer size is set at build time, and defaults to 16 kB. - Content-Encoding is not supported, the parameter search will probably fail; and load balancing will fall back to Round Robin. - Expect: 100-continue is not supported, load balancing will fall back to Round Robin. - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk. If the entire parameter value is not present in the first chunk, the selection of server is undefined (actually, defined by how little actually appeared in the first chunk). - This feature does not support generation of a 100, 411 or 501 response. - In some cases, requesting "check_post" MAY attempt to scan the entire contents of a message body. Scaning normally terminates when linear white space or control characters are found, indicating the end of what might be a URL parameter list. This is probably not a concern with SGML type message bodies. See also : "dispatch", "cookie", "appsession", "transparent" and "http_proxy". bind [
]: [, ...] bind [
]: [, ...] transparent Define one or several listening addresses and/or ports in a frontend. May be used in sections : defaults | frontend | listen | backend no | yes | yes | no Arguments :
is optional and can be a host name, an IPv4 address, an IPv6 address, or '*'. It designates the address the frontend will listen on. If unset, all IPv4 addresses of the system will be listened on. The same will apply for '*' or the system's special address "0.0.0.0". is the TCP port number the proxy will listen on. The port is mandatory. Note that in the case of an IPv6 address, the port is always the number after the last colon (':'). transparent is an optional keyword which is supported only on certain Linux kernels. It indicates that the addresses will be bound even if they do not belong to the local machine. Any packet targetting any of these addresses will be caught just as if the address was locally configured. This normally requires that IP forwarding is enabled. Caution! do not use this with the default address '*', as it would redirect any traffic for the specified port. This keyword is available only when HAProxy is built with USE_LINUX_TPROXY=1. It is possible to specify a list of address:port combinations delimited by commas. The frontend will then listen on all of these addresses. There is no fixed limit to the number of addresses and ports which can be listened on in a frontend, as well as there is no limit to the number of "bind" statements in a frontend. Example : listen http_proxy bind :80,:443 bind 10.0.0.1:10080,10.0.0.1:10443 See also : "source". block { if | unless } Block a layer 7 request if/unless a condition is matched May be used in sections : defaults | frontend | listen | backend no | yes | yes | yes The HTTP request will be blocked very early in the layer 7 processing if/unless is matched. A 403 error will be returned if the request is blocked. The condition has to reference ACLs (see section 2.3). This is typically used to deny access to certain sensible resources if some conditions are met or not met. There is no fixed limit to the number of "block" statements per instance. Example: acl invalid_src src 0.0.0.0/7 224.0.0.0/3 acl invalid_src src_port 0:1023 acl local_dst hdr(host) -i localhost block if invalid_src || local_dst See section 2.3 about ACL usage. capture cookie len Capture and log a cookie in the request and in the response. May be used in sections : defaults | frontend | listen | backend no | yes | yes | no Arguments : is the beginning of the name of the cookie to capture. In order to match the exact name, simply suffix the name with an equal sign ('='). The full name will appear in the logs, which is useful with application servers which adjust both the cookie name and value (eg: ASPSESSIONXXXXX). is the maximum number of characters to report in the logs, which include the cookie name, the equal sign and the value, all in the standard "name=value" form. The string will be truncated on the right if it exceeds . Only the first cookie is captured. Both the "cookie" request headers and the "set-cookie" response headers are monitored. This is particularly useful to check for application bugs causing session crossing or stealing between users, because generally the user's cookies can only change on a login page. When the cookie was not presented by the client, the associated log column will report "-". When a request does not cause a cookie to be assigned by the server, a "-" is reported in the response column. The capture is performed in the frontend only because it is necessary that the log format does not change for a given frontend depending on the backends. This may change in the future. Note that there can be only one "capture cookie" statement in a frontend. The maximum capture length is configured in the souces by default to 64 characters. It is not possible to specify a capture in a "defaults" section. Example: capture cookie ASPSESSION len 32 See also : "capture request header", "capture response header" as well as section 2.6 about logging. capture request header len Capture and log the first occurrence of the specified request header. May be used in sections : defaults | frontend | listen | backend no | yes | yes | no Arguments : is the name of the header to capture. The header names are not case-sensitive, but it is a common practice to write them as they appear in the requests, with the first letter of each word in upper case. The header name will not appear in the logs, only the value is reported, but the position in the logs is respected. is the maximum number of characters to extract from the value and report in the logs. The string will be truncated on the right if it exceeds . Only the first value of the first occurrence of the header is captured. The value will be added to the logs between braces ('{}'). If multiple headers are captured, they will be delimited by a vertical bar ('|') and will appear in the same order they were declared in the configuration. Common uses for request header captures include the "Host" field in virtual hosting environments, the "Content-length" when uploads are supported, "User-agent" to quickly differenciate between real users and robots, and "X-Forwarded-For" in proxied environments to find where the request came from. There is no limit to the number of captured request headers, but each capture is limited to 64 characters. In order to keep log format consistent for a same frontend, header captures can only be declared in a frontend. It is not possible to specify a capture in a "defaults" section. Example: capture request header Host len 15 capture request header X-Forwarded-For len 15 capture request header Referrer len 15 See also : "capture cookie", "capture response header" as well as section 2.6 about logging. capture response header len Capture and log the first occurrence of the specified response header. May be used in sections : defaults | frontend | listen | backend no | yes | yes | no Arguments : is the name of the header to capture. The header names are not case-sensitive, but it is a common practice to write them as they appear in the response, with the first letter of each word in upper case. The header name will not appear in the logs, only the value is reported, but the position in the logs is respected. is the maximum number of characters to extract from the value and report in the logs. The string will be truncated on the right if it exceeds . Only the first value of the first occurrence of the header is captured. The result will be added to the logs between braces ('{}') after the captured request headers. If multiple headers are captured, they will be delimited by a vertical bar ('|') and will appear in the same order they were declared in the configuration. Common uses for response header captures include the "Content-length" header which indicates how many bytes are expected to be returned, the "Location" header to track redirections. There is no limit to the number of captured response headers, but each capture is limited to 64 characters. In order to keep log format consistent for a same frontend, header captures can only be declared in a frontend. It is not possible to specify a capture in a "defaults" section. Example: capture response header Content-length len 9 capture response header Location len 15 See also : "capture cookie", "capture request header" as well as section 2.6 about logging. clitimeout Set the maximum inactivity time on the client side. May be used in sections : defaults | frontend | listen | backend yes | yes | yes | no Arguments : is the timeout value is specified in milliseconds by default, but can be in any other unit if the number is suffixed by the unit, as explained at the top of this document. The inactivity timeout applies when the client is expected to acknowledge or send data. In HTTP mode, this timeout is particularly important to consider during the first phase, when the client sends the request, and during the response while it is reading data sent by the server. The value is specified in milliseconds by default, but can be in any other unit if the number is suffixed by the unit, as specified at the top of this document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly recommended that the client timeout remains equal to the server timeout in order to avoid complex situations to debug. It is a good practice to cover one or several TCP packet losses by specifying timeouts that are slightly above multiples of 3 seconds (eg: 4 or 5 seconds). This parameter is specific to frontends, but can be specified once for all in "defaults" sections. This is in fact one of the easiest solutions not to forget about it. An unspecified timeout results in an infinite timeout, which is not recommended. Such a usage is accepted and works but reports a warning during startup because it may results in accumulation of expired sessions in the system if the system's timeouts are not configured either. This parameter is provided for compatibility but is currently deprecated. Please use "timeout client" instead. See also : "timeout client", "timeout http-request", "timeout server", and "srvtimeout". contimeout Set the maximum time to wait for a connection attempt to a server to succeed. May be used in sections : defaults | frontend | listen | backend yes | no | yes | yes Arguments : is the timeout value is specified in milliseconds by default, but can be in any other unit if the number is suffixed by the unit, as explained at the top of this document. If the server is located on the same LAN as haproxy, the connection should be immediate (less than a few milliseconds). Anyway, it is a good practice to cover one or several TCP packet losses by specifying timeouts that are slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the connect timeout also presets the queue timeout to the same value if this one has not been specified. Historically, the contimeout was also used to set the tarpit timeout in a listen section, which is not possible in a pure frontend. This parameter is specific to backends, but can be specified once for all in "defaults" sections. This is in fact one of the easiest solutions not to forget about it. An unspecified timeout results in an infinite timeout, which is not recommended. Such a usage is accepted and works but reports a warning during startup because it may results in accumulation of failed sessions in the system if the system's timeouts are not configured either. This parameter is provided for backwards compatibility but is currently deprecated. Please use "timeout connect", "timeout queue" or "timeout tarpit" instead. See also : "timeout connect", "timeout queue", "timeout tarpit", "timeout server", "contimeout". cookie [ rewrite|insert|prefix ] [ indirect ] [ nocache ] [ postonly ] Enable cookie-based persistence in a backend. May be used in sections : defaults | frontend | listen | backend yes | no | yes | yes Arguments : is the name of the cookie which will be monitored, modified or inserted in order to bring persistence. This cookie is sent to the client via a "Set-Cookie" header in the response, and is brought back by the client in a "Cookie" header in all requests. Special care should be taken to choose a name which does not conflict with any likely application cookie. Also, if the same backends are subject to be used by the same clients (eg: HTTP/HTTPS), care should be taken to use different cookie names between all backends if persistence between them is not desired. rewrite This keyword indicates that the cookie will be provided by the server and that haproxy will have to modify its value to set the server's identifier in it. This mode is handy when the management of complex combinations of "Set-cookie" and "Cache-control" headers is left to the application. The application can then decide whether or not it is appropriate to emit a persistence cookie. Since all responses should be monitored, this mode only works in HTTP close mode. Unless the application behaviour is very complex and/or broken, it is advised not to start with this mode for new deployments. This keyword is incompatible with "insert" and "prefix". insert This keyword indicates that the persistence cookie will have to be inserted by haproxy in the responses. If the server emits a cookie with the same name, it will be replaced anyway. For this reason, this mode can be used to upgrade existing configurations running in the "rewrite" mode. The cookie will only be a session cookie and will not be stored on the client's disk. Due to caching effects, it is generally wise to add the "indirect" and "nocache" or "postonly" keywords (see below). The "insert" keyword is not compatible with "rewrite" and "prefix". prefix This keyword indicates that instead of relying on a dedicated cookie for the persistence, an existing one will be completed. This may be needed in some specific environments where the client does not support more than one single cookie and the application already needs it. In this case, whenever the server sets a cookie named , it will be prefixed with the server's identifier and a delimiter. The prefix will be removed from all client requests so that the server still finds the cookie it emitted. Since all requests and responses are subject to being modified, this mode requires the HTTP close mode. The "prefix" keyword is not compatible with "rewrite" and "insert". indirect When this option is specified in insert mode, cookies will only be added when the server was not reached after a direct access, which means that only when a server is elected after applying a load-balancing algorithm, or after a redispatch, then the cookie will be inserted. If the client has all the required information to connect to the same server next time, no further cookie will be inserted. In all cases, when the "indirect" option is used in insert mode, the cookie is always removed from the requests transmitted to the server. The persistence mechanism then becomes totally transparent from the application point of view. nocache This option is recommended in conjunction with the insert mode when there is a cache between the client and HAProxy, as it ensures that a cacheable response will be tagged non-cacheable if a cookie needs to be inserted. This is important because if all persistence cookies are added on a cacheable home page for instance, then all customers will then fetch the page from an outer cache and will all share the same persistence cookie, leading to one server receiving much more traffic than others. See also the "insert" and "postonly" options. postonly This option ensures that cookie insertion will only be performed on responses to POST requests. It is an alternative to the "nocache" option, because POST responses are not cacheable, so this ensures that the persistence cookie will never get cached. Since most sites do not need any sort of persistence before the first POST which generally is a login request, this is a very efficient method to optimize caching without risking to find a persistence cookie in the cache. See also the "insert" and "nocache" options. There can be only one persistence cookie per HTTP backend, and it can be declared in a defaults section. The value of the cookie will be the value indicated after the "cookie" keyword in a "server" statement. If no cookie is declared for a given server, the cookie is not set. Examples : cookie JSESSIONID prefix cookie SRV insert indirect nocache cookie SRV insert postonly indirect See also : "appsession", "balance source", "capture cookie", "server". default_backend Specify the backend to use when no "use_backend" rule has been matched. May be used in sections : defaults | frontend | listen | backend yes | yes | yes | no Arguments : is the name of the backend to use. When doing content-switching between frontend and backends using the "use_backend" keyword, it is often useful to indicate which backend will be used when no rule has matched. It generally is the dynamic backend which will catch all undetermined requests. The "default_backend" keyword is also supported in TCP mode frontends to facilitate the ordering of configurations in frontends and backends, eventhough it does not make much more sense in case of TCP due to the fact that use_backend currently does not work in TCP mode. Example : use_backend dynamic if url_dyn use_backend static if url_css url_img extension_img default_backend dynamic See also : "use_backend", "reqsetbe", "reqisetbe" disabled Disable a proxy, frontend or backend. May be used in sections : defaults | frontend | listen | backend yes | yes | yes | yes Arguments : none The "disabled" keyword is used to disable an instance, mainly in order to liberate a listening port or to temporarily disable a service. The instance will still be created and its configuration will be checked, but it will be created in the "stopped" state and will appear as such in the statistics. It will not receive any traffic nor will it send any health-checks or logs. It is possible to disable many instances at once by adding the "disabled" keyword in a "defaults" section. See also : "enabled" enabled Enable a proxy, frontend or backend. May be used in sections : defaults | frontend | listen | backend yes | yes | yes | yes Arguments : none The "enabled" keyword is used to explicitly enable an instance, when the defaults has been set to "disabled". This is very rarely used. See also : "disabled" errorfile Return a file contents instead of errors generated by HAProxy May be used in sections : defaults | frontend | listen | backend yes | yes | yes | yes Arguments : is the HTTP status code. Currently, HAProxy is capable of generating codes 400, 403, 408, 500, 502, 503, and 504. designates a file containing the full HTTP response. It is recommended to follow the common practice of appending ".http" to the filename so that people do not confuse the response with HTML error pages. It is important to understand that this keyword is not meant to rewrite errors returned by the server, but errors detected and returned by HAProxy. This is why the list of supported errors is limited to a small set. The files are returned verbatim on the TCP socket. This allows any trick such as redirections to another URL or site, as well as tricks to clean cookies, force enable or disable caching, etc... The package provides default error files returning the same contents as default errors. The files are read at the same time as the configuration and kept in memory. For this reason, the errors continue to be returned even when the process is chrooted, and no file change is considered while the process is running. A simple method for developing those files consists in associating them to the 403 status code and interrogating a blocked URL. See also : "errorloc", "errorloc302", "errorloc303" errorloc errorloc302 Return an HTTP redirection to a URL instead of errors generated by HAProxy May be used in sections : defaults | frontend | listen | backend yes | yes | yes | yes Arguments : is the HTTP status code. Currently, HAProxy is capable of generating codes 400, 403, 408, 500, 502, 503, and 504. it is the exact contents of the "Location" header. It may contain either a relative URI to an error page hosted on the same site, or an absolute URI designating an error page on another site. Special care should be given to relative URIs to avoid redirect loops if the URI itself may generate the same error (eg: 500). It is important to understand that this keyword is not meant to rewrite errors returned by the server, but errors detected and returned by HAProxy. This is why the list of supported errors is limited to a small set. Note that both keyword return the HTTP 302 status code, which tells the client to fetch the designated URL using the same HTTP method. This can be quite problematic in case of non-GET methods such as POST, because the URL sent to the client might not be allowed for something other than GET. To workaround this problem, please use "errorloc303" which send the HTTP 303 status code, indicating to the client that the URL must be fetched with a GET request. See also : "errorfile", "errorloc303" errorloc303 Return an HTTP redirection to a URL instead of errors generated by HAProxy May be used in sections : defaults | frontend | listen | backend yes | yes | yes | yes Arguments : is the HTTP status code. Currently, HAProxy is capable of generating codes 400, 403, 408, 500, 502, 503, and 504. it is the exact contents of the "Location" header. It may contain either a relative URI to an error page hosted on the same site, or an absolute URI designating an error page on another site. Special care should be given to relative URIs to avoid redirect loops if the URI itself may generate the same error (eg: 500). It is important to understand that this keyword is not meant to rewrite errors returned by the server, but errors detected and returned by HAProxy. This is why the list of supported errors is limited to a small set. Note that both keyword return the HTTP 303 status code, which tells the client to fetch the designated URL using the same HTTP GET method. This solves the usual problems associated with "errorloc" and the 302 code. It is possible that some very old browsers designed before HTTP/1.1 do not support it, but no such problem has been reported till now. See also : "errorfile", "errorloc", "errorloc302" fullconn Specify at what backend load the servers will reach their maxconn May be used in sections : defaults | frontend | listen | backend yes | no | yes | yes Arguments : is the number of connections on the backend which will make the servers use the maximal number of connections. When a server has a "maxconn" parameter specified, it means that its number of concurrent connections will never go higher. Additionally, if it has a "minconn" parameter, it indicates a dynamic limit following the backend's load. The server will then always accept at least connections, never more than , and the limit will be on the ramp between both values when the backend has less than concurrent connections. This makes it possible to limit the load on the servers during normal loads, but push it further for important loads without overloading the servers during exceptionnal loads. Example : # The servers will accept between 100 and 1000 concurrent connections each # and the maximum of 1000 will be reached when the backend reaches 10000 # connections. backend dynamic fullconn 10000 server srv1 dyn1:80 minconn 100 maxconn 1000 server srv2 dyn2:80 minconn 100 maxconn 1000 See also : "maxconn", "server" grace