haproxy-tools 0.5.0 → 0.6.0

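--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
- SHA1:
- metadata.gz: 825e6716451dba83fbeed1c9f0763f429973fd11
- data.tar.gz: 8cd06033a0c554c32f45f069a5f742c4e7fc25c0
+ SHA256:
+ metadata.gz: a0532c7e68ca6fdbbbd4a8c7f620f86d712863a724855ad54017839dc0c668b2
+ data.tar.gz: d16e7dc9cb1db7dd4493ed471d22328cd1a7951cd6aa0866f30d38c10acf9547
  SHA512:
- metadata.gz: 00f85ecd29f5ec8b7d1a48eb7eccbf236241d60de42876651b7023b15e33b3355bd88345fb5af2f0e67f31658b1d987e02c0027372bec13f4c5131f34378e3b4
- data.tar.gz: 1afcfa21d395eaa026685547b4d021f438d65664e7f4283b50f1b676d54245ade5eaef1cf351dba1a899094217e2b3f8704e724d33c49db569a822ff5ef90124
+ metadata.gz: dd34fa108c6d3886483e32458098fdc27a1f4d29018378fb5281a2ebc999ff38ad8695256024225b84fc6bb0ff240d14609907ae36dbcd3e3556489236427c6a
+ data.tar.gz: 7501bb2ac3cf358d882f384e553dff17e344052e7585b042d24a986f412bbe4525b661ad6a333ce159ccc229ecdaf99371622de4b9590d59eefb45c5b483b12a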
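--- a/data/.ruby-version
+++ b/data/.ruby-version
@@ -1 +1 @@
- 2.4.3
+ 2.6.2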
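--- a/data/.simplecov
+++ b/data/.simplecov
@@ -1,13 +1 @@
- class SimpleCov::Formatter::QualityFormatter
- def format(result)
- SimpleCov::Formatter::HTMLFormatter.new.format(result)
- File.open('coverage/covered_percent', 'w') do |f|
- f.puts result.source_files.covered_percent.to_f
- end
- end
- end
- SimpleCov.formatter = SimpleCov::Formatter::QualityFormatter
-
- SimpleCov.start do
- add_filter '/spec/'
- end
+ SimpleCov.start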
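Review bot: The bare `SimpleCov.start` on the added line drops the old `add_filter '/spec/'`, so files under spec/ are presumably counted in the coverage figure again. That would inflate the percentage that the Rakefile's threshold of 95 is checked against. If the wider scope is not intended, keep the filter with `SimpleCov.start { add_filter "/spec/" }`; if it is intended, a one-line comment saying so would help the next reader.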
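--- a/data/.standard.yml
+++ b/data/.standard.yml
@@ -0,0 +1 @@
+ ruby_version: 2.2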
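--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -3,12 +3,10 @@ cache: bundler
  before_install:
  - gem update --system
  rvm:
- - "1.9"
- - "2.0"
- - "2.1"
  - "2.2"
  - "2.3"
  - "2.4"
  - "2.5"
+ - "2.6"
 
  script: "bundle exec rake spec"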
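--- a/data/CHANGES.rdoc
+++ b/data/CHANGES.rdoc
@@ -1,3 +1,10 @@
+ == 0.6.0
+ * [#19] Allow underscores in keywords (@cocker-cc)
+ * Removed support for ruby versions older than 2.2
+ * Fixes rendering of configs that have no value
+ * Added standardrb linting
+ * Switched to new style rspec syntax
+
  == 0.5.0
  * [#16] Updated Readme (@chriswessells)
  * [#14] Adds Server Attributes for More Versions (@chriswessells)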
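--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,4 +1,4 @@
- source 'https://rubygems.org'
+ source "https://rubygems.org"
 
  # Gem dependencies are defined in haproxy-tools.gemspec
  gemspec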
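--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -56,5 +56,4 @@ Tools for managing HAProxy with Ruby.
 
  == Copyright
 
- Copyright (c) 2011-2015 Jason Wadsworth. See LICENSE.txt for further details.
-
+ Copyright (c) 2011-2019 Jason Wadsworth. See LICENSE.txt for further details.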
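--- a/data/Rakefile
+++ b/data/Rakefile
@@ -1,25 +1,26 @@
  #!/usr/bin/env rake
 
- require 'bundler/gem_tasks'
+ require "bundler/gem_tasks"
 
- require 'rspec/core/rake_task'
+ require "rspec/core/rake_task"
  RSpec::Core::RakeTask.new(:spec)
 
- require 'yard'
+ require "yard"
  YARD::Rake::YardocTask.new
 
+ require "standard/rake"
+
  begin
- require 'cane/rake_task'
+ require "cane/rake_task"
 
  desc "Run cane to check quality metrics"
  Cane::RakeTask.new(:cane) do |cane|
- cane.abc_max = 15
- cane.style_measure = 100
- cane.style_glob = '{lib}/**/*.rb'
- cane.gte = {'coverage/covered_percent' => 95}
+ cane.no_abc = true
+ cane.no_style = true
+ cane.gte = {"coverage/.last_run.json" => 95}
  end
  rescue LoadError
  warn "cane not available, quality task not provided."
  end
 
- task :default => [:spec, :cane]
+ task default: [:spec, :standard, :cane]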
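Review bot: The added `require "standard/rake"` sits at top level, outside the `begin`/`rescue LoadError` block that makes cane optional, so the Rakefile no longer loads (not even for `rake spec`) on a machine or CI Ruby where the standard gem is not installed. Either guard it the same way as cane or add a comment stating that standard is a hard development dependency. Separately, `cane.gte = {"coverage/.last_run.json" => 95}` now points the threshold at a JSON document instead of a file holding a bare number. This presumably relies on cane extracting the first number from that file, so confirm it against the cane version the gemspec allows; otherwise the coverage gate compares 95 against the wrong value.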
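--- a/data/bin/rake
+++ b/data/bin/rake
@@ -0,0 +1,29 @@
+ #!/usr/bin/env ruby
+ # frozen_string_literal: true
+
+ #
+ # This file was generated by Bundler.
+ #
+ # The application 'rake' is installed as part of a gem, and
+ # this file is here to facilitate running it.
+ #
+
+ require "pathname"
+ ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
+ Pathname.new(__FILE__).realpath)
+
+ bundle_binstub = File.expand_path("../bundle", __FILE__)
+
+ if File.file?(bundle_binstub)
+ if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
+ load(bundle_binstub)
+ else
+ abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+ Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+ end
+ end
+
+ require "rubygems"
+ require "bundler/setup"
+
+ load Gem.bin_path("rake", "rake")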
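--- a/data/bin/rspec
+++ b/data/bin/rspec
@@ -0,0 +1,29 @@
+ #!/usr/bin/env ruby
+ # frozen_string_literal: true
+
+ #
+ # This file was generated by Bundler.
+ #
+ # The application 'rspec' is installed as part of a gem, and
+ # this file is here to facilitate running it.
+ #
+
+ require "pathname"
+ ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
+ Pathname.new(__FILE__).realpath)
+
+ bundle_binstub = File.expand_path("../bundle", __FILE__)
+
+ if File.file?(bundle_binstub)
+ if File.read(bundle_binstub, 150) =~ /This file was generated by Bundler/
+ load(bundle_binstub)
+ else
+ abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+ Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+ end
+ end
+
+ require "rubygems"
+ require "bundler/setup"
+
+ load Gem.bin_path("rspec-core", "rspec")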
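--- a/data/bin/standardrb
+++ b/data/bin/standardrb
@@ -0,0 +1,29 @@
+ #!/usr/bin/env ruby
+ # frozen_string_literal: true
+
+ #
+ # This file was generated by Bundler.
+ #
+ # The application 'standardrb' is installed as part of a gem, and
+ # this file is here to facilitate running it.
+ #
+
+ require "pathname"
+ ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
+ Pathname.new(__FILE__).realpath)
+
+ bundle_binstub = File.expand_path("../bundle", __FILE__)
+
+ if File.file?(bundle_binstub)
+ if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
+ load(bundle_binstub)
+ else
+ abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+ Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+ end
+ end
+
+ require "rubygems"
+ require "bundler/setup"
+
+ load Gem.bin_path("standard", "standardrb")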
@@ -4,7 +4,7 @@
4
4
  ----------------------
5
5
  version 1.7
6
6
  willy tarreau
7
- 2018/01/02
7
+ 2018/04/30
8
8
 
9
9
 
10
10
  This document covers the configuration language as implemented in the version
@@ -724,7 +724,7 @@ group <group name>
724
724
  See also "gid" and "user".
725
725
 
726
726
  log <address> [len <length>] [format <format>] <facility> [max level [min level]]
727
- Adds a global syslog server. Up to two global servers can be defined. They
727
+ Adds a global syslog server. Several global servers can be defined. They
728
728
  will receive logs for startups and exits, as well as all logs from proxies
729
729
  configured with "log global".
730
730
 
@@ -1847,7 +1847,7 @@ errorloc X X X X
1847
1847
  errorloc302 X X X X
1848
1848
  -- keyword -------------------------- defaults - frontend - listen -- backend -
1849
1849
  errorloc303 X X X X
1850
- force-persist - X X X
1850
+ force-persist - - X X
1851
1851
  filter - X X X
1852
1852
  fullconn X - X X
1853
1853
  grace X X X X
@@ -1860,7 +1860,7 @@ http-response - X X X
1860
1860
  http-reuse X - X X
1861
1861
  http-send-name-header - - X X
1862
1862
  id - X X X
1863
- ignore-persist - X X X
1863
+ ignore-persist - - X X
1864
1864
  load-server-state-from-file X - X X
1865
1865
  log (*) X X X X
1866
1866
  log-format X X X -
@@ -3287,7 +3287,7 @@ email-alert to <emailaddr>
3287
3287
  force-persist { if | unless } <condition>
3288
3288
  Declare a condition to force persistence on down servers
3289
3289
  May be used in sections: defaults | frontend | listen | backend
3290
- no | yes | yes | yes
3290
+ no | no | yes | yes
3291
3291
 
3292
3292
  By default, requests are not dispatched to down servers. It is possible to
3293
3293
  force this using "option persist", but it is unconditional and redispatches
@@ -4556,7 +4556,7 @@ id <value>
4556
4556
  ignore-persist { if | unless } <condition>
4557
4557
  Declare a condition to ignore persistence
4558
4558
  May be used in sections: defaults | frontend | listen | backend
4559
- no | yes | yes | yes
4559
+ no | no | yes | yes
4560
4560
 
4561
4561
  By default, when cookie persistence is enabled, every requests containing
4562
4562
  the cookie are unconditionally persistent (assuming the target server is up
@@ -5496,9 +5496,6 @@ no option http-keep-alive
5496
5496
  available to try optimize server selection so that if the server currently
5497
5497
  attached to an idle connection is usable, it will be used.
5498
5498
 
5499
- In general it is preferred to use "option http-server-close" with application
5500
- servers, and some static servers might benefit from "option http-keep-alive".
5501
-
5502
5499
  At the moment, logs will not indicate whether requests came from the same
5503
5500
  session or not. The accept date reported in the logs corresponds to the end
5504
5501
  of the previous request, and the request time corresponds to the time spent
@@ -10384,7 +10381,12 @@ interface <interface>
10384
10381
  interface, not an aliased interface. It is also possible to bind multiple
10385
10382
  frontends to the same address if they are bound to different interfaces. Note
10386
10383
  that binding to a network interface requires root privileges. This parameter
10387
- is only compatible with TCPv4/TCPv6 sockets.
10384
+ is only compatible with TCPv4/TCPv6 sockets. When specified, return traffic
10385
+ uses the same interface as inbound traffic, and its associated routing table,
10386
+ even if there are explicit routes through different interfaces configured.
10387
+ This can prove useful to address asymmetric routing issues when the same
10388
+ client IP addresses need to be able to reach frontends hosted on different
10389
+ interfaces.
10388
10390
 
10389
10391
  level <level>
10390
10392
  This setting is used with the stats sockets only to restrict the nature of
@@ -13886,7 +13888,8 @@ ssl_fc_has_sni : boolean
13886
13888
 
13887
13889
  ssl_fc_is_resumed : boolean
13888
13890
  Returns true if the SSL/TLS session has been resumed through the use of
13889
- SSL session cache or TLS tickets.
13891
+ SSL session cache or TLS tickets on an incoming connection over an SSL/TLS
13892
+ transport layer.
13890
13893
 
13891
13894
  ssl_fc_npn : string
13892
13895
  This extracts the Next Protocol Negotiation field from an incoming connection
@@ -4,7 +4,7 @@
4
4
  ----------------------
5
5
  version 1.8
6
6
  willy tarreau
7
- 2017/12/30
7
+ 2019/02/11
8
8
 
9
9
 
10
10
  This document covers the configuration language as implemented in the version
@@ -580,8 +580,10 @@ The following keywords are supported in the "global" section :
580
580
  - setenv
581
581
  - stats
582
582
  - ssl-default-bind-ciphers
583
+ - ssl-default-bind-ciphersuites
583
584
  - ssl-default-bind-options
584
585
  - ssl-default-server-ciphers
586
+ - ssl-default-server-ciphersuites
585
587
  - ssl-default-server-options
586
588
  - ssl-dh-param-file
587
589
  - ssl-server-verify
@@ -818,7 +820,7 @@ group <group name>
818
820
  See also "gid" and "user".
819
821
 
820
822
  log <address> [len <length>] [format <format>] <facility> [max level [min level]]
821
- Adds a global syslog server. Up to two global servers can be defined. They
823
+ Adds a global syslog server. Several global servers can be defined. They
822
824
  will receive logs for starts and exits, as well as all logs from proxies
823
825
  configured with "log global".
824
826
 
@@ -915,14 +917,14 @@ nbproc <number>
915
917
  mode. By default, only one process is created, which is the recommended mode
916
918
  of operation. For systems limited to small sets of file descriptors per
917
919
  process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
918
- IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
920
+ IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon" and
921
+ "nbthread".
919
922
 
920
923
  nbthread <number>
921
924
  This setting is only available when support for threads was built in. It
922
925
  creates <number> threads for each created processes. It means if HAProxy is
923
926
  started in foreground, it only creates <number> threads for the first
924
- process. FOR NOW, THREADS SUPPORT IN HAPROXY IS HIGHLY EXPERIMENTAL AND IT
925
- MUST BE ENABLED WITH CAUTION AND AT YOUR OWN RISK. See also "nbproc".
927
+ process. See also "nbproc".
926
928
 
927
929
  pidfile <pidfile>
928
930
  Writes PIDs of all daemons into file <pidfile>. This option is equivalent to
@@ -984,11 +986,25 @@ setenv <name> <value>
984
986
  ssl-default-bind-ciphers <ciphers>
985
987
  This setting is only available when support for OpenSSL was built in. It sets
986
988
  the default string describing the list of cipher algorithms ("cipher suite")
987
- that are negotiated during the SSL/TLS handshake for all "bind" lines which
988
- do not explicitly define theirs. The format of the string is defined in
989
- "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such
990
- as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
991
- "bind" keyword for more information.
989
+ that are negotiated during the SSL/TLS handshake up to TLSv1.2 for all
990
+ "bind" lines which do not explicitly define theirs. The format of the string
991
+ is defined in "man 1 ciphers" from OpenSSL man pages. For background
992
+ information and recommendations see e.g.
993
+ (https://wiki.mozilla.org/Security/Server_Side_TLS) and
994
+ (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
995
+ cipher configuration, please check the "ssl-default-bind-ciphersuites" keyword.
996
+ Please check the "bind" keyword for more information.
997
+
998
+ ssl-default-bind-ciphersuites <ciphersuites>
999
+ This setting is only available when support for OpenSSL was built in and
1000
+ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string
1001
+ describing the list of cipher algorithms ("cipher suite") that are negotiated
1002
+ during the TLSv1.3 handshake for all "bind" lines which do not explicitly define
1003
+ theirs. The format of the string is defined in
1004
+ "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
1005
+ cipher configuration for TLSv1.2 and earlier, please check the
1006
+ "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
1007
+ information.
992
1008
 
993
1009
  ssl-default-bind-options [<option>]...
994
1010
  This setting is only available when support for OpenSSL was built in. It sets
@@ -1002,10 +1018,26 @@ ssl-default-bind-options [<option>]...
1002
1018
  ssl-default-server-ciphers <ciphers>
1003
1019
  This setting is only available when support for OpenSSL was built in. It
1004
1020
  sets the default string describing the list of cipher algorithms that are
1005
- negotiated during the SSL/TLS handshake with the server, for all "server"
1006
- lines which do not explicitly define theirs. The format of the string is
1007
- defined in "man 1 ciphers". Please check the "server" keyword for more
1008
- information.
1021
+ negotiated during the SSL/TLS handshake up to TLSv1.2 with the server,
1022
+ for all "server" lines which do not explicitly define theirs. The format of
1023
+ the string is defined in "man 1 ciphers" from OpenSSL man pages. For background
1024
+ information and recommendations see e.g.
1025
+ (https://wiki.mozilla.org/Security/Server_Side_TLS) and
1026
+ (https://mozilla.github.io/server-side-tls/ssl-config-generator/).
1027
+ For TLSv1.3 cipher configuration, please check the
1028
+ "ssl-default-server-ciphersuites" keyword. Please check the "server" keyword
1029
+ for more information.
1030
+
1031
+ ssl-default-server-ciphersuites <ciphersuites>
1032
+ This setting is only available when support for OpenSSL was built in and
1033
+ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default
1034
+ string describing the list of cipher algorithms that are negotiated during
1035
+ the TLSv1.3 handshake with the server, for all "server" lines which do not
1036
+ explicitly define theirs. The format of the string is defined in
1037
+ "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
1038
+ cipher configuration for TLSv1.2 and earlier, please check the
1039
+ "ssl-default-server-ciphers" keyword. Please check the "server" keyword for
1040
+ more information.
1009
1041
 
1010
1042
  ssl-default-server-options [<option>]...
1011
1043
  This setting is only available when support for OpenSSL was built in. It sets
@@ -1651,7 +1683,7 @@ tune.ssl.cachesize <number>
1651
1683
  this value to 0 disables the SSL session cache.
1652
1684
 
1653
1685
  tune.ssl.force-private-cache
1654
- This boolean disables SSL session cache sharing between all processes. It
1686
+ This option disables SSL session cache sharing between all processes. It
1655
1687
  should normally not be used since it will force many renegotiations due to
1656
1688
  clients hitting a random process. But it may be required on some operating
1657
1689
  systems where none of the SSL cache synchronization method may be used. In
@@ -2039,7 +2071,7 @@ errorloc X X X X
2039
2071
  errorloc302 X X X X
2040
2072
  -- keyword -------------------------- defaults - frontend - listen -- backend -
2041
2073
  errorloc303 X X X X
2042
- force-persist - X X X
2074
+ force-persist - - X X
2043
2075
  filter - X X X
2044
2076
  fullconn X - X X
2045
2077
  grace X X X X
@@ -2052,7 +2084,7 @@ http-response - X X X
2052
2084
  http-reuse X - X X
2053
2085
  http-send-name-header - - X X
2054
2086
  id - X X X
2055
- ignore-persist - X X X
2087
+ ignore-persist - - X X
2056
2088
  load-server-state-from-file X - X X
2057
2089
  log (*) X X X X
2058
2090
  log-format X X X -
@@ -2471,6 +2503,11 @@ balance url_param <param> [check_post]
2471
2503
  algorithm, mode nor option have been set. The algorithm may only be set once
2472
2504
  for each backend.
2473
2505
 
2506
+ With authentication schemes that require the same connection like NTLM, URI
2507
+ based alghoritms must not be used, as they would cause subsequent requests
2508
+ to be routed to different backend servers, breaking the invalid assumptions
2509
+ NTLM relies on.
2510
+
2474
2511
  Examples :
2475
2512
  balance roundrobin
2476
2513
  balance url_param userid
@@ -3503,7 +3540,7 @@ email-alert to <emailaddr>
3503
3540
  force-persist { if | unless } <condition>
3504
3541
  Declare a condition to force persistence on down servers
3505
3542
  May be used in sections: defaults | frontend | listen | backend
3506
- no | yes | yes | yes
3543
+ no | no | yes | yes
3507
3544
 
3508
3545
  By default, requests are not dispatched to down servers. It is possible to
3509
3546
  force this using "option persist", but it is unconditional and redispatches
@@ -4146,9 +4183,11 @@ http-request { allow | auth [realm <realm>] | redirect <rule> | reject |
4146
4183
 
4147
4184
  - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>] :
4148
4185
  enables tracking of sticky counters from current request. These rules
4149
- do not stop evaluation and do not change default action. Three sets of
4150
- counters may be simultaneously tracked by the same connection. The first
4151
- "track-sc0" rule executed enables tracking of the counters of the
4186
+ do not stop evaluation and do not change default action. The number of
4187
+ counters that may be simultaneously tracked by the same connection is set
4188
+ in MAX_SESS_STKCTR at build time (reported in haproxy -vv) which defaults
4189
+ to 3, so the track-sc number is between 0 and (MAX_SESS_STCKTR-1). The
4190
+ first "track-sc0" rule executed enables tracking of the counters of the
4152
4191
  specified table as the first set. The first "track-sc1" rule executed
4153
4192
  enables tracking of the counters of the specified table as the second
4154
4193
  set. The first "track-sc2" rule executed enables tracking of the
@@ -4771,10 +4810,8 @@ http-reuse { never | safe | aggressive | always }
4771
4810
  - connections sent to a server with a TLS SNI extension are marked private
4772
4811
  and are never shared;
4773
4812
 
4774
- - connections receiving a status code 401 or 407 expect some authentication
4775
- to be sent in return. Due to certain bogus authentication schemes (such
4776
- as NTLM) relying on the connection, these connections are marked private
4777
- and are never shared;
4813
+ - connections with certain bogus authentication schemes (relying on the
4814
+ connection) like NTLM are detected, marked private and are never shared;
4778
4815
 
4779
4816
  No connection pool is involved, once a session dies, the last idle connection
4780
4817
  it was attached to is deleted at the same time. This ensures that connections
@@ -4817,7 +4854,7 @@ id <value>
4817
4854
  ignore-persist { if | unless } <condition>
4818
4855
  Declare a condition to ignore persistence
4819
4856
  May be used in sections: defaults | frontend | listen | backend
4820
- no | yes | yes | yes
4857
+ no | no | yes | yes
4821
4858
 
4822
4859
  By default, when cookie persistence is enabled, every requests containing
4823
4860
  the cookie are unconditionally persistent (assuming the target server is up
@@ -5759,9 +5796,6 @@ no option http-keep-alive
5759
5796
  available to try optimize server selection so that if the server currently
5760
5797
  attached to an idle connection is usable, it will be used.
5761
5798
 
5762
- In general it is preferred to use "option http-server-close" with application
5763
- servers, and some static servers might benefit from "option http-keep-alive".
5764
-
5765
5799
  At the moment, logs will not indicate whether requests came from the same
5766
5800
  session or not. The accept date reported in the logs corresponds to the end
5767
5801
  of the previous request, and the request time corresponds to the time spent
@@ -6064,7 +6098,7 @@ no option httpclose
6064
6098
  option httplog [ clf ]
6065
6099
  Enable logging of HTTP request, session state and timers
6066
6100
  May be used in sections : defaults | frontend | listen | backend
6067
- yes | yes | yes | yes
6101
+ yes | yes | yes | no
6068
6102
  Arguments :
6069
6103
  clf if the "clf" argument is added, then the output format will be
6070
6104
  the CLF format instead of HAProxy's default HTTP format. You can
@@ -6080,8 +6114,6 @@ option httplog [ clf ]
6080
6114
  frontend, backend and server name, and of course the source address and
6081
6115
  ports.
6082
6116
 
6083
- This option may be set either in the frontend or the backend.
6084
-
6085
6117
  Specifying only "option httplog" will automatically clear the 'clf' mode
6086
6118
  if it was set by default.
6087
6119
 
@@ -6150,7 +6182,7 @@ no option independent-streams
6150
6182
  data sent to the server. Doing so will typically break large HTTP posts from
6151
6183
  slow lines, so use it with caution.
6152
6184
 
6153
- Note: older versions used to call this setting "option independent-streams"
6185
+ Note: older versions used to call this setting "option independant-streams"
6154
6186
  with a spelling mistake. This spelling is still supported but
6155
6187
  deprecated.
6156
6188
 
@@ -6466,8 +6498,9 @@ no option prefer-last-server
6466
6498
  close of the connection. This can make sense for static file servers. It does
6467
6499
  not make much sense to use this in combination with hashing algorithms. Note,
6468
6500
  haproxy already automatically tries to stick to a server which sends a 401 or
6469
- to a proxy which sends a 407 (authentication required). This is mandatory for
6470
- use with the broken NTLM authentication challenge, and significantly helps in
6501
+ to a proxy which sends a 407 (authentication required), when the load
6502
+ balancing algorithm is not deterministic. This is mandatory for use with the
6503
+ broken NTLM authentication challenge, and significantly helps in
6471
6504
  troubleshooting some faulty applications. Option prefer-last-server might be
6472
6505
  desirable in these environments as well, to avoid redistributing the traffic
6473
6506
  after every other response.
@@ -6500,8 +6533,8 @@ no option redispatch
6500
6533
  definitely stick to it because they cannot flush the cookie, so they will not
6501
6534
  be able to access the service anymore.
6502
6535
 
6503
- Specifying "option redispatch" will allow the proxy to break their
6504
- persistence and redistribute them to a working server.
6536
+ Specifying "option redispatch" will allow the proxy to break cookie or
6537
+ consistent hash based persistence and redistribute them to a working server.
6505
6538
 
6506
6539
  It also allows to retry connections to another server in case of multiple
6507
6540
  connection failures. Of course, it requires having "retries" set to a nonzero
@@ -6540,7 +6573,7 @@ option smtpchk <hello> <domain>
6540
6573
  yes | no | yes | yes
6541
6574
  Arguments :
6542
6575
  <hello> is an optional argument. It is the "hello" command to use. It can
6543
- be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
6576
+ be either "HELO" (for SMTP) or "EHLO" (for ESMTP). All other
6544
6577
  values will be turned into the default command ("HELO").
6545
6578
 
6546
6579
  <domain> is the domain name to present to the server. It may only be
@@ -6931,7 +6964,7 @@ option tcpka
6931
6964
  option tcplog
6932
6965
  Enable advanced logging of TCP connections with session state and timers
6933
6966
  May be used in sections : defaults | frontend | listen | backend
6934
- yes | yes | yes | yes
6967
+ yes | yes | yes | no
6935
6968
  Arguments : none
6936
6969
 
6937
6970
  By default, the log output format is very poor, as it only contains the
@@ -6943,8 +6976,6 @@ option tcplog
6943
6976
  find which of the client or server disconnects or times out. For normal HTTP
6944
6977
  proxies, it's better to use "option httplog" which is even more complete.
6945
6978
 
6946
- This option may be set either in the frontend or the backend.
6947
-
6948
6979
  "option tcplog" overrides any previous "log-format" directive.
6949
6980
 
6950
6981
  See also : "option httplog", and section 8 about logging.
@@ -9208,16 +9239,18 @@ tcp-request connection <action> [{if | unless} <condition>]
9208
9239
 
9209
9240
  - { track-sc0 | track-sc1 | track-sc2 } <key> [table <table>] :
9210
9241
  enables tracking of sticky counters from current connection. These
9211
- rules do not stop evaluation and do not change default action. 3 sets
9212
- of counters may be simultaneously tracked by the same connection. The
9213
- first "track-sc0" rule executed enables tracking of the counters of the
9214
- specified table as the first set. The first "track-sc1" rule executed
9215
- enables tracking of the counters of the specified table as the second
9216
- set. The first "track-sc2" rule executed enables tracking of the
9217
- counters of the specified table as the third set. It is a recommended
9218
- practice to use the first set of counters for the per-frontend counters
9219
- and the second set for the per-backend ones. But this is just a
9220
- guideline, all may be used everywhere.
9242
+ rules do not stop evaluation and do not change default action. The
9243
+ number of counters that may be simultaneously tracked by the same
9244
+ connection is set in MAX_SESS_STKCTR at build time (reported in
9245
+ haproxy -vv) whichs defaults to 3, so the track-sc number is between 0
9246
+ and (MAX_SESS_STCKTR-1). The first "track-sc0" rule executed enables
9247
+ tracking of the counters of the specified table as the first set. The
9248
+ first "track-sc1" rule executed enables tracking of the counters of the
9249
+ specified table as the second set. The first "track-sc2" rule executed
9250
+ enables tracking of the counters of the specified table as the third
9251
+ set. It is a recommended practice to use the first set of counters for
9252
+ the per-frontend counters and the second set for the per-backend ones.
9253
+ But this is just a guideline, all may be used everywhere.
9221
9254
 
9222
9255
  These actions take one or two arguments :
9223
9256
  <key> is mandatory, and is a sample expression rule as described
@@ -10454,8 +10487,11 @@ accept-proxy
10454
10487
  setting of which client is allowed to use the protocol.
10455
10488
 
10456
10489
  allow-0rtt
10457
- Allow receiving early data when using TLS 1.3. This is disabled by default,
10458
- due to security considerations.
10490
+ Allow receiving early data when using TLSv1.3. This is disabled by default,
10491
+ due to security considerations. Because it is vulnerable to replay attacks,
10492
+ you should only allow if for requests that are safe to replay, ie requests
10493
+ that are idempotent. You can use the "wait-for-handshake" action for any
10494
+ request that wouldn't be safe with early data.
10459
10495
 
10460
10496
  alpn <protocols>
10461
10497
  This enables the TLS ALPN extension and advertises the specified protocol
@@ -10517,13 +10553,20 @@ ca-sign-pass <passphrase>
10517
10553
  ciphers <ciphers>
10518
10554
  This setting is only available when support for OpenSSL was built in. It sets
10519
10555
  the string describing the list of cipher algorithms ("cipher suite") that are
10520
- negotiated during the SSL/TLS handshake. The format of the string is defined
10521
- in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string
10522
- such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes).
10523
- Depending on the compatibility and security requirements, the list of suitable
10524
- ciphers depends on a variety of variables. For background information and
10525
- recommendations see e. g. (https://wiki.mozilla.org/Security/Server_Side_TLS)
10526
- and (https://mozilla.github.io/server-side-tls/ssl-config-generator/).
10556
+ negotiated during the SSL/TLS handshake up to TLSv1.2. The format of the
10557
+ string is defined in "man 1 ciphers" from OpenSSL man pages. For background
10558
+ information and recommendations see e.g.
10559
+ (https://wiki.mozilla.org/Security/Server_Side_TLS) and
10560
+ (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
10561
+ cipher configuration, please check the "ciphersuites" keyword.
10562
+
10563
+ ciphersuites <ciphersuites>
10564
+ This setting is only available when support for OpenSSL was built in and
10565
+ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string describing
10566
+ the list of cipher algorithms ("cipher suite") that are negotiated during the
10567
+ TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" from
10568
+ OpenSSL man pages under the "ciphersuites" section. For cipher configuration
10569
+ for TLSv1.2 and earlier, please check the "ciphers" keyword.
10527
10570
 
10528
10571
  crl-file <crlfile>
10529
10572
  This setting is only available when support for OpenSSL was built in. It
@@ -10768,7 +10811,12 @@ interface <interface>
10768
10811
  interface, not an aliased interface. It is also possible to bind multiple
10769
10812
  frontends to the same address if they are bound to different interfaces. Note
10770
10813
  that binding to a network interface requires root privileges. This parameter
10771
- is only compatible with TCPv4/TCPv6 sockets.
10814
+ is only compatible with TCPv4/TCPv6 sockets. When specified, return traffic
10815
+ uses the same interface as inbound traffic, and its associated routing table,
10816
+ even if there are explicit routes through different interfaces configured.
10817
+ This can prove useful to address asymmetric routing issues when the same
10818
+ client IP addresses need to be able to reach frontends hosted on different
10819
+ interfaces.
10772
10820
 
10773
10821
  level <level>
10774
10822
  This setting is used with the stats sockets only to restrict the nature of
@@ -11211,9 +11259,10 @@ check-send-proxy
11211
11259
  "check-send-proxy" option needs to be used to force the use of the
11212
11260
  protocol. See also the "send-proxy" option for more information.
11213
11261
 
11214
- check-sni
11262
+ check-sni <sni>
11215
11263
  This option allows you to specify the SNI to be used when doing health checks
11216
- over SSL.
11264
+ over SSL. It is only possible to use a string to set <sni>. If you want to
11265
+ set a SNI for proxied traffic, see "sni".
11217
11266
 
11218
11267
  check-ssl
11219
11268
  This option forces encryption of all health checks over SSL, regardless of
@@ -11228,14 +11277,23 @@ check-ssl
11228
11277
  this option.
11229
11278
 
11230
11279
  ciphers <ciphers>
11231
- This option sets the string describing the list of cipher algorithms that is
11232
- is negotiated during the SSL/TLS handshake with the server. The format of the
11233
- string is defined in "man 1 ciphers". When SSL is used to communicate with
11234
- servers on the local network, it is common to see a weaker set of algorithms
11235
- than what is used over the internet. Doing so reduces CPU usage on both the
11236
- server and haproxy while still keeping it compatible with deployed software.
11237
- Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
11238
- is needed and just connectivity, using DES can be appropriate.
11280
+ This setting is only available when support for OpenSSL was built in. This
11281
+ option sets the string describing the list of cipher algorithms that is
11282
+ negotiated during the SSL/TLS handshake with the server. The format of the
11283
+ string is defined in "man 1 ciphers" from OpenSSL man pages. For background
11284
+ information and recommendations see e.g.
11285
+ (https://wiki.mozilla.org/Security/Server_Side_TLS) and
11286
+ (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
11287
+ cipher configuration, please check the "ciphersuites" keyword.
11288
+
11289
+ ciphersuites <ciphersuites>
11290
+ This setting is only available when support for OpenSSL was built in and
11291
+ OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string
11292
+ describing the list of cipher algorithms that is negotiated during the TLS
11293
+ 1.3 handshake with the server. The format of the string is defined in
11294
+ "man 1 ciphers" from OpenSSL man pages under the "ciphersuites" section.
11295
+ For cipher configuration for TLSv1.2 and earlier, please check the "ciphers"
11296
+ keyword.
11239
11297
 
11240
11298
  cookie <value>
11241
11299
  The "cookie" parameter sets the cookie value assigned to the server to
@@ -11625,6 +11683,40 @@ rise <count>
11625
11683
  after <count> consecutive successful health checks. This value defaults to 2
11626
11684
  if unspecified. See also the "check", "inter" and "fall" parameters.
11627
11685
 
11686
+ resolve-opts <option>,<option>,...
11687
+ Comma separated list of options to apply to DNS resolution linked to this
11688
+ server.
11689
+
11690
+ Available options:
11691
+
11692
+ * allow-dup-ip
11693
+ By default, HAProxy prevents IP address duplication in a backend when DNS
11694
+ resolution at runtime is in operation.
11695
+ That said, for some cases, it makes sense that two servers (in the same
11696
+ backend, being resolved by the same FQDN) have the same IP address.
11697
+ For such case, simply enable this option.
11698
+ This is the opposite of prevent-dup-ip.
11699
+
11700
+ * prevent-dup-ip
11701
+ Ensure HAProxy's default behavior is enforced on a server: prevent re-using
11702
+ an IP address already set to a server in the same backend and sharing the
11703
+ same fqdn.
11704
+ This is the opposite of allow-dup-ip.
11705
+
11706
+ Example:
11707
+ backend b_myapp
11708
+ default-server init-addr none resolvers dns
11709
+ server s1 myapp.example.com:80 check resolve-opts allow-dup-ip
11710
+ server s2 myapp.example.com:81 check resolve-opts allow-dup-ip
11711
+
11712
+ With the option allow-dup-ip set:
11713
+ * if the nameserver returns a single IP address, then both servers will use
11714
+ it
11715
+ * If the nameserver returns 2 IP addresses, then each server will pick up a
11716
+ different address
11717
+
11718
+ Default value: not set
11719
+
11628
11720
  resolve-prefer <family>
11629
11721
  When DNS resolution is enabled for a server and multiple IP addresses from
11630
11722
  different families are returned, HAProxy will prefer using an IP address
@@ -11738,7 +11830,8 @@ sni <expression>
11738
11830
  expression, though alternatives such as req.hdr(host) can also make sense. If
11739
11831
  "verify required" is set (which is the recommended setting), the resulting
11740
11832
  name will also be matched against the server certificate's names. See the
11741
- "verify" directive for more details.
11833
+ "verify" directive for more details. If you want to set a SNI for health
11834
+ checks, see the "check-sni" directive for more details.
11742
11835
 
11743
11836
  source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
11744
11837
  source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
@@ -11968,9 +12061,6 @@ accepted_payload_size <nb>
11968
12061
  <nb> is in bytes. If not set, HAProxy announces 512. (minimal value defined
11969
12062
  by RFC 6891)
11970
12063
 
11971
- Note: to get bigger responses but still be sure that responses won't be
11972
- dropped on the wire, one can choose a value between 1280 and 1410.
11973
-
11974
12064
  Note: the maximum allowed value is 8192.
11975
12065
 
11976
12066
  nameserver <id> <ip>:<port>
@@ -13711,10 +13801,13 @@ sets unless they require some future information. Those generally include
13711
13801
  TCP/IP addresses and ports, as well as elements from stick-tables related to
13712
13802
  the incoming connection. For retrieving a value from a sticky counters, the
13713
13803
  counter number can be explicitly set as 0, 1, or 2 using the pre-defined
13714
- "sc0_", "sc1_", or "sc2_" prefix, or it can be specified as the first integer
13715
- argument when using the "sc_" prefix. An optional table may be specified with
13716
- the "sc*" form, in which case the currently tracked key will be looked up into
13717
- this alternate table instead of the table currently being tracked.
13804
+ "sc0_", "sc1_", or "sc2_" prefix. These three pre-defined prefixes can only be
13805
+ used if MAX_SESS_STKCTR value does not exceed 3, otherwise the counter number
13806
+ can be specified as the first integer argument when using the "sc_" prefix.
13807
+ Starting from "sc_0" to "sc_N" where N is (MAX_SESS_STKCTR-1). An optional
13808
+ table may be specified with the "sc*" form, in which case the currently
13809
+ tracked key will be looked up into this alternate table instead of the table
13810
+ currently being tracked.
13718
13811
 
13719
13812
  be_id : integer
13720
13813
  Returns an integer containing the current backend's id. It can be used in
@@ -13729,7 +13822,12 @@ dst : ip
13729
13822
  which is the address the client connected to. It can be useful when running
13730
13823
  in transparent mode. It is of type IP and works on both IPv4 and IPv6 tables.
13731
13824
  On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent, according to
13732
- RFC 4291.
13825
+ RFC 4291. When the incoming connection passed through address translation or
13826
+ redirection involving connection tracking, the original destination address
13827
+ before the redirection will be reported. On Linux systems, the source and
13828
+ destination may seldom appear reversed if the nf_conntrack_tcp_loose sysctl
13829
+ is set, because a late response may reopen a timed out connection and switch
13830
+ what is believed to be the source and the destination.
13733
13831
 
13734
13832
  dst_conn : integer
13735
13833
  Returns an integer value corresponding to the number of currently established
@@ -14034,7 +14132,13 @@ src : ip
14034
14132
  behind a proxy. However if the "accept-proxy" or "accept-netscaler-cip" bind
14035
14133
  directive is used, it can be the address of a client behind another
14036
14134
  PROXY-protocol compatible component for all rule sets except
14037
- "tcp-request connection" which sees the real address.
14135
+ "tcp-request connection" which sees the real address. When the incoming
14136
+ connection passed through address translation or redirection involving
14137
+ connection tracking, the original destination address before the redirection
14138
+ will be reported. On Linux systems, the source and destination may seldom
14139
+ appear reversed if the nf_conntrack_tcp_loose sysctl is set, because a late
14140
+ response may reopen a timed out connection and switch what is believed to be
14141
+ the source and the destination.
14038
14142
 
14039
14143
  Example:
14040
14144
  # add an HTTP header in requests with the originating address' country
@@ -14503,7 +14607,8 @@ ssl_fc_has_sni : boolean
14503
14607
 
14504
14608
  ssl_fc_is_resumed : boolean
14505
14609
  Returns true if the SSL/TLS session has been resumed through the use of
14506
- SSL session cache or TLS tickets.
14610
+ SSL session cache or TLS tickets on an incoming connection over an SSL/TLS
14611
+ transport layer.
14507
14612
 
14508
14613
  ssl_fc_npn : string
14509
14614
  This extracts the Next Protocol Negotiation field from an incoming connection
@@ -15576,7 +15681,10 @@ Detailed fields description :
15576
15681
  - "accept_date" is the exact date when the connection was received by haproxy
15577
15682
  (which might be very slightly different from the date observed on the
15578
15683
  network if there was some queuing in the system's backlog). This is usually
15579
- the same date which may appear in any upstream firewall's log.
15684
+ the same date which may appear in any upstream firewall's log. When used in
15685
+ HTTP mode, the accept_date field will be reset to the first moment the
15686
+ connection is ready to receive a new request (end of previous response for
15687
+ HTTP/1, immediately after previous request for HTTP/2).
15580
15688
 
15581
15689
  - "frontend_name" is the name of the frontend (or listener) which received
15582
15690
  and processed the connection.
@@ -15776,24 +15884,25 @@ Detailed fields description :
15776
15884
  request could be received or the a bad request was received. It should
15777
15885
  always be very small because a request generally fits in one single packet.
15778
15886
  Large times here generally indicate network issues between the client and
15779
- haproxy or requests being typed by hand. See "Timers" below for more details.
15887
+ haproxy or requests being typed by hand. See section 8.4 "Timing Events"
15888
+ for more details.
15780
15889
 
15781
15890
  - "Tw" is the total time in milliseconds spent waiting in the various queues.
15782
15891
  It can be "-1" if the connection was aborted before reaching the queue.
15783
- See "Timers" below for more details.
15892
+ See section 8.4 "Timing Events" for more details.
15784
15893
 
15785
15894
  - "Tc" is the total time in milliseconds spent waiting for the connection to
15786
15895
  establish to the final server, including retries. It can be "-1" if the
15787
- request was aborted before a connection could be established. See "Timers"
15788
- below for more details.
15896
+ request was aborted before a connection could be established. See section
15897
+ 8.4 "Timing Events" for more details.
15789
15898
 
15790
15899
  - "Tr" is the total time in milliseconds spent waiting for the server to send
15791
15900
  a full HTTP response, not counting data. It can be "-1" if the request was
15792
15901
  aborted before a complete response could be received. It generally matches
15793
15902
  the server's processing time for the request, though it may be altered by
15794
15903
  the amount of data sent by the client to the server. Large times here on
15795
- "GET" requests generally indicate an overloaded server. See "Timers" below
15796
- for more details.
15904
+ "GET" requests generally indicate an overloaded server. See section 8.4
15905
+ "Timing Events" for more details.
15797
15906
 
15798
15907
  - "Ta" is the time the request remained active in haproxy, which is the total
15799
15908
  time in milliseconds elapsed between the first byte of the request was
@@ -15802,7 +15911,7 @@ Detailed fields description :
15802
15911
  one exception, if "option logasap" was specified, then the time counting
15803
15912
  stops at the moment the log is emitted. In this case, a '+' sign is
15804
15913
  prepended before the value, indicating that the final one will be larger.
15805
- See "Timers" below for more details.
15914
+ See section 8.4 "Timing Events" for more details.
15806
15915
 
15807
15916
  - "status_code" is the HTTP status code returned to the client. This status
15808
15917
  is generally set by the server, but it might also be set by haproxy when
@@ -16059,7 +16168,7 @@ Please refer to the table below for currently defined variables :
16059
16168
  | | %t | date_time (with millisecond resolution) | date |
16060
16169
  | H | %tr | date_time of HTTP request | date |
16061
16170
  | H | %trg | gmt_date_time of start of HTTP request | date |
16062
- | H | %trl | locla_date_time of start of HTTP request | date |
16171
+ | H | %trl | local_date_time of start of HTTP request | date |
16063
16172
  | | %ts | termination_state | string |
16064
16173
  | H | %tsc | termination_state with cookie status | string |
16065
16174
  +---+------+-----------------------------------------------+-------------+
@@ -16208,16 +16317,20 @@ Timings events in TCP mode:
16208
16317
  may indicate that the client only pre-established the connection without
16209
16318
  speaking, that it is experiencing network issues preventing it from
16210
16319
  completing a handshake in a reasonable time (e.g. MTU issues), or that an
16211
- SSL handshake was very expensive to compute.
16320
+ SSL handshake was very expensive to compute. Please note that this time is
16321
+ reported only before the first request, so it is safe to average it over
16322
+ all request to calculate the amortized value. The second and subsequent
16323
+ request will always report zero here.
16212
16324
 
16213
16325
  - Ti: is the idle time before the HTTP request (HTTP mode only). This timer
16214
16326
  counts between the end of the handshakes and the first byte of the HTTP
16215
16327
  request. When dealing with a second request in keep-alive mode, it starts
16216
- to count after the end of the transmission the previous response. Some
16217
- browsers pre-establish connections to a server in order to reduce the
16218
- latency of a future request, and keep them pending until they need it. This
16219
- delay will be reported as the idle time. A value of -1 indicates that
16220
- nothing was received on the connection.
16328
+ to count after the end of the transmission the previous response. When a
16329
+ multiplexed protocol such as HTTP/2 is used, it starts to count immediately
16330
+ after the previous request. Some browsers pre-establish connections to a
16331
+ server in order to reduce the latency of a future request, and keep them
16332
+ pending until they need it. This delay will be reported as the idle time. A
16333
+ value of -1 indicates that nothing was received on the connection.
16221
16334
 
16222
16335
  - TR: total time to get the client request (HTTP mode only). It's the time
16223
16336
  elapsed between the first bytes received and the moment the proxy received
@@ -17025,6 +17138,7 @@ The cache won't store and won't deliver objects in these cases:
17025
17138
 
17026
17139
  - If the request is not a GET
17027
17140
  - If the HTTP version of the request is smaller than 1.1
17141
+ - If the request contains an Authorization header
17028
17142
 
17029
17143
  Caution!: Due to the current limitation of the filters, it is not recommended
17030
17144
  to use the cache with other filters. Using them can cause undefined behavior
@@ -17045,7 +17159,7 @@ cache <name>
17045
17159
 
17046
17160
  total-max-size <megabytes>
17047
17161
  Define the size in RAM of the cache in megabytes. This size is split in
17048
- blocks of 1kB which are used by the cache entries.
17162
+ blocks of 1kB which are used by the cache entries. Its maximum value is 4095.
17049
17163
 
17050
17164
  max-age <seconds>
17051
17165
  Define the maximum expiration duration. The expiration is set has the lowest
@@ -17057,13 +17171,13 @@ max-age <seconds>
17057
17171
  10.2.2. Proxy section
17058
17172
  ---------------------
17059
17173
 
17060
- http-request cache-use <name>
17174
+ http-request cache-use <name> [ { if | unless } <condition> ]
17061
17175
  Try to deliver a cached object from the cache <name>. This directive is also
17062
17176
  mandatory to store the cache as it calculates the cache hash. If you want to
17063
17177
  use a condition for both storage and delivering that's a good idea to put it
17064
17178
  after this one.
17065
17179
 
17066
- http-response cache-store <name>
17180
+ http-response cache-store <name> [ { if | unless } <condition> ]
17067
17181
  Store an http-response within the cache. The storage of the response headers
17068
17182
  is done at this step, which means you can use others http-response actions
17069
17183
  to modify headers before or after the storage of the response. This action