rhaproxy 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. data/Changelog +41 -0
  2. data/README +8 -8
  3. data/lib/rhaproxy/backend.rb +29 -4989
  4. data/lib/rhaproxy/defaults.rb +66 -3682
  5. data/lib/rhaproxy/frontend.rb +56 -3226
  6. data/lib/rhaproxy/keywords.rb +6502 -0
  7. data/lib/rhaproxy/listen.rb +3 -6065
  8. data/lib/rhaproxy/mixins.rb +20 -0
  9. data/lib/rhaproxy.rb +2 -0
  10. metadata +6 -4
data/lib/rhaproxy/defaults.rb CHANGED
@@ -16,3697 +16,81 @@
16
16
  # section. The name is optional but its use is encouraged for better readability.
17
17
  #
18
18
  class RhaproxyDefaults
19
-
20
- #
21
- # backlog <conns>
22
- # Give hints to the system about the approximate listen backlog desired size
23
- # May be used in sections : defaults | frontend | listen | backend
24
- # yes | yes | yes | no
25
- # Arguments :
26
- # <conns> is the number of pending connections. Depending on the operating
27
- # system, it may represent the number of already acknowledged
28
- # connections, of non-acknowledged ones, or both.
29
- #
30
- # In order to protect against SYN flood attacks, one solution is to increase
31
- # the system's SYN backlog size. Depending on the system, sometimes it is just
32
- # tunable via a system parameter, sometimes it is not adjustable at all, and
33
- # sometimes the system relies on hints given by the application at the time of
34
- # the listen() syscall. By default, HAProxy passes the frontend's maxconn value
35
- # to the listen() syscall. On systems which can make use of this value, it can
36
- # sometimes be useful to be able to specify a different value, hence this
37
- # backlog parameter.
38
- #
39
- # On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
40
- # used as a hint and the system accepts up to the smallest greater power of
41
- # two, and never more than some limits (usually 32768).
42
- #
43
- # See also : "maxconn" and the target operating system's tuning guide.
44
- #
45
- attr_accessor :backlog
46
-
47
- #
48
- # balance <algorithm> [ <arguments> ]
49
- # balance url_param <param> [check_post [<max_wait>]]
50
- # Define the load balancing algorithm to be used in a backend.
51
- # May be used in sections : defaults | frontend | listen | backend
52
- # yes | no | yes | yes
53
- # Arguments :
54
- # <algorithm> is the algorithm used to select a server when doing load
55
- # balancing. This only applies when no persistence information
56
- # is available, or when a connection is redispatched to another
57
- # server. <algorithm> may be one of the following :
58
- #
59
- # roundrobin Each server is used in turns, according to their weights.
60
- # This is the smoothest and fairest algorithm when the server's
61
- # processing time remains equally distributed. This algorithm
62
- # is dynamic, which means that server weights may be adjusted
63
- # on the fly for slow starts for instance. It is limited by
64
- # design to 4128 active servers per backend. Note that in some
65
- # large farms, when a server becomes up after having been down
66
- # for a very short time, it may sometimes take a few hundreds
67
- # requests for it to be re-integrated into the farm and start
68
- # receiving traffic. This is normal, though very rare. It is
69
- # indicated here in case you would have the chance to observe
70
- # it, so that you don't worry.
71
- #
72
- # static-rr Each server is used in turns, according to their weights.
73
- # This algorithm is as similar to roundrobin except that it is
74
- # static, which means that changing a server's weight on the
75
- # fly will have no effect. On the other hand, it has no design
76
- # limitation on the number of servers, and when a server goes
77
- # up, it is always immediately reintroduced into the farm, once
78
- # the full map is recomputed. It also uses slightly less CPU to
79
- # run (around -1%).
80
- #
81
- # leastconn The server with the lowest number of connections receives the
82
- # connection. Round-robin is performed within groups of servers
83
- # of the same load to ensure that all servers will be used. Use
84
- # of this algorithm is recommended where very long sessions are
85
- # expected, such as LDAP, SQL, TSE, etc... but is not very well
86
- # suited for protocols using short sessions such as HTTP. This
87
- # algorithm is dynamic, which means that server weights may be
88
- # adjusted on the fly for slow starts for instance.
89
- #
90
- # source The source IP address is hashed and divided by the total
91
- # weight of the running servers to designate which server will
92
- # receive the request. This ensures that the same client IP
93
- # address will always reach the same server as long as no
94
- # server goes down or up. If the hash result changes due to the
95
- # number of running servers changing, many clients will be
96
- # directed to a different server. This algorithm is generally
97
- # used in TCP mode where no cookie may be inserted. It may also
98
- # be used on the Internet to provide a best-effort stickiness
99
- # to clients which refuse session cookies. This algorithm is
100
- # static by default, which means that changing a server's
101
- # weight on the fly will have no effect, but this can be
102
- # changed using "hash-type".
103
- #
104
- # uri The left part of the URI (before the question mark) is hashed
105
- # and divided by the total weight of the running servers. The
106
- # result designates which server will receive the request. This
107
- # ensures that a same URI will always be directed to the same
108
- # server as long as no server goes up or down. This is used
109
- # with proxy caches and anti-virus proxies in order to maximize
110
- # the cache hit rate. Note that this algorithm may only be used
111
- # in an HTTP backend. This algorithm is static by default,
112
- # which means that changing a server's weight on the fly will
113
- # have no effect, but this can be changed using "hash-type".
114
- #
115
- # This algorithm support two optional parameters "len" and
116
- # "depth", both followed by a positive integer number. These
117
- # options may be helpful when it is needed to balance servers
118
- # based on the beginning of the URI only. The "len" parameter
119
- # indicates that the algorithm should only consider that many
120
- # characters at the beginning of the URI to compute the hash.
121
- # Note that having "len" set to 1 rarely makes sense since most
122
- # URIs start with a leading "/".
123
- #
124
- # The "depth" parameter indicates the maximum directory depth
125
- # to be used to compute the hash. One level is counted for each
126
- # slash in the request. If both parameters are specified, the
127
- # evaluation stops when either is reached.
128
- #
129
- # url_param The URL parameter specified in argument will be looked up in
130
- # the query string of each HTTP GET request.
131
- #
132
- # If the modifier "check_post" is used, then an HTTP POST
133
- # request entity will be searched for the parameter argument,
134
- # when the question mark indicating a query string ('?') is not
135
- # present in the URL. Optionally, specify a number of octets to
136
- # wait for before attempting to search the message body. If the
137
- # entity can not be searched, then round robin is used for each
138
- # request. For instance, if your clients always send the LB
139
- # parameter in the first 128 bytes, then specify that. The
140
- # default is 48. The entity data will not be scanned until the
141
- # required number of octets have arrived at the gateway, this
142
- # is the minimum of: (default/max_wait, Content-Length or first
143
- # chunk length). If Content-Length is missing or zero, it does
144
- # not need to wait for more data than the client promised to
145
- # send. When Content-Length is present and larger than
146
- # <max_wait>, then waiting is limited to <max_wait> and it is
147
- # assumed that this will be enough data to search for the
148
- # presence of the parameter. In the unlikely event that
149
- # Transfer-Encoding: chunked is used, only the first chunk is
150
- # scanned. Parameter values separated by a chunk boundary, may
151
- # be randomly balanced if at all.
152
- #
153
- # If the parameter is found followed by an equal sign ('=') and
154
- # a value, then the value is hashed and divided by the total
155
- # weight of the running servers. The result designates which
156
- # server will receive the request.
157
- #
158
- # This is used to track user identifiers in requests and ensure
159
- # that a same user ID will always be sent to the same server as
160
- # long as no server goes up or down. If no value is found or if
161
- # the parameter is not found, then a round robin algorithm is
162
- # applied. Note that this algorithm may only be used in an HTTP
163
- # backend. This algorithm is static by default, which means
164
- # that changing a server's weight on the fly will have no
165
- # effect, but this can be changed using "hash-type".
166
- #
167
- # hdr(name) The HTTP header <name> will be looked up in each HTTP request.
168
- # Just as with the equivalent ACL 'hdr()' function, the header
169
- # name in parenthesis is not case sensitive. If the header is
170
- # absent or if it does not contain any value, the roundrobin
171
- # algorithm is applied instead.
172
- #
173
- # An optional 'use_domain_only' parameter is available, for
174
- # reducing the hash algorithm to the main domain part with some
175
- # specific headers such as 'Host'. For instance, in the Host
176
- # value "haproxy.1wt.eu", only "1wt" will be considered.
177
- #
178
- # This algorithm is static by default, which means that
179
- # changing a server's weight on the fly will have no effect,
180
- # but this can be changed using "hash-type".
181
- #
182
- # rdp-cookie
183
- # rdp-cookie(name)
184
- # The RDP cookie <name> (or "mstshash" if omitted) will be
185
- # looked up and hashed for each incoming TCP request. Just as
186
- # with the equivalent ACL 'req_rdp_cookie()' function, the name
187
- # is not case-sensitive. This mechanism is useful as a degraded
188
- # persistence mode, as it makes it possible to always send the
189
- # same user (or the same session ID) to the same server. If the
190
- # cookie is not found, the normal roundrobin algorithm is
191
- # used instead.
192
- #
193
- # Note that for this to work, the frontend must ensure that an
194
- # RDP cookie is already present in the request buffer. For this
195
- # you must use 'tcp-request content accept' rule combined with
196
- # a 'req_rdp_cookie_cnt' ACL.
197
- #
198
- # This algorithm is static by default, which means that
199
- # changing a server's weight on the fly will have no effect,
200
- # but this can be changed using "hash-type".
201
- #
202
- # <arguments> is an optional list of arguments which may be needed by some
203
- # algorithms. Right now, only "url_param" and "uri" support an
204
- # optional argument.
205
- #
206
- # balance uri [len <len>] [depth <depth>]
207
- # balance url_param <param> [check_post [<max_wait>]]
208
- #
209
- # The load balancing algorithm of a backend is set to roundrobin when no other
210
- # algorithm, mode nor option have been set. The algorithm may only be set once
211
- # for each backend.
212
- #
213
- # Examples :
214
- # balance roundrobin
215
- # balance url_param userid
216
- # balance url_param session_id check_post 64
217
- # balance hdr(User-Agent)
218
- # balance hdr(host)
219
- # balance hdr(Host) use_domain_only
220
- #
221
- # Note: the following caveats and limitations on using the "check_post"
222
- # extension with "url_param" must be considered :
223
- #
224
- # - all POST requests are eligible for consideration, because there is no way
225
- # to determine if the parameters will be found in the body or entity which
226
- # may contain binary data. Therefore another method may be required to
227
- # restrict consideration of POST requests that have no URL parameters in
228
- # the body. (see acl reqideny http_end)
229
- #
230
- # - using a <max_wait> value larger than the request buffer size does not
231
- # make sense and is useless. The buffer size is set at build time, and
232
- # defaults to 16 kB.
233
- #
234
- # - Content-Encoding is not supported, the parameter search will probably
235
- # fail; and load balancing will fall back to Round Robin.
236
- #
237
- # - Expect: 100-continue is not supported, load balancing will fall back to
238
- # Round Robin.
239
- #
240
- # - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
241
- # If the entire parameter value is not present in the first chunk, the
242
- # selection of server is undefined (actually, defined by how little
243
- # actually appeared in the first chunk).
244
- #
245
- # - This feature does not support generation of a 100, 411 or 501 response.
246
- #
247
- # - In some cases, requesting "check_post" MAY attempt to scan the entire
248
- # contents of a message body. Scanning normally terminates when linear
249
- # white space or control characters are found, indicating the end of what
250
- # might be a URL parameter list. This is probably not a concern with SGML
251
- # type message bodies.
252
- #
253
- # See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
254
- # "http_proxy".
255
- #
256
- attr_accessor :balance
257
-
258
- #
259
- # bind-process [ all | odd | even | <number 1-32> ] ...
260
- # Limit visibility of an instance to a certain set of processes numbers.
261
- # May be used in sections : defaults | frontend | listen | backend
262
- # yes | yes | yes | yes
263
- # Arguments :
264
- # all All process will see this instance. This is the default. It
265
- # may be used to override a default value.
266
- #
267
- # odd This instance will be enabled on processes 1,3,5,...31. This
268
- # option may be combined with other numbers.
269
- #
270
- # even This instance will be enabled on processes 2,4,6,...32. This
271
- # option may be combined with other numbers. Do not use it
272
- # with less than 2 processes otherwise some instances might be
273
- # missing from all processes.
274
- #
275
- # number The instance will be enabled on this process number, between
276
- # 1 and 32. You must be careful not to reference a process
277
- # number greater than the configured global.nbproc, otherwise
278
- # some instances might be missing from all processes.
279
- #
280
- # This keyword limits binding of certain instances to certain processes. This
281
- # is useful in order not to have too many processes listening to the same
282
- # ports. For instance, on a dual-core machine, it might make sense to set
283
- # 'nbproc 2' in the global section, then distributes the listeners among 'odd'
284
- # and 'even' instances.
285
- #
286
- # At the moment, it is not possible to reference more than 32 processes using
287
- # this keyword, but this should be more than enough for most setups. Please
288
- # note that 'all' really means all processes and is not limited to the first
289
- # 32.
290
- #
291
- # If some backends are referenced by frontends bound to other processes, the
292
- # backend automatically inherits the frontend's processes.
293
- #
294
- # Example :
295
- # listen app_ip1
296
- # bind 10.0.0.1:80
297
- # bind-process odd
298
- #
299
- # listen app_ip2
300
- # bind 10.0.0.2:80
301
- # bind-process even
302
- #
303
- # listen management
304
- # bind 10.0.0.3:80
305
- # bind-process 1 2 3 4
306
- #
307
- # See also : "nbproc" in global section.
308
- #
309
- attr_accessor :bind_process
310
-
311
- #
312
- # cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
313
- # [ postonly ] [ preserve ] [ domain <domain> ]*
314
- # [ maxidle <idle> ] [ maxlife <life> ]
315
- # Enable cookie-based persistence in a backend.
316
- # May be used in sections : defaults | frontend | listen | backend
317
- # yes | no | yes | yes
318
- # Arguments :
319
- # <name> is the name of the cookie which will be monitored, modified or
320
- # inserted in order to bring persistence. This cookie is sent to
321
- # the client via a "Set-Cookie" header in the response, and is
322
- # brought back by the client in a "Cookie" header in all requests.
323
- # Special care should be taken to choose a name which does not
324
- # conflict with any likely application cookie. Also, if the same
325
- # backends are subject to be used by the same clients (eg:
326
- # HTTP/HTTPS), care should be taken to use different cookie names
327
- # between all backends if persistence between them is not desired.
328
- #
329
- # rewrite This keyword indicates that the cookie will be provided by the
330
- # server and that haproxy will have to modify its value to set the
331
- # server's identifier in it. This mode is handy when the management
332
- # of complex combinations of "Set-cookie" and "Cache-control"
333
- # headers is left to the application. The application can then
334
- # decide whether or not it is appropriate to emit a persistence
335
- # cookie. Since all responses should be monitored, this mode only
336
- # works in HTTP close mode. Unless the application behaviour is
337
- # very complex and/or broken, it is advised not to start with this
338
- # mode for new deployments. This keyword is incompatible with
339
- # "insert" and "prefix".
340
- #
341
- # insert This keyword indicates that the persistence cookie will have to
342
- # be inserted by haproxy in server responses if the client did not
343
- #
344
- # already have a cookie that would have permitted it to access this
345
- # server. When used without the "preserve" option, if the server
346
- # emits a cookie with the same name, it will be remove before
347
- # processing. For this reason, this mode can be used to upgrade
348
- # existing configurations running in the "rewrite" mode. The cookie
349
- # will only be a session cookie and will not be stored on the
350
- # client's disk. By default, unless the "indirect" option is added,
351
- # the server will see the cookies emitted by the client. Due to
352
- # caching effects, it is generally wise to add the "nocache" or
353
- # "postonly" keywords (see below). The "insert" keyword is not
354
- # compatible with "rewrite" and "prefix".
355
- #
356
- # prefix This keyword indicates that instead of relying on a dedicated
357
- # cookie for the persistence, an existing one will be completed.
358
- # This may be needed in some specific environments where the client
359
- # does not support more than one single cookie and the application
360
- # already needs it. In this case, whenever the server sets a cookie
361
- # named <name>, it will be prefixed with the server's identifier
362
- # and a delimiter. The prefix will be removed from all client
363
- # requests so that the server still finds the cookie it emitted.
364
- # Since all requests and responses are subject to being modified,
365
- # this mode requires the HTTP close mode. The "prefix" keyword is
366
- # not compatible with "rewrite" and "insert".
367
- #
368
- # indirect When this option is specified, no cookie will be emitted to a
369
- # client which already has a valid one for the server which has
370
- # processed the request. If the server sets such a cookie itself,
371
- # it will be removed, unless the "preserve" option is also set. In
372
- # "insert" mode, this will additionally remove cookies from the
373
- # requests transmitted to the server, making the persistence
374
- # mechanism totally transparent from an application point of view.
375
- #
376
- # nocache This option is recommended in conjunction with the insert mode
377
- # when there is a cache between the client and HAProxy, as it
378
- # ensures that a cacheable response will be tagged non-cacheable if
379
- # a cookie needs to be inserted. This is important because if all
380
- # persistence cookies are added on a cacheable home page for
381
- # instance, then all customers will then fetch the page from an
382
- # outer cache and will all share the same persistence cookie,
383
- # leading to one server receiving much more traffic than others.
384
- # See also the "insert" and "postonly" options.
385
- #
386
- # postonly This option ensures that cookie insertion will only be performed
387
- # on responses to POST requests. It is an alternative to the
388
- # "nocache" option, because POST responses are not cacheable, so
389
- # this ensures that the persistence cookie will never get cached.
390
- # Since most sites do not need any sort of persistence before the
391
- # first POST which generally is a login request, this is a very
392
- # efficient method to optimize caching without risking to find a
393
- # persistence cookie in the cache.
394
- # See also the "insert" and "nocache" options.
395
- #
396
- # preserve This option may only be used with "insert" and/or "indirect". It
397
- # allows the server to emit the persistence cookie itself. In this
398
- # case, if a cookie is found in the response, haproxy will leave it
399
- # untouched. This is useful in order to end persistence after a
400
- # logout request for instance. For this, the server just has to
401
- # emit a cookie with an invalid value (eg: empty) or with a date in
402
- # the past. By combining this mechanism with the "disable-on-404"
403
- # check option, it is possible to perform a completely graceful
404
- # shutdown because users will definitely leave the server after
405
- # they logout.
406
- #
407
- # domain This option allows to specify the domain at which a cookie is
408
- # inserted. It requires exactly one parameter: a valid domain
409
- # name. If the domain begins with a dot, the browser is allowed to
410
- # use it for any host ending with that name. It is also possible to
411
- # specify several domain names by invoking this option multiple
412
- # times. Some browsers might have small limits on the number of
413
- # domains, so be careful when doing that. For the record, sending
414
- # 10 domains to MSIE 6 or Firefox 2 works as expected.
415
- #
416
- # maxidle This option allows inserted cookies to be ignored after some idle
417
- # time. It only works with insert-mode cookies. When a cookie is
418
- # sent to the client, the date this cookie was emitted is sent too.
419
- # Upon further presentations of this cookie, if the date is older
420
- # than the delay indicated by the parameter (in seconds), it will
421
- # be ignored. Otherwise, it will be refreshed if needed when the
422
- # response is sent to the client. This is particularly useful to
423
- # prevent users who never close their browsers from remaining for
424
- # too long on the same server (eg: after a farm size change). When
425
- # this option is set and a cookie has no date, it is always
426
- # accepted, but gets refreshed in the response. This maintains the
427
- # ability for admins to access their sites. Cookies that have a
428
- # date in the future further than 24 hours are ignored. Doing so
429
- # lets admins fix timezone issues without risking kicking users off
430
- # the site.
431
- #
432
- # maxlife This option allows inserted cookies to be ignored after some life
433
- # time, whether they're in use or not. It only works with insert
434
- # mode cookies. When a cookie is first sent to the client, the date
435
- # this cookie was emitted is sent too. Upon further presentations
436
- # of this cookie, if the date is older than the delay indicated by
437
- # the parameter (in seconds), it will be ignored. If the cookie in
438
- # the request has no date, it is accepted and a date will be set.
439
- # Cookies that have a date in the future further than 24 hours are
440
- # ignored. Doing so lets admins fix timezone issues without risking
441
- # kicking users off the site. Contrary to maxidle, this value is
442
- # not refreshed, only the first visit date counts. Both maxidle and
443
- # maxlife may be used at the time. This is particularly useful to
444
- # prevent users who never close their browsers from remaining for
445
- # too long on the same server (eg: after a farm size change). This
446
- # is stronger than the maxidle method in that it forces a
447
- # redispatch after some absolute delay.
448
- #
449
- # There can be only one persistence cookie per HTTP backend, and it can be
450
- # declared in a defaults section. The value of the cookie will be the value
451
- # indicated after the "cookie" keyword in a "server" statement. If no cookie
452
- # is declared for a given server, the cookie is not set.
453
- #
454
- # Examples :
455
- # cookie JSESSIONID prefix
456
- # cookie SRV insert indirect nocache
457
- # cookie SRV insert postonly indirect
458
- # cookie SRV insert indirect nocache maxidle 30m maxlife 8h
459
- #
460
- # See also : "appsession", "balance source", "capture cookie", "server"
461
- # and "ignore-persist".
462
- #
463
- attr_accessor :cookie
464
-
465
- #
466
- # default-server [param*]
467
- # Change default options for a server in a backend
468
- # May be used in sections : defaults | frontend | listen | backend
469
- # yes | no | yes | yes
470
- # Arguments:
471
- # <param*> is a list of parameters for this server. The "default-server"
472
- # keyword accepts an important number of options and has a complete
473
- # section dedicated to it. Please refer to section 5 for more
474
- # details.
475
- #
476
- # Example :
477
- # default-server inter 1000 weight 13
478
- #
479
- # See also: "server" and section 5 about server options
480
- #
481
- attr_accessor :default_server
482
-
483
- #
484
- # default_backend <backend>
485
- # Specify the backend to use when no "use_backend" rule has been matched.
486
- # May be used in sections : defaults | frontend | listen | backend
487
- # yes | yes | yes | no
488
- # Arguments :
489
- # <backend> is the name of the backend to use.
490
- #
491
- # When doing content-switching between frontend and backends using the
492
- # "use_backend" keyword, it is often useful to indicate which backend will be
493
- # used when no rule has matched. It generally is the dynamic backend which
494
- # will catch all undetermined requests.
495
- #
496
- # Example :
497
- #
498
- # use_backend dynamic if url_dyn
499
- # use_backend static if url_css url_img extension_img
500
- # default_backend dynamic
501
- #
502
- # See also : "use_backend", "reqsetbe", "reqisetbe"
503
- #
504
- attr_accessor :default_backend
505
-
506
- #
507
- # disabled
508
- # Disable a proxy, frontend or backend.
509
- # May be used in sections : defaults | frontend | listen | backend
510
- # yes | yes | yes | yes
511
- # Arguments : none
512
- #
513
- # The "disabled" keyword is used to disable an instance, mainly in order to
514
- # liberate a listening port or to temporarily disable a service. The instance
515
- # will still be created and its configuration will be checked, but it will be
516
- # created in the "stopped" state and will appear as such in the statistics. It
517
- # will not receive any traffic nor will it send any health-checks or logs. It
518
- # is possible to disable many instances at once by adding the "disabled"
519
- # keyword in a "defaults" section.
520
- #
521
- # See also : "enabled"
522
- #
523
- attr_accessor :disabled
524
-
525
- #
526
- # enabled
527
- # Enable a proxy, frontend or backend.
528
- # May be used in sections : defaults | frontend | listen | backend
529
- # yes | yes | yes | yes
530
- # Arguments : none
531
- #
532
- # The "enabled" keyword is used to explicitly enable an instance, when the
533
- # defaults has been set to "disabled". This is very rarely used.
534
- #
535
- # See also : "disabled"
536
- #
537
- attr_accessor :enabled
538
-
539
- #
540
- # errorfile <code> <file>
541
- # Return a file contents instead of errors generated by HAProxy
542
- # May be used in sections : defaults | frontend | listen | backend
543
- # yes | yes | yes | yes
544
- # Arguments :
545
- # <code> is the HTTP status code. Currently, HAProxy is capable of
546
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
547
- #
548
- # <file> designates a file containing the full HTTP response. It is
549
- # recommended to follow the common practice of appending ".http" to
550
- # the filename so that people do not confuse the response with HTML
551
- # error pages, and to use absolute paths, since files are read
552
- # before any chroot is performed.
553
- #
554
- # It is important to understand that this keyword is not meant to rewrite
555
- # errors returned by the server, but errors detected and returned by HAProxy.
556
- # This is why the list of supported errors is limited to a small set.
557
- #
558
- # The files are returned verbatim on the TCP socket. This allows any trick such
559
- # as redirections to another URL or site, as well as tricks to clean cookies,
560
- # force enable or disable caching, etc... The package provides default error
561
- # files returning the same contents as default errors.
562
- #
563
- # The files should not exceed the configured buffer size (BUFSIZE), which
564
- # generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
565
- # not to put any reference to local contents (eg: images) in order to avoid
566
- # loops between the client and HAProxy when all servers are down, causing an
567
- # error to be returned instead of an image. For better HTTP compliance, it is
568
- # recommended that all header lines end with CR-LF and not LF alone.
569
- #
570
- # The files are read at the same time as the configuration and kept in memory.
571
- # For this reason, the errors continue to be returned even when the process is
572
- # chrooted, and no file change is considered while the process is running. A
573
- # simple method for developing those files consists in associating them to the
574
- # 403 status code and interrogating a blocked URL.
575
- #
576
- # See also : "errorloc", "errorloc302", "errorloc303"
577
- #
578
- # Example :
579
- # errorfile 400 /etc/haproxy/errorfiles/400badreq.http
580
- # errorfile 403 /etc/haproxy/errorfiles/403forbid.http
581
- # errorfile 503 /etc/haproxy/errorfiles/503sorry.http
582
- #
583
- attr_accessor :errorfile
584
-
585
- #
586
- # errorloc <code> <url>
587
- # Return an HTTP redirection to a URL instead of errors generated by HAProxy
588
- # May be used in sections : defaults | frontend | listen | backend
589
- # yes | yes | yes | yes
590
- # Arguments :
591
- # <code> is the HTTP status code. Currently, HAProxy is capable of
592
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
593
- #
594
- # <url> it is the exact contents of the "Location" header. It may contain
595
- # either a relative URI to an error page hosted on the same site,
596
- # or an absolute URI designating an error page on another site.
597
- # Special care should be given to relative URIs to avoid redirect
598
- # loops if the URI itself may generate the same error (eg: 500).
599
- #
600
- # It is important to understand that this keyword is not meant to rewrite
601
- # errors returned by the server, but errors detected and returned by HAProxy.
602
- # This is why the list of supported errors is limited to a small set.
603
- #
604
- # Note that both keyword return the HTTP 302 status code, which tells the
605
- # client to fetch the designated URL using the same HTTP method. This can be
606
- # quite problematic in case of non-GET methods such as POST, because the URL
607
- # sent to the client might not be allowed for something other than GET. To
608
- # workaround this problem, please use "errorloc303" which send the HTTP 303
609
- # status code, indicating to the client that the URL must be fetched with a GET
610
- # request.
611
- #
612
- # See also : "errorfile", "errorloc303"
613
- #
614
- attr_accessor :errorloc
615
-
616
- #
617
- # errorloc302 <code> <url>
618
- # Return an HTTP redirection to a URL instead of errors generated by HAProxy
619
- # May be used in sections : defaults | frontend | listen | backend
620
- # yes | yes | yes | yes
621
- # Arguments :
622
- # <code> is the HTTP status code. Currently, HAProxy is capable of
623
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
624
- #
625
- # <url> it is the exact contents of the "Location" header. It may contain
626
- # either a relative URI to an error page hosted on the same site,
627
- # or an absolute URI designating an error page on another site.
628
- # Special care should be given to relative URIs to avoid redirect
629
- # loops if the URI itself may generate the same error (eg: 500).
630
- #
631
- # It is important to understand that this keyword is not meant to rewrite
632
- # errors returned by the server, but errors detected and returned by HAProxy.
633
- # This is why the list of supported errors is limited to a small set.
634
- #
635
- # Note that both keyword return the HTTP 302 status code, which tells the
636
- # client to fetch the designated URL using the same HTTP method. This can be
637
- # quite problematic in case of non-GET methods such as POST, because the URL
638
- # sent to the client might not be allowed for something other than GET. To
639
- # workaround this problem, please use "errorloc303" which send the HTTP 303
640
- # status code, indicating to the client that the URL must be fetched with a GET
641
- # request.
642
- #
643
- # See also : "errorfile", "errorloc303"
644
- #
645
- attr_accessor :errorloc302
646
-
647
- #
648
- # errorloc303 <code> <url>
649
- # Return an HTTP redirection to a URL instead of errors generated by HAProxy
650
- # May be used in sections : defaults | frontend | listen | backend
651
- # yes | yes | yes | yes
652
- # Arguments :
653
- # <code> is the HTTP status code. Currently, HAProxy is capable of
654
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
655
- #
656
- # <url> it is the exact contents of the "Location" header. It may contain
657
- # either a relative URI to an error page hosted on the same site,
658
- # or an absolute URI designating an error page on another site.
659
- # Special care should be given to relative URIs to avoid redirect
660
- # loops if the URI itself may generate the same error (eg: 500).
661
- #
662
- # It is important to understand that this keyword is not meant to rewrite
663
- # errors returned by the server, but errors detected and returned by HAProxy.
664
- # This is why the list of supported errors is limited to a small set.
665
- #
666
- # Note that both keyword return the HTTP 303 status code, which tells the
667
- # client to fetch the designated URL using the same HTTP GET method. This
668
- # solves the usual problems associated with "errorloc" and the 302 code. It is
669
- # possible that some very old browsers designed before HTTP/1.1 do not support
670
- # it, but no such problem has been reported till now.
671
- #
672
- # See also : "errorfile", "errorloc", "errorloc302"
673
- #
674
- attr_accessor :errorloc303
675
-
676
- #
677
- # fullconn <conns>
678
- # Specify at what backend load the servers will reach their maxconn
679
- # May be used in sections : defaults | frontend | listen | backend
680
- # yes | no | yes | yes
681
- # Arguments :
682
- # <conns> is the number of connections on the backend which will make the
683
- # servers use the maximal number of connections.
684
- #
685
- # When a server has a "maxconn" parameter specified, it means that its number
686
- # of concurrent connections will never go higher. Additionally, if it has a
687
- # "minconn" parameter, it indicates a dynamic limit following the backend's
688
- # load. The server will then always accept at least <minconn> connections,
689
- # never more than <maxconn>, and the limit will be on the ramp between both
690
- # values when the backend has less than <conns> concurrent connections. This
691
- # makes it possible to limit the load on the servers during normal loads, but
692
- # push it further for important loads without overloading the servers during
693
- # exceptional loads.
694
- #
695
- # Example :
696
- # # The servers will accept between 100 and 1000 concurrent connections each
697
- # # and the maximum of 1000 will be reached when the backend reaches 10000
698
- # # connections.
699
- # backend dynamic
700
- # fullconn 10000
701
- # server srv1 dyn1:80 minconn 100 maxconn 1000
702
- # server srv2 dyn2:80 minconn 100 maxconn 1000
703
- #
704
- # See also : "maxconn", "server"
705
- #
706
- attr_accessor :fullconn
707
-
708
- #
709
- # grace <time>
710
- # Maintain a proxy operational for some time after a soft stop
711
- # May be used in sections : defaults | frontend | listen | backend
712
- # yes | yes | yes | yes
713
- # Arguments :
714
- # <time> is the time (by default in milliseconds) for which the instance
715
- # will remain operational with the frontend sockets still listening
716
- # when a soft-stop is received via the SIGUSR1 signal.
717
- #
718
- # This may be used to ensure that the services disappear in a certain order.
719
- # This was designed so that frontends which are dedicated to monitoring by an
720
- # external equipment fail immediately while other ones remain up for the time
721
- # needed by the equipment to detect the failure.
722
- #
723
- # Note that currently, there is very little benefit in using this parameter,
724
- # and it may in fact complicate the soft-reconfiguration process more than
725
- # simplify it.
726
- #
727
- attr_accessor :grace
728
-
729
- #
730
- # hash-type <method>
731
- # Specify a method to use for mapping hashes to servers
732
- # May be used in sections : defaults | frontend | listen | backend
733
- # yes | no | yes | yes
734
- # Arguments :
735
- # map-based the hash table is a static array containing all alive servers.
736
- # The hashes will be very smooth, will consider weights, but will
737
- # be static in that weight changes while a server is up will be
738
- # ignored. This means that there will be no slow start. Also,
739
- # since a server is selected by its position in the array, most
740
- # mappings are changed when the server count changes. This means
741
- # that when a server goes up or down, or when a server is added
742
- # to a farm, most connections will be redistributed to different
743
- # servers. This can be inconvenient with caches for instance.
744
- #
745
- # consistent the hash table is a tree filled with many occurrences of each
746
- # server. The hash key is looked up in the tree and the closest
747
- # server is chosen. This hash is dynamic, it supports changing
748
- # weights while the servers are up, so it is compatible with the
749
- # slow start feature. It has the advantage that when a server
750
- # goes up or down, only its associations are moved. When a server
751
- # is added to the farm, only a few part of the mappings are
752
- # redistributed, making it an ideal algorithm for caches.
753
- # However, due to its principle, the algorithm will never be very
754
- # smooth and it may sometimes be necessary to adjust a server's
755
- # weight or its ID to get a more balanced distribution. In order
756
- # to get the same distribution on multiple load balancers, it is
757
- # important that all servers have the same IDs.
758
- #
759
- # The default hash type is "map-based" and is recommended for most usages.
760
- #
761
- # See also : "balance", "server"
762
- #
763
- attr_accessor :hash_type
764
-
765
- #
766
- # http-check disable-on-404
767
- # Enable a maintenance mode upon HTTP/404 response to health-checks
768
- # May be used in sections : defaults | frontend | listen | backend
769
- # yes | no | yes | yes
770
- # Arguments : none
771
- #
772
- # When this option is set, a server which returns an HTTP code 404 will be
773
- # excluded from further load-balancing, but will still receive persistent
774
- # connections. This provides a very convenient method for Web administrators
775
- # to perform a graceful shutdown of their servers. It is also important to note
776
- # that a server which is detected as failed while it was in this mode will not
777
- # generate an alert, just a notice. If the server responds 2xx or 3xx again, it
778
- # will immediately be reinserted into the farm. The status on the stats page
779
- # reports "NOLB" for a server in this mode. It is important to note that this
780
- # option only works in conjunction with the "httpchk" option. If this option
781
- # is used with "http-check expect", then it has precedence over it so that 404
782
- # responses will still be considered as soft-stop.
783
- #
784
- # See also : "option httpchk", "http-check expect"
785
- #
786
- attr_accessor :http_check_disable_on_404
787
-
788
- #
789
- # http-check send-state
790
- # Enable emission of a state header with HTTP health checks
791
- # May be used in sections : defaults | frontend | listen | backend
792
- # yes | no | yes | yes
793
- # Arguments : none
794
- #
795
- # When this option is set, haproxy will systematically send a special header
796
- # "X-Haproxy-Server-State" with a list of parameters indicating to each server
797
- # how they are seen by haproxy. This can be used for instance when a server is
798
- # manipulated without access to haproxy and the operator needs to know whether
799
- # haproxy still sees it up or not, or if the server is the last one in a farm.
800
- #
801
- # The header is composed of fields delimited by semi-colons, the first of which
802
- # is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
803
- # checks on the total number before transition, just as appears in the stats
804
- # interface. Next headers are in the form "<variable>=<value>", indicating in
805
- # no specific order some values available in the stats interface :
806
- # - a variable "name", containing the name of the backend followed by a slash
807
- # ("/") then the name of the server. This can be used when a server is
808
- # checked in multiple backends.
809
- #
810
- # - a variable "node" containing the name of the haproxy node, as set in the
811
- # global "node" variable, otherwise the system's hostname if unspecified.
812
- #
813
- # - a variable "weight" indicating the weight of the server, a slash ("/")
814
- # and the total weight of the farm (just counting usable servers). This
815
- # helps to know if other servers are available to handle the load when this
816
- # one fails.
817
- #
818
- # - a variable "scur" indicating the current number of concurrent connections
819
- # on the server, followed by a slash ("/") then the total number of
820
- # connections on all servers of the same backend.
821
- #
822
- # - a variable "qcur" indicating the current number of requests in the
823
- # server's queue.
824
- #
825
- # Example of a header received by the application server :
826
- # >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
827
- # scur=13/22; qcur=0
828
- #
829
- # See also : "option httpchk", "http-check disable-on-404"
830
- #
831
- attr_accessor :http_check_send_state
832
-
833
- # log global
834
- # log <address> <facility> [<level> [<minlevel>]]
835
- # Enable per-instance logging of events and traffic.
836
- # May be used in sections : defaults | frontend | listen | backend
837
- # yes | yes | yes | yes
838
- # Arguments :
839
- # global should be used when the instance's logging parameters are the
840
- # same as the global ones. This is the most common usage. "global"
841
- # replaces <address>, <facility> and <level> with those of the log
842
- # entries found in the "global" section. Only one "log global"
843
- # statement may be used per instance, and this form takes no other
844
- # parameter.
845
- #
846
- # <address> indicates where to send the logs. It takes the same format as
847
- # for the "global" section's logs, and can be one of :
848
- #
849
- # - An IPv4 address optionally followed by a colon (':') and a UDP
850
- # port. If no port is specified, 514 is used by default (the
851
- # standard syslog port).
852
- #
853
- # - A filesystem path to a UNIX domain socket, keeping in mind
854
- # considerations for chroot (be sure the path is accessible
855
- # inside the chroot) and uid/gid (be sure the path is
856
- # appropriately writeable).
857
- #
858
- # <facility> must be one of the 24 standard syslog facilities :
859
- #
860
- # kern user mail daemon auth syslog lpr news
861
- # uucp cron auth2 ftp ntp audit alert cron2
862
- # local0 local1 local2 local3 local4 local5 local6 local7
863
- #
864
- # <level> is optional and can be specified to filter outgoing messages. By
865
- # default, all messages are sent. If a level is specified, only
866
- # messages with a severity at least as important as this level
867
- # will be sent. An optional minimum level can be specified. If it
868
- # is set, logs emitted with a more severe level than this one will
869
- # be capped to this level. This is used to avoid sending "emerg"
870
- # messages on all terminals on some default syslog configurations.
871
- # Eight levels are known :
872
- #
873
- # emerg alert crit err warning notice info debug
874
- #
875
- # Note that up to two "log" entries may be specified per instance. However, if
876
- # "log global" is used and if the "global" section already contains 2 log
877
- # entries, then additional log entries will be ignored.
878
- #
879
- # Also, it is important to keep in mind that it is the frontend which decides
880
- # what to log from a connection, and that in case of content switching, the log
881
- # entries from the backend will be ignored. Connections are logged at level
882
- # "info".
883
- #
884
- # However, backend log declaration define how and where servers status changes
885
- # will be logged. Level "notice" will be used to indicate a server going up,
886
- # "warning" will be used for termination signals and definitive service
887
- # termination, and "alert" will be used for when a server goes down.
888
- #
889
- # Note : According to RFC3164, messages are truncated to 1024 bytes before
890
- # being emitted.
891
- #
892
- # Example :
893
- # log global
894
- # log 127.0.0.1:514 local0 notice # only send important events
895
- # log 127.0.0.1:514 local0 notice notice # same but limit output level
896
- #
897
- attr_accessor :log
898
-
899
- #
900
- # maxconn <conns>
901
- # Fix the maximum number of concurrent connections on a frontend
902
- # May be used in sections : defaults | frontend | listen | backend
903
- # yes | yes | yes | no
904
- # Arguments :
905
- # <conns> is the maximum number of concurrent connections the frontend will
906
- # accept to serve. Excess connections will be queued by the system
907
- # in the socket's listen queue and will be served once a connection
908
- # closes.
909
- #
910
- # If the system supports it, it can be useful on big sites to raise this limit
911
- # very high so that haproxy manages connection queues, instead of leaving the
912
- # clients with unanswered connection attempts. This value should not exceed the
913
- # global maxconn. Also, keep in mind that a connection contains two buffers
914
- # of 8kB each, as well as some other data resulting in about 17 kB of RAM being
915
- # consumed per established connection. That means that a medium system equipped
916
- # with 1GB of RAM can withstand around 40000-50000 concurrent connections if
917
- # properly tuned.
918
- #
919
- # Also, when <conns> is set to large values, it is possible that the servers
920
- # are not sized to accept such loads, and for this reason it is generally wise
921
- # to assign them some reasonable connection limits.
922
- #
923
- # See also : "server", global section's "maxconn", "fullconn"
924
- #
925
- attr_accessor :maxconn
926
-
927
- #
928
- # mode { tcp|http|health }
929
- # Set the running mode or protocol of the instance
930
- # May be used in sections : defaults | frontend | listen | backend
931
- # yes | yes | yes | yes
932
- # Arguments :
933
- # tcp The instance will work in pure TCP mode. A full-duplex connection
934
- # will be established between clients and servers, and no layer 7
935
- # examination will be performed. This is the default mode. It
936
- # should be used for SSL, SSH, SMTP, ...
937
- #
938
- # http The instance will work in HTTP mode. The client request will be
939
- # analyzed in depth before connecting to any server. Any request
940
- # which is not RFC-compliant will be rejected. Layer 7 filtering,
941
- # processing and switching will be possible. This is the mode which
942
- # brings HAProxy most of its value.
943
- #
944
- # health The instance will work in "health" mode. It will just reply "OK"
945
- # to incoming connections and close the connection. Nothing will be
946
- # logged. This mode is used to reply to external components health
947
- # checks. This mode is deprecated and should not be used anymore as
948
- # it is possible to do the same and even better by combining TCP or
949
- # HTTP modes with the "monitor" keyword.
950
- #
951
- # When doing content switching, it is mandatory that the frontend and the
952
- # backend are in the same mode (generally HTTP), otherwise the configuration
953
- # will be refused.
954
- #
955
- # Example :
956
- # defaults http_instances
957
- # mode http
958
- #
959
- # See also : "monitor", "monitor-net"
960
- #
961
- attr_accessor :mode
962
-
963
- #
964
- # monitor-net <source>
965
- # Declare a source network which is limited to monitor requests
966
- # May be used in sections : defaults | frontend | listen | backend
967
- # yes | yes | yes | no
968
- # Arguments :
969
- # <source> is the source IPv4 address or network which will only be able to
970
- # get monitor responses to any request. It can be either an IPv4
971
- # address, a host name, or an address followed by a slash ('/')
972
- # followed by a mask.
973
- #
974
- # In TCP mode, any connection coming from a source matching <source> will cause
975
- # the connection to be immediately closed without any log. This allows another
976
- # equipment to probe the port and verify that it is still listening, without
977
- # forwarding the connection to a remote server.
978
- #
979
- # In HTTP mode, a connection coming from a source matching <source> will be
980
- # accepted, the following response will be sent without waiting for a request,
981
- # then the connection will be closed : "HTTP/1.0 200 OK". This is normally
982
- # enough for any front-end HTTP probe to detect that the service is UP and
983
- # running without forwarding the request to a backend server.
984
- #
985
- # Monitor requests are processed very early. It is not possible to block nor
986
- # divert them using ACLs. They cannot be logged either, and it is the intended
987
- # purpose. They are only used to report HAProxy's health to an upper component,
988
- # nothing more. Right now, it is not possible to set failure conditions on
989
- # requests caught by "monitor-net".
990
- #
991
- # Last, please note that only one "monitor-net" statement can be specified in
992
- # a frontend. If more than one is found, only the last one will be considered.
993
- #
994
- # Example :
995
- # # addresses .252 and .253 are just probing us.
996
- # frontend www
997
- # monitor-net 192.168.0.252/31
998
- #
999
- # See also : "monitor fail", "monitor-uri"
1000
- #
1001
- attr_accessor :monitor_net
1002
-
1003
- #
1004
- # monitor-uri <uri>
1005
- # Intercept a URI used by external components' monitor requests
1006
- # May be used in sections : defaults | frontend | listen | backend
1007
- # yes | yes | yes | no
1008
- # Arguments :
1009
- # <uri> is the exact URI which we want to intercept to return HAProxy's
1010
- # health status instead of forwarding the request.
1011
- #
1012
- # When an HTTP request referencing <uri> will be received on a frontend,
1013
- # HAProxy will not forward it nor log it, but instead will return either
1014
- # "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
1015
- # conditions defined with "monitor fail". This is normally enough for any
1016
- # front-end HTTP probe to detect that the service is UP and running without
1017
- # forwarding the request to a backend server. Note that the HTTP method, the
1018
- # version and all headers are ignored, but the request must at least be valid
1019
- # at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
1020
- #
1021
- # Monitor requests are processed very early. It is not possible to block nor
1022
- # divert them using ACLs. They cannot be logged either, and it is the intended
1023
- # purpose. They are only used to report HAProxy's health to an upper component,
1024
- # nothing more. However, it is possible to add any number of conditions using
1025
- # "monitor fail" and ACLs so that the result can be adjusted to whatever check
1026
- # can be imagined (most often the number of available servers in a backend).
1027
- #
1028
- # Example :
1029
- # # Use /haproxy_test to report haproxy's status
1030
- # frontend www
1031
- # mode http
1032
- # monitor-uri /haproxy_test
1033
- #
1034
- # See also : "monitor fail", "monitor-net"
1035
- #
1036
- attr_accessor :monitor_uri
1037
-
1038
- #
1039
- # option abortonclose
1040
- # no option abortonclose
1041
- # Enable or disable early dropping of aborted requests pending in queues.
1042
- # May be used in sections : defaults | frontend | listen | backend
1043
- # yes | no | yes | yes
1044
- # Arguments : none
1045
- #
1046
- # In presence of very high loads, the servers will take some time to respond.
1047
- # The per-instance connection queue will inflate, and the response time will
1048
- # increase respective to the size of the queue times the average per-session
1049
- # response time. When clients will wait for more than a few seconds, they will
1050
- # often hit the "STOP" button on their browser, leaving a useless request in
1051
- # the queue, and slowing down other users, and the servers as well, because the
1052
- # request will eventually be served, then aborted at the first error
1053
- # encountered while delivering the response.
1054
- #
1055
- # As there is no way to distinguish between a full STOP and a simple output
1056
- # close on the client side, HTTP agents should be conservative and consider
1057
- # that the client might only have closed its output channel while waiting for
1058
- # the response. However, this introduces risks of congestion when lots of users
1059
- # do the same, and is completely useless nowadays because probably no client at
1060
- # all will close the session while waiting for the response. Some HTTP agents
1061
- # support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
1062
- # hardware-based load balancers). So the probability for a closed input channel
1063
- # to represent a user hitting the "STOP" button is close to 100%, and the risk
1064
- # of being the single component to break rare but valid traffic is extremely
1065
- # low, which adds to the temptation to be able to abort a session early while
1066
- # still not served and not pollute the servers.
1067
- #
1068
- # In HAProxy, the user can choose the desired behaviour using the option
1069
- # "abortonclose". By default (without the option) the behaviour is HTTP
1070
- # compliant and aborted requests will be served. But when the option is
1071
- # specified, a session with an incoming channel closed will be aborted while
1072
- # it is still possible, either pending in the queue for a connection slot, or
1073
- # during the connection establishment if the server has not yet acknowledged
1074
- # the connection request. This considerably reduces the queue size and the load
1075
- # on saturated servers when users are tempted to click on STOP, which in turn
1076
- # reduces the response time for other users.
1077
- #
1078
- # If this option has been enabled in a "defaults" section, it can be disabled
1079
- # in a specific instance by prepending the "no" keyword before it.
1080
- #
1081
- # See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
1082
- #
1083
- attr_accessor :option_abortonclose
1084
-
1085
- #
1086
- # option accept-invalid-http-request
1087
- # no option accept-invalid-http-request
1088
- # Enable or disable relaxing of HTTP request parsing
1089
- # May be used in sections : defaults | frontend | listen | backend
1090
- # yes | yes | yes | no
1091
- # Arguments : none
1092
- #
1093
- # By default, HAProxy complies with RFC2616 in terms of message parsing. This
1094
- # means that invalid characters in header names are not permitted and cause an
1095
- # error to be returned to the client. This is the desired behaviour as such
1096
- # forbidden characters are essentially used to build attacks exploiting server
1097
- # weaknesses, and bypass security filtering. Sometimes, a buggy browser or
1098
- # server will emit invalid header names for whatever reason (configuration,
1099
- # implementation) and the issue will not be immediately fixed. In such a case,
1100
- # it is possible to relax HAProxy's header name parser to accept any character
1101
- # even if that does not make sense, by specifying this option.
1102
- #
1103
- # This option should never be enabled by default as it hides application bugs
1104
- # and open security breaches. It should only be deployed after a problem has
1105
- # been confirmed.
1106
- #
1107
- # When this option is enabled, erroneous header names will still be accepted in
1108
- # requests, but the complete request will be captured in order to permit later
1109
- # analysis using the "show errors" request on the UNIX stats socket. Doing this
1110
- # also helps confirming that the issue has been solved.
1111
- #
1112
- # If this option has been enabled in a "defaults" section, it can be disabled
1113
- # in a specific instance by prepending the "no" keyword before it.
1114
- #
1115
- # See also : "option accept-invalid-http-response" and "show errors" on the
1116
- # stats socket.
1117
- #
1118
- attr_accessor :option_accept_invalid_http_request
1119
-
1120
- #
1121
- # option accept-invalid-http-response
1122
- # no option accept-invalid-http-response
1123
- # Enable or disable relaxing of HTTP response parsing
1124
- # May be used in sections : defaults | frontend | listen | backend
1125
- # yes | no | yes | yes
1126
- # Arguments : none
1127
- #
1128
- # By default, HAProxy complies with RFC2616 in terms of message parsing. This
1129
- # means that invalid characters in header names are not permitted and cause an
1130
- # error to be returned to the client. This is the desired behaviour as such
1131
- # forbidden characters are essentially used to build attacks exploiting server
1132
- # weaknesses, and bypass security filtering. Sometimes, a buggy browser or
1133
- # server will emit invalid header names for whatever reason (configuration,
1134
- # implementation) and the issue will not be immediately fixed. In such a case,
1135
- # it is possible to relax HAProxy's header name parser to accept any character
1136
- # even if that does not make sense, by specifying this option.
1137
- #
1138
- # This option should never be enabled by default as it hides application bugs
1139
- # and open security breaches. It should only be deployed after a problem has
1140
- # been confirmed.
1141
- #
1142
- # When this option is enabled, erroneous header names will still be accepted in
1143
- # responses, but the complete response will be captured in order to permit
1144
- # later analysis using the "show errors" request on the UNIX stats socket.
1145
- # Doing this also helps confirming that the issue has been solved.
1146
- #
1147
- # If this option has been enabled in a "defaults" section, it can be disabled
1148
- # in a specific instance by prepending the "no" keyword before it.
1149
- #
1150
- # See also : "option accept-invalid-http-request" and "show errors" on the
1151
- # stats socket.
1152
- #
1153
- attr_accessor :option_accept_invalid_http_response
1154
-
1155
- #
1156
- # option allbackups
1157
- # no option allbackups
1158
- # Use either all backup servers at a time or only the first one
1159
- # May be used in sections : defaults | frontend | listen | backend
1160
- # yes | no | yes | yes
1161
- # Arguments : none
1162
- #
1163
- # By default, the first operational backup server gets all traffic when normal
1164
- # servers are all down. Sometimes, it may be preferred to use multiple backups
1165
- # at once, because one will not be enough. When "option allbackups" is enabled,
1166
- # the load balancing will be performed among all backup servers when all normal
1167
- # ones are unavailable. The same load balancing algorithm will be used and the
1168
- # servers' weights will be respected. Thus, there will not be any priority
1169
- # order between the backup servers anymore.
1170
- #
1171
- # This option is mostly used with static server farms dedicated to return a
1172
- # "sorry" page when an application is completely offline.
1173
- #
1174
- # If this option has been enabled in a "defaults" section, it can be disabled
1175
- # in a specific instance by prepending the "no" keyword before it.
1176
- #
1177
- attr_accessor :option_allbackups
1178
-
1179
- #
1180
- # option checkcache
1181
- # no option checkcache
1182
- # Analyze all server responses and block requests with cacheable cookies
1183
- # May be used in sections : defaults | frontend | listen | backend
1184
- # yes | no | yes | yes
1185
- # Arguments : none
1186
- #
1187
- # Some high-level frameworks set application cookies everywhere and do not
1188
- # always let enough control to the developer to manage how the responses should
1189
- # be cached. When a session cookie is returned on a cacheable object, there is a
1190
- # high risk of session crossing or stealing between users traversing the same
1191
- # caches. In some situations, it is better to block the response than to let
1192
- # some sensible session information go in the wild.
1193
- #
1194
- # The option "checkcache" enables deep inspection of all server responses for
1195
- # strict compliance with HTTP specification in terms of cacheability. It
1196
- # carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
1197
- # response to check if there's a risk of caching a cookie on a client-side
1198
- # proxy. When this option is enabled, the only responses which can be delivered
1199
- # to the client are :
1200
- # - all those without "Set-Cookie" header ;
1201
- # - all those with a return code other than 200, 203, 206, 300, 301, 410,
1202
- # provided that the server has not set a "Cache-control: public" header ;
1203
- # - all those that come from a POST request, provided that the server has not
1204
- # set a 'Cache-Control: public' header ;
1205
- # - those with a 'Pragma: no-cache' header
1206
- # - those with a 'Cache-control: private' header
1207
- # - those with a 'Cache-control: no-store' header
1208
- # - those with a 'Cache-control: max-age=0' header
1209
- # - those with a 'Cache-control: s-maxage=0' header
1210
- # - those with a 'Cache-control: no-cache' header
1211
- # - those with a 'Cache-control: no-cache="set-cookie"' header
1212
- # - those with a 'Cache-control: no-cache="set-cookie,' header
1213
- # (allowing other fields after set-cookie)
1214
- #
1215
- # If a response doesn't respect these requirements, then it will be blocked
1216
- # just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
1217
- # The session state shows "PH--" meaning that the proxy blocked the response
1218
- # during headers processing. Additionally, an alert will be sent in the logs so
1219
- # that admins are informed that there's something to be fixed.
1220
- #
1221
- # Due to the high impact on the application, the application should be tested
1222
- # in depth with the option enabled before going to production. It is also a
1223
- # good practice to always activate it during tests, even if it is not used in
1224
- # production, as it will report potentially dangerous application behaviours.
1225
- #
1226
- # If this option has been enabled in a "defaults" section, it can be disabled
1227
- # in a specific instance by prepending the "no" keyword before it.
1228
- #
1229
- attr_accessor :option_checkcache
1230
-
1231
- #
1232
- # option clitcpka
1233
- # no option clitcpka
1234
- # Enable or disable the sending of TCP keepalive packets on the client side
1235
- # May be used in sections : defaults | frontend | listen | backend
1236
- # yes | yes | yes | no
1237
- # Arguments : none
1238
- #
1239
- # When there is a firewall or any session-aware component between a client and
1240
- # a server, and when the protocol involves very long sessions with long idle
1241
- # periods (eg: remote desktops), there is a risk that one of the intermediate
1242
- # components decides to expire a session which has remained idle for too long.
1243
- #
1244
- # Enabling socket-level TCP keep-alives makes the system regularly send packets
1245
- # to the other end of the connection, leaving it active. The delay between
1246
- # keep-alive probes is controlled by the system only and depends both on the
1247
- # operating system and its tuning parameters.
1248
- #
1249
- # It is important to understand that keep-alive packets are neither emitted nor
1250
- # received at the application level. It is only the network stacks which sees
1251
- # them. For this reason, even if one side of the proxy already uses keep-alives
1252
- # to maintain its connection alive, those keep-alive packets will not be
1253
- # forwarded to the other side of the proxy.
1254
- #
1255
- # Please note that this has nothing to do with HTTP keep-alive.
1256
- #
1257
- # Using option "clitcpka" enables the emission of TCP keep-alive probes on the
1258
- # client side of a connection, which should help when session expirations are
1259
- # noticed between HAProxy and a client.
1260
- #
1261
- # If this option has been enabled in a "defaults" section, it can be disabled
1262
- # in a specific instance by prepending the "no" keyword before it.
1263
- #
1264
- # See also : "option srvtcpka", "option tcpka"
1265
- #
1266
- attr_accessor :option_clitcpka
1267
-
1268
- #
1269
- # option contstats
1270
- # Enable continuous traffic statistics updates
1271
- # May be used in sections : defaults | frontend | listen | backend
1272
- # yes | yes | yes | no
1273
- # Arguments : none
1274
- #
1275
- # By default, counters used for statistics calculation are incremented
1276
- # only when a session finishes. It works quite well when serving small
1277
- # objects, but with big ones (for example large images or archives) or
1278
- # with A/V streaming, a graph generated from haproxy counters looks like
1279
- # a hedgehog. With this option enabled counters get incremented continuously,
1280
- # during a whole session. Recounting touches a hotpath directly so
1281
- # it is not enabled by default, as it has small performance impact (~0.5%).
1282
- #
1283
- attr_accessor :option_contstats
1284
-
1285
- #
1286
- # option dontlog-normal
1287
- # no option dontlog-normal
1288
- # Enable or disable logging of normal, successful connections
1289
- # May be used in sections : defaults | frontend | listen | backend
1290
- # yes | yes | yes | no
1291
- # Arguments : none
1292
- #
1293
- # There are large sites dealing with several thousand connections per second
1294
- # and for which logging is a major pain. Some of them are even forced to turn
1295
- # logs off and cannot debug production issues. Setting this option ensures that
1296
- # normal connections, those which experience no error, no timeout, no retry nor
1297
- # redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
1298
- # mode, the response status code is checked and return codes 5xx will still be
1299
- # logged.
1300
- #
1301
- # It is strongly discouraged to use this option as most of the time, the key to
1302
- # complex issues is in the normal logs which will not be logged here. If you
1303
- # need to separate logs, see the "log-separate-errors" option instead.
1304
- #
1305
- # See also : "log", "dontlognull", "log-separate-errors" and section 8 about
1306
- # logging.
1307
- #
1308
- attr_accessor :option_dontlog_normal
1309
-
1310
- #
1311
- # option dontlognull
1312
- # no option dontlognull
1313
- # Enable or disable logging of null connections
1314
- # May be used in sections : defaults | frontend | listen | backend
1315
- # yes | yes | yes | no
1316
- # Arguments : none
1317
- #
1318
- # In certain environments, there are components which will regularly connect to
1319
- # various systems to ensure that they are still alive. It can be the case from
1320
- # another load balancer as well as from monitoring systems. By default, even a
1321
- # simple port probe or scan will produce a log. If those connections pollute
1322
- # the logs too much, it is possible to enable option "dontlognull" to indicate
1323
- # that a connection on which no data has been transferred will not be logged,
1324
- # which typically corresponds to those probes.
1325
- #
1326
- # It is generally recommended not to use this option in uncontrolled
1327
- # environments (eg: internet), otherwise scans and other malicious activities
1328
- # would not be logged.
1329
- #
1330
- # If this option has been enabled in a "defaults" section, it can be disabled
1331
- # in a specific instance by prepending the "no" keyword before it.
1332
- #
1333
- # See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
1334
- #
1335
- attr_accessor :option_dontlognull
1336
-
1337
- #
1338
- # option forceclose
1339
- # no option forceclose
1340
- # Enable or disable active connection closing after response is transferred.
1341
- # May be used in sections : defaults | frontend | listen | backend
1342
- # yes | yes | yes | yes
1343
- # Arguments : none
1344
- #
1345
- # Some HTTP servers do not necessarily close the connections when they receive
1346
- # the "Connection: close" set by "option httpclose", and if the client does not
1347
- # close either, then the connection remains open till the timeout expires. This
1348
- # causes high number of simultaneous connections on the servers and shows high
1349
- # global session times in the logs.
1350
- #
1351
- # When this happens, it is possible to use "option forceclose". It will
1352
- # actively close the outgoing server channel as soon as the server has finished
1353
- # to respond. This option implicitly enables the "httpclose" option. Note that
1354
- # this option also enables the parsing of the full request and response, which
1355
- # means we can close the connection to the server very quickly, releasing some
1356
- # resources earlier than with httpclose.
1357
- #
1358
- # This option may also be combined with "option http-pretend-keepalive", which
1359
- # will disable sending of the "Connection: close" header, but will still cause
1360
- # the connection to be closed once the whole response is received.
1361
- #
1362
- # If this option has been enabled in a "defaults" section, it can be disabled
1363
- # in a specific instance by prepending the "no" keyword before it.
1364
- #
1365
- # See also : "option httpclose" and "option http-pretend-keepalive"
1366
- #
1367
- attr_accessor :option_forceclose
1368
-
1369
- #
1370
- # option forwardfor [ except <network> ] [ header <name> ]
1371
- # Enable insertion of the X-Forwarded-For header to requests sent to servers
1372
- # May be used in sections : defaults | frontend | listen | backend
1373
- # yes | yes | yes | yes
1374
- # Arguments :
1375
- # <network> is an optional argument used to disable this option for sources
1376
- # matching <network>
1377
- # <name> an optional argument to specify a different "X-Forwarded-For"
1378
- # header name.
1379
- #
1380
- # Since HAProxy works in reverse-proxy mode, the servers see its IP address as
1381
- # their client address. This is sometimes annoying when the client's IP address
1382
- # is expected in server logs. To solve this problem, the well-known HTTP header
1383
- # "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
1384
- # This header contains a value representing the client's IP address. Since this
1385
- # header is always appended at the end of the existing header list, the server
1386
- # must be configured to always use the last occurrence of this header only. See
1387
- # the server's manual to find how to enable use of this standard header. Note
1388
- # that only the last occurrence of the header must be used, since it is really
1389
- # possible that the client has already brought one.
1390
- #
1391
- # The keyword "header" may be used to supply a different header name to replace
1392
- # the default "X-Forwarded-For". This can be useful where you might already
1393
- # have a "X-Forwarded-For" header from a different application (eg: stunnel),
1394
- # and you need preserve it. Also if your backend server doesn't use the
1395
- # "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
1396
- # require "X-Cluster-Client-IP").
1397
- #
1398
- # Sometimes, a same HAProxy instance may be shared between a direct client
1399
- # access and a reverse-proxy access (for instance when an SSL reverse-proxy is
1400
- # used to decrypt HTTPS traffic). It is possible to disable the addition of the
1401
- # header for a known source address or network by adding the "except" keyword
1402
- # followed by the network address. In this case, any source IP matching the
1403
- # network will not cause an addition of this header. Most common uses are with
1404
- # private networks or 127.0.0.1.
1405
- #
1406
- # This option may be specified either in the frontend or in the backend. If at
1407
- # least one of them uses it, the header will be added. Note that the backend's
1408
- # setting of the header subargument takes precedence over the frontend's if
1409
- # both are defined.
1410
- #
1411
- # It is important to note that as long as HAProxy does not support keep-alive
1412
- # connections, only the first request of a connection will receive the header.
1413
- # For this reason, it is important to ensure that "option httpclose" is set
1414
- # when using this option.
1415
- #
1416
- # Examples :
1417
- # # Public HTTP address also used by stunnel on the same machine
1418
- # frontend www
1419
- # mode http
1420
- # option forwardfor except 127.0.0.1 # stunnel already adds the header
1421
- #
1422
- # # Those servers want the IP Address in X-Client
1423
- # backend www
1424
- # mode http
1425
- # option forwardfor header X-Client
1426
- #
1427
- # See also : "option httpclose"
1428
- #
1429
- attr_accessor :option_forwardfor
1430
-
1431
- #
1432
- # option http-pretend-keepalive
1433
- # no option http-pretend-keepalive
1434
- # Define whether haproxy will announce keepalive to the server or not
1435
- # May be used in sections : defaults | frontend | listen | backend
1436
- # yes | yes | yes | yes
1437
- # Arguments : none
1438
- #
1439
- # When running with "option http-server-close" or "option forceclose", haproxy
1440
- # adds a "Connection: close" header to the request forwarded to the server.
1441
- # Unfortunately, when some servers see this header, they automatically refrain
1442
- # from using the chunked encoding for responses of unknown length, while this
1443
- # is totally unrelated. The immediate effect is that this prevents haproxy from
1444
- # maintaining the client connection alive. A second effect is that a client or
1445
- # a cache could receive an incomplete response without being aware of it, and
1446
- # consider the response complete.
1447
- #
1448
- # By setting "option http-pretend-keepalive", haproxy will make the server
1449
- # believe it will keep the connection alive. The server will then not fall back
1450
- # to the abnormal undesired above. When haproxy gets the whole response, it
1451
- # will close the connection with the server just as it would do with the
1452
- # "forceclose" option. That way the client gets a normal response and the
1453
- # connection is correctly closed on the server side.
1454
- #
1455
- # It is recommended not to enable this option by default, because most servers
1456
- # will more efficiently close the connection themselves after the last packet,
1457
- # and release its buffers slightly earlier. Also, the added packet on the
1458
- # network could slightly reduce the overall peak performance. However it is
1459
- # worth noting that when this option is enabled, haproxy will have slightly
1460
- # less work to do. So if haproxy is the bottleneck on the whole architecture,
1461
- # enabling this option might save a few CPU cycles.
1462
- #
1463
- # This option may be set both in a frontend and in a backend. It is enabled if
1464
- # at least one of the frontend or backend holding a connection has it enabled.
1465
- # This option may be compbined with "option httpclose", which will cause
1466
- # keepalive to be announced to the server and close to be announced to the
1467
- # client. This practice is discouraged though.
1468
- #
1469
- # If this option has been enabled in a "defaults" section, it can be disabled
1470
- # in a specific instance by prepending the "no" keyword before it.
1471
- #
1472
- # See also : "option forceclose" and "option http-server-close"
1473
- #
1474
- attr_accessor :option_http_pretend_keepalive
1475
-
1476
- #
1477
- # option http-server-close
1478
- # no option http-server-close
1479
- # Enable or disable HTTP connection closing on the server side
1480
- # May be used in sections : defaults | frontend | listen | backend
1481
- # yes | yes | yes | yes
1482
- # Arguments : none
1483
- #
1484
- # By default, when a client communicates with a server, HAProxy will only
1485
- # analyze, log, and process the first request of each connection. Setting
1486
- # "option http-server-close" enables HTTP connection-close mode on the server
1487
- # side while keeping the ability to support HTTP keep-alive and pipelining on
1488
- # the client side. This provides the lowest latency on the client side (slow
1489
- # network) and the fastest session reuse on the server side to save server
1490
- # resources, similarly to "option forceclose". It also permits non-keepalive
1491
- # capable servers to be served in keep-alive mode to the clients if they
1492
- # conform to the requirements of RFC2616. Please note that some servers do not
1493
- # always conform to those requirements when they see "Connection: close" in the
1494
- # request. The effect will be that keep-alive will never be used. A workaround
1495
- # consists in enabling "option http-pretend-keepalive".
1496
- #
1497
- # At the moment, logs will not indicate whether requests came from the same
1498
- # session or not. The accept date reported in the logs corresponds to the end
1499
- # of the previous request, and the request time corresponds to the time spent
1500
- # waiting for a new request. The keep-alive request time is still bound to the
1501
- # timeout defined by "timeout http-keep-alive" or "timeout http-request" if
1502
- # not set.
1503
- #
1504
- # This option may be set both in a frontend and in a backend. It is enabled if
1505
- # at least one of the frontend or backend holding a connection has it enabled.
1506
- # It is worth noting that "option forceclose" has precedence over "option
1507
- # http-server-close" and that combining "http-server-close" with "httpclose"
1508
- # basically achieve the same result as "forceclose".
1509
- #
1510
- # If this option has been enabled in a "defaults" section, it can be disabled
1511
- # in a specific instance by prepending the "no" keyword before it.
1512
- #
1513
- # See also : "option forceclose", "option http-pretend-keepalive",
1514
- # "option httpclose" and "1.1. The HTTP transaction model".
1515
- #
1516
- attr_accessor :option_http_server_close
1517
-
1518
- #
1519
- # option http-use-proxy-header
1520
- # no option http-use-proxy-header
1521
- # Make use of non-standard Proxy-Connection header instead of Connection
1522
- # May be used in sections : defaults | frontend | listen | backend
1523
- # yes | yes | yes | no
1524
- # Arguments : none
1525
- #
1526
- # While RFC2616 explicitly states that HTTP/1.1 agents must use the
1527
- # Connection header to indicate their wish of persistent or non-persistent
1528
- # connections, both browsers and proxies ignore this header for proxied
1529
- # connections and make use of the undocumented, non-standard Proxy-Connection
1530
- # header instead. The issue begins when trying to put a load balancer between
1531
- # browsers and such proxies, because there will be a difference between what
1532
- # haproxy understands and what the client and the proxy agree on.
1533
- #
1534
- # By setting this option in a frontend, haproxy can automatically switch to use
1535
- # that non-standard header if it sees proxied requests. A proxied request is
1536
- # defined here as one where the URI begins with neither a '/' nor a '*'. The
1537
- # choice of header only affects requests passing through proxies making use of
1538
- # one of the "httpclose", "forceclose" and "http-server-close" options. Note
1539
- # that this option can only be specified in a frontend and will affect the
1540
- # request along its whole life.
1541
- #
1542
- # Also, when this option is set, a request which requires authentication will
1543
- # automatically switch to use proxy authentication headers if it is itself a
1544
- # proxied request. That makes it possible to check or enforce authentication in
1545
- # front of an existing proxy.
1546
- #
1547
- # This option should normally never be used, except in front of a proxy.
1548
- #
1549
- # See also : "option httpclose", "option forceclose" and "option
1550
- # http-server-close".
1551
- #
1552
- attr_accessor :option_http_use_proxy_header
1553
-
1554
- #
1555
- # option httpchk
1556
- # option httpchk <uri>
1557
- # option httpchk <method> <uri>
1558
- # option httpchk <method> <uri> <version>
1559
- # Enable HTTP protocol to check on the servers health
1560
- # May be used in sections : defaults | frontend | listen | backend
1561
- # yes | no | yes | yes
1562
- # Arguments :
1563
- # <method> is the optional HTTP method used with the requests. When not set,
1564
- # the "OPTIONS" method is used, as it generally requires low server
1565
- # processing and is easy to filter out from the logs. Any method
1566
- # may be used, though it is not recommended to invent non-standard
1567
- # ones.
1568
- #
1569
- # <uri> is the URI referenced in the HTTP requests. It defaults to " / "
1570
- # which is accessible by default on almost any server, but may be
1571
- # changed to any other URI. Query strings are permitted.
1572
- #
1573
- # <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
1574
- # but some servers might behave incorrectly in HTTP 1.0, so turning
1575
- # it to HTTP/1.1 may sometimes help. Note that the Host field is
1576
- # mandatory in HTTP/1.1, and as a trick, it is possible to pass it
1577
- # after "\r\n" following the version string.
1578
- #
1579
- # By default, server health checks only consist in trying to establish a TCP
1580
- # connection. When "option httpchk" is specified, a complete HTTP request is
1581
- # sent once the TCP connection is established, and responses 2xx and 3xx are
1582
- # considered valid, while all other ones indicate a server failure, including
1583
- # the lack of any response.
1584
- #
1585
- # The port and interval are specified in the server configuration.
1586
- #
1587
- # This option does not necessarily require an HTTP backend, it also works with
1588
- # plain TCP backends. This is particularly useful to check simple scripts bound
1589
- # to some dedicated ports using the inetd daemon.
1590
- #
1591
- # Examples :
1592
- # # Relay HTTPS traffic to Apache instance and check service availability
1593
- # # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
1594
- # backend https_relay
1595
- # mode tcp
1596
- # option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
1597
- # server apache1 192.168.1.1:443 check port 80
1598
- #
1599
- # See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
1600
- # "http-check" and the "check", "port" and "inter" server options.
1601
- #
1602
- attr_accessor :option_httpchk
1603
-
1604
- #
1605
- # option httpclose
1606
- # no option httpclose
1607
- # Enable or disable passive HTTP connection closing
1608
- # May be used in sections : defaults | frontend | listen | backend
1609
- # yes | yes | yes | yes
1610
- # Arguments : none
1611
- #
1612
- # By default, when a client communicates with a server, HAProxy will only
1613
- # analyze, log, and process the first request of each connection. If "option
1614
- # httpclose" is set, it will check if a "Connection: close" header is already
1615
- # set in each direction, and will add one if missing. Each end should react to
1616
- # this by actively closing the TCP connection after each transfer, thus
1617
- # resulting in a switch to the HTTP close mode. Any "Connection" header
1618
- # different from "close" will also be removed.
1619
- #
1620
- # It seldom happens that some servers incorrectly ignore this header and do not
1621
- # close the connection eventhough they reply "Connection: close". For this
1622
- # reason, they are not compatible with older HTTP 1.0 browsers. If this happens
1623
- # it is possible to use the "option forceclose" which actively closes the
1624
- # request connection once the server responds. Option "forceclose" also
1625
- # releases the server connection earlier because it does not have to wait for
1626
- # the client to acknowledge it.
1627
- #
1628
- # This option may be set both in a frontend and in a backend. It is enabled if
1629
- # at least one of the frontend or backend holding a connection has it enabled.
1630
- # If "option forceclose" is specified too, it has precedence over "httpclose".
1631
- # If "option http-server-close" is enabled at the same time as "httpclose", it
1632
- # basically achieves the same result as "option forceclose".
1633
- #
1634
- # If this option has been enabled in a "defaults" section, it can be disabled
1635
- # in a specific instance by prepending the "no" keyword before it.
1636
- #
1637
- # See also : "option forceclose", "option http-server-close" and
1638
- # "1.1. The HTTP transaction model".
1639
- #
1640
- attr_accessor :option_httpclose
1641
-
1642
- #
1643
- # option httplog [ clf ]
1644
- # Enable logging of HTTP request, session state and timers
1645
- # May be used in sections : defaults | frontend | listen | backend
1646
- # yes | yes | yes | yes
1647
- # Arguments :
1648
- # clf if the "clf" argument is added, then the output format will be
1649
- # the CLF format instead of HAProxy's default HTTP format. You can
1650
- # use this when you need to feed HAProxy's logs through a specific
1651
- # log analyser which only support the CLF format and which is not
1652
- # extensible.
1653
- #
1654
- # By default, the log output format is very poor, as it only contains the
1655
- # source and destination addresses, and the instance name. By specifying
1656
- # "option httplog", each log line turns into a much richer format including,
1657
- # but not limited to, the HTTP request, the connection timers, the session
1658
- # status, the connections numbers, the captured headers and cookies, the
1659
- # frontend, backend and server name, and of course the source address and
1660
- # ports.
1661
- #
1662
- # This option may be set either in the frontend or the backend.
1663
- #
1664
- # If this option has been enabled in a "defaults" section, it can be disabled
1665
- # in a specific instance by prepending the "no" keyword before it. Specifying
1666
- # only "option httplog" will automatically clear the 'clf' mode if it was set
1667
- # by default.
1668
- #
1669
- # See also : section 8 about logging.
1670
- #
1671
- attr_accessor :option_httplog
1672
-
1673
- #
1674
- # option http_proxy
1675
- # no option http_proxy
1676
- # Enable or disable plain HTTP proxy mode
1677
- # May be used in sections : defaults | frontend | listen | backend
1678
- # yes | yes | yes | yes
1679
- # Arguments : none
1680
- #
1681
- # It sometimes happens that people need a pure HTTP proxy which understands
1682
- # basic proxy requests without caching nor any fancy feature. In this case,
1683
- # it may be worth setting up an HAProxy instance with the "option http_proxy"
1684
- # set. In this mode, no server is declared, and the connection is forwarded to
1685
- # the IP address and port found in the URL after the "http://" scheme.
1686
- #
1687
- # No host address resolution is performed, so this only works when pure IP
1688
- # addresses are passed. Since this option's usage perimeter is rather limited,
1689
- # it will probably be used only by experts who know they need exactly it. Last,
1690
- # if the clients are susceptible of sending keep-alive requests, it will be
1691
- # needed to add "option http_close" to ensure that all requests will correctly
1692
- # be analyzed.
1693
- #
1694
- # If this option has been enabled in a "defaults" section, it can be disabled
1695
- # in a specific instance by prepending the "no" keyword before it.
1696
- #
1697
- # Example :
1698
- # # this backend understands HTTP proxy requests and forwards them directly.
1699
- # backend direct_forward
1700
- # option httpclose
1701
- # option http_proxy
1702
- #
1703
- # See also : "option httpclose"
1704
- #
1705
- attr_accessor :option_http_proxy
1706
-
1707
- #
1708
- # option independant-streams
1709
- # no option independant-streams
1710
- # Enable or disable independant timeout processing for both directions
1711
- # May be used in sections : defaults | frontend | listen | backend
1712
- # yes | yes | yes | yes
1713
- # Arguments : none
1714
- #
1715
- # By default, when data is sent over a socket, both the write timeout and the
1716
- # read timeout for that socket are refreshed, because we consider that there is
1717
- # activity on that socket, and we have no other means of guessing if we should
1718
- # receive data or not.
1719
- #
1720
- # While this default behaviour is desirable for almost all applications, there
1721
- # exists a situation where it is desirable to disable it, and only refresh the
1722
- # read timeout if there are incoming data. This happens on sessions with large
1723
- # timeouts and low amounts of exchanged data such as telnet session. If the
1724
- # server suddenly disappears, the output data accumulates in the system's
1725
- # socket buffers, both timeouts are correctly refreshed, and there is no way
1726
- # to know the server does not receive them, so we don't timeout. However, when
1727
- # the underlying protocol always echoes sent data, it would be enough by itself
1728
- # to detect the issue using the read timeout. Note that this problem does not
1729
- # happen with more verbose protocols because data won't accumulate long in the
1730
- # socket buffers.
1731
- #
1732
- # When this option is set on the frontend, it will disable read timeout updates
1733
- # on data sent to the client. There probably is little use of this case. When
1734
- # the option is set on the backend, it will disable read timeout updates on
1735
- # data sent to the server. Doing so will typically break large HTTP posts from
1736
- # slow lines, so use it with caution.
1737
- #
1738
- # See also : "timeout client" and "timeout server"
1739
- #
1740
- attr_accessor :option_independant_streams
1741
-
1742
- #
1743
- # option ldap-check
1744
- # Use LDAPv3 health checks for server testing
1745
- # May be used in sections : defaults | frontend | listen | backend
1746
- # yes | no | yes | yes
1747
- # Arguments : none
1748
- #
1749
- # It is possible to test that the server correctly talks LDAPv3 instead of just
1750
- # testing that it accepts the TCP connection. When this option is set, an
1751
- # LDAPv3 anonymous simple bind message is sent to the server, and the response
1752
- # is analyzed to find an LDAPv3 bind response message.
1753
- #
1754
- # The server is considered valid only when the LDAP response contains success
1755
- # resultCode (http://tools.ietf.org/html/rfc4511#section-4.1.9).
1756
- #
1757
- # Logging of bind requests is server dependent see your documentation how to
1758
- # configure it.
1759
- #
1760
- # Example :
1761
- # option ldap-check
1762
- #
1763
- # See also : "option httpchk"
1764
- #
1765
- attr_accessor :option_ldap_check
1766
-
1767
- #
1768
- # option log-health-checks
1769
- # no option log-health-checks
1770
- # Enable or disable logging of health checks
1771
- # May be used in sections : defaults | frontend | listen | backend
1772
- # yes | no | yes | yes
1773
- # Arguments : none
1774
- #
1775
- # Enable health checks logging so it possible to check for example what
1776
- # was happening before a server crash. Failed health check are logged if
1777
- # server is UP and succeeded health checks if server is DOWN, so the amount
1778
- # of additional information is limited.
1779
- #
1780
- # If health check logging is enabled no health check status is printed
1781
- # when servers is set up UP/DOWN/ENABLED/DISABLED.
1782
- #
1783
- # See also: "log" and section 8 about logging.
1784
- #
1785
- attr_accessor :option_log_health_checks
1786
-
1787
- #
1788
- # option log-separate-errors
1789
- # no option log-separate-errors
1790
- # Change log level for non-completely successful connections
1791
- # May be used in sections : defaults | frontend | listen | backend
1792
- # yes | yes | yes | no
1793
- # Arguments : none
1794
- #
1795
- # Sometimes looking for errors in logs is not easy. This option makes haproxy
1796
- # raise the level of logs containing potentially interesting information such
1797
- # as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
1798
- # level changes from "info" to "err". This makes it possible to log them
1799
- # separately to a different file with most syslog daemons. Be careful not to
1800
- # remove them from the original file, otherwise you would lose ordering which
1801
- # provides very important information.
1802
- #
1803
- # Using this option, large sites dealing with several thousand connections per
1804
- # second may log normal traffic to a rotating buffer and only archive smaller
1805
- # error logs.
1806
- #
1807
- # See also : "log", "dontlognull", "dontlog-normal" and section 8 about
1808
- # logging.
1809
- #
1810
- attr_accessor :option_log_separate_errors
1811
-
1812
- #
1813
- # option logasap
1814
- # no option logasap
1815
- # Enable or disable early logging of HTTP requests
1816
- # May be used in sections : defaults | frontend | listen | backend
1817
- # yes | yes | yes | no
1818
- # Arguments : none
1819
- #
1820
- # By default, HTTP requests are logged upon termination so that the total
1821
- # transfer time and the number of bytes appear in the logs. When large objects
1822
- # are being transferred, it may take a while before the request appears in the
1823
- # logs. Using "option logasap", the request gets logged as soon as the server
1824
- # sends the complete headers. The only missing information in the logs will be
1825
- # the total number of bytes which will indicate everything except the amount
1826
- # of data transferred, and the total time which will not take the transfer
1827
- # time into account. In such a situation, it's a good practice to capture the
1828
- # "Content-Length" response header so that the logs at least indicate how many
1829
- # bytes are expected to be transferred.
1830
- #
1831
- # Examples :
1832
- # listen http_proxy 0.0.0.0:80
1833
- # mode http
1834
- # option httplog
1835
- # option logasap
1836
- # log 192.168.2.200 local3
1837
- #
1838
- # >>> Feb 6 12:14:14 localhost \
1839
- # haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
1840
- # static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
1841
- # "GET /image.iso HTTP/1.0"
1842
- #
1843
- # See also : "option httplog", "capture response header", and section 8 about
1844
- # logging.
1845
- #
1846
- attr_accessor :option_logasap
1847
-
1848
- #
1849
- # option mysql-check [ user <username> ]
1850
- # Use MySQL health checks for server testing
1851
- # May be used in sections : defaults | frontend | listen | backend
1852
- # yes | no | yes | yes
1853
- # Arguments :
1854
- # user <username> This is the username which will be used when connecting
1855
- # to MySQL server.
1856
- #
1857
- # If you specify a username, the check consists of sending two MySQL packet,
1858
- # one Client Authentication packet, and one QUIT packet, to correctly close
1859
- # MySQL session. We then parse the MySQL Handshake Initialisation packet and/or
1860
- # Error packet. It is a basic but useful test which does not produce error nor
1861
- # aborted connect on the server. However, it requires adding an authorization
1862
- # in the MySQL table, like this :
1863
- #
1864
- # USE mysql;
1865
- # INSERT INTO user (Host,User) values ('<ip_of_haproxy>','<username>');
1866
- # FLUSH PRIVILEGES;
1867
- #
1868
- # If you don't specify a username (it is deprecated and not recommended), the
1869
- # check only consists in parsing the Mysql Handshake Initialisation packet or
1870
- # Error packet, we don't send anything in this mode. It was reported that it
1871
- # can generate lockout if check is too frequent and/or if there is not enough
1872
- # traffic. In fact, you need in this case to check MySQL "max_connect_errors"
1873
- # value as if a connection is established successfully within fewer than MySQL
1874
- # "max_connect_errors" attempts after a previous connection was interrupted,
1875
- # the error count for the host is cleared to zero. If HAProxy's server get
1876
- # blocked, the "FLUSH HOSTS" statement is the only way to unblock it.
1877
- #
1878
- # Remember that this does not check database presence nor database consistency.
1879
- # To do this, you can use an external check with xinetd for example.
1880
- #
1881
- # The check requires MySQL >=4.0, for older version, please use TCP check.
1882
- #
1883
- # Most often, an incoming MySQL server needs to see the client's IP address for
1884
- # various purposes, including IP privilege matching and connection logging.
1885
- # When possible, it is often wise to masquerade the client's IP address when
1886
- # connecting to the server using the "usesrc" argument of the "source" keyword,
1887
- # which requires the cttproxy feature to be compiled in, and the MySQL server
1888
- # to route the client via the machine hosting haproxy.
1889
- #
1890
- # See also: "option httpchk"
1891
- #
1892
- attr_accessor :option_mysql_check
1893
-
1894
- #
1895
- # option nolinger
1896
- # no option nolinger
1897
- # Enable or disable immediate session resource cleaning after close
1898
- # May be used in sections: defaults | frontend | listen | backend
1899
- # yes | yes | yes | yes
1900
- # Arguments : none
1901
- #
1902
- # When clients or servers abort connections in a dirty way (eg: they are
1903
- # physically disconnected), the session timeouts triggers and the session is
1904
- # closed. But it will remain in FIN_WAIT1 state for some time in the system,
1905
- # using some resources and possibly limiting the ability to establish newer
1906
- # connections.
1907
- #
1908
- # When this happens, it is possible to activate "option nolinger" which forces
1909
- # the system to immediately remove any socket's pending data on close. Thus,
1910
- # the session is instantly purged from the system's tables. This usually has
1911
- # side effects such as increased number of TCP resets due to old retransmits
1912
- # getting immediately rejected. Some firewalls may sometimes complain about
1913
- # this too.
1914
- #
1915
- # For this reason, it is not recommended to use this option when not absolutely
1916
- # needed. You know that you need it when you have thousands of FIN_WAIT1
1917
- # sessions on your system (TIME_WAIT ones do not count).
1918
- #
1919
- # This option may be used both on frontends and backends, depending on the side
1920
- # where it is required. Use it on the frontend for clients, and on the backend
1921
- # for servers.
1922
- #
1923
- # If this option has been enabled in a "defaults" section, it can be disabled
1924
- # in a specific instance by prepending the "no" keyword before it.
1925
- #
1926
- attr_accessor :option_nolinger
1927
-
1928
- #
1929
- # option originalto [ except <network> ] [ header <name> ]
1930
- # Enable insertion of the X-Original-To header to requests sent to servers
1931
- # May be used in sections : defaults | frontend | listen | backend
1932
- # yes | yes | yes | yes
1933
- # Arguments :
1934
- # <network> is an optional argument used to disable this option for sources
1935
- # matching <network>
1936
- # <name> an optional argument to specify a different "X-Original-To"
1937
- # header name.
1938
- #
1939
- # Since HAProxy can work in transparent mode, every request from a client can
1940
- # be redirected to the proxy and HAProxy itself can proxy every request to a
1941
- # complex SQUID environment and the destination host from SO_ORIGINAL_DST will
1942
- # be lost. This is annoying when you want access rules based on destination ip
1943
- # addresses. To solve this problem, a new HTTP header "X-Original-To" may be
1944
- # added by HAProxy to all requests sent to the server. This header contains a
1945
- # value representing the original destination IP address. Since this must be
1946
- # configured to always use the last occurrence of this header only. Note that
1947
- # only the last occurrence of the header must be used, since it is really
1948
- # possible that the client has already brought one.
1949
- #
1950
- # The keyword "header" may be used to supply a different header name to replace
1951
- # the default "X-Original-To". This can be useful where you might already
1952
- # have a "X-Original-To" header from a different application, and you need
1953
- # preserve it. Also if your backend server doesn't use the "X-Original-To"
1954
- # header and requires different one.
1955
- #
1956
- # Sometimes, a same HAProxy instance may be shared between a direct client
1957
- # access and a reverse-proxy access (for instance when an SSL reverse-proxy is
1958
- # used to decrypt HTTPS traffic). It is possible to disable the addition of the
1959
- # header for a known source address or network by adding the "except" keyword
1960
- # followed by the network address. In this case, any source IP matching the
1961
- # network will not cause an addition of this header. Most common uses are with
1962
- # private networks or 127.0.0.1.
1963
- #
1964
- # This option may be specified either in the frontend or in the backend. If at
1965
- # least one of them uses it, the header will be added. Note that the backend's
1966
- # setting of the header subargument takes precedence over the frontend's if
1967
- # both are defined.
1968
- #
1969
- # It is important to note that as long as HAProxy does not support keep-alive
1970
- # connections, only the first request of a connection will receive the header.
1971
- # For this reason, it is important to ensure that "option httpclose" is set
1972
- # when using this option.
1973
- #
1974
- # Examples :
1975
- # # Original Destination address
1976
- # frontend www
1977
- # mode http
1978
- # option originalto except 127.0.0.1
1979
- #
1980
- # # Those servers want the IP Address in X-Client-Dst
1981
- # backend www
1982
- # mode http
1983
- # option originalto header X-Client-Dst
1984
- #
1985
- # See also : "option httpclose"
1986
- #
1987
- attr_accessor :option_originalto
1988
-
1989
- #
1990
- # option persist
1991
- # no option persist
1992
- # Enable or disable forced persistence on down servers
1993
- # May be used in sections: defaults | frontend | listen | backend
1994
- # yes | no | yes | yes
1995
- # Arguments : none
1996
- #
1997
- # When an HTTP request reaches a backend with a cookie which references a dead
1998
- # server, by default it is redispatched to another server. It is possible to
1999
- # force the request to be sent to the dead server first using "option persist"
2000
- # if absolutely needed. A common use case is when servers are under extreme
2001
- # load and spend their time flapping. In this case, the users would still be
2002
- # directed to the server they opened the session on, in the hope they would be
2003
- # correctly served. It is recommended to use "option redispatch" in conjunction
2004
- # with this option so that in the event it would not be possible to connect to
2005
- # the server at all (server definitely dead), the client would finally be
2006
- # redirected to another valid server.
2007
- #
2008
- # If this option has been enabled in a "defaults" section, it can be disabled
2009
- # in a specific instance by prepending the "no" keyword before it.
2010
- #
2011
- # See also : "option redispatch", "retries", "force-persist"
2012
- #
2013
- attr_accessor :option_persist
2014
-
2015
- #
2016
- # option redispatch
2017
- # no option redispatch
2018
- # Enable or disable session redistribution in case of connection failure
2019
- # May be used in sections: defaults | frontend | listen | backend
2020
- # yes | no | yes | yes
2021
- # Arguments : none
2022
- #
2023
- # In HTTP mode, if a server designated by a cookie is down, clients may
2024
- # definitely stick to it because they cannot flush the cookie, so they will not
2025
- # be able to access the service anymore.
2026
- #
2027
- # Specifying "option redispatch" will allow the proxy to break their
2028
- # persistence and redistribute them to a working server.
2029
- #
2030
- # It also allows to retry last connection to another server in case of multiple
2031
- # connection failures. Of course, it requires having "retries" set to a nonzero
2032
- # value.
2033
- #
2034
- # This form is the preferred form, which replaces both the "redispatch" and
2035
- # "redisp" keywords.
2036
- #
2037
- # If this option has been enabled in a "defaults" section, it can be disabled
2038
- # in a specific instance by prepending the "no" keyword before it.
2039
- #
2040
- # See also : "redispatch", "retries", "force-persist"
2041
- #
2042
- attr_accessor :option_redispatch
2043
-
2044
- #
2045
- # option smtpchk
2046
- # option smtpchk <hello> <domain>
2047
- # Use SMTP health checks for server testing
2048
- # May be used in sections : defaults | frontend | listen | backend
2049
- # yes | no | yes | yes
2050
- # Arguments :
2051
- # <hello> is an optional argument. It is the "hello" command to use. It can
2052
- # be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
2053
- # values will be turned into the default command ("HELO").
2054
- #
2055
- # <domain> is the domain name to present to the server. It may only be
2056
- # specified (and is mandatory) if the hello command has been
2057
- # specified. By default, "localhost" is used.
2058
- #
2059
- # When "option smtpchk" is set, the health checks will consist in TCP
2060
- # connections followed by an SMTP command. By default, this command is
2061
- # "HELO localhost". The server's return code is analyzed and only return codes
2062
- # starting with a "2" will be considered as valid. All other responses,
2063
- # including a lack of response will constitute an error and will indicate a
2064
- # dead server.
2065
- #
2066
- # This test is meant to be used with SMTP servers or relays. Depending on the
2067
- # request, it is possible that some servers do not log each connection attempt,
2068
- # so you may want to experiment to improve the behaviour. Using telnet on port
2069
- # 25 is often easier than adjusting the configuration.
2070
- #
2071
- # Most often, an incoming SMTP server needs to see the client's IP address for
2072
- # various purposes, including spam filtering, anti-spoofing and logging. When
2073
- # possible, it is often wise to masquerade the client's IP address when
2074
- # connecting to the server using the "usesrc" argument of the "source" keyword,
2075
- # which requires the cttproxy feature to be compiled in.
2076
- #
2077
- # Example :
2078
- # option smtpchk HELO mydomain.org
2079
- #
2080
- # See also : "option httpchk", "source"
2081
- #
2082
- attr_accessor :option_smtpchk
2083
-
2084
- #
2085
- # option socket-stats
2086
- # no option socket-stats
2087
- #
2088
- # Enable or disable collecting & providing separate statistics for each socket.
2089
- # May be used in sections : defaults | frontend | listen | backend
2090
- # yes | yes | yes | no
2091
- #
2092
- # Arguments : none
2093
- #
2094
- attr_accessor :option_socket_stats
2095
-
2096
- #
2097
- # option splice-auto
2098
- # no option splice-auto
2099
- # Enable or disable automatic kernel acceleration on sockets in both directions
2100
- # May be used in sections : defaults | frontend | listen | backend
2101
- # yes | yes | yes | yes
2102
- # Arguments : none
2103
- #
2104
- # When this option is enabled either on a frontend or on a backend, haproxy
2105
- # will automatically evaluate the opportunity to use kernel tcp splicing to
2106
- # forward data between the client and the server, in either direction. Haproxy
2107
- # uses heuristics to estimate if kernel splicing might improve performance or
2108
- # not. Both directions are handled independently. Note that the heuristics used
2109
- # are not much aggressive in order to limit excessive use of splicing. This
2110
- # option requires splicing to be enabled at compile time, and may be globally
2111
- # disabled with the global option "nosplice". Since splice uses pipes, using it
2112
- # requires that there are enough spare pipes.
2113
- #
2114
- # Important note: kernel-based TCP splicing is a Linux-specific feature which
2115
- # first appeared in kernel 2.6.25. It offers kernel-based acceleration to
2116
- # transfer data between sockets without copying these data to user-space, thus
2117
- # providing noticeable performance gains and CPU cycles savings. Since many
2118
- # early implementations are buggy, corrupt data and/or are inefficient, this
2119
- # feature is not enabled by default, and it should be used with extreme care.
2120
- # While it is not possible to detect the correctness of an implementation,
2121
- # 2.6.29 is the first version offering a properly working implementation. In
2122
- # case of doubt, splicing may be globally disabled using the global "nosplice"
2123
- # keyword.
2124
- #
2125
- # Example :
2126
- # option splice-auto
2127
- #
2128
- # If this option has been enabled in a "defaults" section, it can be disabled
2129
- # in a specific instance by prepending the "no" keyword before it.
2130
- #
2131
- # See also : "option splice-request", "option splice-response", and global
2132
- # options "nosplice" and "maxpipes"
2133
- #
2134
- attr_accessor :option_splice_auto
2135
-
2136
- #
2137
- # option splice-request
2138
- # no option splice-request
2139
- # Enable or disable automatic kernel acceleration on sockets for requests
2140
- # May be used in sections : defaults | frontend | listen | backend
2141
- # yes | yes | yes | yes
2142
- # Arguments : none
2143
- #
2144
- # When this option is enabled either on a frontend or on a backend, haproxy
2145
- # will user kernel tcp splicing whenever possible to forward data going from
2146
- # the client to the server. It might still use the recv/send scheme if there
2147
- # are no spare pipes left. This option requires splicing to be enabled at
2148
- # compile time, and may be globally disabled with the global option "nosplice".
2149
- # Since splice uses pipes, using it requires that there are enough spare pipes.
2150
- #
2151
- # Important note: see "option splice-auto" for usage limitations.
2152
- #
2153
- # Example :
2154
- # option splice-request
2155
- #
2156
- # If this option has been enabled in a "defaults" section, it can be disabled
2157
- # in a specific instance by prepending the "no" keyword before it.
2158
- #
2159
- # See also : "option splice-auto", "option splice-response", and global options
2160
- # "nosplice" and "maxpipes"
2161
- #
2162
- attr_accessor :option_splice_request
2163
-
2164
- #
2165
- # option splice-response
2166
- # no option splice-response
2167
- # Enable or disable automatic kernel acceleration on sockets for responses
2168
- # May be used in sections : defaults | frontend | listen | backend
2169
- # yes | yes | yes | yes
2170
- # Arguments : none
2171
- #
2172
- # When this option is enabled either on a frontend or on a backend, haproxy
2173
- # will user kernel tcp splicing whenever possible to forward data going from
2174
- # the server to the client. It might still use the recv/send scheme if there
2175
- # are no spare pipes left. This option requires splicing to be enabled at
2176
- # compile time, and may be globally disabled with the global option "nosplice".
2177
- # Since splice uses pipes, using it requires that there are enough spare pipes.
2178
- #
2179
- # Important note: see "option splice-auto" for usage limitations.
2180
- #
2181
- # Example :
2182
- # option splice-response
2183
- #
2184
- # If this option has been enabled in a "defaults" section, it can be disabled
2185
- # in a specific instance by prepending the "no" keyword before it.
2186
- #
2187
- # See also : "option splice-auto", "option splice-request", and global options
2188
- # "nosplice" and "maxpipes"
2189
- #
2190
- attr_accessor :option_splice_response
2191
-
2192
- #
2193
- # option srvtcpka
2194
- # no option srvtcpka
2195
- # Enable or disable the sending of TCP keepalive packets on the server side
2196
- # May be used in sections : defaults | frontend | listen | backend
2197
- # yes | no | yes | yes
2198
- # Arguments : none
2199
- #
2200
- # When there is a firewall or any session-aware component between a client and
2201
- # a server, and when the protocol involves very long sessions with long idle
2202
- # periods (eg: remote desktops), there is a risk that one of the intermediate
2203
- # components decides to expire a session which has remained idle for too long.
2204
- #
2205
- # Enabling socket-level TCP keep-alives makes the system regularly send packets
2206
- # to the other end of the connection, leaving it active. The delay between
2207
- # keep-alive probes is controlled by the system only and depends both on the
2208
- # operating system and its tuning parameters.
2209
- #
2210
- # It is important to understand that keep-alive packets are neither emitted nor
2211
- # received at the application level. It is only the network stacks which sees
2212
- # them. For this reason, even if one side of the proxy already uses keep-alives
2213
- # to maintain its connection alive, those keep-alive packets will not be
2214
- # forwarded to the other side of the proxy.
2215
- #
2216
- # Please note that this has nothing to do with HTTP keep-alive.
2217
- #
2218
- # Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
2219
- # server side of a connection, which should help when session expirations are
2220
- # noticed between HAProxy and a server.
2221
- #
2222
- # If this option has been enabled in a "defaults" section, it can be disabled
2223
- # in a specific instance by prepending the "no" keyword before it.
2224
- #
2225
- # See also : "option clitcpka", "option tcpka"
2226
- #
2227
- attr_accessor :option_srvtcpka
2228
-
2229
- #
2230
- # option ssl-hello-chk
2231
- # Use SSLv3 client hello health checks for server testing
2232
- # May be used in sections : defaults | frontend | listen | backend
2233
- # yes | no | yes | yes
2234
- # Arguments : none
2235
- #
2236
- # When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
2237
- # possible to test that the server correctly talks SSL instead of just testing
2238
- # that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
2239
- # SSLv3 client hello messages are sent once the connection is established to
2240
- # the server, and the response is analyzed to find an SSL server hello message.
2241
- # The server is considered valid only when the response contains this server
2242
- # hello message.
2243
- #
2244
- # All servers tested till there correctly reply to SSLv3 client hello messages,
2245
- # and most servers tested do not even log the requests containing only hello
2246
- # messages, which is appreciable.
2247
- #
2248
- # See also: "option httpchk"
2249
- #
2250
- attr_accessor :option_ssl_hello_chk
2251
-
2252
- #
2253
- # option tcp-smart-accept
2254
- # no option tcp-smart-accept
2255
- # Enable or disable the saving of one ACK packet during the accept sequence
2256
- # May be used in sections : defaults | frontend | listen | backend
2257
- # yes | yes | yes | no
2258
- # Arguments : none
2259
- #
2260
- # When an HTTP connection request comes in, the system acknowledges it on
2261
- # behalf of HAProxy, then the client immediately sends its request, and the
2262
- # system acknowledges it too while it is notifying HAProxy about the new
2263
- # connection. HAProxy then reads the request and responds. This means that we
2264
- # have one TCP ACK sent by the system for nothing, because the request could
2265
- # very well be acknowledged by HAProxy when it sends its response.
2266
- #
2267
- # For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
2268
- # sending this useless ACK on platforms which support it (currently at least
2269
- # Linux). It must not cause any problem, because the system will send it anyway
2270
- # after 40 ms if the response takes more time than expected to come.
2271
- #
2272
- # During complex network debugging sessions, it may be desirable to disable
2273
- # this optimization because delayed ACKs can make troubleshooting more complex
2274
- # when trying to identify where packets are delayed. It is then possible to
2275
- # fall back to normal behaviour by specifying "no option tcp-smart-accept".
2276
- #
2277
- # It is also possible to force it for non-HTTP proxies by simply specifying
2278
- # "option tcp-smart-accept". For instance, it can make sense with some services
2279
- # such as SMTP where the server speaks first.
2280
- #
2281
- # It is recommended to avoid forcing this option in a defaults section. In case
2282
- # of doubt, consider setting it back to automatic values by prepending the
2283
- # "default" keyword before it, or disabling it using the "no" keyword.
2284
- #
2285
- # See also : "option tcp-smart-connect"
2286
- #
2287
- attr_accessor :option_tcp_smart_accept
2288
-
2289
- #
2290
- # option tcp-smart-connect
2291
- # no option tcp-smart-connect
2292
- # Enable or disable the saving of one ACK packet during the connect sequence
2293
- # May be used in sections : defaults | frontend | listen | backend
2294
- # yes | no | yes | yes
2295
- # Arguments : none
2296
- #
2297
- # On certain systems (at least Linux), HAProxy can ask the kernel not to
2298
- # immediately send an empty ACK upon a connection request, but to directly
2299
- # send the buffer request instead. This saves one packet on the network and
2300
- # thus boosts performance. It can also be useful for some servers, because they
2301
- # immediately get the request along with the incoming connection.
2302
- #
2303
- # This feature is enabled when "option tcp-smart-connect" is set in a backend.
2304
- # It is not enabled by default because it makes network troubleshooting more
2305
- # complex.
2306
- #
2307
- # It only makes sense to enable it with protocols where the client speaks first
2308
- # such as HTTP. In other situations, if there is no data to send in place of
2309
- # the ACK, a normal ACK is sent.
2310
- #
2311
- # If this option has been enabled in a "defaults" section, it can be disabled
2312
- # in a specific instance by prepending the "no" keyword before it.
2313
- #
2314
- # See also : "option tcp-smart-accept"
2315
- #
2316
- attr_accessor :option_tcp_smart_connect
2317
-
2318
- #
2319
- # option tcpka
2320
- # Enable or disable the sending of TCP keepalive packets on both sides
2321
- # May be used in sections : defaults | frontend | listen | backend
2322
- # yes | yes | yes | yes
2323
- # Arguments : none
2324
- #
2325
- # When there is a firewall or any session-aware component between a client and
2326
- # a server, and when the protocol involves very long sessions with long idle
2327
- # periods (eg: remote desktops), there is a risk that one of the intermediate
2328
- # components decides to expire a session which has remained idle for too long.
2329
- #
2330
- # Enabling socket-level TCP keep-alives makes the system regularly send packets
2331
- # to the other end of the connection, leaving it active. The delay between
2332
- # keep-alive probes is controlled by the system only and depends both on the
2333
- # operating system and its tuning parameters.
2334
- #
2335
- # It is important to understand that keep-alive packets are neither emitted nor
2336
- # received at the application level. It is only the network stacks which sees
2337
- # them. For this reason, even if one side of the proxy already uses keep-alives
2338
- # to maintain its connection alive, those keep-alive packets will not be
2339
- # forwarded to the other side of the proxy.
2340
- #
2341
- # Please note that this has nothing to do with HTTP keep-alive.
2342
- #
2343
- # Using option "tcpka" enables the emission of TCP keep-alive probes on both
2344
- # the client and server sides of a connection. Note that this is meaningful
2345
- # only in "defaults" or "listen" sections. If this option is used in a
2346
- # frontend, only the client side will get keep-alives, and if this option is
2347
- # used in a backend, only the server side will get keep-alives. For this
2348
- # reason, it is strongly recommended to explicitly use "option clitcpka" and
2349
- # "option srvtcpka" when the configuration is split between frontends and
2350
- # backends.
2351
- #
2352
- # See also : "option clitcpka", "option srvtcpka"
2353
- #
2354
- attr_accessor :option_tcpka
2355
-
2356
- #
2357
- # option tcplog
2358
- # Enable advanced logging of TCP connections with session state and timers
2359
- # May be used in sections : defaults | frontend | listen | backend
2360
- # yes | yes | yes | yes
2361
- # Arguments : none
2362
- #
2363
- # By default, the log output format is very poor, as it only contains the
2364
- # source and destination addresses, and the instance name. By specifying
2365
- # "option tcplog", each log line turns into a much richer format including, but
2366
- # not limited to, the connection timers, the session status, the connections
2367
- # numbers, the frontend, backend and server name, and of course the source
2368
- # address and ports. This option is useful for pure TCP proxies in order to
2369
- # find which of the client or server disconnects or times out. For normal HTTP
2370
- # proxies, it's better to use "option httplog" which is even more complete.
2371
- #
2372
- # This option may be set either in the frontend or the backend.
2373
- #
2374
- # See also : "option httplog", and section 8 about logging.
2375
- #
2376
- attr_accessor :option_tcplog
2377
-
2378
- #
2379
- # option transparent
2380
- # no option transparent
2381
- # Enable client-side transparent proxying
2382
- # May be used in sections : defaults | frontend | listen | backend
2383
- # yes | no | yes | yes
2384
- # Arguments : none
2385
- #
2386
- # This option was introduced in order to provide layer 7 persistence to layer 3
2387
- # load balancers. The idea is to use the OS's ability to redirect an incoming
2388
- # connection for a remote address to a local process (here HAProxy), and let
2389
- # this process know what address was initially requested. When this option is
2390
- # used, sessions without cookies will be forwarded to the original destination
2391
- # IP address of the incoming request (which should match that of another
2392
- # equipment), while requests with cookies will still be forwarded to the
2393
- # appropriate server.
2394
- #
2395
- # Note that contrary to a common belief, this option does NOT make HAProxy
2396
- # present the client's IP to the server when establishing the connection.
2397
- #
2398
- # See also: the "usersrc" argument of the "source" keyword, and the
2399
- # "transparent" option of the "bind" keyword.
2400
- #
2401
- attr_accessor :option_transparent
2402
-
2403
- #
2404
- # persist rdp-cookie
2405
- # persist rdp-cookie(name)
2406
- # Enable RDP cookie-based persistence
2407
- # May be used in sections : defaults | frontend | listen | backend
2408
- # yes | no | yes | yes
2409
- # Arguments :
2410
- # <name> is the optional name of the RDP cookie to check. If omitted, the
2411
- # default cookie name "msts" will be used. There currently is no
2412
- # valid reason to change this name.
2413
- #
2414
- # This statement enables persistence based on an RDP cookie. The RDP cookie
2415
- # contains all information required to find the server in the list of known
2416
- # servers. So when this option is set in the backend, the request is analysed
2417
- # and if an RDP cookie is found, it is decoded. If it matches a known server
2418
- # which is still UP (or if "option persist" is set), then the connection is
2419
- # forwarded to this server.
2420
- #
2421
- # Note that this only makes sense in a TCP backend, but for this to work, the
2422
- # frontend must have waited long enough to ensure that an RDP cookie is present
2423
- # in the request buffer. This is the same requirement as with the "rdp-cookie"
2424
- # load-balancing method. Thus it is highly recommended to put all statements in
2425
- # a single "listen" section.
2426
- #
2427
- # Also, it is important to understand that the terminal server will emit this
2428
- # RDP cookie only if it is configured for "token redirection mode", which means
2429
- # that the "IP address redirection" option is disabled.
2430
- #
2431
- # Example :
2432
- # listen tse-farm
2433
- # bind :3389
2434
- # # wait up to 5s for an RDP cookie in the request
2435
- # tcp-request inspect-delay 5s
2436
- # tcp-request content accept if RDP_COOKIE
2437
- # # apply RDP cookie persistence
2438
- # persist rdp-cookie
2439
- # # if server is unknown, let's balance on the same cookie.
2440
- # # alternatively, "balance leastconn" may be useful too.
2441
- # balance rdp-cookie
2442
- # server srv1 1.1.1.1:3389
2443
- # server srv2 1.1.1.2:3389
2444
- #
2445
- # See also : "balance rdp-cookie", "tcp-request" and the "req_rdp_cookie" ACL.
2446
- #
2447
- attr_accessor :persist_rdp_cookie
2448
-
2449
- #
2450
- # rate-limit sessions <rate>
2451
- # Set a limit on the number of new sessions accepted per second on a frontend
2452
- # May be used in sections : defaults | frontend | listen | backend
2453
- # yes | yes | yes | no
2454
- # Arguments :
2455
- # <rate> The <rate> parameter is an integer designating the maximum number
2456
- # of new sessions per second to accept on the frontend.
2457
- #
2458
- # When the frontend reaches the specified number of new sessions per second, it
2459
- # stops accepting new connections until the rate drops below the limit again.
2460
- # During this time, the pending sessions will be kept in the socket's backlog
2461
- # (in system buffers) and haproxy will not even be aware that sessions are
2462
- # pending. When applying very low limit on a highly loaded service, it may make
2463
- # sense to increase the socket's backlog using the "backlog" keyword.
2464
- #
2465
- # This feature is particularly efficient at blocking connection-based attacks
2466
- # or service abuse on fragile servers. Since the session rate is measured every
2467
- # millisecond, it is extremely accurate. Also, the limit applies immediately,
2468
- # no delay is needed at all to detect the threshold.
2469
- #
2470
- # Example : limit the connection rate on SMTP to 10 per second max
2471
- # listen smtp
2472
- # mode tcp
2473
- # bind :25
2474
- # rate-limit sessions 10
2475
- # server 127.0.0.1:1025
2476
- #
2477
- # Note : when the maximum rate is reached, the frontend's status appears as
2478
- # "FULL" in the statistics, exactly as when it is saturated.
2479
- #
2480
- # See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
2481
- #
2482
- attr_accessor :rate_limit_sessions
2483
-
2484
- #
2485
- # retries <value>
2486
- # Set the number of retries to perform on a server after a connection failure
2487
- # May be used in sections: defaults | frontend | listen | backend
2488
- # yes | no | yes | yes
2489
- # Arguments :
2490
- # <value> is the number of times a connection attempt should be retried on
2491
- # a server when a connection either is refused or times out. The
2492
- # default value is 3.
2493
- #
2494
- # It is important to understand that this value applies to the number of
2495
- # connection attempts, not full requests. When a connection has effectively
2496
- # been established to a server, there will be no more retry.
2497
- #
2498
- # In order to avoid immediate reconnections to a server which is restarting,
2499
- # a turn-around timer of 1 second is applied before a retry occurs.
2500
- #
2501
- # When "option redispatch" is set, the last retry may be performed on another
2502
- # server even if a cookie references a different server.
2503
- #
2504
- # See also : "option redispatch"
2505
- #
2506
- attr_accessor :retries
2507
-
2508
- #
2509
- # source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
2510
- # source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
2511
- # source <addr>[:<port>] [interface <name>]
2512
- # Set the source address for outgoing connections
2513
- # May be used in sections : defaults | frontend | listen | backend
2514
- # yes | no | yes | yes
2515
- # Arguments :
2516
- # <addr> is the IPv4 address HAProxy will bind to before connecting to a
2517
- # server. This address is also used as a source for health checks.
2518
- # The default value of 0.0.0.0 means that the system will select
2519
- # the most appropriate address to reach its destination.
2520
- #
2521
- # <port> is an optional port. It is normally not needed but may be useful
2522
- # in some very specific contexts. The default value of zero means
2523
- # the system will select a free port. Note that port ranges are not
2524
- # supported in the backend. If you want to force port ranges, you
2525
- # have to specify them on each "server" line.
2526
- #
2527
- # <addr2> is the IP address to present to the server when connections are
2528
- # forwarded in full transparent proxy mode. This is currently only
2529
- # supported on some patched Linux kernels. When this address is
2530
- # specified, clients connecting to the server will be presented
2531
- # with this address, while health checks will still use the address
2532
- # <addr>.
2533
- #
2534
- # <port2> is the optional port to present to the server when connections
2535
- # are forwarded in full transparent proxy mode (see <addr2> above).
2536
- # The default value of zero means the system will select a free
2537
- # port.
2538
- #
2539
- # <hdr> is the name of a HTTP header in which to fetch the IP to bind to.
2540
- # This is the name of a comma-separated header list which can
2541
- # contain multiple IP addresses. By default, the last occurrence is
2542
- # used. This is designed to work with the X-Forwarded-For header
2543
- # and to automatically bind to the the client's IP address as seen
2544
- # by previous proxy, typically Stunnel. In order to use another
2545
- # occurrence from the last one, please see the <occ> parameter
2546
- # below. When the header (or occurrence) is not found, no binding
2547
- # is performed so that the proxy's default IP address is used. Also
2548
- # keep in mind that the header name is case insensitive, as for any
2549
- # HTTP header.
2550
- #
2551
- # <occ> is the occurrence number of a value to be used in a multi-value
2552
- # header. This is to be used in conjunction with "hdr_ip(<hdr>)",
2553
- # in order to specificy which occurrence to use for the source IP
2554
- # address. Positive values indicate a position from the first
2555
- # occurrence, 1 being the first one. Negative values indicate
2556
- # positions relative to the last one, -1 being the last one. This
2557
- # is helpful for situations where an X-Forwarded-For header is set
2558
- # at the entry point of an infrastructure and must be used several
2559
- # proxy layers away. When this value is not specified, -1 is
2560
- # assumed. Passing a zero here disables the feature.
2561
- #
2562
- # <name> is an optional interface name to which to bind to for outgoing
2563
- # traffic. On systems supporting this features (currently, only
2564
- # Linux), this allows one to bind all traffic to the server to
2565
- # this interface even if it is not the one the system would select
2566
- # based on routing tables. This should be used with extreme care.
2567
- # Note that using this option requires root privileges.
2568
- #
2569
- # The "source" keyword is useful in complex environments where a specific
2570
- # address only is allowed to connect to the servers. It may be needed when a
2571
- # private address must be used through a public gateway for instance, and it is
2572
- # known that the system cannot determine the adequate source address by itself.
2573
- #
2574
- # An extension which is available on certain patched Linux kernels may be used
2575
- # through the "usesrc" optional keyword. It makes it possible to connect to the
2576
- # servers with an IP address which does not belong to the system itself. This
2577
- # is called "full transparent proxy mode". For this to work, the destination
2578
- # servers have to route their traffic back to this address through the machine
2579
- # running HAProxy, and IP forwarding must generally be enabled on this machine.
2580
- #
2581
- # In this "full transparent proxy" mode, it is possible to force a specific IP
2582
- # address to be presented to the servers. This is not much used in fact. A more
2583
- # common use is to tell HAProxy to present the client's IP address. For this,
2584
- # there are two methods :
2585
- #
2586
- # - present the client's IP and port addresses. This is the most transparent
2587
- # mode, but it can cause problems when IP connection tracking is enabled on
2588
- # the machine, because a same connection may be seen twice with different
2589
- # states. However, this solution presents the huge advantage of not
2590
- # limiting the system to the 64k outgoing address+port couples, because all
2591
- # of the client ranges may be used.
2592
- #
2593
- # - present only the client's IP address and select a spare port. This
2594
- # solution is still quite elegant but slightly less transparent (downstream
2595
- # firewalls logs will not match upstream's). It also presents the downside
2596
- # of limiting the number of concurrent connections to the usual 64k ports.
2597
- # However, since the upstream and downstream ports are different, local IP
2598
- # connection tracking on the machine will not be upset by the reuse of the
2599
- # same session.
2600
- #
2601
- # Note that depending on the transparent proxy technology used, it may be
2602
- # required to force the source address. In fact, cttproxy version 2 requires an
2603
- # IP address in <addr> above, and does not support setting of "0.0.0.0" as the
2604
- # IP address because it creates NAT entries which much match the exact outgoing
2605
- # address. Tproxy version 4 and some other kernel patches which work in pure
2606
- # forwarding mode generally will not have this limitation.
2607
- #
2608
- # This option sets the default source for all servers in the backend. It may
2609
- # also be specified in a "defaults" section. Finer source address specification
2610
- # is possible at the server level using the "source" server option. Refer to
2611
- # section 5 for more information.
2612
- #
2613
- # Examples :
2614
- # backend private
2615
- # # Connect to the servers using our 192.168.1.200 source address
2616
- # source 192.168.1.200
2617
- #
2618
- # backend transparent_ssl1
2619
- # # Connect to the SSL farm from the client's source address
2620
- # source 192.168.1.200 usesrc clientip
2621
- #
2622
- # backend transparent_ssl2
2623
- # # Connect to the SSL farm from the client's source address and port
2624
- # # not recommended if IP conntrack is present on the local machine.
2625
- # source 192.168.1.200 usesrc client
2626
- #
2627
- # backend transparent_ssl3
2628
- # # Connect to the SSL farm from the client's source address. It
2629
- # # is more conntrack-friendly.
2630
- # source 192.168.1.200 usesrc clientip
2631
- #
2632
- # backend transparent_smtp
2633
- # # Connect to the SMTP farm from the client's source address/port
2634
- # # with Tproxy version 4.
2635
- # source 0.0.0.0 usesrc clientip
2636
- #
2637
- # backend transparent_http
2638
- # # Connect to the servers using the client's IP as seen by previous
2639
- # # proxy.
2640
- # source 0.0.0.0 usesrc hdr_ip(x-forwarded-for,-1)
2641
- #
2642
- # See also : the "source" server option in section 5, the Tproxy patches for
2643
- # the Linux kernel on www.balabit.com, the "bind" keyword.
2644
- #
2645
- attr_accessor :source
2646
-
2647
- #
2648
- # stats auth <user>:<passwd>
2649
- # Enable statistics with authentication and grant access to an account
2650
- # May be used in sections : defaults | frontend | listen | backend
2651
- # yes | no | yes | yes
2652
- # Arguments :
2653
- # <user> is a user name to grant access to
2654
- #
2655
- # <passwd> is the cleartext password associated to this user
2656
- #
2657
- # This statement enables statistics with default settings, and restricts access
2658
- # to declared users only. It may be repeated as many times as necessary to
2659
- # allow as many users as desired. When a user tries to access the statistics
2660
- # without a valid account, a "401 Forbidden" response will be returned so that
2661
- # the browser asks the user to provide a valid user and password. The real
2662
- # which will be returned to the browser is configurable using "stats realm".
2663
- #
2664
- # Since the authentication method is HTTP Basic Authentication, the passwords
2665
- # circulate in cleartext on the network. Thus, it was decided that the
2666
- # configuration file would also use cleartext passwords to remind the users
2667
- # that those ones should not be sensible and not shared with any other account.
2668
- #
2669
- # It is also possible to reduce the scope of the proxies which appear in the
2670
- # report using "stats scope".
2671
- #
2672
- # Though this statement alone is enough to enable statistics reporting, it is
2673
- # recommended to set all other settings in order to avoid relying on default
2674
- # unobvious parameters.
2675
- #
2676
- # Example :
2677
- # # public access (limited to this backend only)
2678
- # backend public_www
2679
- # server srv1 192.168.0.1:80
2680
- # stats enable
2681
- # stats hide-version
2682
- # stats scope .
2683
- # stats uri /admin?stats
2684
- # stats realm Haproxy\ Statistics
2685
- # stats auth admin1:AdMiN123
2686
- # stats auth admin2:AdMiN321
2687
- #
2688
- # # internal monitoring access (unlimited)
2689
- # backend private_monitoring
2690
- # stats enable
2691
- # stats uri /admin?stats
2692
- # stats refresh 5s
2693
- #
2694
- # See also : "stats enable", "stats realm", "stats scope", "stats uri"
2695
- #
2696
- attr_accessor :stats_auth
2697
-
2698
- #
2699
- # stats enable
2700
- # Enable statistics reporting with default settings
2701
- # May be used in sections : defaults | frontend | listen | backend
2702
- # yes | no | yes | yes
2703
- # Arguments : none
2704
- #
2705
- # This statement enables statistics reporting with default settings defined
2706
- # at build time. Unless stated otherwise, these settings are used :
2707
- # - stats uri : /haproxy?stats
2708
- # - stats realm : "HAProxy Statistics"
2709
- # - stats auth : no authentication
2710
- # - stats scope : no restriction
2711
- #
2712
- # Though this statement alone is enough to enable statistics reporting, it is
2713
- # recommended to set all other settings in order to avoid relying on default
2714
- # unobvious parameters.
2715
- #
2716
- # Example :
2717
- # # public access (limited to this backend only)
2718
- # backend public_www
2719
- # server srv1 192.168.0.1:80
2720
- # stats enable
2721
- # stats hide-version
2722
- # stats scope .
2723
- # stats uri /admin?stats
2724
- # stats realm Haproxy\ Statistics
2725
- # stats auth admin1:AdMiN123
2726
- # stats auth admin2:AdMiN321
2727
- #
2728
- # # internal monitoring access (unlimited)
2729
- # backend private_monitoring
2730
- # stats enable
2731
- # stats uri /admin?stats
2732
- # stats refresh 5s
2733
- #
2734
- # See also : "stats auth", "stats realm", "stats uri"
2735
- #
2736
- attr_accessor :stats_enable
2737
-
2738
- #
2739
- # stats hide-version
2740
- # Enable statistics and hide HAProxy version reporting
2741
- # May be used in sections : defaults | frontend | listen | backend
2742
- # yes | no | yes | yes
2743
- # Arguments : none
2744
- #
2745
- # By default, the stats page reports some useful status information along with
2746
- # the statistics. Among them is HAProxy's version. However, it is generally
2747
- # considered dangerous to report precise version to anyone, as it can help them
2748
- # target known weaknesses with specific attacks. The "stats hide-version"
2749
- # statement removes the version from the statistics report. This is recommended
2750
- # for public sites or any site with a weak login/password.
2751
- #
2752
- # Though this statement alone is enough to enable statistics reporting, it is
2753
- # recommended to set all other settings in order to avoid relying on default
2754
- # unobvious parameters.
2755
- #
2756
- # Example :
2757
- # # public access (limited to this backend only)
2758
- # backend public_www
2759
- # server srv1 192.168.0.1:80
2760
- # stats enable
2761
- # stats hide-version
2762
- # stats scope .
2763
- # stats uri /admin?stats
2764
- # stats realm Haproxy\ Statistics
2765
- # stats auth admin1:AdMiN123
2766
- # stats auth admin2:AdMiN321
2767
- #
2768
- # # internal monitoring access (unlimited)
2769
- # backend private_monitoring
2770
- # stats enable
2771
- # stats uri /admin?stats
2772
- # stats refresh 5s
2773
- #
2774
- # See also : "stats auth", "stats enable", "stats realm", "stats uri"
2775
- #
2776
- attr_accessor :stats_hide_version
2777
-
2778
- #
2779
- # stats realm <realm>
2780
- # Enable statistics and set authentication realm
2781
- # May be used in sections : defaults | frontend | listen | backend
2782
- # yes | no | yes | yes
2783
- # Arguments :
2784
- # <realm> is the name of the HTTP Basic Authentication realm reported to
2785
- # the browser. The browser uses it to display it in the pop-up
2786
- # inviting the user to enter a valid username and password.
2787
- #
2788
- # The realm is read as a single word, so any spaces in it should be escaped
2789
- # using a backslash ('\').
2790
- #
2791
- # This statement is useful only in conjunction with "stats auth" since it is
2792
- # only related to authentication.
2793
- #
2794
- # Though this statement alone is enough to enable statistics reporting, it is
2795
- # recommended to set all other settings in order to avoid relying on default
2796
- # unobvious parameters.
2797
- #
2798
- # Example :
2799
- # # public access (limited to this backend only)
2800
- # backend public_www
2801
- # server srv1 192.168.0.1:80
2802
- # stats enable
2803
- # stats hide-version
2804
- # stats scope .
2805
- # stats uri /admin?stats
2806
- # stats realm Haproxy\ Statistics
2807
- # stats auth admin1:AdMiN123
2808
- # stats auth admin2:AdMiN321
2809
- #
2810
- # # internal monitoring access (unlimited)
2811
- # backend private_monitoring
2812
- # stats enable
2813
- # stats uri /admin?stats
2814
- # stats refresh 5s
2815
- #
2816
- # See also : "stats auth", "stats enable", "stats uri"
2817
- #
2818
- attr_accessor :stats_realm
2819
-
2820
- #
2821
- # stats refresh <delay>
2822
- # Enable statistics with automatic refresh
2823
- # May be used in sections : defaults | frontend | listen | backend
2824
- # yes | no | yes | yes
2825
- # Arguments :
2826
- # <delay> is the suggested refresh delay, specified in seconds, which will
2827
- # be returned to the browser consulting the report page. While the
2828
- # browser is free to apply any delay, it will generally respect it
2829
- # and refresh the page this every seconds. The refresh interval may
2830
- # be specified in any other non-default time unit, by suffixing the
2831
- # unit after the value, as explained at the top of this document.
2832
- #
2833
- # This statement is useful on monitoring displays with a permanent page
2834
- # reporting the load balancer's activity. When set, the HTML report page will
2835
- # include a link "refresh"/"stop refresh" so that the user can select whether
2836
- # he wants automatic refresh of the page or not.
2837
- #
2838
- # Though this statement alone is enough to enable statistics reporting, it is
2839
- # recommended to set all other settings in order to avoid relying on default
2840
- # unobvious parameters.
2841
- #
2842
- # Example :
2843
- # # public access (limited to this backend only)
2844
- # backend public_www
2845
- # server srv1 192.168.0.1:80
2846
- # stats enable
2847
- # stats hide-version
2848
- # stats scope .
2849
- # stats uri /admin?stats
2850
- # stats realm Haproxy\ Statistics
2851
- # stats auth admin1:AdMiN123
2852
- # stats auth admin2:AdMiN321
2853
- #
2854
- # # internal monitoring access (unlimited)
2855
- # backend private_monitoring
2856
- # stats enable
2857
- # stats uri /admin?stats
2858
- # stats refresh 5s
2859
- #
2860
- # See also : "stats auth", "stats enable", "stats realm", "stats uri"
2861
- #
2862
- attr_accessor :stats_refresh
2863
-
2864
- #
2865
- # stats scope { <name> | "." }
2866
- # Enable statistics and limit access scope
2867
- # May be used in sections : defaults | frontend | listen | backend
2868
- # yes | no | yes | yes
2869
- # Arguments :
2870
- # <name> is the name of a listen, frontend or backend section to be
2871
- # reported. The special name "." (a single dot) designates the
2872
- # section in which the statement appears.
2873
- #
2874
- # When this statement is specified, only the sections enumerated with this
2875
- # statement will appear in the report. All other ones will be hidden. This
2876
- # statement may appear as many times as needed if multiple sections need to be
2877
- # reported. Please note that the name checking is performed as simple string
2878
- # comparisons, and that it is never checked that a give section name really
2879
- # exists.
2880
- #
2881
- # Though this statement alone is enough to enable statistics reporting, it is
2882
- # recommended to set all other settings in order to avoid relying on default
2883
- # unobvious parameters.
2884
- #
2885
- # Example :
2886
- # # public access (limited to this backend only)
2887
- # backend public_www
2888
- # server srv1 192.168.0.1:80
2889
- # stats enable
2890
- # stats hide-version
2891
- # stats scope .
2892
- # stats uri /admin?stats
2893
- # stats realm Haproxy\ Statistics
2894
- # stats auth admin1:AdMiN123
2895
- # stats auth admin2:AdMiN321
2896
- #
2897
- # # internal monitoring access (unlimited)
2898
- # backend private_monitoring
2899
- # stats enable
2900
- # stats uri /admin?stats
2901
- # stats refresh 5s
2902
- #
2903
- # See also : "stats auth", "stats enable", "stats realm", "stats uri"
2904
- #
2905
- attr_accessor :stats_scope
2906
-
2907
- #
2908
- # stats show-desc [ <desc> ]
2909
- # Enable reporting of a description on the statistics page.
2910
- # May be used in sections : defaults | frontend | listen | backend
2911
- # yes | no | yes | yes
2912
- #
2913
- # <desc> is an optional description to be reported. If unspecified, the
2914
- # description from global section is automatically used instead.
2915
- #
2916
- # This statement is useful for users that offer shared services to their
2917
- # customers, where node or description should be different for each customer.
2918
- #
2919
- # Though this statement alone is enough to enable statistics reporting, it is
2920
- # recommended to set all other settings in order to avoid relying on default
2921
- # unobvious parameters.
2922
- #
2923
- # Example :
2924
- # # internal monitoring access (unlimited)
2925
- # backend private_monitoring
2926
- # stats enable
2927
- # stats show-desc Master node for Europe, Asia, Africa
2928
- # stats uri /admin?stats
2929
- # stats refresh 5s
2930
- #
2931
- # See also: "show-node", "stats enable", "stats uri" and "description" in
2932
- # global section.
2933
- #
2934
- attr_accessor :stats_show_desc
2935
-
2936
- #
2937
- # stats show-legends
2938
- # Enable reporting additional informations on the statistics page :
2939
- # - cap: capabilities (proxy)
2940
- # - mode: one of tcp, http or health (proxy)
2941
- # - id: SNMP ID (proxy, socket, server)
2942
- # - IP (socket, server)
2943
- # - cookie (backend, server)
2944
- #
2945
- # Though this statement alone is enough to enable statistics reporting, it is
2946
- # recommended to set all other settings in order to avoid relying on default
2947
- # unobvious parameters.
2948
- #
2949
- # See also: "stats enable", "stats uri".
2950
- #
2951
- attr_accessor :stats_show_legends
2952
-
2953
- #
2954
- # stats show-node [ <name> ]
2955
- # Enable reporting of a host name on the statistics page.
2956
- # May be used in sections : defaults | frontend | listen | backend
2957
- # yes | no | yes | yes
2958
- # Arguments:
2959
- # <name> is an optional name to be reported. If unspecified, the
2960
- # node name from global section is automatically used instead.
2961
- #
2962
- # This statement is useful for users that offer shared services to their
2963
- # customers, where node or description might be different on a stats page
2964
- # provided for each customer.
2965
- #
2966
- # Though this statement alone is enough to enable statistics reporting, it is
2967
- # recommended to set all other settings in order to avoid relying on default
2968
- # unobvious parameters.
2969
- #
2970
- # Example:
2971
- # # internal monitoring access (unlimited)
2972
- # backend private_monitoring
2973
- # stats enable
2974
- # stats show-node Europe-1
2975
- # stats uri /admin?stats
2976
- # stats refresh 5s
2977
- #
2978
- # See also: "show-desc", "stats enable", "stats uri", and "node" in global
2979
- # section.
2980
- #
2981
- attr_accessor :stats_show_node
2982
-
2983
- #
2984
- # stats uri <prefix>
2985
- # Enable statistics and define the URI prefix to access them
2986
- # May be used in sections : defaults | frontend | listen | backend
2987
- # yes | no | yes | yes
2988
- # Arguments :
2989
- # <prefix> is the prefix of any URI which will be redirected to stats. This
2990
- # prefix may contain a question mark ('?') to indicate part of a
2991
- # query string.
2992
- #
2993
- # The statistics URI is intercepted on the relayed traffic, so it appears as a
2994
- # page within the normal application. It is strongly advised to ensure that the
2995
- # selected URI will never appear in the application, otherwise it will never be
2996
- # possible to reach it in the application.
2997
- #
2998
- # The default URI compiled in haproxy is "/haproxy?stats", but this may be
2999
- # changed at build time, so it's better to always explicitly specify it here.
3000
- # It is generally a good idea to include a question mark in the URI so that
3001
- # intermediate proxies refrain from caching the results. Also, since any string
3002
- # beginning with the prefix will be accepted as a stats request, the question
3003
- # mark helps ensuring that no valid URI will begin with the same words.
3004
- #
3005
- # It is sometimes very convenient to use "/" as the URI prefix, and put that
3006
- # statement in a "listen" instance of its own. That makes it easy to dedicate
3007
- # an address or a port to statistics only.
3008
- #
3009
- # Though this statement alone is enough to enable statistics reporting, it is
3010
- # recommended to set all other settings in order to avoid relying on default
3011
- # unobvious parameters.
3012
- #
3013
- # Example :
3014
- # # public access (limited to this backend only)
3015
- # backend public_www
3016
- # server srv1 192.168.0.1:80
3017
- # stats enable
3018
- # stats hide-version
3019
- # stats scope .
3020
- # stats uri /admin?stats
3021
- # stats realm Haproxy\ Statistics
3022
- # stats auth admin1:AdMiN123
3023
- # stats auth admin2:AdMiN321
3024
- #
3025
- # # internal monitoring access (unlimited)
3026
- # backend private_monitoring
3027
- # stats enable
3028
- # stats uri /admin?stats
3029
- # stats refresh 5s
3030
- #
3031
- # See also : "stats auth", "stats enable", "stats realm"
3032
- #
3033
- attr_accessor :stats_uri
3034
-
3035
- #
3036
- # timeout check <timeout>
3037
- # Set additional check timeout, but only after a connection has been already
3038
- # established.
3039
- #
3040
- # May be used in sections: defaults | frontend | listen | backend
3041
- # yes | no | yes | yes
3042
- # Arguments:
3043
- # <timeout> is the timeout value specified in milliseconds by default, but
3044
- # can be in any other unit if the number is suffixed by the unit,
3045
- # as explained at the top of this document.
3046
- #
3047
- # If set, haproxy uses min("timeout connect", "inter") as a connect timeout
3048
- # for check and "timeout check" as an additional read timeout. The "min" is
3049
- # used so that people running with *very* long "timeout connect" (eg. those
3050
- # who needed this due to the queue or tarpit) do not slow down their checks.
3051
- # (Please also note that there is no valid reason to have such long connect
3052
- # timeouts, because "timeout queue" and "timeout tarpit" can always be used to
3053
- # avoid that).
3054
- #
3055
- # If "timeout check" is not set haproxy uses "inter" for complete check
3056
- # timeout (connect + read) exactly like all <1.3.15 version.
3057
- #
3058
- # In most cases check request is much simpler and faster to handle than normal
3059
- # requests and people may want to kick out laggy servers so this timeout should
3060
- # be smaller than "timeout server".
3061
- #
3062
- # This parameter is specific to backends, but can be specified once for all in
3063
- # "defaults" sections. This is in fact one of the easiest solutions not to
3064
- # forget about it.
3065
- #
3066
- # See also: "timeout connect", "timeout queue", "timeout server",
3067
- # "timeout tarpit".
3068
- #
3069
- attr_accessor :timeout_check
3070
-
3071
- #
3072
- # timeout client <timeout>
3073
- # timeout clitimeout <timeout> (deprecated)
3074
- # Set the maximum inactivity time on the client side.
3075
- # May be used in sections : defaults | frontend | listen | backend
3076
- # yes | yes | yes | no
3077
- # Arguments :
3078
- # <timeout> is the timeout value specified in milliseconds by default, but
3079
- # can be in any other unit if the number is suffixed by the unit,
3080
- # as explained at the top of this document.
3081
- #
3082
- # The inactivity timeout applies when the client is expected to acknowledge or
3083
- # send data. In HTTP mode, this timeout is particularly important to consider
3084
- # during the first phase, when the client sends the request, and during the
3085
- # response while it is reading data sent by the server. The value is specified
3086
- # in milliseconds by default, but can be in any other unit if the number is
3087
- # suffixed by the unit, as specified at the top of this document. In TCP mode
3088
- # (and to a lesser extent, in HTTP mode), it is highly recommended that the
3089
- # client timeout remains equal to the server timeout in order to avoid complex
3090
- # situations to debug. It is a good practice to cover one or several TCP packet
3091
- # losses by specifying timeouts that are slightly above multiples of 3 seconds
3092
- # (eg: 4 or 5 seconds).
3093
- #
3094
- # This parameter is specific to frontends, but can be specified once for all in
3095
- # "defaults" sections. This is in fact one of the easiest solutions not to
3096
- # forget about it. An unspecified timeout results in an infinite timeout, which
3097
- # is not recommended. Such a usage is accepted and works but reports a warning
3098
- # during startup because it may results in accumulation of expired sessions in
3099
- # the system if the system's timeouts are not configured either.
3100
- #
3101
- # This parameter replaces the old, deprecated "clitimeout". It is recommended
3102
- # to use it to write new configurations. The form "timeout clitimeout" is
3103
- # provided only by backwards compatibility but its use is strongly discouraged.
3104
- #
3105
- # See also : "clitimeout", "timeout server".
3106
- #
3107
- attr_accessor :timeout_client
3108
-
3109
- #
3110
- # timeout connect <timeout>
3111
- # timeout contimeout <timeout> (deprecated)
3112
- # Set the maximum time to wait for a connection attempt to a server to succeed.
3113
- # May be used in sections : defaults | frontend | listen | backend
3114
- # yes | no | yes | yes
3115
- # Arguments :
3116
- # <timeout> is the timeout value specified in milliseconds by default, but
3117
- # can be in any other unit if the number is suffixed by the unit,
3118
- # as explained at the top of this document.
3119
- #
3120
- # If the server is located on the same LAN as haproxy, the connection should be
3121
- # immediate (less than a few milliseconds). Anyway, it is a good practice to
3122
- # cover one or several TCP packet losses by specifying timeouts that are
3123
- # slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
3124
- # connect timeout also presets both queue and tarpit timeouts to the same value
3125
- # if these have not been specified.
3126
- #
3127
- # This parameter is specific to backends, but can be specified once for all in
3128
- # "defaults" sections. This is in fact one of the easiest solutions not to
3129
- # forget about it. An unspecified timeout results in an infinite timeout, which
3130
- # is not recommended. Such a usage is accepted and works but reports a warning
3131
- # during startup because it may results in accumulation of failed sessions in
3132
- # the system if the system's timeouts are not configured either.
3133
- #
3134
- # This parameter replaces the old, deprecated "contimeout". It is recommended
3135
- # to use it to write new configurations. The form "timeout contimeout" is
3136
- # provided only by backwards compatibility but its use is strongly discouraged.
3137
- #
3138
- # See also: "timeout check", "timeout queue", "timeout server", "contimeout",
3139
- # "timeout tarpit".
3140
- #
3141
- attr_accessor :timeout_connect
3142
-
3143
- #
3144
- # timeout http-keep-alive <timeout>
3145
- # Set the maximum allowed time to wait for a new HTTP request to appear
3146
- # May be used in sections : defaults | frontend | listen | backend
3147
- # yes | yes | yes | yes
3148
- # Arguments :
3149
- # <timeout> is the timeout value specified in milliseconds by default, but
3150
- # can be in any other unit if the number is suffixed by the unit,
3151
- # as explained at the top of this document.
3152
- #
3153
- # By default, the time to wait for a new request in case of keep-alive is set
3154
- # by "timeout http-request". However this is not always convenient because some
3155
- # people want very short keep-alive timeouts in order to release connections
3156
- # faster, and others prefer to have larger ones but still have short timeouts
3157
- # once the request has started to present itself.
3158
- #
3159
- # The "http-keep-alive" timeout covers these needs. It will define how long to
3160
- # wait for a new HTTP request to start coming after a response was sent. Once
3161
- # the first byte of request has been seen, the "http-request" timeout is used
3162
- # to wait for the complete request to come. Note that empty lines prior to a
3163
- # new request do not refresh the timeout and are not counted as a new request.
3164
- #
3165
- # There is also another difference between the two timeouts : when a connection
3166
- # expires during timeout http-keep-alive, no error is returned, the connection
3167
- # just closes. If the connection expires in "http-request" while waiting for a
3168
- # connection to complete, a HTTP 408 error is returned.
3169
- #
3170
- # In general it is optimal to set this value to a few tens to hundreds of
3171
- # milliseconds, to allow users to fetch all objects of a page at once but
3172
- # without waiting for further clicks. Also, if set to a very small value (eg:
3173
- # 1 millisecond) it will probably only accept pipelined requests but not the
3174
- # non-pipelined ones. It may be a nice trade-off for very large sites running
3175
- # with tens to hundreds of thousands of clients.
3176
- #
3177
- # If this parameter is not set, the "http-request" timeout applies, and if both
3178
- # are not set, "timeout client" still applies at the lower level. It should be
3179
- # set in the frontend to take effect, unless the frontend is in TCP mode, in
3180
- # which case the HTTP backend's timeout will be used.
3181
- #
3182
- # See also : "timeout http-request", "timeout client".
3183
- #
3184
- attr_accessor :timeout_http_keep_alive
3185
-
3186
- #
3187
- # timeout http-request <timeout>
3188
- # Set the maximum allowed time to wait for a complete HTTP request
3189
- # May be used in sections : defaults | frontend | listen | backend
3190
- # yes | yes | yes | yes
3191
- # Arguments :
3192
- # <timeout> is the timeout value specified in milliseconds by default, but
3193
- # can be in any other unit if the number is suffixed by the unit,
3194
- # as explained at the top of this document.
3195
- #
3196
- # In order to offer DoS protection, it may be required to lower the maximum
3197
- # accepted time to receive a complete HTTP request without affecting the client
3198
- # timeout. This helps protecting against established connections on which
3199
- # nothing is sent. The client timeout cannot offer a good protection against
3200
- # this abuse because it is an inactivity timeout, which means that if the
3201
- # attacker sends one character every now and then, the timeout will not
3202
- # trigger. With the HTTP request timeout, no matter what speed the client
3203
- # types, the request will be aborted if it does not complete in time.
3204
- #
3205
- # Note that this timeout only applies to the header part of the request, and
3206
- # not to any data. As soon as the empty line is received, this timeout is not
3207
- # used anymore. It is used again on keep-alive connections to wait for a second
3208
- # request if "timeout http-keep-alive" is not set.
3209
- #
3210
- # Generally it is enough to set it to a few seconds, as most clients send the
3211
- # full request immediately upon connection. Add 3 or more seconds to cover TCP
3212
- # retransmits but that's all. Setting it to very low values (eg: 50 ms) will
3213
- # generally work on local networks as long as there are no packet losses. This
3214
- # will prevent people from sending bare HTTP requests using telnet.
3215
- #
3216
- # If this parameter is not set, the client timeout still applies between each
3217
- # chunk of the incoming request. It should be set in the frontend to take
3218
- # effect, unless the frontend is in TCP mode, in which case the HTTP backend's
3219
- # timeout will be used.
3220
- #
3221
- # See also : "timeout http-keep-alive", "timeout client".
3222
- #
3223
- attr_accessor :timeout_http_request
3224
-
3225
- #
3226
- # timeout queue <timeout>
3227
- # Set the maximum time to wait in the queue for a connection slot to be free
3228
- # May be used in sections : defaults | frontend | listen | backend
3229
- # yes | no | yes | yes
3230
- # Arguments :
3231
- # <timeout> is the timeout value specified in milliseconds by default, but
3232
- # can be in any other unit if the number is suffixed by the unit,
3233
- # as explained at the top of this document.
3234
- #
3235
- # When a server's maxconn is reached, connections are left pending in a queue
3236
- # which may be server-specific or global to the backend. In order not to wait
3237
- # indefinitely, a timeout is applied to requests pending in the queue. If the
3238
- # timeout is reached, it is considered that the request will almost never be
3239
- # served, so it is dropped and a 503 error is returned to the client.
3240
- #
3241
- # The "timeout queue" statement allows to fix the maximum time for a request to
3242
- # be left pending in a queue. If unspecified, the same value as the backend's
3243
- # connection timeout ("timeout connect") is used, for backwards compatibility
3244
- # with older versions with no "timeout queue" parameter.
3245
- #
3246
- # See also : "timeout connect", "contimeout".
3247
- #
3248
- attr_accessor :timeout_queue
3249
-
3250
- #
3251
- # timeout server <timeout>
3252
- # timeout srvtimeout <timeout> (deprecated)
3253
- # Set the maximum inactivity time on the server side.
3254
- # May be used in sections : defaults | frontend | listen | backend
3255
- # yes | no | yes | yes
3256
- # Arguments :
3257
- # <timeout> is the timeout value specified in milliseconds by default, but
3258
- # can be in any other unit if the number is suffixed by the unit,
3259
- # as explained at the top of this document.
3260
- #
3261
- # The inactivity timeout applies when the server is expected to acknowledge or
3262
- # send data. In HTTP mode, this timeout is particularly important to consider
3263
- # during the first phase of the server's response, when it has to send the
3264
- # headers, as it directly represents the server's processing time for the
3265
- # request. To find out what value to put there, it's often good to start with
3266
- # what would be considered as unacceptable response times, then check the logs
3267
- # to observe the response time distribution, and adjust the value accordingly.
3268
- #
3269
- # The value is specified in milliseconds by default, but can be in any other
3270
- # unit if the number is suffixed by the unit, as specified at the top of this
3271
- # document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
3272
- # recommended that the client timeout remains equal to the server timeout in
3273
- # order to avoid complex situations to debug. Whatever the expected server
3274
- # response times, it is a good practice to cover at least one or several TCP
3275
- # packet losses by specifying timeouts that are slightly above multiples of 3
3276
- # seconds (eg: 4 or 5 seconds minimum).
3277
- #
3278
- # This parameter is specific to backends, but can be specified once for all in
3279
- # "defaults" sections. This is in fact one of the easiest solutions not to
3280
- # forget about it. An unspecified timeout results in an infinite timeout, which
3281
- # is not recommended. Such a usage is accepted and works but reports a warning
3282
- # during startup because it may results in accumulation of expired sessions in
3283
- # the system if the system's timeouts are not configured either.
3284
- #
3285
- # This parameter replaces the old, deprecated "srvtimeout". It is recommended
3286
- # to use it to write new configurations. The form "timeout srvtimeout" is
3287
- # provided only by backwards compatibility but its use is strongly discouraged.
3288
- #
3289
- # See also : "srvtimeout", "timeout client".
3290
- #
3291
- attr_accessor :timeout_server
3292
-
3293
- #
3294
- # timeout tarpit <timeout>
3295
- # Set the duration for which tarpitted connections will be maintained
3296
- # May be used in sections : defaults | frontend | listen | backend
3297
- # yes | yes | yes | yes
3298
- # Arguments :
3299
- # <timeout> is the tarpit duration specified in milliseconds by default, but
3300
- # can be in any other unit if the number is suffixed by the unit,
3301
- # as explained at the top of this document.
3302
- #
3303
- # When a connection is tarpitted using "reqtarpit", it is maintained open with
3304
- # no activity for a certain amount of time, then closed. "timeout tarpit"
3305
- # defines how long it will be maintained open.
3306
- #
3307
- # The value is specified in milliseconds by default, but can be in any other
3308
- # unit if the number is suffixed by the unit, as specified at the top of this
3309
- # document. If unspecified, the same value as the backend's connection timeout
3310
- # ("timeout connect") is used, for backwards compatibility with older versions
3311
- # with no "timeout tarpit" parameter.
3312
- #
3313
- # See also : "timeout connect", "contimeout".
3314
- #
3315
- attr_accessor :timeout_tarpit
3316
-
3317
- #
3318
- # name <name>
3319
- # The defaults name is encouraged for better readability.
3320
- #
3321
- attr_accessor :name
19
+ include RhaproxyKeywords,
20
+ :exclude => [
21
+ :acl,
22
+ :appsession,
23
+ :bind,
24
+ :block,
25
+ :capture_cookie,
26
+ :capture_request_header,
27
+ :capture_response_header,
28
+ :description,
29
+ :dispatch,
30
+ :force_persist,
31
+ :http_check_expect,
32
+ :http_request,
33
+ :persistent_id,
34
+ :ignore_persist,
35
+ :monitor_fail,
36
+ :name,
37
+ :redirect,
38
+ :reqadd,
39
+ :reqallow,
40
+ :reqdel,
41
+ :reqdeny,
42
+ :reqiallow,
43
+ :reqidel,
44
+ :reqideny,
45
+ :reqipass,
46
+ :reqirep,
47
+ :reqisetbe,
48
+ :reqitarpit,
49
+ :reqpass,
50
+ :reqrep,
51
+ :reqsetbe,
52
+ :reqtarpit,
53
+ :rspadd,
54
+ :rspdel,
55
+ :rspdeny,
56
+ :rspirep,
57
+ :rsprep,
58
+ :server,
59
+ :stats_admin,
60
+ :stats_http_request,
61
+ :stick_match,
62
+ :stick_on,
63
+ :stick_store_request,
64
+ :stick_table,
65
+ :stick_store_response,
66
+ :tcp_request_connection,
67
+ :tcp_request_content,
68
+ :tcp_request_inspect_delay,
69
+ :tcp_response_content,
70
+ :tcp_response_inspect_delay,
71
+ :use_backend
72
+ ]
3322
73
 
3323
74
  #
3324
75
  # Returns a new RhaproxyDefaults Object
3325
76
  #
3326
77
  def initialize()
78
+ @conf ||= []
79
+ @proxy_type = "defaults"
80
+ @conf.push(" " + "#{@proxy_type} " + "\n")
81
+ @name_index = @conf.index(" " + "#{@proxy_type} " + "\n")
3327
82
  end
3328
83
 
3329
84
  #
3330
- # Compile the HAproxy defaults configuration
85
+ # name <name>
86
+ # The defaults name is encouraged for better readability.
3331
87
  #
3332
- def config
3333
-
3334
- conf = option_string()
3335
-
3336
- return conf
3337
-
3338
- end
3339
-
3340
- private
3341
-
3342
- def option_string()
3343
-
3344
- unless @name
3345
- @name = ""
3346
- end
3347
-
3348
- ostring = " " + "defaults " + @name.to_s + "\n"
3349
-
3350
- if @backlog
3351
- ostring += " " + "backlog " + @backlog.to_s + "\n"
3352
- end
3353
-
3354
- if @balance
3355
- ostring += " " + "balance " + @balance.to_s + "\n"
3356
- end
3357
-
3358
- if @bind_process
3359
- ostring += " " + "bind-process " + @bind_process.to_s + "\n"
3360
- end
3361
-
3362
- if @cookie
3363
- ostring += " " + "cookie " + @cookie.to_s + "\n"
3364
- end
3365
-
3366
- if @default_server
3367
- ostring += " " + "default-server " + @default_server.to_s + "\n"
3368
- end
3369
-
3370
- if @default_backend
3371
- ostring += " " + "default_backend " + @default_backend.to_s + "\n"
3372
- end
3373
-
3374
- if @disabled
3375
- ostring += " " + "disabled " + "\n"
3376
- end
3377
-
3378
- if @enabled
3379
- ostring += " " + "enabled " + "\n"
3380
- end
3381
-
3382
- if @errorfile
3383
- ostring += " " + "errorfile " + @errorfile.to_s + "\n"
3384
- end
3385
-
3386
- if @errorloc
3387
- ostring += " " + "errorloc " + @errorloc.to_s + "\n"
3388
- end
3389
-
3390
- if @errorloc302
3391
- ostring += " " + "errorloc302 " + @errorloc302.to_s + "\n"
3392
- end
3393
-
3394
- if @errorloc303
3395
- ostring += " " + "errorloc303 " + @errorloc303.to_s + "\n"
3396
- end
3397
-
3398
- if @fullconn
3399
- ostring += " " + "fullconn " + @fullconn.to_s + "\n"
3400
- end
3401
-
3402
- if @grace
3403
- ostring += " " + "grace " + @grace.to_s + "\n"
3404
- end
3405
-
3406
- if @hash_type
3407
- ostring += " " + "hash_type " + @hash_type.to_s + "\n"
3408
- end
3409
-
3410
- if @http_check_disable_on_404
3411
- ostring += " " + "http-check disable-on-404 " + "\n"
3412
- end
3413
-
3414
- if @http_check_send_state
3415
- ostring += " " + "http-check send-state " + "\n"
3416
- end
3417
-
3418
- if @log
3419
- ostring += " " + "log " + @log.to_s + "\n"
3420
- end
3421
-
3422
- if @maxconn
3423
- ostring += " " + "maxconn " + @maxconn.to_s + "\n"
3424
- end
3425
-
3426
- if @mode
3427
- ostring += " " + "mode " + @mode.to_s + "\n"
3428
- end
3429
-
3430
- if @monitor_net
3431
- ostring += " " + "monitor-net " + @monitor_net.to_s + "\n"
3432
- end
3433
-
3434
- if @monitor_uri
3435
- ostring += " " + "monitor-uri " + @monitor_uri.to_s + "\n"
3436
- end
3437
-
3438
- if @option_abortonclose
3439
- ostring += " " + "option abortonclose " + "\n"
3440
- end
3441
-
3442
- if @option_accept_invalid_http_request
3443
- ostring += " " + "option accept-invalid-http-request " + "\n"
3444
- end
3445
-
3446
- if @option_accept_invalid_http_response
3447
- ostring += " " + "option accept-invalid-http-response " + "\n"
3448
- end
3449
-
3450
- if @option_allbackups
3451
- ostring += " " + "option allbackups " + "\n"
3452
- end
3453
-
3454
- if @option_checkcache
3455
- ostring += " " + "option checkcache " + "\n"
3456
- end
3457
-
3458
- if @option_clitcpka
3459
- ostring += " " + "option clitcpka " + "\n"
3460
- end
3461
-
3462
- if @option_contstats
3463
- ostring += " " + "option contstats " + "\n"
3464
- end
3465
-
3466
- if @option_dontlog_normal
3467
- ostring += " " + "option dontlog-normal " + "\n"
3468
- end
3469
-
3470
- if @option_dontlognull
3471
- ostring += " " + "option dontlognull " + "\n"
3472
- end
3473
-
3474
- if @option_forceclose
3475
- ostring += " " + "option forceclose " + "\n"
3476
- end
3477
-
3478
- if @option_forwardfor
3479
- ostring += " " + "option forwardfor " + @option_forwardfor.to_s + "\n"
3480
- end
3481
-
3482
- if @option_http_pretend_keepalive
3483
- ostring += " " + "option http-pretend-keepalive " + "\n"
3484
- end
3485
-
3486
- if @option_http_server_close
3487
- ostring += " " + "option http-server-close " + "\n"
3488
- end
3489
-
3490
- if @option_http_use_proxy_header
3491
- ostring += " " + "option http-use-proxy-header " + "\n"
3492
- end
3493
-
3494
- if @option_httpchk
3495
- ostring += " " + "option httpchk " + @option_httpchk.to_s + "\n"
3496
- end
3497
-
3498
- if @option_httpchk_complete
3499
- ostring += " " + "option httpchk " + "\n"
3500
- end
3501
-
3502
- if @option_httpclose
3503
- ostring += " " + "option httpclose " + "\n"
3504
- end
3505
-
3506
- if @option_httplog
3507
- ostring += " " + "option httplog " + "\n"
3508
- end
3509
-
3510
- if @option_httplog_clf
3511
- ostring += " " + "option httplog " + @option_httplog_clf.to_s + "\n"
3512
- end
3513
-
3514
- if @option_http_proxy
3515
- ostring += " " + "option http_proxy " + "\n"
3516
- end
3517
-
3518
- if @option_independant_streams
3519
- ostring += " " + "option independant-streams " + "\n"
3520
- end
3521
-
3522
- if @option_ldap_check
3523
- ostring += " " + "option ldap-check " + "\n"
3524
- end
3525
-
3526
- if @option_log_health_checks
3527
- ostring += " " + "option log-health-checks " + "\n"
3528
- end
3529
-
3530
- if @option_log_separate_errors
3531
- ostring += " " + "option log-separate-errors " + "\n"
3532
- end
3533
-
3534
- if @option_logasap
3535
- ostring += " " + "option logasap " + "\n"
3536
- end
3537
-
3538
- if @option_mysql_check
3539
- ostring += " " + "option mysql-check " + @option_mysql_check.to_s + "\n"
3540
- end
3541
-
3542
- if @option_nolinger
3543
- ostring += " " + "option nolinger " + "\n"
3544
- end
3545
-
3546
- if @option_originalto
3547
- ostring += " " + "option originalto " + @option_originalto.to_s + "\n"
3548
- end
3549
-
3550
- if @option_persist
3551
- ostring += " " + "option persist " + "\n"
3552
- end
3553
-
3554
- if @option_redispatch
3555
- ostring += " " + "option redispatch " + "\n"
3556
- end
3557
-
3558
- if @option_smtpchk
3559
- ostring += " " + "option smtpchk " + @option_smtpchk.to_s + "\n"
3560
- end
3561
-
3562
- if @option_smtpchk_complete
3563
- ostring += " " + "option smtpchk " + "\n"
3564
- end
3565
-
3566
- if @option_socket_stats
3567
- ostring += " " + "option socket-stats " + "\n"
3568
- end
3569
-
3570
- if @option_splice_auto
3571
- ostring += " " + "option splice-auto " + "\n"
3572
- end
3573
-
3574
- if @option_splice_request
3575
- ostring += " " + "option splice-request " + "\n"
3576
- end
3577
-
3578
- if @option_splice_response
3579
- ostring += " " + "option splice-response " + "\n"
3580
- end
3581
-
3582
- if @option_srvtcpka
3583
- ostring += " " + "option srvtcpka " + "\n"
3584
- end
3585
-
3586
- if @option_ssl_hello_chk
3587
- ostring += " " + "option ssl-hello-chk " + "\n"
3588
- end
3589
-
3590
- if @option_tcp_smart_accept
3591
- ostring += " " + "option tcp-smart-accept " + "\n"
3592
- end
3593
-
3594
- if @option_tcp_smart_connect
3595
- ostring += " " + "option tcp-smart-connect " + "\n"
3596
- end
3597
-
3598
- if @option_tcpka
3599
- ostring += " " + "option tcpka " + "\n"
3600
- end
3601
-
3602
- if @option_tcplog
3603
- ostring += " " + "option tcplog " + "\n"
3604
- end
3605
-
3606
- if @option_transparent
3607
- ostring += " " + "option transparent " + "\n"
3608
- end
3609
-
3610
- if @persist_rdp_cookie
3611
- ostring += " " + "persist rdp-cookie " + @persist_rdp_cookie.to_s + "\n"
3612
- end
3613
-
3614
- if @persist_rdp_cookie_msts
3615
- ostring += " " + "persist rdp-cookie " + "\n"
3616
- end
3617
-
3618
- if @rate_limit_sessions
3619
- ostring += " " + "rate-limit sessions " + @rate_limit_sessions.to_s + "\n"
3620
- end
3621
-
3622
- if @retries
3623
- ostring += " " + "retries " + @retries.to_s + "\n"
3624
- end
3625
-
3626
- if @source
3627
- ostring += " " + "source " + @source.to_s + "\n"
3628
- end
3629
-
3630
- if @stats_auth
3631
- ostring += " " + "stats auth " + @stats_auth.to_s + "\n"
3632
- end
3633
-
3634
- if @stats_enable
3635
- ostring += " " + "stats enable " + "\n"
3636
- end
3637
-
3638
- if @stats_hide_version
3639
- ostring += " " + "stats hide-version " + "\n"
3640
- end
3641
-
3642
- if @stats_realm
3643
- ostring += " " + "stats realm " + @stats_realm.to_s + "\n"
3644
- end
3645
-
3646
- if @stats_refresh
3647
- ostring += " " + "stats refresh " + @stats_refresh.to_s + "\n"
3648
- end
3649
-
3650
- if @stats_scope
3651
- ostring += " " + "stats scope " + @stats_scope.to_s + "\n"
3652
- end
3653
-
3654
- if @stats_show_desc
3655
- ostring += " " + "stats show-desc " + @stats_show_desc.to_s + "\n"
3656
- end
3657
-
3658
- if @stats_show_legends
3659
- ostring += " " + "stats show-legends " + "\n"
3660
- end
3661
-
3662
- if @stats_show_node
3663
- ostring += " " + "stats show-node " + @stats_show_node.to_s + "\n"
3664
- end
3665
-
3666
- if @stats_show_node_global
3667
- ostring += " " + "stats show-node " + "\n"
3668
- end
3669
-
3670
- if @stats_uri
3671
- ostring += " " + "stats uri " + @stats_uri.to_s + "\n"
3672
- end
3673
-
3674
- if @timeout_check
3675
- ostring += " " + "timeout check " + @timeout_check.to_s + "\n"
3676
- end
3677
-
3678
- if @timeout_client
3679
- ostring += " " + "timeout client " + @timeout_client.to_s + "\n"
3680
- end
3681
-
3682
- if @timeout_connect
3683
- ostring += " " + "timeout connect " + @timeout_connect.to_s + "\n"
3684
- end
3685
-
3686
- if @timeout_http_keep_alive
3687
- ostring += " " + "timeout http-keep-alive " + @timeout_http_keep_alive.to_s + "\n"
3688
- end
3689
-
3690
- if @timeout_http_request
3691
- ostring += " " + "timeout http-request " + @timeout_http_request.to_s + "\n"
3692
- end
3693
-
3694
- if @timeout_queue
3695
- ostring += " " + "timeout queue " + @timeout_queue.to_s + "\n"
3696
- end
3697
-
3698
- if @timeout_server
3699
- ostring += " " + "timeout server " + @timeout_server.to_s + "\n"
3700
- end
3701
-
3702
- if @timeout_tarpit
3703
- ostring += " " + "timeout tarpit " + @timeout_tarpit.to_s + "\n"
3704
- end
3705
-
3706
- ostring += "\n"
3707
-
3708
- return ostring
3709
-
88
+ # NOTE: This will clear the existing values in the array.
89
+ #
90
+ def name(value = nil)
91
+ @conf.replace( [] )
92
+ @conf.push(" " + "#{@proxy_type} " + value.to_s + "\n")
93
+ @name_index = @conf.index(" " + "#{@proxy_type} " + value.to_s + "\n")
3710
94
  end
3711
95
 
3712
96
  end