rhaproxy 0.1.0 → 0.1.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (10) hide show
  1. data/Changelog +41 -0
  2. data/README +8 -8
  3. data/lib/rhaproxy/backend.rb +29 -4989
  4. data/lib/rhaproxy/defaults.rb +66 -3682
  5. data/lib/rhaproxy/frontend.rb +56 -3226
  6. data/lib/rhaproxy/keywords.rb +6502 -0
  7. data/lib/rhaproxy/listen.rb +3 -6065
  8. data/lib/rhaproxy/mixins.rb +20 -0
  9. data/lib/rhaproxy.rb +2 -0
  10. metadata +6 -4
data/lib/rhaproxy/defaults.rb CHANGED
@@ -16,3697 +16,81 @@
16
16
  # section. The name is optional but its use is encouraged for better readability.
17
17
  #
18
18
  class RhaproxyDefaults
19
-
20
- #
21
- # backlog <conns>
22
- # Give hints to the system about the approximate listen backlog desired size
23
- # May be used in sections : defaults | frontend | listen | backend
24
- # yes | yes | yes | no
25
- # Arguments :
26
- # <conns> is the number of pending connections. Depending on the operating
27
- # system, it may represent the number of already acknowledged
28
- # connections, of non-acknowledged ones, or both.
29
- #
30
- # In order to protect against SYN flood attacks, one solution is to increase
31
- # the system's SYN backlog size. Depending on the system, sometimes it is just
32
- # tunable via a system parameter, sometimes it is not adjustable at all, and
33
- # sometimes the system relies on hints given by the application at the time of
34
- # the listen() syscall. By default, HAProxy passes the frontend's maxconn value
35
- # to the listen() syscall. On systems which can make use of this value, it can
36
- # sometimes be useful to be able to specify a different value, hence this
37
- # backlog parameter.
38
- #
39
- # On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
40
- # used as a hint and the system accepts up to the smallest greater power of
41
- # two, and never more than some limits (usually 32768).
42
- #
43
- # See also : "maxconn" and the target operating system's tuning guide.
44
- #
45
- attr_accessor :backlog
46
-
47
- #
48
- # balance <algorithm> [ <arguments> ]
49
- # balance url_param <param> [check_post [<max_wait>]]
50
- # Define the load balancing algorithm to be used in a backend.
51
- # May be used in sections : defaults | frontend | listen | backend
52
- # yes | no | yes | yes
53
- # Arguments :
54
- # <algorithm> is the algorithm used to select a server when doing load
55
- # balancing. This only applies when no persistence information
56
- # is available, or when a connection is redispatched to another
57
- # server. <algorithm> may be one of the following :
58
- #
59
- # roundrobin Each server is used in turns, according to their weights.
60
- # This is the smoothest and fairest algorithm when the server's
61
- # processing time remains equally distributed. This algorithm
62
- # is dynamic, which means that server weights may be adjusted
63
- # on the fly for slow starts for instance. It is limited by
64
- # design to 4128 active servers per backend. Note that in some
65
- # large farms, when a server becomes up after having been down
66
- # for a very short time, it may sometimes take a few hundreds
67
- # requests for it to be re-integrated into the farm and start
68
- # receiving traffic. This is normal, though very rare. It is
69
- # indicated here in case you would have the chance to observe
70
- # it, so that you don't worry.
71
- #
72
- # static-rr Each server is used in turns, according to their weights.
73
- # This algorithm is as similar to roundrobin except that it is
74
- # static, which means that changing a server's weight on the
75
- # fly will have no effect. On the other hand, it has no design
76
- # limitation on the number of servers, and when a server goes
77
- # up, it is always immediately reintroduced into the farm, once
78
- # the full map is recomputed. It also uses slightly less CPU to
79
- # run (around -1%).
80
- #
81
- # leastconn The server with the lowest number of connections receives the
82
- # connection. Round-robin is performed within groups of servers
83
- # of the same load to ensure that all servers will be used. Use
84
- # of this algorithm is recommended where very long sessions are
85
- # expected, such as LDAP, SQL, TSE, etc... but is not very well
86
- # suited for protocols using short sessions such as HTTP. This
87
- # algorithm is dynamic, which means that server weights may be
88
- # adjusted on the fly for slow starts for instance.
89
- #
90
- # source The source IP address is hashed and divided by the total
91
- # weight of the running servers to designate which server will
92
- # receive the request. This ensures that the same client IP
93
- # address will always reach the same server as long as no
94
- # server goes down or up. If the hash result changes due to the
95
- # number of running servers changing, many clients will be
96
- # directed to a different server. This algorithm is generally
97
- # used in TCP mode where no cookie may be inserted. It may also
98
- # be used on the Internet to provide a best-effort stickiness
99
- # to clients which refuse session cookies. This algorithm is
100
- # static by default, which means that changing a server's
101
- # weight on the fly will have no effect, but this can be
102
- # changed using "hash-type".
103
- #
104
- # uri The left part of the URI (before the question mark) is hashed
105
- # and divided by the total weight of the running servers. The
106
- # result designates which server will receive the request. This
107
- # ensures that a same URI will always be directed to the same
108
- # server as long as no server goes up or down. This is used
109
- # with proxy caches and anti-virus proxies in order to maximize
110
- # the cache hit rate. Note that this algorithm may only be used
111
- # in an HTTP backend. This algorithm is static by default,
112
- # which means that changing a server's weight on the fly will
113
- # have no effect, but this can be changed using "hash-type".
114
- #
115
- # This algorithm support two optional parameters "len" and
116
- # "depth", both followed by a positive integer number. These
117
- # options may be helpful when it is needed to balance servers
118
- # based on the beginning of the URI only. The "len" parameter
119
- # indicates that the algorithm should only consider that many
120
- # characters at the beginning of the URI to compute the hash.
121
- # Note that having "len" set to 1 rarely makes sense since most
122
- # URIs start with a leading "/".
123
- #
124
- # The "depth" parameter indicates the maximum directory depth
125
- # to be used to compute the hash. One level is counted for each
126
- # slash in the request. If both parameters are specified, the
127
- # evaluation stops when either is reached.
128
- #
129
- # url_param The URL parameter specified in argument will be looked up in
130
- # the query string of each HTTP GET request.
131
- #
132
- # If the modifier "check_post" is used, then an HTTP POST
133
- # request entity will be searched for the parameter argument,
134
- # when the question mark indicating a query string ('?') is not
135
- # present in the URL. Optionally, specify a number of octets to
136
- # wait for before attempting to search the message body. If the
137
- # entity can not be searched, then round robin is used for each
138
- # request. For instance, if your clients always send the LB
139
- # parameter in the first 128 bytes, then specify that. The
140
- # default is 48. The entity data will not be scanned until the
141
- # required number of octets have arrived at the gateway, this
142
- # is the minimum of: (default/max_wait, Content-Length or first
143
- # chunk length). If Content-Length is missing or zero, it does
144
- # not need to wait for more data than the client promised to
145
- # send. When Content-Length is present and larger than
146
- # <max_wait>, then waiting is limited to <max_wait> and it is
147
- # assumed that this will be enough data to search for the
148
- # presence of the parameter. In the unlikely event that
149
- # Transfer-Encoding: chunked is used, only the first chunk is
150
- # scanned. Parameter values separated by a chunk boundary, may
151
- # be randomly balanced if at all.
152
- #
153
- # If the parameter is found followed by an equal sign ('=') and
154
- # a value, then the value is hashed and divided by the total
155
- # weight of the running servers. The result designates which
156
- # server will receive the request.
157
- #
158
- # This is used to track user identifiers in requests and ensure
159
- # that a same user ID will always be sent to the same server as
160
- # long as no server goes up or down. If no value is found or if
161
- # the parameter is not found, then a round robin algorithm is
162
- # applied. Note that this algorithm may only be used in an HTTP
163
- # backend. This algorithm is static by default, which means
164
- # that changing a server's weight on the fly will have no
165
- # effect, but this can be changed using "hash-type".
166
- #
167
- # hdr(name) The HTTP header <name> will be looked up in each HTTP request.
168
- # Just as with the equivalent ACL 'hdr()' function, the header
169
- # name in parenthesis is not case sensitive. If the header is
170
- # absent or if it does not contain any value, the roundrobin
171
- # algorithm is applied instead.
172
- #
173
- # An optional 'use_domain_only' parameter is available, for
174
- # reducing the hash algorithm to the main domain part with some
175
- # specific headers such as 'Host'. For instance, in the Host
176
- # value "haproxy.1wt.eu", only "1wt" will be considered.
177
- #
178
- # This algorithm is static by default, which means that
179
- # changing a server's weight on the fly will have no effect,
180
- # but this can be changed using "hash-type".
181
- #
182
- # rdp-cookie
183
- # rdp-cookie(name)
184
- # The RDP cookie <name> (or "mstshash" if omitted) will be
185
- # looked up and hashed for each incoming TCP request. Just as
186
- # with the equivalent ACL 'req_rdp_cookie()' function, the name
187
- # is not case-sensitive. This mechanism is useful as a degraded
188
- # persistence mode, as it makes it possible to always send the
189
- # same user (or the same session ID) to the same server. If the
190
- # cookie is not found, the normal roundrobin algorithm is
191
- # used instead.
192
- #
193
- # Note that for this to work, the frontend must ensure that an
194
- # RDP cookie is already present in the request buffer. For this
195
- # you must use 'tcp-request content accept' rule combined with
196
- # a 'req_rdp_cookie_cnt' ACL.
197
- #
198
- # This algorithm is static by default, which means that
199
- # changing a server's weight on the fly will have no effect,
200
- # but this can be changed using "hash-type".
201
- #
202
- # <arguments> is an optional list of arguments which may be needed by some
203
- # algorithms. Right now, only "url_param" and "uri" support an
204
- # optional argument.
205
- #
206
- # balance uri [len <len>] [depth <depth>]
207
- # balance url_param <param> [check_post [<max_wait>]]
208
- #
209
- # The load balancing algorithm of a backend is set to roundrobin when no other
210
- # algorithm, mode nor option have been set. The algorithm may only be set once
211
- # for each backend.
212
- #
213
- # Examples :
214
- # balance roundrobin
215
- # balance url_param userid
216
- # balance url_param session_id check_post 64
217
- # balance hdr(User-Agent)
218
- # balance hdr(host)
219
- # balance hdr(Host) use_domain_only
220
- #
221
- # Note: the following caveats and limitations on using the "check_post"
222
- # extension with "url_param" must be considered :
223
- #
224
- # - all POST requests are eligible for consideration, because there is no way
225
- # to determine if the parameters will be found in the body or entity which
226
- # may contain binary data. Therefore another method may be required to
227
- # restrict consideration of POST requests that have no URL parameters in
228
- # the body. (see acl reqideny http_end)
229
- #
230
- # - using a <max_wait> value larger than the request buffer size does not
231
- # make sense and is useless. The buffer size is set at build time, and
232
- # defaults to 16 kB.
233
- #
234
- # - Content-Encoding is not supported, the parameter search will probably
235
- # fail; and load balancing will fall back to Round Robin.
236
- #
237
- # - Expect: 100-continue is not supported, load balancing will fall back to
238
- # Round Robin.
239
- #
240
- # - Transfer-Encoding (RFC2616 3.6.1) is only supported in the first chunk.
241
- # If the entire parameter value is not present in the first chunk, the
242
- # selection of server is undefined (actually, defined by how little
243
- # actually appeared in the first chunk).
244
- #
245
- # - This feature does not support generation of a 100, 411 or 501 response.
246
- #
247
- # - In some cases, requesting "check_post" MAY attempt to scan the entire
248
- # contents of a message body. Scanning normally terminates when linear
249
- # white space or control characters are found, indicating the end of what
250
- # might be a URL parameter list. This is probably not a concern with SGML
251
- # type message bodies.
252
- #
253
- # See also : "dispatch", "cookie", "appsession", "transparent", "hash-type" and
254
- # "http_proxy".
255
- #
256
- attr_accessor :balance
257
-
258
- #
259
- # bind-process [ all | odd | even | <number 1-32> ] ...
260
- # Limit visibility of an instance to a certain set of processes numbers.
261
- # May be used in sections : defaults | frontend | listen | backend
262
- # yes | yes | yes | yes
263
- # Arguments :
264
- # all All process will see this instance. This is the default. It
265
- # may be used to override a default value.
266
- #
267
- # odd This instance will be enabled on processes 1,3,5,...31. This
268
- # option may be combined with other numbers.
269
- #
270
- # even This instance will be enabled on processes 2,4,6,...32. This
271
- # option may be combined with other numbers. Do not use it
272
- # with less than 2 processes otherwise some instances might be
273
- # missing from all processes.
274
- #
275
- # number The instance will be enabled on this process number, between
276
- # 1 and 32. You must be careful not to reference a process
277
- # number greater than the configured global.nbproc, otherwise
278
- # some instances might be missing from all processes.
279
- #
280
- # This keyword limits binding of certain instances to certain processes. This
281
- # is useful in order not to have too many processes listening to the same
282
- # ports. For instance, on a dual-core machine, it might make sense to set
283
- # 'nbproc 2' in the global section, then distributes the listeners among 'odd'
284
- # and 'even' instances.
285
- #
286
- # At the moment, it is not possible to reference more than 32 processes using
287
- # this keyword, but this should be more than enough for most setups. Please
288
- # note that 'all' really means all processes and is not limited to the first
289
- # 32.
290
- #
291
- # If some backends are referenced by frontends bound to other processes, the
292
- # backend automatically inherits the frontend's processes.
293
- #
294
- # Example :
295
- # listen app_ip1
296
- # bind 10.0.0.1:80
297
- # bind-process odd
298
- #
299
- # listen app_ip2
300
- # bind 10.0.0.2:80
301
- # bind-process even
302
- #
303
- # listen management
304
- # bind 10.0.0.3:80
305
- # bind-process 1 2 3 4
306
- #
307
- # See also : "nbproc" in global section.
308
- #
309
- attr_accessor :bind_process
310
-
311
- #
312
- # cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ]
313
- # [ postonly ] [ preserve ] [ domain <domain> ]*
314
- # [ maxidle <idle> ] [ maxlife <life> ]
315
- # Enable cookie-based persistence in a backend.
316
- # May be used in sections : defaults | frontend | listen | backend
317
- # yes | no | yes | yes
318
- # Arguments :
319
- # <name> is the name of the cookie which will be monitored, modified or
320
- # inserted in order to bring persistence. This cookie is sent to
321
- # the client via a "Set-Cookie" header in the response, and is
322
- # brought back by the client in a "Cookie" header in all requests.
323
- # Special care should be taken to choose a name which does not
324
- # conflict with any likely application cookie. Also, if the same
325
- # backends are subject to be used by the same clients (eg:
326
- # HTTP/HTTPS), care should be taken to use different cookie names
327
- # between all backends if persistence between them is not desired.
328
- #
329
- # rewrite This keyword indicates that the cookie will be provided by the
330
- # server and that haproxy will have to modify its value to set the
331
- # server's identifier in it. This mode is handy when the management
332
- # of complex combinations of "Set-cookie" and "Cache-control"
333
- # headers is left to the application. The application can then
334
- # decide whether or not it is appropriate to emit a persistence
335
- # cookie. Since all responses should be monitored, this mode only
336
- # works in HTTP close mode. Unless the application behaviour is
337
- # very complex and/or broken, it is advised not to start with this
338
- # mode for new deployments. This keyword is incompatible with
339
- # "insert" and "prefix".
340
- #
341
- # insert This keyword indicates that the persistence cookie will have to
342
- # be inserted by haproxy in server responses if the client did not
343
- #
344
- # already have a cookie that would have permitted it to access this
345
- # server. When used without the "preserve" option, if the server
346
- # emits a cookie with the same name, it will be remove before
347
- # processing. For this reason, this mode can be used to upgrade
348
- # existing configurations running in the "rewrite" mode. The cookie
349
- # will only be a session cookie and will not be stored on the
350
- # client's disk. By default, unless the "indirect" option is added,
351
- # the server will see the cookies emitted by the client. Due to
352
- # caching effects, it is generally wise to add the "nocache" or
353
- # "postonly" keywords (see below). The "insert" keyword is not
354
- # compatible with "rewrite" and "prefix".
355
- #
356
- # prefix This keyword indicates that instead of relying on a dedicated
357
- # cookie for the persistence, an existing one will be completed.
358
- # This may be needed in some specific environments where the client
359
- # does not support more than one single cookie and the application
360
- # already needs it. In this case, whenever the server sets a cookie
361
- # named <name>, it will be prefixed with the server's identifier
362
- # and a delimiter. The prefix will be removed from all client
363
- # requests so that the server still finds the cookie it emitted.
364
- # Since all requests and responses are subject to being modified,
365
- # this mode requires the HTTP close mode. The "prefix" keyword is
366
- # not compatible with "rewrite" and "insert".
367
- #
368
- # indirect When this option is specified, no cookie will be emitted to a
369
- # client which already has a valid one for the server which has
370
- # processed the request. If the server sets such a cookie itself,
371
- # it will be removed, unless the "preserve" option is also set. In
372
- # "insert" mode, this will additionally remove cookies from the
373
- # requests transmitted to the server, making the persistence
374
- # mechanism totally transparent from an application point of view.
375
- #
376
- # nocache This option is recommended in conjunction with the insert mode
377
- # when there is a cache between the client and HAProxy, as it
378
- # ensures that a cacheable response will be tagged non-cacheable if
379
- # a cookie needs to be inserted. This is important because if all
380
- # persistence cookies are added on a cacheable home page for
381
- # instance, then all customers will then fetch the page from an
382
- # outer cache and will all share the same persistence cookie,
383
- # leading to one server receiving much more traffic than others.
384
- # See also the "insert" and "postonly" options.
385
- #
386
- # postonly This option ensures that cookie insertion will only be performed
387
- # on responses to POST requests. It is an alternative to the
388
- # "nocache" option, because POST responses are not cacheable, so
389
- # this ensures that the persistence cookie will never get cached.
390
- # Since most sites do not need any sort of persistence before the
391
- # first POST which generally is a login request, this is a very
392
- # efficient method to optimize caching without risking to find a
393
- # persistence cookie in the cache.
394
- # See also the "insert" and "nocache" options.
395
- #
396
- # preserve This option may only be used with "insert" and/or "indirect". It
397
- # allows the server to emit the persistence cookie itself. In this
398
- # case, if a cookie is found in the response, haproxy will leave it
399
- # untouched. This is useful in order to end persistence after a
400
- # logout request for instance. For this, the server just has to
401
- # emit a cookie with an invalid value (eg: empty) or with a date in
402
- # the past. By combining this mechanism with the "disable-on-404"
403
- # check option, it is possible to perform a completely graceful
404
- # shutdown because users will definitely leave the server after
405
- # they logout.
406
- #
407
- # domain This option allows to specify the domain at which a cookie is
408
- # inserted. It requires exactly one parameter: a valid domain
409
- # name. If the domain begins with a dot, the browser is allowed to
410
- # use it for any host ending with that name. It is also possible to
411
- # specify several domain names by invoking this option multiple
412
- # times. Some browsers might have small limits on the number of
413
- # domains, so be careful when doing that. For the record, sending
414
- # 10 domains to MSIE 6 or Firefox 2 works as expected.
415
- #
416
- # maxidle This option allows inserted cookies to be ignored after some idle
417
- # time. It only works with insert-mode cookies. When a cookie is
418
- # sent to the client, the date this cookie was emitted is sent too.
419
- # Upon further presentations of this cookie, if the date is older
420
- # than the delay indicated by the parameter (in seconds), it will
421
- # be ignored. Otherwise, it will be refreshed if needed when the
422
- # response is sent to the client. This is particularly useful to
423
- # prevent users who never close their browsers from remaining for
424
- # too long on the same server (eg: after a farm size change). When
425
- # this option is set and a cookie has no date, it is always
426
- # accepted, but gets refreshed in the response. This maintains the
427
- # ability for admins to access their sites. Cookies that have a
428
- # date in the future further than 24 hours are ignored. Doing so
429
- # lets admins fix timezone issues without risking kicking users off
430
- # the site.
431
- #
432
- # maxlife This option allows inserted cookies to be ignored after some life
433
- # time, whether they're in use or not. It only works with insert
434
- # mode cookies. When a cookie is first sent to the client, the date
435
- # this cookie was emitted is sent too. Upon further presentations
436
- # of this cookie, if the date is older than the delay indicated by
437
- # the parameter (in seconds), it will be ignored. If the cookie in
438
- # the request has no date, it is accepted and a date will be set.
439
- # Cookies that have a date in the future further than 24 hours are
440
- # ignored. Doing so lets admins fix timezone issues without risking
441
- # kicking users off the site. Contrary to maxidle, this value is
442
- # not refreshed, only the first visit date counts. Both maxidle and
443
- # maxlife may be used at the time. This is particularly useful to
444
- # prevent users who never close their browsers from remaining for
445
- # too long on the same server (eg: after a farm size change). This
446
- # is stronger than the maxidle method in that it forces a
447
- # redispatch after some absolute delay.
448
- #
449
- # There can be only one persistence cookie per HTTP backend, and it can be
450
- # declared in a defaults section. The value of the cookie will be the value
451
- # indicated after the "cookie" keyword in a "server" statement. If no cookie
452
- # is declared for a given server, the cookie is not set.
453
- #
454
- # Examples :
455
- # cookie JSESSIONID prefix
456
- # cookie SRV insert indirect nocache
457
- # cookie SRV insert postonly indirect
458
- # cookie SRV insert indirect nocache maxidle 30m maxlife 8h
459
- #
460
- # See also : "appsession", "balance source", "capture cookie", "server"
461
- # and "ignore-persist".
462
- #
463
- attr_accessor :cookie
464
-
465
- #
466
- # default-server [param*]
467
- # Change default options for a server in a backend
468
- # May be used in sections : defaults | frontend | listen | backend
469
- # yes | no | yes | yes
470
- # Arguments:
471
- # <param*> is a list of parameters for this server. The "default-server"
472
- # keyword accepts an important number of options and has a complete
473
- # section dedicated to it. Please refer to section 5 for more
474
- # details.
475
- #
476
- # Example :
477
- # default-server inter 1000 weight 13
478
- #
479
- # See also: "server" and section 5 about server options
480
- #
481
- attr_accessor :default_server
482
-
483
- #
484
- # default_backend <backend>
485
- # Specify the backend to use when no "use_backend" rule has been matched.
486
- # May be used in sections : defaults | frontend | listen | backend
487
- # yes | yes | yes | no
488
- # Arguments :
489
- # <backend> is the name of the backend to use.
490
- #
491
- # When doing content-switching between frontend and backends using the
492
- # "use_backend" keyword, it is often useful to indicate which backend will be
493
- # used when no rule has matched. It generally is the dynamic backend which
494
- # will catch all undetermined requests.
495
- #
496
- # Example :
497
- #
498
- # use_backend dynamic if url_dyn
499
- # use_backend static if url_css url_img extension_img
500
- # default_backend dynamic
501
- #
502
- # See also : "use_backend", "reqsetbe", "reqisetbe"
503
- #
504
- attr_accessor :default_backend
505
-
506
- #
507
- # disabled
508
- # Disable a proxy, frontend or backend.
509
- # May be used in sections : defaults | frontend | listen | backend
510
- # yes | yes | yes | yes
511
- # Arguments : none
512
- #
513
- # The "disabled" keyword is used to disable an instance, mainly in order to
514
- # liberate a listening port or to temporarily disable a service. The instance
515
- # will still be created and its configuration will be checked, but it will be
516
- # created in the "stopped" state and will appear as such in the statistics. It
517
- # will not receive any traffic nor will it send any health-checks or logs. It
518
- # is possible to disable many instances at once by adding the "disabled"
519
- # keyword in a "defaults" section.
520
- #
521
- # See also : "enabled"
522
- #
523
- attr_accessor :disabled
524
-
525
- #
526
- # enabled
527
- # Enable a proxy, frontend or backend.
528
- # May be used in sections : defaults | frontend | listen | backend
529
- # yes | yes | yes | yes
530
- # Arguments : none
531
- #
532
- # The "enabled" keyword is used to explicitly enable an instance, when the
533
- # defaults has been set to "disabled". This is very rarely used.
534
- #
535
- # See also : "disabled"
536
- #
537
- attr_accessor :enabled
538
-
539
- #
540
- # errorfile <code> <file>
541
- # Return a file contents instead of errors generated by HAProxy
542
- # May be used in sections : defaults | frontend | listen | backend
543
- # yes | yes | yes | yes
544
- # Arguments :
545
- # <code> is the HTTP status code. Currently, HAProxy is capable of
546
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
547
- #
548
- # <file> designates a file containing the full HTTP response. It is
549
- # recommended to follow the common practice of appending ".http" to
550
- # the filename so that people do not confuse the response with HTML
551
- # error pages, and to use absolute paths, since files are read
552
- # before any chroot is performed.
553
- #
554
- # It is important to understand that this keyword is not meant to rewrite
555
- # errors returned by the server, but errors detected and returned by HAProxy.
556
- # This is why the list of supported errors is limited to a small set.
557
- #
558
- # The files are returned verbatim on the TCP socket. This allows any trick such
559
- # as redirections to another URL or site, as well as tricks to clean cookies,
560
- # force enable or disable caching, etc... The package provides default error
561
- # files returning the same contents as default errors.
562
- #
563
- # The files should not exceed the configured buffer size (BUFSIZE), which
564
- # generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
565
- # not to put any reference to local contents (eg: images) in order to avoid
566
- # loops between the client and HAProxy when all servers are down, causing an
567
- # error to be returned instead of an image. For better HTTP compliance, it is
568
- # recommended that all header lines end with CR-LF and not LF alone.
569
- #
570
- # The files are read at the same time as the configuration and kept in memory.
571
- # For this reason, the errors continue to be returned even when the process is
572
- # chrooted, and no file change is considered while the process is running. A
573
- # simple method for developing those files consists in associating them to the
574
- # 403 status code and interrogating a blocked URL.
575
- #
576
- # See also : "errorloc", "errorloc302", "errorloc303"
577
- #
578
- # Example :
579
- # errorfile 400 /etc/haproxy/errorfiles/400badreq.http
580
- # errorfile 403 /etc/haproxy/errorfiles/403forbid.http
581
- # errorfile 503 /etc/haproxy/errorfiles/503sorry.http
582
- #
583
- attr_accessor :errorfile
584
-
585
- #
586
- # errorloc <code> <url>
587
- # Return an HTTP redirection to a URL instead of errors generated by HAProxy
588
- # May be used in sections : defaults | frontend | listen | backend
589
- # yes | yes | yes | yes
590
- # Arguments :
591
- # <code> is the HTTP status code. Currently, HAProxy is capable of
592
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
593
- #
594
- # <url> it is the exact contents of the "Location" header. It may contain
595
- # either a relative URI to an error page hosted on the same site,
596
- # or an absolute URI designating an error page on another site.
597
- # Special care should be given to relative URIs to avoid redirect
598
- # loops if the URI itself may generate the same error (eg: 500).
599
- #
600
- # It is important to understand that this keyword is not meant to rewrite
601
- # errors returned by the server, but errors detected and returned by HAProxy.
602
- # This is why the list of supported errors is limited to a small set.
603
- #
604
- # Note that both keyword return the HTTP 302 status code, which tells the
605
- # client to fetch the designated URL using the same HTTP method. This can be
606
- # quite problematic in case of non-GET methods such as POST, because the URL
607
- # sent to the client might not be allowed for something other than GET. To
608
- # workaround this problem, please use "errorloc303" which send the HTTP 303
609
- # status code, indicating to the client that the URL must be fetched with a GET
610
- # request.
611
- #
612
- # See also : "errorfile", "errorloc303"
613
- #
614
- attr_accessor :errorloc
615
-
616
- #
617
- # errorloc302 <code> <url>
618
- # Return an HTTP redirection to a URL instead of errors generated by HAProxy
619
- # May be used in sections : defaults | frontend | listen | backend
620
- # yes | yes | yes | yes
621
- # Arguments :
622
- # <code> is the HTTP status code. Currently, HAProxy is capable of
623
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
624
- #
625
- # <url> it is the exact contents of the "Location" header. It may contain
626
- # either a relative URI to an error page hosted on the same site,
627
- # or an absolute URI designating an error page on another site.
628
- # Special care should be given to relative URIs to avoid redirect
629
- # loops if the URI itself may generate the same error (eg: 500).
630
- #
631
- # It is important to understand that this keyword is not meant to rewrite
632
- # errors returned by the server, but errors detected and returned by HAProxy.
633
- # This is why the list of supported errors is limited to a small set.
634
- #
635
- # Note that both keyword return the HTTP 302 status code, which tells the
636
- # client to fetch the designated URL using the same HTTP method. This can be
637
- # quite problematic in case of non-GET methods such as POST, because the URL
638
- # sent to the client might not be allowed for something other than GET. To
639
- # workaround this problem, please use "errorloc303" which send the HTTP 303
640
- # status code, indicating to the client that the URL must be fetched with a GET
641
- # request.
642
- #
643
- # See also : "errorfile", "errorloc303"
644
- #
645
- attr_accessor :errorloc302
646
-
647
- #
648
- # errorloc303 <code> <url>
649
- # Return an HTTP redirection to a URL instead of errors generated by HAProxy
650
- # May be used in sections : defaults | frontend | listen | backend
651
- # yes | yes | yes | yes
652
- # Arguments :
653
- # <code> is the HTTP status code. Currently, HAProxy is capable of
654
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
655
- #
656
- # <url> it is the exact contents of the "Location" header. It may contain
657
- # either a relative URI to an error page hosted on the same site,
658
- # or an absolute URI designating an error page on another site.
659
- # Special care should be given to relative URIs to avoid redirect
660
- # loops if the URI itself may generate the same error (eg: 500).
661
- #
662
- # It is important to understand that this keyword is not meant to rewrite
663
- # errors returned by the server, but errors detected and returned by HAProxy.
664
- # This is why the list of supported errors is limited to a small set.
665
- #
666
- # Note that both keyword return the HTTP 303 status code, which tells the
667
- # client to fetch the designated URL using the same HTTP GET method. This
668
- # solves the usual problems associated with "errorloc" and the 302 code. It is
669
- # possible that some very old browsers designed before HTTP/1.1 do not support
670
- # it, but no such problem has been reported till now.
671
- #
672
- # See also : "errorfile", "errorloc", "errorloc302"
673
- #
674
- attr_accessor :errorloc303
675
-
676
- #
677
- # fullconn <conns>
678
- # Specify at what backend load the servers will reach their maxconn
679
- # May be used in sections : defaults | frontend | listen | backend
680
- # yes | no | yes | yes
681
- # Arguments :
682
- # <conns> is the number of connections on the backend which will make the
683
- # servers use the maximal number of connections.
684
- #
685
- # When a server has a "maxconn" parameter specified, it means that its number
686
- # of concurrent connections will never go higher. Additionally, if it has a
687
- # "minconn" parameter, it indicates a dynamic limit following the backend's
688
- # load. The server will then always accept at least <minconn> connections,
689
- # never more than <maxconn>, and the limit will be on the ramp between both
690
- # values when the backend has less than <conns> concurrent connections. This
691
- # makes it possible to limit the load on the servers during normal loads, but
692
- # push it further for important loads without overloading the servers during
693
- # exceptional loads.
694
- #
695
- # Example :
696
- # # The servers will accept between 100 and 1000 concurrent connections each
697
- # # and the maximum of 1000 will be reached when the backend reaches 10000
698
- # # connections.
699
- # backend dynamic
700
- # fullconn 10000
701
- # server srv1 dyn1:80 minconn 100 maxconn 1000
702
- # server srv2 dyn2:80 minconn 100 maxconn 1000
703
- #
704
- # See also : "maxconn", "server"
705
- #
706
- attr_accessor :fullconn
707
-
708
- #
709
- # grace <time>
710
- # Maintain a proxy operational for some time after a soft stop
711
- # May be used in sections : defaults | frontend | listen | backend
712
- # yes | yes | yes | yes
713
- # Arguments :
714
- # <time> is the time (by default in milliseconds) for which the instance
715
- # will remain operational with the frontend sockets still listening
716
- # when a soft-stop is received via the SIGUSR1 signal.
717
- #
718
- # This may be used to ensure that the services disappear in a certain order.
719
- # This was designed so that frontends which are dedicated to monitoring by an
720
- # external equipment fail immediately while other ones remain up for the time
721
- # needed by the equipment to detect the failure.
722
- #
723
- # Note that currently, there is very little benefit in using this parameter,
724
- # and it may in fact complicate the soft-reconfiguration process more than
725
- # simplify it.
726
- #
727
- attr_accessor :grace
728
-
729
- #
730
- # hash-type <method>
731
- # Specify a method to use for mapping hashes to servers
732
- # May be used in sections : defaults | frontend | listen | backend
733
- # yes | no | yes | yes
734
- # Arguments :
735
- # map-based the hash table is a static array containing all alive servers.
736
- # The hashes will be very smooth, will consider weights, but will
737
- # be static in that weight changes while a server is up will be
738
- # ignored. This means that there will be no slow start. Also,
739
- # since a server is selected by its position in the array, most
740
- # mappings are changed when the server count changes. This means
741
- # that when a server goes up or down, or when a server is added
742
- # to a farm, most connections will be redistributed to different
743
- # servers. This can be inconvenient with caches for instance.
744
- #
745
- # consistent the hash table is a tree filled with many occurrences of each
746
- # server. The hash key is looked up in the tree and the closest
747
- # server is chosen. This hash is dynamic, it supports changing
748
- # weights while the servers are up, so it is compatible with the
749
- # slow start feature. It has the advantage that when a server
750
- # goes up or down, only its associations are moved. When a server
751
- # is added to the farm, only a few part of the mappings are
752
- # redistributed, making it an ideal algorithm for caches.
753
- # However, due to its principle, the algorithm will never be very
754
- # smooth and it may sometimes be necessary to adjust a server's
755
- # weight or its ID to get a more balanced distribution. In order
756
- # to get the same distribution on multiple load balancers, it is
757
- # important that all servers have the same IDs.
758
- #
759
- # The default hash type is "map-based" and is recommended for most usages.
760
- #
761
- # See also : "balance", "server"
762
- #
763
- attr_accessor :hash_type
764
-
765
- #
766
- # http-check disable-on-404
767
- # Enable a maintenance mode upon HTTP/404 response to health-checks
768
- # May be used in sections : defaults | frontend | listen | backend
769
- # yes | no | yes | yes
770
- # Arguments : none
771
- #
772
- # When this option is set, a server which returns an HTTP code 404 will be
773
- # excluded from further load-balancing, but will still receive persistent
774
- # connections. This provides a very convenient method for Web administrators
775
- # to perform a graceful shutdown of their servers. It is also important to note
776
- # that a server which is detected as failed while it was in this mode will not
777
- # generate an alert, just a notice. If the server responds 2xx or 3xx again, it
778
- # will immediately be reinserted into the farm. The status on the stats page
779
- # reports "NOLB" for a server in this mode. It is important to note that this
780
- # option only works in conjunction with the "httpchk" option. If this option
781
- # is used with "http-check expect", then it has precedence over it so that 404
782
- # responses will still be considered as soft-stop.
783
- #
784
- # See also : "option httpchk", "http-check expect"
785
- #
786
- attr_accessor :http_check_disable_on_404
787
-
788
- #
789
- # http-check send-state
790
- # Enable emission of a state header with HTTP health checks
791
- # May be used in sections : defaults | frontend | listen | backend
792
- # yes | no | yes | yes
793
- # Arguments : none
794
- #
795
- # When this option is set, haproxy will systematically send a special header
796
- # "X-Haproxy-Server-State" with a list of parameters indicating to each server
797
- # how they are seen by haproxy. This can be used for instance when a server is
798
- # manipulated without access to haproxy and the operator needs to know whether
799
- # haproxy still sees it up or not, or if the server is the last one in a farm.
800
- #
801
- # The header is composed of fields delimited by semi-colons, the first of which
802
- # is a word ("UP", "DOWN", "NOLB"), possibly followed by a number of valid
803
- # checks on the total number before transition, just as appears in the stats
804
- # interface. Next headers are in the form "<variable>=<value>", indicating in
805
- # no specific order some values available in the stats interface :
806
- # - a variable "name", containing the name of the backend followed by a slash
807
- # ("/") then the name of the server. This can be used when a server is
808
- # checked in multiple backends.
809
- #
810
- # - a variable "node" containing the name of the haproxy node, as set in the
811
- # global "node" variable, otherwise the system's hostname if unspecified.
812
- #
813
- # - a variable "weight" indicating the weight of the server, a slash ("/")
814
- # and the total weight of the farm (just counting usable servers). This
815
- # helps to know if other servers are available to handle the load when this
816
- # one fails.
817
- #
818
- # - a variable "scur" indicating the current number of concurrent connections
819
- # on the server, followed by a slash ("/") then the total number of
820
- # connections on all servers of the same backend.
821
- #
822
- # - a variable "qcur" indicating the current number of requests in the
823
- # server's queue.
824
- #
825
- # Example of a header received by the application server :
826
- # >>> X-Haproxy-Server-State: UP 2/3; name=bck/srv2; node=lb1; weight=1/2; \
827
- # scur=13/22; qcur=0
828
- #
829
- # See also : "option httpchk", "http-check disable-on-404"
830
- #
831
- attr_accessor :http_check_send_state
832
-
833
- # log global
834
- # log <address> <facility> [<level> [<minlevel>]]
835
- # Enable per-instance logging of events and traffic.
836
- # May be used in sections : defaults | frontend | listen | backend
837
- # yes | yes | yes | yes
838
- # Arguments :
839
- # global should be used when the instance's logging parameters are the
840
- # same as the global ones. This is the most common usage. "global"
841
- # replaces <address>, <facility> and <level> with those of the log
842
- # entries found in the "global" section. Only one "log global"
843
- # statement may be used per instance, and this form takes no other
844
- # parameter.
845
- #
846
- # <address> indicates where to send the logs. It takes the same format as
847
- # for the "global" section's logs, and can be one of :
848
- #
849
- # - An IPv4 address optionally followed by a colon (':') and a UDP
850
- # port. If no port is specified, 514 is used by default (the
851
- # standard syslog port).
852
- #
853
- # - A filesystem path to a UNIX domain socket, keeping in mind
854
- # considerations for chroot (be sure the path is accessible
855
- # inside the chroot) and uid/gid (be sure the path is
856
- # appropriately writeable).
857
- #
858
- # <facility> must be one of the 24 standard syslog facilities :
859
- #
860
- # kern user mail daemon auth syslog lpr news
861
- # uucp cron auth2 ftp ntp audit alert cron2
862
- # local0 local1 local2 local3 local4 local5 local6 local7
863
- #
864
- # <level> is optional and can be specified to filter outgoing messages. By
865
- # default, all messages are sent. If a level is specified, only
866
- # messages with a severity at least as important as this level
867
- # will be sent. An optional minimum level can be specified. If it
868
- # is set, logs emitted with a more severe level than this one will
869
- # be capped to this level. This is used to avoid sending "emerg"
870
- # messages on all terminals on some default syslog configurations.
871
- # Eight levels are known :
872
- #
873
- # emerg alert crit err warning notice info debug
874
- #
875
- # Note that up to two "log" entries may be specified per instance. However, if
876
- # "log global" is used and if the "global" section already contains 2 log
877
- # entries, then additional log entries will be ignored.
878
- #
879
- # Also, it is important to keep in mind that it is the frontend which decides
880
- # what to log from a connection, and that in case of content switching, the log
881
- # entries from the backend will be ignored. Connections are logged at level
882
- # "info".
883
- #
884
- # However, backend log declaration define how and where servers status changes
885
- # will be logged. Level "notice" will be used to indicate a server going up,
886
- # "warning" will be used for termination signals and definitive service
887
- # termination, and "alert" will be used for when a server goes down.
888
- #
889
- # Note : According to RFC3164, messages are truncated to 1024 bytes before
890
- # being emitted.
891
- #
892
- # Example :
893
- # log global
894
- # log 127.0.0.1:514 local0 notice # only send important events
895
- # log 127.0.0.1:514 local0 notice notice # same but limit output level
896
- #
897
- attr_accessor :log
898
-
899
- #
900
- # maxconn <conns>
901
- # Fix the maximum number of concurrent connections on a frontend
902
- # May be used in sections : defaults | frontend | listen | backend
903
- # yes | yes | yes | no
904
- # Arguments :
905
- # <conns> is the maximum number of concurrent connections the frontend will
906
- # accept to serve. Excess connections will be queued by the system
907
- # in the socket's listen queue and will be served once a connection
908
- # closes.
909
- #
910
- # If the system supports it, it can be useful on big sites to raise this limit
911
- # very high so that haproxy manages connection queues, instead of leaving the
912
- # clients with unanswered connection attempts. This value should not exceed the
913
- # global maxconn. Also, keep in mind that a connection contains two buffers
914
- # of 8kB each, as well as some other data resulting in about 17 kB of RAM being
915
- # consumed per established connection. That means that a medium system equipped
916
- # with 1GB of RAM can withstand around 40000-50000 concurrent connections if
917
- # properly tuned.
918
- #
919
- # Also, when <conns> is set to large values, it is possible that the servers
920
- # are not sized to accept such loads, and for this reason it is generally wise
921
- # to assign them some reasonable connection limits.
922
- #
923
- # See also : "server", global section's "maxconn", "fullconn"
924
- #
925
- attr_accessor :maxconn
926
-
927
- #
928
- # mode { tcp|http|health }
929
- # Set the running mode or protocol of the instance
930
- # May be used in sections : defaults | frontend | listen | backend
931
- # yes | yes | yes | yes
932
- # Arguments :
933
- # tcp The instance will work in pure TCP mode. A full-duplex connection
934
- # will be established between clients and servers, and no layer 7
935
- # examination will be performed. This is the default mode. It
936
- # should be used for SSL, SSH, SMTP, ...
937
- #
938
- # http The instance will work in HTTP mode. The client request will be
939
- # analyzed in depth before connecting to any server. Any request
940
- # which is not RFC-compliant will be rejected. Layer 7 filtering,
941
- # processing and switching will be possible. This is the mode which
942
- # brings HAProxy most of its value.
943
- #
944
- # health The instance will work in "health" mode. It will just reply "OK"
945
- # to incoming connections and close the connection. Nothing will be
946
- # logged. This mode is used to reply to external components health
947
- # checks. This mode is deprecated and should not be used anymore as
948
- # it is possible to do the same and even better by combining TCP or
949
- # HTTP modes with the "monitor" keyword.
950
- #
951
- # When doing content switching, it is mandatory that the frontend and the
952
- # backend are in the same mode (generally HTTP), otherwise the configuration
953
- # will be refused.
954
- #
955
- # Example :
956
- # defaults http_instances
957
- # mode http
958
- #
959
- # See also : "monitor", "monitor-net"
960
- #
961
- attr_accessor :mode
962
-
963
- #
964
- # monitor-net <source>
965
- # Declare a source network which is limited to monitor requests
966
- # May be used in sections : defaults | frontend | listen | backend
967
- # yes | yes | yes | no
968
- # Arguments :
969
- # <source> is the source IPv4 address or network which will only be able to
970
- # get monitor responses to any request. It can be either an IPv4
971
- # address, a host name, or an address followed by a slash ('/')
972
- # followed by a mask.
973
- #
974
- # In TCP mode, any connection coming from a source matching <source> will cause
975
- # the connection to be immediately closed without any log. This allows another
976
- # equipment to probe the port and verify that it is still listening, without
977
- # forwarding the connection to a remote server.
978
- #
979
- # In HTTP mode, a connection coming from a source matching <source> will be
980
- # accepted, the following response will be sent without waiting for a request,
981
- # then the connection will be closed : "HTTP/1.0 200 OK". This is normally
982
- # enough for any front-end HTTP probe to detect that the service is UP and
983
- # running without forwarding the request to a backend server.
984
- #
985
- # Monitor requests are processed very early. It is not possible to block nor
986
- # divert them using ACLs. They cannot be logged either, and it is the intended
987
- # purpose. They are only used to report HAProxy's health to an upper component,
988
- # nothing more. Right now, it is not possible to set failure conditions on
989
- # requests caught by "monitor-net".
990
- #
991
- # Last, please note that only one "monitor-net" statement can be specified in
992
- # a frontend. If more than one is found, only the last one will be considered.
993
- #
994
- # Example :
995
- # # addresses .252 and .253 are just probing us.
996
- # frontend www
997
- # monitor-net 192.168.0.252/31
998
- #
999
- # See also : "monitor fail", "monitor-uri"
1000
- #
1001
- attr_accessor :monitor_net
1002
-
1003
- #
1004
- # monitor-uri <uri>
1005
- # Intercept a URI used by external components' monitor requests
1006
- # May be used in sections : defaults | frontend | listen | backend
1007
- # yes | yes | yes | no
1008
- # Arguments :
1009
- # <uri> is the exact URI which we want to intercept to return HAProxy's
1010
- # health status instead of forwarding the request.
1011
- #
1012
- # When an HTTP request referencing <uri> will be received on a frontend,
1013
- # HAProxy will not forward it nor log it, but instead will return either
1014
- # "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
1015
- # conditions defined with "monitor fail". This is normally enough for any
1016
- # front-end HTTP probe to detect that the service is UP and running without
1017
- # forwarding the request to a backend server. Note that the HTTP method, the
1018
- # version and all headers are ignored, but the request must at least be valid
1019
- # at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
1020
- #
1021
- # Monitor requests are processed very early. It is not possible to block nor
1022
- # divert them using ACLs. They cannot be logged either, and it is the intended
1023
- # purpose. They are only used to report HAProxy's health to an upper component,
1024
- # nothing more. However, it is possible to add any number of conditions using
1025
- # "monitor fail" and ACLs so that the result can be adjusted to whatever check
1026
- # can be imagined (most often the number of available servers in a backend).
1027
- #
1028
- # Example :
1029
- # # Use /haproxy_test to report haproxy's status
1030
- # frontend www
1031
- # mode http
1032
- # monitor-uri /haproxy_test
1033
- #
1034
- # See also : "monitor fail", "monitor-net"
1035
- #
1036
- attr_accessor :monitor_uri
1037
-
1038
- #
1039
- # option abortonclose
1040
- # no option abortonclose
1041
- # Enable or disable early dropping of aborted requests pending in queues.
1042
- # May be used in sections : defaults | frontend | listen | backend
1043
- # yes | no | yes | yes
1044
- # Arguments : none
1045
- #
1046
- # In presence of very high loads, the servers will take some time to respond.
1047
- # The per-instance connection queue will inflate, and the response time will
1048
- # increase respective to the size of the queue times the average per-session
1049
- # response time. When clients will wait for more than a few seconds, they will
1050
- # often hit the "STOP" button on their browser, leaving a useless request in
1051
- # the queue, and slowing down other users, and the servers as well, because the
1052
- # request will eventually be served, then aborted at the first error
1053
- # encountered while delivering the response.
1054
- #
1055
- # As there is no way to distinguish between a full STOP and a simple output
1056
- # close on the client side, HTTP agents should be conservative and consider
1057
- # that the client might only have closed its output channel while waiting for
1058
- # the response. However, this introduces risks of congestion when lots of users
1059
- # do the same, and is completely useless nowadays because probably no client at
1060
- # all will close the session while waiting for the response. Some HTTP agents
1061
- # support this behaviour (Squid, Apache, HAProxy), and others do not (TUX, most
1062
- # hardware-based load balancers). So the probability for a closed input channel
1063
- # to represent a user hitting the "STOP" button is close to 100%, and the risk
1064
- # of being the single component to break rare but valid traffic is extremely
1065
- # low, which adds to the temptation to be able to abort a session early while
1066
- # still not served and not pollute the servers.
1067
- #
1068
- # In HAProxy, the user can choose the desired behaviour using the option
1069
- # "abortonclose". By default (without the option) the behaviour is HTTP
1070
- # compliant and aborted requests will be served. But when the option is
1071
- # specified, a session with an incoming channel closed will be aborted while
1072
- # it is still possible, either pending in the queue for a connection slot, or
1073
- # during the connection establishment if the server has not yet acknowledged
1074
- # the connection request. This considerably reduces the queue size and the load
1075
- # on saturated servers when users are tempted to click on STOP, which in turn
1076
- # reduces the response time for other users.
1077
- #
1078
- # If this option has been enabled in a "defaults" section, it can be disabled
1079
- # in a specific instance by prepending the "no" keyword before it.
1080
- #
1081
- # See also : "timeout queue" and server's "maxconn" and "maxqueue" parameters
1082
- #
1083
- attr_accessor :option_abortonclose
1084
-
1085
- #
1086
- # option accept-invalid-http-request
1087
- # no option accept-invalid-http-request
1088
- # Enable or disable relaxing of HTTP request parsing
1089
- # May be used in sections : defaults | frontend | listen | backend
1090
- # yes | yes | yes | no
1091
- # Arguments : none
1092
- #
1093
- # By default, HAProxy complies with RFC2616 in terms of message parsing. This
1094
- # means that invalid characters in header names are not permitted and cause an
1095
- # error to be returned to the client. This is the desired behaviour as such
1096
- # forbidden characters are essentially used to build attacks exploiting server
1097
- # weaknesses, and bypass security filtering. Sometimes, a buggy browser or
1098
- # server will emit invalid header names for whatever reason (configuration,
1099
- # implementation) and the issue will not be immediately fixed. In such a case,
1100
- # it is possible to relax HAProxy's header name parser to accept any character
1101
- # even if that does not make sense, by specifying this option.
1102
- #
1103
- # This option should never be enabled by default as it hides application bugs
1104
- # and open security breaches. It should only be deployed after a problem has
1105
- # been confirmed.
1106
- #
1107
- # When this option is enabled, erroneous header names will still be accepted in
1108
- # requests, but the complete request will be captured in order to permit later
1109
- # analysis using the "show errors" request on the UNIX stats socket. Doing this
1110
- # also helps confirming that the issue has been solved.
1111
- #
1112
- # If this option has been enabled in a "defaults" section, it can be disabled
1113
- # in a specific instance by prepending the "no" keyword before it.
1114
- #
1115
- # See also : "option accept-invalid-http-response" and "show errors" on the
1116
- # stats socket.
1117
- #
1118
- attr_accessor :option_accept_invalid_http_request
1119
-
1120
- #
1121
- # option accept-invalid-http-response
1122
- # no option accept-invalid-http-response
1123
- # Enable or disable relaxing of HTTP response parsing
1124
- # May be used in sections : defaults | frontend | listen | backend
1125
- # yes | no | yes | yes
1126
- # Arguments : none
1127
- #
1128
- # By default, HAProxy complies with RFC2616 in terms of message parsing. This
1129
- # means that invalid characters in header names are not permitted and cause an
1130
- # error to be returned to the client. This is the desired behaviour as such
1131
- # forbidden characters are essentially used to build attacks exploiting server
1132
- # weaknesses, and bypass security filtering. Sometimes, a buggy browser or
1133
- # server will emit invalid header names for whatever reason (configuration,
1134
- # implementation) and the issue will not be immediately fixed. In such a case,
1135
- # it is possible to relax HAProxy's header name parser to accept any character
1136
- # even if that does not make sense, by specifying this option.
1137
- #
1138
- # This option should never be enabled by default as it hides application bugs
1139
- # and open security breaches. It should only be deployed after a problem has
1140
- # been confirmed.
1141
- #
1142
- # When this option is enabled, erroneous header names will still be accepted in
1143
- # responses, but the complete response will be captured in order to permit
1144
- # later analysis using the "show errors" request on the UNIX stats socket.
1145
- # Doing this also helps confirming that the issue has been solved.
1146
- #
1147
- # If this option has been enabled in a "defaults" section, it can be disabled
1148
- # in a specific instance by prepending the "no" keyword before it.
1149
- #
1150
- # See also : "option accept-invalid-http-request" and "show errors" on the
1151
- # stats socket.
1152
- #
1153
- attr_accessor :option_accept_invalid_http_response
1154
-
1155
- #
1156
- # option allbackups
1157
- # no option allbackups
1158
- # Use either all backup servers at a time or only the first one
1159
- # May be used in sections : defaults | frontend | listen | backend
1160
- # yes | no | yes | yes
1161
- # Arguments : none
1162
- #
1163
- # By default, the first operational backup server gets all traffic when normal
1164
- # servers are all down. Sometimes, it may be preferred to use multiple backups
1165
- # at once, because one will not be enough. When "option allbackups" is enabled,
1166
- # the load balancing will be performed among all backup servers when all normal
1167
- # ones are unavailable. The same load balancing algorithm will be used and the
1168
- # servers' weights will be respected. Thus, there will not be any priority
1169
- # order between the backup servers anymore.
1170
- #
1171
- # This option is mostly used with static server farms dedicated to return a
1172
- # "sorry" page when an application is completely offline.
1173
- #
1174
- # If this option has been enabled in a "defaults" section, it can be disabled
1175
- # in a specific instance by prepending the "no" keyword before it.
1176
- #
1177
- attr_accessor :option_allbackups
1178
-
1179
- #
1180
- # option checkcache
1181
- # no option checkcache
1182
- # Analyze all server responses and block requests with cacheable cookies
1183
- # May be used in sections : defaults | frontend | listen | backend
1184
- # yes | no | yes | yes
1185
- # Arguments : none
1186
- #
1187
- # Some high-level frameworks set application cookies everywhere and do not
1188
- # always let enough control to the developer to manage how the responses should
1189
- # be cached. When a session cookie is returned on a cacheable object, there is a
1190
- # high risk of session crossing or stealing between users traversing the same
1191
- # caches. In some situations, it is better to block the response than to let
1192
- # some sensible session information go in the wild.
1193
- #
1194
- # The option "checkcache" enables deep inspection of all server responses for
1195
- # strict compliance with HTTP specification in terms of cacheability. It
1196
- # carefully checks "Cache-control", "Pragma" and "Set-cookie" headers in server
1197
- # response to check if there's a risk of caching a cookie on a client-side
1198
- # proxy. When this option is enabled, the only responses which can be delivered
1199
- # to the client are :
1200
- # - all those without "Set-Cookie" header ;
1201
- # - all those with a return code other than 200, 203, 206, 300, 301, 410,
1202
- # provided that the server has not set a "Cache-control: public" header ;
1203
- # - all those that come from a POST request, provided that the server has not
1204
- # set a 'Cache-Control: public' header ;
1205
- # - those with a 'Pragma: no-cache' header
1206
- # - those with a 'Cache-control: private' header
1207
- # - those with a 'Cache-control: no-store' header
1208
- # - those with a 'Cache-control: max-age=0' header
1209
- # - those with a 'Cache-control: s-maxage=0' header
1210
- # - those with a 'Cache-control: no-cache' header
1211
- # - those with a 'Cache-control: no-cache="set-cookie"' header
1212
- # - those with a 'Cache-control: no-cache="set-cookie,' header
1213
- # (allowing other fields after set-cookie)
1214
- #
1215
- # If a response doesn't respect these requirements, then it will be blocked
1216
- # just as if it was from an "rspdeny" filter, with an "HTTP 502 bad gateway".
1217
- # The session state shows "PH--" meaning that the proxy blocked the response
1218
- # during headers processing. Additionally, an alert will be sent in the logs so
1219
- # that admins are informed that there's something to be fixed.
1220
- #
1221
- # Due to the high impact on the application, the application should be tested
1222
- # in depth with the option enabled before going to production. It is also a
1223
- # good practice to always activate it during tests, even if it is not used in
1224
- # production, as it will report potentially dangerous application behaviours.
1225
- #
1226
- # If this option has been enabled in a "defaults" section, it can be disabled
1227
- # in a specific instance by prepending the "no" keyword before it.
1228
- #
1229
- attr_accessor :option_checkcache
1230
-
1231
- #
1232
- # option clitcpka
1233
- # no option clitcpka
1234
- # Enable or disable the sending of TCP keepalive packets on the client side
1235
- # May be used in sections : defaults | frontend | listen | backend
1236
- # yes | yes | yes | no
1237
- # Arguments : none
1238
- #
1239
- # When there is a firewall or any session-aware component between a client and
1240
- # a server, and when the protocol involves very long sessions with long idle
1241
- # periods (eg: remote desktops), there is a risk that one of the intermediate
1242
- # components decides to expire a session which has remained idle for too long.
1243
- #
1244
- # Enabling socket-level TCP keep-alives makes the system regularly send packets
1245
- # to the other end of the connection, leaving it active. The delay between
1246
- # keep-alive probes is controlled by the system only and depends both on the
1247
- # operating system and its tuning parameters.
1248
- #
1249
- # It is important to understand that keep-alive packets are neither emitted nor
1250
- # received at the application level. It is only the network stacks which sees
1251
- # them. For this reason, even if one side of the proxy already uses keep-alives
1252
- # to maintain its connection alive, those keep-alive packets will not be
1253
- # forwarded to the other side of the proxy.
1254
- #
1255
- # Please note that this has nothing to do with HTTP keep-alive.
1256
- #
1257
- # Using option "clitcpka" enables the emission of TCP keep-alive probes on the
1258
- # client side of a connection, which should help when session expirations are
1259
- # noticed between HAProxy and a client.
1260
- #
1261
- # If this option has been enabled in a "defaults" section, it can be disabled
1262
- # in a specific instance by prepending the "no" keyword before it.
1263
- #
1264
- # See also : "option srvtcpka", "option tcpka"
1265
- #
1266
- attr_accessor :option_clitcpka
1267
-
1268
- #
1269
- # option contstats
1270
- # Enable continuous traffic statistics updates
1271
- # May be used in sections : defaults | frontend | listen | backend
1272
- # yes | yes | yes | no
1273
- # Arguments : none
1274
- #
1275
- # By default, counters used for statistics calculation are incremented
1276
- # only when a session finishes. It works quite well when serving small
1277
- # objects, but with big ones (for example large images or archives) or
1278
- # with A/V streaming, a graph generated from haproxy counters looks like
1279
- # a hedgehog. With this option enabled counters get incremented continuously,
1280
- # during a whole session. Recounting touches a hotpath directly so
1281
- # it is not enabled by default, as it has small performance impact (~0.5%).
1282
- #
1283
- attr_accessor :option_contstats
1284
-
1285
- #
1286
- # option dontlog-normal
1287
- # no option dontlog-normal
1288
- # Enable or disable logging of normal, successful connections
1289
- # May be used in sections : defaults | frontend | listen | backend
1290
- # yes | yes | yes | no
1291
- # Arguments : none
1292
- #
1293
- # There are large sites dealing with several thousand connections per second
1294
- # and for which logging is a major pain. Some of them are even forced to turn
1295
- # logs off and cannot debug production issues. Setting this option ensures that
1296
- # normal connections, those which experience no error, no timeout, no retry nor
1297
- # redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
1298
- # mode, the response status code is checked and return codes 5xx will still be
1299
- # logged.
1300
- #
1301
- # It is strongly discouraged to use this option as most of the time, the key to
1302
- # complex issues is in the normal logs which will not be logged here. If you
1303
- # need to separate logs, see the "log-separate-errors" option instead.
1304
- #
1305
- # See also : "log", "dontlognull", "log-separate-errors" and section 8 about
1306
- # logging.
1307
- #
1308
- attr_accessor :option_dontlog_normal
1309
-
1310
- #
1311
- # option dontlognull
1312
- # no option dontlognull
1313
- # Enable or disable logging of null connections
1314
- # May be used in sections : defaults | frontend | listen | backend
1315
- # yes | yes | yes | no
1316
- # Arguments : none
1317
- #
1318
- # In certain environments, there are components which will regularly connect to
1319
- # various systems to ensure that they are still alive. It can be the case from
1320
- # another load balancer as well as from monitoring systems. By default, even a
1321
- # simple port probe or scan will produce a log. If those connections pollute
1322
- # the logs too much, it is possible to enable option "dontlognull" to indicate
1323
- # that a connection on which no data has been transferred will not be logged,
1324
- # which typically corresponds to those probes.
1325
- #
1326
- # It is generally recommended not to use this option in uncontrolled
1327
- # environments (eg: internet), otherwise scans and other malicious activities
1328
- # would not be logged.
1329
- #
1330
- # If this option has been enabled in a "defaults" section, it can be disabled
1331
- # in a specific instance by prepending the "no" keyword before it.
1332
- #
1333
- # See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
1334
- #
1335
- attr_accessor :option_dontlognull
1336
-
1337
- #
1338
- # option forceclose
1339
- # no option forceclose
1340
- # Enable or disable active connection closing after response is transferred.
1341
- # May be used in sections : defaults | frontend | listen | backend
1342
- # yes | yes | yes | yes
1343
- # Arguments : none
1344
- #
1345
- # Some HTTP servers do not necessarily close the connections when they receive
1346
- # the "Connection: close" set by "option httpclose", and if the client does not
1347
- # close either, then the connection remains open till the timeout expires. This
1348
- # causes high number of simultaneous connections on the servers and shows high
1349
- # global session times in the logs.
1350
- #
1351
- # When this happens, it is possible to use "option forceclose". It will
1352
- # actively close the outgoing server channel as soon as the server has finished
1353
- # to respond. This option implicitly enables the "httpclose" option. Note that
1354
- # this option also enables the parsing of the full request and response, which
1355
- # means we can close the connection to the server very quickly, releasing some
1356
- # resources earlier than with httpclose.
1357
- #
1358
- # This option may also be combined with "option http-pretend-keepalive", which
1359
- # will disable sending of the "Connection: close" header, but will still cause
1360
- # the connection to be closed once the whole response is received.
1361
- #
1362
- # If this option has been enabled in a "defaults" section, it can be disabled
1363
- # in a specific instance by prepending the "no" keyword before it.
1364
- #
1365
- # See also : "option httpclose" and "option http-pretend-keepalive"
1366
- #
1367
- attr_accessor :option_forceclose
1368
-
1369
- #
1370
- # option forwardfor [ except <network> ] [ header <name> ]
1371
- # Enable insertion of the X-Forwarded-For header to requests sent to servers
1372
- # May be used in sections : defaults | frontend | listen | backend
1373
- # yes | yes | yes | yes
1374
- # Arguments :
1375
- # <network> is an optional argument used to disable this option for sources
1376
- # matching <network>
1377
- # <name> an optional argument to specify a different "X-Forwarded-For"
1378
- # header name.
1379
- #
1380
- # Since HAProxy works in reverse-proxy mode, the servers see its IP address as
1381
- # their client address. This is sometimes annoying when the client's IP address
1382
- # is expected in server logs. To solve this problem, the well-known HTTP header
1383
- # "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
1384
- # This header contains a value representing the client's IP address. Since this
1385
- # header is always appended at the end of the existing header list, the server
1386
- # must be configured to always use the last occurrence of this header only. See
1387
- # the server's manual to find how to enable use of this standard header. Note
1388
- # that only the last occurrence of the header must be used, since it is really
1389
- # possible that the client has already brought one.
1390
- #
1391
- # The keyword "header" may be used to supply a different header name to replace
1392
- # the default "X-Forwarded-For". This can be useful where you might already
1393
- # have a "X-Forwarded-For" header from a different application (eg: stunnel),
1394
- # and you need preserve it. Also if your backend server doesn't use the
1395
- # "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
1396
- # require "X-Cluster-Client-IP").
1397
- #
1398
- # Sometimes, a same HAProxy instance may be shared between a direct client
1399
- # access and a reverse-proxy access (for instance when an SSL reverse-proxy is
1400
- # used to decrypt HTTPS traffic). It is possible to disable the addition of the
1401
- # header for a known source address or network by adding the "except" keyword
1402
- # followed by the network address. In this case, any source IP matching the
1403
- # network will not cause an addition of this header. Most common uses are with
1404
- # private networks or 127.0.0.1.
1405
- #
1406
- # This option may be specified either in the frontend or in the backend. If at
1407
- # least one of them uses it, the header will be added. Note that the backend's
1408
- # setting of the header subargument takes precedence over the frontend's if
1409
- # both are defined.
1410
- #
1411
- # It is important to note that as long as HAProxy does not support keep-alive
1412
- # connections, only the first request of a connection will receive the header.
1413
- # For this reason, it is important to ensure that "option httpclose" is set
1414
- # when using this option.
1415
- #
1416
- # Examples :
1417
- # # Public HTTP address also used by stunnel on the same machine
1418
- # frontend www
1419
- # mode http
1420
- # option forwardfor except 127.0.0.1 # stunnel already adds the header
1421
- #
1422
- # # Those servers want the IP Address in X-Client
1423
- # backend www
1424
- # mode http
1425
- # option forwardfor header X-Client
1426
- #
1427
- # See also : "option httpclose"
1428
- #
1429
- attr_accessor :option_forwardfor
1430
-
1431
- #
1432
- # option http-pretend-keepalive
1433
- # no option http-pretend-keepalive
1434
- # Define whether haproxy will announce keepalive to the server or not
1435
- # May be used in sections : defaults | frontend | listen | backend
1436
- # yes | yes | yes | yes
1437
- # Arguments : none
1438
- #
1439
- # When running with "option http-server-close" or "option forceclose", haproxy
1440
- # adds a "Connection: close" header to the request forwarded to the server.
1441
- # Unfortunately, when some servers see this header, they automatically refrain
1442
- # from using the chunked encoding for responses of unknown length, while this
1443
- # is totally unrelated. The immediate effect is that this prevents haproxy from
1444
- # maintaining the client connection alive. A second effect is that a client or
1445
- # a cache could receive an incomplete response without being aware of it, and
1446
- # consider the response complete.
1447
- #
1448
- # By setting "option http-pretend-keepalive", haproxy will make the server
1449
- # believe it will keep the connection alive. The server will then not fall back
1450
- # to the abnormal undesired above. When haproxy gets the whole response, it
1451
- # will close the connection with the server just as it would do with the
1452
- # "forceclose" option. That way the client gets a normal response and the
1453
- # connection is correctly closed on the server side.
1454
- #
1455
- # It is recommended not to enable this option by default, because most servers
1456
- # will more efficiently close the connection themselves after the last packet,
1457
- # and release its buffers slightly earlier. Also, the added packet on the
1458
- # network could slightly reduce the overall peak performance. However it is
1459
- # worth noting that when this option is enabled, haproxy will have slightly
1460
- # less work to do. So if haproxy is the bottleneck on the whole architecture,
1461
- # enabling this option might save a few CPU cycles.
1462
- #
1463
- # This option may be set both in a frontend and in a backend. It is enabled if
1464
- # at least one of the frontend or backend holding a connection has it enabled.
1465
- # This option may be compbined with "option httpclose", which will cause
1466
- # keepalive to be announced to the server and close to be announced to the
1467
- # client. This practice is discouraged though.
1468
- #
1469
- # If this option has been enabled in a "defaults" section, it can be disabled
1470
- # in a specific instance by prepending the "no" keyword before it.
1471
- #
1472
- # See also : "option forceclose" and "option http-server-close"
1473
- #
1474
- attr_accessor :option_http_pretend_keepalive
1475
-
1476
- #
1477
- # option http-server-close
1478
- # no option http-server-close
1479
- # Enable or disable HTTP connection closing on the server side
1480
- # May be used in sections : defaults | frontend | listen | backend
1481
- # yes | yes | yes | yes
1482
- # Arguments : none
1483
- #
1484
- # By default, when a client communicates with a server, HAProxy will only
1485
- # analyze, log, and process the first request of each connection. Setting
1486
- # "option http-server-close" enables HTTP connection-close mode on the server
1487
- # side while keeping the ability to support HTTP keep-alive and pipelining on
1488
- # the client side. This provides the lowest latency on the client side (slow
1489
- # network) and the fastest session reuse on the server side to save server
1490
- # resources, similarly to "option forceclose". It also permits non-keepalive
1491
- # capable servers to be served in keep-alive mode to the clients if they
1492
- # conform to the requirements of RFC2616. Please note that some servers do not
1493
- # always conform to those requirements when they see "Connection: close" in the
1494
- # request. The effect will be that keep-alive will never be used. A workaround
1495
- # consists in enabling "option http-pretend-keepalive".
1496
- #
1497
- # At the moment, logs will not indicate whether requests came from the same
1498
- # session or not. The accept date reported in the logs corresponds to the end
1499
- # of the previous request, and the request time corresponds to the time spent
1500
- # waiting for a new request. The keep-alive request time is still bound to the
1501
- # timeout defined by "timeout http-keep-alive" or "timeout http-request" if
1502
- # not set.
1503
- #
1504
- # This option may be set both in a frontend and in a backend. It is enabled if
1505
- # at least one of the frontend or backend holding a connection has it enabled.
1506
- # It is worth noting that "option forceclose" has precedence over "option
1507
- # http-server-close" and that combining "http-server-close" with "httpclose"
1508
- # basically achieve the same result as "forceclose".
1509
- #
1510
- # If this option has been enabled in a "defaults" section, it can be disabled
1511
- # in a specific instance by prepending the "no" keyword before it.
1512
- #
1513
- # See also : "option forceclose", "option http-pretend-keepalive",
1514
- # "option httpclose" and "1.1. The HTTP transaction model".
1515
- #
1516
- attr_accessor :option_http_server_close
1517
-
1518
- #
1519
- # option http-use-proxy-header
1520
- # no option http-use-proxy-header
1521
- # Make use of non-standard Proxy-Connection header instead of Connection
1522
- # May be used in sections : defaults | frontend | listen | backend
1523
- # yes | yes | yes | no
1524
- # Arguments : none
1525
- #
1526
- # While RFC2616 explicitly states that HTTP/1.1 agents must use the
1527
- # Connection header to indicate their wish of persistent or non-persistent
1528
- # connections, both browsers and proxies ignore this header for proxied
1529
- # connections and make use of the undocumented, non-standard Proxy-Connection
1530
- # header instead. The issue begins when trying to put a load balancer between
1531
- # browsers and such proxies, because there will be a difference between what
1532
- # haproxy understands and what the client and the proxy agree on.
1533
- #
1534
- # By setting this option in a frontend, haproxy can automatically switch to use
1535
- # that non-standard header if it sees proxied requests. A proxied request is
1536
- # defined here as one where the URI begins with neither a '/' nor a '*'. The
1537
- # choice of header only affects requests passing through proxies making use of
1538
- # one of the "httpclose", "forceclose" and "http-server-close" options. Note
1539
- # that this option can only be specified in a frontend and will affect the
1540
- # request along its whole life.
1541
- #
1542
- # Also, when this option is set, a request which requires authentication will
1543
- # automatically switch to use proxy authentication headers if it is itself a
1544
- # proxied request. That makes it possible to check or enforce authentication in
1545
- # front of an existing proxy.
1546
- #
1547
- # This option should normally never be used, except in front of a proxy.
1548
- #
1549
- # See also : "option httpclose", "option forceclose" and "option
1550
- # http-server-close".
1551
- #
1552
- attr_accessor :option_http_use_proxy_header
1553
-
1554
- #
1555
- # option httpchk
1556
- # option httpchk <uri>
1557
- # option httpchk <method> <uri>
1558
- # option httpchk <method> <uri> <version>
1559
- # Enable HTTP protocol to check on the servers health
1560
- # May be used in sections : defaults | frontend | listen | backend
1561
- # yes | no | yes | yes
1562
- # Arguments :
1563
- # <method> is the optional HTTP method used with the requests. When not set,
1564
- # the "OPTIONS" method is used, as it generally requires low server
1565
- # processing and is easy to filter out from the logs. Any method
1566
- # may be used, though it is not recommended to invent non-standard
1567
- # ones.
1568
- #
1569
- # <uri> is the URI referenced in the HTTP requests. It defaults to " / "
1570
- # which is accessible by default on almost any server, but may be
1571
- # changed to any other URI. Query strings are permitted.
1572
- #
1573
- # <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
1574
- # but some servers might behave incorrectly in HTTP 1.0, so turning
1575
- # it to HTTP/1.1 may sometimes help. Note that the Host field is
1576
- # mandatory in HTTP/1.1, and as a trick, it is possible to pass it
1577
- # after "\r\n" following the version string.
1578
- #
1579
- # By default, server health checks only consist in trying to establish a TCP
1580
- # connection. When "option httpchk" is specified, a complete HTTP request is
1581
- # sent once the TCP connection is established, and responses 2xx and 3xx are
1582
- # considered valid, while all other ones indicate a server failure, including
1583
- # the lack of any response.
1584
- #
1585
- # The port and interval are specified in the server configuration.
1586
- #
1587
- # This option does not necessarily require an HTTP backend, it also works with
1588
- # plain TCP backends. This is particularly useful to check simple scripts bound
1589
- # to some dedicated ports using the inetd daemon.
1590
- #
1591
- # Examples :
1592
- # # Relay HTTPS traffic to Apache instance and check service availability
1593
- # # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
1594
- # backend https_relay
1595
- # mode tcp
1596
- # option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
1597
- # server apache1 192.168.1.1:443 check port 80
1598
- #
1599
- # See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
1600
- # "http-check" and the "check", "port" and "inter" server options.
1601
- #
1602
- attr_accessor :option_httpchk
1603
-
1604
- #
1605
- # option httpclose
1606
- # no option httpclose
1607
- # Enable or disable passive HTTP connection closing
1608
- # May be used in sections : defaults | frontend | listen | backend
1609
- # yes | yes | yes | yes
1610
- # Arguments : none
1611
- #
1612
- # By default, when a client communicates with a server, HAProxy will only
1613
- # analyze, log, and process the first request of each connection. If "option
1614
- # httpclose" is set, it will check if a "Connection: close" header is already
1615
- # set in each direction, and will add one if missing. Each end should react to
1616
- # this by actively closing the TCP connection after each transfer, thus
1617
- # resulting in a switch to the HTTP close mode. Any "Connection" header
1618
- # different from "close" will also be removed.
1619
- #
1620
- # It seldom happens that some servers incorrectly ignore this header and do not
1621
- # close the connection eventhough they reply "Connection: close". For this
1622
- # reason, they are not compatible with older HTTP 1.0 browsers. If this happens
1623
- # it is possible to use the "option forceclose" which actively closes the
1624
- # request connection once the server responds. Option "forceclose" also
1625
- # releases the server connection earlier because it does not have to wait for
1626
- # the client to acknowledge it.
1627
- #
1628
- # This option may be set both in a frontend and in a backend. It is enabled if
1629
- # at least one of the frontend or backend holding a connection has it enabled.
1630
- # If "option forceclose" is specified too, it has precedence over "httpclose".
1631
- # If "option http-server-close" is enabled at the same time as "httpclose", it
1632
- # basically achieves the same result as "option forceclose".
1633
- #
1634
- # If this option has been enabled in a "defaults" section, it can be disabled
1635
- # in a specific instance by prepending the "no" keyword before it.
1636
- #
1637
- # See also : "option forceclose", "option http-server-close" and
1638
- # "1.1. The HTTP transaction model".
1639
- #
1640
- attr_accessor :option_httpclose
1641
-
1642
- #
1643
- # option httplog [ clf ]
1644
- # Enable logging of HTTP request, session state and timers
1645
- # May be used in sections : defaults | frontend | listen | backend
1646
- # yes | yes | yes | yes
1647
- # Arguments :
1648
- # clf if the "clf" argument is added, then the output format will be
1649
- # the CLF format instead of HAProxy's default HTTP format. You can
1650
- # use this when you need to feed HAProxy's logs through a specific
1651
- # log analyser which only support the CLF format and which is not
1652
- # extensible.
1653
- #
1654
- # By default, the log output format is very poor, as it only contains the
1655
- # source and destination addresses, and the instance name. By specifying
1656
- # "option httplog", each log line turns into a much richer format including,
1657
- # but not limited to, the HTTP request, the connection timers, the session
1658
- # status, the connections numbers, the captured headers and cookies, the
1659
- # frontend, backend and server name, and of course the source address and
1660
- # ports.
1661
- #
1662
- # This option may be set either in the frontend or the backend.
1663
- #
1664
- # If this option has been enabled in a "defaults" section, it can be disabled
1665
- # in a specific instance by prepending the "no" keyword before it. Specifying
1666
- # only "option httplog" will automatically clear the 'clf' mode if it was set
1667
- # by default.
1668
- #
1669
- # See also : section 8 about logging.
1670
- #
1671
- attr_accessor :option_httplog
1672
-
1673
- #
1674
- # option http_proxy
1675
- # no option http_proxy
1676
- # Enable or disable plain HTTP proxy mode
1677
- # May be used in sections : defaults | frontend | listen | backend
1678
- # yes | yes | yes | yes
1679
- # Arguments : none
1680
- #
1681
- # It sometimes happens that people need a pure HTTP proxy which understands
1682
- # basic proxy requests without caching nor any fancy feature. In this case,
1683
- # it may be worth setting up an HAProxy instance with the "option http_proxy"
1684
- # set. In this mode, no server is declared, and the connection is forwarded to
1685
- # the IP address and port found in the URL after the "http://" scheme.
1686
- #
1687
- # No host address resolution is performed, so this only works when pure IP
1688
- # addresses are passed. Since this option's usage perimeter is rather limited,
1689
- # it will probably be used only by experts who know they need exactly it. Last,
1690
- # if the clients are susceptible of sending keep-alive requests, it will be
1691
- # needed to add "option http_close" to ensure that all requests will correctly
1692
- # be analyzed.
1693
- #
1694
- # If this option has been enabled in a "defaults" section, it can be disabled
1695
- # in a specific instance by prepending the "no" keyword before it.
1696
- #
1697
- # Example :
1698
- # # this backend understands HTTP proxy requests and forwards them directly.
1699
- # backend direct_forward
1700
- # option httpclose
1701
- # option http_proxy
1702
- #
1703
- # See also : "option httpclose"
1704
- #
1705
- attr_accessor :option_http_proxy
1706
-
1707
- #
1708
- # option independant-streams
1709
- # no option independant-streams
1710
- # Enable or disable independant timeout processing for both directions
1711
- # May be used in sections : defaults | frontend | listen | backend
1712
- # yes | yes | yes | yes
1713
- # Arguments : none
1714
- #
1715
- # By default, when data is sent over a socket, both the write timeout and the
1716
- # read timeout for that socket are refreshed, because we consider that there is
1717
- # activity on that socket, and we have no other means of guessing if we should
1718
- # receive data or not.
1719
- #
1720
- # While this default behaviour is desirable for almost all applications, there
1721
- # exists a situation where it is desirable to disable it, and only refresh the
1722
- # read timeout if there are incoming data. This happens on sessions with large
1723
- # timeouts and low amounts of exchanged data such as telnet session. If the
1724
- # server suddenly disappears, the output data accumulates in the system's
1725
- # socket buffers, both timeouts are correctly refreshed, and there is no way
1726
- # to know the server does not receive them, so we don't timeout. However, when
1727
- # the underlying protocol always echoes sent data, it would be enough by itself
1728
- # to detect the issue using the read timeout. Note that this problem does not
1729
- # happen with more verbose protocols because data won't accumulate long in the
1730
- # socket buffers.
1731
- #
1732
- # When this option is set on the frontend, it will disable read timeout updates
1733
- # on data sent to the client. There probably is little use of this case. When
1734
- # the option is set on the backend, it will disable read timeout updates on
1735
- # data sent to the server. Doing so will typically break large HTTP posts from
1736
- # slow lines, so use it with caution.
1737
- #
1738
- # See also : "timeout client" and "timeout server"
1739
- #
1740
- attr_accessor :option_independant_streams
1741
-
1742
- #
1743
- # option ldap-check
1744
- # Use LDAPv3 health checks for server testing
1745
- # May be used in sections : defaults | frontend | listen | backend
1746
- # yes | no | yes | yes
1747
- # Arguments : none
1748
- #
1749
- # It is possible to test that the server correctly talks LDAPv3 instead of just
1750
- # testing that it accepts the TCP connection. When this option is set, an
1751
- # LDAPv3 anonymous simple bind message is sent to the server, and the response
1752
- # is analyzed to find an LDAPv3 bind response message.
1753
- #
1754
- # The server is considered valid only when the LDAP response contains success
1755
- # resultCode (http://tools.ietf.org/html/rfc4511#section-4.1.9).
1756
- #
1757
- # Logging of bind requests is server dependent see your documentation how to
1758
- # configure it.
1759
- #
1760
- # Example :
1761
- # option ldap-check
1762
- #
1763
- # See also : "option httpchk"
1764
- #
1765
- attr_accessor :option_ldap_check
1766
-
1767
- #
1768
- # option log-health-checks
1769
- # no option log-health-checks
1770
- # Enable or disable logging of health checks
1771
- # May be used in sections : defaults | frontend | listen | backend
1772
- # yes | no | yes | yes
1773
- # Arguments : none
1774
- #
1775
- # Enable health checks logging so it possible to check for example what
1776
- # was happening before a server crash. Failed health check are logged if
1777
- # server is UP and succeeded health checks if server is DOWN, so the amount
1778
- # of additional information is limited.
1779
- #
1780
- # If health check logging is enabled no health check status is printed
1781
- # when servers is set up UP/DOWN/ENABLED/DISABLED.
1782
- #
1783
- # See also: "log" and section 8 about logging.
1784
- #
1785
- attr_accessor :option_log_health_checks
1786
-
1787
- #
1788
- # option log-separate-errors
1789
- # no option log-separate-errors
1790
- # Change log level for non-completely successful connections
1791
- # May be used in sections : defaults | frontend | listen | backend
1792
- # yes | yes | yes | no
1793
- # Arguments : none
1794
- #
1795
- # Sometimes looking for errors in logs is not easy. This option makes haproxy
1796
- # raise the level of logs containing potentially interesting information such
1797
- # as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
1798
- # level changes from "info" to "err". This makes it possible to log them
1799
- # separately to a different file with most syslog daemons. Be careful not to
1800
- # remove them from the original file, otherwise you would lose ordering which
1801
- # provides very important information.
1802
- #
1803
- # Using this option, large sites dealing with several thousand connections per
1804
- # second may log normal traffic to a rotating buffer and only archive smaller
1805
- # error logs.
1806
- #
1807
- # See also : "log", "dontlognull", "dontlog-normal" and section 8 about
1808
- # logging.
1809
- #
1810
- attr_accessor :option_log_separate_errors
1811
-
1812
- #
1813
- # option logasap
1814
- # no option logasap
1815
- # Enable or disable early logging of HTTP requests
1816
- # May be used in sections : defaults | frontend | listen | backend
1817
- # yes | yes | yes | no
1818
- # Arguments : none
1819
- #
1820
- # By default, HTTP requests are logged upon termination so that the total
1821
- # transfer time and the number of bytes appear in the logs. When large objects
1822
- # are being transferred, it may take a while before the request appears in the
1823
- # logs. Using "option logasap", the request gets logged as soon as the server
1824
- # sends the complete headers. The only missing information in the logs will be
1825
- # the total number of bytes which will indicate everything except the amount
1826
- # of data transferred, and the total time which will not take the transfer
1827
- # time into account. In such a situation, it's a good practice to capture the
1828
- # "Content-Length" response header so that the logs at least indicate how many
1829
- # bytes are expected to be transferred.
1830
- #
1831
- # Examples :
1832
- # listen http_proxy 0.0.0.0:80
1833
- # mode http
1834
- # option httplog
1835
- # option logasap
1836
- # log 192.168.2.200 local3
1837
- #
1838
- # >>> Feb 6 12:14:14 localhost \
1839
- # haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
1840
- # static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
1841
- # "GET /image.iso HTTP/1.0"
1842
- #
1843
- # See also : "option httplog", "capture response header", and section 8 about
1844
- # logging.
1845
- #
1846
- attr_accessor :option_logasap
1847
-
1848
- #
1849
- # option mysql-check [ user <username> ]
1850
- # Use MySQL health checks for server testing
1851
- # May be used in sections : defaults | frontend | listen | backend
1852
- # yes | no | yes | yes
1853
- # Arguments :
1854
- # user <username> This is the username which will be used when connecting
1855
- # to MySQL server.
1856
- #
1857
- # If you specify a username, the check consists of sending two MySQL packet,
1858
- # one Client Authentication packet, and one QUIT packet, to correctly close
1859
- # MySQL session. We then parse the MySQL Handshake Initialisation packet and/or
1860
- # Error packet. It is a basic but useful test which does not produce error nor
1861
- # aborted connect on the server. However, it requires adding an authorization
1862
- # in the MySQL table, like this :
1863
- #
1864
- # USE mysql;
1865
- # INSERT INTO user (Host,User) values ('<ip_of_haproxy>','<username>');
1866
- # FLUSH PRIVILEGES;
1867
- #
1868
- # If you don't specify a username (it is deprecated and not recommended), the
1869
- # check only consists in parsing the Mysql Handshake Initialisation packet or
1870
- # Error packet, we don't send anything in this mode. It was reported that it
1871
- # can generate lockout if check is too frequent and/or if there is not enough
1872
- # traffic. In fact, you need in this case to check MySQL "max_connect_errors"
1873
- # value as if a connection is established successfully within fewer than MySQL
1874
- # "max_connect_errors" attempts after a previous connection was interrupted,
1875
- # the error count for the host is cleared to zero. If HAProxy's server get
1876
- # blocked, the "FLUSH HOSTS" statement is the only way to unblock it.
1877
- #
1878
- # Remember that this does not check database presence nor database consistency.
1879
- # To do this, you can use an external check with xinetd for example.
1880
- #
1881
- # The check requires MySQL >=4.0, for older version, please use TCP check.
1882
- #
1883
- # Most often, an incoming MySQL server needs to see the client's IP address for
1884
- # various purposes, including IP privilege matching and connection logging.
1885
- # When possible, it is often wise to masquerade the client's IP address when
1886
- # connecting to the server using the "usesrc" argument of the "source" keyword,
1887
- # which requires the cttproxy feature to be compiled in, and the MySQL server
1888
- # to route the client via the machine hosting haproxy.
1889
- #
1890
- # See also: "option httpchk"
1891
- #
1892
- attr_accessor :option_mysql_check
1893
-
1894
- #
1895
- # option nolinger
1896
- # no option nolinger
1897
- # Enable or disable immediate session resource cleaning after close
1898
- # May be used in sections: defaults | frontend | listen | backend
1899
- # yes | yes | yes | yes
1900
- # Arguments : none
1901
- #
1902
- # When clients or servers abort connections in a dirty way (eg: they are
1903
- # physically disconnected), the session timeouts triggers and the session is
1904
- # closed. But it will remain in FIN_WAIT1 state for some time in the system,
1905
- # using some resources and possibly limiting the ability to establish newer
1906
- # connections.
1907
- #
1908
- # When this happens, it is possible to activate "option nolinger" which forces
1909
- # the system to immediately remove any socket's pending data on close. Thus,
1910
- # the session is instantly purged from the system's tables. This usually has
1911
- # side effects such as increased number of TCP resets due to old retransmits
1912
- # getting immediately rejected. Some firewalls may sometimes complain about
1913
- # this too.
1914
- #
1915
- # For this reason, it is not recommended to use this option when not absolutely
1916
- # needed. You know that you need it when you have thousands of FIN_WAIT1
1917
- # sessions on your system (TIME_WAIT ones do not count).
1918
- #
1919
- # This option may be used both on frontends and backends, depending on the side
1920
- # where it is required. Use it on the frontend for clients, and on the backend
1921
- # for servers.
1922
- #
1923
- # If this option has been enabled in a "defaults" section, it can be disabled
1924
- # in a specific instance by prepending the "no" keyword before it.
1925
- #
1926
- attr_accessor :option_nolinger
1927
-
1928
- #
1929
- # option originalto [ except <network> ] [ header <name> ]
1930
- # Enable insertion of the X-Original-To header to requests sent to servers
1931
- # May be used in sections : defaults | frontend | listen | backend
1932
- # yes | yes | yes | yes
1933
- # Arguments :
1934
- # <network> is an optional argument used to disable this option for sources
1935
- # matching <network>
1936
- # <name> an optional argument to specify a different "X-Original-To"
1937
- # header name.
1938
- #
1939
- # Since HAProxy can work in transparent mode, every request from a client can
1940
- # be redirected to the proxy and HAProxy itself can proxy every request to a
1941
- # complex SQUID environment and the destination host from SO_ORIGINAL_DST will
1942
- # be lost. This is annoying when you want access rules based on destination ip
1943
- # addresses. To solve this problem, a new HTTP header "X-Original-To" may be
1944
- # added by HAProxy to all requests sent to the server. This header contains a
1945
- # value representing the original destination IP address. Since this must be
1946
- # configured to always use the last occurrence of this header only. Note that
1947
- # only the last occurrence of the header must be used, since it is really
1948
- # possible that the client has already brought one.
1949
- #
1950
- # The keyword "header" may be used to supply a different header name to replace
1951
- # the default "X-Original-To". This can be useful where you might already
1952
- # have a "X-Original-To" header from a different application, and you need
1953
- # preserve it. Also if your backend server doesn't use the "X-Original-To"
1954
- # header and requires different one.
1955
- #
1956
- # Sometimes, a same HAProxy instance may be shared between a direct client
1957
- # access and a reverse-proxy access (for instance when an SSL reverse-proxy is
1958
- # used to decrypt HTTPS traffic). It is possible to disable the addition of the
1959
- # header for a known source address or network by adding the "except" keyword
1960
- # followed by the network address. In this case, any source IP matching the
1961
- # network will not cause an addition of this header. Most common uses are with
1962
- # private networks or 127.0.0.1.
1963
- #
1964
- # This option may be specified either in the frontend or in the backend. If at
1965
- # least one of them uses it, the header will be added. Note that the backend's
1966
- # setting of the header subargument takes precedence over the frontend's if
1967
- # both are defined.
1968
- #
1969
- # It is important to note that as long as HAProxy does not support keep-alive
1970
- # connections, only the first request of a connection will receive the header.
1971
- # For this reason, it is important to ensure that "option httpclose" is set
1972
- # when using this option.
1973
- #
1974
- # Examples :
1975
- # # Original Destination address
1976
- # frontend www
1977
- # mode http
1978
- # option originalto except 127.0.0.1
1979
- #
1980
- # # Those servers want the IP Address in X-Client-Dst
1981
- # backend www
1982
- # mode http
1983
- # option originalto header X-Client-Dst
1984
- #
1985
- # See also : "option httpclose"
1986
- #
1987
- attr_accessor :option_originalto
1988
-
1989
- #
1990
- # option persist
1991
- # no option persist
1992
- # Enable or disable forced persistence on down servers
1993
- # May be used in sections: defaults | frontend | listen | backend
1994
- # yes | no | yes | yes
1995
- # Arguments : none
1996
- #
1997
- # When an HTTP request reaches a backend with a cookie which references a dead
1998
- # server, by default it is redispatched to another server. It is possible to
1999
- # force the request to be sent to the dead server first using "option persist"
2000
- # if absolutely needed. A common use case is when servers are under extreme
2001
- # load and spend their time flapping. In this case, the users would still be
2002
- # directed to the server they opened the session on, in the hope they would be
2003
- # correctly served. It is recommended to use "option redispatch" in conjunction
2004
- # with this option so that in the event it would not be possible to connect to
2005
- # the server at all (server definitely dead), the client would finally be
2006
- # redirected to another valid server.
2007
- #
2008
- # If this option has been enabled in a "defaults" section, it can be disabled
2009
- # in a specific instance by prepending the "no" keyword before it.
2010
- #
2011
- # See also : "option redispatch", "retries", "force-persist"
2012
- #
2013
- attr_accessor :option_persist
2014
-
2015
- #
2016
- # option redispatch
2017
- # no option redispatch
2018
- # Enable or disable session redistribution in case of connection failure
2019
- # May be used in sections: defaults | frontend | listen | backend
2020
- # yes | no | yes | yes
2021
- # Arguments : none
2022
- #
2023
- # In HTTP mode, if a server designated by a cookie is down, clients may
2024
- # definitely stick to it because they cannot flush the cookie, so they will not
2025
- # be able to access the service anymore.
2026
- #
2027
- # Specifying "option redispatch" will allow the proxy to break their
2028
- # persistence and redistribute them to a working server.
2029
- #
2030
- # It also allows to retry last connection to another server in case of multiple
2031
- # connection failures. Of course, it requires having "retries" set to a nonzero
2032
- # value.
2033
- #
2034
- # This form is the preferred form, which replaces both the "redispatch" and
2035
- # "redisp" keywords.
2036
- #
2037
- # If this option has been enabled in a "defaults" section, it can be disabled
2038
- # in a specific instance by prepending the "no" keyword before it.
2039
- #
2040
- # See also : "redispatch", "retries", "force-persist"
2041
- #
2042
- attr_accessor :option_redispatch
2043
-
2044
- #
2045
- # option smtpchk
2046
- # option smtpchk <hello> <domain>
2047
- # Use SMTP health checks for server testing
2048
- # May be used in sections : defaults | frontend | listen | backend
2049
- # yes | no | yes | yes
2050
- # Arguments :
2051
- # <hello> is an optional argument. It is the "hello" command to use. It can
2052
- # be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
2053
- # values will be turned into the default command ("HELO").
2054
- #
2055
- # <domain> is the domain name to present to the server. It may only be
2056
- # specified (and is mandatory) if the hello command has been
2057
- # specified. By default, "localhost" is used.
2058
- #
2059
- # When "option smtpchk" is set, the health checks will consist in TCP
2060
- # connections followed by an SMTP command. By default, this command is
2061
- # "HELO localhost". The server's return code is analyzed and only return codes
2062
- # starting with a "2" will be considered as valid. All other responses,
2063
- # including a lack of response will constitute an error and will indicate a
2064
- # dead server.
2065
- #
2066
- # This test is meant to be used with SMTP servers or relays. Depending on the
2067
- # request, it is possible that some servers do not log each connection attempt,
2068
- # so you may want to experiment to improve the behaviour. Using telnet on port
2069
- # 25 is often easier than adjusting the configuration.
2070
- #
2071
- # Most often, an incoming SMTP server needs to see the client's IP address for
2072
- # various purposes, including spam filtering, anti-spoofing and logging. When
2073
- # possible, it is often wise to masquerade the client's IP address when
2074
- # connecting to the server using the "usesrc" argument of the "source" keyword,
2075
- # which requires the cttproxy feature to be compiled in.
2076
- #
2077
- # Example :
2078
- # option smtpchk HELO mydomain.org
2079
- #
2080
- # See also : "option httpchk", "source"
2081
- #
2082
- attr_accessor :option_smtpchk
2083
-
2084
- #
2085
- # option socket-stats
2086
- # no option socket-stats
2087
- #
2088
- # Enable or disable collecting & providing separate statistics for each socket.
2089
- # May be used in sections : defaults | frontend | listen | backend
2090
- # yes | yes | yes | no
2091
- #
2092
- # Arguments : none
2093
- #
2094
- attr_accessor :option_socket_stats
2095
-
2096
- #
2097
- # option splice-auto
2098
- # no option splice-auto
2099
- # Enable or disable automatic kernel acceleration on sockets in both directions
2100
- # May be used in sections : defaults | frontend | listen | backend
2101
- # yes | yes | yes | yes
2102
- # Arguments : none
2103
- #
2104
- # When this option is enabled either on a frontend or on a backend, haproxy
2105
- # will automatically evaluate the opportunity to use kernel tcp splicing to
2106
- # forward data between the client and the server, in either direction. Haproxy
2107
- # uses heuristics to estimate if kernel splicing might improve performance or
2108
- # not. Both directions are handled independently. Note that the heuristics used
2109
- # are not much aggressive in order to limit excessive use of splicing. This
2110
- # option requires splicing to be enabled at compile time, and may be globally
2111
- # disabled with the global option "nosplice". Since splice uses pipes, using it
2112
- # requires that there are enough spare pipes.
2113
- #
2114
- # Important note: kernel-based TCP splicing is a Linux-specific feature which
2115
- # first appeared in kernel 2.6.25. It offers kernel-based acceleration to
2116
- # transfer data between sockets without copying these data to user-space, thus
2117
- # providing noticeable performance gains and CPU cycles savings. Since many
2118
- # early implementations are buggy, corrupt data and/or are inefficient, this
2119
- # feature is not enabled by default, and it should be used with extreme care.
2120
- # While it is not possible to detect the correctness of an implementation,
2121
- # 2.6.29 is the first version offering a properly working implementation. In
2122
- # case of doubt, splicing may be globally disabled using the global "nosplice"
2123
- # keyword.
2124
- #
2125
- # Example :
2126
- # option splice-auto
2127
- #
2128
- # If this option has been enabled in a "defaults" section, it can be disabled
2129
- # in a specific instance by prepending the "no" keyword before it.
2130
- #
2131
- # See also : "option splice-request", "option splice-response", and global
2132
- # options "nosplice" and "maxpipes"
2133
- #
2134
- attr_accessor :option_splice_auto
2135
-
2136
- #
2137
- # option splice-request
2138
- # no option splice-request
2139
- # Enable or disable automatic kernel acceleration on sockets for requests
2140
- # May be used in sections : defaults | frontend | listen | backend
2141
- # yes | yes | yes | yes
2142
- # Arguments : none
2143
- #
2144
- # When this option is enabled either on a frontend or on a backend, haproxy
2145
- # will user kernel tcp splicing whenever possible to forward data going from
2146
- # the client to the server. It might still use the recv/send scheme if there
2147
- # are no spare pipes left. This option requires splicing to be enabled at
2148
- # compile time, and may be globally disabled with the global option "nosplice".
2149
- # Since splice uses pipes, using it requires that there are enough spare pipes.
2150
- #
2151
- # Important note: see "option splice-auto" for usage limitations.
2152
- #
2153
- # Example :
2154
- # option splice-request
2155
- #
2156
- # If this option has been enabled in a "defaults" section, it can be disabled
2157
- # in a specific instance by prepending the "no" keyword before it.
2158
- #
2159
- # See also : "option splice-auto", "option splice-response", and global options
2160
- # "nosplice" and "maxpipes"
2161
- #
2162
- attr_accessor :option_splice_request
2163
-
2164
- #
2165
- # option splice-response
2166
- # no option splice-response
2167
- # Enable or disable automatic kernel acceleration on sockets for responses
2168
- # May be used in sections : defaults | frontend | listen | backend
2169
- # yes | yes | yes | yes
2170
- # Arguments : none
2171
- #
2172
- # When this option is enabled either on a frontend or on a backend, haproxy
2173
- # will user kernel tcp splicing whenever possible to forward data going from
2174
- # the server to the client. It might still use the recv/send scheme if there
2175
- # are no spare pipes left. This option requires splicing to be enabled at
2176
- # compile time, and may be globally disabled with the global option "nosplice".
2177
- # Since splice uses pipes, using it requires that there are enough spare pipes.
2178
- #
2179
- # Important note: see "option splice-auto" for usage limitations.
2180
- #
2181
- # Example :
2182
- # option splice-response
2183
- #
2184
- # If this option has been enabled in a "defaults" section, it can be disabled
2185
- # in a specific instance by prepending the "no" keyword before it.
2186
- #
2187
- # See also : "option splice-auto", "option splice-request", and global options
2188
- # "nosplice" and "maxpipes"
2189
- #
2190
- attr_accessor :option_splice_response
2191
-
2192
- #
2193
- # option srvtcpka
2194
- # no option srvtcpka
2195
- # Enable or disable the sending of TCP keepalive packets on the server side
2196
- # May be used in sections : defaults | frontend | listen | backend
2197
- # yes | no | yes | yes
2198
- # Arguments : none
2199
- #
2200
- # When there is a firewall or any session-aware component between a client and
2201
- # a server, and when the protocol involves very long sessions with long idle
2202
- # periods (eg: remote desktops), there is a risk that one of the intermediate
2203
- # components decides to expire a session which has remained idle for too long.
2204
- #
2205
- # Enabling socket-level TCP keep-alives makes the system regularly send packets
2206
- # to the other end of the connection, leaving it active. The delay between
2207
- # keep-alive probes is controlled by the system only and depends both on the
2208
- # operating system and its tuning parameters.
2209
- #
2210
- # It is important to understand that keep-alive packets are neither emitted nor
2211
- # received at the application level. It is only the network stacks which sees
2212
- # them. For this reason, even if one side of the proxy already uses keep-alives
2213
- # to maintain its connection alive, those keep-alive packets will not be
2214
- # forwarded to the other side of the proxy.
2215
- #
2216
- # Please note that this has nothing to do with HTTP keep-alive.
2217
- #
2218
- # Using option "srvtcpka" enables the emission of TCP keep-alive probes on the
2219
- # server side of a connection, which should help when session expirations are
2220
- # noticed between HAProxy and a server.
2221
- #
2222
- # If this option has been enabled in a "defaults" section, it can be disabled
2223
- # in a specific instance by prepending the "no" keyword before it.
2224
- #
2225
- # See also : "option clitcpka", "option tcpka"
2226
- #
2227
- attr_accessor :option_srvtcpka
2228
-
2229
- #
2230
- # option ssl-hello-chk
2231
- # Use SSLv3 client hello health checks for server testing
2232
- # May be used in sections : defaults | frontend | listen | backend
2233
- # yes | no | yes | yes
2234
- # Arguments : none
2235
- #
2236
- # When some SSL-based protocols are relayed in TCP mode through HAProxy, it is
2237
- # possible to test that the server correctly talks SSL instead of just testing
2238
- # that it accepts the TCP connection. When "option ssl-hello-chk" is set, pure
2239
- # SSLv3 client hello messages are sent once the connection is established to
2240
- # the server, and the response is analyzed to find an SSL server hello message.
2241
- # The server is considered valid only when the response contains this server
2242
- # hello message.
2243
- #
2244
- # All servers tested till there correctly reply to SSLv3 client hello messages,
2245
- # and most servers tested do not even log the requests containing only hello
2246
- # messages, which is appreciable.
2247
- #
2248
- # See also: "option httpchk"
2249
- #
2250
- attr_accessor :option_ssl_hello_chk
2251
-
2252
- #
2253
- # option tcp-smart-accept
2254
- # no option tcp-smart-accept
2255
- # Enable or disable the saving of one ACK packet during the accept sequence
2256
- # May be used in sections : defaults | frontend | listen | backend
2257
- # yes | yes | yes | no
2258
- # Arguments : none
2259
- #
2260
- # When an HTTP connection request comes in, the system acknowledges it on
2261
- # behalf of HAProxy, then the client immediately sends its request, and the
2262
- # system acknowledges it too while it is notifying HAProxy about the new
2263
- # connection. HAProxy then reads the request and responds. This means that we
2264
- # have one TCP ACK sent by the system for nothing, because the request could
2265
- # very well be acknowledged by HAProxy when it sends its response.
2266
- #
2267
- # For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
2268
- # sending this useless ACK on platforms which support it (currently at least
2269
- # Linux). It must not cause any problem, because the system will send it anyway
2270
- # after 40 ms if the response takes more time than expected to come.
2271
- #
2272
- # During complex network debugging sessions, it may be desirable to disable
2273
- # this optimization because delayed ACKs can make troubleshooting more complex
2274
- # when trying to identify where packets are delayed. It is then possible to
2275
- # fall back to normal behaviour by specifying "no option tcp-smart-accept".
2276
- #
2277
- # It is also possible to force it for non-HTTP proxies by simply specifying
2278
- # "option tcp-smart-accept". For instance, it can make sense with some services
2279
- # such as SMTP where the server speaks first.
2280
- #
2281
- # It is recommended to avoid forcing this option in a defaults section. In case
2282
- # of doubt, consider setting it back to automatic values by prepending the
2283
- # "default" keyword before it, or disabling it using the "no" keyword.
2284
- #
2285
- # See also : "option tcp-smart-connect"
2286
- #
2287
- attr_accessor :option_tcp_smart_accept
2288
-
2289
- #
2290
- # option tcp-smart-connect
2291
- # no option tcp-smart-connect
2292
- # Enable or disable the saving of one ACK packet during the connect sequence
2293
- # May be used in sections : defaults | frontend | listen | backend
2294
- # yes | no | yes | yes
2295
- # Arguments : none
2296
- #
2297
- # On certain systems (at least Linux), HAProxy can ask the kernel not to
2298
- # immediately send an empty ACK upon a connection request, but to directly
2299
- # send the buffer request instead. This saves one packet on the network and
2300
- # thus boosts performance. It can also be useful for some servers, because they
2301
- # immediately get the request along with the incoming connection.
2302
- #
2303
- # This feature is enabled when "option tcp-smart-connect" is set in a backend.
2304
- # It is not enabled by default because it makes network troubleshooting more
2305
- # complex.
2306
- #
2307
- # It only makes sense to enable it with protocols where the client speaks first
2308
- # such as HTTP. In other situations, if there is no data to send in place of
2309
- # the ACK, a normal ACK is sent.
2310
- #
2311
- # If this option has been enabled in a "defaults" section, it can be disabled
2312
- # in a specific instance by prepending the "no" keyword before it.
2313
- #
2314
- # See also : "option tcp-smart-accept"
2315
- #
2316
- attr_accessor :option_tcp_smart_connect
2317
-
2318
- #
2319
- # option tcpka
2320
- # Enable or disable the sending of TCP keepalive packets on both sides
2321
- # May be used in sections : defaults | frontend | listen | backend
2322
- # yes | yes | yes | yes
2323
- # Arguments : none
2324
- #
2325
- # When there is a firewall or any session-aware component between a client and
2326
- # a server, and when the protocol involves very long sessions with long idle
2327
- # periods (eg: remote desktops), there is a risk that one of the intermediate
2328
- # components decides to expire a session which has remained idle for too long.
2329
- #
2330
- # Enabling socket-level TCP keep-alives makes the system regularly send packets
2331
- # to the other end of the connection, leaving it active. The delay between
2332
- # keep-alive probes is controlled by the system only and depends both on the
2333
- # operating system and its tuning parameters.
2334
- #
2335
- # It is important to understand that keep-alive packets are neither emitted nor
2336
- # received at the application level. It is only the network stacks which sees
2337
- # them. For this reason, even if one side of the proxy already uses keep-alives
2338
- # to maintain its connection alive, those keep-alive packets will not be
2339
- # forwarded to the other side of the proxy.
2340
- #
2341
- # Please note that this has nothing to do with HTTP keep-alive.
2342
- #
2343
- # Using option "tcpka" enables the emission of TCP keep-alive probes on both
2344
- # the client and server sides of a connection. Note that this is meaningful
2345
- # only in "defaults" or "listen" sections. If this option is used in a
2346
- # frontend, only the client side will get keep-alives, and if this option is
2347
- # used in a backend, only the server side will get keep-alives. For this
2348
- # reason, it is strongly recommended to explicitly use "option clitcpka" and
2349
- # "option srvtcpka" when the configuration is split between frontends and
2350
- # backends.
2351
- #
2352
- # See also : "option clitcpka", "option srvtcpka"
2353
- #
2354
- attr_accessor :option_tcpka
2355
-
2356
- #
2357
- # option tcplog
2358
- # Enable advanced logging of TCP connections with session state and timers
2359
- # May be used in sections : defaults | frontend | listen | backend
2360
- # yes | yes | yes | yes
2361
- # Arguments : none
2362
- #
2363
- # By default, the log output format is very poor, as it only contains the
2364
- # source and destination addresses, and the instance name. By specifying
2365
- # "option tcplog", each log line turns into a much richer format including, but
2366
- # not limited to, the connection timers, the session status, the connections
2367
- # numbers, the frontend, backend and server name, and of course the source
2368
- # address and ports. This option is useful for pure TCP proxies in order to
2369
- # find which of the client or server disconnects or times out. For normal HTTP
2370
- # proxies, it's better to use "option httplog" which is even more complete.
2371
- #
2372
- # This option may be set either in the frontend or the backend.
2373
- #
2374
- # See also : "option httplog", and section 8 about logging.
2375
- #
2376
- attr_accessor :option_tcplog
2377
-
2378
- #
2379
- # option transparent
2380
- # no option transparent
2381
- # Enable client-side transparent proxying
2382
- # May be used in sections : defaults | frontend | listen | backend
2383
- # yes | no | yes | yes
2384
- # Arguments : none
2385
- #
2386
- # This option was introduced in order to provide layer 7 persistence to layer 3
2387
- # load balancers. The idea is to use the OS's ability to redirect an incoming
2388
- # connection for a remote address to a local process (here HAProxy), and let
2389
- # this process know what address was initially requested. When this option is
2390
- # used, sessions without cookies will be forwarded to the original destination
2391
- # IP address of the incoming request (which should match that of another
2392
- # equipment), while requests with cookies will still be forwarded to the
2393
- # appropriate server.
2394
- #
2395
- # Note that contrary to a common belief, this option does NOT make HAProxy
2396
- # present the client's IP to the server when establishing the connection.
2397
- #
2398
- # See also: the "usersrc" argument of the "source" keyword, and the
2399
- # "transparent" option of the "bind" keyword.
2400
- #
2401
- attr_accessor :option_transparent
2402
-
2403
- #
2404
- # persist rdp-cookie
2405
- # persist rdp-cookie(name)
2406
- # Enable RDP cookie-based persistence
2407
- # May be used in sections : defaults | frontend | listen | backend
2408
- # yes | no | yes | yes
2409
- # Arguments :
2410
- # <name> is the optional name of the RDP cookie to check. If omitted, the
2411
- # default cookie name "msts" will be used. There currently is no
2412
- # valid reason to change this name.
2413
- #
2414
- # This statement enables persistence based on an RDP cookie. The RDP cookie
2415
- # contains all information required to find the server in the list of known
2416
- # servers. So when this option is set in the backend, the request is analysed
2417
- # and if an RDP cookie is found, it is decoded. If it matches a known server
2418
- # which is still UP (or if "option persist" is set), then the connection is
2419
- # forwarded to this server.
2420
- #
2421
- # Note that this only makes sense in a TCP backend, but for this to work, the
2422
- # frontend must have waited long enough to ensure that an RDP cookie is present
2423
- # in the request buffer. This is the same requirement as with the "rdp-cookie"
2424
- # load-balancing method. Thus it is highly recommended to put all statements in
2425
- # a single "listen" section.
2426
- #
2427
- # Also, it is important to understand that the terminal server will emit this
2428
- # RDP cookie only if it is configured for "token redirection mode", which means
2429
- # that the "IP address redirection" option is disabled.
2430
- #
2431
- # Example :
2432
- # listen tse-farm
2433
- # bind :3389
2434
- # # wait up to 5s for an RDP cookie in the request
2435
- # tcp-request inspect-delay 5s
2436
- # tcp-request content accept if RDP_COOKIE
2437
- # # apply RDP cookie persistence
2438
- # persist rdp-cookie
2439
- # # if server is unknown, let's balance on the same cookie.
2440
- # # alternatively, "balance leastconn" may be useful too.
2441
- # balance rdp-cookie
2442
- # server srv1 1.1.1.1:3389
2443
- # server srv2 1.1.1.2:3389
2444
- #
2445
- # See also : "balance rdp-cookie", "tcp-request" and the "req_rdp_cookie" ACL.
2446
- #
2447
- attr_accessor :persist_rdp_cookie
2448
-
2449
- #
2450
- # rate-limit sessions <rate>
2451
- # Set a limit on the number of new sessions accepted per second on a frontend
2452
- # May be used in sections : defaults | frontend | listen | backend
2453
- # yes | yes | yes | no
2454
- # Arguments :
2455
- # <rate> The <rate> parameter is an integer designating the maximum number
2456
- # of new sessions per second to accept on the frontend.
2457
- #
2458
- # When the frontend reaches the specified number of new sessions per second, it
2459
- # stops accepting new connections until the rate drops below the limit again.
2460
- # During this time, the pending sessions will be kept in the socket's backlog
2461
- # (in system buffers) and haproxy will not even be aware that sessions are
2462
- # pending. When applying very low limit on a highly loaded service, it may make
2463
- # sense to increase the socket's backlog using the "backlog" keyword.
2464
- #
2465
- # This feature is particularly efficient at blocking connection-based attacks
2466
- # or service abuse on fragile servers. Since the session rate is measured every
2467
- # millisecond, it is extremely accurate. Also, the limit applies immediately,
2468
- # no delay is needed at all to detect the threshold.
2469
- #
2470
- # Example : limit the connection rate on SMTP to 10 per second max
2471
- # listen smtp
2472
- # mode tcp
2473
- # bind :25
2474
- # rate-limit sessions 10
2475
- # server 127.0.0.1:1025
2476
- #
2477
- # Note : when the maximum rate is reached, the frontend's status appears as
2478
- # "FULL" in the statistics, exactly as when it is saturated.
2479
- #
2480
- # See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
2481
- #
2482
- attr_accessor :rate_limit_sessions
2483
-
2484
- #
2485
- # retries <value>
2486
- # Set the number of retries to perform on a server after a connection failure
2487
- # May be used in sections: defaults | frontend | listen | backend
2488
- # yes | no | yes | yes
2489
- # Arguments :
2490
- # <value> is the number of times a connection attempt should be retried on
2491
- # a server when a connection either is refused or times out. The
2492
- # default value is 3.
2493
- #
2494
- # It is important to understand that this value applies to the number of
2495
- # connection attempts, not full requests. When a connection has effectively
2496
- # been established to a server, there will be no more retry.
2497
- #
2498
- # In order to avoid immediate reconnections to a server which is restarting,
2499
- # a turn-around timer of 1 second is applied before a retry occurs.
2500
- #
2501
- # When "option redispatch" is set, the last retry may be performed on another
2502
- # server even if a cookie references a different server.
2503
- #
2504
- # See also : "option redispatch"
2505
- #
2506
- attr_accessor :retries
2507
-
2508
- #
2509
- # source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ]
2510
- # source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
2511
- # source <addr>[:<port>] [interface <name>]
2512
- # Set the source address for outgoing connections
2513
- # May be used in sections : defaults | frontend | listen | backend
2514
- # yes | no | yes | yes
2515
- # Arguments :
2516
- # <addr> is the IPv4 address HAProxy will bind to before connecting to a
2517
- # server. This address is also used as a source for health checks.
2518
- # The default value of 0.0.0.0 means that the system will select
2519
- # the most appropriate address to reach its destination.
2520
- #
2521
- # <port> is an optional port. It is normally not needed but may be useful
2522
- # in some very specific contexts. The default value of zero means
2523
- # the system will select a free port. Note that port ranges are not
2524
- # supported in the backend. If you want to force port ranges, you
2525
- # have to specify them on each "server" line.
2526
- #
2527
- # <addr2> is the IP address to present to the server when connections are
2528
- # forwarded in full transparent proxy mode. This is currently only
2529
- # supported on some patched Linux kernels. When this address is
2530
- # specified, clients connecting to the server will be presented
2531
- # with this address, while health checks will still use the address
2532
- # <addr>.
2533
- #
2534
- # <port2> is the optional port to present to the server when connections
2535
- # are forwarded in full transparent proxy mode (see <addr2> above).
2536
- # The default value of zero means the system will select a free
2537
- # port.
2538
- #
2539
- # <hdr> is the name of a HTTP header in which to fetch the IP to bind to.
2540
- # This is the name of a comma-separated header list which can
2541
- # contain multiple IP addresses. By default, the last occurrence is
2542
- # used. This is designed to work with the X-Forwarded-For header
2543
- # and to automatically bind to the the client's IP address as seen
2544
- # by previous proxy, typically Stunnel. In order to use another
2545
- # occurrence from the last one, please see the <occ> parameter
2546
- # below. When the header (or occurrence) is not found, no binding
2547
- # is performed so that the proxy's default IP address is used. Also
2548
- # keep in mind that the header name is case insensitive, as for any
2549
- # HTTP header.
2550
- #
2551
- # <occ> is the occurrence number of a value to be used in a multi-value
2552
- # header. This is to be used in conjunction with "hdr_ip(<hdr>)",
2553
- # in order to specificy which occurrence to use for the source IP
2554
- # address. Positive values indicate a position from the first
2555
- # occurrence, 1 being the first one. Negative values indicate
2556
- # positions relative to the last one, -1 being the last one. This
2557
- # is helpful for situations where an X-Forwarded-For header is set
2558
- # at the entry point of an infrastructure and must be used several
2559
- # proxy layers away. When this value is not specified, -1 is
2560
- # assumed. Passing a zero here disables the feature.
2561
- #
2562
- # <name> is an optional interface name to which to bind to for outgoing
2563
- # traffic. On systems supporting this features (currently, only
2564
- # Linux), this allows one to bind all traffic to the server to
2565
- # this interface even if it is not the one the system would select
2566
- # based on routing tables. This should be used with extreme care.
2567
- # Note that using this option requires root privileges.
2568
- #
2569
- # The "source" keyword is useful in complex environments where a specific
2570
- # address only is allowed to connect to the servers. It may be needed when a
2571
- # private address must be used through a public gateway for instance, and it is
2572
- # known that the system cannot determine the adequate source address by itself.
2573
- #
2574
- # An extension which is available on certain patched Linux kernels may be used
2575
- # through the "usesrc" optional keyword. It makes it possible to connect to the
2576
- # servers with an IP address which does not belong to the system itself. This
2577
- # is called "full transparent proxy mode". For this to work, the destination
2578
- # servers have to route their traffic back to this address through the machine
2579
- # running HAProxy, and IP forwarding must generally be enabled on this machine.
2580
- #
2581
- # In this "full transparent proxy" mode, it is possible to force a specific IP
2582
- # address to be presented to the servers. This is not much used in fact. A more
2583
- # common use is to tell HAProxy to present the client's IP address. For this,
2584
- # there are two methods :
2585
- #
2586
- # - present the client's IP and port addresses. This is the most transparent
2587
- # mode, but it can cause problems when IP connection tracking is enabled on
2588
- # the machine, because a same connection may be seen twice with different
2589
- # states. However, this solution presents the huge advantage of not
2590
- # limiting the system to the 64k outgoing address+port couples, because all
2591
- # of the client ranges may be used.
2592
- #
2593
- # - present only the client's IP address and select a spare port. This
2594
- # solution is still quite elegant but slightly less transparent (downstream
2595
- # firewalls logs will not match upstream's). It also presents the downside
2596
- # of limiting the number of concurrent connections to the usual 64k ports.
2597
- # However, since the upstream and downstream ports are different, local IP
2598
- # connection tracking on the machine will not be upset by the reuse of the
2599
- # same session.
2600
- #
2601
- # Note that depending on the transparent proxy technology used, it may be
2602
- # required to force the source address. In fact, cttproxy version 2 requires an
2603
- # IP address in <addr> above, and does not support setting of "0.0.0.0" as the
2604
- # IP address because it creates NAT entries which much match the exact outgoing
2605
- # address. Tproxy version 4 and some other kernel patches which work in pure
2606
- # forwarding mode generally will not have this limitation.
2607
- #
2608
- # This option sets the default source for all servers in the backend. It may
2609
- # also be specified in a "defaults" section. Finer source address specification
2610
- # is possible at the server level using the "source" server option. Refer to
2611
- # section 5 for more information.
2612
- #
2613
- # Examples :
2614
- # backend private
2615
- # # Connect to the servers using our 192.168.1.200 source address
2616
- # source 192.168.1.200
2617
- #
2618
- # backend transparent_ssl1
2619
- # # Connect to the SSL farm from the client's source address
2620
- # source 192.168.1.200 usesrc clientip
2621
- #
2622
- # backend transparent_ssl2
2623
- # # Connect to the SSL farm from the client's source address and port
2624
- # # not recommended if IP conntrack is present on the local machine.
2625
- # source 192.168.1.200 usesrc client
2626
- #
2627
- # backend transparent_ssl3
2628
- # # Connect to the SSL farm from the client's source address. It
2629
- # # is more conntrack-friendly.
2630
- # source 192.168.1.200 usesrc clientip
2631
- #
2632
- # backend transparent_smtp
2633
- # # Connect to the SMTP farm from the client's source address/port
2634
- # # with Tproxy version 4.
2635
- # source 0.0.0.0 usesrc clientip
2636
- #
2637
- # backend transparent_http
2638
- # # Connect to the servers using the client's IP as seen by previous
2639
- # # proxy.
2640
- # source 0.0.0.0 usesrc hdr_ip(x-forwarded-for,-1)
2641
- #
2642
- # See also : the "source" server option in section 5, the Tproxy patches for
2643
- # the Linux kernel on www.balabit.com, the "bind" keyword.
2644
- #
2645
- attr_accessor :source
2646
-
2647
- #
2648
- # stats auth <user>:<passwd>
2649
- # Enable statistics with authentication and grant access to an account
2650
- # May be used in sections : defaults | frontend | listen | backend
2651
- # yes | no | yes | yes
2652
- # Arguments :
2653
- # <user> is a user name to grant access to
2654
- #
2655
- # <passwd> is the cleartext password associated to this user
2656
- #
2657
- # This statement enables statistics with default settings, and restricts access
2658
- # to declared users only. It may be repeated as many times as necessary to
2659
- # allow as many users as desired. When a user tries to access the statistics
2660
- # without a valid account, a "401 Forbidden" response will be returned so that
2661
- # the browser asks the user to provide a valid user and password. The real
2662
- # which will be returned to the browser is configurable using "stats realm".
2663
- #
2664
- # Since the authentication method is HTTP Basic Authentication, the passwords
2665
- # circulate in cleartext on the network. Thus, it was decided that the
2666
- # configuration file would also use cleartext passwords to remind the users
2667
- # that those ones should not be sensible and not shared with any other account.
2668
- #
2669
- # It is also possible to reduce the scope of the proxies which appear in the
2670
- # report using "stats scope".
2671
- #
2672
- # Though this statement alone is enough to enable statistics reporting, it is
2673
- # recommended to set all other settings in order to avoid relying on default
2674
- # unobvious parameters.
2675
- #
2676
- # Example :
2677
- # # public access (limited to this backend only)
2678
- # backend public_www
2679
- # server srv1 192.168.0.1:80
2680
- # stats enable
2681
- # stats hide-version
2682
- # stats scope .
2683
- # stats uri /admin?stats
2684
- # stats realm Haproxy\ Statistics
2685
- # stats auth admin1:AdMiN123
2686
- # stats auth admin2:AdMiN321
2687
- #
2688
- # # internal monitoring access (unlimited)
2689
- # backend private_monitoring
2690
- # stats enable
2691
- # stats uri /admin?stats
2692
- # stats refresh 5s
2693
- #
2694
- # See also : "stats enable", "stats realm", "stats scope", "stats uri"
2695
- #
2696
- attr_accessor :stats_auth
2697
-
2698
- #
2699
- # stats enable
2700
- # Enable statistics reporting with default settings
2701
- # May be used in sections : defaults | frontend | listen | backend
2702
- # yes | no | yes | yes
2703
- # Arguments : none
2704
- #
2705
- # This statement enables statistics reporting with default settings defined
2706
- # at build time. Unless stated otherwise, these settings are used :
2707
- # - stats uri : /haproxy?stats
2708
- # - stats realm : "HAProxy Statistics"
2709
- # - stats auth : no authentication
2710
- # - stats scope : no restriction
2711
- #
2712
- # Though this statement alone is enough to enable statistics reporting, it is
2713
- # recommended to set all other settings in order to avoid relying on default
2714
- # unobvious parameters.
2715
- #
2716
- # Example :
2717
- # # public access (limited to this backend only)
2718
- # backend public_www
2719
- # server srv1 192.168.0.1:80
2720
- # stats enable
2721
- # stats hide-version
2722
- # stats scope .
2723
- # stats uri /admin?stats
2724
- # stats realm Haproxy\ Statistics
2725
- # stats auth admin1:AdMiN123
2726
- # stats auth admin2:AdMiN321
2727
- #
2728
- # # internal monitoring access (unlimited)
2729
- # backend private_monitoring
2730
- # stats enable
2731
- # stats uri /admin?stats
2732
- # stats refresh 5s
2733
- #
2734
- # See also : "stats auth", "stats realm", "stats uri"
2735
- #
2736
- attr_accessor :stats_enable
2737
-
2738
- #
2739
- # stats hide-version
2740
- # Enable statistics and hide HAProxy version reporting
2741
- # May be used in sections : defaults | frontend | listen | backend
2742
- # yes | no | yes | yes
2743
- # Arguments : none
2744
- #
2745
- # By default, the stats page reports some useful status information along with
2746
- # the statistics. Among them is HAProxy's version. However, it is generally
2747
- # considered dangerous to report precise version to anyone, as it can help them
2748
- # target known weaknesses with specific attacks. The "stats hide-version"
2749
- # statement removes the version from the statistics report. This is recommended
2750
- # for public sites or any site with a weak login/password.
2751
- #
2752
- # Though this statement alone is enough to enable statistics reporting, it is
2753
- # recommended to set all other settings in order to avoid relying on default
2754
- # unobvious parameters.
2755
- #
2756
- # Example :
2757
- # # public access (limited to this backend only)
2758
- # backend public_www
2759
- # server srv1 192.168.0.1:80
2760
- # stats enable
2761
- # stats hide-version
2762
- # stats scope .
2763
- # stats uri /admin?stats
2764
- # stats realm Haproxy\ Statistics
2765
- # stats auth admin1:AdMiN123
2766
- # stats auth admin2:AdMiN321
2767
- #
2768
- # # internal monitoring access (unlimited)
2769
- # backend private_monitoring
2770
- # stats enable
2771
- # stats uri /admin?stats
2772
- # stats refresh 5s
2773
- #
2774
- # See also : "stats auth", "stats enable", "stats realm", "stats uri"
2775
- #
2776
- attr_accessor :stats_hide_version
2777
-
2778
- #
2779
- # stats realm <realm>
2780
- # Enable statistics and set authentication realm
2781
- # May be used in sections : defaults | frontend | listen | backend
2782
- # yes | no | yes | yes
2783
- # Arguments :
2784
- # <realm> is the name of the HTTP Basic Authentication realm reported to
2785
- # the browser. The browser uses it to display it in the pop-up
2786
- # inviting the user to enter a valid username and password.
2787
- #
2788
- # The realm is read as a single word, so any spaces in it should be escaped
2789
- # using a backslash ('\').
2790
- #
2791
- # This statement is useful only in conjunction with "stats auth" since it is
2792
- # only related to authentication.
2793
- #
2794
- # Though this statement alone is enough to enable statistics reporting, it is
2795
- # recommended to set all other settings in order to avoid relying on default
2796
- # unobvious parameters.
2797
- #
2798
- # Example :
2799
- # # public access (limited to this backend only)
2800
- # backend public_www
2801
- # server srv1 192.168.0.1:80
2802
- # stats enable
2803
- # stats hide-version
2804
- # stats scope .
2805
- # stats uri /admin?stats
2806
- # stats realm Haproxy\ Statistics
2807
- # stats auth admin1:AdMiN123
2808
- # stats auth admin2:AdMiN321
2809
- #
2810
- # # internal monitoring access (unlimited)
2811
- # backend private_monitoring
2812
- # stats enable
2813
- # stats uri /admin?stats
2814
- # stats refresh 5s
2815
- #
2816
- # See also : "stats auth", "stats enable", "stats uri"
2817
- #
2818
- attr_accessor :stats_realm
2819
-
2820
- #
2821
- # stats refresh <delay>
2822
- # Enable statistics with automatic refresh
2823
- # May be used in sections : defaults | frontend | listen | backend
2824
- # yes | no | yes | yes
2825
- # Arguments :
2826
- # <delay> is the suggested refresh delay, specified in seconds, which will
2827
- # be returned to the browser consulting the report page. While the
2828
- # browser is free to apply any delay, it will generally respect it
2829
- # and refresh the page this every seconds. The refresh interval may
2830
- # be specified in any other non-default time unit, by suffixing the
2831
- # unit after the value, as explained at the top of this document.
2832
- #
2833
- # This statement is useful on monitoring displays with a permanent page
2834
- # reporting the load balancer's activity. When set, the HTML report page will
2835
- # include a link "refresh"/"stop refresh" so that the user can select whether
2836
- # he wants automatic refresh of the page or not.
2837
- #
2838
- # Though this statement alone is enough to enable statistics reporting, it is
2839
- # recommended to set all other settings in order to avoid relying on default
2840
- # unobvious parameters.
2841
- #
2842
- # Example :
2843
- # # public access (limited to this backend only)
2844
- # backend public_www
2845
- # server srv1 192.168.0.1:80
2846
- # stats enable
2847
- # stats hide-version
2848
- # stats scope .
2849
- # stats uri /admin?stats
2850
- # stats realm Haproxy\ Statistics
2851
- # stats auth admin1:AdMiN123
2852
- # stats auth admin2:AdMiN321
2853
- #
2854
- # # internal monitoring access (unlimited)
2855
- # backend private_monitoring
2856
- # stats enable
2857
- # stats uri /admin?stats
2858
- # stats refresh 5s
2859
- #
2860
- # See also : "stats auth", "stats enable", "stats realm", "stats uri"
2861
- #
2862
- attr_accessor :stats_refresh
2863
-
2864
- #
2865
- # stats scope { <name> | "." }
2866
- # Enable statistics and limit access scope
2867
- # May be used in sections : defaults | frontend | listen | backend
2868
- # yes | no | yes | yes
2869
- # Arguments :
2870
- # <name> is the name of a listen, frontend or backend section to be
2871
- # reported. The special name "." (a single dot) designates the
2872
- # section in which the statement appears.
2873
- #
2874
- # When this statement is specified, only the sections enumerated with this
2875
- # statement will appear in the report. All other ones will be hidden. This
2876
- # statement may appear as many times as needed if multiple sections need to be
2877
- # reported. Please note that the name checking is performed as simple string
2878
- # comparisons, and that it is never checked that a give section name really
2879
- # exists.
2880
- #
2881
- # Though this statement alone is enough to enable statistics reporting, it is
2882
- # recommended to set all other settings in order to avoid relying on default
2883
- # unobvious parameters.
2884
- #
2885
- # Example :
2886
- # # public access (limited to this backend only)
2887
- # backend public_www
2888
- # server srv1 192.168.0.1:80
2889
- # stats enable
2890
- # stats hide-version
2891
- # stats scope .
2892
- # stats uri /admin?stats
2893
- # stats realm Haproxy\ Statistics
2894
- # stats auth admin1:AdMiN123
2895
- # stats auth admin2:AdMiN321
2896
- #
2897
- # # internal monitoring access (unlimited)
2898
- # backend private_monitoring
2899
- # stats enable
2900
- # stats uri /admin?stats
2901
- # stats refresh 5s
2902
- #
2903
- # See also : "stats auth", "stats enable", "stats realm", "stats uri"
2904
- #
2905
- attr_accessor :stats_scope
2906
-
2907
- #
2908
- # stats show-desc [ <desc> ]
2909
- # Enable reporting of a description on the statistics page.
2910
- # May be used in sections : defaults | frontend | listen | backend
2911
- # yes | no | yes | yes
2912
- #
2913
- # <desc> is an optional description to be reported. If unspecified, the
2914
- # description from global section is automatically used instead.
2915
- #
2916
- # This statement is useful for users that offer shared services to their
2917
- # customers, where node or description should be different for each customer.
2918
- #
2919
- # Though this statement alone is enough to enable statistics reporting, it is
2920
- # recommended to set all other settings in order to avoid relying on default
2921
- # unobvious parameters.
2922
- #
2923
- # Example :
2924
- # # internal monitoring access (unlimited)
2925
- # backend private_monitoring
2926
- # stats enable
2927
- # stats show-desc Master node for Europe, Asia, Africa
2928
- # stats uri /admin?stats
2929
- # stats refresh 5s
2930
- #
2931
- # See also: "show-node", "stats enable", "stats uri" and "description" in
2932
- # global section.
2933
- #
2934
- attr_accessor :stats_show_desc
2935
-
2936
- #
2937
- # stats show-legends
2938
- # Enable reporting additional informations on the statistics page :
2939
- # - cap: capabilities (proxy)
2940
- # - mode: one of tcp, http or health (proxy)
2941
- # - id: SNMP ID (proxy, socket, server)
2942
- # - IP (socket, server)
2943
- # - cookie (backend, server)
2944
- #
2945
- # Though this statement alone is enough to enable statistics reporting, it is
2946
- # recommended to set all other settings in order to avoid relying on default
2947
- # unobvious parameters.
2948
- #
2949
- # See also: "stats enable", "stats uri".
2950
- #
2951
- attr_accessor :stats_show_legends
2952
-
2953
- #
2954
- # stats show-node [ <name> ]
2955
- # Enable reporting of a host name on the statistics page.
2956
- # May be used in sections : defaults | frontend | listen | backend
2957
- # yes | no | yes | yes
2958
- # Arguments:
2959
- # <name> is an optional name to be reported. If unspecified, the
2960
- # node name from global section is automatically used instead.
2961
- #
2962
- # This statement is useful for users that offer shared services to their
2963
- # customers, where node or description might be different on a stats page
2964
- # provided for each customer.
2965
- #
2966
- # Though this statement alone is enough to enable statistics reporting, it is
2967
- # recommended to set all other settings in order to avoid relying on default
2968
- # unobvious parameters.
2969
- #
2970
- # Example:
2971
- # # internal monitoring access (unlimited)
2972
- # backend private_monitoring
2973
- # stats enable
2974
- # stats show-node Europe-1
2975
- # stats uri /admin?stats
2976
- # stats refresh 5s
2977
- #
2978
- # See also: "show-desc", "stats enable", "stats uri", and "node" in global
2979
- # section.
2980
- #
2981
- attr_accessor :stats_show_node
2982
-
2983
- #
2984
- # stats uri <prefix>
2985
- # Enable statistics and define the URI prefix to access them
2986
- # May be used in sections : defaults | frontend | listen | backend
2987
- # yes | no | yes | yes
2988
- # Arguments :
2989
- # <prefix> is the prefix of any URI which will be redirected to stats. This
2990
- # prefix may contain a question mark ('?') to indicate part of a
2991
- # query string.
2992
- #
2993
- # The statistics URI is intercepted on the relayed traffic, so it appears as a
2994
- # page within the normal application. It is strongly advised to ensure that the
2995
- # selected URI will never appear in the application, otherwise it will never be
2996
- # possible to reach it in the application.
2997
- #
2998
- # The default URI compiled in haproxy is "/haproxy?stats", but this may be
2999
- # changed at build time, so it's better to always explicitly specify it here.
3000
- # It is generally a good idea to include a question mark in the URI so that
3001
- # intermediate proxies refrain from caching the results. Also, since any string
3002
- # beginning with the prefix will be accepted as a stats request, the question
3003
- # mark helps ensuring that no valid URI will begin with the same words.
3004
- #
3005
- # It is sometimes very convenient to use "/" as the URI prefix, and put that
3006
- # statement in a "listen" instance of its own. That makes it easy to dedicate
3007
- # an address or a port to statistics only.
3008
- #
3009
- # Though this statement alone is enough to enable statistics reporting, it is
3010
- # recommended to set all other settings in order to avoid relying on default
3011
- # unobvious parameters.
3012
- #
3013
- # Example :
3014
- # # public access (limited to this backend only)
3015
- # backend public_www
3016
- # server srv1 192.168.0.1:80
3017
- # stats enable
3018
- # stats hide-version
3019
- # stats scope .
3020
- # stats uri /admin?stats
3021
- # stats realm Haproxy\ Statistics
3022
- # stats auth admin1:AdMiN123
3023
- # stats auth admin2:AdMiN321
3024
- #
3025
- # # internal monitoring access (unlimited)
3026
- # backend private_monitoring
3027
- # stats enable
3028
- # stats uri /admin?stats
3029
- # stats refresh 5s
3030
- #
3031
- # See also : "stats auth", "stats enable", "stats realm"
3032
- #
3033
- attr_accessor :stats_uri
3034
-
3035
- #
3036
- # timeout check <timeout>
3037
- # Set additional check timeout, but only after a connection has been already
3038
- # established.
3039
- #
3040
- # May be used in sections: defaults | frontend | listen | backend
3041
- # yes | no | yes | yes
3042
- # Arguments:
3043
- # <timeout> is the timeout value specified in milliseconds by default, but
3044
- # can be in any other unit if the number is suffixed by the unit,
3045
- # as explained at the top of this document.
3046
- #
3047
- # If set, haproxy uses min("timeout connect", "inter") as a connect timeout
3048
- # for check and "timeout check" as an additional read timeout. The "min" is
3049
- # used so that people running with *very* long "timeout connect" (eg. those
3050
- # who needed this due to the queue or tarpit) do not slow down their checks.
3051
- # (Please also note that there is no valid reason to have such long connect
3052
- # timeouts, because "timeout queue" and "timeout tarpit" can always be used to
3053
- # avoid that).
3054
- #
3055
- # If "timeout check" is not set haproxy uses "inter" for complete check
3056
- # timeout (connect + read) exactly like all <1.3.15 version.
3057
- #
3058
- # In most cases check request is much simpler and faster to handle than normal
3059
- # requests and people may want to kick out laggy servers so this timeout should
3060
- # be smaller than "timeout server".
3061
- #
3062
- # This parameter is specific to backends, but can be specified once for all in
3063
- # "defaults" sections. This is in fact one of the easiest solutions not to
3064
- # forget about it.
3065
- #
3066
- # See also: "timeout connect", "timeout queue", "timeout server",
3067
- # "timeout tarpit".
3068
- #
3069
- attr_accessor :timeout_check
3070
-
3071
- #
3072
- # timeout client <timeout>
3073
- # timeout clitimeout <timeout> (deprecated)
3074
- # Set the maximum inactivity time on the client side.
3075
- # May be used in sections : defaults | frontend | listen | backend
3076
- # yes | yes | yes | no
3077
- # Arguments :
3078
- # <timeout> is the timeout value specified in milliseconds by default, but
3079
- # can be in any other unit if the number is suffixed by the unit,
3080
- # as explained at the top of this document.
3081
- #
3082
- # The inactivity timeout applies when the client is expected to acknowledge or
3083
- # send data. In HTTP mode, this timeout is particularly important to consider
3084
- # during the first phase, when the client sends the request, and during the
3085
- # response while it is reading data sent by the server. The value is specified
3086
- # in milliseconds by default, but can be in any other unit if the number is
3087
- # suffixed by the unit, as specified at the top of this document. In TCP mode
3088
- # (and to a lesser extent, in HTTP mode), it is highly recommended that the
3089
- # client timeout remains equal to the server timeout in order to avoid complex
3090
- # situations to debug. It is a good practice to cover one or several TCP packet
3091
- # losses by specifying timeouts that are slightly above multiples of 3 seconds
3092
- # (eg: 4 or 5 seconds).
3093
- #
3094
- # This parameter is specific to frontends, but can be specified once for all in
3095
- # "defaults" sections. This is in fact one of the easiest solutions not to
3096
- # forget about it. An unspecified timeout results in an infinite timeout, which
3097
- # is not recommended. Such a usage is accepted and works but reports a warning
3098
- # during startup because it may results in accumulation of expired sessions in
3099
- # the system if the system's timeouts are not configured either.
3100
- #
3101
- # This parameter replaces the old, deprecated "clitimeout". It is recommended
3102
- # to use it to write new configurations. The form "timeout clitimeout" is
3103
- # provided only by backwards compatibility but its use is strongly discouraged.
3104
- #
3105
- # See also : "clitimeout", "timeout server".
3106
- #
3107
- attr_accessor :timeout_client
3108
-
3109
- #
3110
- # timeout connect <timeout>
3111
- # timeout contimeout <timeout> (deprecated)
3112
- # Set the maximum time to wait for a connection attempt to a server to succeed.
3113
- # May be used in sections : defaults | frontend | listen | backend
3114
- # yes | no | yes | yes
3115
- # Arguments :
3116
- # <timeout> is the timeout value specified in milliseconds by default, but
3117
- # can be in any other unit if the number is suffixed by the unit,
3118
- # as explained at the top of this document.
3119
- #
3120
- # If the server is located on the same LAN as haproxy, the connection should be
3121
- # immediate (less than a few milliseconds). Anyway, it is a good practice to
3122
- # cover one or several TCP packet losses by specifying timeouts that are
3123
- # slightly above multiples of 3 seconds (eg: 4 or 5 seconds). By default, the
3124
- # connect timeout also presets both queue and tarpit timeouts to the same value
3125
- # if these have not been specified.
3126
- #
3127
- # This parameter is specific to backends, but can be specified once for all in
3128
- # "defaults" sections. This is in fact one of the easiest solutions not to
3129
- # forget about it. An unspecified timeout results in an infinite timeout, which
3130
- # is not recommended. Such a usage is accepted and works but reports a warning
3131
- # during startup because it may results in accumulation of failed sessions in
3132
- # the system if the system's timeouts are not configured either.
3133
- #
3134
- # This parameter replaces the old, deprecated "contimeout". It is recommended
3135
- # to use it to write new configurations. The form "timeout contimeout" is
3136
- # provided only by backwards compatibility but its use is strongly discouraged.
3137
- #
3138
- # See also: "timeout check", "timeout queue", "timeout server", "contimeout",
3139
- # "timeout tarpit".
3140
- #
3141
- attr_accessor :timeout_connect
3142
-
3143
- #
3144
- # timeout http-keep-alive <timeout>
3145
- # Set the maximum allowed time to wait for a new HTTP request to appear
3146
- # May be used in sections : defaults | frontend | listen | backend
3147
- # yes | yes | yes | yes
3148
- # Arguments :
3149
- # <timeout> is the timeout value specified in milliseconds by default, but
3150
- # can be in any other unit if the number is suffixed by the unit,
3151
- # as explained at the top of this document.
3152
- #
3153
- # By default, the time to wait for a new request in case of keep-alive is set
3154
- # by "timeout http-request". However this is not always convenient because some
3155
- # people want very short keep-alive timeouts in order to release connections
3156
- # faster, and others prefer to have larger ones but still have short timeouts
3157
- # once the request has started to present itself.
3158
- #
3159
- # The "http-keep-alive" timeout covers these needs. It will define how long to
3160
- # wait for a new HTTP request to start coming after a response was sent. Once
3161
- # the first byte of request has been seen, the "http-request" timeout is used
3162
- # to wait for the complete request to come. Note that empty lines prior to a
3163
- # new request do not refresh the timeout and are not counted as a new request.
3164
- #
3165
- # There is also another difference between the two timeouts : when a connection
3166
- # expires during timeout http-keep-alive, no error is returned, the connection
3167
- # just closes. If the connection expires in "http-request" while waiting for a
3168
- # connection to complete, a HTTP 408 error is returned.
3169
- #
3170
- # In general it is optimal to set this value to a few tens to hundreds of
3171
- # milliseconds, to allow users to fetch all objects of a page at once but
3172
- # without waiting for further clicks. Also, if set to a very small value (eg:
3173
- # 1 millisecond) it will probably only accept pipelined requests but not the
3174
- # non-pipelined ones. It may be a nice trade-off for very large sites running
3175
- # with tens to hundreds of thousands of clients.
3176
- #
3177
- # If this parameter is not set, the "http-request" timeout applies, and if both
3178
- # are not set, "timeout client" still applies at the lower level. It should be
3179
- # set in the frontend to take effect, unless the frontend is in TCP mode, in
3180
- # which case the HTTP backend's timeout will be used.
3181
- #
3182
- # See also : "timeout http-request", "timeout client".
3183
- #
3184
- attr_accessor :timeout_http_keep_alive
3185
-
3186
- #
3187
- # timeout http-request <timeout>
3188
- # Set the maximum allowed time to wait for a complete HTTP request
3189
- # May be used in sections : defaults | frontend | listen | backend
3190
- # yes | yes | yes | yes
3191
- # Arguments :
3192
- # <timeout> is the timeout value specified in milliseconds by default, but
3193
- # can be in any other unit if the number is suffixed by the unit,
3194
- # as explained at the top of this document.
3195
- #
3196
- # In order to offer DoS protection, it may be required to lower the maximum
3197
- # accepted time to receive a complete HTTP request without affecting the client
3198
- # timeout. This helps protecting against established connections on which
3199
- # nothing is sent. The client timeout cannot offer a good protection against
3200
- # this abuse because it is an inactivity timeout, which means that if the
3201
- # attacker sends one character every now and then, the timeout will not
3202
- # trigger. With the HTTP request timeout, no matter what speed the client
3203
- # types, the request will be aborted if it does not complete in time.
3204
- #
3205
- # Note that this timeout only applies to the header part of the request, and
3206
- # not to any data. As soon as the empty line is received, this timeout is not
3207
- # used anymore. It is used again on keep-alive connections to wait for a second
3208
- # request if "timeout http-keep-alive" is not set.
3209
- #
3210
- # Generally it is enough to set it to a few seconds, as most clients send the
3211
- # full request immediately upon connection. Add 3 or more seconds to cover TCP
3212
- # retransmits but that's all. Setting it to very low values (eg: 50 ms) will
3213
- # generally work on local networks as long as there are no packet losses. This
3214
- # will prevent people from sending bare HTTP requests using telnet.
3215
- #
3216
- # If this parameter is not set, the client timeout still applies between each
3217
- # chunk of the incoming request. It should be set in the frontend to take
3218
- # effect, unless the frontend is in TCP mode, in which case the HTTP backend's
3219
- # timeout will be used.
3220
- #
3221
- # See also : "timeout http-keep-alive", "timeout client".
3222
- #
3223
- attr_accessor :timeout_http_request
3224
-
3225
- #
3226
- # timeout queue <timeout>
3227
- # Set the maximum time to wait in the queue for a connection slot to be free
3228
- # May be used in sections : defaults | frontend | listen | backend
3229
- # yes | no | yes | yes
3230
- # Arguments :
3231
- # <timeout> is the timeout value specified in milliseconds by default, but
3232
- # can be in any other unit if the number is suffixed by the unit,
3233
- # as explained at the top of this document.
3234
- #
3235
- # When a server's maxconn is reached, connections are left pending in a queue
3236
- # which may be server-specific or global to the backend. In order not to wait
3237
- # indefinitely, a timeout is applied to requests pending in the queue. If the
3238
- # timeout is reached, it is considered that the request will almost never be
3239
- # served, so it is dropped and a 503 error is returned to the client.
3240
- #
3241
- # The "timeout queue" statement allows to fix the maximum time for a request to
3242
- # be left pending in a queue. If unspecified, the same value as the backend's
3243
- # connection timeout ("timeout connect") is used, for backwards compatibility
3244
- # with older versions with no "timeout queue" parameter.
3245
- #
3246
- # See also : "timeout connect", "contimeout".
3247
- #
3248
- attr_accessor :timeout_queue
3249
-
3250
- #
3251
- # timeout server <timeout>
3252
- # timeout srvtimeout <timeout> (deprecated)
3253
- # Set the maximum inactivity time on the server side.
3254
- # May be used in sections : defaults | frontend | listen | backend
3255
- # yes | no | yes | yes
3256
- # Arguments :
3257
- # <timeout> is the timeout value specified in milliseconds by default, but
3258
- # can be in any other unit if the number is suffixed by the unit,
3259
- # as explained at the top of this document.
3260
- #
3261
- # The inactivity timeout applies when the server is expected to acknowledge or
3262
- # send data. In HTTP mode, this timeout is particularly important to consider
3263
- # during the first phase of the server's response, when it has to send the
3264
- # headers, as it directly represents the server's processing time for the
3265
- # request. To find out what value to put there, it's often good to start with
3266
- # what would be considered as unacceptable response times, then check the logs
3267
- # to observe the response time distribution, and adjust the value accordingly.
3268
- #
3269
- # The value is specified in milliseconds by default, but can be in any other
3270
- # unit if the number is suffixed by the unit, as specified at the top of this
3271
- # document. In TCP mode (and to a lesser extent, in HTTP mode), it is highly
3272
- # recommended that the client timeout remains equal to the server timeout in
3273
- # order to avoid complex situations to debug. Whatever the expected server
3274
- # response times, it is a good practice to cover at least one or several TCP
3275
- # packet losses by specifying timeouts that are slightly above multiples of 3
3276
- # seconds (eg: 4 or 5 seconds minimum).
3277
- #
3278
- # This parameter is specific to backends, but can be specified once for all in
3279
- # "defaults" sections. This is in fact one of the easiest solutions not to
3280
- # forget about it. An unspecified timeout results in an infinite timeout, which
3281
- # is not recommended. Such a usage is accepted and works but reports a warning
3282
- # during startup because it may results in accumulation of expired sessions in
3283
- # the system if the system's timeouts are not configured either.
3284
- #
3285
- # This parameter replaces the old, deprecated "srvtimeout". It is recommended
3286
- # to use it to write new configurations. The form "timeout srvtimeout" is
3287
- # provided only by backwards compatibility but its use is strongly discouraged.
3288
- #
3289
- # See also : "srvtimeout", "timeout client".
3290
- #
3291
- attr_accessor :timeout_server
3292
-
3293
- #
3294
- # timeout tarpit <timeout>
3295
- # Set the duration for which tarpitted connections will be maintained
3296
- # May be used in sections : defaults | frontend | listen | backend
3297
- # yes | yes | yes | yes
3298
- # Arguments :
3299
- # <timeout> is the tarpit duration specified in milliseconds by default, but
3300
- # can be in any other unit if the number is suffixed by the unit,
3301
- # as explained at the top of this document.
3302
- #
3303
- # When a connection is tarpitted using "reqtarpit", it is maintained open with
3304
- # no activity for a certain amount of time, then closed. "timeout tarpit"
3305
- # defines how long it will be maintained open.
3306
- #
3307
- # The value is specified in milliseconds by default, but can be in any other
3308
- # unit if the number is suffixed by the unit, as specified at the top of this
3309
- # document. If unspecified, the same value as the backend's connection timeout
3310
- # ("timeout connect") is used, for backwards compatibility with older versions
3311
- # with no "timeout tarpit" parameter.
3312
- #
3313
- # See also : "timeout connect", "contimeout".
3314
- #
3315
- attr_accessor :timeout_tarpit
3316
-
3317
- #
3318
- # name <name>
3319
- # The defaults name is encouraged for better readability.
3320
- #
3321
- attr_accessor :name
19
+ include RhaproxyKeywords,
20
+ :exclude => [
21
+ :acl,
22
+ :appsession,
23
+ :bind,
24
+ :block,
25
+ :capture_cookie,
26
+ :capture_request_header,
27
+ :capture_response_header,
28
+ :description,
29
+ :dispatch,
30
+ :force_persist,
31
+ :http_check_expect,
32
+ :http_request,
33
+ :persistent_id,
34
+ :ignore_persist,
35
+ :monitor_fail,
36
+ :name,
37
+ :redirect,
38
+ :reqadd,
39
+ :reqallow,
40
+ :reqdel,
41
+ :reqdeny,
42
+ :reqiallow,
43
+ :reqidel,
44
+ :reqideny,
45
+ :reqipass,
46
+ :reqirep,
47
+ :reqisetbe,
48
+ :reqitarpit,
49
+ :reqpass,
50
+ :reqrep,
51
+ :reqsetbe,
52
+ :reqtarpit,
53
+ :rspadd,
54
+ :rspdel,
55
+ :rspdeny,
56
+ :rspirep,
57
+ :rsprep,
58
+ :server,
59
+ :stats_admin,
60
+ :stats_http_request,
61
+ :stick_match,
62
+ :stick_on,
63
+ :stick_store_request,
64
+ :stick_table,
65
+ :stick_store_response,
66
+ :tcp_request_connection,
67
+ :tcp_request_content,
68
+ :tcp_request_inspect_delay,
69
+ :tcp_response_content,
70
+ :tcp_response_inspect_delay,
71
+ :use_backend
72
+ ]
3322
73
 
3323
74
  #
3324
75
  # Returns a new RhaproxyDefaults Object
3325
76
  #
3326
77
  def initialize()
78
+ @conf ||= []
79
+ @proxy_type = "defaults"
80
+ @conf.push(" " + "#{@proxy_type} " + "\n")
81
+ @name_index = @conf.index(" " + "#{@proxy_type} " + "\n")
3327
82
  end
3328
83
 
3329
84
  #
3330
- # Compile the HAproxy defaults configuration
85
+ # name <name>
86
+ # The defaults name is encouraged for better readability.
3331
87
  #
3332
- def config
3333
-
3334
- conf = option_string()
3335
-
3336
- return conf
3337
-
3338
- end
3339
-
3340
- private
3341
-
3342
- def option_string()
3343
-
3344
- unless @name
3345
- @name = ""
3346
- end
3347
-
3348
- ostring = " " + "defaults " + @name.to_s + "\n"
3349
-
3350
- if @backlog
3351
- ostring += " " + "backlog " + @backlog.to_s + "\n"
3352
- end
3353
-
3354
- if @balance
3355
- ostring += " " + "balance " + @balance.to_s + "\n"
3356
- end
3357
-
3358
- if @bind_process
3359
- ostring += " " + "bind-process " + @bind_process.to_s + "\n"
3360
- end
3361
-
3362
- if @cookie
3363
- ostring += " " + "cookie " + @cookie.to_s + "\n"
3364
- end
3365
-
3366
- if @default_server
3367
- ostring += " " + "default-server " + @default_server.to_s + "\n"
3368
- end
3369
-
3370
- if @default_backend
3371
- ostring += " " + "default_backend " + @default_backend.to_s + "\n"
3372
- end
3373
-
3374
- if @disabled
3375
- ostring += " " + "disabled " + "\n"
3376
- end
3377
-
3378
- if @enabled
3379
- ostring += " " + "enabled " + "\n"
3380
- end
3381
-
3382
- if @errorfile
3383
- ostring += " " + "errorfile " + @errorfile.to_s + "\n"
3384
- end
3385
-
3386
- if @errorloc
3387
- ostring += " " + "errorloc " + @errorloc.to_s + "\n"
3388
- end
3389
-
3390
- if @errorloc302
3391
- ostring += " " + "errorloc302 " + @errorloc302.to_s + "\n"
3392
- end
3393
-
3394
- if @errorloc303
3395
- ostring += " " + "errorloc303 " + @errorloc303.to_s + "\n"
3396
- end
3397
-
3398
- if @fullconn
3399
- ostring += " " + "fullconn " + @fullconn.to_s + "\n"
3400
- end
3401
-
3402
- if @grace
3403
- ostring += " " + "grace " + @grace.to_s + "\n"
3404
- end
3405
-
3406
- if @hash_type
3407
- ostring += " " + "hash_type " + @hash_type.to_s + "\n"
3408
- end
3409
-
3410
- if @http_check_disable_on_404
3411
- ostring += " " + "http-check disable-on-404 " + "\n"
3412
- end
3413
-
3414
- if @http_check_send_state
3415
- ostring += " " + "http-check send-state " + "\n"
3416
- end
3417
-
3418
- if @log
3419
- ostring += " " + "log " + @log.to_s + "\n"
3420
- end
3421
-
3422
- if @maxconn
3423
- ostring += " " + "maxconn " + @maxconn.to_s + "\n"
3424
- end
3425
-
3426
- if @mode
3427
- ostring += " " + "mode " + @mode.to_s + "\n"
3428
- end
3429
-
3430
- if @monitor_net
3431
- ostring += " " + "monitor-net " + @monitor_net.to_s + "\n"
3432
- end
3433
-
3434
- if @monitor_uri
3435
- ostring += " " + "monitor-uri " + @monitor_uri.to_s + "\n"
3436
- end
3437
-
3438
- if @option_abortonclose
3439
- ostring += " " + "option abortonclose " + "\n"
3440
- end
3441
-
3442
- if @option_accept_invalid_http_request
3443
- ostring += " " + "option accept-invalid-http-request " + "\n"
3444
- end
3445
-
3446
- if @option_accept_invalid_http_response
3447
- ostring += " " + "option accept-invalid-http-response " + "\n"
3448
- end
3449
-
3450
- if @option_allbackups
3451
- ostring += " " + "option allbackups " + "\n"
3452
- end
3453
-
3454
- if @option_checkcache
3455
- ostring += " " + "option checkcache " + "\n"
3456
- end
3457
-
3458
- if @option_clitcpka
3459
- ostring += " " + "option clitcpka " + "\n"
3460
- end
3461
-
3462
- if @option_contstats
3463
- ostring += " " + "option contstats " + "\n"
3464
- end
3465
-
3466
- if @option_dontlog_normal
3467
- ostring += " " + "option dontlog-normal " + "\n"
3468
- end
3469
-
3470
- if @option_dontlognull
3471
- ostring += " " + "option dontlognull " + "\n"
3472
- end
3473
-
3474
- if @option_forceclose
3475
- ostring += " " + "option forceclose " + "\n"
3476
- end
3477
-
3478
- if @option_forwardfor
3479
- ostring += " " + "option forwardfor " + @option_forwardfor.to_s + "\n"
3480
- end
3481
-
3482
- if @option_http_pretend_keepalive
3483
- ostring += " " + "option http-pretend-keepalive " + "\n"
3484
- end
3485
-
3486
- if @option_http_server_close
3487
- ostring += " " + "option http-server-close " + "\n"
3488
- end
3489
-
3490
- if @option_http_use_proxy_header
3491
- ostring += " " + "option http-use-proxy-header " + "\n"
3492
- end
3493
-
3494
- if @option_httpchk
3495
- ostring += " " + "option httpchk " + @option_httpchk.to_s + "\n"
3496
- end
3497
-
3498
- if @option_httpchk_complete
3499
- ostring += " " + "option httpchk " + "\n"
3500
- end
3501
-
3502
- if @option_httpclose
3503
- ostring += " " + "option httpclose " + "\n"
3504
- end
3505
-
3506
- if @option_httplog
3507
- ostring += " " + "option httplog " + "\n"
3508
- end
3509
-
3510
- if @option_httplog_clf
3511
- ostring += " " + "option httplog " + @option_httplog_clf.to_s + "\n"
3512
- end
3513
-
3514
- if @option_http_proxy
3515
- ostring += " " + "option http_proxy " + "\n"
3516
- end
3517
-
3518
- if @option_independant_streams
3519
- ostring += " " + "option independant-streams " + "\n"
3520
- end
3521
-
3522
- if @option_ldap_check
3523
- ostring += " " + "option ldap-check " + "\n"
3524
- end
3525
-
3526
- if @option_log_health_checks
3527
- ostring += " " + "option log-health-checks " + "\n"
3528
- end
3529
-
3530
- if @option_log_separate_errors
3531
- ostring += " " + "option log-separate-errors " + "\n"
3532
- end
3533
-
3534
- if @option_logasap
3535
- ostring += " " + "option logasap " + "\n"
3536
- end
3537
-
3538
- if @option_mysql_check
3539
- ostring += " " + "option mysql-check " + @option_mysql_check.to_s + "\n"
3540
- end
3541
-
3542
- if @option_nolinger
3543
- ostring += " " + "option nolinger " + "\n"
3544
- end
3545
-
3546
- if @option_originalto
3547
- ostring += " " + "option originalto " + @option_originalto.to_s + "\n"
3548
- end
3549
-
3550
- if @option_persist
3551
- ostring += " " + "option persist " + "\n"
3552
- end
3553
-
3554
- if @option_redispatch
3555
- ostring += " " + "option redispatch " + "\n"
3556
- end
3557
-
3558
- if @option_smtpchk
3559
- ostring += " " + "option smtpchk " + @option_smtpchk.to_s + "\n"
3560
- end
3561
-
3562
- if @option_smtpchk_complete
3563
- ostring += " " + "option smtpchk " + "\n"
3564
- end
3565
-
3566
- if @option_socket_stats
3567
- ostring += " " + "option socket-stats " + "\n"
3568
- end
3569
-
3570
- if @option_splice_auto
3571
- ostring += " " + "option splice-auto " + "\n"
3572
- end
3573
-
3574
- if @option_splice_request
3575
- ostring += " " + "option splice-request " + "\n"
3576
- end
3577
-
3578
- if @option_splice_response
3579
- ostring += " " + "option splice-response " + "\n"
3580
- end
3581
-
3582
- if @option_srvtcpka
3583
- ostring += " " + "option srvtcpka " + "\n"
3584
- end
3585
-
3586
- if @option_ssl_hello_chk
3587
- ostring += " " + "option ssl-hello-chk " + "\n"
3588
- end
3589
-
3590
- if @option_tcp_smart_accept
3591
- ostring += " " + "option tcp-smart-accept " + "\n"
3592
- end
3593
-
3594
- if @option_tcp_smart_connect
3595
- ostring += " " + "option tcp-smart-connect " + "\n"
3596
- end
3597
-
3598
- if @option_tcpka
3599
- ostring += " " + "option tcpka " + "\n"
3600
- end
3601
-
3602
- if @option_tcplog
3603
- ostring += " " + "option tcplog " + "\n"
3604
- end
3605
-
3606
- if @option_transparent
3607
- ostring += " " + "option transparent " + "\n"
3608
- end
3609
-
3610
- if @persist_rdp_cookie
3611
- ostring += " " + "persist rdp-cookie " + @persist_rdp_cookie.to_s + "\n"
3612
- end
3613
-
3614
- if @persist_rdp_cookie_msts
3615
- ostring += " " + "persist rdp-cookie " + "\n"
3616
- end
3617
-
3618
- if @rate_limit_sessions
3619
- ostring += " " + "rate-limit sessions " + @rate_limit_sessions.to_s + "\n"
3620
- end
3621
-
3622
- if @retries
3623
- ostring += " " + "retries " + @retries.to_s + "\n"
3624
- end
3625
-
3626
- if @source
3627
- ostring += " " + "source " + @source.to_s + "\n"
3628
- end
3629
-
3630
- if @stats_auth
3631
- ostring += " " + "stats auth " + @stats_auth.to_s + "\n"
3632
- end
3633
-
3634
- if @stats_enable
3635
- ostring += " " + "stats enable " + "\n"
3636
- end
3637
-
3638
- if @stats_hide_version
3639
- ostring += " " + "stats hide-version " + "\n"
3640
- end
3641
-
3642
- if @stats_realm
3643
- ostring += " " + "stats realm " + @stats_realm.to_s + "\n"
3644
- end
3645
-
3646
- if @stats_refresh
3647
- ostring += " " + "stats refresh " + @stats_refresh.to_s + "\n"
3648
- end
3649
-
3650
- if @stats_scope
3651
- ostring += " " + "stats scope " + @stats_scope.to_s + "\n"
3652
- end
3653
-
3654
- if @stats_show_desc
3655
- ostring += " " + "stats show-desc " + @stats_show_desc.to_s + "\n"
3656
- end
3657
-
3658
- if @stats_show_legends
3659
- ostring += " " + "stats show-legends " + "\n"
3660
- end
3661
-
3662
- if @stats_show_node
3663
- ostring += " " + "stats show-node " + @stats_show_node.to_s + "\n"
3664
- end
3665
-
3666
- if @stats_show_node_global
3667
- ostring += " " + "stats show-node " + "\n"
3668
- end
3669
-
3670
- if @stats_uri
3671
- ostring += " " + "stats uri " + @stats_uri.to_s + "\n"
3672
- end
3673
-
3674
- if @timeout_check
3675
- ostring += " " + "timeout check " + @timeout_check.to_s + "\n"
3676
- end
3677
-
3678
- if @timeout_client
3679
- ostring += " " + "timeout client " + @timeout_client.to_s + "\n"
3680
- end
3681
-
3682
- if @timeout_connect
3683
- ostring += " " + "timeout connect " + @timeout_connect.to_s + "\n"
3684
- end
3685
-
3686
- if @timeout_http_keep_alive
3687
- ostring += " " + "timeout http-keep-alive " + @timeout_http_keep_alive.to_s + "\n"
3688
- end
3689
-
3690
- if @timeout_http_request
3691
- ostring += " " + "timeout http-request " + @timeout_http_request.to_s + "\n"
3692
- end
3693
-
3694
- if @timeout_queue
3695
- ostring += " " + "timeout queue " + @timeout_queue.to_s + "\n"
3696
- end
3697
-
3698
- if @timeout_server
3699
- ostring += " " + "timeout server " + @timeout_server.to_s + "\n"
3700
- end
3701
-
3702
- if @timeout_tarpit
3703
- ostring += " " + "timeout tarpit " + @timeout_tarpit.to_s + "\n"
3704
- end
3705
-
3706
- ostring += "\n"
3707
-
3708
- return ostring
3709
-
88
+ # NOTE: This will clear the existing values in the array.
89
+ #
90
+ def name(value = nil)
91
+ @conf.replace( [] )
92
+ @conf.push(" " + "#{@proxy_type} " + value.to_s + "\n")
93
+ @name_index = @conf.index(" " + "#{@proxy_type} " + value.to_s + "\n")
3710
94
  end
3711
95
 
3712
96
  end