rhaproxy 0.1.0 → 0.1.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (10) hide show
  1. data/Changelog +41 -0
  2. data/README +8 -8
  3. data/lib/rhaproxy/backend.rb +29 -4989
  4. data/lib/rhaproxy/defaults.rb +66 -3682
  5. data/lib/rhaproxy/frontend.rb +56 -3226
  6. data/lib/rhaproxy/keywords.rb +6502 -0
  7. data/lib/rhaproxy/listen.rb +3 -6065
  8. data/lib/rhaproxy/mixins.rb +20 -0
  9. data/lib/rhaproxy.rb +2 -0
  10. metadata +6 -4
data/lib/rhaproxy/frontend.rb CHANGED
@@ -14,3238 +14,68 @@
14
14
  # connections.
15
15
  #
16
16
  class RhaproxyFrontend
17
-
18
- #
19
- # acl <aclname> <criterion> [flags] [operator] <value> ...
20
- # Declare or complete an access list.
21
- # May be used in sections : defaults | frontend | listen | backend
22
- # no | yes | yes | yes
23
- # Example:
24
- # acl invalid_src src 0.0.0.0/7 224.0.0.0/3
25
- # acl invalid_src src_port 0:1023
26
- # acl local_dst hdr(host) -i localhost
27
- #
28
- # See section 7 about ACL usage.
29
- #
30
- attr_accessor :acl
31
-
32
- #
33
- # bind [<address>]:<port_range> [, ...]
34
- # bind [<address>]:<port_range> [, ...] interface <interface>
35
- # bind [<address>]:<port_range> [, ...] mss <maxseg>
36
- # bind [<address>]:<port_range> [, ...] transparent
37
- # bind [<address>]:<port_range> [, ...] id <id>
38
- # bind [<address>]:<port_range> [, ...] name <name>
39
- # bind [<address>]:<port_range> [, ...] defer-accept
40
- # bind [<address>]:<port_range> [, ...] accept-proxy
41
- # bind /<path> [, ...]
42
- # bind /<path> [, ...] mode <mode>
43
- # bind /<path> [, ...] [ user <user> | uid <uid> ]
44
- # bind /<path> [, ...] [ group <user> | gid <gid> ]
45
- # Define one or several listening addresses and/or ports in a frontend.
46
- # May be used in sections : defaults | frontend | listen | backend
47
- # no | yes | yes | no
48
- # Arguments :
49
- # <address> is optional and can be a host name, an IPv4 address, an IPv6
50
- # address, or '*'. It designates the address the frontend will
51
- # listen on. If unset, all IPv4 addresses of the system will be
52
- # listened on. The same will apply for '*' or the system's
53
- # special address "0.0.0.0".
54
- #
55
- # <port_range> is either a unique TCP port, or a port range for which the
56
- # proxy will accept connections for the IP address specified
57
- # above. The port is mandatory for TCP listeners. Note that in
58
- # the case of an IPv6 address, the port is always the number
59
- # after the last colon (':'). A range can either be :
60
- # - a numerical port (ex: '80')
61
- # - a dash-delimited ports range explicitly stating the lower
62
- # and upper bounds (ex: '2000-2100') which are included in
63
- # the range.
64
- #
65
- # Particular care must be taken against port ranges, because
66
- # every <address:port> couple consumes one socket (= a file
67
- # descriptor), so it's easy to consume lots of descriptors
68
- # with a simple range, and to run out of sockets. Also, each
69
- # <address:port> couple must be used only once among all
70
- # instances running on a same system. Please note that binding
71
- # to ports lower than 1024 generally require particular
72
- # privileges to start the program, which are independant of
73
- # the 'uid' parameter.
74
- #
75
- # <path> is a UNIX socket path beginning with a slash ('/'). This is
76
- # alternative to the TCP listening port. Haproxy will then
77
- # receive UNIX connections on the socket located at this place.
78
- # The path must begin with a slash and by default is absolute.
79
- # It can be relative to the prefix defined by "unix-bind" in
80
- # the global section. Note that the total length of the prefix
81
- # followed by the socket path cannot exceed some system limits
82
- # for UNIX sockets, which commonly are set to 107 characters.
83
- #
84
- # <interface> is an optional physical interface name. This is currently
85
- # only supported on Linux. The interface must be a physical
86
- # interface, not an aliased interface. When specified, all
87
- # addresses on the same line will only be accepted if the
88
- # incoming packet physically come through the designated
89
- # interface. It is also possible to bind multiple frontends to
90
- # the same address if they are bound to different interfaces.
91
- # Note that binding to a physical interface requires root
92
- # privileges. This parameter is only compatible with TCP
93
- # sockets.
94
- #
95
- # <maxseg> is an optional TCP Maximum Segment Size (MSS) value to be
96
- # advertised on incoming connections. This can be used to force
97
- # a lower MSS for certain specific ports, for instance for
98
- # connections passing through a VPN. Note that this relies on a
99
- # kernel feature which is theorically supported under Linux but
100
- # was buggy in all versions prior to 2.6.28. It may or may not
101
- # work on other operating systems. The commonly advertised
102
- # value on Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP).
103
- # This parameter is only compatible with TCP sockets.
104
- #
105
- # <id> is a persistent value for socket ID. Must be positive and
106
- # unique in the proxy. An unused value will automatically be
107
- # assigned if unset. Can only be used when defining only a
108
- # single socket.
109
- #
110
- # <name> is an optional name provided for stats
111
- #
112
- # <mode> is the octal mode used to define access permissions on the
113
- # UNIX socket. It can also be set by default in the global
114
- # section's "unix-bind" statement. Note that some platforms
115
- # simply ignore this.
116
- #
117
- # <user> is the name of user that will be marked owner of the UNIX
118
- # socket. It can also be set by default in the global
119
- # section's "unix-bind" statement. Note that some platforms
120
- # simply ignore this.
121
- #
122
- # <group> is the name of a group that will be used to create the UNIX
123
- # socket. It can also be set by default in the global section's
124
- # "unix-bind" statement. Note that some platforms simply ignore
125
- # this.
126
- #
127
- # <uid> is the uid of user that will be marked owner of the UNIX
128
- # socket. It can also be set by default in the global section's
129
- # "unix-bind" statement. Note that some platforms simply ignore
130
- # this.
131
- #
132
- # <gid> is the gid of a group that will be used to create the UNIX
133
- # socket. It can also be set by default in the global section's
134
- # "unix-bind" statement. Note that some platforms simply ignore
135
- # this.
136
- #
137
- # transparent is an optional keyword which is supported only on certain
138
- # Linux kernels. It indicates that the addresses will be bound
139
- # even if they do not belong to the local machine. Any packet
140
- # targeting any of these addresses will be caught just as if
141
- # the address was locally configured. This normally requires
142
- # that IP forwarding is enabled. Caution! do not use this with
143
- # the default address '*', as it would redirect any traffic for
144
- # the specified port. This keyword is available only when
145
- # HAProxy is built with USE_LINUX_TPROXY=1. This parameter is
146
- # only compatible with TCP sockets.
147
- #
148
- # defer-accept is an optional keyword which is supported only on certain
149
- # Linux kernels. It states that a connection will only be
150
- # accepted once some data arrive on it, or at worst after the
151
- # first retransmit. This should be used only on protocols for
152
- # which the client talks first (eg: HTTP). It can slightly
153
- # improve performance by ensuring that most of the request is
154
- # already available when the connection is accepted. On the
155
- # other hand, it will not be able to detect connections which
156
- # don't talk. It is important to note that this option is
157
- # broken in all kernels up to 2.6.31, as the connection is
158
- # never accepted until the client talks. This can cause issues
159
- # with front firewalls which would see an established
160
- # connection while the proxy will only see it in SYN_RECV.
161
- #
162
- # accept-proxy is an optional keyword which enforces use of the PROXY
163
- # protocol over any connection accepted by this listener. The
164
- # PROXY protocol dictates the layer 3/4 addresses of the
165
- # incoming connection to be used everywhere an address is used,
166
- # with the only exception of "tcp-request connection" rules
167
- # which will only see the real connection address. Logs will
168
- # reflect the addresses indicated in the protocol, unless it is
169
- # violated, in which case the real address will still be used.
170
- # This keyword combined with support from external components
171
- # can be used as an efficient and reliable alternative to the
172
- # X-Forwarded-For mechanism which is not always reliable and
173
- # not even always usable.
174
- #
175
- # It is possible to specify a list of address:port combinations delimited by
176
- # commas. The frontend will then listen on all of these addresses. There is no
177
- # fixed limit to the number of addresses and ports which can be listened on in
178
- # a frontend, as well as there is no limit to the number of "bind" statements
179
- # in a frontend.
180
- #
181
- # Example :
182
- # listen http_proxy
183
- # bind :80,:443
184
- # bind 10.0.0.1:10080,10.0.0.1:10443
185
- # bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
186
- #
187
- # See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
188
- # documentation.
189
- #
190
- attr_accessor :bind
191
-
192
- #
193
- # block { if | unless } <condition>
194
- # Block a layer 7 request if/unless a condition is matched
195
- # May be used in sections : defaults | frontend | listen | backend
196
- # no | yes | yes | yes
197
- #
198
- # The HTTP request will be blocked very early in the layer 7 processing
199
- # if/unless <condition> is matched. A 403 error will be returned if the request
200
- # is blocked. The condition has to reference ACLs (see section 7). This is
201
- # typically used to deny access to certain sensible resources if some
202
- # conditions are met or not met. There is no fixed limit to the number of
203
- # "block" statements per instance.
204
- #
205
- # Example:
206
- # acl invalid_src src 0.0.0.0/7 224.0.0.0/3
207
- # acl invalid_src src_port 0:1023
208
- # acl local_dst hdr(host) -i localhost
209
- # block if invalid_src || local_dst
210
- #
211
- # See section 7 about ACL usage.
212
- #
213
- attr_accessor :block
214
-
215
- #
216
- # capture cookie <name> len <length>
217
- # Capture and log a cookie in the request and in the response.
218
- # May be used in sections : defaults | frontend | listen | backend
219
- # no | yes | yes | no
220
- # Arguments :
221
- # <name> is the beginning of the name of the cookie to capture. In order
222
- # to match the exact name, simply suffix the name with an equal
223
- # sign ('='). The full name will appear in the logs, which is
224
- # useful with application servers which adjust both the cookie name
225
- # and value (eg: ASPSESSIONXXXXX).
226
- #
227
- # <length> is the maximum number of characters to report in the logs, which
228
- # include the cookie name, the equal sign and the value, all in the
229
- # standard "name=value" form. The string will be truncated on the
230
- # right if it exceeds <length>.
231
- #
232
- # Only the first cookie is captured. Both the "cookie" request headers and the
233
- # "set-cookie" response headers are monitored. This is particularly useful to
234
- # check for application bugs causing session crossing or stealing between
235
- # users, because generally the user's cookies can only change on a login page.
236
- #
237
- # When the cookie was not presented by the client, the associated log column
238
- # will report "-". When a request does not cause a cookie to be assigned by the
239
- # server, a "-" is reported in the response column.
240
- #
241
- # The capture is performed in the frontend only because it is necessary that
242
- # the log format does not change for a given frontend depending on the
243
- # backends. This may change in the future. Note that there can be only one
244
- # "capture cookie" statement in a frontend. The maximum capture length is
245
- # configured in the sources by default to 64 characters. It is not possible to
246
- # specify a capture in a "defaults" section.
247
- #
248
- # Example:
249
- # capture cookie ASPSESSION len 32
250
- #
251
- # See also : "capture request header", "capture response header" as well as
252
- # section 8 about logging.
253
- #
254
- attr_accessor :capture_cookie
255
-
256
- #
257
- # capture request header <name> len <length>
258
- # Capture and log the first occurrence of the specified request header.
259
- # May be used in sections : defaults | frontend | listen | backend
260
- # no | yes | yes | no
261
- # Arguments :
262
- # <name> is the name of the header to capture. The header names are not
263
- # case-sensitive, but it is a common practice to write them as they
264
- # appear in the requests, with the first letter of each word in
265
- # upper case. The header name will not appear in the logs, only the
266
- # value is reported, but the position in the logs is respected.
267
- #
268
- # <length> is the maximum number of characters to extract from the value and
269
- # report in the logs. The string will be truncated on the right if
270
- # it exceeds <length>.
271
- #
272
- # Only the first value of the last occurrence of the header is captured. The
273
- # value will be added to the logs between braces ('{}'). If multiple headers
274
- # are captured, they will be delimited by a vertical bar ('|') and will appear
275
- # in the same order they were declared in the configuration. Non-existent
276
- # headers will be logged just as an empty string. Common uses for request
277
- # header captures include the "Host" field in virtual hosting environments, the
278
- # "Content-length" when uploads are supported, "User-agent" to quickly
279
- # differentiate between real users and robots, and "X-Forwarded-For" in proxied
280
- # environments to find where the request came from.
281
- #
282
- # Note that when capturing headers such as "User-agent", some spaces may be
283
- # logged, making the log analysis more difficult. Thus be careful about what
284
- # you log if you know your log parser is not smart enough to rely on the
285
- # braces.
286
- #
287
- # There is no limit to the number of captured request headers, but each capture
288
- # is limited to 64 characters. In order to keep log format consistent for a
289
- # same frontend, header captures can only be declared in a frontend. It is not
290
- # possible to specify a capture in a "defaults" section.
291
- #
292
- # Example:
293
- # capture request header Host len 15
294
- # capture request header X-Forwarded-For len 15
295
- # capture request header Referrer len 15
296
- #
297
- # See also : "capture cookie", "capture response header" as well as section 8
298
- # about logging.
299
- #
300
- attr_accessor :capture_request_header
301
-
302
- #
303
- # capture response header <name> len <length>
304
- # Capture and log the first occurrence of the specified response header.
305
- # May be used in sections : defaults | frontend | listen | backend
306
- # no | yes | yes | no
307
- # Arguments :
308
- # <name> is the name of the header to capture. The header names are not
309
- # case-sensitive, but it is a common practice to write them as they
310
- # appear in the response, with the first letter of each word in
311
- # upper case. The header name will not appear in the logs, only the
312
- # value is reported, but the position in the logs is respected.
313
- #
314
- # <length> is the maximum number of characters to extract from the value and
315
- # report in the logs. The string will be truncated on the right if
316
- # it exceeds <length>.
317
- #
318
- # Only the first value of the last occurrence of the header is captured. The
319
- # result will be added to the logs between braces ('{}') after the captured
320
- # request headers. If multiple headers are captured, they will be delimited by
321
- # a vertical bar ('|') and will appear in the same order they were declared in
322
- # the configuration. Non-existent headers will be logged just as an empty
323
- # string. Common uses for response header captures include the "Content-length"
324
- # header which indicates how many bytes are expected to be returned, the
325
- # "Location" header to track redirections.
326
- #
327
- # There is no limit to the number of captured response headers, but each
328
- # capture is limited to 64 characters. In order to keep log format consistent
329
- # for a same frontend, header captures can only be declared in a frontend. It
330
- # is not possible to specify a capture in a "defaults" section.
331
- #
332
- # Example:
333
- # capture response header Content-length len 9
334
- # capture response header Location len 15
335
- #
336
- # See also : "capture cookie", "capture request header" as well as section 8
337
- # about logging.
338
- #
339
- attr_accessor :capture_response_header
340
-
341
- #
342
- # force-persist { if | unless } <condition>
343
- # Declare a condition to force persistence on down servers
344
- # May be used in sections: defaults | frontend | listen | backend
345
- # no | yes | yes | yes
346
- #
347
- # By default, requests are not dispatched to down servers. It is possible to
348
- # force this using "option persist", but it is unconditional and redispatches
349
- # to a valid server if "option redispatch" is set. That leaves with very little
350
- # possibilities to force some requests to reach a server which is artificially
351
- # marked down for maintenance operations.
352
- #
353
- # The "force-persist" statement allows one to declare various ACL-based
354
- # conditions which, when met, will cause a request to ignore the down status of
355
- # a server and still try to connect to it. That makes it possible to start a
356
- # server, still replying an error to the health checks, and run a specially
357
- # configured browser to test the service. Among the handy methods, one could
358
- # use a specific source IP address, or a specific cookie. The cookie also has
359
- # the advantage that it can easily be added/removed on the browser from a test
360
- # page. Once the service is validated, it is then possible to open the service
361
- # to the world by returning a valid response to health checks.
362
- #
363
- # The forced persistence is enabled when an "if" condition is met, or unless an
364
- # "unless" condition is met. The final redispatch is always disabled when this
365
- # is used.
366
- #
367
- # See also : "option redispatch", "ignore-persist", "persist",
368
- # and section 7 about ACL usage.
369
- #
370
- attr_accessor :force_persist
371
-
372
- #
373
- # http-request { allow | deny | auth [realm <realm>] }
374
- # [ { if | unless } <condition> ]
375
- # Access control for Layer 7 requests
376
- #
377
- # May be used in sections: defaults | frontend | listen | backend
378
- # no | yes | yes | yes
379
- #
380
- # These set of options allow to fine control access to a
381
- # frontend/listen/backend. Each option may be followed by if/unless and acl.
382
- # First option with matched condition (or option without condition) is final.
383
- # For "deny" a 403 error will be returned, for "allow" normal processing is
384
- # performed, for "auth" a 401/407 error code is returned so the client
385
- # should be asked to enter a username and password.
386
- #
387
- # There is no fixed limit to the number of http-request statements per
388
- # instance.
389
- #
390
- # Example:
391
- # acl nagios src 192.168.129.3
392
- # acl local_net src 192.168.0.0/16
393
- # acl auth_ok http_auth(L1)
394
- #
395
- # http-request allow if nagios
396
- # http-request allow if local_net auth_ok
397
- # http-request auth realm Gimme if local_net auth_ok
398
- # http-request deny
399
- #
400
- # Example:
401
- # acl auth_ok http_auth_group(L1) G1
402
- #
403
- # http-request auth unless auth_ok
404
- #
405
- # See also : "stats http-request", section 3.4 about userlists and section 7
406
- # about ACL usage.
407
- #
408
- attr_accessor :http_request
409
-
410
- # id <value>
411
- # Set a persistent ID to a proxy.
412
- # May be used in sections : defaults | frontend | listen | backend
413
- # no | yes | yes | yes
414
- # Arguments : none
415
- #
416
- # Set a persistent ID for the proxy. This ID must be unique and positive.
417
- # An unused ID will automatically be assigned if unset. The first assigned
418
- # value will be 1. This ID is currently only returned in statistics.
419
- #
420
- attr_accessor :persistent_id
421
-
422
- #
423
- # ignore-persist { if | unless } <condition>
424
- # Declare a condition to ignore persistence
425
- # May be used in sections: defaults | frontend | listen | backend
426
- # no | yes | yes | yes
427
- #
428
- # By default, when cookie persistence is enabled, every requests containing
429
- # the cookie are unconditionally persistent (assuming the target server is up
430
- # and running).
431
- #
432
- # The "ignore-persist" statement allows one to declare various ACL-based
433
- # conditions which, when met, will cause a request to ignore persistence.
434
- # This is sometimes useful to load balance requests for static files, which
435
- # oftenly don't require persistence. This can also be used to fully disable
436
- # persistence for a specific User-Agent (for example, some web crawler bots).
437
- #
438
- # Combined with "appsession", it can also help reduce HAProxy memory usage, as
439
- # the appsession table won't grow if persistence is ignored.
440
- #
441
- # The persistence is ignored when an "if" condition is met, or unless an
442
- # "unless" condition is met.
443
- #
444
- # See also : "force-persist", "cookie", and section 7 about ACL usage.
445
- #
446
- attr_accessor :ignore_persist
447
-
448
- #
449
- # monitor fail { if | unless } <condition>
450
- # Add a condition to report a failure to a monitor HTTP request.
451
- # May be used in sections : defaults | frontend | listen | backend
452
- # no | yes | yes | no
453
- # Arguments :
454
- # if <cond> the monitor request will fail if the condition is satisfied,
455
- # and will succeed otherwise. The condition should describe a
456
- # combined test which must induce a failure if all conditions
457
- # are met, for instance a low number of servers both in a
458
- # backend and its backup.
459
- #
460
- # unless <cond> the monitor request will succeed only if the condition is
461
- # satisfied, and will fail otherwise. Such a condition may be
462
- # based on a test on the presence of a minimum number of active
463
- # servers in a list of backends.
464
- #
465
- # This statement adds a condition which can force the response to a monitor
466
- # request to report a failure. By default, when an external component queries
467
- # the URI dedicated to monitoring, a 200 response is returned. When one of the
468
- # conditions above is met, haproxy will return 503 instead of 200. This is
469
- # very useful to report a site failure to an external component which may base
470
- # routing advertisements between multiple sites on the availability reported by
471
- # haproxy. In this case, one would rely on an ACL involving the "nbsrv"
472
- # criterion. Note that "monitor fail" only works in HTTP mode.
473
- #
474
- # Example:
475
- # frontend www
476
- # mode http
477
- # acl site_dead nbsrv(dynamic) lt 2
478
- # acl site_dead nbsrv(static) lt 2
479
- # monitor-uri /site_alive
480
- # monitor fail if site_dead
481
- #
482
- # See also : "monitor-net", "monitor-uri"
483
- #
484
- attr_accessor :monitor_fail
485
-
486
- #
487
- # option ignore-persist { if | unless } <condition>
488
- # Declare a condition to ignore persistence
489
- # May be used in sections: defaults | frontend | listen | backend
490
- # no | yes | yes | yes
491
- #
492
- # By default, when cookie persistence is enabled, every requests containing
493
- # the cookie are unconditionally persistent (assuming the target server is up
494
- # and running).
495
- #
496
- # The "ignore-persist" statement allows one to declare various ACL-based
497
- # conditions which, when met, will cause a request to ignore persistence.
498
- # This is sometimes useful to load balance requests for static files, which
499
- # oftenly don't require persistence. This can also be used to fully disable
500
- # persistence for a specific User-Agent (for example, some web crawler bots).
501
- #
502
- # Combined with "appsession", it can also help reduce HAProxy memory usage, as
503
- # the appsession table won't grow if persistence is ignored.
504
- #
505
- # The persistence is ignored when an "if" condition is met, or unless an
506
- # "unless" condition is met.
507
- #
508
- # See also : "option force-persist", "cookie", and section 7 about ACL usage.
509
- #
510
- attr_accessor :option_ignore_presist
511
-
512
- #
513
- # redirect location <to> [code <code>] <option> [(if | unless) <condition>]
514
- # redirect prefix <to> [code <code>] <option> [(if | unless) <condition>]
515
- # Return an HTTP redirection if/unless a condition is matched
516
- # May be used in sections : defaults | frontend | listen | backend
517
- # no | yes | yes | yes
518
- #
519
- # If/unless the condition is matched, the HTTP request will lead to a redirect
520
- # response. If no condition is specified, the redirect applies unconditionally.
521
- #
522
- # Arguments :
523
- # <to> With "redirect location", the exact value in <to> is placed into
524
- # the HTTP "Location" header. In case of "redirect prefix", the
525
- # "Location" header is built from the concatenation of <to> and the
526
- # complete URI, including the query string, unless the "drop-query"
527
- # option is specified (see below). As a special case, if <to>
528
- # equals exactly "/" in prefix mode, then nothing is inserted
529
- # before the original URI. It allows one to redirect to the same
530
- # URL.
531
- #
532
- # <code> The code is optional. It indicates which type of HTTP redirection
533
- # is desired. Only codes 301, 302 and 303 are supported, and 302 is
534
- # used if no code is specified. 301 means "Moved permanently", and
535
- # a browser may cache the Location. 302 means "Moved permanently"
536
- # and means that the browser should not cache the redirection. 303
537
- # is equivalent to 302 except that the browser will fetch the
538
- # location with a GET method.
539
- #
540
- # <option> There are several options which can be specified to adjust the
541
- # expected behaviour of a redirection :
542
- #
543
- # - "drop-query"
544
- # When this keyword is used in a prefix-based redirection, then the
545
- # location will be set without any possible query-string, which is useful
546
- # for directing users to a non-secure page for instance. It has no effect
547
- # with a location-type redirect.
548
- #
549
- # - "append-slash"
550
- # This keyword may be used in conjunction with "drop-query" to redirect
551
- # users who use a URL not ending with a '/' to the same one with the '/'.
552
- # It can be useful to ensure that search engines will only see one URL.
553
- # For this, a return code 301 is preferred.
554
- #
555
- # - "set-cookie NAME[=value]"
556
- # A "Set-Cookie" header will be added with NAME (and optionally "=value")
557
- # to the response. This is sometimes used to indicate that a user has
558
- # been seen, for instance to protect against some types of DoS. No other
559
- # cookie option is added, so the cookie will be a session cookie. Note
560
- # that for a browser, a sole cookie name without an equal sign is
561
- # different from a cookie with an equal sign.
562
- #
563
- # - "clear-cookie NAME[=]"
564
- # A "Set-Cookie" header will be added with NAME (and optionally "="), but
565
- # with the "Max-Age" attribute set to zero. This will tell the browser to
566
- # delete this cookie. It is useful for instance on logout pages. It is
567
- # important to note that clearing the cookie "NAME" will not remove a
568
- # cookie set with "NAME=value". You have to clear the cookie "NAME=" for
569
- # that, because the browser makes the difference.
570
- #
571
- # Example: move the login URL only to HTTPS.
572
- # acl clear dst_port 80
573
- # acl secure dst_port 8080
574
- # acl login_page url_beg /login
575
- # acl logout url_beg /logout
576
- # acl uid_given url_reg /login?userid=[^&]+
577
- # acl cookie_set hdr_sub(cookie) SEEN=1
578
- #
579
- # redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
580
- # redirect prefix https://mysite.com if login_page !secure
581
- # redirect prefix http://mysite.com drop-query if login_page !uid_given
582
- # redirect location http://mysite.com/ if !login_page secure
583
- # redirect location / clear-cookie USERID= if logout
584
- #
585
- # Example: send redirects for request for articles without a '/'.
586
- # acl missing_slash path_reg ^/article/[^/]*$
587
- # redirect code 301 prefix / drop-query append-slash if missing_slash
588
- #
589
- # See section 7 about ACL usage.
590
- #
591
- attr_accessor :redirect
592
-
593
- #
594
- # reqadd <string> [(if | unless) <cond>]
595
- # Add a header at the end of the HTTP request
596
- # May be used in sections : defaults | frontend | listen | backend
597
- # no | yes | yes | yes
598
- # Arguments :
599
- # <string> is the complete line to be added. Any space or known delimiter
600
- # must be escaped using a backslash ('\'). Please refer to section
601
- # 6 about HTTP header manipulation for more information.
602
- #
603
- # <cond> is an optional matching condition built from ACLs. It makes it
604
- # possible to ignore this rule when other conditions are not met.
605
- #
606
- # A new line consisting in <string> followed by a line feed will be added after
607
- # the last header of an HTTP request.
608
- #
609
- # Header transformations only apply to traffic which passes through HAProxy,
610
- # and not to traffic generated by HAProxy, such as health-checks or error
611
- # responses.
612
- #
613
- # Example : add "X-Proto: SSL" to requests coming via port 81
614
- # acl is-ssl dst_port 81
615
- # reqadd X-Proto:\ SSL if is-ssl
616
- #
617
- # See also: "rspadd", section 6 about HTTP header manipulation, and section 7
618
- # about ACLs.
619
- #
620
- attr_accessor :reqadd
621
-
622
- #
623
- # reqallow <search> [(if | unless) <cond>]
624
- # reqiallow <search> [(if | unless) <cond>] (ignore case)
625
- # Definitely allow an HTTP request if a line matches a regular expression
626
- # May be used in sections : defaults | frontend | listen | backend
627
- # no | yes | yes | yes
628
- # Arguments :
629
- # <search> is the regular expression applied to HTTP headers and to the
630
- # request line. This is an extended regular expression. Parenthesis
631
- # grouping is supported and no preliminary backslash is required.
632
- # Any space or known delimiter must be escaped using a backslash
633
- # ('\'). The pattern applies to a full line at a time. The
634
- # "reqallow" keyword strictly matches case while "reqiallow"
635
- # ignores case.
636
- #
637
- # <cond> is an optional matching condition built from ACLs. It makes it
638
- # possible to ignore this rule when other conditions are not met.
639
- #
640
- # A request containing any line which matches extended regular expression
641
- # <search> will mark the request as allowed, even if any later test would
642
- # result in a deny. The test applies both to the request line and to request
643
- # headers. Keep in mind that URLs in request line are case-sensitive while
644
- # header names are not.
645
- #
646
- # It is easier, faster and more powerful to use ACLs to write access policies.
647
- # Reqdeny, reqallow and reqpass should be avoided in new designs.
648
- #
649
- # Example :
650
- # # allow www.* but refuse *.local
651
- # reqiallow ^Host:\ www\.
652
- # reqideny ^Host:\ .*\.local
653
- #
654
- # See also: "reqdeny", "block", section 6 about HTTP header manipulation, and
655
- # section 7 about ACLs.
656
- #
657
- attr_accessor :reqallow
658
- attr_accessor :reqiallow
659
-
660
- #
661
- # reqdel <search> [(if | unless) <cond>]
662
- # reqidel <search> [(if | unless) <cond>] (ignore case)
663
- # Delete all headers matching a regular expression in an HTTP request
664
- # May be used in sections : defaults | frontend | listen | backend
665
- # no | yes | yes | yes
666
- # Arguments :
667
- # <search> is the regular expression applied to HTTP headers and to the
668
- # request line. This is an extended regular expression. Parenthesis
669
- # grouping is supported and no preliminary backslash is required.
670
- # Any space or known delimiter must be escaped using a backslash
671
- # ('\'). The pattern applies to a full line at a time. The "reqdel"
672
- # keyword strictly matches case while "reqidel" ignores case.
673
- #
674
- # <cond> is an optional matching condition built from ACLs. It makes it
675
- # possible to ignore this rule when other conditions are not met.
676
- #
677
- # Any header line matching extended regular expression <search> in the request
678
- # will be completely deleted. Most common use of this is to remove unwanted
679
- # and/or dangerous headers or cookies from a request before passing it to the
680
- # next servers.
681
- #
682
- # Header transformations only apply to traffic which passes through HAProxy,
683
- # and not to traffic generated by HAProxy, such as health-checks or error
684
- # responses. Keep in mind that header names are not case-sensitive.
685
- #
686
- # Example :
687
- # # remove X-Forwarded-For header and SERVER cookie
688
- # reqidel ^X-Forwarded-For:.*
689
- # reqidel ^Cookie:.*SERVER=
690
- #
691
- # See also: "reqadd", "reqrep", "rspdel", section 6 about HTTP header
692
- # manipulation, and section 7 about ACLs.
693
- #
694
- attr_accessor :reqdel
695
- attr_accessor :reqidel
696
-
697
- #
698
- # reqdeny <search> [(if | unless) <cond>]
699
- # reqideny <search> [(if | unless) <cond>] (ignore case)
700
- # Deny an HTTP request if a line matches a regular expression
701
- # May be used in sections : defaults | frontend | listen | backend
702
- # no | yes | yes | yes
703
- # Arguments :
704
- # <search> is the regular expression applied to HTTP headers and to the
705
- # request line. This is an extended regular expression. Parenthesis
706
- # grouping is supported and no preliminary backslash is required.
707
- # Any space or known delimiter must be escaped using a backslash
708
- # ('\'). The pattern applies to a full line at a time. The
709
- # "reqdeny" keyword strictly matches case while "reqideny" ignores
710
- # case.
711
- #
712
- # <cond> is an optional matching condition built from ACLs. It makes it
713
- # possible to ignore this rule when other conditions are not met.
714
- #
715
- # A request containing any line which matches extended regular expression
716
- # <search> will mark the request as denied, even if any later test would
717
- # result in an allow. The test applies both to the request line and to request
718
- # headers. Keep in mind that URLs in request line are case-sensitive while
719
- # header names are not.
720
- #
721
- # A denied request will generate an "HTTP 403 forbidden" response once the
722
- # complete request has been parsed. This is consistent with what is practiced
723
- # using ACLs.
724
- #
725
- # It is easier, faster and more powerful to use ACLs to write access policies.
726
- # Reqdeny, reqallow and reqpass should be avoided in new designs.
727
- #
728
- # Example :
729
- # # refuse *.local, then allow www.*
730
- # reqideny ^Host:\ .*\.local
731
- # reqiallow ^Host:\ www\.
732
- #
733
- # See also: "reqallow", "rspdeny", "block", section 6 about HTTP header
734
- # manipulation, and section 7 about ACLs.
735
- #
736
- attr_accessor :reqdeny
737
- attr_accessor :reqideny
738
-
739
- #
740
- # reqpass <search> [(if | unless) <cond>]
741
- # reqipass <search> [(if | unless) <cond>] (ignore case)
742
- # Ignore any HTTP request line matching a regular expression in next rules
743
- # May be used in sections : defaults | frontend | listen | backend
744
- # no | yes | yes | yes
745
- # Arguments :
746
- # <search> is the regular expression applied to HTTP headers and to the
747
- # request line. This is an extended regular expression. Parenthesis
748
- # grouping is supported and no preliminary backslash is required.
749
- # Any space or known delimiter must be escaped using a backslash
750
- # ('\'). The pattern applies to a full line at a time. The
751
- # "reqpass" keyword strictly matches case while "reqipass" ignores
752
- # case.
753
- #
754
- # <cond> is an optional matching condition built from ACLs. It makes it
755
- # possible to ignore this rule when other conditions are not met.
756
- #
757
- # A request containing any line which matches extended regular expression
758
- # <search> will skip next rules, without assigning any deny or allow verdict.
759
- # The test applies both to the request line and to request headers. Keep in
760
- # mind that URLs in request line are case-sensitive while header names are not.
761
- #
762
- # It is easier, faster and more powerful to use ACLs to write access policies.
763
- # Reqdeny, reqallow and reqpass should be avoided in new designs.
764
- #
765
- # Example :
766
- # # refuse *.local, then allow www.*, but ignore "www.private.local"
767
- # reqipass ^Host:\ www.private\.local
768
- # reqideny ^Host:\ .*\.local
769
- # reqiallow ^Host:\ www\.
770
- #
771
- # See also: "reqallow", "reqdeny", "block", section 6 about HTTP header
772
- # manipulation, and section 7 about ACLs.
773
- #
774
- attr_accessor :reqpass
775
- attr_accessor :reqipass
776
-
777
- #
778
- # reqrep <search> <string> [(if | unless) <cond>]
779
- # reqirep <search> <string> [(if | unless) <cond>] (ignore case)
780
- # Replace a regular expression with a string in an HTTP request line
781
- # May be used in sections : defaults | frontend | listen | backend
782
- # no | yes | yes | yes
783
- # Arguments :
784
- # <search> is the regular expression applied to HTTP headers and to the
785
- # request line. This is an extended regular expression. Parenthesis
786
- # grouping is supported and no preliminary backslash is required.
787
- # Any space or known delimiter must be escaped using a backslash
788
- # ('\'). The pattern applies to a full line at a time. The "reqrep"
789
- # keyword strictly matches case while "reqirep" ignores case.
790
- #
791
- # <string> is the complete line to be added. Any space or known delimiter
792
- # must be escaped using a backslash ('\'). References to matched
793
- # pattern groups are possible using the common \N form, with N
794
- # being a single digit between 0 and 9. Please refer to section
795
- # 6 about HTTP header manipulation for more information.
796
- #
797
- # <cond> is an optional matching condition built from ACLs. It makes it
798
- # possible to ignore this rule when other conditions are not met.
799
- #
800
- # Any line matching extended regular expression <search> in the request (both
801
- # the request line and header lines) will be completely replaced with <string>.
802
- # Most common use of this is to rewrite URLs or domain names in "Host" headers.
803
- #
804
- # Header transformations only apply to traffic which passes through HAProxy,
805
- # and not to traffic generated by HAProxy, such as health-checks or error
806
- # responses. Note that for increased readability, it is suggested to add enough
807
- # spaces between the request and the response. Keep in mind that URLs in
808
- # request line are case-sensitive while header names are not.
809
- #
810
- # Example :
811
- # # replace "/static/" with "/" at the beginning of any request path.
812
- # reqrep ^([^\ ]*)\ /static/(.*) \1\ /\2
813
- # # replace "www.mydomain.com" with "www" in the host name.
814
- # reqirep ^Host:\ www.mydomain.com Host:\ www
815
- #
816
- # See also: "reqadd", "reqdel", "rsprep", section 6 about HTTP header
817
- # manipulation, and section 7 about ACLs.
818
- #
819
- attr_accessor :reqrep
820
- attr_accessor :reqirep
821
-
822
- #
823
- # reqtarpit <search> [(if | unless) <cond>]
824
- # reqitarpit <search> [(if | unless) <cond>] (ignore case)
825
- # Tarpit an HTTP request containing a line matching a regular expression
826
- # May be used in sections : defaults | frontend | listen | backend
827
- # no | yes | yes | yes
828
- # Arguments :
829
- # <search> is the regular expression applied to HTTP headers and to the
830
- # request line. This is an extended regular expression. Parenthesis
831
- # grouping is supported and no preliminary backslash is required.
832
- # Any space or known delimiter must be escaped using a backslash
833
- # ('\'). The pattern applies to a full line at a time. The
834
- # "reqtarpit" keyword strictly matches case while "reqitarpit"
835
- # ignores case.
836
- #
837
- # <cond> is an optional matching condition built from ACLs. It makes it
838
- # possible to ignore this rule when other conditions are not met.
839
- #
840
- # A request containing any line which matches extended regular expression
841
- # <search> will be tarpitted, which means that it will connect to nowhere, will
842
- # be kept open for a pre-defined time, then will return an HTTP error 500 so
843
- # that the attacker does not suspect it has been tarpitted. The status 500 will
844
- # be reported in the logs, but the completion flags will indicate "PT". The
845
- # delay is defined by "timeout tarpit", or "timeout connect" if the former is
846
- # not set.
847
- #
848
- # The goal of the tarpit is to slow down robots attacking servers with
849
- # identifiable requests. Many robots limit their outgoing number of connections
850
- # and stay connected waiting for a reply which can take several minutes to
851
- # come. Depending on the environment and attack, it may be particularly
852
- # efficient at reducing the load on the network and firewalls.
853
- #
854
- # Examples :
855
- # # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
856
- # # block all others.
857
- # reqipass ^User-Agent:\.*(Mozilla|MSIE)
858
- # reqitarpit ^User-Agent:
859
- #
860
- # # block bad guys
861
- # acl badguys src 10.1.0.3 172.16.13.20/28
862
- # reqitarpit . if badguys
863
- #
864
- # See also: "reqallow", "reqdeny", "reqpass", section 6 about HTTP header
865
- # manipulation, and section 7 about ACLs.
866
- #
867
- attr_accessor :reqtarpit
868
- attr_accessor :reqitarpit
869
-
870
- #
871
- # rspadd <string> [(if | unless) <cond>]
872
- # Add a header at the end of the HTTP response
873
- # May be used in sections : defaults | frontend | listen | backend
874
- # no | yes | yes | yes
875
- # Arguments :
876
- # <string> is the complete line to be added. Any space or known delimiter
877
- # must be escaped using a backslash ('\'). Please refer to section
878
- # 6 about HTTP header manipulation for more information.
879
- #
880
- # <cond> is an optional matching condition built from ACLs. It makes it
881
- # possible to ignore this rule when other conditions are not met.
882
- #
883
- # A new line consisting in <string> followed by a line feed will be added after
884
- # the last header of an HTTP response.
885
- #
886
- # Header transformations only apply to traffic which passes through HAProxy,
887
- # and not to traffic generated by HAProxy, such as health-checks or error
888
- # responses.
889
- #
890
- # See also: "reqadd", section 6 about HTTP header manipulation, and section 7
891
- # about ACLs.
892
- #
893
- attr_accessor :rspadd
894
-
895
- #
896
- # rspdel <search> [(if | unless) <cond>]
897
- # rspidel <search> [(if | unless) <cond>] (ignore case)
898
- # Delete all headers matching a regular expression in an HTTP response
899
- # May be used in sections : defaults | frontend | listen | backend
900
- # no | yes | yes | yes
901
- # Arguments :
902
- # <search> is the regular expression applied to HTTP headers and to the
903
- # response line. This is an extended regular expression, so
904
- # parenthesis grouping is supported and no preliminary backslash
905
- # is required. Any space or known delimiter must be escaped using
906
- # a backslash ('\'). The pattern applies to a full line at a time.
907
- # The "rspdel" keyword strictly matches case while "rspidel"
908
- # ignores case.
909
- #
910
- # <cond> is an optional matching condition built from ACLs. It makes it
911
- # possible to ignore this rule when other conditions are not met.
912
- #
913
- # Any header line matching extended regular expression <search> in the response
914
- # will be completely deleted. Most common use of this is to remove unwanted
915
- # and/or sensible headers or cookies from a response before passing it to the
916
- # client.
917
- #
918
- # Header transformations only apply to traffic which passes through HAProxy,
919
- # and not to traffic generated by HAProxy, such as health-checks or error
920
- # responses. Keep in mind that header names are not case-sensitive.
921
- #
922
- # Example :
923
- # # remove the Server header from responses
924
- # reqidel ^Server:.*
925
- #
926
- # See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
927
- # manipulation, and section 7 about ACLs.
928
- #
929
- attr_accessor :rspdel
930
- attr_accessor :rspidel
931
-
932
- #
933
- # rspdeny <search> [(if | unless) <cond>]
934
- # rspideny <search> [(if | unless) <cond>] (ignore case)
935
- # Block an HTTP response if a line matches a regular expression
936
- # May be used in sections : defaults | frontend | listen | backend
937
- # no | yes | yes | yes
938
- # Arguments :
939
- # <search> is the regular expression applied to HTTP headers and to the
940
- # response line. This is an extended regular expression, so
941
- # parenthesis grouping is supported and no preliminary backslash
942
- # is required. Any space or known delimiter must be escaped using
943
- # a backslash ('\'). The pattern applies to a full line at a time.
944
- # The "rspdeny" keyword strictly matches case while "rspideny"
945
- # ignores case.
946
- #
947
- # <cond> is an optional matching condition built from ACLs. It makes it
948
- # possible to ignore this rule when other conditions are not met.
949
- #
950
- # A response containing any line which matches extended regular expression
951
- # <search> will mark the request as denied. The test applies both to the
952
- # response line and to response headers. Keep in mind that header names are not
953
- # case-sensitive.
954
- #
955
- # Main use of this keyword is to prevent sensitive information leak and to
956
- # block the response before it reaches the client. If a response is denied, it
957
- # will be replaced with an HTTP 502 error so that the client never retrieves
958
- # any sensitive data.
959
- #
960
- # It is easier, faster and more powerful to use ACLs to write access policies.
961
- # Rspdeny should be avoided in new designs.
962
- #
963
- # Example :
964
- # # Ensure that no content type matching ms-word will leak
965
- # rspideny ^Content-type:\.*/ms-word
966
- #
967
- # See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
968
- # and section 7 about ACLs.
969
- #
970
- attr_accessor :rspdeny
971
- attr_accessor :rspideny
972
-
973
- #
974
- # rsprep <search> <string> [(if | unless) <cond>]
975
- # rspirep <search> <string> [(if | unless) <cond>] (ignore case)
976
- # Replace a regular expression with a string in an HTTP response line
977
- # May be used in sections : defaults | frontend | listen | backend
978
- # no | yes | yes | yes
979
- # Arguments :
980
- # <search> is the regular expression applied to HTTP headers and to the
981
- # response line. This is an extended regular expression, so
982
- # parenthesis grouping is supported and no preliminary backslash
983
- # is required. Any space or known delimiter must be escaped using
984
- # a backslash ('\'). The pattern applies to a full line at a time.
985
- # The "rsprep" keyword strictly matches case while "rspirep"
986
- # ignores case.
987
- #
988
- # <string> is the complete line to be added. Any space or known delimiter
989
- # must be escaped using a backslash ('\'). References to matched
990
- # pattern groups are possible using the common \N form, with N
991
- # being a single digit between 0 and 9. Please refer to section
992
- # 6 about HTTP header manipulation for more information.
993
- #
994
- # <cond> is an optional matching condition built from ACLs. It makes it
995
- # possible to ignore this rule when other conditions are not met.
996
- #
997
- # Any line matching extended regular expression <search> in the response (both
998
- # the response line and header lines) will be completely replaced with
999
- # <string>. Most common use of this is to rewrite Location headers.
1000
- #
1001
- # Header transformations only apply to traffic which passes through HAProxy,
1002
- # and not to traffic generated by HAProxy, such as health-checks or error
1003
- # responses. Note that for increased readability, it is suggested to add enough
1004
- # spaces between the request and the response. Keep in mind that header names
1005
- # are not case-sensitive.
1006
- #
1007
- # Example :
1008
- # # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
1009
- # rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
1010
- #
1011
- # See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
1012
- # manipulation, and section 7 about ACLs.
1013
- #
1014
- attr_accessor :rsprep
1015
- attr_accessor :rspirep
1016
-
1017
- #
1018
- # tcp-request connection <action> [(if | unless) <condition>]
1019
- # Perform an action on an incoming connection depending on a layer 4 condition
1020
- # May be used in sections : defaults | frontend | listen | backend
1021
- # no | yes | yes | no
1022
- # Arguments :
1023
- # <action> defines the action to perform if the condition applies. Valid
1024
- # actions include : "accept", "reject", "track-sc1", "track-sc2".
1025
- # See below for more details.
1026
- #
1027
- # <condition> is a standard layer4-only ACL-based condition (see section 7).
1028
- #
1029
- # Immediately after acceptance of a new incoming connection, it is possible to
1030
- # evaluate some conditions to decide whether this connection must be accepted
1031
- # or dropped or have its counters tracked. Those conditions cannot make use of
1032
- # any data contents because the connection has not been read from yet, and the
1033
- # buffers are not yet allocated. This is used to selectively and very quickly
1034
- # accept or drop connections from various sources with a very low overhead. If
1035
- # some contents need to be inspected in order to take the decision, the
1036
- # "tcp-request content" statements must be used instead.
1037
- #
1038
- # The "tcp-request connection" rules are evaluated in their exact declaration
1039
- # order. If no rule matches or if there is no rule, the default action is to
1040
- # accept the incoming connection. There is no specific limit to the number of
1041
- # rules which may be inserted.
1042
- #
1043
- # Three types of actions are supported :
1044
- # - accept :
1045
- # accepts the connection if the condition is true (when used with "if")
1046
- # or false (when used with "unless"). The first such rule executed ends
1047
- # the rules evaluation.
1048
- #
1049
- # - reject :
1050
- # rejects the connection if the condition is true (when used with "if")
1051
- # or false (when used with "unless"). The first such rule executed ends
1052
- # the rules evaluation. Rejected connections do not even become a
1053
- # session, which is why they are accounted separately for in the stats,
1054
- # as "denied connections". They are not considered for the session
1055
- # rate-limit and are not logged either. The reason is that these rules
1056
- # should only be used to filter extremely high connection rates such as
1057
- # the ones encountered during a massive DDoS attack. Under these extreme
1058
- # conditions, the simple action of logging each event would make the
1059
- # system collapse and would considerably lower the filtering capacity. If
1060
- # logging is absolutely desired, then "tcp-request content" rules should
1061
- # be used instead.
1062
- #
1063
- # - { track-sc1 | track-sc2 } <key> [table <table>] :
1064
- # enables tracking of sticky counters from current connection. These
1065
- # rules do not stop evaluation and do not change default action. Two sets
1066
- # of counters may be simultaneously tracked by the same connection. The
1067
- # first "track-sc1" rule executed enables tracking of the counters of the
1068
- # specified table as the first set. The first "track-sc2" rule executed
1069
- # enables tracking of the counters of the specified table as the second
1070
- # set. It is a recommended practice to use the first set of counters for
1071
- # the per-frontend counters and the second set for the per-backend ones.
1072
- #
1073
- # These actions take one or two arguments :
1074
- # <key> is mandatory, and defines the criterion the tracking key will
1075
- # be derived from. At the moment, only "src" is supported. With
1076
- # it, the key will be the connection's source IPv4 address.
1077
- #
1078
- # <table> is an optional table to be used instead of the default one,
1079
- # which is the stick-table declared in the current proxy. All
1080
- # the counters for the matches and updates for the key will
1081
- # then be performed in that table until the session ends.
1082
- #
1083
- # Once a "track-sc*" rule is executed, the key is looked up in the table
1084
- # and if it is not found, an entry is allocated for it. Then a pointer to
1085
- # that entry is kept during all the session's life, and this entry's
1086
- # counters are updated as often as possible, every time the session's
1087
- # counters are updated, and also systematically when the session ends.
1088
- # If the entry tracks concurrent connection counters, one connection is
1089
- # counted for as long as the entry is tracked, and the entry will not
1090
- # expire during that time. Tracking counters also provides a performance
1091
- # advantage over just checking the keys, because only one table lookup is
1092
- # performed for all ACL checks that make use of it.
1093
- #
1094
- # Note that the "if/unless" condition is optional. If no condition is set on
1095
- # the action, it is simply performed unconditionally. That can be useful for
1096
- # "track-sc*" actions as well as for changing the default action to a reject.
1097
- #
1098
- # Example: accept all connections from white-listed hosts, reject too fast
1099
- # connection without counting them, and track accepted connections.
1100
- # This results in connection rate being capped from abusive sources.
1101
- #
1102
- # tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
1103
- # tcp-request connection reject if { src_conn_rate gt 10 }
1104
- # tcp-request connection track-sc1 src
1105
- #
1106
- # Example: accept all connections from white-listed hosts, count all other
1107
- # connections and reject too fast ones. This results in abusive ones
1108
- # being blocked as long as they don't slow down.
1109
- #
1110
- # tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
1111
- # tcp-request connection track-sc1 src
1112
- # tcp-request connection reject if { sc1_conn_rate gt 10 }
1113
- #
1114
- # See section 7 about ACL usage.
1115
- #
1116
- # See also : "tcp-request content", "stick-table"
1117
- #
1118
- attr_accessor :tcp_request_connection
1119
-
1120
- #
1121
- # tcp-request content <action> [(if | unless) <condition>]
1122
- # Perform an action on a new session depending on a layer 4-7 condition
1123
- # May be used in sections : defaults | frontend | listen | backend
1124
- # no | yes | yes | yes
1125
- # Arguments :
1126
- # <action> defines the action to perform if the condition applies. Valid
1127
- # actions include : "accept", "reject", "track-sc1", "track-sc2".
1128
- # See "tcp-request connection" above for their signification.
1129
- #
1130
- # <condition> is a standard layer 4-7 ACL-based condition (see section 7).
1131
- #
1132
- # A request's contents can be analysed at an early stage of request processing
1133
- # called "TCP content inspection". During this stage, ACL-based rules are
1134
- # evaluated every time the request contents are updated, until either an
1135
- # "accept" or a "reject" rule matches, or the TCP request inspection delay
1136
- # expires with no matching rule.
1137
- #
1138
- # The first difference between these rules and "tcp-request connection" rules
1139
- # is that "tcp-request content" rules can make use of contents to take a
1140
- # decision. Most often, these decisions will consider a protocol recognition or
1141
- # validity. The second difference is that content-based rules can be used in
1142
- # both frontends and backends. In frontends, they will be evaluated upon new
1143
- # connections. In backends, they will be evaluated once a session is assigned
1144
- # a backend. This means that a single frontend connection may be evaluated
1145
- # several times by one or multiple backends when a session gets reassigned
1146
- # (for instance after a client-side HTTP keep-alive request).
1147
- #
1148
- # Content-based rules are evaluated in their exact declaration order. If no
1149
- # rule matches or if there is no rule, the default action is to accept the
1150
- # contents. There is no specific limit to the number of rules which may be
1151
- # inserted.
1152
- #
1153
- # Three types of actions are supported :
1154
- # - accept :
1155
- # - reject :
1156
- # - { track-sc1 | track-sc2 } <key> [table <table>]
1157
- #
1158
- # They have the same meaning as their counter-parts in "tcp-request connection"
1159
- # so please refer to that section for a complete description.
1160
- #
1161
- # Also, it is worth noting that if sticky counters are tracked from a rule
1162
- # defined in a backend, this tracking will automatically end when the session
1163
- # releases the backend. That allows per-backend counter tracking even in case
1164
- # of HTTP keep-alive requests when the backend changes. While there is nothing
1165
- # mandatory about it, it is recommended to use the track-sc1 pointer to track
1166
- # per-frontend counters and track-sc2 to track per-backend counters.
1167
- #
1168
- # Note that the "if/unless" condition is optional. If no condition is set on
1169
- # the action, it is simply performed unconditionally. That can be useful for
1170
- # "track-sc*" actions as well as for changing the default action to a reject.
1171
- #
1172
- # It is perfectly possible to match layer 7 contents with "tcp-request content"
1173
- # rules, but then it is important to ensure that a full request has been
1174
- # buffered, otherwise no contents will match. In order to achieve this, the
1175
- # best solution involves detecting the HTTP protocol during the inspection
1176
- # period.
1177
- #
1178
- # Example:
1179
- # # Accept HTTP requests containing a Host header saying "example.com"
1180
- # # and reject everything else.
1181
- # acl is_host_com hdr(Host) -i example.com
1182
- # tcp-request inspect-delay 30s
1183
- # tcp-request content accept if HTTP is_host_com
1184
- # tcp-request content reject
1185
- #
1186
- # Example:
1187
- # # reject SMTP connection if client speaks first
1188
- # tcp-request inspect-delay 30s
1189
- # acl content_present req_len gt 0
1190
- # tcp-request content reject if content_present
1191
- #
1192
- # # Forward HTTPS connection only if client speaks
1193
- # tcp-request inspect-delay 30s
1194
- # acl content_present req_len gt 0
1195
- # tcp-request content accept if content_present
1196
- # tcp-request content reject
1197
- #
1198
- # Example: track per-frontend and per-backend counters, block abusers at the
1199
- # frontend when the backend detects abuse.
1200
- #
1201
- # frontend http
1202
- # # Use General Purpose Couter 0 in SC1 as a global abuse counter
1203
- # # protecting all our sites
1204
- # stick-table type ip size 1m expire 5m store gpc0
1205
- # tcp-request connection track-sc1 src
1206
- # tcp-request connection reject if { sc1_get_gpc0 gt 0 }
1207
- # ...
1208
- # use_backend http_dynamic if { path_end .php }
1209
- #
1210
- # backend http_dynamic
1211
- # # if a source makes too fast requests to this dynamic site (tracked
1212
- # # by SC2), block it globally in the frontend.
1213
- # stick-table type ip size 1m expire 5m store http_req_rate(10s)
1214
- # acl click_too_fast sc2_http_req_rate gt 10
1215
- # acl mark_as_abuser sc1_inc_gpc0
1216
- # tcp-request content track-sc2 src
1217
- # tcp-request content reject if click_too_fast mark_as_abuser
1218
- #
1219
- # See section 7 about ACL usage.
1220
- #
1221
- # See also : "tcp-request connection", "tcp-request inspect-delay"
1222
- #
1223
- attr_accessor :tcp_request_content
1224
-
1225
- #
1226
- # tcp-request inspect-delay <timeout>
1227
- # Set the maximum allowed time to wait for data during content inspection
1228
- # May be used in sections : defaults | frontend | listen | backend
1229
- # no | yes | yes | yes
1230
- # Arguments :
1231
- # <timeout> is the timeout value specified in milliseconds by default, but
1232
- # can be in any other unit if the number is suffixed by the unit,
1233
- # as explained at the top of this document.
1234
- #
1235
- # People using haproxy primarily as a TCP relay are often worried about the
1236
- # risk of passing any type of protocol to a server without any analysis. In
1237
- # order to be able to analyze the request contents, we must first withhold
1238
- # the data then analyze them. This statement simply enables withholding of
1239
- # data for at most the specified amount of time.
1240
- #
1241
- # TCP content inspection applies very early when a connection reaches a
1242
- # frontend, then very early when the connection is forwarded to a backend. This
1243
- # means that a connection may experience a first delay in the frontend and a
1244
- # second delay in the backend if both have tcp-request rules.
1245
- #
1246
- # Note that when performing content inspection, haproxy will evaluate the whole
1247
- # rules for every new chunk which gets in, taking into account the fact that
1248
- # those data are partial. If no rule matches before the aforementioned delay,
1249
- # a last check is performed upon expiration, this time considering that the
1250
- # contents are definitive. If no delay is set, haproxy will not wait at all
1251
- # and will immediately apply a verdict based on the available information.
1252
- # Obviously this is unlikely to be very useful and might even be racy, so such
1253
- # setups are not recommended.
1254
- #
1255
- # As soon as a rule matches, the request is released and continues as usual. If
1256
- # the timeout is reached and no rule matches, the default policy will be to let
1257
- # it pass through unaffected.
1258
- #
1259
- # For most protocols, it is enough to set it to a few seconds, as most clients
1260
- # send the full request immediately upon connection. Add 3 or more seconds to
1261
- # cover TCP retransmits but that's all. For some protocols, it may make sense
1262
- # to use large values, for instance to ensure that the client never talks
1263
- # before the server (eg: SMTP), or to wait for a client to talk before passing
1264
- # data to the server (eg: SSL). Note that the client timeout must cover at
1265
- # least the inspection delay, otherwise it will expire first. If the client
1266
- # closes the connection or if the buffer is full, the delay immediately expires
1267
- # since the contents will not be able to change anymore.
1268
- #
1269
- # See also : "tcp-request content accept", "tcp-request content reject",
1270
- # "timeout client".
1271
- #
1272
- attr_accessor :tcp_request_inspect_delay
1273
-
1274
- #
1275
- # use_backend <backend> if <condition>
1276
- # use_backend <backend> unless <condition>
1277
- # Switch to a specific backend if/unless an ACL-based condition is matched.
1278
- # May be used in sections : defaults | frontend | listen | backend
1279
- # no | yes | yes | no
1280
- # Arguments :
1281
- # <backend> is the name of a valid backend or "listen" section.
1282
- #
1283
- # <condition> is a condition composed of ACLs, as described in section 7.
1284
- #
1285
- # When doing content-switching, connections arrive on a frontend and are then
1286
- # dispatched to various backends depending on a number of conditions. The
1287
- # relation between the conditions and the backends is described with the
1288
- # "use_backend" keyword. While it is normally used with HTTP processing, it can
1289
- # also be used in pure TCP, either without content using stateless ACLs (eg:
1290
- # source address validation) or combined with a "tcp-request" rule to wait for
1291
- # some payload.
1292
- #
1293
- # There may be as many "use_backend" rules as desired. All of these rules are
1294
- # evaluated in their declaration order, and the first one which matches will
1295
- # assign the backend.
1296
- #
1297
- # In the first form, the backend will be used if the condition is met. In the
1298
- # second form, the backend will be used if the condition is not met. If no
1299
- # condition is valid, the backend defined with "default_backend" will be used.
1300
- # If no default backend is defined, either the servers in the same section are
1301
- # used (in case of a "listen" section) or, in case of a frontend, no server is
1302
- # used and a 503 service unavailable response is returned.
1303
- #
1304
- # Note that it is possible to switch from a TCP frontend to an HTTP backend. In
1305
- # this case, either the frontend has already checked that the protocol is HTTP,
1306
- # and backend processing will immediately follow, or the backend will wait for
1307
- # a complete HTTP request to get in. This feature is useful when a frontend
1308
- # must decode several protocols on a unique port, one of them being HTTP.
1309
- #
1310
- # See also: "default_backend", "tcp-request", and section 7 about ACLs.
1311
- #
1312
- attr_accessor :use_backend
1313
-
1314
- #
1315
- # description <text>
1316
- # Add a text that describes the instance.
1317
- #
1318
- # Please note that it is required to escape certain characters (# for example)
1319
- # and this text is inserted into a html page so you should avoid using
1320
- # "<" and ">" characters.
1321
- #
1322
- attr_accessor :description
1323
-
1324
- #
1325
- # backlog <conns>
1326
- # Give hints to the system about the approximate listen backlog desired size
1327
- # May be used in sections : defaults | frontend | listen | backend
1328
- # yes | yes | yes | no
1329
- # Arguments :
1330
- # <conns> is the number of pending connections. Depending on the operating
1331
- # system, it may represent the number of already acknowledged
1332
- # connections, of non-acknowledged ones, or both.
1333
- #
1334
- # In order to protect against SYN flood attacks, one solution is to increase
1335
- # the system's SYN backlog size. Depending on the system, sometimes it is just
1336
- # tunable via a system parameter, sometimes it is not adjustable at all, and
1337
- # sometimes the system relies on hints given by the application at the time of
1338
- # the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1339
- # to the listen() syscall. On systems which can make use of this value, it can
1340
- # sometimes be useful to be able to specify a different value, hence this
1341
- # backlog parameter.
1342
- #
1343
- # On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1344
- # used as a hint and the system accepts up to the smallest greater power of
1345
- # two, and never more than some limits (usually 32768).
1346
- #
1347
- # See also : "maxconn" and the target operating system's tuning guide.
1348
- #
1349
- attr_accessor :backlog
1350
-
1351
- #
1352
- # bind-process [ all | odd | even | <number 1-32> ] ...
1353
- # Limit visibility of an instance to a certain set of processes numbers.
1354
- # May be used in sections : defaults | frontend | listen | backend
1355
- # yes | yes | yes | yes
1356
- # Arguments :
1357
- # all All process will see this instance. This is the default. It
1358
- # may be used to override a default value.
1359
- #
1360
- # odd This instance will be enabled on processes 1,3,5,...31. This
1361
- # option may be combined with other numbers.
1362
- #
1363
- # even This instance will be enabled on processes 2,4,6,...32. This
1364
- # option may be combined with other numbers. Do not use it
1365
- # with less than 2 processes otherwise some instances might be
1366
- # missing from all processes.
1367
- #
1368
- # number The instance will be enabled on this process number, between
1369
- # 1 and 32. You must be careful not to reference a process
1370
- # number greater than the configured global.nbproc, otherwise
1371
- # some instances might be missing from all processes.
1372
- #
1373
- # This keyword limits binding of certain instances to certain processes. This
1374
- # is useful in order not to have too many processes listening to the same
1375
- # ports. For instance, on a dual-core machine, it might make sense to set
1376
- # 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1377
- # and 'even' instances.
1378
- #
1379
- # At the moment, it is not possible to reference more than 32 processes using
1380
- # this keyword, but this should be more than enough for most setups. Please
1381
- # note that 'all' really means all processes and is not limited to the first
1382
- # 32.
1383
- #
1384
- # If some backends are referenced by frontends bound to other processes, the
1385
- # backend automatically inherits the frontend's processes.
1386
- #
1387
- # Example :
1388
- # listen app_ip1
1389
- # bind 10.0.0.1:80
1390
- # bind-process odd
1391
- #
1392
- # listen app_ip2
1393
- # bind 10.0.0.2:80
1394
- # bind-process even
1395
- #
1396
- # listen management
1397
- # bind 10.0.0.3:80
1398
- # bind-process 1 2 3 4
1399
- #
1400
- # See also : "nbproc" in global section.
1401
- #
1402
- attr_accessor :bind_process
1403
-
1404
- #
1405
- # default_backend <backend>
1406
- # Specify the backend to use when no "use_backend" rule has been matched.
1407
- # May be used in sections : defaults | frontend | listen | backend
1408
- # yes | yes | yes | no
1409
- # Arguments :
1410
- # <backend> is the name of the backend to use.
1411
- #
1412
- # When doing content-switching between frontend and backends using the
1413
- # "use_backend" keyword, it is often useful to indicate which backend will be
1414
- # used when no rule has matched. It generally is the dynamic backend which
1415
- # will catch all undetermined requests.
1416
- #
1417
- # Example :
1418
- #
1419
- # use_backend dynamic if url_dyn
1420
- # use_backend static if url_css url_img extension_img
1421
- # default_backend dynamic
1422
- #
1423
- # See also : "use_backend", "reqsetbe", "reqisetbe"
1424
- #
1425
- attr_accessor :default_backend
1426
-
1427
- #
1428
- # disabled
1429
- # Disable a proxy, frontend or backend.
1430
- # May be used in sections : defaults | frontend | listen | backend
1431
- # yes | yes | yes | yes
1432
- # Arguments : none
1433
- #
1434
- # The "disabled" keyword is used to disable an instance, mainly in order to
1435
- # liberate a listening port or to temporarily disable a service. The instance
1436
- # will still be created and its configuration will be checked, but it will be
1437
- # created in the "stopped" state and will appear as such in the statistics. It
1438
- # will not receive any traffic nor will it send any health-checks or logs. It
1439
- # is possible to disable many instances at once by adding the "disabled"
1440
- # keyword in a "defaults" section.
1441
- #
1442
- # See also : "enabled"
1443
- #
1444
- attr_accessor :disabled
1445
-
1446
- #
1447
- # enabled
1448
- # Enable a proxy, frontend or backend.
1449
- # May be used in sections : defaults | frontend | listen | backend
1450
- # yes | yes | yes | yes
1451
- # Arguments : none
1452
- #
1453
- # The "enabled" keyword is used to explicitly enable an instance, when the
1454
- # defaults has been set to "disabled". This is very rarely used.
1455
- #
1456
- # See also : "disabled"
1457
- #
1458
- attr_accessor :enabled
1459
-
1460
- #
1461
- # errorfile <code> <file>
1462
- # Return a file contents instead of errors generated by HAProxy
1463
- # May be used in sections : defaults | frontend | listen | backend
1464
- # yes | yes | yes | yes
1465
- # Arguments :
1466
- # <code> is the HTTP status code. Currently, HAProxy is capable of
1467
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
1468
- #
1469
- # <file> designates a file containing the full HTTP response. It is
1470
- # recommended to follow the common practice of appending ".http" to
1471
- # the filename so that people do not confuse the response with HTML
1472
- # error pages, and to use absolute paths, since files are read
1473
- # before any chroot is performed.
1474
- #
1475
- # It is important to understand that this keyword is not meant to rewrite
1476
- # errors returned by the server, but errors detected and returned by HAProxy.
1477
- # This is why the list of supported errors is limited to a small set.
1478
- #
1479
- # The files are returned verbatim on the TCP socket. This allows any trick such
1480
- # as redirections to another URL or site, as well as tricks to clean cookies,
1481
- # force enable or disable caching, etc... The package provides default error
1482
- # files returning the same contents as default errors.
1483
- #
1484
- # The files should not exceed the configured buffer size (BUFSIZE), which
1485
- # generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
1486
- # not to put any reference to local contents (eg: images) in order to avoid
1487
- # loops between the client and HAProxy when all servers are down, causing an
1488
- # error to be returned instead of an image. For better HTTP compliance, it is
1489
- # recommended that all header lines end with CR-LF and not LF alone.
1490
- #
1491
- # The files are read at the same time as the configuration and kept in memory.
1492
- # For this reason, the errors continue to be returned even when the process is
1493
- # chrooted, and no file change is considered while the process is running. A
1494
- # simple method for developing those files consists in associating them to the
1495
- # 403 status code and interrogating a blocked URL.
1496
- #
1497
- # See also : "errorloc", "errorloc302", "errorloc303"
1498
- #
1499
- # Example :
1500
- # errorfile 400 /etc/haproxy/errorfiles/400badreq.http
1501
- # errorfile 403 /etc/haproxy/errorfiles/403forbid.http
1502
- # errorfile 503 /etc/haproxy/errorfiles/503sorry.http
1503
- #
1504
- attr_accessor :errorfile
1505
-
1506
- #
1507
- # errorloc <code> <url>
1508
- # Return an HTTP redirection to a URL instead of errors generated by HAProxy
1509
- # May be used in sections : defaults | frontend | listen | backend
1510
- # yes | yes | yes | yes
1511
- # Arguments :
1512
- # <code> is the HTTP status code. Currently, HAProxy is capable of
1513
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
1514
- #
1515
- # <url> it is the exact contents of the "Location" header. It may contain
1516
- # either a relative URI to an error page hosted on the same site,
1517
- # or an absolute URI designating an error page on another site.
1518
- # Special care should be given to relative URIs to avoid redirect
1519
- # loops if the URI itself may generate the same error (eg: 500).
1520
- #
1521
- # It is important to understand that this keyword is not meant to rewrite
1522
- # errors returned by the server, but errors detected and returned by HAProxy.
1523
- # This is why the list of supported errors is limited to a small set.
1524
- #
1525
- # Note that both keyword return the HTTP 302 status code, which tells the
1526
- # client to fetch the designated URL using the same HTTP method. This can be
1527
- # quite problematic in case of non-GET methods such as POST, because the URL
1528
- # sent to the client might not be allowed for something other than GET. To
1529
- # workaround this problem, please use "errorloc303" which send the HTTP 303
1530
- # status code, indicating to the client that the URL must be fetched with a GET
1531
- # request.
1532
- #
1533
- # See also : "errorfile", "errorloc303"
1534
- #
1535
- attr_accessor :errorloc
1536
-
1537
- #
1538
- # errorloc302 <code> <url>
1539
- # Return an HTTP redirection to a URL instead of errors generated by HAProxy
1540
- # May be used in sections : defaults | frontend | listen | backend
1541
- # yes | yes | yes | yes
1542
- # Arguments :
1543
- # <code> is the HTTP status code. Currently, HAProxy is capable of
1544
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
1545
- #
1546
- # <url> it is the exact contents of the "Location" header. It may contain
1547
- # either a relative URI to an error page hosted on the same site,
1548
- # or an absolute URI designating an error page on another site.
1549
- # Special care should be given to relative URIs to avoid redirect
1550
- # loops if the URI itself may generate the same error (eg: 500).
1551
- #
1552
- # It is important to understand that this keyword is not meant to rewrite
1553
- # errors returned by the server, but errors detected and returned by HAProxy.
1554
- # This is why the list of supported errors is limited to a small set.
1555
- #
1556
- # Note that both keyword return the HTTP 302 status code, which tells the
1557
- # client to fetch the designated URL using the same HTTP method. This can be
1558
- # quite problematic in case of non-GET methods such as POST, because the URL
1559
- # sent to the client might not be allowed for something other than GET. To
1560
- # workaround this problem, please use "errorloc303" which send the HTTP 303
1561
- # status code, indicating to the client that the URL must be fetched with a GET
1562
- # request.
1563
- #
1564
- # See also : "errorfile", "errorloc303"
1565
- #
1566
- attr_accessor :errorloc302
1567
-
1568
- #
1569
- # errorloc303 <code> <url>
1570
- # Return an HTTP redirection to a URL instead of errors generated by HAProxy
1571
- # May be used in sections : defaults | frontend | listen | backend
1572
- # yes | yes | yes | yes
1573
- # Arguments :
1574
- # <code> is the HTTP status code. Currently, HAProxy is capable of
1575
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
1576
- #
1577
- # <url> it is the exact contents of the "Location" header. It may contain
1578
- # either a relative URI to an error page hosted on the same site,
1579
- # or an absolute URI designating an error page on another site.
1580
- # Special care should be given to relative URIs to avoid redirect
1581
- # loops if the URI itself may generate the same error (eg: 500).
1582
- #
1583
- # It is important to understand that this keyword is not meant to rewrite
1584
- # errors returned by the server, but errors detected and returned by HAProxy.
1585
- # This is why the list of supported errors is limited to a small set.
1586
- #
1587
- # Note that both keyword return the HTTP 303 status code, which tells the
1588
- # client to fetch the designated URL using the same HTTP GET method. This
1589
- # solves the usual problems associated with "errorloc" and the 302 code. It is
1590
- # possible that some very old browsers designed before HTTP/1.1 do not support
1591
- # it, but no such problem has been reported till now.
1592
- #
1593
- # See also : "errorfile", "errorloc", "errorloc302"
1594
- #
1595
- attr_accessor :errorloc303
1596
-
1597
- #
1598
- # grace <time>
1599
- # Maintain a proxy operational for some time after a soft stop
1600
- # May be used in sections : defaults | frontend | listen | backend
1601
- # yes | yes | yes | yes
1602
- # Arguments :
1603
- # <time> is the time (by default in milliseconds) for which the instance
1604
- # will remain operational with the frontend sockets still listening
1605
- # when a soft-stop is received via the SIGUSR1 signal.
1606
- #
1607
- # This may be used to ensure that the services disappear in a certain order.
1608
- # This was designed so that frontends which are dedicated to monitoring by an
1609
- # external equipment fail immediately while other ones remain up for the time
1610
- # needed by the equipment to detect the failure.
1611
- #
1612
- # Note that currently, there is very little benefit in using this parameter,
1613
- # and it may in fact complicate the soft-reconfiguration process more than
1614
- # simplify it.
1615
- #
1616
- attr_accessor :grace
1617
-
1618
- # log global
1619
- # log <address> <facility> [<level> [<minlevel>]]
1620
- # Enable per-instance logging of events and traffic.
1621
- # May be used in sections : defaults | frontend | listen | backend
1622
- # yes | yes | yes | yes
1623
- # Arguments :
1624
- # global should be used when the instance's logging parameters are the
1625
- # same as the global ones. This is the most common usage. "global"
1626
- # replaces <address>, <facility> and <level> with those of the log
1627
- # entries found in the "global" section. Only one "log global"
1628
- # statement may be used per instance, and this form takes no other
1629
- # parameter.
1630
- #
1631
- # <address> indicates where to send the logs. It takes the same format as
1632
- # for the "global" section's logs, and can be one of :
1633
- #
1634
- # - An IPv4 address optionally followed by a colon (':') and a UDP
1635
- # port. If no port is specified, 514 is used by default (the
1636
- # standard syslog port).
1637
- #
1638
- # - A filesystem path to a UNIX domain socket, keeping in mind
1639
- # considerations for chroot (be sure the path is accessible
1640
- # inside the chroot) and uid/gid (be sure the path is
1641
- # appropriately writeable).
1642
- #
1643
- # <facility> must be one of the 24 standard syslog facilities :
1644
- #
1645
- # kern user mail daemon auth syslog lpr news
1646
- # uucp cron auth2 ftp ntp audit alert cron2
1647
- # local0 local1 local2 local3 local4 local5 local6 local7
1648
- #
1649
- # <level> is optional and can be specified to filter outgoing messages. By
1650
- # default, all messages are sent. If a level is specified, only
1651
- # messages with a severity at least as important as this level
1652
- # will be sent. An optional minimum level can be specified. If it
1653
- # is set, logs emitted with a more severe level than this one will
1654
- # be capped to this level. This is used to avoid sending "emerg"
1655
- # messages on all terminals on some default syslog configurations.
1656
- # Eight levels are known :
1657
- #
1658
- # emerg alert crit err warning notice info debug
1659
- #
1660
- # Note that up to two "log" entries may be specified per instance. However, if
1661
- # "log global" is used and if the "global" section already contains 2 log
1662
- # entries, then additional log entries will be ignored.
1663
- #
1664
- # Also, it is important to keep in mind that it is the frontend which decides
1665
- # what to log from a connection, and that in case of content switching, the log
1666
- # entries from the backend will be ignored. Connections are logged at level
1667
- # "info".
1668
- #
1669
- # However, backend log declaration define how and where servers status changes
1670
- # will be logged. Level "notice" will be used to indicate a server going up,
1671
- # "warning" will be used for termination signals and definitive service
1672
- # termination, and "alert" will be used for when a server goes down.
1673
- #
1674
- # Note : According to RFC3164, messages are truncated to 1024 bytes before
1675
- # being emitted.
1676
- #
1677
- # Example :
1678
- # log global
1679
- # log 127.0.0.1:514 local0 notice # only send important events
1680
- # log 127.0.0.1:514 local0 notice notice # same but limit output level
1681
- #
1682
- attr_accessor :log
1683
-
1684
- #
1685
- # maxconn <conns>
1686
- # Fix the maximum number of concurrent connections on a frontend
1687
- # May be used in sections : defaults | frontend | listen | backend
1688
- # yes | yes | yes | no
1689
- # Arguments :
1690
- # <conns> is the maximum number of concurrent connections the frontend will
1691
- # accept to serve. Excess connections will be queued by the system
1692
- # in the socket's listen queue and will be served once a connection
1693
- # closes.
1694
- #
1695
- # If the system supports it, it can be useful on big sites to raise this limit
1696
- # very high so that haproxy manages connection queues, instead of leaving the
1697
- # clients with unanswered connection attempts. This value should not exceed the
1698
- # global maxconn. Also, keep in mind that a connection contains two buffers
1699
- # of 8kB each, as well as some other data resulting in about 17 kB of RAM being
1700
- # consumed per established connection. That means that a medium system equipped
1701
- # with 1GB of RAM can withstand around 40000-50000 concurrent connections if
1702
- # properly tuned.
1703
- #
1704
- # Also, when <conns> is set to large values, it is possible that the servers
1705
- # are not sized to accept such loads, and for this reason it is generally wise
1706
- # to assign them some reasonable connection limits.
1707
- #
1708
- # See also : "server", global section's "maxconn", "fullconn"
1709
- #
1710
- attr_accessor :maxconn
1711
-
1712
- #
1713
- # mode { tcp|http|health }
1714
- # Set the running mode or protocol of the instance
1715
- # May be used in sections : defaults | frontend | listen | backend
1716
- # yes | yes | yes | yes
1717
- # Arguments :
1718
- # tcp The instance will work in pure TCP mode. A full-duplex connection
1719
- # will be established between clients and servers, and no layer 7
1720
- # examination will be performed. This is the default mode. It
1721
- # should be used for SSL, SSH, SMTP, ...
1722
- #
1723
- # http The instance will work in HTTP mode. The client request will be
1724
- # analyzed in depth before connecting to any server. Any request
1725
- # which is not RFC-compliant will be rejected. Layer 7 filtering,
1726
- # processing and switching will be possible. This is the mode which
1727
- # brings HAProxy most of its value.
1728
- #
1729
- # health The instance will work in "health" mode. It will just reply "OK"
1730
- # to incoming connections and close the connection. Nothing will be
1731
- # logged. This mode is used to reply to external components health
1732
- # checks. This mode is deprecated and should not be used anymore as
1733
- # it is possible to do the same and even better by combining TCP or
1734
- # HTTP modes with the "monitor" keyword.
1735
- #
1736
- # When doing content switching, it is mandatory that the frontend and the
1737
- # backend are in the same mode (generally HTTP), otherwise the configuration
1738
- # will be refused.
1739
- #
1740
- # Example :
1741
- # defaults http_instances
1742
- # mode http
1743
- #
1744
- # See also : "monitor", "monitor-net"
1745
- #
1746
- attr_accessor :mode
1747
-
1748
- #
1749
- # monitor-net <source>
1750
- # Declare a source network which is limited to monitor requests
1751
- # May be used in sections : defaults | frontend | listen | backend
1752
- # yes | yes | yes | no
1753
- # Arguments :
1754
- # <source> is the source IPv4 address or network which will only be able to
1755
- # get monitor responses to any request. It can be either an IPv4
1756
- # address, a host name, or an address followed by a slash ('/')
1757
- # followed by a mask.
1758
- #
1759
- # In TCP mode, any connection coming from a source matching <source> will cause
1760
- # the connection to be immediately closed without any log. This allows another
1761
- # equipment to probe the port and verify that it is still listening, without
1762
- # forwarding the connection to a remote server.
1763
- #
1764
- # In HTTP mode, a connection coming from a source matching <source> will be
1765
- # accepted, the following response will be sent without waiting for a request,
1766
- # then the connection will be closed : "HTTP/1.0 200 OK". This is normally
1767
- # enough for any front-end HTTP probe to detect that the service is UP and
1768
- # running without forwarding the request to a backend server.
1769
- #
1770
- # Monitor requests are processed very early. It is not possible to block nor
1771
- # divert them using ACLs. They cannot be logged either, and it is the intended
1772
- # purpose. They are only used to report HAProxy's health to an upper component,
1773
- # nothing more. Right now, it is not possible to set failure conditions on
1774
- # requests caught by "monitor-net".
1775
- #
1776
- # Last, please note that only one "monitor-net" statement can be specified in
1777
- # a frontend. If more than one is found, only the last one will be considered.
1778
- #
1779
- # Example :
1780
- # # addresses .252 and .253 are just probing us.
1781
- # frontend www
1782
- # monitor-net 192.168.0.252/31
1783
- #
1784
- # See also : "monitor fail", "monitor-uri"
1785
- #
1786
- attr_accessor :monitor_net
1787
-
1788
- #
1789
- # monitor-uri <uri>
1790
- # Intercept a URI used by external components' monitor requests
1791
- # May be used in sections : defaults | frontend | listen | backend
1792
- # yes | yes | yes | no
1793
- # Arguments :
1794
- # <uri> is the exact URI which we want to intercept to return HAProxy's
1795
- # health status instead of forwarding the request.
1796
- #
1797
- # When an HTTP request referencing <uri> will be received on a frontend,
1798
- # HAProxy will not forward it nor log it, but instead will return either
1799
- # "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
1800
- # conditions defined with "monitor fail". This is normally enough for any
1801
- # front-end HTTP probe to detect that the service is UP and running without
1802
- # forwarding the request to a backend server. Note that the HTTP method, the
1803
- # version and all headers are ignored, but the request must at least be valid
1804
- # at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
1805
- #
1806
- # Monitor requests are processed very early. It is not possible to block nor
1807
- # divert them using ACLs. They cannot be logged either, and it is the intended
1808
- # purpose. They are only used to report HAProxy's health to an upper component,
1809
- # nothing more. However, it is possible to add any number of conditions using
1810
- # "monitor fail" and ACLs so that the result can be adjusted to whatever check
1811
- # can be imagined (most often the number of available servers in a backend).
1812
- #
1813
- # Example :
1814
- # # Use /haproxy_test to report haproxy's status
1815
- # frontend www
1816
- # mode http
1817
- # monitor-uri /haproxy_test
1818
- #
1819
- # See also : "monitor fail", "monitor-net"
1820
- #
1821
- attr_accessor :monitor_uri
1822
-
1823
- #
1824
- # option accept-invalid-http-request
1825
- # no option accept-invalid-http-request
1826
- # Enable or disable relaxing of HTTP request parsing
1827
- # May be used in sections : defaults | frontend | listen | backend
1828
- # yes | yes | yes | no
1829
- # Arguments : none
1830
- #
1831
- # By default, HAProxy complies with RFC2616 in terms of message parsing. This
1832
- # means that invalid characters in header names are not permitted and cause an
1833
- # error to be returned to the client. This is the desired behaviour as such
1834
- # forbidden characters are essentially used to build attacks exploiting server
1835
- # weaknesses, and bypass security filtering. Sometimes, a buggy browser or
1836
- # server will emit invalid header names for whatever reason (configuration,
1837
- # implementation) and the issue will not be immediately fixed. In such a case,
1838
- # it is possible to relax HAProxy's header name parser to accept any character
1839
- # even if that does not make sense, by specifying this option.
1840
- #
1841
- # This option should never be enabled by default as it hides application bugs
1842
- # and open security breaches. It should only be deployed after a problem has
1843
- # been confirmed.
1844
- #
1845
- # When this option is enabled, erroneous header names will still be accepted in
1846
- # requests, but the complete request will be captured in order to permit later
1847
- # analysis using the "show errors" request on the UNIX stats socket. Doing this
1848
- # also helps confirming that the issue has been solved.
1849
- #
1850
- # If this option has been enabled in a "defaults" section, it can be disabled
1851
- # in a specific instance by prepending the "no" keyword before it.
1852
- #
1853
- # See also : "option accept-invalid-http-response" and "show errors" on the
1854
- # stats socket.
1855
- #
1856
- attr_accessor :option_accept_invalid_http_request
1857
-
1858
- #
1859
- # option clitcpka
1860
- # no option clitcpka
1861
- # Enable or disable the sending of TCP keepalive packets on the client side
1862
- # May be used in sections : defaults | frontend | listen | backend
1863
- # yes | yes | yes | no
1864
- # Arguments : none
1865
- #
1866
- # When there is a firewall or any session-aware component between a client and
1867
- # a server, and when the protocol involves very long sessions with long idle
1868
- # periods (eg: remote desktops), there is a risk that one of the intermediate
1869
- # components decides to expire a session which has remained idle for too long.
1870
- #
1871
- # Enabling socket-level TCP keep-alives makes the system regularly send packets
1872
- # to the other end of the connection, leaving it active. The delay between
1873
- # keep-alive probes is controlled by the system only and depends both on the
1874
- # operating system and its tuning parameters.
1875
- #
1876
- # It is important to understand that keep-alive packets are neither emitted nor
1877
- # received at the application level. It is only the network stacks which sees
1878
- # them. For this reason, even if one side of the proxy already uses keep-alives
1879
- # to maintain its connection alive, those keep-alive packets will not be
1880
- # forwarded to the other side of the proxy.
1881
- #
1882
- # Please note that this has nothing to do with HTTP keep-alive.
1883
- #
1884
- # Using option "clitcpka" enables the emission of TCP keep-alive probes on the
1885
- # client side of a connection, which should help when session expirations are
1886
- # noticed between HAProxy and a client.
1887
- #
1888
- # If this option has been enabled in a "defaults" section, it can be disabled
1889
- # in a specific instance by prepending the "no" keyword before it.
1890
- #
1891
- # See also : "option srvtcpka", "option tcpka"
1892
- #
1893
- attr_accessor :option_clitcpka
1894
-
1895
- #
1896
- # option contstats
1897
- # Enable continuous traffic statistics updates
1898
- # May be used in sections : defaults | frontend | listen | backend
1899
- # yes | yes | yes | no
1900
- # Arguments : none
1901
- #
1902
- # By default, counters used for statistics calculation are incremented
1903
- # only when a session finishes. It works quite well when serving small
1904
- # objects, but with big ones (for example large images or archives) or
1905
- # with A/V streaming, a graph generated from haproxy counters looks like
1906
- # a hedgehog. With this option enabled counters get incremented continuously,
1907
- # during a whole session. Recounting touches a hotpath directly so
1908
- # it is not enabled by default, as it has small performance impact (~0.5%).
1909
- #
1910
- attr_accessor :option_contstats
1911
-
1912
- #
1913
- # option dontlog-normal
1914
- # no option dontlog-normal
1915
- # Enable or disable logging of normal, successful connections
1916
- # May be used in sections : defaults | frontend | listen | backend
1917
- # yes | yes | yes | no
1918
- # Arguments : none
1919
- #
1920
- # There are large sites dealing with several thousand connections per second
1921
- # and for which logging is a major pain. Some of them are even forced to turn
1922
- # logs off and cannot debug production issues. Setting this option ensures that
1923
- # normal connections, those which experience no error, no timeout, no retry nor
1924
- # redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
1925
- # mode, the response status code is checked and return codes 5xx will still be
1926
- # logged.
1927
- #
1928
- # It is strongly discouraged to use this option as most of the time, the key to
1929
- # complex issues is in the normal logs which will not be logged here. If you
1930
- # need to separate logs, see the "log-separate-errors" option instead.
1931
- #
1932
- # See also : "log", "dontlognull", "log-separate-errors" and section 8 about
1933
- # logging.
1934
- #
1935
- attr_accessor :option_dontlog_normal
1936
-
1937
- #
1938
- # option dontlognull
1939
- # no option dontlognull
1940
- # Enable or disable logging of null connections
1941
- # May be used in sections : defaults | frontend | listen | backend
1942
- # yes | yes | yes | no
1943
- # Arguments : none
1944
- #
1945
- # In certain environments, there are components which will regularly connect to
1946
- # various systems to ensure that they are still alive. It can be the case from
1947
- # another load balancer as well as from monitoring systems. By default, even a
1948
- # simple port probe or scan will produce a log. If those connections pollute
1949
- # the logs too much, it is possible to enable option "dontlognull" to indicate
1950
- # that a connection on which no data has been transferred will not be logged,
1951
- # which typically corresponds to those probes.
1952
- #
1953
- # It is generally recommended not to use this option in uncontrolled
1954
- # environments (eg: internet), otherwise scans and other malicious activities
1955
- # would not be logged.
1956
- #
1957
- # If this option has been enabled in a "defaults" section, it can be disabled
1958
- # in a specific instance by prepending the "no" keyword before it.
1959
- #
1960
- # See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
1961
- #
1962
- attr_accessor :option_dontlognull
1963
-
1964
- #
1965
- # option forceclose
1966
- # no option forceclose
1967
- # Enable or disable active connection closing after response is transferred.
1968
- # May be used in sections : defaults | frontend | listen | backend
1969
- # yes | yes | yes | yes
1970
- # Arguments : none
1971
- #
1972
- # Some HTTP servers do not necessarily close the connections when they receive
1973
- # the "Connection: close" set by "option httpclose", and if the client does not
1974
- # close either, then the connection remains open till the timeout expires. This
1975
- # causes high number of simultaneous connections on the servers and shows high
1976
- # global session times in the logs.
1977
- #
1978
- # When this happens, it is possible to use "option forceclose". It will
1979
- # actively close the outgoing server channel as soon as the server has finished
1980
- # to respond. This option implicitly enables the "httpclose" option. Note that
1981
- # this option also enables the parsing of the full request and response, which
1982
- # means we can close the connection to the server very quickly, releasing some
1983
- # resources earlier than with httpclose.
1984
- #
1985
- # This option may also be combined with "option http-pretend-keepalive", which
1986
- # will disable sending of the "Connection: close" header, but will still cause
1987
- # the connection to be closed once the whole response is received.
1988
- #
1989
- # If this option has been enabled in a "defaults" section, it can be disabled
1990
- # in a specific instance by prepending the "no" keyword before it.
1991
- #
1992
- # See also : "option httpclose" and "option http-pretend-keepalive"
1993
- #
1994
- attr_accessor :option_forceclose
1995
-
1996
- #
1997
- # option forwardfor [ except <network> ] [ header <name> ]
1998
- # Enable insertion of the X-Forwarded-For header to requests sent to servers
1999
- # May be used in sections : defaults | frontend | listen | backend
2000
- # yes | yes | yes | yes
2001
- # Arguments :
2002
- # <network> is an optional argument used to disable this option for sources
2003
- # matching <network>
2004
- # <name> an optional argument to specify a different "X-Forwarded-For"
2005
- # header name.
2006
- #
2007
- # Since HAProxy works in reverse-proxy mode, the servers see its IP address as
2008
- # their client address. This is sometimes annoying when the client's IP address
2009
- # is expected in server logs. To solve this problem, the well-known HTTP header
2010
- # "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
2011
- # This header contains a value representing the client's IP address. Since this
2012
- # header is always appended at the end of the existing header list, the server
2013
- # must be configured to always use the last occurrence of this header only. See
2014
- # the server's manual to find how to enable use of this standard header. Note
2015
- # that only the last occurrence of the header must be used, since it is really
2016
- # possible that the client has already brought one.
2017
- #
2018
- # The keyword "header" may be used to supply a different header name to replace
2019
- # the default "X-Forwarded-For". This can be useful where you might already
2020
- # have a "X-Forwarded-For" header from a different application (eg: stunnel),
2021
- # and you need preserve it. Also if your backend server doesn't use the
2022
- # "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
2023
- # require "X-Cluster-Client-IP").
2024
- #
2025
- # Sometimes, a same HAProxy instance may be shared between a direct client
2026
- # access and a reverse-proxy access (for instance when an SSL reverse-proxy is
2027
- # used to decrypt HTTPS traffic). It is possible to disable the addition of the
2028
- # header for a known source address or network by adding the "except" keyword
2029
- # followed by the network address. In this case, any source IP matching the
2030
- # network will not cause an addition of this header. Most common uses are with
2031
- # private networks or 127.0.0.1.
2032
- #
2033
- # This option may be specified either in the frontend or in the backend. If at
2034
- # least one of them uses it, the header will be added. Note that the backend's
2035
- # setting of the header subargument takes precedence over the frontend's if
2036
- # both are defined.
2037
- #
2038
- # It is important to note that as long as HAProxy does not support keep-alive
2039
- # connections, only the first request of a connection will receive the header.
2040
- # For this reason, it is important to ensure that "option httpclose" is set
2041
- # when using this option.
2042
- #
2043
- # Examples :
2044
- # # Public HTTP address also used by stunnel on the same machine
2045
- # frontend www
2046
- # mode http
2047
- # option forwardfor except 127.0.0.1 # stunnel already adds the header
2048
- #
2049
- # # Those servers want the IP Address in X-Client
2050
- # backend www
2051
- # mode http
2052
- # option forwardfor header X-Client
2053
- #
2054
- # See also : "option httpclose"
2055
- #
2056
- attr_accessor :option_forwardfor
2057
-
2058
- #
2059
- # option http-pretend-keepalive
2060
- # no option http-pretend-keepalive
2061
- # Define whether haproxy will announce keepalive to the server or not
2062
- # May be used in sections : defaults | frontend | listen | backend
2063
- # yes | yes | yes | yes
2064
- # Arguments : none
2065
- #
2066
- # When running with "option http-server-close" or "option forceclose", haproxy
2067
- # adds a "Connection: close" header to the request forwarded to the server.
2068
- # Unfortunately, when some servers see this header, they automatically refrain
2069
- # from using the chunked encoding for responses of unknown length, while this
2070
- # is totally unrelated. The immediate effect is that this prevents haproxy from
2071
- # maintaining the client connection alive. A second effect is that a client or
2072
- # a cache could receive an incomplete response without being aware of it, and
2073
- # consider the response complete.
2074
- #
2075
- # By setting "option http-pretend-keepalive", haproxy will make the server
2076
- # believe it will keep the connection alive. The server will then not fall back
2077
- # to the abnormal undesired above. When haproxy gets the whole response, it
2078
- # will close the connection with the server just as it would do with the
2079
- # "forceclose" option. That way the client gets a normal response and the
2080
- # connection is correctly closed on the server side.
2081
- #
2082
- # It is recommended not to enable this option by default, because most servers
2083
- # will more efficiently close the connection themselves after the last packet,
2084
- # and release its buffers slightly earlier. Also, the added packet on the
2085
- # network could slightly reduce the overall peak performance. However it is
2086
- # worth noting that when this option is enabled, haproxy will have slightly
2087
- # less work to do. So if haproxy is the bottleneck on the whole architecture,
2088
- # enabling this option might save a few CPU cycles.
2089
- #
2090
- # This option may be set both in a frontend and in a backend. It is enabled if
2091
- # at least one of the frontend or backend holding a connection has it enabled.
2092
- # This option may be compbined with "option httpclose", which will cause
2093
- # keepalive to be announced to the server and close to be announced to the
2094
- # client. This practice is discouraged though.
2095
- #
2096
- # If this option has been enabled in a "defaults" section, it can be disabled
2097
- # in a specific instance by prepending the "no" keyword before it.
2098
- #
2099
- # See also : "option forceclose" and "option http-server-close"
2100
- #
2101
- attr_accessor :option_http_pretend_keepalive
2102
-
2103
- #
2104
- # option http-server-close
2105
- # no option http-server-close
2106
- # Enable or disable HTTP connection closing on the server side
2107
- # May be used in sections : defaults | frontend | listen | backend
2108
- # yes | yes | yes | yes
2109
- # Arguments : none
2110
- #
2111
- # By default, when a client communicates with a server, HAProxy will only
2112
- # analyze, log, and process the first request of each connection. Setting
2113
- # "option http-server-close" enables HTTP connection-close mode on the server
2114
- # side while keeping the ability to support HTTP keep-alive and pipelining on
2115
- # the client side. This provides the lowest latency on the client side (slow
2116
- # network) and the fastest session reuse on the server side to save server
2117
- # resources, similarly to "option forceclose". It also permits non-keepalive
2118
- # capable servers to be served in keep-alive mode to the clients if they
2119
- # conform to the requirements of RFC2616. Please note that some servers do not
2120
- # always conform to those requirements when they see "Connection: close" in the
2121
- # request. The effect will be that keep-alive will never be used. A workaround
2122
- # consists in enabling "option http-pretend-keepalive".
2123
- #
2124
- # At the moment, logs will not indicate whether requests came from the same
2125
- # session or not. The accept date reported in the logs corresponds to the end
2126
- # of the previous request, and the request time corresponds to the time spent
2127
- # waiting for a new request. The keep-alive request time is still bound to the
2128
- # timeout defined by "timeout http-keep-alive" or "timeout http-request" if
2129
- # not set.
2130
- #
2131
- # This option may be set both in a frontend and in a backend. It is enabled if
2132
- # at least one of the frontend or backend holding a connection has it enabled.
2133
- # It is worth noting that "option forceclose" has precedence over "option
2134
- # http-server-close" and that combining "http-server-close" with "httpclose"
2135
- # basically achieve the same result as "forceclose".
2136
- #
2137
- # If this option has been enabled in a "defaults" section, it can be disabled
2138
- # in a specific instance by prepending the "no" keyword before it.
2139
- #
2140
- # See also : "option forceclose", "option http-pretend-keepalive",
2141
- # "option httpclose" and "1.1. The HTTP transaction model".
2142
- #
2143
- attr_accessor :option_http_server_close
2144
-
2145
- #
2146
- # option http-use-proxy-header
2147
- # no option http-use-proxy-header
2148
- # Make use of non-standard Proxy-Connection header instead of Connection
2149
- # May be used in sections : defaults | frontend | listen | backend
2150
- # yes | yes | yes | no
2151
- # Arguments : none
2152
- #
2153
- # While RFC2616 explicitly states that HTTP/1.1 agents must use the
2154
- # Connection header to indicate their wish of persistent or non-persistent
2155
- # connections, both browsers and proxies ignore this header for proxied
2156
- # connections and make use of the undocumented, non-standard Proxy-Connection
2157
- # header instead. The issue begins when trying to put a load balancer between
2158
- # browsers and such proxies, because there will be a difference between what
2159
- # haproxy understands and what the client and the proxy agree on.
2160
- #
2161
- # By setting this option in a frontend, haproxy can automatically switch to use
2162
- # that non-standard header if it sees proxied requests. A proxied request is
2163
- # defined here as one where the URI begins with neither a '/' nor a '*'. The
2164
- # choice of header only affects requests passing through proxies making use of
2165
- # one of the "httpclose", "forceclose" and "http-server-close" options. Note
2166
- # that this option can only be specified in a frontend and will affect the
2167
- # request along its whole life.
2168
- #
2169
- # Also, when this option is set, a request which requires authentication will
2170
- # automatically switch to use proxy authentication headers if it is itself a
2171
- # proxied request. That makes it possible to check or enforce authentication in
2172
- # front of an existing proxy.
2173
- #
2174
- # This option should normally never be used, except in front of a proxy.
2175
- #
2176
- # See also : "option httpclose", "option forceclose" and "option
2177
- # http-server-close".
2178
- #
2179
- attr_accessor :option_http_use_proxy_header
2180
-
2181
- #
2182
- # option httpclose
2183
- # no option httpclose
2184
- # Enable or disable passive HTTP connection closing
2185
- # May be used in sections : defaults | frontend | listen | backend
2186
- # yes | yes | yes | yes
2187
- # Arguments : none
2188
- #
2189
- # By default, when a client communicates with a server, HAProxy will only
2190
- # analyze, log, and process the first request of each connection. If "option
2191
- # httpclose" is set, it will check if a "Connection: close" header is already
2192
- # set in each direction, and will add one if missing. Each end should react to
2193
- # this by actively closing the TCP connection after each transfer, thus
2194
- # resulting in a switch to the HTTP close mode. Any "Connection" header
2195
- # different from "close" will also be removed.
2196
- #
2197
- # It seldom happens that some servers incorrectly ignore this header and do not
2198
- # close the connection eventhough they reply "Connection: close". For this
2199
- # reason, they are not compatible with older HTTP 1.0 browsers. If this happens
2200
- # it is possible to use the "option forceclose" which actively closes the
2201
- # request connection once the server responds. Option "forceclose" also
2202
- # releases the server connection earlier because it does not have to wait for
2203
- # the client to acknowledge it.
2204
- #
2205
- # This option may be set both in a frontend and in a backend. It is enabled if
2206
- # at least one of the frontend or backend holding a connection has it enabled.
2207
- # If "option forceclose" is specified too, it has precedence over "httpclose".
2208
- # If "option http-server-close" is enabled at the same time as "httpclose", it
2209
- # basically achieves the same result as "option forceclose".
2210
- #
2211
- # If this option has been enabled in a "defaults" section, it can be disabled
2212
- # in a specific instance by prepending the "no" keyword before it.
2213
- #
2214
- # See also : "option forceclose", "option http-server-close" and
2215
- # "1.1. The HTTP transaction model".
2216
- #
2217
- attr_accessor :option_httpclose
2218
-
2219
- #
2220
- # option httplog [ clf ]
2221
- # Enable logging of HTTP request, session state and timers
2222
- # May be used in sections : defaults | frontend | listen | backend
2223
- # yes | yes | yes | yes
2224
- # Arguments :
2225
- # clf if the "clf" argument is added, then the output format will be
2226
- # the CLF format instead of HAProxy's default HTTP format. You can
2227
- # use this when you need to feed HAProxy's logs through a specific
2228
- # log analyser which only support the CLF format and which is not
2229
- # extensible.
2230
- #
2231
- # By default, the log output format is very poor, as it only contains the
2232
- # source and destination addresses, and the instance name. By specifying
2233
- # "option httplog", each log line turns into a much richer format including,
2234
- # but not limited to, the HTTP request, the connection timers, the session
2235
- # status, the connections numbers, the captured headers and cookies, the
2236
- # frontend, backend and server name, and of course the source address and
2237
- # ports.
2238
- #
2239
- # This option may be set either in the frontend or the backend.
2240
- #
2241
- # If this option has been enabled in a "defaults" section, it can be disabled
2242
- # in a specific instance by prepending the "no" keyword before it. Specifying
2243
- # only "option httplog" will automatically clear the 'clf' mode if it was set
2244
- # by default.
2245
- #
2246
- # See also : section 8 about logging.
2247
- #
2248
- attr_accessor :option_httplog
2249
-
2250
- #
2251
- # option http_proxy
2252
- # no option http_proxy
2253
- # Enable or disable plain HTTP proxy mode
2254
- # May be used in sections : defaults | frontend | listen | backend
2255
- # yes | yes | yes | yes
2256
- # Arguments : none
2257
- #
2258
- # It sometimes happens that people need a pure HTTP proxy which understands
2259
- # basic proxy requests without caching nor any fancy feature. In this case,
2260
- # it may be worth setting up an HAProxy instance with the "option http_proxy"
2261
- # set. In this mode, no server is declared, and the connection is forwarded to
2262
- # the IP address and port found in the URL after the "http://" scheme.
2263
- #
2264
- # No host address resolution is performed, so this only works when pure IP
2265
- # addresses are passed. Since this option's usage perimeter is rather limited,
2266
- # it will probably be used only by experts who know they need exactly it. Last,
2267
- # if the clients are susceptible of sending keep-alive requests, it will be
2268
- # needed to add "option http_close" to ensure that all requests will correctly
2269
- # be analyzed.
2270
- #
2271
- # If this option has been enabled in a "defaults" section, it can be disabled
2272
- # in a specific instance by prepending the "no" keyword before it.
2273
- #
2274
- # Example :
2275
- # # this backend understands HTTP proxy requests and forwards them directly.
2276
- # backend direct_forward
2277
- # option httpclose
2278
- # option http_proxy
2279
- #
2280
- # See also : "option httpclose"
2281
- #
2282
- attr_accessor :option_http_proxy
2283
-
2284
- #
2285
- # option independant-streams
2286
- # no option independant-streams
2287
- # Enable or disable independant timeout processing for both directions
2288
- # May be used in sections : defaults | frontend | listen | backend
2289
- # yes | yes | yes | yes
2290
- # Arguments : none
2291
- #
2292
- # By default, when data is sent over a socket, both the write timeout and the
2293
- # read timeout for that socket are refreshed, because we consider that there is
2294
- # activity on that socket, and we have no other means of guessing if we should
2295
- # receive data or not.
2296
- #
2297
- # While this default behaviour is desirable for almost all applications, there
2298
- # exists a situation where it is desirable to disable it, and only refresh the
2299
- # read timeout if there are incoming data. This happens on sessions with large
2300
- # timeouts and low amounts of exchanged data such as telnet session. If the
2301
- # server suddenly disappears, the output data accumulates in the system's
2302
- # socket buffers, both timeouts are correctly refreshed, and there is no way
2303
- # to know the server does not receive them, so we don't timeout. However, when
2304
- # the underlying protocol always echoes sent data, it would be enough by itself
2305
- # to detect the issue using the read timeout. Note that this problem does not
2306
- # happen with more verbose protocols because data won't accumulate long in the
2307
- # socket buffers.
2308
- #
2309
- # When this option is set on the frontend, it will disable read timeout updates
2310
- # on data sent to the client. There probably is little use of this case. When
2311
- # the option is set on the backend, it will disable read timeout updates on
2312
- # data sent to the server. Doing so will typically break large HTTP posts from
2313
- # slow lines, so use it with caution.
2314
- #
2315
- # See also : "timeout client" and "timeout server"
2316
- #
2317
- attr_accessor :option_independant_streams
2318
-
2319
- #
2320
- # option log-separate-errors
2321
- # no option log-separate-errors
2322
- # Change log level for non-completely successful connections
2323
- # May be used in sections : defaults | frontend | listen | backend
2324
- # yes | yes | yes | no
2325
- # Arguments : none
2326
- #
2327
- # Sometimes looking for errors in logs is not easy. This option makes haproxy
2328
- # raise the level of logs containing potentially interesting information such
2329
- # as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
2330
- # level changes from "info" to "err". This makes it possible to log them
2331
- # separately to a different file with most syslog daemons. Be careful not to
2332
- # remove them from the original file, otherwise you would lose ordering which
2333
- # provides very important information.
2334
- #
2335
- # Using this option, large sites dealing with several thousand connections per
2336
- # second may log normal traffic to a rotating buffer and only archive smaller
2337
- # error logs.
2338
- #
2339
- # See also : "log", "dontlognull", "dontlog-normal" and section 8 about
2340
- # logging.
2341
- #
2342
- attr_accessor :option_log_separate_errors
2343
-
2344
- #
2345
- # option logasap
2346
- # no option logasap
2347
- # Enable or disable early logging of HTTP requests
2348
- # May be used in sections : defaults | frontend | listen | backend
2349
- # yes | yes | yes | no
2350
- # Arguments : none
2351
- #
2352
- # By default, HTTP requests are logged upon termination so that the total
2353
- # transfer time and the number of bytes appear in the logs. When large objects
2354
- # are being transferred, it may take a while before the request appears in the
2355
- # logs. Using "option logasap", the request gets logged as soon as the server
2356
- # sends the complete headers. The only missing information in the logs will be
2357
- # the total number of bytes which will indicate everything except the amount
2358
- # of data transferred, and the total time which will not take the transfer
2359
- # time into account. In such a situation, it's a good practice to capture the
2360
- # "Content-Length" response header so that the logs at least indicate how many
2361
- # bytes are expected to be transferred.
2362
- #
2363
- # Examples :
2364
- # listen http_proxy 0.0.0.0:80
2365
- # mode http
2366
- # option httplog
2367
- # option logasap
2368
- # log 192.168.2.200 local3
2369
- #
2370
- # >>> Feb 6 12:14:14 localhost \
2371
- # haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
2372
- # static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
2373
- # "GET /image.iso HTTP/1.0"
2374
- #
2375
- # See also : "option httplog", "capture response header", and section 8 about
2376
- # logging.
2377
- #
2378
- attr_accessor :option_logasap
2379
-
2380
- #
2381
- # option nolinger
2382
- # no option nolinger
2383
- # Enable or disable immediate session resource cleaning after close
2384
- # May be used in sections: defaults | frontend | listen | backend
2385
- # yes | yes | yes | yes
2386
- # Arguments : none
2387
- #
2388
- # When clients or servers abort connections in a dirty way (eg: they are
2389
- # physically disconnected), the session timeouts triggers and the session is
2390
- # closed. But it will remain in FIN_WAIT1 state for some time in the system,
2391
- # using some resources and possibly limiting the ability to establish newer
2392
- # connections.
2393
- #
2394
- # When this happens, it is possible to activate "option nolinger" which forces
2395
- # the system to immediately remove any socket's pending data on close. Thus,
2396
- # the session is instantly purged from the system's tables. This usually has
2397
- # side effects such as increased number of TCP resets due to old retransmits
2398
- # getting immediately rejected. Some firewalls may sometimes complain about
2399
- # this too.
2400
- #
2401
- # For this reason, it is not recommended to use this option when not absolutely
2402
- # needed. You know that you need it when you have thousands of FIN_WAIT1
2403
- # sessions on your system (TIME_WAIT ones do not count).
2404
- #
2405
- # This option may be used both on frontends and backends, depending on the side
2406
- # where it is required. Use it on the frontend for clients, and on the backend
2407
- # for servers.
2408
- #
2409
- # If this option has been enabled in a "defaults" section, it can be disabled
2410
- # in a specific instance by prepending the "no" keyword before it.
2411
- #
2412
- attr_accessor :option_nolinger
2413
-
2414
- #
2415
- # option originalto [ except <network> ] [ header <name> ]
2416
- # Enable insertion of the X-Original-To header to requests sent to servers
2417
- # May be used in sections : defaults | frontend | listen | backend
2418
- # yes | yes | yes | yes
2419
- # Arguments :
2420
- # <network> is an optional argument used to disable this option for sources
2421
- # matching <network>
2422
- # <name> an optional argument to specify a different "X-Original-To"
2423
- # header name.
2424
- #
2425
- # Since HAProxy can work in transparent mode, every request from a client can
2426
- # be redirected to the proxy and HAProxy itself can proxy every request to a
2427
- # complex SQUID environment and the destination host from SO_ORIGINAL_DST will
2428
- # be lost. This is annoying when you want access rules based on destination ip
2429
- # addresses. To solve this problem, a new HTTP header "X-Original-To" may be
2430
- # added by HAProxy to all requests sent to the server. This header contains a
2431
- # value representing the original destination IP address. Since this must be
2432
- # configured to always use the last occurrence of this header only. Note that
2433
- # only the last occurrence of the header must be used, since it is really
2434
- # possible that the client has already brought one.
2435
- #
2436
- # The keyword "header" may be used to supply a different header name to replace
2437
- # the default "X-Original-To". This can be useful where you might already
2438
- # have a "X-Original-To" header from a different application, and you need
2439
- # preserve it. Also if your backend server doesn't use the "X-Original-To"
2440
- # header and requires different one.
2441
- #
2442
- # Sometimes, a same HAProxy instance may be shared between a direct client
2443
- # access and a reverse-proxy access (for instance when an SSL reverse-proxy is
2444
- # used to decrypt HTTPS traffic). It is possible to disable the addition of the
2445
- # header for a known source address or network by adding the "except" keyword
2446
- # followed by the network address. In this case, any source IP matching the
2447
- # network will not cause an addition of this header. Most common uses are with
2448
- # private networks or 127.0.0.1.
2449
- #
2450
- # This option may be specified either in the frontend or in the backend. If at
2451
- # least one of them uses it, the header will be added. Note that the backend's
2452
- # setting of the header subargument takes precedence over the frontend's if
2453
- # both are defined.
2454
- #
2455
- # It is important to note that as long as HAProxy does not support keep-alive
2456
- # connections, only the first request of a connection will receive the header.
2457
- # For this reason, it is important to ensure that "option httpclose" is set
2458
- # when using this option.
2459
- #
2460
- # Examples :
2461
- # # Original Destination address
2462
- # frontend www
2463
- # mode http
2464
- # option originalto except 127.0.0.1
2465
- #
2466
- # # Those servers want the IP Address in X-Client-Dst
2467
- # backend www
2468
- # mode http
2469
- # option originalto header X-Client-Dst
2470
- #
2471
- # See also : "option httpclose"
2472
- #
2473
- attr_accessor :option_originalto
2474
-
2475
- #
2476
- # option socket-stats
2477
- # no option socket-stats
2478
- #
2479
- # Enable or disable collecting & providing separate statistics for each socket.
2480
- # May be used in sections : defaults | frontend | listen | backend
2481
- # yes | yes | yes | no
2482
- #
2483
- # Arguments : none
2484
- #
2485
- attr_accessor :option_socket_stats
2486
-
2487
- #
2488
- # option splice-auto
2489
- # no option splice-auto
2490
- # Enable or disable automatic kernel acceleration on sockets in both directions
2491
- # May be used in sections : defaults | frontend | listen | backend
2492
- # yes | yes | yes | yes
2493
- # Arguments : none
2494
- #
2495
- # When this option is enabled either on a frontend or on a backend, haproxy
2496
- # will automatically evaluate the opportunity to use kernel tcp splicing to
2497
- # forward data between the client and the server, in either direction. Haproxy
2498
- # uses heuristics to estimate if kernel splicing might improve performance or
2499
- # not. Both directions are handled independently. Note that the heuristics used
2500
- # are not much aggressive in order to limit excessive use of splicing. This
2501
- # option requires splicing to be enabled at compile time, and may be globally
2502
- # disabled with the global option "nosplice". Since splice uses pipes, using it
2503
- # requires that there are enough spare pipes.
2504
- #
2505
- # Important note: kernel-based TCP splicing is a Linux-specific feature which
2506
- # first appeared in kernel 2.6.25. It offers kernel-based acceleration to
2507
- # transfer data between sockets without copying these data to user-space, thus
2508
- # providing noticeable performance gains and CPU cycles savings. Since many
2509
- # early implementations are buggy, corrupt data and/or are inefficient, this
2510
- # feature is not enabled by default, and it should be used with extreme care.
2511
- # While it is not possible to detect the correctness of an implementation,
2512
- # 2.6.29 is the first version offering a properly working implementation. In
2513
- # case of doubt, splicing may be globally disabled using the global "nosplice"
2514
- # keyword.
2515
- #
2516
- # Example :
2517
- # option splice-auto
2518
- #
2519
- # If this option has been enabled in a "defaults" section, it can be disabled
2520
- # in a specific instance by prepending the "no" keyword before it.
2521
- #
2522
- # See also : "option splice-request", "option splice-response", and global
2523
- # options "nosplice" and "maxpipes"
2524
- #
2525
- attr_accessor :option_splice_auto
2526
-
2527
- #
2528
- # option splice-request
2529
- # no option splice-request
2530
- # Enable or disable automatic kernel acceleration on sockets for requests
2531
- # May be used in sections : defaults | frontend | listen | backend
2532
- # yes | yes | yes | yes
2533
- # Arguments : none
2534
- #
2535
- # When this option is enabled either on a frontend or on a backend, haproxy
2536
- # will user kernel tcp splicing whenever possible to forward data going from
2537
- # the client to the server. It might still use the recv/send scheme if there
2538
- # are no spare pipes left. This option requires splicing to be enabled at
2539
- # compile time, and may be globally disabled with the global option "nosplice".
2540
- # Since splice uses pipes, using it requires that there are enough spare pipes.
2541
- #
2542
- # Important note: see "option splice-auto" for usage limitations.
2543
- #
2544
- # Example :
2545
- # option splice-request
2546
- #
2547
- # If this option has been enabled in a "defaults" section, it can be disabled
2548
- # in a specific instance by prepending the "no" keyword before it.
2549
- #
2550
- # See also : "option splice-auto", "option splice-response", and global options
2551
- # "nosplice" and "maxpipes"
2552
- #
2553
- attr_accessor :option_splice_request
2554
-
2555
- #
2556
- # option splice-response
2557
- # no option splice-response
2558
- # Enable or disable automatic kernel acceleration on sockets for responses
2559
- # May be used in sections : defaults | frontend | listen | backend
2560
- # yes | yes | yes | yes
2561
- # Arguments : none
2562
- #
2563
- # When this option is enabled either on a frontend or on a backend, haproxy
2564
- # will user kernel tcp splicing whenever possible to forward data going from
2565
- # the server to the client. It might still use the recv/send scheme if there
2566
- # are no spare pipes left. This option requires splicing to be enabled at
2567
- # compile time, and may be globally disabled with the global option "nosplice".
2568
- # Since splice uses pipes, using it requires that there are enough spare pipes.
2569
- #
2570
- # Important note: see "option splice-auto" for usage limitations.
2571
- #
2572
- # Example :
2573
- # option splice-response
2574
- #
2575
- # If this option has been enabled in a "defaults" section, it can be disabled
2576
- # in a specific instance by prepending the "no" keyword before it.
2577
- #
2578
- # See also : "option splice-auto", "option splice-request", and global options
2579
- # "nosplice" and "maxpipes"
2580
- #
2581
- attr_accessor :option_splice_response
2582
-
2583
- #
2584
- # option tcp-smart-accept
2585
- # no option tcp-smart-accept
2586
- # Enable or disable the saving of one ACK packet during the accept sequence
2587
- # May be used in sections : defaults | frontend | listen | backend
2588
- # yes | yes | yes | no
2589
- # Arguments : none
2590
- #
2591
- # When an HTTP connection request comes in, the system acknowledges it on
2592
- # behalf of HAProxy, then the client immediately sends its request, and the
2593
- # system acknowledges it too while it is notifying HAProxy about the new
2594
- # connection. HAProxy then reads the request and responds. This means that we
2595
- # have one TCP ACK sent by the system for nothing, because the request could
2596
- # very well be acknowledged by HAProxy when it sends its response.
2597
- #
2598
- # For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
2599
- # sending this useless ACK on platforms which support it (currently at least
2600
- # Linux). It must not cause any problem, because the system will send it anyway
2601
- # after 40 ms if the response takes more time than expected to come.
2602
- #
2603
- # During complex network debugging sessions, it may be desirable to disable
2604
- # this optimization because delayed ACKs can make troubleshooting more complex
2605
- # when trying to identify where packets are delayed. It is then possible to
2606
- # fall back to normal behaviour by specifying "no option tcp-smart-accept".
2607
- #
2608
- # It is also possible to force it for non-HTTP proxies by simply specifying
2609
- # "option tcp-smart-accept". For instance, it can make sense with some services
2610
- # such as SMTP where the server speaks first.
2611
- #
2612
- # It is recommended to avoid forcing this option in a defaults section. In case
2613
- # of doubt, consider setting it back to automatic values by prepending the
2614
- # "default" keyword before it, or disabling it using the "no" keyword.
2615
- #
2616
- # See also : "option tcp-smart-connect"
2617
- #
2618
- attr_accessor :option_tcp_smart_accept
2619
-
2620
- #
2621
- # option tcpka
2622
- # Enable or disable the sending of TCP keepalive packets on both sides
2623
- # May be used in sections : defaults | frontend | listen | backend
2624
- # yes | yes | yes | yes
2625
- # Arguments : none
2626
- #
2627
- # When there is a firewall or any session-aware component between a client and
2628
- # a server, and when the protocol involves very long sessions with long idle
2629
- # periods (eg: remote desktops), there is a risk that one of the intermediate
2630
- # components decides to expire a session which has remained idle for too long.
2631
- #
2632
- # Enabling socket-level TCP keep-alives makes the system regularly send packets
2633
- # to the other end of the connection, leaving it active. The delay between
2634
- # keep-alive probes is controlled by the system only and depends both on the
2635
- # operating system and its tuning parameters.
2636
- #
2637
- # It is important to understand that keep-alive packets are neither emitted nor
2638
- # received at the application level. It is only the network stacks which sees
2639
- # them. For this reason, even if one side of the proxy already uses keep-alives
2640
- # to maintain its connection alive, those keep-alive packets will not be
2641
- # forwarded to the other side of the proxy.
2642
- #
2643
- # Please note that this has nothing to do with HTTP keep-alive.
2644
- #
2645
- # Using option "tcpka" enables the emission of TCP keep-alive probes on both
2646
- # the client and server sides of a connection. Note that this is meaningful
2647
- # only in "defaults" or "listen" sections. If this option is used in a
2648
- # frontend, only the client side will get keep-alives, and if this option is
2649
- # used in a backend, only the server side will get keep-alives. For this
2650
- # reason, it is strongly recommended to explicitly use "option clitcpka" and
2651
- # "option srvtcpka" when the configuration is split between frontends and
2652
- # backends.
2653
- #
2654
- # See also : "option clitcpka", "option srvtcpka"
2655
- #
2656
- attr_accessor :option_tcpka
2657
-
2658
- #
2659
- # option tcplog
2660
- # Enable advanced logging of TCP connections with session state and timers
2661
- # May be used in sections : defaults | frontend | listen | backend
2662
- # yes | yes | yes | yes
2663
- # Arguments : none
2664
- #
2665
- # By default, the log output format is very poor, as it only contains the
2666
- # source and destination addresses, and the instance name. By specifying
2667
- # "option tcplog", each log line turns into a much richer format including, but
2668
- # not limited to, the connection timers, the session status, the connections
2669
- # numbers, the frontend, backend and server name, and of course the source
2670
- # address and ports. This option is useful for pure TCP proxies in order to
2671
- # find which of the client or server disconnects or times out. For normal HTTP
2672
- # proxies, it's better to use "option httplog" which is even more complete.
2673
- #
2674
- # This option may be set either in the frontend or the backend.
2675
- #
2676
- # See also : "option httplog", and section 8 about logging.
2677
- #
2678
- attr_accessor :option_tcplog
2679
-
2680
- #
2681
- # rate-limit sessions <rate>
2682
- # Set a limit on the number of new sessions accepted per second on a frontend
2683
- # May be used in sections : defaults | frontend | listen | backend
2684
- # yes | yes | yes | no
2685
- # Arguments :
2686
- # <rate> The <rate> parameter is an integer designating the maximum number
2687
- # of new sessions per second to accept on the frontend.
2688
- #
2689
- # When the frontend reaches the specified number of new sessions per second, it
2690
- # stops accepting new connections until the rate drops below the limit again.
2691
- # During this time, the pending sessions will be kept in the socket's backlog
2692
- # (in system buffers) and haproxy will not even be aware that sessions are
2693
- # pending. When applying very low limit on a highly loaded service, it may make
2694
- # sense to increase the socket's backlog using the "backlog" keyword.
2695
- #
2696
- # This feature is particularly efficient at blocking connection-based attacks
2697
- # or service abuse on fragile servers. Since the session rate is measured every
2698
- # millisecond, it is extremely accurate. Also, the limit applies immediately,
2699
- # no delay is needed at all to detect the threshold.
2700
- #
2701
- # Example : limit the connection rate on SMTP to 10 per second max
2702
- # listen smtp
2703
- # mode tcp
2704
- # bind :25
2705
- # rate-limit sessions 10
2706
- # server 127.0.0.1:1025
2707
- #
2708
- # Note : when the maximum rate is reached, the frontend's status appears as
2709
- # "FULL" in the statistics, exactly as when it is saturated.
2710
- #
2711
- # See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
2712
- #
2713
- attr_accessor :rate_limit_sessions
2714
-
2715
- #
2716
- # timeout client <timeout>
2717
- # timeout clitimeout <timeout> (deprecated)
2718
- # Set the maximum inactivity time on the client side.
2719
- # May be used in sections : defaults | frontend | listen | backend
2720
- # yes | yes | yes | no
2721
- # Arguments :
2722
- # <timeout> is the timeout value specified in milliseconds by default, but
2723
- # can be in any other unit if the number is suffixed by the unit,
2724
- # as explained at the top of this document.
2725
- #
2726
- # The inactivity timeout applies when the client is expected to acknowledge or
2727
- # send data. In HTTP mode, this timeout is particularly important to consider
2728
- # during the first phase, when the client sends the request, and during the
2729
- # response while it is reading data sent by the server. The value is specified
2730
- # in milliseconds by default, but can be in any other unit if the number is
2731
- # suffixed by the unit, as specified at the top of this document. In TCP mode
2732
- # (and to a lesser extent, in HTTP mode), it is highly recommended that the
2733
- # client timeout remains equal to the server timeout in order to avoid complex
2734
- # situations to debug. It is a good practice to cover one or several TCP packet
2735
- # losses by specifying timeouts that are slightly above multiples of 3 seconds
2736
- # (eg: 4 or 5 seconds).
2737
- #
2738
- # This parameter is specific to frontends, but can be specified once for all in
2739
- # "defaults" sections. This is in fact one of the easiest solutions not to
2740
- # forget about it. An unspecified timeout results in an infinite timeout, which
2741
- # is not recommended. Such a usage is accepted and works but reports a warning
2742
- # during startup because it may results in accumulation of expired sessions in
2743
- # the system if the system's timeouts are not configured either.
2744
- #
2745
- # This parameter replaces the old, deprecated "clitimeout". It is recommended
2746
- # to use it to write new configurations. The form "timeout clitimeout" is
2747
- # provided only by backwards compatibility but its use is strongly discouraged.
2748
- #
2749
- # See also : "clitimeout", "timeout server".
2750
- #
2751
- attr_accessor :timeout_client
2752
-
2753
- #
2754
- # timeout http-keep-alive <timeout>
2755
- # Set the maximum allowed time to wait for a new HTTP request to appear
2756
- # May be used in sections : defaults | frontend | listen | backend
2757
- # yes | yes | yes | yes
2758
- # Arguments :
2759
- # <timeout> is the timeout value specified in milliseconds by default, but
2760
- # can be in any other unit if the number is suffixed by the unit,
2761
- # as explained at the top of this document.
2762
- #
2763
- # By default, the time to wait for a new request in case of keep-alive is set
2764
- # by "timeout http-request". However this is not always convenient because some
2765
- # people want very short keep-alive timeouts in order to release connections
2766
- # faster, and others prefer to have larger ones but still have short timeouts
2767
- # once the request has started to present itself.
2768
- #
2769
- # The "http-keep-alive" timeout covers these needs. It will define how long to
2770
- # wait for a new HTTP request to start coming after a response was sent. Once
2771
- # the first byte of request has been seen, the "http-request" timeout is used
2772
- # to wait for the complete request to come. Note that empty lines prior to a
2773
- # new request do not refresh the timeout and are not counted as a new request.
2774
- #
2775
- # There is also another difference between the two timeouts : when a connection
2776
- # expires during timeout http-keep-alive, no error is returned, the connection
2777
- # just closes. If the connection expires in "http-request" while waiting for a
2778
- # connection to complete, a HTTP 408 error is returned.
2779
- #
2780
- # In general it is optimal to set this value to a few tens to hundreds of
2781
- # milliseconds, to allow users to fetch all objects of a page at once but
2782
- # without waiting for further clicks. Also, if set to a very small value (eg:
2783
- # 1 millisecond) it will probably only accept pipelined requests but not the
2784
- # non-pipelined ones. It may be a nice trade-off for very large sites running
2785
- # with tens to hundreds of thousands of clients.
2786
- #
2787
- # If this parameter is not set, the "http-request" timeout applies, and if both
2788
- # are not set, "timeout client" still applies at the lower level. It should be
2789
- # set in the frontend to take effect, unless the frontend is in TCP mode, in
2790
- # which case the HTTP backend's timeout will be used.
2791
- #
2792
- # See also : "timeout http-request", "timeout client".
2793
- #
2794
- attr_accessor :timeout_http_keep_alive
2795
-
2796
- #
2797
- # timeout http-request <timeout>
2798
- # Set the maximum allowed time to wait for a complete HTTP request
2799
- # May be used in sections : defaults | frontend | listen | backend
2800
- # yes | yes | yes | yes
2801
- # Arguments :
2802
- # <timeout> is the timeout value specified in milliseconds by default, but
2803
- # can be in any other unit if the number is suffixed by the unit,
2804
- # as explained at the top of this document.
2805
- #
2806
- # In order to offer DoS protection, it may be required to lower the maximum
2807
- # accepted time to receive a complete HTTP request without affecting the client
2808
- # timeout. This helps protecting against established connections on which
2809
- # nothing is sent. The client timeout cannot offer a good protection against
2810
- # this abuse because it is an inactivity timeout, which means that if the
2811
- # attacker sends one character every now and then, the timeout will not
2812
- # trigger. With the HTTP request timeout, no matter what speed the client
2813
- # types, the request will be aborted if it does not complete in time.
2814
- #
2815
- # Note that this timeout only applies to the header part of the request, and
2816
- # not to any data. As soon as the empty line is received, this timeout is not
2817
- # used anymore. It is used again on keep-alive connections to wait for a second
2818
- # request if "timeout http-keep-alive" is not set.
2819
- #
2820
- # Generally it is enough to set it to a few seconds, as most clients send the
2821
- # full request immediately upon connection. Add 3 or more seconds to cover TCP
2822
- # retransmits but that's all. Setting it to very low values (eg: 50 ms) will
2823
- # generally work on local networks as long as there are no packet losses. This
2824
- # will prevent people from sending bare HTTP requests using telnet.
2825
- #
2826
- # If this parameter is not set, the client timeout still applies between each
2827
- # chunk of the incoming request. It should be set in the frontend to take
2828
- # effect, unless the frontend is in TCP mode, in which case the HTTP backend's
2829
- # timeout will be used.
2830
- #
2831
- # See also : "timeout http-keep-alive", "timeout client".
2832
- #
2833
- attr_accessor :timeout_http_request
2834
-
2835
- #
2836
- # timeout tarpit <timeout>
2837
- # Set the duration for which tarpitted connections will be maintained
2838
- # May be used in sections : defaults | frontend | listen | backend
2839
- # yes | yes | yes | yes
2840
- # Arguments :
2841
- # <timeout> is the tarpit duration specified in milliseconds by default, but
2842
- # can be in any other unit if the number is suffixed by the unit,
2843
- # as explained at the top of this document.
2844
- #
2845
- # When a connection is tarpitted using "reqtarpit", it is maintained open with
2846
- # no activity for a certain amount of time, then closed. "timeout tarpit"
2847
- # defines how long it will be maintained open.
2848
- #
2849
- # The value is specified in milliseconds by default, but can be in any other
2850
- # unit if the number is suffixed by the unit, as specified at the top of this
2851
- # document. If unspecified, the same value as the backend's connection timeout
2852
- # ("timeout connect") is used, for backwards compatibility with older versions
2853
- # with no "timeout tarpit" parameter.
2854
- #
2855
- # See also : "timeout connect", "contimeout".
2856
- #
2857
- attr_accessor :timeout_tarpit
2858
-
2859
- attr_accessor :reqisetbe
2860
- attr_accessor :reqsetbe
2861
-
2862
- #
2863
- # name <name>
2864
- # The frontend name is required.
2865
- #
2866
- attr_accessor :name
17
+ include RhaproxyKeywords,
18
+ :exclude => [
19
+ :appsession,
20
+ :balance,
21
+ :cookie,
22
+ :default_server,
23
+ :dispatch,
24
+ :fullconn,
25
+ :hash_type,
26
+ :http_check_disable_on_404,
27
+ :http_check_expect,
28
+ :http_check_send_state,
29
+ :option_abortonclose,
30
+ :option_accept_invalid_http_response,
31
+ :option_allbackups,
32
+ :option_checkcache,
33
+ :option_httpchk,
34
+ :option_ldap_check,
35
+ :option_log_health_checks,
36
+ :option_mysql_check,
37
+ :option_persist,
38
+ :option_redispatch,
39
+ :option_smtpchk,
40
+ :option_srvtcpka,
41
+ :option_ssl_hello_chk,
42
+ :option_tcp_smart_connect,
43
+ :option_transparent,
44
+ :persist_rdp_cookie,
45
+ :retries,
46
+ :server,
47
+ :source,
48
+ :stats_admin,
49
+ :stats_auth,
50
+ :stats_enable,
51
+ :stats_hide_version,
52
+ :stats_http_request,
53
+ :stats_realm,
54
+ :stats_refresh,
55
+ :stats_scope,
56
+ :stats_show_desc,
57
+ :stats_show_legends,
58
+ :stats_show_node,
59
+ :stats_uri,
60
+ :stick_match,
61
+ :stick_on,
62
+ :stick_store_request,
63
+ :stick_table,
64
+ :tcp_response_content,
65
+ :tcp_response_inspect_delay,
66
+ :timeout_check,
67
+ :timeout_connect,
68
+ :timeout_queue,
69
+ :timeout_server
70
+ ]
2867
71
 
2868
72
  #
2869
73
  # Returns a new RhaproxyFrontend Object
2870
74
  #
2871
75
  def initialize()
76
+ @conf ||= []
77
+ @proxy_type = "frontend"
2872
78
  end
2873
79
 
2874
- #
2875
- # Compile the HAproxy frontend configuration
2876
- #
2877
- def config
2878
-
2879
- if @name
2880
-
2881
- conf = option_string()
2882
-
2883
- return conf
2884
-
2885
- else
2886
-
2887
- puts "frontend name not defined"
2888
-
2889
- return false
2890
-
2891
- end
2892
-
2893
- end
2894
-
2895
- private
2896
-
2897
- def option_string()
2898
-
2899
- ostring = " " + "frontend " + @name + "\n"
2900
-
2901
- if @acl
2902
- ostring += " " + "acl " + @acl.to_s + "\n"
2903
- end
2904
-
2905
- if @bind
2906
- ostring += " " + "bind " + @bind.to_s + "\n"
2907
- end
2908
-
2909
- if @block
2910
- ostring += " " + "block " + @block.to_s + "\n"
2911
- end
2912
-
2913
- if @capture_cookie
2914
- ostring += " " + "capture cookie " + @capture_cookie.to_s + "\n"
2915
- end
2916
-
2917
- if @capture_request_header
2918
- ostring += " " + "capture request header " + @capture_request_header.to_s + "\n"
2919
- end
2920
-
2921
- if @capture_response_header
2922
- ostring += " " + "capture response header " + @capture_response_header.to_s + "\n"
2923
- end
2924
-
2925
- if @force_persist
2926
- ostring += " " + "force-persist " + @force_persist.to_s + "\n"
2927
- end
2928
-
2929
- if @http_request
2930
- ostring += " " + "http-request " + @http_request.to_s + "\n"
2931
- end
2932
-
2933
- if @persistent_id
2934
- ostring += " " + "id " + @persistent_id.to_s + "\n"
2935
- end
2936
-
2937
- if @ignore_persist
2938
- ostring += " " + "ignore persist " + @ignore_persist.to_s + "\n"
2939
- end
2940
-
2941
- if @monitor_fail
2942
- ostring += " " + "monitor fail " + @monitor_fail.to_s + "\n"
2943
- end
2944
-
2945
- if @option_ignore_presist
2946
- ostring += " " + "option ignore-presist " + @option_ignore_presist.to_s + "\n"
2947
- end
2948
-
2949
- if @redirect
2950
- ostring += " " + "redirect " + @redirect.to_s + "\n"
2951
- end
2952
-
2953
- if @reqadd
2954
- ostring += " " + "reqadd " + @reqadd.to_s + "\n"
2955
- end
2956
-
2957
- if @reqallow
2958
- ostring += " " + "reqallow " + @reqallow.to_s + "\n"
2959
- end
2960
-
2961
- if @reqiallow
2962
- ostring += " " + "reqiallow " + @reqiallow.to_s + "\n"
2963
- end
2964
-
2965
- if @reqdel
2966
- ostring += " " + "reqdel " + @reqdel.to_s + "\n"
2967
- end
2968
-
2969
- if @reqidel
2970
- ostring += " " + "reqidel " + @reqidel.to_s + "\n"
2971
- end
2972
-
2973
- if @reqdeny
2974
- ostring += " " + "reqdeny " + @reqdeny.to_s + "\n"
2975
- end
2976
-
2977
- if @reqideny
2978
- ostring += " " + "reqideny " + @reqideny.to_s + "\n"
2979
- end
2980
-
2981
- if @reqpass
2982
- ostring += " " + "reqpass " + @reqpass.to_s + "\n"
2983
- end
2984
-
2985
- if @reqipass
2986
- ostring += " " + "reqipass " + @reqipass.to_s + "\n"
2987
- end
2988
-
2989
- if @reqrep
2990
- ostring += " " + "reqrep " + @reqrep.to_s + "\n"
2991
- end
2992
-
2993
- if @reqirep
2994
- ostring += " " + "reqirep " + @reqirep.to_s + "\n"
2995
- end
2996
-
2997
- if @reqtarpit
2998
- ostring += " " + "reqtarpit " + @reqtarpit.to_s + "\n"
2999
- end
3000
-
3001
- if @reqitarpit
3002
- ostring += " " + "reqitarpit " + @reqitarpit.to_s + "\n"
3003
- end
3004
-
3005
- if @rspadd
3006
- ostring += " " + "rspadd " + @rspadd.to_s + "\n"
3007
- end
3008
-
3009
- if @rspdel
3010
- ostring += " " + "rspdel " + @rspdel.to_s + "\n"
3011
- end
3012
-
3013
- if @rspidel
3014
- ostring += " " + "rspidel " + @rspidel.to_s + "\n"
3015
- end
3016
-
3017
- if @rspdeny
3018
- ostring += " " + "rspdeny " + @rspdeny.to_s + "\n"
3019
- end
3020
-
3021
- if @rspideny
3022
- ostring += " " + "rspideny " + @rspideny.to_s + "\n"
3023
- end
3024
-
3025
- if @rspirep
3026
- ostring += " " + "rspirep " + @rspirep.to_s + "\n"
3027
- end
3028
-
3029
- if @rsprep
3030
- ostring += " " + "rsprep " + @rsprep.to_s + "\n"
3031
- end
3032
-
3033
- if @tcp_request_connection
3034
- ostring += " " + "tcp-request connection " + @tcp_request_connection.to_s + "\n"
3035
- end
3036
-
3037
- if @tcp_request_content
3038
- ostring += " " + "tcp-request content " + @tcp_request_content.to_s + "\n"
3039
- end
3040
-
3041
- if @tcp_request_inspect_delay
3042
- ostring += " " + "tcp-request inspect-delay " + @tcp_request_inspect_delay.to_s + "\n"
3043
- end
3044
-
3045
- if @use_backend
3046
- ostring += " " + "use_backend " + @use_backend.to_s + "\n"
3047
- end
3048
-
3049
- if @description
3050
- ostring += " " + "description " + @description.to_s + "\n"
3051
- end
3052
-
3053
- if @reqisetbe
3054
- ostring += " " + "reqisetbe " + @reqisetbe.to_s + "\n"
3055
- end
3056
-
3057
- if @reqsetbe
3058
- ostring += " " + "reqsetbe " + @reqsetbe.to_s + "\n"
3059
- end
3060
-
3061
- if @backlog
3062
- ostring += " " + "backlog " + @backlog.to_s + "\n"
3063
- end
3064
-
3065
- if @bind_process
3066
- ostring += " " + "bind-process " + @bind_process.to_s + "\n"
3067
- end
3068
-
3069
- if @default_backend
3070
- ostring += " " + "default_backend " + @default_backend.to_s + "\n"
3071
- end
3072
-
3073
- if @disabled
3074
- ostring += " " + "disabled " + "\n"
3075
- end
3076
-
3077
- if @enabled
3078
- ostring += " " + "enabled " + "\n"
3079
- end
3080
-
3081
- if @errorfile
3082
- ostring += " " + "errorfile " + @errorfile.to_s + "\n"
3083
- end
3084
-
3085
- if @errorloc
3086
- ostring += " " + "errorloc " + @errorloc.to_s + "\n"
3087
- end
3088
-
3089
- if @errorloc302
3090
- ostring += " " + "errorloc302 " + @errorloc302.to_s + "\n"
3091
- end
3092
-
3093
- if @errorloc303
3094
- ostring += " " + "errorloc303 " + @errorloc303.to_s + "\n"
3095
- end
3096
-
3097
- if @grace
3098
- ostring += " " + "grace " + @grace.to_s + "\n"
3099
- end
3100
-
3101
- if @log
3102
- ostring += " " + "log " + @log.to_s + "\n"
3103
- end
3104
-
3105
- if @maxconn
3106
- ostring += " " + "maxconn " + @maxconn.to_s + "\n"
3107
- end
3108
-
3109
- if @mode
3110
- ostring += " " + "mode " + @mode.to_s + "\n"
3111
- end
3112
-
3113
- if @monitor_net
3114
- ostring += " " + "monitor-net " + @monitor_net.to_s + "\n"
3115
- end
3116
-
3117
- if @monitor_uri
3118
- ostring += " " + "monitor-uri " + @monitor_uri.to_s + "\n"
3119
- end
3120
-
3121
- if @option_accept_invalid_http_request
3122
- ostring += " " + "option accept-invalid-http-request " + "\n"
3123
- end
3124
-
3125
- if @option_clitcpka
3126
- ostring += " " + "option clitcpka " + "\n"
3127
- end
3128
-
3129
- if @option_contstats
3130
- ostring += " " + "option contstats " + "\n"
3131
- end
3132
-
3133
- if @option_dontlog_normal
3134
- ostring += " " + "option dontlog-normal " + "\n"
3135
- end
3136
-
3137
- if @option_dontlognull
3138
- ostring += " " + "option dontlognull " + "\n"
3139
- end
3140
-
3141
- if @option_forceclose
3142
- ostring += " " + "option forceclose " + "\n"
3143
- end
3144
-
3145
- if @option_forwardfor
3146
- ostring += " " + "option forwardfor " + @option_forwardfor.to_s + "\n"
3147
- end
3148
-
3149
- if @option_http_pretend_keepalive
3150
- ostring += " " + "option http-pretend-keepalive " + "\n"
3151
- end
3152
-
3153
- if @option_http_server_close
3154
- ostring += " " + "option http-server-close " + "\n"
3155
- end
3156
-
3157
- if @option_http_use_proxy_header
3158
- ostring += " " + "option http-use-proxy-header " + "\n"
3159
- end
3160
-
3161
- if @option_httpclose
3162
- ostring += " " + "option httpclose " + "\n"
3163
- end
3164
-
3165
- if @option_httplog
3166
- ostring += " " + "option httplog " + "\n"
3167
- end
3168
-
3169
- if @option_httplog_clf
3170
- ostring += " " + "option httplog " + @option_httplog_clf.to_s + "\n"
3171
- end
3172
-
3173
- if @option_http_proxy
3174
- ostring += " " + "option http_proxy " + "\n"
3175
- end
3176
-
3177
- if @option_independant_streams
3178
- ostring += " " + "option independant-streams " + "\n"
3179
- end
3180
-
3181
- if @option_log_separate_errors
3182
- ostring += " " + "option log-separate-errors " + "\n"
3183
- end
3184
-
3185
- if @option_logasap
3186
- ostring += " " + "option logasap " + "\n"
3187
- end
3188
-
3189
- if @option_nolinger
3190
- ostring += " " + "option nolinger " + "\n"
3191
- end
3192
-
3193
- if @option_originalto
3194
- ostring += " " + "option originalto " + @option_originalto.to_s + "\n"
3195
- end
3196
-
3197
- if @option_socket_stats
3198
- ostring += " " + "option socket-stats " + "\n"
3199
- end
3200
-
3201
- if @option_splice_auto
3202
- ostring += " " + "option splice-auto " + "\n"
3203
- end
3204
-
3205
- if @option_splice_request
3206
- ostring += " " + "option splice-request " + "\n"
3207
- end
3208
-
3209
- if @option_splice_response
3210
- ostring += " " + "option splice-response " + "\n"
3211
- end
3212
-
3213
- if @option_tcp_smart_accept
3214
- ostring += " " + "option tcp-smart-accept " + "\n"
3215
- end
3216
-
3217
- if @option_tcpka
3218
- ostring += " " + "option tcpka " + "\n"
3219
- end
3220
-
3221
- if @option_tcplog
3222
- ostring += " " + "option tcplog " + "\n"
3223
- end
3224
-
3225
- if @rate_limit_sessions
3226
- ostring += " " + "rate-limit sessions " + @rate_limit_sessions.to_s + "\n"
3227
- end
3228
-
3229
- if @timeout_client
3230
- ostring += " " + "timeout client " + @timeout_client.to_s + "\n"
3231
- end
3232
-
3233
- if @timeout_http_keep_alive
3234
- ostring += " " + "timeout http-keep-alive " + @timeout_http_keep_alive.to_s + "\n"
3235
- end
3236
-
3237
- if @timeout_http_request
3238
- ostring += " " + "timeout http-request " + @timeout_http_request.to_s + "\n"
3239
- end
3240
-
3241
- if @timeout_tarpit
3242
- ostring += " " + "timeout tarpit " + @timeout_tarpit.to_s + "\n"
3243
- end
3244
-
3245
- ostring += "\n"
3246
-
3247
- return ostring
3248
-
3249
- end
3250
80
  end
3251
81