rhaproxy 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. data/Changelog +41 -0
  2. data/README +8 -8
  3. data/lib/rhaproxy/backend.rb +29 -4989
  4. data/lib/rhaproxy/defaults.rb +66 -3682
  5. data/lib/rhaproxy/frontend.rb +56 -3226
  6. data/lib/rhaproxy/keywords.rb +6502 -0
  7. data/lib/rhaproxy/listen.rb +3 -6065
  8. data/lib/rhaproxy/mixins.rb +20 -0
  9. data/lib/rhaproxy.rb +2 -0
  10. metadata +6 -4
data/lib/rhaproxy/frontend.rb CHANGED
@@ -14,3238 +14,68 @@
14
14
  # connections.
15
15
  #
16
16
  class RhaproxyFrontend
17
-
18
- #
19
- # acl <aclname> <criterion> [flags] [operator] <value> ...
20
- # Declare or complete an access list.
21
- # May be used in sections : defaults | frontend | listen | backend
22
- # no | yes | yes | yes
23
- # Example:
24
- # acl invalid_src src 0.0.0.0/7 224.0.0.0/3
25
- # acl invalid_src src_port 0:1023
26
- # acl local_dst hdr(host) -i localhost
27
- #
28
- # See section 7 about ACL usage.
29
- #
30
- attr_accessor :acl
31
-
32
- #
33
- # bind [<address>]:<port_range> [, ...]
34
- # bind [<address>]:<port_range> [, ...] interface <interface>
35
- # bind [<address>]:<port_range> [, ...] mss <maxseg>
36
- # bind [<address>]:<port_range> [, ...] transparent
37
- # bind [<address>]:<port_range> [, ...] id <id>
38
- # bind [<address>]:<port_range> [, ...] name <name>
39
- # bind [<address>]:<port_range> [, ...] defer-accept
40
- # bind [<address>]:<port_range> [, ...] accept-proxy
41
- # bind /<path> [, ...]
42
- # bind /<path> [, ...] mode <mode>
43
- # bind /<path> [, ...] [ user <user> | uid <uid> ]
44
- # bind /<path> [, ...] [ group <user> | gid <gid> ]
45
- # Define one or several listening addresses and/or ports in a frontend.
46
- # May be used in sections : defaults | frontend | listen | backend
47
- # no | yes | yes | no
48
- # Arguments :
49
- # <address> is optional and can be a host name, an IPv4 address, an IPv6
50
- # address, or '*'. It designates the address the frontend will
51
- # listen on. If unset, all IPv4 addresses of the system will be
52
- # listened on. The same will apply for '*' or the system's
53
- # special address "0.0.0.0".
54
- #
55
- # <port_range> is either a unique TCP port, or a port range for which the
56
- # proxy will accept connections for the IP address specified
57
- # above. The port is mandatory for TCP listeners. Note that in
58
- # the case of an IPv6 address, the port is always the number
59
- # after the last colon (':'). A range can either be :
60
- # - a numerical port (ex: '80')
61
- # - a dash-delimited ports range explicitly stating the lower
62
- # and upper bounds (ex: '2000-2100') which are included in
63
- # the range.
64
- #
65
- # Particular care must be taken against port ranges, because
66
- # every <address:port> couple consumes one socket (= a file
67
- # descriptor), so it's easy to consume lots of descriptors
68
- # with a simple range, and to run out of sockets. Also, each
69
- # <address:port> couple must be used only once among all
70
- # instances running on a same system. Please note that binding
71
- # to ports lower than 1024 generally require particular
72
- # privileges to start the program, which are independant of
73
- # the 'uid' parameter.
74
- #
75
- # <path> is a UNIX socket path beginning with a slash ('/'). This is
76
- # alternative to the TCP listening port. Haproxy will then
77
- # receive UNIX connections on the socket located at this place.
78
- # The path must begin with a slash and by default is absolute.
79
- # It can be relative to the prefix defined by "unix-bind" in
80
- # the global section. Note that the total length of the prefix
81
- # followed by the socket path cannot exceed some system limits
82
- # for UNIX sockets, which commonly are set to 107 characters.
83
- #
84
- # <interface> is an optional physical interface name. This is currently
85
- # only supported on Linux. The interface must be a physical
86
- # interface, not an aliased interface. When specified, all
87
- # addresses on the same line will only be accepted if the
88
- # incoming packet physically come through the designated
89
- # interface. It is also possible to bind multiple frontends to
90
- # the same address if they are bound to different interfaces.
91
- # Note that binding to a physical interface requires root
92
- # privileges. This parameter is only compatible with TCP
93
- # sockets.
94
- #
95
- # <maxseg> is an optional TCP Maximum Segment Size (MSS) value to be
96
- # advertised on incoming connections. This can be used to force
97
- # a lower MSS for certain specific ports, for instance for
98
- # connections passing through a VPN. Note that this relies on a
99
- # kernel feature which is theorically supported under Linux but
100
- # was buggy in all versions prior to 2.6.28. It may or may not
101
- # work on other operating systems. The commonly advertised
102
- # value on Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP).
103
- # This parameter is only compatible with TCP sockets.
104
- #
105
- # <id> is a persistent value for socket ID. Must be positive and
106
- # unique in the proxy. An unused value will automatically be
107
- # assigned if unset. Can only be used when defining only a
108
- # single socket.
109
- #
110
- # <name> is an optional name provided for stats
111
- #
112
- # <mode> is the octal mode used to define access permissions on the
113
- # UNIX socket. It can also be set by default in the global
114
- # section's "unix-bind" statement. Note that some platforms
115
- # simply ignore this.
116
- #
117
- # <user> is the name of user that will be marked owner of the UNIX
118
- # socket. It can also be set by default in the global
119
- # section's "unix-bind" statement. Note that some platforms
120
- # simply ignore this.
121
- #
122
- # <group> is the name of a group that will be used to create the UNIX
123
- # socket. It can also be set by default in the global section's
124
- # "unix-bind" statement. Note that some platforms simply ignore
125
- # this.
126
- #
127
- # <uid> is the uid of user that will be marked owner of the UNIX
128
- # socket. It can also be set by default in the global section's
129
- # "unix-bind" statement. Note that some platforms simply ignore
130
- # this.
131
- #
132
- # <gid> is the gid of a group that will be used to create the UNIX
133
- # socket. It can also be set by default in the global section's
134
- # "unix-bind" statement. Note that some platforms simply ignore
135
- # this.
136
- #
137
- # transparent is an optional keyword which is supported only on certain
138
- # Linux kernels. It indicates that the addresses will be bound
139
- # even if they do not belong to the local machine. Any packet
140
- # targeting any of these addresses will be caught just as if
141
- # the address was locally configured. This normally requires
142
- # that IP forwarding is enabled. Caution! do not use this with
143
- # the default address '*', as it would redirect any traffic for
144
- # the specified port. This keyword is available only when
145
- # HAProxy is built with USE_LINUX_TPROXY=1. This parameter is
146
- # only compatible with TCP sockets.
147
- #
148
- # defer-accept is an optional keyword which is supported only on certain
149
- # Linux kernels. It states that a connection will only be
150
- # accepted once some data arrive on it, or at worst after the
151
- # first retransmit. This should be used only on protocols for
152
- # which the client talks first (eg: HTTP). It can slightly
153
- # improve performance by ensuring that most of the request is
154
- # already available when the connection is accepted. On the
155
- # other hand, it will not be able to detect connections which
156
- # don't talk. It is important to note that this option is
157
- # broken in all kernels up to 2.6.31, as the connection is
158
- # never accepted until the client talks. This can cause issues
159
- # with front firewalls which would see an established
160
- # connection while the proxy will only see it in SYN_RECV.
161
- #
162
- # accept-proxy is an optional keyword which enforces use of the PROXY
163
- # protocol over any connection accepted by this listener. The
164
- # PROXY protocol dictates the layer 3/4 addresses of the
165
- # incoming connection to be used everywhere an address is used,
166
- # with the only exception of "tcp-request connection" rules
167
- # which will only see the real connection address. Logs will
168
- # reflect the addresses indicated in the protocol, unless it is
169
- # violated, in which case the real address will still be used.
170
- # This keyword combined with support from external components
171
- # can be used as an efficient and reliable alternative to the
172
- # X-Forwarded-For mechanism which is not always reliable and
173
- # not even always usable.
174
- #
175
- # It is possible to specify a list of address:port combinations delimited by
176
- # commas. The frontend will then listen on all of these addresses. There is no
177
- # fixed limit to the number of addresses and ports which can be listened on in
178
- # a frontend, as well as there is no limit to the number of "bind" statements
179
- # in a frontend.
180
- #
181
- # Example :
182
- # listen http_proxy
183
- # bind :80,:443
184
- # bind 10.0.0.1:10080,10.0.0.1:10443
185
- # bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
186
- #
187
- # See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
188
- # documentation.
189
- #
190
- attr_accessor :bind
191
-
192
- #
193
- # block { if | unless } <condition>
194
- # Block a layer 7 request if/unless a condition is matched
195
- # May be used in sections : defaults | frontend | listen | backend
196
- # no | yes | yes | yes
197
- #
198
- # The HTTP request will be blocked very early in the layer 7 processing
199
- # if/unless <condition> is matched. A 403 error will be returned if the request
200
- # is blocked. The condition has to reference ACLs (see section 7). This is
201
- # typically used to deny access to certain sensible resources if some
202
- # conditions are met or not met. There is no fixed limit to the number of
203
- # "block" statements per instance.
204
- #
205
- # Example:
206
- # acl invalid_src src 0.0.0.0/7 224.0.0.0/3
207
- # acl invalid_src src_port 0:1023
208
- # acl local_dst hdr(host) -i localhost
209
- # block if invalid_src || local_dst
210
- #
211
- # See section 7 about ACL usage.
212
- #
213
- attr_accessor :block
214
-
215
- #
216
- # capture cookie <name> len <length>
217
- # Capture and log a cookie in the request and in the response.
218
- # May be used in sections : defaults | frontend | listen | backend
219
- # no | yes | yes | no
220
- # Arguments :
221
- # <name> is the beginning of the name of the cookie to capture. In order
222
- # to match the exact name, simply suffix the name with an equal
223
- # sign ('='). The full name will appear in the logs, which is
224
- # useful with application servers which adjust both the cookie name
225
- # and value (eg: ASPSESSIONXXXXX).
226
- #
227
- # <length> is the maximum number of characters to report in the logs, which
228
- # include the cookie name, the equal sign and the value, all in the
229
- # standard "name=value" form. The string will be truncated on the
230
- # right if it exceeds <length>.
231
- #
232
- # Only the first cookie is captured. Both the "cookie" request headers and the
233
- # "set-cookie" response headers are monitored. This is particularly useful to
234
- # check for application bugs causing session crossing or stealing between
235
- # users, because generally the user's cookies can only change on a login page.
236
- #
237
- # When the cookie was not presented by the client, the associated log column
238
- # will report "-". When a request does not cause a cookie to be assigned by the
239
- # server, a "-" is reported in the response column.
240
- #
241
- # The capture is performed in the frontend only because it is necessary that
242
- # the log format does not change for a given frontend depending on the
243
- # backends. This may change in the future. Note that there can be only one
244
- # "capture cookie" statement in a frontend. The maximum capture length is
245
- # configured in the sources by default to 64 characters. It is not possible to
246
- # specify a capture in a "defaults" section.
247
- #
248
- # Example:
249
- # capture cookie ASPSESSION len 32
250
- #
251
- # See also : "capture request header", "capture response header" as well as
252
- # section 8 about logging.
253
- #
254
- attr_accessor :capture_cookie
255
-
256
- #
257
- # capture request header <name> len <length>
258
- # Capture and log the first occurrence of the specified request header.
259
- # May be used in sections : defaults | frontend | listen | backend
260
- # no | yes | yes | no
261
- # Arguments :
262
- # <name> is the name of the header to capture. The header names are not
263
- # case-sensitive, but it is a common practice to write them as they
264
- # appear in the requests, with the first letter of each word in
265
- # upper case. The header name will not appear in the logs, only the
266
- # value is reported, but the position in the logs is respected.
267
- #
268
- # <length> is the maximum number of characters to extract from the value and
269
- # report in the logs. The string will be truncated on the right if
270
- # it exceeds <length>.
271
- #
272
- # Only the first value of the last occurrence of the header is captured. The
273
- # value will be added to the logs between braces ('{}'). If multiple headers
274
- # are captured, they will be delimited by a vertical bar ('|') and will appear
275
- # in the same order they were declared in the configuration. Non-existent
276
- # headers will be logged just as an empty string. Common uses for request
277
- # header captures include the "Host" field in virtual hosting environments, the
278
- # "Content-length" when uploads are supported, "User-agent" to quickly
279
- # differentiate between real users and robots, and "X-Forwarded-For" in proxied
280
- # environments to find where the request came from.
281
- #
282
- # Note that when capturing headers such as "User-agent", some spaces may be
283
- # logged, making the log analysis more difficult. Thus be careful about what
284
- # you log if you know your log parser is not smart enough to rely on the
285
- # braces.
286
- #
287
- # There is no limit to the number of captured request headers, but each capture
288
- # is limited to 64 characters. In order to keep log format consistent for a
289
- # same frontend, header captures can only be declared in a frontend. It is not
290
- # possible to specify a capture in a "defaults" section.
291
- #
292
- # Example:
293
- # capture request header Host len 15
294
- # capture request header X-Forwarded-For len 15
295
- # capture request header Referrer len 15
296
- #
297
- # See also : "capture cookie", "capture response header" as well as section 8
298
- # about logging.
299
- #
300
- attr_accessor :capture_request_header
301
-
302
- #
303
- # capture response header <name> len <length>
304
- # Capture and log the first occurrence of the specified response header.
305
- # May be used in sections : defaults | frontend | listen | backend
306
- # no | yes | yes | no
307
- # Arguments :
308
- # <name> is the name of the header to capture. The header names are not
309
- # case-sensitive, but it is a common practice to write them as they
310
- # appear in the response, with the first letter of each word in
311
- # upper case. The header name will not appear in the logs, only the
312
- # value is reported, but the position in the logs is respected.
313
- #
314
- # <length> is the maximum number of characters to extract from the value and
315
- # report in the logs. The string will be truncated on the right if
316
- # it exceeds <length>.
317
- #
318
- # Only the first value of the last occurrence of the header is captured. The
319
- # result will be added to the logs between braces ('{}') after the captured
320
- # request headers. If multiple headers are captured, they will be delimited by
321
- # a vertical bar ('|') and will appear in the same order they were declared in
322
- # the configuration. Non-existent headers will be logged just as an empty
323
- # string. Common uses for response header captures include the "Content-length"
324
- # header which indicates how many bytes are expected to be returned, the
325
- # "Location" header to track redirections.
326
- #
327
- # There is no limit to the number of captured response headers, but each
328
- # capture is limited to 64 characters. In order to keep log format consistent
329
- # for a same frontend, header captures can only be declared in a frontend. It
330
- # is not possible to specify a capture in a "defaults" section.
331
- #
332
- # Example:
333
- # capture response header Content-length len 9
334
- # capture response header Location len 15
335
- #
336
- # See also : "capture cookie", "capture request header" as well as section 8
337
- # about logging.
338
- #
339
- attr_accessor :capture_response_header
340
-
341
- #
342
- # force-persist { if | unless } <condition>
343
- # Declare a condition to force persistence on down servers
344
- # May be used in sections: defaults | frontend | listen | backend
345
- # no | yes | yes | yes
346
- #
347
- # By default, requests are not dispatched to down servers. It is possible to
348
- # force this using "option persist", but it is unconditional and redispatches
349
- # to a valid server if "option redispatch" is set. That leaves with very little
350
- # possibilities to force some requests to reach a server which is artificially
351
- # marked down for maintenance operations.
352
- #
353
- # The "force-persist" statement allows one to declare various ACL-based
354
- # conditions which, when met, will cause a request to ignore the down status of
355
- # a server and still try to connect to it. That makes it possible to start a
356
- # server, still replying an error to the health checks, and run a specially
357
- # configured browser to test the service. Among the handy methods, one could
358
- # use a specific source IP address, or a specific cookie. The cookie also has
359
- # the advantage that it can easily be added/removed on the browser from a test
360
- # page. Once the service is validated, it is then possible to open the service
361
- # to the world by returning a valid response to health checks.
362
- #
363
- # The forced persistence is enabled when an "if" condition is met, or unless an
364
- # "unless" condition is met. The final redispatch is always disabled when this
365
- # is used.
366
- #
367
- # See also : "option redispatch", "ignore-persist", "persist",
368
- # and section 7 about ACL usage.
369
- #
370
- attr_accessor :force_persist
371
-
372
- #
373
- # http-request { allow | deny | auth [realm <realm>] }
374
- # [ { if | unless } <condition> ]
375
- # Access control for Layer 7 requests
376
- #
377
- # May be used in sections: defaults | frontend | listen | backend
378
- # no | yes | yes | yes
379
- #
380
- # These set of options allow to fine control access to a
381
- # frontend/listen/backend. Each option may be followed by if/unless and acl.
382
- # First option with matched condition (or option without condition) is final.
383
- # For "deny" a 403 error will be returned, for "allow" normal processing is
384
- # performed, for "auth" a 401/407 error code is returned so the client
385
- # should be asked to enter a username and password.
386
- #
387
- # There is no fixed limit to the number of http-request statements per
388
- # instance.
389
- #
390
- # Example:
391
- # acl nagios src 192.168.129.3
392
- # acl local_net src 192.168.0.0/16
393
- # acl auth_ok http_auth(L1)
394
- #
395
- # http-request allow if nagios
396
- # http-request allow if local_net auth_ok
397
- # http-request auth realm Gimme if local_net auth_ok
398
- # http-request deny
399
- #
400
- # Example:
401
- # acl auth_ok http_auth_group(L1) G1
402
- #
403
- # http-request auth unless auth_ok
404
- #
405
- # See also : "stats http-request", section 3.4 about userlists and section 7
406
- # about ACL usage.
407
- #
408
- attr_accessor :http_request
409
-
410
- # id <value>
411
- # Set a persistent ID to a proxy.
412
- # May be used in sections : defaults | frontend | listen | backend
413
- # no | yes | yes | yes
414
- # Arguments : none
415
- #
416
- # Set a persistent ID for the proxy. This ID must be unique and positive.
417
- # An unused ID will automatically be assigned if unset. The first assigned
418
- # value will be 1. This ID is currently only returned in statistics.
419
- #
420
- attr_accessor :persistent_id
421
-
422
- #
423
- # ignore-persist { if | unless } <condition>
424
- # Declare a condition to ignore persistence
425
- # May be used in sections: defaults | frontend | listen | backend
426
- # no | yes | yes | yes
427
- #
428
- # By default, when cookie persistence is enabled, every requests containing
429
- # the cookie are unconditionally persistent (assuming the target server is up
430
- # and running).
431
- #
432
- # The "ignore-persist" statement allows one to declare various ACL-based
433
- # conditions which, when met, will cause a request to ignore persistence.
434
- # This is sometimes useful to load balance requests for static files, which
435
- # oftenly don't require persistence. This can also be used to fully disable
436
- # persistence for a specific User-Agent (for example, some web crawler bots).
437
- #
438
- # Combined with "appsession", it can also help reduce HAProxy memory usage, as
439
- # the appsession table won't grow if persistence is ignored.
440
- #
441
- # The persistence is ignored when an "if" condition is met, or unless an
442
- # "unless" condition is met.
443
- #
444
- # See also : "force-persist", "cookie", and section 7 about ACL usage.
445
- #
446
- attr_accessor :ignore_persist
447
-
448
- #
449
- # monitor fail { if | unless } <condition>
450
- # Add a condition to report a failure to a monitor HTTP request.
451
- # May be used in sections : defaults | frontend | listen | backend
452
- # no | yes | yes | no
453
- # Arguments :
454
- # if <cond> the monitor request will fail if the condition is satisfied,
455
- # and will succeed otherwise. The condition should describe a
456
- # combined test which must induce a failure if all conditions
457
- # are met, for instance a low number of servers both in a
458
- # backend and its backup.
459
- #
460
- # unless <cond> the monitor request will succeed only if the condition is
461
- # satisfied, and will fail otherwise. Such a condition may be
462
- # based on a test on the presence of a minimum number of active
463
- # servers in a list of backends.
464
- #
465
- # This statement adds a condition which can force the response to a monitor
466
- # request to report a failure. By default, when an external component queries
467
- # the URI dedicated to monitoring, a 200 response is returned. When one of the
468
- # conditions above is met, haproxy will return 503 instead of 200. This is
469
- # very useful to report a site failure to an external component which may base
470
- # routing advertisements between multiple sites on the availability reported by
471
- # haproxy. In this case, one would rely on an ACL involving the "nbsrv"
472
- # criterion. Note that "monitor fail" only works in HTTP mode.
473
- #
474
- # Example:
475
- # frontend www
476
- # mode http
477
- # acl site_dead nbsrv(dynamic) lt 2
478
- # acl site_dead nbsrv(static) lt 2
479
- # monitor-uri /site_alive
480
- # monitor fail if site_dead
481
- #
482
- # See also : "monitor-net", "monitor-uri"
483
- #
484
- attr_accessor :monitor_fail
485
-
486
- #
487
- # option ignore-persist { if | unless } <condition>
488
- # Declare a condition to ignore persistence
489
- # May be used in sections: defaults | frontend | listen | backend
490
- # no | yes | yes | yes
491
- #
492
- # By default, when cookie persistence is enabled, every requests containing
493
- # the cookie are unconditionally persistent (assuming the target server is up
494
- # and running).
495
- #
496
- # The "ignore-persist" statement allows one to declare various ACL-based
497
- # conditions which, when met, will cause a request to ignore persistence.
498
- # This is sometimes useful to load balance requests for static files, which
499
- # oftenly don't require persistence. This can also be used to fully disable
500
- # persistence for a specific User-Agent (for example, some web crawler bots).
501
- #
502
- # Combined with "appsession", it can also help reduce HAProxy memory usage, as
503
- # the appsession table won't grow if persistence is ignored.
504
- #
505
- # The persistence is ignored when an "if" condition is met, or unless an
506
- # "unless" condition is met.
507
- #
508
- # See also : "option force-persist", "cookie", and section 7 about ACL usage.
509
- #
510
- attr_accessor :option_ignore_presist
511
-
512
- #
513
- # redirect location <to> [code <code>] <option> [(if | unless) <condition>]
514
- # redirect prefix <to> [code <code>] <option> [(if | unless) <condition>]
515
- # Return an HTTP redirection if/unless a condition is matched
516
- # May be used in sections : defaults | frontend | listen | backend
517
- # no | yes | yes | yes
518
- #
519
- # If/unless the condition is matched, the HTTP request will lead to a redirect
520
- # response. If no condition is specified, the redirect applies unconditionally.
521
- #
522
- # Arguments :
523
- # <to> With "redirect location", the exact value in <to> is placed into
524
- # the HTTP "Location" header. In case of "redirect prefix", the
525
- # "Location" header is built from the concatenation of <to> and the
526
- # complete URI, including the query string, unless the "drop-query"
527
- # option is specified (see below). As a special case, if <to>
528
- # equals exactly "/" in prefix mode, then nothing is inserted
529
- # before the original URI. It allows one to redirect to the same
530
- # URL.
531
- #
532
- # <code> The code is optional. It indicates which type of HTTP redirection
533
- # is desired. Only codes 301, 302 and 303 are supported, and 302 is
534
- # used if no code is specified. 301 means "Moved permanently", and
535
- # a browser may cache the Location. 302 means "Moved permanently"
536
- # and means that the browser should not cache the redirection. 303
537
- # is equivalent to 302 except that the browser will fetch the
538
- # location with a GET method.
539
- #
540
- # <option> There are several options which can be specified to adjust the
541
- # expected behaviour of a redirection :
542
- #
543
- # - "drop-query"
544
- # When this keyword is used in a prefix-based redirection, then the
545
- # location will be set without any possible query-string, which is useful
546
- # for directing users to a non-secure page for instance. It has no effect
547
- # with a location-type redirect.
548
- #
549
- # - "append-slash"
550
- # This keyword may be used in conjunction with "drop-query" to redirect
551
- # users who use a URL not ending with a '/' to the same one with the '/'.
552
- # It can be useful to ensure that search engines will only see one URL.
553
- # For this, a return code 301 is preferred.
554
- #
555
- # - "set-cookie NAME[=value]"
556
- # A "Set-Cookie" header will be added with NAME (and optionally "=value")
557
- # to the response. This is sometimes used to indicate that a user has
558
- # been seen, for instance to protect against some types of DoS. No other
559
- # cookie option is added, so the cookie will be a session cookie. Note
560
- # that for a browser, a sole cookie name without an equal sign is
561
- # different from a cookie with an equal sign.
562
- #
563
- # - "clear-cookie NAME[=]"
564
- # A "Set-Cookie" header will be added with NAME (and optionally "="), but
565
- # with the "Max-Age" attribute set to zero. This will tell the browser to
566
- # delete this cookie. It is useful for instance on logout pages. It is
567
- # important to note that clearing the cookie "NAME" will not remove a
568
- # cookie set with "NAME=value". You have to clear the cookie "NAME=" for
569
- # that, because the browser makes the difference.
570
- #
571
- # Example: move the login URL only to HTTPS.
572
- # acl clear dst_port 80
573
- # acl secure dst_port 8080
574
- # acl login_page url_beg /login
575
- # acl logout url_beg /logout
576
- # acl uid_given url_reg /login?userid=[^&]+
577
- # acl cookie_set hdr_sub(cookie) SEEN=1
578
- #
579
- # redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
580
- # redirect prefix https://mysite.com if login_page !secure
581
- # redirect prefix http://mysite.com drop-query if login_page !uid_given
582
- # redirect location http://mysite.com/ if !login_page secure
583
- # redirect location / clear-cookie USERID= if logout
584
- #
585
- # Example: send redirects for request for articles without a '/'.
586
- # acl missing_slash path_reg ^/article/[^/]*$
587
- # redirect code 301 prefix / drop-query append-slash if missing_slash
588
- #
589
- # See section 7 about ACL usage.
590
- #
591
- attr_accessor :redirect
592
-
593
- #
594
- # reqadd <string> [(if | unless) <cond>]
595
- # Add a header at the end of the HTTP request
596
- # May be used in sections : defaults | frontend | listen | backend
597
- # no | yes | yes | yes
598
- # Arguments :
599
- # <string> is the complete line to be added. Any space or known delimiter
600
- # must be escaped using a backslash ('\'). Please refer to section
601
- # 6 about HTTP header manipulation for more information.
602
- #
603
- # <cond> is an optional matching condition built from ACLs. It makes it
604
- # possible to ignore this rule when other conditions are not met.
605
- #
606
- # A new line consisting in <string> followed by a line feed will be added after
607
- # the last header of an HTTP request.
608
- #
609
- # Header transformations only apply to traffic which passes through HAProxy,
610
- # and not to traffic generated by HAProxy, such as health-checks or error
611
- # responses.
612
- #
613
- # Example : add "X-Proto: SSL" to requests coming via port 81
614
- # acl is-ssl dst_port 81
615
- # reqadd X-Proto:\ SSL if is-ssl
616
- #
617
- # See also: "rspadd", section 6 about HTTP header manipulation, and section 7
618
- # about ACLs.
619
- #
620
- attr_accessor :reqadd
621
-
622
- #
623
- # reqallow <search> [(if | unless) <cond>]
624
- # reqiallow <search> [(if | unless) <cond>] (ignore case)
625
- # Definitely allow an HTTP request if a line matches a regular expression
626
- # May be used in sections : defaults | frontend | listen | backend
627
- # no | yes | yes | yes
628
- # Arguments :
629
- # <search> is the regular expression applied to HTTP headers and to the
630
- # request line. This is an extended regular expression. Parenthesis
631
- # grouping is supported and no preliminary backslash is required.
632
- # Any space or known delimiter must be escaped using a backslash
633
- # ('\'). The pattern applies to a full line at a time. The
634
- # "reqallow" keyword strictly matches case while "reqiallow"
635
- # ignores case.
636
- #
637
- # <cond> is an optional matching condition built from ACLs. It makes it
638
- # possible to ignore this rule when other conditions are not met.
639
- #
640
- # A request containing any line which matches extended regular expression
641
- # <search> will mark the request as allowed, even if any later test would
642
- # result in a deny. The test applies both to the request line and to request
643
- # headers. Keep in mind that URLs in request line are case-sensitive while
644
- # header names are not.
645
- #
646
- # It is easier, faster and more powerful to use ACLs to write access policies.
647
- # Reqdeny, reqallow and reqpass should be avoided in new designs.
648
- #
649
- # Example :
650
- # # allow www.* but refuse *.local
651
- # reqiallow ^Host:\ www\.
652
- # reqideny ^Host:\ .*\.local
653
- #
654
- # See also: "reqdeny", "block", section 6 about HTTP header manipulation, and
655
- # section 7 about ACLs.
656
- #
657
- attr_accessor :reqallow
658
- attr_accessor :reqiallow
659
-
660
- #
661
- # reqdel <search> [(if | unless) <cond>]
662
- # reqidel <search> [(if | unless) <cond>] (ignore case)
663
- # Delete all headers matching a regular expression in an HTTP request
664
- # May be used in sections : defaults | frontend | listen | backend
665
- # no | yes | yes | yes
666
- # Arguments :
667
- # <search> is the regular expression applied to HTTP headers and to the
668
- # request line. This is an extended regular expression. Parenthesis
669
- # grouping is supported and no preliminary backslash is required.
670
- # Any space or known delimiter must be escaped using a backslash
671
- # ('\'). The pattern applies to a full line at a time. The "reqdel"
672
- # keyword strictly matches case while "reqidel" ignores case.
673
- #
674
- # <cond> is an optional matching condition built from ACLs. It makes it
675
- # possible to ignore this rule when other conditions are not met.
676
- #
677
- # Any header line matching extended regular expression <search> in the request
678
- # will be completely deleted. Most common use of this is to remove unwanted
679
- # and/or dangerous headers or cookies from a request before passing it to the
680
- # next servers.
681
- #
682
- # Header transformations only apply to traffic which passes through HAProxy,
683
- # and not to traffic generated by HAProxy, such as health-checks or error
684
- # responses. Keep in mind that header names are not case-sensitive.
685
- #
686
- # Example :
687
- # # remove X-Forwarded-For header and SERVER cookie
688
- # reqidel ^X-Forwarded-For:.*
689
- # reqidel ^Cookie:.*SERVER=
690
- #
691
- # See also: "reqadd", "reqrep", "rspdel", section 6 about HTTP header
692
- # manipulation, and section 7 about ACLs.
693
- #
694
- attr_accessor :reqdel
695
- attr_accessor :reqidel
696
-
697
- #
698
- # reqdeny <search> [(if | unless) <cond>]
699
- # reqideny <search> [(if | unless) <cond>] (ignore case)
700
- # Deny an HTTP request if a line matches a regular expression
701
- # May be used in sections : defaults | frontend | listen | backend
702
- # no | yes | yes | yes
703
- # Arguments :
704
- # <search> is the regular expression applied to HTTP headers and to the
705
- # request line. This is an extended regular expression. Parenthesis
706
- # grouping is supported and no preliminary backslash is required.
707
- # Any space or known delimiter must be escaped using a backslash
708
- # ('\'). The pattern applies to a full line at a time. The
709
- # "reqdeny" keyword strictly matches case while "reqideny" ignores
710
- # case.
711
- #
712
- # <cond> is an optional matching condition built from ACLs. It makes it
713
- # possible to ignore this rule when other conditions are not met.
714
- #
715
- # A request containing any line which matches extended regular expression
716
- # <search> will mark the request as denied, even if any later test would
717
- # result in an allow. The test applies both to the request line and to request
718
- # headers. Keep in mind that URLs in request line are case-sensitive while
719
- # header names are not.
720
- #
721
- # A denied request will generate an "HTTP 403 forbidden" response once the
722
- # complete request has been parsed. This is consistent with what is practiced
723
- # using ACLs.
724
- #
725
- # It is easier, faster and more powerful to use ACLs to write access policies.
726
- # Reqdeny, reqallow and reqpass should be avoided in new designs.
727
- #
728
- # Example :
729
- # # refuse *.local, then allow www.*
730
- # reqideny ^Host:\ .*\.local
731
- # reqiallow ^Host:\ www\.
732
- #
733
- # See also: "reqallow", "rspdeny", "block", section 6 about HTTP header
734
- # manipulation, and section 7 about ACLs.
735
- #
736
- attr_accessor :reqdeny
737
- attr_accessor :reqideny
738
-
739
- #
740
- # reqpass <search> [(if | unless) <cond>]
741
- # reqipass <search> [(if | unless) <cond>] (ignore case)
742
- # Ignore any HTTP request line matching a regular expression in next rules
743
- # May be used in sections : defaults | frontend | listen | backend
744
- # no | yes | yes | yes
745
- # Arguments :
746
- # <search> is the regular expression applied to HTTP headers and to the
747
- # request line. This is an extended regular expression. Parenthesis
748
- # grouping is supported and no preliminary backslash is required.
749
- # Any space or known delimiter must be escaped using a backslash
750
- # ('\'). The pattern applies to a full line at a time. The
751
- # "reqpass" keyword strictly matches case while "reqipass" ignores
752
- # case.
753
- #
754
- # <cond> is an optional matching condition built from ACLs. It makes it
755
- # possible to ignore this rule when other conditions are not met.
756
- #
757
- # A request containing any line which matches extended regular expression
758
- # <search> will skip next rules, without assigning any deny or allow verdict.
759
- # The test applies both to the request line and to request headers. Keep in
760
- # mind that URLs in request line are case-sensitive while header names are not.
761
- #
762
- # It is easier, faster and more powerful to use ACLs to write access policies.
763
- # Reqdeny, reqallow and reqpass should be avoided in new designs.
764
- #
765
- # Example :
766
- # # refuse *.local, then allow www.*, but ignore "www.private.local"
767
- # reqipass ^Host:\ www.private\.local
768
- # reqideny ^Host:\ .*\.local
769
- # reqiallow ^Host:\ www\.
770
- #
771
- # See also: "reqallow", "reqdeny", "block", section 6 about HTTP header
772
- # manipulation, and section 7 about ACLs.
773
- #
774
- attr_accessor :reqpass
775
- attr_accessor :reqipass
776
-
777
- #
778
- # reqrep <search> <string> [(if | unless) <cond>]
779
- # reqirep <search> <string> [(if | unless) <cond>] (ignore case)
780
- # Replace a regular expression with a string in an HTTP request line
781
- # May be used in sections : defaults | frontend | listen | backend
782
- # no | yes | yes | yes
783
- # Arguments :
784
- # <search> is the regular expression applied to HTTP headers and to the
785
- # request line. This is an extended regular expression. Parenthesis
786
- # grouping is supported and no preliminary backslash is required.
787
- # Any space or known delimiter must be escaped using a backslash
788
- # ('\'). The pattern applies to a full line at a time. The "reqrep"
789
- # keyword strictly matches case while "reqirep" ignores case.
790
- #
791
- # <string> is the complete line to be added. Any space or known delimiter
792
- # must be escaped using a backslash ('\'). References to matched
793
- # pattern groups are possible using the common \N form, with N
794
- # being a single digit between 0 and 9. Please refer to section
795
- # 6 about HTTP header manipulation for more information.
796
- #
797
- # <cond> is an optional matching condition built from ACLs. It makes it
798
- # possible to ignore this rule when other conditions are not met.
799
- #
800
- # Any line matching extended regular expression <search> in the request (both
801
- # the request line and header lines) will be completely replaced with <string>.
802
- # Most common use of this is to rewrite URLs or domain names in "Host" headers.
803
- #
804
- # Header transformations only apply to traffic which passes through HAProxy,
805
- # and not to traffic generated by HAProxy, such as health-checks or error
806
- # responses. Note that for increased readability, it is suggested to add enough
807
- # spaces between the request and the response. Keep in mind that URLs in
808
- # request line are case-sensitive while header names are not.
809
- #
810
- # Example :
811
- # # replace "/static/" with "/" at the beginning of any request path.
812
- # reqrep ^([^\ ]*)\ /static/(.*) \1\ /\2
813
- # # replace "www.mydomain.com" with "www" in the host name.
814
- # reqirep ^Host:\ www.mydomain.com Host:\ www
815
- #
816
- # See also: "reqadd", "reqdel", "rsprep", section 6 about HTTP header
817
- # manipulation, and section 7 about ACLs.
818
- #
819
- attr_accessor :reqrep
820
- attr_accessor :reqirep
821
-
822
- #
823
- # reqtarpit <search> [(if | unless) <cond>]
824
- # reqitarpit <search> [(if | unless) <cond>] (ignore case)
825
- # Tarpit an HTTP request containing a line matching a regular expression
826
- # May be used in sections : defaults | frontend | listen | backend
827
- # no | yes | yes | yes
828
- # Arguments :
829
- # <search> is the regular expression applied to HTTP headers and to the
830
- # request line. This is an extended regular expression. Parenthesis
831
- # grouping is supported and no preliminary backslash is required.
832
- # Any space or known delimiter must be escaped using a backslash
833
- # ('\'). The pattern applies to a full line at a time. The
834
- # "reqtarpit" keyword strictly matches case while "reqitarpit"
835
- # ignores case.
836
- #
837
- # <cond> is an optional matching condition built from ACLs. It makes it
838
- # possible to ignore this rule when other conditions are not met.
839
- #
840
- # A request containing any line which matches extended regular expression
841
- # <search> will be tarpitted, which means that it will connect to nowhere, will
842
- # be kept open for a pre-defined time, then will return an HTTP error 500 so
843
- # that the attacker does not suspect it has been tarpitted. The status 500 will
844
- # be reported in the logs, but the completion flags will indicate "PT". The
845
- # delay is defined by "timeout tarpit", or "timeout connect" if the former is
846
- # not set.
847
- #
848
- # The goal of the tarpit is to slow down robots attacking servers with
849
- # identifiable requests. Many robots limit their outgoing number of connections
850
- # and stay connected waiting for a reply which can take several minutes to
851
- # come. Depending on the environment and attack, it may be particularly
852
- # efficient at reducing the load on the network and firewalls.
853
- #
854
- # Examples :
855
- # # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
856
- # # block all others.
857
- # reqipass ^User-Agent:\.*(Mozilla|MSIE)
858
- # reqitarpit ^User-Agent:
859
- #
860
- # # block bad guys
861
- # acl badguys src 10.1.0.3 172.16.13.20/28
862
- # reqitarpit . if badguys
863
- #
864
- # See also: "reqallow", "reqdeny", "reqpass", section 6 about HTTP header
865
- # manipulation, and section 7 about ACLs.
866
- #
867
- attr_accessor :reqtarpit
868
- attr_accessor :reqitarpit
869
-
870
- #
871
- # rspadd <string> [(if | unless) <cond>]
872
- # Add a header at the end of the HTTP response
873
- # May be used in sections : defaults | frontend | listen | backend
874
- # no | yes | yes | yes
875
- # Arguments :
876
- # <string> is the complete line to be added. Any space or known delimiter
877
- # must be escaped using a backslash ('\'). Please refer to section
878
- # 6 about HTTP header manipulation for more information.
879
- #
880
- # <cond> is an optional matching condition built from ACLs. It makes it
881
- # possible to ignore this rule when other conditions are not met.
882
- #
883
- # A new line consisting in <string> followed by a line feed will be added after
884
- # the last header of an HTTP response.
885
- #
886
- # Header transformations only apply to traffic which passes through HAProxy,
887
- # and not to traffic generated by HAProxy, such as health-checks or error
888
- # responses.
889
- #
890
- # See also: "reqadd", section 6 about HTTP header manipulation, and section 7
891
- # about ACLs.
892
- #
893
- attr_accessor :rspadd
894
-
895
- #
896
- # rspdel <search> [(if | unless) <cond>]
897
- # rspidel <search> [(if | unless) <cond>] (ignore case)
898
- # Delete all headers matching a regular expression in an HTTP response
899
- # May be used in sections : defaults | frontend | listen | backend
900
- # no | yes | yes | yes
901
- # Arguments :
902
- # <search> is the regular expression applied to HTTP headers and to the
903
- # response line. This is an extended regular expression, so
904
- # parenthesis grouping is supported and no preliminary backslash
905
- # is required. Any space or known delimiter must be escaped using
906
- # a backslash ('\'). The pattern applies to a full line at a time.
907
- # The "rspdel" keyword strictly matches case while "rspidel"
908
- # ignores case.
909
- #
910
- # <cond> is an optional matching condition built from ACLs. It makes it
911
- # possible to ignore this rule when other conditions are not met.
912
- #
913
- # Any header line matching extended regular expression <search> in the response
914
- # will be completely deleted. Most common use of this is to remove unwanted
915
- # and/or sensible headers or cookies from a response before passing it to the
916
- # client.
917
- #
918
- # Header transformations only apply to traffic which passes through HAProxy,
919
- # and not to traffic generated by HAProxy, such as health-checks or error
920
- # responses. Keep in mind that header names are not case-sensitive.
921
- #
922
- # Example :
923
- # # remove the Server header from responses
924
- # reqidel ^Server:.*
925
- #
926
- # See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
927
- # manipulation, and section 7 about ACLs.
928
- #
929
- attr_accessor :rspdel
930
- attr_accessor :rspidel
931
-
932
- #
933
- # rspdeny <search> [(if | unless) <cond>]
934
- # rspideny <search> [(if | unless) <cond>] (ignore case)
935
- # Block an HTTP response if a line matches a regular expression
936
- # May be used in sections : defaults | frontend | listen | backend
937
- # no | yes | yes | yes
938
- # Arguments :
939
- # <search> is the regular expression applied to HTTP headers and to the
940
- # response line. This is an extended regular expression, so
941
- # parenthesis grouping is supported and no preliminary backslash
942
- # is required. Any space or known delimiter must be escaped using
943
- # a backslash ('\'). The pattern applies to a full line at a time.
944
- # The "rspdeny" keyword strictly matches case while "rspideny"
945
- # ignores case.
946
- #
947
- # <cond> is an optional matching condition built from ACLs. It makes it
948
- # possible to ignore this rule when other conditions are not met.
949
- #
950
- # A response containing any line which matches extended regular expression
951
- # <search> will mark the request as denied. The test applies both to the
952
- # response line and to response headers. Keep in mind that header names are not
953
- # case-sensitive.
954
- #
955
- # Main use of this keyword is to prevent sensitive information leak and to
956
- # block the response before it reaches the client. If a response is denied, it
957
- # will be replaced with an HTTP 502 error so that the client never retrieves
958
- # any sensitive data.
959
- #
960
- # It is easier, faster and more powerful to use ACLs to write access policies.
961
- # Rspdeny should be avoided in new designs.
962
- #
963
- # Example :
964
- # # Ensure that no content type matching ms-word will leak
965
- # rspideny ^Content-type:\.*/ms-word
966
- #
967
- # See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
968
- # and section 7 about ACLs.
969
- #
970
- attr_accessor :rspdeny
971
- attr_accessor :rspideny
972
-
973
- #
974
- # rsprep <search> <string> [(if | unless) <cond>]
975
- # rspirep <search> <string> [(if | unless) <cond>] (ignore case)
976
- # Replace a regular expression with a string in an HTTP response line
977
- # May be used in sections : defaults | frontend | listen | backend
978
- # no | yes | yes | yes
979
- # Arguments :
980
- # <search> is the regular expression applied to HTTP headers and to the
981
- # response line. This is an extended regular expression, so
982
- # parenthesis grouping is supported and no preliminary backslash
983
- # is required. Any space or known delimiter must be escaped using
984
- # a backslash ('\'). The pattern applies to a full line at a time.
985
- # The "rsprep" keyword strictly matches case while "rspirep"
986
- # ignores case.
987
- #
988
- # <string> is the complete line to be added. Any space or known delimiter
989
- # must be escaped using a backslash ('\'). References to matched
990
- # pattern groups are possible using the common \N form, with N
991
- # being a single digit between 0 and 9. Please refer to section
992
- # 6 about HTTP header manipulation for more information.
993
- #
994
- # <cond> is an optional matching condition built from ACLs. It makes it
995
- # possible to ignore this rule when other conditions are not met.
996
- #
997
- # Any line matching extended regular expression <search> in the response (both
998
- # the response line and header lines) will be completely replaced with
999
- # <string>. Most common use of this is to rewrite Location headers.
1000
- #
1001
- # Header transformations only apply to traffic which passes through HAProxy,
1002
- # and not to traffic generated by HAProxy, such as health-checks or error
1003
- # responses. Note that for increased readability, it is suggested to add enough
1004
- # spaces between the request and the response. Keep in mind that header names
1005
- # are not case-sensitive.
1006
- #
1007
- # Example :
1008
- # # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
1009
- # rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
1010
- #
1011
- # See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
1012
- # manipulation, and section 7 about ACLs.
1013
- #
1014
- attr_accessor :rsprep
1015
- attr_accessor :rspirep
1016
-
1017
- #
1018
- # tcp-request connection <action> [(if | unless) <condition>]
1019
- # Perform an action on an incoming connection depending on a layer 4 condition
1020
- # May be used in sections : defaults | frontend | listen | backend
1021
- # no | yes | yes | no
1022
- # Arguments :
1023
- # <action> defines the action to perform if the condition applies. Valid
1024
- # actions include : "accept", "reject", "track-sc1", "track-sc2".
1025
- # See below for more details.
1026
- #
1027
- # <condition> is a standard layer4-only ACL-based condition (see section 7).
1028
- #
1029
- # Immediately after acceptance of a new incoming connection, it is possible to
1030
- # evaluate some conditions to decide whether this connection must be accepted
1031
- # or dropped or have its counters tracked. Those conditions cannot make use of
1032
- # any data contents because the connection has not been read from yet, and the
1033
- # buffers are not yet allocated. This is used to selectively and very quickly
1034
- # accept or drop connections from various sources with a very low overhead. If
1035
- # some contents need to be inspected in order to take the decision, the
1036
- # "tcp-request content" statements must be used instead.
1037
- #
1038
- # The "tcp-request connection" rules are evaluated in their exact declaration
1039
- # order. If no rule matches or if there is no rule, the default action is to
1040
- # accept the incoming connection. There is no specific limit to the number of
1041
- # rules which may be inserted.
1042
- #
1043
- # Three types of actions are supported :
1044
- # - accept :
1045
- # accepts the connection if the condition is true (when used with "if")
1046
- # or false (when used with "unless"). The first such rule executed ends
1047
- # the rules evaluation.
1048
- #
1049
- # - reject :
1050
- # rejects the connection if the condition is true (when used with "if")
1051
- # or false (when used with "unless"). The first such rule executed ends
1052
- # the rules evaluation. Rejected connections do not even become a
1053
- # session, which is why they are accounted separately for in the stats,
1054
- # as "denied connections". They are not considered for the session
1055
- # rate-limit and are not logged either. The reason is that these rules
1056
- # should only be used to filter extremely high connection rates such as
1057
- # the ones encountered during a massive DDoS attack. Under these extreme
1058
- # conditions, the simple action of logging each event would make the
1059
- # system collapse and would considerably lower the filtering capacity. If
1060
- # logging is absolutely desired, then "tcp-request content" rules should
1061
- # be used instead.
1062
- #
1063
- # - { track-sc1 | track-sc2 } <key> [table <table>] :
1064
- # enables tracking of sticky counters from current connection. These
1065
- # rules do not stop evaluation and do not change default action. Two sets
1066
- # of counters may be simultaneously tracked by the same connection. The
1067
- # first "track-sc1" rule executed enables tracking of the counters of the
1068
- # specified table as the first set. The first "track-sc2" rule executed
1069
- # enables tracking of the counters of the specified table as the second
1070
- # set. It is a recommended practice to use the first set of counters for
1071
- # the per-frontend counters and the second set for the per-backend ones.
1072
- #
1073
- # These actions take one or two arguments :
1074
- # <key> is mandatory, and defines the criterion the tracking key will
1075
- # be derived from. At the moment, only "src" is supported. With
1076
- # it, the key will be the connection's source IPv4 address.
1077
- #
1078
- # <table> is an optional table to be used instead of the default one,
1079
- # which is the stick-table declared in the current proxy. All
1080
- # the counters for the matches and updates for the key will
1081
- # then be performed in that table until the session ends.
1082
- #
1083
- # Once a "track-sc*" rule is executed, the key is looked up in the table
1084
- # and if it is not found, an entry is allocated for it. Then a pointer to
1085
- # that entry is kept during all the session's life, and this entry's
1086
- # counters are updated as often as possible, every time the session's
1087
- # counters are updated, and also systematically when the session ends.
1088
- # If the entry tracks concurrent connection counters, one connection is
1089
- # counted for as long as the entry is tracked, and the entry will not
1090
- # expire during that time. Tracking counters also provides a performance
1091
- # advantage over just checking the keys, because only one table lookup is
1092
- # performed for all ACL checks that make use of it.
1093
- #
1094
- # Note that the "if/unless" condition is optional. If no condition is set on
1095
- # the action, it is simply performed unconditionally. That can be useful for
1096
- # "track-sc*" actions as well as for changing the default action to a reject.
1097
- #
1098
- # Example: accept all connections from white-listed hosts, reject too fast
1099
- # connection without counting them, and track accepted connections.
1100
- # This results in connection rate being capped from abusive sources.
1101
- #
1102
- # tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
1103
- # tcp-request connection reject if { src_conn_rate gt 10 }
1104
- # tcp-request connection track-sc1 src
1105
- #
1106
- # Example: accept all connections from white-listed hosts, count all other
1107
- # connections and reject too fast ones. This results in abusive ones
1108
- # being blocked as long as they don't slow down.
1109
- #
1110
- # tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
1111
- # tcp-request connection track-sc1 src
1112
- # tcp-request connection reject if { sc1_conn_rate gt 10 }
1113
- #
1114
- # See section 7 about ACL usage.
1115
- #
1116
- # See also : "tcp-request content", "stick-table"
1117
- #
1118
- attr_accessor :tcp_request_connection
1119
-
1120
- #
1121
- # tcp-request content <action> [(if | unless) <condition>]
1122
- # Perform an action on a new session depending on a layer 4-7 condition
1123
- # May be used in sections : defaults | frontend | listen | backend
1124
- # no | yes | yes | yes
1125
- # Arguments :
1126
- # <action> defines the action to perform if the condition applies. Valid
1127
- # actions include : "accept", "reject", "track-sc1", "track-sc2".
1128
- # See "tcp-request connection" above for their signification.
1129
- #
1130
- # <condition> is a standard layer 4-7 ACL-based condition (see section 7).
1131
- #
1132
- # A request's contents can be analysed at an early stage of request processing
1133
- # called "TCP content inspection". During this stage, ACL-based rules are
1134
- # evaluated every time the request contents are updated, until either an
1135
- # "accept" or a "reject" rule matches, or the TCP request inspection delay
1136
- # expires with no matching rule.
1137
- #
1138
- # The first difference between these rules and "tcp-request connection" rules
1139
- # is that "tcp-request content" rules can make use of contents to take a
1140
- # decision. Most often, these decisions will consider a protocol recognition or
1141
- # validity. The second difference is that content-based rules can be used in
1142
- # both frontends and backends. In frontends, they will be evaluated upon new
1143
- # connections. In backends, they will be evaluated once a session is assigned
1144
- # a backend. This means that a single frontend connection may be evaluated
1145
- # several times by one or multiple backends when a session gets reassigned
1146
- # (for instance after a client-side HTTP keep-alive request).
1147
- #
1148
- # Content-based rules are evaluated in their exact declaration order. If no
1149
- # rule matches or if there is no rule, the default action is to accept the
1150
- # contents. There is no specific limit to the number of rules which may be
1151
- # inserted.
1152
- #
1153
- # Three types of actions are supported :
1154
- # - accept :
1155
- # - reject :
1156
- # - { track-sc1 | track-sc2 } <key> [table <table>]
1157
- #
1158
- # They have the same meaning as their counter-parts in "tcp-request connection"
1159
- # so please refer to that section for a complete description.
1160
- #
1161
- # Also, it is worth noting that if sticky counters are tracked from a rule
1162
- # defined in a backend, this tracking will automatically end when the session
1163
- # releases the backend. That allows per-backend counter tracking even in case
1164
- # of HTTP keep-alive requests when the backend changes. While there is nothing
1165
- # mandatory about it, it is recommended to use the track-sc1 pointer to track
1166
- # per-frontend counters and track-sc2 to track per-backend counters.
1167
- #
1168
- # Note that the "if/unless" condition is optional. If no condition is set on
1169
- # the action, it is simply performed unconditionally. That can be useful for
1170
- # "track-sc*" actions as well as for changing the default action to a reject.
1171
- #
1172
- # It is perfectly possible to match layer 7 contents with "tcp-request content"
1173
- # rules, but then it is important to ensure that a full request has been
1174
- # buffered, otherwise no contents will match. In order to achieve this, the
1175
- # best solution involves detecting the HTTP protocol during the inspection
1176
- # period.
1177
- #
1178
- # Example:
1179
- # # Accept HTTP requests containing a Host header saying "example.com"
1180
- # # and reject everything else.
1181
- # acl is_host_com hdr(Host) -i example.com
1182
- # tcp-request inspect-delay 30s
1183
- # tcp-request content accept if HTTP is_host_com
1184
- # tcp-request content reject
1185
- #
1186
- # Example:
1187
- # # reject SMTP connection if client speaks first
1188
- # tcp-request inspect-delay 30s
1189
- # acl content_present req_len gt 0
1190
- # tcp-request content reject if content_present
1191
- #
1192
- # # Forward HTTPS connection only if client speaks
1193
- # tcp-request inspect-delay 30s
1194
- # acl content_present req_len gt 0
1195
- # tcp-request content accept if content_present
1196
- # tcp-request content reject
1197
- #
1198
- # Example: track per-frontend and per-backend counters, block abusers at the
1199
- # frontend when the backend detects abuse.
1200
- #
1201
- # frontend http
1202
- # # Use General Purpose Couter 0 in SC1 as a global abuse counter
1203
- # # protecting all our sites
1204
- # stick-table type ip size 1m expire 5m store gpc0
1205
- # tcp-request connection track-sc1 src
1206
- # tcp-request connection reject if { sc1_get_gpc0 gt 0 }
1207
- # ...
1208
- # use_backend http_dynamic if { path_end .php }
1209
- #
1210
- # backend http_dynamic
1211
- # # if a source makes too fast requests to this dynamic site (tracked
1212
- # # by SC2), block it globally in the frontend.
1213
- # stick-table type ip size 1m expire 5m store http_req_rate(10s)
1214
- # acl click_too_fast sc2_http_req_rate gt 10
1215
- # acl mark_as_abuser sc1_inc_gpc0
1216
- # tcp-request content track-sc2 src
1217
- # tcp-request content reject if click_too_fast mark_as_abuser
1218
- #
1219
- # See section 7 about ACL usage.
1220
- #
1221
- # See also : "tcp-request connection", "tcp-request inspect-delay"
1222
- #
1223
- attr_accessor :tcp_request_content
1224
-
1225
- #
1226
- # tcp-request inspect-delay <timeout>
1227
- # Set the maximum allowed time to wait for data during content inspection
1228
- # May be used in sections : defaults | frontend | listen | backend
1229
- # no | yes | yes | yes
1230
- # Arguments :
1231
- # <timeout> is the timeout value specified in milliseconds by default, but
1232
- # can be in any other unit if the number is suffixed by the unit,
1233
- # as explained at the top of this document.
1234
- #
1235
- # People using haproxy primarily as a TCP relay are often worried about the
1236
- # risk of passing any type of protocol to a server without any analysis. In
1237
- # order to be able to analyze the request contents, we must first withhold
1238
- # the data then analyze them. This statement simply enables withholding of
1239
- # data for at most the specified amount of time.
1240
- #
1241
- # TCP content inspection applies very early when a connection reaches a
1242
- # frontend, then very early when the connection is forwarded to a backend. This
1243
- # means that a connection may experience a first delay in the frontend and a
1244
- # second delay in the backend if both have tcp-request rules.
1245
- #
1246
- # Note that when performing content inspection, haproxy will evaluate the whole
1247
- # rules for every new chunk which gets in, taking into account the fact that
1248
- # those data are partial. If no rule matches before the aforementioned delay,
1249
- # a last check is performed upon expiration, this time considering that the
1250
- # contents are definitive. If no delay is set, haproxy will not wait at all
1251
- # and will immediately apply a verdict based on the available information.
1252
- # Obviously this is unlikely to be very useful and might even be racy, so such
1253
- # setups are not recommended.
1254
- #
1255
- # As soon as a rule matches, the request is released and continues as usual. If
1256
- # the timeout is reached and no rule matches, the default policy will be to let
1257
- # it pass through unaffected.
1258
- #
1259
- # For most protocols, it is enough to set it to a few seconds, as most clients
1260
- # send the full request immediately upon connection. Add 3 or more seconds to
1261
- # cover TCP retransmits but that's all. For some protocols, it may make sense
1262
- # to use large values, for instance to ensure that the client never talks
1263
- # before the server (eg: SMTP), or to wait for a client to talk before passing
1264
- # data to the server (eg: SSL). Note that the client timeout must cover at
1265
- # least the inspection delay, otherwise it will expire first. If the client
1266
- # closes the connection or if the buffer is full, the delay immediately expires
1267
- # since the contents will not be able to change anymore.
1268
- #
1269
- # See also : "tcp-request content accept", "tcp-request content reject",
1270
- # "timeout client".
1271
- #
1272
- attr_accessor :tcp_request_inspect_delay
1273
-
1274
- #
1275
- # use_backend <backend> if <condition>
1276
- # use_backend <backend> unless <condition>
1277
- # Switch to a specific backend if/unless an ACL-based condition is matched.
1278
- # May be used in sections : defaults | frontend | listen | backend
1279
- # no | yes | yes | no
1280
- # Arguments :
1281
- # <backend> is the name of a valid backend or "listen" section.
1282
- #
1283
- # <condition> is a condition composed of ACLs, as described in section 7.
1284
- #
1285
- # When doing content-switching, connections arrive on a frontend and are then
1286
- # dispatched to various backends depending on a number of conditions. The
1287
- # relation between the conditions and the backends is described with the
1288
- # "use_backend" keyword. While it is normally used with HTTP processing, it can
1289
- # also be used in pure TCP, either without content using stateless ACLs (eg:
1290
- # source address validation) or combined with a "tcp-request" rule to wait for
1291
- # some payload.
1292
- #
1293
- # There may be as many "use_backend" rules as desired. All of these rules are
1294
- # evaluated in their declaration order, and the first one which matches will
1295
- # assign the backend.
1296
- #
1297
- # In the first form, the backend will be used if the condition is met. In the
1298
- # second form, the backend will be used if the condition is not met. If no
1299
- # condition is valid, the backend defined with "default_backend" will be used.
1300
- # If no default backend is defined, either the servers in the same section are
1301
- # used (in case of a "listen" section) or, in case of a frontend, no server is
1302
- # used and a 503 service unavailable response is returned.
1303
- #
1304
- # Note that it is possible to switch from a TCP frontend to an HTTP backend. In
1305
- # this case, either the frontend has already checked that the protocol is HTTP,
1306
- # and backend processing will immediately follow, or the backend will wait for
1307
- # a complete HTTP request to get in. This feature is useful when a frontend
1308
- # must decode several protocols on a unique port, one of them being HTTP.
1309
- #
1310
- # See also: "default_backend", "tcp-request", and section 7 about ACLs.
1311
- #
1312
- attr_accessor :use_backend
1313
-
1314
- #
1315
- # description <text>
1316
- # Add a text that describes the instance.
1317
- #
1318
- # Please note that it is required to escape certain characters (# for example)
1319
- # and this text is inserted into a html page so you should avoid using
1320
- # "<" and ">" characters.
1321
- #
1322
- attr_accessor :description
1323
-
1324
- #
1325
- # backlog <conns>
1326
- # Give hints to the system about the approximate listen backlog desired size
1327
- # May be used in sections : defaults | frontend | listen | backend
1328
- # yes | yes | yes | no
1329
- # Arguments :
1330
- # <conns> is the number of pending connections. Depending on the operating
1331
- # system, it may represent the number of already acknowledged
1332
- # connections, of non-acknowledged ones, or both.
1333
- #
1334
- # In order to protect against SYN flood attacks, one solution is to increase
1335
- # the system's SYN backlog size. Depending on the system, sometimes it is just
1336
- # tunable via a system parameter, sometimes it is not adjustable at all, and
1337
- # sometimes the system relies on hints given by the application at the time of
1338
- # the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1339
- # to the listen() syscall. On systems which can make use of this value, it can
1340
- # sometimes be useful to be able to specify a different value, hence this
1341
- # backlog parameter.
1342
- #
1343
- # On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1344
- # used as a hint and the system accepts up to the smallest greater power of
1345
- # two, and never more than some limits (usually 32768).
1346
- #
1347
- # See also : "maxconn" and the target operating system's tuning guide.
1348
- #
1349
- attr_accessor :backlog
1350
-
1351
- #
1352
- # bind-process [ all | odd | even | <number 1-32> ] ...
1353
- # Limit visibility of an instance to a certain set of processes numbers.
1354
- # May be used in sections : defaults | frontend | listen | backend
1355
- # yes | yes | yes | yes
1356
- # Arguments :
1357
- # all All process will see this instance. This is the default. It
1358
- # may be used to override a default value.
1359
- #
1360
- # odd This instance will be enabled on processes 1,3,5,...31. This
1361
- # option may be combined with other numbers.
1362
- #
1363
- # even This instance will be enabled on processes 2,4,6,...32. This
1364
- # option may be combined with other numbers. Do not use it
1365
- # with less than 2 processes otherwise some instances might be
1366
- # missing from all processes.
1367
- #
1368
- # number The instance will be enabled on this process number, between
1369
- # 1 and 32. You must be careful not to reference a process
1370
- # number greater than the configured global.nbproc, otherwise
1371
- # some instances might be missing from all processes.
1372
- #
1373
- # This keyword limits binding of certain instances to certain processes. This
1374
- # is useful in order not to have too many processes listening to the same
1375
- # ports. For instance, on a dual-core machine, it might make sense to set
1376
- # 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1377
- # and 'even' instances.
1378
- #
1379
- # At the moment, it is not possible to reference more than 32 processes using
1380
- # this keyword, but this should be more than enough for most setups. Please
1381
- # note that 'all' really means all processes and is not limited to the first
1382
- # 32.
1383
- #
1384
- # If some backends are referenced by frontends bound to other processes, the
1385
- # backend automatically inherits the frontend's processes.
1386
- #
1387
- # Example :
1388
- # listen app_ip1
1389
- # bind 10.0.0.1:80
1390
- # bind-process odd
1391
- #
1392
- # listen app_ip2
1393
- # bind 10.0.0.2:80
1394
- # bind-process even
1395
- #
1396
- # listen management
1397
- # bind 10.0.0.3:80
1398
- # bind-process 1 2 3 4
1399
- #
1400
- # See also : "nbproc" in global section.
1401
- #
1402
- attr_accessor :bind_process
1403
-
1404
- #
1405
- # default_backend <backend>
1406
- # Specify the backend to use when no "use_backend" rule has been matched.
1407
- # May be used in sections : defaults | frontend | listen | backend
1408
- # yes | yes | yes | no
1409
- # Arguments :
1410
- # <backend> is the name of the backend to use.
1411
- #
1412
- # When doing content-switching between frontend and backends using the
1413
- # "use_backend" keyword, it is often useful to indicate which backend will be
1414
- # used when no rule has matched. It generally is the dynamic backend which
1415
- # will catch all undetermined requests.
1416
- #
1417
- # Example :
1418
- #
1419
- # use_backend dynamic if url_dyn
1420
- # use_backend static if url_css url_img extension_img
1421
- # default_backend dynamic
1422
- #
1423
- # See also : "use_backend", "reqsetbe", "reqisetbe"
1424
- #
1425
- attr_accessor :default_backend
1426
-
1427
- #
1428
- # disabled
1429
- # Disable a proxy, frontend or backend.
1430
- # May be used in sections : defaults | frontend | listen | backend
1431
- # yes | yes | yes | yes
1432
- # Arguments : none
1433
- #
1434
- # The "disabled" keyword is used to disable an instance, mainly in order to
1435
- # liberate a listening port or to temporarily disable a service. The instance
1436
- # will still be created and its configuration will be checked, but it will be
1437
- # created in the "stopped" state and will appear as such in the statistics. It
1438
- # will not receive any traffic nor will it send any health-checks or logs. It
1439
- # is possible to disable many instances at once by adding the "disabled"
1440
- # keyword in a "defaults" section.
1441
- #
1442
- # See also : "enabled"
1443
- #
1444
- attr_accessor :disabled
1445
-
1446
- #
1447
- # enabled
1448
- # Enable a proxy, frontend or backend.
1449
- # May be used in sections : defaults | frontend | listen | backend
1450
- # yes | yes | yes | yes
1451
- # Arguments : none
1452
- #
1453
- # The "enabled" keyword is used to explicitly enable an instance, when the
1454
- # defaults has been set to "disabled". This is very rarely used.
1455
- #
1456
- # See also : "disabled"
1457
- #
1458
- attr_accessor :enabled
1459
-
1460
- #
1461
- # errorfile <code> <file>
1462
- # Return a file contents instead of errors generated by HAProxy
1463
- # May be used in sections : defaults | frontend | listen | backend
1464
- # yes | yes | yes | yes
1465
- # Arguments :
1466
- # <code> is the HTTP status code. Currently, HAProxy is capable of
1467
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
1468
- #
1469
- # <file> designates a file containing the full HTTP response. It is
1470
- # recommended to follow the common practice of appending ".http" to
1471
- # the filename so that people do not confuse the response with HTML
1472
- # error pages, and to use absolute paths, since files are read
1473
- # before any chroot is performed.
1474
- #
1475
- # It is important to understand that this keyword is not meant to rewrite
1476
- # errors returned by the server, but errors detected and returned by HAProxy.
1477
- # This is why the list of supported errors is limited to a small set.
1478
- #
1479
- # The files are returned verbatim on the TCP socket. This allows any trick such
1480
- # as redirections to another URL or site, as well as tricks to clean cookies,
1481
- # force enable or disable caching, etc... The package provides default error
1482
- # files returning the same contents as default errors.
1483
- #
1484
- # The files should not exceed the configured buffer size (BUFSIZE), which
1485
- # generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
1486
- # not to put any reference to local contents (eg: images) in order to avoid
1487
- # loops between the client and HAProxy when all servers are down, causing an
1488
- # error to be returned instead of an image. For better HTTP compliance, it is
1489
- # recommended that all header lines end with CR-LF and not LF alone.
1490
- #
1491
- # The files are read at the same time as the configuration and kept in memory.
1492
- # For this reason, the errors continue to be returned even when the process is
1493
- # chrooted, and no file change is considered while the process is running. A
1494
- # simple method for developing those files consists in associating them to the
1495
- # 403 status code and interrogating a blocked URL.
1496
- #
1497
- # See also : "errorloc", "errorloc302", "errorloc303"
1498
- #
1499
- # Example :
1500
- # errorfile 400 /etc/haproxy/errorfiles/400badreq.http
1501
- # errorfile 403 /etc/haproxy/errorfiles/403forbid.http
1502
- # errorfile 503 /etc/haproxy/errorfiles/503sorry.http
1503
- #
1504
- attr_accessor :errorfile
1505
-
1506
- #
1507
- # errorloc <code> <url>
1508
- # Return an HTTP redirection to a URL instead of errors generated by HAProxy
1509
- # May be used in sections : defaults | frontend | listen | backend
1510
- # yes | yes | yes | yes
1511
- # Arguments :
1512
- # <code> is the HTTP status code. Currently, HAProxy is capable of
1513
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
1514
- #
1515
- # <url> it is the exact contents of the "Location" header. It may contain
1516
- # either a relative URI to an error page hosted on the same site,
1517
- # or an absolute URI designating an error page on another site.
1518
- # Special care should be given to relative URIs to avoid redirect
1519
- # loops if the URI itself may generate the same error (eg: 500).
1520
- #
1521
- # It is important to understand that this keyword is not meant to rewrite
1522
- # errors returned by the server, but errors detected and returned by HAProxy.
1523
- # This is why the list of supported errors is limited to a small set.
1524
- #
1525
- # Note that both keyword return the HTTP 302 status code, which tells the
1526
- # client to fetch the designated URL using the same HTTP method. This can be
1527
- # quite problematic in case of non-GET methods such as POST, because the URL
1528
- # sent to the client might not be allowed for something other than GET. To
1529
- # workaround this problem, please use "errorloc303" which send the HTTP 303
1530
- # status code, indicating to the client that the URL must be fetched with a GET
1531
- # request.
1532
- #
1533
- # See also : "errorfile", "errorloc303"
1534
- #
1535
- attr_accessor :errorloc
1536
-
1537
- #
1538
- # errorloc302 <code> <url>
1539
- # Return an HTTP redirection to a URL instead of errors generated by HAProxy
1540
- # May be used in sections : defaults | frontend | listen | backend
1541
- # yes | yes | yes | yes
1542
- # Arguments :
1543
- # <code> is the HTTP status code. Currently, HAProxy is capable of
1544
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
1545
- #
1546
- # <url> it is the exact contents of the "Location" header. It may contain
1547
- # either a relative URI to an error page hosted on the same site,
1548
- # or an absolute URI designating an error page on another site.
1549
- # Special care should be given to relative URIs to avoid redirect
1550
- # loops if the URI itself may generate the same error (eg: 500).
1551
- #
1552
- # It is important to understand that this keyword is not meant to rewrite
1553
- # errors returned by the server, but errors detected and returned by HAProxy.
1554
- # This is why the list of supported errors is limited to a small set.
1555
- #
1556
- # Note that both keyword return the HTTP 302 status code, which tells the
1557
- # client to fetch the designated URL using the same HTTP method. This can be
1558
- # quite problematic in case of non-GET methods such as POST, because the URL
1559
- # sent to the client might not be allowed for something other than GET. To
1560
- # workaround this problem, please use "errorloc303" which send the HTTP 303
1561
- # status code, indicating to the client that the URL must be fetched with a GET
1562
- # request.
1563
- #
1564
- # See also : "errorfile", "errorloc303"
1565
- #
1566
- attr_accessor :errorloc302
1567
-
1568
- #
1569
- # errorloc303 <code> <url>
1570
- # Return an HTTP redirection to a URL instead of errors generated by HAProxy
1571
- # May be used in sections : defaults | frontend | listen | backend
1572
- # yes | yes | yes | yes
1573
- # Arguments :
1574
- # <code> is the HTTP status code. Currently, HAProxy is capable of
1575
- # generating codes 400, 403, 408, 500, 502, 503, and 504.
1576
- #
1577
- # <url> it is the exact contents of the "Location" header. It may contain
1578
- # either a relative URI to an error page hosted on the same site,
1579
- # or an absolute URI designating an error page on another site.
1580
- # Special care should be given to relative URIs to avoid redirect
1581
- # loops if the URI itself may generate the same error (eg: 500).
1582
- #
1583
- # It is important to understand that this keyword is not meant to rewrite
1584
- # errors returned by the server, but errors detected and returned by HAProxy.
1585
- # This is why the list of supported errors is limited to a small set.
1586
- #
1587
- # Note that both keyword return the HTTP 303 status code, which tells the
1588
- # client to fetch the designated URL using the same HTTP GET method. This
1589
- # solves the usual problems associated with "errorloc" and the 302 code. It is
1590
- # possible that some very old browsers designed before HTTP/1.1 do not support
1591
- # it, but no such problem has been reported till now.
1592
- #
1593
- # See also : "errorfile", "errorloc", "errorloc302"
1594
- #
1595
- attr_accessor :errorloc303
1596
-
1597
- #
1598
- # grace <time>
1599
- # Maintain a proxy operational for some time after a soft stop
1600
- # May be used in sections : defaults | frontend | listen | backend
1601
- # yes | yes | yes | yes
1602
- # Arguments :
1603
- # <time> is the time (by default in milliseconds) for which the instance
1604
- # will remain operational with the frontend sockets still listening
1605
- # when a soft-stop is received via the SIGUSR1 signal.
1606
- #
1607
- # This may be used to ensure that the services disappear in a certain order.
1608
- # This was designed so that frontends which are dedicated to monitoring by an
1609
- # external equipment fail immediately while other ones remain up for the time
1610
- # needed by the equipment to detect the failure.
1611
- #
1612
- # Note that currently, there is very little benefit in using this parameter,
1613
- # and it may in fact complicate the soft-reconfiguration process more than
1614
- # simplify it.
1615
- #
1616
- attr_accessor :grace
1617
-
1618
- # log global
1619
- # log <address> <facility> [<level> [<minlevel>]]
1620
- # Enable per-instance logging of events and traffic.
1621
- # May be used in sections : defaults | frontend | listen | backend
1622
- # yes | yes | yes | yes
1623
- # Arguments :
1624
- # global should be used when the instance's logging parameters are the
1625
- # same as the global ones. This is the most common usage. "global"
1626
- # replaces <address>, <facility> and <level> with those of the log
1627
- # entries found in the "global" section. Only one "log global"
1628
- # statement may be used per instance, and this form takes no other
1629
- # parameter.
1630
- #
1631
- # <address> indicates where to send the logs. It takes the same format as
1632
- # for the "global" section's logs, and can be one of :
1633
- #
1634
- # - An IPv4 address optionally followed by a colon (':') and a UDP
1635
- # port. If no port is specified, 514 is used by default (the
1636
- # standard syslog port).
1637
- #
1638
- # - A filesystem path to a UNIX domain socket, keeping in mind
1639
- # considerations for chroot (be sure the path is accessible
1640
- # inside the chroot) and uid/gid (be sure the path is
1641
- # appropriately writeable).
1642
- #
1643
- # <facility> must be one of the 24 standard syslog facilities :
1644
- #
1645
- # kern user mail daemon auth syslog lpr news
1646
- # uucp cron auth2 ftp ntp audit alert cron2
1647
- # local0 local1 local2 local3 local4 local5 local6 local7
1648
- #
1649
- # <level> is optional and can be specified to filter outgoing messages. By
1650
- # default, all messages are sent. If a level is specified, only
1651
- # messages with a severity at least as important as this level
1652
- # will be sent. An optional minimum level can be specified. If it
1653
- # is set, logs emitted with a more severe level than this one will
1654
- # be capped to this level. This is used to avoid sending "emerg"
1655
- # messages on all terminals on some default syslog configurations.
1656
- # Eight levels are known :
1657
- #
1658
- # emerg alert crit err warning notice info debug
1659
- #
1660
- # Note that up to two "log" entries may be specified per instance. However, if
1661
- # "log global" is used and if the "global" section already contains 2 log
1662
- # entries, then additional log entries will be ignored.
1663
- #
1664
- # Also, it is important to keep in mind that it is the frontend which decides
1665
- # what to log from a connection, and that in case of content switching, the log
1666
- # entries from the backend will be ignored. Connections are logged at level
1667
- # "info".
1668
- #
1669
- # However, backend log declaration define how and where servers status changes
1670
- # will be logged. Level "notice" will be used to indicate a server going up,
1671
- # "warning" will be used for termination signals and definitive service
1672
- # termination, and "alert" will be used for when a server goes down.
1673
- #
1674
- # Note : According to RFC3164, messages are truncated to 1024 bytes before
1675
- # being emitted.
1676
- #
1677
- # Example :
1678
- # log global
1679
- # log 127.0.0.1:514 local0 notice # only send important events
1680
- # log 127.0.0.1:514 local0 notice notice # same but limit output level
1681
- #
1682
- attr_accessor :log
1683
-
1684
- #
1685
- # maxconn <conns>
1686
- # Fix the maximum number of concurrent connections on a frontend
1687
- # May be used in sections : defaults | frontend | listen | backend
1688
- # yes | yes | yes | no
1689
- # Arguments :
1690
- # <conns> is the maximum number of concurrent connections the frontend will
1691
- # accept to serve. Excess connections will be queued by the system
1692
- # in the socket's listen queue and will be served once a connection
1693
- # closes.
1694
- #
1695
- # If the system supports it, it can be useful on big sites to raise this limit
1696
- # very high so that haproxy manages connection queues, instead of leaving the
1697
- # clients with unanswered connection attempts. This value should not exceed the
1698
- # global maxconn. Also, keep in mind that a connection contains two buffers
1699
- # of 8kB each, as well as some other data resulting in about 17 kB of RAM being
1700
- # consumed per established connection. That means that a medium system equipped
1701
- # with 1GB of RAM can withstand around 40000-50000 concurrent connections if
1702
- # properly tuned.
1703
- #
1704
- # Also, when <conns> is set to large values, it is possible that the servers
1705
- # are not sized to accept such loads, and for this reason it is generally wise
1706
- # to assign them some reasonable connection limits.
1707
- #
1708
- # See also : "server", global section's "maxconn", "fullconn"
1709
- #
1710
- attr_accessor :maxconn
1711
-
1712
- #
1713
- # mode { tcp|http|health }
1714
- # Set the running mode or protocol of the instance
1715
- # May be used in sections : defaults | frontend | listen | backend
1716
- # yes | yes | yes | yes
1717
- # Arguments :
1718
- # tcp The instance will work in pure TCP mode. A full-duplex connection
1719
- # will be established between clients and servers, and no layer 7
1720
- # examination will be performed. This is the default mode. It
1721
- # should be used for SSL, SSH, SMTP, ...
1722
- #
1723
- # http The instance will work in HTTP mode. The client request will be
1724
- # analyzed in depth before connecting to any server. Any request
1725
- # which is not RFC-compliant will be rejected. Layer 7 filtering,
1726
- # processing and switching will be possible. This is the mode which
1727
- # brings HAProxy most of its value.
1728
- #
1729
- # health The instance will work in "health" mode. It will just reply "OK"
1730
- # to incoming connections and close the connection. Nothing will be
1731
- # logged. This mode is used to reply to external components health
1732
- # checks. This mode is deprecated and should not be used anymore as
1733
- # it is possible to do the same and even better by combining TCP or
1734
- # HTTP modes with the "monitor" keyword.
1735
- #
1736
- # When doing content switching, it is mandatory that the frontend and the
1737
- # backend are in the same mode (generally HTTP), otherwise the configuration
1738
- # will be refused.
1739
- #
1740
- # Example :
1741
- # defaults http_instances
1742
- # mode http
1743
- #
1744
- # See also : "monitor", "monitor-net"
1745
- #
1746
- attr_accessor :mode
1747
-
1748
- #
1749
- # monitor-net <source>
1750
- # Declare a source network which is limited to monitor requests
1751
- # May be used in sections : defaults | frontend | listen | backend
1752
- # yes | yes | yes | no
1753
- # Arguments :
1754
- # <source> is the source IPv4 address or network which will only be able to
1755
- # get monitor responses to any request. It can be either an IPv4
1756
- # address, a host name, or an address followed by a slash ('/')
1757
- # followed by a mask.
1758
- #
1759
- # In TCP mode, any connection coming from a source matching <source> will cause
1760
- # the connection to be immediately closed without any log. This allows another
1761
- # equipment to probe the port and verify that it is still listening, without
1762
- # forwarding the connection to a remote server.
1763
- #
1764
- # In HTTP mode, a connection coming from a source matching <source> will be
1765
- # accepted, the following response will be sent without waiting for a request,
1766
- # then the connection will be closed : "HTTP/1.0 200 OK". This is normally
1767
- # enough for any front-end HTTP probe to detect that the service is UP and
1768
- # running without forwarding the request to a backend server.
1769
- #
1770
- # Monitor requests are processed very early. It is not possible to block nor
1771
- # divert them using ACLs. They cannot be logged either, and it is the intended
1772
- # purpose. They are only used to report HAProxy's health to an upper component,
1773
- # nothing more. Right now, it is not possible to set failure conditions on
1774
- # requests caught by "monitor-net".
1775
- #
1776
- # Last, please note that only one "monitor-net" statement can be specified in
1777
- # a frontend. If more than one is found, only the last one will be considered.
1778
- #
1779
- # Example :
1780
- # # addresses .252 and .253 are just probing us.
1781
- # frontend www
1782
- # monitor-net 192.168.0.252/31
1783
- #
1784
- # See also : "monitor fail", "monitor-uri"
1785
- #
1786
- attr_accessor :monitor_net
1787
-
1788
- #
1789
- # monitor-uri <uri>
1790
- # Intercept a URI used by external components' monitor requests
1791
- # May be used in sections : defaults | frontend | listen | backend
1792
- # yes | yes | yes | no
1793
- # Arguments :
1794
- # <uri> is the exact URI which we want to intercept to return HAProxy's
1795
- # health status instead of forwarding the request.
1796
- #
1797
- # When an HTTP request referencing <uri> will be received on a frontend,
1798
- # HAProxy will not forward it nor log it, but instead will return either
1799
- # "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
1800
- # conditions defined with "monitor fail". This is normally enough for any
1801
- # front-end HTTP probe to detect that the service is UP and running without
1802
- # forwarding the request to a backend server. Note that the HTTP method, the
1803
- # version and all headers are ignored, but the request must at least be valid
1804
- # at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
1805
- #
1806
- # Monitor requests are processed very early. It is not possible to block nor
1807
- # divert them using ACLs. They cannot be logged either, and it is the intended
1808
- # purpose. They are only used to report HAProxy's health to an upper component,
1809
- # nothing more. However, it is possible to add any number of conditions using
1810
- # "monitor fail" and ACLs so that the result can be adjusted to whatever check
1811
- # can be imagined (most often the number of available servers in a backend).
1812
- #
1813
- # Example :
1814
- # # Use /haproxy_test to report haproxy's status
1815
- # frontend www
1816
- # mode http
1817
- # monitor-uri /haproxy_test
1818
- #
1819
- # See also : "monitor fail", "monitor-net"
1820
- #
1821
- attr_accessor :monitor_uri
1822
-
1823
- #
1824
- # option accept-invalid-http-request
1825
- # no option accept-invalid-http-request
1826
- # Enable or disable relaxing of HTTP request parsing
1827
- # May be used in sections : defaults | frontend | listen | backend
1828
- # yes | yes | yes | no
1829
- # Arguments : none
1830
- #
1831
- # By default, HAProxy complies with RFC2616 in terms of message parsing. This
1832
- # means that invalid characters in header names are not permitted and cause an
1833
- # error to be returned to the client. This is the desired behaviour as such
1834
- # forbidden characters are essentially used to build attacks exploiting server
1835
- # weaknesses, and bypass security filtering. Sometimes, a buggy browser or
1836
- # server will emit invalid header names for whatever reason (configuration,
1837
- # implementation) and the issue will not be immediately fixed. In such a case,
1838
- # it is possible to relax HAProxy's header name parser to accept any character
1839
- # even if that does not make sense, by specifying this option.
1840
- #
1841
- # This option should never be enabled by default as it hides application bugs
1842
- # and open security breaches. It should only be deployed after a problem has
1843
- # been confirmed.
1844
- #
1845
- # When this option is enabled, erroneous header names will still be accepted in
1846
- # requests, but the complete request will be captured in order to permit later
1847
- # analysis using the "show errors" request on the UNIX stats socket. Doing this
1848
- # also helps confirming that the issue has been solved.
1849
- #
1850
- # If this option has been enabled in a "defaults" section, it can be disabled
1851
- # in a specific instance by prepending the "no" keyword before it.
1852
- #
1853
- # See also : "option accept-invalid-http-response" and "show errors" on the
1854
- # stats socket.
1855
- #
1856
- attr_accessor :option_accept_invalid_http_request
1857
-
1858
- #
1859
- # option clitcpka
1860
- # no option clitcpka
1861
- # Enable or disable the sending of TCP keepalive packets on the client side
1862
- # May be used in sections : defaults | frontend | listen | backend
1863
- # yes | yes | yes | no
1864
- # Arguments : none
1865
- #
1866
- # When there is a firewall or any session-aware component between a client and
1867
- # a server, and when the protocol involves very long sessions with long idle
1868
- # periods (eg: remote desktops), there is a risk that one of the intermediate
1869
- # components decides to expire a session which has remained idle for too long.
1870
- #
1871
- # Enabling socket-level TCP keep-alives makes the system regularly send packets
1872
- # to the other end of the connection, leaving it active. The delay between
1873
- # keep-alive probes is controlled by the system only and depends both on the
1874
- # operating system and its tuning parameters.
1875
- #
1876
- # It is important to understand that keep-alive packets are neither emitted nor
1877
- # received at the application level. It is only the network stacks which sees
1878
- # them. For this reason, even if one side of the proxy already uses keep-alives
1879
- # to maintain its connection alive, those keep-alive packets will not be
1880
- # forwarded to the other side of the proxy.
1881
- #
1882
- # Please note that this has nothing to do with HTTP keep-alive.
1883
- #
1884
- # Using option "clitcpka" enables the emission of TCP keep-alive probes on the
1885
- # client side of a connection, which should help when session expirations are
1886
- # noticed between HAProxy and a client.
1887
- #
1888
- # If this option has been enabled in a "defaults" section, it can be disabled
1889
- # in a specific instance by prepending the "no" keyword before it.
1890
- #
1891
- # See also : "option srvtcpka", "option tcpka"
1892
- #
1893
- attr_accessor :option_clitcpka
1894
-
1895
- #
1896
- # option contstats
1897
- # Enable continuous traffic statistics updates
1898
- # May be used in sections : defaults | frontend | listen | backend
1899
- # yes | yes | yes | no
1900
- # Arguments : none
1901
- #
1902
- # By default, counters used for statistics calculation are incremented
1903
- # only when a session finishes. It works quite well when serving small
1904
- # objects, but with big ones (for example large images or archives) or
1905
- # with A/V streaming, a graph generated from haproxy counters looks like
1906
- # a hedgehog. With this option enabled counters get incremented continuously,
1907
- # during a whole session. Recounting touches a hotpath directly so
1908
- # it is not enabled by default, as it has small performance impact (~0.5%).
1909
- #
1910
- attr_accessor :option_contstats
1911
-
1912
- #
1913
- # option dontlog-normal
1914
- # no option dontlog-normal
1915
- # Enable or disable logging of normal, successful connections
1916
- # May be used in sections : defaults | frontend | listen | backend
1917
- # yes | yes | yes | no
1918
- # Arguments : none
1919
- #
1920
- # There are large sites dealing with several thousand connections per second
1921
- # and for which logging is a major pain. Some of them are even forced to turn
1922
- # logs off and cannot debug production issues. Setting this option ensures that
1923
- # normal connections, those which experience no error, no timeout, no retry nor
1924
- # redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
1925
- # mode, the response status code is checked and return codes 5xx will still be
1926
- # logged.
1927
- #
1928
- # It is strongly discouraged to use this option as most of the time, the key to
1929
- # complex issues is in the normal logs which will not be logged here. If you
1930
- # need to separate logs, see the "log-separate-errors" option instead.
1931
- #
1932
- # See also : "log", "dontlognull", "log-separate-errors" and section 8 about
1933
- # logging.
1934
- #
1935
- attr_accessor :option_dontlog_normal
1936
-
1937
- #
1938
- # option dontlognull
1939
- # no option dontlognull
1940
- # Enable or disable logging of null connections
1941
- # May be used in sections : defaults | frontend | listen | backend
1942
- # yes | yes | yes | no
1943
- # Arguments : none
1944
- #
1945
- # In certain environments, there are components which will regularly connect to
1946
- # various systems to ensure that they are still alive. It can be the case from
1947
- # another load balancer as well as from monitoring systems. By default, even a
1948
- # simple port probe or scan will produce a log. If those connections pollute
1949
- # the logs too much, it is possible to enable option "dontlognull" to indicate
1950
- # that a connection on which no data has been transferred will not be logged,
1951
- # which typically corresponds to those probes.
1952
- #
1953
- # It is generally recommended not to use this option in uncontrolled
1954
- # environments (eg: internet), otherwise scans and other malicious activities
1955
- # would not be logged.
1956
- #
1957
- # If this option has been enabled in a "defaults" section, it can be disabled
1958
- # in a specific instance by prepending the "no" keyword before it.
1959
- #
1960
- # See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
1961
- #
1962
- attr_accessor :option_dontlognull
1963
-
1964
- #
1965
- # option forceclose
1966
- # no option forceclose
1967
- # Enable or disable active connection closing after response is transferred.
1968
- # May be used in sections : defaults | frontend | listen | backend
1969
- # yes | yes | yes | yes
1970
- # Arguments : none
1971
- #
1972
- # Some HTTP servers do not necessarily close the connections when they receive
1973
- # the "Connection: close" set by "option httpclose", and if the client does not
1974
- # close either, then the connection remains open till the timeout expires. This
1975
- # causes high number of simultaneous connections on the servers and shows high
1976
- # global session times in the logs.
1977
- #
1978
- # When this happens, it is possible to use "option forceclose". It will
1979
- # actively close the outgoing server channel as soon as the server has finished
1980
- # to respond. This option implicitly enables the "httpclose" option. Note that
1981
- # this option also enables the parsing of the full request and response, which
1982
- # means we can close the connection to the server very quickly, releasing some
1983
- # resources earlier than with httpclose.
1984
- #
1985
- # This option may also be combined with "option http-pretend-keepalive", which
1986
- # will disable sending of the "Connection: close" header, but will still cause
1987
- # the connection to be closed once the whole response is received.
1988
- #
1989
- # If this option has been enabled in a "defaults" section, it can be disabled
1990
- # in a specific instance by prepending the "no" keyword before it.
1991
- #
1992
- # See also : "option httpclose" and "option http-pretend-keepalive"
1993
- #
1994
- attr_accessor :option_forceclose
1995
-
1996
- #
1997
- # option forwardfor [ except <network> ] [ header <name> ]
1998
- # Enable insertion of the X-Forwarded-For header to requests sent to servers
1999
- # May be used in sections : defaults | frontend | listen | backend
2000
- # yes | yes | yes | yes
2001
- # Arguments :
2002
- # <network> is an optional argument used to disable this option for sources
2003
- # matching <network>
2004
- # <name> an optional argument to specify a different "X-Forwarded-For"
2005
- # header name.
2006
- #
2007
- # Since HAProxy works in reverse-proxy mode, the servers see its IP address as
2008
- # their client address. This is sometimes annoying when the client's IP address
2009
- # is expected in server logs. To solve this problem, the well-known HTTP header
2010
- # "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
2011
- # This header contains a value representing the client's IP address. Since this
2012
- # header is always appended at the end of the existing header list, the server
2013
- # must be configured to always use the last occurrence of this header only. See
2014
- # the server's manual to find how to enable use of this standard header. Note
2015
- # that only the last occurrence of the header must be used, since it is really
2016
- # possible that the client has already brought one.
2017
- #
2018
- # The keyword "header" may be used to supply a different header name to replace
2019
- # the default "X-Forwarded-For". This can be useful where you might already
2020
- # have a "X-Forwarded-For" header from a different application (eg: stunnel),
2021
- # and you need preserve it. Also if your backend server doesn't use the
2022
- # "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
2023
- # require "X-Cluster-Client-IP").
2024
- #
2025
- # Sometimes, a same HAProxy instance may be shared between a direct client
2026
- # access and a reverse-proxy access (for instance when an SSL reverse-proxy is
2027
- # used to decrypt HTTPS traffic). It is possible to disable the addition of the
2028
- # header for a known source address or network by adding the "except" keyword
2029
- # followed by the network address. In this case, any source IP matching the
2030
- # network will not cause an addition of this header. Most common uses are with
2031
- # private networks or 127.0.0.1.
2032
- #
2033
- # This option may be specified either in the frontend or in the backend. If at
2034
- # least one of them uses it, the header will be added. Note that the backend's
2035
- # setting of the header subargument takes precedence over the frontend's if
2036
- # both are defined.
2037
- #
2038
- # It is important to note that as long as HAProxy does not support keep-alive
2039
- # connections, only the first request of a connection will receive the header.
2040
- # For this reason, it is important to ensure that "option httpclose" is set
2041
- # when using this option.
2042
- #
2043
- # Examples :
2044
- # # Public HTTP address also used by stunnel on the same machine
2045
- # frontend www
2046
- # mode http
2047
- # option forwardfor except 127.0.0.1 # stunnel already adds the header
2048
- #
2049
- # # Those servers want the IP Address in X-Client
2050
- # backend www
2051
- # mode http
2052
- # option forwardfor header X-Client
2053
- #
2054
- # See also : "option httpclose"
2055
- #
2056
- attr_accessor :option_forwardfor
2057
-
2058
- #
2059
- # option http-pretend-keepalive
2060
- # no option http-pretend-keepalive
2061
- # Define whether haproxy will announce keepalive to the server or not
2062
- # May be used in sections : defaults | frontend | listen | backend
2063
- # yes | yes | yes | yes
2064
- # Arguments : none
2065
- #
2066
- # When running with "option http-server-close" or "option forceclose", haproxy
2067
- # adds a "Connection: close" header to the request forwarded to the server.
2068
- # Unfortunately, when some servers see this header, they automatically refrain
2069
- # from using the chunked encoding for responses of unknown length, while this
2070
- # is totally unrelated. The immediate effect is that this prevents haproxy from
2071
- # maintaining the client connection alive. A second effect is that a client or
2072
- # a cache could receive an incomplete response without being aware of it, and
2073
- # consider the response complete.
2074
- #
2075
- # By setting "option http-pretend-keepalive", haproxy will make the server
2076
- # believe it will keep the connection alive. The server will then not fall back
2077
- # to the abnormal undesired above. When haproxy gets the whole response, it
2078
- # will close the connection with the server just as it would do with the
2079
- # "forceclose" option. That way the client gets a normal response and the
2080
- # connection is correctly closed on the server side.
2081
- #
2082
- # It is recommended not to enable this option by default, because most servers
2083
- # will more efficiently close the connection themselves after the last packet,
2084
- # and release its buffers slightly earlier. Also, the added packet on the
2085
- # network could slightly reduce the overall peak performance. However it is
2086
- # worth noting that when this option is enabled, haproxy will have slightly
2087
- # less work to do. So if haproxy is the bottleneck on the whole architecture,
2088
- # enabling this option might save a few CPU cycles.
2089
- #
2090
- # This option may be set both in a frontend and in a backend. It is enabled if
2091
- # at least one of the frontend or backend holding a connection has it enabled.
2092
- # This option may be compbined with "option httpclose", which will cause
2093
- # keepalive to be announced to the server and close to be announced to the
2094
- # client. This practice is discouraged though.
2095
- #
2096
- # If this option has been enabled in a "defaults" section, it can be disabled
2097
- # in a specific instance by prepending the "no" keyword before it.
2098
- #
2099
- # See also : "option forceclose" and "option http-server-close"
2100
- #
2101
- attr_accessor :option_http_pretend_keepalive
2102
-
2103
- #
2104
- # option http-server-close
2105
- # no option http-server-close
2106
- # Enable or disable HTTP connection closing on the server side
2107
- # May be used in sections : defaults | frontend | listen | backend
2108
- # yes | yes | yes | yes
2109
- # Arguments : none
2110
- #
2111
- # By default, when a client communicates with a server, HAProxy will only
2112
- # analyze, log, and process the first request of each connection. Setting
2113
- # "option http-server-close" enables HTTP connection-close mode on the server
2114
- # side while keeping the ability to support HTTP keep-alive and pipelining on
2115
- # the client side. This provides the lowest latency on the client side (slow
2116
- # network) and the fastest session reuse on the server side to save server
2117
- # resources, similarly to "option forceclose". It also permits non-keepalive
2118
- # capable servers to be served in keep-alive mode to the clients if they
2119
- # conform to the requirements of RFC2616. Please note that some servers do not
2120
- # always conform to those requirements when they see "Connection: close" in the
2121
- # request. The effect will be that keep-alive will never be used. A workaround
2122
- # consists in enabling "option http-pretend-keepalive".
2123
- #
2124
- # At the moment, logs will not indicate whether requests came from the same
2125
- # session or not. The accept date reported in the logs corresponds to the end
2126
- # of the previous request, and the request time corresponds to the time spent
2127
- # waiting for a new request. The keep-alive request time is still bound to the
2128
- # timeout defined by "timeout http-keep-alive" or "timeout http-request" if
2129
- # not set.
2130
- #
2131
- # This option may be set both in a frontend and in a backend. It is enabled if
2132
- # at least one of the frontend or backend holding a connection has it enabled.
2133
- # It is worth noting that "option forceclose" has precedence over "option
2134
- # http-server-close" and that combining "http-server-close" with "httpclose"
2135
- # basically achieve the same result as "forceclose".
2136
- #
2137
- # If this option has been enabled in a "defaults" section, it can be disabled
2138
- # in a specific instance by prepending the "no" keyword before it.
2139
- #
2140
- # See also : "option forceclose", "option http-pretend-keepalive",
2141
- # "option httpclose" and "1.1. The HTTP transaction model".
2142
- #
2143
- attr_accessor :option_http_server_close
2144
-
2145
- #
2146
- # option http-use-proxy-header
2147
- # no option http-use-proxy-header
2148
- # Make use of non-standard Proxy-Connection header instead of Connection
2149
- # May be used in sections : defaults | frontend | listen | backend
2150
- # yes | yes | yes | no
2151
- # Arguments : none
2152
- #
2153
- # While RFC2616 explicitly states that HTTP/1.1 agents must use the
2154
- # Connection header to indicate their wish of persistent or non-persistent
2155
- # connections, both browsers and proxies ignore this header for proxied
2156
- # connections and make use of the undocumented, non-standard Proxy-Connection
2157
- # header instead. The issue begins when trying to put a load balancer between
2158
- # browsers and such proxies, because there will be a difference between what
2159
- # haproxy understands and what the client and the proxy agree on.
2160
- #
2161
- # By setting this option in a frontend, haproxy can automatically switch to use
2162
- # that non-standard header if it sees proxied requests. A proxied request is
2163
- # defined here as one where the URI begins with neither a '/' nor a '*'. The
2164
- # choice of header only affects requests passing through proxies making use of
2165
- # one of the "httpclose", "forceclose" and "http-server-close" options. Note
2166
- # that this option can only be specified in a frontend and will affect the
2167
- # request along its whole life.
2168
- #
2169
- # Also, when this option is set, a request which requires authentication will
2170
- # automatically switch to use proxy authentication headers if it is itself a
2171
- # proxied request. That makes it possible to check or enforce authentication in
2172
- # front of an existing proxy.
2173
- #
2174
- # This option should normally never be used, except in front of a proxy.
2175
- #
2176
- # See also : "option httpclose", "option forceclose" and "option
2177
- # http-server-close".
2178
- #
2179
- attr_accessor :option_http_use_proxy_header
2180
-
2181
- #
2182
- # option httpclose
2183
- # no option httpclose
2184
- # Enable or disable passive HTTP connection closing
2185
- # May be used in sections : defaults | frontend | listen | backend
2186
- # yes | yes | yes | yes
2187
- # Arguments : none
2188
- #
2189
- # By default, when a client communicates with a server, HAProxy will only
2190
- # analyze, log, and process the first request of each connection. If "option
2191
- # httpclose" is set, it will check if a "Connection: close" header is already
2192
- # set in each direction, and will add one if missing. Each end should react to
2193
- # this by actively closing the TCP connection after each transfer, thus
2194
- # resulting in a switch to the HTTP close mode. Any "Connection" header
2195
- # different from "close" will also be removed.
2196
- #
2197
- # It seldom happens that some servers incorrectly ignore this header and do not
2198
- # close the connection eventhough they reply "Connection: close". For this
2199
- # reason, they are not compatible with older HTTP 1.0 browsers. If this happens
2200
- # it is possible to use the "option forceclose" which actively closes the
2201
- # request connection once the server responds. Option "forceclose" also
2202
- # releases the server connection earlier because it does not have to wait for
2203
- # the client to acknowledge it.
2204
- #
2205
- # This option may be set both in a frontend and in a backend. It is enabled if
2206
- # at least one of the frontend or backend holding a connection has it enabled.
2207
- # If "option forceclose" is specified too, it has precedence over "httpclose".
2208
- # If "option http-server-close" is enabled at the same time as "httpclose", it
2209
- # basically achieves the same result as "option forceclose".
2210
- #
2211
- # If this option has been enabled in a "defaults" section, it can be disabled
2212
- # in a specific instance by prepending the "no" keyword before it.
2213
- #
2214
- # See also : "option forceclose", "option http-server-close" and
2215
- # "1.1. The HTTP transaction model".
2216
- #
2217
- attr_accessor :option_httpclose
2218
-
2219
- #
2220
- # option httplog [ clf ]
2221
- # Enable logging of HTTP request, session state and timers
2222
- # May be used in sections : defaults | frontend | listen | backend
2223
- # yes | yes | yes | yes
2224
- # Arguments :
2225
- # clf if the "clf" argument is added, then the output format will be
2226
- # the CLF format instead of HAProxy's default HTTP format. You can
2227
- # use this when you need to feed HAProxy's logs through a specific
2228
- # log analyser which only support the CLF format and which is not
2229
- # extensible.
2230
- #
2231
- # By default, the log output format is very poor, as it only contains the
2232
- # source and destination addresses, and the instance name. By specifying
2233
- # "option httplog", each log line turns into a much richer format including,
2234
- # but not limited to, the HTTP request, the connection timers, the session
2235
- # status, the connections numbers, the captured headers and cookies, the
2236
- # frontend, backend and server name, and of course the source address and
2237
- # ports.
2238
- #
2239
- # This option may be set either in the frontend or the backend.
2240
- #
2241
- # If this option has been enabled in a "defaults" section, it can be disabled
2242
- # in a specific instance by prepending the "no" keyword before it. Specifying
2243
- # only "option httplog" will automatically clear the 'clf' mode if it was set
2244
- # by default.
2245
- #
2246
- # See also : section 8 about logging.
2247
- #
2248
- attr_accessor :option_httplog
2249
-
2250
- #
2251
- # option http_proxy
2252
- # no option http_proxy
2253
- # Enable or disable plain HTTP proxy mode
2254
- # May be used in sections : defaults | frontend | listen | backend
2255
- # yes | yes | yes | yes
2256
- # Arguments : none
2257
- #
2258
- # It sometimes happens that people need a pure HTTP proxy which understands
2259
- # basic proxy requests without caching nor any fancy feature. In this case,
2260
- # it may be worth setting up an HAProxy instance with the "option http_proxy"
2261
- # set. In this mode, no server is declared, and the connection is forwarded to
2262
- # the IP address and port found in the URL after the "http://" scheme.
2263
- #
2264
- # No host address resolution is performed, so this only works when pure IP
2265
- # addresses are passed. Since this option's usage perimeter is rather limited,
2266
- # it will probably be used only by experts who know they need exactly it. Last,
2267
- # if the clients are susceptible of sending keep-alive requests, it will be
2268
- # needed to add "option http_close" to ensure that all requests will correctly
2269
- # be analyzed.
2270
- #
2271
- # If this option has been enabled in a "defaults" section, it can be disabled
2272
- # in a specific instance by prepending the "no" keyword before it.
2273
- #
2274
- # Example :
2275
- # # this backend understands HTTP proxy requests and forwards them directly.
2276
- # backend direct_forward
2277
- # option httpclose
2278
- # option http_proxy
2279
- #
2280
- # See also : "option httpclose"
2281
- #
2282
- attr_accessor :option_http_proxy
2283
-
2284
- #
2285
- # option independant-streams
2286
- # no option independant-streams
2287
- # Enable or disable independant timeout processing for both directions
2288
- # May be used in sections : defaults | frontend | listen | backend
2289
- # yes | yes | yes | yes
2290
- # Arguments : none
2291
- #
2292
- # By default, when data is sent over a socket, both the write timeout and the
2293
- # read timeout for that socket are refreshed, because we consider that there is
2294
- # activity on that socket, and we have no other means of guessing if we should
2295
- # receive data or not.
2296
- #
2297
- # While this default behaviour is desirable for almost all applications, there
2298
- # exists a situation where it is desirable to disable it, and only refresh the
2299
- # read timeout if there are incoming data. This happens on sessions with large
2300
- # timeouts and low amounts of exchanged data such as telnet session. If the
2301
- # server suddenly disappears, the output data accumulates in the system's
2302
- # socket buffers, both timeouts are correctly refreshed, and there is no way
2303
- # to know the server does not receive them, so we don't timeout. However, when
2304
- # the underlying protocol always echoes sent data, it would be enough by itself
2305
- # to detect the issue using the read timeout. Note that this problem does not
2306
- # happen with more verbose protocols because data won't accumulate long in the
2307
- # socket buffers.
2308
- #
2309
- # When this option is set on the frontend, it will disable read timeout updates
2310
- # on data sent to the client. There probably is little use of this case. When
2311
- # the option is set on the backend, it will disable read timeout updates on
2312
- # data sent to the server. Doing so will typically break large HTTP posts from
2313
- # slow lines, so use it with caution.
2314
- #
2315
- # See also : "timeout client" and "timeout server"
2316
- #
2317
- attr_accessor :option_independant_streams
2318
-
2319
- #
2320
- # option log-separate-errors
2321
- # no option log-separate-errors
2322
- # Change log level for non-completely successful connections
2323
- # May be used in sections : defaults | frontend | listen | backend
2324
- # yes | yes | yes | no
2325
- # Arguments : none
2326
- #
2327
- # Sometimes looking for errors in logs is not easy. This option makes haproxy
2328
- # raise the level of logs containing potentially interesting information such
2329
- # as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
2330
- # level changes from "info" to "err". This makes it possible to log them
2331
- # separately to a different file with most syslog daemons. Be careful not to
2332
- # remove them from the original file, otherwise you would lose ordering which
2333
- # provides very important information.
2334
- #
2335
- # Using this option, large sites dealing with several thousand connections per
2336
- # second may log normal traffic to a rotating buffer and only archive smaller
2337
- # error logs.
2338
- #
2339
- # See also : "log", "dontlognull", "dontlog-normal" and section 8 about
2340
- # logging.
2341
- #
2342
- attr_accessor :option_log_separate_errors
2343
-
2344
- #
2345
- # option logasap
2346
- # no option logasap
2347
- # Enable or disable early logging of HTTP requests
2348
- # May be used in sections : defaults | frontend | listen | backend
2349
- # yes | yes | yes | no
2350
- # Arguments : none
2351
- #
2352
- # By default, HTTP requests are logged upon termination so that the total
2353
- # transfer time and the number of bytes appear in the logs. When large objects
2354
- # are being transferred, it may take a while before the request appears in the
2355
- # logs. Using "option logasap", the request gets logged as soon as the server
2356
- # sends the complete headers. The only missing information in the logs will be
2357
- # the total number of bytes which will indicate everything except the amount
2358
- # of data transferred, and the total time which will not take the transfer
2359
- # time into account. In such a situation, it's a good practice to capture the
2360
- # "Content-Length" response header so that the logs at least indicate how many
2361
- # bytes are expected to be transferred.
2362
- #
2363
- # Examples :
2364
- # listen http_proxy 0.0.0.0:80
2365
- # mode http
2366
- # option httplog
2367
- # option logasap
2368
- # log 192.168.2.200 local3
2369
- #
2370
- # >>> Feb 6 12:14:14 localhost \
2371
- # haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
2372
- # static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
2373
- # "GET /image.iso HTTP/1.0"
2374
- #
2375
- # See also : "option httplog", "capture response header", and section 8 about
2376
- # logging.
2377
- #
2378
- attr_accessor :option_logasap
2379
-
2380
- #
2381
- # option nolinger
2382
- # no option nolinger
2383
- # Enable or disable immediate session resource cleaning after close
2384
- # May be used in sections: defaults | frontend | listen | backend
2385
- # yes | yes | yes | yes
2386
- # Arguments : none
2387
- #
2388
- # When clients or servers abort connections in a dirty way (eg: they are
2389
- # physically disconnected), the session timeouts triggers and the session is
2390
- # closed. But it will remain in FIN_WAIT1 state for some time in the system,
2391
- # using some resources and possibly limiting the ability to establish newer
2392
- # connections.
2393
- #
2394
- # When this happens, it is possible to activate "option nolinger" which forces
2395
- # the system to immediately remove any socket's pending data on close. Thus,
2396
- # the session is instantly purged from the system's tables. This usually has
2397
- # side effects such as increased number of TCP resets due to old retransmits
2398
- # getting immediately rejected. Some firewalls may sometimes complain about
2399
- # this too.
2400
- #
2401
- # For this reason, it is not recommended to use this option when not absolutely
2402
- # needed. You know that you need it when you have thousands of FIN_WAIT1
2403
- # sessions on your system (TIME_WAIT ones do not count).
2404
- #
2405
- # This option may be used both on frontends and backends, depending on the side
2406
- # where it is required. Use it on the frontend for clients, and on the backend
2407
- # for servers.
2408
- #
2409
- # If this option has been enabled in a "defaults" section, it can be disabled
2410
- # in a specific instance by prepending the "no" keyword before it.
2411
- #
2412
- attr_accessor :option_nolinger
2413
-
2414
- #
2415
- # option originalto [ except <network> ] [ header <name> ]
2416
- # Enable insertion of the X-Original-To header to requests sent to servers
2417
- # May be used in sections : defaults | frontend | listen | backend
2418
- # yes | yes | yes | yes
2419
- # Arguments :
2420
- # <network> is an optional argument used to disable this option for sources
2421
- # matching <network>
2422
- # <name> an optional argument to specify a different "X-Original-To"
2423
- # header name.
2424
- #
2425
- # Since HAProxy can work in transparent mode, every request from a client can
2426
- # be redirected to the proxy and HAProxy itself can proxy every request to a
2427
- # complex SQUID environment and the destination host from SO_ORIGINAL_DST will
2428
- # be lost. This is annoying when you want access rules based on destination ip
2429
- # addresses. To solve this problem, a new HTTP header "X-Original-To" may be
2430
- # added by HAProxy to all requests sent to the server. This header contains a
2431
- # value representing the original destination IP address. Since this must be
2432
- # configured to always use the last occurrence of this header only. Note that
2433
- # only the last occurrence of the header must be used, since it is really
2434
- # possible that the client has already brought one.
2435
- #
2436
- # The keyword "header" may be used to supply a different header name to replace
2437
- # the default "X-Original-To". This can be useful where you might already
2438
- # have a "X-Original-To" header from a different application, and you need
2439
- # preserve it. Also if your backend server doesn't use the "X-Original-To"
2440
- # header and requires different one.
2441
- #
2442
- # Sometimes, a same HAProxy instance may be shared between a direct client
2443
- # access and a reverse-proxy access (for instance when an SSL reverse-proxy is
2444
- # used to decrypt HTTPS traffic). It is possible to disable the addition of the
2445
- # header for a known source address or network by adding the "except" keyword
2446
- # followed by the network address. In this case, any source IP matching the
2447
- # network will not cause an addition of this header. Most common uses are with
2448
- # private networks or 127.0.0.1.
2449
- #
2450
- # This option may be specified either in the frontend or in the backend. If at
2451
- # least one of them uses it, the header will be added. Note that the backend's
2452
- # setting of the header subargument takes precedence over the frontend's if
2453
- # both are defined.
2454
- #
2455
- # It is important to note that as long as HAProxy does not support keep-alive
2456
- # connections, only the first request of a connection will receive the header.
2457
- # For this reason, it is important to ensure that "option httpclose" is set
2458
- # when using this option.
2459
- #
2460
- # Examples :
2461
- # # Original Destination address
2462
- # frontend www
2463
- # mode http
2464
- # option originalto except 127.0.0.1
2465
- #
2466
- # # Those servers want the IP Address in X-Client-Dst
2467
- # backend www
2468
- # mode http
2469
- # option originalto header X-Client-Dst
2470
- #
2471
- # See also : "option httpclose"
2472
- #
2473
- attr_accessor :option_originalto
2474
-
2475
- #
2476
- # option socket-stats
2477
- # no option socket-stats
2478
- #
2479
- # Enable or disable collecting & providing separate statistics for each socket.
2480
- # May be used in sections : defaults | frontend | listen | backend
2481
- # yes | yes | yes | no
2482
- #
2483
- # Arguments : none
2484
- #
2485
- attr_accessor :option_socket_stats
2486
-
2487
- #
2488
- # option splice-auto
2489
- # no option splice-auto
2490
- # Enable or disable automatic kernel acceleration on sockets in both directions
2491
- # May be used in sections : defaults | frontend | listen | backend
2492
- # yes | yes | yes | yes
2493
- # Arguments : none
2494
- #
2495
- # When this option is enabled either on a frontend or on a backend, haproxy
2496
- # will automatically evaluate the opportunity to use kernel tcp splicing to
2497
- # forward data between the client and the server, in either direction. Haproxy
2498
- # uses heuristics to estimate if kernel splicing might improve performance or
2499
- # not. Both directions are handled independently. Note that the heuristics used
2500
- # are not much aggressive in order to limit excessive use of splicing. This
2501
- # option requires splicing to be enabled at compile time, and may be globally
2502
- # disabled with the global option "nosplice". Since splice uses pipes, using it
2503
- # requires that there are enough spare pipes.
2504
- #
2505
- # Important note: kernel-based TCP splicing is a Linux-specific feature which
2506
- # first appeared in kernel 2.6.25. It offers kernel-based acceleration to
2507
- # transfer data between sockets without copying these data to user-space, thus
2508
- # providing noticeable performance gains and CPU cycles savings. Since many
2509
- # early implementations are buggy, corrupt data and/or are inefficient, this
2510
- # feature is not enabled by default, and it should be used with extreme care.
2511
- # While it is not possible to detect the correctness of an implementation,
2512
- # 2.6.29 is the first version offering a properly working implementation. In
2513
- # case of doubt, splicing may be globally disabled using the global "nosplice"
2514
- # keyword.
2515
- #
2516
- # Example :
2517
- # option splice-auto
2518
- #
2519
- # If this option has been enabled in a "defaults" section, it can be disabled
2520
- # in a specific instance by prepending the "no" keyword before it.
2521
- #
2522
- # See also : "option splice-request", "option splice-response", and global
2523
- # options "nosplice" and "maxpipes"
2524
- #
2525
- attr_accessor :option_splice_auto
2526
-
2527
- #
2528
- # option splice-request
2529
- # no option splice-request
2530
- # Enable or disable automatic kernel acceleration on sockets for requests
2531
- # May be used in sections : defaults | frontend | listen | backend
2532
- # yes | yes | yes | yes
2533
- # Arguments : none
2534
- #
2535
- # When this option is enabled either on a frontend or on a backend, haproxy
2536
- # will user kernel tcp splicing whenever possible to forward data going from
2537
- # the client to the server. It might still use the recv/send scheme if there
2538
- # are no spare pipes left. This option requires splicing to be enabled at
2539
- # compile time, and may be globally disabled with the global option "nosplice".
2540
- # Since splice uses pipes, using it requires that there are enough spare pipes.
2541
- #
2542
- # Important note: see "option splice-auto" for usage limitations.
2543
- #
2544
- # Example :
2545
- # option splice-request
2546
- #
2547
- # If this option has been enabled in a "defaults" section, it can be disabled
2548
- # in a specific instance by prepending the "no" keyword before it.
2549
- #
2550
- # See also : "option splice-auto", "option splice-response", and global options
2551
- # "nosplice" and "maxpipes"
2552
- #
2553
- attr_accessor :option_splice_request
2554
-
2555
- #
2556
- # option splice-response
2557
- # no option splice-response
2558
- # Enable or disable automatic kernel acceleration on sockets for responses
2559
- # May be used in sections : defaults | frontend | listen | backend
2560
- # yes | yes | yes | yes
2561
- # Arguments : none
2562
- #
2563
- # When this option is enabled either on a frontend or on a backend, haproxy
2564
- # will user kernel tcp splicing whenever possible to forward data going from
2565
- # the server to the client. It might still use the recv/send scheme if there
2566
- # are no spare pipes left. This option requires splicing to be enabled at
2567
- # compile time, and may be globally disabled with the global option "nosplice".
2568
- # Since splice uses pipes, using it requires that there are enough spare pipes.
2569
- #
2570
- # Important note: see "option splice-auto" for usage limitations.
2571
- #
2572
- # Example :
2573
- # option splice-response
2574
- #
2575
- # If this option has been enabled in a "defaults" section, it can be disabled
2576
- # in a specific instance by prepending the "no" keyword before it.
2577
- #
2578
- # See also : "option splice-auto", "option splice-request", and global options
2579
- # "nosplice" and "maxpipes"
2580
- #
2581
- attr_accessor :option_splice_response
2582
-
2583
- #
2584
- # option tcp-smart-accept
2585
- # no option tcp-smart-accept
2586
- # Enable or disable the saving of one ACK packet during the accept sequence
2587
- # May be used in sections : defaults | frontend | listen | backend
2588
- # yes | yes | yes | no
2589
- # Arguments : none
2590
- #
2591
- # When an HTTP connection request comes in, the system acknowledges it on
2592
- # behalf of HAProxy, then the client immediately sends its request, and the
2593
- # system acknowledges it too while it is notifying HAProxy about the new
2594
- # connection. HAProxy then reads the request and responds. This means that we
2595
- # have one TCP ACK sent by the system for nothing, because the request could
2596
- # very well be acknowledged by HAProxy when it sends its response.
2597
- #
2598
- # For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
2599
- # sending this useless ACK on platforms which support it (currently at least
2600
- # Linux). It must not cause any problem, because the system will send it anyway
2601
- # after 40 ms if the response takes more time than expected to come.
2602
- #
2603
- # During complex network debugging sessions, it may be desirable to disable
2604
- # this optimization because delayed ACKs can make troubleshooting more complex
2605
- # when trying to identify where packets are delayed. It is then possible to
2606
- # fall back to normal behaviour by specifying "no option tcp-smart-accept".
2607
- #
2608
- # It is also possible to force it for non-HTTP proxies by simply specifying
2609
- # "option tcp-smart-accept". For instance, it can make sense with some services
2610
- # such as SMTP where the server speaks first.
2611
- #
2612
- # It is recommended to avoid forcing this option in a defaults section. In case
2613
- # of doubt, consider setting it back to automatic values by prepending the
2614
- # "default" keyword before it, or disabling it using the "no" keyword.
2615
- #
2616
- # See also : "option tcp-smart-connect"
2617
- #
2618
- attr_accessor :option_tcp_smart_accept
2619
-
2620
- #
2621
- # option tcpka
2622
- # Enable or disable the sending of TCP keepalive packets on both sides
2623
- # May be used in sections : defaults | frontend | listen | backend
2624
- # yes | yes | yes | yes
2625
- # Arguments : none
2626
- #
2627
- # When there is a firewall or any session-aware component between a client and
2628
- # a server, and when the protocol involves very long sessions with long idle
2629
- # periods (eg: remote desktops), there is a risk that one of the intermediate
2630
- # components decides to expire a session which has remained idle for too long.
2631
- #
2632
- # Enabling socket-level TCP keep-alives makes the system regularly send packets
2633
- # to the other end of the connection, leaving it active. The delay between
2634
- # keep-alive probes is controlled by the system only and depends both on the
2635
- # operating system and its tuning parameters.
2636
- #
2637
- # It is important to understand that keep-alive packets are neither emitted nor
2638
- # received at the application level. It is only the network stacks which sees
2639
- # them. For this reason, even if one side of the proxy already uses keep-alives
2640
- # to maintain its connection alive, those keep-alive packets will not be
2641
- # forwarded to the other side of the proxy.
2642
- #
2643
- # Please note that this has nothing to do with HTTP keep-alive.
2644
- #
2645
- # Using option "tcpka" enables the emission of TCP keep-alive probes on both
2646
- # the client and server sides of a connection. Note that this is meaningful
2647
- # only in "defaults" or "listen" sections. If this option is used in a
2648
- # frontend, only the client side will get keep-alives, and if this option is
2649
- # used in a backend, only the server side will get keep-alives. For this
2650
- # reason, it is strongly recommended to explicitly use "option clitcpka" and
2651
- # "option srvtcpka" when the configuration is split between frontends and
2652
- # backends.
2653
- #
2654
- # See also : "option clitcpka", "option srvtcpka"
2655
- #
2656
- attr_accessor :option_tcpka
2657
-
2658
- #
2659
- # option tcplog
2660
- # Enable advanced logging of TCP connections with session state and timers
2661
- # May be used in sections : defaults | frontend | listen | backend
2662
- # yes | yes | yes | yes
2663
- # Arguments : none
2664
- #
2665
- # By default, the log output format is very poor, as it only contains the
2666
- # source and destination addresses, and the instance name. By specifying
2667
- # "option tcplog", each log line turns into a much richer format including, but
2668
- # not limited to, the connection timers, the session status, the connections
2669
- # numbers, the frontend, backend and server name, and of course the source
2670
- # address and ports. This option is useful for pure TCP proxies in order to
2671
- # find which of the client or server disconnects or times out. For normal HTTP
2672
- # proxies, it's better to use "option httplog" which is even more complete.
2673
- #
2674
- # This option may be set either in the frontend or the backend.
2675
- #
2676
- # See also : "option httplog", and section 8 about logging.
2677
- #
2678
- attr_accessor :option_tcplog
2679
-
2680
- #
2681
- # rate-limit sessions <rate>
2682
- # Set a limit on the number of new sessions accepted per second on a frontend
2683
- # May be used in sections : defaults | frontend | listen | backend
2684
- # yes | yes | yes | no
2685
- # Arguments :
2686
- # <rate> The <rate> parameter is an integer designating the maximum number
2687
- # of new sessions per second to accept on the frontend.
2688
- #
2689
- # When the frontend reaches the specified number of new sessions per second, it
2690
- # stops accepting new connections until the rate drops below the limit again.
2691
- # During this time, the pending sessions will be kept in the socket's backlog
2692
- # (in system buffers) and haproxy will not even be aware that sessions are
2693
- # pending. When applying very low limit on a highly loaded service, it may make
2694
- # sense to increase the socket's backlog using the "backlog" keyword.
2695
- #
2696
- # This feature is particularly efficient at blocking connection-based attacks
2697
- # or service abuse on fragile servers. Since the session rate is measured every
2698
- # millisecond, it is extremely accurate. Also, the limit applies immediately,
2699
- # no delay is needed at all to detect the threshold.
2700
- #
2701
- # Example : limit the connection rate on SMTP to 10 per second max
2702
- # listen smtp
2703
- # mode tcp
2704
- # bind :25
2705
- # rate-limit sessions 10
2706
- # server 127.0.0.1:1025
2707
- #
2708
- # Note : when the maximum rate is reached, the frontend's status appears as
2709
- # "FULL" in the statistics, exactly as when it is saturated.
2710
- #
2711
- # See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
2712
- #
2713
- attr_accessor :rate_limit_sessions
2714
-
2715
- #
2716
- # timeout client <timeout>
2717
- # timeout clitimeout <timeout> (deprecated)
2718
- # Set the maximum inactivity time on the client side.
2719
- # May be used in sections : defaults | frontend | listen | backend
2720
- # yes | yes | yes | no
2721
- # Arguments :
2722
- # <timeout> is the timeout value specified in milliseconds by default, but
2723
- # can be in any other unit if the number is suffixed by the unit,
2724
- # as explained at the top of this document.
2725
- #
2726
- # The inactivity timeout applies when the client is expected to acknowledge or
2727
- # send data. In HTTP mode, this timeout is particularly important to consider
2728
- # during the first phase, when the client sends the request, and during the
2729
- # response while it is reading data sent by the server. The value is specified
2730
- # in milliseconds by default, but can be in any other unit if the number is
2731
- # suffixed by the unit, as specified at the top of this document. In TCP mode
2732
- # (and to a lesser extent, in HTTP mode), it is highly recommended that the
2733
- # client timeout remains equal to the server timeout in order to avoid complex
2734
- # situations to debug. It is a good practice to cover one or several TCP packet
2735
- # losses by specifying timeouts that are slightly above multiples of 3 seconds
2736
- # (eg: 4 or 5 seconds).
2737
- #
2738
- # This parameter is specific to frontends, but can be specified once for all in
2739
- # "defaults" sections. This is in fact one of the easiest solutions not to
2740
- # forget about it. An unspecified timeout results in an infinite timeout, which
2741
- # is not recommended. Such a usage is accepted and works but reports a warning
2742
- # during startup because it may results in accumulation of expired sessions in
2743
- # the system if the system's timeouts are not configured either.
2744
- #
2745
- # This parameter replaces the old, deprecated "clitimeout". It is recommended
2746
- # to use it to write new configurations. The form "timeout clitimeout" is
2747
- # provided only by backwards compatibility but its use is strongly discouraged.
2748
- #
2749
- # See also : "clitimeout", "timeout server".
2750
- #
2751
- attr_accessor :timeout_client
2752
-
2753
- #
2754
- # timeout http-keep-alive <timeout>
2755
- # Set the maximum allowed time to wait for a new HTTP request to appear
2756
- # May be used in sections : defaults | frontend | listen | backend
2757
- # yes | yes | yes | yes
2758
- # Arguments :
2759
- # <timeout> is the timeout value specified in milliseconds by default, but
2760
- # can be in any other unit if the number is suffixed by the unit,
2761
- # as explained at the top of this document.
2762
- #
2763
- # By default, the time to wait for a new request in case of keep-alive is set
2764
- # by "timeout http-request". However this is not always convenient because some
2765
- # people want very short keep-alive timeouts in order to release connections
2766
- # faster, and others prefer to have larger ones but still have short timeouts
2767
- # once the request has started to present itself.
2768
- #
2769
- # The "http-keep-alive" timeout covers these needs. It will define how long to
2770
- # wait for a new HTTP request to start coming after a response was sent. Once
2771
- # the first byte of request has been seen, the "http-request" timeout is used
2772
- # to wait for the complete request to come. Note that empty lines prior to a
2773
- # new request do not refresh the timeout and are not counted as a new request.
2774
- #
2775
- # There is also another difference between the two timeouts : when a connection
2776
- # expires during timeout http-keep-alive, no error is returned, the connection
2777
- # just closes. If the connection expires in "http-request" while waiting for a
2778
- # connection to complete, a HTTP 408 error is returned.
2779
- #
2780
- # In general it is optimal to set this value to a few tens to hundreds of
2781
- # milliseconds, to allow users to fetch all objects of a page at once but
2782
- # without waiting for further clicks. Also, if set to a very small value (eg:
2783
- # 1 millisecond) it will probably only accept pipelined requests but not the
2784
- # non-pipelined ones. It may be a nice trade-off for very large sites running
2785
- # with tens to hundreds of thousands of clients.
2786
- #
2787
- # If this parameter is not set, the "http-request" timeout applies, and if both
2788
- # are not set, "timeout client" still applies at the lower level. It should be
2789
- # set in the frontend to take effect, unless the frontend is in TCP mode, in
2790
- # which case the HTTP backend's timeout will be used.
2791
- #
2792
- # See also : "timeout http-request", "timeout client".
2793
- #
2794
- attr_accessor :timeout_http_keep_alive
2795
-
2796
- #
2797
- # timeout http-request <timeout>
2798
- # Set the maximum allowed time to wait for a complete HTTP request
2799
- # May be used in sections : defaults | frontend | listen | backend
2800
- # yes | yes | yes | yes
2801
- # Arguments :
2802
- # <timeout> is the timeout value specified in milliseconds by default, but
2803
- # can be in any other unit if the number is suffixed by the unit,
2804
- # as explained at the top of this document.
2805
- #
2806
- # In order to offer DoS protection, it may be required to lower the maximum
2807
- # accepted time to receive a complete HTTP request without affecting the client
2808
- # timeout. This helps protecting against established connections on which
2809
- # nothing is sent. The client timeout cannot offer a good protection against
2810
- # this abuse because it is an inactivity timeout, which means that if the
2811
- # attacker sends one character every now and then, the timeout will not
2812
- # trigger. With the HTTP request timeout, no matter what speed the client
2813
- # types, the request will be aborted if it does not complete in time.
2814
- #
2815
- # Note that this timeout only applies to the header part of the request, and
2816
- # not to any data. As soon as the empty line is received, this timeout is not
2817
- # used anymore. It is used again on keep-alive connections to wait for a second
2818
- # request if "timeout http-keep-alive" is not set.
2819
- #
2820
- # Generally it is enough to set it to a few seconds, as most clients send the
2821
- # full request immediately upon connection. Add 3 or more seconds to cover TCP
2822
- # retransmits but that's all. Setting it to very low values (eg: 50 ms) will
2823
- # generally work on local networks as long as there are no packet losses. This
2824
- # will prevent people from sending bare HTTP requests using telnet.
2825
- #
2826
- # If this parameter is not set, the client timeout still applies between each
2827
- # chunk of the incoming request. It should be set in the frontend to take
2828
- # effect, unless the frontend is in TCP mode, in which case the HTTP backend's
2829
- # timeout will be used.
2830
- #
2831
- # See also : "timeout http-keep-alive", "timeout client".
2832
- #
2833
- attr_accessor :timeout_http_request
2834
-
2835
- #
2836
- # timeout tarpit <timeout>
2837
- # Set the duration for which tarpitted connections will be maintained
2838
- # May be used in sections : defaults | frontend | listen | backend
2839
- # yes | yes | yes | yes
2840
- # Arguments :
2841
- # <timeout> is the tarpit duration specified in milliseconds by default, but
2842
- # can be in any other unit if the number is suffixed by the unit,
2843
- # as explained at the top of this document.
2844
- #
2845
- # When a connection is tarpitted using "reqtarpit", it is maintained open with
2846
- # no activity for a certain amount of time, then closed. "timeout tarpit"
2847
- # defines how long it will be maintained open.
2848
- #
2849
- # The value is specified in milliseconds by default, but can be in any other
2850
- # unit if the number is suffixed by the unit, as specified at the top of this
2851
- # document. If unspecified, the same value as the backend's connection timeout
2852
- # ("timeout connect") is used, for backwards compatibility with older versions
2853
- # with no "timeout tarpit" parameter.
2854
- #
2855
- # See also : "timeout connect", "contimeout".
2856
- #
2857
- attr_accessor :timeout_tarpit
2858
-
2859
- attr_accessor :reqisetbe
2860
- attr_accessor :reqsetbe
2861
-
2862
- #
2863
- # name <name>
2864
- # The frontend name is required.
2865
- #
2866
- attr_accessor :name
17
+ include RhaproxyKeywords,
18
+ :exclude => [
19
+ :appsession,
20
+ :balance,
21
+ :cookie,
22
+ :default_server,
23
+ :dispatch,
24
+ :fullconn,
25
+ :hash_type,
26
+ :http_check_disable_on_404,
27
+ :http_check_expect,
28
+ :http_check_send_state,
29
+ :option_abortonclose,
30
+ :option_accept_invalid_http_response,
31
+ :option_allbackups,
32
+ :option_checkcache,
33
+ :option_httpchk,
34
+ :option_ldap_check,
35
+ :option_log_health_checks,
36
+ :option_mysql_check,
37
+ :option_persist,
38
+ :option_redispatch,
39
+ :option_smtpchk,
40
+ :option_srvtcpka,
41
+ :option_ssl_hello_chk,
42
+ :option_tcp_smart_connect,
43
+ :option_transparent,
44
+ :persist_rdp_cookie,
45
+ :retries,
46
+ :server,
47
+ :source,
48
+ :stats_admin,
49
+ :stats_auth,
50
+ :stats_enable,
51
+ :stats_hide_version,
52
+ :stats_http_request,
53
+ :stats_realm,
54
+ :stats_refresh,
55
+ :stats_scope,
56
+ :stats_show_desc,
57
+ :stats_show_legends,
58
+ :stats_show_node,
59
+ :stats_uri,
60
+ :stick_match,
61
+ :stick_on,
62
+ :stick_store_request,
63
+ :stick_table,
64
+ :tcp_response_content,
65
+ :tcp_response_inspect_delay,
66
+ :timeout_check,
67
+ :timeout_connect,
68
+ :timeout_queue,
69
+ :timeout_server
70
+ ]
2867
71
 
2868
72
  #
2869
73
  # Returns a new RhaproxyFrontend Object
2870
74
  #
2871
75
  def initialize()
76
+ @conf ||= []
77
+ @proxy_type = "frontend"
2872
78
  end
2873
79
 
2874
- #
2875
- # Compile the HAproxy frontend configuration
2876
- #
2877
- def config
2878
-
2879
- if @name
2880
-
2881
- conf = option_string()
2882
-
2883
- return conf
2884
-
2885
- else
2886
-
2887
- puts "frontend name not defined"
2888
-
2889
- return false
2890
-
2891
- end
2892
-
2893
- end
2894
-
2895
- private
2896
-
2897
- def option_string()
2898
-
2899
- ostring = " " + "frontend " + @name + "\n"
2900
-
2901
- if @acl
2902
- ostring += " " + "acl " + @acl.to_s + "\n"
2903
- end
2904
-
2905
- if @bind
2906
- ostring += " " + "bind " + @bind.to_s + "\n"
2907
- end
2908
-
2909
- if @block
2910
- ostring += " " + "block " + @block.to_s + "\n"
2911
- end
2912
-
2913
- if @capture_cookie
2914
- ostring += " " + "capture cookie " + @capture_cookie.to_s + "\n"
2915
- end
2916
-
2917
- if @capture_request_header
2918
- ostring += " " + "capture request header " + @capture_request_header.to_s + "\n"
2919
- end
2920
-
2921
- if @capture_response_header
2922
- ostring += " " + "capture response header " + @capture_response_header.to_s + "\n"
2923
- end
2924
-
2925
- if @force_persist
2926
- ostring += " " + "force-persist " + @force_persist.to_s + "\n"
2927
- end
2928
-
2929
- if @http_request
2930
- ostring += " " + "http-request " + @http_request.to_s + "\n"
2931
- end
2932
-
2933
- if @persistent_id
2934
- ostring += " " + "id " + @persistent_id.to_s + "\n"
2935
- end
2936
-
2937
- if @ignore_persist
2938
- ostring += " " + "ignore persist " + @ignore_persist.to_s + "\n"
2939
- end
2940
-
2941
- if @monitor_fail
2942
- ostring += " " + "monitor fail " + @monitor_fail.to_s + "\n"
2943
- end
2944
-
2945
- if @option_ignore_presist
2946
- ostring += " " + "option ignore-presist " + @option_ignore_presist.to_s + "\n"
2947
- end
2948
-
2949
- if @redirect
2950
- ostring += " " + "redirect " + @redirect.to_s + "\n"
2951
- end
2952
-
2953
- if @reqadd
2954
- ostring += " " + "reqadd " + @reqadd.to_s + "\n"
2955
- end
2956
-
2957
- if @reqallow
2958
- ostring += " " + "reqallow " + @reqallow.to_s + "\n"
2959
- end
2960
-
2961
- if @reqiallow
2962
- ostring += " " + "reqiallow " + @reqiallow.to_s + "\n"
2963
- end
2964
-
2965
- if @reqdel
2966
- ostring += " " + "reqdel " + @reqdel.to_s + "\n"
2967
- end
2968
-
2969
- if @reqidel
2970
- ostring += " " + "reqidel " + @reqidel.to_s + "\n"
2971
- end
2972
-
2973
- if @reqdeny
2974
- ostring += " " + "reqdeny " + @reqdeny.to_s + "\n"
2975
- end
2976
-
2977
- if @reqideny
2978
- ostring += " " + "reqideny " + @reqideny.to_s + "\n"
2979
- end
2980
-
2981
- if @reqpass
2982
- ostring += " " + "reqpass " + @reqpass.to_s + "\n"
2983
- end
2984
-
2985
- if @reqipass
2986
- ostring += " " + "reqipass " + @reqipass.to_s + "\n"
2987
- end
2988
-
2989
- if @reqrep
2990
- ostring += " " + "reqrep " + @reqrep.to_s + "\n"
2991
- end
2992
-
2993
- if @reqirep
2994
- ostring += " " + "reqirep " + @reqirep.to_s + "\n"
2995
- end
2996
-
2997
- if @reqtarpit
2998
- ostring += " " + "reqtarpit " + @reqtarpit.to_s + "\n"
2999
- end
3000
-
3001
- if @reqitarpit
3002
- ostring += " " + "reqitarpit " + @reqitarpit.to_s + "\n"
3003
- end
3004
-
3005
- if @rspadd
3006
- ostring += " " + "rspadd " + @rspadd.to_s + "\n"
3007
- end
3008
-
3009
- if @rspdel
3010
- ostring += " " + "rspdel " + @rspdel.to_s + "\n"
3011
- end
3012
-
3013
- if @rspidel
3014
- ostring += " " + "rspidel " + @rspidel.to_s + "\n"
3015
- end
3016
-
3017
- if @rspdeny
3018
- ostring += " " + "rspdeny " + @rspdeny.to_s + "\n"
3019
- end
3020
-
3021
- if @rspideny
3022
- ostring += " " + "rspideny " + @rspideny.to_s + "\n"
3023
- end
3024
-
3025
- if @rspirep
3026
- ostring += " " + "rspirep " + @rspirep.to_s + "\n"
3027
- end
3028
-
3029
- if @rsprep
3030
- ostring += " " + "rsprep " + @rsprep.to_s + "\n"
3031
- end
3032
-
3033
- if @tcp_request_connection
3034
- ostring += " " + "tcp-request connection " + @tcp_request_connection.to_s + "\n"
3035
- end
3036
-
3037
- if @tcp_request_content
3038
- ostring += " " + "tcp-request content " + @tcp_request_content.to_s + "\n"
3039
- end
3040
-
3041
- if @tcp_request_inspect_delay
3042
- ostring += " " + "tcp-request inspect-delay " + @tcp_request_inspect_delay.to_s + "\n"
3043
- end
3044
-
3045
- if @use_backend
3046
- ostring += " " + "use_backend " + @use_backend.to_s + "\n"
3047
- end
3048
-
3049
- if @description
3050
- ostring += " " + "description " + @description.to_s + "\n"
3051
- end
3052
-
3053
- if @reqisetbe
3054
- ostring += " " + "reqisetbe " + @reqisetbe.to_s + "\n"
3055
- end
3056
-
3057
- if @reqsetbe
3058
- ostring += " " + "reqsetbe " + @reqsetbe.to_s + "\n"
3059
- end
3060
-
3061
- if @backlog
3062
- ostring += " " + "backlog " + @backlog.to_s + "\n"
3063
- end
3064
-
3065
- if @bind_process
3066
- ostring += " " + "bind-process " + @bind_process.to_s + "\n"
3067
- end
3068
-
3069
- if @default_backend
3070
- ostring += " " + "default_backend " + @default_backend.to_s + "\n"
3071
- end
3072
-
3073
- if @disabled
3074
- ostring += " " + "disabled " + "\n"
3075
- end
3076
-
3077
- if @enabled
3078
- ostring += " " + "enabled " + "\n"
3079
- end
3080
-
3081
- if @errorfile
3082
- ostring += " " + "errorfile " + @errorfile.to_s + "\n"
3083
- end
3084
-
3085
- if @errorloc
3086
- ostring += " " + "errorloc " + @errorloc.to_s + "\n"
3087
- end
3088
-
3089
- if @errorloc302
3090
- ostring += " " + "errorloc302 " + @errorloc302.to_s + "\n"
3091
- end
3092
-
3093
- if @errorloc303
3094
- ostring += " " + "errorloc303 " + @errorloc303.to_s + "\n"
3095
- end
3096
-
3097
- if @grace
3098
- ostring += " " + "grace " + @grace.to_s + "\n"
3099
- end
3100
-
3101
- if @log
3102
- ostring += " " + "log " + @log.to_s + "\n"
3103
- end
3104
-
3105
- if @maxconn
3106
- ostring += " " + "maxconn " + @maxconn.to_s + "\n"
3107
- end
3108
-
3109
- if @mode
3110
- ostring += " " + "mode " + @mode.to_s + "\n"
3111
- end
3112
-
3113
- if @monitor_net
3114
- ostring += " " + "monitor-net " + @monitor_net.to_s + "\n"
3115
- end
3116
-
3117
- if @monitor_uri
3118
- ostring += " " + "monitor-uri " + @monitor_uri.to_s + "\n"
3119
- end
3120
-
3121
- if @option_accept_invalid_http_request
3122
- ostring += " " + "option accept-invalid-http-request " + "\n"
3123
- end
3124
-
3125
- if @option_clitcpka
3126
- ostring += " " + "option clitcpka " + "\n"
3127
- end
3128
-
3129
- if @option_contstats
3130
- ostring += " " + "option contstats " + "\n"
3131
- end
3132
-
3133
- if @option_dontlog_normal
3134
- ostring += " " + "option dontlog-normal " + "\n"
3135
- end
3136
-
3137
- if @option_dontlognull
3138
- ostring += " " + "option dontlognull " + "\n"
3139
- end
3140
-
3141
- if @option_forceclose
3142
- ostring += " " + "option forceclose " + "\n"
3143
- end
3144
-
3145
- if @option_forwardfor
3146
- ostring += " " + "option forwardfor " + @option_forwardfor.to_s + "\n"
3147
- end
3148
-
3149
- if @option_http_pretend_keepalive
3150
- ostring += " " + "option http-pretend-keepalive " + "\n"
3151
- end
3152
-
3153
- if @option_http_server_close
3154
- ostring += " " + "option http-server-close " + "\n"
3155
- end
3156
-
3157
- if @option_http_use_proxy_header
3158
- ostring += " " + "option http-use-proxy-header " + "\n"
3159
- end
3160
-
3161
- if @option_httpclose
3162
- ostring += " " + "option httpclose " + "\n"
3163
- end
3164
-
3165
- if @option_httplog
3166
- ostring += " " + "option httplog " + "\n"
3167
- end
3168
-
3169
- if @option_httplog_clf
3170
- ostring += " " + "option httplog " + @option_httplog_clf.to_s + "\n"
3171
- end
3172
-
3173
- if @option_http_proxy
3174
- ostring += " " + "option http_proxy " + "\n"
3175
- end
3176
-
3177
- if @option_independant_streams
3178
- ostring += " " + "option independant-streams " + "\n"
3179
- end
3180
-
3181
- if @option_log_separate_errors
3182
- ostring += " " + "option log-separate-errors " + "\n"
3183
- end
3184
-
3185
- if @option_logasap
3186
- ostring += " " + "option logasap " + "\n"
3187
- end
3188
-
3189
- if @option_nolinger
3190
- ostring += " " + "option nolinger " + "\n"
3191
- end
3192
-
3193
- if @option_originalto
3194
- ostring += " " + "option originalto " + @option_originalto.to_s + "\n"
3195
- end
3196
-
3197
- if @option_socket_stats
3198
- ostring += " " + "option socket-stats " + "\n"
3199
- end
3200
-
3201
- if @option_splice_auto
3202
- ostring += " " + "option splice-auto " + "\n"
3203
- end
3204
-
3205
- if @option_splice_request
3206
- ostring += " " + "option splice-request " + "\n"
3207
- end
3208
-
3209
- if @option_splice_response
3210
- ostring += " " + "option splice-response " + "\n"
3211
- end
3212
-
3213
- if @option_tcp_smart_accept
3214
- ostring += " " + "option tcp-smart-accept " + "\n"
3215
- end
3216
-
3217
- if @option_tcpka
3218
- ostring += " " + "option tcpka " + "\n"
3219
- end
3220
-
3221
- if @option_tcplog
3222
- ostring += " " + "option tcplog " + "\n"
3223
- end
3224
-
3225
- if @rate_limit_sessions
3226
- ostring += " " + "rate-limit sessions " + @rate_limit_sessions.to_s + "\n"
3227
- end
3228
-
3229
- if @timeout_client
3230
- ostring += " " + "timeout client " + @timeout_client.to_s + "\n"
3231
- end
3232
-
3233
- if @timeout_http_keep_alive
3234
- ostring += " " + "timeout http-keep-alive " + @timeout_http_keep_alive.to_s + "\n"
3235
- end
3236
-
3237
- if @timeout_http_request
3238
- ostring += " " + "timeout http-request " + @timeout_http_request.to_s + "\n"
3239
- end
3240
-
3241
- if @timeout_tarpit
3242
- ostring += " " + "timeout tarpit " + @timeout_tarpit.to_s + "\n"
3243
- end
3244
-
3245
- ostring += "\n"
3246
-
3247
- return ostring
3248
-
3249
- end
3250
80
  end
3251
81