rhaproxy 0.1.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (16) hide show
  1. data/Changelog +0 -0
  2. data/MIT-LICENSE +21 -0
  3. data/README +58 -0
  4. data/lib/rhaproxy/backend.rb +5014 -0
  5. data/lib/rhaproxy/defaults.rb +3713 -0
  6. data/lib/rhaproxy/frontend.rb +3251 -0
  7. data/lib/rhaproxy/global.rb +590 -0
  8. data/lib/rhaproxy/listen.rb +6090 -0
  9. data/lib/rhaproxy/peers.rb +110 -0
  10. data/lib/rhaproxy/userlist.rb +93 -0
  11. data/lib/rhaproxy/version.rb +17 -0
  12. data/lib/rhaproxy.rb +9 -0
  13. data/setup.rb +1585 -0
  14. data/test/test_helper.rb +2 -0
  15. data/test/test_rhaproxy.rb +11 -0
  16. metadata +81 -0
data/lib/rhaproxy/frontend.rb ADDED
@@ -0,0 +1,3251 @@
1
+ # = rhaproxy - A HAproxy gem for Ruby
2
+ #
3
+ # Homepage:: http://github.com/jjuliano/rhaproxy
4
+ # Author:: Joel Bryan Juliano
5
+ # Copyright:: (cc) 2011 Joel Bryan Juliano
6
+ # License:: MIT
7
+
8
+ #
9
+ # class RhaproxyFrontend.new( array, str, array)
10
+ #
11
+
12
+ #
13
+ # A "frontend" section describes a set of listening sockets accepting client
14
+ # connections.
15
+ #
16
+ class RhaproxyFrontend
17
+
18
+ #
19
+ # acl <aclname> <criterion> [flags] [operator] <value> ...
20
+ # Declare or complete an access list.
21
+ # May be used in sections : defaults | frontend | listen | backend
22
+ # no | yes | yes | yes
23
+ # Example:
24
+ # acl invalid_src src 0.0.0.0/7 224.0.0.0/3
25
+ # acl invalid_src src_port 0:1023
26
+ # acl local_dst hdr(host) -i localhost
27
+ #
28
+ # See section 7 about ACL usage.
29
+ #
30
+ attr_accessor :acl
31
+
32
+ #
33
+ # bind [<address>]:<port_range> [, ...]
34
+ # bind [<address>]:<port_range> [, ...] interface <interface>
35
+ # bind [<address>]:<port_range> [, ...] mss <maxseg>
36
+ # bind [<address>]:<port_range> [, ...] transparent
37
+ # bind [<address>]:<port_range> [, ...] id <id>
38
+ # bind [<address>]:<port_range> [, ...] name <name>
39
+ # bind [<address>]:<port_range> [, ...] defer-accept
40
+ # bind [<address>]:<port_range> [, ...] accept-proxy
41
+ # bind /<path> [, ...]
42
+ # bind /<path> [, ...] mode <mode>
43
+ # bind /<path> [, ...] [ user <user> | uid <uid> ]
44
+ # bind /<path> [, ...] [ group <user> | gid <gid> ]
45
+ # Define one or several listening addresses and/or ports in a frontend.
46
+ # May be used in sections : defaults | frontend | listen | backend
47
+ # no | yes | yes | no
48
+ # Arguments :
49
+ # <address> is optional and can be a host name, an IPv4 address, an IPv6
50
+ # address, or '*'. It designates the address the frontend will
51
+ # listen on. If unset, all IPv4 addresses of the system will be
52
+ # listened on. The same will apply for '*' or the system's
53
+ # special address "0.0.0.0".
54
+ #
55
+ # <port_range> is either a unique TCP port, or a port range for which the
56
+ # proxy will accept connections for the IP address specified
57
+ # above. The port is mandatory for TCP listeners. Note that in
58
+ # the case of an IPv6 address, the port is always the number
59
+ # after the last colon (':'). A range can either be :
60
+ # - a numerical port (ex: '80')
61
+ # - a dash-delimited ports range explicitly stating the lower
62
+ # and upper bounds (ex: '2000-2100') which are included in
63
+ # the range.
64
+ #
65
+ # Particular care must be taken against port ranges, because
66
+ # every <address:port> couple consumes one socket (= a file
67
+ # descriptor), so it's easy to consume lots of descriptors
68
+ # with a simple range, and to run out of sockets. Also, each
69
+ # <address:port> couple must be used only once among all
70
+ # instances running on a same system. Please note that binding
71
+ # to ports lower than 1024 generally require particular
72
+ # privileges to start the program, which are independant of
73
+ # the 'uid' parameter.
74
+ #
75
+ # <path> is a UNIX socket path beginning with a slash ('/'). This is
76
+ # alternative to the TCP listening port. Haproxy will then
77
+ # receive UNIX connections on the socket located at this place.
78
+ # The path must begin with a slash and by default is absolute.
79
+ # It can be relative to the prefix defined by "unix-bind" in
80
+ # the global section. Note that the total length of the prefix
81
+ # followed by the socket path cannot exceed some system limits
82
+ # for UNIX sockets, which commonly are set to 107 characters.
83
+ #
84
+ # <interface> is an optional physical interface name. This is currently
85
+ # only supported on Linux. The interface must be a physical
86
+ # interface, not an aliased interface. When specified, all
87
+ # addresses on the same line will only be accepted if the
88
+ # incoming packet physically come through the designated
89
+ # interface. It is also possible to bind multiple frontends to
90
+ # the same address if they are bound to different interfaces.
91
+ # Note that binding to a physical interface requires root
92
+ # privileges. This parameter is only compatible with TCP
93
+ # sockets.
94
+ #
95
+ # <maxseg> is an optional TCP Maximum Segment Size (MSS) value to be
96
+ # advertised on incoming connections. This can be used to force
97
+ # a lower MSS for certain specific ports, for instance for
98
+ # connections passing through a VPN. Note that this relies on a
99
+ # kernel feature which is theorically supported under Linux but
100
+ # was buggy in all versions prior to 2.6.28. It may or may not
101
+ # work on other operating systems. The commonly advertised
102
+ # value on Ethernet networks is 1460 = 1500(MTU) - 40(IP+TCP).
103
+ # This parameter is only compatible with TCP sockets.
104
+ #
105
+ # <id> is a persistent value for socket ID. Must be positive and
106
+ # unique in the proxy. An unused value will automatically be
107
+ # assigned if unset. Can only be used when defining only a
108
+ # single socket.
109
+ #
110
+ # <name> is an optional name provided for stats
111
+ #
112
+ # <mode> is the octal mode used to define access permissions on the
113
+ # UNIX socket. It can also be set by default in the global
114
+ # section's "unix-bind" statement. Note that some platforms
115
+ # simply ignore this.
116
+ #
117
+ # <user> is the name of user that will be marked owner of the UNIX
118
+ # socket. It can also be set by default in the global
119
+ # section's "unix-bind" statement. Note that some platforms
120
+ # simply ignore this.
121
+ #
122
+ # <group> is the name of a group that will be used to create the UNIX
123
+ # socket. It can also be set by default in the global section's
124
+ # "unix-bind" statement. Note that some platforms simply ignore
125
+ # this.
126
+ #
127
+ # <uid> is the uid of user that will be marked owner of the UNIX
128
+ # socket. It can also be set by default in the global section's
129
+ # "unix-bind" statement. Note that some platforms simply ignore
130
+ # this.
131
+ #
132
+ # <gid> is the gid of a group that will be used to create the UNIX
133
+ # socket. It can also be set by default in the global section's
134
+ # "unix-bind" statement. Note that some platforms simply ignore
135
+ # this.
136
+ #
137
+ # transparent is an optional keyword which is supported only on certain
138
+ # Linux kernels. It indicates that the addresses will be bound
139
+ # even if they do not belong to the local machine. Any packet
140
+ # targeting any of these addresses will be caught just as if
141
+ # the address was locally configured. This normally requires
142
+ # that IP forwarding is enabled. Caution! do not use this with
143
+ # the default address '*', as it would redirect any traffic for
144
+ # the specified port. This keyword is available only when
145
+ # HAProxy is built with USE_LINUX_TPROXY=1. This parameter is
146
+ # only compatible with TCP sockets.
147
+ #
148
+ # defer-accept is an optional keyword which is supported only on certain
149
+ # Linux kernels. It states that a connection will only be
150
+ # accepted once some data arrive on it, or at worst after the
151
+ # first retransmit. This should be used only on protocols for
152
+ # which the client talks first (eg: HTTP). It can slightly
153
+ # improve performance by ensuring that most of the request is
154
+ # already available when the connection is accepted. On the
155
+ # other hand, it will not be able to detect connections which
156
+ # don't talk. It is important to note that this option is
157
+ # broken in all kernels up to 2.6.31, as the connection is
158
+ # never accepted until the client talks. This can cause issues
159
+ # with front firewalls which would see an established
160
+ # connection while the proxy will only see it in SYN_RECV.
161
+ #
162
+ # accept-proxy is an optional keyword which enforces use of the PROXY
163
+ # protocol over any connection accepted by this listener. The
164
+ # PROXY protocol dictates the layer 3/4 addresses of the
165
+ # incoming connection to be used everywhere an address is used,
166
+ # with the only exception of "tcp-request connection" rules
167
+ # which will only see the real connection address. Logs will
168
+ # reflect the addresses indicated in the protocol, unless it is
169
+ # violated, in which case the real address will still be used.
170
+ # This keyword combined with support from external components
171
+ # can be used as an efficient and reliable alternative to the
172
+ # X-Forwarded-For mechanism which is not always reliable and
173
+ # not even always usable.
174
+ #
175
+ # It is possible to specify a list of address:port combinations delimited by
176
+ # commas. The frontend will then listen on all of these addresses. There is no
177
+ # fixed limit to the number of addresses and ports which can be listened on in
178
+ # a frontend, as well as there is no limit to the number of "bind" statements
179
+ # in a frontend.
180
+ #
181
+ # Example :
182
+ # listen http_proxy
183
+ # bind :80,:443
184
+ # bind 10.0.0.1:10080,10.0.0.1:10443
185
+ # bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
186
+ #
187
+ # See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
188
+ # documentation.
189
+ #
190
+ attr_accessor :bind
191
+
192
+ #
193
+ # block { if | unless } <condition>
194
+ # Block a layer 7 request if/unless a condition is matched
195
+ # May be used in sections : defaults | frontend | listen | backend
196
+ # no | yes | yes | yes
197
+ #
198
+ # The HTTP request will be blocked very early in the layer 7 processing
199
+ # if/unless <condition> is matched. A 403 error will be returned if the request
200
+ # is blocked. The condition has to reference ACLs (see section 7). This is
201
+ # typically used to deny access to certain sensible resources if some
202
+ # conditions are met or not met. There is no fixed limit to the number of
203
+ # "block" statements per instance.
204
+ #
205
+ # Example:
206
+ # acl invalid_src src 0.0.0.0/7 224.0.0.0/3
207
+ # acl invalid_src src_port 0:1023
208
+ # acl local_dst hdr(host) -i localhost
209
+ # block if invalid_src || local_dst
210
+ #
211
+ # See section 7 about ACL usage.
212
+ #
213
+ attr_accessor :block
214
+
215
+ #
216
+ # capture cookie <name> len <length>
217
+ # Capture and log a cookie in the request and in the response.
218
+ # May be used in sections : defaults | frontend | listen | backend
219
+ # no | yes | yes | no
220
+ # Arguments :
221
+ # <name> is the beginning of the name of the cookie to capture. In order
222
+ # to match the exact name, simply suffix the name with an equal
223
+ # sign ('='). The full name will appear in the logs, which is
224
+ # useful with application servers which adjust both the cookie name
225
+ # and value (eg: ASPSESSIONXXXXX).
226
+ #
227
+ # <length> is the maximum number of characters to report in the logs, which
228
+ # include the cookie name, the equal sign and the value, all in the
229
+ # standard "name=value" form. The string will be truncated on the
230
+ # right if it exceeds <length>.
231
+ #
232
+ # Only the first cookie is captured. Both the "cookie" request headers and the
233
+ # "set-cookie" response headers are monitored. This is particularly useful to
234
+ # check for application bugs causing session crossing or stealing between
235
+ # users, because generally the user's cookies can only change on a login page.
236
+ #
237
+ # When the cookie was not presented by the client, the associated log column
238
+ # will report "-". When a request does not cause a cookie to be assigned by the
239
+ # server, a "-" is reported in the response column.
240
+ #
241
+ # The capture is performed in the frontend only because it is necessary that
242
+ # the log format does not change for a given frontend depending on the
243
+ # backends. This may change in the future. Note that there can be only one
244
+ # "capture cookie" statement in a frontend. The maximum capture length is
245
+ # configured in the sources by default to 64 characters. It is not possible to
246
+ # specify a capture in a "defaults" section.
247
+ #
248
+ # Example:
249
+ # capture cookie ASPSESSION len 32
250
+ #
251
+ # See also : "capture request header", "capture response header" as well as
252
+ # section 8 about logging.
253
+ #
254
+ attr_accessor :capture_cookie
255
+
256
+ #
257
+ # capture request header <name> len <length>
258
+ # Capture and log the first occurrence of the specified request header.
259
+ # May be used in sections : defaults | frontend | listen | backend
260
+ # no | yes | yes | no
261
+ # Arguments :
262
+ # <name> is the name of the header to capture. The header names are not
263
+ # case-sensitive, but it is a common practice to write them as they
264
+ # appear in the requests, with the first letter of each word in
265
+ # upper case. The header name will not appear in the logs, only the
266
+ # value is reported, but the position in the logs is respected.
267
+ #
268
+ # <length> is the maximum number of characters to extract from the value and
269
+ # report in the logs. The string will be truncated on the right if
270
+ # it exceeds <length>.
271
+ #
272
+ # Only the first value of the last occurrence of the header is captured. The
273
+ # value will be added to the logs between braces ('{}'). If multiple headers
274
+ # are captured, they will be delimited by a vertical bar ('|') and will appear
275
+ # in the same order they were declared in the configuration. Non-existent
276
+ # headers will be logged just as an empty string. Common uses for request
277
+ # header captures include the "Host" field in virtual hosting environments, the
278
+ # "Content-length" when uploads are supported, "User-agent" to quickly
279
+ # differentiate between real users and robots, and "X-Forwarded-For" in proxied
280
+ # environments to find where the request came from.
281
+ #
282
+ # Note that when capturing headers such as "User-agent", some spaces may be
283
+ # logged, making the log analysis more difficult. Thus be careful about what
284
+ # you log if you know your log parser is not smart enough to rely on the
285
+ # braces.
286
+ #
287
+ # There is no limit to the number of captured request headers, but each capture
288
+ # is limited to 64 characters. In order to keep log format consistent for a
289
+ # same frontend, header captures can only be declared in a frontend. It is not
290
+ # possible to specify a capture in a "defaults" section.
291
+ #
292
+ # Example:
293
+ # capture request header Host len 15
294
+ # capture request header X-Forwarded-For len 15
295
+ # capture request header Referrer len 15
296
+ #
297
+ # See also : "capture cookie", "capture response header" as well as section 8
298
+ # about logging.
299
+ #
300
+ attr_accessor :capture_request_header
301
+
302
+ #
303
+ # capture response header <name> len <length>
304
+ # Capture and log the first occurrence of the specified response header.
305
+ # May be used in sections : defaults | frontend | listen | backend
306
+ # no | yes | yes | no
307
+ # Arguments :
308
+ # <name> is the name of the header to capture. The header names are not
309
+ # case-sensitive, but it is a common practice to write them as they
310
+ # appear in the response, with the first letter of each word in
311
+ # upper case. The header name will not appear in the logs, only the
312
+ # value is reported, but the position in the logs is respected.
313
+ #
314
+ # <length> is the maximum number of characters to extract from the value and
315
+ # report in the logs. The string will be truncated on the right if
316
+ # it exceeds <length>.
317
+ #
318
+ # Only the first value of the last occurrence of the header is captured. The
319
+ # result will be added to the logs between braces ('{}') after the captured
320
+ # request headers. If multiple headers are captured, they will be delimited by
321
+ # a vertical bar ('|') and will appear in the same order they were declared in
322
+ # the configuration. Non-existent headers will be logged just as an empty
323
+ # string. Common uses for response header captures include the "Content-length"
324
+ # header which indicates how many bytes are expected to be returned, the
325
+ # "Location" header to track redirections.
326
+ #
327
+ # There is no limit to the number of captured response headers, but each
328
+ # capture is limited to 64 characters. In order to keep log format consistent
329
+ # for a same frontend, header captures can only be declared in a frontend. It
330
+ # is not possible to specify a capture in a "defaults" section.
331
+ #
332
+ # Example:
333
+ # capture response header Content-length len 9
334
+ # capture response header Location len 15
335
+ #
336
+ # See also : "capture cookie", "capture request header" as well as section 8
337
+ # about logging.
338
+ #
339
+ attr_accessor :capture_response_header
340
+
341
+ #
342
+ # force-persist { if | unless } <condition>
343
+ # Declare a condition to force persistence on down servers
344
+ # May be used in sections: defaults | frontend | listen | backend
345
+ # no | yes | yes | yes
346
+ #
347
+ # By default, requests are not dispatched to down servers. It is possible to
348
+ # force this using "option persist", but it is unconditional and redispatches
349
+ # to a valid server if "option redispatch" is set. That leaves with very little
350
+ # possibilities to force some requests to reach a server which is artificially
351
+ # marked down for maintenance operations.
352
+ #
353
+ # The "force-persist" statement allows one to declare various ACL-based
354
+ # conditions which, when met, will cause a request to ignore the down status of
355
+ # a server and still try to connect to it. That makes it possible to start a
356
+ # server, still replying an error to the health checks, and run a specially
357
+ # configured browser to test the service. Among the handy methods, one could
358
+ # use a specific source IP address, or a specific cookie. The cookie also has
359
+ # the advantage that it can easily be added/removed on the browser from a test
360
+ # page. Once the service is validated, it is then possible to open the service
361
+ # to the world by returning a valid response to health checks.
362
+ #
363
+ # The forced persistence is enabled when an "if" condition is met, or unless an
364
+ # "unless" condition is met. The final redispatch is always disabled when this
365
+ # is used.
366
+ #
367
+ # See also : "option redispatch", "ignore-persist", "persist",
368
+ # and section 7 about ACL usage.
369
+ #
370
+ attr_accessor :force_persist
371
+
372
+ #
373
+ # http-request { allow | deny | auth [realm <realm>] }
374
+ # [ { if | unless } <condition> ]
375
+ # Access control for Layer 7 requests
376
+ #
377
+ # May be used in sections: defaults | frontend | listen | backend
378
+ # no | yes | yes | yes
379
+ #
380
+ # These set of options allow to fine control access to a
381
+ # frontend/listen/backend. Each option may be followed by if/unless and acl.
382
+ # First option with matched condition (or option without condition) is final.
383
+ # For "deny" a 403 error will be returned, for "allow" normal processing is
384
+ # performed, for "auth" a 401/407 error code is returned so the client
385
+ # should be asked to enter a username and password.
386
+ #
387
+ # There is no fixed limit to the number of http-request statements per
388
+ # instance.
389
+ #
390
+ # Example:
391
+ # acl nagios src 192.168.129.3
392
+ # acl local_net src 192.168.0.0/16
393
+ # acl auth_ok http_auth(L1)
394
+ #
395
+ # http-request allow if nagios
396
+ # http-request allow if local_net auth_ok
397
+ # http-request auth realm Gimme if local_net auth_ok
398
+ # http-request deny
399
+ #
400
+ # Example:
401
+ # acl auth_ok http_auth_group(L1) G1
402
+ #
403
+ # http-request auth unless auth_ok
404
+ #
405
+ # See also : "stats http-request", section 3.4 about userlists and section 7
406
+ # about ACL usage.
407
+ #
408
+ attr_accessor :http_request
409
+
410
+ # id <value>
411
+ # Set a persistent ID to a proxy.
412
+ # May be used in sections : defaults | frontend | listen | backend
413
+ # no | yes | yes | yes
414
+ # Arguments : none
415
+ #
416
+ # Set a persistent ID for the proxy. This ID must be unique and positive.
417
+ # An unused ID will automatically be assigned if unset. The first assigned
418
+ # value will be 1. This ID is currently only returned in statistics.
419
+ #
420
+ attr_accessor :persistent_id
421
+
422
+ #
423
+ # ignore-persist { if | unless } <condition>
424
+ # Declare a condition to ignore persistence
425
+ # May be used in sections: defaults | frontend | listen | backend
426
+ # no | yes | yes | yes
427
+ #
428
+ # By default, when cookie persistence is enabled, every requests containing
429
+ # the cookie are unconditionally persistent (assuming the target server is up
430
+ # and running).
431
+ #
432
+ # The "ignore-persist" statement allows one to declare various ACL-based
433
+ # conditions which, when met, will cause a request to ignore persistence.
434
+ # This is sometimes useful to load balance requests for static files, which
435
+ # oftenly don't require persistence. This can also be used to fully disable
436
+ # persistence for a specific User-Agent (for example, some web crawler bots).
437
+ #
438
+ # Combined with "appsession", it can also help reduce HAProxy memory usage, as
439
+ # the appsession table won't grow if persistence is ignored.
440
+ #
441
+ # The persistence is ignored when an "if" condition is met, or unless an
442
+ # "unless" condition is met.
443
+ #
444
+ # See also : "force-persist", "cookie", and section 7 about ACL usage.
445
+ #
446
+ attr_accessor :ignore_persist
447
+
448
+ #
449
+ # monitor fail { if | unless } <condition>
450
+ # Add a condition to report a failure to a monitor HTTP request.
451
+ # May be used in sections : defaults | frontend | listen | backend
452
+ # no | yes | yes | no
453
+ # Arguments :
454
+ # if <cond> the monitor request will fail if the condition is satisfied,
455
+ # and will succeed otherwise. The condition should describe a
456
+ # combined test which must induce a failure if all conditions
457
+ # are met, for instance a low number of servers both in a
458
+ # backend and its backup.
459
+ #
460
+ # unless <cond> the monitor request will succeed only if the condition is
461
+ # satisfied, and will fail otherwise. Such a condition may be
462
+ # based on a test on the presence of a minimum number of active
463
+ # servers in a list of backends.
464
+ #
465
+ # This statement adds a condition which can force the response to a monitor
466
+ # request to report a failure. By default, when an external component queries
467
+ # the URI dedicated to monitoring, a 200 response is returned. When one of the
468
+ # conditions above is met, haproxy will return 503 instead of 200. This is
469
+ # very useful to report a site failure to an external component which may base
470
+ # routing advertisements between multiple sites on the availability reported by
471
+ # haproxy. In this case, one would rely on an ACL involving the "nbsrv"
472
+ # criterion. Note that "monitor fail" only works in HTTP mode.
473
+ #
474
+ # Example:
475
+ # frontend www
476
+ # mode http
477
+ # acl site_dead nbsrv(dynamic) lt 2
478
+ # acl site_dead nbsrv(static) lt 2
479
+ # monitor-uri /site_alive
480
+ # monitor fail if site_dead
481
+ #
482
+ # See also : "monitor-net", "monitor-uri"
483
+ #
484
+ attr_accessor :monitor_fail
485
+
486
+ #
487
+ # option ignore-persist { if | unless } <condition>
488
+ # Declare a condition to ignore persistence
489
+ # May be used in sections: defaults | frontend | listen | backend
490
+ # no | yes | yes | yes
491
+ #
492
+ # By default, when cookie persistence is enabled, every requests containing
493
+ # the cookie are unconditionally persistent (assuming the target server is up
494
+ # and running).
495
+ #
496
+ # The "ignore-persist" statement allows one to declare various ACL-based
497
+ # conditions which, when met, will cause a request to ignore persistence.
498
+ # This is sometimes useful to load balance requests for static files, which
499
+ # oftenly don't require persistence. This can also be used to fully disable
500
+ # persistence for a specific User-Agent (for example, some web crawler bots).
501
+ #
502
+ # Combined with "appsession", it can also help reduce HAProxy memory usage, as
503
+ # the appsession table won't grow if persistence is ignored.
504
+ #
505
+ # The persistence is ignored when an "if" condition is met, or unless an
506
+ # "unless" condition is met.
507
+ #
508
+ # See also : "option force-persist", "cookie", and section 7 about ACL usage.
509
+ #
510
+ attr_accessor :option_ignore_presist
511
+
512
+ #
513
+ # redirect location <to> [code <code>] <option> [(if | unless) <condition>]
514
+ # redirect prefix <to> [code <code>] <option> [(if | unless) <condition>]
515
+ # Return an HTTP redirection if/unless a condition is matched
516
+ # May be used in sections : defaults | frontend | listen | backend
517
+ # no | yes | yes | yes
518
+ #
519
+ # If/unless the condition is matched, the HTTP request will lead to a redirect
520
+ # response. If no condition is specified, the redirect applies unconditionally.
521
+ #
522
+ # Arguments :
523
+ # <to> With "redirect location", the exact value in <to> is placed into
524
+ # the HTTP "Location" header. In case of "redirect prefix", the
525
+ # "Location" header is built from the concatenation of <to> and the
526
+ # complete URI, including the query string, unless the "drop-query"
527
+ # option is specified (see below). As a special case, if <to>
528
+ # equals exactly "/" in prefix mode, then nothing is inserted
529
+ # before the original URI. It allows one to redirect to the same
530
+ # URL.
531
+ #
532
+ # <code> The code is optional. It indicates which type of HTTP redirection
533
+ # is desired. Only codes 301, 302 and 303 are supported, and 302 is
534
+ # used if no code is specified. 301 means "Moved permanently", and
535
+ # a browser may cache the Location. 302 means "Moved permanently"
536
+ # and means that the browser should not cache the redirection. 303
537
+ # is equivalent to 302 except that the browser will fetch the
538
+ # location with a GET method.
539
+ #
540
+ # <option> There are several options which can be specified to adjust the
541
+ # expected behaviour of a redirection :
542
+ #
543
+ # - "drop-query"
544
+ # When this keyword is used in a prefix-based redirection, then the
545
+ # location will be set without any possible query-string, which is useful
546
+ # for directing users to a non-secure page for instance. It has no effect
547
+ # with a location-type redirect.
548
+ #
549
+ # - "append-slash"
550
+ # This keyword may be used in conjunction with "drop-query" to redirect
551
+ # users who use a URL not ending with a '/' to the same one with the '/'.
552
+ # It can be useful to ensure that search engines will only see one URL.
553
+ # For this, a return code 301 is preferred.
554
+ #
555
+ # - "set-cookie NAME[=value]"
556
+ # A "Set-Cookie" header will be added with NAME (and optionally "=value")
557
+ # to the response. This is sometimes used to indicate that a user has
558
+ # been seen, for instance to protect against some types of DoS. No other
559
+ # cookie option is added, so the cookie will be a session cookie. Note
560
+ # that for a browser, a sole cookie name without an equal sign is
561
+ # different from a cookie with an equal sign.
562
+ #
563
+ # - "clear-cookie NAME[=]"
564
+ # A "Set-Cookie" header will be added with NAME (and optionally "="), but
565
+ # with the "Max-Age" attribute set to zero. This will tell the browser to
566
+ # delete this cookie. It is useful for instance on logout pages. It is
567
+ # important to note that clearing the cookie "NAME" will not remove a
568
+ # cookie set with "NAME=value". You have to clear the cookie "NAME=" for
569
+ # that, because the browser makes the difference.
570
+ #
571
+ # Example: move the login URL only to HTTPS.
572
+ # acl clear dst_port 80
573
+ # acl secure dst_port 8080
574
+ # acl login_page url_beg /login
575
+ # acl logout url_beg /logout
576
+ # acl uid_given url_reg /login?userid=[^&]+
577
+ # acl cookie_set hdr_sub(cookie) SEEN=1
578
+ #
579
+ # redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
580
+ # redirect prefix https://mysite.com if login_page !secure
581
+ # redirect prefix http://mysite.com drop-query if login_page !uid_given
582
+ # redirect location http://mysite.com/ if !login_page secure
583
+ # redirect location / clear-cookie USERID= if logout
584
+ #
585
+ # Example: send redirects for request for articles without a '/'.
586
+ # acl missing_slash path_reg ^/article/[^/]*$
587
+ # redirect code 301 prefix / drop-query append-slash if missing_slash
588
+ #
589
+ # See section 7 about ACL usage.
590
+ #
591
+ attr_accessor :redirect
592
+
593
+ #
594
+ # reqadd <string> [(if | unless) <cond>]
595
+ # Add a header at the end of the HTTP request
596
+ # May be used in sections : defaults | frontend | listen | backend
597
+ # no | yes | yes | yes
598
+ # Arguments :
599
+ # <string> is the complete line to be added. Any space or known delimiter
600
+ # must be escaped using a backslash ('\'). Please refer to section
601
+ # 6 about HTTP header manipulation for more information.
602
+ #
603
+ # <cond> is an optional matching condition built from ACLs. It makes it
604
+ # possible to ignore this rule when other conditions are not met.
605
+ #
606
+ # A new line consisting in <string> followed by a line feed will be added after
607
+ # the last header of an HTTP request.
608
+ #
609
+ # Header transformations only apply to traffic which passes through HAProxy,
610
+ # and not to traffic generated by HAProxy, such as health-checks or error
611
+ # responses.
612
+ #
613
+ # Example : add "X-Proto: SSL" to requests coming via port 81
614
+ # acl is-ssl dst_port 81
615
+ # reqadd X-Proto:\ SSL if is-ssl
616
+ #
617
+ # See also: "rspadd", section 6 about HTTP header manipulation, and section 7
618
+ # about ACLs.
619
+ #
620
+ attr_accessor :reqadd
621
+
622
+ #
623
+ # reqallow <search> [(if | unless) <cond>]
624
+ # reqiallow <search> [(if | unless) <cond>] (ignore case)
625
+ # Definitely allow an HTTP request if a line matches a regular expression
626
+ # May be used in sections : defaults | frontend | listen | backend
627
+ # no | yes | yes | yes
628
+ # Arguments :
629
+ # <search> is the regular expression applied to HTTP headers and to the
630
+ # request line. This is an extended regular expression. Parenthesis
631
+ # grouping is supported and no preliminary backslash is required.
632
+ # Any space or known delimiter must be escaped using a backslash
633
+ # ('\'). The pattern applies to a full line at a time. The
634
+ # "reqallow" keyword strictly matches case while "reqiallow"
635
+ # ignores case.
636
+ #
637
+ # <cond> is an optional matching condition built from ACLs. It makes it
638
+ # possible to ignore this rule when other conditions are not met.
639
+ #
640
+ # A request containing any line which matches extended regular expression
641
+ # <search> will mark the request as allowed, even if any later test would
642
+ # result in a deny. The test applies both to the request line and to request
643
+ # headers. Keep in mind that URLs in request line are case-sensitive while
644
+ # header names are not.
645
+ #
646
+ # It is easier, faster and more powerful to use ACLs to write access policies.
647
+ # Reqdeny, reqallow and reqpass should be avoided in new designs.
648
+ #
649
+ # Example :
650
+ # # allow www.* but refuse *.local
651
+ # reqiallow ^Host:\ www\.
652
+ # reqideny ^Host:\ .*\.local
653
+ #
654
+ # See also: "reqdeny", "block", section 6 about HTTP header manipulation, and
655
+ # section 7 about ACLs.
656
+ #
657
+ attr_accessor :reqallow
658
+ attr_accessor :reqiallow
659
+
660
+ #
661
+ # reqdel <search> [(if | unless) <cond>]
662
+ # reqidel <search> [(if | unless) <cond>] (ignore case)
663
+ # Delete all headers matching a regular expression in an HTTP request
664
+ # May be used in sections : defaults | frontend | listen | backend
665
+ # no | yes | yes | yes
666
+ # Arguments :
667
+ # <search> is the regular expression applied to HTTP headers and to the
668
+ # request line. This is an extended regular expression. Parenthesis
669
+ # grouping is supported and no preliminary backslash is required.
670
+ # Any space or known delimiter must be escaped using a backslash
671
+ # ('\'). The pattern applies to a full line at a time. The "reqdel"
672
+ # keyword strictly matches case while "reqidel" ignores case.
673
+ #
674
+ # <cond> is an optional matching condition built from ACLs. It makes it
675
+ # possible to ignore this rule when other conditions are not met.
676
+ #
677
+ # Any header line matching extended regular expression <search> in the request
678
+ # will be completely deleted. Most common use of this is to remove unwanted
679
+ # and/or dangerous headers or cookies from a request before passing it to the
680
+ # next servers.
681
+ #
682
+ # Header transformations only apply to traffic which passes through HAProxy,
683
+ # and not to traffic generated by HAProxy, such as health-checks or error
684
+ # responses. Keep in mind that header names are not case-sensitive.
685
+ #
686
+ # Example :
687
+ # # remove X-Forwarded-For header and SERVER cookie
688
+ # reqidel ^X-Forwarded-For:.*
689
+ # reqidel ^Cookie:.*SERVER=
690
+ #
691
+ # See also: "reqadd", "reqrep", "rspdel", section 6 about HTTP header
692
+ # manipulation, and section 7 about ACLs.
693
+ #
694
+ attr_accessor :reqdel
695
+ attr_accessor :reqidel
696
+
697
+ #
698
+ # reqdeny <search> [(if | unless) <cond>]
699
+ # reqideny <search> [(if | unless) <cond>] (ignore case)
700
+ # Deny an HTTP request if a line matches a regular expression
701
+ # May be used in sections : defaults | frontend | listen | backend
702
+ # no | yes | yes | yes
703
+ # Arguments :
704
+ # <search> is the regular expression applied to HTTP headers and to the
705
+ # request line. This is an extended regular expression. Parenthesis
706
+ # grouping is supported and no preliminary backslash is required.
707
+ # Any space or known delimiter must be escaped using a backslash
708
+ # ('\'). The pattern applies to a full line at a time. The
709
+ # "reqdeny" keyword strictly matches case while "reqideny" ignores
710
+ # case.
711
+ #
712
+ # <cond> is an optional matching condition built from ACLs. It makes it
713
+ # possible to ignore this rule when other conditions are not met.
714
+ #
715
+ # A request containing any line which matches extended regular expression
716
+ # <search> will mark the request as denied, even if any later test would
717
+ # result in an allow. The test applies both to the request line and to request
718
+ # headers. Keep in mind that URLs in request line are case-sensitive while
719
+ # header names are not.
720
+ #
721
+ # A denied request will generate an "HTTP 403 forbidden" response once the
722
+ # complete request has been parsed. This is consistent with what is practiced
723
+ # using ACLs.
724
+ #
725
+ # It is easier, faster and more powerful to use ACLs to write access policies.
726
+ # Reqdeny, reqallow and reqpass should be avoided in new designs.
727
+ #
728
+ # Example :
729
+ # # refuse *.local, then allow www.*
730
+ # reqideny ^Host:\ .*\.local
731
+ # reqiallow ^Host:\ www\.
732
+ #
733
+ # See also: "reqallow", "rspdeny", "block", section 6 about HTTP header
734
+ # manipulation, and section 7 about ACLs.
735
+ #
736
+ attr_accessor :reqdeny
737
+ attr_accessor :reqideny
738
+
739
+ #
740
+ # reqpass <search> [(if | unless) <cond>]
741
+ # reqipass <search> [(if | unless) <cond>] (ignore case)
742
+ # Ignore any HTTP request line matching a regular expression in next rules
743
+ # May be used in sections : defaults | frontend | listen | backend
744
+ # no | yes | yes | yes
745
+ # Arguments :
746
+ # <search> is the regular expression applied to HTTP headers and to the
747
+ # request line. This is an extended regular expression. Parenthesis
748
+ # grouping is supported and no preliminary backslash is required.
749
+ # Any space or known delimiter must be escaped using a backslash
750
+ # ('\'). The pattern applies to a full line at a time. The
751
+ # "reqpass" keyword strictly matches case while "reqipass" ignores
752
+ # case.
753
+ #
754
+ # <cond> is an optional matching condition built from ACLs. It makes it
755
+ # possible to ignore this rule when other conditions are not met.
756
+ #
757
+ # A request containing any line which matches extended regular expression
758
+ # <search> will skip next rules, without assigning any deny or allow verdict.
759
+ # The test applies both to the request line and to request headers. Keep in
760
+ # mind that URLs in request line are case-sensitive while header names are not.
761
+ #
762
+ # It is easier, faster and more powerful to use ACLs to write access policies.
763
+ # Reqdeny, reqallow and reqpass should be avoided in new designs.
764
+ #
765
+ # Example :
766
+ # # refuse *.local, then allow www.*, but ignore "www.private.local"
767
+ # reqipass ^Host:\ www.private\.local
768
+ # reqideny ^Host:\ .*\.local
769
+ # reqiallow ^Host:\ www\.
770
+ #
771
+ # See also: "reqallow", "reqdeny", "block", section 6 about HTTP header
772
+ # manipulation, and section 7 about ACLs.
773
+ #
774
+ attr_accessor :reqpass
775
+ attr_accessor :reqipass
776
+
777
+ #
778
+ # reqrep <search> <string> [(if | unless) <cond>]
779
+ # reqirep <search> <string> [(if | unless) <cond>] (ignore case)
780
+ # Replace a regular expression with a string in an HTTP request line
781
+ # May be used in sections : defaults | frontend | listen | backend
782
+ # no | yes | yes | yes
783
+ # Arguments :
784
+ # <search> is the regular expression applied to HTTP headers and to the
785
+ # request line. This is an extended regular expression. Parenthesis
786
+ # grouping is supported and no preliminary backslash is required.
787
+ # Any space or known delimiter must be escaped using a backslash
788
+ # ('\'). The pattern applies to a full line at a time. The "reqrep"
789
+ # keyword strictly matches case while "reqirep" ignores case.
790
+ #
791
+ # <string> is the complete line to be added. Any space or known delimiter
792
+ # must be escaped using a backslash ('\'). References to matched
793
+ # pattern groups are possible using the common \N form, with N
794
+ # being a single digit between 0 and 9. Please refer to section
795
+ # 6 about HTTP header manipulation for more information.
796
+ #
797
+ # <cond> is an optional matching condition built from ACLs. It makes it
798
+ # possible to ignore this rule when other conditions are not met.
799
+ #
800
+ # Any line matching extended regular expression <search> in the request (both
801
+ # the request line and header lines) will be completely replaced with <string>.
802
+ # Most common use of this is to rewrite URLs or domain names in "Host" headers.
803
+ #
804
+ # Header transformations only apply to traffic which passes through HAProxy,
805
+ # and not to traffic generated by HAProxy, such as health-checks or error
806
+ # responses. Note that for increased readability, it is suggested to add enough
807
+ # spaces between the request and the response. Keep in mind that URLs in
808
+ # request line are case-sensitive while header names are not.
809
+ #
810
+ # Example :
811
+ # # replace "/static/" with "/" at the beginning of any request path.
812
+ # reqrep ^([^\ ]*)\ /static/(.*) \1\ /\2
813
+ # # replace "www.mydomain.com" with "www" in the host name.
814
+ # reqirep ^Host:\ www.mydomain.com Host:\ www
815
+ #
816
+ # See also: "reqadd", "reqdel", "rsprep", section 6 about HTTP header
817
+ # manipulation, and section 7 about ACLs.
818
+ #
819
+ attr_accessor :reqrep
820
+ attr_accessor :reqirep
821
+
822
+ #
823
+ # reqtarpit <search> [(if | unless) <cond>]
824
+ # reqitarpit <search> [(if | unless) <cond>] (ignore case)
825
+ # Tarpit an HTTP request containing a line matching a regular expression
826
+ # May be used in sections : defaults | frontend | listen | backend
827
+ # no | yes | yes | yes
828
+ # Arguments :
829
+ # <search> is the regular expression applied to HTTP headers and to the
830
+ # request line. This is an extended regular expression. Parenthesis
831
+ # grouping is supported and no preliminary backslash is required.
832
+ # Any space or known delimiter must be escaped using a backslash
833
+ # ('\'). The pattern applies to a full line at a time. The
834
+ # "reqtarpit" keyword strictly matches case while "reqitarpit"
835
+ # ignores case.
836
+ #
837
+ # <cond> is an optional matching condition built from ACLs. It makes it
838
+ # possible to ignore this rule when other conditions are not met.
839
+ #
840
+ # A request containing any line which matches extended regular expression
841
+ # <search> will be tarpitted, which means that it will connect to nowhere, will
842
+ # be kept open for a pre-defined time, then will return an HTTP error 500 so
843
+ # that the attacker does not suspect it has been tarpitted. The status 500 will
844
+ # be reported in the logs, but the completion flags will indicate "PT". The
845
+ # delay is defined by "timeout tarpit", or "timeout connect" if the former is
846
+ # not set.
847
+ #
848
+ # The goal of the tarpit is to slow down robots attacking servers with
849
+ # identifiable requests. Many robots limit their outgoing number of connections
850
+ # and stay connected waiting for a reply which can take several minutes to
851
+ # come. Depending on the environment and attack, it may be particularly
852
+ # efficient at reducing the load on the network and firewalls.
853
+ #
854
+ # Examples :
855
+ # # ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
856
+ # # block all others.
857
+ # reqipass ^User-Agent:\.*(Mozilla|MSIE)
858
+ # reqitarpit ^User-Agent:
859
+ #
860
+ # # block bad guys
861
+ # acl badguys src 10.1.0.3 172.16.13.20/28
862
+ # reqitarpit . if badguys
863
+ #
864
+ # See also: "reqallow", "reqdeny", "reqpass", section 6 about HTTP header
865
+ # manipulation, and section 7 about ACLs.
866
+ #
867
+ attr_accessor :reqtarpit
868
+ attr_accessor :reqitarpit
869
+
870
+ #
871
+ # rspadd <string> [(if | unless) <cond>]
872
+ # Add a header at the end of the HTTP response
873
+ # May be used in sections : defaults | frontend | listen | backend
874
+ # no | yes | yes | yes
875
+ # Arguments :
876
+ # <string> is the complete line to be added. Any space or known delimiter
877
+ # must be escaped using a backslash ('\'). Please refer to section
878
+ # 6 about HTTP header manipulation for more information.
879
+ #
880
+ # <cond> is an optional matching condition built from ACLs. It makes it
881
+ # possible to ignore this rule when other conditions are not met.
882
+ #
883
+ # A new line consisting in <string> followed by a line feed will be added after
884
+ # the last header of an HTTP response.
885
+ #
886
+ # Header transformations only apply to traffic which passes through HAProxy,
887
+ # and not to traffic generated by HAProxy, such as health-checks or error
888
+ # responses.
889
+ #
890
+ # See also: "reqadd", section 6 about HTTP header manipulation, and section 7
891
+ # about ACLs.
892
+ #
893
+ attr_accessor :rspadd
894
+
895
+ #
896
+ # rspdel <search> [(if | unless) <cond>]
897
+ # rspidel <search> [(if | unless) <cond>] (ignore case)
898
+ # Delete all headers matching a regular expression in an HTTP response
899
+ # May be used in sections : defaults | frontend | listen | backend
900
+ # no | yes | yes | yes
901
+ # Arguments :
902
+ # <search> is the regular expression applied to HTTP headers and to the
903
+ # response line. This is an extended regular expression, so
904
+ # parenthesis grouping is supported and no preliminary backslash
905
+ # is required. Any space or known delimiter must be escaped using
906
+ # a backslash ('\'). The pattern applies to a full line at a time.
907
+ # The "rspdel" keyword strictly matches case while "rspidel"
908
+ # ignores case.
909
+ #
910
+ # <cond> is an optional matching condition built from ACLs. It makes it
911
+ # possible to ignore this rule when other conditions are not met.
912
+ #
913
+ # Any header line matching extended regular expression <search> in the response
914
+ # will be completely deleted. Most common use of this is to remove unwanted
915
+ # and/or sensible headers or cookies from a response before passing it to the
916
+ # client.
917
+ #
918
+ # Header transformations only apply to traffic which passes through HAProxy,
919
+ # and not to traffic generated by HAProxy, such as health-checks or error
920
+ # responses. Keep in mind that header names are not case-sensitive.
921
+ #
922
+ # Example :
923
+ # # remove the Server header from responses
924
+ # reqidel ^Server:.*
925
+ #
926
+ # See also: "rspadd", "rsprep", "reqdel", section 6 about HTTP header
927
+ # manipulation, and section 7 about ACLs.
928
+ #
929
+ attr_accessor :rspdel
930
+ attr_accessor :rspidel
931
+
932
+ #
933
+ # rspdeny <search> [(if | unless) <cond>]
934
+ # rspideny <search> [(if | unless) <cond>] (ignore case)
935
+ # Block an HTTP response if a line matches a regular expression
936
+ # May be used in sections : defaults | frontend | listen | backend
937
+ # no | yes | yes | yes
938
+ # Arguments :
939
+ # <search> is the regular expression applied to HTTP headers and to the
940
+ # response line. This is an extended regular expression, so
941
+ # parenthesis grouping is supported and no preliminary backslash
942
+ # is required. Any space or known delimiter must be escaped using
943
+ # a backslash ('\'). The pattern applies to a full line at a time.
944
+ # The "rspdeny" keyword strictly matches case while "rspideny"
945
+ # ignores case.
946
+ #
947
+ # <cond> is an optional matching condition built from ACLs. It makes it
948
+ # possible to ignore this rule when other conditions are not met.
949
+ #
950
+ # A response containing any line which matches extended regular expression
951
+ # <search> will mark the request as denied. The test applies both to the
952
+ # response line and to response headers. Keep in mind that header names are not
953
+ # case-sensitive.
954
+ #
955
+ # Main use of this keyword is to prevent sensitive information leak and to
956
+ # block the response before it reaches the client. If a response is denied, it
957
+ # will be replaced with an HTTP 502 error so that the client never retrieves
958
+ # any sensitive data.
959
+ #
960
+ # It is easier, faster and more powerful to use ACLs to write access policies.
961
+ # Rspdeny should be avoided in new designs.
962
+ #
963
+ # Example :
964
+ # # Ensure that no content type matching ms-word will leak
965
+ # rspideny ^Content-type:\.*/ms-word
966
+ #
967
+ # See also: "reqdeny", "acl", "block", section 6 about HTTP header manipulation
968
+ # and section 7 about ACLs.
969
+ #
970
+ attr_accessor :rspdeny
971
+ attr_accessor :rspideny
972
+
973
+ #
974
+ # rsprep <search> <string> [(if | unless) <cond>]
975
+ # rspirep <search> <string> [(if | unless) <cond>] (ignore case)
976
+ # Replace a regular expression with a string in an HTTP response line
977
+ # May be used in sections : defaults | frontend | listen | backend
978
+ # no | yes | yes | yes
979
+ # Arguments :
980
+ # <search> is the regular expression applied to HTTP headers and to the
981
+ # response line. This is an extended regular expression, so
982
+ # parenthesis grouping is supported and no preliminary backslash
983
+ # is required. Any space or known delimiter must be escaped using
984
+ # a backslash ('\'). The pattern applies to a full line at a time.
985
+ # The "rsprep" keyword strictly matches case while "rspirep"
986
+ # ignores case.
987
+ #
988
+ # <string> is the complete line to be added. Any space or known delimiter
989
+ # must be escaped using a backslash ('\'). References to matched
990
+ # pattern groups are possible using the common \N form, with N
991
+ # being a single digit between 0 and 9. Please refer to section
992
+ # 6 about HTTP header manipulation for more information.
993
+ #
994
+ # <cond> is an optional matching condition built from ACLs. It makes it
995
+ # possible to ignore this rule when other conditions are not met.
996
+ #
997
+ # Any line matching extended regular expression <search> in the response (both
998
+ # the response line and header lines) will be completely replaced with
999
+ # <string>. Most common use of this is to rewrite Location headers.
1000
+ #
1001
+ # Header transformations only apply to traffic which passes through HAProxy,
1002
+ # and not to traffic generated by HAProxy, such as health-checks or error
1003
+ # responses. Note that for increased readability, it is suggested to add enough
1004
+ # spaces between the request and the response. Keep in mind that header names
1005
+ # are not case-sensitive.
1006
+ #
1007
+ # Example :
1008
+ # # replace "Location: 127.0.0.1:8080" with "Location: www.mydomain.com"
1009
+ # rspirep ^Location:\ 127.0.0.1:8080 Location:\ www.mydomain.com
1010
+ #
1011
+ # See also: "rspadd", "rspdel", "reqrep", section 6 about HTTP header
1012
+ # manipulation, and section 7 about ACLs.
1013
+ #
1014
+ attr_accessor :rsprep
1015
+ attr_accessor :rspirep
1016
+
1017
+ #
1018
+ # tcp-request connection <action> [(if | unless) <condition>]
1019
+ # Perform an action on an incoming connection depending on a layer 4 condition
1020
+ # May be used in sections : defaults | frontend | listen | backend
1021
+ # no | yes | yes | no
1022
+ # Arguments :
1023
+ # <action> defines the action to perform if the condition applies. Valid
1024
+ # actions include : "accept", "reject", "track-sc1", "track-sc2".
1025
+ # See below for more details.
1026
+ #
1027
+ # <condition> is a standard layer4-only ACL-based condition (see section 7).
1028
+ #
1029
+ # Immediately after acceptance of a new incoming connection, it is possible to
1030
+ # evaluate some conditions to decide whether this connection must be accepted
1031
+ # or dropped or have its counters tracked. Those conditions cannot make use of
1032
+ # any data contents because the connection has not been read from yet, and the
1033
+ # buffers are not yet allocated. This is used to selectively and very quickly
1034
+ # accept or drop connections from various sources with a very low overhead. If
1035
+ # some contents need to be inspected in order to take the decision, the
1036
+ # "tcp-request content" statements must be used instead.
1037
+ #
1038
+ # The "tcp-request connection" rules are evaluated in their exact declaration
1039
+ # order. If no rule matches or if there is no rule, the default action is to
1040
+ # accept the incoming connection. There is no specific limit to the number of
1041
+ # rules which may be inserted.
1042
+ #
1043
+ # Three types of actions are supported :
1044
+ # - accept :
1045
+ # accepts the connection if the condition is true (when used with "if")
1046
+ # or false (when used with "unless"). The first such rule executed ends
1047
+ # the rules evaluation.
1048
+ #
1049
+ # - reject :
1050
+ # rejects the connection if the condition is true (when used with "if")
1051
+ # or false (when used with "unless"). The first such rule executed ends
1052
+ # the rules evaluation. Rejected connections do not even become a
1053
+ # session, which is why they are accounted separately for in the stats,
1054
+ # as "denied connections". They are not considered for the session
1055
+ # rate-limit and are not logged either. The reason is that these rules
1056
+ # should only be used to filter extremely high connection rates such as
1057
+ # the ones encountered during a massive DDoS attack. Under these extreme
1058
+ # conditions, the simple action of logging each event would make the
1059
+ # system collapse and would considerably lower the filtering capacity. If
1060
+ # logging is absolutely desired, then "tcp-request content" rules should
1061
+ # be used instead.
1062
+ #
1063
+ # - { track-sc1 | track-sc2 } <key> [table <table>] :
1064
+ # enables tracking of sticky counters from current connection. These
1065
+ # rules do not stop evaluation and do not change default action. Two sets
1066
+ # of counters may be simultaneously tracked by the same connection. The
1067
+ # first "track-sc1" rule executed enables tracking of the counters of the
1068
+ # specified table as the first set. The first "track-sc2" rule executed
1069
+ # enables tracking of the counters of the specified table as the second
1070
+ # set. It is a recommended practice to use the first set of counters for
1071
+ # the per-frontend counters and the second set for the per-backend ones.
1072
+ #
1073
+ # These actions take one or two arguments :
1074
+ # <key> is mandatory, and defines the criterion the tracking key will
1075
+ # be derived from. At the moment, only "src" is supported. With
1076
+ # it, the key will be the connection's source IPv4 address.
1077
+ #
1078
+ # <table> is an optional table to be used instead of the default one,
1079
+ # which is the stick-table declared in the current proxy. All
1080
+ # the counters for the matches and updates for the key will
1081
+ # then be performed in that table until the session ends.
1082
+ #
1083
+ # Once a "track-sc*" rule is executed, the key is looked up in the table
1084
+ # and if it is not found, an entry is allocated for it. Then a pointer to
1085
+ # that entry is kept during all the session's life, and this entry's
1086
+ # counters are updated as often as possible, every time the session's
1087
+ # counters are updated, and also systematically when the session ends.
1088
+ # If the entry tracks concurrent connection counters, one connection is
1089
+ # counted for as long as the entry is tracked, and the entry will not
1090
+ # expire during that time. Tracking counters also provides a performance
1091
+ # advantage over just checking the keys, because only one table lookup is
1092
+ # performed for all ACL checks that make use of it.
1093
+ #
1094
+ # Note that the "if/unless" condition is optional. If no condition is set on
1095
+ # the action, it is simply performed unconditionally. That can be useful for
1096
+ # "track-sc*" actions as well as for changing the default action to a reject.
1097
+ #
1098
+ # Example: accept all connections from white-listed hosts, reject too fast
1099
+ # connection without counting them, and track accepted connections.
1100
+ # This results in connection rate being capped from abusive sources.
1101
+ #
1102
+ # tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
1103
+ # tcp-request connection reject if { src_conn_rate gt 10 }
1104
+ # tcp-request connection track-sc1 src
1105
+ #
1106
+ # Example: accept all connections from white-listed hosts, count all other
1107
+ # connections and reject too fast ones. This results in abusive ones
1108
+ # being blocked as long as they don't slow down.
1109
+ #
1110
+ # tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
1111
+ # tcp-request connection track-sc1 src
1112
+ # tcp-request connection reject if { sc1_conn_rate gt 10 }
1113
+ #
1114
+ # See section 7 about ACL usage.
1115
+ #
1116
+ # See also : "tcp-request content", "stick-table"
1117
+ #
1118
+ attr_accessor :tcp_request_connection
1119
+
1120
+ #
1121
+ # tcp-request content <action> [(if | unless) <condition>]
1122
+ # Perform an action on a new session depending on a layer 4-7 condition
1123
+ # May be used in sections : defaults | frontend | listen | backend
1124
+ # no | yes | yes | yes
1125
+ # Arguments :
1126
+ # <action> defines the action to perform if the condition applies. Valid
1127
+ # actions include : "accept", "reject", "track-sc1", "track-sc2".
1128
+ # See "tcp-request connection" above for their signification.
1129
+ #
1130
+ # <condition> is a standard layer 4-7 ACL-based condition (see section 7).
1131
+ #
1132
+ # A request's contents can be analysed at an early stage of request processing
1133
+ # called "TCP content inspection". During this stage, ACL-based rules are
1134
+ # evaluated every time the request contents are updated, until either an
1135
+ # "accept" or a "reject" rule matches, or the TCP request inspection delay
1136
+ # expires with no matching rule.
1137
+ #
1138
+ # The first difference between these rules and "tcp-request connection" rules
1139
+ # is that "tcp-request content" rules can make use of contents to take a
1140
+ # decision. Most often, these decisions will consider a protocol recognition or
1141
+ # validity. The second difference is that content-based rules can be used in
1142
+ # both frontends and backends. In frontends, they will be evaluated upon new
1143
+ # connections. In backends, they will be evaluated once a session is assigned
1144
+ # a backend. This means that a single frontend connection may be evaluated
1145
+ # several times by one or multiple backends when a session gets reassigned
1146
+ # (for instance after a client-side HTTP keep-alive request).
1147
+ #
1148
+ # Content-based rules are evaluated in their exact declaration order. If no
1149
+ # rule matches or if there is no rule, the default action is to accept the
1150
+ # contents. There is no specific limit to the number of rules which may be
1151
+ # inserted.
1152
+ #
1153
+ # Three types of actions are supported :
1154
+ # - accept :
1155
+ # - reject :
1156
+ # - { track-sc1 | track-sc2 } <key> [table <table>]
1157
+ #
1158
+ # They have the same meaning as their counter-parts in "tcp-request connection"
1159
+ # so please refer to that section for a complete description.
1160
+ #
1161
+ # Also, it is worth noting that if sticky counters are tracked from a rule
1162
+ # defined in a backend, this tracking will automatically end when the session
1163
+ # releases the backend. That allows per-backend counter tracking even in case
1164
+ # of HTTP keep-alive requests when the backend changes. While there is nothing
1165
+ # mandatory about it, it is recommended to use the track-sc1 pointer to track
1166
+ # per-frontend counters and track-sc2 to track per-backend counters.
1167
+ #
1168
+ # Note that the "if/unless" condition is optional. If no condition is set on
1169
+ # the action, it is simply performed unconditionally. That can be useful for
1170
+ # "track-sc*" actions as well as for changing the default action to a reject.
1171
+ #
1172
+ # It is perfectly possible to match layer 7 contents with "tcp-request content"
1173
+ # rules, but then it is important to ensure that a full request has been
1174
+ # buffered, otherwise no contents will match. In order to achieve this, the
1175
+ # best solution involves detecting the HTTP protocol during the inspection
1176
+ # period.
1177
+ #
1178
+ # Example:
1179
+ # # Accept HTTP requests containing a Host header saying "example.com"
1180
+ # # and reject everything else.
1181
+ # acl is_host_com hdr(Host) -i example.com
1182
+ # tcp-request inspect-delay 30s
1183
+ # tcp-request content accept if HTTP is_host_com
1184
+ # tcp-request content reject
1185
+ #
1186
+ # Example:
1187
+ # # reject SMTP connection if client speaks first
1188
+ # tcp-request inspect-delay 30s
1189
+ # acl content_present req_len gt 0
1190
+ # tcp-request content reject if content_present
1191
+ #
1192
+ # # Forward HTTPS connection only if client speaks
1193
+ # tcp-request inspect-delay 30s
1194
+ # acl content_present req_len gt 0
1195
+ # tcp-request content accept if content_present
1196
+ # tcp-request content reject
1197
+ #
1198
+ # Example: track per-frontend and per-backend counters, block abusers at the
1199
+ # frontend when the backend detects abuse.
1200
+ #
1201
+ # frontend http
1202
+ # # Use General Purpose Couter 0 in SC1 as a global abuse counter
1203
+ # # protecting all our sites
1204
+ # stick-table type ip size 1m expire 5m store gpc0
1205
+ # tcp-request connection track-sc1 src
1206
+ # tcp-request connection reject if { sc1_get_gpc0 gt 0 }
1207
+ # ...
1208
+ # use_backend http_dynamic if { path_end .php }
1209
+ #
1210
+ # backend http_dynamic
1211
+ # # if a source makes too fast requests to this dynamic site (tracked
1212
+ # # by SC2), block it globally in the frontend.
1213
+ # stick-table type ip size 1m expire 5m store http_req_rate(10s)
1214
+ # acl click_too_fast sc2_http_req_rate gt 10
1215
+ # acl mark_as_abuser sc1_inc_gpc0
1216
+ # tcp-request content track-sc2 src
1217
+ # tcp-request content reject if click_too_fast mark_as_abuser
1218
+ #
1219
+ # See section 7 about ACL usage.
1220
+ #
1221
+ # See also : "tcp-request connection", "tcp-request inspect-delay"
1222
+ #
1223
+ attr_accessor :tcp_request_content
1224
+
1225
+ #
1226
+ # tcp-request inspect-delay <timeout>
1227
+ # Set the maximum allowed time to wait for data during content inspection
1228
+ # May be used in sections : defaults | frontend | listen | backend
1229
+ # no | yes | yes | yes
1230
+ # Arguments :
1231
+ # <timeout> is the timeout value specified in milliseconds by default, but
1232
+ # can be in any other unit if the number is suffixed by the unit,
1233
+ # as explained at the top of this document.
1234
+ #
1235
+ # People using haproxy primarily as a TCP relay are often worried about the
1236
+ # risk of passing any type of protocol to a server without any analysis. In
1237
+ # order to be able to analyze the request contents, we must first withhold
1238
+ # the data then analyze them. This statement simply enables withholding of
1239
+ # data for at most the specified amount of time.
1240
+ #
1241
+ # TCP content inspection applies very early when a connection reaches a
1242
+ # frontend, then very early when the connection is forwarded to a backend. This
1243
+ # means that a connection may experience a first delay in the frontend and a
1244
+ # second delay in the backend if both have tcp-request rules.
1245
+ #
1246
+ # Note that when performing content inspection, haproxy will evaluate the whole
1247
+ # rules for every new chunk which gets in, taking into account the fact that
1248
+ # those data are partial. If no rule matches before the aforementioned delay,
1249
+ # a last check is performed upon expiration, this time considering that the
1250
+ # contents are definitive. If no delay is set, haproxy will not wait at all
1251
+ # and will immediately apply a verdict based on the available information.
1252
+ # Obviously this is unlikely to be very useful and might even be racy, so such
1253
+ # setups are not recommended.
1254
+ #
1255
+ # As soon as a rule matches, the request is released and continues as usual. If
1256
+ # the timeout is reached and no rule matches, the default policy will be to let
1257
+ # it pass through unaffected.
1258
+ #
1259
+ # For most protocols, it is enough to set it to a few seconds, as most clients
1260
+ # send the full request immediately upon connection. Add 3 or more seconds to
1261
+ # cover TCP retransmits but that's all. For some protocols, it may make sense
1262
+ # to use large values, for instance to ensure that the client never talks
1263
+ # before the server (eg: SMTP), or to wait for a client to talk before passing
1264
+ # data to the server (eg: SSL). Note that the client timeout must cover at
1265
+ # least the inspection delay, otherwise it will expire first. If the client
1266
+ # closes the connection or if the buffer is full, the delay immediately expires
1267
+ # since the contents will not be able to change anymore.
1268
+ #
1269
+ # See also : "tcp-request content accept", "tcp-request content reject",
1270
+ # "timeout client".
1271
+ #
1272
+ attr_accessor :tcp_request_inspect_delay
1273
+
1274
+ #
1275
+ # use_backend <backend> if <condition>
1276
+ # use_backend <backend> unless <condition>
1277
+ # Switch to a specific backend if/unless an ACL-based condition is matched.
1278
+ # May be used in sections : defaults | frontend | listen | backend
1279
+ # no | yes | yes | no
1280
+ # Arguments :
1281
+ # <backend> is the name of a valid backend or "listen" section.
1282
+ #
1283
+ # <condition> is a condition composed of ACLs, as described in section 7.
1284
+ #
1285
+ # When doing content-switching, connections arrive on a frontend and are then
1286
+ # dispatched to various backends depending on a number of conditions. The
1287
+ # relation between the conditions and the backends is described with the
1288
+ # "use_backend" keyword. While it is normally used with HTTP processing, it can
1289
+ # also be used in pure TCP, either without content using stateless ACLs (eg:
1290
+ # source address validation) or combined with a "tcp-request" rule to wait for
1291
+ # some payload.
1292
+ #
1293
+ # There may be as many "use_backend" rules as desired. All of these rules are
1294
+ # evaluated in their declaration order, and the first one which matches will
1295
+ # assign the backend.
1296
+ #
1297
+ # In the first form, the backend will be used if the condition is met. In the
1298
+ # second form, the backend will be used if the condition is not met. If no
1299
+ # condition is valid, the backend defined with "default_backend" will be used.
1300
+ # If no default backend is defined, either the servers in the same section are
1301
+ # used (in case of a "listen" section) or, in case of a frontend, no server is
1302
+ # used and a 503 service unavailable response is returned.
1303
+ #
1304
+ # Note that it is possible to switch from a TCP frontend to an HTTP backend. In
1305
+ # this case, either the frontend has already checked that the protocol is HTTP,
1306
+ # and backend processing will immediately follow, or the backend will wait for
1307
+ # a complete HTTP request to get in. This feature is useful when a frontend
1308
+ # must decode several protocols on a unique port, one of them being HTTP.
1309
+ #
1310
+ # See also: "default_backend", "tcp-request", and section 7 about ACLs.
1311
+ #
1312
+ attr_accessor :use_backend
1313
+
1314
+ #
1315
+ # description <text>
1316
+ # Add a text that describes the instance.
1317
+ #
1318
+ # Please note that it is required to escape certain characters (# for example)
1319
+ # and this text is inserted into a html page so you should avoid using
1320
+ # "<" and ">" characters.
1321
+ #
1322
+ attr_accessor :description
1323
+
1324
+ #
1325
+ # backlog <conns>
1326
+ # Give hints to the system about the approximate listen backlog desired size
1327
+ # May be used in sections : defaults | frontend | listen | backend
1328
+ # yes | yes | yes | no
1329
+ # Arguments :
1330
+ # <conns> is the number of pending connections. Depending on the operating
1331
+ # system, it may represent the number of already acknowledged
1332
+ # connections, of non-acknowledged ones, or both.
1333
+ #
1334
+ # In order to protect against SYN flood attacks, one solution is to increase
1335
+ # the system's SYN backlog size. Depending on the system, sometimes it is just
1336
+ # tunable via a system parameter, sometimes it is not adjustable at all, and
1337
+ # sometimes the system relies on hints given by the application at the time of
1338
+ # the listen() syscall. By default, HAProxy passes the frontend's maxconn value
1339
+ # to the listen() syscall. On systems which can make use of this value, it can
1340
+ # sometimes be useful to be able to specify a different value, hence this
1341
+ # backlog parameter.
1342
+ #
1343
+ # On Linux 2.4, the parameter is ignored by the system. On Linux 2.6, it is
1344
+ # used as a hint and the system accepts up to the smallest greater power of
1345
+ # two, and never more than some limits (usually 32768).
1346
+ #
1347
+ # See also : "maxconn" and the target operating system's tuning guide.
1348
+ #
1349
+ attr_accessor :backlog
1350
+
1351
+ #
1352
+ # bind-process [ all | odd | even | <number 1-32> ] ...
1353
+ # Limit visibility of an instance to a certain set of processes numbers.
1354
+ # May be used in sections : defaults | frontend | listen | backend
1355
+ # yes | yes | yes | yes
1356
+ # Arguments :
1357
+ # all All process will see this instance. This is the default. It
1358
+ # may be used to override a default value.
1359
+ #
1360
+ # odd This instance will be enabled on processes 1,3,5,...31. This
1361
+ # option may be combined with other numbers.
1362
+ #
1363
+ # even This instance will be enabled on processes 2,4,6,...32. This
1364
+ # option may be combined with other numbers. Do not use it
1365
+ # with less than 2 processes otherwise some instances might be
1366
+ # missing from all processes.
1367
+ #
1368
+ # number The instance will be enabled on this process number, between
1369
+ # 1 and 32. You must be careful not to reference a process
1370
+ # number greater than the configured global.nbproc, otherwise
1371
+ # some instances might be missing from all processes.
1372
+ #
1373
+ # This keyword limits binding of certain instances to certain processes. This
1374
+ # is useful in order not to have too many processes listening to the same
1375
+ # ports. For instance, on a dual-core machine, it might make sense to set
1376
+ # 'nbproc 2' in the global section, then distributes the listeners among 'odd'
1377
+ # and 'even' instances.
1378
+ #
1379
+ # At the moment, it is not possible to reference more than 32 processes using
1380
+ # this keyword, but this should be more than enough for most setups. Please
1381
+ # note that 'all' really means all processes and is not limited to the first
1382
+ # 32.
1383
+ #
1384
+ # If some backends are referenced by frontends bound to other processes, the
1385
+ # backend automatically inherits the frontend's processes.
1386
+ #
1387
+ # Example :
1388
+ # listen app_ip1
1389
+ # bind 10.0.0.1:80
1390
+ # bind-process odd
1391
+ #
1392
+ # listen app_ip2
1393
+ # bind 10.0.0.2:80
1394
+ # bind-process even
1395
+ #
1396
+ # listen management
1397
+ # bind 10.0.0.3:80
1398
+ # bind-process 1 2 3 4
1399
+ #
1400
+ # See also : "nbproc" in global section.
1401
+ #
1402
+ attr_accessor :bind_process
1403
+
1404
+ #
1405
+ # default_backend <backend>
1406
+ # Specify the backend to use when no "use_backend" rule has been matched.
1407
+ # May be used in sections : defaults | frontend | listen | backend
1408
+ # yes | yes | yes | no
1409
+ # Arguments :
1410
+ # <backend> is the name of the backend to use.
1411
+ #
1412
+ # When doing content-switching between frontend and backends using the
1413
+ # "use_backend" keyword, it is often useful to indicate which backend will be
1414
+ # used when no rule has matched. It generally is the dynamic backend which
1415
+ # will catch all undetermined requests.
1416
+ #
1417
+ # Example :
1418
+ #
1419
+ # use_backend dynamic if url_dyn
1420
+ # use_backend static if url_css url_img extension_img
1421
+ # default_backend dynamic
1422
+ #
1423
+ # See also : "use_backend", "reqsetbe", "reqisetbe"
1424
+ #
1425
+ attr_accessor :default_backend
1426
+
1427
+ #
1428
+ # disabled
1429
+ # Disable a proxy, frontend or backend.
1430
+ # May be used in sections : defaults | frontend | listen | backend
1431
+ # yes | yes | yes | yes
1432
+ # Arguments : none
1433
+ #
1434
+ # The "disabled" keyword is used to disable an instance, mainly in order to
1435
+ # liberate a listening port or to temporarily disable a service. The instance
1436
+ # will still be created and its configuration will be checked, but it will be
1437
+ # created in the "stopped" state and will appear as such in the statistics. It
1438
+ # will not receive any traffic nor will it send any health-checks or logs. It
1439
+ # is possible to disable many instances at once by adding the "disabled"
1440
+ # keyword in a "defaults" section.
1441
+ #
1442
+ # See also : "enabled"
1443
+ #
1444
+ attr_accessor :disabled
1445
+
1446
+ #
1447
+ # enabled
1448
+ # Enable a proxy, frontend or backend.
1449
+ # May be used in sections : defaults | frontend | listen | backend
1450
+ # yes | yes | yes | yes
1451
+ # Arguments : none
1452
+ #
1453
+ # The "enabled" keyword is used to explicitly enable an instance, when the
1454
+ # defaults has been set to "disabled". This is very rarely used.
1455
+ #
1456
+ # See also : "disabled"
1457
+ #
1458
+ attr_accessor :enabled
1459
+
1460
+ #
1461
+ # errorfile <code> <file>
1462
+ # Return a file contents instead of errors generated by HAProxy
1463
+ # May be used in sections : defaults | frontend | listen | backend
1464
+ # yes | yes | yes | yes
1465
+ # Arguments :
1466
+ # <code> is the HTTP status code. Currently, HAProxy is capable of
1467
+ # generating codes 400, 403, 408, 500, 502, 503, and 504.
1468
+ #
1469
+ # <file> designates a file containing the full HTTP response. It is
1470
+ # recommended to follow the common practice of appending ".http" to
1471
+ # the filename so that people do not confuse the response with HTML
1472
+ # error pages, and to use absolute paths, since files are read
1473
+ # before any chroot is performed.
1474
+ #
1475
+ # It is important to understand that this keyword is not meant to rewrite
1476
+ # errors returned by the server, but errors detected and returned by HAProxy.
1477
+ # This is why the list of supported errors is limited to a small set.
1478
+ #
1479
+ # The files are returned verbatim on the TCP socket. This allows any trick such
1480
+ # as redirections to another URL or site, as well as tricks to clean cookies,
1481
+ # force enable or disable caching, etc... The package provides default error
1482
+ # files returning the same contents as default errors.
1483
+ #
1484
+ # The files should not exceed the configured buffer size (BUFSIZE), which
1485
+ # generally is 8 or 16 kB, otherwise they will be truncated. It is also wise
1486
+ # not to put any reference to local contents (eg: images) in order to avoid
1487
+ # loops between the client and HAProxy when all servers are down, causing an
1488
+ # error to be returned instead of an image. For better HTTP compliance, it is
1489
+ # recommended that all header lines end with CR-LF and not LF alone.
1490
+ #
1491
+ # The files are read at the same time as the configuration and kept in memory.
1492
+ # For this reason, the errors continue to be returned even when the process is
1493
+ # chrooted, and no file change is considered while the process is running. A
1494
+ # simple method for developing those files consists in associating them to the
1495
+ # 403 status code and interrogating a blocked URL.
1496
+ #
1497
+ # See also : "errorloc", "errorloc302", "errorloc303"
1498
+ #
1499
+ # Example :
1500
+ # errorfile 400 /etc/haproxy/errorfiles/400badreq.http
1501
+ # errorfile 403 /etc/haproxy/errorfiles/403forbid.http
1502
+ # errorfile 503 /etc/haproxy/errorfiles/503sorry.http
1503
+ #
1504
+ attr_accessor :errorfile
1505
+
1506
+ #
1507
+ # errorloc <code> <url>
1508
+ # Return an HTTP redirection to a URL instead of errors generated by HAProxy
1509
+ # May be used in sections : defaults | frontend | listen | backend
1510
+ # yes | yes | yes | yes
1511
+ # Arguments :
1512
+ # <code> is the HTTP status code. Currently, HAProxy is capable of
1513
+ # generating codes 400, 403, 408, 500, 502, 503, and 504.
1514
+ #
1515
+ # <url> it is the exact contents of the "Location" header. It may contain
1516
+ # either a relative URI to an error page hosted on the same site,
1517
+ # or an absolute URI designating an error page on another site.
1518
+ # Special care should be given to relative URIs to avoid redirect
1519
+ # loops if the URI itself may generate the same error (eg: 500).
1520
+ #
1521
+ # It is important to understand that this keyword is not meant to rewrite
1522
+ # errors returned by the server, but errors detected and returned by HAProxy.
1523
+ # This is why the list of supported errors is limited to a small set.
1524
+ #
1525
+ # Note that both keyword return the HTTP 302 status code, which tells the
1526
+ # client to fetch the designated URL using the same HTTP method. This can be
1527
+ # quite problematic in case of non-GET methods such as POST, because the URL
1528
+ # sent to the client might not be allowed for something other than GET. To
1529
+ # workaround this problem, please use "errorloc303" which send the HTTP 303
1530
+ # status code, indicating to the client that the URL must be fetched with a GET
1531
+ # request.
1532
+ #
1533
+ # See also : "errorfile", "errorloc303"
1534
+ #
1535
+ attr_accessor :errorloc
1536
+
1537
+ #
1538
+ # errorloc302 <code> <url>
1539
+ # Return an HTTP redirection to a URL instead of errors generated by HAProxy
1540
+ # May be used in sections : defaults | frontend | listen | backend
1541
+ # yes | yes | yes | yes
1542
+ # Arguments :
1543
+ # <code> is the HTTP status code. Currently, HAProxy is capable of
1544
+ # generating codes 400, 403, 408, 500, 502, 503, and 504.
1545
+ #
1546
+ # <url> it is the exact contents of the "Location" header. It may contain
1547
+ # either a relative URI to an error page hosted on the same site,
1548
+ # or an absolute URI designating an error page on another site.
1549
+ # Special care should be given to relative URIs to avoid redirect
1550
+ # loops if the URI itself may generate the same error (eg: 500).
1551
+ #
1552
+ # It is important to understand that this keyword is not meant to rewrite
1553
+ # errors returned by the server, but errors detected and returned by HAProxy.
1554
+ # This is why the list of supported errors is limited to a small set.
1555
+ #
1556
+ # Note that both keyword return the HTTP 302 status code, which tells the
1557
+ # client to fetch the designated URL using the same HTTP method. This can be
1558
+ # quite problematic in case of non-GET methods such as POST, because the URL
1559
+ # sent to the client might not be allowed for something other than GET. To
1560
+ # workaround this problem, please use "errorloc303" which send the HTTP 303
1561
+ # status code, indicating to the client that the URL must be fetched with a GET
1562
+ # request.
1563
+ #
1564
+ # See also : "errorfile", "errorloc303"
1565
+ #
1566
+ attr_accessor :errorloc302
1567
+
1568
+ #
1569
+ # errorloc303 <code> <url>
1570
+ # Return an HTTP redirection to a URL instead of errors generated by HAProxy
1571
+ # May be used in sections : defaults | frontend | listen | backend
1572
+ # yes | yes | yes | yes
1573
+ # Arguments :
1574
+ # <code> is the HTTP status code. Currently, HAProxy is capable of
1575
+ # generating codes 400, 403, 408, 500, 502, 503, and 504.
1576
+ #
1577
+ # <url> it is the exact contents of the "Location" header. It may contain
1578
+ # either a relative URI to an error page hosted on the same site,
1579
+ # or an absolute URI designating an error page on another site.
1580
+ # Special care should be given to relative URIs to avoid redirect
1581
+ # loops if the URI itself may generate the same error (eg: 500).
1582
+ #
1583
+ # It is important to understand that this keyword is not meant to rewrite
1584
+ # errors returned by the server, but errors detected and returned by HAProxy.
1585
+ # This is why the list of supported errors is limited to a small set.
1586
+ #
1587
+ # Note that both keyword return the HTTP 303 status code, which tells the
1588
+ # client to fetch the designated URL using the same HTTP GET method. This
1589
+ # solves the usual problems associated with "errorloc" and the 302 code. It is
1590
+ # possible that some very old browsers designed before HTTP/1.1 do not support
1591
+ # it, but no such problem has been reported till now.
1592
+ #
1593
+ # See also : "errorfile", "errorloc", "errorloc302"
1594
+ #
1595
+ attr_accessor :errorloc303
1596
+
1597
+ #
1598
+ # grace <time>
1599
+ # Maintain a proxy operational for some time after a soft stop
1600
+ # May be used in sections : defaults | frontend | listen | backend
1601
+ # yes | yes | yes | yes
1602
+ # Arguments :
1603
+ # <time> is the time (by default in milliseconds) for which the instance
1604
+ # will remain operational with the frontend sockets still listening
1605
+ # when a soft-stop is received via the SIGUSR1 signal.
1606
+ #
1607
+ # This may be used to ensure that the services disappear in a certain order.
1608
+ # This was designed so that frontends which are dedicated to monitoring by an
1609
+ # external equipment fail immediately while other ones remain up for the time
1610
+ # needed by the equipment to detect the failure.
1611
+ #
1612
+ # Note that currently, there is very little benefit in using this parameter,
1613
+ # and it may in fact complicate the soft-reconfiguration process more than
1614
+ # simplify it.
1615
+ #
1616
+ attr_accessor :grace
1617
+
1618
+ # log global
1619
+ # log <address> <facility> [<level> [<minlevel>]]
1620
+ # Enable per-instance logging of events and traffic.
1621
+ # May be used in sections : defaults | frontend | listen | backend
1622
+ # yes | yes | yes | yes
1623
+ # Arguments :
1624
+ # global should be used when the instance's logging parameters are the
1625
+ # same as the global ones. This is the most common usage. "global"
1626
+ # replaces <address>, <facility> and <level> with those of the log
1627
+ # entries found in the "global" section. Only one "log global"
1628
+ # statement may be used per instance, and this form takes no other
1629
+ # parameter.
1630
+ #
1631
+ # <address> indicates where to send the logs. It takes the same format as
1632
+ # for the "global" section's logs, and can be one of :
1633
+ #
1634
+ # - An IPv4 address optionally followed by a colon (':') and a UDP
1635
+ # port. If no port is specified, 514 is used by default (the
1636
+ # standard syslog port).
1637
+ #
1638
+ # - A filesystem path to a UNIX domain socket, keeping in mind
1639
+ # considerations for chroot (be sure the path is accessible
1640
+ # inside the chroot) and uid/gid (be sure the path is
1641
+ # appropriately writeable).
1642
+ #
1643
+ # <facility> must be one of the 24 standard syslog facilities :
1644
+ #
1645
+ # kern user mail daemon auth syslog lpr news
1646
+ # uucp cron auth2 ftp ntp audit alert cron2
1647
+ # local0 local1 local2 local3 local4 local5 local6 local7
1648
+ #
1649
+ # <level> is optional and can be specified to filter outgoing messages. By
1650
+ # default, all messages are sent. If a level is specified, only
1651
+ # messages with a severity at least as important as this level
1652
+ # will be sent. An optional minimum level can be specified. If it
1653
+ # is set, logs emitted with a more severe level than this one will
1654
+ # be capped to this level. This is used to avoid sending "emerg"
1655
+ # messages on all terminals on some default syslog configurations.
1656
+ # Eight levels are known :
1657
+ #
1658
+ # emerg alert crit err warning notice info debug
1659
+ #
1660
+ # Note that up to two "log" entries may be specified per instance. However, if
1661
+ # "log global" is used and if the "global" section already contains 2 log
1662
+ # entries, then additional log entries will be ignored.
1663
+ #
1664
+ # Also, it is important to keep in mind that it is the frontend which decides
1665
+ # what to log from a connection, and that in case of content switching, the log
1666
+ # entries from the backend will be ignored. Connections are logged at level
1667
+ # "info".
1668
+ #
1669
+ # However, backend log declaration define how and where servers status changes
1670
+ # will be logged. Level "notice" will be used to indicate a server going up,
1671
+ # "warning" will be used for termination signals and definitive service
1672
+ # termination, and "alert" will be used for when a server goes down.
1673
+ #
1674
+ # Note : According to RFC3164, messages are truncated to 1024 bytes before
1675
+ # being emitted.
1676
+ #
1677
+ # Example :
1678
+ # log global
1679
+ # log 127.0.0.1:514 local0 notice # only send important events
1680
+ # log 127.0.0.1:514 local0 notice notice # same but limit output level
1681
+ #
1682
+ attr_accessor :log
1683
+
1684
+ #
1685
+ # maxconn <conns>
1686
+ # Fix the maximum number of concurrent connections on a frontend
1687
+ # May be used in sections : defaults | frontend | listen | backend
1688
+ # yes | yes | yes | no
1689
+ # Arguments :
1690
+ # <conns> is the maximum number of concurrent connections the frontend will
1691
+ # accept to serve. Excess connections will be queued by the system
1692
+ # in the socket's listen queue and will be served once a connection
1693
+ # closes.
1694
+ #
1695
+ # If the system supports it, it can be useful on big sites to raise this limit
1696
+ # very high so that haproxy manages connection queues, instead of leaving the
1697
+ # clients with unanswered connection attempts. This value should not exceed the
1698
+ # global maxconn. Also, keep in mind that a connection contains two buffers
1699
+ # of 8kB each, as well as some other data resulting in about 17 kB of RAM being
1700
+ # consumed per established connection. That means that a medium system equipped
1701
+ # with 1GB of RAM can withstand around 40000-50000 concurrent connections if
1702
+ # properly tuned.
1703
+ #
1704
+ # Also, when <conns> is set to large values, it is possible that the servers
1705
+ # are not sized to accept such loads, and for this reason it is generally wise
1706
+ # to assign them some reasonable connection limits.
1707
+ #
1708
+ # See also : "server", global section's "maxconn", "fullconn"
1709
+ #
1710
+ attr_accessor :maxconn
1711
+
1712
+ #
1713
+ # mode { tcp|http|health }
1714
+ # Set the running mode or protocol of the instance
1715
+ # May be used in sections : defaults | frontend | listen | backend
1716
+ # yes | yes | yes | yes
1717
+ # Arguments :
1718
+ # tcp The instance will work in pure TCP mode. A full-duplex connection
1719
+ # will be established between clients and servers, and no layer 7
1720
+ # examination will be performed. This is the default mode. It
1721
+ # should be used for SSL, SSH, SMTP, ...
1722
+ #
1723
+ # http The instance will work in HTTP mode. The client request will be
1724
+ # analyzed in depth before connecting to any server. Any request
1725
+ # which is not RFC-compliant will be rejected. Layer 7 filtering,
1726
+ # processing and switching will be possible. This is the mode which
1727
+ # brings HAProxy most of its value.
1728
+ #
1729
+ # health The instance will work in "health" mode. It will just reply "OK"
1730
+ # to incoming connections and close the connection. Nothing will be
1731
+ # logged. This mode is used to reply to external components health
1732
+ # checks. This mode is deprecated and should not be used anymore as
1733
+ # it is possible to do the same and even better by combining TCP or
1734
+ # HTTP modes with the "monitor" keyword.
1735
+ #
1736
+ # When doing content switching, it is mandatory that the frontend and the
1737
+ # backend are in the same mode (generally HTTP), otherwise the configuration
1738
+ # will be refused.
1739
+ #
1740
+ # Example :
1741
+ # defaults http_instances
1742
+ # mode http
1743
+ #
1744
+ # See also : "monitor", "monitor-net"
1745
+ #
1746
+ attr_accessor :mode
1747
+
1748
+ #
1749
+ # monitor-net <source>
1750
+ # Declare a source network which is limited to monitor requests
1751
+ # May be used in sections : defaults | frontend | listen | backend
1752
+ # yes | yes | yes | no
1753
+ # Arguments :
1754
+ # <source> is the source IPv4 address or network which will only be able to
1755
+ # get monitor responses to any request. It can be either an IPv4
1756
+ # address, a host name, or an address followed by a slash ('/')
1757
+ # followed by a mask.
1758
+ #
1759
+ # In TCP mode, any connection coming from a source matching <source> will cause
1760
+ # the connection to be immediately closed without any log. This allows another
1761
+ # equipment to probe the port and verify that it is still listening, without
1762
+ # forwarding the connection to a remote server.
1763
+ #
1764
+ # In HTTP mode, a connection coming from a source matching <source> will be
1765
+ # accepted, the following response will be sent without waiting for a request,
1766
+ # then the connection will be closed : "HTTP/1.0 200 OK". This is normally
1767
+ # enough for any front-end HTTP probe to detect that the service is UP and
1768
+ # running without forwarding the request to a backend server.
1769
+ #
1770
+ # Monitor requests are processed very early. It is not possible to block nor
1771
+ # divert them using ACLs. They cannot be logged either, and it is the intended
1772
+ # purpose. They are only used to report HAProxy's health to an upper component,
1773
+ # nothing more. Right now, it is not possible to set failure conditions on
1774
+ # requests caught by "monitor-net".
1775
+ #
1776
+ # Last, please note that only one "monitor-net" statement can be specified in
1777
+ # a frontend. If more than one is found, only the last one will be considered.
1778
+ #
1779
+ # Example :
1780
+ # # addresses .252 and .253 are just probing us.
1781
+ # frontend www
1782
+ # monitor-net 192.168.0.252/31
1783
+ #
1784
+ # See also : "monitor fail", "monitor-uri"
1785
+ #
1786
+ attr_accessor :monitor_net
1787
+
1788
+ #
1789
+ # monitor-uri <uri>
1790
+ # Intercept a URI used by external components' monitor requests
1791
+ # May be used in sections : defaults | frontend | listen | backend
1792
+ # yes | yes | yes | no
1793
+ # Arguments :
1794
+ # <uri> is the exact URI which we want to intercept to return HAProxy's
1795
+ # health status instead of forwarding the request.
1796
+ #
1797
+ # When an HTTP request referencing <uri> will be received on a frontend,
1798
+ # HAProxy will not forward it nor log it, but instead will return either
1799
+ # "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on failure
1800
+ # conditions defined with "monitor fail". This is normally enough for any
1801
+ # front-end HTTP probe to detect that the service is UP and running without
1802
+ # forwarding the request to a backend server. Note that the HTTP method, the
1803
+ # version and all headers are ignored, but the request must at least be valid
1804
+ # at the HTTP level. This keyword may only be used with an HTTP-mode frontend.
1805
+ #
1806
+ # Monitor requests are processed very early. It is not possible to block nor
1807
+ # divert them using ACLs. They cannot be logged either, and it is the intended
1808
+ # purpose. They are only used to report HAProxy's health to an upper component,
1809
+ # nothing more. However, it is possible to add any number of conditions using
1810
+ # "monitor fail" and ACLs so that the result can be adjusted to whatever check
1811
+ # can be imagined (most often the number of available servers in a backend).
1812
+ #
1813
+ # Example :
1814
+ # # Use /haproxy_test to report haproxy's status
1815
+ # frontend www
1816
+ # mode http
1817
+ # monitor-uri /haproxy_test
1818
+ #
1819
+ # See also : "monitor fail", "monitor-net"
1820
+ #
1821
+ attr_accessor :monitor_uri
1822
+
1823
+ #
1824
+ # option accept-invalid-http-request
1825
+ # no option accept-invalid-http-request
1826
+ # Enable or disable relaxing of HTTP request parsing
1827
+ # May be used in sections : defaults | frontend | listen | backend
1828
+ # yes | yes | yes | no
1829
+ # Arguments : none
1830
+ #
1831
+ # By default, HAProxy complies with RFC2616 in terms of message parsing. This
1832
+ # means that invalid characters in header names are not permitted and cause an
1833
+ # error to be returned to the client. This is the desired behaviour as such
1834
+ # forbidden characters are essentially used to build attacks exploiting server
1835
+ # weaknesses, and bypass security filtering. Sometimes, a buggy browser or
1836
+ # server will emit invalid header names for whatever reason (configuration,
1837
+ # implementation) and the issue will not be immediately fixed. In such a case,
1838
+ # it is possible to relax HAProxy's header name parser to accept any character
1839
+ # even if that does not make sense, by specifying this option.
1840
+ #
1841
+ # This option should never be enabled by default as it hides application bugs
1842
+ # and open security breaches. It should only be deployed after a problem has
1843
+ # been confirmed.
1844
+ #
1845
+ # When this option is enabled, erroneous header names will still be accepted in
1846
+ # requests, but the complete request will be captured in order to permit later
1847
+ # analysis using the "show errors" request on the UNIX stats socket. Doing this
1848
+ # also helps confirming that the issue has been solved.
1849
+ #
1850
+ # If this option has been enabled in a "defaults" section, it can be disabled
1851
+ # in a specific instance by prepending the "no" keyword before it.
1852
+ #
1853
+ # See also : "option accept-invalid-http-response" and "show errors" on the
1854
+ # stats socket.
1855
+ #
1856
+ attr_accessor :option_accept_invalid_http_request
1857
+
1858
+ #
1859
+ # option clitcpka
1860
+ # no option clitcpka
1861
+ # Enable or disable the sending of TCP keepalive packets on the client side
1862
+ # May be used in sections : defaults | frontend | listen | backend
1863
+ # yes | yes | yes | no
1864
+ # Arguments : none
1865
+ #
1866
+ # When there is a firewall or any session-aware component between a client and
1867
+ # a server, and when the protocol involves very long sessions with long idle
1868
+ # periods (eg: remote desktops), there is a risk that one of the intermediate
1869
+ # components decides to expire a session which has remained idle for too long.
1870
+ #
1871
+ # Enabling socket-level TCP keep-alives makes the system regularly send packets
1872
+ # to the other end of the connection, leaving it active. The delay between
1873
+ # keep-alive probes is controlled by the system only and depends both on the
1874
+ # operating system and its tuning parameters.
1875
+ #
1876
+ # It is important to understand that keep-alive packets are neither emitted nor
1877
+ # received at the application level. It is only the network stacks which sees
1878
+ # them. For this reason, even if one side of the proxy already uses keep-alives
1879
+ # to maintain its connection alive, those keep-alive packets will not be
1880
+ # forwarded to the other side of the proxy.
1881
+ #
1882
+ # Please note that this has nothing to do with HTTP keep-alive.
1883
+ #
1884
+ # Using option "clitcpka" enables the emission of TCP keep-alive probes on the
1885
+ # client side of a connection, which should help when session expirations are
1886
+ # noticed between HAProxy and a client.
1887
+ #
1888
+ # If this option has been enabled in a "defaults" section, it can be disabled
1889
+ # in a specific instance by prepending the "no" keyword before it.
1890
+ #
1891
+ # See also : "option srvtcpka", "option tcpka"
1892
+ #
1893
+ attr_accessor :option_clitcpka
1894
+
1895
+ #
1896
+ # option contstats
1897
+ # Enable continuous traffic statistics updates
1898
+ # May be used in sections : defaults | frontend | listen | backend
1899
+ # yes | yes | yes | no
1900
+ # Arguments : none
1901
+ #
1902
+ # By default, counters used for statistics calculation are incremented
1903
+ # only when a session finishes. It works quite well when serving small
1904
+ # objects, but with big ones (for example large images or archives) or
1905
+ # with A/V streaming, a graph generated from haproxy counters looks like
1906
+ # a hedgehog. With this option enabled counters get incremented continuously,
1907
+ # during a whole session. Recounting touches a hotpath directly so
1908
+ # it is not enabled by default, as it has small performance impact (~0.5%).
1909
+ #
1910
+ attr_accessor :option_contstats
1911
+
1912
+ #
1913
+ # option dontlog-normal
1914
+ # no option dontlog-normal
1915
+ # Enable or disable logging of normal, successful connections
1916
+ # May be used in sections : defaults | frontend | listen | backend
1917
+ # yes | yes | yes | no
1918
+ # Arguments : none
1919
+ #
1920
+ # There are large sites dealing with several thousand connections per second
1921
+ # and for which logging is a major pain. Some of them are even forced to turn
1922
+ # logs off and cannot debug production issues. Setting this option ensures that
1923
+ # normal connections, those which experience no error, no timeout, no retry nor
1924
+ # redispatch, will not be logged. This leaves disk space for anomalies. In HTTP
1925
+ # mode, the response status code is checked and return codes 5xx will still be
1926
+ # logged.
1927
+ #
1928
+ # It is strongly discouraged to use this option as most of the time, the key to
1929
+ # complex issues is in the normal logs which will not be logged here. If you
1930
+ # need to separate logs, see the "log-separate-errors" option instead.
1931
+ #
1932
+ # See also : "log", "dontlognull", "log-separate-errors" and section 8 about
1933
+ # logging.
1934
+ #
1935
+ attr_accessor :option_dontlog_normal
1936
+
1937
+ #
1938
+ # option dontlognull
1939
+ # no option dontlognull
1940
+ # Enable or disable logging of null connections
1941
+ # May be used in sections : defaults | frontend | listen | backend
1942
+ # yes | yes | yes | no
1943
+ # Arguments : none
1944
+ #
1945
+ # In certain environments, there are components which will regularly connect to
1946
+ # various systems to ensure that they are still alive. It can be the case from
1947
+ # another load balancer as well as from monitoring systems. By default, even a
1948
+ # simple port probe or scan will produce a log. If those connections pollute
1949
+ # the logs too much, it is possible to enable option "dontlognull" to indicate
1950
+ # that a connection on which no data has been transferred will not be logged,
1951
+ # which typically corresponds to those probes.
1952
+ #
1953
+ # It is generally recommended not to use this option in uncontrolled
1954
+ # environments (eg: internet), otherwise scans and other malicious activities
1955
+ # would not be logged.
1956
+ #
1957
+ # If this option has been enabled in a "defaults" section, it can be disabled
1958
+ # in a specific instance by prepending the "no" keyword before it.
1959
+ #
1960
+ # See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
1961
+ #
1962
+ attr_accessor :option_dontlognull
1963
+
1964
+ #
1965
+ # option forceclose
1966
+ # no option forceclose
1967
+ # Enable or disable active connection closing after response is transferred.
1968
+ # May be used in sections : defaults | frontend | listen | backend
1969
+ # yes | yes | yes | yes
1970
+ # Arguments : none
1971
+ #
1972
+ # Some HTTP servers do not necessarily close the connections when they receive
1973
+ # the "Connection: close" set by "option httpclose", and if the client does not
1974
+ # close either, then the connection remains open till the timeout expires. This
1975
+ # causes high number of simultaneous connections on the servers and shows high
1976
+ # global session times in the logs.
1977
+ #
1978
+ # When this happens, it is possible to use "option forceclose". It will
1979
+ # actively close the outgoing server channel as soon as the server has finished
1980
+ # to respond. This option implicitly enables the "httpclose" option. Note that
1981
+ # this option also enables the parsing of the full request and response, which
1982
+ # means we can close the connection to the server very quickly, releasing some
1983
+ # resources earlier than with httpclose.
1984
+ #
1985
+ # This option may also be combined with "option http-pretend-keepalive", which
1986
+ # will disable sending of the "Connection: close" header, but will still cause
1987
+ # the connection to be closed once the whole response is received.
1988
+ #
1989
+ # If this option has been enabled in a "defaults" section, it can be disabled
1990
+ # in a specific instance by prepending the "no" keyword before it.
1991
+ #
1992
+ # See also : "option httpclose" and "option http-pretend-keepalive"
1993
+ #
1994
+ attr_accessor :option_forceclose
1995
+
1996
+ #
1997
+ # option forwardfor [ except <network> ] [ header <name> ]
1998
+ # Enable insertion of the X-Forwarded-For header to requests sent to servers
1999
+ # May be used in sections : defaults | frontend | listen | backend
2000
+ # yes | yes | yes | yes
2001
+ # Arguments :
2002
+ # <network> is an optional argument used to disable this option for sources
2003
+ # matching <network>
2004
+ # <name> an optional argument to specify a different "X-Forwarded-For"
2005
+ # header name.
2006
+ #
2007
+ # Since HAProxy works in reverse-proxy mode, the servers see its IP address as
2008
+ # their client address. This is sometimes annoying when the client's IP address
2009
+ # is expected in server logs. To solve this problem, the well-known HTTP header
2010
+ # "X-Forwarded-For" may be added by HAProxy to all requests sent to the server.
2011
+ # This header contains a value representing the client's IP address. Since this
2012
+ # header is always appended at the end of the existing header list, the server
2013
+ # must be configured to always use the last occurrence of this header only. See
2014
+ # the server's manual to find how to enable use of this standard header. Note
2015
+ # that only the last occurrence of the header must be used, since it is really
2016
+ # possible that the client has already brought one.
2017
+ #
2018
+ # The keyword "header" may be used to supply a different header name to replace
2019
+ # the default "X-Forwarded-For". This can be useful where you might already
2020
+ # have a "X-Forwarded-For" header from a different application (eg: stunnel),
2021
+ # and you need preserve it. Also if your backend server doesn't use the
2022
+ # "X-Forwarded-For" header and requires different one (eg: Zeus Web Servers
2023
+ # require "X-Cluster-Client-IP").
2024
+ #
2025
+ # Sometimes, a same HAProxy instance may be shared between a direct client
2026
+ # access and a reverse-proxy access (for instance when an SSL reverse-proxy is
2027
+ # used to decrypt HTTPS traffic). It is possible to disable the addition of the
2028
+ # header for a known source address or network by adding the "except" keyword
2029
+ # followed by the network address. In this case, any source IP matching the
2030
+ # network will not cause an addition of this header. Most common uses are with
2031
+ # private networks or 127.0.0.1.
2032
+ #
2033
+ # This option may be specified either in the frontend or in the backend. If at
2034
+ # least one of them uses it, the header will be added. Note that the backend's
2035
+ # setting of the header subargument takes precedence over the frontend's if
2036
+ # both are defined.
2037
+ #
2038
+ # It is important to note that as long as HAProxy does not support keep-alive
2039
+ # connections, only the first request of a connection will receive the header.
2040
+ # For this reason, it is important to ensure that "option httpclose" is set
2041
+ # when using this option.
2042
+ #
2043
+ # Examples :
2044
+ # # Public HTTP address also used by stunnel on the same machine
2045
+ # frontend www
2046
+ # mode http
2047
+ # option forwardfor except 127.0.0.1 # stunnel already adds the header
2048
+ #
2049
+ # # Those servers want the IP Address in X-Client
2050
+ # backend www
2051
+ # mode http
2052
+ # option forwardfor header X-Client
2053
+ #
2054
+ # See also : "option httpclose"
2055
+ #
2056
+ attr_accessor :option_forwardfor
2057
+
2058
+ #
2059
+ # option http-pretend-keepalive
2060
+ # no option http-pretend-keepalive
2061
+ # Define whether haproxy will announce keepalive to the server or not
2062
+ # May be used in sections : defaults | frontend | listen | backend
2063
+ # yes | yes | yes | yes
2064
+ # Arguments : none
2065
+ #
2066
+ # When running with "option http-server-close" or "option forceclose", haproxy
2067
+ # adds a "Connection: close" header to the request forwarded to the server.
2068
+ # Unfortunately, when some servers see this header, they automatically refrain
2069
+ # from using the chunked encoding for responses of unknown length, while this
2070
+ # is totally unrelated. The immediate effect is that this prevents haproxy from
2071
+ # maintaining the client connection alive. A second effect is that a client or
2072
+ # a cache could receive an incomplete response without being aware of it, and
2073
+ # consider the response complete.
2074
+ #
2075
+ # By setting "option http-pretend-keepalive", haproxy will make the server
2076
+ # believe it will keep the connection alive. The server will then not fall back
2077
+ # to the abnormal undesired above. When haproxy gets the whole response, it
2078
+ # will close the connection with the server just as it would do with the
2079
+ # "forceclose" option. That way the client gets a normal response and the
2080
+ # connection is correctly closed on the server side.
2081
+ #
2082
+ # It is recommended not to enable this option by default, because most servers
2083
+ # will more efficiently close the connection themselves after the last packet,
2084
+ # and release its buffers slightly earlier. Also, the added packet on the
2085
+ # network could slightly reduce the overall peak performance. However it is
2086
+ # worth noting that when this option is enabled, haproxy will have slightly
2087
+ # less work to do. So if haproxy is the bottleneck on the whole architecture,
2088
+ # enabling this option might save a few CPU cycles.
2089
+ #
2090
+ # This option may be set both in a frontend and in a backend. It is enabled if
2091
+ # at least one of the frontend or backend holding a connection has it enabled.
2092
+ # This option may be compbined with "option httpclose", which will cause
2093
+ # keepalive to be announced to the server and close to be announced to the
2094
+ # client. This practice is discouraged though.
2095
+ #
2096
+ # If this option has been enabled in a "defaults" section, it can be disabled
2097
+ # in a specific instance by prepending the "no" keyword before it.
2098
+ #
2099
+ # See also : "option forceclose" and "option http-server-close"
2100
+ #
2101
+ attr_accessor :option_http_pretend_keepalive
2102
+
2103
+ #
2104
+ # option http-server-close
2105
+ # no option http-server-close
2106
+ # Enable or disable HTTP connection closing on the server side
2107
+ # May be used in sections : defaults | frontend | listen | backend
2108
+ # yes | yes | yes | yes
2109
+ # Arguments : none
2110
+ #
2111
+ # By default, when a client communicates with a server, HAProxy will only
2112
+ # analyze, log, and process the first request of each connection. Setting
2113
+ # "option http-server-close" enables HTTP connection-close mode on the server
2114
+ # side while keeping the ability to support HTTP keep-alive and pipelining on
2115
+ # the client side. This provides the lowest latency on the client side (slow
2116
+ # network) and the fastest session reuse on the server side to save server
2117
+ # resources, similarly to "option forceclose". It also permits non-keepalive
2118
+ # capable servers to be served in keep-alive mode to the clients if they
2119
+ # conform to the requirements of RFC2616. Please note that some servers do not
2120
+ # always conform to those requirements when they see "Connection: close" in the
2121
+ # request. The effect will be that keep-alive will never be used. A workaround
2122
+ # consists in enabling "option http-pretend-keepalive".
2123
+ #
2124
+ # At the moment, logs will not indicate whether requests came from the same
2125
+ # session or not. The accept date reported in the logs corresponds to the end
2126
+ # of the previous request, and the request time corresponds to the time spent
2127
+ # waiting for a new request. The keep-alive request time is still bound to the
2128
+ # timeout defined by "timeout http-keep-alive" or "timeout http-request" if
2129
+ # not set.
2130
+ #
2131
+ # This option may be set both in a frontend and in a backend. It is enabled if
2132
+ # at least one of the frontend or backend holding a connection has it enabled.
2133
+ # It is worth noting that "option forceclose" has precedence over "option
2134
+ # http-server-close" and that combining "http-server-close" with "httpclose"
2135
+ # basically achieve the same result as "forceclose".
2136
+ #
2137
+ # If this option has been enabled in a "defaults" section, it can be disabled
2138
+ # in a specific instance by prepending the "no" keyword before it.
2139
+ #
2140
+ # See also : "option forceclose", "option http-pretend-keepalive",
2141
+ # "option httpclose" and "1.1. The HTTP transaction model".
2142
+ #
2143
+ attr_accessor :option_http_server_close
2144
+
2145
+ #
2146
+ # option http-use-proxy-header
2147
+ # no option http-use-proxy-header
2148
+ # Make use of non-standard Proxy-Connection header instead of Connection
2149
+ # May be used in sections : defaults | frontend | listen | backend
2150
+ # yes | yes | yes | no
2151
+ # Arguments : none
2152
+ #
2153
+ # While RFC2616 explicitly states that HTTP/1.1 agents must use the
2154
+ # Connection header to indicate their wish of persistent or non-persistent
2155
+ # connections, both browsers and proxies ignore this header for proxied
2156
+ # connections and make use of the undocumented, non-standard Proxy-Connection
2157
+ # header instead. The issue begins when trying to put a load balancer between
2158
+ # browsers and such proxies, because there will be a difference between what
2159
+ # haproxy understands and what the client and the proxy agree on.
2160
+ #
2161
+ # By setting this option in a frontend, haproxy can automatically switch to use
2162
+ # that non-standard header if it sees proxied requests. A proxied request is
2163
+ # defined here as one where the URI begins with neither a '/' nor a '*'. The
2164
+ # choice of header only affects requests passing through proxies making use of
2165
+ # one of the "httpclose", "forceclose" and "http-server-close" options. Note
2166
+ # that this option can only be specified in a frontend and will affect the
2167
+ # request along its whole life.
2168
+ #
2169
+ # Also, when this option is set, a request which requires authentication will
2170
+ # automatically switch to use proxy authentication headers if it is itself a
2171
+ # proxied request. That makes it possible to check or enforce authentication in
2172
+ # front of an existing proxy.
2173
+ #
2174
+ # This option should normally never be used, except in front of a proxy.
2175
+ #
2176
+ # See also : "option httpclose", "option forceclose" and "option
2177
+ # http-server-close".
2178
+ #
2179
+ attr_accessor :option_http_use_proxy_header
2180
+
2181
+ #
2182
+ # option httpclose
2183
+ # no option httpclose
2184
+ # Enable or disable passive HTTP connection closing
2185
+ # May be used in sections : defaults | frontend | listen | backend
2186
+ # yes | yes | yes | yes
2187
+ # Arguments : none
2188
+ #
2189
+ # By default, when a client communicates with a server, HAProxy will only
2190
+ # analyze, log, and process the first request of each connection. If "option
2191
+ # httpclose" is set, it will check if a "Connection: close" header is already
2192
+ # set in each direction, and will add one if missing. Each end should react to
2193
+ # this by actively closing the TCP connection after each transfer, thus
2194
+ # resulting in a switch to the HTTP close mode. Any "Connection" header
2195
+ # different from "close" will also be removed.
2196
+ #
2197
+ # It seldom happens that some servers incorrectly ignore this header and do not
2198
+ # close the connection eventhough they reply "Connection: close". For this
2199
+ # reason, they are not compatible with older HTTP 1.0 browsers. If this happens
2200
+ # it is possible to use the "option forceclose" which actively closes the
2201
+ # request connection once the server responds. Option "forceclose" also
2202
+ # releases the server connection earlier because it does not have to wait for
2203
+ # the client to acknowledge it.
2204
+ #
2205
+ # This option may be set both in a frontend and in a backend. It is enabled if
2206
+ # at least one of the frontend or backend holding a connection has it enabled.
2207
+ # If "option forceclose" is specified too, it has precedence over "httpclose".
2208
+ # If "option http-server-close" is enabled at the same time as "httpclose", it
2209
+ # basically achieves the same result as "option forceclose".
2210
+ #
2211
+ # If this option has been enabled in a "defaults" section, it can be disabled
2212
+ # in a specific instance by prepending the "no" keyword before it.
2213
+ #
2214
+ # See also : "option forceclose", "option http-server-close" and
2215
+ # "1.1. The HTTP transaction model".
2216
+ #
2217
+ attr_accessor :option_httpclose
2218
+
2219
+ #
2220
+ # option httplog [ clf ]
2221
+ # Enable logging of HTTP request, session state and timers
2222
+ # May be used in sections : defaults | frontend | listen | backend
2223
+ # yes | yes | yes | yes
2224
+ # Arguments :
2225
+ # clf if the "clf" argument is added, then the output format will be
2226
+ # the CLF format instead of HAProxy's default HTTP format. You can
2227
+ # use this when you need to feed HAProxy's logs through a specific
2228
+ # log analyser which only support the CLF format and which is not
2229
+ # extensible.
2230
+ #
2231
+ # By default, the log output format is very poor, as it only contains the
2232
+ # source and destination addresses, and the instance name. By specifying
2233
+ # "option httplog", each log line turns into a much richer format including,
2234
+ # but not limited to, the HTTP request, the connection timers, the session
2235
+ # status, the connections numbers, the captured headers and cookies, the
2236
+ # frontend, backend and server name, and of course the source address and
2237
+ # ports.
2238
+ #
2239
+ # This option may be set either in the frontend or the backend.
2240
+ #
2241
+ # If this option has been enabled in a "defaults" section, it can be disabled
2242
+ # in a specific instance by prepending the "no" keyword before it. Specifying
2243
+ # only "option httplog" will automatically clear the 'clf' mode if it was set
2244
+ # by default.
2245
+ #
2246
+ # See also : section 8 about logging.
2247
+ #
2248
+ attr_accessor :option_httplog
2249
+
2250
+ #
2251
+ # option http_proxy
2252
+ # no option http_proxy
2253
+ # Enable or disable plain HTTP proxy mode
2254
+ # May be used in sections : defaults | frontend | listen | backend
2255
+ # yes | yes | yes | yes
2256
+ # Arguments : none
2257
+ #
2258
+ # It sometimes happens that people need a pure HTTP proxy which understands
2259
+ # basic proxy requests without caching nor any fancy feature. In this case,
2260
+ # it may be worth setting up an HAProxy instance with the "option http_proxy"
2261
+ # set. In this mode, no server is declared, and the connection is forwarded to
2262
+ # the IP address and port found in the URL after the "http://" scheme.
2263
+ #
2264
+ # No host address resolution is performed, so this only works when pure IP
2265
+ # addresses are passed. Since this option's usage perimeter is rather limited,
2266
+ # it will probably be used only by experts who know they need exactly it. Last,
2267
+ # if the clients are susceptible of sending keep-alive requests, it will be
2268
+ # needed to add "option http_close" to ensure that all requests will correctly
2269
+ # be analyzed.
2270
+ #
2271
+ # If this option has been enabled in a "defaults" section, it can be disabled
2272
+ # in a specific instance by prepending the "no" keyword before it.
2273
+ #
2274
+ # Example :
2275
+ # # this backend understands HTTP proxy requests and forwards them directly.
2276
+ # backend direct_forward
2277
+ # option httpclose
2278
+ # option http_proxy
2279
+ #
2280
+ # See also : "option httpclose"
2281
+ #
2282
+ attr_accessor :option_http_proxy
2283
+
2284
+ #
2285
+ # option independant-streams
2286
+ # no option independant-streams
2287
+ # Enable or disable independant timeout processing for both directions
2288
+ # May be used in sections : defaults | frontend | listen | backend
2289
+ # yes | yes | yes | yes
2290
+ # Arguments : none
2291
+ #
2292
+ # By default, when data is sent over a socket, both the write timeout and the
2293
+ # read timeout for that socket are refreshed, because we consider that there is
2294
+ # activity on that socket, and we have no other means of guessing if we should
2295
+ # receive data or not.
2296
+ #
2297
+ # While this default behaviour is desirable for almost all applications, there
2298
+ # exists a situation where it is desirable to disable it, and only refresh the
2299
+ # read timeout if there are incoming data. This happens on sessions with large
2300
+ # timeouts and low amounts of exchanged data such as telnet session. If the
2301
+ # server suddenly disappears, the output data accumulates in the system's
2302
+ # socket buffers, both timeouts are correctly refreshed, and there is no way
2303
+ # to know the server does not receive them, so we don't timeout. However, when
2304
+ # the underlying protocol always echoes sent data, it would be enough by itself
2305
+ # to detect the issue using the read timeout. Note that this problem does not
2306
+ # happen with more verbose protocols because data won't accumulate long in the
2307
+ # socket buffers.
2308
+ #
2309
+ # When this option is set on the frontend, it will disable read timeout updates
2310
+ # on data sent to the client. There probably is little use of this case. When
2311
+ # the option is set on the backend, it will disable read timeout updates on
2312
+ # data sent to the server. Doing so will typically break large HTTP posts from
2313
+ # slow lines, so use it with caution.
2314
+ #
2315
+ # See also : "timeout client" and "timeout server"
2316
+ #
2317
+ attr_accessor :option_independant_streams
2318
+
2319
+ #
2320
+ # option log-separate-errors
2321
+ # no option log-separate-errors
2322
+ # Change log level for non-completely successful connections
2323
+ # May be used in sections : defaults | frontend | listen | backend
2324
+ # yes | yes | yes | no
2325
+ # Arguments : none
2326
+ #
2327
+ # Sometimes looking for errors in logs is not easy. This option makes haproxy
2328
+ # raise the level of logs containing potentially interesting information such
2329
+ # as errors, timeouts, retries, redispatches, or HTTP status codes 5xx. The
2330
+ # level changes from "info" to "err". This makes it possible to log them
2331
+ # separately to a different file with most syslog daemons. Be careful not to
2332
+ # remove them from the original file, otherwise you would lose ordering which
2333
+ # provides very important information.
2334
+ #
2335
+ # Using this option, large sites dealing with several thousand connections per
2336
+ # second may log normal traffic to a rotating buffer and only archive smaller
2337
+ # error logs.
2338
+ #
2339
+ # See also : "log", "dontlognull", "dontlog-normal" and section 8 about
2340
+ # logging.
2341
+ #
2342
+ attr_accessor :option_log_separate_errors
2343
+
2344
+ #
2345
+ # option logasap
2346
+ # no option logasap
2347
+ # Enable or disable early logging of HTTP requests
2348
+ # May be used in sections : defaults | frontend | listen | backend
2349
+ # yes | yes | yes | no
2350
+ # Arguments : none
2351
+ #
2352
+ # By default, HTTP requests are logged upon termination so that the total
2353
+ # transfer time and the number of bytes appear in the logs. When large objects
2354
+ # are being transferred, it may take a while before the request appears in the
2355
+ # logs. Using "option logasap", the request gets logged as soon as the server
2356
+ # sends the complete headers. The only missing information in the logs will be
2357
+ # the total number of bytes which will indicate everything except the amount
2358
+ # of data transferred, and the total time which will not take the transfer
2359
+ # time into account. In such a situation, it's a good practice to capture the
2360
+ # "Content-Length" response header so that the logs at least indicate how many
2361
+ # bytes are expected to be transferred.
2362
+ #
2363
+ # Examples :
2364
+ # listen http_proxy 0.0.0.0:80
2365
+ # mode http
2366
+ # option httplog
2367
+ # option logasap
2368
+ # log 192.168.2.200 local3
2369
+ #
2370
+ # >>> Feb 6 12:14:14 localhost \
2371
+ # haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
2372
+ # static/srv1 9/10/7/14/+30 200 +243 - - ---- 3/1/1/1/0 1/0 \
2373
+ # "GET /image.iso HTTP/1.0"
2374
+ #
2375
+ # See also : "option httplog", "capture response header", and section 8 about
2376
+ # logging.
2377
+ #
2378
+ attr_accessor :option_logasap
2379
+
2380
+ #
2381
+ # option nolinger
2382
+ # no option nolinger
2383
+ # Enable or disable immediate session resource cleaning after close
2384
+ # May be used in sections: defaults | frontend | listen | backend
2385
+ # yes | yes | yes | yes
2386
+ # Arguments : none
2387
+ #
2388
+ # When clients or servers abort connections in a dirty way (eg: they are
2389
+ # physically disconnected), the session timeouts triggers and the session is
2390
+ # closed. But it will remain in FIN_WAIT1 state for some time in the system,
2391
+ # using some resources and possibly limiting the ability to establish newer
2392
+ # connections.
2393
+ #
2394
+ # When this happens, it is possible to activate "option nolinger" which forces
2395
+ # the system to immediately remove any socket's pending data on close. Thus,
2396
+ # the session is instantly purged from the system's tables. This usually has
2397
+ # side effects such as increased number of TCP resets due to old retransmits
2398
+ # getting immediately rejected. Some firewalls may sometimes complain about
2399
+ # this too.
2400
+ #
2401
+ # For this reason, it is not recommended to use this option when not absolutely
2402
+ # needed. You know that you need it when you have thousands of FIN_WAIT1
2403
+ # sessions on your system (TIME_WAIT ones do not count).
2404
+ #
2405
+ # This option may be used both on frontends and backends, depending on the side
2406
+ # where it is required. Use it on the frontend for clients, and on the backend
2407
+ # for servers.
2408
+ #
2409
+ # If this option has been enabled in a "defaults" section, it can be disabled
2410
+ # in a specific instance by prepending the "no" keyword before it.
2411
+ #
2412
+ attr_accessor :option_nolinger
2413
+
2414
+ #
2415
+ # option originalto [ except <network> ] [ header <name> ]
2416
+ # Enable insertion of the X-Original-To header to requests sent to servers
2417
+ # May be used in sections : defaults | frontend | listen | backend
2418
+ # yes | yes | yes | yes
2419
+ # Arguments :
2420
+ # <network> is an optional argument used to disable this option for sources
2421
+ # matching <network>
2422
+ # <name> an optional argument to specify a different "X-Original-To"
2423
+ # header name.
2424
+ #
2425
+ # Since HAProxy can work in transparent mode, every request from a client can
2426
+ # be redirected to the proxy and HAProxy itself can proxy every request to a
2427
+ # complex SQUID environment and the destination host from SO_ORIGINAL_DST will
2428
+ # be lost. This is annoying when you want access rules based on destination ip
2429
+ # addresses. To solve this problem, a new HTTP header "X-Original-To" may be
2430
+ # added by HAProxy to all requests sent to the server. This header contains a
2431
+ # value representing the original destination IP address. Since this must be
2432
+ # configured to always use the last occurrence of this header only. Note that
2433
+ # only the last occurrence of the header must be used, since it is really
2434
+ # possible that the client has already brought one.
2435
+ #
2436
+ # The keyword "header" may be used to supply a different header name to replace
2437
+ # the default "X-Original-To". This can be useful where you might already
2438
+ # have a "X-Original-To" header from a different application, and you need
2439
+ # preserve it. Also if your backend server doesn't use the "X-Original-To"
2440
+ # header and requires different one.
2441
+ #
2442
+ # Sometimes, a same HAProxy instance may be shared between a direct client
2443
+ # access and a reverse-proxy access (for instance when an SSL reverse-proxy is
2444
+ # used to decrypt HTTPS traffic). It is possible to disable the addition of the
2445
+ # header for a known source address or network by adding the "except" keyword
2446
+ # followed by the network address. In this case, any source IP matching the
2447
+ # network will not cause an addition of this header. Most common uses are with
2448
+ # private networks or 127.0.0.1.
2449
+ #
2450
+ # This option may be specified either in the frontend or in the backend. If at
2451
+ # least one of them uses it, the header will be added. Note that the backend's
2452
+ # setting of the header subargument takes precedence over the frontend's if
2453
+ # both are defined.
2454
+ #
2455
+ # It is important to note that as long as HAProxy does not support keep-alive
2456
+ # connections, only the first request of a connection will receive the header.
2457
+ # For this reason, it is important to ensure that "option httpclose" is set
2458
+ # when using this option.
2459
+ #
2460
+ # Examples :
2461
+ # # Original Destination address
2462
+ # frontend www
2463
+ # mode http
2464
+ # option originalto except 127.0.0.1
2465
+ #
2466
+ # # Those servers want the IP Address in X-Client-Dst
2467
+ # backend www
2468
+ # mode http
2469
+ # option originalto header X-Client-Dst
2470
+ #
2471
+ # See also : "option httpclose"
2472
+ #
2473
+ attr_accessor :option_originalto
2474
+
2475
+ #
2476
+ # option socket-stats
2477
+ # no option socket-stats
2478
+ #
2479
+ # Enable or disable collecting & providing separate statistics for each socket.
2480
+ # May be used in sections : defaults | frontend | listen | backend
2481
+ # yes | yes | yes | no
2482
+ #
2483
+ # Arguments : none
2484
+ #
2485
+ attr_accessor :option_socket_stats
2486
+
2487
+ #
2488
+ # option splice-auto
2489
+ # no option splice-auto
2490
+ # Enable or disable automatic kernel acceleration on sockets in both directions
2491
+ # May be used in sections : defaults | frontend | listen | backend
2492
+ # yes | yes | yes | yes
2493
+ # Arguments : none
2494
+ #
2495
+ # When this option is enabled either on a frontend or on a backend, haproxy
2496
+ # will automatically evaluate the opportunity to use kernel tcp splicing to
2497
+ # forward data between the client and the server, in either direction. Haproxy
2498
+ # uses heuristics to estimate if kernel splicing might improve performance or
2499
+ # not. Both directions are handled independently. Note that the heuristics used
2500
+ # are not much aggressive in order to limit excessive use of splicing. This
2501
+ # option requires splicing to be enabled at compile time, and may be globally
2502
+ # disabled with the global option "nosplice". Since splice uses pipes, using it
2503
+ # requires that there are enough spare pipes.
2504
+ #
2505
+ # Important note: kernel-based TCP splicing is a Linux-specific feature which
2506
+ # first appeared in kernel 2.6.25. It offers kernel-based acceleration to
2507
+ # transfer data between sockets without copying these data to user-space, thus
2508
+ # providing noticeable performance gains and CPU cycles savings. Since many
2509
+ # early implementations are buggy, corrupt data and/or are inefficient, this
2510
+ # feature is not enabled by default, and it should be used with extreme care.
2511
+ # While it is not possible to detect the correctness of an implementation,
2512
+ # 2.6.29 is the first version offering a properly working implementation. In
2513
+ # case of doubt, splicing may be globally disabled using the global "nosplice"
2514
+ # keyword.
2515
+ #
2516
+ # Example :
2517
+ # option splice-auto
2518
+ #
2519
+ # If this option has been enabled in a "defaults" section, it can be disabled
2520
+ # in a specific instance by prepending the "no" keyword before it.
2521
+ #
2522
+ # See also : "option splice-request", "option splice-response", and global
2523
+ # options "nosplice" and "maxpipes"
2524
+ #
2525
+ attr_accessor :option_splice_auto
2526
+
2527
+ #
2528
+ # option splice-request
2529
+ # no option splice-request
2530
+ # Enable or disable automatic kernel acceleration on sockets for requests
2531
+ # May be used in sections : defaults | frontend | listen | backend
2532
+ # yes | yes | yes | yes
2533
+ # Arguments : none
2534
+ #
2535
+ # When this option is enabled either on a frontend or on a backend, haproxy
2536
+ # will user kernel tcp splicing whenever possible to forward data going from
2537
+ # the client to the server. It might still use the recv/send scheme if there
2538
+ # are no spare pipes left. This option requires splicing to be enabled at
2539
+ # compile time, and may be globally disabled with the global option "nosplice".
2540
+ # Since splice uses pipes, using it requires that there are enough spare pipes.
2541
+ #
2542
+ # Important note: see "option splice-auto" for usage limitations.
2543
+ #
2544
+ # Example :
2545
+ # option splice-request
2546
+ #
2547
+ # If this option has been enabled in a "defaults" section, it can be disabled
2548
+ # in a specific instance by prepending the "no" keyword before it.
2549
+ #
2550
+ # See also : "option splice-auto", "option splice-response", and global options
2551
+ # "nosplice" and "maxpipes"
2552
+ #
2553
+ attr_accessor :option_splice_request
2554
+
2555
+ #
2556
+ # option splice-response
2557
+ # no option splice-response
2558
+ # Enable or disable automatic kernel acceleration on sockets for responses
2559
+ # May be used in sections : defaults | frontend | listen | backend
2560
+ # yes | yes | yes | yes
2561
+ # Arguments : none
2562
+ #
2563
+ # When this option is enabled either on a frontend or on a backend, haproxy
2564
+ # will user kernel tcp splicing whenever possible to forward data going from
2565
+ # the server to the client. It might still use the recv/send scheme if there
2566
+ # are no spare pipes left. This option requires splicing to be enabled at
2567
+ # compile time, and may be globally disabled with the global option "nosplice".
2568
+ # Since splice uses pipes, using it requires that there are enough spare pipes.
2569
+ #
2570
+ # Important note: see "option splice-auto" for usage limitations.
2571
+ #
2572
+ # Example :
2573
+ # option splice-response
2574
+ #
2575
+ # If this option has been enabled in a "defaults" section, it can be disabled
2576
+ # in a specific instance by prepending the "no" keyword before it.
2577
+ #
2578
+ # See also : "option splice-auto", "option splice-request", and global options
2579
+ # "nosplice" and "maxpipes"
2580
+ #
2581
+ attr_accessor :option_splice_response
2582
+
2583
+ #
2584
+ # option tcp-smart-accept
2585
+ # no option tcp-smart-accept
2586
+ # Enable or disable the saving of one ACK packet during the accept sequence
2587
+ # May be used in sections : defaults | frontend | listen | backend
2588
+ # yes | yes | yes | no
2589
+ # Arguments : none
2590
+ #
2591
+ # When an HTTP connection request comes in, the system acknowledges it on
2592
+ # behalf of HAProxy, then the client immediately sends its request, and the
2593
+ # system acknowledges it too while it is notifying HAProxy about the new
2594
+ # connection. HAProxy then reads the request and responds. This means that we
2595
+ # have one TCP ACK sent by the system for nothing, because the request could
2596
+ # very well be acknowledged by HAProxy when it sends its response.
2597
+ #
2598
+ # For this reason, in HTTP mode, HAProxy automatically asks the system to avoid
2599
+ # sending this useless ACK on platforms which support it (currently at least
2600
+ # Linux). It must not cause any problem, because the system will send it anyway
2601
+ # after 40 ms if the response takes more time than expected to come.
2602
+ #
2603
+ # During complex network debugging sessions, it may be desirable to disable
2604
+ # this optimization because delayed ACKs can make troubleshooting more complex
2605
+ # when trying to identify where packets are delayed. It is then possible to
2606
+ # fall back to normal behaviour by specifying "no option tcp-smart-accept".
2607
+ #
2608
+ # It is also possible to force it for non-HTTP proxies by simply specifying
2609
+ # "option tcp-smart-accept". For instance, it can make sense with some services
2610
+ # such as SMTP where the server speaks first.
2611
+ #
2612
+ # It is recommended to avoid forcing this option in a defaults section. In case
2613
+ # of doubt, consider setting it back to automatic values by prepending the
2614
+ # "default" keyword before it, or disabling it using the "no" keyword.
2615
+ #
2616
+ # See also : "option tcp-smart-connect"
2617
+ #
2618
+ attr_accessor :option_tcp_smart_accept
2619
+
2620
+ #
2621
+ # option tcpka
2622
+ # Enable or disable the sending of TCP keepalive packets on both sides
2623
+ # May be used in sections : defaults | frontend | listen | backend
2624
+ # yes | yes | yes | yes
2625
+ # Arguments : none
2626
+ #
2627
+ # When there is a firewall or any session-aware component between a client and
2628
+ # a server, and when the protocol involves very long sessions with long idle
2629
+ # periods (eg: remote desktops), there is a risk that one of the intermediate
2630
+ # components decides to expire a session which has remained idle for too long.
2631
+ #
2632
+ # Enabling socket-level TCP keep-alives makes the system regularly send packets
2633
+ # to the other end of the connection, leaving it active. The delay between
2634
+ # keep-alive probes is controlled by the system only and depends both on the
2635
+ # operating system and its tuning parameters.
2636
+ #
2637
+ # It is important to understand that keep-alive packets are neither emitted nor
2638
+ # received at the application level. It is only the network stacks which sees
2639
+ # them. For this reason, even if one side of the proxy already uses keep-alives
2640
+ # to maintain its connection alive, those keep-alive packets will not be
2641
+ # forwarded to the other side of the proxy.
2642
+ #
2643
+ # Please note that this has nothing to do with HTTP keep-alive.
2644
+ #
2645
+ # Using option "tcpka" enables the emission of TCP keep-alive probes on both
2646
+ # the client and server sides of a connection. Note that this is meaningful
2647
+ # only in "defaults" or "listen" sections. If this option is used in a
2648
+ # frontend, only the client side will get keep-alives, and if this option is
2649
+ # used in a backend, only the server side will get keep-alives. For this
2650
+ # reason, it is strongly recommended to explicitly use "option clitcpka" and
2651
+ # "option srvtcpka" when the configuration is split between frontends and
2652
+ # backends.
2653
+ #
2654
+ # See also : "option clitcpka", "option srvtcpka"
2655
+ #
2656
+ attr_accessor :option_tcpka
2657
+
2658
+ #
2659
+ # option tcplog
2660
+ # Enable advanced logging of TCP connections with session state and timers
2661
+ # May be used in sections : defaults | frontend | listen | backend
2662
+ # yes | yes | yes | yes
2663
+ # Arguments : none
2664
+ #
2665
+ # By default, the log output format is very poor, as it only contains the
2666
+ # source and destination addresses, and the instance name. By specifying
2667
+ # "option tcplog", each log line turns into a much richer format including, but
2668
+ # not limited to, the connection timers, the session status, the connections
2669
+ # numbers, the frontend, backend and server name, and of course the source
2670
+ # address and ports. This option is useful for pure TCP proxies in order to
2671
+ # find which of the client or server disconnects or times out. For normal HTTP
2672
+ # proxies, it's better to use "option httplog" which is even more complete.
2673
+ #
2674
+ # This option may be set either in the frontend or the backend.
2675
+ #
2676
+ # See also : "option httplog", and section 8 about logging.
2677
+ #
2678
+ attr_accessor :option_tcplog
2679
+
2680
+ #
2681
+ # rate-limit sessions <rate>
2682
+ # Set a limit on the number of new sessions accepted per second on a frontend
2683
+ # May be used in sections : defaults | frontend | listen | backend
2684
+ # yes | yes | yes | no
2685
+ # Arguments :
2686
+ # <rate> The <rate> parameter is an integer designating the maximum number
2687
+ # of new sessions per second to accept on the frontend.
2688
+ #
2689
+ # When the frontend reaches the specified number of new sessions per second, it
2690
+ # stops accepting new connections until the rate drops below the limit again.
2691
+ # During this time, the pending sessions will be kept in the socket's backlog
2692
+ # (in system buffers) and haproxy will not even be aware that sessions are
2693
+ # pending. When applying very low limit on a highly loaded service, it may make
2694
+ # sense to increase the socket's backlog using the "backlog" keyword.
2695
+ #
2696
+ # This feature is particularly efficient at blocking connection-based attacks
2697
+ # or service abuse on fragile servers. Since the session rate is measured every
2698
+ # millisecond, it is extremely accurate. Also, the limit applies immediately,
2699
+ # no delay is needed at all to detect the threshold.
2700
+ #
2701
+ # Example : limit the connection rate on SMTP to 10 per second max
2702
+ # listen smtp
2703
+ # mode tcp
2704
+ # bind :25
2705
+ # rate-limit sessions 10
2706
+ # server 127.0.0.1:1025
2707
+ #
2708
+ # Note : when the maximum rate is reached, the frontend's status appears as
2709
+ # "FULL" in the statistics, exactly as when it is saturated.
2710
+ #
2711
+ # See also : the "backlog" keyword and the "fe_sess_rate" ACL criterion.
2712
+ #
2713
+ attr_accessor :rate_limit_sessions
2714
+
2715
+ #
2716
+ # timeout client <timeout>
2717
+ # timeout clitimeout <timeout> (deprecated)
2718
+ # Set the maximum inactivity time on the client side.
2719
+ # May be used in sections : defaults | frontend | listen | backend
2720
+ # yes | yes | yes | no
2721
+ # Arguments :
2722
+ # <timeout> is the timeout value specified in milliseconds by default, but
2723
+ # can be in any other unit if the number is suffixed by the unit,
2724
+ # as explained at the top of this document.
2725
+ #
2726
+ # The inactivity timeout applies when the client is expected to acknowledge or
2727
+ # send data. In HTTP mode, this timeout is particularly important to consider
2728
+ # during the first phase, when the client sends the request, and during the
2729
+ # response while it is reading data sent by the server. The value is specified
2730
+ # in milliseconds by default, but can be in any other unit if the number is
2731
+ # suffixed by the unit, as specified at the top of this document. In TCP mode
2732
+ # (and to a lesser extent, in HTTP mode), it is highly recommended that the
2733
+ # client timeout remains equal to the server timeout in order to avoid complex
2734
+ # situations to debug. It is a good practice to cover one or several TCP packet
2735
+ # losses by specifying timeouts that are slightly above multiples of 3 seconds
2736
+ # (eg: 4 or 5 seconds).
2737
+ #
2738
+ # This parameter is specific to frontends, but can be specified once for all in
2739
+ # "defaults" sections. This is in fact one of the easiest solutions not to
2740
+ # forget about it. An unspecified timeout results in an infinite timeout, which
2741
+ # is not recommended. Such a usage is accepted and works but reports a warning
2742
+ # during startup because it may results in accumulation of expired sessions in
2743
+ # the system if the system's timeouts are not configured either.
2744
+ #
2745
+ # This parameter replaces the old, deprecated "clitimeout". It is recommended
2746
+ # to use it to write new configurations. The form "timeout clitimeout" is
2747
+ # provided only by backwards compatibility but its use is strongly discouraged.
2748
+ #
2749
+ # See also : "clitimeout", "timeout server".
2750
+ #
2751
+ attr_accessor :timeout_client
2752
+
2753
+ #
2754
+ # timeout http-keep-alive <timeout>
2755
+ # Set the maximum allowed time to wait for a new HTTP request to appear
2756
+ # May be used in sections : defaults | frontend | listen | backend
2757
+ # yes | yes | yes | yes
2758
+ # Arguments :
2759
+ # <timeout> is the timeout value specified in milliseconds by default, but
2760
+ # can be in any other unit if the number is suffixed by the unit,
2761
+ # as explained at the top of this document.
2762
+ #
2763
+ # By default, the time to wait for a new request in case of keep-alive is set
2764
+ # by "timeout http-request". However this is not always convenient because some
2765
+ # people want very short keep-alive timeouts in order to release connections
2766
+ # faster, and others prefer to have larger ones but still have short timeouts
2767
+ # once the request has started to present itself.
2768
+ #
2769
+ # The "http-keep-alive" timeout covers these needs. It will define how long to
2770
+ # wait for a new HTTP request to start coming after a response was sent. Once
2771
+ # the first byte of request has been seen, the "http-request" timeout is used
2772
+ # to wait for the complete request to come. Note that empty lines prior to a
2773
+ # new request do not refresh the timeout and are not counted as a new request.
2774
+ #
2775
+ # There is also another difference between the two timeouts : when a connection
2776
+ # expires during timeout http-keep-alive, no error is returned, the connection
2777
+ # just closes. If the connection expires in "http-request" while waiting for a
2778
+ # connection to complete, a HTTP 408 error is returned.
2779
+ #
2780
+ # In general it is optimal to set this value to a few tens to hundreds of
2781
+ # milliseconds, to allow users to fetch all objects of a page at once but
2782
+ # without waiting for further clicks. Also, if set to a very small value (eg:
2783
+ # 1 millisecond) it will probably only accept pipelined requests but not the
2784
+ # non-pipelined ones. It may be a nice trade-off for very large sites running
2785
+ # with tens to hundreds of thousands of clients.
2786
+ #
2787
+ # If this parameter is not set, the "http-request" timeout applies, and if both
2788
+ # are not set, "timeout client" still applies at the lower level. It should be
2789
+ # set in the frontend to take effect, unless the frontend is in TCP mode, in
2790
+ # which case the HTTP backend's timeout will be used.
2791
+ #
2792
+ # See also : "timeout http-request", "timeout client".
2793
+ #
2794
+ attr_accessor :timeout_http_keep_alive
2795
+
2796
+ #
2797
+ # timeout http-request <timeout>
2798
+ # Set the maximum allowed time to wait for a complete HTTP request
2799
+ # May be used in sections : defaults | frontend | listen | backend
2800
+ # yes | yes | yes | yes
2801
+ # Arguments :
2802
+ # <timeout> is the timeout value specified in milliseconds by default, but
2803
+ # can be in any other unit if the number is suffixed by the unit,
2804
+ # as explained at the top of this document.
2805
+ #
2806
+ # In order to offer DoS protection, it may be required to lower the maximum
2807
+ # accepted time to receive a complete HTTP request without affecting the client
2808
+ # timeout. This helps protecting against established connections on which
2809
+ # nothing is sent. The client timeout cannot offer a good protection against
2810
+ # this abuse because it is an inactivity timeout, which means that if the
2811
+ # attacker sends one character every now and then, the timeout will not
2812
+ # trigger. With the HTTP request timeout, no matter what speed the client
2813
+ # types, the request will be aborted if it does not complete in time.
2814
+ #
2815
+ # Note that this timeout only applies to the header part of the request, and
2816
+ # not to any data. As soon as the empty line is received, this timeout is not
2817
+ # used anymore. It is used again on keep-alive connections to wait for a second
2818
+ # request if "timeout http-keep-alive" is not set.
2819
+ #
2820
+ # Generally it is enough to set it to a few seconds, as most clients send the
2821
+ # full request immediately upon connection. Add 3 or more seconds to cover TCP
2822
+ # retransmits but that's all. Setting it to very low values (eg: 50 ms) will
2823
+ # generally work on local networks as long as there are no packet losses. This
2824
+ # will prevent people from sending bare HTTP requests using telnet.
2825
+ #
2826
+ # If this parameter is not set, the client timeout still applies between each
2827
+ # chunk of the incoming request. It should be set in the frontend to take
2828
+ # effect, unless the frontend is in TCP mode, in which case the HTTP backend's
2829
+ # timeout will be used.
2830
+ #
2831
+ # See also : "timeout http-keep-alive", "timeout client".
2832
+ #
2833
+ attr_accessor :timeout_http_request
2834
+
2835
+ #
2836
+ # timeout tarpit <timeout>
2837
+ # Set the duration for which tarpitted connections will be maintained
2838
+ # May be used in sections : defaults | frontend | listen | backend
2839
+ # yes | yes | yes | yes
2840
+ # Arguments :
2841
+ # <timeout> is the tarpit duration specified in milliseconds by default, but
2842
+ # can be in any other unit if the number is suffixed by the unit,
2843
+ # as explained at the top of this document.
2844
+ #
2845
+ # When a connection is tarpitted using "reqtarpit", it is maintained open with
2846
+ # no activity for a certain amount of time, then closed. "timeout tarpit"
2847
+ # defines how long it will be maintained open.
2848
+ #
2849
+ # The value is specified in milliseconds by default, but can be in any other
2850
+ # unit if the number is suffixed by the unit, as specified at the top of this
2851
+ # document. If unspecified, the same value as the backend's connection timeout
2852
+ # ("timeout connect") is used, for backwards compatibility with older versions
2853
+ # with no "timeout tarpit" parameter.
2854
+ #
2855
+ # See also : "timeout connect", "contimeout".
2856
+ #
2857
+ attr_accessor :timeout_tarpit
2858
+
2859
+ attr_accessor :reqisetbe
2860
+ attr_accessor :reqsetbe
2861
+
2862
+ #
2863
+ # name <name>
2864
+ # The frontend name is required.
2865
+ #
2866
+ attr_accessor :name
2867
+
2868
+ #
2869
+ # Returns a new RhaproxyFrontend Object
2870
+ #
2871
+ def initialize()
2872
+ end
2873
+
2874
+ #
2875
+ # Compile the HAproxy frontend configuration
2876
+ #
2877
+ def config
2878
+
2879
+ if @name
2880
+
2881
+ conf = option_string()
2882
+
2883
+ return conf
2884
+
2885
+ else
2886
+
2887
+ puts "frontend name not defined"
2888
+
2889
+ return false
2890
+
2891
+ end
2892
+
2893
+ end
2894
+
2895
+ private
2896
+
2897
+ def option_string()
2898
+
2899
+ ostring = " " + "frontend " + @name + "\n"
2900
+
2901
+ if @acl
2902
+ ostring += " " + "acl " + @acl.to_s + "\n"
2903
+ end
2904
+
2905
+ if @bind
2906
+ ostring += " " + "bind " + @bind.to_s + "\n"
2907
+ end
2908
+
2909
+ if @block
2910
+ ostring += " " + "block " + @block.to_s + "\n"
2911
+ end
2912
+
2913
+ if @capture_cookie
2914
+ ostring += " " + "capture cookie " + @capture_cookie.to_s + "\n"
2915
+ end
2916
+
2917
+ if @capture_request_header
2918
+ ostring += " " + "capture request header " + @capture_request_header.to_s + "\n"
2919
+ end
2920
+
2921
+ if @capture_response_header
2922
+ ostring += " " + "capture response header " + @capture_response_header.to_s + "\n"
2923
+ end
2924
+
2925
+ if @force_persist
2926
+ ostring += " " + "force-persist " + @force_persist.to_s + "\n"
2927
+ end
2928
+
2929
+ if @http_request
2930
+ ostring += " " + "http-request " + @http_request.to_s + "\n"
2931
+ end
2932
+
2933
+ if @persistent_id
2934
+ ostring += " " + "id " + @persistent_id.to_s + "\n"
2935
+ end
2936
+
2937
+ if @ignore_persist
2938
+ ostring += " " + "ignore persist " + @ignore_persist.to_s + "\n"
2939
+ end
2940
+
2941
+ if @monitor_fail
2942
+ ostring += " " + "monitor fail " + @monitor_fail.to_s + "\n"
2943
+ end
2944
+
2945
+ if @option_ignore_presist
2946
+ ostring += " " + "option ignore-presist " + @option_ignore_presist.to_s + "\n"
2947
+ end
2948
+
2949
+ if @redirect
2950
+ ostring += " " + "redirect " + @redirect.to_s + "\n"
2951
+ end
2952
+
2953
+ if @reqadd
2954
+ ostring += " " + "reqadd " + @reqadd.to_s + "\n"
2955
+ end
2956
+
2957
+ if @reqallow
2958
+ ostring += " " + "reqallow " + @reqallow.to_s + "\n"
2959
+ end
2960
+
2961
+ if @reqiallow
2962
+ ostring += " " + "reqiallow " + @reqiallow.to_s + "\n"
2963
+ end
2964
+
2965
+ if @reqdel
2966
+ ostring += " " + "reqdel " + @reqdel.to_s + "\n"
2967
+ end
2968
+
2969
+ if @reqidel
2970
+ ostring += " " + "reqidel " + @reqidel.to_s + "\n"
2971
+ end
2972
+
2973
+ if @reqdeny
2974
+ ostring += " " + "reqdeny " + @reqdeny.to_s + "\n"
2975
+ end
2976
+
2977
+ if @reqideny
2978
+ ostring += " " + "reqideny " + @reqideny.to_s + "\n"
2979
+ end
2980
+
2981
+ if @reqpass
2982
+ ostring += " " + "reqpass " + @reqpass.to_s + "\n"
2983
+ end
2984
+
2985
+ if @reqipass
2986
+ ostring += " " + "reqipass " + @reqipass.to_s + "\n"
2987
+ end
2988
+
2989
+ if @reqrep
2990
+ ostring += " " + "reqrep " + @reqrep.to_s + "\n"
2991
+ end
2992
+
2993
+ if @reqirep
2994
+ ostring += " " + "reqirep " + @reqirep.to_s + "\n"
2995
+ end
2996
+
2997
+ if @reqtarpit
2998
+ ostring += " " + "reqtarpit " + @reqtarpit.to_s + "\n"
2999
+ end
3000
+
3001
+ if @reqitarpit
3002
+ ostring += " " + "reqitarpit " + @reqitarpit.to_s + "\n"
3003
+ end
3004
+
3005
+ if @rspadd
3006
+ ostring += " " + "rspadd " + @rspadd.to_s + "\n"
3007
+ end
3008
+
3009
+ if @rspdel
3010
+ ostring += " " + "rspdel " + @rspdel.to_s + "\n"
3011
+ end
3012
+
3013
+ if @rspidel
3014
+ ostring += " " + "rspidel " + @rspidel.to_s + "\n"
3015
+ end
3016
+
3017
+ if @rspdeny
3018
+ ostring += " " + "rspdeny " + @rspdeny.to_s + "\n"
3019
+ end
3020
+
3021
+ if @rspideny
3022
+ ostring += " " + "rspideny " + @rspideny.to_s + "\n"
3023
+ end
3024
+
3025
+ if @rspirep
3026
+ ostring += " " + "rspirep " + @rspirep.to_s + "\n"
3027
+ end
3028
+
3029
+ if @rsprep
3030
+ ostring += " " + "rsprep " + @rsprep.to_s + "\n"
3031
+ end
3032
+
3033
+ if @tcp_request_connection
3034
+ ostring += " " + "tcp-request connection " + @tcp_request_connection.to_s + "\n"
3035
+ end
3036
+
3037
+ if @tcp_request_content
3038
+ ostring += " " + "tcp-request content " + @tcp_request_content.to_s + "\n"
3039
+ end
3040
+
3041
+ if @tcp_request_inspect_delay
3042
+ ostring += " " + "tcp-request inspect-delay " + @tcp_request_inspect_delay.to_s + "\n"
3043
+ end
3044
+
3045
+ if @use_backend
3046
+ ostring += " " + "use_backend " + @use_backend.to_s + "\n"
3047
+ end
3048
+
3049
+ if @description
3050
+ ostring += " " + "description " + @description.to_s + "\n"
3051
+ end
3052
+
3053
+ if @reqisetbe
3054
+ ostring += " " + "reqisetbe " + @reqisetbe.to_s + "\n"
3055
+ end
3056
+
3057
+ if @reqsetbe
3058
+ ostring += " " + "reqsetbe " + @reqsetbe.to_s + "\n"
3059
+ end
3060
+
3061
+ if @backlog
3062
+ ostring += " " + "backlog " + @backlog.to_s + "\n"
3063
+ end
3064
+
3065
+ if @bind_process
3066
+ ostring += " " + "bind-process " + @bind_process.to_s + "\n"
3067
+ end
3068
+
3069
+ if @default_backend
3070
+ ostring += " " + "default_backend " + @default_backend.to_s + "\n"
3071
+ end
3072
+
3073
+ if @disabled
3074
+ ostring += " " + "disabled " + "\n"
3075
+ end
3076
+
3077
+ if @enabled
3078
+ ostring += " " + "enabled " + "\n"
3079
+ end
3080
+
3081
+ if @errorfile
3082
+ ostring += " " + "errorfile " + @errorfile.to_s + "\n"
3083
+ end
3084
+
3085
+ if @errorloc
3086
+ ostring += " " + "errorloc " + @errorloc.to_s + "\n"
3087
+ end
3088
+
3089
+ if @errorloc302
3090
+ ostring += " " + "errorloc302 " + @errorloc302.to_s + "\n"
3091
+ end
3092
+
3093
+ if @errorloc303
3094
+ ostring += " " + "errorloc303 " + @errorloc303.to_s + "\n"
3095
+ end
3096
+
3097
+ if @grace
3098
+ ostring += " " + "grace " + @grace.to_s + "\n"
3099
+ end
3100
+
3101
+ if @log
3102
+ ostring += " " + "log " + @log.to_s + "\n"
3103
+ end
3104
+
3105
+ if @maxconn
3106
+ ostring += " " + "maxconn " + @maxconn.to_s + "\n"
3107
+ end
3108
+
3109
+ if @mode
3110
+ ostring += " " + "mode " + @mode.to_s + "\n"
3111
+ end
3112
+
3113
+ if @monitor_net
3114
+ ostring += " " + "monitor-net " + @monitor_net.to_s + "\n"
3115
+ end
3116
+
3117
+ if @monitor_uri
3118
+ ostring += " " + "monitor-uri " + @monitor_uri.to_s + "\n"
3119
+ end
3120
+
3121
+ if @option_accept_invalid_http_request
3122
+ ostring += " " + "option accept-invalid-http-request " + "\n"
3123
+ end
3124
+
3125
+ if @option_clitcpka
3126
+ ostring += " " + "option clitcpka " + "\n"
3127
+ end
3128
+
3129
+ if @option_contstats
3130
+ ostring += " " + "option contstats " + "\n"
3131
+ end
3132
+
3133
+ if @option_dontlog_normal
3134
+ ostring += " " + "option dontlog-normal " + "\n"
3135
+ end
3136
+
3137
+ if @option_dontlognull
3138
+ ostring += " " + "option dontlognull " + "\n"
3139
+ end
3140
+
3141
+ if @option_forceclose
3142
+ ostring += " " + "option forceclose " + "\n"
3143
+ end
3144
+
3145
+ if @option_forwardfor
3146
+ ostring += " " + "option forwardfor " + @option_forwardfor.to_s + "\n"
3147
+ end
3148
+
3149
+ if @option_http_pretend_keepalive
3150
+ ostring += " " + "option http-pretend-keepalive " + "\n"
3151
+ end
3152
+
3153
+ if @option_http_server_close
3154
+ ostring += " " + "option http-server-close " + "\n"
3155
+ end
3156
+
3157
+ if @option_http_use_proxy_header
3158
+ ostring += " " + "option http-use-proxy-header " + "\n"
3159
+ end
3160
+
3161
+ if @option_httpclose
3162
+ ostring += " " + "option httpclose " + "\n"
3163
+ end
3164
+
3165
+ if @option_httplog
3166
+ ostring += " " + "option httplog " + "\n"
3167
+ end
3168
+
3169
+ if @option_httplog_clf
3170
+ ostring += " " + "option httplog " + @option_httplog_clf.to_s + "\n"
3171
+ end
3172
+
3173
+ if @option_http_proxy
3174
+ ostring += " " + "option http_proxy " + "\n"
3175
+ end
3176
+
3177
+ if @option_independant_streams
3178
+ ostring += " " + "option independant-streams " + "\n"
3179
+ end
3180
+
3181
+ if @option_log_separate_errors
3182
+ ostring += " " + "option log-separate-errors " + "\n"
3183
+ end
3184
+
3185
+ if @option_logasap
3186
+ ostring += " " + "option logasap " + "\n"
3187
+ end
3188
+
3189
+ if @option_nolinger
3190
+ ostring += " " + "option nolinger " + "\n"
3191
+ end
3192
+
3193
+ if @option_originalto
3194
+ ostring += " " + "option originalto " + @option_originalto.to_s + "\n"
3195
+ end
3196
+
3197
+ if @option_socket_stats
3198
+ ostring += " " + "option socket-stats " + "\n"
3199
+ end
3200
+
3201
+ if @option_splice_auto
3202
+ ostring += " " + "option splice-auto " + "\n"
3203
+ end
3204
+
3205
+ if @option_splice_request
3206
+ ostring += " " + "option splice-request " + "\n"
3207
+ end
3208
+
3209
+ if @option_splice_response
3210
+ ostring += " " + "option splice-response " + "\n"
3211
+ end
3212
+
3213
+ if @option_tcp_smart_accept
3214
+ ostring += " " + "option tcp-smart-accept " + "\n"
3215
+ end
3216
+
3217
+ if @option_tcpka
3218
+ ostring += " " + "option tcpka " + "\n"
3219
+ end
3220
+
3221
+ if @option_tcplog
3222
+ ostring += " " + "option tcplog " + "\n"
3223
+ end
3224
+
3225
+ if @rate_limit_sessions
3226
+ ostring += " " + "rate-limit sessions " + @rate_limit_sessions.to_s + "\n"
3227
+ end
3228
+
3229
+ if @timeout_client
3230
+ ostring += " " + "timeout client " + @timeout_client.to_s + "\n"
3231
+ end
3232
+
3233
+ if @timeout_http_keep_alive
3234
+ ostring += " " + "timeout http-keep-alive " + @timeout_http_keep_alive.to_s + "\n"
3235
+ end
3236
+
3237
+ if @timeout_http_request
3238
+ ostring += " " + "timeout http-request " + @timeout_http_request.to_s + "\n"
3239
+ end
3240
+
3241
+ if @timeout_tarpit
3242
+ ostring += " " + "timeout tarpit " + @timeout_tarpit.to_s + "\n"
3243
+ end
3244
+
3245
+ ostring += "\n"
3246
+
3247
+ return ostring
3248
+
3249
+ end
3250
+ end
3251
+