This is the default mode if the option is not set. Since most sites do not need any sort of persistence before the first POST which generally is a login request, this is a very efficient method to optimize caching without risking to find a persistence cookie in the cache. The new documentations are available here: Contrary to maxidle, this value is not refreshed, only the first visit date counts. This is the default mode if the option is not set.


By default, unless the "indirect" option is added, the server will see the cookies emitted by the client. Due to caching effects, it is generally wise to add the "nocache" or "postonly" keywords see below. The "insert" keyword is not compatible with "rewrite" and "prefix". This may be needed in some specific environments where the client does not support more than one single cookie and the application already needs it.

The prefix will be removed from all client requests so that the server still finds the cookie it emitted. Since all requests and responses are subject to being modified, this mode doesn't work with tunnel mode. The "prefix" keyword is not compatible with "rewrite" and "insert".

If the server sets such a cookie itself, it will be removed, unless the "preserve" option is also set. In "insert" mode, this will additionally remove cookies from the requests transmitted to the server, making the persistence mechanism totally transparent from an application point of view. This is important because if all persistence cookies are added on a cacheable home page for instance, then all customers will then fetch the page from an outer cache and will all share the same persistence cookie, leading to one server receiving much more traffic than others.

See also the "insert" and "postonly" options. It is an alternative to the "nocache" option, because POST responses are not cacheable, so this ensures that the persistence cookie will never get cached. Since most sites do not need any sort of persistence before the first POST which generally is a login request, this is a very efficient method to optimize caching without risking to find a persistence cookie in the cache. See also the "insert" and "nocache" options.

It allows the server to emit the persistence cookie itself. In this case, if a cookie is found in the response, haproxy will leave it untouched.

This is useful in order to end persistence after a logout request for instance. For this, the server just has to emit a cookie with an invalid value e. By combining this mechanism with the "disable-on" check option, it is possible to perform a completely graceful shutdown because users will definitely leave the server after they logout.

This attribute is used so that a user agent doesn't share the cookie with non-HTTP components. Please check RFC for more information on this attribute. It requires exactly one parameter: If the domain begins with a dot, the browser is allowed to use it for any host ending with that name. It is also possible to specify several domain names by invoking this option multiple times. Some browsers might have small limits on the number of domains, so be careful when doing that.

It only works with insert-mode cookies. When a cookie is sent to the client, the date this cookie was emitted is sent too. Upon further presentations of this cookie, if the date is older than the delay indicated by the parameter in seconds , it will be ignored. Otherwise, it will be refreshed if needed when the response is sent to the client. This is particularly useful to prevent users who never close their browsers from remaining for too long on the same server e.

When this option is set and a cookie has no date, it is always accepted, but gets refreshed in the response. This maintains the ability for admins to access their sites. Cookies that have a date in the future further than 24 hours are ignored. Doing so lets admins fix timezone issues without risking kicking users off the site. It only works with insert mode cookies.

When a cookie is first sent to the client, the date this cookie was emitted is sent too. If the cookie in the request has no date, it is accepted and a date will be set. Contrary to maxidle, this value is not refreshed, only the first visit date counts. Both maxidle and maxlife may be used at the time. This is stronger than the maxidle method in that it forces a redispatch after some absolute delay. When used, a session cookie is dynamically created for each server, based on the IP and port of the server, and a secret key, specified in the " dynamic-cookie-key " backend directive.

The " default-server " keyword accepts an important number of options and has a complete section dedicated to it. Please refer to section 5 for more details. Alphabetically sorted keywords reference Server and default-server options ". Alternatively, a resolvable hostname is supported, but this name will be resolved during start-up. All connections will be sent to this port, and it is not permitted to use port offsets as is possible with normal servers.

The secret key to be used. Peers Alphabetically sorted keywords reference Server and default-server options ". Currently, HAProxy is capable of generating codes , , , , , , , , , , and It is recommended to follow the common practice of appending ". It may contain either a relative URI to an error page hosted on the same site, or an absolute URI designating an error page on another site.

Special care should be given to relative URIs to avoid redirect loops if the URI itself may generate the same error e. Officially supported filters are referenced in section 9. The parsing of these parameters are the responsibility of the filter. Please refer to the documentation of the corresponding filter section 9 for all details on the supported parameters.

The servers will accept between and concurrent connections each and the maximum of will be reached when the backend reaches connections. Performance tuning Alphabetically sorted keywords reference Bind options Server and default-server options ", " server ".

The hashes will be very smooth, will consider weights, but will be static in that weight changes while a server is up will be ignored. This means that there will be no slow start. Also, since a server is selected by its position in the array, most mappings are changed when the server count changes. This means that when a server goes up or down, or when a server is added to a farm, most connections will be redistributed to different servers.

This can be inconvenient with caches for instance. The hash key is looked up in the tree and the closest server is chosen. This hash is dynamic, it supports changing weights while the servers are up, so it is compatible with the slow start feature. It has the advantage that when a server goes up or down, only its associations are moved. When a server is added to the farm, only a few part of the mappings are redistributed, making it an ideal method for caches. However, due to its principle, the distribution will never be very smooth and it may sometimes be necessary to adjust a server's weight or its ID to get a more balanced distribution.

In order to get the same distribution on multiple load balancers, it is important that all servers have the exact same IDs. It was found to do well in scrambling bits, causing better distribution of the keys and fewer splits. It also happens to be a good general hashing function with good distribution, unless the total server weight is a multiple of 64, in which case applying the avalanche modifier may help. Studies have shown that for certain workload this function provides a better distribution than sdbm.

It generally works well with text-based inputs though it can perform extremely poorly with numeric-only input or when the total server weight is a multiple of 33, unless the avalanche modifier is also used. It is not as smooth as the other ones, but is much less sensible to the input data set or to the number of servers.

It is slower than the other ones but may provide a better distribution or less predictable results especially when used on strings. The purpose of this step is to mix the resulting bits from the previous hash in order to avoid any undesired effect when the input contains some limited values or when the number of servers is a multiple of one of the hash's components 64 for SDBM, 33 for DJB2.

Enabling avalanche tends to make the result less predictable, but it's also not as smooth as when using the original function. Some testing might be needed with some workloads. This hash is one of the many proposed by Bob Jenkins. The keyword may be one of " status ", "rstatus", "string", or "rstring". The keyword may be preceded by an exclamation mark "!

Spaces are allowed between the exclamation mark and the keyword. See below for more details on the supported keywords. It may be a string or a regular expression.

Proxy section Alphabetically sorted keywords reference ", section 3. If not set, then the backend name is used as a file name. This is the most common usage. Only one " log global " statement may be used per instance, and this form takes no other parameter. It takes the same format as for the "global" section's logs, and can be one of: If no port is specified, is used by default the standard syslog port. Log lines larger than this value will be truncated before being sent. The reason is that syslog servers act differently on log line length.

All servers support the default value of , but some servers simply drop larger lines while others do log them. If a server supports long lines, it may make sense to set this value here in order to avoid truncating long lines.

Similarly, if a server drops long lines, it is preferable to truncate them before sending them. Accepted values are 80 to inclusive. The default value of is generally fine for all standard usages. Some specific cases of long captures or JSON-formatted logs may require larger values. By default, all messages are sent. If a level is specified, only messages with a severity at least as important as this level will be sent.

An optional minimum level can be specified. If it is set, logs emitted with a more severe level than this one will be capped to this level. This is used to avoid sending "emerg" messages on all terminals on some default syslog configurations. Eight levels are known: Performance tuning Alphabetically sorted keywords reference Bind options Server and default-server options " and cookie persistence.

Excess connections will be queued by the system in the socket's listen queue and will be served once a connection closes. Performance tuning Alphabetically sorted keywords reference Bind options Server and default-server options ", " fullconn ".

A full-duplex connection will be established between clients and servers, and no layer 7 examination will be performed. This is the default mode. The client request will be analyzed in depth before connecting to any server. Any request which is not RFC-compliant will be rejected. Layer 7 filtering, processing and switching will be possible. This is the mode which brings HAProxy most of its value. It will just reply "OK" to incoming connections and close the connection.

Nothing will be logged in either case. This mode is used to reply to external components health checks. This mode is deprecated and should not be used anymore as it is possible to do the same and even better by combining TCP or HTTP modes with the " monitor " keyword. The condition should describe a combined test which must induce a failure if all conditions are met, for instance a low number of servers both in a backend and its backup.

Such a condition may be based on a test on the presence of a minimum number of active servers in a list of backends. Performance tuning Alphabetically sorted keywords reference Bind options Server and default-server options " and " maxqueue " parameters. Process management and security Alphabetically sorted keywords reference ", " dontlognull ", " log-separate-errors " and section 8 about logging. Process management and security Alphabetically sorted keywords reference ", " http-ignore-probes ", " monitor-net ", " monitor-uri ", and section 8 about logging.

Public HTTP address also used by stunnel on the same machine frontend www mode http option forwardfor except Process management and security Alphabetically sorted keywords reference ", " dontlognull ", " errorfile ", and section 8 about logging. The HTTP transaction model". Any method may be used, though it is not recommended to invent non-standard ones. Query strings are permitted.

You can use this when you need to feed HAProxy's logs through a specific log analyzer which only support the CLF format and which is not extensible. Process management and security Alphabetically sorted keywords reference ", " external-check command ", " external-check path ". Process management and security Alphabetically sorted keywords reference " and section 8 about logging.

Process management and security Alphabetically sorted keywords reference ", " dontlognull ", " dontlog-normal " and section 8 about logging. Original Destination address frontend www mode http option originalto except Positive value P indicates a redispatch is desired on every Pth retry, and negative value N indicate a redispatch is desired on the Nth retry prior to the last retry.

For example, the default of -1 preserves the historical behavior of redispatching on the last retry, a positive value of 1 would indicate a redispatch on every retry, and a positive value of 3 would indicate a redispatch on every third retry.

You can disable redispatches with a value of 0. It is the "hello" command to use. All other values will be turned into the default command "HELO". It may only be specified and is mandatory if the hello command has been specified. By default, "localhost" is used. Alphabetically sorted keywords reference Server and default-server options " keyword, and the " transparent " option of the " bind " keyword. Process management and security Alphabetically sorted keywords reference ", " option external-check ", " external-check path ".

Process management and security Alphabetically sorted keywords reference ", " option external-check ", " external-check command ". If omitted, the default cookie name "msts" will be used. There currently is no valid reason to change this name. Limit the connection rate on SMTP to 10 per second max. When used in an " http-request This keyword is available in sections: It allows one to redirect to the same URL for instance, to insert a cookie. If no "Host" header is found, then an empty host component will be returned, which most recent browsers interpret as redirecting to the same host.

It indicates which type of HTTP redirection is desired. Only codes , , , and are supported, with used by default if no code is specified. Likewise, replaces if the same method must be used. It has no effect with a location-type redirect. It can be useful to ensure that search engines will only see one URL. For this, a return code is preferred. This is sometimes used to indicate that a user has been seen, for instance to protect against some types of DoS. No other cookie option is added, so the cookie will be a session cookie.

Note that for a browser, a sole cookie name without an equal sign is different from a cookie with an equal sign. This will tell the browser to delete this cookie. It is useful for instance on logout pages. Please refer to section 6 about HTTP header manipulation for more information. It makes it possible to ignore this rule when other conditions are not met. SSL" to requests coming via port This is an extended regular expression.

Parenthesis grouping is supported and no preliminary backslash is required. The pattern applies to a full line at a time. The " reqallow " keyword strictly matches case while " reqiallow " ignores case. The " reqdel " keyword strictly matches case while " reqidel " ignores case.

The " reqdeny " keyword strictly matches case while " reqideny " ignores case. The " reqpass " keyword strictly matches case while " reqipass " ignores case. The " reqrep " keyword strictly matches case while " reqirep " ignores case. The " reqtarpit " keyword strictly matches case while " reqitarpit " ignores case. The default value is 3. This is an extended regular expression, so parenthesis grouping is supported and no preliminary backslash is required.

The " rspdel " keyword strictly matches case while " rspidel " ignores case. The " rspdeny " keyword strictly matches case while " rspideny " ignores case. The " rsprep " keyword strictly matches case while " rspirep " ignores case. This name will appear in logs and alerts. If " http-send-name-header " is set, it will be added to the request header sent to the server. It indicates that the connection will be forwarded to the same IP address as the one from the client connection.

This is useful in transparent proxy architectures where the client's connection is intercepted and haproxy must forward to the original destination address. This is more or less what the " transparent " keyword does except that with a server it's possible to limit concurrency and to report statistics. The " init-addr " setting can be used to modify the way IP addresses should be resolved upon startup. If set, all connections will be sent to this port.

If unset, the same port the client connected to will be used. In this case, the server's port will be determined by adding this value to the client's port. The " server " keywords accepts an important number of options and has a complete section dedicated to it. Initializes 3 servers with srv1, srv2 and srv3 as names, google. This address is also used as a source for health checks. The default value of 0. It is normally not needed but may be useful in some very specific contexts.

The default value of zero means the system will select a free port. Note that port ranges are not supported in the backend. If you want to force port ranges, you have to specify them on each " server " line. This is currently only supported on some patched Linux kernels. This is the name of a comma-separated header list which can contain multiple IP addresses.

By default, the last occurrence is used. This is designed to work with the X-Forwarded-For header and to automatically bind to the client's IP address as seen by previous proxy, typically Stunnel. When the header or occurrence is not found, no binding is performed so that the proxy's default IP address is used. Also keep in mind that the header name is case insensitive, as for any HTTP header.

Positive values indicate a position from the first occurrence, 1 being the first one. Negative values indicate positions relative to the last one, -1 being the last one.

This is helpful for situations where an X-Forwarded-For header is set at the entry point of an infrastructure and must be used several proxy layers away. When this value is not specified, -1 is assumed. Passing a zero here disables the feature. On systems supporting this features currently, only Linux , this allows one to bind all traffic to the server to this interface even if it is not the one the system would select based on routing tables. This should be used with extreme care.

Note that using this option requires root privileges. It is more conntrack-friendly. Alphabetically sorted keywords reference Server and default-server options " server option in section 5 , the Tproxy patches for the Linux kernel on www.

Process management and security Fetching samples from internal states ", " bind-process ", section 3. AdMiN stats auth admin2: The browser uses it to display it in the pop-up inviting the user to enter a valid username and password. While the browser is free to apply any delay, it will generally respect it and refresh the page this every seconds. The refresh interval may be specified in any other non-default time unit, by suffixing the unit after the value, as explained at the top of this document.

The special name ". Process management and security Alphabetically sorted keywords reference " in global section. If unspecified, the node name from global section is automatically used instead. This prefix may contain a question mark '? It describes what elements of the incoming request or connection will be analyzed in the hope to find a matching entry in a stickiness table.

This rule is mandatory. If unspecified, the same backend's table is used. A stickiness table is declared using the " stick-table " statement. It makes it possible to match on a certain criterion only when other conditions are met or not met. For instance, it could be used to match on a source IP address except when a request passes through a known proxy, in which case we'd match on a header containing that IP address. Process management and security Fetching samples from internal states ", " bind-process " and section 7 about ACLs and samples fetching.

Share the same table between both accesses. It describes what elements of the incoming request or connection will be analyzed, extracted and stored in the table once a server is selected. It makes it possible to store certain criteria only when some conditions are met or not met. For instance, it could be used to store the source IP address except when the request passes through a known proxy, in which case we'd store a converted form of a header containing that IP address.

Process management and security Fetching samples from internal states ", " bind-process " and section 7 about ACLs and sample fetching. This form is very compact about 50 bytes per entry and allows very fast entry lookup and stores with almost no overhead. This is mainly used to store client source IP addresses.

This form is very compact about 60 bytes per entry and allows very fast entry lookup and stores with almost no overhead. When not specified, the string is automatically limited to 32 characters. When not specified, the block is automatically limited to 32 bytes.

Or the number of bytes of the block in "binary" type table. Be careful when changing this parameter as memory usage will proportionally increase. This value directly impacts memory usage. Count approximately 50 bytes per entry, plus the size of a string if any.

When not specified and the table is full when haproxy wants to store an entry in it, it will flush a few of the oldest entries in order to release some space for the new ones. This is most often the desired behavior. In some specific cases, it be desirable to refuse new entries instead of purging the older ones. That may be the case when the amount of data to store is far above the hardware limits and we prefer not to offer access to new clients than to reject the ones already connected.

When using this parameter, be sure to properly set the "expire" parameter see below. Entries which associate keys to server IDs are kept synchronized with the remote peers declared in this section. All entries are also automatically learned from the local peer old process during a soft restart. The expiration delay is defined using the standard time format, similarly as the various timeouts. The maximum duration is slightly above 24 days.

If this delay is not specified, the session won't automatically expire, but older entries will be removed once full. Be sure not to use the "nopurge" parameter if not expiration delay is specified.

This may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. For each item specified here, the size of each entry will be inflated so that the additional data can fit. Several data types may be stored with an entry. Multiple data types may be specified after the "store" keyword, as a comma-separated list. Alternatively, it is possible to repeat the "store" keyword followed by one or several data types.

Some data types require an argument which must be passed just after the type between parenthesis. See below for the supported data types and their arguments. Keep track of counters of up to 1 million IP addresses over 5 minutes and store a general purpose counter and the average connection rate computed over a sliding window of 30 seconds.

It describes what elements of the response or connection will be analyzed, extracted and stored in the table once a server is selected. Its length is coded on 1 byte at offset 43 and its value starts at offset Match and learn on request if client hello. The keyword may be one of "string", "rstring" or binary. If the match is set to binary, then the pattern must be passed as a series of hexadecimal digits in an even number. Each sequence of two digits will represent a byte.

The hexadecimal digits may be used upper or lower case. Accept all connections from white-listed hosts, reject too fast connection without counting them, and track accepted connections. This results in connection rate being capped from abusive sources. Accept all connections from white-listed hosts, count all other connections and reject too fast ones.

This results in abusive ones being blocked as long as they don't slow down. Track the last IP stick-table type string from X-Forwarded-For tcp-request inspect-delay 10s tcp-request content track-sc0 hdr x-forwarded-for,-1 Or track the last IP stick-table type ip ipv6 from X-Forwarded-For tcp-request content track-sc0 req.

Track per-frontend and per-backend counters, block abusers at the frontend when the backend detects abuse and marks gpc0.

The HTTP transaction model 1. The request line 1. The request headers 1. The response line 1. The response headers 2. Configuration file format 2. Quoting and escaping 2. Process management and security 3. Proxy keywords matrix 4. Alphabetically sorted keywords reference 5. Bind and server options 5. Server and default-server options 5. Server DNS resolution 5. The resolvers section 6. HTTP header manipulation 7. Using ACLs and fetching samples 7. Matching regular expressions regexes 7.

Matching arbitrary data blocks 7. Matching IPv4 and IPv6 addresses 7. Using ACLs to form conditions 7. Fetching samples from internal states 7. Fetching samples at Layer 4 7. Fetching samples at Layer 5 7. Fetching samples from buffer contents Layer 6 7.

Default log format 8. TCP log format 8. HTTP log format 8. Custom log format 8. Error log format 8. Advanced logging options 8. Disabling logging of external tests 8. Logging before waiting for the session to terminate 8. Raising log level upon errors 8. Disabling logging of successful connections 8. Session state at disconnection 8.

Capturing HTTP cookies 8. Capturing HTTP headers 8. Examples of logs 9. Proxy section Filter 5 51d. Quick reminder about HTTP When HAProxy is running in HTTP mode, both the request and the response are fully analyzed and indexed, thus it becomes possible to build matching criteria on almost anything found in the contents. The Request line Line 1 is the "request line".

The request headers The headers start at the second line. The response line Line 1 is the "response line". The response headers Response headers work exactly like request headers, and as such, HAProxy uses the same parsing function for both. Configuration file format HAProxy's configuration process involves 3 major sources of parameters: Quoting and escaping HAProxy's configuration introduces a quoting and escaping system similar to many programming languages.

Environment variables HAProxy's configuration supports environment variables. Time format Some parameters involve values representing time, such as timeouts. Examples Simple configuration for an HTTP proxy listening on port 80 on all interfaces and forwarding requests to a single backend "servers" with a single server "server1" listening on Global parameters Parameters in the "global" section are process-wide and often OS-specific.

Bind options Server and default-server options " or " crl-file This keyword is available in sections: Bind options Server and default-server options " directives. Absolute locations specified in " ca-file This keyword is available in sections: Bind options Server and default-server options " and " crl-file This keyword is available in sections: Bind options Server and default-server options " prevail and ignore " ca-base ".

This increases the security level in case an unknown vulnerability would be exploited, since it would make it very hard for the attacker to exploit the system. This only works when the process is started with superuser privileges.

This means that the process or the thread will never run on other CPUs. The " cpu-map " directive specifies CPU sets for process or thread sets. The first argument is a process set, eventually followed by a thread set. Any process IDs above nbproc and any thread IDs above nbthread are ignored.

It is possible to specify a range with two such number delimited by a dash '-'. It also is possible to specify all processes at once using "all", only odd numbers using " odd " or even numbers using " even ", just like with the " bind-process " directive. The second and forthcoming arguments are CPU sets. Each CPU set is either a unique number between 0 and 31 or 63 or a range with two such numbers delimited by a dash '-'.

Multiple CPU numbers or ranges may be specified, and the processes or threads will be allowed to bind to all of them. Obviously, multiple " cpu-map " directives may be specified. Each " cpu-map " directive will replace the previous ones when they overlap. A thread will be bound on the intersection of its mapping and the one of the process on which it is attached.

If the intersection is null, no specific binding will be set for the thread. In such case, it is replaced by the corresponding maximum value, 32 or 64 depending on the machine's word size. To be valid, both sets must have the same size. No matter the declaration order of the CPU sets, it will be bound from the lowest to the highest bound. Having a process and a thread range with the "auto: Only one range is supported, the other one must be a fixed number.

Absolute locations specified after "crtfile" prevail and ignore " crt-base ". This is the recommended mode of operation. It is equivalent to the command line "-D" argument.

It can be disabled by the command line "-db" argument. This option is ignored in systemd mode. This directive is optional and set to 0 by default if not set. This directive is optional and set to by default if not set. This is disabled by default as a security precaution.

See " option external-check ". HAProxy must be started with a user belonging to this group, or with superuser privileges. Note that if haproxy is started from a user having supplementary groups, it will only be able to drop these groups if started with superuser privileges. See also " group This keyword is available in sections: Process management and security Userlists Bind options " and " uid This keyword is available in sections: Process management and security Bind options ".

This may be used to ensure that the instance will quit even if connections remain opened during a soft-stop for example with long timeouts for a proxy in tcp mode. See also " gid This keyword is available in sections: Process management and security Bind options " and " user This keyword is available in sections: Process management and security Userlists Bind options ".

Several global servers can be defined. They will receive logs for starts and exits, as well as all logs from proxies configured with " log global ". You may also need to increase " tune. It may be one of the following: If a maximum level is specified, only messages with a severity at least as important as this level will be sent. If optional "string" parameter is set the header is set to the string contents, otherwise uses the hostname of the system.

Generally used if one is not relaying logs through an intermediate syslog server or for simply customizing the hostname printed in the logs.

It defaults to the program name as launched from the command line, which usually is "haproxy". Sometimes it can be useful to differentiate between multiple processes running on the same host.

See also the per-proxy " log-tag This keyword is available in sections: Process management and security Alphabetically sorted keywords reference " directive. This directive can be used multiple times.

It is equivalent to the command line "-W" argument. This mode will launch a "master" which will monitor the "workers". The master-worker mode is compatible either with the foreground or daemon mode. It is recommended to use this mode with multiprocess and systemd. By default, if a worker exits with a bad return code, in the case of a segfault for example, all workers will be killed, and the master will leave. If you don't want this behavior, you must use the keyword "no-exit-on-failure".

See also "-W" in the management guide. This requires the " daemon " mode. By default, only one process is created, which is the recommended mode of operation.

For systems limited to small sets of file descriptors per process, it may be needed to fork multiple daemons. See also " daemon ". See also " nbproc This keyword is available in sections: Process management and security Fetching samples from internal states ".

This option is equivalent to the "-p" command line argument. The file must be accessible to the user starting the process. If the variable exists, it is NOT overwritten. The changes immediately take effect so that the next line in the configuration file sees the new value. See also " setenv ", " resetenv ", and " unsetenv ". It allows to use a clean controlled environment before setting new values with setenv or unsetenv. Please note that some internal functions may make use of some environment variables, such as time manipulation functions, but also OpenSSL or even external checks.

This must be used with extreme care and only after complete validation. The changes immediately take effect so that the next line in the configuration file sees the new environment. See also " setenv ", " presetenv ", and " unsetenv ". Limits the stats socket to a certain set of processes numbers. By default the stats socket is bound to all processes, causing a warning to be emitted when nbproc is greater than 1 because there is no way to select the target process when connecting.

However, by using this setting, it becomes possible to pin the stats socket to a specific set of processes, typically the first one. The warning will automatically be disabled when this setting is used, whatever the number of processes used.

The maximum process ID depends on the machine's word size 32 or A better option consists in using the " process " setting of the "stats socket" line to force the process on each line.

See also " server-state-file ", " load-server-state-from-file " and " server-state-file-name ". Before reloading HAProxy, it is possible to save the servers' current state using the stats command "show servers state". When starting up, before handling traffic, HAProxy will read, load and apply state for each server found in the file and available in its current running configuration. If the variable exists, it is overwritten. See also " presetenv ", " resetenv ", and " unsetenv ".

Please check the " bind " keyword for more information. This setting is only available when support for OpenSSL was built in. It sets default ssl-options to force on all " bind " lines.

Please check the " bind " keyword to see available options. The format of the string is defined in "man 1 ciphers". Please check the " server " keyword for more information.

It sets default ssl-options to force on all " server " lines. Please check the " server " keyword to see available options. It will be overridden by custom DH parameters found in a bind certificate file if any. If custom DH parameters are not specified either by using ssl-dh-param-file or by setting them directly in the certificate file, pre-generated DH parameters of the size specified by tune. Custom parameters are known to be more secure and therefore their use is recommended.

If specified to 'none', servers certificates are not verified. The default is 'required' except if forced using cmdline option '-dV'. Connections to this socket will return various statistics outputs and even allow some commands to be issued to change some runtime settings.

Please consult section 9. All parameters supported by " bind " lines are supported, for instance to restrict access to some users or their access rights. Please consult section 5. It is possible to change this value with " stats timeout ". It is possible to change this value with " stats maxconn ". HAProxy must be started with superuser privileges in order to be able to switch to another one.

By default, it is automatically computed, so it is recommended not to use this option. This is mainly used to simplify declaration of those UNIX sockets and reduce the risk of errors, since those settings are most commonly required but are also process-specific. This might be needed to access another component's chroot. Note that those paths are resolved before haproxy chroots itself, so they are absolute. If both are specified, the " bind " statement has priority, meaning that the " unix-bind " settings may be seen as process-wide default settings.

This can be useful to hide some sensitive information that are occasionally inherited from the user's environment during some operations. Variables which did not exist are silently ignored so that after the operation, it is certain that none of these variables remain. The changes immediately take effect so that the next line in the configuration file will not see these variables.

See also " setenv ", " presetenv ", and " resetenv ". See also " uid This keyword is available in sections: Process management and security Bind options " and " group This keyword is available in sections: This statement is useful in HA configurations where two or more processes or servers share the same IP address.

By setting a different node-name on all nodes, it becomes easy to immediately spot what server is handling the traffic. The file should be unzipped and accessible by HAProxy with relevant permissions. A full list of names is available on the 51Degrees website: If not set that will be set as ','. This is an LRU cache which reminds previous device detections and their results.

By default, this cache is disabled. The file should be accessible by HAProxy with relevant permissions. A full list of capability and virtual capability names is available on the Scientiamobile website: If not set that a comma ',' will be used by default.

Note that patches are loaded during startup thus before the chroot. You can choose between 'accuracy' or 'performance' targets. In performance mode, desktop web browser detection is done programmatically without referencing the WURFL data. If either performance or accuracy are not defined, performance mode is enabled by default. There are three possibilities here: This is the highest performing option.

The principle is to avoid hammering services running on the same server. The hashes will be very smooth, will consider weights, but will be static in that weight changes while a server is up will be ignored. This means that there will be no slow start. Also, since a server is selected by its position in the array, most mappings are changed when the server count changes.

This means that when a server goes up or down, or when a server is added to a farm, most connections will be redistributed to different servers. This can be inconvenient with caches for instance. The hash key is looked up in the tree and the closest server is chosen. This hash is dynamic, it supports changing weights while the servers are up, so it is compatible with the slow start feature. It has the advantage that when a server goes up or down, only its associations are moved.

When a server is added to the farm, only a few part of the mappings are redistributed, making it an ideal algorithm for caches. However, due to its principle, the algorithm will never be very smooth and it may sometimes be necessary to adjust a server's weight or its ID to get a more balanced distribution. In order to get the same distribution on multiple load balancers, it is important that all servers have the same IDs. The keyword may be one of " status ", "rstatus", "string", or "rstring".

The keyword may be preceeded by an exclamation mark "! Spaces are allowed between the exclamation mark and the keyword. See below for more details on the supported keywords. It may be a string or a regular expression.

Alphabetically sorted keywords reference Server and default-server options ", and section 7 about ACL usage. This is the most common usage. Only one " log global " statement may be used per instance, and this form takes no other parameter. It takes the same format as for the "global" section's logs, and can be one of: If no port is specified, is used by default the standard syslog port.

By default, all messages are sent. If a level is specified, only messages with a severity at least as important as this level will be sent. An optional minimum level can be specified. If it is set, logs emitted with a more severe level than this one will be capped to this level. This is used to avoid sending "emerg" messages on all terminals on some default syslog configurations. Eight levels are known: Excess connections will be queued by the system in the socket's listen queue and will be served once a connection closes.

Performance tuning Alphabetically sorted keywords reference Server and default-server options ", " fullconn ". A full-duplex connection will be established between clients and servers, and no layer 7 examination will be performed. This is the default mode. The client request will be analyzed in depth before connecting to any server.

Any request which is not RFC-compliant will be rejected. Layer 7 filtering, processing and switching will be possible. This is the mode which brings HAProxy most of its value. It will just reply "OK" to incoming connections and close the connection. Nothing will be logged. This mode is used to reply to external components health checks. This mode is deprecated and should not be used anymore as it is possible to do the same and even better by combining TCP or HTTP modes with the " monitor " keyword.

The condition should describe a combined test which must induce a failure if all conditions are met, for instance a low number of servers both in a backend and its backup. Such a condition may be based on a test on the presence of a minimum number of active servers in a list of backends.

Performance tuning Alphabetically sorted keywords reference Server and default-server options " and " maxqueue " parameters. Process management and security Alphabetically sorted keywords reference ", " dontlognull ", " log-separate-errors " and section 8 about logging.

Process management and security Alphabetically sorted keywords reference ", " monitor-net ", " monitor-uri " and section 8 about logging.

Public HTTP address also used by stunnel on the same machine frontend www mode http option forwardfor except The HTTP transaction model". Any method may be used, though it is not recommended to invent non-standard ones. Query strings are permitted. You can use this when you need to feed HAProxy's logs through a specific log analyser which only support the CLF format and which is not extensible.

Process management and security Alphabetically sorted keywords reference " and section 8 about logging. Process management and security Alphabetically sorted keywords reference ", " dontlognull ", " dontlog-normal " and section 8 about logging. Original Destination address frontend www mode http option originalto except It is the "hello" command to use. All other values will be turned into the default command "HELO".

It may only be specified and is mandatory if the hello command has been specified. By default, "localhost" is used. Alphabetically sorted keywords reference Server and default-server options " keyword, and the " transparent " option of the " bind " keyword.

If omitted, the default cookie name "msts" will be used. There currently is no valid reason to change this name. Limit the connection rate on SMTP to 10 per second max.

It allows one to redirect to the same URL for instance, to insert a cookie. If no "Host" header is found, then an empty host component will be returned, which most recent browsers interprete as redirecting to the same host.

It indicates which type of HTTP redirection is desired. Only codes , , , and are supported, with used by default if no code is specified. Likewise, replaces if the same method must be used. It has no effect with a location-type redirect. It can be useful to ensure that search engines will only see one URL. For this, a return code is preferred. This is sometimes used to indicate that a user has been seen, for instance to protect against some types of DoS.

No other cookie option is added, so the cookie will be a session cookie. Note that for a browser, a sole cookie name without an equal sign is different from a cookie with an equal sign. This will tell the browser to delete this cookie.

It is useful for instance on logout pages. Please refer to section 6 about HTTP header manipulation for more information. It makes it possible to ignore this rule when other conditions are not met. SSL" to requests coming via port This is an extended regular expression. Parenthesis grouping is supported and no preliminary backslash is required. The pattern applies to a full line at a time.

The " reqallow " keyword strictly matches case while " reqiallow " ignores case. The " reqdel " keyword strictly matches case while " reqidel " ignores case. The " reqdeny " keyword strictly matches case while " reqideny " ignores case. The " reqpass " keyword strictly matches case while " reqipass " ignores case. The " reqrep " keyword strictly matches case while " reqirep " ignores case. The " reqtarpit " keyword strictly matches case while " reqitarpit " ignores case.

The default value is 3. This is an extended regular expression, so parenthesis grouping is supported and no preliminary backslash is required. The " rspdel " keyword strictly matches case while " rspidel " ignores case. The " rspdeny " keyword strictly matches case while " rspideny " ignores case.

The " rsprep " keyword strictly matches case while " rspirep " ignores case. This name will appear in logs and alerts. If "http-send-server-name" is set, it will be added to the request header sent to the server.

Alternatively, a resolvable hostname is supported, but this name will be resolved during start-up. If no address is specified in front of the port, or if address "0. This makes it possible to relay connections for many IPs on a different port or to perform transparent forwarding with connection limitation. If set, all connections will be sent to this port. If unset, the same port the client connected to will be used. In this case, the server's port will be determined by adding this value to the client's port.

The " server " keywords accepts an important number of options and has a complete section dedicated to it. This address is also used as a source for health checks.

The default value of 0. It is normally not needed but may be useful in some very specific contexts. The default value of zero means the system will select a free port. Note that port ranges are not supported in the backend. If you want to force port ranges, you have to specify them on each " server " line.

This is currently only supported on some patched Linux kernels. This is the name of a comma-separated header list which can contain multiple IP addresses. By default, the last occurrence is used. This is designed to work with the X-Forwarded-For header and to automatically bind to the the client's IP address as seen by previous proxy, typically Stunnel. When the header or occurrence is not found, no binding is performed so that the proxy's default IP address is used.

Also keep in mind that the header name is case insensitive, as for any HTTP header. Positive values indicate a position from the first occurrence, 1 being the first one.

Negative values indicate positions relative to the last one, -1 being the last one. This is helpful for situations where an X-Forwarded-For header is set at the entry point of an infrastructure and must be used several proxy layers away.

When this value is not specified, -1 is assumed. Passing a zero here disables the feature. On systems supporting this features currently, only Linux , this allows one to bind all traffic to the server to this interface even if it is not the one the system would select based on routing tables.

This should be used with extreme care. Note that using this option requires root privileges. It is more conntrack-friendly. Alphabetically sorted keywords reference Server and default-server options " server option in section 5 , the Tproxy patches for the Linux kernel on www. AdMiN stats auth admin2: The browser uses it to display it in the pop-up inviting the user to enter a valid username and password. While the browser is free to apply any delay, it will generally respect it and refresh the page this every seconds.

The refresh interval may be specified in any other non-default time unit, by suffixing the unit after the value, as explained at the top of this document. The special name ". If unspecified, the node name from global section is automatically used instead. This prefix may contain a question mark '?

It describes what elements of the incoming request or connection will be analysed in the hope to find a matching entry in a stickiness table.

This rule is mandatory. If unspecified, the same backend's table is used. A stickiness table is declared using the " stick-table " statement. It makes it possible to match on a certain criterion only when other conditions are met or not met. For instance, it could be used to match on a source IP address except when a request passes through a known proxy, in which case we'd match on a header containing that IP address.

Share the same table between both accesses. It describes what elements of the incoming request or connection will be analysed, extracted and stored in the table once a server is selected. It makes it possible to store certain criteria only when some conditions are met or not met.

For instance, it could be used to store the source IP address except when the request passes through a known proxy, in which case we'd store a converted form of a header containing that IP address. This form is very compact about 50 bytes per entry and allows very fast entry lookup and stores with almost no overhead. This is mainly used to store client source IP addresses.

When not specified, the string is automatically limited to 31 characters. See type "string" above. Be careful when changing this parameter as memory usage will proportionally increase. This value directly impacts memory usage. Count approximately 50 bytes per entry, plus the size of a string if any.

When not specified and the table is full when haproxy wants to store an entry in it, it will flush a few of the oldest entries in order to release some space for the new ones.

This is most often the desired behaviour. In some specific cases, it be desirable to refuse new entries instead of purging the older ones. That may be the case when the amount of data to store is far above the hardware limits and we prefer not to offer access to new clients than to reject the ones already connected. When using this parameter, be sure to properly set the "expire" parameter see below. The expiration delay is defined using the standard time format, similarly as the various timeouts.

The maximum duration is slightly above 24 days. If this delay is not specified, the session won't automatically expire, but older entries will be removed once full. Be sure not to use the "nopurge" parameter if not expiration delay is specified. Server and default-server options.

The " server " and " default-server " keywords support a certain number of settings which are all passed as arguments on the server line.

The order in which those arguments appear does not count, and they are all optional. Some of those settings are single words booleans while others expect one or several values after them. In this case, the values must immediately follow the setting name.

Except default-server, all those settings must be specified after the server's address if they are used: In HTTP mode, it is possible to rewrite, add or delete some of the request and response headers based on regular expressions. It is also possible to block a request or a response if a particular header matches a regular expression, which is enough to stop most elementary protocol attacks, and to protect against information leak from the internal network.

But there is a limitation to this: All subsequent headers will be considered data only and not analyzed. Furthermore, HAProxy never touches data contents, it stops analysis at the end of headers. There is an exception though. When such messages are seen, normal processing still occurs on the next non-informational messages. This section covers common usage of the following keywords, described in detail in section 4.

Other characters may be prefixed with a backslash to change their meaning: This practice is very common to users of the "sed" program. It can also use special character sequences above. Notes related to these keywords: It is strongly recommended to use ACLs with the " block " keyword instead, resulting in far more flexible and manageable rules.

It is not possible to reference a header name only or a value only. This is important because of the way headers are written notably the number of spaces after the colon.

This should normally be far more than enough for most usages. If it is too short on occasional usages, it is possible to gain some space by removing some useless headers before adding new ones. The reverse path is applied to responses. Using ACLs and pattern extraction. The use of Access Control Lists ACL provides a flexible solution to perform content switching and generally to take decisions based on content extracted from the request, the response or any environmental status.

The principle is simple: In order to define a test, the " acl " keyword is used. Some criteria also support an operator which may be specified before the set of values. The values are of the type supported by the criterion, and are separated by spaces.

There is no enforced limit to the number of ACLs. The unused ones do not affect performance, they just consume a small amount of memory.

The following ACL flags are currently supported: Useful when a string looks like one of the flags. The "-f" flag is special as it loads all of the lines it finds in the file specified in argument and loads all of them before continuing. It is even possible to pass multiple "-f" arguments if the patterns are to be loaded from multiple files.

Empty lines as well as lines beginning with a sharp ' ' will be ignored. All leading spaces and tabs will be stripped. If it is absolutely needed to insert a valid pattern beginning with a sharp, just prefix it with a space so that it is not taken for a comment. Depending on the data type and match method, haproxy may load the lines into a binary tree, allowing very fast lookups. This is true for IPv4 and exact string matching.

In this case, duplicates will automatically be removed. Also, note that the "-i" flag applies to subsequent entries and not to entries loaded from files preceeding it. Then each line of "generic-ua" will be case-insensitively matched. Then the word "test" will be insensitively matched too. Note that right now it is difficult for the ACL parsers to report errors, so if a file is unreadable or unparsable, the most you'll get is a parse error in the ACL.

Thus, file-based ACLs should only be produced by reliable processes. Supported types of values are: Matching integers is special in that ranges and operators are permitted. Note that integer matching only applies to positive values. A range is a value expressed with a lower and an upper bound separated with a colon, both of which may be omitted. As a special case, some ACL functions support decimal numbers which are in fact two integers separated by a dot. This is used with some version checks for instance.

All integer properties apply to those decimal numbers, including ranges and operators. For an easier usage, comparison operators are also supported. Note that using operators with ranges does not make much sense and is strongly discouraged. Similarly, it does not make much sense to perform order comparisons with a set of values. Available operators for integer matching are: If the "-i" flag is passed before the first string, then the matching will be performed ignoring the case.

In order to match the string "-i", either set it second, or pass the "--" flag before the first string. Same applies of course to match the string "--". If the "-i" flag is passed before the first regex, then the matching will be performed ignoring the case. Same principle applies of course to match the string "--".

IPv4 addresses values can be specified either as plain addresses or with a netmask appended, in which case the IPv4 address matches whenever it is within the network. Plain addresses may also be replaced with a resolvable host name, but this practice is generally discouraged as it makes it more difficult to read and debug configurations.

A first set of criteria applies to information which does not require any analysis of the request or response contents. Since clients are limited to max, there cannot be more than 10 incoming mails per second.

A second set of criteria depends on data found in buffers, but which can change during analysis. This requires that some data has been buffered, for instance through TCP request content inspection. Please see the " tcp-request " keyword for more detailed information on the subject. A third set of criteria applies to information which can be found at the application layer layer 7. Those require that a full HTTP request has been read, and are only evaluated then.

They may require slightly more CPU resources than the layer 4 ones, but not much since the request and response are indexed. Some predefined ACLs are hard-coded so that they do not have to be declared in every frontend which needs them. They all have their names in upper case in order to avoid confusion. Their equivalence is provided below. Some actions are only performed upon a valid condition.

A condition is a combination of ACLs with operators. Such conditions are generally used after an "if" or "unless" statement, indicating when the condition will trigger the action. Use backend "www" for the rest. Those are unnamed ACL expressions that are built on the fly without needing to be declared. They must be enclosed between braces, with a space before and after each brace because the braces must be seen as independant words.

However, for very simple rules matching only one source IP address for instance, it can make more sense to use them than to declare ACLs with random names. Another example of good use is the following: The stickiness features relies on pattern extraction in the request and response. Sometimes the data needs to be converted first before being stored, for instance converted from ASCII to IP or upper case to lower case. All these operations of data extraction and conversion are defined as "pattern extraction rules".

A pattern rule always has the same format. It begins with a single pattern fetch word, potentially followed by a list of arguments within parenthesis then an optional list of transformations. As much as possible, the pattern fetch functions use the same name as their equivalent used in ACLs. The list of currently supported pattern fetch functions is the following: It is of type IP and only works with such tables.

It can be useful when running in transparent mode. This might be used when running in transparent mode or when assigning dynamic ports to some clients for a whole application session. It is of type integer and only works with such tables.

This IP address is then used to match the table. A typical use is with the x-forwarded-for header. The currently available list of transformations include: This can only be placed after a string pattern fetch function or after a conversion function returning a string type.

The result is of type string. This can be used to make all hosts within a certain mask to share the same table entries and as such use the same server. The mask can be passed in dotted form eg: One of HAProxy's strong points certainly lies is its precise logs. It probably provides the finest level of information available for such a product, which is very important for troubleshooting complex environments.

In order to improve administrators reactivity, it offers a great transparency about encountered problems, both internal and external, and it is possible to send logs to different sources at the same time with different level filters: The ability to distribute different levels of logs to different log servers allow several production teams to interact and to fix their problems as soon as possible. TCP and HTTP connections can be logged with information such as the date, time, source IP address, destination address, connection duration, response times, HTTP request, HTTP return code, number of bytes transmitted, conditions in which the session ended, and even exchanged cookies values.

For example track a particular user's problems. All messages may be sent to up to two syslog servers. Check the " log This keyword is available in sections: Process management and security Alphabetically sorted keywords reference " keyword in section 4. HAProxy supports 4 log formats. Several fields are common between these formats and will be detailed in the following sections. A few of them may vary slightly with the configuration, due to indicators specific to certain options. The supported formats are as follows: It only provides very basic information about the incoming connection at the moment it is accepted: This mode will eventually disappear so it will not be described to great extents.

This format is enabled when "option tcplog" is set on the frontend. HAProxy will then usually wait for the connection to terminate before logging. This format provides much richer information, such as timers, connection counts, queue size, etc This format is recommended for pure TCP proxies.

This format is enabled when " option httplog " is set on the frontend. It provides the same information as the TCP format with some HTTP-specific fields such as the request, the status code, and captures of headers and cookies. This format is recommended for HTTP proxies.

In this mode, all timers, captures, flags, etc Next sections will go deeper into details for each of these formats. Format specification will be performed on a "field" basis. Unless stated otherwise, a field is a portion of text delimited by any number of spaces. Since syslog servers are susceptible of inserting fields at the beginning of a line, it is always assumed that the first field is the one containing the process name and identifier.

Since log lines may be quite long, the log examples in sections below might be broken into multiple lines. This format is used when no specific option is set. The log is emitted as soon as the connection is accepted. One should note that this currently is the only format which logs the request's destination IP and ports. The TCP format is used when " option tcplog " is specified in the frontend, and is the recommended format for pure TCP proxies.

It provides a lot of precious information for troubleshooting. Since this format includes timers and byte counts, the log is normally emitted at the end of the session.

It can be emitted earlier if " option logasap " is specified, which makes sense in most environments with long sessions such as remote terminals.

Sessions which match the " monitor " rules are never logged. It is also possible not to emit logs for sessions for which no data were exchanged between the client and the server, by specifying " option dontlognull " in the frontend. Successful connections will not be logged if " option dontlog-normal " is specified in the frontend. It is enabled by when " option httplog " is specified in the frontend. Just like the TCP format, the log is usually emitted at the end of the session, unless " option logasap " is specified, which generally only makes sense for download sites.

A session which matches the " monitor " rules will never logged. It is also possible not to log sessions for which no data were sent by the client by specifying " option dontlognull " in the frontend. Most fields are shared with the TCP log, some being different. A few fields may slightly vary depending on some configuration options. Some advanced logging options are often looked for but are not easy to find out just by looking at the various options.

Here is an entry point for the few options which can enable better logging. Please refer to the keywords reference for more information about their usage. It is quite common to have some monitoring tools perform health checks on haproxy. Sometimes it will be a layer 3 load-balancer such as LVS or any commercial load-balancer, and sometimes it will simply be a more complete monitoring system such as Nagios.

When the tests are very frequent, users often ask how to disable logging for those checks. There are three possibilities: It also disables logging of port scans, which may or may not be desired. Any host in this network will then only be able to perform health checks, and their requests will not be logged. This is generally appropriate to designate a list of equipments such as other load-balancers. Any host sending this request will only get the result of a health-check, and the request will not be logged.

The problem with logging at end of connection is that you have no clue about what is happening during very long sessions, such as remote terminal sessions or large file downloads. This problem can be worked around by specifying " option logasap " in the frontend. Haproxy will then log as soon as possible, just before data transfer begins.

This means that in case of TCP, it will still log the connection status to the server, and in case of HTTP, it will log just after processing the server headers. In this case, the number of bytes reported is the number of header bytes sent to the client. Sometimes it is more convenient to separate normal traffic from errors logs, for instance in order to ease error monitoring from log files.

When the option " log-separate-errors " is used, connections which experience errors, timeouts, retries, redispatches or HTTP status codes 5xx will see their syslog level raised from "info" to "err".

This will help a syslog daemon store the log in a separate file. It is very important to keep the errors in the normal traffic file too, so that log ordering is not altered. You should also be careful if you already have configured your syslog daemon to store all logs higher than "notice" in an "admin" file, because the "err" level is higher than "notice". Although this may sound strange at first, some large sites have to deal with multiple thousands of logs per second and are experiencing difficulties keeping them intact for a long time or detecting errors within them.

If the option " dontlog-normal " is set on the frontend, all normal connections will not be logged. In this regard, a normal connection is defined as one without any error, timeout, retry nor redispatch. In HTTP, the status code is checked too, and a response with a status 5xx is not considered normal and will be logged too. Of course, doing is is really discouraged as it will remove most of the useful information from the logs.

Do this only if you have no other alternative. Timers provide a great help in troubleshooting network problems. All values are reported in milliseconds ms.

These timers should be used in conjunction with the session termination flags. It's the time elapsed between the moment the client connection was accepted and the moment the proxy received the last HTTP header. The value "-1" indicates that the end of headers empty line has never been seen. This happens when the client closes prematurely or times out.

It accounts for backend queue as well as the server queues, and depends on the queue size, and the time needed for the server to complete previous requests. The value "-1" means that the request was killed before reaching the queue, which is generally what happens with invalid or denied requests. The value "-1" means that the connection never established.

It's the time elapsed between the moment the TCP connection was established to the server and the moment the server sent its complete response headers.

It purely shows its request processing time, without the network overhead due to the data transmission. It is worth noting that when the client has data to send to the server, for instance during a POST request, the time already runs, and this can distort apparent response time. For this reason, it's generally wise not to trust too much this field for POST requests initiated from clients behind an untrusted network.

A value of "-1" here means that the last the response header empty line was never seen, most likely because the server timeout stroke before the server managed to process the request. The exception is when the " logasap " option is specified.

From this field, we can deduce "Td", the data transmission time, by substracting other timers when valid: Note that "Tt" can never be negative. These timers provide precious indications on trouble causes. Since the TCP protocol defines retransmit delays of 3, 6, Moreover, if "Tt" is close to a timeout value specified in the configuration, it often means that a session has been aborted on timeout. This is very rare on local networks but might happen when clients are on far remote networks and send large requests.

It may happen that values larger than usual appear here without any network cause. Sometimes, during an attack or just after a resource starvation has ended, haproxy may accept thousands of connections in a few milliseconds. The time spent accepting these connections will inevitably slightly delay processing of other connections, and it can happen that request times in the order of a few tens of milliseconds are measured after a few thousands of new connections have been accepted at once. Setting " option http-server-close " may display larger request times since "Tq" also measures the time spent waiting for additional requests.

This value should always be very low, such as 1 ms on local networks and less than a few tens of ms on remote networks. In order to solve this issue, it will be needed to specify " option httpclose " on either the frontend or the backend. If the problem persists, it means that the server ignores the "close" connection mode and expects the client to close.

Then it will be required to use " option forceclose ". Having the smallest possible 'Tt' is important when connection regulation is used with the " maxconn This keyword is available in sections: Performance tuning Alphabetically sorted keywords reference Server and default-server options " option on the servers, since no new connection will be sent to the server until another one is released.

Other noticeable HTTP log cases 'xx' means any value to be ignored: All the timers are valid except "Tt" which is shorter than reality. Check the session termination flags then " timeout http-request " and " timeout client " settings.

Check the session termination flags. Check the session termination flags, then check the " timeout connect " setting. Note that the tarpit action might return similar-looking patterns, with "Tw" equal to the time the client connection was maintained open. Check the session termination flags, then check the " timeout server " setting. Usually, this appears during the connection phase, and system logs should contain a copy of the precise error. If this happens, it must be considered as a very serious anomaly which should be fixed as soon as possible by any means.

This should NEVER happen, and you are encouraged to report any log containing this, because this would almost certainly be a bug. It would be wise to preventively restart the process after such an event too, in case it would be caused by memory corruption. Nothing was sent to any server. This can only happen when servers have a 'maxconn' parameter set.

It can also happen in the global queue after a redispatch consecutive to a failed attempt to connect to a dying server. If no redispatch is reported, then no connection attempt was made to any server. The server might at most have noticed a connection attempt.

This one is very rare as it can only happen when the client dies while receiving the last packets. It has been held open with the client during the whole " timeout tarpit " duration or until the client closed, both of which will be reported in the "Tw" timer. This is usually the case for new visitors, so counting the number of occurrences of this flag in the logs generally indicate a valid trend for the site frequentation. The request will be redispatched just as if there was no cookie.

NO cookie was provided by the server, and none was inserted either. Note that in "cookie insert" mode, if the server provides a cookie, it will still be overwritten and reported as "I" here.

This can only happen in insert mode with "maxidle". It happens everytime there is activity at a different date than the date indicated in the cookie. If any other change happens, such as a redispatch, then the cookie will be marked as inserted instead.

The combination of the two first flags gives a lot of information about what was happening when the session terminated, and why it did terminate. It can be helpful to detect server saturation, network troubles, local system resource starvation, attacks, etc The most common termination flags combinations are indicated below. They are alphabetically sorted, with the lowercase set just after the upper case for easier finding and understanding.

Flags Reason -- Normal termination. CC The client aborted before the connection could be established to the server.

This can happen when haproxy tries to connect to a recently dead or unchecked server, and the client aborts while haproxy is waiting for the server to respond or for " timeout connect " to expire. CD The client unexpectedly aborted during data transfer.

This can be caused by a browser crash, by an intermediate equipment between the client and haproxy which decided to actively break the connection, by network routing issues between the client and haproxy, or by a keep-alive session between the server and the client terminated first by the client. This is often caused by network failures on the client side, or the client simply leaving the net uncleanly. CH The client aborted while waiting for the server to start responding.

It might be the server taking too long to respond or the client clicking the 'Stop' button too fast. It can also happen when client timeout is smaller than server timeout and the server takes too long to respond. CQ The client aborted while its session was queued, waiting for a server with enough empty slots to accept it.

It might be that either all the servers were saturated or that the assigned server was taking too long a time to respond. Most likely the request was typed by hand using a telnet client, and aborted too early. The HTTP status code is likely a here. Sometimes this might also be caused by an IDS killing the connection between haproxy and the client. This is sometimes caused by too large TCP MSS values on the client side for PPPoE networks which cannot transport full-sized packets, or by clients sending requests by hand and not typing fast enough, or forgetting to enter the empty line at the end of the request.

CT The client aborted while its session was tarpitted. It is important to check if this happens on valid requests, in order to be sure that no wrong tarpit rules have been written. If a lot of them happen, it might make sense to lower the " timeout tarpit " value to something closer to the average reported "Tw" timer, in order not to consume resources for just a few attackers.

Under some circumstances, it can also be the network stack telling the proxy that the server is unreachable eg: When this happens in HTTP mode, the status code is likely a or here. SD The connection to the server died with an error during the data transfer. This usually means that haproxy has received an RST from the server or an ICMP message from an intermediate equipment while exchanging data with the server.

This can be caused by a server crash or by a network issue on an intermediate equipment. This is often caused by too short timeouts on L4 equipments before the server firewalls, load-balancers, Since a server aborting at this moment is very rare, it would be wise to inspect its logs to control whether it crashed and why.

The logged request may indicate a small set of faulty requests, demonstrating bugs in the application. Sometimes this might also be caused by an IDS killing the connection between haproxy and the server.

This is the most common anomaly, indicating too long transactions, probably caused by server or database saturation. The immediate workaround consists in increasing the " timeout server " setting, but it is important to keep in mind that the user experience will suffer from these long response times. The only long term solution is to fix the application. See the " timeout queue " and " timeout connect " settings to find out how to fix this if it happens too often. PC The proxy refused to establish a connection to the server because the process' socket limit has been reached while attempting to connect.

The global " maxconn This keyword is available in sections: Performance tuning Alphabetically sorted keywords reference Server and default-server options " parameter may be increased in the configuration so that it does not happen anymore. This status is very rare and might happen when the global " ulimit-n " parameter is forced by hand.

PD The proxy blocked an incorrectly formatted chunked encoded message in a request or a response, after the server has emitted its headers. In most cases, this will indicate an invalid message from the server to the client. Haproxy supports chunk sizes of up to 2GB - 1 bytes. Any larger size will be considered as an error. PH The proxy blocked the server's response, because it was invalid, incomplete, dangerous cache control , or matched a security filter.

In any case, an HTTP error is sent to the client. One possible cause for this error is an invalid syntax in an HTTP header name containing unauthorized characters. It is also possible but quite rare, that the proxy blocked a chunked-encoding request from the client due to an invalid syntax, before the server responded.

In this case, an HTTP error is sent to the client and reported in the logs. PT The proxy blocked the client's request and has tarpitted its connection before returning it a server error. Nothing was sent to the server. The connection was maintained open for as long as reported by the "Tw" timer field. RC A local resource has been exhausted memory, sockets, source ports preventing the connection to the server from establishing.

The error logs will tell precisely what was missing. This is very rare and can only be solved by proper system tuning. The combination of the two last flags gives a lot of information about how persistence was handled by the client, the server and by haproxy. This is very important to troubleshoot disconnections, when users complain they have to re-authenticate. The commonly encountered flags are: NN No cookie was provided by the client, none was inserted in the response.

For instance, this can be in insert mode with "postonly" set on a GET request. II A cookie designating an invalid server was provided by the client, a valid one was inserted in the response. This typically happens when a " server " entry is removed from the configuraton, since its cookie value can be presented by a client when no other server knows it.

NI No cookie was provided by the client, one was inserted in the response. This typically happens for first requests from every user in "insert" mode, which makes it an easy way to count real users. VN A cookie was provided by the client, none was inserted in the response. This happens for most responses for which the client has already got a cookie.

VU A cookie was provided by the client, with a last visit date which is not completely up-to-date, so an updated cookie was provided in response. This can also happen if there was no date at all, or if there was a date but the "maxidle" parameter was not set, so that the cookie can be switched to unlimited time. EI A cookie was provided by the client, with a last visit date which is too old for the "maxidle" parameter, so the cookie was ignored and a new cookie was inserted in the response.

OI A cookie was provided by the client, with a first visit date which is too old for the "maxlife" parameter, so the cookie was ignored and a new cookie was inserted in the response. DI The server designated by the cookie was down, a new server was selected and a new cookie was emitted in the response. VI The server designated by the cookie was not marked dead but could not be reached.