mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-25 07:41:36 +02:00
Code Issues Projects Releases Wiki Activity

DOC: server: Add docs for "server" and "default-server" new "no-*" and other settings.

Browse Source 
New boolean settings have been added to disable others. Most of them have "no-" as prefix.

"enabled" disables "disabled" setting,
"no-agent-check" disables "agent-check",
"no-backup" disables "backup",
"no-check" disables "check",
"no-check-ssl" disables "check-ssl",
"no-force-sslv3" disables "force-sslv3",
"no-force-tlsv10" disables "force-tlsv10",
"no-force-tlsv11" disables "force-tlsv11",
"no-force-tlsv12" disables "force-tlsv12,
"no-send-proxy" disables "send-proxy",
"no-send-proxy-v2" disables "send-proxy-v2",
"no-send-proxy-v2-ssl" disables "send-proxy-v2-ssl",
"no-send-proxy-v2-ssl-cn" disables "send-proxy-v2-ssl-cn",
"no-ssl" disables "ssl",
"no-verifyhost" disables "verifyhost",
"sslv3" disables "no-sslv3",
"ssl-reuse" disables "no-ssl-reuse",
"stick" disables "non-stick",
"tlsv10" disables "no-tlsv10",
"tlsv11" disables "no-tlsv11",
"tlsv12" disables "no-tlsv12",
"tls-tickets" disables "no-tls-tickets".

Settings with arguments are now supported on "default-server" lines:

"addr", "ca-file", "ciphers", "crl-file", "crt", "cookie", "namespace", "observe",
"redir", "sni", "source", "tcp-ut" and "track".

From now on, all server "settings" including the new ones above are supported by
"default-server" except "id" which is only supported on "server" lines.
This commit is contained in:
Frdric Lcaille 2017-03-21 18:52:12 +01:00 committed by Willy Tarreau
parent 6e0843c0e0
commit d237627d3b
1 changed files with 181 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

306
doc/configuration.txt
View File

@ -10656,6 +10656,9 @@ address if they are used:
server <name> <address>[:port] [settings ...] server <name> <address>[:port] [settings ...]
default-server [settings ...] default-server [settings ...]
Note that all these settings are supported both by "server" and "default-server"
keywords, except "id" which is only supported by "server".
The currently supported settings are the following ones. The currently supported settings are the following ones.
addr <ipv4|ipv6> addr <ipv4|ipv6>
@ -10666,8 +10669,6 @@ addr <ipv4|ipv6>
This parameter is ignored if the "check" parameter is not set. See also the This parameter is ignored if the "check" parameter is not set. See also the
"port" parameter. "port" parameter.
Supported in default-server: No
agent-check agent-check
Enable an auxiliary agent check which is run independently of a regular Enable an auxiliary agent check which is run independently of a regular
health check. An agent health check is performed by making a TCP connection health check. An agent health check is performed by making a TCP connection
@ -10727,9 +10728,7 @@ agent-check
force an agent's result in order to work around a bogus agent if needed. force an agent's result in order to work around a bogus agent if needed.
Requires the "agent-port" parameter to be set. See also the "agent-inter" Requires the "agent-port" parameter to be set. See also the "agent-inter"
parameter. and "no-agent-check" parameters.
Supported in default-server: No
agent-send <string> agent-send <string>
If this option is specified, haproxy will send the given string (verbatim) If this option is specified, haproxy will send the given string (verbatim)
@ -10754,8 +10753,6 @@ agent-inter <delay>
See also the "agent-check" and "agent-port" parameters. See also the "agent-check" and "agent-port" parameters.
Supported in default-server: Yes
agent-addr <addr> agent-addr <addr>
The "agent-addr" parameter sets address for agent check. The "agent-addr" parameter sets address for agent check.
@ -10769,25 +10766,19 @@ agent-port <port>
See also the "agent-check" and "agent-inter" parameters. See also the "agent-check" and "agent-inter" parameters.
Supported in default-server: Yes
backup backup
When "backup" is present on a server line, the server is only used in load When "backup" is present on a server line, the server is only used in load
balancing when all other non-backup servers are unavailable. Requests coming balancing when all other non-backup servers are unavailable. Requests coming
with a persistence cookie referencing the server will always be served with a persistence cookie referencing the server will always be served
though. By default, only the first operational backup server is used, unless though. By default, only the first operational backup server is used, unless
the "allbackups" option is set in the backend. See also the "allbackups" the "allbackups" option is set in the backend. See also the "no-backup" and
option. "allbackups" options.
Supported in default-server: No
ca-file <cafile> ca-file <cafile>
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
designates a PEM file from which to load CA certificates used to verify designates a PEM file from which to load CA certificates used to verify
server's certificate. server's certificate.
Supported in default-server: No
check check
This option enables health checks on the server. By default, a server is This option enables health checks on the server. By default, a server is
always considered available. If "check" is set, the server is available when always considered available. If "check" is set, the server is available when
@ -10799,9 +10790,8 @@ check
address, and the interval and timers using the "inter", "rise" and "fall" address, and the interval and timers using the "inter", "rise" and "fall"
parameters. The request method is define in the backend using the "httpchk", parameters. The request method is define in the backend using the "httpchk",
"smtpchk", "mysql-check", "pgsql-check" and "ssl-hello-chk" options. Please "smtpchk", "mysql-check", "pgsql-check" and "ssl-hello-chk" options. Please
refer to those options and parameters for more information. refer to those options and parameters for more information. See also
"no-check" option.
Supported in default-server: No
check-send-proxy check-send-proxy
This option forces emission of a PROXY protocol line with outgoing health This option forces emission of a PROXY protocol line with outgoing health
@ -10812,8 +10802,6 @@ check-send-proxy
"check-send-proxy" option needs to be used to force the use of the "check-send-proxy" option needs to be used to force the use of the
protocol. See also the "send-proxy" option for more information. protocol. See also the "send-proxy" option for more information.
Supported in default-server: No
check-ssl check-ssl
This option forces encryption of all health checks over SSL, regardless of This option forces encryption of all health checks over SSL, regardless of
whether the server uses SSL or not for the normal traffic. This is generally whether the server uses SSL or not for the normal traffic. This is generally
@ -10823,9 +10811,8 @@ check-ssl
check becomes an SSL connect, which replaces the old ssl-hello-chk. The most check becomes an SSL connect, which replaces the old ssl-hello-chk. The most
common use is to send HTTPS checks by combining "httpchk" with SSL checks. common use is to send HTTPS checks by combining "httpchk" with SSL checks.
All SSL settings are common to health checks and traffic (eg: ciphers). All SSL settings are common to health checks and traffic (eg: ciphers).
See the "ssl" option for more information. See the "ssl" option for more information and "no-check-ssl" to disable
this option.
Supported in default-server: No
ciphers <ciphers> ciphers <ciphers>
This option sets the string describing the list of cipher algorithms that is This option sets the string describing the list of cipher algorithms that is
@ -10837,8 +10824,6 @@ ciphers <ciphers>
Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
is needed and just connectivity, using DES can be appropriate. is needed and just connectivity, using DES can be appropriate.
Supported in default-server: No
cookie <value> cookie <value>
The "cookie" parameter sets the cookie value assigned to the server to The "cookie" parameter sets the cookie value assigned to the server to
<value>. This value will be checked in incoming requests, and the first <value>. This value will be checked in incoming requests, and the first
@ -10848,15 +10833,11 @@ cookie <value>
the same cookie value, and it is in fact somewhat common between normal and the same cookie value, and it is in fact somewhat common between normal and
backup servers. See also the "cookie" keyword in backend section. backup servers. See also the "cookie" keyword in backend section.
Supported in default-server: No
crl-file <crlfile> crl-file <crlfile>
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
designates a PEM file from which to load certificate revocation list used designates a PEM file from which to load certificate revocation list used
to verify server's certificate. to verify server's certificate.
Supported in default-server: No
crt <cert> crt <cert>
This setting is only available when support for OpenSSL was built in. This setting is only available when support for OpenSSL was built in.
It designates a PEM file from which to load both a certificate and the It designates a PEM file from which to load both a certificate and the
@ -10864,24 +10845,26 @@ crt <cert>
files into one. This certificate will be sent if the server send a client files into one. This certificate will be sent if the server send a client
certificate request. certificate request.
Supported in default-server: No
disabled disabled
The "disabled" keyword starts the server in the "disabled" state. That means The "disabled" keyword starts the server in the "disabled" state. That means
that it is marked down in maintenance mode, and no connection other than the that it is marked down in maintenance mode, and no connection other than the
ones allowed by persist mode will reach it. It is very well suited to setup ones allowed by persist mode will reach it. It is very well suited to setup
new servers, because normal traffic will never reach them, while it is still new servers, because normal traffic will never reach them, while it is still
possible to test the service by making use of the force-persist mechanism. possible to test the service by making use of the force-persist mechanism.
See also "enabled" setting.
Supported in default-server: No enabled
This option may be used as 'server' setting to reset any 'disabled'
setting which would have been inherited from 'default-server' directive as
default value.
It may also be used as 'default-server' setting to reset any previous
'default-server' 'disabled' setting.
error-limit <count> error-limit <count>
If health observing is enabled, the "error-limit" parameter specifies the If health observing is enabled, the "error-limit" parameter specifies the
number of consecutive errors that triggers event selected by the "on-error" number of consecutive errors that triggers event selected by the "on-error"
option. By default it is set to 10 consecutive errors. option. By default it is set to 10 consecutive errors.
Supported in default-server: Yes
See also the "check", "error-limit" and "on-error". See also the "check", "error-limit" and "on-error".
fall <count> fall <count>
@ -10889,44 +10872,32 @@ fall <count>
<count> consecutive unsuccessful health checks. This value defaults to 3 if <count> consecutive unsuccessful health checks. This value defaults to 3 if
unspecified. See also the "check", "inter" and "rise" parameters. unspecified. See also the "check", "inter" and "rise" parameters.
Supported in default-server: Yes
force-sslv3 force-sslv3
This option enforces use of SSLv3 only when SSL is used to communicate with This option enforces use of SSLv3 only when SSL is used to communicate with
the server. SSLv3 is generally less expensive than the TLS counterparts for the server. SSLv3 is generally less expensive than the TLS counterparts for
high connection rates. This option is also available on global statement high connection rates. This option is also available on global statement
"ssl-default-server-options". See also "no-tlsv*", "no-sslv3". "ssl-default-server-options". See also "no-force-sslv3", "no-tlsv*", "no-sslv3".
Supported in default-server: No
force-tlsv10 force-tlsv10
This option enforces use of TLSv1.0 only when SSL is used to communicate with This option enforces use of TLSv1.0 only when SSL is used to communicate with
the server. This option is also available on global statement the server. This option is also available on global statement
"ssl-default-server-options". See also "no-tlsv*", "no-sslv3". "ssl-default-server-options". See also "no-force-tlsv10", "no-tlsv*", "no-sslv3".
Supported in default-server: No
force-tlsv11 force-tlsv11
This option enforces use of TLSv1.1 only when SSL is used to communicate with This option enforces use of TLSv1.1 only when SSL is used to communicate with
the server. This option is also available on global statement the server. This option is also available on global statement
"ssl-default-server-options". See also "no-tlsv*", "no-sslv3". "ssl-default-server-options". See also "no-force-tlsv11", "no-tlsv*", "no-sslv3".
Supported in default-server: No
force-tlsv12 force-tlsv12
This option enforces use of TLSv1.2 only when SSL is used to communicate with This option enforces use of TLSv1.2 only when SSL is used to communicate with
the server. This option is also available on global statement the server. This option is also available on global statement
"ssl-default-server-options". See also "no-tlsv*", "no-sslv3". "ssl-default-server-options". See also "no-force-tlsv12", "no-tlsv*", "no-sslv3".
Supported in default-server: No
id <value> id <value>
Set a persistent ID for the server. This ID must be positive and unique for Set a persistent ID for the server. This ID must be positive and unique for
the proxy. An unused ID will automatically be assigned if unset. The first the proxy. An unused ID will automatically be assigned if unset. The first
assigned value will be 1. This ID is currently only returned in statistics. assigned value will be 1. This ID is currently only returned in statistics.
Supported in default-server: No
init-addr {last | libc | none | <ip>},[...]* init-addr {last | libc | none | <ip>},[...]*
Indicate in what order the server's address should be resolved upon startup Indicate in what order the server's address should be resolved upon startup
if it uses an FQDN. Attempts are made to resolve the address by applying in if it uses an FQDN. Attempts are made to resolve the address by applying in
@ -10954,8 +10925,6 @@ init-addr {last | libc | none | <ip>},[...]*
# never fail on address resolution # never fail on address resolution
default-server init-addr last,libc,none default-server init-addr last,libc,none
Supported in default-server: Yes
inter <delay> inter <delay>
fastinter <delay> fastinter <delay>
downinter <delay> downinter <delay>
@ -10986,8 +10955,6 @@ downinter <delay>
global "spread-checks" keyword. This makes sense for instance when a lot global "spread-checks" keyword. This makes sense for instance when a lot
of backends use the same servers. of backends use the same servers.
Supported in default-server: Yes
maxconn <maxconn> maxconn <maxconn>
The "maxconn" parameter specifies the maximal number of concurrent The "maxconn" parameter specifies the maximal number of concurrent
connections that will be sent to this server. If the number of incoming connections that will be sent to this server. If the number of incoming
@ -10998,8 +10965,6 @@ maxconn <maxconn>
which means unlimited. See also the "minconn" and "maxqueue" parameters, and which means unlimited. See also the "minconn" and "maxqueue" parameters, and
the backend's "fullconn" keyword. the backend's "fullconn" keyword.
Supported in default-server: Yes
maxqueue <maxqueue> maxqueue <maxqueue>
The "maxqueue" parameter specifies the maximal number of connections which The "maxqueue" parameter specifies the maximal number of connections which
will wait in the queue for this server. If this limit is reached, next will wait in the queue for this server. If this limit is reached, next
@ -11009,8 +10974,6 @@ maxqueue <maxqueue>
default value is "0" which means the queue is unlimited. See also the default value is "0" which means the queue is unlimited. See also the
"maxconn" and "minconn" parameters. "maxconn" and "minconn" parameters.
Supported in default-server: Yes
minconn <minconn> minconn <minconn>
When the "minconn" parameter is set, the maxconn limit becomes a dynamic When the "minconn" parameter is set, the maxconn limit becomes a dynamic
limit following the backend's load. The server will always accept at least limit following the backend's load. The server will always accept at least
@ -11021,37 +10984,121 @@ minconn <minconn>
overloading the server during exceptional loads. See also the "maxconn" overloading the server during exceptional loads. See also the "maxconn"
and "maxqueue" parameters, as well as the "fullconn" backend keyword. and "maxqueue" parameters, as well as the "fullconn" backend keyword.
Supported in default-server: Yes
namespace <name> namespace <name>
On Linux, it is possible to specify which network namespace a socket will On Linux, it is possible to specify which network namespace a socket will
belong to. This directive makes it possible to explicitly bind a server to belong to. This directive makes it possible to explicitly bind a server to
a namespace different from the default one. Please refer to your operating a namespace different from the default one. Please refer to your operating
system's documentation to find more details about network namespaces. system's documentation to find more details about network namespaces.
no-agent-check
This option may be used as "server" setting to reset any "agent-check"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "agent-check" setting.
no-backup
This option may be used as "server" setting to reset any "backup"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "backup" setting.
no-check
This option may be used as "server" setting to reset any "check"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "check" setting.
no-check-ssl
This option may be used as "server" setting to reset any "check-ssl"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "check-ssl" setting.
no-force-sslv3
This option may be used as "server" setting to reset any "force-sslv3"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "force-sslv3" setting.
no-force-tlsv10
This option may be used as "server" setting to reset any "force-tlsv10"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "force-tlsv10" setting.
no-force-tlsv11
This option may be used as "server" setting to reset any "force-tlsv11"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "force-tlsv11" setting.
no-force-tlsv12
This option may be used as "server" setting to reset any "force-tlsv12"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "force-tlsv12" setting.
no-send-proxy
This option may be used as "server" setting to reset any "send-proxy"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "send-proxy" setting.
no-send-proxy-v2
This option may be used as "server" setting to reset any "send-proxy-v2"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "send-proxy-v2" setting.
no-send-proxy-v2-ssl
This option may be used as "server" setting to reset any "send-proxy-v2-ssl"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "send-proxy-v2-ssl" setting.
no-send-proxy-v2-ssl-cn
This option may be used as "server" setting to reset any "send-proxy-v2-ssl-cn"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "send-proxy-v2-ssl-cn" setting.
no-ssl
This option may be used as "server" setting to reset any "ssl"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "ssl" setting.
no-ssl-reuse no-ssl-reuse
This option disables SSL session reuse when SSL is used to communicate with This option disables SSL session reuse when SSL is used to communicate with
the server. It will force the server to perform a full handshake for every the server. It will force the server to perform a full handshake for every
new connection. It's probably only useful for benchmarking, troubleshooting, new connection. It's probably only useful for benchmarking, troubleshooting,
and for paranoid users. and for paranoid users.
Supported in default-server: No
no-sslv3 no-sslv3
This option disables support for SSLv3 when SSL is used to communicate with This option disables support for SSLv3 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. See also "force-sslv3", "force-tlsv*". using any configuration option. See also "force-sslv3", "force-tlsv*".
Supported in default-server: No
no-tls-tickets no-tls-tickets
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
disables the stateless session resumption (RFC 5077 TLS Ticket disables the stateless session resumption (RFC 5077 TLS Ticket
extension) and force to use stateful session resumption. Stateless extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage for servers. This option session resumption is more expensive in CPU usage for servers. This option
is also available on global statement "ssl-default-server-options". is also available on global statement "ssl-default-server-options".
See also "tls-tickets".
Supported in default-server: No
no-tlsv10 no-tlsv10
This option disables support for TLSv1.0 when SSL is used to communicate with This option disables support for TLSv1.0 when SSL is used to communicate with
@ -11059,9 +11106,7 @@ no-tlsv10
using any configuration option. TLSv1 is more expensive than SSLv3 so it using any configuration option. TLSv1 is more expensive than SSLv3 so it
often makes sense to disable it when communicating with local servers. This often makes sense to disable it when communicating with local servers. This
option is also available on global statement "ssl-default-server-options". option is also available on global statement "ssl-default-server-options".
See also "force-sslv3", "force-tlsv*". See also "tlsv10", "force-sslv3", "force-tlsv*".
Supported in default-server: No
no-tlsv11 no-tlsv11
This option disables support for TLSv1.1 when SSL is used to communicate with This option disables support for TLSv1.1 when SSL is used to communicate with
@ -11069,9 +11114,7 @@ no-tlsv11
using any configuration option. TLSv1 is more expensive than SSLv3 so it using any configuration option. TLSv1 is more expensive than SSLv3 so it
often makes sense to disable it when communicating with local servers. This often makes sense to disable it when communicating with local servers. This
option is also available on global statement "ssl-default-server-options". option is also available on global statement "ssl-default-server-options".
See also "force-sslv3", "force-tlsv*". See also "tlsv11", "force-sslv3", "force-tlsv*".
Supported in default-server: No
no-tlsv12 no-tlsv12
This option disables support for TLSv1.2 when SSL is used to communicate with This option disables support for TLSv1.2 when SSL is used to communicate with
@ -11079,17 +11122,20 @@ no-tlsv12
using any configuration option. TLSv1 is more expensive than SSLv3 so it using any configuration option. TLSv1 is more expensive than SSLv3 so it
often makes sense to disable it when communicating with local servers. This often makes sense to disable it when communicating with local servers. This
option is also available on global statement "ssl-default-server-options". option is also available on global statement "ssl-default-server-options".
See also "force-sslv3", "force-tlsv*". See also "tlsv12", "force-sslv3", "force-tlsv*".
Supported in default-server: No no-verifyhost
This option may be used as "server" setting to reset any "verifyhost"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "verifyhost" setting.
non-stick non-stick
Never add connections allocated to this sever to a stick-table. Never add connections allocated to this sever to a stick-table.
This may be used in conjunction with backup to ensure that This may be used in conjunction with backup to ensure that
stick-table persistence is disabled for backup servers. stick-table persistence is disabled for backup servers.
Supported in default-server: No
observe <mode> observe <mode>
This option enables health adjusting based on observing communication with This option enables health adjusting based on observing communication with
the server. By default this functionality is disabled and enabling it also the server. By default this functionality is disabled and enabling it also
@ -11099,8 +11145,6 @@ observe <mode>
received from server are verified, like valid/wrong http code, unparsable received from server are verified, like valid/wrong http code, unparsable
headers, a timeout, etc. Valid status codes include 100 to 499, 501 and 505. headers, a timeout, etc. Valid status codes include 100 to 499, 501 and 505.
Supported in default-server: No
See also the "check", "on-error" and "error-limit". See also the "check", "on-error" and "error-limit".
on-error <mode> on-error <mode>
@ -11112,8 +11156,6 @@ on-error <mode>
check will mark a server down, forces fastinter check will mark a server down, forces fastinter
- mark-down: mark the server immediately down and force fastinter - mark-down: mark the server immediately down and force fastinter
Supported in default-server: Yes
See also the "check", "observe" and "error-limit". See also the "check", "observe" and "error-limit".
on-marked-down <action> on-marked-down <action>
@ -11130,8 +11172,6 @@ on-marked-down <action>
Actions are disabled by default Actions are disabled by default
Supported in default-server: Yes
on-marked-up <action> on-marked-up <action>
Modify what occurs when a server is marked up. Modify what occurs when a server is marked up.
Currently one action is available: Currently one action is available:
@ -11146,8 +11186,6 @@ on-marked-up <action>
Actions are disabled by default Actions are disabled by default
Supported in default-server: Yes
port <port> port <port>
Using the "port" parameter, it becomes possible to use a different port to Using the "port" parameter, it becomes possible to use a different port to
send health-checks. On some servers, it may be desirable to dedicate a port send health-checks. On some servers, it may be desirable to dedicate a port
@ -11156,8 +11194,6 @@ port <port>
inetd for instance. This parameter is ignored if the "check" parameter is not inetd for instance. This parameter is ignored if the "check" parameter is not
set. See also the "addr" parameter. set. See also the "addr" parameter.
Supported in default-server: Yes
redir <prefix> redir <prefix>
The "redir" parameter enables the redirection mode for all GET and HEAD The "redir" parameter enables the redirection mode for all GET and HEAD
requests addressing this server. This means that instead of having HAProxy requests addressing this server. This means that instead of having HAProxy
@ -11176,15 +11212,11 @@ redir <prefix>
Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
Supported in default-server: No
rise <count> rise <count>
The "rise" parameter states that a server will be considered as operational The "rise" parameter states that a server will be considered as operational
after <count> consecutive successful health checks. This value defaults to 2 after <count> consecutive successful health checks. This value defaults to 2
if unspecified. See also the "check", "inter" and "fall" parameters. if unspecified. See also the "check", "inter" and "fall" parameters.
Supported in default-server: Yes
resolve-prefer <family> resolve-prefer <family>
When DNS resolution is enabled for a server and multiple IP addresses from When DNS resolution is enabled for a server and multiple IP addresses from
different families are returned, HAProxy will prefer using an IP address different families are returned, HAProxy will prefer using an IP address
@ -11193,8 +11225,6 @@ resolve-prefer <family>
Default value: ipv6 Default value: ipv6
Supported in default-server: Yes
Example: Example:
server s1 app1.domain.com:80 resolvers mydns resolve-prefer ipv6 server s1 app1.domain.com:80 resolvers mydns resolve-prefer ipv6
@ -11207,8 +11237,6 @@ resolve-net <network>[,<network[,...]]
this patch permitsto prefers a local datacenter. If none address matchs the this patch permitsto prefers a local datacenter. If none address matchs the
configured network, another address is selected. configured network, another address is selected.
Supported in default-server: Yes
Example: Example:
server s1 app1.domain.com:80 resolvers mydns resolve-net 10.0.0.0/8 server s1 app1.domain.com:80 resolvers mydns resolve-net 10.0.0.0/8
@ -11221,8 +11249,6 @@ resolvers <id>
You must precise one 'resolvers' parameter on each server line where DNS You must precise one 'resolvers' parameter on each server line where DNS
resolution is required. resolution is required.
Supported in default-server: No
Example: Example:
server s1 app1.domain.com:80 check resolvers mydns server s1 app1.domain.com:80 check resolvers mydns
@ -11244,10 +11270,8 @@ send-proxy
protocol is automatically used when this option is set, unless there is an protocol is automatically used when this option is set, unless there is an
explicit "port" or "addr" directive, in which case an explicit explicit "port" or "addr" directive, in which case an explicit
"check-send-proxy" directive would also be needed to use the PROXY protocol. "check-send-proxy" directive would also be needed to use the PROXY protocol.
See also the "accept-proxy" and "accept-netscaler-cip" option of the "bind" See also the "no-send-proxy" option of this section and "accept-proxy" and
keyword. "accept-netscaler-cip" option of the "bind" keyword.
Supported in default-server: No
send-proxy-v2 send-proxy-v2
The "send-proxy-v2" parameter enforces use of the PROXY protocol version 2 The "send-proxy-v2" parameter enforces use of the PROXY protocol version 2
@ -11255,10 +11279,9 @@ send-proxy-v2
the other end about the layer 3/4 addresses of the incoming connection, so the other end about the layer 3/4 addresses of the incoming connection, so
that it can know the client's address or the public address it accessed to, that it can know the client's address or the public address it accessed to,
whatever the upper layer protocol. This setting must not be used if the whatever the upper layer protocol. This setting must not be used if the
server isn't aware of this version of the protocol. See also the "send-proxy" server isn't aware of this version of the protocol. See also the
option of the "bind" keyword. "no-send-proxy-v2" option of this section and send-proxy" option of the
"bind" keyword.
Supported in default-server: No
send-proxy-v2-ssl send-proxy-v2-ssl
The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
@ -11268,9 +11291,8 @@ send-proxy-v2-ssl
whatever the upper layer protocol. In addition, the SSL information extension whatever the upper layer protocol. In addition, the SSL information extension
of the PROXY protocol is added to the PROXY protocol header. This setting of the PROXY protocol is added to the PROXY protocol header. This setting
must not be used if the server isn't aware of this version of the protocol. must not be used if the server isn't aware of this version of the protocol.
See also the "send-proxy-v2" option of the "bind" keyword. See also the "no-send-proxy-v2-ssl" option of this section and the
"send-proxy-v2" option of the "bind" keyword.
Supported in default-server: No
send-proxy-v2-ssl-cn send-proxy-v2-ssl-cn
The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
@ -11281,9 +11303,8 @@ send-proxy-v2-ssl-cn
of the PROXY protocol, along along with the Common Name from the subject of of the PROXY protocol, along along with the Common Name from the subject of
the client certificate (if any), is added to the PROXY protocol header. This the client certificate (if any), is added to the PROXY protocol header. This
setting must not be used if the server isn't aware of this version of the setting must not be used if the server isn't aware of this version of the
protocol. See also the "send-proxy-v2" option of the "bind" keyword. protocol. See also the "no-send-proxy-v2-ssl-cn" option of this section and the
"send-proxy-v2" option of the "bind" keyword.
Supported in default-server: No
slowstart <start_time_in_ms> slowstart <start_time_in_ms>
The "slowstart" parameter for a server accepts a value in milliseconds which The "slowstart" parameter for a server accepts a value in milliseconds which
@ -11305,8 +11326,6 @@ slowstart <start_time_in_ms>
trouble to running servers. It only applies when a server has been previously trouble to running servers. It only applies when a server has been previously
seen as failed. seen as failed.
Supported in default-server: Yes
sni <expression> sni <expression>
The "sni" parameter evaluates the sample fetch expression, converts it to a The "sni" parameter evaluates the sample fetch expression, converts it to a
string and uses the result as the host name sent in the SNI TLS extension to string and uses the result as the host name sent in the SNI TLS extension to
@ -11314,8 +11333,6 @@ sni <expression>
a bridged HTTPS scenario, using the "ssl_fc_sni" sample fetch for the a bridged HTTPS scenario, using the "ssl_fc_sni" sample fetch for the
expression, though alternatives such as req.hdr(host) can also make sense. expression, though alternatives such as req.hdr(host) can also make sense.
Supported in default-server: no
source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ] source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ]
source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ] source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ]
source <addr>[:<pl>[-<ph>]] [interface <name>] ... source <addr>[:<pl>[-<ph>]] [interface <name>] ...
@ -11335,8 +11352,6 @@ source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Since Linux 4.2/libc 2.23 IP_BIND_ADDRESS_NO_PORT is set for connections Since Linux 4.2/libc 2.23 IP_BIND_ADDRESS_NO_PORT is set for connections
specifying the source address without port(s). specifying the source address without port(s).
Supported in default-server: No
ssl ssl
This option enables SSL ciphering on outgoing connections to the server. It This option enables SSL ciphering on outgoing connections to the server. It
is critical to verify server certificates using "verify" when using SSL to is critical to verify server certificates using "verify" when using SSL to
@ -11344,9 +11359,29 @@ ssl
the-middle attacks rendering SSL useless. When this option is used, health the-middle attacks rendering SSL useless. When this option is used, health
checks are automatically sent in SSL too unless there is a "port" or an checks are automatically sent in SSL too unless there is a "port" or an
"addr" directive indicating the check should be sent to a different location. "addr" directive indicating the check should be sent to a different location.
See the "check-ssl" option to force SSL health checks. See the "no-ssl" to disable "ssl" option and "check-ssl" option to force
SSL health checks.
Supported in default-server: No sslv3
This option may be used as "server" setting to reset any "no-sslv3"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "no-sslv3" setting.
ssl-reuse
This option may be used as "server" setting to reset any "no-ssl-reuse"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "no-ssl-reuse" setting.
stick
This option may be used as "server" setting to reset any "non-stick"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "non-stick" setting.
tcp-ut <delay> tcp-ut <delay>
Sets the TCP User Timeout for all outgoing connections to this server. This Sets the TCP User Timeout for all outgoing connections to this server. This
@ -11370,7 +11405,33 @@ track [<proxy>/]<server>
enabled. If <proxy> is omitted the current one is used. If disable-on-404 is enabled. If <proxy> is omitted the current one is used. If disable-on-404 is
used, it has to be enabled on both proxies. used, it has to be enabled on both proxies.
Supported in default-server: No tlsv10
This option may be used as "server" setting to reset any "no-tlsv10"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "no-tlsv10" setting.
tlsv11
This option may be used as "server" setting to reset any "no-tlsv11"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "no-tlsv11" setting.
tlsv12
This option may be used as "server" setting to reset any "no-tlsv12"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "no-tlsv12" setting.
tls-tickets
This option may be used as "server" setting to reset any "no-tls-tickets"
setting which would have been inherited from "default-server" directive as
default value.
It may also be used as "default-server" setting to reset any previous
"default-server" "no-tlsv-tickets" setting.
verify [none|required] verify [none|required]
This setting is only available when support for OpenSSL was built in. If set This setting is only available when support for OpenSSL was built in. If set
@ -11382,8 +11443,6 @@ verify [none|required]
using SSL to connect to servers, otherwise the communication is prone to using SSL to connect to servers, otherwise the communication is prone to
trivial man-in-the-middle attacks rendering SSL totally useless. trivial man-in-the-middle attacks rendering SSL totally useless.
Supported in default-server: No
verifyhost <hostname> verifyhost <hostname>
This setting is only available when support for OpenSSL was built in, and This setting is only available when support for OpenSSL was built in, and
only takes effect if 'verify required' is also specified. When set, the only takes effect if 'verify required' is also specified. When set, the
@ -11391,8 +11450,7 @@ verifyhost <hostname>
provided by the server are checked. If none of the hostnames in the provided by the server are checked. If none of the hostnames in the
certificate match the specified hostname, the handshake is aborted. The certificate match the specified hostname, the handshake is aborted. The
hostnames in the server-provided certificate may include wildcards. hostnames in the server-provided certificate may include wildcards.
See also "no-verifyhost" option.
Supported in default-server: No
weight <weight> weight <weight>
The "weight" parameter is used to adjust the server's weight relative to The "weight" parameter is used to adjust the server's weight relative to
@ -11405,8 +11463,6 @@ weight <weight>
can both grow and shrink, for instance between 10 and 100 to leave enough can both grow and shrink, for instance between 10 and 100 to leave enough
room above and below for later adjustments. room above and below for later adjustments.
Supported in default-server: Yes
5.3. Server IP address resolution using DNS 5.3. Server IP address resolution using DNS
------------------------------------------- -------------------------------------------