1148
1148
Creates a new peer list with name <peersect>. It is an independent section,
1149
1149
which is referenced by one or more stick-tables.
1152
Disables a peers section. It disables both listening and any synchronization
1153
related to this section. This is provided to disable synchronization of stick
1154
tables without having to comment out all "peers" references.
1157
This re-enables a disabled peers section which was previously disabled.
1151
1159
peer <peername> <ip>:<port>
1152
1160
Defines a peer inside a peers section.
1153
1161
If <peername> is set to the local peer name (by default hostname, or forced
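Review bot: The new description "This re-enables a disabled peers section which was previously disabled." says the same thing twice; "This re-enables a peers section which was previously disabled." is enough. The text for the disabling keyword says it stops "both listening and any synchronization", so it would also help to state here that re-enabling restores both.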
1342
1350
option forceclose (*) X X X X
1343
1351
-- keyword -------------------------- defaults - frontend - listen -- backend -
1344
1352
option forwardfor X X X X
1353
option http-ignore-probes (*) X X X -
1345
1354
option http-keep-alive (*) X X X X
1346
1355
option http-no-delay (*) X X X X
1347
1356
option http-pretend-keepalive (*) X X X X
3747
3756
yes | yes | yes | no
3748
3757
Arguments : none
3750
By default, HAProxy complies with RFC2616 in terms of message parsing. This
3759
By default, HAProxy complies with RFC7230 in terms of message parsing. This
3751
3760
means that invalid characters in header names are not permitted and cause an
3752
3761
error to be returned to the client. This is the desired behaviour as such
3753
3762
forbidden characters are essentially used to build attacks exploiting server
3760
3769
chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92 ('\'), 94 ('^'), 96
3761
3770
('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete) and anything above are
3762
3771
not allowed at all. Haproxy always blocks a number of them (0..32, 127). The
3763
remaining ones are blocked by default unless this option is enabled.
3772
remaining ones are blocked by default unless this option is enabled. This
3773
option also relaxes the test on the HTTP version format, it allows multiple
3774
digits for both the major and the minor version.
3765
3776
This option should never be enabled by default as it hides application bugs
3766
3777
and open security breaches. It should only be deployed after a problem has
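Review bot: The sentence added after "unless this option is enabled" says the option "also relaxes the test on the HTTP version format" but never states what the strict default accepts, so a reader cannot tell what is being given up by enabling it. Suggest stating the default explicitly (by implication, a single digit for each of major and minor) and fixing the comma splice, for example "This option also relaxes the test on the HTTP version format: it allows multiple digits for both the major and the minor version." The paragraph that follows warns that the option hides application bugs and opens security breaches, and it should be clear that this warning covers the version relaxation as well as the character relaxation.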
3786
3797
yes | no | yes | yes
3787
3798
Arguments : none
3789
By default, HAProxy complies with RFC2616 in terms of message parsing. This
3800
By default, HAProxy complies with RFC7230 in terms of message parsing. This
3790
3801
means that invalid characters in header names are not permitted and cause an
3791
3802
error to be returned to the client. This is the desired behaviour as such
3792
3803
forbidden characters are essentially used to build attacks exploiting server
3794
3805
server will emit invalid header names for whatever reason (configuration,
3795
3806
implementation) and the issue will not be immediately fixed. In such a case,
3796
3807
it is possible to relax HAProxy's header name parser to accept any character
3797
even if that does not make sense, by specifying this option.
3808
even if that does not make sense, by specifying this option. This option also
3809
relaxes the test on the HTTP version format, it allows multiple digits for
3810
both the major and the minor version.
3799
3812
This option should never be enabled by default as it hides application bugs
3800
3813
and open security breaches. It should only be deployed after a problem has
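Review bot: The sentence added after "by specifying this option" is copied word for word from the request-side option and does not say whose HTTP version is being checked. This paragraph is about a server that "will emit invalid header names", so the text should state that the relaxed test applies to the version in the server's response; otherwise it reads as if the client's request line were affected here too.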
3970
3983
simple port probe or scan will produce a log. If those connections pollute
3971
3984
the logs too much, it is possible to enable option "dontlognull" to indicate
3972
3985
that a connection on which no data has been transferred will not be logged,
3973
which typically corresponds to those probes.
3986
which typically corresponds to those probes. Note that errors will still be
3987
returned to the client and accounted for in the stats. If this is not what is
3988
desired, option http-ignore-probes can be used instead.
3975
3990
It is generally recommended not to use this option in uncontrolled
3976
3991
environments (eg: internet), otherwise scans and other malicious activities
3979
3994
If this option has been enabled in a "defaults" section, it can be disabled
3980
3995
in a specific instance by prepending the "no" keyword before it.
3982
See also : "log", "monitor-net", "monitor-uri" and section 8 about logging.
3997
See also : "log", "http-ignore-probes", "monitor-net", "monitor-uri", and
3998
section 8 about logging.
3985
4001
option forceclose
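Review bot: The added pointer "If this is not what is desired, option http-ignore-probes can be used instead" sits directly above the existing advice not to use dontlognull in uncontrolled environments because scans and other malicious activities would go unlogged, yet it recommends an option that suppresses more (the error response and the counters, per its own description). Suggest carrying the same caution into the cross-reference, or pointing to the warning in the http-ignore-probes section. The option name should also be quoted like the other keywords in this paragraph: "option http-ignore-probes".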
4075
4091
"option forceclose", "option http-keep-alive"
4094
option http-ignore-probes
4095
no option http-ignore-probes
4096
Enable or disable logging of null connections and request timeouts
4097
May be used in sections : defaults | frontend | listen | backend
4098
yes | yes | yes | no
4101
Recently some browsers started to implement a "pre-connect" feature
4102
consisting in speculatively connecting to some recently visited web sites
4103
just in case the user would like to visit them. This results in many
4104
connections being established to web sites, which end up in 408 Request
4105
Timeout if the timeout strikes first, or 400 Bad Request when the browser
4106
decides to close them first. These ones pollute the log and feed the error
4107
counters. There was already "option dontlognull" but it's insufficient in
4108
this case. Instead, this option does the following things :
4109
- prevent any 400/408 message from being sent to the client if nothing
4110
was received over a connection before it was closed ;
4111
- prevent any log from being emitted in this situation ;
4112
- prevent any error counter from being incremented
4114
That way the empty connection is silently ignored. Note that it is better
4115
not to use this unless it is clear that it is needed, because it will hide
4116
real problems. The most common reason for not receiving a request and seeing
4117
a 408 is due to an MTU inconsistency between the client and an intermediary
4118
element such as a VPN, which blocks too large packets. These issues are
4119
generally seen with POST requests as well as GET with large cookies. The logs
4120
are often the only way to detect them.
4122
If this option has been enabled in a "defaults" section, it can be disabled
4123
in a specific instance by prepending the "no" keyword before it.
4125
See also : "log", "dontlognull", "errorfile", and section 8 about logging.
4078
4128
option http-keep-alive
4079
4129
no option http-keep-alive
4080
4130
Enable or disable HTTP keep-alive from client to server
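Review bot: The summary line "Enable or disable logging of null connections and request timeouts" describes the opposite polarity and only a third of the behaviour: per the bullet list, enabling the option suppresses the 400/408 response, the log entry and the error counter increment. Suggest a summary along the lines of "Enable or disable ignoring of connections closed or timed out before any data was received". The caveat paragraph mentions MTU problems being hidden, but unlike the dontlognull text it does not mention that port probes and scans become invisible in both logs and stats, which is worth stating for anyone relying on those counters for detection. Minor: the third bullet lacks the terminator used on the first two.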
7868
7918
about the problem, and the connection is closed. The logs will report
7869
7919
termination codes "cR". Some recent browsers are having problems with this
7870
7920
standard, well-documented behaviour, so it might be needed to hide the 408
7871
code using "errorfile 408 /dev/null". See more details in the explanations of
7872
the "cR" termination code in section 8.5.
7921
code using "option http-ignore-probes" or "errorfile 408 /dev/null". See
7922
more details in the explanations of the "cR" termination code in section 8.5.
7874
7924
Note that this timeout only applies to the header part of the request, and
7875
7925
not to any data. As soon as the empty line is received, this timeout is not
7887
7937
effect, unless the frontend is in TCP mode, in which case the HTTP backend's
7888
7938
timeout will be used.
7890
See also : "errorfile", "timeout http-keep-alive", "timeout client".
7940
See also : "errorfile", "http-ignore-probes", "timeout http-keep-alive", and
7893
7944
timeout queue <timeout>
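Review bot: The rewritten sentence offers "option http-ignore-probes" or "errorfile 408 /dev/null" as interchangeable ways to hide the 408, but they are not equivalent. According to the option's own description it also prevents the log entry and the error counter increment, while the errorfile form is only described as hiding the 408 code. Suggest one clause stating that difference so operators who still want the "cR" log line know to pick the errorfile form.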
12765
12816
the request was typed by hand using a telnet client, and aborted
12766
12817
too early. The HTTP status code is likely a 400 here. Sometimes this
12767
12818
might also be caused by an IDS killing the connection between haproxy
12819
and the client. "option http-ignore-probes" can be used to ignore
12820
connections without any data transfer.
12770
12822
cR The "timeout http-request" stroke before the client sent a full HTTP
12771
12823
request. This is sometimes caused by too large TCP MSS values on the
12773
12825
packets, or by clients sending requests by hand and not typing fast
12774
12826
enough, or forgetting to enter the empty line at the end of the
12775
12827
request. The HTTP status code is likely a 408 here. Note: recently,
12776
some browsers such as Google Chrome started to break the deployed Web
12777
infrastructure by aggressively implementing a new "pre-connect"
12778
feature, consisting in sending connections to sites recently visited
12779
without sending any request on them until the user starts to browse
12780
the site. This mechanism causes massive disruption among resource-
12781
limited servers, and causes a lot of 408 errors in HAProxy logs.
12782
Worse, some people report that sometimes the browser displays the 408
12783
error when the user expects to see the actual content (Mozilla fixed
12784
this bug in 2004, while Chrome users continue to report it in 2014),
12785
so in this case, using "errorfile 408 /dev/null" can be used as a
12786
workaround. More information on the subject is available here :
12787
https://bugzilla.mozilla.org/show_bug.cgi?id=248827
12788
https://code.google.com/p/chromium/issues/detail?id=85229
12828
some browsers started to implement a "pre-connect" feature consisting
12829
in speculatively connecting to some recently visited web sites just
12830
in case the user would like to visit them. This results in many
12831
connections being established to web sites, which end up in 408
12832
Request Timeout if the timeout strikes first, or 400 Bad Request when
12833
the browser decides to close them first. These ones pollute the log
12834
and feed the error counters. Some versions of some browsers have even
12835
been reported to display the error code. It is possible to work
12836
around the undesirable effects of this behaviour by adding "option
12837
http-ignore-probes" in the frontend, resulting in connections with
12838
zero data transfer to be totally ignored. This will definitely hide
12839
the errors of people experiencing connectivity issues though.
12790
12841
CT The client aborted while its session was tarpitted. It is important to
12791
12842
check if this happens on valid requests, in order to be sure that no
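Review bot: The rewritten "cR" explanation drops the "errorfile 408 /dev/null" workaround, while the "timeout http-request" text still lists both workarounds and sends the reader here for "more details"; either keep a short mention of the errorfile form here or remove it there. The phrase "resulting in connections with zero data transfer to be totally ignored" should read "being totally ignored". The closing sentence "This will definitely hide the errors of people experiencing connectivity issues though" is the only caveat, and it would be stronger with a reference to the MTU explanation in the option's section. The same "option http-ignore-probes" pointer added to the "CR" entry above has no caveat at all.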
13220
13271
INI -> initializing
13221
13272
SOCKERR -> socket error
13222
13273
L4OK -> check passed on layer 4, no upper layers testing enabled
13223
L4TMOUT -> layer 1-4 timeout
13274
L4TOUT -> layer 1-4 timeout
13224
13275
L4CON -> layer 1-4 connection problem, for example
13225
13276
"Connection refused" (tcp rst) or "No route to host" (icmp)
13226
13277
L6OK -> check passed on layer 6
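Review bot: The corrected status name on the "layer 1-4 timeout" line, L4TOUT, is one character shorter than the L4TMOUT it replaces, so check that the "->" column still lines up with the neighbouring L4OK and L4CON entries. If the other timeout statuses in this list use the same TOUT spelling, a short mention of that in the commit message would make it clear this is a documentation correction and not a renamed status.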