"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/configuration.txt" between
haproxy-2.0.13.tar.gz and haproxy-2.0.14.tar.gz

About: HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. LTS (Long-Term Support) release.

configuration.txt  (haproxy-2.0.13):configuration.txt  (haproxy-2.0.14)
---------------------- ----------------------
HAProxy HAProxy
Configuration Manual Configuration Manual
---------------------- ----------------------
version 2.0 version 2.0
willy tarreau willy tarreau
2020/02/13 2020/04/02
This document covers the configuration language as implemented in the version This document covers the configuration language as implemented in the version
specified above. It does not provide any hints, examples, or advice. For such specified above. It does not provide any hints, examples, or advice. For such
documentation, please refer to the Reference Manual or the Architecture Manual. documentation, please refer to the Reference Manual or the Architecture Manual.
The summary below is meant to help you find sections by name and navigate The summary below is meant to help you find sections by name and navigate
through the document. through the document.
Note to documentation contributors : Note to documentation contributors :
This document is formatted with 80 columns per line, with even number of This document is formatted with 80 columns per line, with even number of
spaces for indentation and without tabs. Please follow these rules strictly spaces for indentation and without tabs. Please follow these rules strictly
skipping to change at line 835 skipping to change at line 835
Example: Example:
global global
hard-stop-after 30s hard-stop-after 30s
h1-case-adjust <from> <to> h1-case-adjust <from> <to>
Defines the case adjustment to apply, when enabled, to the header name Defines the case adjustment to apply, when enabled, to the header name
<from>, to change it to <to> before sending it to HTTP/1 clients or <from>, to change it to <to> before sending it to HTTP/1 clients or
servers. <from> must be in lower case, and <from> and <to> must not differ servers. <from> must be in lower case, and <from> and <to> must not differ
except for their case. It may be repeated if several header names need to be except for their case. It may be repeated if several header names need to be
ajusted. Duplicate entries are not allowed. If a lot of header names have to adjusted. Duplicate entries are not allowed. If a lot of header names have to
be adjusted, it might be more convenient to use "h1-case-adjust-file". be adjusted, it might be more convenient to use "h1-case-adjust-file".
Please note that no transformation will be applied unless "option Please note that no transformation will be applied unless "option
h1-case-adjust-bogus-client" or "option h1-case-adjust-bogus-server" is h1-case-adjust-bogus-client" or "option h1-case-adjust-bogus-server" is
specified in a proxy. specified in a proxy.
There is no standard case for header names because, as stated in RFC7230, There is no standard case for header names because, as stated in RFC7230,
they are case-insensitive. So applications must handle them in a case- they are case-insensitive. So applications must handle them in a case-
insensitive manner. But some bogus applications violate the standards and insensitive manner. But some bogus applications violate the standards and
erroneously rely on the cases most commonly used by browsers. This problem erroneously rely on the cases most commonly used by browsers. This problem
becomes critical with HTTP/2 because all header names must be exchanged in becomes critical with HTTP/2 because all header names must be exchanged in
skipping to change at line 4448 skipping to change at line 4448
http-request reject [ { if | unless } <condition> ] http-request reject [ { if | unless } <condition> ]
This stops the evaluation of the rules and immediately closes the connection This stops the evaluation of the rules and immediately closes the connection
without sending any response. It acts similarly to the without sending any response. It acts similarly to the
"tcp-request content reject" rules. It can be useful to force an immediate "tcp-request content reject" rules. It can be useful to force an immediate
connection closure on HTTP/2 connections. connection closure on HTTP/2 connections.
http-request replace-header <name> <match-regex> <replace-fmt> http-request replace-header <name> <match-regex> <replace-fmt>
[ { if | unless } <condition> ] [ { if | unless } <condition> ]
This matches the value of all occurences of header field <name> against This matches the value of all occurrences of header field <name> against
<match-regex>. Matching is performed case-sensitively. Matching values are <match-regex>. Matching is performed case-sensitively. Matching values are
completely replaced by <replace-fmt>. Format characters are allowed in completely replaced by <replace-fmt>. Format characters are allowed in
<replace-fmt> and work like <fmt> arguments in "http-request add-header". <replace-fmt> and work like <fmt> arguments in "http-request add-header".
Standard back-references using the backslash ('\') followed by a number are Standard back-references using the backslash ('\') followed by a number are
supported. supported.
This action acts on whole header lines, regardless of the number of values This action acts on whole header lines, regardless of the number of values
they may contain. Thus it is well-suited to process headers naturally they may contain. Thus it is well-suited to process headers naturally
containing commas in their value, such as If-Modified-Since. Headers that containing commas in their value, such as If-Modified-Since. Headers that
contain a comma-separated list of values, such as Accept, should be processed contain a comma-separated list of values, such as Accept, should be processed
skipping to change at line 8435 skipping to change at line 8435
set, then backend name is used. If <file> starts with a slash '/', then it is set, then backend name is used. If <file> starts with a slash '/', then it is
considered as an absolute path. Otherwise, <file> is concatenated to the considered as an absolute path. Otherwise, <file> is concatenated to the
global directive "server-state-file-base". global directive "server-state-file-base".
Example: the minimal configuration below would make HAProxy look for the Example: the minimal configuration below would make HAProxy look for the
state server file '/etc/haproxy/states/bk': state server file '/etc/haproxy/states/bk':
global global
server-state-file-base /etc/haproxy/states server-state-file-base /etc/haproxy/states
backend bk backend bk
load-server-state-from-file load-server-state-from-file
See also: "server-state-file-base", "load-server-state-from-file", and See also: "server-state-file-base", "load-server-state-from-file", and
"show servers state" "show servers state"
server-template <prefix> <num | range> <fqdn>[:<port>] [params*] server-template <prefix> <num | range> <fqdn>[:<port>] [params*]
Set a template to initialize servers with shared parameters. Set a template to initialize servers with shared parameters.
The names of these servers are built from <prefix> and <num | range> parameter s. The names of these servers are built from <prefix> and <num | range> parameter s.
May be used in sections : defaults | frontend | listen | backend May be used in sections : defaults | frontend | listen | backend
no | no | yes | yes no | no | yes | yes
skipping to change at line 11580 skipping to change at line 11580
be enabled using any configuration option. This option is also available on be enabled using any configuration option. This option is also available on
global statement "ssl-default-bind-options". Use "ssl-min-ver" and global statement "ssl-default-bind-options". Use "ssl-min-ver" and
"ssl-max-ver" instead. "ssl-max-ver" instead.
no-tls-tickets no-tls-tickets
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
disables the stateless session resumption (RFC 5077 TLS Ticket disables the stateless session resumption (RFC 5077 TLS Ticket
extension) and force to use stateful session resumption. Stateless extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage. This option is also session resumption is more expensive in CPU usage. This option is also
available on global statement "ssl-default-bind-options". available on global statement "ssl-default-bind-options".
The TLS ticket mechanism is only used up to TLS 1.2.
Forward Secrecy is compromised with TLS tickets, unless ticket keys
are periodically rotated (via reload or by using "tls-ticket-keys").
no-tlsv10 no-tlsv10
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
disables support for TLSv1.0 on any sockets instantiated from the listener disables support for TLSv1.0 on any sockets instantiated from the listener
when SSL is supported. Note that SSLv2 is forced disabled in the code and when SSL is supported. Note that SSLv2 is forced disabled in the code and
cannot be enabled using any configuration option. This option is also cannot be enabled using any configuration option. This option is also
available on global statement "ssl-default-bind-options". Use "ssl-min-ver" available on global statement "ssl-default-bind-options". Use "ssl-min-ver"
and "ssl-max-ver" instead. and "ssl-max-ver" instead.
no-tlsv11 no-tlsv11
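Review bot: the added sentence "Forward Secrecy is compromised with TLS tickets, unless ticket keys / are periodically rotated (via reload or by using "tls-ticket-keys")" states the risk without the mechanism, so the reader cannot tell what rotation actually buys; suggest one clause such as "tickets are encrypted with a key held by HAProxy, so anyone who later obtains that key can decrypt recorded sessions that were resumed with it; rotating the key bounds that exposure". The same three lines are inserted verbatim under the server-side "no-tls-tickets" and "tls-tickets" keywords further down; writing the explanation once and cross-referencing it from the other two places would keep the three copies from drifting apart in later edits.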
skipping to change at line 12279 skipping to change at line 12282
using any configuration option. Use "ssl-min-ver" and "ssl-max-ver" instead. using any configuration option. Use "ssl-min-ver" and "ssl-max-ver" instead.
Supported in default-server: No Supported in default-server: No
no-tls-tickets no-tls-tickets
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
disables the stateless session resumption (RFC 5077 TLS Ticket disables the stateless session resumption (RFC 5077 TLS Ticket
extension) and force to use stateful session resumption. Stateless extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage for servers. This option session resumption is more expensive in CPU usage for servers. This option
is also available on global statement "ssl-default-server-options". is also available on global statement "ssl-default-server-options".
The TLS ticket mechanism is only used up to TLS 1.2.
Forward Secrecy is compromised with TLS tickets, unless ticket keys
are periodically rotated (via reload or by using "tls-ticket-keys").
See also "tls-tickets". See also "tls-tickets".
no-tlsv10 no-tlsv10
This option disables support for TLSv1.0 when SSL is used to communicate with This option disables support for TLSv1.0 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it using any configuration option. TLSv1 is more expensive than SSLv3 so it
often makes sense to disable it when communicating with local servers. This often makes sense to disable it when communicating with local servers. This
option is also available on global statement "ssl-default-server-options". option is also available on global statement "ssl-default-server-options".
Use "ssl-min-ver" and "ssl-max-ver" instead. Use "ssl-min-ver" and "ssl-max-ver" instead.
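Review bot: the inserted note is copied unchanged from the bind-line keyword, but this section describes the case where HAProxy is the TLS client ("when SSL is used to communicate with the server"), so the ticket is issued and encrypted by the backend server, and neither a reload of HAProxy nor "tls-ticket-keys", which is a bind-line keyword, rotates that server's key. Suggest rewording the last sentence here to say that the ticket key to rotate is the backend server's, and that disabling tickets on the server line is the option when that key handling cannot be relied upon.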
skipping to change at line 12703 skipping to change at line 12709
This option enables ability to set the current state of the server by tracking This option enables ability to set the current state of the server by tracking
another one. It is possible to track a server which itself tracks another another one. It is possible to track a server which itself tracks another
server, provided that at the end of the chain, a server has health checks server, provided that at the end of the chain, a server has health checks
enabled. If <proxy> is omitted the current one is used. If disable-on-404 is enabled. If <proxy> is omitted the current one is used. If disable-on-404 is
used, it has to be enabled on both proxies. used, it has to be enabled on both proxies.
tls-tickets tls-tickets
This option may be used as "server" setting to reset any "no-tls-tickets" This option may be used as "server" setting to reset any "no-tls-tickets"
setting which would have been inherited from "default-server" directive as setting which would have been inherited from "default-server" directive as
default value. default value.
The TLS ticket mechanism is only used up to TLS 1.2.
Forward Secrecy is compromised with TLS tickets, unless ticket keys
are periodically rotated (via reload or by using "tls-ticket-keys").
It may also be used as "default-server" setting to reset any previous It may also be used as "default-server" setting to reset any previous
"default-server" "no-tlsv-tickets" setting. "default-server" "no-tls-tickets" setting.
verify [none|required] verify [none|required]
This setting is only available when support for OpenSSL was built in. If set This setting is only available when support for OpenSSL was built in. If set
to 'none', server certificate is not verified. In the other case, The to 'none', server certificate is not verified. In the other case, The
certificate provided by the server is verified using CAs from 'ca-file' and certificate provided by the server is verified using CAs from 'ca-file' and
optional CRLs from 'crl-file' after having checked that the names provided in optional CRLs from 'crl-file' after having checked that the names provided in
the certificate's subject and subjectAlternateNames attributes match either the certificate's subject and subjectAlternateNames attributes match either
the name passed using the "sni" directive, or if not provided, the static the name passed using the "sni" directive, or if not provided, the static
host name passed using the "verifyhost" directive. When no name is found, the host name passed using the "verifyhost" directive. When no name is found, the
certificate's names are ignored. For this reason, without SNI it's important certificate's names are ignored. For this reason, without SNI it's important
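Review bot: the inserted three-line note splits the two paragraphs that together describe the keyword's scope ("This option may be used as "server" setting to reset any "no-tls-tickets"" and "It may also be used as "default-server" setting to reset any previous"); move it after the "default-server" paragraph so the usage description reads continuously and the caveat comes last, as it does under "no-tls-tickets" above. The same client-side remark as for the server "no-tls-tickets" keyword applies: on a server line the ticket key belongs to the backend, so the reload / "tls-ticket-keys" wording does not fit here. The correction of "no-tlsv-tickets" to "no-tls-tickets" on the right side is right, since "no-tlsv-tickets" is not a keyword.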
skipping to change at line 15244 skipping to change at line 15253
count (the "use" value which is returned by "show table" on the CLI). This count (the "use" value which is returned by "show table" on the CLI). This
may sometimes be more suited for layer7 tracking. It can be used to tell a may sometimes be more suited for layer7 tracking. It can be used to tell a
server how many concurrent connections there are from a given address for server how many concurrent connections there are from a given address for
example. example.
so_id : integer so_id : integer
Returns an integer containing the current listening socket's id. It is useful Returns an integer containing the current listening socket's id. It is useful
in frontends involving many "bind" lines, or to stick all users coming via a in frontends involving many "bind" lines, or to stick all users coming via a
same socket to the same server. same socket to the same server.
so_name : string
Returns a string containing the current listening socket's name, as defined
with name on a "bind" line. It can serve the same purposes as so_id but with
strings instead of integers.
src : ip src : ip
This is the source IPv4 address of the client of the session. It is of type This is the source IPv4 address of the client of the session. It is of type
IP and works on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 addresses are IP and works on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 addresses are
mapped to their IPv6 equivalent, according to RFC 4291. Note that it is the mapped to their IPv6 equivalent, according to RFC 4291. Note that it is the
TCP-level source address which is used, and not the address of a client TCP-level source address which is used, and not the address of a client
behind a proxy. However if the "accept-proxy" or "accept-netscaler-cip" bind behind a proxy. However if the "accept-proxy" or "accept-netscaler-cip" bind
directive is used, it can be the address of a client behind another directive is used, it can be the address of a client behind another
PROXY-protocol compatible component for all rule sets except PROXY-protocol compatible component for all rule sets except
"tcp-request connection" which sees the real address. When the incoming "tcp-request connection" which sees the real address. When the incoming
connection passed through address translation or redirection involving connection passed through address translation or redirection involving
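Review bot: in the added "so_name" entry, "as defined with name on a "bind" line" should quote the keyword as "name", the way the surrounding entries quote "bind" and "show table"; unquoted, "name" reads as an ordinary word and the sentence is hard to parse. It would also help to state what the fetch yields when the "bind" line carries no name at all, since "so_id" above has no such undefined case and readers comparing the two entries will ask.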
 End of changes. 9 change blocks. 
5 lines changed or deleted 19 lines changed or added
