3.1. Process management and security

ca-base 

  1. Assigns a default directory to fetch SSL CA certificates and CRLs from when a
  2. relative path is used with "ca-file" or "crl-file" directives. Absolute
  3. locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base".

chroot 

  1. Changes current directory to <jail dir> and performs a chroot() there before
  2. dropping privileges. This increases the security level in case an unknown
  3. vulnerability would be exploited, since it would make it very hard for the
  4. attacker to exploit the system. This only works when the process is started
  5. with superuser privileges. It is important to ensure that <jail_dir> is both
  6. empty and non-writable to anyone.

cpu-map [auto:][/] 

  1. On Linux 2.6 and above, it is possible to bind a process or a thread to a
  2. specific CPU set. This means that the process or the thread will never run on
  3. other CPUs. The "cpu-map" directive specifies CPU sets for process or thread
  4. sets. The first argument is a process set, eventually followed by a thread
  5. set. These sets have the format
  6.  
  7.     all | odd | even | number[-[number]]
  8.  
  9. <number>> must be a number between 1 and 32 or 64, depending on the machine's
  10. word size. Any process IDs above nbproc and any thread IDs above nbthread are
  11. ignored. It is possible to specify a range with two such number delimited by
  12. a dash ('-'). It also is possible to specify all processes at once using
  13. "all", only odd numbers using "odd" or even numbers using "even", just like
  14. with the "bind-process" directive. The second and forthcoming arguments are
  15. CPU sets. Each CPU set is either a unique number between 0 and 31 or 63 or a
  16. range with two such numbers delimited by a dash ('-'). Multiple CPU numbers
  17. or ranges may be specified, and the processes or threads will be allowed to
  18. bind to all of them. Obviously, multiple "cpu-map" directives may be
  19. specified. Each "cpu-map" directive will replace the previous ones when they
  20. overlap. A thread will be bound on the intersection of its mapping and the
  21. one of the process on which it is attached. If the intersection is null, no
  22. specific binding will be set for the thread.
  23.  
  24. Ranges can be partially defined. The higher bound can be omitted. In such
  25. case, it is replaced by the corresponding maximum value, 32 or 64 depending
  26. on the machine's word size.
  27.  
  28. The prefix "auto:" can be added before the process set to let HAProxy
  29. automatically bind a process or a thread to a CPU by incrementing
  30. process/thread and CPU sets. To be valid, both sets must have the same
  31. size. No matter the declaration order of the CPU sets, it will be bound from
  32. the lowest to the highest bound. Having a process and a thread range with the
  33. "auto:" prefix is not supported. Only one range is supported, the other one
  34. must be a fixed number.

Examples:

  1. cpu-map 1-4 0-3   # bind processes 1 to 4 on the first 4 CPUs
  3. cpu-map 1/all 0-3 # bind all threads of the first process on the
  4.                   # first 4 CPUs
  6. cpu-map 1- 0-     # will be replaced by "cpu-map 1-64 0-63"
  7.                   # or "cpu-map 1-32 0-31" depending on the machine's
  8.                   # word size.
  10. # all these lines bind the process 1 to the cpu 0, the process 2 to cpu 1
  11. # and so on.
  12. cpu-map auto:1-4   0-3
  13. cpu-map auto:1-4   0-1 2-3
  14. cpu-map auto:1-4   3 2 1 0
  16. # all these lines bind the thread 1 to the cpu 0, the thread 2 to cpu 1
  17. # and so on.
  18. cpu-map auto:1/1-4   0-3
  19. cpu-map auto:1/1-4   0-1 2-3
  20. cpu-map auto:1/1-4   3 2 1 0
  22. # bind each process to exactly one CPU using all/odd/even keyword
  23. cpu-map auto:all   0-63
  24. cpu-map auto:even  0-31
  25. cpu-map auto:odd   32-63
  27. # invalid cpu-map because process and CPU sets have different sizes.
  28. cpu-map auto:1-4   0    # invalid
  29. cpu-map auto:1     0-3  # invalid
  31. # invalid cpu-map because automatic binding is used with a process range
  32. # and a thread range.
  33. cpu-map auto:all/all   0 # invalid
  34. cpu-map auto:all/1-4   0 # invalid
  35. cpu-map auto:1-4/all   0 # invalid

crt-base 

  1. Assigns a default directory to fetch SSL certificates from when a relative
  2. path is used with "crtfile" directives. Absolute locations specified after
  3. "crtfile" prevail and ignore "crt-base".

daemon

  1. Makes the process fork into background. This is the recommended mode of
  2. operation. It is equivalent to the command line "-D" argument. It can be
  3. disabled by the command line "-db" argument. This option is ignored in
  4. systemd mode.

deviceatlas-json-file 

  1. Sets the path of the DeviceAtlas JSON data file to be loaded by the API.
  2. The path must be a valid JSON data file and accessible by HAProxy process.

deviceatlas-log-level 

  1. Sets the level of information returned by the API. This directive is
  2. optional and set to 0 by default if not set.

deviceatlas-separator 

  1. Sets the character separator for the API properties results. This directive
  2. is optional and set to | by default if not set.

deviceatlas-properties-cookie 

  1. Sets the client cookie's name used for the detection if the DeviceAtlas
  2. Client-side component was used during the request. This directive is optional
  3. and set to DAPROPS by default if not set.

external-check

  1. Allows the use of an external agent to perform health checks.
  2. This is disabled by default as a security precaution.
  3. See "option external-check".

gid 

  1. Changes the process' group ID to <number>. It is recommended that the group
  2. ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
  3. be started with a user belonging to this group, or with superuser privileges.
  4. Note that if haproxy is started from a user having supplementary groups, it
  5. will only be able to drop these groups if started with superuser privileges.
  6. See also "group" and "uid".

group 

  1. Similar to "gid" but uses the GID of group name <group name> from /etc/group.
  2. See also "gid" and "user".

hard-stop-after 

  1. Defines the maximum time allowed to perform a clean soft-stop.

Arguments :

  1. <time>  is the maximum time (by default in milliseconds) for which the
  2.         instance will remain alive when a soft-stop is received via the
  3.         SIGUSR1 signal.
  1. This may be used to ensure that the instance will quit even if connections
  2. remain opened during a soft-stop (for example with long timeouts for a proxy
  3. in tcp mode). It applies both in TCP and HTTP mode.

Example:

  1. global
  2.   hard-stop-after 30s

h1-case-adjust 

  1. Defines the case adjustment to apply, when enabled, to the header name
  2. <from>, to change it to <to> before sending it to HTTP/1 clients or
  3. servers. <from> must be in lower case, and <from> and <to> must not differ
  4. except for their case. It may be repeated if several header names need to be
  5. adjusted. Duplicate entries are not allowed. If a lot of header names have to
  6. be adjusted, it might be more convenient to use "h1-case-adjust-file".
  7. Please note that no transformation will be applied unless "option
  8. h1-case-adjust-bogus-client" or "option h1-case-adjust-bogus-server" is
  9. specified in a proxy.
  10.  
  11. There is no standard case for header names because, as stated in RFC7230,
  12. they are case-insensitive. So applications must handle them in a case-
  13. insensitive manner. But some bogus applications violate the standards and
  14. erroneously rely on the cases most commonly used by browsers. This problem
  15. becomes critical with HTTP/2 because all header names must be exchanged in
  16. lower case, and HAProxy follows the same convention. All header names are
  17. sent in lower case to clients and servers, regardless of the HTTP version.
  18.  
  19. Applications which fail to properly process requests or responses may require
  20. to temporarily use such workarounds to adjust header names sent to them for
  21. the time it takes the application to be fixed. Please note that an
  22. application which requires such workarounds might be vulnerable to content
  23. smuggling attacks and must absolutely be fixed.

Example:

  1. global
  2.   h1-case-adjust content-length Content-Length
  1. See "h1-case-adjust-file", "option h1-case-adjust-bogus-client" and
  2. "option h1-case-adjust-bogus-server".

h1-case-adjust-file 

  1. Defines a file containing a list of key/value pairs used to adjust the case
  2. of some header names before sending them to HTTP/1 clients or servers. The
  3. file <hdrs-file> must contain 2 header names per line. The first one must be
  4. in lower case and both must not differ except for their case. Lines which
  5. start with '#' are ignored, just like empty lines. Leading and trailing tabs
  6. and spaces are stripped. Duplicate entries are not allowed. Please note that
  7. no transformation will be applied unless "option h1-case-adjust-bogus-client"
  8. or "option h1-case-adjust-bogus-server" is specified in a proxy.
  9.  
  10. If this directive is repeated, only the last one will be processed.  It is an
  11. alternative to the directive "h1-case-adjust" if a lot of header names need
  12. to be adjusted. Please read the risks associated with using this.
  13.  
  14. See "h1-case-adjust", "option h1-case-adjust-bogus-client" and
  15. "option h1-case-adjust-bogus-server".

log

[len ] [format ] [sample :] [max level [min level]]

  1. Adds a global syslog server. Several global servers can be defined. They
  2. will receive logs for starts and exits, as well as all logs from proxies
  3. configured with "log global".
  4.  
  5. <address> can be one of:
  6.  
  7.       - An IPv4 address optionally followed by a colon and a UDP port. If
  8.         no port is specified, 514 is used by default (the standard syslog
  9.         port).
  10.  
  11.       - An IPv6 address followed by a colon and optionally a UDP port. If
  12.         no port is specified, 514 is used by default (the standard syslog
  13.         port).
  14.  
  15.       - A filesystem path to a datagram UNIX domain socket, keeping in mind
  16.         considerations for chroot (be sure the path is accessible inside
  17.         the chroot) and uid/gid (be sure the path is appropriately
  18.         writable).
  19.  
  20.       - A file descriptor number in the form "fd@<number>", which may point
  21.         to a pipe, terminal, or socket. In this case unbuffered logs are used
  22.         and one writev() call per log is performed. This is a bit expensive
  23.         but acceptable for most workloads. Messages sent this way will not be
  24.         truncated but may be dropped, in which case the DroppedLogs counter
  25.         will be incremented. The writev() call is atomic even on pipes for
  26.         messages up to PIPE_BUF size, which POSIX recommends to be at least
  27.         512 and which is 4096 bytes on most modern operating systems. Any
  28.         larger message may be interleaved with messages from other processes.
  29.         Exceptionally for debugging purposes the file descriptor may also be
  30.         directed to a file, but doing so will significantly slow haproxy down
  31.         as non-blocking calls will be ignored. Also there will be no way to
  32.         purge nor rotate this file without restarting the process. Note that
  33.         the configured syslog format is preserved, so the output is suitable
  34.         for use with a TCP syslog server. See also the "short" and "raw"
  35.         format below.
  36.  
  37.       - "stdout" / "stderr", which are respectively aliases for "fd@1" and
  38.         "fd@2", see above.
  39.  
  40.       You may want to reference some environment variables in the address
  41.       parameter, see section 2.3 about environment variables.
  42.  
  43. <length> is an optional maximum line length. Log lines larger than this value
  44.          will be truncated before being sent. The reason is that syslog
  45.          servers act differently on log line length. All servers support the
  46.          default value of 1024, but some servers simply drop larger lines
  47.          while others do log them. If a server supports long lines, it may
  48.          make sense to set this value here in order to avoid truncating long
  49.          lines. Similarly, if a server drops long lines, it is preferable to
  50.          truncate them before sending them. Accepted values are 80 to 65535
  51.          inclusive. The default value of 1024 is generally fine for all
  52.          standard usages. Some specific cases of long captures or
  53.          JSON-formatted logs may require larger values. You may also need to
  54.          increase "tune.http.logurilen" if your request URIs are truncated.
  55.  
  56. <format> is the log format used when generating syslog messages. It may be
  57.          one of the following :
  58.  
  59.   rfc3164   The RFC3164 syslog message format. This is the default.
  60.             (https://tools.ietf.org/html/rfc3164)
  61.  
  62.   rfc5424   The RFC5424 syslog message format.
  63.             (https://tools.ietf.org/html/rfc5424)
  64.  
  65.   short     A message containing only a level between angle brackets such as
  66.             '<3>', followed by the text. The PID, date, time, process name
  67.             and system name are omitted. This is designed to be used with a
  68.             local log server. This format is compatible with what the systemd
  69.             logger consumes.
  70.  
  71.   raw       A message containing only the text. The level, PID, date, time,
  72.             process name and system name are omitted. This is designed to be
  73.             used in containers or during development, where the severity only
  74.             depends on the file descriptor used (stdout/stderr).
  75.  
  76. <ranges>   A list of comma-separated ranges to identify the logs to sample.
  77.            This is used to balance the load of the logs to send to the log
  78.            server. The limits of the ranges cannot be null. They are numbered
  79.            from 1. The size or period (in number of logs) of the sample must be
  80.            set with <sample_size> parameter.
  81.  
  82. <sample_size>
  83.            The size of the sample in number of logs to consider when balancing
  84.            their logging loads. It is used to balance the load of the logs to
  85.            send to the syslog server. This size must be greater or equal to the
  86.            maximum of the high limits of the ranges.
  87.            (see also <ranges> parameter).
  88.  
  89. <facility> must be one of the 24 standard syslog facilities :
  90.  
  91.                kern   user   mail   daemon auth   syslog lpr    news
  92.                uucp   cron   auth2  ftp    ntp    audit  alert  cron2
  93.                local0 local1 local2 local3 local4 local5 local6 local7
  94.  
  95.            Note that the facility is ignored for the "short" and "raw"
  96.            formats, but still required as a positional field. It is
  97.            recommended to use "daemon" in this case to make it clear that
  98.            it's only supposed to be used locally.
  99.  
  100. An optional level can be specified to filter outgoing messages. By default,
  101. all messages are sent. If a maximum level is specified, only messages with a
  102. severity at least as important as this level will be sent. An optional minimum
  103. level can be specified. If it is set, logs emitted with a more severe level
  104. than this one will be capped to this level. This is used to avoid sending
  105. "emerg" messages on all terminals on some default syslog configurations.
  106. Eight levels are known :
  107.  
  108.         emerg  alert  crit   err    warning notice info  debug

log-send-hostname []

  1. Sets the hostname field in the syslog header. If optional "string" parameter
  2. is set the header is set to the string contents, otherwise uses the hostname
  3. of the system. Generally used if one is not relaying logs through an
  4. intermediate syslog server or for simply customizing the hostname printed in
  5. the logs.

log-tag 

  1. Sets the tag field in the syslog header to this string. It defaults to the
  2. program name as launched from the command line, which usually is "haproxy".
  3. Sometimes it can be useful to differentiate between multiple processes
  4. running on the same host. See also the per-proxy "log-tag" directive.

lua-load 

  1. This global directive loads and executes a Lua file. This directive can be
  2. used multiple times.

master-worker [no-exit-on-failure]

  1. Master-worker mode. It is equivalent to the command line "-W" argument.
  2. This mode will launch a "master" which will monitor the "workers". Using
  3. this mode, you can reload HAProxy directly by sending a SIGUSR2 signal to
  4. the master. The master-worker mode is compatible either with the foreground
  5. or daemon mode. It is recommended to use this mode with multiprocess and
  6. systemd.
  7. By default, if a worker exits with a bad return code, in the case of a
  8. segfault for example, all workers will be killed, and the master will leave.
  9. It is convenient to combine this behavior with Restart=on-failure in a
  10. systemd unit file in order to relaunch the whole process. If you don't want
  11. this behavior, you must use the keyword "no-exit-on-failure".
  12.  
  13. See also "-W" in the management guide.

mworker-max-reloads 

  1. In master-worker mode, this option limits the number of time a worker can
  2. survive to a reload. If the worker did not leave after a reload, once its
  3. number of reloads is greater than this number, the worker will receive a
  4. SIGTERM. This option helps to keep under control the number of workers.
  5. See also "show proc" in the Management Guide.

nbproc 

  1. Creates <number> processes when going daemon. This requires the "daemon"
  2. mode. By default, only one process is created, which is the recommended mode
  3. of operation. For systems limited to small sets of file descriptors per
  4. process, it may be needed to fork multiple daemons. When set to a value
  5. larger than 1, threads are automatically disabled. USING MULTIPLE PROCESSES
  6. IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon" and
  7. "nbthread".

nbthread 

  1. This setting is only available when support for threads was built in. It
  2. makes haproxy run on <number> threads. This is exclusive with "nbproc". While
  3. "nbproc" historically used to be the only way to use multiple processors, it
  4. also involved a number of shortcomings related to the lack of synchronization
  5. between processes (health-checks, peers, stick-tables, stats, ...) which do
  6. not affect threads. As such, any modern configuration is strongly encouraged
  7. to migrate away from "nbproc" to "nbthread". "nbthread" also works when
  8. HAProxy is started in foreground. On some platforms supporting CPU affinity,
  9. when nbproc is not used, the default "nbthread" value is automatically set to
  10. the number of CPUs the process is bound to upon startup. This means that the
  11. thread count can easily be adjusted from the calling process using commands
  12. like "taskset" or "cpuset". Otherwise, this value defaults to 1. The default
  13. value is reported in the output of "haproxy -vv". See also "nbproc".

pidfile 

  1. Writes PIDs of all daemons into file <pidfile>. This option is equivalent to
  2. the "-p" command line argument. The file must be accessible to the user
  3. starting the process. See also "daemon".

presetenv 

  1. Sets environment variable <name> to value <value>. If the variable exists, it
  2. is NOT overwritten. The changes immediately take effect so that the next line
  3. in the configuration file sees the new value. See also "setenv", "resetenv",
  4. and "unsetenv".

resetenv [ …]

  1. Removes all environment variables except the ones specified in argument. It
  2. allows to use a clean controlled environment before setting new values with
  3. setenv or unsetenv. Please note that some internal functions may make use of
  4. some environment variables, such as time manipulation functions, but also
  5. OpenSSL or even external checks. This must be used with extreme care and only
  6. after complete validation. The changes immediately take effect so that the
  7. next line in the configuration file sees the new environment. See also
  8. "setenv", "presetenv", and "unsetenv".

stats bind-process [ all | odd | even | [-[process_num>]] ] …

  1. Limits the stats socket to a certain set of processes numbers. By default the
  2. stats socket is bound to all processes, causing a warning to be emitted when
  3. nbproc is greater than 1 because there is no way to select the target process
  4. when connecting. However, by using this setting, it becomes possible to pin
  5. the stats socket to a specific set of processes, typically the first one. The
  6. warning will automatically be disabled when this setting is used, whatever
  7. the number of processes used. The maximum process ID depends on the machine's
  8. word size (32 or 64). Ranges can be partially defined. The higher bound can
  9. be omitted. In such case, it is replaced by the corresponding maximum
  10. value. A better option consists in using the "process" setting of the "stats
  11. socket" line to force the process on each line.

server-state-base 

  1. Specifies the directory prefix to be prepended in front of all servers state
  2. file names which do not start with a '/'. See also "server-state-file",
  3. "load-server-state-from-file" and "server-state-file-name".

server-state-file 

  1. Specifies the path to the file containing state of servers. If the path starts
  2. with a slash ('/'), it is considered absolute, otherwise it is considered
  3. relative to the directory specified using "server-state-base" (if set) or to
  4. the current directory. Before reloading HAProxy, it is possible to save the
  5. servers' current state using the stats command "show servers state". The
  6. output of this command must be written in the file pointed by <file>. When
  7. starting up, before handling traffic, HAProxy will read, load and apply state
  8. for each server found in the file and available in its current running
  9. configuration. See also "server-state-base" and "show servers state",
  10. "load-server-state-from-file" and "server-state-file-name"

setenv 

  1. Sets environment variable <name> to value <value>. If the variable exists, it
  2. is overwritten. The changes immediately take effect so that the next line in
  3. the configuration file sees the new value. See also "presetenv", "resetenv",
  4. and "unsetenv".

set-dumpable

  1. This option is better left disabled by default and enabled only upon a
  2. developer's request. It has no impact on performance nor stability but will
  3. try hard to re-enable core dumps that were possibly disabled by file size
  4. limitations (ulimit -f), core size limitations (ulimit -c), or "dumpability"
  5. of a process after changing its UID/GID (such as /proc/sys/fs/suid_dumpable
  6. on Linux). Core dumps might still be limited by the current directory's
  7. permissions (check what directory the file is started from), the chroot
  8. directory's permission (it may be needed to temporarily disable the chroot
  9. directive or to move it to a dedicated writable location), or any other
  10. system-specific constraint. For example, some Linux flavours are notorious
  11. for replacing the default core file with a path to an executable not even
  12. installed on the system (check /proc/sys/kernel/core_pattern). Often, simply
  13. writing "core", "core.%p" or "/var/log/core/core.%p" addresses the issue.
  14. When trying to enable this option waiting for a rare issue to re-appear, it's
  15. often a good idea to first try to obtain such a dump by issuing, for example,
  16. "kill -11" to the haproxy process and verify that it leaves a core where
  17. expected when dying.

ssl-default-bind-ciphers 

  1. This setting is only available when support for OpenSSL was built in. It sets
  2. the default string describing the list of cipher algorithms ("cipher suite")
  3. that are negotiated during the SSL/TLS handshake up to TLSv1.2 for all
  4. "bind" lines which do not explicitly define theirs. The format of the string
  5. is defined in "man 1 ciphers" from OpenSSL man pages. For background
  6. information and recommendations see e.g.
  7. (https://wiki.mozilla.org/Security/Server_Side_TLS) and
  8. (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
  9. cipher configuration, please check the "ssl-default-bind-ciphersuites" keyword.
  10. Please check the "bind" keyword for more information.

ssl-default-bind-ciphersuites 

  1. This setting is only available when support for OpenSSL was built in and
  2. OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string
  3. describing the list of cipher algorithms ("cipher suite") that are negotiated
  4. during the TLSv1.3 handshake for all "bind" lines which do not explicitly define
  5. theirs. The format of the string is defined in
  6. "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
  7. cipher configuration for TLSv1.2 and earlier, please check the
  8. "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
  9. information.

ssl-default-bind-options [

  1. This setting is only available when support for OpenSSL was built in. It sets
  2. default ssl-options to force on all "bind" lines. Please check the "bind"
  3. keyword to see available options.

Example:

  1. global
  2.    ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets

ssl-default-server-ciphers 

  1. This setting is only available when support for OpenSSL was built in. It
  2. sets the default string describing the list of cipher algorithms that are
  3. negotiated during the SSL/TLS handshake up to TLSv1.2 with the server,
  4. for all "server" lines which do not explicitly define theirs. The format of
  5. the string is defined in "man 1 ciphers" from OpenSSL man pages. For background
  6. information and recommendations see e.g.
  7. (https://wiki.mozilla.org/Security/Server_Side_TLS) and
  8. (https://mozilla.github.io/server-side-tls/ssl-config-generator/).
  9. For TLSv1.3 cipher configuration, please check the
  10. "ssl-default-server-ciphersuites" keyword. Please check the "server" keyword
  11. for more information.

ssl-default-server-ciphersuites 

  1. This setting is only available when support for OpenSSL was built in and
  2. OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default
  3. string describing the list of cipher algorithms that are negotiated during
  4. the TLSv1.3 handshake with the server, for all "server" lines which do not
  5. explicitly define theirs. The format of the string is defined in
  6. "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
  7. cipher configuration for TLSv1.2 and earlier, please check the
  8. "ssl-default-server-ciphers" keyword. Please check the "server" keyword for
  9. more information.

ssl-default-server-options [

  1. This setting is only available when support for OpenSSL was built in. It sets
  2. default ssl-options to force on all "server" lines. Please check the "server"
  3. keyword to see available options.

ssl-dh-param-file 

  1. This setting is only available when support for OpenSSL was built in. It sets
  2. the default DH parameters that are used during the SSL/TLS handshake when
  3. ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines
  4. which do not explicitly define theirs. It will be overridden by custom DH
  5. parameters found in a bind certificate file if any. If custom DH parameters
  6. are not specified either by using ssl-dh-param-file or by setting them
  7. directly in the certificate file, pre-generated DH parameters of the size
  8. specified by tune.ssl.default-dh-param will be used. Custom parameters are
  9. known to be more secure and therefore their use is recommended.
  10. Custom DH parameters may be generated by using the OpenSSL command
  11. "openssl dhparam <size>", where size should be at least 2048, as 1024-bit DH
  12. parameters should not be considered secure anymore.

ssl-server-verify [none|required]

  1. The default behavior for SSL verify on servers side. If specified to 'none',
  2. servers certificates are not verified. The default is 'required' except if
  3. forced using cmdline option '-dV'.

stats socket [|] [param*]

  1. Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
  2. Connections to this socket will return various statistics outputs and even
  3. allow some commands to be issued to change some runtime settings. Please
  4. consult section 9.3 "Unix Socket commands" of Management Guide for more
  5. details.
  6.  
  7. All parameters supported by "bind" lines are supported, for instance to
  8. restrict access to some users or their access rights. Please consult
  9. section 5.1 for more information.

stats timeout 

  1. The default timeout on the stats socket is set to 10 seconds. It is possible
  2. to change this value with "stats timeout". The value must be passed in
  3. milliseconds, or be suffixed by a time unit among { us, ms, s, m, h, d }.

stats maxconn 

  1. By default, the stats socket is limited to 10 concurrent connections. It is
  2. possible to change this value with "stats maxconn".

uid 

  1. Changes the process' user ID to <number>. It is recommended that the user ID
  2. is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
  3. be started with superuser privileges in order to be able to switch to another
  4. one. See also "gid" and "user".

ulimit-n 

  1. Sets the maximum number of per-process file-descriptors to <number>. By
  2. default, it is automatically computed, so it is recommended not to use this
  3. option.

unix-bind [ prefix ] [ mode ] [ user ] [ uid ] [ group ] [ gid ]

  1. Fixes common settings to UNIX listening sockets declared in "bind" statements.
  2. This is mainly used to simplify declaration of those UNIX sockets and reduce
  3. the risk of errors, since those settings are most commonly required but are
  4. also process-specific. The <prefix> setting can be used to force all socket
  5. path to be relative to that directory. This might be needed to access another
  6. component's chroot. Note that those paths are resolved before haproxy chroots
  7. itself, so they are absolute. The <mode>, <user>, <uid>, <group> and <gid>
  8. all have the same meaning as their homonyms used by the "bind" statement. If
  9. both are specified, the "bind" statement has priority, meaning that the
  10. "unix-bind" settings may be seen as process-wide default settings.

unsetenv [ …]

  1. Removes environment variables specified in arguments. This can be useful to
  2. hide some sensitive information that are occasionally inherited from the
  3. user's environment during some operations. Variables which did not exist are
  4. silently ignored so that after the operation, it is certain that none of
  5. these variables remain. The changes immediately take effect so that the next
  6. line in the configuration file will not see these variables. See also
  7. "setenv", "presetenv", and "resetenv".

user 

  1. Similar to "uid" but uses the UID of user name <user name> from /etc/passwd.
  2. See also "uid" and "group".

node 

  1. Only letters, digits, hyphen and underscore are allowed, like in DNS names.
  2.  
  3. This statement is useful in HA configurations where two or more processes or
  4. servers share the same IP address. By setting a different node-name on all
  5. nodes, it becomes easy to immediately spot what server is handling the
  6. traffic.

description 

  1. Add a text that describes the instance.
  2.  
  3. Please note that it is required to escape certain characters (# for example)
  4. and this text is inserted into a html page so you should avoid using
  5. "<" and ">" characters.

51degrees-data-file 

  1. The path of the 51Degrees data file to provide device detection services. The
  2. file should be unzipped and accessible by HAProxy with relevant permissions.
  3.  
  4. Please note that this option is only available when haproxy has been
  5. compiled with USE_51DEGREES.

51degrees-property-name-list [ …]

  1. A list of 51Degrees property names to be load from the dataset. A full list
  2. of names is available on the 51Degrees website:
  3. https://51degrees.com/resources/property-dictionary
  4.  
  5. Please note that this option is only available when haproxy has been
  6. compiled with USE_51DEGREES.

51degrees-property-separator 

  1. A char that will be appended to every property value in a response header
  2. containing 51Degrees results. If not set that will be set as ','.
  3.  
  4. Please note that this option is only available when haproxy has been
  5. compiled with USE_51DEGREES.

51degrees-cache-size 

  1. Sets the size of the 51Degrees converter cache to <number> entries. This
  2. is an LRU cache which reminds previous device detections and their results.
  3. By default, this cache is disabled.
  4.  
  5. Please note that this option is only available when haproxy has been
  6. compiled with USE_51DEGREES.

wurfl-data-file 

  1. The path of the WURFL data file to provide device detection services. The
  2. file should be accessible by HAProxy with relevant permissions.
  3.  
  4. Please note that this option is only available when haproxy has been compiled
  5. with USE_WURFL=1.

wurfl-information-list []*

  1. A space-delimited list of WURFL capabilities, virtual capabilities, property
  2. names we plan to use in injected headers. A full list of capability and
  3. virtual capability names is available on the Scientiamobile website :
  4.  
  5.     https://www.scientiamobile.com/wurflCapability
  6.  
  7. Valid WURFL properties are:
  8. - wurfl_id                    Contains the device ID of the matched device.
  9.  
  10. - wurfl_root_id               Contains the device root ID of the matched
  11.                               device.
  12.  
  13. - wurfl_isdevroot             Tells if the matched device is a root device.
  14.                               Possible values are "TRUE" or "FALSE".
  15.  
  16. - wurfl_useragent             The original useragent coming with this
  17.                               particular web request.
  18.  
  19. - wurfl_api_version           Contains a string representing the currently
  20.                               used Libwurfl API version.
  21.  
  22. - wurfl_info                  A string containing information on the parsed
  23.                               wurfl.xml and its full path.
  24.  
  25. - wurfl_last_load_time        Contains the UNIX timestamp of the last time
  26.                               WURFL has been loaded successfully.
  27.  
  28. - wurfl_normalized_useragent  The normalized useragent.
  29.  
  30. Please note that this option is only available when haproxy has been compiled
  31. with USE_WURFL=1.

wurfl-information-list-separator 

  1. A char that will be used to separate values in a response header containing
  2. WURFL results. If not set that a comma (',') will be used by default.
  3.  
  4. Please note that this option is only available when haproxy has been compiled
  5. with USE_WURFL=1.

wurfl-patch-file []

  1. A list of WURFL patch file paths. Note that patches are loaded during startup
  2. thus before the chroot.
  3.  
  4. Please note that this option is only available when haproxy has been compiled
  5. with USE_WURFL=1.

wurfl-cache-size 

  1. Sets the WURFL Useragent cache size. For faster lookups, already processed user
  2. agents are kept in a LRU cache :
  3. - "0"     : no cache is used.
  4. - <size>  : size of lru cache in elements.
  5.  
  6. Please note that this option is only available when haproxy has been compiled
  7. with USE_WURFL=1.