3rdstage's Wiki
(47 intermediate revisions by the same user not shown)
Line 14: Line 14:
   
 
* [http://www.haproxy.org/#docs HAProxy official documentation]
 
* [http://www.haproxy.org/#docs HAProxy official documentation]
* '''1.8'''
+
* '''HAProxy 1.8'''
 
** [http://cbonte.github.io/haproxy-dconv/1.8/intro.html HAProxy Starter Guide]
 
** [http://cbonte.github.io/haproxy-dconv/1.8/intro.html HAProxy Starter Guide]
 
** [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html HAProxy Configuration Manual]
 
** [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html HAProxy Configuration Manual]
Line 29: Line 29:
 
*** [http://cbonte.github.io/haproxy-dconv/1.8/management.html#3 Starting HAProxy]
 
*** [http://cbonte.github.io/haproxy-dconv/1.8/management.html#3 Starting HAProxy]
 
*** [http://cbonte.github.io/haproxy-dconv/1.8/management.html#4 Stopping and restarting HAProxy]
 
*** [http://cbonte.github.io/haproxy-dconv/1.8/management.html#4 Stopping and restarting HAProxy]
  +
  +
* [https://www.haproxy.com/documentation/aloha/ ALOHA Documentation]
  +
* '''ALOHA 11.0'''
  +
** [https://www.haproxy.com/documentation/aloha/11-0/ ALOHA 11.0 Documentation]
  +
** [https://www.haproxy.com/documentation/aloha/11-0/traffic-management/lb-layer7/health-checks/ Performing Health Checks]
   
 
* [https://en.wikipedia.org/wiki/Proxy_server Proxy Server]
 
* [https://en.wikipedia.org/wiki/Proxy_server Proxy Server]
Line 88: Line 93:
 
| Adds a global syslog server ||
 
| Adds a global syslog server ||
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-nbproc '''<tt>nbproc &lt;number&gt;</tt>''']
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-log-tag <tt>'''log-tag''' &lt;string&gt;</tt>]
  +
| Sets the tag field in the syslog header to this string. ||
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-nbproc <tt>'''nbproc''' &lt;number&gt;</tt>]
 
| Creates &lt;number&gt; processes when going daemon || default: 1
 
| Creates &lt;number&gt; processes when going daemon || default: 1
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-nbthread '''<tt>nbthread &lt;number&gt;</tt>''']
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-nbthread <tt>'''nbthread''' &lt;number&gt;</tt>]
 
| Creates &lt;number&gt; threads for each created processes ||
 
| Creates &lt;number&gt; threads for each created processes ||
 
|-
 
|-
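Review bot: the `nbthread` description (both columns of this hunk) reads "for each created processes"; make it "for each created process", matching the singular wording of the `nbproc` row. The new `log-tag` row also leaves its Remarks cell empty while `nbproc` records `default: 1`; noting that the tag defaults to the program name as launched (normally "haproxy"), and that the per-proxy `log-tag` added further down the page overrides it, would keep the column consistent.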
Line 99: Line 107:
 
|-
 
|-
 
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#ssl-default-bind-options '''<tt>ssl-default-bind-options</tt>''']
 
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#ssl-default-bind-options '''<tt>ssl-default-bind-options</tt>''']
| Sets default ssl-options to force on all "bind" lines.
+
| Sets default ssl-options to force on all "bind" lines. ||
|
+
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-stats%20socket '''<tt>stats socket</tt>''']
  +
| Binds a UNIX socket to ''path'' or a TCPv4/v6 address to ''address'':''port''. ||
 
|}
 
|}
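Review bot: the new `stats socket` row leaves its Remarks cell empty, yet this is the one global directive in the table that opens a runtime control interface, so the remark is where the access-restricting parameters belong: `level` (user/operator/admin, with admin allowing server state to be changed at runtime), `mode` on the UNIX socket path, and `user`/`group`. Suggested remark: "runtime API; restrict with level, mode, user/group".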
   
Line 108: Line 118:
 
! Parameter !! Description !! Remarks
 
! Parameter !! Description !! Remarks
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.2-tune.ssl.cachesize '''<tt>tune.ssl.cachesize &lt;number&gt;</tt>''']
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.2-maxconn <tt>'''maxconn''' &lt;number&gt;</tt>]
  +
| Sets the maximum per-process number of concurrent connections to &lt;number&gt;.
  +
| <tt>-n</tt> option
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.2-maxsslconn <tt>'''maxsslconn''' &lt;number&gt;</tt>]
  +
| Sets the maximum per-process number of concurrent SSL connections to &lt;number&gt;.
  +
| default : = <tt>maxconn</tt>
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.2-tune.ssl.cachesize <tt>'''tune.ssl.cachesize''' &lt;number&gt;</tt>]
 
| Sets the size of the global SSL session cache, in a number of blocks.
 
| Sets the size of the global SSL session cache, in a number of blocks.
 
| default: 20,000
 
| default: 20,000
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.2-tune.ssl.lifetime '''<tt>tune.ssl.lifetime &lt;timeout&gt;</tt>''']
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.2-tune.ssl.lifetime <tt>'''tune.ssl.lifetime''' &lt;timeout&gt;</tt>]
 
| Sets how long a cached SSL session may remain valid in seconds. || default: 300s (5 min)
 
| Sets how long a cached SSL session may remain valid in seconds. || default: 300s (5 min)
 
|}
 
|}
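Review bot: the `maxsslconn` Remarks cell reads "default : = maxconn", which does not match the "default: 20,000" style used two rows below; "default: = maxconn" or simply "default: maxconn" would. The `maxconn` remark "-n option" is also cryptic on its own; spelling it out as "equivalent to the -n command-line option" helps, since the CLI table later on the page does not list `-n`.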
Line 128: Line 146:
   
 
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.1 Proxy keywords matrix]
 
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.1 Proxy keywords matrix]
  +
  +
=====General=====
   
 
{| class='wikitable'
 
{| class='wikitable'
 
! Keywords !! Description !! DF/FE/LI/BE !! Remarks
 
! Keywords !! Description !! DF/FE/LI/BE !! Remarks
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-mode <tt><nowiki>mode { tcp|http|health }</nowiki></tt>]
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-mode <tt>'''mode''' <nowiki>{ tcp|http|health }</nowiki></tt>]
| Set the running mode or protocol of the instance
+
| Set the running mode or protocol of the instance || ||
| ||
 
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-bind <tt><nowiki>bind [<address>]:<port_range> [, ...] [param*]</nowiki></tt>]
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-monitor-uri <tt>'''monitor-uri''' &lt;uri&gt;</tt>]
  +
| Intercept a URI used by external components' monitor requests || O/O/O/X || Monitor requests cannot be logged either.
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-retries <tt>'''retries''' &lt;value&gt;</tt>]
  +
| Set the number of retries to perform on a server after a connection failure || O/X/O/O
  +
| applies to the number of connection attempts, not full requests
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-bind <tt>'''bind''' <nowiki>[<address>]:<port_range> [, ...] [param*]</nowiki></tt>]
 
| Define one or several listening addresses and/or ports in a frontend
 
| Define one or several listening addresses and/or ports in a frontend
 
| X/O/O/X ||
 
| X/O/O/X ||
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-tcp-request%20inspect-delay <tt><nowiki>tcp-request inspect-delay <timeout></nowiki></tt>]
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-tcp-request%20inspect-delay <tt>'''tcp-request''' <nowiki>inspect-delay <timeout></nowiki></tt>]
 
| Set the maximum allowed time to wait for data during content inspection
 
| Set the maximum allowed time to wait for data during content inspection
 
| ||
 
| ||
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-tcp-response%20content <tt><nowiki>tcp-response content <action> &#91;{if | unless} <condition>&#93;</nowiki></tt>]
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-tcp-response%20content <tt>'''tcp-response''' <nowiki>content <action> &#91;{if | unless} <condition>&#93;</nowiki></tt>]
 
| Perform an action on a session response depending on a layer 4-7 condition
 
| Perform an action on a session response depending on a layer 4-7 condition
 
| ||
 
| ||
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20http_proxy <tt>option http_proxy</tt>]
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20http_proxy <tt>'''option http_proxy'''</tt>]
 
| Enable or disable plain HTTP proxy mode
 
| Enable or disable plain HTTP proxy mode
 
| || Forward Proxy
 
| || Forward Proxy
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#option%20http-keep-alive <tt>option http-keep-alive</tt>]
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#option%20http-keep-alive <tt>'''option http-keep-alive'''</tt>]
 
| Enable or disable HTTP keep-alive from client to server
 
| Enable or disable HTTP keep-alive from client to server
 
| ||
 
| ||
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-option%20httpclose <tt>option httpclose</tt>]
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-option%20httpclose <tt>'''option httpclose'''</tt>]
 
| Enable or disable passive HTTP connection closing
 
| Enable or disable passive HTTP connection closing
 
| || <code>"Connection: close"</code> header<br/>Deprecated
 
| || <code>"Connection: close"</code> header<br/>Deprecated
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-option%20forwardfor <tt>option forwardfor</tt>]
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-option%20forwardfor <tt>'''option forwardfor'''</tt>]
 
| Enable insertion of the X-Forwarded-For header to requests sent to servers
 
| Enable insertion of the X-Forwarded-For header to requests sent to servers
 
| || <code>"X-Forwarded-For"</code> header
 
| || <code>"X-Forwarded-For"</code> header
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-option%20socket-stats <tt>option socket-stats</tt>]
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-option%20socket-stats <tt>'''option socket-stats'''</tt>]
| Enable or disable collecting & providing separate statistics for each socket.
+
| Enable or disable collecting & providing separate statistics for each socket. || ||
| ||
 
 
|-
 
|-
| style="white-space: nowrap;" | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-capture%20request%20header <tt>capture request header &lt;name&gt; len &lt;length&gt;</tt>]
+
| style="white-space: nowrap;" | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-capture%20request%20header <tt>'''capture request header''' &lt;name&gt; len &lt;length&gt;</tt>]
 
| Capture and log the last occurrence of the specified request header.
 
| Capture and log the last occurrence of the specified request header.
 
| X/O/O/X || Not for Back-end
 
| X/O/O/X || Not for Back-end
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-source <tt><nowiki>source <addr>[:<port>] [usesrc ...]</nowiki></tt>]
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-use_backend <tt>'''use_backend''' <nowiki><backend> [{if | unless} <condition>]</nowiki></tt>]
  +
| Switch to a specific backend if/unless an ACL-based condition is matched.
| Set the source address for outgoing connections
 
| ||
+
| X/O/O/X ||
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-server <tt><nowiki>server <name> <address>[:[port]] [param*]</nowiki></tt>]
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-source <tt>'''source''' <nowiki><addr>[:<port>] [usesrc ...]</nowiki></tt>]
  +
| Set the source address for outgoing connections || ||
| Declare a server in a backend
 
  +
|-
| ||
 
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-server <tt>'''server''' <nowiki><name> <address>[:[port]] [param*]</nowiki></tt>]
  +
| Declare a server in a backend || ||
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-default-server <tt>'''default-server''' <nowiki>[param*]</nowiki></tt>]
  +
| Change default options for a server in a backend || O/X/O/O || <tt>default-server inter 4s rise 2 fall 3</tt>
 
|}
 
|}
   
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request <tt>http-request</tt>]
+
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request <tt>'''http-request'''</tt>]
 
** defines a set of rules which apply to layer 7 processing.
 
** defines a set of rules which apply to layer 7 processing.
   
Line 187: Line 217:
 
! Action !! Description !! Remarks
 
! Action !! Description !! Remarks
 
|-
 
|-
| style='white-space:nowrap' | <tt>http-request allow</tt> || Stops the evaluation of the rules and lets the request pass the check. ||
+
| <tt>'''http-request allow'''</tt> || Stops the evaluation of the rules and lets the request pass the check. ||
  +
|-
  +
| <tt>'''http-request deny'''</tt> || Stops the evaluation of the rules and immediately rejects the request. ||
  +
|-
  +
| <tt>'''http-request auth'''</tt> || Stops the evaluation of the rules and immediately responds with an HTTP 401 or 407 error code to invite the user to present a valid user name and password ||
  +
|-
  +
| <tt>'''http-request add-header''' <nowiki><name> <fmt></nowiki></tt> || Appends an HTTP header field whose name is specified in <tt>&lt;name&gt;</tt> and whose value is defined by <tt>&lt;fmt&gt;</tt> ||
  +
|-
  +
| <tt>'''http-request set-header''' <nowiki><name> <fmt></nowiki></tt> || the header name is first removed if it existed ||
  +
|-
  +
| <tt>'''http-request del-header''' <nowiki><name></nowiki></tt> || removes all HTTP header fields whose name is specified in <tt>&lt;name&gt;</tt>. ||
  +
|-
  +
| style='white-space:nowrap' | <tt>'''http-request replace-header''' <nowiki><name> <match-regex> <replace-fmt></nowiki></tt> || ||
 
|-
 
|-
  +
| <tt>'''http-request capture''' <nowiki><sample> [ len <length> | id <id> ]</nowiki></tt> || Captures sample expression <tt>&lt;sample&gt;</tt> from the request buffer, and converts it to a string of at most <tt>&lt;len&gt;</tt> characters. ||
| <tt>http-request deny</tt> || Stops the evaluation of the rules and immediately rejects the request. ||
 
 
|-
 
|-
| <tt>http-request auth</tt> || Stops the evaluation of the rules and immediately responds with an HTTP 401 or 407 error code to invite the user to present a valid user name and password ||
+
| <tt>'''http-request set-log-level''' &lt;level&gt;</tt> || Change the log level of the current request when a certain condition is met. || <tt>emerg | alert | crit | err | warning | notice | info | debug | silent</tt>
 
|}
 
|}
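Review bot: the `http-request replace-header` row has an empty Description cell, and the `http-request set-header` description ("the header name is first removed if it existed") is a fragment that never says what the action does; suggest "Same as add-header, except that the header name is first removed if it existed" for set-header and a short description for replace-header (matches `<match-regex>` against the header value and replaces it with `<replace-fmt>`). For consistency with the `auth` row, which states the 401/407 response, the `deny` row could also record its default 403 response.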
   
Line 232: Line 274:
 
|}
 
|}
   
=====Logging=====
+
=====Logging/Tracing=====
   
 
{| class='wikitable'
 
{| class='wikitable'
Line 241: Line 283:
 
|-
 
|-
 
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20dontlognull '''<tt>option dontlognull</tt>''']
 
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20dontlognull '''<tt>option dontlognull</tt>''']
| Enable or disable logging of null connections ||
+
| Enable or disable logging of null connections || O/O/O/X ||
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20dontlognull '''<tt>option dontlog-normal</tt>''']
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20dontlog-normal '''<tt>option dontlog-normal</tt>''']
| Enable or disable logging of normal, successful connections ||
+
| Enable or disable logging of normal, successful connections || O/O/O/X ||
 
|-
 
|-
 
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20log-health-checks '''<tt>option log-health-checks</tt>''']
 
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20log-health-checks '''<tt>option log-health-checks</tt>''']
| Enable or disable logging of health checks status updates ||
+
| Enable or disable logging of health checks status updates || O/X/O/O ||
 
|-
 
|-
 
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-log-format '''<tt>log-format</tt>''']
 
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-log-format '''<tt>log-format</tt>''']
| Specifies the log format string to use for traffic logs ||
+
| Specifies the log format string to use for traffic logs || O/O/O/X ||
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-log-tag <tt>'''log-tag''' &lt;string&gt;</tt>]
  +
| Specifies the log tag to use for all outgoing logs || O/O/O/O || global <tt>log-tag</tt>
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-unique-id-format <tt>'''unique-id-format''' &lt;string&gt;</tt>]
  +
| Generate a unique ID for each request. || O/O/O/X || <tt>unique-id-header</tt>
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-unique-id-header <tt>'''unique-id-header''' &lt;name&gt;</tt>]
  +
| Add a unique ID header in the HTTP request. || O/O/O/X || <tt>X-Unique-ID</tt>
 
|}
 
|}
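Review bot: the `unique-id-header` row gives `X-Unique-ID` in the Remarks column in the same position where other rows record defaults, but the directive has no default; the header name is its mandatory `<name>` argument, so mark the value as an example ("e.g. X-Unique-ID"). The corrected link anchor on `option dontlog-normal` (previously pointing at dontlognull) is a good catch.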
   
Line 316: Line 367:
 
{| class='wikitable' style='margin-left:40px'
 
{| class='wikitable' style='margin-left:40px'
 
! Options !! Description !! Remarks
 
! Options !! Description !! Remarks
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.2-maxconn '''<tt>maxconn</tt>''']
  +
| specifies the maximal number of concurrent connections that will be sent to this server. ||
 
|-
 
|-
 
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5-check '''<tt>check</tt>''']
 
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5-check '''<tt>check</tt>''']
| Enables health checks on the server. ||
+
| Enables health checks on the server. || <tt>addr</tt>, <tt>port</tt>, <tt>source</tt>, <tt>inter</tt>, <tt>rise</tt>, <tt>fall</tt>
 
|-
 
|-
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5-inter '''<tt>inter &lt;delay&gt;</tt>''']
+
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5-inter <tt>'''inter''' &lt;delay&gt;</tt>]
 
| Sets the interval between two consecutive health checks to &lt;delay&gt; milliseconds. || default: 2000ms
 
| Sets the interval between two consecutive health checks to &lt;delay&gt; milliseconds. || default: 2000ms
 
|-
 
|-
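Review bot: the new server `maxconn` row starts its description in lower case, unlike the `check` and `inter` rows. Since the page's Global Parameters table already has a `maxconn` that is a per-process limit, a remark on this row such as "per-server limit, distinct from global maxconn" would prevent the two being confused.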
Line 329: Line 383:
 
| Enables SSL ciphering on outgoing connections to the server. ||
 
| Enables SSL ciphering on outgoing connections to the server. ||
 
|-
 
|-
| style='white-space:nowrap' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5-verify '''<tt><nowiki>verify [none|required]</nowiki></tt>''']
+
| style='white-space:nowrap' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5-verify <tt>'''verify''' <nowiki>[none|required]</nowiki></tt>]
 
| ||
 
| ||
 
|}
 
|}
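Review bot: the `verify [none|required]` row keeps an empty Description cell across the revision, and of all the server options in this table it is the one with direct security consequences: `none` makes HAProxy accept any certificate the backend presents, while `required` checks the server certificate against the configured CA bundle and fails the connection otherwise. A one-line description stating that, together with a remark that `none` should only be used for deliberately unverified internal links, belongs here.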
Line 348: Line 402:
 
| Flags (<tt>flags</tt>) || || <tt>-i</tt>, <tt>-f</tt>, <tt>-m</tt>, <tt>-n</tt>, <tt>-M</tt>, <tt>-u</tt>, <tt>--</tt>
 
| Flags (<tt>flags</tt>) || || <tt>-i</tt>, <tt>-f</tt>, <tt>-m</tt>, <tt>-n</tt>, <tt>-M</tt>, <tt>-u</tt>, <tt>--</tt>
 
|}
 
|}
  +
  +
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.4 Pre-defined ACLs]
   
 
=====ACL Flags=====
 
=====ACL Flags=====
Line 373: Line 429:
 
|-
 
|-
 
| '''<tt>-m end</tt>''' || suffix match ||
 
| '''<tt>-m end</tt>''' || suffix match ||
  +
|}
  +
  +
====Sample Fetch Methods====
  +
  +
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.3 Fetching samples at Layer 4] : TCP/IP
  +
  +
{| class='wikitable' style='margin-left:40px'
  +
! Method !! Type !! Description !! Remarks
  +
|-
  +
| style='white-space: nowrap;' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.3-src <code>src</code>]
  +
| ip
  +
| This is the source IPv4 address of the client of the session
  +
|
  +
|}
  +
  +
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.4 Fetching samples at Layer 5] : SSL
  +
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5 Fetching samples at Layer 6] :
  +
  +
{| class='wikitable' style='margin-left:40px'
  +
! Method !! Type !! Description !! Remarks
  +
|-
  +
| style='white-space: nowrap;' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-req.payload_lv <code>req.payload_lv</code>]
  +
| binary
  +
| Extracts a binary block whose size is specified at &lt;offset1&gt; for &lt;length&gt; bytes
  +
|
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-res.payload_lv <code>res.payload_lv</code>]
  +
| binary
  +
| extracts a binary block whose size is specified at &lt;offset1&gt; for &lt;length&gt; bytes, and which starts at &lt;offset2&gt; if specified or just after the length in the response buffer.
  +
|
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-req.ssl_hello_type <code>req.ssl_hello_type</code>]
  +
| integer
  +
| Returns an integer value containing the type of the SSL hello message found in the request buffer if the buffer contains data that parse as a complete SSL (v3 or superior) client hello message.
  +
|
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-res.ssl_hello_type <code>res.ssl_hello_type</code>]
  +
| integer
  +
| Returns an integer value containing the type of the SSL hello message found in the response buffer if the buffer contains data that parses as a complete SSL (v3 or superior) hello message
  +
|
  +
|}
  +
  +
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6 Fetching samples at Layer 7] : HTTP
  +
  +
{| class='wikitable' style='margin-left:40px'
  +
! Method !! Type !! Description !! Remarks
  +
|-
  +
| style='white-space: nowrap;' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-req.hdr <tt>'''req.hdr'''<nowiki>([<name>[,<occ>]])</nowiki></tt>] || string
  +
| Extracts the last occurrence of header &lt;name&gt; in an HTTP request
  +
| When used from an ACL, all occurrences are iterated over until a match is found
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-res.hdr <tt>'''res.hdr'''<nowiki>([<name>[,<occ>]])</nowiki></tt>]
  +
| string || Extracts the last occurrence of header &lt;name&gt; in an HTTP response. ||
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-hdr <tt>'''hdr'''<nowiki>([<name>[,<occ>]])</nowiki></tt>]
  +
| string || Equivalent to <tt>req.hdr()</tt> when used on requests, and to <tt>'''res.hdr'''()</tt> when used on responses ||
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-http_auth <tt>'''http_auth'''<nowiki>(<userlist>)</nowiki></tt>]
  +
| boolean || Returns a boolean indicating whether the authentication data received from the client match a username & password stored in the specified userlist. ||
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-http_auth_group <tt>'''http_auth_group'''<nowiki>(<userlist>)</nowiki></tt>]
  +
| string || Returns a string corresponding to the user name found in the authentication data received from the client if both the user name and password are valid according to the specified userlist. || ACL derivatives
  +
|-
  +
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-path <tt>'''path'''</tt>]
  +
| string || Extracts the request's URL path, which starts at the first slash and ends before the question mark (without the host part). ||
 
|}
 
|}
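Review bot: in the `hdr` row the description bolds `res.hdr` but not `req.hdr` (a stray `'''` pair), and the `req.payload_lv` description is truncated relative to `res.payload_lv`, which carries the full "starts at <offset2> ..." clause; the two rows should read alike. The `src` row's empty Remarks cell is a good place to record that `src` is the address of the TCP peer, so behind another proxy it yields that proxy's address rather than the client address carried in the X-Forwarded-For header that `option forwardfor` inserts.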
   
 
====Logging====
 
====Logging====
   
  +
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8 Logging]
=====Log Fields=====
 
  +
  +
* Log Variable Syntax
  +
<syntaxhighlight lang='bnf' enclose='div' style='margin-left:40px'>
  +
flag = "Q" | "E" | "X"
  +
flag-part = "+" | "-", flag
  +
variable = "%", [ "{", flag-part, 2 * [ ",", flag-part ], "}" ], ( field | "[", sample-expr , "]" )
  +
</syntaxhighlight>
  +
  +
* Default HTTP Log Format
  +
<syntaxhighlight lang='text' enclose='div' style='margin-left:40px'>
  +
"%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
  +
</syntaxhighlight>
  +
  +
=====Log Variables=====
   
 
{| class='wikitable'
 
{| class='wikitable'
! Field !! Name !! Type !! Description !! Remarks
+
! Variable !! Name !! Type !! Description !! Remarks
  +
|-
  +
| '''<tt>%o</tt>''' || special variable || || apply flags on all next var || <tt>Q</tt>, <tt>E</tt>, <tt>X</tt>
 
|-
 
|-
 
| '''<tt>%ci</tt>''' || client_ip || IP || ||
 
| '''<tt>%ci</tt>''' || client_ip || IP || ||
  +
|-
  +
| '''<tt>%cp</tt>''' || client_port || numeric || ||
 
|-
 
|-
 
| '''<tt>%ft</tt>''' || frontend_name_transport || string || || '~' suffix for SSL
 
| '''<tt>%ft</tt>''' || frontend_name_transport || string || || '~' suffix for SSL
  +
|-
  +
| '''<tt>%fi</tt>''' || frontend_ip || IP || ||
  +
|-
  +
| '''<tt>%fp</tt>''' || frontend_port || ||
 
|-
 
|-
 
| '''<tt>%b</tt>''' || backend_name || string || ||
 
| '''<tt>%b</tt>''' || backend_name || string || ||
 
|-
 
|-
 
| '''<tt>%si</tt>''' || server_IP || IP || target address ||
 
| '''<tt>%si</tt>''' || server_IP || IP || target address ||
  +
|-
  +
| '''<tt>%Ts</tt>''' || timestamp || numeric || ||
 
|-
 
|-
 
| '''<tt>%Tq</tt>''' || <tt>Th + Ti + TR</tt> || numeric
 
| '''<tt>%Tq</tt>''' || <tt>Th + Ti + TR</tt> || numeric
Line 418: Line 563:
 
|-
 
|-
 
| '''<tt>%r</tt>''' || http_request || string || || HTTP mode only
 
| '''<tt>%r</tt>''' || http_request || string || || HTTP mode only
  +
|-
  +
| '''<tt>%rt</tt>''' || request_counter || numeric || ||
  +
|-
  +
| '''<tt>%ID</tt>''' || unique-id || string || Unique ID generated by <tt>unique-id-header</tt> directive ||
  +
|}
  +
  +
=====Flags=====
  +
  +
{| class='wikitable'
  +
! Flag !! Description !! Remarks
  +
|-
  +
| '''<tt>Q</tt>''' || quote a string ||
  +
|-
  +
| '''<tt>X</tt>''' || hexadecimal representation ||
  +
|-
  +
| '''<tt>E</tt>''' || escape characters '<tt>"</tt>', '<tt>\</tt>' and '<tt><nowiki>]</nowiki></tt>' in a string with '<tt>\</tt>' as prefix || RFC5424
 
|}
 
|}
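Review bot: the `%fp` row has only four cells against a five-column header (its Type cell, "numeric", is missing), which will shift the Remarks column in the rendered table. The `%ID` description attributes the ID to the `unique-id-header` directive, but the page's own Logging table says `unique-id-format` generates the ID and `unique-id-header` only adds it to the request, so it should read "Unique ID generated by unique-id-format". The `%o` description "apply flags on all next var" would read better as "applies the flags to all following variables".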
   
Line 460: Line 621:
 
|}
 
|}
   
====Sample Fetch Methods====
+
====Monitoring====
   
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.3 Fetching samples at Layer 4] : TCP/IP
+
* [https://cbonte.github.io/haproxy-dconv/1.8/management.html#9 Statistics and monitoring]
   
{| class='wikitable' style='margin-left:40px'
+
{| class='wikitable'
! Method !! Type !! Description !! Remarks
+
! Metric !! Types !! Description !! Remarks
 
|-
 
|-
  +
| '''<tt>pxname</tt>''' || LFBS || proxy name ||
| style='white-space: nowrap;' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.3-src <code>src</code>]
 
| ip
 
| This is the source IPv4 address of the client of the session
 
|
 
|}
 
 
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.4 Fetching samples at Layer 5] : SSL
 
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5 Fetching samples at Layer 6] :
 
 
{| class='wikitable' style='margin-left:40px'
 
! Method !! Type !! Description !! Remarks
 
 
|-
 
|-
  +
| '''<tt>svname</tt>''' || LFBS || service name || <tt><nowiki>FRONTEND | BACKEND | ...</nowiki></tt>
| style='white-space: nowrap;' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-req.payload_lv <code>req.payload_lv</code>]
 
| binary
 
| Extracts a binary block whose size is specified at &lt;offset1&gt; for &lt;length&gt; bytes
 
|
 
 
|-
 
|-
  +
| '''<tt>qcur</tt>''' || ..BS || current queued requests ||
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-res.payload_lv <code>res.payload_lv</code>]
 
| binary
 
| extracts a binary block whose size is specified at &lt;offset1&gt; for &lt;length&gt; bytes, and which starts at &lt;offset2&gt; if specified or just after the length in the response buffer.
 
|
 
 
|-
 
|-
  +
| '''<tt>qmax</tt>''' || ..BS || max value of <tt>qcur</tt> ||
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-req.ssl_hello_type <code>req.ssl_hello_type</code>]
 
| integer
 
| Returns an integer value containing the type of the SSL hello message found in the request buffer if the buffer contains data that parse as a complete SSL (v3 or superior) client hello message.
 
|
 
 
|-
 
|-
  +
| '''<tt>scur</tt>''' || LFBS || current sessions ||
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-res.ssl_hello_type <code>res.ssl_hello_type</code>]
 
  +
|-
| integer
 
  +
| '''<tt>smax</tt>''' || LFBS || max sessions ||
| Returns an integer value containing the type of the SSL hello message found in the response buffer if the buffer contains data that parses as a complete SSL (v3 or superior) hello message
 
|
+
|-
  +
| '''<tt>slim</tt>''' || LFBS || configured session limit ||
  +
|-
  +
| '''<tt>stot</tt>''' || LFBS || cumulative number of sessions ||
 
|}
 
|}
   
  +
====CLI====
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6 Fetching samples at Layer 7] : HTTP
 
   
{| class='wikitable' style='margin-left:40px'
+
{| class='wikitable'
! Method !! Type !! Description !! Remarks
+
! Option !! Description !! Remarks
 
|-
 
|-
  +
| '''<tt>-D</tt>''' || goes daemon ||
| style='white-space: nowrap;' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-req.hdr <tt><nowiki>req.hdr([<name>[,<occ>]])</nowiki></tt>]
 
| string
 
| Extracts the last occurrence of header &lt;name&gt; in an HTTP request
 
| When used from an ACL, all occurrences are iterated over until a match is found
 
 
|-
 
|-
  +
| '''<tt>-Ws</tt>''' || master-worker mode with systemd notify support ||
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-res.hdr <tt><nowiki>res.hdr([<name>[,<occ>]])</nowiki></tt>]
 
| string || Extracts the last occurrence of header &lt;name&gt; in an HTTP response.
 
|
 
 
|-
 
|-
  +
| '''<tt>-c</tt>''' || only check config files and exit || check mode
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-hdr <tt><nowiki>hdr([<name>[,<occ>]])</nowiki></tt>]
 
| string || Equivalent to <tt>req.hdr()</tt> when used on requests, and to <tt>res.hdr()</tt> when used on responses
 
|
 
 
|-
 
|-
  +
| '''<tt>-V</tt>''' || enters verbose mode (disables quiet mode) ||
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-http_auth <tt><nowiki>http_auth(<userlist>)</nowiki></tt>]
 
  +
|-
| boolean || Returns a boolean indicating whether the authentication data received from the client match a username & password stored in the specified userlist.
 
  +
| <tt>'''-p''' &lt;pidfile&gt;</tt> || writes pids of all children to this file ||
|
 
 
|-
 
|-
  +
| '''<tt>-sf</tt>''' || finishes/terminates old pids ||
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-http_auth_group <tt><nowiki>http_auth_group(<userlist>)</nowiki></tt>]
 
| string || Returns a string corresponding to the user name found in the authentication data received from the client if both the user name and password are valid according to the specified userlist.
 
| ACL derivatives
 
 
|}
 
|}
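Review bot: in the CLI table the `-sf` row omits its argument, unlike `-p <pidfile>`; it takes the list of old pids (`-sf <pid>*`), and "finishes/terminates old pids" conflates two things, since `-sf` asks the old processes to finish serving their existing connections (soft stop) while the hard-stop counterpart is `-st`. In the Monitoring table the Types column uses the codes `LFBS` and `..BS` without a legend; a note that L, F, B and S stand for listener, frontend, backend and server rows of the stats output would make it readable.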
   
Line 544: Line 680:
 
* [https://www.linangran.com/?p=547 Use HAProxy to load balance 300k concurrent tcp socket connections: Port Exhaustion, Keep-alive and others]
 
* [https://www.linangran.com/?p=547 Use HAProxy to load balance 300k concurrent tcp socket connections: Port Exhaustion, Keep-alive and others]
 
* [https://serverfault.com/questions/622567/haproxy-error-some-configuration-options-require-full-privileges-so-global-uid HAProxy error: Some configuration options require full privileges, so global.uid cannot be changed] (Aug 19 '14)
 
* [https://serverfault.com/questions/622567/haproxy-error-some-configuration-options-require-full-privileges-so-global-uid HAProxy error: Some configuration options require full privileges, so global.uid cannot be changed] (Aug 19 '14)
  +
* [https://www.slideshare.net/WillyTarreau/observability-tips-for-haproxy '''Observability tips for HAProxy'''] (Jun 5, 2018)
   
 
====ACL====
 
====ACL====
Line 591: Line 728:
 
* [https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/ Enhanced SSL load-balancing with Server Name Indication (SNI) TLS extension] (Apr 13, 2012)
 
* [https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/ Enhanced SSL load-balancing with Server Name Indication (SNI) TLS extension] (Apr 13, 2012)
   
====Logging and Statistics====
+
====Logging, Tracing and Statistics====
   
 
* [https://kvz.io/blog/2010/08/11/haproxy-logging/ HAProxy Logging in Ubuntu Lucid] (2010/08/11)
 
* [https://kvz.io/blog/2010/08/11/haproxy-logging/ HAProxy Logging in Ubuntu Lucid] (2010/08/11)
Line 597: Line 734:
 
* [https://serverfault.com/questions/168443/logging-haproxy-check-results-problems Logging haproxy check results / problems] (Aug 9 '10)
 
* [https://serverfault.com/questions/168443/logging-haproxy-check-results-problems Logging haproxy check results / problems] (Aug 9 '10)
 
** <tt>option log-health-checks</tt>
 
** <tt>option log-health-checks</tt>
  +
* [https://stackoverflow.com/questions/46531909/setting-a-unique-http-request-id-with-haproxys-http-request-set-header Setting a unique http request id with haproxy's http-request set-header] (Oct 2 '17)
  +
** <tt>unique-id-format</tt>, <tt>unique-id-header</tt>
  +
* [https://devcenter.heroku.com/articles/http-request-id HTTP Request IDs] (17 June 2019)
   
 
* [https://www.haproxy.com/blog/introduction-to-haproxy-logging/ Introduction to HAProxy Logging] (Feb 8, 2019)
 
* [https://www.haproxy.com/blog/introduction-to-haproxy-logging/ Introduction to HAProxy Logging] (Feb 8, 2019)
Line 611: Line 751:
   
 
* [https://www.haproxy.com/blog/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/ Use a Load Balancer as a First Row of Defense Against DDOS] (Feb 27, 2012)
 
* [https://www.haproxy.com/blog/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/ Use a Load Balancer as a First Row of Defense Against DDOS] (Feb 27, 2012)
  +
  +
====Mapping====
  +
  +
* [https://www.haproxy.com/blog/introduction-to-haproxy-maps/ Introduction to HAProxy Maps] (Oct 17, 2018)
   
 
===Samples===
 
===Samples===
Line 631: Line 775:
 
crt-base /etc/haproxy/ssl
 
crt-base /etc/haproxy/ssl
   
  +
# https://disablessl3.com/
maxconn 2048
 
  +
ssl-default-bind-options no-sslv3
  +
  +
# 'stats socket' would generate the specified socket file if not exists
  +
stats socket /var/run/haproxy.sock mode 660
  +
  +
maxconn 2000
 
tune.ssl.default-dh-param 2048
 
tune.ssl.default-dh-param 2048
   
  +
#https://disablessl3.com/
 
ssl-default-bind-options no-sslv3
 
 
 
defaults
 
defaults
 
mode http
 
mode http
  +
monitor-uri /liveness
  +
 
log global
 
log global
  +
option httplog
  +
option dontlognull
  +
no option log-health-checks
  +
# http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8.2.4
  +
log-format %ci\ %ft\ %b\ %si\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %hr\ %{+Q}r
   
  +
# Add 'X-Forwared-For' header automatically
 
option forwardfor
 
option forwardfor
  +
#option http-server-close
 
 
 
timeout connect 5s
 
timeout connect 5s
Line 659: Line 816:
 
errorfile 503 /etc/haproxy/errors/503.http
 
errorfile 503 /etc/haproxy/errors/503.http
 
errorfile 504 /etc/haproxy/errors/504.http
 
errorfile 504 /etc/haproxy/errors/504.http
  +
  +
default-server inter 5s rise 2 fall 3
  +
   
 
listen stats
 
listen stats
Line 664: Line 824:
 
 
 
stats enable
 
stats enable
  +
stats admin if FALSE
  +
stats auth haproxystat:dontuse1234
 
stats hide-version
 
stats hide-version
 
stats realm HAProxy\ Statistics
 
stats realm HAProxy\ Statistics
Line 671: Line 833:
 
bind 192.168.1.11:8080
 
bind 192.168.1.11:8080
 
 
  +
capture request header Host len 20
option httplog
 
  +
#capture request header Forwarded len 50
option dontlognull
 
  +
capture request header X-Forwarded-For len 20
log-format %ci\ [%t]\ %ft\ %b\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %{+Q}r
 
   
http-request set-header X-Haproxy-Current-Date %T
+
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
 
http-request set-header X-Forwarded-Proto http
 
http-request set-header X-Forwarded-Proto http
  +
 
default_backend http-rear
 
default_backend http-rear
   
   
 
frontend https
 
frontend https
  +
# http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-verify
bind 192.168.1.11:8443 ssl crt server-tls.pem ca-file ca.crt
 
  +
bind 192.168.1.11:8443 ssl crt server-tls.pem ca-file ca.crt verify none
 
# bind 192.168.1.11:8443 ssl crt server-tls.pem ca-file ca.crt verify optional crt-ignore-err all ca-ignore-err all # For mutual auth
 
# bind 192.168.1.11:8443 ssl crt server-tls.pem ca-file ca.crt verify optional crt-ignore-err all ca-ignore-err all # For mutual auth
   
  +
capture request header Host len 20
option httplog
 
  +
#capture request header Forwarded len 50
option dontlognull
 
  +
capture request header X-Forwarded-For len 20
log-format %ci\ %ft\ %b\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %{+Q}r
 
   
 
#http-request deny deny_status 400 unless { ssl_fc }
 
#http-request deny deny_status 400 unless { ssl_fc }
Line 694: Line 858:
 
# setup request header for logging or backend usage
 
# setup request header for logging or backend usage
 
# https://www.haproxy.com/blog/ssl-client-certificate-information-in-http-headers-and-logs/
 
# https://www.haproxy.com/blog/ssl-client-certificate-information-in-http-headers-and-logs/
# https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request
 
http-request set-header X-Haproxy-Current-Date %T
 
 
http-request set-header X-SSL %[ssl_fc]
 
http-request set-header X-SSL %[ssl_fc]
 
http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
 
http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
Line 704: Line 866:
 
http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
 
http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
 
http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
 
http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
  +
http-request set-header X-Forwarded-Proto https
 
  +
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
  +
http-request set-header X-Forwarded-Proto http
   
 
default_backend http-rear
 
default_backend http-rear
Line 711: Line 875:
 
frontend ws
 
frontend ws
 
bind 192.168.1.11:8090
 
bind 192.168.1.11:8090
  +
  +
capture request header Host len 20
  +
#capture request header Forwarded len 50
  +
capture request header X-Forwarded-For len 20
   
 
acl is_connection_upgrade hdr(Connection) -i upgrade
 
acl is_connection_upgrade hdr(Connection) -i upgrade
Line 718: Line 886:
   
 
http-request deny unless is_connection_upgrade is_upgrade_websocket has_websocket_key has_websocket_ver
 
http-request deny unless is_connection_upgrade is_upgrade_websocket has_websocket_key has_websocket_ver
  +
  +
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
  +
http-request set-header X-Forwarded-Proto http
   
 
default_backend ws-rear
 
default_backend ws-rear
Line 723: Line 894:
   
 
frontend wss
 
frontend wss
bind 192.168.1.11:8453 ssl crt server-tls.pem ca-file ca.crt
+
bind 192.168.1.11:8453 ssl crt server-tls.pem ca-file ca.crt verify none
 
# bind 192.168.1.11:8453 ssl crt server-tls.pem ca-file ca.crt verify optional crt-ignore-err all ca-ignore-err all # For mutual auth
 
# bind 192.168.1.11:8453 ssl crt server-tls.pem ca-file ca.crt verify optional crt-ignore-err all ca-ignore-err all # For mutual auth
  +
  +
capture request header Host len 20
  +
#capture request header Forwarded len 50
  +
capture request header X-Forwarded-For len 20
   
 
#http-request deny deny_status 400 unless { ssl_fc }
 
#http-request deny deny_status 400 unless { ssl_fc }
Line 736: Line 911:
   
 
http-request deny unless is_connection_upgrade is_upgrade_websocket has_websocket_key has_websocket_ver
 
http-request deny unless is_connection_upgrade is_upgrade_websocket has_websocket_key has_websocket_ver
  +
  +
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
  +
http-request set-header X-Forwarded-Proto http
   
 
default_backend ws-rear
 
default_backend ws-rear
  +
   
 
backend http-rear
 
backend http-rear
  +
# https://serverfault.com/questions/622567/haproxy-error-some-configuration-options-require-full-privileges-so-global-uid
  +
#source 0.0.0.0 usesrc clientip
  +
  +
option http-keep-alive
  +
http-request set-header X-User ...
  +
http-request set-header Authorization 'Basic ...'
  +
  +
option httpchk POST / HTTP/1.1\r\nHost:\ 127.0.0.1\r\nContent-Length:\ 25\r\nAuthorization:\ Basic\ ...\r\nX-User:\ ...\r\n\r\n
  +
 
server s1 127.0.0.1:80 check
 
server s1 127.0.0.1:80 check
  +
   
 
backend ws-rear
 
backend ws-rear
  +
# https://serverfault.com/questions/622567/haproxy-error-some-configuration-options-require-full-privileges-so-global-uid
  +
#source 0.0.0.0 usesrc clientip
  +
  +
option http-keep-alive
  +
http-request set-header X-User ...
  +
http-request set-header Authorization 'Basic ...'
  +
 
server s1 127.0.0.1:90 check
 
server s1 127.0.0.1:90 check
   
Line 826: Line 1,022:
 
option http_proxy
 
option http_proxy
 
</syntaxhighlight>
 
</syntaxhighlight>
  +
  +
====Log Format and Grok Pattern====
  +
  +
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8.2.4 HAProxy custom log format]
  +
* [https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns Logstash built-in Grok patterns]
  +
  +
*
  +
{| class='wikitable'
  +
| Log Format
  +
| <tt><nowiki>%ci\ %ft\ %b\ %si\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %hr\ %{+Q}r</nowiki></tt>
  +
|-
  +
| Grok Pattern
  +
| <tt><nowiki>%{IPV4:client_ip} %{NOTSPACE:fe} %{NOTSPACE:be} %{IPV4:server_ip} %{NONNEGINT:tq}/%{NONNEGINT:tw}/%{NONNEGINT:tc}/%{NONNEGINT:tr}/${NONNEGINT:tt} %{POSINT:resp_code} %{NONNEGINT:read_byte} %{NOTSPACE:term_state} %{NOTSPACE:server_q}/%{NOTSPACE:be_q} {%{NOTSPACE:client}(?:|)%{NOTSPACE:host}} %{DATA:req}</nowiki></tt>
  +
|}
   
 
==Wireshark==
 
==Wireshark==
Line 964: Line 1,174:
 
** '''<code>tcpdump -n -i eth0 -A tcp port 80</code>'''
 
** '''<code>tcpdump -n -i eth0 -A tcp port 80</code>'''
 
* [https://stackoverflow.com/questions/9874093/how-to-filter-tcpdump-output-based-on-packet-length How to filter tcpdump output based on packet length] (Mar 26 '12)
 
* [https://stackoverflow.com/questions/9874093/how-to-filter-tcpdump-output-based-on-packet-length How to filter tcpdump output based on packet length] (Mar 26 '12)
** <code>tcpdump -n -i eth0 -A -x tcp port 443 and greater 100</code>
+
** <code>tcpdump -nAx -s 0 -i eth0 tcp port 443 and greater 100</code>
   
 
===Filter Expression===
 
===Filter Expression===

Revision as of 10:15, 6 August 2019

HAProxy

  • http://www.haproxy.org/
  • Desc. : a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications
  • License:
  • Written in:
  • Sources:

References

  
  Proxy ----------- Gateway
             |
             +----- Forward Proxy
             |
             +----- Reverse Proxy ----------- SSL Acceleration Proxy
                                       |
                                       +----- SSL Termination Proxy
                                       |
                                       +----- Load Balancer
  • HAProxy Configuration
config = global + defaults* + frontend* + backend* + listen*

global = process management and security parameters 
         + performance tuning parameters 
         + debugging parameters
         + user lists
         + peers
         + mailers

Global Parameters

Process management and security parameters
{| class='wikitable'
! Parameter !! Description !! Remarks
|-
| <tt>cpu-map</tt> || Specifies CPU sets for process or thread sets || Linux 2.6+
|-
| <tt>log</tt> || Adds a global syslog server ||
|-
| <tt>log-tag &lt;string&gt;</tt> || Sets the tag field in the syslog header to this string ||
|-
| <tt>nbproc &lt;number&gt;</tt> || Creates &lt;number&gt; processes when going daemon || default: 1
|-
| <tt>nbthread &lt;number&gt;</tt> || Creates &lt;number&gt; threads for each created process ||
|-
| <tt>ulimit-n</tt> || Sets the maximum number of per-process file descriptors || recommended not to use this option
|-
| <tt>ssl-default-bind-options</tt> || Sets default SSL options to force on all "bind" lines ||
|-
| <tt>stats socket</tt> || Binds a UNIX socket to a path, or a TCPv4/v6 address to address:port || the socket is an administrative interface; restrict its mode/owner
|}

Performance tuning parameters
{| class='wikitable'
! Parameter !! Description !! Remarks
|-
| <tt>maxconn &lt;number&gt;</tt> || Sets the maximum per-process number of concurrent connections to &lt;number&gt; || <tt>-n</tt> command-line option
|-
| <tt>maxsslconn &lt;number&gt;</tt> || Sets the maximum per-process number of concurrent SSL connections to &lt;number&gt; || default: = maxconn
|-
| <tt>tune.ssl.cachesize &lt;number&gt;</tt> || Sets the size of the global SSL session cache, in a number of blocks || default: 20,000
|-
| <tt>tune.ssl.lifetime &lt;timeout&gt;</tt> || Sets how long a cached SSL session may remain valid, in seconds || default: 300s (5 min)
|}

Access control parameters
{| class='wikitable'
! Parameter !! Description !! Remarks
|-
| <tt><nowiki>user <username> [password|insecure-password <password>] [groups <group>,<group>,(...)]</nowiki></tt> || Adds user &lt;username&gt; to the current userlist || <tt>password</tt> takes a crypt(3)-style hash; <tt>insecure-password</tt> takes a clear-text password
|}

Proxy Keywords

General
{| class='wikitable'
! Keyword !! Description !! DF/FE/LI/BE !! Remarks
|-
| <tt><nowiki>mode { tcp|http|health }</nowiki></tt> || Sets the running mode or protocol of the instance || ||
|-
| <tt>monitor-uri &lt;uri&gt;</tt> || Intercepts a URI used by external components' monitor requests || O/O/O/X || monitor requests are not logged either
|-
| <tt>retries &lt;value&gt;</tt> || Sets the number of retries to perform on a server after a connection failure || O/X/O/O || applies to the number of connection attempts, not full requests
|-
| <tt>bind [&lt;address&gt;]:&lt;port_range&gt; [, ...] [param*]</tt> || Defines one or several listening addresses and/or ports in a frontend || X/O/O/X ||
|-
| <tt>tcp-request inspect-delay &lt;timeout&gt;</tt> || Sets the maximum allowed time to wait for data during content inspection || ||
|-
| <tt><nowiki>tcp-response content <action> [{if | unless} <condition>]</nowiki></tt> || Performs an action on a session response depending on a layer 4-7 condition || ||
|-
| <tt>option http_proxy</tt> || Enables or disables plain HTTP proxy mode || || forward proxy
|-
| <tt>option http-keep-alive</tt> || Enables or disables HTTP keep-alive from client to server || ||
|-
| <tt>option httpclose</tt> || Enables or disables passive HTTP connection closing || || "Connection: close" header; deprecated
|-
| <tt>option forwardfor</tt> || Enables insertion of the X-Forwarded-For header in requests sent to servers || || "X-Forwarded-For" header
|-
| <tt>option socket-stats</tt> || Enables or disables collecting and providing separate statistics for each socket || ||
|-
| <tt>capture request header &lt;name&gt; len &lt;length&gt;</tt> || Captures and logs the last occurrence of the specified request header || X/O/O/X || not for backend
|-
| <tt><nowiki>use_backend <backend> [{if | unless} <condition>]</nowiki></tt> || Switches to a specific backend if/unless an ACL-based condition is matched || X/O/O/X ||
|-
| <tt>source &lt;addr&gt;[:&lt;port&gt;] [usesrc ...]</tt> || Sets the source address for outgoing connections || ||
|-
| <tt>server &lt;name&gt; &lt;address&gt;[:[port]] [param*]</tt> || Declares a server in a backend || ||
|-
| <tt>default-server [param*]</tt> || Changes the default options for the servers in a backend || O/X/O/O || e.g. <tt>default-server inter 4s rise 2 fall 3</tt>
|}
  • http-request
    • defines a set of rules which apply to layer 7 processing
{| class='wikitable'
! Action !! Description !! Remarks
|-
| <tt>http-request allow</tt> || Stops the evaluation of the rules and lets the request pass the check ||
|-
| <tt>http-request deny</tt> || Stops the evaluation of the rules and immediately rejects the request ||
|-
| <tt>http-request auth</tt> || Stops the evaluation of the rules and immediately responds with an HTTP 401 or 407 error code to invite the user to present a valid user name and password ||
|-
| <tt>http-request add-header &lt;name&gt; &lt;fmt&gt;</tt> || Appends an HTTP header field whose name is specified in &lt;name&gt; and whose value is defined by &lt;fmt&gt; ||
|-
| <tt>http-request set-header &lt;name&gt; &lt;fmt&gt;</tt> || Same as add-header, but the header name is first removed if it existed || use it for headers the backend trusts, so a client-supplied copy cannot survive
|-
| <tt>http-request del-header &lt;name&gt;</tt> || Removes all HTTP header fields whose name is specified in &lt;name&gt; ||
|-
| <tt>http-request replace-header &lt;name&gt; &lt;match-regex&gt; &lt;replace-fmt&gt;</tt> || Matches &lt;match-regex&gt; against every occurrence of header &lt;name&gt; and replaces the matching values with &lt;replace-fmt&gt; ||
|-
| <tt><nowiki>http-request capture <sample> [ len <length> | id <id> ]</nowiki></tt> || Captures sample expression &lt;sample&gt; from the request buffer and converts it to a string of at most &lt;len&gt; characters ||
|-
| <tt>http-request set-log-level &lt;level&gt;</tt> || Changes the log level of the current request when a certain condition is met || <nowiki>alert | crit | err | warning | notice | info | debug | silent</nowiki>
|}
Timeout
{| class='wikitable'
! Keyword !! Description !! Remarks
|-
| <tt>timeout connect &lt;timeout&gt;</tt> || Sets the maximum time to wait for a connection attempt to a server to succeed ||
|-
| <tt>timeout server &lt;timeout&gt;</tt> || Sets the maximum inactivity time on the server side ||
|-
| <tt>timeout client &lt;timeout&gt;</tt> || Sets the maximum inactivity time on the client side ||
|-
| <tt>timeout tunnel &lt;timeout&gt;</tt> || Sets the maximum inactivity time on the client and server side for tunnels || e.g. WebSocket connections
|-
| <tt>timeout server-fin &lt;timeout&gt;</tt> || Sets the inactivity timeout on the server side for half-closed connections ||
|-
| <tt>timeout client-fin &lt;timeout&gt;</tt> || Sets the inactivity timeout on the client side for half-closed connections ||
|-
| <tt>timeout http-request &lt;timeout&gt;</tt> || Sets the maximum allowed time to wait for a complete HTTP request || limits clients that send headers slowly (DoS protection)
|-
| <tt>timeout http-keep-alive &lt;timeout&gt;</tt> || Sets the maximum allowed time to wait for a new HTTP request to appear ||
|}
Logging/Tracing
{| class='wikitable'
! Keyword !! Description !! DF/FE/LI/BE !! Remarks
|-
| <tt>option httplog</tt> || Enables logging of HTTP request, session state and timers || O/O/O/X || not for backend
|-
| <tt>option dontlognull</tt> || Enables or disables logging of null connections || O/O/O/X ||
|-
| <tt>option dontlog-normal</tt> || Enables or disables logging of normal, successful connections || O/O/O/X ||
|-
| <tt>option log-health-checks</tt> || Enables or disables logging of health check status updates || O/X/O/O ||
|-
| <tt>log-format</tt> || Specifies the log format string to use for traffic logs || O/O/O/X ||
|-
| <tt>log-tag &lt;string&gt;</tt> || Specifies the log tag to use for all outgoing logs || O/O/O/O || overrides the global <tt>log-tag</tt>
|-
| <tt>unique-id-format &lt;string&gt;</tt> || Generates a unique ID for each request || O/O/O/X || logged with <tt>%ID</tt>; see <tt>unique-id-header</tt>
|-
| <tt>unique-id-header &lt;name&gt;</tt> || Adds the unique ID as a header in the HTTP request || O/O/O/X || e.g. <tt>X-Unique-ID</tt>
|}
Health Check
{| class='wikitable'
! Keyword !! Description !! Remarks
|-
| <tt>option httpchk &lt;method&gt; &lt;uri&gt; &lt;version&gt;</tt> || Enables HTTP protocol to check the servers' health || extra headers can be appended to &lt;version&gt; with escaped <tt>\r\n</tt>
|}

Statistics
{| class='wikitable'
! Keyword !! Description !! DF/FE/LI/BE !! Remarks
|-
| <tt>stats enable</tt> || Enables statistics reporting with default settings || O/O/O/O ||
|-
| <tt><nowiki>stats admin { if | unless } <cond></nowiki></tt> || Enables statistics admin level if/unless a condition is matched || X/O/O/O || admin level allows changing server state from the page
|-
| <tt>stats auth &lt;user&gt;:&lt;passwd&gt;</tt> || Enables statistics with authentication and grants access to an account || O/O/O/O || clear-text password in the configuration file; Basic auth, so serve the page over TLS or a restricted bind
|}

Bind Options

{| class='wikitable'
! Option !! Description !! Remarks
|-
| <tt>ca-ignore-err</tt> || Sets a comma-separated list of error IDs to ignore during verify at depth &gt; 0 ||
|-
| <tt>crt-ignore-err</tt> || Sets a comma-separated list of error IDs to ignore during verify at depth == 0 ||
|-
| <tt>no-sslv3</tt> || Disables support for SSLv3 on any sockets instantiated from the listener when SSL is supported ||
|-
| <tt>ssl-min-ver &lt;version&gt;</tt> || Enforces use of &lt;version&gt; or upper on SSL connections instantiated from this listener || <nowiki>TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3</nowiki>
|-
| <tt>alpn &lt;protocols&gt;</tt> || Enables the TLS ALPN extension and advertises the specified protocol list as supported on top of ALPN || ALPN (on Wikipedia)
|-
| <tt>npn &lt;protocols&gt;</tt> || Enables the NPN TLS extension and advertises the specified protocol list as supported on top of NPN ||
|}

Server Options

{| class='wikitable'
! Option !! Description !! Remarks
|-
| <tt>maxconn &lt;maxconn&gt;</tt> || Specifies the maximal number of concurrent connections that will be sent to this server ||
|-
| <tt>check</tt> || Enables health checks on the server || <tt>addr</tt>, <tt>port</tt>, <tt>source</tt>, <tt>inter</tt>, <tt>rise</tt>, <tt>fall</tt>
|-
| <tt>inter &lt;delay&gt;</tt> || Sets the interval between two consecutive health checks to &lt;delay&gt; milliseconds || default: 2000ms
|-
| <tt>check-ssl</tt> || Forces encryption of all health checks over SSL, regardless of whether the server uses SSL or not for the normal traffic ||
|-
| <tt>ssl</tt> || Enables SSL ciphering on outgoing connections to the server ||
|-
| <tt><nowiki>verify [none|required]</nowiki></tt> || With <tt>none</tt> the server certificate is not verified; with <tt>required</tt> it is verified against the CAs in <tt>ca-file</tt> || default: required, unless the global <tt>ssl-server-verify none</tt> is set
|}

ACL

 acl <aclname> <criterion> [flags] [operator] [<value>] ...
 acl <aclname> <sample fetch method> [flags] [operator] [<value>] ...

{| class='wikitable'
! Element !! Description !! Remarks
|-
| ACL name (<tt>aclname</tt>) || <tt>[-_.:A-Za-z0-9]*</tt> || case-sensitive
|-
| Flags (<tt>flags</tt>) || <tt>-i</tt>, <tt>-f</tt>, <tt>-m</tt>, <tt>-n</tt>, <tt>-M</tt>, <tt>-u</tt>, <tt>--</tt> ||
|}

ACL Flags
{| class='wikitable'
! Flag !! Description !! Remarks
|-
| <tt>-i</tt> || ignore case during matching of all subsequent patterns ||
|-
| <tt>-m found</tt> || only check if the requested sample could be found in the stream, but do not compare it against any pattern ||
|-
| <tt>-m bool</tt> || check the value as a boolean ||
|-
| <tt>-m int</tt> || match the value as an integer ||
|-
| <tt>-m len</tt> || match the sample's length as an integer ||
|-
| <tt>-m str</tt> || exact string match ||
|-
| <tt>-m sub</tt> || substring match ||
|-
| <tt>-m reg</tt> || regex match ||
|-
| <tt>-m beg</tt> || prefix match ||
|-
| <tt>-m end</tt> || suffix match ||
|}

Sample Fetch Methods

Layer 4 (connection)
{| class='wikitable'
! Method !! Type !! Description !! Remarks
|-
| <tt>src</tt> || ip || The source IPv4 address of the client of the session ||
|}

Layer 6 (buffer contents)
{| class='wikitable'
! Method !! Type !! Description !! Remarks
|-
| <tt><nowiki>req.payload_lv(<offset1>,<length>[,<offset2>])</nowiki></tt> || binary || Extracts a binary block whose size is specified at &lt;offset1&gt; for &lt;length&gt; bytes, and which starts at &lt;offset2&gt; if specified or just after the length, in the request buffer ||
|-
| <tt><nowiki>res.payload_lv(<offset1>,<length>[,<offset2>])</nowiki></tt> || binary || Same as <tt>req.payload_lv</tt>, in the response buffer ||
|-
| <tt>req.ssl_hello_type</tt> || integer || Returns the type of the SSL hello message found in the request buffer, if the buffer contains data that parses as a complete SSL (v3 or superior) client hello message ||
|-
| <tt>res.ssl_hello_type</tt> || integer || Returns the type of the SSL hello message found in the response buffer, if the buffer contains data that parses as a complete SSL (v3 or superior) hello message ||
|}

Layer 7 (HTTP)
{| class='wikitable'
! Method !! Type !! Description !! Remarks
|-
| <tt><nowiki>req.hdr([<name>[,<occ>]])</nowiki></tt> || string || Extracts the last occurrence of header &lt;name&gt; in an HTTP request || when used from an ACL, all occurrences are iterated over until a match is found
|-
| <tt><nowiki>res.hdr([<name>[,<occ>]])</nowiki></tt> || string || Extracts the last occurrence of header &lt;name&gt; in an HTTP response ||
|-
| <tt><nowiki>hdr([<name>[,<occ>]])</nowiki></tt> || string || Equivalent to <tt>req.hdr()</tt> when used on requests, and to <tt>res.hdr()</tt> when used on responses ||
|-
| <tt><nowiki>http_auth(<userlist>)</nowiki></tt> || boolean || Returns a boolean indicating whether the authentication data received from the client match a username and password stored in the specified userlist ||
|-
| <tt><nowiki>http_auth_group(<userlist>)</nowiki></tt> || string || Returns the user name found in the authentication data received from the client, if both the user name and password are valid according to the specified userlist || ACL derivatives: <tt><nowiki>http_auth_group(<userlist>) <group> ...</nowiki></tt> matches when the user belongs to one of the listed groups
|-
| <tt>path</tt> || string || Extracts the request's URL path, which starts at the first slash and ends before the question mark (without the host part) ||
|}

Logging

  • Log Variable Syntax
flag = "Q" | "E" | "X"
flag-part = "+" | "-", flag
variable = "%", [ "{", flag-part, 2 * [ ",", flag-part ], "}" ], ( field | "[", sample-expr , "]" )
  • Default HTTP Log Format
"%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
Log Variables
{| class='wikitable'
! Variable !! Name !! Type !! Description !! Remarks
|-
| <tt>%o</tt> || special variable || || applies flags to all following variables || Q, E, X
|-
| <tt>%ci</tt> || client_ip || IP || ||
|-
| <tt>%cp</tt> || client_port || numeric || ||
|-
| <tt>%ft</tt> || frontend_name_transport || string || || '~' suffix for SSL
|-
| <tt>%fi</tt> || frontend_ip || IP || ||
|-
| <tt>%fp</tt> || frontend_port || numeric || ||
|-
| <tt>%b</tt> || backend_name || string || ||
|-
| <tt>%si</tt> || server_IP || IP || target address || '-' when no server was selected
|-
| <tt>%Ts</tt> || timestamp || numeric || ||
|-
| <tt>%Tq</tt> || Th + Ti + TR || numeric || total time to get the client request from the accept date or since the emission of the last byte of the previous response || HTTP mode only; -1 if the request was never received
|-
| <tt>%Tw</tt> || Tw || numeric || total time spent in the queues waiting for a connection slot || -1 if the phase was never reached
|-
| <tt>%Tc</tt> || Tc || numeric || total time to establish the TCP connection to the server || -1 if the phase was never reached
|-
| <tt>%Tr</tt> || response time || numeric || server response time || HTTP mode only; -1 if the phase was never reached
|-
| <tt>%Tt</tt> || Tt || numeric || total session duration time ||
|-
| <tt>%ST</tt> || status_code || numeric || || -1 if no response was received
|-
| <tt>%B</tt> || bytes_read || numeric || from server to client ||
|-
| <tt>%ts</tt> || termination_state || string || ||
|-
| <tt>%sq</tt> || srv_queue || numeric || ||
|-
| <tt>%bq</tt> || backend_queue || numeric || ||
|-
| <tt>%hr</tt> || captured_request_headers || string || default style || <nowiki>{h1|h2|...}</nowiki> in capture order
|-
| <tt>%r</tt> || http_request || string || || HTTP mode only
|-
| <tt>%rt</tt> || request_counter || numeric || ||
|-
| <tt>%ID</tt> || unique-id || string || Unique ID generated by the <tt>unique-id-format</tt> directive ||
|}

Flags
{| class='wikitable'
! Flag !! Description !! Remarks
|-
| Q || quote a string ||
|-
| X || hexadecimal representation || IPs, ports, <tt>%Ts</tt>, <tt>%rt</tt>
|-
| E || escape the characters '"', '\' and ']' in a string with '\' as prefix || RFC 5424
|}
Timings Events
                 first request               2nd request
      |<-------------------------------->|<-------------- ...
      t         tr                       t    tr ...
   ---|----|----|----|----|----|----|----|----|--
      : Th   Ti   TR   Tw   Tc   Tr   Td : Ti   ...
      :<---- Tq ---->:                   :
      :<-------------- Tt -------------->:
                :<--------- Ta --------->:
{| class='wikitable'
! Event !! Name !! Description !! Remarks
|-
| Th || handshakes || total time to accept the TCP connection and execute handshakes for low-level protocols ||
|-
| Ti || idle || the idle time before the HTTP request ||
|-
| TR || request || total time to get the client request ||
|-
| Tq || || total time to get the client request from the accept date or since the emission of the last byte of the previous response || Th + Ti + TR
|-
| Tw || waiting || total time spent in the queues waiting for a connection slot ||
|-
| Tc || connection || total time to establish the TCP connection to the server ||
|-
| Tr || response || server response time ||
|-
| Td || data || the data transmission time || Tt - (Th + Ti + TR + Tw + Tc + Tr)
|-
| Ta || active || total active time for the HTTP request ||
|-
| Tt || total || total session duration time ||
|}

Monitoring

Statistics fields; the second column tells where each applies: L = listener, F = frontend, B = backend, S = server.
{| class='wikitable'
! Metric !! Applies to !! Description !! Remarks
|-
| pxname || LFBS || proxy name ||
|-
| svname || LFBS || service name || <nowiki>FRONTEND | BACKEND | <server name></nowiki>
|-
| qcur || ..BS || current queued requests ||
|-
| qmax || ..BS || max value of qcur ||
|-
| scur || LFBS || current sessions ||
|-
| smax || LFBS || max sessions ||
|-
| slim || LFBS || configured session limit ||
|-
| stot || LFBS || cumulative number of sessions ||
|}

CLI

{| class='wikitable'
! Option !! Description !! Remarks
|-
| <tt>-D</tt> || goes daemon ||
|-
| <tt>-Ws</tt> || master-worker mode with systemd notify support ||
|-
| <tt>-c</tt> || only checks the config files and exits || check mode
|-
| <tt>-V</tt> || enters verbose mode (disables quiet mode) ||
|-
| <tt>-p &lt;pidfile&gt;</tt> || writes the pids of all children to this file ||
|-
| <tt>-sf &lt;pid&gt;*</tt> || finishes the old pids: once the new process is bound they are asked to stop gracefully (SIGUSR1) || <tt>-st</tt> terminates them immediately (SIGTERM) instead; must be the last arguments
|}

Readings

ACL

Proxying

SSL

WebSockets

HTTP/2

Load Balancing

Logging, Tracing and Statistics

Health Check

Throttling

Mapping

Samples

Typical Sample for Reverse Proxy

# References
#   http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3
#   http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4
#   https://kvz.io/blog/2010/08/11/haproxy-logging/

global
  daemon
  log /var/lib/haproxy/dev/log local0 info
  log /var/lib/haproxy/dev/log local1 notice

  ca-base /etc/haproxy/ssl/trusted
  crt-base /etc/haproxy/ssl

  # https://disablessl3.com/
  # no-sslv3 only; on 1.8+ 'ssl-min-ver TLSv1.2' here also rejects TLS 1.0/1.1
  ssl-default-bind-options no-sslv3

  # 'stats socket' would generate the specified socket file if not exists
  stats socket /var/run/haproxy.sock mode 660

  maxconn 2000
  tune.ssl.default-dh-param 2048 


defaults
  mode http
  monitor-uri /liveness

  log global
  option httplog
  option dontlognull
  no option log-health-checks
  # http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8.2.4
  log-format %ci\ %ft\ %b\ %si\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %hr\ %{+Q}r

  # Add the 'X-Forwarded-For' header automatically. HAProxy adds its own entry after
  # any X-Forwarded-For the client sent, so backends must trust only the last one.
  option forwardfor
  #option http-server-close
  
  timeout connect 5s
  timeout client 10s
  timeout server 10s
  timeout tunnel 600s
  timeout server-fin 10s
  timeout client-fin 10s
  timeout http-request 5s
  timeout http-keep-alive 2s
  
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http

  default-server inter 5s rise 2 fall 3


listen stats
  bind 192.168.1.11:8070
  
  stats enable
  stats admin if FALSE
  stats auth haproxystat:dontuse1234
  stats hide-version
  stats realm HAProxy\ Statistics
  stats uri /stats

frontend http
  bind 192.168.1.11:8080
  
  capture request header Host len 20
  #capture request header Forwarded len 50
  capture request header X-Forwarded-For len 20

  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
  http-request set-header X-Forwarded-Proto http

  default_backend http-rear


frontend https
  # http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-verify
  bind 192.168.1.11:8443 ssl crt server-tls.pem ca-file ca.crt verify none
  # bind 192.168.1.11:8443 ssl crt server-tls.pem ca-file ca.crt verify optional crt-ignore-err all ca-ignore-err all   # For mutual auth
  # With 'verify optional' plus '*-ignore-err all' the handshake accepts any client
  # certificate (or none); enforce it at HTTP level with the 'ssl_c_verify 0' rule below.

  capture request header Host len 20
  #capture request header Forwarded len 50
  capture request header X-Forwarded-For len 20

  #http-request deny deny_status 400 unless { ssl_fc }
  #http-request deny deny_status 400 unless { ssl_c_used }
  #http-request deny deny_status 400 unless { ssl_c_verify 0 }
  
  # setup request header for logging or backend usage
  # https://www.haproxy.com/blog/ssl-client-certificate-information-in-http-headers-and-logs/
  http-request set-header X-SSL                  %[ssl_fc]
  http-request set-header X-SSL-Session_ID       %[ssl_fc_session_id,hex]
  http-request set-header X-SSL-Client-Verify    %[ssl_c_verify]    
  http-request set-header X-SSL-Client-DN        %{+Q}[ssl_c_s_dn]
  http-request set-header X-SSL-Client-CN        %{+Q}[ssl_c_s_dn(cn)]
  http-request set-header X-SSL-Issuer           %{+Q}[ssl_c_i_dn]
  http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
  http-request set-header X-SSL-Client-NotAfter  %{+Q}[ssl_c_notafter]
  
  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
  http-request set-header X-Forwarded-Proto https

  default_backend http-rear


frontend ws
  bind 192.168.1.11:8090
  
  capture request header Host len 20
  #capture request header Forwarded len 50
  capture request header X-Forwarded-For len 20

  acl is_connection_upgrade hdr(Connection) -i upgrade
  acl is_upgrade_websocket hdr(Upgrade) -i websocket
  acl has_websocket_key hdr_cnt(Sec-WebSocket-Key) eq 1
  acl has_websocket_ver hdr_cnt(Sec-WebSocket-Version) eq 1

  http-request deny unless is_connection_upgrade is_upgrade_websocket has_websocket_key has_websocket_ver

  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
  http-request set-header X-Forwarded-Proto http

  default_backend ws-rear


frontend wss
  bind 192.168.1.11:8453 ssl crt server-tls.pem ca-file ca.crt verify none
  # bind 192.168.1.11:8453 ssl crt server-tls.pem ca-file ca.crt verify optional crt-ignore-err all ca-ignore-err all   # For mutual auth

  capture request header Host len 20
  #capture request header Forwarded len 50
  capture request header X-Forwarded-For len 20

  #http-request deny deny_status 400 unless { ssl_fc }
  #http-request deny deny_status 400 unless { ssl_c_used }
  #http-request deny deny_status 400 unless { ssl_c_verify 0 }

  acl is_connection_upgrade hdr(Connection) -i upgrade
  acl is_upgrade_websocket hdr(Upgrade) -i websocket
  acl has_websocket_key hdr_cnt(Sec-WebSocket-Key) eq 1
  acl has_websocket_ver hdr_cnt(Sec-WebSocket-Version) eq 1

  http-request deny unless is_connection_upgrade is_upgrade_websocket has_websocket_key has_websocket_ver

  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
  http-request set-header X-Forwarded-Proto https

  default_backend ws-rear


backend http-rear
  # https://serverfault.com/questions/622567/haproxy-error-some-configuration-options-require-full-privileges-so-global-uid
  #source 0.0.0.0 usesrc clientip

  option http-keep-alive
  http-request set-header X-User ...
  http-request set-header Authorization 'Basic ...'

  # httpchk sends nothing after the final \r\n\r\n, so with 'Content-Length: 25' the
  # server waits for a body that never arrives and the check times out; use
  # Content-Length: 0 (or a GET) unless the body is appended to this string
  option httpchk POST / HTTP/1.1\r\nHost:\ 127.0.0.1\r\nContent-Length:\ 25\r\nAuthorization:\ Basic\ ...\r\nX-User:\ ...\r\n\r\n

  server s1 127.0.0.1:80 check


backend ws-rear
  # https://serverfault.com/questions/622567/haproxy-error-some-configuration-options-require-full-privileges-so-global-uid
  #source 0.0.0.0 usesrc clientip

  option http-keep-alive
  http-request set-header X-User ...
  http-request set-header Authorization 'Basic ...'

  server s1 127.0.0.1:90 check
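The frontends above overwrite X-Forwarded-Host, X-Forwarded-Proto and the X-SSL-* headers with set-header, and option forwardfor adds HAProxy's own X-Forwarded-For entry after anything the client already sent. Which of those values a backend may rely on is a separate decision, made on the backend. The following Python is an added example for this page (not HAProxy's or the page's own code): a client-address selection that walks X-Forwarded-For from the right through a list of trusted proxies, and an mTLS identity check that only honours X-SSL-Client-CN when the request arrived through HAProxy with ssl_c_verify 0. The trusted proxy addresses and all request data are assumptions constructed for the example.

```python
"""What a backend behind the sample HAProxy config may trust.

Added example, not HAProxy's or this page's own code. 'option forwardfor'
adds the connecting address after whatever X-Forwarded-For the client sent,
so the combined header can read 'spoofed, real'. The frontend's set-header
lines overwrite X-SSL-* on every request, but only requests that actually
arrived through HAProxy carry trustworthy values. Addresses and headers here
are constructed; the trusted proxy list is an assumption.
"""
import ipaddress

# Assumption: HAProxy reaches the backends from these addresses (the sample
# binds 192.168.1.11 and targets 127.0.0.1, so it connects from loopback).
TRUSTED_PROXIES = (
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("192.168.1.11/32"),
)


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the client address as seen by the nearest untrusted hop.

    peer_addr is the TCP peer of the backend; xff_header is the combined
    X-Forwarded-For value (or None). The chain is walked from the right,
    because only the rightmost entries were added by proxies we control;
    the leftmost entry is whatever the client chose to send.
    """
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    chain = hops + [peer_addr]
    for hop in reversed(chain):
        if not is_trusted(hop, trusted):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return None      # garbage from the client: refuse rather than guess
    return None                  # every hop is a trusted proxy: nothing to report


def mtls_client_cn(peer_addr, headers, trusted=TRUSTED_PROXIES):
    """Accept the X-SSL-* identity only if the request came through HAProxy
    and the frontend reported a successful verification (ssl_c_verify == 0).
    The CN was emitted with %{+Q}, so strip the surrounding double quotes."""
    if not is_trusted(peer_addr, trusted):
        return None
    if headers.get("X-SSL-Client-Verify") != "0":
        return None
    cn = headers.get("X-SSL-Client-CN", "")
    if len(cn) >= 2 and cn[0] == cn[-1] == '"':
        cn = cn[1:-1]
    return cn or None


if __name__ == "__main__":
    # Constructed request: client 203.0.113.7 spoofs a leading XFF entry.
    print(client_ip("127.0.0.1", "10.0.0.1, 203.0.113.7"))   # 203.0.113.7
    print(client_ip("203.0.113.7", "10.0.0.1"))              # 203.0.113.7: bypassed the proxy
    print(mtls_client_cn("127.0.0.1", {"X-SSL-Client-Verify": "0",
                                       "X-SSL-Client-CN": '"client1"'}))  # client1
```

A request that reaches the backend directly (peer not in the trusted list) is reported by its TCP peer and its X-SSL-* headers are ignored, which is the only safe reading when a client can craft those headers itself.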

Typical Sample for Forward Proxy

# Sample HAProxy configuration for dedicated forward proxy

# References
#    https://stackoverflow.com/questions/49433417/setup-https-forward-proxy-with-haproxy
#    https://serverfault.com/questions/477642/using-haproxy-for-transparent-forwarding-and-selective-redirection

global
  daemon
  log /var/lib/haproxy/dev/log local0 info
  log /var/lib/haproxy/dev/log local1 notice

  ca-base /etc/haproxy/ssl/trusted
  crt-base /etc/haproxy/ssl

  maxconn 2048
  tune.ssl.default-dh-param 2048
  ssl-default-bind-options no-sslv3

userlist users
  group regular-users

  user tom password ... groups regular-users

defaults
  mode http
  log global

  timeout connect 5s
  timeout client 10s
  timeout server 10s
  timeout tunnel 600s
  timeout server-fin 10s
  timeout client-fin 10s
  timeout http-request 5s
  timeout http-keep-alive 2s

  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http

listen stats
  # The stats page and its Basic-auth credentials travel over plain HTTP here, so keep this
  # bind on a management-only address (or terminate TLS on it with "ssl crt ...")
  bind 192.168.1.11:8070

  stats enable
  stats hide-version
  stats realm HAProxy\ Statistics
  stats uri /stats
  stats auth proxyadmin:p8dp8d

resolvers dns
  nameserver dns1 8.8.8.8
  nameserver dns2 8.8.4.4
  hold valid 10s

frontend http
  bind 192.168.1.11:8080

  option http-use-proxy-header
  option httplog
  option dontlognull
  log-format %ci\ [%t]\ %ft\ %b\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %{+Q}r
  
  acl is-allowed-users http_auth_groups(users) regular-users
  # with "option http-use-proxy-header" this answers 407 Proxy Authentication Required
  # (Proxy-Authenticate header) instead of 401, as a forward proxy must
  http-request auth unless is-allowed-users

  default_backend outside

backend outside

  option httpclose
  option http_proxy
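An added check for the forward-proxy sample above (example code, not from the wiki page or from HAProxy): it sends three requests through the proxy, without credentials, with wrong credentials and with valid ones, and reports whether the proxy really answers 407 with a Proxy-Authenticate challenge for the first two and lets the third through. Point check_proxy_auth() at the real proxy (the sample binds 192.168.1.11:8080). The user "tom" with password "secret" and the realm "proxy" are assumptions (the page elides the real password), and the stand-in server in the block is a constructed imitation of "http-request auth" that exists only so the script runs stand-alone; it is not HAProxy.

```python
"""Verify that a forward proxy enforces proxy authentication (407 exchange).
Added example; the stand-in below is NOT HAProxy."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def proxy_authorization(user: str, password: str) -> str:
    """Build the Proxy-Authorization value a client sends after a 407."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def proxy_status(host, port, url, auth_header=None, timeout=5):
    """Send one absolute-URI GET through the proxy (the request form a forward
    proxy expects) and return (status, Proxy-Authenticate header or None)."""
    target_host = url.split("/")[2]
    headers = {"Host": target_host, "User-Agent": "proxy-auth-check"}
    if auth_header:
        headers["Proxy-Authorization"] = auth_header
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", url, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Proxy-Authenticate")
    finally:
        conn.close()


def check_proxy_auth(host, port, user, password, url="http://www.example.com/"):
    """No credentials and wrong credentials must both get a 407 carrying a
    Proxy-Authenticate challenge; valid credentials must not get 407."""
    results = {
        "no_creds": proxy_status(host, port, url),
        "bad_creds": proxy_status(host, port, url,
                                  proxy_authorization(user, "not-" + password)),
        "good_creds": proxy_status(host, port, url,
                                   proxy_authorization(user, password)),
    }
    ok = (results["no_creds"][0] == 407
          and results["no_creds"][1] is not None
          and results["bad_creds"][0] == 407
          and results["good_creds"][0] != 407)
    return ok, results


class _StandInProxy(BaseHTTPRequestHandler):
    """Constructed stand-in mimicking 'http-request auth unless is-allowed-users'
    under 'option http-use-proxy-header' (407 + Proxy-Authenticate). Not HAProxy."""
    users = {"tom": "secret"}  # assumed credentials; the page elides the password

    def do_GET(self):
        valid = {proxy_authorization(u, p) for u, p in self.users.items()}
        if self.headers.get("Proxy-Authorization") not in valid:
            self.send_response(407)
            self.send_header("Proxy-Authenticate", 'Basic realm="proxy"')  # realm assumed
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"forwarded\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the stand-in quiet
        pass


def start_stand_in_proxy():
    """Start the stand-in on an ephemeral loopback port and return the server."""
    srv = HTTPServer(("127.0.0.1", 0), _StandInProxy)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_stand_in_proxy()
    ok, res = check_proxy_auth("127.0.0.1", srv.server_address[1], "tom", "secret")
    for name, (status, challenge) in res.items():
        print(f"{name:10s} -> {status} {challenge or ''}")
    print("proxy auth enforced" if ok else "PROXY AUTH NOT ENFORCED")
    srv.shutdown()
```

Against the real proxy, a 401 instead of a 407 in the first two probes means "option http-use-proxy-header" is missing from the frontend, and anything other than 407 for the bad-credentials probe means the userlist is not being consulted.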

Log Format and Grok Pattern

Log Format    %ci\ %ft\ %b\ %si\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %hr\ %{+Q}r
Grok Pattern  %{IPV4:client_ip} %{NOTSPACE:fe} %{NOTSPACE:be} %{IPV4:server_ip} %{NONNEGINT:tq}/%{NONNEGINT:tw}/%{NONNEGINT:tc}/%{NONNEGINT:tr}/%{NONNEGINT:tt} %{POSINT:resp_code} %{NONNEGINT:read_byte} %{NOTSPACE:term_state} %{NOTSPACE:server_q}/%{NOTSPACE:be_q} \{%{DATA:client}\|%{DATA:host}\} "%{GREEDYDATA:req}"

Caveat: this pattern only matches complete, successful requests. HAProxy logs -1 for a timer that never ran (%Tw/%Tc/%Tr on a failed connect) and for %ST when no response was sent, and "-" for %si when no server was selected (e.g. a 407 answered by the frontend), so NONNEGINT/POSINT/IPV4 reject exactly the lines that matter in an investigation; use %{INT:...} for the timers and the status, and %{NOTSPACE:server_ip}, if those lines must be indexed. %hr is only emitted when the frontend has "capture request header" lines; the names client and host above assume two such captures.
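The same log format parsed in Python, as an added example that is not part of the wiki page: the regex is the equivalent of the Grok pattern, relaxed so that the lines Grok's NONNEGINT/POSINT/IPV4 would drop (timers of -1, status -1, server "-") still parse, and the parsed records are labelled the way an operator reading a forward proxy's log wants them (proxy-auth failures per client, proxy denials, backend failures). The sample lines are constructed, not real captures; the captured-header names client and host assume "capture request header" lines for X-Forwarded-For and Host, which the page does not show.

```python
"""Parse HAProxy lines in the custom log format above and label the
security-relevant ones. Added example; sample lines are constructed."""
import re
from typing import Optional

# Regex equivalent of the Grok pattern. Differences on purpose: timers and %ST
# accept -1 (HAProxy logs -1 for a timer or status that never happened), %si
# accepts "-" (no server selected, e.g. a 407 issued by the frontend), and the
# request is taken from inside the quotes that %{+Q}r adds.
LOG_RE = re.compile(
    r"^(?P<client_ip>\S+) (?P<fe>\S+) (?P<be>\S+) (?P<server_ip>\S+) "
    r"(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+) "
    r"(?P<resp_code>-?\d+) (?P<read_byte>\d+) (?P<term_state>\S+) "
    r"(?P<server_q>\d+)/(?P<be_q>\d+) "
    # %hr renders captured request headers as {hdr1|hdr2}; the names client
    # and host are an assumption about the capture lines (not on the page).
    r"\{(?P<client>[^|}]*)\|(?P<host>[^}]*)\} "
    r'"(?P<req>.*)"$'
)
INT_FIELDS = ("tq", "tw", "tc", "tr", "tt", "resp_code", "read_byte",
              "server_q", "be_q")
SLOW_MS = 5000  # total time (%Tt, milliseconds) above which a request is flagged slow

# Constructed sample lines in the page's format (not real captures).
SAMPLE_LINES = [
    # ordinary proxied request
    '192.168.1.31 http outside 203.252.150.28 12/0/3/45/60 200 1234 ---- 0/0 '
    '{192.168.1.31|www.example.com} "GET http://www.example.com/ HTTP/1.1"',
    # rejected by "http-request auth": no server, timers -1, state PR
    '192.168.1.32 http http - 5/-1/-1/-1/5 407 198 PR-- 0/0 '
    '{-|www.example.com} "GET http://www.example.com/ HTTP/1.1"',
    '192.168.1.32 http http - 4/-1/-1/-1/4 407 198 PR-- 0/0 '
    '{-|www.example.com} "CONNECT www.example.com:443 HTTP/1.1"',
    # backend connect failure: %Tc/%Tr are -1, state SC
    '192.168.1.33 http outside 198.51.100.7 8/0/-1/-1/3008 503 212 SC-- 0/0 '
    '{192.168.1.33|bad.example.net} "GET http://bad.example.net/ HTTP/1.1"',
    # a line in another format (a daemon message) must not be mis-parsed
    "Jan  1 00:00:00 proxy haproxy[1234]: Proxy http started.",
]


def parse_line(line: str) -> Optional[dict]:
    """Fields of one log line with integers converted and server_ip None when
    HAProxy logged "-"; None if the line is not in this format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    if rec["server_ip"] == "-":
        rec["server_ip"] = None
    return rec


def classify(rec: dict) -> list:
    """Labels from the status code and the first termination-state letter
    (%ts: P = blocked by the proxy, S = server side, C = client side)."""
    labels = []
    state = rec["term_state"]
    if rec["resp_code"] == 407:
        labels.append("proxy-auth-failed")
    if state[0] == "P":
        labels.append("denied-by-proxy")
    if state[0] == "S":
        labels.append("server-failure")
    if state[0] == "C":
        labels.append("client-abort")
    if rec["tt"] >= SLOW_MS:
        labels.append("slow")
    return labels


def summarize(lines) -> dict:
    """Aggregate counts; unparsed lines are kept so a format drift is noticed
    instead of silently dropping events."""
    out = {"parsed": 0, "unparsed": [], "by_status": {}, "by_label": {},
           "auth_failures_by_client": {}}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            out["unparsed"].append(line)
            continue
        out["parsed"] += 1
        code = rec["resp_code"]
        out["by_status"][code] = out["by_status"].get(code, 0) + 1
        for label in classify(rec):
            out["by_label"][label] = out["by_label"].get(label, 0) + 1
            if label == "proxy-auth-failed":
                ip = rec["client_ip"]
                out["auth_failures_by_client"][ip] = (
                    out["auth_failures_by_client"].get(ip, 0) + 1)
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Feed it `haproxy.log` line by line and watch auth_failures_by_client for brute forcing of the proxy credentials and the unparsed list for lines from a changed log-format; both are invisible when the Grok pattern simply fails to match.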

Wireshark

References

Operator   Symbol   Description                                                                                  Remarks
eq         ==       Equal
ne         !=       Not equal
gt         >        Greater than
lt         <        Less than
ge         >=       Greater than or equal to
le         <=       Less than or equal to
contains            Does the protocol, field or slice contain a value
matches    ~        Does the protocol or text string match the given case-insensitive Perl-compatible regex
[i:j]               Slice with i = start_offset, j = length
[i-j]               Slice with i = start_offset, j = end_offset, inclusive
[i]                 Slice with i = start_offset, length = 1
[:j]                Slice with start_offset = 0, length = j
[i:]                Slice with start_offset = i, end_offset = end_of_field
and        &&       Logical AND
or         ||       Logical OR
not        !        Logical NOT
Protocol    Typical Fields       Description                      Remarks
tcp         port, srcport, dstport   Transmission Control Protocol
ip          addr, dst, src       Internet Protocol Version 4
http        host, request, response   Hypertext Transfer Protocol
ssl                              Secure Sockets Layer             Renamed to tls in Wireshark 3.0; "ssl" only works in older versions
websocket                        WebSocket

Readings

Tips and Tricks

Typical display filters

ip.src == 192.168.1.31 and ip.addr == 203.252.150.28 and http

tcpdump

tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
        [ -c count ] [ -C file_size ]
        [ -E spi@ipaddr algo:secret,... ]
        [ -F file ] [ -G rotate_seconds ] [ -i interface ]
        [ --immediate-mode ] [ -j tstamp_type ] [ -m module ]
        [ -M secret ] [ --number ] [ --print ] [ -Q in|out|inout ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ --version ]
        [ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ]
        [ -z postrotate-command ] [ -Z user ]
        [ --time-stamp-precision=tstamp_precision ]
        [ expression ]

Options

Option          Description                                                                                        Remarks
-n              Don't convert addresses (host addresses, port numbers, etc.) to names
-i interface    Listen on interface
-A              Print each packet (minus its link level header) in ASCII                                          Handy for capturing web pages
-s n            Snarf n bytes of data from each packet rather than the default of 262144 bytes                    Setting n to 0 sets it to the default of 262144
-x              When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex

Filter Expression

Primitive             Description                                                                                           Remarks
host host             True if either the IPv4/v6 source or destination of the packet is host
dst host host         True if the IPv4/v6 destination field of the packet is host
src host host         True if the IPv4/v6 source field of the packet is host
port port             True if either the source or destination port of the packet is port
dst port port         True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of port
src port port         True if the packet has a source port value of port
ip proto protocol     True if the packet is an IPv4 packet of protocol type protocol                                      tcp, udp and icmp are also keywords here and must be written \tcp, \udp, \icmp
tcp                   Abbreviation for "proto \tcp", i.e. "ip proto \tcp or ip6 proto \tcp" (matches IPv6 as well)