(47 intermediate revisions by the same user not shown) | |||
Line 14: | Line 14: | ||
* [http://www.haproxy.org/#docs HAProxy official documentation] |
* [http://www.haproxy.org/#docs HAProxy official documentation] |
||
− | * '''1.8''' |
+ | * '''HAProxy 1.8''' |
** [http://cbonte.github.io/haproxy-dconv/1.8/intro.html HAProxy Starter Guide] |
** [http://cbonte.github.io/haproxy-dconv/1.8/intro.html HAProxy Starter Guide] |
||
** [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html HAProxy Configuration Manual] |
** [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html HAProxy Configuration Manual] |
||
Line 29: | Line 29: | ||
*** [http://cbonte.github.io/haproxy-dconv/1.8/management.html#3 Starting HAProxy] |
*** [http://cbonte.github.io/haproxy-dconv/1.8/management.html#3 Starting HAProxy] |
||
*** [http://cbonte.github.io/haproxy-dconv/1.8/management.html#4 Stopping and restarting HAProxy] |
*** [http://cbonte.github.io/haproxy-dconv/1.8/management.html#4 Stopping and restarting HAProxy] |
||
+ | |||
+ | * [https://www.haproxy.com/documentation/aloha/ ALOHA Documentation] |
||
+ | * '''ALOHA 11.0''' |
||
+ | ** [https://www.haproxy.com/documentation/aloha/11-0/ ALOHA 11.0 Documentation] |
||
+ | ** [https://www.haproxy.com/documentation/aloha/11-0/traffic-management/lb-layer7/health-checks/ Performing Health Checks] |
||
* [https://en.wikipedia.org/wiki/Proxy_server Proxy Server] |
* [https://en.wikipedia.org/wiki/Proxy_server Proxy Server] |
||
Line 88: | Line 93: | ||
| Adds a global syslog server || |
| Adds a global syslog server || |
||
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1- |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-log-tag <tt>'''log-tag''' <string></tt>] |
+ | | Sets the tag field in the syslog header to this string. || |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-nbproc <tt>'''nbproc''' <number></tt>] |
||
| Creates <number> processes when going daemon || default: 1 |
| Creates <number> processes when going daemon || default: 1 |
||
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-nbthread |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-nbthread <tt>'''nbthread''' <number></tt>] |
| Creates <number> threads for each created processes || |
| Creates <number> threads for each created processes || |
||
|- |
|- |
||
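Review bot: the nbthread row leaves its Remarks cell empty while the nbproc row right above records "default: 1"; nbthread also defaults to 1 in 1.8, so record it the same way. Grammar in the same row: "threads for each created processes" should read "threads for each created process".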
Line 99: | Line 107: | ||
|- |
|- |
||
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#ssl-default-bind-options '''<tt>ssl-default-bind-options</tt>'''] |
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#ssl-default-bind-options '''<tt>ssl-default-bind-options</tt>'''] |
||
− | | Sets default ssl-options to force on all "bind" lines. |
+ | | Sets default ssl-options to force on all "bind" lines. || |
− | | |
+ | |- |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-stats%20socket '''<tt>stats socket</tt>'''] |
||
+ | | Binds a UNIX socket to ''path'' or a TCPv4/v6 address to ''address'':''port''. || |
||
|} |
|} |
||
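Review bot: the new stats socket row leaves its Remarks cell empty, which is exactly where the parameters that matter belong: this socket accepts runtime commands, so note the access level (user, operator or admin) and, for a UNIX path, the mode and user/group that limit who can connect, the same way other rows list their related parameters. The ssl-default-bind-options fix (the added trailing "||") is right, the earlier version left that row one cell short.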
Line 108: | Line 118: | ||
! Parameter !! Description !! Remarks |
! Parameter !! Description !! Remarks |
||
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.2- |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.2-maxconn <tt>'''maxconn''' <number></tt>] |
+ | | Sets the maximum per-process number of concurrent connections to <number>. |
||
+ | | <tt>-n</tt> option |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.2-maxsslconn <tt>'''maxsslconn''' <number></tt>] |
||
+ | | Sets the maximum per-process number of concurrent SSL connections to <number>. |
||
+ | | default : = <tt>maxconn</tt> |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.2-tune.ssl.cachesize <tt>'''tune.ssl.cachesize''' <number></tt>] |
||
| Sets the size of the global SSL session cache, in a number of blocks. |
| Sets the size of the global SSL session cache, in a number of blocks. |
||
| default: 20,000 |
| default: 20,000 |
||
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.2-tune.ssl.lifetime |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.2-tune.ssl.lifetime <tt>'''tune.ssl.lifetime''' <timeout></tt>] |
| Sets how long a cached SSL session may remain valid in seconds. || default: 300s (5 min) |
| Sets how long a cached SSL session may remain valid in seconds. || default: 300s (5 min) |
||
|} |
|} |
||
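Review bot: the maxsslconn Remarks cell reads "default : = maxconn", which does not follow the "default: 20,000" style of the tune.ssl.cachesize row; write it as "default: maxconn" (or "no SSL-specific limit, bounded by maxconn"), since the manual applies no separate SSL limit unless this keyword is set. The maxconn row's Remark "-n option" should say what it means, i.e. that the -n command-line option overrides this value, so it is not read as a flag of the keyword itself.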
Line 128: | Line 146: | ||
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.1 Proxy keywords matrix] |
* [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.1 Proxy keywords matrix] |
||
+ | |||
+ | =====General===== |
||
{| class='wikitable' |
{| class='wikitable' |
||
! Keywords !! Description !! DF/FE/LI/BE !! Remarks |
! Keywords !! Description !! DF/FE/LI/BE !! Remarks |
||
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-mode <tt><nowiki> |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-mode <tt>'''mode''' <nowiki>{ tcp|http|health }</nowiki></tt>] |
− | | Set the running mode or protocol of the instance |
+ | | Set the running mode or protocol of the instance || || |
− | | || |
||
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4- |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-monitor-uri <tt>'''monitor-uri''' <uri></tt>] |
+ | | Intercept a URI used by external components' monitor requests || O/O/O/X || Monitor requests cannot be logged either. |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-retries <tt>'''retries''' <value></tt>] |
||
+ | | Set the number of retries to perform on a server after a connection failure || O/X/O/O |
||
+ | | applies to the number of connection attempts, not full requests |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-bind <tt>'''bind''' <nowiki>[<address>]:<port_range> [, ...] [param*]</nowiki></tt>] |
||
| Define one or several listening addresses and/or ports in a frontend |
| Define one or several listening addresses and/or ports in a frontend |
||
| X/O/O/X || |
| X/O/O/X || |
||
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-tcp-request%20inspect-delay <tt> |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-tcp-request%20inspect-delay <tt>'''tcp-request''' <nowiki>inspect-delay <timeout></nowiki></tt>] |
| Set the maximum allowed time to wait for data during content inspection |
| Set the maximum allowed time to wait for data during content inspection |
||
| || |
| || |
||
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-tcp-response%20content <tt> |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-tcp-response%20content <tt>'''tcp-response''' <nowiki>content <action> [{if | unless} <condition>]</nowiki></tt>] |
| Perform an action on a session response depending on a layer 4-7 condition |
| Perform an action on a session response depending on a layer 4-7 condition |
||
| || |
| || |
||
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20http_proxy <tt>option http_proxy</tt>] |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20http_proxy <tt>'''option http_proxy'''</tt>] |
| Enable or disable plain HTTP proxy mode |
| Enable or disable plain HTTP proxy mode |
||
| || Forward Proxy |
| || Forward Proxy |
||
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#option%20http-keep-alive <tt>option http-keep-alive</tt>] |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#option%20http-keep-alive <tt>'''option http-keep-alive'''</tt>] |
| Enable or disable HTTP keep-alive from client to server |
| Enable or disable HTTP keep-alive from client to server |
||
| || |
| || |
||
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-option%20httpclose <tt>option httpclose</tt>] |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-option%20httpclose <tt>'''option httpclose'''</tt>] |
| Enable or disable passive HTTP connection closing |
| Enable or disable passive HTTP connection closing |
||
| || <code>"Connection: close"</code> header<br/>Deprecated |
| || <code>"Connection: close"</code> header<br/>Deprecated |
||
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-option%20forwardfor <tt>option forwardfor</tt>] |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-option%20forwardfor <tt>'''option forwardfor'''</tt>] |
| Enable insertion of the X-Forwarded-For header to requests sent to servers |
| Enable insertion of the X-Forwarded-For header to requests sent to servers |
||
| || <code>"X-Forwarded-For"</code> header |
| || <code>"X-Forwarded-For"</code> header |
||
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-option%20socket-stats <tt>option socket-stats</tt>] |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-option%20socket-stats <tt>'''option socket-stats'''</tt>] |
− | | Enable or disable collecting & providing separate statistics for each socket. |
+ | | Enable or disable collecting & providing separate statistics for each socket. || || |
− | | || |
||
|- |
|- |
||
− | | style="white-space: nowrap;" | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-capture%20request%20header <tt>capture request header <name> len <length></tt>] |
+ | | style="white-space: nowrap;" | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-capture%20request%20header <tt>'''capture request header''' <name> len <length></tt>] |
| Capture and log the last occurrence of the specified request header. |
| Capture and log the last occurrence of the specified request header. |
||
| X/O/O/X || Not for Back-end |
| X/O/O/X || Not for Back-end |
||
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4- |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-use_backend <tt>'''use_backend''' <nowiki><backend> [{if | unless} <condition>]</nowiki></tt>] |
+ | | Switch to a specific backend if/unless an ACL-based condition is matched. |
||
− | | Set the source address for outgoing connections |
||
− | | |
+ | | X/O/O/X || |
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4- |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-source <tt>'''source''' <nowiki><addr>[:<port>] [usesrc ...]</nowiki></tt>] |
+ | | Set the source address for outgoing connections || || |
||
− | | Declare a server in a backend |
||
+ | |- |
||
− | | || |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-server <tt>'''server''' <nowiki><name> <address>[:[port]] [param*]</nowiki></tt>] |
||
+ | | Declare a server in a backend || || |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-default-server <tt>'''default-server''' <nowiki>[param*]</nowiki></tt>] |
||
+ | | Change default options for a server in a backend || O/X/O/O || <tt>default-server inter 4s rise 2 fall 3</tt> |
||
|} |
|} |
||
− | * [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request <tt>http-request</tt>] |
+ | * [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request <tt>'''http-request'''</tt>] |
** defines a set of rules which apply to layer 7 processing. |
** defines a set of rules which apply to layer 7 processing. |
||
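Review bot: the DF/FE/LI/BE column is filled for monitor-uri, retries, bind, capture request header, use_backend and default-server but left empty for mode, tcp-request inspect-delay, tcp-response content, the option rows, source and server; fill every row or the column stops working as a quick validity check. In the monitor-uri row, "Monitor requests cannot be logged either." hangs without the first thing it refers to (the manual's point is that such requests are neither forwarded to a server nor logged); spell that out. In the option forwardfor row, a Remarks note on how the keyword treats an X-Forwarded-For header already present in the request (the manual's if-none variant) would help, since a client-supplied value must not be mistaken for the address this hop recorded.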
Line 187: | Line 217: | ||
! Action !! Description !! Remarks |
! Action !! Description !! Remarks |
||
|- |
|- |
||
− | + | | <tt>'''http-request allow'''</tt> || Stops the evaluation of the rules and lets the request pass the check. || |
|
+ | |- |
||
+ | | <tt>'''http-request deny'''</tt> || Stops the evaluation of the rules and immediately rejects the request. || |
||
+ | |- |
||
+ | | <tt>'''http-request auth'''</tt> || Stops the evaluation of the rules and immediately responds with an HTTP 401 or 407 error code to invite the user to present a valid user name and password || |
||
+ | |- |
||
+ | | <tt>'''http-request add-header''' <nowiki><name> <fmt></nowiki></tt> || Appends an HTTP header field whose name is specified in <tt><name></tt> and whose value is defined by <tt><fmt></tt> || |
||
+ | |- |
||
+ | | <tt>'''http-request set-header''' <nowiki><name> <fmt></nowiki></tt> || the header name is first removed if it existed || |
||
+ | |- |
||
+ | | <tt>'''http-request del-header''' <nowiki><name></nowiki></tt> || removes all HTTP header fields whose name is specified in <tt><name></tt>. || |
||
+ | |- |
||
+ | | style='white-space:nowrap' | <tt>'''http-request replace-header''' <nowiki><name> <match-regex> <replace-fmt></nowiki></tt> || || |
||
|- |
|- |
||
+ | | <tt>'''http-request capture''' <nowiki><sample> [ len <length> | id <id> ]</nowiki></tt> || Captures sample expression <tt><sample></tt> from the request buffer, and converts it to a string of at most <tt><len></tt> characters. || |
||
− | | <tt>http-request deny</tt> || Stops the evaluation of the rules and immediately rejects the request. || |
||
|- |
|- |
||
− | | <tt>http-request |
+ | | <tt>'''http-request set-log-level''' <level></tt> || Change the log level of the current request when a certain condition is met. || <tt>emerg | alert | crit | err | warning | notice | info | debug | silent</tt> |
|} |
|} |
||
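Review bot: the replace-header row has an empty Description cell, and the set-header row's "the header name is first removed if it existed" states only the difference from add-header, not what the action does; say "Like add-header, but removes any existing header of that name first" and give replace-header a description (matches <match-regex> against the header value and rewrites it with <replace-fmt>). The capture row's description says "<len>" while its syntax cell says "len <length>"; use one name in both places.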
Line 232: | Line 274: | ||
|} |
|} |
||
− | =====Logging===== |
+ | =====Logging/Tracing===== |
{| class='wikitable' |
{| class='wikitable' |
||
Line 241: | Line 283: | ||
|- |
|- |
||
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20dontlognull '''<tt>option dontlognull</tt>'''] |
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20dontlognull '''<tt>option dontlognull</tt>'''] |
||
− | | Enable or disable logging of null connections || |
+ | | Enable or disable logging of null connections || O/O/O/X || |
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option% |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20dontlog-normal '''<tt>option dontlog-normal</tt>'''] |
− | | Enable or disable logging of normal, successful connections || |
+ | | Enable or disable logging of normal, successful connections || O/O/O/X || |
|- |
|- |
||
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20log-health-checks '''<tt>option log-health-checks</tt>'''] |
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20log-health-checks '''<tt>option log-health-checks</tt>'''] |
||
− | | Enable or disable logging of health checks status updates || |
+ | | Enable or disable logging of health checks status updates || O/X/O/O || |
|- |
|- |
||
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-log-format '''<tt>log-format</tt>'''] |
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-log-format '''<tt>log-format</tt>'''] |
||
− | | Specifies the log format string to use for traffic logs || |
+ | | Specifies the log format string to use for traffic logs || O/O/O/X || |
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-log-tag <tt>'''log-tag''' <string></tt>] |
||
+ | | Specifies the log tag to use for all outgoing logs || O/O/O/O || global <tt>log-tag</tt> |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-unique-id-format <tt>'''unique-id-format''' <string></tt>] |
||
+ | | Generate a unique ID for each request. || O/O/O/X || <tt>unique-id-header</tt> |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-unique-id-header <tt>'''unique-id-header''' <name></tt>] |
||
+ | | Add a unique ID header in the HTTP request. || O/O/O/X || <tt>X-Unique-ID</tt> |
||
|} |
|} |
||
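Review bot: in the unique-id-header row, "X-Unique-ID" in the Remarks cell reads as a default, but the keyword has no default (no header is added until a name is given), so mark it as an example the way the default-server row does. The unique-id-format row's Remark "unique-id-header" should say that the format only generates the ID and that the header keyword is what exposes it to the server; the two together are what let a request be traced from the proxy log into the backend's. The DF/FE/LI/BE values added to the four option rows match the 1.8 keyword matrix.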
Line 316: | Line 367: | ||
{| class='wikitable' style='margin-left:40px' |
{| class='wikitable' style='margin-left:40px' |
||
! Options !! Description !! Remarks |
! Options !! Description !! Remarks |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.2-maxconn '''<tt>maxconn</tt>'''] |
||
+ | | specifies the maximal number of concurrent connections that will be sent to this server. || |
||
|- |
|- |
||
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5-check '''<tt>check</tt>'''] |
| [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5-check '''<tt>check</tt>'''] |
||
− | | Enables health checks on the server. || |
+ | | Enables health checks on the server. || <tt>addr</tt>, <tt>port</tt>, <tt>source</tt>, <tt>inter</tt>, <tt>rise</tt>, <tt>fall</tt> |
|- |
|- |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5-inter |
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5-inter <tt>'''inter''' <delay></tt>] |
| Sets the interval between two consecutive health checks to <delay> milliseconds. || default: 2000ms |
| Sets the interval between two consecutive health checks to <delay> milliseconds. || default: 2000ms |
||
|- |
|- |
||
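Review bot: the new server maxconn row is the only one whose Description starts lowercase ("specifies ..."), and its Remarks cell is empty; note there that this limit is per server, unlike the global maxconn listed earlier, which is per process, so the two are easy to confuse when sizing.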
Line 329: | Line 383: | ||
| Enables SSL ciphering on outgoing connections to the server. || |
| Enables SSL ciphering on outgoing connections to the server. || |
||
|- |
|- |
||
− | | style='white-space:nowrap' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5-verify ''' |
+ | | style='white-space:nowrap' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5-verify <tt>'''verify''' <nowiki>[none|required]</nowiki></tt>] |
| || |
| || |
||
|} |
|} |
||
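Review bot: the verify row has an empty Description cell for the setting that decides whether the server certificate is checked at all: "none" skips verification and accepts any certificate, "required" validates it against the configured ca-file and aborts the handshake on failure. Fill the cell and note that "required" is the default unless ssl-server-verify in the global section says otherwise, so an explicit "verify none" is a deliberate downgrade worth flagging in review.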
Line 348: | Line 402: | ||
| Flags (<tt>flags</tt>) || || <tt>-i</tt>, <tt>-f</tt>, <tt>-m</tt>, <tt>-n</tt>, <tt>-M</tt>, <tt>-u</tt>, <tt>--</tt> |
| Flags (<tt>flags</tt>) || || <tt>-i</tt>, <tt>-f</tt>, <tt>-m</tt>, <tt>-n</tt>, <tt>-M</tt>, <tt>-u</tt>, <tt>--</tt> |
||
|} |
|} |
||
+ | |||
+ | * [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.4 Pre-defined ACLs] |
||
=====ACL Flags===== |
=====ACL Flags===== |
||
Line 373: | Line 429: | ||
|- |
|- |
||
| '''<tt>-m end</tt>''' || suffix match || |
| '''<tt>-m end</tt>''' || suffix match || |
||
+ | |} |
||
+ | |||
+ | ====Sample Fetch Methods==== |
||
+ | |||
+ | * [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.3 Fetching samples at Layer 4] : TCP/IP |
||
+ | |||
+ | {| class='wikitable' style='margin-left:40px' |
||
+ | ! Method !! Type !! Description !! Remarks |
||
+ | |- |
||
+ | | style='white-space: nowrap;' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.3-src <code>src</code>] |
||
+ | | ip |
||
+ | | This is the source IPv4 address of the client of the session |
||
+ | | |
||
+ | |} |
||
+ | |||
+ | * [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.4 Fetching samples at Layer 5] : SSL |
||
+ | * [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5 Fetching samples at Layer 6] : |
||
+ | |||
+ | {| class='wikitable' style='margin-left:40px' |
||
+ | ! Method !! Type !! Description !! Remarks |
||
+ | |- |
||
+ | | style='white-space: nowrap;' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-req.payload_lv <code>req.payload_lv</code>] |
||
+ | | binary |
||
+ | | Extracts a binary block whose size is specified at <offset1> for <length> bytes |
||
+ | | |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-res.payload_lv <code>res.payload_lv</code>] |
||
+ | | binary |
||
+ | | extracts a binary block whose size is specified at <offset1> for <length> bytes, and which starts at <offset2> if specified or just after the length in the response buffer. |
||
+ | | |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-req.ssl_hello_type <code>req.ssl_hello_type</code>] |
||
+ | | integer |
||
+ | | Returns an integer value containing the type of the SSL hello message found in the request buffer if the buffer contains data that parse as a complete SSL (v3 or superior) client hello message. |
||
+ | | |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-res.ssl_hello_type <code>res.ssl_hello_type</code>] |
||
+ | | integer |
||
+ | | Returns an integer value containing the type of the SSL hello message found in the response buffer if the buffer contains data that parses as a complete SSL (v3 or superior) hello message |
||
+ | | |
||
+ | |} |
||
+ | |||
+ | * [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6 Fetching samples at Layer 7] : HTTP |
||
+ | |||
+ | {| class='wikitable' style='margin-left:40px' |
||
+ | ! Method !! Type !! Description !! Remarks |
||
+ | |- |
||
+ | | style='white-space: nowrap;' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-req.hdr <tt>'''req.hdr'''<nowiki>([<name>[,<occ>]])</nowiki></tt>] || string |
||
+ | | Extracts the last occurrence of header <name> in an HTTP request |
||
+ | | When used from an ACL, all occurrences are iterated over until a match is found |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-res.hdr <tt>'''res.hdr'''<nowiki>([<name>[,<occ>]])</nowiki></tt>] |
||
+ | | string || Extracts the last occurrence of header <name> in an HTTP response. || |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-hdr <tt>'''hdr'''<nowiki>([<name>[,<occ>]])</nowiki></tt>] |
||
+ | | string || Equivalent to <tt>req.hdr()</tt> when used on requests, and to <tt>'''res.hdr'''()</tt> when used on responses || |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-http_auth <tt>'''http_auth'''<nowiki>(<userlist>)</nowiki></tt>] |
||
+ | | boolean || Returns a boolean indicating whether the authentication data received from the client match a username & password stored in the specified userlist. || |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-http_auth_group <tt>'''http_auth_group'''<nowiki>(<userlist>)</nowiki></tt>] |
||
+ | | string || Returns a string corresponding to the user name found in the authentication data received from the client if both the user name and password are valid according to the specified userlist. || ACL derivatives |
||
+ | |- |
||
+ | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-path <tt>'''path'''</tt>] |
||
+ | | string || Extracts the request's URL path, which starts at the first slash and ends before the question mark (without the host part). || |
||
|} |
|} |
||
====Logging==== |
====Logging==== |
||
+ | * [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8 Logging] |
||
− | =====Log Fields===== |
||
+ | |||
+ | * Log Variable Syntax |
||
+ | <syntaxhighlight lang='bnf' enclose='div' style='margin-left:40px'> |
||
+ | flag = "Q" | "E" | "X" |
||
+ | flag-part = "+" | "-", flag |
||
+ | variable = "%", [ "{", flag-part, 2 * [ ",", flag-part ], "}" ], ( field | "[", sample-expr , "]" ) |
||
+ | </syntaxhighlight> |
||
+ | |||
+ | * Default HTTP Log Format |
||
+ | <syntaxhighlight lang='text' enclose='div' style='margin-left:40px'> |
||
+ | "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" |
||
+ | </syntaxhighlight> |
||
+ | |||
+ | =====Log Variables===== |
||
{| class='wikitable' |
{| class='wikitable' |
||
− | ! |
+ | ! Variable !! Name !! Type !! Description !! Remarks |
+ | |- |
||
+ | | '''<tt>%o</tt>''' || special variable || || apply flags on all next var || <tt>Q</tt>, <tt>E</tt>, <tt>X</tt> |
||
|- |
|- |
||
| '''<tt>%ci</tt>''' || client_ip || IP || || |
| '''<tt>%ci</tt>''' || client_ip || IP || || |
||
+ | |- |
||
+ | | '''<tt>%cp</tt>''' || client_port || numeric || || |
||
|- |
|- |
||
| '''<tt>%ft</tt>''' || frontend_name_transport || string || || '~' suffix for SSL |
| '''<tt>%ft</tt>''' || frontend_name_transport || string || || '~' suffix for SSL |
||
+ | |- |
||
+ | | '''<tt>%fi</tt>''' || frontend_ip || IP || || |
||
+ | |- |
||
+ | | '''<tt>%fp</tt>''' || frontend_port || || |
||
|- |
|- |
||
| '''<tt>%b</tt>''' || backend_name || string || || |
| '''<tt>%b</tt>''' || backend_name || string || || |
||
|- |
|- |
||
| '''<tt>%si</tt>''' || server_IP || IP || target address || |
| '''<tt>%si</tt>''' || server_IP || IP || target address || |
||
+ | |- |
||
+ | | '''<tt>%Ts</tt>''' || timestamp || numeric || || |
||
|- |
|- |
||
| '''<tt>%Tq</tt>''' || <tt>Th + Ti + TR</tt> || numeric |
| '''<tt>%Tq</tt>''' || <tt>Th + Ti + TR</tt> || numeric |
||
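Review bot: the Layer 6 bullet ends with a bare ":" while its neighbours carry a label; the manual titles that section "Fetching samples from buffer contents", so label it that way. In the Layer 6 table the req.payload_lv description stops at "for <length> bytes" while res.payload_lv carries the rest of the sentence ("and which starts at <offset2> ..."); complete the request row the same way. In the hdr row, "'''res.hdr'''()" is bolded inside a sentence where "req.hdr()" is not; drop the bolding. In the Log Variables table the %fp row has four cells against a five-column header, which shifts its Remarks cell; add the missing "||".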
Line 418: | Line 563: | ||
|- |
|- |
||
| '''<tt>%r</tt>''' || http_request || string || || HTTP mode only |
| '''<tt>%r</tt>''' || http_request || string || || HTTP mode only |
||
+ | |- |
||
+ | | '''<tt>%rt</tt>''' || request_counter || numeric || || |
||
+ | |- |
||
+ | | '''<tt>%ID</tt>''' || unique-id || string || Unique ID generated by <tt>unique-id-header</tt> directive || |
||
+ | |} |
||
+ | |||
+ | =====Flags===== |
||
+ | |||
+ | {| class='wikitable' |
||
+ | ! Flag !! Description !! Remarks |
||
+ | |- |
||
+ | | '''<tt>Q</tt>''' || quote a string || |
||
+ | |- |
||
+ | | '''<tt>X</tt>''' || hexadecimal representation || |
||
+ | |- |
||
+ | | '''<tt>E</tt>''' || escape characters '<tt>"</tt>', '<tt>\</tt>' and '<tt><nowiki>]</nowiki></tt>' in a string with '<tt>\</tt>' as prefix || RFC5424 |
||
|} |
|} |
||
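Review bot: the %ID row credits the ID to the unique-id-header directive, but the ID is generated by unique-id-format (the header keyword only copies it into the request) and %ID is logged whether or not a header is configured; fix the attribution. In the Flags table, the E row's "RFC5424" remark would be clearer as "intended for RFC 5424 structured data", so it is not read as the source of the escape rules. A Remark on Q would also help: the default format quotes the request line as %{+Q}r, and that quoting is what keeps quotes or separators inside a request line from breaking the field layout of the log.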
Line 460: | Line 621: | ||
|} |
|} |
||
− | ==== |
+ | ====Monitoring==== |
− | * [ |
+ | * [https://cbonte.github.io/haproxy-dconv/1.8/management.html#9 Statistics and monitoring] |
− | {| class='wikitable |
+ | {| class='wikitable' |
− | ! |
+ | ! Metric !! Types !! Description !! Remarks |
|- |
|- |
||
+ | | '''<tt>pxname</tt>''' || LFBS || proxy name || |
||
− | | style='white-space: nowrap;' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.3-src <code>src</code>] |
||
− | | ip |
||
− | | This is the source IPv4 address of the client of the session |
||
− | | |
||
− | |} |
||
− | |||
− | * [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.4 Fetching samples at Layer 5] : SSL |
||
− | * [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5 Fetching samples at Layer 6] : |
||
− | |||
− | {| class='wikitable' style='margin-left:40px' |
||
− | ! Method !! Type !! Description !! Remarks |
||
|- |
|- |
||
+ | | '''<tt>svname</tt>''' || LFBS || service name || <tt><nowiki>FRONTEND | BACKEND | ...</nowiki></tt> |
||
− | | style='white-space: nowrap;' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-req.payload_lv <code>req.payload_lv</code>] |
||
− | | binary |
||
− | | Extracts a binary block whose size is specified at <offset1> for <length> bytes |
||
− | | |
||
|- |
|- |
||
+ | | '''<tt>qcur</tt>''' || ..BS || current queued requests || |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-res.payload_lv <code>res.payload_lv</code>] |
||
− | | binary |
||
− | | extracts a binary block whose size is specified at <offset1> for <length> bytes, and which starts at <offset2> if specified or just after the length in the response buffer. |
||
− | | |
||
|- |
|- |
||
+ | | '''<tt>qmax</tt>''' || ..BS || max value of <tt>qcur</tt> || |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-req.ssl_hello_type <code>req.ssl_hello_type</code>] |
||
− | | integer |
||
− | | Returns an integer value containing the type of the SSL hello message found in the request buffer if the buffer contains data that parse as a complete SSL (v3 or superior) client hello message. |
||
− | | |
||
|- |
|- |
||
+ | | '''<tt>scur</tt>''' || LFBS || current sessions || |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-res.ssl_hello_type <code>res.ssl_hello_type</code>] |
||
+ | |- |
||
− | | integer |
||
+ | | '''<tt>smax</tt>''' || LFBS || max sessions || |
||
− | | Returns an integer value containing the type of the SSL hello message found in the response buffer if the buffer contains data that parses as a complete SSL (v3 or superior) hello message |
||
− | | |
+ | |- |
+ | | '''<tt>slim</tt>''' || LFBS || configured session limit || |
||
+ | |- |
||
+ | | '''<tt>stot</tt>''' || LFBS || cumulative number of sessions || |
||
|} |
|} |
||
+ | ====CLI==== |
||
− | * [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6 Fetching samples at Layer 7] : HTTP |
||
− | {| class='wikitable |
+ | {| class='wikitable' |
− | ! |
+ | ! Option !! Description !! Remarks |
|- |
|- |
||
+ | | '''<tt>-D</tt>''' || goes daemon || |
||
− | | style='white-space: nowrap;' | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-req.hdr <tt><nowiki>req.hdr([<name>[,<occ>]])</nowiki></tt>] |
||
− | | string |
||
− | | Extracts the last occurrence of header <name> in an HTTP request |
||
− | | When used from an ACL, all occurrences are iterated over until a match is found |
||
|- |
|- |
||
+ | | '''<tt>-Ws</tt>''' || master-worker mode with systemd notify support || |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-res.hdr <tt><nowiki>res.hdr([<name>[,<occ>]])</nowiki></tt>] |
||
− | | string || Extracts the last occurrence of header <name> in an HTTP response. |
||
− | | |
||
|- |
|- |
||
+ | | '''<tt>-c</tt>''' || only check config files and exit || check mode |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-hdr <tt><nowiki>hdr([<name>[,<occ>]])</nowiki></tt>] |
||
− | | string || Equivalent to <tt>req.hdr()</tt> when used on requests, and to <tt>res.hdr()</tt> when used on responses |
||
− | | |
||
|- |
|- |
||
+ | | '''<tt>-V</tt>''' || enters verbose mode (disables quiet mode) || |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-http_auth <tt><nowiki>http_auth(<userlist>)</nowiki></tt>] |
||
+ | |- |
||
− | | boolean || Returns a boolean indicating whether the authentication data received from the client match a username & password stored in the specified userlist. |
||
+ | | <tt>'''-p''' <pidfile></tt> || writes pids of all children to this file || |
||
− | | |
||
|- |
|- |
||
+ | | '''<tt>-sf</tt>''' || finishes/terminates old pids || |
||
− | | [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-http_auth_group <tt><nowiki>http_auth_group(<userlist>)</nowiki></tt>] |
||
− | | string || Returns a string corresponding to the user name found in the authentication data received from the client if both the user name and password are valid according to the specified userlist. |
||
− | | ACL derivatives |
||
|} |
|} |
||
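Review bot: the -sf row's "finishes/terminates old pids" blurs two different options: -sf asks the listed old processes to finish gracefully (the SIGUSR1 soft stop) while -st terminates them at once (SIGTERM); describe only the soft behaviour here or add a -st row. The Monitoring table's Types column uses the letters L, F, B and S without a legend (listener, frontend, backend, server, as in the management guide's CSV description); add one to the header or Remarks. The -c row's "check mode" remark deserves a word that this is the step to run before a reload, so a rejected configuration never takes a listener down.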
Line 544: | Line 680: | ||
* [https://www.linangran.com/?p=547 Use HAProxy to load balance 300k concurrent tcp socket connections: Port Exhaustion, Keep-alive and others] |
* [https://www.linangran.com/?p=547 Use HAProxy to load balance 300k concurrent tcp socket connections: Port Exhaustion, Keep-alive and others] |
||
* [https://serverfault.com/questions/622567/haproxy-error-some-configuration-options-require-full-privileges-so-global-uid HAProxy error: Some configuration options require full privileges, so global.uid cannot be changed] (Aug 19 '14) |
* [https://serverfault.com/questions/622567/haproxy-error-some-configuration-options-require-full-privileges-so-global-uid HAProxy error: Some configuration options require full privileges, so global.uid cannot be changed] (Aug 19 '14) |
||
+ | * [https://www.slideshare.net/WillyTarreau/observability-tips-for-haproxy '''Observability tips for HAProxy'''] (Jun 5, 2018) |
||
====ACL==== |
====ACL==== |
||
Line 591: | Line 728: | ||
* [https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/ Enhanced SSL load-balancing with Server Name Indication (SNI) TLS extension] (Apr 13, 2012) |
* [https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/ Enhanced SSL load-balancing with Server Name Indication (SNI) TLS extension] (Apr 13, 2012) |
||
− | ====Logging and Statistics==== |
+ | ====Logging, Tracing and Statistics==== |
* [https://kvz.io/blog/2010/08/11/haproxy-logging/ HAProxy Logging in Ubuntu Lucid] (2010/08/11) |
* [https://kvz.io/blog/2010/08/11/haproxy-logging/ HAProxy Logging in Ubuntu Lucid] (2010/08/11) |
||
Line 597: | Line 734: | ||
* [https://serverfault.com/questions/168443/logging-haproxy-check-results-problems Logging haproxy check results / problems] (Aug 9 '10) |
* [https://serverfault.com/questions/168443/logging-haproxy-check-results-problems Logging haproxy check results / problems] (Aug 9 '10) |
||
** <tt>option log-health-checks</tt> |
** <tt>option log-health-checks</tt> |
||
+ | * [https://stackoverflow.com/questions/46531909/setting-a-unique-http-request-id-with-haproxys-http-request-set-header Setting a unique http request id with haproxy's http-request set-header] (Oct 2 '17) |
||
+ | ** <tt>unique-id-format</tt>, <tt>unique-id-header</tt> |
||
+ | * [https://devcenter.heroku.com/articles/http-request-id HTTP Request IDs] (17 June 2019) |
||
* [https://www.haproxy.com/blog/introduction-to-haproxy-logging/ Introduction to HAProxy Logging] (Feb 8, 2019) |
* [https://www.haproxy.com/blog/introduction-to-haproxy-logging/ Introduction to HAProxy Logging] (Feb 8, 2019) |
||
Line 611: | Line 751: | ||
* [https://www.haproxy.com/blog/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/ Use a Load Balancer as a First Row of Defense Against DDOS] (Feb 27, 2012) |
* [https://www.haproxy.com/blog/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/ Use a Load Balancer as a First Row of Defense Against DDOS] (Feb 27, 2012) |
||
+ | |||
+ | ====Mapping==== |
||
+ | |||
+ | * [https://www.haproxy.com/blog/introduction-to-haproxy-maps/ Introduction to HAProxy Maps] (Oct 17, 2018) |
||
===Samples=== |
===Samples=== |
||
Line 631: | Line 775: | ||
crt-base /etc/haproxy/ssl |
crt-base /etc/haproxy/ssl |
||
+ | # https://disablessl3.com/ |
||
− | maxconn 2048 |
||
+ | ssl-default-bind-options no-sslv3 |
||
+ | |||
+ | # 'stats socket' would generate the specified socket file if not exists |
||
+ | stats socket /var/run/haproxy.sock mode 660 |
||
+ | |||
+ | maxconn 2000 |
||
tune.ssl.default-dh-param 2048 |
tune.ssl.default-dh-param 2048 |
||
+ | |||
− | #https://disablessl3.com/ |
||
− | ssl-default-bind-options no-sslv3 |
||
− | |||
defaults |
defaults |
||
mode http |
mode http |
||
+ | monitor-uri /liveness |
||
+ | |||
log global |
log global |
||
+ | option httplog |
||
+ | option dontlognull |
||
+ | no option log-health-checks |
||
+ | # http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8.2.4 |
||
+ | log-format %ci\ %ft\ %b\ %si\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %hr\ %{+Q}r |
||
+ | # Add 'X-Forwared-For' header automatically |
||
option forwardfor |
option forwardfor |
||
+ | #option http-server-close |
||
timeout connect 5s |
timeout connect 5s |
||
Line 659: | Line 816: | ||
errorfile 503 /etc/haproxy/errors/503.http |
errorfile 503 /etc/haproxy/errors/503.http |
||
errorfile 504 /etc/haproxy/errors/504.http |
errorfile 504 /etc/haproxy/errors/504.http |
||
+ | |||
+ | default-server inter 5s rise 2 fall 3 |
||
+ | |||
listen stats |
listen stats |
||
Line 664: | Line 824: | ||
stats enable |
stats enable |
||
+ | stats admin if FALSE |
||
+ | stats auth haproxystat:dontuse1234 |
||
stats hide-version |
stats hide-version |
||
stats realm HAProxy\ Statistics |
stats realm HAProxy\ Statistics |
||
Line 671: | Line 833: | ||
bind 192.168.1.11:8080 |
bind 192.168.1.11:8080 |
||
+ | capture request header Host len 20 |
||
− | option httplog |
||
+ | #capture request header Forwarded len 50 |
||
− | option dontlognull |
||
+ | capture request header X-Forwarded-For len 20 |
||
− | log-format %ci\ [%t]\ %ft\ %b\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %{+Q}r |
||
− | http-request set-header X- |
+ | http-request set-header X-Forwarded-Host %[req.hdr(Host)] |
http-request set-header X-Forwarded-Proto http |
http-request set-header X-Forwarded-Proto http |
||
+ | |||
default_backend http-rear |
default_backend http-rear |
||
frontend https |
frontend https |
||
+ | # http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-verify |
||
− | bind 192.168.1.11:8443 ssl crt server-tls.pem ca-file ca.crt |
||
+ | bind 192.168.1.11:8443 ssl crt server-tls.pem ca-file ca.crt verify none |
||
# bind 192.168.1.11:8443 ssl crt server-tls.pem ca-file ca.crt verify optional crt-ignore-err all ca-ignore-err all # For mutual auth |
# bind 192.168.1.11:8443 ssl crt server-tls.pem ca-file ca.crt verify optional crt-ignore-err all ca-ignore-err all # For mutual auth |
||
+ | capture request header Host len 20 |
||
− | option httplog |
||
+ | #capture request header Forwarded len 50 |
||
− | option dontlognull |
||
+ | capture request header X-Forwarded-For len 20 |
||
− | log-format %ci\ %ft\ %b\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %{+Q}r |
||
#http-request deny deny_status 400 unless { ssl_fc } |
#http-request deny deny_status 400 unless { ssl_fc } |
||
Line 694: | Line 858: | ||
# setup request header for logging or backend usage |
# setup request header for logging or backend usage |
||
# https://www.haproxy.com/blog/ssl-client-certificate-information-in-http-headers-and-logs/ |
# https://www.haproxy.com/blog/ssl-client-certificate-information-in-http-headers-and-logs/ |
||
− | # https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request |
||
− | http-request set-header X-Haproxy-Current-Date %T |
||
http-request set-header X-SSL %[ssl_fc] |
http-request set-header X-SSL %[ssl_fc] |
||
http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex] |
http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex] |
||
Line 704: | Line 866: | ||
http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore] |
http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore] |
||
http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter] |
http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter] |
||
+ | |||
− | http-request set-header X-Forwarded-Proto https |
||
+ | http-request set-header X-Forwarded-Host %[req.hdr(Host)] |
||
+ | http-request set-header X-Forwarded-Proto http |
||
default_backend http-rear |
default_backend http-rear |
||
Line 711: | Line 875: | ||
frontend ws |
frontend ws |
||
bind 192.168.1.11:8090 |
bind 192.168.1.11:8090 |
||
+ | |||
+ | capture request header Host len 20 |
||
+ | #capture request header Forwarded len 50 |
||
+ | capture request header X-Forwarded-For len 20 |
||
acl is_connection_upgrade hdr(Connection) -i upgrade |
acl is_connection_upgrade hdr(Connection) -i upgrade |
||
Line 718: | Line 886: | ||
http-request deny unless is_connection_upgrade is_upgrade_websocket has_websocket_key has_websocket_ver |
http-request deny unless is_connection_upgrade is_upgrade_websocket has_websocket_key has_websocket_ver |
||
+ | |||
+ | http-request set-header X-Forwarded-Host %[req.hdr(Host)] |
||
+ | http-request set-header X-Forwarded-Proto http |
||
default_backend ws-rear |
default_backend ws-rear |
||
Line 723: | Line 894: | ||
frontend wss |
frontend wss |
||
− | bind 192.168.1.11:8453 ssl crt server-tls.pem ca-file ca.crt |
+ | bind 192.168.1.11:8453 ssl crt server-tls.pem ca-file ca.crt verify none |
# bind 192.168.1.11:8453 ssl crt server-tls.pem ca-file ca.crt verify optional crt-ignore-err all ca-ignore-err all # For mutual auth |
# bind 192.168.1.11:8453 ssl crt server-tls.pem ca-file ca.crt verify optional crt-ignore-err all ca-ignore-err all # For mutual auth |
||
+ | |||
+ | capture request header Host len 20 |
||
+ | #capture request header Forwarded len 50 |
||
+ | capture request header X-Forwarded-For len 20 |
||
#http-request deny deny_status 400 unless { ssl_fc } |
#http-request deny deny_status 400 unless { ssl_fc } |
||
Line 736: | Line 911: | ||
http-request deny unless is_connection_upgrade is_upgrade_websocket has_websocket_key has_websocket_ver |
http-request deny unless is_connection_upgrade is_upgrade_websocket has_websocket_key has_websocket_ver |
||
+ | |||
+ | http-request set-header X-Forwarded-Host %[req.hdr(Host)] |
||
+ | http-request set-header X-Forwarded-Proto http |
||
default_backend ws-rear |
default_backend ws-rear |
||
+ | |||
backend http-rear |
backend http-rear |
||
+ | # https://serverfault.com/questions/622567/haproxy-error-some-configuration-options-require-full-privileges-so-global-uid |
||
+ | #source 0.0.0.0 usesrc clientip |
||
+ | |||
+ | option http-keep-alive |
||
+ | http-request set-header X-User ... |
||
+ | http-request set-header Authorization 'Basic ...' |
||
+ | |||
+ | option httpchk POST / HTTP/1.1\r\nHost:\ 127.0.0.1\r\nContent-Length:\ 25\r\nAuthorization:\ Basic\ ...\r\nX-User:\ ...\r\n\r\n |
||
+ | |||
server s1 127.0.0.1:80 check |
server s1 127.0.0.1:80 check |
||
+ | |||
backend ws-rear |
backend ws-rear |
||
+ | # https://serverfault.com/questions/622567/haproxy-error-some-configuration-options-require-full-privileges-so-global-uid |
||
+ | #source 0.0.0.0 usesrc clientip |
||
+ | |||
+ | option http-keep-alive |
||
+ | http-request set-header X-User ... |
||
+ | http-request set-header Authorization 'Basic ...' |
||
+ | |||
server s1 127.0.0.1:90 check |
server s1 127.0.0.1:90 check |
||
Line 826: | Line 1,022: | ||
option http_proxy |
option http_proxy |
||
</syntaxhighlight> |
</syntaxhighlight> |
||
+ | |||
+ | ====Log Format and Grok Pattern==== |
||
+ | |||
+ | * [http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8.2.4 HAProxy custom log format] |
||
+ | * [https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns Logstash built-in Grok patterns] |
||
+ | |||
+ | * |
||
+ | {| class='wikitable' |
||
+ | | Log Format |
||
+ | | <tt><nowiki>%ci\ %ft\ %b\ %si\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %hr\ %{+Q}r</nowiki></tt> |
||
+ | |- |
||
+ | | Grok Pattern |
||
+ | | <tt><nowiki>%{IPV4:client_ip} %{NOTSPACE:fe} %{NOTSPACE:be} %{IPV4:server_ip} %{NONNEGINT:tq}/%{NONNEGINT:tw}/%{NONNEGINT:tc}/%{NONNEGINT:tr}/${NONNEGINT:tt} %{POSINT:resp_code} %{NONNEGINT:read_byte} %{NOTSPACE:term_state} %{NOTSPACE:server_q}/%{NOTSPACE:be_q} {%{NOTSPACE:client}(?:|)%{NOTSPACE:host}} %{DATA:req}</nowiki></tt> |
||
+ | |} |
||
==Wireshark== |
==Wireshark== |
||
Line 964: | Line 1,174: | ||
** '''<code>tcpdump -n -i eth0 -A tcp port 80</code>''' |
** '''<code>tcpdump -n -i eth0 -A tcp port 80</code>''' |
||
* [https://stackoverflow.com/questions/9874093/how-to-filter-tcpdump-output-based-on-packet-length How to filter tcpdump output based on packet length] (Mar 26 '12) |
* [https://stackoverflow.com/questions/9874093/how-to-filter-tcpdump-output-based-on-packet-length How to filter tcpdump output based on packet length] (Mar 26 '12) |
||
− | ** <code>tcpdump - |
+ | ** <code>tcpdump -nAx -s 0 -i eth0 tcp port 443 and greater 100</code> |
===Filter Expression=== |
===Filter Expression=== |
Revision as of 10:15, 6 August 2019
HAProxy
- http://www.haproxy.org/
- Desc. : a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications
- License:
- Written in:
- Sources:
References
- HAProxy official documentation
- HAProxy 1.8
Proxy ----------- Gateway
|
+----- Forward Proxy
|
+----- Reverse Proxy ----------- SSL Acceleration Proxy
|
+----- SSL Termination Proxy
|
+----- Load Balancer
- SSL Forward Proxy Overview
- SSL Forward Proxy
- TLS termination proxy
- SSL pass-through proxy
- What HAProxy is and isn't
- It will not see IP packets nor UDP datagrams, will not perform NAT or even less DSR (direct server return, without passing through the LB again)
- Everything curl > Proxies
- HAProxy Configuration
config = global + defaults* + frontend* + backend* + listen*
global = process management and security parameters
+ performance tuning parameters
+ debugging parameters
+ user lists
+ peers
+ mailers
Global Parameters
Process management and security parameters
Parameter | Description | Remarks |
---|---|---|
cpu-map | Specifies CPU sets for process or thread sets | Linux 2.6+ |
log | Adds a global syslog server | |
log-tag <string> | Sets the tag field in the syslog header to this string. | |
nbproc <number> | Creates <number> processes when going daemon | default: 1 |
nbthread <number> | Creates <number> threads for each created processes | |
ulimit-n | Sets the maximum number of per-process file-descriptors | Recommended not to use this option |
ssl-default-bind-options | Sets default ssl-options to force on all "bind" lines. | |
stats socket | Binds a UNIX socket to path or a TCPv4/v6 address to address:port. | |
Performance tuning parameters
Parameter | Description | Remarks |
---|---|---|
maxconn <number> | Sets the maximum per-process number of concurrent connections to <number>. | -n option |
maxsslconn <number> | Sets the maximum per-process number of concurrent SSL connections to <number>. | default : = maxconn |
tune.ssl.cachesize <number> | Sets the size of the global SSL session cache, in a number of blocks. | default: 20,000 |
tune.ssl.lifetime <timeout> | Sets how long a cached SSL session may remain valid in seconds. | default: 300s (5 min) |
Access control parameters
Parameter | Description | Remarks |
---|---|---|
user <username> [password\|insecure-password <password>] [groups <group>,<group>,(...)] | Adds user <username> to the current userlist. | |
Proxy Keywords
General
Keywords | Description | DF/FE/LI/BE | Remarks |
---|---|---|---|
mode { tcp\|http\|health } | Set the running mode or protocol of the instance | | |
monitor-uri <uri> | Intercept a URI used by external components' monitor requests | O/O/O/X | Monitor requests cannot be logged either. |
retries <value> | Set the number of retries to perform on a server after a connection failure | O/X/O/O | applies to the number of connection attempts, not full requests |
bind [<address>]:<port_range> [, ...] [param*] | Define one or several listening addresses and/or ports in a frontend | X/O/O/X | |
tcp-request inspect-delay <timeout> | Set the maximum allowed time to wait for data during content inspection | ||
tcp-response content <action> [{if \| unless} <condition>] | Perform an action on a session response depending on a layer 4-7 condition | | |
option http_proxy | Enable or disable plain HTTP proxy mode | Forward Proxy | |
option http-keep-alive | Enable or disable HTTP keep-alive from client to server | ||
option httpclose | Enable or disable passive HTTP connection closing | | "Connection: close" header; deprecated |
option forwardfor | Enable insertion of the X-Forwarded-For header to requests sent to servers | | "X-Forwarded-For" header |
option socket-stats | Enable or disable collecting & providing separate statistics for each socket. | ||
capture request header <name> len <length> | Capture and log the last occurrence of the specified request header. | X/O/O/X | Not for Back-end |
use_backend <backend> [{if \| unless} <condition>] | Switch to a specific backend if/unless an ACL-based condition is matched. | X/O/O/X | |
source <addr>[:<port>] [usesrc ...] | Set the source address for outgoing connections | ||
server <name> <address>[:[port]] [param*] | Declare a server in a backend | ||
default-server [param*] | Change default options for a server in a backend | O/X/O/O | default-server inter 4s rise 2 fall 3 |
- http-request
- defines a set of rules which apply to layer 7 processing.
Action | Description | Remarks |
---|---|---|
http-request allow | Stops the evaluation of the rules and lets the request pass the check. | |
http-request deny | Stops the evaluation of the rules and immediately rejects the request. | |
http-request auth | Stops the evaluation of the rules and immediately responds with an HTTP 401 or 407 error code to invite the user to present a valid user name and password | |
http-request add-header <name> <fmt> | Appends an HTTP header field whose name is specified in <name> and whose value is defined by <fmt> | |
http-request set-header <name> <fmt> | Same as add-header, except that the header name is first removed if it existed | |
http-request del-header <name> | removes all HTTP header fields whose name is specified in <name>. | |
http-request replace-header <name> <match-regex> <replace-fmt> | | |
http-request capture <sample> [ len <length> | id <id> ] | Captures sample expression <sample> from the request buffer, and converts it to a string of at most <len> characters. | |
http-request set-log-level <level> | Change the log level of the current request when a certain condition is met. | alert, crit, err, warning, notice, info, debug, silent |
Timeout
Keywords | Description | Remarks |
---|---|---|
timeout connect <timeout> | Set the maximum time to wait for a connection attempt to a server to succeed | |
timeout server <timeout> | Set the maximum inactivity time on the server side | |
timeout client <timeout> | Set the maximum inactivity time on the client side | |
timeout tunnel <timeout> | Set the maximum inactivity time on the client and server side for tunnels | |
timeout server-fin <timeout> | Set the inactivity timeout on the server side for half-closed connections | |
timeout client-fin <timeout> | Set the inactivity timeout on the client side for half-closed connections | |
timeout http-request <timeout> | Set the maximum allowed time to wait for a complete HTTP request | |
timeout http-keep-alive <timeout> | Set the maximum allowed time to wait for a new HTTP request to appear | |
Logging/Tracing
Keywords | Description | DF/FE/LI/BE | Remarks |
---|---|---|---|
option httplog | Enable logging of HTTP request, session state and timers | O/O/O/X | Not for Back-end |
option dontlognull | Enable or disable logging of null connections | O/O/O/X | |
option dontlog-normal | Enable or disable logging of normal, successful connections | O/O/O/X | |
option log-health-checks | Enable or disable logging of health checks status updates | O/X/O/O | |
log-format | Specifies the log format string to use for traffic logs | O/O/O/X | |
log-tag <string> | Specifies the log tag to use for all outgoing logs | O/O/O/O | global log-tag |
unique-id-format <string> | Generate a unique ID for each request. | O/O/O/X | unique-id-header |
unique-id-header <name> | Add a unique ID header in the HTTP request. | O/O/O/X | X-Unique-ID |
Health Check
Keywords | Description | Remarks |
---|---|---|
option httpchk <method> <uri> <version> | Enable HTTP protocol to check on the servers health | |
Statistics
Keywords | Description | DF/FE/LI/BE | Remarks |
---|---|---|---|
stats enable | Enable statistics reporting with default settings | O/O/O/O | |
stats admin { if \| unless } <cond> | Enable statistics admin level if/unless a condition is matched | X/O/O/O | |
stats auth <user>:<passwd> | Enable statistics with authentication and grant access to an account | O/O/O/O | |
Bind Options
Options | Description | Remarks |
---|---|---|
ca-ignore-err | Sets a comma separated list of errorIDs to ignore during verify at depth > 0 | |
crt-ignore-err | Sets a comma separated list of errorIDs to ignore during verify at depth == 0 | |
no-sslv3 | Disables support for SSLv3 on any sockets instantiated from the listener when SSL is supported | |
ssl-min-ver <version> | Enforces use of <version> or upper on SSL connections instantiated from this listener | TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 |
alpn | Enables the TLS ALPN extension and advertises the specified protocol list as supported on top of ALPN. | ALPN (on Wikipedia) |
npn | Enables the NPN TLS extension and advertises the specified protocol list as supported on top of NPN. | |
Server Options
Options | Description | Remarks |
---|---|---|
maxconn | specifies the maximal number of concurrent connections that will be sent to this server. | |
check | Enables health checks on the server. | addr, port, source, inter, rise, fall |
inter <delay> | Sets the interval between two consecutive health checks to <delay> milliseconds. | default: 2000ms |
check-ssl | Forces encryption of all health checks over SSL, regardless of whether the server uses SSL or not for the normal traffic. | |
ssl | Enables SSL ciphering on outgoing connections to the server. | |
verify [none\|required] | | |
ACL
acl <aclname> <criterion> [flags] [operator] [<value>] ...
acl <aclname> <sample fetch method> [flags] [operator] [<value>] ...
Element | Description | Remarks |
---|---|---|
ACL Name (aclname) | [-_.:A-Za-z0-9]* | |
Flags (flags) | -i, -f, -m, -n, -M, -u, -- | |
ACL Flags
Flag | Description | Remarks |
---|---|---|
-i | ignore case during matching of all subsequent patterns. | |
-m found | only check if the requested sample could be found in the stream, but do not compare it against any pattern. | |
-m bool | check the value as a boolean. | |
-m int | match the value as an integer. | |
-m len | match the sample's length as an integer. | |
-m str | exact match | |
-m sub | substring match | |
-m reg | regex match | |
-m beg | prefix match | |
-m end | suffix match | |
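The ACL grammar and the matching methods above, as an added example (not HAProxy code): a small evaluator for `acl <name> <fetch> [flags] [operator] [<value>]` lines over the header fetches `hdr()` and `hdr_cnt()`, run against the four WebSocket ACLs from this page's sample configuration. The request header sets are constructed; `hdr()` splitting each occurrence on commas follows HAProxy's documented `req.hdr` ACL behaviour.

```python
"""Mini evaluator for HAProxy-style ACLs over request headers.

Supports the fetches hdr(<name>) and hdr_cnt(<name>), the -i flag, the
-m str/sub/beg/end/reg/int/len/found methods and the integer operators, then
models 'http-request deny unless A B C D' (all listed ACLs must match).
"""
import re

INT_OPS = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
           "lt": lambda a, b: a < b, "gt": lambda a, b: a > b,
           "le": lambda a, b: a <= b, "ge": lambda a, b: a >= b}

def fetch_hdr(headers, name):
    """hdr(<name>) in ACL context: every occurrence is iterated and each
    comma-separated element is a distinct candidate (fhdr keeps whole lines)."""
    return [v.strip() for h, val in headers if h.lower() == name.lower()
            for v in val.split(",")]

def fetch_hdr_cnt(headers, name):
    """hdr_cnt(<name>): number of header lines carrying <name>."""
    return [str(sum(1 for h, _ in headers if h.lower() == name.lower()))]

# fetch name -> (implementation, default match method for its sample type)
FETCHES = {"hdr": (fetch_hdr, "str"), "hdr_cnt": (fetch_hdr_cnt, "int")}

def parse_acl(line):
    """Split one 'acl ...' line into name, fetch, flags, operator and values."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "acl":
        raise ValueError("not an acl line: %r" % line)
    m = re.fullmatch(r"(\w+)\(([^)]+)\)", tok[2])
    if not m or m.group(1) not in FETCHES:
        raise ValueError("unsupported fetch: %r" % tok[2])
    acl = {"name": tok[1], "fetch": m.group(1), "arg": m.group(2),
           "icase": False, "method": FETCHES[m.group(1)][1], "op": "eq"}
    i = 3
    while i < len(tok) and tok[i].startswith("-"):        # flags
        if tok[i] == "-i":
            acl["icase"] = True
        elif tok[i] == "-m":
            i += 1
            acl["method"] = tok[i]
        elif tok[i] == "--":                               # end of flags
            i += 1
            break
        else:
            raise ValueError("unsupported flag: %r" % tok[i])
        i += 1
    if i < len(tok) and tok[i] in INT_OPS:                 # integer operator
        acl["op"] = tok[i]
        i += 1
    acl["values"] = tok[i:]
    return acl

def match_one(acl, sample, pattern):
    m = acl["method"]
    if m in ("int", "len"):
        n = len(sample) if m == "len" else int(sample)
        return INT_OPS[acl["op"]](n, int(pattern))
    if m == "reg":
        return re.search(pattern, sample, re.I if acl["icase"] else 0) is not None
    if acl["icase"]:
        sample, pattern = sample.lower(), pattern.lower()
    if m == "str":
        return sample == pattern
    if m == "sub":
        return pattern in sample
    if m == "beg":
        return sample.startswith(pattern)
    if m == "end":
        return sample.endswith(pattern)
    raise ValueError("unsupported match method: %r" % m)

def evaluate(acl, headers):
    """An ACL matches when any fetched sample matches any of its values."""
    samples = FETCHES[acl["fetch"]][0](headers, acl["arg"])
    if acl["method"] == "found":
        return bool(samples)
    return any(match_one(acl, s, v) for s in samples for v in acl["values"])

# The four ACLs guarding the 'ws' frontend in the page's sample config.
WEBSOCKET_ACLS = [parse_acl(l) for l in """
acl is_connection_upgrade hdr(Connection) -i upgrade
acl is_upgrade_websocket hdr(Upgrade) -i websocket
acl has_websocket_key hdr_cnt(Sec-WebSocket-Key) eq 1
acl has_websocket_ver hdr_cnt(Sec-WebSocket-Version) eq 1
""".strip().splitlines()]

def websocket_deny_check(headers):
    """'http-request deny unless A B C D': ACL names on one rule are ANDed,
    so the request is denied unless every ACL matches. Returns the names of
    the failing ACLs; an empty list means the request is let through."""
    return [a["name"] for a in WEBSOCKET_ACLS if not evaluate(a, headers)]

# Constructed requests: a valid handshake (note the comma-separated Connection
# value), a plain GET, and a handshake carrying a duplicated key header.
GOOD = [("Host", "example.com"), ("Connection", "keep-alive, Upgrade"),
        ("Upgrade", "websocket"), ("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ=="),
        ("Sec-WebSocket-Version", "13")]
PLAIN_GET = [("Host", "example.com"), ("Accept", "*/*")]
DUP_KEY = GOOD + [("Sec-WebSocket-Key", "c2Vjb25kIGtleQ==")]

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("plain", PLAIN_GET), ("dup-key", DUP_KEY)):
        print(label, "denied by:", websocket_deny_check(hdrs) or "nothing")
```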
Sample Fetch Methods
- Fetching samples at Layer 4 : TCP/IP
Method | Type | Description | Remarks |
---|---|---|---|
src | ip | This is the source IPv4 address of the client of the session | |
Method | Type | Description | Remarks |
---|---|---|---|
req.payload_lv | binary | Extracts a binary block whose size is specified at <offset1> for <length> bytes | |
res.payload_lv | binary | Extracts a binary block whose size is specified at <offset1> for <length> bytes, and which starts at <offset2> if specified or just after the length in the response buffer. | |
req.ssl_hello_type | integer | Returns an integer value containing the type of the SSL hello message found in the request buffer if the buffer contains data that parses as a complete SSL (v3 or superior) client hello message. | |
res.ssl_hello_type | integer | Returns an integer value containing the type of the SSL hello message found in the response buffer if the buffer contains data that parses as a complete SSL (v3 or superior) hello message | |
- Fetching samples at Layer 7 : HTTP
Method | Type | Description | Remarks |
---|---|---|---|
req.hdr([<name>[,<occ>]]) | string | Extracts the last occurrence of header <name> in an HTTP request | When used from an ACL, all occurrences are iterated over until a match is found |
res.hdr([<name>[,<occ>]]) | string | Extracts the last occurrence of header <name> in an HTTP response. | |
hdr([<name>[,<occ>]]) | string | Equivalent to req.hdr() when used on requests, and to res.hdr() when used on responses | |
http_auth(<userlist>) | boolean | Returns a boolean indicating whether the authentication data received from the client match a username & password stored in the specified userlist. | |
http_auth_group(<userlist>) | string | Returns a string corresponding to the user name found in the authentication data received from the client if both the user name and password are valid according to the specified userlist. | ACL derivatives |
path | string | Extracts the request's URL path, which starts at the first slash and ends before the question mark (without the host part). | |
Logging
- Log Variable Syntax
flag = "Q" | "E" | "X"
flag-part = "+" | "-", flag
variable = "%", [ "{", flag-part, 2 * [ ",", flag-part ], "}" ], ( field | "[", sample-expr , "]" )
- Default HTTP Log Format
"%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
Log Variables
Variable | Name | Type | Description | Remarks |
---|---|---|---|---|
%o | special variable | apply flags on all next var | Q, E, X | |
%ci | client_ip | IP | ||
%cp | client_port | numeric | ||
%ft | frontend_name_transport | string | '~' suffix for SSL | |
%fi | frontend_ip | IP | ||
%fp | frontend_port | |||
%b | backend_name | string | ||
%si | server_IP | IP | target address | |
%Ts | timestamp | numeric | ||
%Tq | Th + Ti + TR | numeric | total time to get the client request from the accept date or since the emission of the last byte of the previous response | HTTP mode only |
%Tw | Tw | numeric | total time spent in the queues waiting for a connection slot. | |
%Tc | Tc | numeric | total time to establish the TCP connection to the server. | |
%Tr | response time | numeric | server response time | HTTP mode only |
%Tt | Tt | numeric | total session duration time | |
%ST | status_code | numeric | ||
%B | bytes_read | numeric | from server to client | |
%ts | termination_state | string | ||
%sq | srv_queue | numeric | ||
%bq | backend_queue | numeric | ||
%hr | captured_request_headers | string | default style | |
%r | http_request | string | HTTP mode only | |
%rt | request_counter | numeric | ||
%ID | unique-id | string | Unique ID generated by unique-id-header directive | |
Flags
Flag | Description | Remarks |
---|---|---|
Q | quote a string | |
X | hexadecimal representation | |
E | escape characters '"', '\' and ']' in a string with '\' as prefix | RFC5424 |
Timings Events
first request 2nd request
|<-------------------------------->|<-------------- ...
t tr t tr ...
---|----|----|----|----|----|----|----|----|--
: Th Ti TR Tw Tc Tr Td : Ti ...
:<---- Tq ---->: :
:<-------------- Tt -------------->:
:<--------- Ta --------->:
Event | Name | Description | Remarks |
---|---|---|---|
Th | handshakes | total time to accept tcp connection and execute handshakes for low level protocols. | |
Ti | idle | the idle time before the HTTP request. | |
TR | Request | total time to get the client request. | |
Tq | | total time to get the client request from the accept date or since the emission of the last byte of the previous response. | Th + Ti + TR |
Tw | waiting | total time spent in the queues waiting for a connection slot. | |
Tc | connection | total time to establish the TCP connection to the server. | |
Tr | response | server response time | |
Td | data | the data transmission time | Tt - (Th + Ti + TR + Tw + Tc + Tr) |
Ta | active | total active time for the HTTP request | |
Tt | total | total session duration time | |
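The log variables, flags and timing events described in the Logging and Timings sections above, as an added example that is not HAProxy's or the page author's code: a parser for the custom log-format used in this page's sample configuration (`%ci %ft %b %si %Tq/%Tw/%Tc/%Tr/%Tt %ST %B %ts %sq/%bq %hr %{+Q}r`), which also derives Td from the logged timers and decodes the two-letter termination state. The log lines are constructed; the syslog prefix is what rsyslog prepends.

```python
"""Parse HAProxy traffic logs emitted with the custom log-format of this
page's sample configuration:

    %ci %ft %b %si %Tq/%Tw/%Tc/%Tr/%Tt %ST %B %ts %sq/%bq %hr %{+Q}r

Derived fields follow the Timings table and the two-letter %ts codes
documented for HAProxy 1.8. Sample lines below are constructed.
"""
import re

LINE_RE = re.compile(
    r"^(?:.*?haproxy\[\d+\]: )?"          # optional syslog prefix added by rsyslog
    r"(?P<client_ip>\S+) "                # %ci
    r"(?P<frontend>\S+) "                 # %ft ('~' suffix marks an SSL frontend)
    r"(?P<backend>\S+) "                  # %b
    r"(?P<server_ip>\S+) "                # %si ('-' when no server was chosen)
    r"(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>-?\d+) "
    r"(?P<status>-?\d+) "                 # %ST
    r"(?P<bytes>\d+) "                    # %B
    r"(?P<term>\S{2}) "                   # %ts (two-letter termination state)
    r"(?P<srv_queue>\d+)/(?P<be_queue>\d+) "
    r"(?:\{(?P<captured>[^}]*)\} )?"      # %hr, omitted when nothing is captured
    r"\"(?P<request>.*)\"$"               # %{+Q}r: +Q quotes but does not escape
)                                         # inner quotes, so match greedily to EOL

# %ts, first letter: what ended the session.
TERM_CAUSE = {"-": "normal", "C": "client aborted", "S": "server aborted/refused",
              "P": "proxy blocked/denied", "L": "handled locally", "R": "resource exhausted",
              "I": "internal error", "D": "server down", "U": "server up again",
              "K": "killed by admin", "c": "client-side timeout", "s": "server-side timeout"}
# %ts, second letter: which phase the session was in when it ended.
TERM_STATE = {"-": "normal completion", "R": "waiting for request", "Q": "queued",
              "C": "connecting to server", "H": "waiting for server headers",
              "D": "data transfer", "L": "last data to client", "T": "tarpitted"}

def decode_termination(ts):
    return (TERM_CAUSE.get(ts[0], "unknown"), TERM_STATE.get(ts[1], "unknown"))

def data_time(rec):
    """Td = Tt - (Th + Ti + TR + Tw + Tc + Tr) from the Timings table. This
    format logs Th + Ti + TR as a single %Tq, so Td = Tt - (Tq + Tw + Tc + Tr).
    A -1 timer means that phase never completed, so Td is undefined."""
    phases = [rec[k] for k in ("Tq", "Tw", "Tc", "Tr")]
    if any(t < 0 for t in phases):
        return None
    return rec["Tt"] - sum(phases)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for k in ("Tq", "Tw", "Tc", "Tr", "Tt", "status", "bytes", "srv_queue", "be_queue"):
        rec[k] = int(rec[k])
    cap = rec.pop("captured")
    rec["captured_headers"] = cap.split("|") if cap is not None else []
    rec["ssl"] = rec["frontend"].endswith("~")
    rec["Td"] = data_time(rec)
    rec["termination"] = decode_termination(rec["term"])
    return rec

def abnormal(records):
    """Lines an operator triages first: any non-normal %ts, or a 5xx status."""
    return [r for r in records if r["term"] != "--" or r["status"] >= 500]

# Constructed sample: one normal TLS request, one backend timeout, and one
# request denied by an http-request rule (no server chosen, so %si is '-').
SAMPLE_LOG = """\
Aug  6 10:15:01 lb1 haproxy[1234]: 192.168.1.100 https~ http-rear 127.0.0.1 12/0/1/45/58 200 1234 -- 0/0 {example.com|10.0.0.5} "GET /index.html HTTP/1.1"
Aug  6 10:15:02 lb1 haproxy[1234]: 192.168.1.101 http http-rear 127.0.0.1 5/0/1/-1/10007 504 194 sH 0/0 {example.com|} "POST /api/login HTTP/1.1"
Aug  6 10:15:03 lb1 haproxy[1234]: 192.168.1.102 ws ws-rear - 3/-1/-1/-1/3 403 187 PR 0/0 {example.com|10.0.0.7} "GET /socket?q="x" HTTP/1.1"
"""

if __name__ == "__main__":
    records = [parse_line(l) for l in SAMPLE_LOG.splitlines()]
    for r in abnormal(records):
        print(r["client_ip"], r["status"], r["term"], r["termination"], r["request"])
```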
Monitoring
Metric | Types | Description | Remarks |
---|---|---|---|
pxname | LFBS | proxy name | |
svname | LFBS | service name | FRONTEND, BACKEND, ... |
qcur | ..BS | current queued requests | |
qmax | ..BS | max value of qcur | |
scur | LFBS | current sessions | |
smax | LFBS | max sessions | |
slim | LFBS | configured session limit | |
stot | LFBS | cumulative number of sessions | |
CLI
Option | Description | Remarks |
---|---|---|
-D | goes daemon | |
-Ws | master-worker mode with systemd notify support | |
-c | only check config files and exit | check mode |
-V | enters verbose mode (disables quiet mode) | |
-p <pidfile> | writes pids of all children to this file | |
-sf | finishes/terminates old pids | |
Readings
- What's New in HAProxy 1.8 (Nov 1, 2017)
- Install and Configure HAProxy Load Balancer on Ubuntu 16.04 (Feb 06, 2017)
- How to install HAProxy 1.8 on Ubuntu 16 (DECEMBER 30, 2017)
ppa:vbernat/haproxy-1.8
- An Introduction to HAProxy and Load Balancing Concepts (May 13, 2014)
- Running HAProxy
haproxy -f /etc/haproxy.cfg
- Rewriting HTTP Requests, Methods, or Headers
- Getting the most out of HAProxy (2013/10/16)
- Use HAProxy to load balance 300k concurrent tcp socket connections: Port Exhaustion, Keep-alive and others
- HAProxy error: Some configuration options require full privileges, so global.uid cannot be changed (Aug 19 '14)
- Observability tips for HAProxy (Jun 5, 2018)
ACL
- Introduction to HAProxy ACLs (Sep 13, 2018)
- Writing Conditions
Proxying
SSL
- SSL offloading impact on web applications (Feb 26, 2013)
- SSL offloading == SSL acceleration
- How To Implement SSL Termination With HAProxy on Ubuntu 14.04 (July 10, 2014)
- SSL Client certificate management at application level (Oct 3, 2012)
- Handling SSL/TLS
- Client Certificate Authentication with HAProxy (August 15, 2017)
- SSL Client certificate information in HTTP headers and logs (Jun 13, 2013)
- Pass-through SSL with HAProxy (Feb 8, 2015)
- HPKP: HTTP Public Key Pinning with HAProxy (2015-01-27)
- HAProxy and HTTP Strict Transport Security (HSTS) header in HTTP redirects (Jun 9, 2015)
- HAProxy SNI (NOV 30TH, 2016)
- HAProxy - Speeding up SSL (Apr 27, 2017)
- TLS termination: stunnel, nginx & stud (August 23, 2011)
- Scaling out SSL (Nov 7, 2011)
WebSockets
- Websockets load-balancing with HAProxy (Nov 7, 2012)
HTTP/2
- Configuring HAProxy with HTTP2 support (Jan 8, 2018)
- No HTTP/2 is supported for now on the backend
- HTTP/2 support is still considered EXPERIMENTAL
Load Balancing
- AWS : LOAD BALANCING WITH HAPROXY (HIGH AVAILABILITY PROXY)
- Load Balancing with HAProxy (JULY 15, 2014)
- Using HAPROXY as an SSL gateway (January 28th, 2014)
- Enhanced SSL load-balancing with Server Name Indication (SNI) TLS extension (Apr 13, 2012)
Logging, Tracing and Statistics
- HAProxy Logging in Ubuntu Lucid (2010/08/11)
- HAProxy Load Balancer setup including logging on Debian (June 7, 2013)
- Logging haproxy check results / problems (Aug 9 '10)
- option log-health-checks
- Setting a unique http request id with haproxy's http-request set-header (Oct 2 '17)
- unique-id-format, unique-id-header
- HTTP Request IDs (17 June 2019)
- Introduction to HAProxy Logging (Feb 8, 2019)
- How to collect HAProxy metrics (March 9, 2018)
- How to restart rsyslog daemon on ubuntu (Sep 1 '10)
Health Check
- haproxy heartbeat with backend based on http post (Aug 3 '15)
- option httpchk POST ${ENDPOINT} HTTP/1.0\r\nContent-Type:\ application/json\r\nContent-Length:\ 16\r\n\r\n{\"body\":\"json\"}
Throttling
- Use a Load Balancer as a First Row of Defense Against DDOS (Feb 27, 2012)
Mapping
- Introduction to HAProxy Maps (Oct 17, 2018)
Samples
Typical Sample for Reverse Proxy
# References
# http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3
# http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4
# https://kvz.io/blog/2010/08/11/haproxy-logging/
global
daemon
log /var/lib/haproxy/dev/log local0 info
log /var/lib/haproxy/dev/log local1 notice
ca-base /etc/haproxy/ssl/trusted
crt-base /etc/haproxy/ssl
# https://disablessl3.com/
ssl-default-bind-options no-sslv3
# 'stats socket' would generate the specified socket file if not exists
stats socket /var/run/haproxy.sock mode 660
maxconn 2000
tune.ssl.default-dh-param 2048
defaults
mode http
monitor-uri /liveness
log global
option httplog
option dontlognull
no option log-health-checks
# http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8.2.4
log-format %ci\ %ft\ %b\ %si\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %hr\ %{+Q}r
# Add 'X-Forwarded-For' header automatically
option forwardfor
#option http-server-close
timeout connect 5s
timeout client 10s
timeout server 10s
timeout tunnel 600s
timeout server-fin 10s
timeout client-fin 10s
timeout http-request 5s
timeout http-keep-alive 2s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
default-server inter 5s rise 2 fall 3
listen stats
bind 192.168.1.11:8070
stats enable
stats admin if FALSE
stats auth haproxystat:dontuse1234
stats hide-version
stats realm HAProxy\ Statistics
stats uri /stats
frontend http
bind 192.168.1.11:8080
capture request header Host len 20
#capture request header Forwarded len 50
capture request header X-Forwarded-For len 20
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Proto http
default_backend http-rear
frontend https
# http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-verify
bind 192.168.1.11:8443 ssl crt server-tls.pem ca-file ca.crt verify none
# bind 192.168.1.11:8443 ssl crt server-tls.pem ca-file ca.crt verify optional crt-ignore-err all ca-ignore-err all # For mutual auth
capture request header Host len 20
#capture request header Forwarded len 50
capture request header X-Forwarded-For len 20
#http-request deny deny_status 400 unless { ssl_fc }
#http-request deny deny_status 400 unless { ssl_c_used }
#http-request deny deny_status 400 unless { ssl_c_verify 0 }
# setup request header for logging or backend usage
# https://www.haproxy.com/blog/ssl-client-certificate-information-in-http-headers-and-logs/
http-request set-header X-SSL %[ssl_fc]
http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Proto http
default_backend http-rear
frontend ws
bind 192.168.1.11:8090
capture request header Host len 20
#capture request header Forwarded len 50
capture request header X-Forwarded-For len 20
acl is_connection_upgrade hdr(Connection) -i upgrade
acl is_upgrade_websocket hdr(Upgrade) -i websocket
acl has_websocket_key hdr_cnt(Sec-WebSocket-Key) eq 1
acl has_websocket_ver hdr_cnt(Sec-WebSocket-Version) eq 1
http-request deny unless is_connection_upgrade is_upgrade_websocket has_websocket_key has_websocket_ver
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Proto http
default_backend ws-rear
frontend wss
bind 192.168.1.11:8453 ssl crt server-tls.pem ca-file ca.crt verify none
# bind 192.168.1.11:8453 ssl crt server-tls.pem ca-file ca.crt verify optional crt-ignore-err all ca-ignore-err all # For mutual auth
capture request header Host len 20
#capture request header Forwarded len 50
capture request header X-Forwarded-For len 20
#http-request deny deny_status 400 unless { ssl_fc }
#http-request deny deny_status 400 unless { ssl_c_used }
#http-request deny deny_status 400 unless { ssl_c_verify 0 }
acl is_connection_upgrade hdr(Connection) -i upgrade
acl is_upgrade_websocket hdr(Upgrade) -i websocket
acl has_websocket_key hdr_cnt(Sec-WebSocket-Key) eq 1
acl has_websocket_ver hdr_cnt(Sec-WebSocket-Version) eq 1
http-request deny unless is_connection_upgrade is_upgrade_websocket has_websocket_key has_websocket_ver
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Proto http
default_backend ws-rear
backend http-rear
# https://serverfault.com/questions/622567/haproxy-error-some-configuration-options-require-full-privileges-so-global-uid
#source 0.0.0.0 usesrc clientip
option http-keep-alive
http-request set-header X-User ...
http-request set-header Authorization 'Basic ...'
option httpchk POST / HTTP/1.1\r\nHost:\ 127.0.0.1\r\nContent-Length:\ 25\r\nAuthorization:\ Basic\ ...\r\nX-User:\ ...\r\n\r\n
server s1 127.0.0.1:80 check
backend ws-rear
# https://serverfault.com/questions/622567/haproxy-error-some-configuration-options-require-full-privileges-so-global-uid
#source 0.0.0.0 usesrc clientip
option http-keep-alive
http-request set-header X-User ...
http-request set-header Authorization 'Basic ...'
server s1 127.0.0.1:90 check
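The four ACLs that gate the ws and wss frontends above (Connection: upgrade, Upgrade: websocket, exactly one Sec-WebSocket-Key and exactly one Sec-WebSocket-Version) are re-implemented here in Python as an added example, so the rule can be exercised against constructed requests. This is not HAProxy code; the function names (parse_headers, hdr_has_token, hdr_cnt, is_websocket_upgrade, decide) and the sample requests are this example's own. The point of hdr_cnt(...) eq 1 is that a request carrying the header twice is ambiguous and gets denied rather than forwarded:

```python
from typing import Dict, List, Tuple

# Constructed sample requests (not captured traffic).
GOOD_REQUEST = (
    "GET /chat HTTP/1.1\r\n"
    "Host: example.internal\r\n"
    "Connection: keep-alive, Upgrade\r\n"
    "Upgrade: websocket\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "\r\n"
)
# Plain GET with no upgrade handshake at all: must be denied.
PLAIN_REQUEST = "GET /chat HTTP/1.1\r\nHost: example.internal\r\n\r\n"
# Same handshake but the key header appears twice: hdr_cnt() is 2, so denied.
DUP_KEY_REQUEST = GOOD_REQUEST.replace(
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n",
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Key: AAAAAAAAAAAAAAAAAAAAAA==\r\n",
)


def parse_headers(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw request into its request line and a header map.
    Names are lower-cased; repeated headers are kept as a list so
    their count can be checked, which is what hdr_cnt() relies on."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return request_line, headers


def hdr_has_token(headers: Dict[str, List[str]], name: str, token: str) -> bool:
    """Mirror of 'hdr(<name>) -i <token>': hdr() splits each occurrence on
    commas, so 'Connection: keep-alive, Upgrade' still matches 'upgrade'."""
    for value in headers.get(name.lower(), []):
        for tok in value.split(","):
            if tok.strip().lower() == token.lower():
                return True
    return False


def hdr_cnt(headers: Dict[str, List[str]], name: str) -> int:
    """Mirror of hdr_cnt(<name>): number of occurrences of the header."""
    return len(headers.get(name.lower(), []))


def is_websocket_upgrade(raw: str) -> bool:
    """All four ACLs must hold; 'http-request deny unless ...' drops the rest."""
    _, headers = parse_headers(raw)
    return (
        hdr_has_token(headers, "Connection", "upgrade")      # is_connection_upgrade
        and hdr_has_token(headers, "Upgrade", "websocket")   # is_upgrade_websocket
        and hdr_cnt(headers, "Sec-WebSocket-Key") == 1       # has_websocket_key
        and hdr_cnt(headers, "Sec-WebSocket-Version") == 1   # has_websocket_ver
    )


def decide(raw: str) -> str:
    """'allow' when the request would reach ws-rear, 'deny' otherwise."""
    return "allow" if is_websocket_upgrade(raw) else "deny"


if __name__ == "__main__":
    for label, req in [("good", GOOD_REQUEST), ("plain", PLAIN_REQUEST), ("dup-key", DUP_KEY_REQUEST)]:
        print(f"{label}: {decide(req)}")
```

Running it prints allow for the well-formed handshake and deny for the other two; the duplicate-key case is the one a plain "header present" check would have let through.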
Typical Sample for Forward Proxy
# Sample HAProxy configuration for dedicated forward proxy
# References
# https://stackoverflow.com/questions/49433417/setup-https-forward-proxy-with-haproxy
# https://serverfault.com/questions/477642/using-haproxy-for-transparent-forwarding-and-selective-redirection
global
    daemon
    log /var/lib/haproxy/dev/log local0 info
    log /var/lib/haproxy/dev/log local1 notice
    ca-base /etc/haproxy/ssl/trusted
    crt-base /etc/haproxy/ssl
    maxconn 2048
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3

userlist users
    group regular-users
    user tom password ... groups regular-users

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 10s
    timeout server 10s
    timeout tunnel 600s
    timeout server-fin 10s
    timeout client-fin 10s
    timeout http-request 5s
    timeout http-keep-alive 2s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

listen stats
    bind 192.168.1.11:8070
    stats enable
    stats hide-version
    stats realm HAProxy\ Statistics
    stats uri /stats
    stats auth proxyadmin:p8dp8d

resolvers dns
    nameserver dns1 8.8.8.8
    nameserver dns2 8.8.4.4
    hold valid 10s

frontend http
    bind 192.168.1.11:8080
    option http-use-proxy-header
    option httplog
    option dontlognull
    log-format %ci\ [%t]\ %ft\ %b\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %{+Q}r
    acl is-allowed-users http_auth_groups(users) regular-users
    http-request auth unless is-allowed-users # 407 for unauthorized access
    default_backend outside

backend outside
    option httpclose
    option http_proxy
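The authentication step of the forward proxy above ("http-request auth unless is-allowed-users", which answers 407 with a Proxy-Authenticate challenge until the client presents a credential that maps to the regular-users group) is modelled here as a request/response exchange in Python. This is an added example, not HAProxy code: the userlist, the realm string, the hash scheme and the names (USERS, http_auth_groups, proxy_authorize, basic_credential) are all this example's assumptions. HAProxy itself stores crypt(3) hashes for "password" entries; the SHA-256 lookup below only stands in for that so the block runs offline.

```python
import base64
import hashlib
import hmac
from typing import Dict, Set, Tuple

REALM = "HAProxy Forward Proxy"   # constructed realm string


def _h(password: str) -> str:
    """Stand-in for the stored hash (HAProxy uses crypt(3); this is an assumption)."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed userlist, in the spirit of 'userlist users' above:
# name -> (stored hash, groups).  Only regular-users is allowed through.
USERS: Dict[str, Tuple[str, Set[str]]] = {
    "tom": (_h("correct horse battery"), {"regular-users"}),
    "guest": (_h("guest"), {"guests"}),
}


def http_auth_groups(headers: Dict[str, str]) -> Set[str]:
    """Mirror of http_auth_groups(users): the groups of the user named in
    Proxy-Authorization when the credential verifies, else an empty set."""
    value = headers.get("proxy-authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return set()
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return set()                      # malformed token: no groups, no error leak
    user, _, password = decoded.partition(":")
    entry = USERS.get(user)
    if entry is None or not hmac.compare_digest(entry[0], _h(password)):
        return set()
    return entry[1]


def proxy_authorize(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Status and headers the proxy answers with.  200 means the request
    continues to the 'outside' backend; otherwise the 407 challenge."""
    if "regular-users" in http_auth_groups(headers):     # the is-allowed-users ACL
        return 200, {}
    return 407, {"Proxy-Authenticate": f'Basic realm="{REALM}"'}


def basic_credential(user: str, password: str) -> str:
    """What a client puts in Proxy-Authorization after the 407."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    # Exchange 1: no credential -> 407 challenge.
    print(proxy_authorize({}))
    # Exchange 2: client retries with a valid credential -> 200, forwarded.
    print(proxy_authorize({"proxy-authorization": basic_credential("tom", "correct horse battery")}))
    # Exchange 3: valid user, wrong group -> still 407.
    print(proxy_authorize({"proxy-authorization": basic_credential("guest", "guest")}))
```

Note that group membership, not just a valid password, decides the outcome: "guest" authenticates but is not in regular-users, so the ACL still fails, exactly as http_auth_groups(users) regular-users would behave.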
Log Format and Grok Pattern
Item | Value |
---|---|
Log Format | %ci\ %ft\ %b\ %si\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %ts\ %sq/%bq\ %hr\ %{+Q}r |
Grok Pattern | %{IPV4:client_ip} %{NOTSPACE:fe} %{NOTSPACE:be} %{NOTSPACE:server_ip} %{INT:tq}/%{INT:tw}/%{INT:tc}/%{INT:tr}/%{INT:tt} %{INT:resp_code} %{NONNEGINT:read_byte} %{NOTSPACE:term_state} %{NONNEGINT:server_q}/%{NONNEGINT:be_q} \{%{DATA:host}\|%{DATA:client}\} %{GREEDYDATA:req} |

Notes on the pattern: the timers and %ST are INT rather than NONNEGINT because HAProxy logs -1 for a timer or status that never happened (aborted or rejected requests); %si is NOTSPACE because it is "-" when no server was reached; the %hr group is written \{...\|...\} so the braces and the pipe are literal, with Host first and X-Forwarded-For second, matching the capture order in the reverse-proxy sample; and the last field is GREEDYDATA because a trailing DATA (non-greedy) would match the empty string.
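As an added example, not part of the original page, the same log format is parsed here with a Python regex equivalent of the Grok pattern and the entries a responder would pull out first (5xx, slow backend, abnormal termination, unparseable request) are flagged. The sample lines are constructed in the shape the log-format above emits; the names LOG_RE, parse_line, parse_log and triage are this example's own, and the 1000 ms "slow" threshold is an arbitrary assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not real traffic): %ts is the two-character
# termination state, %hr is {Host|X-Forwarded-For}, timers are -1 on abort.
SAMPLE_LOG = """\
192.168.1.31 http http-rear 127.0.0.1 12/0/1/35/48 200 1234 -- 0/0 {example.internal|10.0.0.5} "GET /api/v1/items HTTP/1.1"
192.168.1.31 https~ http-rear 127.0.0.1 8/0/1/4950/4960 503 312 SH 0/0 {example.internal|10.0.0.5} "POST /api/v1/orders HTTP/1.1"
192.168.1.40 http http - -1/-1/-1/-1/5 400 212 PR 0/0 {|} "<BADREQ>"
"""

# One named group per Grok field, in the order of the log-format above.
LOG_RE = re.compile(
    r"^(?P<client_ip>\S+) (?P<fe>\S+) (?P<be>\S+) (?P<server_ip>\S+) "
    r"(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+) "
    r"(?P<resp_code>-?\d+) (?P<read_byte>\d+) (?P<term_state>\S+) "
    r"(?P<server_q>\d+)/(?P<be_q>\d+) "
    r"\{(?P<host>[^|}]*)\|(?P<client>[^}]*)\} "
    r'"(?P<req>.*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Field map for one log line, or None when the line is not in this format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line; lines that do not match are skipped."""
    parsed = (parse_line(line) for line in text.splitlines() if line.strip())
    return [entry for entry in parsed if entry is not None]


def triage(entry: Dict[str, str], slow_ms: int = 1000) -> List[str]:
    """Reasons a responder would look at this entry; empty list means routine."""
    reasons: List[str] = []
    if int(entry["resp_code"]) >= 500:
        reasons.append("5xx")
    if int(entry["tr"]) >= slow_ms:            # Tr: time waiting for the server response
        reasons.append("slow-backend")
    if entry["term_state"] != "--":            # anything but '--' is a non-normal session end
        reasons.append("abnormal-termination:" + entry["term_state"])
    if entry["req"] == "<BADREQ>":             # HAProxy could not parse the request line
        reasons.append("bad-request")
    return reasons


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(entry["client_ip"], entry["resp_code"], entry["req"], triage(entry))
```

The third sample line is the one a NONNEGINT-based pattern silently drops: its timers are -1 and its server field is "-", which is exactly the traffic (rejected, malformed requests) that should not disappear from the parsed stream.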
Wireshark
- http://www.wireshark.org/
- Desc. : lets you capture and interactively browse the traffic running on a computer network.
References
Operator | Symbol | Description | Remarks |
---|---|---|---|
eq | == | Equal | |
ne | != | Not Equal | |
gt | > | Greater Than | |
lt | < | Less Than | |
ge | >= | Greater than or Equal to | |
le | <= | Less than or Equal to | |
contains | | Does the protocol, field or slice contain a value | |
matches | ~ | Does the protocol or text string match the given case-insensitive Perl-compatible regex | |
[i:j] | | Slices with i = start_offset, j = length | |
[i-j] | | Slices with i = start_offset, j = end_offset, inclusive | |
[i] | | Slices with i = start_offset, length = 1 | |
[:j] | | Slices with start_offset = 0, length = j | |
[i:] | | Slices with start_offset = i, end_offset = end_of_field | |
and | && | Logical AND | |
or | \|\| | Logical OR | |
not | ! | Logical NOT | |
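The five slice forms in the table are easy to confuse because [i:j] takes a length while [i-j] takes an inclusive end offset. As an added example (not Wireshark code; the function names wireshark_slice, contains and to_hex and the 16-byte sample field are this example's own), the forms are implemented over a bytes value with the same semantics the table states, so each one can be checked against a known field:

```python
import re

# Constructed 16-byte field 00 01 02 ... 0f, so offsets and values coincide.
FIELD = bytes(range(0x10))

# [a sep b] where sep is ':' (length form), '-' (inclusive end form) or absent.
_SLICE_RE = re.compile(r"^\[(?P<a>\d*)(?P<sep>[:\-]?)(?P<b>\d*)\]$")


def wireshark_slice(field: bytes, spec: str) -> bytes:
    """Apply one Wireshark-style slice spec to a field."""
    m = _SLICE_RE.match(spec.replace(" ", ""))
    if not m:
        raise ValueError(f"bad slice: {spec}")
    a, sep, b = m.group("a"), m.group("sep"), m.group("b")
    if sep == "":
        # [i]: start_offset = i, length = 1
        if a == "":
            raise ValueError(f"bad slice: {spec}")
        i = int(a)
        return field[i:i + 1]
    if sep == "-":
        # [i-j]: start_offset = i, end_offset = j, inclusive
        if a == "" or b == "":
            raise ValueError(f"bad slice: {spec}")
        i, j = int(a), int(b)
        return field[i:j + 1]
    # sep == ":"
    if a == "" and b == "":
        raise ValueError(f"bad slice: {spec}")
    if a == "":
        # [:j]: start_offset = 0, length = j
        return field[:int(b)]
    if b == "":
        # [i:]: start_offset = i, end_offset = end_of_field
        return field[int(a):]
    # [i:j]: start_offset = i, length = j
    i, j = int(a), int(b)
    return field[i:i + j]


def contains(field: bytes, needle: bytes) -> bool:
    """The 'contains' operator: does the field (or a slice of it) hold the value."""
    return needle in field


def to_hex(b: bytes) -> str:
    """Render bytes the way Wireshark shows them, e.g. 00:01:02."""
    return ":".join(f"{x:02x}" for x in b)


if __name__ == "__main__":
    for spec in ("[2:3]", "[2-3]", "[5]", "[:4]", "[12:]"):
        print(f"{spec:6} -> {to_hex(wireshark_slice(FIELD, spec))}")
```

Note the first two lines of output: [2:3] yields three bytes (02:03:04) while [2-3] yields two (02:03), which is the distinction the table is making.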
Protocol | Typical Fields | Description | Remarks |
---|---|---|---|
tcp | port | Transmission Control Protocol | |
ip | addr, dst, src | Internet Protocol Version 4 | |
http | | Hypertext Transfer Protocol | |
ssl | | Secure Sockets Layer | |
websocket | | WebSocket | |
Readings
- How To Set Up a Capture
- Loopback capture setup
- Wireshark basics 101: A simple concise tutorial for beginners (August 17, 2013)
- How to Use Wireshark to Capture, Filter and Inspect Packets
- Wireshark: A Guide to Color My Packets (1st July 2014)
- Getting Started with Wireshark (11, 07, 2014)
- Let me tell you about Wireshark 2.0 (November 6, 2015)
- Wireshark Wiki / SSL
- Why wireshark cannot display TLS/SSL (23 Jun '14)
  - Edit -> Preferences -> Protocols -> HTTP -> SSL/TLS Ports
- Wireshark Wiki / WebSocket: websocket filter
Tips and Tricks
Typical display filters
ip.src == 192.168.1.31 and ip.addr == 203.252.150.28 and http
tcpdump
- http://www.tcpdump.org/
- Desc. : a powerful command-line packet analyzer
- License :
- Sources :
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ] [ -C file_size ]
[ -E spi@ipaddr algo:secret,... ]
[ -F file ] [ -G rotate_seconds ] [ -i interface ]
[ --immediate-mode ] [ -j tstamp_type ] [ -m module ]
[ -M secret ] [ --number ] [ --print ] [ -Q in|out|inout ]
[ -r file ] [ -s snaplen ] [ -T type ] [ --version ]
[ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ]
[ -z postrotate-command ] [ -Z user ]
[ --time-stamp-precision=tstamp_precision ]
[ expression ]
Options
Option | Description | Remarks |
---|---|---|
-n | Don't convert addresses | |
-i interface | Listen on interface | |
-A | Print each packet (minus its link level header) in ASCII | Handy for capturing web pages |
-s n | Snarf n bytes of data from each packet rather than the default of 262144 bytes | Setting n to 0 sets it to the default of 262144 |
-x | When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex | |
- 12 Tcpdump Commands – A Network Sniffer Tool (September 13, 2012)
- Capture Packets with Tcpdump (2013-04-25)
- Using tcpdump to see HTTP requests and responses (17 April, 2010)
tcpdump -n -i eth0 -A tcp port 80
- How to filter tcpdump output based on packet length (Mar 26 '12)
tcpdump -nAx -s 0 -i eth0 tcp port 443 and greater 100
Filter Expression
pcap-filter
man page : explains filter expressions
Primitive | Description | Remarks |
---|---|---|
host host | True if either the IPv4/v6 source or destination of the packet is host | |
dst host host | True if the IPv4/v6 destination field of the packet is host | |
src host host | True if the IPv4/v6 source field of the packet is host | |
port port | True if either the source or destination port of the packet is port. | |
dst port port | True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of port. | |
src port port | True if the packet has a source port value of port. | |
ip proto protocol | True if the packet is an IPv4 packet of protocol type protocol. | |
tcp | Shorthand for ip proto tcp | |