HAProxy

  • http://www.haproxy.org/
  • Desc. : a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications
  • License: GPLv2 (with parts under LGPLv2.1)
  • Written in: C
  • Sources: http://git.haproxy.org/

References

  • What HAProxy is and isn't
    • It will not see IP packets nor UDP datagrams, will not perform NAT or even less DSR (direct server return, without passing through the LB again)

Global Parameters

Parameter | Description | Remarks
log | Adds a global syslog server |
ulimit-n | Sets the maximum number of per-process file descriptors | Not recommended; HAProxy computes the limit itself from maxconn
ssl-default-bind-options | Sets default SSL options to force on all "bind" lines |

Proxy Keywords

Keyword | Description | Remarks
mode { tcp|http|health } | Set the running mode or protocol of the instance |
tcp-request inspect-delay <timeout> | Set the maximum allowed time to wait for data during content inspection |
tcp-response content <action> [{if|unless} <condition>] | Perform an action on a session response depending on a layer 4-7 condition |
option httpclose | Enable or disable passive HTTP connection closing | Adds a "Connection: close" header; deprecated
option forwardfor | Enable insertion of the X-Forwarded-For header in requests sent to servers | "X-Forwarded-For" header; servers should only trust it when they are reachable solely through the proxy
option socket-stats | Enable or disable collecting and providing separate statistics for each socket |
Timeout
Keyword | Description | Remarks
timeout connect <timeout> | Set the maximum time to wait for a connection attempt to a server to succeed |
timeout server <timeout> | Set the maximum inactivity time on the server side |
timeout client <timeout> | Set the maximum inactivity time on the client side |
timeout tunnel <timeout> | Set the maximum inactivity time on the client and server side for tunnels | Applies once a tunnel (e.g. WebSocket, CONNECT) is established
timeout server-fin <timeout> | Set the inactivity timeout on the server side for half-closed connections |
timeout client-fin <timeout> | Set the inactivity timeout on the client side for half-closed connections |
timeout http-request <timeout> | Set the maximum allowed time to wait for a complete HTTP request | Bounds slow-header (slowloris-style) clients; keep it short
timeout http-keep-alive <timeout> | Set the maximum allowed time to wait for a new HTTP request to appear |

Logging

Keyword | Description | Remarks
option httplog | Enable logging of HTTP request, session state and timers |
option dontlognull | Enable or disable logging of null connections |
log-format | Specifies the log format string to use for traffic logs |
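The default `option httplog` record puts the client address, the frontend, backend and server names, the five timers, the status, the four-character termination state and the request line on a single line. The Python script below, added here as an example and not part of HAProxy or of this page, parses that layout and counts, per client, the terminations whose first two characters are cR (the client never completed a request before timeout http-request expired) or PR (the proxy blocked the request, e.g. an http-request deny). The log lines are constructed for the example; the field names, the anomaly set and the threshold are the script's own choices.

```python
"""Parse HAProxy 'option httplog' records and flag clients whose requests
keep ending abnormally. Added example; the log lines are constructed."""
import re
from collections import Counter

# Default HTTP log format (optionally preceded by a syslog header):
#   client_ip:port [accept_date] frontend backend/server TR/Tw/Tc/Tr/Ta
#   status bytes req_cookie resp_cookie term_state act/fe/be/srv/retries
#   srv_queue/backend_queue {req_hdrs} {resp_hdrs} "request"
# Older releases name the timers Tq/Tw/Tc/Tr/Tt; the layout is the same.
HTTPLOG_RE = re.compile(
    r"^(?:.*?haproxy\[\d+\]: )?"
    r"(?P<client_ip>\S+):(?P<client_port>\d+) "
    r"\[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>\S+) "
    r"(?P<backend>[^/ ]+)/(?P<server>\S+) "
    r"(?P<t_req>-?\d+)/(?P<t_wait>-?\d+)/(?P<t_conn>-?\d+)/"
    r"(?P<t_resp>-?\d+)/(?P<t_total>-?\d+) "
    r"(?P<status>-?\d+) (?P<bytes_read>\d+) "
    r"(?P<req_cookie>\S+) (?P<resp_cookie>\S+) "
    r"(?P<term_state>[A-Za-z-]{4}) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/"
    r"(?P<srv_conn>\d+)/(?P<retries>\+?\d+) "
    r"(?P<srv_queue>\d+)/(?P<backend_queue>\d+) "
    r"(?:\{(?P<req_hdrs>[^}]*)\} )?"   # only present with 'capture request header'
    r"(?:\{(?P<resp_hdrs>[^}]*)\} )?"  # only present with 'capture response header'
    r'"(?P<request>.*)"$'
)
INT_FIELDS = ("client_port", "t_req", "t_wait", "t_conn", "t_resp", "t_total",
              "status", "bytes_read", "actconn", "feconn", "beconn",
              "srv_conn", "srv_queue", "backend_queue")

# First two characters of the termination state: 'c' = client-side timeout,
# 'P' = blocked by the proxy, both while 'R' = waiting for a complete request.
REQUEST_ANOMALIES = {"cR", "PR"}


def parse_httplog(line):
    """Return a dict of fields, or None if the line is not an httplog record."""
    m = HTTPLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def suspicious_clients(lines, threshold=2):
    """Count cR/PR terminations per client IP; return those at or over threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_httplog(line)
        if rec and rec["term_state"][:2] in REQUEST_ANOMALIES:
            counts[rec["client_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


SAMPLE_LINES = [  # constructed for this example, not from a real deployment
    'Jun  3 10:01:02 lb1 haproxy[2201]: 203.0.113.7:51024 [03/Jun/2019:10:01:02.117] '
    'http-in web/srv1 3/0/1/22/26 200 1843 - - ---- 4/4/1/1/0 0/0 {example.com} {} '
    '"GET /index.html HTTP/1.1"',
    'Jun  3 10:01:05 lb1 haproxy[2201]: 198.51.100.9:40112 [03/Jun/2019:10:01:00.003] '
    'http-in http-in/<NOSRV> -1/-1/-1/-1/5002 408 212 - - cR-- 5/5/0/0/0 0/0 "<BADREQ>"',
    'Jun  3 10:01:10 lb1 haproxy[2201]: 198.51.100.9:40115 [03/Jun/2019:10:01:05.218] '
    'http-in http-in/<NOSRV> -1/-1/-1/-1/5001 408 212 - - cR-- 4/4/0/0/0 0/0 "<BADREQ>"',
    'Jun  3 10:01:11 lb1 haproxy[2201]: 198.51.100.9:40118 [03/Jun/2019:10:01:11.441] '
    'http-in http-in/<NOSRV> 2/-1/-1/-1/2 403 188 - - PR-- 3/3/0/0/0 0/0 "GET /admin HTTP/1.1"',
    'Jun  3 10:01:12 lb1 haproxy[2201]: 203.0.113.7:51030 [03/Jun/2019:10:01:12.009] '
    'http-in web/srv2 1/0/0/15/16 404 512 - - ---- 2/2/1/1/0 0/0 {example.com} {} '
    '"GET /missing HTTP/1.1"',
]

if __name__ == "__main__":
    for ip, n in suspicious_clients(SAMPLE_LINES).items():
        print(f"{ip}: {n} abnormal request terminations")
```

A 408 with cR-- and <BADREQ> is what timeout http-request produces; a 403 with PR-- is an http-request deny. Feed real lines through the same regex before relying on it, because captured headers and cookies change the number of fields per line.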

Bind options

Option | Description | Remarks
ca-ignore-err <errors> | Sets a comma-separated list of error IDs to ignore during verify at depth > 0 |
crt-ignore-err <errors> | Sets a comma-separated list of error IDs to ignore during verify at depth == 0 |
no-sslv3 | Disables support for SSLv3 on any sockets instantiated from the listener when SSL is supported | Only excludes SSLv3; TLSv1.0 and TLSv1.1 stay enabled unless ssl-min-ver is set
ssl-min-ver <version> | Enforces use of <version> or upper on SSL connections instantiated from this listener | <version> is one of TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3
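The tables above (global parameters, proxy keywords, timeouts and bind options) each carry a setting that is easy to get wrong: ulimit-n set by hand, option httpclose, a TLS bind protected only by no-sslv3, a missing timeout http-request. The Python linter below, added here as an example and not HAProxy's own tooling, parses a minimal haproxy.cfg and reports those cases, with a weak configuration beside a hardened one. Both configurations, the section parser, the finding codes, the TLSv1.2 floor and the simplified inheritance (one defaults section applies to everything after it) are the example's own assumptions.

```python
"""Lint a small haproxy.cfg for the weak settings discussed above.
Added example; both configurations are constructed, not real deployments."""
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")


def parse_cfg(text):
    """Return [(kind, name, [tokenised lines]), ...] with comments stripped."""
    sections = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in SECTIONS:
            sections.append((tokens[0], " ".join(tokens[1:]), []))
        elif sections:
            sections[-1][2].append(tokens)
    return sections


def _has(lines, *prefix):
    return any(t[:len(prefix)] == list(prefix) for t in lines)


def _min_ver(tokens):
    return tokens[tokens.index("ssl-min-ver") + 1] if "ssl-min-ver" in tokens else None


def lint(text):
    """Return (section, code, message) findings; an empty list means clean."""
    findings, global_min_ver, defaults = [], None, []
    for kind, name, lines in parse_cfg(text):
        where = f"{kind} {name}".strip()
        if kind == "global":
            if _has(lines, "ulimit-n"):
                findings.append((where, "ULIMIT_N", "set maxconn instead; haproxy sizes the fd limit itself"))
            for t in lines:
                if t[0] == "ssl-default-bind-options":
                    global_min_ver = _min_ver(t)
            continue
        if _has(lines, "option", "httpclose"):
            findings.append((where, "HTTPCLOSE", "deprecated; prefer option http-server-close"))
        if kind == "defaults":
            defaults = lines                      # inherited by the sections that follow
            continue
        effective = defaults + lines
        mode = next((t[1] for t in reversed(effective) if t[0] == "mode"), "tcp")  # haproxy default
        if kind in ("frontend", "listen"):
            for t in lines:
                if t[0] == "bind" and "ssl" in t:
                    ver = _min_ver(t) or global_min_ver
                    if ver is None or ver in ("SSLv3", "TLSv1.0", "TLSv1.1"):   # floor chosen here: TLSv1.2
                        findings.append((where, "TLS_MIN_VER", f"{t[1]}: ssl-min-ver is {ver or 'unset'} "
                                         "(no-sslv3 alone still admits TLSv1.0/1.1); require TLSv1.2 or higher"))
            if not _has(effective, "timeout", "client"):
                findings.append((where, "TIMEOUT_CLIENT", "no client inactivity timeout"))
            if mode == "http" and not _has(effective, "timeout", "http-request"):
                findings.append((where, "TIMEOUT_HTTP_REQUEST", "slow-header clients can hold connections open"))
        if kind in ("backend", "listen"):
            for kw in ("connect", "server"):
                if not _has(effective, "timeout", kw):
                    findings.append((where, "TIMEOUT_" + kw.upper(), f"no timeout {kw}"))
    return findings


WEAK_CFG = """
global
    ulimit-n 65536
    ssl-default-bind-options no-sslv3
defaults
    mode http
    option httpclose
    timeout connect 5s
    timeout client 30s
    timeout server 30s
frontend https-in
    bind :443 ssl crt /etc/haproxy/site.pem no-sslv3
    default_backend web
backend web
    server srv1 10.0.0.11:8080 check
"""

HARDENED_CFG = """
global
    maxconn 20000
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
    mode http
    option http-server-close
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-request 10s
frontend https-in
    bind :443 ssl crt /etc/haproxy/site.pem
    default_backend web
backend web
    server srv1 10.0.0.11:8080 check
"""
```

Run `lint(WEAK_CFG)` to see the four findings and `lint(HARDENED_CFG)` to confirm the corrected file is clean; `haproxy -c -f` remains the authority on syntax, this only checks the policy points above.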

Sample Fetch Methods

Method | Type | Description | Remarks
req.payload_lv(<offset1>,<length>[,<offset2>]) | binary | Extracts a binary block whose size is specified at <offset1> for <length> bytes, and which starts at <offset2> if specified or just after the length in the request buffer | <offset2> may be relative when prefixed with "+" or "-"
res.payload_lv(<offset1>,<length>[,<offset2>]) | binary | Same as req.payload_lv, applied to the response buffer |
req.ssl_hello_type | integer | Returns the type of the SSL hello message found in the request buffer if the buffer contains data that parses as a complete SSL (v3 or superior) client hello message | Works only on raw buffer contents, not on data deciphered by a "bind ... ssl" line; 1 = client hello
res.ssl_hello_type | integer | Returns the type of the SSL hello message found in the response buffer if the buffer contains data that parses as a complete SSL (v3 or superior) hello message |
req.hdr([<name>[,<occ>]]) | string | Extracts the last occurrence of header <name> in an HTTP request | When used from an ACL, all occurrences are iterated over until a match is found
res.hdr([<name>[,<occ>]]) | string | Extracts the last occurrence of header <name> in an HTTP response |
hdr([<name>[,<occ>]]) | string | Equivalent to req.hdr() when used on requests, and to res.hdr() when used on responses |
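req.ssl_hello_type and req.payload_lv operate on the raw bytes sitting in the request buffer, which is why a tcp-mode frontend pairs them with tcp-request inspect-delay: until a complete record has arrived the fetch yields nothing and the rule waits. The Python below, added here as an example rather than HAProxy code, builds a TLS 1.2 ClientHello and re-implements both fetches over it, plus the walk to the server_name extension that req.ssl_sni performs (a fetch not in the table above). Offset 43 in payload_lv(43,1) is the session-ID length byte (5 record + 4 handshake + 2 version + 32 random bytes), which is the classic use of this fetch for SSL session-ID stickiness. The ClientHello contents (zero random, two cipher suites) are constructed; the functions mimic the fetches' semantics and are not HAProxy's implementation.

```python
"""What req.ssl_hello_type and req.payload_lv compute over a raw TLS
ClientHello, as a tcp-mode frontend sees it after 'tcp-request inspect-delay'.
Added example; the ClientHello is built here, not captured."""
import struct


def build_client_hello(sni, session_id=bytes(32)):
    """Assemble a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    host = sni.encode("ascii")
    name_list = struct.pack("!BH", 0, len(host)) + host        # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(name_list)) + name_list
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext         # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                            # version, random (zeros: constructed)
            + struct.pack("!B", len(session_id)) + session_id
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"       # two cipher suites
            + b"\x01\x00"                                      # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ssl_hello_type(buf):
    """Mimic req.ssl_hello_type: the handshake type (1 = ClientHello) if buf holds
    one complete SSLv3+ handshake record, otherwise None (HAProxy keeps waiting
    until inspect-delay expires)."""
    if len(buf) < 9 or buf[0] != 0x16 or buf[1] != 0x03:
        return None
    rec_len = struct.unpack("!H", buf[3:5])[0]
    if len(buf) < 5 + rec_len or int.from_bytes(buf[6:9], "big") + 4 > rec_len:
        return None
    return buf[5]


def payload_lv(buf, offset1, length, offset2=None):
    """Mimic req.payload_lv(offset1,length[,offset2]): read a big-endian size
    field of <length> bytes at <offset1>, then return that many bytes starting
    at <offset2> (absolute, or '+n'/'-n' relative to the end of the size field;
    default: right after it). None when the buffer is too short."""
    if offset1 + length > len(buf):
        return None
    size = int.from_bytes(buf[offset1:offset1 + length], "big")
    start = offset1 + length
    if isinstance(offset2, str):
        start += int(offset2)
    elif offset2 is not None:
        start = offset2
    return buf[start:start + size] if 0 <= start and start + size <= len(buf) else None


def ssl_sni(buf):
    """Walk the ClientHello to the server_name extension (what req.ssl_sni returns)."""
    if ssl_hello_type(buf) != 1:
        return None
    try:
        pos = 43                                   # 5 record + 4 handshake + 2 version + 32 random
        pos += 1 + buf[pos]                        # session_id
        pos += 2 + struct.unpack("!H", buf[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + buf[pos]                        # compression_methods
        if pos + 2 > len(buf):
            return None                            # no extensions block at all
        end = pos + 2 + struct.unpack("!H", buf[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
            pos += 4
            if ext_type == 0:                      # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", buf[pos + 3:pos + 5])[0]
                return buf[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error):             # truncated or malformed hello
        return None
    return None
```

The equivalent rules on the HAProxy side are `tcp-request inspect-delay 5s` followed by `tcp-request content accept if { req.ssl_hello_type 1 }`, with `payload_lv(43,1)` usable as a stick-table key for session-ID persistence.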

Readings

Proxying

SSL

WebSockets

HTTP/2

Load Balancing

Logging and Statistics

Throttling

Wireshark

References

Operator | Symbol | Description | Remarks
eq | == | Equal |
ne | != | Not equal |
gt | > | Greater than |
lt | < | Less than |
ge | >= | Greater than or equal to |
le | <= | Less than or equal to |
contains | | Does the protocol, field or slice contain a value | Byte-wise and case-sensitive
matches | ~ | Does the protocol or text string match the given case-insensitive Perl-compatible regex |
[i:j] | | Slice with i = start_offset, j = length |
[i-j] | | Slice with i = start_offset, j = end_offset, inclusive |
[i] | | Slice with i = start_offset, length = 1 |
[:j] | | Slice with start_offset = 0, length = j |
[i:] | | Slice with start_offset = i, end_offset = end_of_field |
and | && | Logical AND |
or | || | Logical OR |
not | ! | Logical NOT |
Protocol | Typical Fields | Description | Remarks
tcp | port, srcport, dstport | Transmission Control Protocol |
ip | addr, dst, src | Internet Protocol Version 4 |
http | host, request.method, request.uri | Hypertext Transfer Protocol |
ssl | handshake.type, handshake.extensions_server_name | Secure Sockets Layer | Renamed to tls (tls.*) in Wireshark 3.0 and later
websocket | | WebSocket |
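The slice forms in the table differ in what j means ([i:j] takes a length, [i-j] an inclusive end offset), and contains is byte-wise and case-sensitive while matches is a case-insensitive regex. The Python below, added as an example and not Wireshark code, evaluates those operators on a byte field the way a display filter would, and composes them into the tcp.payload[0] == 16 && tcp.payload[5] == 01 idiom for spotting a TLS ClientHello. Negative start offsets counting from the end of the field go beyond the table but are accepted by Wireshark. The sample payloads are constructed.

```python
"""Evaluate Wireshark slice and comparison operators on a raw byte field,
to show exactly what [i:j], [i-j], [i], [:j] and [i:] select.
Added example; the sample payloads are constructed."""
import re

SLICE_RE = re.compile(r"^\[(?P<i>-?\d+)?(?P<sep>[:-])?(?P<j>\d+)?\]$")


def wireshark_slice(field, spec):
    """Apply one slice spec to bytes. Negative i counts from the end, as in Wireshark."""
    m = SLICE_RE.match(spec.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported slice {spec!r}")
    i, sep, j = m.group("i"), m.group("sep"), m.group("j")
    if (sep is None and i is None) or (sep == "-" and None in (i, j)):
        raise ValueError(f"unsupported slice {spec!r}")
    n = len(field)
    start = int(i) if i is not None else 0
    if start < 0:
        start += n
    if sep is None:            # [i]       one byte
        end = start + 1
    elif sep == "-":           # [i-j]     j is an inclusive end offset
        end = int(j) + 1
    elif j is None:            # [i:]      to the end of the field
        end = n
    else:                      # [i:j], [:j]   j is a length
        end = start + int(j)
    if not 0 <= start <= end <= n:
        raise ValueError(f"slice {spec!r} outside a {n}-byte field")
    return field[start:end]


OPERATORS = {
    "eq": lambda a, b: a == b, "==": lambda a, b: a == b,
    "ne": lambda a, b: a != b, "!=": lambda a, b: a != b,
    "gt": lambda a, b: a > b,  ">": lambda a, b: a > b,
    "lt": lambda a, b: a < b,  "<": lambda a, b: a < b,
    "ge": lambda a, b: a >= b, ">=": lambda a, b: a >= b,
    "le": lambda a, b: a <= b, "<=": lambda a, b: a <= b,
    "contains": lambda a, b: b in a,                                  # case-sensitive substring
    "matches": lambda a, b: re.search(b, a, re.IGNORECASE) is not None,  # case-insensitive regex
    "~": lambda a, b: re.search(b, a, re.IGNORECASE) is not None,
}


def evaluate(field, op, value):
    """field <op> value, with both as bytes (or ints for the ordering operators)."""
    return OPERATORS[op](field, value)


def looks_like_client_hello(tcp_payload):
    """The display-filter idiom  tcp.payload[0] == 16 && tcp.payload[5] == 01
    (record type handshake, handshake type ClientHello), evaluated here."""
    return (evaluate(wireshark_slice(tcp_payload, "[0]"), "==", b"\x16")
            and evaluate(wireshark_slice(tcp_payload, "[5]"), "==", b"\x01"))


# Constructed payloads: an HTTP request and the first bytes of a TLS ClientHello record.
HTTP_PAYLOAD = b"GET /login?user=admin HTTP/1.1\r\nHost: WWW.Example.com\r\n\r\n"
TLS_PAYLOAD = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"
```

A filter such as `tcp.payload contains "admin"` therefore misses `ADMIN`, while `tcp.payload matches "admin"` catches both; reach for slices when you need a fixed byte at a fixed offset rather than a substring anywhere.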

Readings

Tips and Tricks

Typical display filters

ip.src == 192.168.1.31 and ip.addr == 203.252.150.28 and http

tcpdump

tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
        [ -c count ] [ -C file_size ]
        [ -E spi@ipaddr algo:secret,... ]
        [ -F file ] [ -G rotate_seconds ] [ -i interface ]
        [ --immediate-mode ] [ -j tstamp_type ] [ -m module ]
        [ -M secret ] [ --number ] [ --print ] [ -Q in|out|inout ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ --version ]
        [ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ]
        [ -z postrotate-command ] [ -Z user ]
        [ --time-stamp-precision=tstamp_precision ]
        [ expression ]

Options

Option | Description | Remarks
-n | Don't convert addresses to names |
-i interface | Listen on interface |
-A | Print each packet (minus its link-level header) in ASCII | Handy for capturing web pages
-s snaplen | Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes | Setting snaplen to 0 sets it to the default of 262144
-x | When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link-level header) in hex |

Filter Expression

Primitive | Description | Remarks
dst host <host> | True if the IPv4/v6 destination field of the packet is <host> |
src host <host> | True if the IPv4/v6 source field of the packet is <host> |
host <host> | True if either the IPv4/v6 source or destination of the packet is <host> |