maxconn X X X -
mode X X X X
monitor fail - X X -
-monitor-net X X X -
monitor-uri X X X -
option abortonclose (*) X - X X
option accept-invalid-http-request (*) X X X -
monitor-uri /site_alive
monitor fail if site_dead
- See also : "monitor-net", "monitor-uri", "errorfile", "errorloc"
-
-
-monitor-net <source>
- Declare a source network which is limited to monitor requests
- May be used in sections : defaults | frontend | listen | backend
- yes | yes | yes | no
- Arguments :
- <source> is the source IPv4 address or network which will only be able to
- get monitor responses to any request. It can be either an IPv4
- address, a host name, or an address followed by a slash ('/')
- followed by a mask.
-
- In TCP mode, any connection coming from a source matching <source> will cause
- the connection to be immediately closed without any log. This allows another
- equipment to probe the port and verify that it is still listening, without
- forwarding the connection to a remote server.
-
- In HTTP mode, a connection coming from a source matching <source> will be
- accepted, the following response will be sent without waiting for a request,
- then the connection will be closed : "HTTP/1.0 200 OK". This is normally
- enough for any front-end HTTP probe to detect that the service is UP and
- running without forwarding the request to a backend server. Note that this
- response is sent in raw format, without any transformation. This is important
- as it means that it will not be SSL-encrypted on SSL listeners.
-
- Monitor requests are processed very early, just after tcp-request connection
- ACLs which are the only ones able to block them. These connections are short
- lived and never wait for any data from the client. They cannot be logged, and
- it is the intended purpose. They are only used to report HAProxy's health to
- an upper component, nothing more. Please note that "monitor fail" rules do
- not apply to connections intercepted by "monitor-net".
-
- Last, please note that only one "monitor-net" statement can be specified in
- a frontend. If more than one is found, only the last one will be considered.
-
- Example :
- # addresses .252 and .253 are just probing us.
- frontend www
- monitor-net 192.168.0.252/31
-
- See also : "monitor fail", "monitor-uri"
+ See also : "monitor-uri", "errorfile", "errorloc"
monitor-uri <uri>
mode http
monitor-uri /haproxy_test
- See also : "monitor fail", "monitor-net"
+ See also : "monitor fail"
option abortonclose
If this option has been enabled in a "defaults" section, it can be disabled
in a specific instance by prepending the "no" keyword before it.
- See also : "log", "http-ignore-probes", "monitor-net", "monitor-uri", and
+ See also : "log", "http-ignore-probes", "monitor-uri", and
section 8 about logging.
setting "option dontlognull" in the frontend. It also disables logging of
port scans, which may or may not be desired.
- - if the connection come from a known source network, use "monitor-net" to
- declare this network as monitoring only. Any host in this network will then
- only be able to perform health checks, and their requests will not be
- logged. This is generally appropriate to designate a list of equipment
- such as other load-balancers.
+ - it is possible to use the "http-request set-log-level silent" action using
+ a variety of conditions (source networks, paths, user-agents, etc).
- if the tests are performed on a known URI, use "monitor-uri" to declare
this URI as dedicated to monitoring. Any host sending this request will
#define LI_O_DEF_ACCEPT 0x0008 /* wait up to 1 second for data before accepting */
#define LI_O_TCP_L4_RULES 0x0010 /* run TCP L4 rules checks on the incoming connection */
#define LI_O_TCP_L5_RULES 0x0020 /* run TCP L5 rules checks on the incoming session */
-#define LI_O_CHK_MONNET 0x0040 /* check the source against a monitor-net rule */
+/* unused 0x0040 */
#define LI_O_ACC_PROXY 0x0080 /* find the proxied address in the first request line */
#define LI_O_UNLIMITED 0x0100 /* listener not subject to global limits (peers & stats socket) */
#define LI_O_TCP_FO 0x0200 /* enable TCP Fast Open (linux >= 3.7) */
int options; /* PR_O_REDISP, PR_O_TRANSP, ... */
int options2; /* PR_O2_* */
int max_out_conns; /* Max number of idling connections we keep for a session */
- struct in_addr mon_net, mon_mask; /* don't forward connections from this net (network order) FIXME: should support IPv6 */
unsigned int ck_opts; /* PR_CK_* (cookie options) */
unsigned int fe_req_ana, be_req_ana; /* bitmap of common request protocol analysers for the frontend and backend */
unsigned int fe_rsp_ana, be_rsp_ana; /* bitmap of common response protocol analysers for the frontend and backend */
curproxy->timeout.tarpit = defproxy.timeout.tarpit;
curproxy->timeout.httpreq = defproxy.timeout.httpreq;
curproxy->timeout.httpka = defproxy.timeout.httpka;
- curproxy->mon_net = defproxy.mon_net;
- curproxy->mon_mask = defproxy.mon_mask;
if (defproxy.monitor_uri)
curproxy->monitor_uri = strdup(defproxy.monitor_uri);
curproxy->monitor_uri_len = defproxy.monitor_uri_len;
goto out;
}
else if (!strcmp(args[0], "monitor-net")) { /* set the range of IPs to ignore */
- if (!*args[1] || !str2net(args[1], 1, &curproxy->mon_net, &curproxy->mon_mask)) {
- ha_alert("parsing [%s:%d] : '%s' expects address[/mask].\n",
- file, linenum, args[0]);
- err_code |= ERR_ALERT | ERR_FATAL;
- goto out;
- }
- if (warnifnotcap(curproxy, PR_CAP_FE, file, linenum, args[0], NULL))
- err_code |= ERR_WARN;
-
- /* flush useless bits */
- curproxy->mon_net.s_addr &= curproxy->mon_mask.s_addr;
+ ha_alert("parsing [%s:%d] : 'monitor-net' doesn't exist anymore. Please use 'http-request return status 200 if { src %s }' instead.\n", file, linenum, args[1]);
+ err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
else if (!strcmp(args[0], "monitor-uri")) { /* set the URI to intercept */
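Review bot: The new `ha_alert()` in the `monitor-net` branch formats `args[1]` into the suggested rule without the `!*args[1]` test the removed code had, so a bare `monitor-net` line would presumably print a hint ending in `if { src  }` with no address. The hint also covers only HTTP frontends: the removed documentation says TCP-mode matches were closed immediately and never logged, which `http-request return` cannot reproduce. On SSL listeners the old reply was sent raw, so migrated probes will presumably have to complete the TLS handshake and will show up in the logs unless silenced. I would pass `*args[1] ? args[1] : "<source>"` as the last argument and extend the message with something like `In TCP mode, use 'tcp-request connection reject if { src ... }'.` The enclosing keyword parser starts and ends outside this hunk.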
if (!LIST_ISEMPTY(&curproxy->tcp_req.l5_rules))
listener->options |= LI_O_TCP_L5_RULES;
- if (curproxy->mon_mask.s_addr)
- listener->options |= LI_O_CHK_MONNET;
-
/* smart accept mode is automatic in HTTP mode */
if ((curproxy->options2 & PR_O2_SMARTACC) ||
((curproxy->mode == PR_MODE_HTTP || listener->bind_conf->is_ssl) &&
goto out_free_sess;
}
- /* monitor-net and health mode are processed immediately after TCP
- * connection rules. This way it's possible to block them, but they
- * never use the lower data layers, they send directly over the socket,
- * as they were designed for. We first flush the socket receive buffer
- * in order to avoid emission of an RST by the system. We ignore any
- * error.
- */
- if (unlikely(((l->options & LI_O_CHK_MONNET) &&
- addr->ss_family == AF_INET &&
- (((struct sockaddr_in *)addr)->sin_addr.s_addr & p->mon_mask.s_addr) == p->mon_net.s_addr))) {
- /* we have 4 possibilities here :
- * - HTTP mode, from monitoring address => send "HTTP/1.0 200 OK"
- * - HEALTH mode with HTTP check => send "HTTP/1.0 200 OK"
- * - HEALTH mode without HTTP check => just send "OK"
- * - TCP mode from monitoring address => just close
- */
- if (l->rx.proto->drain)
- l->rx.proto->drain(cfd);
- if (p->mode == PR_MODE_HTTP)
- send(cfd, "HTTP/1.0 200 OK\r\n\r\n", 19, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_MORE);
- ret = 0;
- goto out_free_sess;
- }
-
/* Adjust some socket options */
if (l->rx.addr.ss_family == AF_INET || l->rx.addr.ss_family == AF_INET6) {
setsockopt(cfd, IPPROTO_TCP, TCP_NODELAY, (char *) &one, sizeof(one));