upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-02-20 00:10:41 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 14
haproxy/include/types/global.h

275 lines
10 KiB
C
Raw Normal View History

[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
/*
[MEDIUM] http: revert to use a swap buffer for realignment The bounce realign function was algorithmically good but as expected it was not cache-friendly. Using it with large requests caused so many cache thrashing that the function itself could drain 70% of the total CPU time for only 0.5% of the calls ! Revert back to a standard memcpy() using a specially allocated swap buffer. We're now back to 2M req/s on pipelined requests.
2010-02-26 05:12:27 -05:00
* include/types/global.h
* Global variables.
*
MAJOR: polling: replace epoll with sepoll and remove sepoll Now that all pollers make use of speculative I/O, there is no point having two epoll implementations, so replace epoll with the sepoll code and remove sepoll which has just become the standard epoll method.
2012-11-11 11:42:00 -05:00
* Copyright (C) 2000-2012 Willy Tarreau - w@1wt.eu
[MEDIUM] http: revert to use a swap buffer for realignment The bounce realign function was algorithmically good but as expected it was not cache-friendly. Using it with large requests caused so many cache thrashing that the function itself could drain 70% of the total CPU time for only 0.5% of the calls ! Revert back to a standard memcpy() using a specially allocated swap buffer. We're now back to 2M req/s on pipelined requests.
2010-02-26 05:12:27 -05:00
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation, version 2.1
* exclusively.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
#ifndef _TYPES_GLOBAL_H
#define _TYPES_GLOBAL_H
#include <netinet/in.h>
[CLEANUP] included common/version.h everywhere
2006-06-29 12:54:54 -04:00
#include <common/config.h>
BUILD: fix dependencies between config and compat.h compat.h only depends on the system, and config needs compat, not the opposite. global.h was fixed to explicitly include standard.h for LONGBITS.
2014-07-15 12:05:58 -04:00
#include <common/standard.h>
CLEANUP: global: remove one ifdef USE_DEVICEATLAS The include file already has the ifdef, let's remove it from the global file.
2015-06-01 09:38:33 -04:00
#include <import/da.h>
REORG: buffers: split buffers into chunk,buffer,channel Many parts of the channel definition still make use of the "buffer" word.
2012-08-24 13:22:53 -04:00
#include <types/freq_ctr.h>
REORG: split "protocols" files into protocol and listener It was becoming confusing to have protocols and listeners in the same files, split them.
2012-09-12 16:58:11 -04:00
#include <types/listener.h>
[MEDIUM] make the global stats socket part of a frontend Creating a frontend for the global stats socket will help merge unix sockets management with the other socket management. Since frontends are huge structs, we only allocate it if required.
2009-08-16 11:41:45 -04:00
#include <types/proxy.h>
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
#include <types/task.h>
MEDIUM: vars: Add a per-process scope for variables Now it is possible to use variables attached to a process. The scope name is 'proc'. These variables are released only when HAProxy is stopped. 'tune.vars.proc-max-size' directive has been added to confiure the maximum amount of memory used by "proc" variables. And because memory accounting is hierachical for variables, memory for "proc" vars includes memory for "sess" vars.
2016-11-09 05:36:17 -05:00
#include <types/vars.h>
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
MINOR: global: add several 51Degrees members to global These are : fiftyoneDegreesDataSet _51d_data_set char *_51d_data_file_path char _51d_property_seperator struct list _51d_property_names
2015-05-12 10:47:24 -04:00
#ifdef USE_51DEGREES
MEDIUM: 51Degrees code refactoring and cleanup Moved 51Degrees code from src/haproxy.c, src/sample.c and src/cfgparse.c into a separate files src/51d.c and include/import/51d.h. Added two new functions init_51degrees() and deinit_51degrees(), updated Makefile and other code reorganizations related to 51Degrees.
2015-06-29 10:43:25 -04:00
#include <import/51d.h>
MINOR: global: add several 51Degrees members to global These are : fiftyoneDegreesDataSet _51d_data_set char *_51d_data_file_path char _51d_property_seperator struct list _51d_property_names
2015-05-12 10:47:24 -04:00
#endif
MINOR: ssl: add 'crt-base' and 'ca-base' global statements. 'crt-base' sets root directory used for relative certificates paths. 'ca-base' sets root directory used for relative CAs and CRLs paths.
2012-10-02 12:42:10 -04:00
#ifndef UNIX_MAX_PATH
#define UNIX_MAX_PATH 108
#endif
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
/* modes of operation (global.mode) */
[MEDIUM] introduce the "stats" keyword in global section Removed old unused MODE_LOG and MODE_STATS, and replaced the "stats" keyword in the global section. The new "stats" keyword in the global section is used to create a UNIX socket on which the statistics will be accessed. The client must issue a "show stat\n" command in order to get a CSV-formated output similar to the output on the HTTP socket in CSV mode.
2007-10-18 07:53:22 -04:00
#define MODE_DEBUG 0x01
#define MODE_DAEMON 0x02
#define MODE_QUIET 0x04
#define MODE_CHECK 0x08
#define MODE_VERBOSE 0x10
#define MODE_STARTING 0x20
#define MODE_FOREGROUND 0x40
MEDIUM: New cli option -Ds for systemd compatibility This patch adds a new option "-Ds" which is exactly like "-D", but instead of forking n times to get n jobs running and then exiting, prefers to wait for all the children it just created. With this done, haproxy becomes more systemd-compliant, without changing anything for other systems. Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
2013-02-12 04:53:52 -05:00
#define MODE_SYSTEMD 0x80
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
[MAJOR] support for source binding via cttproxy Using the cttproxy kernel patch, it's possible to bind to any source address. It is highly recommended to use the 03-natdel patch with the other ones. A new keyword appears as a complement to the "source" keyword : "usesrc". The source address is mandatory and must be valid on the interface which will see the packets. The "usesrc" option supports "client" (for full client_ip:client_port spoofing), "client_ip" (for client_ip spoofing) and any 'IP[:port]' combination to pretend to be another machine. Right now, the source binding is missing from server health-checks if set to another address. It must be implemented (think restricted firewalls). The doc is still missing too.
2006-11-12 17:57:19 -05:00
/* list of last checks to perform, depending on config options */
#define LSTCHK_CAP_BIND 0x00000001 /* check that we can bind to any port */
MAJOR: tproxy: remove support for cttproxy This was the first transparent proxy technology supported by haproxy circa 2005 but it was obsoleted in 2007 by Tproxy 4.0 which removed a lot of the earlier versions' shortcomings and was finally merged into the kernel. Since nobody has been using cttproxy for many years now and nobody has even just tried to compile the files, it's time to remove it. The doc was updated as well.
2015-08-20 13:35:14 -04:00
#define LSTCHK_NETADM 0x00000002 /* check that we have CAP_NET_ADMIN */
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
[MEDIUM] move global tuning options to the global structure The global tuning options right now only concern the polling mechanisms, and they are not in the global struct itself. It's not very practical to add other options so let's move them to the global struct and remove types/polling.h which was not used for anything else.
2009-01-25 09:42:27 -05:00
/* Global tuning options */
/* available polling mechanisms */
#define GTUNE_USE_SELECT (1<<0)
#define GTUNE_USE_POLL (1<<1)
#define GTUNE_USE_EPOLL (1<<2)
#define GTUNE_USE_KQUEUE (1<<3)
[MEDIUM] splice: add the global "nosplice" option Setting "nosplice" in the global section will disable the use of TCP splicing (both tcpsplice and linux 2.6 splice). The same will be achieved using the "-dS" parameter on the command line.
2009-01-25 10:03:28 -05:00
/* platform-specific options */
MAJOR: polling: replace epoll with sepoll and remove sepoll Now that all pollers make use of speculative I/O, there is no point having two epoll implementations, so replace epoll with the sepoll code and remove sepoll which has just become the standard epoll method.
2012-11-11 11:42:00 -05:00
#define GTUNE_USE_SPLICE (1<<4)
BUG/MINOR: Fix name lookup ordering when compiled with USE_GETADDRINFO When compiled with USE_GETADDRINFO, make sure we use getaddrinfo(3) to perform name lookups. On default dual-stack setups this will change the behavior of using IPv6 first. Global configuration option 'nogetaddrinfo' can be used to revert to deprecated gethostbyname(3).
2014-04-14 09:56:58 -04:00
#define GTUNE_USE_GAI (1<<5)
MEDIUM: make SO_REUSEPORT configurable With Linux officially introducing SO_REUSEPORT support in 3.9 and its mainstream adoption we have seen more people running into strange SO_REUSEPORT related issues (a process management issue turning into hard to diagnose problems because the kernel load-balances between the new and an obsolete haproxy instance). Also some people simply want the guarantee that the bind fails when the old process is still bound. This change makes SO_REUSEPORT configurable, introducing the command line argument "-dR" and the noreuseport configuration directive. A backport to 1.6 should be considered.
2016-09-12 17:42:20 -04:00
#define GTUNE_USE_REUSEPORT (1<<6)
MINOR: init: add -dr to ignore server address resolution failures It is very common when validating a configuration out of production not to have access to the same resolvers and to fail on server address resolution, making it difficult to test a configuration. This option simply appends the "none" method to the list of address resolution methods for all servers, ensuring that even if the libc fails to resolve an address, the startup sequence is not interrupted.
2016-11-07 15:03:16 -05:00
#define GTUNE_RESOLVE_DONTFAIL (1<<7)
[MEDIUM] move global tuning options to the global structure The global tuning options right now only concern the polling mechanisms, and they are not in the global struct itself. It's not very practical to add other options so let's move them to the global struct and remove types/polling.h which was not used for anything else.
2009-01-25 09:42:27 -05:00
[MEDIUM] add access restrictions to the stats socket The stats socket can now run at 3 different levels : - user - operator (default one) - admin These levels are used to restrict access to some information and commands. Only the admin can clear all stats. A user cannot clear anything nor access sensible data such as sessions or errors.
2009-10-10 11:13:00 -04:00
/* Access level for a stats socket */
#define ACCESS_LVL_NONE 0
#define ACCESS_LVL_USER 1
#define ACCESS_LVL_OPER 2
#define ACCESS_LVL_ADMIN 3
[MEDIUM] move global tuning options to the global structure The global tuning options right now only concern the polling mechanisms, and they are not in the global struct itself. It's not very practical to add other options so let's move them to the global struct and remove types/polling.h which was not used for anything else.
2009-01-25 09:42:27 -05:00
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
/* SSL server verify mode */
enum {
SSL_SERVER_VERIFY_NONE = 0,
SSL_SERVER_VERIFY_REQUIRED = 1,
};
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
/* FIXME : this will have to be redefined correctly */
struct global {
MINOR: ssl: add 'crt-base' and 'ca-base' global statements. 'crt-base' sets root directory used for relative certificates paths. 'ca-base' sets root directory used for relative CAs and CRLs paths.
2012-10-02 12:42:10 -04:00
#ifdef USE_OPENSSL
char *crt_base; /* base directory path for certificates */
char *ca_base; /* base directory path for CAs and CRLs */
#endif
[MAJOR] support for source binding via cttproxy Using the cttproxy kernel patch, it's possible to bind to any source address. It is highly recommended to use the 03-natdel patch with the other ones. A new keyword appears as a complement to the "source" keyword : "usesrc". The source address is mandatory and must be valid on the interface which will see the packets. The "usesrc" option supports "client" (for full client_ip:client_port spoofing), "client_ip" (for client_ip spoofing) and any 'IP[:port]' combination to pretend to be another machine. Right now, the source binding is missing from server health-checks if set to another address. It must be implemented (think restricted firewalls). The doc is still missing too.
2006-11-12 17:57:19 -05:00
int uid;
int gid;
MEDIUM: Add external check Add an external check which makes use of an external process to check the status of a server.
2014-06-19 23:30:16 -04:00
int external_check;
[MAJOR] support for source binding via cttproxy Using the cttproxy kernel patch, it's possible to bind to any source address. It is highly recommended to use the 03-natdel patch with the other ones. A new keyword appears as a complement to the "source" keyword : "usesrc". The source address is mandatory and must be valid on the interface which will see the packets. The "usesrc" option supports "client" (for full client_ip:client_port spoofing), "client_ip" (for client_ip spoofing) and any 'IP[:port]' combination to pretend to be another machine. Right now, the source binding is missing from server health-checks if set to another address. It must be implemented (think restricted firewalls). The doc is still missing too.
2006-11-12 17:57:19 -05:00
int nbproc;
[MEDIUM] stats: add the "set maxconn" setting to the command line interface This option permits to change the global maxconn setting within the limit that was set by the initial value, which is now reported as the hard maxconn value. This allows to immediately accept more concurrent connections or to stop accepting new ones until the value passes below the indicated setting. The main use of this option is on systems where many haproxy instances are loaded and admins need to re-adjust resource sharing at run time to regain a bit of fairness between processes.
2011-09-07 08:38:31 -04:00
int maxconn, hardmaxconn;
MEDIUM: config: implement maxsslconn in the global section SSL connections take a huge amount of memory, and unfortunately openssl does not check malloc() returns and easily segfaults when too many connections are used. The only solution against this is to provide a global maxsslconn setting to reject SSL connections above the limit in order to avoid reaching unsafe limits.
2012-09-06 05:58:37 -04:00
int maxsslconn;
MINOR: global: report information about the cost of SSL connections An SSL connection takes some memory when it exists and during handshakes. We measured up to 16kB for an established endpoint, and up to 76 extra kB during a handshake. The SSL layer stores these values into the global struct during initialization. If other SSL libs are used, it's easy to change these values. Anyway they'll only be used as gross estimates in order to guess the max number of SSL conns that can be established when memory is constrained and the limit is not set.
2015-01-15 15:34:39 -05:00
int ssl_session_max_cost; /* how many bytes an SSL session may cost */
int ssl_handshake_max_cost; /* how many bytes an SSL handshake may use */
MINOR: global: always export some SSL-specific metrics We'll need to know the number of SSL connections, their use and their cost soon. In order to avoid getting tons of ifdefs everywhere, always export SSL information in the global section. We add two flags to know whether or not SSL is used in a frontend and in a backend.
2015-01-15 15:32:40 -05:00
int ssl_used_frontend; /* non-zero if SSL is used in a frontend */
int ssl_used_backend; /* non-zero if SSL is used in a backend */
#ifdef USE_OPENSSL
MINOR: ssl: add defines LISTEN_DEFAULT_CIPHERS and CONNECT_DEFAULT_CIPHERS. These ones are used to set the default ciphers suite on "bind" lines and "server" lines respectively, instead of using OpenSSL's defaults. These are probably mainly useful for distro packagers.
2012-10-05 09:47:31 -04:00
char *listen_default_ciphers;
char *connect_default_ciphers;
MINOR: ssl: add statement to force some ssl options in global. Adds global statements 'ssl-default-server-options' and 'ssl-default-bind-options' to force on 'server' and 'bind' lines some ssl options. Currently available options are 'no-sslv3', 'no-tlsv10', 'no-tlsv11', 'no-tlsv12', 'force-sslv3', 'force-tlsv10', 'force-tlsv11', 'force-tlsv12', and 'no-tls-tickets'. Example: global ssl-default-server-options no-sslv3 ssl-default-bind-options no-sslv3
2014-10-30 10:56:50 -04:00
int listen_default_ssloptions;
int connect_default_ssloptions;
MEDIUM: config: implement maxsslconn in the global section SSL connections take a huge amount of memory, and unfortunately openssl does not check malloc() returns and easily segfaults when too many connections are used. The only solution against this is to provide a global maxsslconn setting to reject SSL connections above the limit in order to avoid reaching unsafe limits.
2012-09-06 05:58:37 -04:00
#endif
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
unsigned int ssl_server_verify; /* default verify mode on servers side */
[MEDIUM] add support for global.maxconnrate to limit the per-process conn rate. This one enforces a per-process connection rate limit, regardless of what may be set per frontend. It can be a way to limit the CPU usage of a process being severely attacked. The side effect is that the global process connection rate is now measured for each incoming connection, so it will be possible to report it.
2011-09-07 09:17:21 -04:00
struct freq_ctr conn_per_sec;
MEDIUM: listener: add support for limiting the session rate in addition to the connection rate It's sometimes useful to be able to limit the connection rate on a machine running many haproxy instances (eg: per customer) but it removes the ability for that machine to defend itself against a DoS. Thus, better also provide a limit on the session rate, which does not include the connections rejected by "tcp-request connection" rules. This permits to have much higher limits on the connection rate without having to raise the session rate limit to insane values. The limit can be changed on the CLI using "set rate-limit sessions global", or in the global section using "maxsessrate".
2013-10-07 12:51:07 -04:00
struct freq_ctr sess_per_sec;
MEDIUM: listener: apply a limit on the session rate submitted to SSL Just like the previous commit, we sometimes want to limit the rate of incoming SSL connections. While it can be done for a frontend, it was not possible for a whole process, which makes sense when multiple processes are running on a system to server multiple customers. The new global "maxsslrate" setting is usable to fix a limit on the session rate going to the SSL frontends. The limits applies before the SSL handshake and not after, so that it saves the SSL stack from expensive key computations that would finally be aborted before being accounted for. The same setting may be changed at run time on the CLI using "set rate-limit ssl-session global".
2013-10-07 14:01:52 -04:00
struct freq_ctr ssl_per_sec;
MINOR: stats: report SSL key computations per second It's commonly needed to know how many SSL asymmetric keys are computed per second on either side (frontend or backend), and to know the SSL session reuse ratio. Now we compute these values and report them in "show info".
2014-05-28 06:28:58 -04:00
struct freq_ctr ssl_fe_keys_per_sec;
struct freq_ctr ssl_be_keys_per_sec;
MINOR: compression: maximum compression rate limit This patch adds input and output rate calcutation on the HTTP compresion feature. Compression can be limited with a maximum rate value in kilobytes per second. The rate is set with the global 'maxcomprate' option. You can change this value dynamicaly with 'set rate-limit http-compression global' on the UNIX socket.
2012-11-09 11:05:39 -05:00
struct freq_ctr comp_bps_in; /* bytes per second, before http compression */
struct freq_ctr comp_bps_out; /* bytes per second, after http compression */
[MEDIUM] add support for global.maxconnrate to limit the per-process conn rate. This one enforces a per-process connection rate limit, regardless of what may be set per frontend. It can be a way to limit the CPU usage of a process being severely attacked. The side effect is that the global process connection rate is now measured for each incoming connection, so it will be possible to report it.
2011-09-07 09:17:21 -04:00
int cps_lim, cps_max;
MEDIUM: listener: add support for limiting the session rate in addition to the connection rate It's sometimes useful to be able to limit the connection rate on a machine running many haproxy instances (eg: per customer) but it removes the ability for that machine to defend itself against a DoS. Thus, better also provide a limit on the session rate, which does not include the connections rejected by "tcp-request connection" rules. This permits to have much higher limits on the connection rate without having to raise the session rate limit to insane values. The limit can be changed on the CLI using "set rate-limit sessions global", or in the global section using "maxsessrate".
2013-10-07 12:51:07 -04:00
int sps_lim, sps_max;
MEDIUM: listener: apply a limit on the session rate submitted to SSL Just like the previous commit, we sometimes want to limit the rate of incoming SSL connections. While it can be done for a frontend, it was not possible for a whole process, which makes sense when multiple processes are running on a system to server multiple customers. The new global "maxsslrate" setting is usable to fix a limit on the session rate going to the SSL frontends. The limits applies before the SSL handshake and not after, so that it saves the SSL stack from expensive key computations that would finally be aborted before being accounted for. The same setting may be changed at run time on the CLI using "set rate-limit ssl-session global".
2013-10-07 14:01:52 -04:00
int ssl_lim, ssl_max;
MINOR: stats: report SSL key computations per second It's commonly needed to know how many SSL asymmetric keys are computed per second on either side (frontend or backend), and to know the SSL session reuse ratio. Now we compute these values and report them in "show info".
2014-05-28 06:28:58 -04:00
int ssl_fe_keys_max, ssl_be_keys_max;
MINOR: stats: add counters for SSL cache lookups and misses One important aspect of SSL performance tuning is the cache size, but there's no metric to know whether it's large enough or not. This commit introduces two counters, one for the cache lookups and another one for cache misses. These counters are reported on "show info" on the stats socket. This way, it suffices to see the cache misses counter constantly grow to know that a larger cache could possibly help.
2014-05-28 10:47:01 -04:00
unsigned int shctx_lookups, shctx_misses;
MINOR: compression: maximum compression rate limit This patch adds input and output rate calcutation on the HTTP compresion feature. Compression can be limited with a maximum rate value in kilobytes per second. The rate is set with the global 'maxcomprate' option. You can change this value dynamicaly with 'set rate-limit http-compression global' on the UNIX socket.
2012-11-09 11:05:39 -05:00
int comp_rate_lim; /* HTTP compression rate limit */
[MINOR] global.maxpipes: add the ability to reserve file descriptors for pipes This will be needed to use linux's splice() syscall.
2009-01-18 14:39:42 -05:00
int maxpipes; /* max # of pipes */
[MAJOR] support for source binding via cttproxy Using the cttproxy kernel patch, it's possible to bind to any source address. It is highly recommended to use the 03-natdel patch with the other ones. A new keyword appears as a complement to the "source" keyword : "usesrc". The source address is mandatory and must be valid on the interface which will see the packets. The "usesrc" option supports "client" (for full client_ip:client_port spoofing), "client_ip" (for client_ip spoofing) and any 'IP[:port]' combination to pretend to be another machine. Right now, the source binding is missing from server health-checks if set to another address. It must be implemented (think restricted firewalls). The doc is still missing too.
2006-11-12 17:57:19 -05:00
int maxsock; /* max # of sockets */
int rlimit_nofile; /* default ulimit-n value : 0=unset */
BUG/MEDIUM: config: properly adjust maxconn with nbproc when memmax is forced When memmax is forced using "-m", the per-process memory limit is enforced using setrlimit(), but this value is not used to compute the automatic maxconn limit. In addition, the per-process memory limit didn't consider the fact that the shared SSL cache only needs to be accounted once. The doc was also fixed to clearly state that "-m" is global and not per process. It makes sense because people who use -m want to protect the system's resources regardless of whatever appears in the configuration.
2015-12-14 06:46:07 -05:00
int rlimit_memmax_all; /* default all-process memory limit in megs ; 0=unset */
int rlimit_memmax; /* default per-process memory limit in megs ; 0=unset */
MINOR: compression: report zlib memory usage Show the memory usage and the max memory available for zlib. The value stored is now the memory used instead of the remaining available memory.
2012-11-20 05:25:20 -05:00
long maxzlibmem; /* max RAM for zlib in bytes */
[MAJOR] support for source binding via cttproxy Using the cttproxy kernel patch, it's possible to bind to any source address. It is highly recommended to use the 03-natdel patch with the other ones. A new keyword appears as a complement to the "source" keyword : "usesrc". The source address is mandatory and must be valid on the interface which will see the packets. The "usesrc" option supports "client" (for full client_ip:client_port spoofing), "client_ip" (for client_ip spoofing) and any 'IP[:port]' combination to pretend to be another machine. Right now, the source binding is missing from server health-checks if set to another address. It must be implemented (think restricted firewalls). The doc is still missing too.
2006-11-12 17:57:19 -05:00
int mode;
BUG/MEDIUM: unique_id: HTTP request counter is not stable Patrick Hemmer reported that using unique_id_format and logs did not report the same unique ID counter since commit 9f09521 ("BUG/MEDIUM: unique_id: HTTP request counter must be unique!"). This is because the increment was done while producing the log message, so it was performed twice. A better solution consists in fetching a new value once per request and saving it in the request or session context for all of this request's life. It happens that sessions already have a unique ID field which is used for debugging and reporting errors, and which differs from the one sent in logs and unique_id header. So let's change this to reuse this field to have coherent IDs everywhere. As of now, a session gets a new unique ID once it is instanciated. This means that TCP sessions will also benefit from a unique ID that can be logged. And this ID is renewed for each extra HTTP request received on an existing session. Thus, all TCP sessions and HTTP requests will have distinct IDs that will be stable along all their life, and coherent between all places where they're used (logs, unique_id header, "show sess", "show errors"). This feature is 1.5-specific, no backport to 1.4 is needed.
2014-01-25 05:01:50 -05:00
unsigned int req_count; /* request counter (HTTP or TCP session) for logs and unique_id */
[MAJOR] support for source binding via cttproxy Using the cttproxy kernel patch, it's possible to bind to any source address. It is highly recommended to use the 03-natdel patch with the other ones. A new keyword appears as a complement to the "source" keyword : "usesrc". The source address is mandatory and must be valid on the interface which will see the packets. The "usesrc" option supports "client" (for full client_ip:client_port spoofing), "client_ip" (for client_ip spoofing) and any 'IP[:port]' combination to pretend to be another machine. Right now, the source binding is missing from server health-checks if set to another address. It must be implemented (think restricted firewalls). The doc is still missing too.
2006-11-12 17:57:19 -05:00
int last_checks;
[MEDIUM] Spread health checks even more When one server appears at the same position in multiple backends, it receives all the checks from all the backends exactly at the same time because the health-checks are only spread within a backend but not globally. Attached patch implements per-server start delay in a different way. Checks are now spread globally - not locally to one backend. It also makes them start faster - IMHO there is no need to add a 'server->inter' when calculating first execution. Calculation were moved from cfgparse.c to checks.c. There is a new function start_checks() and now it is not called when haproxy is started in MODE_CHECK. With this patch it is also possible to set a global 'spread-checks' parameter. It takes a percentage value (1..50, probably something near 5..10 is a good idea) so haproxy adds or removes that many percent to the original interval after each check. My test shows that with 18 backends, 54 servers total and 10000ms/5% it takes about 45m to mix them completely. I decided to use rand/srand pseudo-random number generator. I am aware it is not recommend for a good randomness but a) we do not need a good random generator here b) it is probably the most portable one.
2007-10-14 17:40:01 -04:00
int spread_checks;
MINOR: checks: add a new global max-spread-checks directive This directive ensures that checks with a huge interval do not start too far apart at the beginning.
2014-04-25 04:46:47 -04:00
int max_spread_checks;
MEDIUM: log: support a user-configurable max log line length With all the goodies supported by logformat, people find that the limit of 1024 chars for log lines is too short. Some servers do not support larger lines and can simply drop them, so changing the default value is not always the best choice. This patch takes a different approach. Log line length is specified per log server on the "log" line, with a value between 80 and 65535. That way it's possibly to satisfy all needs, even with some fat local servers and small remote ones.
2014-06-27 12:10:07 -04:00
int max_syslog_len;
[MAJOR] support for source binding via cttproxy Using the cttproxy kernel patch, it's possible to bind to any source address. It is highly recommended to use the 03-natdel patch with the other ones. A new keyword appears as a complement to the "source" keyword : "usesrc". The source address is mandatory and must be valid on the interface which will see the packets. The "usesrc" option supports "client" (for full client_ip:client_port spoofing), "client_ip" (for client_ip spoofing) and any 'IP[:port]' combination to pretend to be another machine. Right now, the source binding is missing from server health-checks if set to another address. It must be implemented (think restricted firewalls). The doc is still missing too.
2006-11-12 17:57:19 -05:00
char *chroot;
char *pidfile;
[MINOR] add "description", "node" and show-node"/"show-desc", remove "node-name", v2 This patch implements "description" (proxy and global) and "node" (global) options, removes "node-name" and adds "show-node" & "show-desc" options for "stats". It also changes the way the header lines (with proxy name) and the statistics are displayed, so stats no longer look so clumsy with very long names. Instead of "node-name" it is possible to use show-node/show-desc with an optional parameter that overrides a default node/description. backend cust-0045 # report specific values for this customer stats show-node Europe stats show-desc Master node for Europe, Asia, Africa
2009-10-02 16:51:14 -04:00
char *node, *desc; /* node name & description */
BUG/MEDIUM: logs: segfault writing to log from Lua Michael Ezzell reported a bug causing haproxy to segfault during startup when trying to send syslog message from Lua. The function __send_log() can be called with *p that is NULL and/or when the configuration is not fully parsed, as is the case with Lua. This patch fixes this problem by using individual vectors instead of the pre-generated strings log_htp and log_htp_rfc5424. Also, this patch fixes a problem causing haproxy to write the wrong pid in the logs -- the log_htp(_rfc5424) strings were generated at the haproxy start, but "pid" value would be changed after haproxy is started in daemon/systemd mode.
2015-10-01 07:18:13 -04:00
struct chunk log_tag; /* name for syslog */
MEDIUM: log: Use linked lists for loggers This patch settles the 2 loggers limitation. Loggers are now stored in linked lists. Using "global log", the global loggers list content is added at the end of the current proxy list. Each "log" entries are added at the end of the proxy list. "no log" flush a logger list.
2011-10-12 11:50:54 -04:00
struct list logsrvs;
[MINOR] log: add support for passing the forwarded hostname Haproxy does not include the hostname rather the IP of the machine in the syslog headers it sends. Unfortunately this means that for each log line rsyslog does a reverse dns on the client IP and in the case of non-routable IPs one gets the public hostname not the internal one. While this is valid according to RFC3164 as one might imagine this is troublsome if you have some machines with public IPs, internal IPs, no reverse DNS entries, etc and you want a standardized hostname based log directory structure. The rfc says the preferred value is the hostname. This patch adds a global "log-send-hostname" statement which accepts an optional string to force the host name. If unset, the local host name is used.
2010-12-29 11:05:48 -05:00
char *log_send_hostname; /* set hostname in syslog header */
MINOR: config: new global directive server-state-base This new global directive can be used to provide a base directory where all the server state files could be loaded. If a server state file name starts with a slash '/', then this directive must not be applied.
2015-08-23 03:22:25 -04:00
char *server_state_base; /* path to a directory where server state files can be found */
MINOR: config: new global section directive: server-state-file This new global section directive is used to store the path to the file where HAProxy will be able to retrieve server states across reloads. The file pointed by this path is used to store a file which can contains state of all servers from all backends.
2015-08-23 03:54:31 -04:00
char *server_state_file; /* path to the file where server states are loaded from */
[MEDIUM] limit the number of events returned by *poll* By default, epoll/kqueue used to return as many events as possible. This could sometimes cause huge latencies (latencies of up to 400 ms have been observed with many thousands of fds at once). Limiting the number of events returned also reduces the latency by avoiding too many blind processing. The value is set to 200 by default and can be changed in the global section using the tune.maxpollevents parameter.
2007-06-03 11:16:49 -04:00
struct {
int maxpollevents; /* max number of poll events at once */
[OPTIM] introduce global parameter "tune.maxaccept" This new parameter makes it possible to override the default number of consecutive incoming connections which can be accepted on a socket. By default it is not limited on single process mode, and limited to 8 in multi-process mode.
2008-01-06 05:22:57 -05:00
int maxaccept; /* max number of consecutive accept() */
[MEDIUM] move global tuning options to the global structure The global tuning options right now only concern the polling mechanisms, and they are not in the global struct itself. It's not very practical to add other options so let's move them to the global struct and remove types/polling.h which was not used for anything else.
2009-01-25 09:42:27 -05:00
int options; /* various tuning options */
[OPTIM] stream_sock: don't retry to read after a large read If we get very large data at once, it's almost certain that it's worthless trying to read again, because we got everything we could get. Doing this has made all -EAGAIN disappear from splice reads. The threshold has been put in the global tunable structures so that if we one day want to make it accessible from user config, it will be easy to do so.
2009-03-21 15:43:57 -04:00
int recv_enough; /* how many input bytes at once are "enough" */
[MEDIUM] make it possible to change the buffer size in the configuration The new tune.bufsize and tune.maxrewrite global directives allow one to change the buffer size and the maxrewrite size. Right now, setting bufsize too low will block stats sockets which will not be able to write at all. An error checking must be added to buffer_write_chunk() so that if it cannot write its message to an empty buffer, it causes the caller to abort.
2009-08-17 01:23:33 -04:00
int bufsize; /* buffer size in bytes, defaults to BUFSIZE */
int maxrewrite; /* buffer max rewrite size in bytes, defaults to MAXREWRITE */
MAJOR: session: only wake up as many sessions as available buffers permit We've already experimented with three wake up algorithms when releasing buffers : the first naive one used to wake up far too many sessions, causing many of them not to get any buffer. The second approach which was still in use prior to this patch consisted in waking up either 1 or 2 sessions depending on the number of FDs we had released. And this was still inaccurate. The third one tried to cover the accuracy issues of the second and took into consideration the number of FDs the sessions would be willing to use, but most of the time we ended up waking up too many of them for nothing, or deadlocking by lack of buffers. This patch completely removes the need to allocate two buffers at once. Instead it splits allocations into critical and non-critical ones and implements a reserve in the pool for this. The deadlock situation happens when all buffers are be allocated for requests pending in a maxconn-limited server queue, because then there's no more way to allocate buffers for responses, and these responses are critical to release the servers's connection in order to release the pending requests. In fact maxconn on a server creates a dependence between sessions and particularly between oldest session's responses and latest session's requests. Thus, it is mandatory to get a free buffer for a response in order to release a server connection which will permit to release a request buffer. Since we definitely have non-symmetrical buffers, we need to implement this logic in the buffer allocation mechanism. What this commit does is implement a reserve of buffers which can only be allocated for responses and that will never be allocated for requests. This is made possible by the requester indicating how much margin it wants to leave after the allocation succeeds. Thus it is a cooperative allocation mechanism : the requester (process_session() in general) prefers not to get a buffer in order to respect other's need for response buffers. The session management code always knows if a buffer will be used for requests or responses, so that is not difficult : - either there's an applet on the initiator side and we really need the request buffer (since currently the applet is called in the context of the session) - or we have a connection and we really need the response buffer (in order to support building and sending an error message back) This reserve ensures that we don't take all allocatable buffers for requests waiting in a queue. The downside is that all the extra buffers are really allocated to ensure they can be allocated. But with small values it is not an issue. With this change, we don't observe any more deadlocks even when running with maxconn 1 on a server under severely constrained memory conditions. The code becomes a bit tricky, it relies on the scheduler's run queue to estimate how many sessions are already expected to run so that it doesn't wake up everyone with too few resources. A better solution would probably consist in having two queues, one for urgent requests and one for normal requests. A failed allocation for a session dealing with an error, a connection event, or the need for a response (or request when there's an applet on the left) would go to the urgent request queue, while other requests would go to the other queue. Urgent requests would be served from 1 entry in the pool, while the regular ones would be served only according to the reserve. Despite not yet having this, it works remarkably well. This mechanism is quite efficient, we don't perform too many wake up calls anymore. For 1 million sessions elapsed during massive memory contention, we observe about 4.5M calls to process_session() compared to 4.0M without memory constraints. Previously we used to observe up to 16M calls, which rougly means 12M failures. During a test run under high memory constraints (limit enforced to 27 MB instead of the 58 MB normally needed), performance used to drop by 53% prior to this patch. Now with this patch instead it *increases* by about 1.5%. The best effect of this change is that by limiting the memory usage to about 2/3 to 3/4 of what is needed by default, it's possible to increase performance by up to about 18% mainly due to the fact that pools are reused more often and remain hot in the CPU cache (observed on regular HTTP traffic with 20k objects, buffers.limit = maxconn/10, buffers.reserve = limit/2). Below is an example of scenario which used to cause a deadlock previously : - connection is received - two buffers are allocated in process_session() then released - one is allocated when receiving an HTTP request - the second buffer is allocated then released in process_session() for request parsing then connection establishment. - poll() says we can send, so the request buffer is sent and released - process session gets notified that the connection is now established and allocates two buffers then releases them - all other sessions do the same till one cannot get the request buffer without hitting the margin - and now the server responds. stream_interface allocates the response buffer and manages to get it since it's higher priority being for a response. - but process_session() cannot allocate the request buffer anymore => We could end up with all buffers used by responses so that none may be allocated for a request in process_session(). When the applet processing leaves the session context, the test will have to be changed so that we always allocate a response buffer regardless of the left side (eg: H2->H1 gateway). A final improvement would consists in being able to only retry the failed I/O operation without waking up a task, but to date all experiments to achieve this have proven not to be reliable enough.
2014-11-26 19:11:56 -05:00
int reserved_bufs; /* how many buffers can only be allocated for response */
MINOR: config: implement global setting tune.buffers.limit This setting is used to limit memory usage without causing the alloc failures caused by "-m". Unexpectedly, tests have shown a performance boost of up to about 18% on HTTP traffic when limiting the number of buffers to about 10% of the amount of concurrent connections. tune.buffers.limit <number> Sets a hard limit on the number of buffers which may be allocated per process. The default value is zero which means unlimited. The minimum non-zero value will always be greater than "tune.buffers.reserve" and should ideally always be about twice as large. Forcing this value can be particularly useful to limit the amount of memory a process may take, while retaining a sane behaviour. When this limit is reached, sessions which need a buffer wait for another one to be released by another session. Since buffers are dynamically allocated and released, the waiting time is very short and not perceptible provided that limits remain reasonable. In fact sometimes reducing the limit may even increase performance by increasing the CPU cache's efficiency. Tests have shown good results on average HTTP traffic with a limit to 1/10 of the expected global maxconn setting, which also significantly reduces memory usage. The memory savings come from the fact that a number of connections will not allocate 2*tune.bufsize. It is best not to touch this value unless advised to do so by an haproxy core developer.
2014-12-23 16:52:37 -05:00
int buf_limit; /* if not null, how many total buffers may only be allocated */
[MINOR] add the ability to force kernel socket buffer size. Sometimes we need to be able to change the default kernel socket buffer size (recv and send). Four new global settings have been added for this : - tune.rcvbuf.client - tune.rcvbuf.server - tune.sndbuf.client - tune.sndbuf.server Those can be used to reduce kernel memory footprint with large numbers of concurrent connections, and to reduce risks of write timeouts with very slow clients due to excessive kernel buffering.
2010-01-21 11:43:04 -05:00
int client_sndbuf; /* set client sndbuf to this value if not null */
int client_rcvbuf; /* set client rcvbuf to this value if not null */
int server_sndbuf; /* set server sndbuf to this value if not null */
int server_rcvbuf; /* set server rcvbuf to this value if not null */
[MINOR] global: add "tune.chksize" to change the default check buffer size HTTP content-based health checks will be involved in searching text in pages. Some pages may not fit in the default buffer (16kB) and sometimes it might be desired to have larger buffers in order to find patterns. Running checks on smaller URIs is always preferred of course. (cherry picked from commit 043f44aeb835f3d0b57626c4276581a73600b6b1)
2010-10-04 14:39:20 -04:00
int chksize; /* check buffer size in bytes, defaults to BUFSIZE */
OPTIM/MINOR: make it possible to change pipe size (tune.pipesize) By default, pipes are the default size for the system. But sometimes when using TCP splicing, it can improve performance to increase pipe sizes, especially if it is suspected that pipes are not filled and that many calls to splice() are performed. This has an impact on the kernel's memory footprint, so this must not be changed if impacts are not understood.
2011-10-23 15:14:29 -04:00
int pipesize; /* pipe size in bytes, system defaults if zero */
MEDIUM: tune.http.maxhdr makes it possible to configure the maximum number of HTTP headers For a long time, the max number of headers was taken as a part of the buffer size. Since the header size can be configured at runtime, it does not make much sense anymore. Nothing was making it necessary to have a static value, so let's turn this into a tunable with a default value of 101 which equals what was previously used.
2011-10-24 13:14:41 -04:00
int max_http_hdr; /* max number of HTTP headers, use MAX_HTTP_HDR if zero */
MINOR: http: allow the cookie capture size to be changed Some users need more than 64 characters to log large cookies. The limit was set to 63 characters (and not 64 as previously documented). Now it is possible to change this using the global "tune.http.cookielen" setting if required.
2012-11-21 18:17:38 -05:00
int cookie_len; /* max length of cookie captures */
MAJOR: pattern: add LRU-based cache on pattern matching The principle of this cache is to have a global cache for all pattern matching operations which rely on lists (reg, sub, dir, dom, ...). The input data, the expression and a random seed are used as a hashing key. The cached entries contains a pointer to the expression and a revision number for that expression so that we don't accidently used obsolete data after a pattern update or a very unlikely hash collision. Regarding the risk of collisions, 10k entries at 10k req/s mean 1% risk of a collision after 60 years, that's already much less than the memory's reliability in most machines and more durable than most admin's life expectancy. A collision will result in a valid result to be returned for a different entry from the same list. If this is not acceptable, the cache can be disabled using tune.pattern.cache-size. A test on a file containing 10k small regex showed that the regex matching was limited to 6k/s instead of 70k with regular strings. When enabling the LRU cache, the performance was back to 70k/s.
2015-04-29 10:24:50 -04:00
int pattern_cache; /* max number of entries in the pattern cache. */
MINOR: ssl add global setting tune.sslcachesize to set SSL session cache size. This new global setting allows the user to change the SSL cache size in number of sessions. It defaults to 20000.
2012-09-03 06:10:29 -04:00
int sslcachesize; /* SSL cache size in session, defaults to 20000 */
MINOR: global: always export some SSL-specific metrics We'll need to know the number of SSL connections, their use and their cost soon. In order to avoid getting tons of ifdefs everywhere, always export SSL information in the global section. We add two flags to know whether or not SSL is used in a frontend and in a backend.
2015-01-15 15:32:40 -05:00
#ifdef USE_OPENSSL
MINOR: ssl: add global statement tune.ssl.force-private-cache. Boolean: used to force a private ssl session cache for each process in case of nbproc > 1.
2014-05-09 07:52:00 -04:00
int sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */
MINOR: ssl: Add tune.ssl.lifetime statement in global. Sets the ssl session <lifetime> in seconds. Openssl default is 300 seconds.
2012-11-16 09:11:00 -05:00
unsigned int ssllifetime; /* SSL session lifetime in seconds */
MINOR: ssl: add a global tunable for the max SSL/TLS record size Add new tunable "tune.ssl.maxrecord". Over SSL/TLS, the client can decipher the data only once it has received a full record. With large records, it means that clients might have to download up to 16kB of data before starting to process them. Limiting the record size can improve page load times on browsers located over high latency or low bandwidth networks. It is suggested to find optimal values which fit into 1 or 2 TCP segments (generally 1448 bytes over Ethernet with TCP timestamps enabled, or 1460 when timestamps are disabled), keeping in mind that SSL/TLS add some overhead. Typical values of 1419 and 2859 gave good results during tests. Use "strace -e trace=write" to find the best value. This trick was first suggested by Mike Belshe : http://www.belshe.com/2010/12/17/performance-and-the-tls-record-size/ Then requested again by Ilya Grigorik who provides some hints here : http://ofps.oreilly.com/titles/9781449344764/_transport_layer_security_tls.html#ch04_00000101
2013-02-21 01:46:09 -05:00
unsigned int ssl_max_record; /* SSL max record size */
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
unsigned int ssl_default_dh_param; /* SSL maximum DH parameter size */
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
int ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */
MINOR: compression: memlevel and windowsize The window size and the memlevel of the zlib are now configurable using global options tune.zlib.memlevel and tune.zlib.windowsize. It affects the memory consumption of the zlib.
2012-11-07 10:54:34 -05:00
#endif
#ifdef USE_ZLIB
int zlibmemlevel; /* zlib memlevel */
int zlibwindowsize; /* zlib window size */
MINOR: ssl add global setting tune.sslcachesize to set SSL session cache size. This new global setting allows the user to change the SSL cache size in number of sessions. It defaults to 20000.
2012-09-03 06:10:29 -04:00
#endif
MINOR: compression: tune.comp.maxlevel This option allows you to set the maximum compression level usable by the compression algorithm. It affects CPU usage.
2012-11-09 06:33:10 -05:00
int comp_maxlevel; /* max HTTP compression level */
MINOR: config: make the stream interface idle timer user-configurable The new tune.idletimer value allows one to set a different value for idle stream detection. The default value remains set to one second. It is possible to disable it using zero, and to change the default value at build time using DEFAULT_IDLE_TIMER.
2014-02-12 10:35:14 -05:00
unsigned short idle_timer; /* how long before an empty buffer is considered idle (ms) */
[MEDIUM] limit the number of events returned by *poll* By default, epoll/kqueue used to return as many events as possible. This could sometimes cause huge latencies (latencies of up to 400 ms have been observed with many thousands of fds at once). Limiting the number of events returned also reduces the latency by avoiding too many blind processing. The value is set to 200 by default and can be changed in the global section using the tune.maxpollevents parameter.
2007-06-03 11:16:49 -04:00
} tune;
[MEDIUM] Add supports of bind on unix sockets.
2010-10-22 11:59:25 -04:00
struct {
char *prefix; /* path prefix of unix bind socket */
struct { /* UNIX socket permissions */
uid_t uid; /* -1 to leave unchanged */
gid_t gid; /* -1 to leave unchanged */
mode_t mode; /* 0 to leave unchanged */
} ux;
} unix_bind;
MEDIUM: global: add support for CPU binding on Linux ("cpu-map") The new "cpu-map" directive allows one to assign the CPU sets that a process is allowed to bind to. This is useful in combination with the "nbproc" and "bind-process" directives. The support is implicit on Linux 2.6.28 and above.
2012-11-16 10:12:27 -05:00
#ifdef USE_CPU_AFFINITY
MEDIUM: config: limit nbproc to the machine's word size Some consistency checks cannot be performed between frontends, backends and peers at the moment because there is no way to check for intersection between processes bound to some processes when the number of processes is higher than the number of bits in a word. So first, let's limit the number of processes to the machine's word size. This means nbproc will be limited to 32 on 32-bit machines and 64 on 64-bit machines. This is far more than enough considering that configs rarely go above 16 processes due to scalability and management issues, so 32 or 64 should be fine. This way we'll ensure we can always build a mask of all the processes a section is bound to.
2013-01-18 05:29:29 -05:00
unsigned long cpu_map[LONGBITS]; /* list of CPU masks for the 32/64 first processes */
MEDIUM: global: add support for CPU binding on Linux ("cpu-map") The new "cpu-map" directive allows one to assign the CPU sets that a process is allowed to bind to. This is useful in combination with the "nbproc" and "bind-process" directives. The support is implicit on Linux 2.6.28 and above.
2012-11-16 10:12:27 -05:00
#endif
[MEDIUM] make the global stats socket part of a frontend Creating a frontend for the global stats socket will help merge unix sockets management with the other socket management. Since frontends are huge structs, we only allocate it if required.
2009-08-16 11:41:45 -04:00
struct proxy *stats_fe; /* the frontend holding the stats settings */
MEDIUM: vars: Add a per-process scope for variables Now it is possible to use variables attached to a process. The scope name is 'proc'. These variables are released only when HAProxy is stopped. 'tune.vars.proc-max-size' directive has been added to confiure the maximum amount of memory used by "proc" variables. And because memory accounting is hierachical for variables, memory for "proc" vars includes memory for "sess" vars.
2016-11-09 05:36:17 -05:00
struct vars vars; /* list of variables for the process scope. */
MEDIUM: global: add the DeviceAtlas required elements to struct global This diff is the raw C struct definition of all DeviceAtlas module data needed added to the main global struct haproxy configuration. The three first members are needed for both init and deinit phases as some dynamic memory allocations are done. The useragentid serves to hold during the whole lifecycle of the module the User-Agent HTTP Header identifier from the DeviceAtlas data during the init process.
2015-06-01 07:53:01 -04:00
#ifdef USE_DEVICEATLAS
struct {
void *atlasimgptr;
char *jsonpath;
MINOR: global: Few new struct fields for da module The name and length of the client cookie, useful for extracting cookie value's function and a simple bitfield one to define if set or not.
2015-09-25 09:13:44 -04:00
char *cookiename;
size_t cookienamelen;
MEDIUM: global: add the DeviceAtlas required elements to struct global This diff is the raw C struct definition of all DeviceAtlas module data needed added to the main global struct haproxy configuration. The three first members are needed for both init and deinit phases as some dynamic memory allocations are done. The useragentid serves to hold during the whole lifecycle of the module the User-Agent HTTP Header identifier from the DeviceAtlas data during the init process.
2015-06-01 07:53:01 -04:00
da_atlas_t atlas;
da_evidence_id_t useragentid;
da_severity_t loglevel;
char separator;
MINOR: global: Few new struct fields for da module The name and length of the client cookie, useful for extracting cookie value's function and a simple bitfield one to define if set or not.
2015-09-25 09:13:44 -04:00
unsigned char daset:1;
MEDIUM: global: add the DeviceAtlas required elements to struct global This diff is the raw C struct definition of all DeviceAtlas module data needed added to the main global struct haproxy configuration. The three first members are needed for both init and deinit phases as some dynamic memory allocations are done. The useragentid serves to hold during the whole lifecycle of the module the User-Agent HTTP Header identifier from the DeviceAtlas data during the init process.
2015-06-01 07:53:01 -04:00
} deviceatlas;
#endif
MINOR: global: add several 51Degrees members to global These are : fiftyoneDegreesDataSet _51d_data_set char *_51d_data_file_path char _51d_property_seperator struct list _51d_property_names
2015-05-12 10:47:24 -04:00
#ifdef USE_51DEGREES
MEDIUM: 51Degrees code refactoring and cleanup Moved 51Degrees code from src/haproxy.c, src/sample.c and src/cfgparse.c into a separate files src/51d.c and include/import/51d.h. Added two new functions init_51degrees() and deinit_51degrees(), updated Makefile and other code reorganizations related to 51Degrees.
2015-06-29 10:43:25 -04:00
struct {
char property_separator; /* the separator to use in the response for the values. this is taken from 51degrees-property-separator from config. */
struct list property_names; /* list of properties to load into the data set. this is taken from 51degrees-property-name-list from config. */
char *data_file_path;
MINOR: global: Added new fields for 51Degrees device detection Added support for version 3.2 of 51Degrees C library. Added fields to store HTTP header names important to device detection other than User-Agent. Included a pool of worksets for use with Pattern device detection.
2015-09-18 12:13:47 -04:00
int header_count; /* number of HTTP headers related to device detection. */
struct chunk *header_names; /* array of HTTP header names. */
BUILD/MAJOR:updated 51d Trie implementation to incorperate latest update to 51Degrees.c Trie now uses a dataset structure just like Pattern, so this has been defined in includes/types/global.h for both Pattern and Trie where it was just Pattern. In src/51d.c all functions used by the Trie implementation which need a dataset as an argument now use the global dataset. The fiftyoneDegreesDestroy method has now been replaced with fiftyoneDegreesDataSetFree which is common to Pattern and Trie. In addition, two extra dataset init status' have been added to the switch statement in init_51degrees.
2016-07-06 07:07:21 -04:00
fiftyoneDegreesDataSet data_set; /* data set used with the pattern and trie detection methods. */
MEDIUM: sample: add trie support to 51Degrees Trie or pattern algorithm is used depending on what 51Degrees source files are provided to MAKE.
2015-05-29 07:54:25 -04:00
#ifdef FIFTYONEDEGREES_H_PATTERN_INCLUDED
MINOR: global: Added new fields for 51Degrees device detection Added support for version 3.2 of 51Degrees C library. Added fields to store HTTP header names important to device detection other than User-Agent. Included a pool of worksets for use with Pattern device detection.
2015-09-18 12:13:47 -04:00
fiftyoneDegreesWorksetPool *pool; /* pool of worksets to avoid creating a new one for each request. */
#endif
#ifdef FIFTYONEDEGREES_H_TRIE_INCLUDED
int32_t *header_offsets; /* offsets to the HTTP header name string. */
fiftyoneDegreesDeviceOffsets device_offsets; /* Memory used for device offsets. */
MEDIUM: sample: add trie support to 51Degrees Trie or pattern algorithm is used depending on what 51Degrees source files are provided to MAKE.
2015-05-29 07:54:25 -04:00
#endif
MEDIUM: 51d: add LRU-based cache on User-Agent string detection This cache is used by 51d converter. The input User-Agent string, the converter args and a random seed are used as a hashing key. The cached entries contains a pointer to the resulting string for specific User-Agent string detection. The cache size can be tuned using 51degrees-cache-size parameter.
2015-06-29 10:43:26 -04:00
int cache_size;
MEDIUM: 51Degrees code refactoring and cleanup Moved 51Degrees code from src/haproxy.c, src/sample.c and src/cfgparse.c into a separate files src/51d.c and include/import/51d.h. Added two new functions init_51degrees() and deinit_51degrees(), updated Makefile and other code reorganizations related to 51Degrees.
2015-06-29 10:43:25 -04:00
} _51degrees;
MINOR: global: add several 51Degrees members to global These are : fiftyoneDegreesDataSet _51d_data_set char *_51d_data_file_path char _51d_property_seperator struct list _51d_property_names
2015-05-12 10:47:24 -04:00
#endif
MEDIUM: wurfl: add Scientiamobile WURFL device detection module WURFL is a high-performance and low-memory footprint mobile device detection software component that can quickly and accurately detect over 500 capabilities of visiting devices. It can differentiate between portable mobile devices, desktop devices, SmartTVs and any other types of devices on which a web browser can be installed. In order to add WURFL device detection support, you would need to download Scientiamobile InFuze C API and install it on your system. Refer to www.scientiamobile.com to obtain a valid InFuze license. Any useful information on how to configure HAProxy working with WURFL may be found in: doc/WURFL-device-detection.txt doc/configuration.txt examples/wurfl-example.cfg Please find more information about WURFL device detection API detection at https://docs.scientiamobile.com/documentation/infuze/infuze-c-api-user-guide
2016-11-04 05:55:08 -04:00
#ifdef USE_WURFL
struct {
char *data_file; /* the WURFL data file */
char *cache_size; /* the WURFL cache parameters */
int engine_mode; /* the WURFL engine mode */
int useragent_priority; /* the WURFL ua priority */
struct list patch_file_list; /* the list of WURFL patch file to use */
char information_list_separator; /* the separator used in request to separate values */
struct list information_list; /* the list of WURFL data to return into request */
CLEANUP: wurfl: reduce exposure in the rest of the code The only reason wurfl/wurfl.h was needed outside of wurfl.c was to expose wurfl_handle which is a pointer to a structure, referenced by global.h. By just storing a void* there instead, we can confine all wurfl code to wurfl.c, which is really nice.
2016-11-08 12:47:25 -05:00
void *handle; /* the handle to WURFL engine */
MEDIUM: wurfl: add Scientiamobile WURFL device detection module WURFL is a high-performance and low-memory footprint mobile device detection software component that can quickly and accurately detect over 500 capabilities of visiting devices. It can differentiate between portable mobile devices, desktop devices, SmartTVs and any other types of devices on which a web browser can be installed. In order to add WURFL device detection support, you would need to download Scientiamobile InFuze C API and install it on your system. Refer to www.scientiamobile.com to obtain a valid InFuze license. Any useful information on how to configure HAProxy working with WURFL may be found in: doc/WURFL-device-detection.txt doc/configuration.txt examples/wurfl-example.cfg Please find more information about WURFL device detection API detection at https://docs.scientiamobile.com/documentation/infuze/infuze-c-api-user-guide
2016-11-04 05:55:08 -04:00
struct eb_root btree; /* btree containing info (name/type) on WURFL data to return */
} wurfl;
#endif
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
};
extern struct global global;
extern int pid; /* current process id */
[MINOR] stats: report numerical process ID, proxy ID and server ID It is very convenient for SNMP monitoring to have unique process ID, proxy ID and server ID. Those have been added to the CSV outputs. The numbers start at 1. 0 is reserved. For servers, 0 means that the reported name is not a server name but half a proxy (FRONTEND/BACKEND). A remaining hidden "-" in the CSV output has been eliminated too.
2007-11-04 17:35:08 -05:00
extern int relative_pid; /* process id starting at 1 */
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
extern int actconn; /* # of active sessions */
[MINOR] support a global jobs counter This counter is incremented for each incoming connection and each active listener, and is used to prevent haproxy from stopping upon SIGUSR1. It will thus be possible for some tasks in increment this counter in order to prevent haproxy from dying until they have completed their job.
2010-08-31 09:39:26 -04:00
extern int listeners;
extern int jobs; /* # of active jobs */
MEDIUM: make the trash be a chunk instead of a char * The trash is used everywhere to store the results of temporary strings built out of s(n)printf, or as a storage for a chunk when chunks are needed. Using global.tune.bufsize is not the most convenient thing either. So let's replace trash with a chunk and directly use it as such. We can then use trash.size as the natural way to get its size, and get rid of many intermediary chunks that were previously used. The patch is huge because it touches many areas but it makes the code a lot more clear and even outlines places where trash was used without being that obvious.
2012-10-29 11:51:55 -04:00
extern struct chunk trash;
[MEDIUM] http: revert to use a swap buffer for realignment The bounce realign function was algorithmically good but as expected it was not cache-friendly. Using it with large requests caused so many cache thrashing that the function itself could drain 70% of the total CPU time for only 0.5% of the calls ! Revert back to a standard memcpy() using a specially allocated swap buffer. We're now back to 2M req/s on pipelined requests.
2010-02-26 05:12:27 -05:00
extern char *swap_buffer;
[MINOR] startup: don't wait for nothing when no old pid remains In case of binding failure during startup, we wait for some time sending signals to old pids so that they release the ports we need. But if there aren't any old pids anymore, it's useless to wait, we prefer to fail fast. Along with this change, we now have the number of old pids really found in the nb_oldpids variable.
2010-08-25 06:58:59 -04:00
extern int nb_oldpids; /* contains the number of old pids found */
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
extern const int zero;
extern const int one;
[MINOR] add the "nolinger" option to disable data lingering The following patch will give the ability to tweak socket linger mode. You can use this option with "option nolinger" inside fronted or backend configuration declaration. This will help in environments where lots of FIN_WAIT sockets are encountered.
2007-10-11 14:48:58 -04:00
extern const struct linger nolinger;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
extern int stopping; /* non zero means stopping in progress */
[MINOR] export the hostname variable so that all the code can access it The hostname variable will be used later, export it.
2009-08-16 04:08:02 -04:00
extern char hostname[MAX_HOSTNAME_LEN];
[MAJOR] Add new files src/peer.c, include/proto/peers.h and include/types/peers.h for sync stick table management Add cmdline option -L to configure local peer name
2010-09-23 12:30:22 -04:00
extern char localpeer[MAX_HOSTNAME_LEN];
[MEDIUM] listeners: put listeners in queue upon resource shortage When an accept() fails because of a connection limit or a memory shortage, we now disable it and queue it so that it's dequeued only when a connection is released. This has improved the behaviour of the process near the fd limit as now a listener with a no connection (eg: stats) will not loop forever trying to get its connection accepted. The solution is still not 100% perfect, as we'd like to have this used when proxy limits are reached (use a per-proxy list) and for safety, we'd need to have dedicated tasks to periodically re-enable them (eg: to overcome temporary system-wide resource limitations when no connection is released).
2011-07-24 16:58:00 -04:00
extern struct list global_listener_queue; /* list of the temporarily limited listeners */
[MEDIUM] listeners: add a global listener management task This global task is used to periodically check for end of resource shortage and to try to enable queued listeners again. This is important in case some temporary system-wide shortage is encountered, so that we don't have to wait for an existing connection to be released before checking the queue again. For situations where listeners are queued due to the global maxconn being reached, the task is woken up at least every second. For situations where a system resource shortage is detected (memory, sockets, ...) the task is woken up at least every 100 ms. That way, recovery from severe events can still be achieved under acceptable conditions.
2011-08-01 14:57:55 -04:00
extern struct task *global_listener_queue_task;
MINOR: config: add minimum support for emitting warnings only once This is useful to explain to users what to do during a migration.
2014-04-28 16:27:06 -04:00
extern unsigned int warned; /* bitfield of a few warnings to emit just once */
MEDIUM: dns: implement a DNS resolver Implementation of a DNS client in HAProxy to perform name resolution to IP addresses. It relies on the freshly created UDP client to perform the DNS resolution. For now, all UDP socket calls are performed in the DNS layer, but this might change later when the protocols are extended to be more suited to datagram mode. A new section called 'resolvers' is introduced thanks to this patch. It is used to describe DNS servers IP address and also many parameters.
2015-04-13 17:40:55 -04:00
extern struct list dns_resolvers;
MINOR: config: add minimum support for emitting warnings only once This is useful to explain to users what to do during a migration.
2014-04-28 16:27:06 -04:00
/* bit values to go with "warned" above */
MEDIUM: config: inform the user about the deprecatedness of "block" rules It's just a warning emitted once.
2014-04-28 16:28:02 -04:00
#define WARN_BLOCK_DEPRECATED 0x00000001
MAJOR: config: remove the deprecated reqsetbe / reqisetbe actions These ones were already obsoleted in 1.4, marked for removal in 1.5, and not documented anymore. They used to emit warnings, and do still require quite some code to stay in place. Let's remove them now.
2015-05-26 06:18:29 -04:00
/* unassigned : 0x00000002 */
MEDIUM: config: inform the user only once that "redispatch" is deprecated It may go away in 1.6, but there's no point reporting it for each and every occurrence.
2014-04-28 16:37:32 -04:00
#define WARN_REDISPATCH_DEPRECATED 0x00000004
MEDIUM: config: warn that '{cli,con,srv}timeout' are deprecated It's been like this since version 1.3 in 2007. It's time to clean up configurations. The warning explains what to use depending on the timeout name.
2014-04-28 16:56:38 -04:00
#define WARN_CLITO_DEPRECATED 0x00000008
#define WARN_SRVTO_DEPRECATED 0x00000010
#define WARN_CONTO_DEPRECATED 0x00000020
MINOR: config: add minimum support for emitting warnings only once This is useful to explain to users what to do during a migration.
2014-04-28 16:27:06 -04:00
/* to be used with warned and WARN_* */
static inline int already_warned(unsigned int warning)
{
if (warned & warning)
return 1;
warned |= warning;
return 0;
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
#endif /* _TYPES_GLOBAL_H */
/*
* Local variables:
* c-indent-level: 8
* c-basic-offset: 8
* End:
*/
Reference in a new issue Copy permalink