3. Starting HAProxy

  1. HAProxy is started by invoking the "haproxy" program with a number of arguments
  2. passed on the command line. The actual syntax is :
  3.  
  4.   $ haproxy [<options>]*

where []* is any number of options. An option always starts with ‘-‘

  1. followed by one of more letters, and possibly followed by one or multiple extra
  2. arguments. Without any option, HAProxy displays the help page with a reminder
  3. about supported options. Available options may vary slightly based on the
  4. operating system. A fair number of these options overlap with an equivalent one
  5. if the "global" section. In this case, the command line always has precedence
  6. over the configuration file, so that the command line can be used to quickly
  7. enforce some settings without touching the configuration files. The current
  8. list of options is :
  9.  
  10.   -- <cfgfile>* : all the arguments following "--" are paths to configuration
  11.     file/directory to be loaded and processed in the declaration order. It is
  12.     mostly useful when relying on the shell to load many files that are
  13.     numerically ordered. See also "-f". The difference between "--" and "-f" is
  14.     that one "-f" must be placed before each file name, while a single "--" is
  15.     needed before all file names. Both options can be used together, the
  16.     command line ordering still applies. When more than one file is specified,
  17.     each file must start on a section boundary, so the first keyword of each
  18.     file must be one of "global", "defaults", "peers", "listen", "frontend",
  19.     "backend", and so on. A file cannot contain just a server list for example.
  20.  
  21.   -f <cfgfile|cfgdir> : adds <cfgfile> to the list of configuration files to be
  22.     loaded. If <cfgdir> is a directory, all the files (and only files) it
  23.     contains are added in lexical order (using LC_COLLATE=C) to the list of
  24.     configuration files to be loaded ; only files with ".cfg" extension are
  25.     added, only non hidden files (not prefixed with ".") are added.
  26.     Configuration files are loaded and processed in their declaration order.
  27.     This option may be specified multiple times to load multiple files. See
  28.     also "--". The difference between "--" and "-f" is that one "-f" must be
  29.     placed before each file name, while a single "--" is needed before all file
  30.     names. Both options can be used together, the command line ordering still
  31.     applies. When more than one file is specified, each file must start on a
  32.     section boundary, so the first keyword of each file must be one of
  33.     "global", "defaults", "peers", "listen", "frontend", "backend", and so on.
  34.     A file cannot contain just a server list for example.
  35.  
  36.   -C <dir> : changes to directory <dir> before loading configuration
  37.     files. This is useful when using relative paths. Warning when using
  38.     wildcards after "--" which are in fact replaced by the shell before
  39.     starting haproxy.
  40.  
  41.   -D : start as a daemon. The process detaches from the current terminal after
  42.     forking, and errors are not reported anymore in the terminal. It is
  43.     equivalent to the "daemon" keyword in the "global" section of the
  44.     configuration. It is recommended to always force it in any init script so
  45.     that a faulty configuration doesn't prevent the system from booting.
  46.  
  47.   -L <name> : change the local peer name to <name>, which defaults to the local
  48.     hostname. This is used only with peers replication. You can use the
  49.     variable $HAPROXY_LOCALPEER in the configuration file to reference the
  50.     peer name.
  51.  
  52.   -N <limit> : sets the default per-proxy maxconn to <limit> instead of the
  53.     builtin default value (usually 2000). Only useful for debugging.
  54.  
  55.   -V : enable verbose mode (disables quiet mode). Reverts the effect of "-q" or
  56.     "quiet".
  57.  
  58.   -W : master-worker mode. It is equivalent to the "master-worker" keyword in
  59.     the "global" section of the configuration. This mode will launch a "master"
  60.     which will monitor the "workers". Using this mode, you can reload HAProxy
  61.     directly by sending a SIGUSR2 signal to the master.  The master-worker mode
  62.     is compatible either with the foreground or daemon mode.  It is
  63.     recommended to use this mode with multiprocess and systemd.
  64.  
  65.   -Ws : master-worker mode with support of `notify` type of systemd service.
  66.     This option is only available when HAProxy was built with `USE_SYSTEMD`
  67.     build option enabled.
  68.  
  69.   -c : only performs a check of the configuration files and exits before trying
  70.     to bind. The exit status is zero if everything is OK, or non-zero if an
  71.     error is encountered.
  72.  
  73.   -d : enable debug mode. This disables daemon mode, forces the process to stay
  74.     in foreground and to show incoming and outgoing events. It is equivalent to
  75.     the "global" section's "debug" keyword. It must never be used in an init
  76.     script.
  77.  
  78.   -dG : disable use of getaddrinfo() to resolve host names into addresses. It
  79.     can be used when suspecting that getaddrinfo() doesn't work as expected.
  80.     This option was made available because many bogus implementations of
  81.     getaddrinfo() exist on various systems and cause anomalies that are
  82.     difficult to troubleshoot.
  83.  
  84.   -dM[<byte>] : forces memory poisoning, which means that each and every
  85.     memory region allocated with malloc() or pool_alloc() will be filled with
  86.     <byte> before being passed to the caller. When <byte> is not specified, it
  87.     defaults to 0x50 ('P'). While this slightly slows down operations, it is
  88.     useful to reliably trigger issues resulting from missing initializations in
  89.     the code that cause random crashes. Note that -dM0 has the effect of
  90.     turning any malloc() into a calloc(). In any case if a bug appears or
  91.     disappears when using this option it means there is a bug in haproxy, so
  92.     please report it.
  93.  
  94.   -dS : disable use of the splice() system call. It is equivalent to the
  95.     "global" section's "nosplice" keyword. This may be used when splice() is
  96.     suspected to behave improperly or to cause performance issues, or when
  97.     using strace to see the forwarded data (which do not appear when using
  98.     splice()).
  99.  
  100.   -dV : disable SSL verify on the server side. It is equivalent to having
  101.     "ssl-server-verify none" in the "global" section. This is useful when
  102.     trying to reproduce production issues out of the production
  103.     environment. Never use this in an init script as it degrades SSL security
  104.     to the servers.
  105.  
  106.   -db : disable background mode and multi-process mode. The process remains in
  107.     foreground. It is mainly used during development or during small tests, as
  108.     Ctrl-C is enough to stop the process. Never use it in an init script.
  109.  
  110.   -de : disable the use of the "epoll" poller. It is equivalent to the "global"
  111.     section's keyword "noepoll". It is mostly useful when suspecting a bug
  112.     related to this poller. On systems supporting epoll, the fallback will
  113.     generally be the "poll" poller.
  114.  
  115.   -dk : disable the use of the "kqueue" poller. It is equivalent to the
  116.     "global" section's keyword "nokqueue". It is mostly useful when suspecting
  117.     a bug related to this poller. On systems supporting kqueue, the fallback
  118.     will generally be the "poll" poller.
  119.  
  120.   -dp : disable the use of the "poll" poller. It is equivalent to the "global"
  121.     section's keyword "nopoll". It is mostly useful when suspecting a bug
  122.     related to this poller. On systems supporting poll, the fallback will
  123.     generally be the "select" poller, which cannot be disabled and is limited
  124.     to 1024 file descriptors.
  125.  
  126.   -dr : ignore server address resolution failures. It is very common when
  127.     validating a configuration out of production not to have access to the same
  128.     resolvers and to fail on server address resolution, making it difficult to
  129.     test a configuration. This option simply appends the "none" method to the
  130.     list of address resolution methods for all servers, ensuring that even if
  131.     the libc fails to resolve an address, the startup sequence is not
  132.     interrupted.
  133.  
  134.   -m <limit> : limit the total allocatable memory to <limit> megabytes across
  135.     all processes. This may cause some connection refusals or some slowdowns
  136.     depending on the amount of memory needed for normal operations. This is
  137.     mostly used to force the processes to work in a constrained resource usage
  138.     scenario. It is important to note that the memory is not shared between
  139.     processes, so in a multi-process scenario, this value is first divided by
  140.     global.nbproc before forking.
  141.  
  142.   -n <limit> : limits the per-process connection limit to <limit>. This is
  143.     equivalent to the global section's keyword "maxconn". It has precedence
  144.     over this keyword. This may be used to quickly force lower limits to avoid
  145.     a service outage on systems where resource limits are too low.
  146.  
  147.   -p <file> : write all processes' pids into <file> during startup. This is
  148.     equivalent to the "global" section's keyword "pidfile". The file is opened
  149.     before entering the chroot jail, and after doing the chdir() implied by
  150.     "-C". Each pid appears on its own line.
  151.  
  152.   -q : set "quiet" mode. This disables some messages during the configuration
  153.     parsing and during startup. It can be used in combination with "-c" to
  154.     just check if a configuration file is valid or not.
  155.  
  156.   -S <bind>[,bind_options...]: in master-worker mode, bind a master CLI, which
  157.     allows the access to every processes, running or leaving ones.
  158.     For security reasons, it is recommended to bind the master CLI to a local
  159.     UNIX socket. The bind options are the same as the keyword "bind" in
  160.     the configuration file with words separated by commas instead of spaces.
  161.  
  162.     Note that this socket can't be used to retrieve the listening sockets from
  163.     an old process during a seamless reload.
  164.  
  165.   -sf <pid>* : send the "finish" signal (SIGUSR1) to older processes after boot
  166.     completion to ask them to finish what they are doing and to leave. <pid>
  167.     is a list of pids to signal (one per argument). The list ends on any
  168.     option starting with a "-". It is not a problem if the list of pids is
  169.     empty, so that it can be built on the fly based on the result of a command
  170.     like "pidof" or "pgrep".
  171.  
  172.   -st <pid>* : send the "terminate" signal (SIGTERM) to older processes after
  173.     boot completion to terminate them immediately without finishing what they
  174.     were doing. <pid> is a list of pids to signal (one per argument). The list
  175.     is ends on any option starting with a "-". It is not a problem if the list
  176.     of pids is empty, so that it can be built on the fly based on the result of
  177.     a command like "pidof" or "pgrep".
  178.  
  179.   -v : report the version and build date.
  180.  
  181.   -vv : display the version, build options, libraries versions and usable
  182.     pollers. This output is systematically requested when filing a bug report.
  183.  
  184.   -x <unix_socket> : connect to the specified socket and try to retrieve any
  185.     listening sockets from the old process, and use them instead of trying to
  186.     bind new ones. This is useful to avoid missing any new connection when
  187.     reloading the configuration on Linux. The capability must be enable on the
  188.     stats socket using "expose-fd listeners" in your configuration.
  189.  
  190. A safe way to start HAProxy from an init file consists in forcing the daemon
  191. mode, storing existing pids to a pid file and using this pid file to notify
  192. older processes to finish before leaving :
  193.  
  194.    haproxy -f /etc/haproxy.cfg \
  195.            -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)
  196.  
  197. When the configuration is split into a few specific files (eg: tcp vs http),
  198. it is recommended to use the "-f" option :
  199.  
  200.    haproxy -f /etc/haproxy/global.cfg -f /etc/haproxy/stats.cfg \
  201.            -f /etc/haproxy/default-tcp.cfg -f /etc/haproxy/tcp.cfg \
  202.            -f /etc/haproxy/default-http.cfg -f /etc/haproxy/http.cfg \
  203.            -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)
  204.  
  205. When an unknown number of files is expected, such as customer-specific files,
  206. it is recommended to assign them a name starting with a fixed-size sequence
  207. number and to use "--" to load them, possibly after loading some defaults :
  208.  
  209.    haproxy -f /etc/haproxy/global.cfg -f /etc/haproxy/stats.cfg \
  210.            -f /etc/haproxy/default-tcp.cfg -f /etc/haproxy/tcp.cfg \
  211.            -f /etc/haproxy/default-http.cfg -f /etc/haproxy/http.cfg \
  212.            -D -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid) \
  213.            -f /etc/haproxy/default-customers.cfg -- /etc/haproxy/customers/*
  214.  
  215. Sometimes a failure to start may happen for whatever reason. Then it is
  216. important to verify if the version of HAProxy you are invoking is the expected
  217. version and if it supports the features you are expecting (eg: SSL, PCRE,
  218. compression, Lua, etc). This can be verified using "haproxy -vv". Some
  219. important information such as certain build options, the target system and
  220. the versions of the libraries being used are reported there. It is also what
  221. you will systematically be asked for when posting a bug report :
  222.  
  223.   $ haproxy -vv
  224.   HA-Proxy version 1.6-dev7-a088d3-4 2015/10/08
  225.   Copyright 2000-2015 Willy Tarreau <willy@haproxy.org>
  226.  
  227.   Build options :
  228.     TARGET  = linux2628
  229.     CPU     = generic
  230.     CC      = gcc
  231.     CFLAGS  = -pg -O0 -g -fno-strict-aliasing -Wdeclaration-after-statement \
  232.               -DBUFSIZE=8030 -DMAXREWRITE=1030 -DSO_MARK=36 -DTCP_REPAIR=19
  233.     OPTIONS = USE_ZLIB=1 USE_DLMALLOC=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1
  234.  
  235.   Default settings :
  236.     maxconn = 2000, bufsize = 8030, maxrewrite = 1030, maxpollevents = 200
  237.  
  238.   Encrypted password support via crypt(3): yes
  239.   Built with zlib version : 1.2.6
  240.   Compression algorithms supported : identity("identity"), deflate("deflate"), \
  241.                                      raw-deflate("deflate"), gzip("gzip")
  242.   Built with OpenSSL version : OpenSSL 1.0.1o 12 Jun 2015
  243.   Running on OpenSSL version : OpenSSL 1.0.1o 12 Jun 2015
  244.   OpenSSL library supports TLS extensions : yes
  245.   OpenSSL library supports SNI : yes
  246.   OpenSSL library supports prefer-server-ciphers : yes
  247.   Built with PCRE version : 8.12 2011-01-15
  248.   PCRE library supports JIT : no (USE_PCRE_JIT not set)
  249.   Built with Lua version : Lua 5.3.1
  250.   Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
  251.  
  252.   Available polling systems :
  253.         epoll : pref=300,  test result OK
  254.          poll : pref=200,  test result OK
  255.        select : pref=150,  test result OK
  256.   Total: 3 (3 usable), will use epoll.
  257.  
  258. The relevant information that many non-developer users can verify here are :
  259.   - the version : 1.6-dev7-a088d3-4 above means the code is currently at commit
  260.     ID "a088d3" which is the 4th one after after official version "1.6-dev7".
  261.     Version 1.6-dev7 would show as "1.6-dev7-8c1ad7". What matters here is in
  262.     fact "1.6-dev7". This is the 7th development version of what will become
  263.     version 1.6 in the future. A development version not suitable for use in
  264.     production (unless you know exactly what you are doing). A stable version
  265.     will show as a 3-numbers version, such as "1.5.14-16f863", indicating the
  266.     14th level of fix on top of version 1.5. This is a production-ready version.
  267.  
  268.   - the release date : 2015/10/08. It is represented in the universal
  269.     year/month/day format. Here this means August 8th, 2015. Given that stable
  270.     releases are issued every few months (1-2 months at the beginning, sometimes
  271.     6 months once the product becomes very stable), if you're seeing an old date
  272.     here, it means you're probably affected by a number of bugs or security
  273.     issues that have since been fixed and that it might be worth checking on the
  274.     official site.
  275.  
  276.   - build options : they are relevant to people who build their packages
  277.     themselves, they can explain why things are not behaving as expected. For
  278.     example the development version above was built for Linux 2.6.28 or later,
  279.     targeting a generic CPU (no CPU-specific optimizations), and lacks any
  280.     code optimization (-O0) so it will perform poorly in terms of performance.
  281.  
  282.   - libraries versions : zlib version is reported as found in the library
  283.     itself. In general zlib is considered a very stable product and upgrades
  284.     are almost never needed. OpenSSL reports two versions, the version used at
  285.     build time and the one being used, as found on the system. These ones may
  286.     differ by the last letter but never by the numbers. The build date is also
  287.     reported because most OpenSSL bugs are security issues and need to be taken
  288.     seriously, so this library absolutely needs to be kept up to date. Seeing a
  289.     4-months old version here is highly suspicious and indeed an update was
  290.     missed. PCRE provides very fast regular expressions and is highly
  291.     recommended. Certain of its extensions such as JIT are not present in all
  292.     versions and still young so some people prefer not to build with them,
  293.     which is why the build status is reported as well. Regarding the Lua
  294.     scripting language, HAProxy expects version 5.3 which is very young since
  295.     it was released a little time before HAProxy 1.6. It is important to check
  296.     on the Lua web site if some fixes are proposed for this branch.
  297.  
  298.   - Available polling systems will affect the process's scalability when
  299.     dealing with more than about one thousand of concurrent connections. These
  300.     ones are only available when the correct system was indicated in the TARGET
  301.     variable during the build. The "epoll" mechanism is highly recommended on
  302.     Linux, and the kqueue mechanism is highly recommended on BSD. Lacking them
  303.     will result in poll() or even select() being used, causing a high CPU usage
  304.     when dealing with a lot of connections.