Configuring the lb-update module

The ‘lb-update’ module allows HAProxy to periodically update the content of an acl or map that is loaded from a file.

You can also use this module to update acl and map content without reloading HAProxy.

Understanding the “lb-update” module

At startup, HAProxy loads the content of map or acl from the designated file. If there is an update directive set up to update this content, HAProxy downloads the new content from the specified URL <url> after a specified period of time <delay>.

The content of the downloaded file replaces the existing content.
  • HAProxy updates the content of the map or acl only if the file was properly downloaded.
  • If HAProxy cannot connect to the server within the time defined in <tmout>, it retries for the number of times defined in <nb> before it quits.

Load the lb-update module

  1. Edit HAProxy's configuration file /etc/hapee-1.6/hapee-lb.conf.
  2. Add or uncomment the line below in the global section:
module-load  hapee-lb-update.so

Configure the lb-update module

Once enabled, the lb-update module creates a new HAProxy configuration section named dynamic-update.

This section can contain a single type of directive, called update, as follows:

update id <id> url <url> [delay <delay>] [timeout <tmout>] [retries <nb>] [map]

with the following parameters:

id <id>          <id> is the file name initially loaded by map or acl; uses the absolute file path
url <url>        <url> is where the file can be downloaded
delay <delay>    <delay> is the download period; by default, its value is 5m
timeout <tmout>  <tmout> is the connection timeout to the download server; by default, its value is 5s
retries <nb>     <nb> is the number of tries to establish a connection to the download server
map              indicates that the downloaded file must be interpreted as a map file; by default, the file is interpreted as an acl file

The following are other HAProxy configuration parameters available for the server directive:

  • ciphers
  • crt
  • force-sslv3
  • force-tlsv10
  • force-tlsv11
  • force-tlsv12
  • no-sslv3
  • no-tlsv10
  • no-tlsv11
  • no-tlsv12
  • no-tls-tickets
  • verify
  • verifyhost

Configuration Example

The following example delivers redirect URLs based on the client IP address:

  • HAProxy's configuration frontend, with a map definition and a dynamic-update section to define how to update the map:
frontend fe_main
	bind 10.0.0.2:80
	mode http
	acl maintenance_required src,map_ip(/etc/haproxy/forbid.map) -m found
	# redirect to the location the map associates with the client address
	http-request redirect location %[src,map_ip(/etc/haproxy/forbid.map)] if maintenance_required


dynamic-update
update id /etc/haproxy/forbid.map map url http://10.0.0.1:80/forbid.map delay 300s
  • content of the file /etc/haproxy/forbid.map with a list of subnets and associated redirection:
10.0.0.0/8     /maintenance.html
192.168.0.0/16 /forbiden.html
0.0.0.0        /deny.html
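
Because the downloaded file replaces the existing map content as a whole, the host that publishes forbid.map can check the file before putting it at the URL. The following is an added example, not part of the HAProxy documentation or of the lb-update module: the function name validate_map, its min_entries parameter and the rule that values must be local paths are assumptions made for this sketch.

```python
import ipaddress

# Sample input: the forbid.map content shown above, embedded so this runs offline.
SAMPLE = """\
10.0.0.0/8     /maintenance.html
192.168.0.0/16 /forbiden.html
0.0.0.0        /deny.html
"""

def validate_map(text, min_entries=1):
    """Check map_ip content ('<network> <value>' per line) before publishing.

    Returns (entries, errors). entries is a list of (network, value);
    errors is a list of (line_number, message). Publish only if errors is empty.
    """
    entries, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments hold no entry
        fields = line.split(None, 1)
        if len(fields) != 2:
            errors.append((lineno, "missing value"))
            continue
        key, value = fields
        try:
            # A key without a prefix length parses as a single host (/32).
            net = ipaddress.ip_network(key, strict=False)
        except ValueError:
            errors.append((lineno, "bad network: " + key))
            continue
        if net in seen:
            errors.append((lineno, "duplicate network: " + str(net)))
            continue
        # Assumption for this example: values feed a redirect Location, so
        # only local paths are accepted (no scheme, no protocol-relative //).
        if not value.startswith("/") or value.startswith("//"):
            errors.append((lineno, "value is not a local path: " + value))
            continue
        seen.add(net)
        entries.append((net, value))
    if len(entries) < min_entries:
        # An empty or truncated file would replace the whole map on update.
        errors.append((0, "too few entries"))
    return entries, errors

if __name__ == "__main__":
    entries, errors = validate_map(SAMPLE)
    print(len(entries), "entries;", errors or "no errors")
```

The parsed entries show that the key 0.0.0.0 in the sample is read as a single host address, not as a catch-all network.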