Searching ALOHA 12.5
Updating MAP and ACL files using Update
The Update module (lb-update) allows HAProxy to periodically update the contents of acl and map files without reloading HAProxy.
How the Update module works
At startup, HAProxy loads the content of map or acl from a designated file.
If there is an update directive set up to update this content, HAProxy downloads the new content from a specified URL after the designated period of time.
HAProxy updates the content of the map or acl only after the file downloads correctly. If HAProxy cannot connect to the server over the designated time, it retries for a set number of times before it stops.
Note
The content of the downloaded file replaces the existing content.
Load the Update module in HAProxy
In ALOHA, browse to the LB Layer 7 tab to edit the HAProxy configuration file.
- Create (or update) a global section at the top of the file with the content below:

    global
        module-load /usr/libexec/haproxy/update.so
Configure the Update module
Once enabled, the Update module creates a new HAProxy configuration section called dynamic-update.
This section can contain a single type of directive, named update, as below:
update id <id> url <url> [delay <delay>] [timeout <tmout>] [retries <nb>] [map]
With the following parameters:
| id <id> | The file name initially loaded from |
| url <url> | The location from which to download the file |
| delay <delay> | The download period (default: 5m). |
| timeout <tmout> | The connection timeout to the download server (default: 5s). |
| retries <nb> | The number of tries to connect to the download server. |
| map | Reads the downloaded file as a |
Additional parameters
You can also apply other HAProxy configuration parameters available for the server directive:
| Sets the string describing the list of cipher algorithms to negotiate during the SSL/TLS handshake with the server. |
| Is available only when support for OpenSSL was built in. It designates a PEM file containing both the required certificates and any associated private keys. |
| Enforces use of SSLv3 only on SSL connections instantiated from this listener. |
| Enforces use of TLSv1.0 only on SSL connections instantiated from this listener. |
| Enforces use of TLSv1.1 only on SSL connections instantiated from this listener. |
| Enforces use of TLSv1.2 only on SSL connections instantiated from this listener. |
| Is available only when support for OpenSSL was built in. It disables support for SSLv3 on any sockets instantiated from the listener when SSL is supported. |
| Is available only when support for OpenSSL was built in. It disables support for TLSv1.0 on any sockets instantiated from the listener when SSL is supported. |
| Is available only when support for OpenSSL was built in. It disables support for TLSv1.1 on any sockets instantiated from the listener when SSL is supported. |
| Is available only when support for OpenSSL was built in. It disables support for TLSv1.2 on any sockets instantiated from the listener when SSL is supported. |
| Is available only when support for OpenSSL was built in. It disables the stateless session resumption (RFC 5077 TLS Ticket extension) and forces the use of stateful session resumption. |
| Is available only when support for OpenSSL was built in. |
| Is available only when support for OpenSSL was built in, and only takes effect if you also specify |
Configuration example
To deliver redirect URLs based on client IP address:
- HAProxy's frontend configuration with a map definition and a dynamic-update section to define how to update map:

    frontend fe_main
        bind 10.0.0.2:80
        mode http
        http-request redirect location %[src,map_ip(forbid.map)] if { src,map_ip(forbid.map) -m found }

    dynamic-update
        update id forbid.map map url http://10.0.0.1:80/forbid.map delay 300s
- Contents of the file forbid.map with a list of subnets and associated redirection:

    10.0.0.0/8 /maintenance.html
    192.168.0.0/16 /forbiden.html
    0.0.0.0 /deny.html
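
Because the downloaded file replaces the existing map content and its values are used directly as redirect locations, it is worth linting the file before it is published on the download server. The following is an added example, not part of the ALOHA documentation: `check_map` is a hypothetical helper name, and it assumes that a key written without a prefix length is treated as a single address.

```python
import ipaddress

# Constructed sample: the forbid.map contents from the configuration example.
SAMPLE_MAP = """\
10.0.0.0/8 /maintenance.html
192.168.0.0/16 /forbiden.html
0.0.0.0 /deny.html
"""

def check_map(text):
    """Lint an IP-keyed map whose values become redirect locations.

    Returns (entries, problems): parsed (network, path) pairs and a list of
    (line_number, message) findings.
    """
    entries, problems, seen = [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines carry no entry
        parts = line.split(None, 1)
        if len(parts) != 2:
            problems.append((n, "expected '<key> <value>'"))
            continue
        key, value = parts
        try:
            net = ipaddress.ip_network(key, strict=False)
        except ValueError:
            problems.append((n, f"key {key!r} is not an IP address or CIDR"))
            continue
        # The value ends up in a Location header: allow only a local path.
        if (not value.startswith("/") or value.startswith("//")
                or "\\" in value or any(c.isspace() for c in value)):
            problems.append((n, f"value {value!r} is not a local path"))
            continue
        if net in seen:
            problems.append((n, f"duplicate key {net}"))
            continue
        seen.add(net)
        if "/" not in key and int(net.network_address) == 0:
            problems.append((n, f"{key} has no prefix length: single address"))
        entries.append((net, value))
    return entries, problems

if __name__ == "__main__":
    parsed, findings = check_map(SAMPLE_MAP)
    print(len(parsed), "entries")
    for lineno, msg in findings:
        print(f"line {lineno}: {msg}")
```

Run against the sample, the check accepts all three entries and flags line 3, where `0.0.0.0` carries no prefix length.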