This module allows HAProxy to periodically update the content of ACLs and maps whose content is loaded from a file.

Note

This module can be used to update map and ACL content without reloading HAProxy.

Loading lb-update module in HAProxy

  1. Edit HAProxy's configuration file: browse the LB Layer 7 tab from the GUI.

  2. Create (or update) a global section at the top of the file, with the content below:

global
  module-load  /usr/libexec/haproxy/update.so

lb-update module configuration

Once enabled, the lb-update module makes a new HAProxy configuration section named dynamic-update available.

This section can contain a single type of directive, named update, with the syntax below:

update id <id> url <url> [delay <delay>] [timeout <tmout>] [retries <nb>] [map]

With the following parameters:

id <id>

<id> is the file name initially loaded by the map or acl; use the absolute file path

url <url>

<url> is where the file can be downloaded

delay <delay>

<delay> is the download period; by default, its value is 5m

timeout <tmout>

<tmout> is the connection timeout to the download server; by default, its value is 5s

retries <nb>

<nb> is the number of attempts to establish a connection to the download server before giving up

map

informs HAProxy that the downloaded file must be interpreted as a map file. By default, the file is interpreted as an ACL file.

Some other HAProxy configuration parameters available for the server directive can also be applied to the update directive:

  • ciphers

  • crt

  • force-sslv3

  • force-tlsv10

  • force-tlsv11

  • force-tlsv12

  • no-sslv3

  • no-tlsv10

  • no-tlsv11

  • no-tlsv12

  • no-tls-tickets

  • verify

  • verifyhost

How it works

At startup, HAProxy loads the content of the map or ACL from the designated file. If an update directive is set up to update this content, then after the <delay> period of time, HAProxy downloads the new content from the given <url>.

Note

The content of the downloaded file replaces the existing content entirely.

HAProxy updates the content of the map or ACL only if the file has been properly downloaded.

If HAProxy cannot connect to the server within <tmout>, it retries <nb> times before giving up.

Configuration example

Deliver redirect URLs based on client IP address:

  • HAProxy configuration: a frontend with a map definition and a dynamic-update section defining how to update the map:

frontend fe_main
  bind 10.0.0.2:80
  mode http
  http-request redirect location src,map_ip(forbid.map) if { src,map_ip(forbid.map) -m found }

dynamic-update
  update id forbid.map map url http://10.0.0.1:80/forbid.map delay 300s

  • content of the file forbid.map, with a list of subnets and the associated redirection:

10.0.0.0/8     /maintenance.html
192.168.0.0/16 /forbiden.html
0.0.0.0        /deny.html
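Because the downloaded file replaces the live map entirely at every <delay>, a malformed or empty file on the download server silently changes what the frontend does on the next refresh. The following script is an added example, not part of the lb-update module or of the HAProxy distribution: it validates a forbid.map-style file before it is published to the download URL, using the format shown above (an IPv4 address or CIDR key, whitespace, a redirect path; blank lines and # comments are skipped as HAProxy map files allow), and includes a small longest-prefix lookup that approximates what map_ip does so the expected redirect for a given client address can be checked offline. The sample map content and the lookup helper are constructed for this example.

```python
"""Pre-publish validator for an lb-update map file (added example).

Checks each entry has an IPv4 address/CIDR key and a single absolute
redirect path, and refuses an empty file, since HAProxy would replace the
whole live map with whatever it downloads.
"""
import ipaddress

# Constructed sample: the forbid.map from the configuration example,
# plus a comment and a blank line, both of which map files permit.
SAMPLE_MAP = """\
# redirect targets by client subnet
10.0.0.0/8     /maintenance.html
192.168.0.0/16 /forbiden.html

0.0.0.0        /deny.html
"""


def parse_map(text):
    """Return a list of (IPv4Network, path) entries; raise ValueError on bad input."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<key> <value>', got {line!r}")
        key, value = parts[0], parts[1].strip()
        try:
            # strict=False accepts host bits set in the key, e.g. 10.1.0.0/8
            net = ipaddress.IPv4Network(key, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad IPv4 key {key!r}: {exc}") from None
        if not value.startswith("/") or any(c.isspace() for c in value):
            raise ValueError(
                f"line {lineno}: redirect target must be one absolute path, got {value!r}"
            )
        entries.append((net, value))
    if not entries:
        raise ValueError("map file has no entries: publishing it would empty the live map")
    return entries


def lookup(entries, client_ip):
    """Approximate map_ip: return the path of the longest-prefix key matching client_ip."""
    ip = ipaddress.IPv4Address(client_ip)
    best = None
    for net, path in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    return best[1] if best else None


if __name__ == "__main__":
    parsed = parse_map(SAMPLE_MAP)
    for net, path in parsed:
        print(f"{str(net):<18} -> {path}")
    for probe in ("10.1.2.3", "192.168.5.5", "8.8.8.8"):
        print(f"client {probe:<12} -> {lookup(parsed, probe)}")
```

Run it against the file you are about to place at <url>; a non-zero exit from a ValueError is the signal to fix the file rather than let HAProxy pick it up on the next <delay>.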