Administration

Dynamic data updates

On this page

This page applies to:

  • HAProxy ALOHA 13.0 and newer

You can regularly update the contents of ACL files, map files, or TLS ticket key files loaded in memory without reloading HAProxy ALOHA thanks to the Update module (lb-update).

At startup, HAProxy ALOHA loads the contents of static files. Then, at a set interval, it downloads updates from a given endpoint. The content of the downloaded files replaces the existing content in memory.

Important

  • Static files are not updated.
  • When you reload HAProxy ALOHA, it will run an outdated version of the static files until their contents are updated in memory. You then might consider updating static files or using the xdelay parameter to update files almost immediately (after 100ms, for example).

In a cluster, each instance checks for changes independently.

Update the contents of ACL files, map files, or TLS ticket key files Jump to heading

In this example, we will update two map files every minute. One map file will be updated 100 milliseconds after HAProxy ALOHA starts or reloads, then every minute.

  1. Create key/value pair map files with a text editor.

    • Create the file forbid.map, that contains a list of subnets and associated redirections:

      10.0.0.0/8     /maintenance.html
192.168.0.0/16 /forbidden.html
0.0.0.0        /deny.html
      10.0.0.0/8     /maintenance.html
192.168.0.0/16 /forbidden.html
0.0.0.0        /deny.html

    • Create the file routes.map, that contains a list of domain names and associated HAProxy ALOHA backends:

      www.example.com     webservers
api.example.com     apiservers
static.example.com  cacheservers
      www.example.com     webservers
api.example.com     apiservers
static.example.com  cacheservers

  2. In the HAProxy ALOHA web UI, select the Tools tab. Then upload your map files in /etc/haproxy/extra/ through the File Manager.

    upload map file

  3. To load the Update module, select the LB Layer7 tab. Then add the following line to the global section. Create the global section if it does not exist.

    haproxy
    global
      module-load hapee-lb-update.so
    haproxy
    global
      module-load hapee-lb-update.so
    haproxy
    global
      module-load update.so
    haproxy
    global
      module-load update.so

  4. Use your map files through map converters in frontend or backend sections.

    haproxy
    frontend fe_main
      bind *:80
      mode http
      http-request redirect location %[src,map_ip(/etc/haproxy/extra/forbid.map)] if { src,map_ip(/etc/haproxy/extra/forbid.map) -m found }
      use_backend %[req.hdr(host),map(/etc/haproxy/extra/routes.map,webservers)]
    haproxy
    frontend fe_main
      bind *:80
      mode http
      http-request redirect location %[src,map_ip(/etc/haproxy/extra/forbid.map)] if { src,map_ip(/etc/haproxy/extra/forbid.map) -m found }
      use_backend %[req.hdr(host),map(/etc/haproxy/extra/routes.map,webservers)]

    You can access a map file by using the map converter or one of its variants, such as map_ip. Its first argument is the absolute path to the map file. Its second argument sets a default value and is optional.

  5. Create a dynamic-update section.

    Specify the paths to the local map files as the id.

    haproxy
    dynamic-update
      update id /etc/haproxy/extra/forbid.map url http://15.236.163.114/forbid.map delay 1m timeout 5s retries 3 map log
      update id /etc/haproxy/extra/routes.map url http://15.236.163.114/routes.map xdelay 1m 1m 100ms 5m timeout 5s retries 3 map log
    haproxy
    dynamic-update
      update id /etc/haproxy/extra/forbid.map url http://15.236.163.114/forbid.map delay 1m timeout 5s retries 3 map log
      update id /etc/haproxy/extra/routes.map url http://15.236.163.114/routes.map xdelay 1m 1m 100ms 5m timeout 5s retries 3 map log

    We won’t include the dontlog-normal directive so that we can check in the logs that the files are correctly updated.

  6. Optionally, update a map, ACL, or TLS session ticket from an HTTPS URL. Follow the same steps as for a non-secure endpoint, above, but add the ssl parameter to the update directive.

    haproxy
    dynamic-update
      update id /etc/hapee-3.1/redirects.map map url https://192.168.0.1:80/redirects.map delay 5m ssl
    haproxy
    dynamic-update
      update id /etc/hapee-3.1/redirects.map map url https://192.168.0.1:80/redirects.map delay 5m ssl

  7. Click OK and then Apply to save the changes.

  8. To make your changes persistent after a reboot, click the Setup tab. Then click Save under Configuration.

  9. Upload updated versions of your map files to an endpoint through an FTP client or any other means.

    For example, upload your map files to http://15.236.163.114/forbid.map, and http://15.236.163.114/routes.map.

  10. Reload the haproxy service from the Services tab.

    In our example, the contents of the static forbid.map and routes.map files will be replaced in memory with the contents of the http://15.236.163.114/forbid.map and http://15.236.163.114/routes.map files, respectively, every minute.

    routes.map is updated 100 milliseconds after you reload HAProxy ALOHA.

  11. Check in the Logs tab that the files were successfully updated.

    dynamic updates log

Check the update status through the CLI Jump to heading

If you can access the instance through SSH, you can also run the following CLI command:

Available since

Since HAProxy ALOHA version 13.5 you can also access the instance via Launch a terminal in the web UI’s Tools tab.

nix
echo lb-update status | sudo socat stdio /var/run/haproxy.stat
nix
echo lb-update status | sudo socat stdio /var/run/haproxy.stat
output
text
lb-update module status
------------------------------------------------------------------------------
initialized:          yes
SMP update
  configuration:      /var/state/haproxy.run:5
  entry:              /etc/haproxy/extra/forbid.map
  generation id:      0 1
  count:              3 0 / 3
  url:                http://15.236.163.114/forbid.map
  http status count:  0 17 0 0 0 / 0
  period/delay:       1m / 5s 10s 5s
  use modified:       no
  reload/retry count: 17 0 0 / 0 0
  reload time:        2021-09-09 10:53:11 / <NEVER> / <NEVER>
  download time:      2021-09-09 10:53:11 / <NEVER>
  next update in:     53s
output
text
lb-update module status
------------------------------------------------------------------------------
initialized:          yes
SMP update
  configuration:      /var/state/haproxy.run:5
  entry:              /etc/haproxy/extra/forbid.map
  generation id:      0 1
  count:              3 0 / 3
  url:                http://15.236.163.114/forbid.map
  http status count:  0 17 0 0 0 / 0
  period/delay:       1m / 5s 10s 5s
  use modified:       no
  reload/retry count: 17 0 0 / 0 0
  reload time:        2021-09-09 10:53:11 / <NEVER> / <NEVER>
  download time:      2021-09-09 10:53:11 / <NEVER>
  next update in:     53s

Description of the lb-update status output.

Value Description
initialized Whether the module was initialized.
configuration Configuration file and line number in which the update item is specified.
entry Item update identifier (what is specified after the id parameter in the configuration).
count The number of ACL or Map entries from the currently active generation divided by total number of entries (curr / total). Generation here means the incremental number of the current file. In case new data is being downloaded, the number of currently loaded entries is also displayed (curr new / total).
url The item download URL. HTTP and HTTPS are supported.
http status count The download HTTP status code, sorted by status classes 1xx 2xx 3xx 4xx, and 5xx. The final number after the slash is a count of responses that had a non-standard HTTP status code outside of the 100-599 range.
period The download period.
delay delay, start, next, and retry values.
use modified Whether the time from the Last-Modified response HTTP header was used to update the data using the If-Modified-Since request HTTP header.
reload count The number of times the update occurred, did not occur because the data did not differ from the current data, or failed because the data was incorrect.
retry count The number of unsuccessful downloads and the number of final unsuccessful downloads. For example, if each download is attempted 3 times (the first number), and if that fails, then the second number is increased by 1. After that, the subsequent download attempt is aborted for the respective cycle and the next attempt starts at the next cycle.
reload time The last time the update occurred, did not occur because the data did not differ from the current data, or failed because the data was incorrect.
download time Indicates the date of the last successful download and the date of the last unsuccessful download.
next update in Delay before the next download or information about the current download. In cases where the download has not yet finished, you will see a currently updating section instead.

Other available CLI commands are as follows:

Command Description
lb-update force-update <id> Forces the update of the specified (<id> is what you specified on the upload line after the id parameter in the configuration).
lb-update list Lists configured entries.

How the Update module works Jump to heading

At startup, HAProxy ALOHA loads the content of map files or ACL files from a designated file.

If there is an update directive set up to update this content, HAProxy ALOHA downloads the new content from a given endpoint after the designated period of time.

  • HAProxy ALOHA updates the content of the map files or ACL files only after the file downloads correctly.
  • If HAProxy ALOHA cannot connect to the server, it retries the number of times you specify.

The content of the downloaded file replaces the existing content in memory.

Update directive syntax Jump to heading

The Update module’s configuration section, dynamic-update, can contain one or several update directives.

haproxy
update id <id> url <url> [delay <delay> | xdelay <delay start next retry>] [timeout <tmout>] [retries <nb>] [modified | xmodified ] [source <addr>[:<port>]] [log] [dontlog-normal] [map] [purge <count> [<interval> [<id>]]] [tls-ticket-keys] [param*]
haproxy
update id <id> url <url> [delay <delay> | xdelay <delay start next retry>] [timeout <tmout>] [retries <nb>] [modified | xmodified ] [source <addr>[:<port>]] [log] [dontlog-normal] [map] [purge <count> [<interval> [<id>]]] [tls-ticket-keys] [param*]

The following arguments are required:

Argument Description
id <path> Sets the path of the file initially loaded from map or acl directives. Uses an absolute path.
url <url> Sets the endpoint from which to download updates. If the endpoint is HTTPS, the ssl parameter is also required.

The following arguments are optional:

Argument Description
delay <delay> Specifies the period between each attempt to download new data. Default: 5m. Minimum: 1ms.
xdelay <u s b r> <u> specifies the period between each attempt to download a new file version; <s> specifies the initial (first) download delay; <b> is not used in this module and its value is not important. However, its value must be present. Default: 10s; If the download fails, <r> determines the delay for the next attempt; Default values are: <u> = 5m, <s> = 5s, <b> = 10s, and <r> = 30s.
modified Uses the Last-Modified field from the HTTP header in the response to check whether or not to update data based on the If-Modified-Since request HTTP header value.
xmodified Available since version 13.5. The same as modified except that the file modification time is set immediately after reading the file status.
source <addr>[:<port] <addr> sets the IPv4 address HAProxy ALOHA will bind to before connecting to a server. By default, it listens on all IP addresses. If you do not specify the port, HAProxy ALOHA will select a free port.
map Reads the downloaded file as a map file. By default, HAProxy ALOHA reads the file as an ACL file.
purge <count> [<interval> [<id>]] This is available only for map and acl data types. Use the <count> argument to indicate that the module should delete old patterns when it downloads the next set of data. Otherwise, use <interval> and <id> to run a separate purge task. <count> is the number of old and/or invalid patterns that can be purged at once. Allowed values for that parameter are between 1 and 100000. The default is 1000; <interval> is the frequency for calling the pattern purging task. The value is set in milliseconds (if not specified by another time unit). If you specify the interval as 0, the task will be executed as quickly as possible. When setting the interval to 0, it is not recommended to purge a large group at once (a <count> of 100 is the optimal number for interval 0); <interval> has no default, so a value must be specified. <id> assigns a specific id to the purge task. You can use <id> to group certain purging tasks, or you can assign each operation its own task. The default is 1000, which means that all purging operations will be performed in the common task which has an id of 1000.
tls-ticket-keys Specifies that the downloaded file is a TLS ticket keys file (instead of an ACL or Map file).
timeout <timeout> Sets the connection timeout to the download server. It defaults to 5s.
retries <number> Sets the number of times the Update module will try to connect to the download server.
log Logs errors.
dontlog-normal Does not log successful updates.
param* TLS parameters, described below.

You can also specify additional TLS parameters:

Value Description
ciphers Sets the string describing the list of cipher algorithms to negotiate during the SSL/TLS handshake with the server.
crt Designates a PEM file containing both the required certificates and any associated private keys.
force-sslv3 Enforces SSLv3 only on SSL connections instantiated from this listener.
force-tlsv10 Enforces TLSv1.0 only on SSL connections instantiated from this listener.
force-tlsv11 Enforces TLSv1.1 only on SSL connections instantiated from this listener.
force-tslv12 Enforces TLSv1.2 only on SSL connections instantiated from this listener.
no-sslv3 Disables support for SSLv3 on any sockets instantiated from the listener when SSL is supported.
no-tlsv10 Disables support for TLSv1.0 on any sockets instantiated from the listener when SSL is supported.
no-tlsv11 Disables support for TLSv1.1 on any sockets instantiated from the listener when SSL is supported.
no-tlsv12 Disables support for TLSv1.2 on any sockets instantiated from the listener when SSL is supported.
no-tls-tickets Disables stateless session resumption (RFC 5077 TLS Ticket extension) and enforces stateful session resumption.
ssl Required if URL is HTTPS.
verify If set to none, HAProxy ALOHA does not request the client certificate (default). In other cases, a client certificate is requested. If set to required and the client does not provide a certificate after the request, HAProxy ALOHA aborts the handshake; it would succeed only if the parameter is set to optional.
verifyhost Only takes effect if you set verify to required. When set, HAProxy ALOHA checks the hostnames in the subject and subjectAlternateNames fields of the certificate provided by the server. If none of the hostnames in the certificate match the specified hostname, HAProxy ALOHA aborts the handshake. The hostnames in the server-provided certificate may include wildcards. Not supported in default-server directives.

The options checksum and modified are mutually exclusive. If you define them at the same time, the option modified automatically switches off and a warning message prints when the load balancer starts.

Do you have any suggestions on how we can improve the content of this page?

Previous page Administration Next page Factory reset
© 2025 HAProxy Technologies, LLC. All Rights Reserved
Manage Cookie Preferences