HAProxy Enterprise Documentation 1.6
Configuration
These options can be stored in a ConfigMap, Ingress or Service definition. A ConfigMap affects the behavior of all routes, an Ingress affects a particular route, and a Service affects all routes for a particular service.
| Option | ConfigMap | Ingress | Service |
|---|---|---|---|
auth-type Enables the selected HTTP authentication strategy. | |||
auth-secret Selects the Kubernetes Secret where authentication data can be found. | |||
auth-realm Provides the HTTP Authentication Realm | |||
blacklist Blocks given IP addresses and/or IP address ranges. | |||
check Enables TCP level health checks on pods and attempts a TCP connection periodically. | |||
check-http Enables HTTP level health checks on pods and sends an HTTP request periodically. The check setting must be true. | |||
check-interval Sets the interval between health checks when check is enabled. | |||
clean-certs Switches certificates clean up. By default controller cleans up unused certificates in haproxy cert directory. In the case where certificates may be handled by a side-car container, it is useful not to remove certificates unkown to controller. | |||
client-ca Sets the client certificate authority enabling HAProxy to check clients certificate (TLS authentication), thus enabling client mTLS. | |||
client-crt-optional If enabled, certificate verification will be optional which means haproxy will still accept the client connection even if the certificate verification fails. If disabled haproxy will enforce verification of client certificates and only accepts client with valid certificate. | |||
cors-enable Enables CORS rules for corresponding Ingress traffic. | |||
cors-allow-origin Sets the Access-Control-Allow-Origin response header to tell browsers which origin is allowed to access the requested resource. | |||
cors-allow-methods Sets the Access-Control-Allow-Methods response header to tell browsers the HTTP methods allowed when accessing the request resource. | |||
cors-allow-credentials Sets the Access-Control-Allow-Credentials response header to tell browsers if credentials can be used to access the requested resource. | |||
cors-allow-headers Sets the Access-Control-Allow-Headers response header to tell browsers which HTTP headers can be used when accessing the request resource. | |||
cors-max-age Sets the Access-Control-Allow-Age response header to tell browsers how long the result of a preflight request can be cached. | |||
global-config-snippet Defines a group of configuration directives to insert the HAProxy global section. | |||
frontend-config-snippet Defines a group of configuration directives to insert in the main HTTP/HTTPS frontends. | |||
stats-config-snippet Defines a group of configuration directives to insert in the stats frontend. | |||
backend-config-snippet Defines a group of configuration directives to add directly to a HAProxy backend section. | |||
cookie-persistence Enables persistent connections between a client and a pod by inserting a cookie into the client’s browser that is used to remember which backend pod they connected to before. | |||
dontlognull Do not log connections that sends no data, which can happen with monitoring systems. | |||
src-ip-header Set the source IP from a header rather than the L3 connection. | |||
forwarded-for Adds the X-Forwarded-For HTTP header to requests to capture and relay the client’s source IP address to backend pods. | |||
hard-stop-after Defines the maximum time allowed to perform a clean soft-stop. | |||
http-keep-alive Enables HTTP Keep-Alive both from the client to HAProxy and from HAProxy to the backend. | |||
http-server-close Disables HTTP Keep-Alive between HAProxy and the backend, while allowing it to stay enabled from the client to HAProxy. | |||
ingress.class Identifies the ingress controller to be used. If this value is the same as the –ingress.class controller arg, the ingress resource will be processed. Starting from kubernetes 1.18, a new ingressClassName field has been added to the Ingress spec resource. This fields should reference an IngressClass and HAProxy Ingress controller will process the Ingress resource if the controller value of the referenced IngressClass is haproxy.org/ingress-controller. More About how IngressClass mechanism can be found in official kubernetes documentation. | |||
load-balance Sets the load-balancing algorithm to use. | |||
log-format Sets the log format string to use for HTTP traffic. | |||
logasap Logs request and response data as soon as the server returns a complete set of HTTP response headers, instead of waiting for the response to finish sending all data. | |||
maxconn Sets the maximum number of concurrent connections that HAProxy will accept. | |||
nbthread Sets the number of worker threads that the HAProxy process will start. If not set, HAProxy will create a thread for each available processor. | |||
path-rewrite Replaces the entire URL path with the given value. | |||
pod-maxconn Sets the maximum number of concurrent backend connections allowed. | |||
proxy-protocol Enables Proxy Protocol on client side for a comma-delimited list of IP addresses and/or CIDR ranges. The 0.0.0.0/0 CIDR will enable Proxy Protocol for all incoming traffic. | |||
rate-limit-period Sets the period of time over which requests are tracked for a given source IP address. | |||
rate-limit-status-code Sets the status code to return when rate limiting has been triggered. | |||
rate-limit-requests Sets the maximum number of requests that will be accepted from a source IP address during the rate-limit-period. | |||
rate-limit-size Sets how many source IP addresses to track, after which older entries are replaced by new entries. | |||
request-capture When you include %hr in the log-format string, which is included in the default log format, it captures custom information in the logs, which you define with this field. For example, you can capture specific cookie values or HTTP header values. | |||
request-capture-len Sets how many characters to allocate for fields captured by request-capture. | |||
request-set-header Sets an HTTP header in the request before it is passed to the backend service. | |||
request-redirect Enables HTTP request redirection based on host and port substitution in original request. | |||
request-redirect-code Defines the HTTP redirection code used in redirection set with request-redirect. | |||
response-set-header Sets an HTTP header in the response before it is passed to the client. | |||
route-acl Insert a custom route (use_backend rule) to route ingress traffic to the annotated service based on the provided ACL. | |||
send-proxy-protocol Uses the PROXY Protocol when connecting to backend servers. | |||
server-ca Sets the certificate authority for backend servers enabling HAProxy to check backend certificates (TLS authentication) when sending encrypted traffic to the kubernetes applications. | |||
server-crt Specifies the path of a secret containing a certificate that HAProxy can provide during TLS communication with the backend servers. | |||
server-proto HTTP/1.1 is the default protocol for backend servers communication. Currently, the server-proto annotation supports only “h2” as a value (supporting fcgi is also planned) which transmits HTTP/2 messages in the clear to the backend servers. However, when SSL is enabled on the backend, server-proto is ignored and both HTTP/1.1 and HTTP/2 are advertised via ALPN and transmitted as encrypted messages. | |||
server-ssl Enables SSL to pods. | |||
set-host Sets the Host header to send to backend services. | |||
scale-server-slots Sets the number of server slots to provision in order for HAProxy to scale dynamically with no reload. If this number is greater than the available endpoints/addresses, the remaining slots will be disabled (put on stand-by) and ready to be used. If this number is lower, the remaining endpoints/addresses will be added after scaling the HAProxy backend with a reload. | |||
ssl-certificate Sets the name of the Kubernetes secret that contains both the TLS key and certificate. | |||
ssl-passthrough Passes SSL/TLS traffic through at Layer 4 directly to the backend service without Layer 7 inspection. | |||
ssl-redirect Sets whether to redirect traffic from HTTP to HTTPS. | |||
ssl-redirect-code Sets the HTTP status code to use when ssl-redirect is true. | |||
ssl-redirect-port Sets the HTTPS port to redirect to when HTTP to HTTPS traffic redirection is enabled when ssl-redirect is true. | |||
syslog-server Sets one or more Syslog servers where logs should be forwarded. Each server is placed onto its own line. A line supports the following arguments, which are separated by commas | |||
timeout-check Sets an additional check timeout, but only after a connection has been already established. | |||
timeout-client Set the maximum inactivity time on the client side. | |||
timeout-client-fin Sets the inactivity timeout on the client side for half-closed connections. | |||
timeout-connect Sets the maximum time to wait for a connection attempt to a server to succeed. | |||
timeout-http-request Sets the maximum allowed time to wait for a complete HTTP request. | |||
timeout-http-keep-alive Sets the maximum allowed time to wait for a new HTTP request to appear. | |||
timeout-queue Sets the maximum time to wait in the queue for a connection slot to be free. | |||
timeout-server Sets the maximum inactivity time on the server side. | |||
timeout-server-fin Sets the inactivity timeout on the server side for half-closed connections. | |||
timeout-tunnel Set the maximum inactivity time on the client and server side for tunnels. | |||
whitelist Blocks all IP addresses except the whitelisted ones (annotation value). | |||
tls-alpn Define the TLS ALPN extension advertisement. This will change the alpn advertisement for the https frontend when ssl is enabled. |
Next up
Controllers Arguments