1 ----------------------
2 HAProxy how-to
3 ----------------------
4 version 1.7
5 willy tarreau
6 2021/03/31
7
8
91) How to build it
10------------------
11
12This version is a stable version, which means that it belongs to a branch which
13will get some fixes for bugs as they are discovered. Versions which include the
14suffix "-dev" are development versions and should be avoided in production. If
15you are not used to build from sources or if you are not used to follow updates
16then it is recommended that instead you use the packages provided by your
17software vendor or Linux distribution. Most of them are taking this task
18seriously and are doing a good job at backporting important fixes. If for any
19reason you'd prefer a different version than the one packaged for your system,
20you want to be certain to have all the fixes or to get some commercial support,
21other choices are available at :
22
23 http://www.haproxy.com/
24
25To build haproxy, you will need :
26 - GNU make. Neither Solaris nor OpenBSD's make work with the GNU Makefile.
27 If you get many syntax errors when running "make", you may want to retry
28 with "gmake" which is the name commonly used for GNU make on BSD systems.
29 - GCC between 2.95 and 4.8. Others may work, but not tested.
30 - GNU ld
31
32Also, you might want to build with libpcre support, which will provide a very
33efficient regex implementation and will also fix some badness on Solaris' one.
34
35To build haproxy, you have to choose your target OS amongst the following ones
36and assign it to the TARGET variable :
37
38 - linux22 for Linux 2.2
39 - linux24 for Linux 2.4 and above (default)
40 - linux24e for Linux 2.4 with support for a working epoll (> 0.21)
41 - linux26 for Linux 2.6 and above
42 - linux2628 for Linux 2.6.28, 3.x, and above (enables splice and tproxy)
43 - solaris for Solaris 8 or 10 (others untested)
44 - freebsd for FreeBSD 5 to 10 (others untested)
45 - netbsd for NetBSD
46 - osx for Mac OS/X
47 - openbsd for OpenBSD 5.7 and above
48 - aix51 for AIX 5.1
49 - aix52 for AIX 5.2
50 - cygwin for Cygwin
51 - haiku for Haiku
52 - generic for any other OS or version.
53 - custom to manually adjust every setting
54
55You may also choose your CPU to benefit from some optimizations. This is
56particularly important on UltraSparc machines. For this, you can assign
57one of the following choices to the CPU variable :
58
59 - i686 for intel PentiumPro, Pentium 2 and above, AMD Athlon
60 - i586 for intel Pentium, AMD K6, VIA C3.
61 - ultrasparc : Sun UltraSparc I/II/III/IV processor
62 - native : use the build machine's specific processor optimizations. Use with
63 extreme care, and never in virtualized environments (known to break).
64 - generic : any other processor or no CPU-specific optimization. (default)
65
66Alternatively, you may just set the CPU_CFLAGS value to the optimal GCC options
67for your platform.
68
69You may want to build specific target binaries which do not match your native
70compiler's target. This is particularly true on 64-bit systems when you want
71to build a 32-bit binary. Use the ARCH variable for this purpose. Right now
72it only knows about a few x86 variants (i386,i486,i586,i686,x86_64), two
73generic ones (32,64) and sets -m32/-m64 as well as -march=<arch> accordingly.
74
75If your system supports PCRE (Perl Compatible Regular Expressions), then you
76really should build with libpcre which is between 2 and 10 times faster than
77other libc implementations. Regex are used for header processing (deletion,
78rewriting, allow, deny). The only inconvenient of libpcre is that it is not
79yet widely spread, so if you build for other systems, you might get into
80trouble if they don't have the dynamic library. In this situation, you should
81statically link libpcre into haproxy so that it will not be necessary to
82install it on target systems. Available build options for PCRE are :
83
84 - USE_PCRE=1 to use libpcre, in whatever form is available on your system
85 (shared or static)
86
87 - USE_STATIC_PCRE=1 to use a static version of libpcre even if the dynamic
88 one is available. This will enhance portability.
89
90 - with no option, use your OS libc's standard regex implementation (default).
91 Warning! group references on Solaris seem broken. Use static-pcre whenever
92 possible.
93
94If your system doesn't provide PCRE, you are encouraged to download it from
95http://www.pcre.org/ and build it yourself, it's fast and easy.
96
97Recent systems can resolve IPv6 host names using getaddrinfo(). This primitive
98is not present in all libcs and does not work in all of them either. Support in
99glibc was broken before 2.3. Some embedded libs may not properly work either,
100thus, support is disabled by default, meaning that some host names which only
101resolve as IPv6 addresses will not resolve and configs might emit an error
102during parsing. If you know that your OS libc has reliable support for
103getaddrinfo(), you can add USE_GETADDRINFO=1 on the make command line to enable
104it. This is the recommended option for most Linux distro packagers since it's
105working fine on all recent mainstream distros. It is automatically enabled on
106Solaris 8 and above, as it's known to work.
107
108It is possible to add native support for SSL using the GNU makefile, by passing
109"USE_OPENSSL=1" on the make command line. The libssl and libcrypto will
110automatically be linked with haproxy. Some systems also require libz, so if the
111build fails due to missing symbols such as deflateInit(), then try again with
112"ADDLIB=-lz".
113
114Your are strongly encouraged to always use an up-to-date version of OpenSSL, as
115found on https://www.openssl.org/ as vulnerabilities are occasionally found and
116you don't want them on your systems. HAProxy is known to build correctly on all
117currently supported branches (0.9.8, 1.0.0, 1.0.1, 1.0.2 and 1.1.0 at the time
118of writing). Branch 1.0.2 is currently recommended for the best combination of
119features and stability. Asynchronous engines require OpenSSL 1.1.0 though. It's
120worth mentionning that some OpenSSL derivatives are also reported to work but
121may occasionally break. Patches to fix them are welcome but please read the
122CONTRIBUTING file first.
123
124To link OpenSSL statically against haproxy, build OpenSSL with the no-shared
125keyword and install it to a local directory, so your system is not affected :
126
127 $ export STATICLIBSSL=/tmp/staticlibssl
128 $ ./config --prefix=$STATICLIBSSL no-shared
129 $ make && make install_sw
130
131When building haproxy, pass that path via SSL_INC and SSL_LIB to make and
132include additional libs with ADDLIB if needed (in this case for example libdl):
133
134 $ make TARGET=linux26 USE_OPENSSL=1 SSL_INC=$STATICLIBSSL/include SSL_LIB=$STATICLIBSSL/lib ADDLIB=-ldl
135
136It is also possible to include native support for zlib to benefit from HTTP
137compression. For this, pass "USE_ZLIB=1" on the "make" command line and ensure
138that zlib is present on the system. Alternatively it is possible to use libslz
139for a faster, memory less, but slightly less efficient compression, by passing
140"USE_SLZ=1".
141
142Zlib is commonly found on most systems, otherwise updates can be retrieved from
143http://www.zlib.net/. It is easy and fast to build. Libslz can be downloaded
144from http://1wt.eu/projects/libslz/ and is even easier to build.
145
146By default, the DEBUG variable is set to '-g' to enable debug symbols. It is
147not wise to disable it on uncommon systems, because it's often the only way to
148get a complete core when you need one. Otherwise, you can set DEBUG to '-s' to
149strip the binary.
150
151For example, I use this to build for Solaris 8 :
152
153 $ make TARGET=solaris CPU=ultrasparc USE_STATIC_PCRE=1
154
155And I build it this way on OpenBSD or FreeBSD :
156
157 $ gmake TARGET=freebsd USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
158
159And on a classic Linux with SSL and ZLIB support (eg: Red Hat 5.x) :
160
161 $ make TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
162
163And on a recent Linux >= 2.6.28 with SSL and ZLIB support :
164
165 $ make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
166
167In order to build a 32-bit binary on an x86_64 Linux system with SSL support
168without support for compression but when OpenSSL requires ZLIB anyway :
169
170 $ make TARGET=linux26 ARCH=i386 USE_OPENSSL=1 ADDLIB=-lz
171
172The SSL stack supports session cache synchronization between all running
173processes. This involves some atomic operations and synchronization operations
174which come in multiple flavors depending on the system and architecture :
175
176 Atomic operations :
177 - internal assembler versions for x86/x86_64 architectures
178
179 - gcc builtins for other architectures. Some architectures might not
180 be fully supported or might require a more recent version of gcc.
181 If your architecture is not supported, you willy have to either use
182 pthread if supported, or to disable the shared cache.
183
184 - pthread (posix threads). Pthreads are very common but inter-process
185 support is not that common, and some older operating systems did not
186 report an error when enabling multi-process mode, so they used to
187 silently fail, possibly causing crashes. Linux's implementation is
188 fine. OpenBSD doesn't support them and doesn't build. FreeBSD 9 builds
189 and reports an error at runtime, while certain older versions might
190 silently fail. Pthreads are enabled using USE_PTHREAD_PSHARED=1.
191
192 Synchronization operations :
193 - internal spinlock : this mode is OS-independant, light but will not
194 scale well to many processes. However, accesses to the session cache
195 are rare enough that this mode could certainly always be used. This
196 is the default mode.
197
198 - Futexes, which are Linux-specific highly scalable light weight mutexes
199 implemented in user-space with some limited assistance from the kernel.
200 This is the default on Linux 2.6 and above and is enabled by passing
201 USE_FUTEX=1
202
203 - pthread (posix threads). See above.
204
205If none of these mechanisms is supported by your platform, you may need to
206build with USE_PRIVATE_CACHE=1 to totally disable SSL cache sharing. Then
207it is better not to run SSL on multiple processes.
208
209If you need to pass other defines, includes, libraries, etc... then please
210check the Makefile to see which ones will be available in your case, and
211use the USE_* variables in the Makefile.
212
213AIX 5.3 is known to work with the generic target. However, for the binary to
214also run on 5.2 or earlier, you need to build with DEFINE="-D_MSGQSUPPORT",
215otherwise __fd_select() will be used while not being present in the libc, but
216this is easily addressed using the "aix52" target. If you get build errors
217because of strange symbols or section mismatches, simply remove -g from
218DEBUG_CFLAGS.
219
220You can easily define your own target with the GNU Makefile. Unknown targets
221are processed with no default option except USE_POLL=default. So you can very
222well use that property to define your own set of options. USE_POLL can even be
223disabled by setting USE_POLL="". For example :
224
225 $ gmake TARGET=tiny USE_POLL="" TARGET_CFLAGS=-fomit-frame-pointer
226
227
2281.1) Device Detection
229---------------------
230
231HAProxy supports several device detection modules relying on third party
232products. Some of them may provide free code, others free libs, others free
233evaluation licenses. Please read about their respective details in the
234following files :
235
236 doc/DeviceAtlas-device-detection.txt for DeviceAtlas
237 doc/51Degrees-device-detection.txt for 51Degrees
238 doc/WURFL-device-detection.txt for Scientiamobile WURFL
239
240
2412) How to install it
242--------------------
243
244To install haproxy, you can either copy the single resulting binary to the
245place you want, or run :
246
247 $ sudo make install
248
249If you're packaging it for another system, you can specify its root directory
250in the usual DESTDIR variable.
251
252
2533) How to set it up
254-------------------
255
256There is some documentation in the doc/ directory :
257
258 - intro.txt : this is an introduction to haproxy, it explains what it is
259 what it is not. Useful for beginners or to re-discover it when planning
260 for an upgrade.
261
262 - architecture.txt : this is the architecture manual. It is quite old and
263 does not tell about the nice new features, but it's still a good starting
264 point when you know what you want but don't know how to do it.
265
266 - configuration.txt : this is the configuration manual. It recalls a few
267 essential HTTP basic concepts, and details all the configuration file
268 syntax (keywords, units). It also describes the log and stats format. It
269 is normally always up to date. If you see that something is missing from
270 it, please report it as this is a bug. Please note that this file is
271 huge and that it's generally more convenient to review Cyril Bont�'s
272 HTML translation online here :
273
274 http://cbonte.github.io/haproxy-dconv/configuration-1.6.html
275
276 - management.txt : it explains how to start haproxy, how to manage it at
277 runtime, how to manage it on multiple nodes, how to proceed with seamless
278 upgrades.
279
280 - gpl.txt / lgpl.txt : the copy of the licenses covering the software. See
281 the 'LICENSE' file at the top for more information.
282
283 - the rest is mainly for developers.
284
285There are also a number of nice configuration examples in the "examples"
286directory as well as on several sites and articles on the net which are linked
287to from the haproxy web site.
288
289
2904) How to report a bug
291----------------------
292
293It is possible that from time to time you'll find a bug. A bug is a case where
294what you see is not what is documented. Otherwise it can be a misdesign. If you
295find that something is stupidly design, please discuss it on the list (see the
296"how to contribute" section below). If you feel like you're proceeding right
297and haproxy doesn't obey, then first ask yourself if it is possible that nobody
298before you has even encountered this issue. If it's unlikely, the you probably
299have an issue in your setup. Just in case of doubt, please consult the mailing
300list archives :
301
302 http://marc.info/?l=haproxy
303
304Otherwise, please try to gather the maximum amount of information to help
305reproduce the issue and send that to the mailing list :
306
307 haproxy@formilux.org
308
309Please include your configuration and logs. You can mask your IP addresses and
310passwords, we don't need them. But it's essential that you post your config if
311you want people to guess what is happening.
312
313Also, keep in mind that haproxy is designed to NEVER CRASH. If you see it die
314without any reason, then it definitely is a critical bug that must be reported
315and urgently fixed. It has happened a couple of times in the past, essentially
316on development versions running on new architectures. If you think your setup
317is fairly common, then it is possible that the issue is totally unrelated.
318Anyway, if that happens, feel free to contact me directly, as I will give you
319instructions on how to collect a usable core file, and will probably ask for
320other captures that you'll not want to share with the list.
321
322
3235) How to contribute
324--------------------
325
326Please carefully read the CONTRIBUTING file that comes with the sources. It is
327mandatory.
328
329-- end
330