bind [<address>]:<port_range> [, ...] [param*]

bind /<path> [, ...] [param*]

Define one or several listening addresses and/or ports in a frontend.

May be used in sections :   defaults | frontend | listen | backend
                               no    |    yes   |   yes  |   no

Arguments :

  • <address> is optional and can be a host name, an IPv4 address, an IPv6 address, or '*'. It designates the address the frontend will listen on. If unset, all IPv4 addresses of the system will be listened on. The same will apply for '*' or the system's special address "0.0.0.0". The IPv6 equivalent is '::'. Optionally, an address family prefix may be used before the address to force the family regardless of the address format, which can be useful to specify a path to a unix socket with no slash ('/'). Currently supported prefixes are :

    • 'ipv4@' -> address is always IPv4
    • 'ipv6@' -> address is always IPv6
    • 'unix@' -> address is a path to a local unix socket
    • 'abns@' -> address is in abstract namespace (Linux only).

      Note: since abstract sockets are not "rebindable", they do not cope well with multi-process mode during soft-restart, so it is better to avoid them if nbproc is greater than 1. The effect is that if the new process fails to start, only one of the old ones will be able to rebind to the socket.

    • 'fd@<n>' -> use file descriptor <n> inherited from the parent. The fd must be bound and may or may not already be listening.

    You may want to reference some environment variables in the address parameter, see section 2.3 about environment variables.

  • <port_range> is either a unique TCP port, or a port range for which the proxy will accept connections for the IP address specified above. The port is mandatory for TCP listeners. Note that in the case of an IPv6 address, the port is always the number after the last colon (':'). A range can either be :

    • a numerical port (ex: '80')
    • a dash-delimited ports range explicitly stating the lower and upper bounds (ex: '2000-2100') which are included in the range.

      Particular care must be taken against port ranges, because every <address:port> couple consumes one socket (= a file descriptor), so it's easy to consume lots of descriptors with a simple range, and to run out of sockets. Also, each <address:port> couple must be used only once among all instances running on the same system. Please note that binding to ports lower than 1024 generally requires particular privileges to start the program, which are independent of the 'uid' parameter.

  • <path> is a UNIX socket path beginning with a slash ('/'). This is an alternative to the TCP listening port. HAProxy will then receive UNIX connections on the socket located at this place. The path must begin with a slash and by default is absolute. It can be relative to the prefix defined by "unix-bind" in the global section. Note that the total length of the prefix followed by the socket path cannot exceed some system limits for UNIX sockets, which commonly are set to 107 characters.

  • <param*> is a list of parameters common to all sockets declared on the same line. These numerous parameters depend on OS and build options and have a complete section dedicated to them. Please refer to section 5 for more details.

It is possible to specify a list of address:port combinations delimited by commas. The frontend will then listen on all of these addresses. There is no fixed limit to the number of addresses and ports which can be listened on in a frontend, just as there is no limit to the number of "bind" statements in a frontend.

Example :

listen http_proxy
    bind :80,:443
    bind 10.0.0.1:10080,10.0.0.1:10443
    bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy

listen http_https_proxy
    bind :80
    bind :443 ssl crt /etc/haproxy/site.pem

listen http_https_proxy_explicit
    bind ipv6@:80
    bind ipv4@public_ssl:443 ssl crt /etc/haproxy/site.pem
    bind unix@ssl-frontend.sock user root mode 600 accept-proxy

listen external_bind_app1
    bind "fd@${FD_APP1}"

Note: regarding Linux's abstract namespace sockets, HAProxy uses the whole sun_path length for the address length. Some other programs such as socat use the string length only by default. Pass the option ",unix-tightsocklen=0" to any abstract socket definition in socat to make it compatible with HAProxy's.

See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol documentation, and section 5 about bind options.
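
The port range and UNIX socket path limits described under Arguments can be checked before a configuration is deployed. The script below is an added example, not part of HAProxy or its documentation; the names audit_bind, audit_config and fd_budget are hypothetical, and it assumes the address list is the single token after "bind".

```python
UNIX_PATH_MAX = 107   # common sun_path limit quoted in the text
PREFIXES = ("ipv4", "ipv6", "unix", "abns", "fd")
WILDCARDS = {"", "*", "0.0.0.0", "::"}

def audit_bind(line, unix_prefix=""):
    """Return (sockets, warnings) for one bind line; <param*> is ignored."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "bind":
        raise ValueError("not a bind line: %r" % line)
    sockets, warnings = 0, []
    for spec in tokens[1].strip('"').split(","):
        family, sep, rest = spec.partition("@")
        if not sep or family not in PREFIXES:      # no family prefix given
            family, rest = ("unix" if spec.startswith("/") else "tcp"), spec
        if family in ("unix", "abns", "fd"):       # one socket, no port
            sockets += 1
            size = len(unix_prefix + rest)         # "unix-bind" prefix + path
            if family == "unix" and size > UNIX_PATH_MAX:
                warnings.append("%s: path is %d chars (limit %d)" % (spec, size, UNIX_PATH_MAX))
            continue
        addr, _, ports = rest.rpartition(":")      # port follows the last colon
        low, _, high = ports.partition("-")
        low, high = int(low), int(high or low)
        if high < low:
            raise ValueError("bad port range in %r" % spec)
        sockets += high - low + 1                  # one fd per address:port couple
        if low < 1024:
            warnings.append("%s: port below 1024 generally needs privileges" % spec)
        if addr.strip("[]") in WILDCARDS:
            warnings.append("%s: listens on all addresses" % spec)
    return sockets, warnings

def audit_config(text, fd_budget, unix_prefix=""):
    """Sum listener sockets over every bind line and compare to a budget."""
    total, report = 0, []
    for line in text.splitlines():
        if line.split()[:1] == ["bind"]:
            count, warns = audit_bind(line, unix_prefix)
            total, report = total + count, report + warns
    if total > fd_budget:
        report.append("%d listener sockets exceed budget of %d" % (total, fd_budget))
    return total, report

# Constructed sample, not taken from a real deployment.
SAMPLE = """listen demo
    bind 10.0.0.1:2000-2100,10.0.0.2:2000-2100
    bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
"""
print(audit_config(SAMPLE, fd_budget=100))
```

Two comma-separated ranges of 101 ports each already cost 202 descriptors, which is the situation the port range warning above describes.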
