7. Using ACLs and fetching samples - 7.3. Fetching samples - 《HAProxy 2.0 Configuration Manual》

Sample fetch methods may be combined with transformations to be applied on top
of the fetched sample (also called "converters"). These combinations form what
is called "sample expressions" and the result is a "sample". Initially this
was only supported by "" and "stick store-request" directives but this
has now be extended to all places where samples may be used (ACLs, log-format,
unique-id-format, add-header, ...).
 
These transformations are enumerated as a series of specific keywords after the
sample fetch method. These keywords may equally be appended immediately after
the fetch keyword's argument, delimited by a comma. These keywords can also
support some arguments (e.g. a netmask) which must be passed in parenthesis.
 
A certain category of converters are bitwise and arithmetic operators which
support performing basic operations on integers. Some bitwise operations are
supported (and, or, xor, cpl) and some arithmetic operations are supported
(add, sub, mul, div, mod, neg). Some comparators are provided (odd, even, not,
bool) which make it possible to report a match without having to write an ACL.
 
The currently available list of transformation keywords include :

Returns values for the properties requested as a string, where values are
separated by the delimiter specified with "".
The device is identified using the User-Agent header passed to the
converter. The function can be passed up to five property names, and if a
property name can't be found, the value "NoData" is returned.

Example :


# containing values for the three properties requested by using the
# User-Agent passed to the converter.
frontend http-in
  bind *:8081
  default_backend servers
  http-request set-header X-51D-DeviceTypeMobileTablet \
    %[req.fhdr(User-Agent),51d.single(DeviceType,IsMobile,IsTablet)]

add()

Adds <value> to the input value of type signed integer, and returns the
result as a signed integer. <value> can be a numeric value or a variable
name. The name of the variable starts with an indication about its scope. The
scopes allowed are:
  "" : the variable is shared with the whole process
  "sess" : the variable is shared with the whole session
  "txn"  : the variable is shared with the transaction (request and response)
  "req"  : the variable is shared only during request processing
  "res"  : the variable is shared only during response processing
This prefix is followed by a name. The separator is a '.'. The name may only
contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.

aes_gcm_dec(,,,)

Decrypts the raw byte input using the AES128-GCM, AES192-GCM or
AES256-GCM algorithm, depending on the <bits> parameter. All other parameters
need to be base64 encoded and the returned result is in raw byte format.
If the <aead_tag> validation fails, the converter doesn't return any data.
The <nonce>, <key> and <aead_tag> can either be strings or variables. This
converter requires at least OpenSSL 1.0.1.

Example:

http-response set-header X-Decrypted-Text %[var(txn.enc),\
  aes_gcm_dec(128,txn.nonce,Zm9vb2Zvb29mb29wZm9vbw==,txn.aead_tag)]

()

Performs a bitwise "AND" between <value> and the input value of type signed
integer, and returns the result as an signed integer. <value> can be a
numeric value or a variable name. The name of the variable starts with an
indication about its scope. The scopes allowed are:
  "proc" : the variable is shared with the whole process
  "sess" : the variable is shared with the whole session
  "txn"  : the variable is shared with the transaction (request and response)
  "req"  : the variable is shared only during request processing
  "res"  : the variable is shared only during response processing
This prefix is followed by a name. The separator is a '.'. The name may only
contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.

Converts (decodes) a base64 encoded input string to its binary
representation. It performs the inverse operation of base64().

base64

Converts a binary input sample to a base64 string. It is used to log or
transfer binary content in a way that can be reliably transferred (e.g.
an SSL ID can be copied in a header).

Returns a boolean TRUE if the input value of type signed integer is
non-null, otherwise returns FALSE. Used in conjunction with and(), it can be
used to report true/false for bit testing on input values (e.g. verify the
presence of a flag).

bytes([,])

Extracts some bytes from an input binary sample. The result is a binary
sample starting at an offset (in bytes) of the original sample and
optionally truncated at the given length.

([],[],[])

Concatenates up to 3 fields after the current sample which is then turned to
a string. The first one, <start>, is a constant string, that will be appended
immediately after the existing sample. It may be omitted if not used. The
second one, <var>, is a variable name. The variable will be looked up, its
contents converted to a string, and it will be appended immediately after the
<first> part. If the variable is not found, nothing is appended. It may be
omitted as well. The third field, <end> is a constant string that will be
appended after the variable. It may also be omitted. Together, these elements
allow to concatenate variables with delimiters to an existing set of
variables. This can be used to build new variables made of a succession of
other variables, such as colon-delimited values. Note that due to the config
parser, it is not possible to use a comma nor a closing parenthesis as
delimiters.

Example:

tcp-request session set-var(sess.src) src
tcp-request session set-var(sess.dn)  ssl_c_s_dn
tcp-request session set-var(txn.sig) str(),concat(<ip=,sess.ip,>),concat(<dn=,sess.dn,>)
http-request set-header x-hap-sig %[var(txn.sig)]

cpl

Takes the input value of type signed integer, applies a ones-complement
(flips all bits) and returns the result as an signed integer.

([])

Hashes a binary input sample into an unsigned 32-bit quantity using the CRC32
hash function. Optionally, it is possible to apply a full avalanche hash
function to the output if the optional <avalanche> argument equals 1. This
converter uses the same functions as used by the various hash-based load
balancing algorithms, so it will provide exactly the same results. It is
provided for compatibility with other software which want a CRC32 to be
computed on some input keys, so it follows the most common implementation as
found in Ethernet, Gzip, PNG, etc... It is slower than the other algorithms
but may provide a better or at least less predictable distribution. It must
not be used for security purposes as a 32-bit hash is trivial to break. See
also "djb2", "", "wt6", "" and the "hash-type" directive.

([])

Hashes a binary input sample into an unsigned 32-bit quantity using the CRC32C
hash function. Optionally, it is possible to apply a full avalanche hash
function to the output if the optional <avalanche> argument equals 1. This
converter uses the same functions as described in RFC4960, Appendix B [8].
It is provided for compatibility with other software which want a CRC32C to be
computed on some input keys. It is slower than the other algorithms and it must
not be used for security purposes as a 32-bit hash is trivial to break. See
also "djb2", "", "wt6", "" and the "hash-type" directive.

([,*])

Asks the DeviceAtlas converter to identify the User Agent string passed on
input, and to emit a string made of the concatenation of the properties
enumerated in argument, delimited by the separator defined by the global
keyword "deviceatlas-property-separator", or by default the pipe character
('|'). There's a limit of 12 different properties imposed by the haproxy
configuration language.

Example:

frontend www
  bind *:8881
  default_backend servers
  http-request set-header X-DeviceAtlas-Data %[req.fhdr(User-Agent),da-csv(primaryHardwareType,osName,osVersion,browserName,browserVersion,browserRenderingEngine)]

debug

This converter is used as debug tool. It dumps on screen the content and the
type of the input sample. The sample is returned as is on its output. This
converter only exists when haproxy was built with debugging enabled.

()

Divides the input value of type signed integer by <value>, and returns the
result as an signed integer. If <value> is null, the largest unsigned
integer is returned (typically 2^63-1). <value> can be a numeric value or a
variable name. The name of the variable starts with an indication about its
scope. The scopes allowed are:
  "proc" : the variable is shared with the whole process
  "sess" : the variable is shared with the whole session
  "txn"  : the variable is shared with the transaction (request and response)
  "req"  : the variable is shared only during request processing
  "res"  : the variable is shared only during response processing
This prefix is followed by a name. The separator is a '.'. The name may only
contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.

([])

Hashes a binary input sample into an unsigned 32-bit quantity using the DJB2
hash function. Optionally, it is possible to apply a full avalanche hash
function to the output if the optional <avalanche> argument equals 1. This
converter uses the same functions as used by the various hash-based load
balancing algorithms, so it will provide exactly the same results. It is
mostly intended for debugging, but can be used as a stick-table entry to
collect rough statistics. It must not be used for security purposes as a
32-bit hash is trivial to break. See also "crc32", "", "wt6", "",
and the "hash-type" directive.

Returns a boolean TRUE if the input value of type signed integer is even
otherwise returns FALSE. It is functionally equivalent to "not,and(1),bool".

field(,[,])

Extracts the substring at the given index counting from the beginning
(positive index) or from the end (negative index) considering given delimiters
from an input string. Indexes start at 1 or -1 and delimiters are a string
formatted list of chars. Optionally you can specify <count> of fields to
extract (default: 1). Value of 0 indicates extraction of all remaining
fields.

Example :

str(f1_f2_f3__f5),field(5,_)    # f5
str(f1_f2_f3__f5),field(2,_,0)  # f2_f3__f5
str(f1_f2_f3__f5),field(2,_,2)  # f2_f3
str(f1_f2_f3__f5),field(-2,_,3) # f2_f3_
str(f1_f2_f3__f5),field(-3,_,0) # f1_f2_f3

Converts a binary input sample to a hex string containing two hex digits per
input byte. It is used to log or transfer hex dumps of some binary input data
in a way that can be reliably transferred (e.g. an SSL ID can be copied in a
header).

hex2i

Converts a hex string containing two hex digits per input byte to an
integer. If the input value cannot be converted, then zero is returned.

([])

Converts an integer supposed to contain a date since epoch to a string
representing this date in a format suitable for use in HTTP header fields. If
an offset value is specified, then it is a number of seconds that is added to
the date before the conversion is operated. This is particularly useful to
emit Date header fields, Expires values in responses when combined with a
positive offset, or Last-Modified values when the offset is negative.

in_table(

)

  Uses the string representation of the input sample to perform a look up in
  the specified table. If the key is not found in the table, a boolean false
  is returned. Otherwise a boolean true is returned. This can be used to verify
  the presence of a certain key in a table tracking some elements (e.g. whether
  or not a source IP address or an Authorization header was already seen).
 
ipmask(<mask4>, [<mask6>])
  Apply a mask to an IP address, and use the result for lookups and storage.
  This can be used to make all hosts within a certain mask to share the same
  table entries and as such use the same server. The mask4 can be passed in
  dotted form (e.g. 255.255.255.0) or in CIDR form (e.g. 24). The mask6 can
  be passed in quadruplet form (e.g. ffff:ffff::) or in CIDR form (e.g. 64).
  If no mask6 is given IPv6 addresses will fail to convert for backwards
  compatibility reasons.

([])

Escapes the input string and produces an ASCII output string ready to use as a
JSON string. The converter tries to decode the input string according to the
<input-code> parameter. It can be "ascii", "utf8", "utf8s", "utf8p" or
"utf8ps". The "ascii" decoder never fails. The "utf8" decoder detects 3 types
of errors:
 - bad UTF-8 sequence (lone continuation byte, bad number of continuation
   bytes, ...)
 - invalid range (the decoded value is within a UTF-8 prohibited range),
 - code overlong (the value is encoded with more bytes than necessary).
 
The UTF-8 JSON encoding can produce a "too long value" error when the UTF-8
character is greater than 0xffff because the JSON string escape specification
only authorizes 4 hex digits for the value encoding. The UTF-8 decoder exists
in 4 variants designated by a combination of two suffix letters : "p" for
"permissive" and "s" for "silently ignore". The behaviors of the decoders
are :
 - "ascii"  : never fails;
 - "utf8"   : fails on any detected errors;
 - "utf8s"  : never fails, but removes characters corresponding to errors;
 - "utf8p"  : accepts and fixes the overlong errors, but fails on any other
              error;
 - "utf8ps" : never fails, accepts and fixes the overlong errors, but removes
              characters corresponding to the other errors.
 
This converter is particularly useful for building properly escaped JSON for
logging to servers which consume JSON-formatted traffic logs.

Example:

capture request header Host len 15
capture request header user-agent len 150
log-format &#x27;{"ip":"%[src]","user-agent":"%[capture.req.hdr(1),json(utf8s)]"}'

Input request from client 127.0.0.1:
   GET / HTTP/1.0
   User-Agent: Very "Ugly" UA 1/2
 
Output log:
   {"ip":"127.0.0.1","user-agent":"Very \"Ugly\" UA 1\/2"}

language([,])

Returns the value with the highest q-factor from a list as extracted from the
"accept-language" header using "". Values with no q-factor have a
q-factor of 1. Values with a q-factor of 0 are dropped. Only values which
belong to the list of semi-colon delimited <values> will be considered. The
argument <value> syntax is "lang[;lang[;lang[;...]]]". If no value matches the
given list and a default value is provided, it is returned. Note that language
names may have a variant after a dash ('-'). If this variant is present in the
list, it will be matched, but if it is not, only the base language is checked.
The match is case-sensitive, and the output string is always one of those
provided in arguments. The ordering of arguments is meaningless, only the
ordering of the values in the request counts, as the first value among
multiple sharing the same q-factor is used.

Example :

# this configuration switches to the backend matching a
# given language based on the request :
acl es req.fhdr(accept-language),language(es;fr;en) -m str es
acl fr req.fhdr(accept-language),language(es;fr;en) -m str fr
acl en req.fhdr(accept-language),language(es;fr;en) -m str en
use_backend spanish if es
use_backend french  if fr
use_backend english if en
default_backend choose_your_language

length

Get the length of the string. This can only be placed after a string
sample fetch function or after a transformation keyword returning a string
type. The result is of type integer.

Convert a string sample to lower case. This can only be placed after a string
sample fetch function or after a transformation keyword returning a string
type. The result is of type string.

ltime([,])

Converts an integer supposed to contain a date since epoch to a string
representing this date in local time using a format defined by the <format>
string using strftime(3). The purpose is to allow any date format to be used
in logs. An optional <offset> in seconds may be applied to the input date
(positive or negative). See the strftime() man page for the format supported
by your operating system. See also the utime converter.

Example :

# Emit two colons, one with the local time and another with ip:port
# e.g.  20140710162350 127.0.0.1:57325
log-format %[date,ltime(%Y%m%d%H%M%S)]\ %ci:%cp

([,])

map_<match_type>(<map_file>[,<default_value>])
map_<match_type>_<output_type>(<map_file>[,<default_value>])
  Search the input value from <map_file> using the <match_type> matching method,
  and return the associated value converted to the type <output_type>. If the
  input value cannot be found in the <map_file>, the converter returns the
  <default_value>. If the <default_value> is not set, the converter fails and
  acts as if no input value could be fetched. If the <match_type> is not set, it
  defaults to "str". Likewise, if the <output_type> is not set, it defaults to
  "". For convenience, the "map" keyword is an alias for "map_str" and maps a
  string to another string.
 
  It is important to avoid overlapping between the keys : IP addresses and
  strings are stored in trees, so the first of the finest match will be used.
  Other keys are stored in lists, so the first matching occurrence will be used.
 
  The following array contains the list of all map functions available sorted by
  input type, match type and output type.

input type	match method	output type str	output type int	output type ip
str	str	map_str	map_str_int	map_str_ip
str	beg	map_beg	map_beg_int	map_end_ip
str	sub	map_sub	map_sub_int	map_sub_ip
str	dir	map_dir	map_dir_int	map_dir_ip
str	dom	map_dom	map_dom_int	map_dom_ip
str	end	map_end	map_end_int	map_end_ip
str	reg	map_reg	map_reg_int	map_reg_ip
str	reg	map_regm	map_reg_int	map_reg_ip
int	int	map_int	map_int_int	map_int_ip
ip	ip	map_ip	map_ip_int	map_ip_ip

The special map called "map_regm" expect matching zone in the regular
expression and modify the output replacing back reference (like "\1") by
the corresponding match text.
 
The file contains one key + value per line. Lines which start with '#' are
ignored, just like empty lines. Leading tabs and spaces are stripped. The key
is then the first "" (series of non-space/tabs characters), and the value
is what follows this series of space/tab till the end of the line excluding
trailing spaces/tabs.

Example :

# this is a comment and is ignored
   2.22.246.0/23    United Kingdom      \n
<-><-----------><--><------------><---->
 |       |       |         |        `- trailing spaces ignored
 |       |       |         `---------- value
 |       |       `-------------------- middle spaces ignored
 |       `---------------------------- key
 `------------------------------------ leading spaces ignored

mod()

Divides the input value of type signed integer by <value>, and returns the
remainder as an signed integer. If <value> is null, then zero is returned.
<value> can be a numeric value or a variable name. The name of the variable
starts with an indication about its scope. The scopes allowed are:
  "" : the variable is shared with the whole process
  "sess" : the variable is shared with the whole session
  "txn"  : the variable is shared with the transaction (request and response)
  "req"  : the variable is shared only during request processing
  "res"  : the variable is shared only during response processing
This prefix is followed by a name. The separator is a '.'. The name may only
contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.

mul()

Multiplies the input value of type signed integer by <value>, and returns
the product as an signed integer. In case of overflow, the largest possible
value for the sign is returned so that the operation doesn't wrap around.
<value> can be a numeric value or a variable name. The name of the variable
starts with an indication about its scope. The scopes allowed are:
  "" : the variable is shared with the whole process
  "sess" : the variable is shared with the whole session
  "txn"  : the variable is shared with the transaction (request and response)
  "req"  : the variable is shared only during request processing
  "res"  : the variable is shared only during response processing
This prefix is followed by a name. The separator is a '.'. The name may only
contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.

nbsrv

Takes an input value of type string, interprets it as a backend name and
returns the number of usable servers in that backend. Can be used in places
where we want to look up a backend from a dynamic name, like a result of a
map lookup.

Takes the input value of type signed integer, computes the opposite value,
and returns the remainder as an signed integer. 0 is identity. This operator
is provided for reversed subtracts : in order to subtract the input from a
constant, simply perform a "neg,add(value)".

not

Returns a boolean FALSE if the input value of type signed integer is
non-null, otherwise returns TRUE. Used in conjunction with and(), it can be
used to report true/false for bit testing on input values (e.g. verify the
absence of a flag).

Returns a boolean TRUE if the input value of type signed integer is odd
otherwise returns FALSE. It is functionally equivalent to "and(1),bool".

or()

Performs a bitwise "OR" between <value> and the input value of type signed
integer, and returns the result as an signed integer. <value> can be a
numeric value or a variable name. The name of the variable starts with an
indication about its scope. The scopes allowed are:
  "" : the variable is shared with the whole process
  "sess" : the variable is shared with the whole session
  "txn"  : the variable is shared with the transaction (request and response)
  "req"  : the variable is shared only during request processing
  "res"  : the variable is shared only during response processing
This prefix is followed by a name. The separator is a '.'. The name may only
contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.

protobuf(,[])

This extracts the protocol buffers message field in raw mode of an input binary
sample representation of a protocol buffer message with <field_number> as field
number (dotted notation) if <field_type> is not present, or as an integer sample
if this field is present (see also "" below).
The list of the authorized types is the following one: "int32", "int64", "uint32",
"uint64", "sint32", "sint64", "boolThis keyword is available in sections :
Fetching samples from internal states
", "enum" for the "varint" wire type 0
"fixed64", "sfixed64", "double" for the 64bit wire type 1, "fixed32", "sfixed32",
"float" for the wire type 5. Note that "string" is considered as a length-delimited
type, so it does not require any <field_type> argument to be extracted.
More information may be found here about the protocol buffers message field types:
https://developers.google.com/protocol-buffers/docs/encoding

(,[,])

Applies a regex-based substitution to the input string. It does the same
operation as the well-known "sed" utility with "s/<regex>/<subst>/". By
default it will replace in the input string the first occurrence of the
largest part matching the regular expression <regex> with the substitution
string <subst>. It is possible to replace all occurrences instead by adding
the flag "g" in the third argument <flags>. It is also possible to make the
regex case insensitive by adding the flag "i" in <flags>. Since <flags> is a
string, it is made up from the concatenation of all desired flags. Thus if
both "i" and "g" are desired, using "gi" or "ig" will have the same effect.
It is important to note that due to the current limitations of the
configuration parser, some characters such as closing parenthesis, closing
square brackets or comma are not possible to use in the arguments. The first
use of this converter is to replace certain characters or sequence of
characters with other ones.

Example :

# de-duplicate "/" in header "x-path".
# input:  x-path: /////a///b/c/xzxyz/
# output: x-path: /a/b/c/xzxyz/
http-request set-header x-path %[hdr(x-path),regsub(/+,/,g)]

capture-req()

Capture the string entry in the request slot <id> and returns the entry as
is. If the slot doesn't exist, the capture fails silently.

See also: ““, “http-request capture“, ““, “capture.req.hdr“ and ““ (sample fetches).

capture-res()

Capture the string entry in the response slot <id> and returns the entry as
is. If the slot doesn't exist, the capture fails silently.

See also: ““, “http-request capture“, ““, “capture.req.hdr“ and ““ (sample fetches).

sdbm([])

  Hashes a binary input sample into an unsigned 32-bit quantity using the SDBM
  hash function. Optionally, it is possible to apply a full avalanche hash
  function to the output if the optional <avalanche> argument equals 1. This
  converter uses the same functions as used by the various hash-based load
  balancing algorithms, so it will provide exactly the same results. It is
  mostly intended for debugging, but can be used as a stick-table entry to
  collect rough statistics. It must not be used for security purposes as a
  32-bit hash is trivial to break. See also "", "djb2", "", "crc32c",
  and the "" directive.
 
set-var(<var name>)
  Sets a variable with the input content and returns the content on the output
  as-is. The variable keeps the value and the associated input type. The name of
  the variable starts with an indication about its scope. The scopes allowed are:
    "proc" : the variable is shared with the whole process
    "sess" : the variable is shared with the whole session
    "txn"  : the variable is shared with the transaction (request and
             response),
    "req"  : the variable is shared only during request processing,
    "res"  : the variable is shared only during response processing.
  This prefix is followed by a name. The separator is a '.'. The name may only
  contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.

Converts a binary input sample to a SHA1 digest. The result is a binary
sample with length of 20 bytes.

strcmp()

Compares the contents of <var> with the input value of type string. Returns
the result as a signed integer compatible with strcmp(3): 0 if both strings
are identical. A value less than 0 if the left string is lexicographically
smaller than the right string or if the left string is shorter. A value greater
than 0 otherwise (right string greater than left string or the right string is
shorter).

Example :

http-request set-var(txn.host) hdr(host)
# Check whether the client is attempting domain fronting.
acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0

()

Subtracts <value> from the input value of type signed integer, and returns
the result as an signed integer. Note: in order to subtract the input from
a constant, simply perform a "neg,add(value)". <value> can be a numeric value
or a variable name. The name of the variable starts with an indication about
its scope. The scopes allowed are:
  "proc" : the variable is shared with the whole process
  "sess" : the variable is shared with the whole session
  "txn"  : the variable is shared with the transaction (request and
           response),
  "req"  : the variable is shared only during request processing,
  "res"  : the variable is shared only during response processing.
This prefix is followed by a name. The separator is a '.'. The name may only
contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.

(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the average client-to-server
bytes rate associated with the input sample in the designated table, measured
in amount of bytes over the period configured in the table. See also the
sc_bytes_in_rate sample fetch keyword.

table_bytes_out_rate(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the average server-to-client
bytes rate associated with the input sample in the designated table, measured
in amount of bytes over the period configured in the table. See also the
sc_bytes_out_rate sample fetch keyword.

(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the cumulative number of incoming
connections associated with the input sample in the designated table. See
also the sc_conn_cnt sample fetch keyword.

table_conn_cur(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the current amount of concurrent
tracked connections associated with the input sample in the designated table.
See also the sc_conn_cur sample fetch keyword.

(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the average incoming connection
rate associated with the input sample in the designated table. See also the
sc_conn_rate sample fetch keyword.

table_gpt0(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, boolean value zero
is returned. Otherwise the converter returns the current value of the first
general purpose tag associated with the input sample in the designated table.
See also the sc_get_gpt0 sample fetch keyword.

(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the current value of the first
general purpose counter associated with the input sample in the designated
table. See also the sc_get_gpc0 sample fetch keyword.

table_gpc0_rate(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the frequency which the gpc0
counter was incremented over the configured period in the table, associated
with the input sample in the designated table. See also the sc_get_gpc0_rate
sample fetch keyword.

(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the current value of the second
general purpose counter associated with the input sample in the designated
table. See also the sc_get_gpc1 sample fetch keyword.

table_gpc1_rate(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the frequency which the gpc1
counter was incremented over the configured period in the table, associated
with the input sample in the designated table. See also the sc_get_gpc1_rate
sample fetch keyword.

(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the cumulative number of HTTP
errors associated with the input sample in the designated table. See also the
sc_http_err_cnt sample fetch keyword.

table_http_err_rate(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the average rate of HTTP errors associated with the
input sample in the designated table, measured in amount of errors over the
period configured in the table. See also the sc_http_err_rate sample fetch
keyword.

(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the cumulative number of HTTP
requests associated with the input sample in the designated table. See also
the sc_http_req_cnt sample fetch keyword.

table_http_req_rate(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the average rate of HTTP requests associated with the
input sample in the designated table, measured in amount of requests over the
period configured in the table. See also the sc_http_req_rate sample fetch
keyword.

(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the cumulative number of client-
to-server data associated with the input sample in the designated table,
measured in kilobytes. The test is currently performed on 32-bit integers,
which limits values to 4 terabytes. See also the sc_kbytes_in sample fetch
keyword.

table_kbytes_out(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the cumulative number of server-
to-client data associated with the input sample in the designated table,
measured in kilobytes. The test is currently performed on 32-bit integers,
which limits values to 4 terabytes. See also the sc_kbytes_out sample fetch
keyword.

(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the server ID associated with
the input sample in the designated table. A server ID is associated to a
sample by a "stickThis keyword is available in sections :
Server and default-server options
" rule when a connection to a server succeeds. A server ID
zero means that no server is associated with this key.

(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the cumulative number of incoming
sessions associated with the input sample in the designated table. Note that
a session here refers to an incoming connection being accepted by the
"tcp-request connection" rulesets. See also the sc_sess_cnt sample fetch
keyword.

(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the average incoming session
rate associated with the input sample in the designated table. Note that a
session here refers to an incoming connection being accepted by the
"tcp-request connection" rulesets. See also the sc_sess_rate sample fetch
keyword.

(

)

Uses the string representation of the input sample to perform a look up in
the specified table. If the key is not found in the table, integer value zero
is returned. Otherwise the converter returns the current amount of concurrent
connections tracking the same key as the input sample in the designated
table. It differs from table_conn_cur in that it does not rely on any stored
information but on the table's reference count (the "use" value which is
returned by "show table" on the CLI). This may sometimes be more suited for
layer7 tracking. It can be used to tell a server how many concurrent
connections there are from a given address for example. See also the
sc_trackers sample fetch keyword.

upper

Convert a string sample to upper case. This can only be placed after a string
sample fetch function or after a transformation keyword returning a string
type. The result is of type string.

Takes an url-encoded string provided as input and returns the decoded
version as output. The input and the output are of type string.

ungrpc(,[])

This extracts the protocol buffers message field in raw mode of an input binary
sample representation of a gRPC message with <field_number> as field number
(dotted notation) if <field_type> is not present, or as an integer sample if this
field is present.
The list of the authorized types is the following one: "int32", "int64", "uint32",
"uint64", "sint32", "sint64", "This keyword is available in sections :
Converters
", "enum" for the "varint" wire type 0
"fixed64", "sfixed64", "double" for the 64bit wire type 1, "fixed32", "sfixed32",
"float" for the wire type 5. Note that "string" is considered as a length-delimited
type, so it does not require any <field_type> argument to be extracted.
More information may be found here about the protocol buffers message field types:
https://developers.google.com/protocol-buffers/docs/encoding

Example:

// with such a protocol buffer .proto file content adapted from
// https://github.com/grpc/grpc/blob/master/examples/protos/route_guide.proto
message Point {
  int32 latitude = 1;
  int32 longitude = 2;
}
message PPoint {
  Point point = 59;
}
message Rectangle {
  // One corner of the rectangle.
  PPoint lo = 48;
  // The other corner of the rectangle.
  PPoint hi = 49;
}
let&#x27;s say a body request is made of a "Rectangle" object value (two PPoint
protocol buffers messages), the four protocol buffers fields could be
extracted with these "ungrpc" directives:
req.body,ungrpc(48.59.2,int32) # "longitude" of "lo" first PPoint
req.body,ungrpc(49.59.1,int32) # "latitude" of "hi" second PPoint
req.body,ungrpc(49.59.2,int32) # "longitude" of "hi" second PPoint
We could also extract the intermediary 48.59 field as a binary sample as follows:
req.body,ungrpc(48.59)
As a gRPC message is always made of a gRPC header followed by protocol buffers
messages, in the previous example the "latitude" of "lo" first PPoint
could be extracted with these equivalent directives:
req.body,ungrpc(48.59),protobuf(1,int32)
req.body,ungrpc(48),protobuf(59.1,int32)
req.body,ungrpc(48),protobuf(59),protobuf(1,int32)
Note that the first convert must be "ungrpc", the remaining ones must be
"protobuf" and only the last one may have or not a second argument to
interpret the previous binary sample.

unset-var(<var name>)
  Unsets a variable if the input content is defined. The name of the variable
  starts with an indication about its scope. The scopes allowed are:
    "proc" : the variable is shared with the whole process
    "sess" : the variable is shared with the whole session
    "txn"  : the variable is shared with the transaction (request and
             response),
    "req"  : the variable is shared only during request processing,
    "res"  : the variable is shared only during response processing.
  This prefix is followed by a name. The separator is a '.'. The name may only
  contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.

([,])

Converts an integer supposed to contain a date since epoch to a string
representing this date in UTC time using a format defined by the <format>
string using strftime(3). The purpose is to allow any date format to be used
in logs. An optional <offset> in seconds may be applied to the input date
(positive or negative). See the strftime() man page for the format supported
by your operating system. See also the ltime converter.

Example :

# Emit two colons, one with the UTC time and another with ip:port
# e.g.  20140710162350 127.0.0.1:57325
log-format %[date,utime(%Y%m%d%H%M%S)]\ %ci:%cp

word(,[,])

Extracts the nth word counting from the beginning (positive index) or from
the end (negative index) considering given delimiters from an input string.
Indexes start at 1 or -1 and delimiters are a string formatted list of chars.
Delimiters at the beginning or end of the input string are ignored.
Optionally you can specify <count> of words to extract (default: 1).
Value of 0 indicates extraction of all remaining words.

Example :

str(f1_f2_f3__f5),word(4,_)    # f5
str(f1_f2_f3__f5),word(2,_,0)  # f2_f3__f5
str(f1_f2_f3__f5),word(3,_,2)  # f3__f5
str(f1_f2_f3__f5),word(-2,_,3) # f1_f2_f3
str(f1_f2_f3__f5),word(-3,_,0) # f1_f2
str(/f1/f2/f3/f4),word(1,/)    # f1

([])

Hashes a binary input sample into an unsigned 32-bit quantity using the WT6
hash function. Optionally, it is possible to apply a full avalanche hash
function to the output if the optional <avalanche> argument equals 1. This
converter uses the same functions as used by the various hash-based load
balancing algorithms, so it will provide exactly the same results. It is
mostly intended for debugging, but can be used as a stick-table entry to
collect rough statistics. It must not be used for security purposes as a
32-bit hash is trivial to break. See also "crc32", "", "sdbm", "",
and the "hash-type" directive.

()

Performs a bitwise "XOR" (exclusive OR) between <value> and the input value
of type signed integer, and returns the result as an signed integer.
<value> can be a numeric value or a variable name. The name of the variable
starts with an indication about its scope. The scopes allowed are:
  "proc" : the variable is shared with the whole process
  "sess" : the variable is shared with the whole session
  "txn"  : the variable is shared with the transaction (request and
           response),
  "req"  : the variable is shared only during request processing,
  "res"  : the variable is shared only during response processing.
This prefix is followed by a name. The separator is a '.'. The name may only
contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.

([])

Hashes a binary input sample into an unsigned 32-bit quantity using the 32-bit
variant of the XXHash hash function. This hash supports a seed which defaults
to zero but a different value maybe passed as the <seed> argument. This hash
is known to be very good and very fast so it can be used to hash URLs and/or
URL parameters for use as stick-table keys to collect statistics with a low
collision rate, though care must be taken as the algorithm is not considered
as cryptographically secure.

xxh64([])

Hashes a binary input sample into a signed 64-bit quantity using the 64-bit
variant of the XXHash hash function. This hash supports a seed which defaults
to zero but a different value maybe passed as the <seed> argument. This hash
is known to be very good and very fast so it can be used to hash URLs and/or
URL parameters for use as stick-table keys to collect statistics with a low
collision rate, though care must be taken as the algorithm is not considered
as cryptographically secure.

7.3.2. Fetching samples from internal states

A first set of sample fetch methods applies to internal information which does
not even relate to any client information. These ones are sometimes used with
"monitor-fail" directives to report an internal status to external watchers.
The sample fetch methods described in this section are usable anywhere.

always_false : boolean

Always returns the boolean "false" value. It may be used with ACLs as a
temporary replacement for another one when adjusting configurations.

: boolean

Always returns the boolean "true" value. It may be used with ACLs as a
temporary replacement for another one when adjusting configurations.

avg_queue([]) : integer

Returns the total number of queued connections of the designated backend
divided by the number of active servers. The current backend is used if no
backend is specified. This is very similar to "" except that the size of
the farm is considered, in order to give a more accurate measurement of the
time it may take for a new connection to be processed. The main usage is with
ACL to return a sorry page to new users when it becomes certain they will get
a degraded service, or to pass to the backend servers in a header so that
they decide to work in degraded mode or to disable some functions to speed up
the processing a bit. Note that in the event there would not be any active
server anymore, twice the number of queued connections would be considered as
the measured value. This is a fair estimate, as we expect one server to get
back soon anyway, but we still prefer to send new traffic to another backend
if in better shape. See also the "queue", "", and "be_sess_rate"
sample fetches.

([]) : integer

Applies to the number of currently established connections on the backend,
possibly including the connection being evaluated. If no backend name is
specified, the current one is used. But it is also possible to check another
backend. It can be used to use a specific farm when the nominal one is full.
See also the "fe_conn", "", "be_conn_free", and "" criteria.

be_conn_free([]) : integer

Returns an integer value corresponding to the number of available connections
across available servers in the backend. Queue slots are not included. Backup
servers are also not included, unless all other servers are down. If no
backend name is specified, the current one is used. But it is also possible
to check another backend. It can be used to use a specific farm when the
nominal one is full. See also the "", "connslots", and ""
criteria.
 
OTHER CAVEATS AND NOTES: if any of the server maxconn, or maxqueue is 0
(meaning unlimited), then this fetch clearly does not make sense, in which
case the value returned will be -1.

be_sess_rate([]) : integer

Returns an integer value corresponding to the sessions creation rate on the
backend, in number of new sessions per second. This is used with ACLs to
switch to an alternate backend when an expensive or fragile one reaches too
high a session rate, or to limit abuse of service (e.g. prevent sucking of an
online dictionary). It can also be useful to add this element to logs using a
log-format directive.

Example :

# Redirect to an error page if the dictionary is requested too often
backend dynamic
    mode http
    acl being_scanned be_sess_rate gt 100
    redirect location /denied.html if being_scanned

() : bin

Returns a binary chain. The input is the hexadecimal representation
of the string.

bool() : bool

Returns a boolean value. <bool> can be 'true', 'false', '1' or '0'.
'false' and '0' are the same. 'true' and '1' are the same.

([]) : integer

Returns an integer value corresponding to the number of connection slots
still available in the backend, by totaling the maximum amount of
connections on all servers and the maximum queue size. This is probably only
used with ACLs.
 
The basic idea here is to be able to measure the number of connection "slots"
still available (connection + queue), so that anything beyond that (intended
usage; see "use_backend" keyword) can be redirected to a different backend.
 
'connslots' = number of available server connection slots, + number of
available server queue slots.
 
Note that while "" may be used, "connslots" comes in especially
useful when you have a case of traffic going to one single ip, splitting into
multiple backends (perhaps using ACLs to do name-based load balancing) and
you want to be able to differentiate between different backends, and their
available "". Also, whereas "nbsrvThis keyword is available in sections :
Fetching samples from internal states
" only measures servers that are
actually *down*, this fetch is more fine-grained and looks into the number of
available connection slots as well. See also "" and "avg_queue".
 
OTHER CAVEATS AND NOTES: at this point in time, the code does not take care
of dynamic connections. Also, if any of the server maxconn, or maxqueue is 0,
then this fetch clearly does not make sense, in which case the value returned
will be -1.

: integer

Returns the number of calls to the task processing the stream or current
request since it was allocated. This number is reset for each new request on
the same connections in case of HTTP keep-alive. This value should usually be
low and stable (around 2 calls for a typically simple request) but may become
high if some processing (compression, caching or analysis) is performed. This
is purely for performance monitoring purposes.

cpu_ns_avg : integer

Returns the average number of nanoseconds spent in each call to the task
processing the stream or current request. This number is reset for each new
request on the same connections in case of HTTP keep-alive. This value
indicates the overall cost of processing the request or the connection for
each call. There is no good nor bad value but the time spent in a call
automatically causes latency for other processing (see lat_ns_avg below),
and may affect other connection's apparent response time. Certain operations
like compression, complex regex matching or heavy Lua operations may directly
affect this value, and having it in the logs will make it easier to spot the
Note: this value is exactly cpu_ns_tot divided by cpu_calls.

: integer

Returns the total number of nanoseconds spent in each call to the task
processing the stream or current request. This number is reset for each new
request on the same connections in case of HTTP keep-alive. This value
indicates the overall cost of processing the request or the connection for
each call. There is no good nor bad value but the time spent in a call
automatically causes latency for other processing (see lat_ns_avg below),
induces CPU costs on the machine, and may affect other connection's apparent
response time. Certain operations like compression, complex regex matching or
heavy Lua operations may directly affect this value, and having it in the
logs will make it easier to spot the faulty processing that needs to be fixed
to recover decent performance. The value may be artificially high due to a
high cpu_calls count, for example when processing many HTTP chunks, and for
this reason it is often preferred to log cpu_ns_avg instead.

date([]) : integer

Returns the current date as the epoch (number of seconds since 01/01/1970).
If an offset value is specified, then it is a number of seconds that is added
to the current date before returning the value. This is particularly useful
to compute relative dates, as both positive and negative offsets are allowed.
It is useful combined with the http_date converter.

Example :

# set an expires header to now+1 hour in every response
http-response set-header Expires %[date(3600),http_date]

: integer

Return the microseconds part of the date (the "second" part is returned by
date sample). This sample is coherent with the date sample as it is comes
from the same timeval structure.

distcc_body([,]) : binary

Parses a distcc message and returns the body associated to occurrence #<occ>
of the token <token>. Occurrences start at 1, and when unspecified, any may
match though in practice only the first one is checked for now. This can be
used to extract file names or arguments in files built using distcc through
haproxy. Please refer to distcc's protocol documentation for the complete
list of supported tokens.

([,]) : integer

Parses a distcc message and returns the parameter associated to occurrence
#<occ> of the token <token>. Occurrences start at 1, and when unspecified,
any may match though in practice only the first one is checked for now. This
can be used to extract certain information such as the protocol version, the
file size or the argument in files built using distcc through haproxy.
Another use case consists in waiting for the start of the preprocessed file
contents before connecting to the server to avoid keeping idle connections.
Please refer to distcc's protocol documentation for the complete list of
supported tokens.

Example :

# wait up to 20s for the pre-processed file to be uploaded
tcp-request inspect-delay 20s
tcp-request content accept if { distcc_param(DOTI) -m found }
# send large files to the big farm
use_backend big_farm if { distcc_param(DOTI) gt 1000000 }

env() : string

Returns a string containing the value of environment variable <name>. As a
reminder, environment variables are per-process and are sampled when the
process starts. This can be useful to pass some information to a next hop
server, or with ACLs to take specific action when the process is started a
certain way.

Examples :

# Pass the Via header to next hop with the local hostname in it
http-request add-header Via 1.1\ %[env(HOSTNAME)]
# reject cookie-less requests when the STOP environment variable is set
http-request deny if !{ cook(SESSIONID) -m found } { env(STOP) -m found }

([]) : integer

Returns the number of currently established connections on the frontend,
possibly including the connection being evaluated. If no frontend name is
specified, the current one is used. But it is also possible to check another
frontend. It can be used to return a sorry page before hard-blocking, or to
use a specific backend to drain new requests when the farm is considered
full. This is mostly used with ACLs but can also be used to pass some
statistics to servers in HTTP headers. See also the "dst_conn", "",
"fe_sess_rate" fetches.

([]) : integer

Returns an integer value corresponding to the number of HTTP requests per
second sent to a frontend. This number can differ from "fe_sess_rate" in
situations where client-side keep-alive is enabled.

([]) : integer

Returns an integer value corresponding to the sessions creation rate on the
frontend, in number of new sessions per second. This is used with ACLs to
limit the incoming session rate to an acceptable range in order to prevent
abuse of service at the earliest moment, for example when combined with other
layer 4 ACLs in order to force the clients to wait a bit for the rate to go
down below the limit. It can also be useful to add this element to logs using
a log-format directive. See also the "rate-limit sessions" directive for use
in frontends.

Example :

# This frontend limits incoming mails to 10/s with a max of 100
# concurrent connections. We accept any connection below 10/s, and
# force excess clients to wait for 100 ms. Since clients are limited to
# 100 max, there cannot be more than 10 incoming mails per second.
frontend mail
    bind :25
    mode tcp
    maxconn 100
    acl too_fast fe_sess_rate ge 10
    tcp-request inspect-delay 100ms
    tcp-request content accept if ! too_fast
    tcp-request content accept if WAIT_END

: string

Returns the system hostname.

int() : signed integer

Returns a signed integer.

() : ipv4

Returns an ipv4.

ipv6() : ipv6

Returns an ipv6.

: integer

Returns the average number of nanoseconds spent between the moment the task
handling the stream is woken up and the moment it is effectively called. This
number is reset for each new request on the same connections in case of HTTP
keep-alive. This value indicates the overall latency inflicted to the current
request by all other requests being processed in parallel, and is a direct
indicator of perceived performance due to noisy neighbours. In order to keep
the value low, it is possible to reduce the scheduler's run queue depth using
"tune.runqueue-depth", to reduce the number of concurrent events processed at
once using "", to decrease the stream's nice value using
the "nice" option on the "This keyword is available in sections :
Peers
" lines or in the frontend, or to look for
other heavy requests in logs (those exhibiting large values of "cpu_ns_avg"),
whose processing needs to be adjusted or fixed. Compression of large buffers
could be a culprit, like heavy regex or long lists of regex.
Note: this value is exactly lat_ns_tot divided by cpu_calls.

: integer

Returns the total number of nanoseconds spent between the moment the task
handling the stream is woken up and the moment it is effectively called. This
number is reset for each new request on the same connections in case of HTTP
keep-alive. This value indicates the overall latency inflicted to the current
request by all other requests being processed in parallel, and is a direct
indicator of perceived performance due to noisy neighbours. In order to keep
the value low, it is possible to reduce the scheduler's run queue depth using
"tune.runqueue-depth", to reduce the number of concurrent events processed at
once using "", to decrease the stream's nice value using
the "nice" option on the "This keyword is available in sections :
Peers
" lines or in the frontend, or to look for
other heavy requests in logs (those exhibiting large values of "cpu_ns_avg"),
whose processing needs to be adjusted or fixed. Compression of large buffers
could be a culprit, like heavy regex or long lists of regex. Note: while it
may intuitively seem that the total latency adds to a transfer time, it is
almost never true because while a task waits for the CPU, network buffers
continue to fill up and the next call will process more at once. The value
may be artificially high due to a high cpu_calls count, for example when
processing many HTTP chunks, and for this reason it is often preferred to log
lat_ns_avg instead, which is a more relevant performance indicator.

() : method

Returns a method.

nbproc : integer

Returns an integer value corresponding to the number of processes that were
started (it equals the global "This keyword is available in sections :
Process management and security
" setting). This is useful for logging
and debugging purposes.

nbsrv([]) : integer

: integer

Returns the priority class of the current session for http mode or connection
for tcp mode. The value will be that set by the last call to "http-request
set-priority-class" or "tcp-request content set-priority-class".

prio_offset : integer

Returns the priority offset of the current session for http mode or
connection for tcp mode. The value will be that set by the last call to
"" or "tcp-request content
set-priority-offset".

proc : integer

Returns an integer value corresponding to the position of the process calling
the function, between 1 and global.nbproc. This is useful for logging and
debugging purposes.

([]) : integer

Returns the total number of queued connections of the designated backend,
including all the connections in server queues. If no backend name is
specified, the current one is used, but it is also possible to check another
one. This is useful with ACLs or to pass statistics to backend servers. This
can be used to take actions when queuing goes above a known level, generally
indicating a surge of traffic or a massive slowdown on the servers. One
possible action could be to reject new users but still accept old ones. See
also the "avg_queue", "", and "be_sess_rate" fetches.

([]) : integer

Returns a random integer value within a range of <range> possible values,
starting at zero. If the range is not specified, it defaults to 2^32, which
gives numbers between 0 and 4294967295. It can be useful to pass some values
needed to take some routing decisions for example, or just for debugging
purposes. This random must not be used for security purposes.

uuid([]) : string

Returns a UUID following the RFC4122 standard. If the version is not
specified, a UUID version 4 (fully random) is returned.
Currently, only version 4 is supported.

([/]) : integer

Returns an integer value corresponding to the number of currently established
connections on the designated server, possibly including the connection being
evaluated. If <backend> is omitted, then the server is looked up in the
current backend. It can be used to use a specific farm when one server is
full, or to inform the server about our view of the number of active
connections with it. See also the "fe_conn", "", "queue", and
"" fetch methods.

srv_conn_free([/]) : integer

Returns an integer value corresponding to the number of available connections
on the designated server, possibly including the connection being evaluated.
The value does not include queue slots. If <backend> is omitted, then the
server is looked up in the current backend. It can be used to use a specific
farm when one server is full, or to inform the server about our view of the
number of active connections with it. See also the "" and
"srv_conn" fetch methods.
 
OTHER CAVEATS AND NOTES: If the server maxconn is 0, then this fetch clearly
does not make sense, in which case the value returned will be -1.

([/]) : boolean

Returns true when the designated server is UP, and false when it is either
DOWN or in maintenance mode. If <backend> is omitted, then the server is
looked up in the current backend. It is mainly used to take action based on
an external status reported via a health check (e.g. a geographical site's
availability). Another possible use which is more of a hack consists in
using dummy servers as boolean variables that can be enabled or disabled from
the CLI, so that rules depending on those ACLs can be tweaked in realtime.

srv_queue([/]) : integer

Returns an integer value corresponding to the number of connections currently
pending in the designated server's queue. If <backend> is omitted, then the
server is looked up in the current backend. It can sometimes be used together
with the "" directive to force to use a known faster server when it
is not much loaded. See also the "srv_conn", "" and "queue" sample
fetch methods.

([/]) : integer

Returns an integer corresponding to the sessions creation rate on the
designated server, in number of new sessions per second. If <backend> is
omitted, then the server is looked up in the current backend. This is mostly
used with ACLs but can make sense with logs too. This is used to switch to an
alternate backend when an expensive or fragile one reaches too high a session
rate, or to limit abuse of service (e.g. prevent latent requests from
overloading servers).

Example :

# Redirect to a separate back
acl srv1_full srv_sess_rate(be1/srv1) gt 50
acl srv2_full srv_sess_rate(be1/srv2) gt 50
use_backend be2 if srv1_full or srv2_full

stopping : boolean

Returns TRUE if the process calling the function is currently stopping. This
can be useful for logging, or for relaxing certain checks or helping close
certain connections upon graceful shutdown.

() : string

Returns a string.

table_avl([

]) : integer

Returns the total number of available entries in the current proxy's
stick-table or in the designated stick-table. See also table_cnt.

([

]) : integer

Returns the total number of entries currently in use in the current proxy's
stick-table or in the designated stick-table. See also src_conn_cnt and
table_avl for other entry counting methods.

thread : integer

Returns an integer value corresponding to the position of the thread calling
the function, between 0 and (global.nbthread-1). This is useful for logging
and debugging purposes.

() : undefined

Returns a variable with the stored type. If the variable is not set, the
sample fetch fails. The name of the variable starts with an indication
about its scope. The scopes allowed are:
  "proc" : the variable is shared with the whole process
  "sess" : the variable is shared with the whole session
  "txn"  : the variable is shared with the transaction (request and
           response),
  "req"  : the variable is shared only during request processing,
  "res"  : the variable is shared only during response processing.
This prefix is followed by a name. The separator is a '.'. The name may only
contain characters 'a-z', 'A-Z', '0-9', '.' and '_'.

The layer 4 usually describes just the transport layer which in haproxy is
closest to the connection, where no content is yet made available. The fetch
methods described here are usable as low as the "" rule
sets unless they require some future information. Those generally include
TCP/IP addresses and ports, as well as elements from stick-tables related to
the incoming connection. For retrieving a value from a sticky counters, the
counter number can be explicitly set as 0, 1, or 2 using the pre-defined
"sc0_", "sc1_", or "sc2_" prefix. These three pre-defined prefixes can only be
used if MAX_SESS_STKCTR value does not exceed 3, otherwise the counter number
can be specified as the first integer argument when using the "sc_" prefix.
Starting from "sc_0" to "sc_N" where N is (MAX_SESS_STKCTR-1). An optional
table may be specified with the "sc*" form, in which case the currently
tracked key will be looked up into this alternate table instead of the table
currently being tracked.

bc_http_major : integer

Returns the backend connection's HTTP major version encoding, which may be 1
for HTTP/0.9 to HTTP/1.1 or 2 for HTTP/2. Note, this is based on the on-wire
encoding and not the version present in the request header.

: integer

Returns an integer containing the current backend's id. It can be used in
frontends with responses to check which backend processed the request.

be_name : string

Returns a string containing the current backend's name. It can be used in
frontends with responses to check which backend processed the request.

: ip

This is the destination IPv4 address of the connection on the client side,
which is the address the client connected to. It can be useful when running
in transparent mode. It is of type IP and works on both IPv4 and IPv6 tables.
On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent, according to
RFC 4291. When the incoming connection passed through address translation or
redirection involving connection tracking, the original destination address
before the redirection will be reported. On Linux systems, the source and
destination may seldom appear reversed if the nf_conntrack_tcp_loose sysctl
is set, because a late response may reopen a timed out connection and switch
what is believed to be the source and the destination.

dst_conn : integer

Returns an integer value corresponding to the number of currently established
connections on the same socket including the one being evaluated. It is
normally used with ACLs but can as well be used to pass the information to
servers in an HTTP header or in logs. It can be used to either return a sorry
page before hard-blocking, or to use a specific backend to drain new requests
when the socket is considered saturated. This offers the ability to assign
different limits to different listening ports or addresses. See also the
"" and "be_conn" fetches.

: boolean

Returns true if the destination address of the incoming connection is local
to the system, or false if the address doesn't exist on the system, meaning
that it was intercepted in transparent mode. It can be useful to apply
certain rules by default to forwarded traffic and other rules to the traffic
targeting the real address of the machine. For example the stats page could
be delivered only on this address, or SSH access could be locally redirected.
Please note that the check involves a few system calls, so it's better to do
it only once per connection.

dst_port : integer

Returns an integer value corresponding to the destination TCP port of the
connection on the client side, which is the port the client connected to.
This might be used when running in transparent mode, when assigning dynamic
ports to some clients for a whole application session, to stick all users to
a same server, or to pass the destination port information to a server using
an HTTP header.

: integer

Reports the front connection's HTTP major version encoding, which may be 1
for HTTP/0.9 to HTTP/1.1 or 2 for HTTP/2. Note, this is based on the on-wire
encoding and not on the version present in the request header.

fc_rcvd_proxy : boolean

Returns true if the client initiated the connection with a PROXY protocol
header.

() : integer

Returns the Round Trip Time (RTT) measured by the kernel for the client
connection. <unit> is facultative, by default the unit is milliseconds. <unit>
can be set to "ms" for milliseconds or "us" for microseconds. If the server
connection is not established, if the connection is not TCP or if the
operating system does not support TCP_INFO, for example Linux kernels before
2.4, the sample fetch fails.

fc_rttvar() : integer

Returns the Round Trip Time (RTT) variance measured by the kernel for the
client connection. <unit> is facultative, by default the unit is milliseconds.
<unit> can be set to "ms" for milliseconds or "us" for microseconds. If the
server connection is not established, if the connection is not TCP or if the
operating system does not support TCP_INFO, for example Linux kernels before
2.4, the sample fetch fails.

: integer

Returns the unacked counter measured by the kernel for the client connection.
If the server connection is not established, if the connection is not TCP or
if the operating system does not support TCP_INFO, for example Linux kernels
before 2.4, the sample fetch fails.

fc_sacked : integer

Returns the sacked counter measured by the kernel for the client connection.
If the server connection is not established, if the connection is not TCP or
if the operating system does not support TCP_INFO, for example Linux kernels
before 2.4, the sample fetch fails.

: integer

Returns the retransmits counter measured by the kernel for the client
connection. If the server connection is not established, if the connection is
not TCP or if the operating system does not support TCP_INFO, for example
Linux kernels before 2.4, the sample fetch fails.

fc_fackets : integer

Returns the fack counter measured by the kernel for the client
connection. If the server connection is not established, if the connection is
not TCP or if the operating system does not support TCP_INFO, for example
Linux kernels before 2.4, the sample fetch fails.

: integer

Returns the lost counter measured by the kernel for the client
connection. If the server connection is not established, if the connection is
not TCP or if the operating system does not support TCP_INFO, for example
Linux kernels before 2.4, the sample fetch fails.

fc_reordering : integer

Returns the reordering counter measured by the kernel for the client
connection. If the server connection is not established, if the connection is
not TCP or if the operating system does not support TCP_INFO, for example
Linux kernels before 2.4, the sample fetch fails.

: string

Returns a string containing the frontend's default backend name. It can be
used in frontends to check which backend will handle requests by default.

fe_id : integer

Returns an integer containing the current frontend's id. It can be used in
backends to check from which frontend it was called, or to stick all users
coming via a same frontend to the same server.

: string

Returns a string containing the current frontend's name. It can be used in
backends to check from which frontend it was called, or to stick all users
coming via a same frontend to the same server.

sc_bytes_in_rate([,

]) : integer

([

]) : integer

sc1_bytes_in_rate([

]) : integer

([

]) : integer

Returns the average client-to-server bytes rate from the currently tracked
counters, measured in amount of bytes over the period configured in the
table. See also src_bytes_in_rate.

sc_bytes_out_rate([,

]) : integer

([

]) : integer

sc1_bytes_out_rate([

]) : integer

([

]) : integer

Returns the average server-to-client bytes rate from the currently tracked
counters, measured in amount of bytes over the period configured in the
table. See also src_bytes_out_rate.

sc_clr_gpc0([,

]) : integer

([

]) : integer

sc2_clr_gpc0([

]) : integer

Clears the first General Purpose Counter associated to the currently tracked
counters, and returns its previous value. Before the first invocation, the
stored value is zero, so first invocation will always return zero. This is
typically used as a second ACL in an expression in order to mark a connection
when a first ACL was verified :

Example:

# block if 5 consecutive requests continue to come faster than 10 sess
# per second, and reset the counter as soon as the traffic slows down.
acl abuse sc0_http_req_rate gt 10
acl kill  sc0_inc_gpc0 gt 5
acl save  sc0_clr_gpc0 ge 0
tcp-request connection accept if !abuse save
tcp-request connection reject if abuse kill

([,

]) : integer

sc0_clr_gpc1([

]) : integer

([

]) : integer

sc2_clr_gpc1([

]) : integer

Clears the second General Purpose Counter associated to the currently tracked
counters, and returns its previous value. Before the first invocation, the
stored value is zero, so first invocation will always return zero. This is
typically used as a second ACL in an expression in order to mark a connection
when a first ACL was verified.

([,

]) : integer

sc0_conn_cnt([

]) : integer

([

]) : integer

sc2_conn_cnt([

]) : integer

Returns the cumulative number of incoming connections from currently tracked
counters. See also src_conn_cnt.

([,

]) : integer

sc0_conn_cur([

]) : integer

([

]) : integer

sc2_conn_cur([

]) : integer

Returns the current amount of concurrent connections tracking the same
tracked counters. This number is automatically incremented when tracking
begins and decremented when tracking stops. See also src_conn_cur.

([,

]) : integer

sc0_conn_rate([

]) : integer

([

]) : integer

sc2_conn_rate([

]) : integer

Returns the average connection rate from the currently tracked counters,
measured in amount of connections over the period configured in the table.
See also src_conn_rate.

([,

]) : integer

sc0_get_gpc0([

]) : integer

([

]) : integer

sc2_get_gpc0([

]) : integer

Returns the value of the first General Purpose Counter associated to the
currently tracked counters. See also src_get_gpc0 and sc/sc0/sc1/sc2_inc_gpc0.

([,

]) : integer

sc0_get_gpc1([

]) : integer

([

]) : integer

sc2_get_gpc1([

]) : integer

Returns the value of the second General Purpose Counter associated to the
currently tracked counters. See also src_get_gpc1 and sc/sc0/sc1/sc2_inc_gpc1.

([,

]) : integer

sc0_get_gpt0([

]) : integer

([

]) : integer

sc2_get_gpt0([

]) : integer

Returns the value of the first General Purpose Tag associated to the
currently tracked counters. See also src_get_gpt0.

([,

]) : integer

sc0_gpc0_rate([

]) : integer

([

]) : integer

sc2_gpc0_rate([

]) : integer

Returns the average increment rate of the first General Purpose Counter
associated to the currently tracked counters. It reports the frequency
which the gpc0 counter was incremented over the configured period. See also
src_gpc0_rate, sc/sc0/sc1/sc2_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note
that the "gpc0_rate" counter must be stored in the stick-table for a value to
be returned, as "gpc0" only holds the event count.

([,

]) : integer

sc0_gpc1_rate([

]) : integer

([

]) : integer

sc2_gpc1_rate([

]) : integer

Returns the average increment rate of the second General Purpose Counter
associated to the currently tracked counters. It reports the frequency
which the gpc1 counter was incremented over the configured period. See also
src_gpcA_rate, sc/sc0/sc1/sc2_get_gpc1, and sc/sc0/sc1/sc2_inc_gpc1. Note
that the "gpc1_rate" counter must be stored in the stick-table for a value to
be returned, as "gpc1" only holds the event count.

([,

]) : integer

sc0_http_err_cnt([

]) : integer

([

]) : integer

sc2_http_err_cnt([

]) : integer

Returns the cumulative number of HTTP errors from the currently tracked
counters. This includes the both request errors and 4xx error responses.
See also src_http_err_cnt.

([,

]) : integer

sc0_http_err_rate([

]) : integer

([

]) : integer

sc2_http_err_rate([

]) : integer

Returns the average rate of HTTP errors from the currently tracked counters,
measured in amount of errors over the period configured in the table. This
includes the both request errors and 4xx error responses. See also
src_http_err_rate.

([,

]) : integer

sc0_http_req_cnt([

]) : integer

([

]) : integer

sc2_http_req_cnt([

]) : integer

Returns the cumulative number of HTTP requests from the currently tracked
counters. This includes every started request, valid or not. See also
src_http_req_cnt.

([,

]) : integer

sc0_http_req_rate([

]) : integer

([

]) : integer

sc2_http_req_rate([

]) : integer

Returns the average rate of HTTP requests from the currently tracked
counters, measured in amount of requests over the period configured in
the table. This includes every started request, valid or not. See also
src_http_req_rate.

([,

]) : integer

sc0_inc_gpc0([

]) : integer

([

]) : integer

sc2_inc_gpc0([

]) : integer

Increments the first General Purpose Counter associated to the currently
tracked counters, and returns its new value. Before the first invocation,
the stored value is zero, so first invocation will increase it to 1 and will
return 1. This is typically used as a second ACL in an expression in order
to mark a connection when a first ACL was verified :

Example:

acl abuse sc0_http_req_rate gt 10
acl kill  sc0_inc_gpc0 gt 0
tcp-request connection reject if abuse kill

([,

]) : integer

sc0_inc_gpc1([

]) : integer

([

]) : integer

sc2_inc_gpc1([

]) : integer

Increments the second General Purpose Counter associated to the currently
tracked counters, and returns its new value. Before the first invocation,
the stored value is zero, so first invocation will increase it to 1 and will
return 1. This is typically used as a second ACL in an expression in order
to mark a connection when a first ACL was verified.

([,

]) : integer

sc0_kbytes_in([

]) : integer

([

]) : integer

sc2_kbytes_in([

]) : integer

Returns the total amount of client-to-server data from the currently tracked
counters, measured in kilobytes. The test is currently performed on 32-bit
integers, which limits values to 4 terabytes. See also src_kbytes_in.

([,

]) : integer

sc0_kbytes_out([

]) : integer

([

]) : integer

sc2_kbytes_out([

]) : integer

Returns the total amount of server-to-client data from the currently tracked
counters, measured in kilobytes. The test is currently performed on 32-bit
integers, which limits values to 4 terabytes. See also src_kbytes_out.

([,

]) : integer

sc0_sess_cnt([

]) : integer

([

]) : integer

sc2_sess_cnt([

]) : integer

Returns the cumulative number of incoming connections that were transformed
into sessions, which means that they were accepted by a "tcp-request
connection" rule, from the currently tracked counters. A backend may count
more sessions than connections because each connection could result in many
backend sessions if some HTTP keep-alive is performed over the connection
with the client. See also src_sess_cnt.

([,

]) : integer

sc0_sess_rate([

]) : integer

([

]) : integer

sc2_sess_rate([

]) : integer

Returns the average session rate from the currently tracked counters,
measured in amount of sessions over the period configured in the table. A
session is a connection that got past the early ""
rules. A backend may count more sessions than connections because each
connection could result in many backend sessions if some HTTP keep-alive is
performed over the connection with the client. See also src_sess_rate.

sc_tracked([,

]) : boolean

([

]) : boolean

sc1_tracked([

]) : boolean

([

]) : boolean

Returns true if the designated session counter is currently being tracked by
the current session. This can be useful when deciding whether or not we want
to set some values in a header passed to the server.

sc_trackers([,

]) : integer

([

]) : integer

sc1_trackers([

]) : integer

([

]) : integer

Returns the current amount of concurrent connections tracking the same
tracked counters. This number is automatically incremented when tracking
begins and decremented when tracking stops. It differs from sc0_conn_cur in
that it does not rely on any stored information but on the table's reference
count (the "use" value which is returned by "show table" on the CLI). This
may sometimes be more suited for layer7 tracking. It can be used to tell a
server how many concurrent connections there are from a given address for
example.

so_id : integer

Returns an integer containing the current listening socket's id. It is useful
in frontends involving many "This keyword is available in sections :
Peers
" lines, or to stick all users coming via a
same socket to the same server.

so_name : string

Returns a string containing the current listening socket's name, as defined
with name on a "This keyword is available in sections :
Peers
" line. It can serve the same purposes as so_id but with
strings instead of integers.

src : ip

This is the source IPv4 address of the client of the session. It is of type
IP and works on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 addresses are
mapped to their IPv6 equivalent, according to RFC 4291. Note that it is the
TCP-level source address which is used, and not the address of a client
behind a proxy. However if the "" or "accept-netscaler-cip" bind
directive is used, it can be the address of a client behind another
PROXY-protocol compatible component for all rule sets except
"" which sees the real address. When the incoming
connection passed through address translation or redirection involving
connection tracking, the original destination address before the redirection
will be reported. On Linux systems, the source and destination may seldom
appear reversed if the nf_conntrack_tcp_loose sysctl is set, because a late
response may reopen a timed out connection and switch what is believed to be
the source and the destination.

Example:

# add an HTTP header in requests with the originating address' country
http-request set-header X-Country %[src,map_ip(geoip.lst)]

src_bytes_in_rate([

]) : integer

Returns the average bytes rate from the incoming connection's source address
in the current proxy's stick-table or in the designated stick-table, measured
in amount of bytes over the period configured in the table. If the address is
not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_in_rate.

([

]) : integer

Returns the average bytes rate to the incoming connection's source address in
the current proxy's stick-table or in the designated stick-table, measured in
amount of bytes over the period configured in the table. If the address is
not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_out_rate.

src_clr_gpc0([

]) : integer

Clears the first General Purpose Counter associated to the incoming
connection's source address in the current proxy's stick-table or in the
designated stick-table, and returns its previous value. If the address is not
found, an entry is created and 0 is returned. This is typically used as a
second ACL in an expression in order to mark a connection when a first ACL
was verified :

Example:

# block if 5 consecutive requests continue to come faster than 10 sess
# per second, and reset the counter as soon as the traffic slows down.
acl abuse src_http_req_rate gt 10
acl save  src_clr_gpc0 ge 0
tcp-request connection accept if !abuse save
tcp-request connection reject if abuse kill

([

]) : integer

Clears the second General Purpose Counter associated to the incoming
connection's source address in the current proxy's stick-table or in the
designated stick-table, and returns its previous value. If the address is not
found, an entry is created and 0 is returned. This is typically used as a
second ACL in an expression in order to mark a connection when a first ACL
was verified.

src_conn_cnt([

]) : integer

Returns the cumulative number of connections initiated from the current
incoming connection's source address in the current proxy's stick-table or in
the designated stick-table. If the address is not found, zero is returned.
See also sc/sc0/sc1/sc2_conn_cnt.

([

]) : integer

Returns the current amount of concurrent connections initiated from the
current incoming connection's source address in the current proxy's
stick-table or in the designated stick-table. If the address is not found,
zero is returned. See also sc/sc0/sc1/sc2_conn_cur.

src_conn_rate([

]) : integer

Returns the average connection rate from the incoming connection's source
address in the current proxy's stick-table or in the designated stick-table,
measured in amount of connections over the period configured in the table. If
the address is not found, zero is returned. See also sc/sc0/sc1/sc2_conn_rate.

([

]) : integer

Returns the value of the first General Purpose Counter associated to the
incoming connection's source address in the current proxy's stick-table or in
the designated stick-table. If the address is not found, zero is returned.
See also sc/sc0/sc1/sc2_get_gpc0 and src_inc_gpc0.

src_get_gpc1([

]) : integer

Returns the value of the second General Purpose Counter associated to the
incoming connection's source address in the current proxy's stick-table or in
the designated stick-table. If the address is not found, zero is returned.
See also sc/sc0/sc1/sc2_get_gpc1 and src_inc_gpc1.

([

]) : integer

Returns the value of the first General Purpose Tag associated to the
incoming connection's source address in the current proxy's stick-table or in
the designated stick-table. If the address is not found, zero is returned.
See also sc/sc0/sc1/sc2_get_gpt0.

src_gpc0_rate([

]) : integer

Returns the average increment rate of the first General Purpose Counter
associated to the incoming connection's source address in the current proxy's
stick-table or in the designated stick-table. It reports the frequency
which the gpc0 counter was incremented over the configured period. See also
sc/sc0/sc1/sc2_gpc0_rate, src_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note
that the "gpc0_rate" counter must be stored in the stick-table for a value to
be returned, as "gpc0" only holds the event count.

([

]) : integer

Returns the average increment rate of the second General Purpose Counter
associated to the incoming connection's source address in the current proxy's
stick-table or in the designated stick-table. It reports the frequency
which the gpc1 counter was incremented over the configured period. See also
sc/sc0/sc1/sc2_gpc1_rate, src_get_gpc1, and sc/sc0/sc1/sc2_inc_gpc1. Note
that the "gpc1_rate" counter must be stored in the stick-table for a value to
be returned, as "gpc1" only holds the event count.

]) : integer

Returns the cumulative number of HTTP errors from the incoming connection's
source address in the current proxy's stick-table or in the designated
stick-table. This includes the both request errors and 4xx error responses.
See also sc/sc0/sc1/sc2_http_err_cnt. If the address is not found, zero is
returned.

src_http_err_rate([

]) : integer

Returns the average rate of HTTP errors from the incoming connection's source
address in the current proxy's stick-table or in the designated stick-table,
measured in amount of errors over the period configured in the table. This
includes the both request errors and 4xx error responses. If the address is
not found, zero is returned. See also sc/sc0/sc1/sc2_http_err_rate.

([

]) : integer

Returns the cumulative number of HTTP requests from the incoming connection's
source address in the current proxy's stick-table or in the designated stick-
table. This includes every started request, valid or not. If the address is
not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_cnt.

src_http_req_rate([

]) : integer

Returns the average rate of HTTP requests from the incoming connection's
source address in the current proxy's stick-table or in the designated stick-
table, measured in amount of requests over the period configured in the
table. This includes every started request, valid or not. If the address is
not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_rate.

([

]) : integer

Increments the first General Purpose Counter associated to the incoming
connection's source address in the current proxy's stick-table or in the
designated stick-table, and returns its new value. If the address is not
found, an entry is created and 1 is returned. See also sc0/sc2/sc2_inc_gpc0.
This is typically used as a second ACL in an expression in order to mark a
connection when a first ACL was verified :

Example:

acl abuse src_http_req_rate gt 10
acl kill  src_inc_gpc0 gt 0
tcp-request connection reject if abuse kill

src_inc_gpc1([

]) : integer

Increments the second General Purpose Counter associated to the incoming
connection's source address in the current proxy's stick-table or in the
designated stick-table, and returns its new value. If the address is not
found, an entry is created and 1 is returned. See also sc0/sc2/sc2_inc_gpc1.
This is typically used as a second ACL in an expression in order to mark a
connection when a first ACL was verified.

: boolean

Returns true if the source address of the incoming connection is local to the
system, or false if the address doesn't exist on the system, meaning that it
comes from a remote machine. Note that UNIX addresses are considered local.
It can be useful to apply certain access restrictions based on where the
client comes from (e.g. require auth or https for remote machines). Please
note that the check involves a few system calls, so it's better to do it only
once per connection.

src_kbytes_in([

]) : integer

Returns the total amount of data received from the incoming connection's
source address in the current proxy's stick-table or in the designated
stick-table, measured in kilobytes. If the address is not found, zero is
returned. The test is currently performed on 32-bit integers, which limits
values to 4 terabytes. See also sc/sc0/sc1/sc2_kbytes_in.

([

]) : integer

Returns the total amount of data sent to the incoming connection's source
address in the current proxy's stick-table or in the designated stick-table,
measured in kilobytes. If the address is not found, zero is returned. The
test is currently performed on 32-bit integers, which limits values to 4
terabytes. See also sc/sc0/sc1/sc2_kbytes_out.

src_port : integer

Returns an integer value corresponding to the TCP source port of the
connection on the client side, which is the port the client connected from.
Usage of this function is very limited as modern protocols do not care much
about source ports nowadays.

([

]) : integer

Returns the cumulative number of connections initiated from the incoming
connection's source IPv4 address in the current proxy's stick-table or in the
designated stick-table, that were transformed into sessions, which means that
they were accepted by "tcp-request" rules. If the address is not found, zero
is returned. See also sc/sc0/sc1/sc2_sess_cnt.

([

]) : integer

Returns the average session rate from the incoming connection's source
address in the current proxy's stick-table or in the designated stick-table,
measured in amount of sessions over the period configured in the table. A
session is a connection that went past the early "tcp-request" rules. If the
address is not found, zero is returned. See also sc/sc0/sc1/sc2_sess_rate.

([

]) : integer

Creates or updates the entry associated to the incoming connection's source
address in the current proxy's stick-table or in the designated stick-table.
This table must be configured to store the "conn_cnt" data type, otherwise
the match will be ignored. The current count is incremented by one, and the
expiration timer refreshed. The updated count is returned, so this match
can't return zero. This was used to reject service abusers based on their
source address. Note: it is recommended to use the more complete "track-sc*"
actions in "tcp-request" rules instead.

Example :

# This frontend limits incoming SSH connections to 3 per 10 second for
# each source address, and rejects excess connections until a 10 second
# silence is observed. At most 20 addresses are tracked.
listen ssh
    bind :22
    mode tcp
    maxconn 100
    stick-table type ip size 20 expire 10s store conn_cnt
    tcp-request content reject if { src_updt_conn_cnt gt 3 }
    server local 127.0.0.1:22

: integer

Returns an integer containing the server's id when processing the response.
While it's almost only used with ACLs, it may be used for logging or
debugging.

7.3.4. Fetching samples at Layer 5

The layer 5 usually describes just the session layer which in haproxy is
closest to the session once all the connection handshakes are finished, but
when no content is yet made available. The fetch methods described here are
usable as low as the "" rule sets unless they require some
future information. Those generally include the results of SSL negotiations.

51d.all([,*]) : string

Returns values for the properties requested as a string, where values are
separated by the delimiter specified with "".
The device is identified using all the important HTTP headers from the
request. The function can be passed up to five property names, and if a
property name can't be found, the value "NoData" is returned.

Example :

# Here the header "X-51D-DeviceTypeMobileTablet" is added to the request
# containing the three properties requested using all relevant headers from
# the request.
frontend http-in
  bind *:8081
  default_backend servers
  http-request set-header X-51D-DeviceTypeMobileTablet \
    %[51d.all(DeviceType,IsMobile,IsTablet)]

ssl_bc : boolean

Returns true when the back connection was made via an SSL/TLS transport
layer and is locally deciphered. This means the outgoing connection was made
other a server with the "This keyword is available in sections :
Bind options
" option.

ssl_bc_alg_keysize : integer

Returns the symmetric cipher key size supported in bits when the outgoing
connection was made over an SSL/TLS transport layer.

: string

This extracts the Application Layer Protocol Negotiation field from an
outgoing connection made via a TLS transport layer.
The result is a string containing the protocol name negotiated with the
server. The SSL library must have been built with support for TLS
extensions enabled (check haproxy -vv). Note that the TLS ALPN extension is
not advertised unless the "alpnThis keyword is available in sections :
Server and default-server options
" keyword on the "This keyword is available in sections :
Peers
" line specifies a
protocol list. Also, nothing forces the server to pick a protocol from this
list, any other one may be requested. The TLS ALPN extension is meant to
replace the TLS NPN extension. See also "ssl_bc_npn".

: string

Returns the name of the used cipher when the outgoing connection was made
over an SSL/TLS transport layer.

ssl_bc_client_random : binary

Returns the client random of the back connection when the incoming connection
was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.

: boolean

Returns true when the back connection was made over an SSL/TLS transport
layer and the newly created SSL session was resumed using a cached
session or a TLS ticket.

ssl_bc_npn : string

This extracts the Next Protocol Negotiation field from an outgoing connection
made via a TLS transport layer. The result is a string containing the
protocol name negotiated with the server . The SSL library must have been
built with support for TLS extensions enabled (check haproxy -vv). Note that
the TLS NPN extension is not advertised unless the "This keyword is available in sections :
Bind options
" keyword on the
"serverThis keyword is available in sections :
Alphabetically sorted keywords reference
" line specifies a protocol list. Also, nothing forces the server to
pick a protocol from this list, any other one may be used. Please note that
the TLS NPN extension was replaced with ALPN.

: string

Returns the name of the used protocol when the outgoing connection was made
over an SSL/TLS transport layer.

ssl_bc_unique_id : binary

When the outgoing connection was made over an SSL/TLS transport layer,
returns the TLS unique ID as defined in RFC5929 . The unique id
can be encoded to base64 using the converter: "ssl_bc_unique_id,base64".

ssl_bc_server_random : binary

Returns the server random of the back connection when the incoming connection
was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.

: binary

Returns the SSL ID of the back connection when the outgoing connection was
made over an SSL/TLS transport layer. It is useful to log if we want to know
if session was reused or not.

ssl_bc_session_key : binary

Returns the SSL session master key of the back connection when the outgoing
connection was made over an SSL/TLS transport layer. It is useful to decrypt
traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
BoringSSL.

: integer

Returns the symmetric cipher key size used in bits when the outgoing
connection was made over an SSL/TLS transport layer.

ssl_c_ca_err : integer

When the incoming connection was made over an SSL/TLS transport layer,
returns the ID of the first error detected during verification of the client
certificate at depth > 0, or 0 if no error was encountered during this
verification process. Please refer to your SSL library's documentation to
find the exhaustive list of error codes.

: integer

When the incoming connection was made over an SSL/TLS transport layer,
returns the depth in the CA chain of the first error detected during the
verification of the client certificate. If no error is encountered, 0 is
returned.

ssl_c_der : binary

Returns the DER formatted certificate presented by the client when the
incoming connection was made over an SSL/TLS transport layer. When used for
an ACL, the value(s) to match against can be passed in hexadecimal form.

: integer

When the incoming connection was made over an SSL/TLS transport layer,
returns the ID of the first error detected during verification at depth 0, or
0 if no error was encountered during this verification process. Please refer
to your SSL library's documentation to find the exhaustive list of error
codes.

ssl_c_i_dn([[,]]) : string

When the incoming connection was made over an SSL/TLS transport layer,
returns the full distinguished name of the issuer of the certificate
presented by the client when no <entry> is specified, or the value of the
first given entry found from the beginning of the DN. If a positive/negative
occurrence number is specified as the optional second argument, it returns
the value of the nth given entry value from the beginning/end of the DN.
For instance, "ssl_c_i_dn(OU,2)" the second organization unit, and
"ssl_c_i_dn(CN)" retrieves the common name.

: string

Returns the name of the algorithm used to generate the key of the certificate
presented by the client when the incoming connection was made over an SSL/TLS
transport layer.

ssl_c_notafter : string

Returns the end date presented by the client as a formatted string
YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
transport layer.

: string

Returns the start date presented by the client as a formatted string
YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
transport layer.

ssl_c_s_dn([[,]]) : string

When the incoming connection was made over an SSL/TLS transport layer,
returns the full distinguished name of the subject of the certificate
presented by the client when no <entry> is specified, or the value of the
first given entry found from the beginning of the DN. If a positive/negative
occurrence number is specified as the optional second argument, it returns
the value of the nth given entry value from the beginning/end of the DN.
For instance, "ssl_c_s_dn(OU,2)" the second organization unit, and
"ssl_c_s_dn(CN)" retrieves the common name.

: binary

Returns the serial of the certificate presented by the client when the
incoming connection was made over an SSL/TLS transport layer. When used for
an ACL, the value(s) to match against can be passed in hexadecimal form.

ssl_c_sha1 : binary

Example:

http-request set-header X-SSL-Client-SHA1 %[ssl_c_sha1,hex]

: string

Returns the name of the algorithm used to sign the certificate presented by
the client when the incoming connection was made over an SSL/TLS transport
layer.

ssl_c_used : boolean

Returns true if current SSL session uses a client certificate even if current
connection uses SSL session resumption. See also "".

ssl_c_verify : integer

Returns the verify result error ID when the incoming connection was made over
an SSL/TLS transport layer, otherwise zero if no error is encountered. Please
refer to your SSL library's documentation for an exhaustive list of error
codes.

: integer

Returns the version of the certificate presented by the client when the
incoming connection was made over an SSL/TLS transport layer.

ssl_f_der : binary

Returns the DER formatted certificate presented by the frontend when the
incoming connection was made over an SSL/TLS transport layer. When used for
an ACL, the value(s) to match against can be passed in hexadecimal form.

([[,]]) : string

When the incoming connection was made over an SSL/TLS transport layer,
returns the full distinguished name of the issuer of the certificate
presented by the frontend when no <entry> is specified, or the value of the
first given entry found from the beginning of the DN. If a positive/negative
occurrence number is specified as the optional second argument, it returns
the value of the nth given entry value from the beginning/end of the DN.
For instance, "ssl_f_i_dn(OU,2)" the second organization unit, and
"ssl_f_i_dn(CN)" retrieves the common name.

ssl_f_key_alg : string

Returns the name of the algorithm used to generate the key of the certificate
presented by the frontend when the incoming connection was made over an
SSL/TLS transport layer.

: string

Returns the end date presented by the frontend as a formatted string
YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
transport layer.

ssl_f_notbefore : string

Returns the start date presented by the frontend as a formatted string
YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS
transport layer.

([[,]]) : string

When the incoming connection was made over an SSL/TLS transport layer,
returns the full distinguished name of the subject of the certificate
presented by the frontend when no <entry> is specified, or the value of the
first given entry found from the beginning of the DN. If a positive/negative
occurrence number is specified as the optional second argument, it returns
the value of the nth given entry value from the beginning/end of the DN.
"ssl_f_s_dn(CN)" retrieves the common name.

ssl_f_serial : binary

Returns the serial of the certificate presented by the frontend when the
incoming connection was made over an SSL/TLS transport layer. When used for
an ACL, the value(s) to match against can be passed in hexadecimal form.

: binary

Returns the SHA-1 fingerprint of the certificate presented by the frontend
when the incoming connection was made over an SSL/TLS transport layer. This
can be used to know which certificate was chosen using SNI.

ssl_f_sig_alg : string

Returns the name of the algorithm used to sign the certificate presented by
the frontend when the incoming connection was made over an SSL/TLS transport
layer.

: integer

Returns the version of the certificate presented by the frontend when the
incoming connection was made over an SSL/TLS transport layer.

ssl_fc : boolean

Returns true when the front connection was made via an SSL/TLS transport
layer and is locally deciphered. This means it has matched a socket declared
with a "This keyword is available in sections :
Peers
" line having the "sslThis keyword is available in sections :
Server and default-server options
" option.

Example :

# This passes "X-Proto: https" to servers when client connects over SSL
listen http-https
    bind :80
    bind :443 ssl crt /etc/haproxy.pem
    http-request add-header X-Proto https if { ssl_fc }

: integer

Returns the symmetric cipher key size supported in bits when the incoming
connection was made over an SSL/TLS transport layer.

ssl_fc_alpn : string

This extracts the Application Layer Protocol Negotiation field from an
incoming connection made via a TLS transport layer and locally deciphered by
haproxy. The result is a string containing the protocol name advertised by
the client. The SSL library must have been built with support for TLS
extensions enabled (check haproxy -vv). Note that the TLS ALPN extension is
not advertised unless the "This keyword is available in sections :
Bind options
" keyword on the "bindThis keyword is available in sections :
Alphabetically sorted keywords reference
" line specifies a
protocol list. Also, nothing forces the client to pick a protocol from this
list, any other one may be requested. The TLS ALPN extension is meant to
replace the TLS NPN extension. See also "".

ssl_fc_cipher : string

Returns the name of the used cipher when the incoming connection was made
over an SSL/TLS transport layer.

: binary

Returns the binary form of the client hello cipher list. The maximum returned
value length is according with the value of
"tune.ssl.capture-cipherlist-size".

: string

Returns the binary form of the client hello cipher list encoded as
hexadecimal. The maximum returned value length is according with the value of
"tune.ssl.capture-cipherlist-size".

: string

Returns the decoded text form of the client hello cipher list. The maximum
number of ciphers returned is according with the value of
"tune.ssl.capture-cipherlist-size". Note that this sample-fetch is only
available with OpenSSL >= 1.0.2. If the function is not enabled, this
sample-fetch returns the hash like "".

ssl_fc_cipherlist_xxh : integer

Returns a xxh64 of the cipher list. This hash can be return only is the value
"" is set greater than 0, however the hash
take in account all the data of the cipher list.

ssl_fc_client_random : binary

Returns the client random of the front connection when the incoming connection
was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.

: boolean

Returns true if a client certificate is present in an incoming connection over
SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
Note: on SSL session resumption with Session ID or TLS ticket, client
certificate is not present in the current connection but may be retrieved
from the cache or the ticket. So prefer "ssl_c_used" if you want to check if
current SSL session uses a client certificate.

: boolean

Returns true if early data were sent, and the handshake didn't happen yet. As
it has security implications, it is useful to be able to refuse those, or
wait until the handshake happened.

ssl_fc_has_sni : boolean

This checks for the presence of a Server Name Indication TLS extension (SNI)
in an incoming connection was made over an SSL/TLS transport layer. Returns
true when the incoming connection presents a TLS SNI field. This requires
that the SSL library is built with support for TLS extensions enabled (check
haproxy -vv).

: boolean

Returns true if the SSL/TLS session has been resumed through the use of
SSL session cache or TLS tickets on an incoming connection over an SSL/TLS
transport layer.

ssl_fc_npn : string

This extracts the Next Protocol Negotiation field from an incoming connection
made via a TLS transport layer and locally deciphered by haproxy. The result
is a string containing the protocol name advertised by the client. The SSL
library must have been built with support for TLS extensions enabled (check
haproxy -vv). Note that the TLS NPN extension is not advertised unless the
"This keyword is available in sections :
Bind options
" keyword on the "bindThis keyword is available in sections :
Alphabetically sorted keywords reference
" line specifies a protocol list. Also, nothing
forces the client to pick a protocol from this list, any other one may be
requested. Please note that the TLS NPN extension was replaced with ALPN.

: string

Returns the name of the used protocol when the incoming connection was made
over an SSL/TLS transport layer.

ssl_fc_unique_id : binary

When the incoming connection was made over an SSL/TLS transport layer,
returns the TLS unique ID as defined in RFC5929 . The unique id
can be encoded to base64 using the converter: "ssl_bc_unique_id,base64".

ssl_fc_server_random : binary

Returns the server random of the front connection when the incoming connection
was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.

: binary

Returns the SSL ID of the front connection when the incoming connection was
made over an SSL/TLS transport layer. It is useful to stick a given client to
a server. It is important to note that some browsers refresh their session ID
every few minutes.

ssl_fc_session_key : binary

Returns the SSL session master key of the front connection when the incoming
connection was made over an SSL/TLS transport layer. It is useful to decrypt
traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
BoringSSL.

: string

This extracts the Server Name Indication TLS extension (SNI) field from an
incoming connection made via an SSL/TLS transport layer and locally
deciphered by haproxy. The result (when present) typically is a string
matching the HTTPS host name (253 chars or less). The SSL library must have
been built with support for TLS extensions enabled (check haproxy -vv).
 
This fetch is different from "req_ssl_sni" above in that it applies to the
connection being deciphered by haproxy and not to SSL contents being blindly
forwarded. See also "ssl_fc_sni_end" and "ssl_fc_sni_reg" below. This
requires that the SSL library is built with support for TLS extensions
enabled (check haproxy -vv).
 
ACL derivatives :
  ssl_fc_sni_end : suffix match
  ssl_fc_sni_reg : regex match

: integer

Returns the symmetric cipher key size used in bits when the incoming
connection was made over an SSL/TLS transport layer.

Fetching samples from buffer contents is a bit different from the previous
sample fetches above because the sampled data are ephemeral. These data can
only be used when they're available and will be lost when they're forwarded.
For this reason, samples fetched from buffer contents during a request cannot
be used in a response for example. Even while the data are being fetched, they
can change. Sometimes it is necessary to set some delays or combine multiple
sample fetch methods to ensure that the expected data are complete and usable,
for example through TCP request content inspection. Please see the "tcp-request
content" keyword for more detailed information on the subject.

payload(,) : binary (deprecated)

This is an alias for "" when used in the context of a request (e.g.
"stick on", ""), and for "res.payload" when used in the context of
a response such as in "stick store response".

(,[,]) : binary (deprecated)

This is an alias for "req.payload_lv" when used in the context of a request
(e.g. "", "stick match"), and for "" when used in the
context of a response such as in "stick store response".

req.hdrs : string

Returns the current request headers as string including the last empty line
separating headers from the request body. The last empty line can be used to
detect a truncated header block. This sample fetch is useful for some SPOE
headers analyzers and for advanced logging.

: binary

Returns the current request headers contained in preparsed binary form. This
is useful for offloading some processing with SPOE. Each string is described
by a length followed by the number of bytes indicated in the length. The
length is represented using the variable integer encoding detailed in the
SPOE documentation. The end of the list is marked by a couple of empty header
names and values (length of 0 for both).
 
*(<str:header-name><str:header-value>)<empty string><empty string>
 
int:  refer to the SPOE documentation for the encoding
str:  <int:length><bytes>

req.len : integer

: integer (deprecated)

Returns an integer value corresponding to the number of bytes present in the
request buffer. This is mostly used in ACL. It is important to understand
that this test does not return false as long as the buffer is changing. This
means that a check with equality to zero will almost always immediately match
at the beginning of the session, while a test for more data will wait for
that data to come in and return false only when haproxy is certain that no
more data will come in. This test was designed to be used with TCP request
content inspection.

req.payload(,) : binary

This extracts a binary block of <length> bytes and starting at byte <offset>
in the request buffer. As a special case, if the <length> argument is zero,
the the whole buffer from <offset> to the end is extracted. This can be used
with ACLs in order to check for the presence of some content in a buffer at
any location.
 
ACL alternatives :
  payload(<offset>,<length>) : hex binary match

(,[,]) : binary

This extracts a binary block whose size is specified at <offset1> for <length>
bytes, and which starts at <offset2> if specified or just after the length in
the request buffer. The <offset2> parameter also supports relative offsets if
prepended with a '+' or '-' sign.
 
ACL alternatives :
  payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match

Example :

please consult the example from the "stick store-response" keyword.

: boolean

req_proto_http : boolean (deprecated)

Returns true when data in the request buffer look like HTTP and correctly
parses as such. It is the same parser as the common HTTP request parser which
is used so there should be no surprises. The test does not match until the
request is complete, failed or timed out. This test may be used to report the
protocol in TCP logs, but the biggest use is to block TCP request analysis
until a complete HTTP request is present in the buffer, for example to track
a header.

Example:

# track request counts per "base" (concatenation of Host+URL)
tcp-request inspect-delay 10s
tcp-request content reject if !HTTP
tcp-request content track-sc0 base table req-rate

([]) : string

rdp_cookie([]) : string (deprecated)

When the request buffer looks like the RDP protocol, extracts the RDP cookie
<name>, or any cookie if unspecified. The parser only checks for the first
cookie, as illustrated in the RDP protocol specification. The cookie name is
case insensitive. Generally the "MSTS" cookie name will be used, as it can
contain the user name of the client connecting to the server if properly
configured on the client. The "MSTSHASH" cookie is often used as well for
session stickiness to servers.
 
This differs from "balance rdp-cookie" in that any balancing algorithm may be
used and thus the distribution of clients to backend servers is not linked to
a hash of the RDP cookie. It is envisaged that using a balancing algorithm
such as "balance roundrobin" or "balance leastconn" will lead to a more even
distribution of clients to backend servers than the hash used by "balance
rdp-cookie".
 
ACL derivatives :
  req_rdp_cookie([<name>]) : exact string match

Example :

listen tse-farm
    bind 0.0.0.0:3389
    # wait up to 5s for an RDP cookie in the request
    tcp-request inspect-delay 5s
    tcp-request content accept if RDP_COOKIE
    # apply RDP cookie persistence
    persist rdp-cookie
    # Persist based on the mstshash cookie
    # This is only useful makes sense if
    # balance rdp-cookie is not used
    stick-table type string size 204800
    stick on req.rdp_cookie(mstshash)
    server srv1 1.1.1.1:3389
    server srv1 1.1.1.2:3389

See also : “balance rdp-cookie”, ““, “tcp-request“ and the “req_rdp_cookie” ACL.

([name]) : integer

rdp_cookie_cnt([name]) : integer (deprecated)

Tries to parse the request buffer as RDP protocol, then returns an integer
corresponding to the number of RDP cookies found. If an optional cookie name
is passed, only cookies matching this name are considered. This is mostly
used in ACL.
 
ACL derivatives :
  req_rdp_cookie_cnt([<name>]) : integer match

: string

Returns a string containing the values of the Application-Layer Protocol
Negotiation (ALPN) TLS extension (RFC7301), sent by the client within the SSL
ClientHello message. Note that this only applies to raw contents found in the
request buffer and not to the contents deciphered via an SSL data layer, so
this will not work with "bindThis keyword is available in sections :
Alphabetically sorted keywords reference
" lines having the "This keyword is available in sections :
Bind options
" option. This is useful
in ACL to make a routing decision based upon the ALPN preferences of a TLS
client, like in the example below. See also "ssl_fc_alpn".

Examples :

# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend bk_acme if { req.ssl_alpn acme-tls/1 }
default_backend bk_default

: boolean

Returns a boolean identifying if client sent the Supported Elliptic Curves
Extension as defined in RFC4492, section 5.1. within the SSL ClientHello
message. This can be used to present ECC compatible clients with EC
certificate and to use RSA for all others, on the same IP address. Note that
this only applies to raw contents found in the request buffer and not to
contents deciphered via an SSL data layer, so this will not work with "This keyword is available in sections :
Peers
"
lines having the "sslThis keyword is available in sections :
Server and default-server options
" option.

: integer

req_ssl_hello_type : integer (deprecated)

Returns an integer value containing the type of the SSL hello message found
in the request buffer if the buffer contains data that parse as a complete
SSL (v3 or superior) client hello message. Note that this only applies to raw
contents found in the request buffer and not to contents deciphered via an
SSL data layer, so this will not work with "This keyword is available in sections :
Peers
" lines having the "sslThis keyword is available in sections :
Server and default-server options
"
option. This is mostly used in ACL to detect presence of an SSL hello message
that is supposed to contain an SSL session ID usable for stickiness.

: string

req_ssl_sni : string (deprecated)

Returns a string containing the value of the Server Name TLS extension sent
by a client in a TLS stream passing through the request buffer if the buffer
contains data that parse as a complete SSL (v3 or superior) client hello
message. Note that this only applies to raw contents found in the request
buffer and not to contents deciphered via an SSL data layer, so this will not
work with "This keyword is available in sections :
Peers
" lines having the "sslThis keyword is available in sections :
Server and default-server options
" option. SNI normally contains the
name of the host the client tries to connect to (for recent browsers). SNI is
useful for allowing or denying access to certain hosts when SSL/TLS is used
by the client. This test was designed to be used with TCP request content
inspection. If content switching is needed, it is recommended to first wait
for a complete client hello (type 1), like in the example below. See also
"".
 
ACL derivatives :
  req_ssl_sni : exact string match

Examples :

# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend bk_allow if { req_ssl_sni -f allowed_sites }
default_backend bk_sorry_page

req.ssl_st_ext : integer

Returns 0 if the client didn't send a SessionTicket TLS Extension (RFC5077)
Returns 1 if the client sent SessionTicket TLS Extension
Returns 2 if the client also sent non-zero length TLS SessionTicket
Note that this only applies to raw contents found in the request buffer and
not to contents deciphered via an SSL data layer, so this will not work with
"This keyword is available in sections :
Peers
" lines having the "sslThis keyword is available in sections :
Server and default-server options
" option. This can for example be used to detect
whether the client sent a SessionTicket or not and stick it accordingly, if
no SessionTicket then stick on SessionID or don't stick as there's no server
side state is there when SessionTickets are in use.

: integer

req_ssl_ver : integer (deprecated)

Returns an integer value containing the version of the SSL/TLS protocol of a
stream present in the request buffer. Both SSLv2 hello messages and SSLv3
messages are supported. TLSv1 is announced as SSL version 3.1. The value is
composed of the major version multiplied by 65536, added to the minor
version. Note that this only applies to raw contents found in the request
buffer and not to contents deciphered via an SSL data layer, so this will not
work with "This keyword is available in sections :
Peers
" lines having the "sslThis keyword is available in sections :
Server and default-server options
" option. The ACL version of the test
matches against a decimal notation in the form MAJOR.MINOR (e.g. 3.1). This
fetch is mostly used in ACL.
 
ACL derivatives :
  req_ssl_ver : decimal match

: integer

Returns an integer value corresponding to the number of bytes present in the
response buffer. This is mostly used in ACL. It is important to understand
that this test does not return false as long as the buffer is changing. This
means that a check with equality to zero will almost always immediately match
at the beginning of the session, while a test for more data will wait for
that data to come in and return false only when haproxy is certain that no
more data will come in. This test was designed to be used with TCP response
content inspection.

res.payload(,) : binary

This extracts a binary block of <length> bytes and starting at byte <offset>
in the response buffer. As a special case, if the <length> argument is zero,
the the whole buffer from <offset> to the end is extracted. This can be used
with ACLs in order to check for the presence of some content in a buffer at
any location.

(,[,]) : binary

This extracts a binary block whose size is specified at <offset1> for <length>
bytes, and which starts at <offset2> if specified or just after the length in
the response buffer. The <offset2> parameter also supports relative offsets
if prepended with a '+' or '-' sign.

Example :

please consult the example from the "stick store-response" keyword.

: integer

rep_ssl_hello_type : integer (deprecated)

Returns an integer value containing the type of the SSL hello message found
in the response buffer if the buffer contains data that parses as a complete
SSL (v3 or superior) hello message. Note that this only applies to raw
contents found in the response buffer and not to contents deciphered via an
SSL data layer, so this will not work with "This keyword is available in sections :
Peers
" lines having the "sslThis keyword is available in sections :
Server and default-server options
"
option. This is mostly used in ACL to detect presence of an SSL hello message
that is supposed to contain an SSL session ID usable for stickiness.

: boolean

This fetch either returns true when the inspection period is over, or does
not fetch. It is only used in ACLs, in conjunction with content analysis to
avoid returning a wrong verdict early. It may also be used to delay some
actions, such as a delayed reject for some special addresses. Since it either
stops the rules evaluation or immediately returns true, it is recommended to
use this acl as the last one in a rule. Please note that the default ACL
"WAIT_END" is always usable without prior declaration. This test was designed
to be used with TCP request content inspection.

Examples :

# delay every incoming request by 2 seconds
tcp-request inspect-delay 2s
tcp-request content accept if WAIT_END
# don't immediately tell bad guys they are rejected
tcp-request inspect-delay 10s
acl goodguys src 10.0.0.0/24
acl badguys  src 10.0.1.0/24
tcp-request content accept if goodguys
tcp-request content reject if badguys WAIT_END
tcp-request content reject

7.3.6. Fetching HTTP samples (Layer 7)

It is possible to fetch samples from HTTP contents, requests and responses.
This application layer is also called layer 7. It is only possible to fetch the
data in this section when a full HTTP request or response has been parsed from
its respective request or response buffer. This is always the case with all
HTTP specific rules and for sections running with "mode http". When using TCP
content inspection, it may be necessary to support an inspection delay in order
to let the request or response come in first. These fetches may require a bit
more CPU resources than the layer 4 ones, but not much since the request and
response are indexed.

: string

This returns the concatenation of the first Host header and the path part of
the request, which starts at the first slash and ends before the question
mark. It can be useful in virtual hosted environments to detect URL abuses as
well as to improve shared caches efficiency. Using this with a limited size
stick table also allows one to collect statistics about most commonly
requested objects by host/path. With ACLs it can allow simple content
switching rules involving the host and the path at the same time, such as
"www.example.com/favicon.ico". See also "path" and "uri".
 
ACL derivatives :
  base     : exact string match
  base_beg : prefix match
  base_dir : subdir match
  base_dom : domain match
  base_end : suffix match
  base_len : length match
  base_reg : regex match
  base_sub : substring match

: integer

This returns a 32-bit hash of the value returned by the "base" fetch method
above. This is useful to track per-URL activity on high traffic sites without
having to store all URLs. Instead a shorter hash is stored, saving a lot of
memory. The output type is an unsigned integer. The hash function used is
SDBM with full avalanche on the output. Technically, base32 is exactly equal
to "base,sdbm(1)".

: binary

This returns the concatenation of the base32 fetch above and the src fetch
below. The resulting type is of type binary, with a size of 8 or 20 bytes
depending on the source address family. This can be used to track per-IP,
per-URL counters.

capture.req.hdr() : string

This extracts the content of the header captured by the "capture request
header", idx is the position of the capture keyword in the configuration.

See also: ““.

capture.req.method : string

This extracts the METHOD of an HTTP request. It can be used in both request
and response. Unlike "", it can be used in both request and response
because it's allocated.

capture.req.uri : string

This extracts the request's URI, which starts at the first slash and ends
before the first space in the request (without the host part). Unlike ""
and "url", it can be used in both request and response because it's
allocated.

: string

This extracts the request's HTTP version and returns either "HTTP/1.0" or
"HTTP/1.1". Unlike "req.ver", it can be used in both request, response, and
logs because it relies on a persistent flag.

() : string

This extracts the content of the header captured by the "capture response
header", idx is the position of the capture keyword in the configuration.
The first entry is an index of 0.

See also: “capture response header“

: string

This extracts the response's HTTP version and returns either "HTTP/1.0" or
"HTTP/1.1". Unlike "res.ver", it can be used in logs because it relies on a
persistent flag.

: binary

This returns the HTTP request's available body as a block of data. It
requires that the request body has been buffered made available using
"option http-buffer-request". In case of chunked-encoded body, currently only
the first chunk is analyzed.

([) : string

This fetch assumes that the body of the POST request is url-encoded. The user
can check if the "content-type" contains the value
"application/x-www-form-urlencoded". This extracts the first occurrence of the
parameter <name> in the body, which ends before '&'. The parameter name is
case-sensitive. If no name is given, any parameter will match, and the first
one will be returned. The result is a string corresponding to the value of the
parameter <name> as presented in the request body (no URL decoding is
performed). Note that the ACL version of this fetch iterates over multiple
parameters and will iteratively report all parameters values if no name is
given.

req.body_len : integer

This returns the length of the HTTP request's available body in bytes. It may
be lower than the advertised length if the body is larger than the buffer. It
requires that the request body has been buffered made available using
"".

req.body_size : integer

This returns the advertised length of the HTTP request's body in bytes. It
will represent the advertised Content-Length header, or the size of the first
chunk in case of chunked encoding. In order to parse the chunks, it requires
that the request body has been buffered made available using
"".

req.cook([]) : string

([]) : string (deprecated)

This extracts the last occurrence of the cookie name <name> on a "Cookie"
header line from the request, and returns its value as string. If no name is
specified, the first cookie value is returned. When used with ACLs, all
matching cookies are evaluated. Spaces around the name and the value are
ignored as requested by the Cookie header specification (RFC6265). The cookie
name is case-sensitive. Empty cookies are valid, so an empty cookie may very
well return an empty value if it is present. Use the "found" match to detect
presence. Use the res.cook() variant for response cookies sent by the server.
 
ACL derivatives :
  cook([<name>])     : exact string match
  cook_beg([<name>]) : prefix match
  cook_dir([<name>]) : subdir match
  cook_dom([<name>]) : domain match
  cook_end([<name>]) : suffix match
  cook_len([<name>]) : length match
  cook_reg([<name>]) : regex match
  cook_sub([<name>]) : substring match

req.cook_cnt([]) : integer

([]) : integer (deprecated)

Returns an integer value representing the number of occurrences of the cookie
<name> in the request, or all cookies if <name> is not specified.

req.cook_val([]) : integer

([]) : integer (deprecated)

This extracts the last occurrence of the cookie name <name> on a "Cookie"
header line from the request, and converts its value to an integer which is
returned. If no name is specified, the first cookie value is returned. When
used in ACLs, all matching names are iterated over until a value matches.

cookie([]) : string (deprecated)

This extracts the last occurrence of the cookie name <name> on a "Cookie"
header line from the request, or a "Set-Cookie" header from the response, and
returns its value as a string. A typical use is to get multiple clients
sharing a same profile use the same server. This can be similar to what
"appsession" did with the "request-learn" statement, but with support for
multi-peer synchronization and state keeping across restarts. If no name is
specified, the first cookie value is returned. This fetch should not be used
anymore and should be replaced by req.cook() or res.cook() instead as it
ambiguously uses the direction based on the context where it is used.

([[,]]) : string

This is equivalent to req.hdr() when used on requests, and to res.hdr() when
used on responses. Please refer to these respective fetches for more details.
In case of doubt about the fetch direction, please use the explicit ones.
Note that contrary to the hdr() sample fetch method, the hdr_* ACL keywords
unambiguously apply to the request headers.

req.fhdr([,]) : string

This extracts the last occurrence of header <name> in an HTTP request. When
used from an ACL, all occurrences are iterated over until a match is found.
Optionally, a specific occurrence might be specified as a position number.
Positive values indicate a position from the first occurrence, with 1 being
the first one. Negative values indicate positions relative to the last one,
with -1 being the last one. It differs from req.hdr() in that any commas
present in the value are returned and are not used as delimiters. This is
sometimes useful with headers such as User-Agent.

([]) : integer

Returns an integer value representing the number of occurrences of request
header field name <name>, or the total number of header fields if <name> is
not specified. Contrary to its req.hdr_cnt() cousin, this function returns
the number of full line headers and does not stop on commas.

req.hdr([[,]]) : string

This extracts the last occurrence of header <name> in an HTTP request. When
used from an ACL, all occurrences are iterated over until a match is found.
Optionally, a specific occurrence might be specified as a position number.
Positive values indicate a position from the first occurrence, with 1 being
the first one. Negative values indicate positions relative to the last one,
with -1 being the last one. A typical use is with the X-Forwarded-For header
once converted to IP, associated with an IP stick-table. The function
considers any comma as a delimiter for distinct values. If full-line headers
are desired instead, use req.fhdr(). Please carefully check RFC7231 to know
how certain headers are supposed to be parsed. Also, some of them are case
insensitive (e.g. Connection).
 
ACL derivatives :
  hdr([<name>[,<occ>]])     : exact string match
  hdr_beg([<name>[,<occ>]]) : prefix match
  hdr_dir([<name>[,<occ>]]) : subdir match
  hdr_dom([<name>[,<occ>]]) : domain match
  hdr_end([<name>[,<occ>]]) : suffix match
  hdr_len([<name>[,<occ>]]) : length match
  hdr_reg([<name>[,<occ>]]) : regex match
  hdr_sub([<name>[,<occ>]]) : substring match

([]) : integer

hdr_cnt([

]) : integer (deprecated)

Returns an integer value representing the number of occurrences of request
header field name <name>, or the total number of header field values if
<name> is not specified. It is important to remember that one header line may
count as several headers if it has several values. The function considers any
comma as a delimiter for distinct values. If full-line headers are desired
instead, req.fhdr_cnt() should be used instead. With ACLs, it can be used to
detect presence, absence or abuse of a specific header, as well as to block
request smuggling attacks by rejecting requests which contain more than one
of certain headers. See "" for more information on header matching.

req.hdr_ip([[,]]) : ip

([[,]]) : ip (deprecated)

This extracts the last occurrence of header <name> in an HTTP request,
converts it to an IPv4 or IPv6 address and returns this address. When used
with ACLs, all occurrences are checked, and if <name> is omitted, every value
of every header is checked. Optionally, a specific occurrence might be
specified as a position number. Positive values indicate a position from the
first occurrence, with 1 being the first one. Negative values indicate
positions relative to the last one, with -1 being the last one. A typical use
is with the X-Forwarded-For and X-Client-IP headers.

req.hdr_val([[,]]) : integer

([[,]]) : integer (deprecated)

This extracts the last occurrence of header <name> in an HTTP request, and
converts it to an integer value. When used with ACLs, all occurrences are
checked, and if <name> is omitted, every value of every header is checked.
Optionally, a specific occurrence might be specified as a position number.
Positive values indicate a position from the first occurrence, with 1 being
the first one. Negative values indicate positions relative to the last one,
with -1 being the last one. A typical use is with the X-Forwarded-For header.

http_auth() : boolean

Returns a boolean indicating whether the authentication data received from
the client match a username & password stored in the specified userlist. This
fetch function is not really useful outside of ACLs. Currently only http
basic auth is supported.

() : string

Returns a string corresponding to the user name found in the authentication
data received from the client if both the user name and password are valid
according to the specified userlist. The main purpose is to use it in ACLs
where it is then checked whether the user belongs to any group within a list.
This fetch function is not really useful outside of ACLs. Currently only http
basic auth is supported.
 
ACL derivatives :
  http_auth_group(<userlist>) : group ...
  Returns true when the user extracted from the request and whose password is
  valid according to the specified userlist belongs to at least one of the
  groups.

http_first_req : boolean

Returns true when the request being processed is the first one of the
connection. This can be used to add or remove headers that may be missing
from some requests when a request is not the first one, or to help grouping
requests in the logs.

: integer + string

Returns an integer value corresponding to the method in the HTTP request. For
example, "GET" equals 1 (check sources to establish the matching). Value 9
means "other method" and may be converted to a string extracted from the
stream. This should not be used directly as a sample, this is only meant to
be used from ACLs, which transparently convert methods from patterns to these
integer + string values. Some predefined ACL already check for most common
methods.
 
ACL derivatives :
  method : case insensitive method match

Example :

# only accept GET and HEAD requests
acl valid_method method GET HEAD
http-request deny if ! valid_method

path : string

This extracts the request's URL path, which starts at the first slash and
ends before the question mark (without the host part). A typical use is with
prefetch-capable caches, and with portals which need to aggregate multiple
information from databases and keep them in caches. Note that with outgoing
caches, it would be wiser to use "" instead. With ACLs, it's typically
used to match exact file names (e.g. "/login.php"), or directory parts using
the derivative forms. See also the "url" and "" fetch methods.
 
ACL derivatives :
  path     : exact string match
  path_beg : prefix match
  path_dir : subdir match
  path_dom : domain match
  path_end : suffix match
  path_len : length match
  path_reg : regex match
  path_sub : substring match

query : string

This extracts the request's query string, which starts after the first
question mark. If no question mark is present, this fetch returns nothing. If
a question mark is present but nothing follows, it returns an empty string.
This means it's possible to easily know whether a query string is present
using the "found" matching method. This fetch is the complement of ""
which stops before the question mark.

req.hdr_names([]) : string

This builds a string made from the concatenation of all header names as they
appear in the request when the rule is evaluated. The default delimiter is
the comma (',') but it may be overridden as an optional argument <delim>. In
this case, only the first character of <delim> is considered.

: string

req_ver : string (deprecated)

Returns the version string from the HTTP request, for example "1.1". This can
be useful for logs, but is mostly there for ACL. Some predefined ACL already
check for versions 1.0 and 1.1.
 
ACL derivatives :
  req_ver : exact string match

: boolean

Returns the boolean "true" value if the response has been compressed by
HAProxy, otherwise returns boolean "false". This may be used to add
information in the logs.

res.comp_algo : string

Returns a string containing the name of the algorithm used if the response
was compressed by HAProxy, for example : "deflate". This may be used to add
some information in the logs.

([]) : string

scook([]) : string (deprecated)

This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
header line from the response, and returns its value as string. If no name is
specified, the first cookie value is returned.
 
ACL derivatives :
  scook([<name>] : exact string match

([]) : integer

scook_cnt([]) : integer (deprecated)

Returns an integer value representing the number of occurrences of the cookie
<name> in the response, or all cookies if <name> is not specified. This is
mostly useful when combined with ACLs to detect suspicious responses.

([]) : integer

scook_val([]) : integer (deprecated)

This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
header line from the response, and converts its value to an integer which is
returned. If no name is specified, the first cookie value is returned.

([[,]]) : string

This extracts the last occurrence of header <name> in an HTTP response, or of
the last header if no <name> is specified. Optionally, a specific occurrence
might be specified as a position number. Positive values indicate a position
from the first occurrence, with 1 being the first one. Negative values
indicate positions relative to the last one, with -1 being the last one. It
differs from res.hdr() in that any commas present in the value are returned
and are not used as delimiters. If this is not desired, the res.hdr() fetch
should be used instead. This is sometimes useful with headers such as Date or
Expires.

res.fhdr_cnt([]) : integer

Returns an integer value representing the number of occurrences of response
header field name <name>, or the total number of header fields if <name> is
not specified. Contrary to its res.hdr_cnt() cousin, this function returns
the number of full line headers and does not stop on commas. If this is not
desired, the res.hdr_cnt() fetch should be used instead.

([[,]]) : string

shdr([[,]]) : string (deprecated)

This extracts the last occurrence of header <name> in an HTTP response, or of
the last header if no <name> is specified. Optionally, a specific occurrence
might be specified as a position number. Positive values indicate a position
from the first occurrence, with 1 being the first one. Negative values
indicate positions relative to the last one, with -1 being the last one. This
can be useful to learn some data into a stick-table. The function considers
any comma as a delimiter for distinct values. If this is not desired, the
res.fhdr() fetch should be used instead.
 
ACL derivatives :
  shdr([<name>[,<occ>]])     : exact string match
  shdr_beg([<name>[,<occ>]]) : prefix match
  shdr_dir([<name>[,<occ>]]) : subdir match
  shdr_dom([<name>[,<occ>]]) : domain match
  shdr_end([<name>[,<occ>]]) : suffix match
  shdr_len([<name>[,<occ>]]) : length match
  shdr_reg([<name>[,<occ>]]) : regex match
  shdr_sub([<name>[,<occ>]]) : substring match

([]) : integer

shdr_cnt([]) : integer (deprecated)

Returns an integer value representing the number of occurrences of response
header field name <name>, or the total number of header fields if <name> is
not specified. The function considers any comma as a delimiter for distinct
values. If this is not desired, the res.fhdr_cnt() fetch should be used
instead.

([[,]]) : ip

shdr_ip([[,]]) : ip (deprecated)

This extracts the last occurrence of header <name> in an HTTP response,
convert it to an IPv4 or IPv6 address and returns this address. Optionally, a
specific occurrence might be specified as a position number. Positive values
indicate a position from the first occurrence, with 1 being the first one.
Negative values indicate positions relative to the last one, with -1 being
the last one. This can be useful to learn some data into a stick table.

([]) : string

This builds a string made from the concatenation of all header names as they
appear in the response when the rule is evaluated. The default delimiter is
the comma (',') but it may be overridden as an optional argument <delim>. In
this case, only the first character of <delim> is considered.

res.hdr_val([[,]]) : integer

([[,]]) : integer (deprecated)

This extracts the last occurrence of header <name> in an HTTP response, and
converts it to an integer value. Optionally, a specific occurrence might be
specified as a position number. Positive values indicate a position from the
first occurrence, with 1 being the first one. Negative values indicate
positions relative to the last one, with -1 being the last one. This can be
useful to learn some data into a stick table.

res.ver : string

: string (deprecated)

Returns the version string from the HTTP response, for example "1.1". This
can be useful for logs, but is mostly there for ACL.
 
ACL derivatives :
  resp_ver : exact string match

set-cookie([]) : string (deprecated)

This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
header line from the response and uses the corresponding value to match. This
can be comparable to what "appsession" did with default options, but with
support for multi-peer synchronization and state keeping across restarts.
 
This fetch function is deprecated and has been superseded by the ""
fetch. This keyword will disappear soon.

status : integer

Returns an integer containing the HTTP status code in the HTTP response, for
example, 302. It is mostly used within ACLs and integer ranges, for example,
to remove any Location header if the response is not a 3xx.

: string

Returns the unique-id attached to the request. The directive
"unique-id-format" must be set. If it is not set, the unique-id sample fetch
fails. Note that the unique-id is usually used with HTTP requests, however this
sample fetch can be used with other protocols. Obviously, if it is used with
other protocols than HTTP, the unique-id-format directive must not contain
HTTP parts. See: unique-id-format and unique-id-header

: string

This extracts the request's URL as presented in the request. A typical use is
with prefetch-capable caches, and with portals which need to aggregate
multiple information from databases and keep them in caches. With ACLs, using
"path" is preferred over using "", because clients may send a full URL as
is normally done with proxies. The only real use is to match "*" which does
not match in "path", and for which there is already a predefined ACL. See
also "" and "base".
 
ACL derivatives :
  url     : exact string match
  url_beg : prefix match
  url_dir : subdir match
  url_dom : domain match
  url_end : suffix match
  url_len : length match
  url_reg : regex match
  url_sub : substring match

: ip

This extracts the IP address from the request's URL when the host part is
presented as an IP address. Its use is very limited. For instance, a
monitoring system might use this field as an alternative for the source IP in
order to test what path a given source address would follow, or to force an
entry in a table for a given source address. With ACLs it can be used to
restrict access to certain systems through a proxy, for example when combined
with option "http_proxy".

: integer

This extracts the port part from the request's URL. Note that if the port is
not specified in the request, port 80 is assumed. With ACLs it can be used to
restrict access to certain systems through a proxy, for example when combined
with option "http_proxy".

([[,]]) : string

url_param([[,]]) : string

This extracts the first occurrence of the parameter <name> in the query
string, which begins after either '?' or <delim>, and which ends before '&',
';' or <delim>. The parameter name is case-sensitive. If no name is given,
any parameter will match, and the first one will be returned. The result is
a string corresponding to the value of the parameter <name> as presented in
the request (no URL decoding is performed). This can be used for session
stickiness based on a client ID, to extract an application cookie passed as a
URL parameter, or in ACLs to apply some checks. Note that the ACL version of
this fetch iterates over multiple parameters and will iteratively report all
parameters values if no name is given
 
ACL derivatives :
  urlp(<name>[,<delim>])     : exact string match
  urlp_beg(<name>[,<delim>]) : prefix match
  urlp_dir(<name>[,<delim>]) : subdir match
  urlp_dom(<name>[,<delim>]) : domain match
  urlp_end(<name>[,<delim>]) : suffix match
  urlp_len(<name>[,<delim>]) : length match
  urlp_reg(<name>[,<delim>]) : regex match
  urlp_sub(<name>[,<delim>]) : substring match

Example :

# match http://example.com/foo?PHPSESSIONID=some_id
stick on urlp(PHPSESSIONID)
stick on urlp(JSESSIONID,;)

([[,]]) : integer

See "urlp" above. This one extracts the URL parameter <name> in the request
and converts it to an integer value. This can be used for session stickiness
based on a user ID for example, or with ACLs to match a page number or price.

: integer

This returns a 32-bit hash of the value obtained by concatenating the first
Host header and the whole URL including parameters (not only the path part of
the request, as in the "base32" fetch above). This is useful to track per-URL
activity. A shorter hash is stored, saving a lot of memory. The output type
is an unsigned integer.

: binary

This returns the concatenation of the "url32" fetch and the "" fetch. The
the source address family. This can be used to track per-IP, per-URL counters.