@@ -15848,19 +15848,6 @@ backlog <backlog>
1584815848 Sets the socket's backlog to this value. If unspecified or 0, the frontend's
1584915849 backlog is used instead, which generally defaults to the maxconn value.
1585015850
15851- curves <curves>
15852- This setting is only available when support for OpenSSL was built in. It sets
15853- the string describing the list of elliptic curves algorithms ("curve suite")
15854- that are negotiated during the SSL/TLS handshake with ECDHE. The format of the
15855- string is a colon-delimited list of curve name.
15856- Example: "X25519:P-256" (without quote)
15857- When "curves" is set, "ecdhe" parameter is ignored.
15858-
15859- ecdhe <named curve>
15860- This setting is only available when support for OpenSSL was built in. It sets
15861- the named curve (RFC 4492) used to generate ECDH ephemeral keys. By default,
15862- used named curve is prime256v1.
15863-
1586415851ca-file <cafile>
1586515852 This setting is only available when support for OpenSSL was built in. It
1586615853 designates a PEM file from which to load CA certificates used to verify
@@ -16143,6 +16130,14 @@ default-crt <cert>
1614316130
1614416131 See also the "crt" keyword.
1614516132
16133+ curves <curves>
16134+ This setting is only available when support for OpenSSL was built in. It sets
16135+ the string describing the list of elliptic curves algorithms ("curve suite")
16136+ that are negotiated during the SSL/TLS handshake with ECDHE. The format of the
16137+ string is a colon-delimited list of curve name.
16138+ Example: "X25519:P-256" (without quote)
16139+ When "curves" is set, "ecdhe" parameter is ignored.
16140+
1614616141defer-accept
1614716142 Is an optional keyword which is supported only on certain Linux kernels. It
1614816143 states that a connection will only be accepted once some data arrive on it,
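Review bot: "curves" lands after the "default-crt" entry and before "defer-accept", which is out of alphabetical order if sorting the keywords is the purpose of this move; it would sort ahead of "default-crt". While the paragraph is being moved, two wording nits could be fixed: "list of curve name" should read "list of curve names", and "(without quote)" should read "(without quotes)".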
@@ -16156,6 +16151,11 @@ defer-accept
1615616151 an established connection while the proxy will only see it in SYN_RECV. This
1615716152 option is only supported on TCPv4/TCPv6 sockets and ignored by other ones.
1615816153
16154+ ecdhe <named curve>
16155+ This setting is only available when support for OpenSSL was built in. It sets
16156+ the named curve (RFC 4492) used to generate ECDH ephemeral keys. By default,
16157+ used named curve is prime256v1.
16158+
1615916159expose-fd listeners
1616016160 This option is only usable with the stats socket. It gives your stats socket
1616116161 the capability to pass listeners FD to another HAProxy process.
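Review bot: The relocated "ecdhe" entry does not say that it is ignored when "curves" is set, although the "curves" entry states exactly that, so a reader who lands on "ecdhe" alone misses the interaction now that the two entries are no longer adjacent. Suggest ending the paragraph with a sentence such as 'This setting is ignored when "curves" is set.' and rewording "By default, used named curve is prime256v1" to "The default named curve is prime256v1".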
@@ -16260,18 +16260,6 @@ level <level>
1626016260 - "admin" should be used with care, as everything is permitted (e.g. clear
1626116261 all counters).
1626216262
16263- severity-output <format>
16264- This setting is used with the stats sockets only to configure severity
16265- level output prepended to informational feedback messages. Severity
16266- level of messages can range between 0 and 7, conforming to syslog
16267- rfc5424. Valid and successful socket commands requesting data
16268- (i.e. "show map", "get acl foo" etc.) will never have a severity level
16269- prepended. It is ignored by other sockets. <format> can be one of :
16270- - "none" (default) no severity level is prepended to feedback messages.
16271- - "number" severity level is prepended as a number.
16272- - "string" severity level is prepended as a string following the
16273- rfc5424 convention.
16274-
1627516263maxconn <maxconn>
1627616264 Limits the sockets to this number of concurrent connections. Extraneous
1627716265 connections will remain in the system's backlog until a connection is
@@ -16478,6 +16466,18 @@ quic-socket [ connection | listener ]
1647816466 the specific listeners. See "tune.quic.socket-owner" for a full description
1647916467 of its usage.
1648016468
16469+ severity-output <format>
16470+ This setting is used with the stats sockets only to configure severity
16471+ level output prepended to informational feedback messages. Severity
16472+ level of messages can range between 0 and 7, conforming to syslog
16473+ rfc5424. Valid and successful socket commands requesting data
16474+ (i.e. "show map", "get acl foo" etc.) will never have a severity level
16475+ prepended. It is ignored by other sockets. <format> can be one of :
16476+ - "none" (default) no severity level is prepended to feedback messages.
16477+ - "number" severity level is prepended as a number.
16478+ - "string" severity level is prepended as a string following the
16479+ rfc5424 convention.
16480+
1648116481shards <number> | by-thread | by-group
1648216482 In multi-threaded mode, on operating systems supporting multiple listeners on
1648316483 the same IP:port, this will automatically create this number of multiple
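Review bot: In the "severity-output" description, '(i.e. "show map", "get acl foo" etc.)' introduces examples rather than a restatement, so "e.g." is the correct abbreviation and the trailing "etc." then becomes redundant. The two "rfc5424" mentions would also read better as "RFC 5424", matching the "RFC 4492" form used in the "ecdhe" entry.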
@@ -16660,20 +16660,6 @@ transparent
1666016660 kernel version. Some distribution kernels include backports of the feature,
1666116661 so check for support with your vendor.
1666216662
16663- v4v6
16664- Is an optional keyword which is supported only on most recent systems
16665- including Linux kernels >= 2.4.21. It is used to bind a socket to both IPv4
16666- and IPv6 when it uses the default address. Doing so is sometimes necessary
16667- on systems which bind to IPv6 only by default. It has no effect on non-IPv6
16668- sockets, and is overridden by the "v6only" option.
16669-
16670- v6only
16671- Is an optional keyword which is supported only on most recent systems
16672- including Linux kernels >= 2.4.21. It is used to bind a socket to IPv6 only
16673- when it uses the default address. Doing so is sometimes preferred to doing it
16674- system-wide as it is per-listener. It has no effect on non-IPv6 sockets and
16675- has precedence over the "v4v6" option.
16676-
1667716663uid <uid>
1667816664 Sets the owner of the UNIX sockets to the designated system uid. It can also
1667916665 be set by default in the global section's "unix-bind" statement. Note that
@@ -16688,6 +16674,20 @@ user <user>
1668816674 setting except that the user name is used instead of its uid. This setting is
1668916675 ignored by non UNIX sockets.
1669016676
16677+ v4v6
16678+ Is an optional keyword which is supported only on most recent systems
16679+ including Linux kernels >= 2.4.21. It is used to bind a socket to both IPv4
16680+ and IPv6 when it uses the default address. Doing so is sometimes necessary
16681+ on systems which bind to IPv6 only by default. It has no effect on non-IPv6
16682+ sockets, and is overridden by the "v6only" option.
16683+
16684+ v6only
16685+ Is an optional keyword which is supported only on most recent systems
16686+ including Linux kernels >= 2.4.21. It is used to bind a socket to IPv6 only
16687+ when it uses the default address. Doing so is sometimes preferred to doing it
16688+ system-wide as it is per-listener. It has no effect on non-IPv6 sockets and
16689+ has precedence over the "v4v6" option.
16690+
1669116691verify [none|optional|required]
1669216692 This setting is only available when support for OpenSSL was built in. If set
1669316693 to 'none', client certificate is not requested. This is the default. In other
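Review bot: Both "v4v6" and "v6only" are moved with the phrase "supported only on most recent systems including Linux kernels >= 2.4.21", which presents a very old kernel version as the example of a recent system. Suggest dropping "only on most recent" so the sentence reads "supported on systems including Linux kernels >= 2.4.21". The mutual precedence statements ("overridden by the "v6only" option" and "has precedence over the "v4v6" option") are consistent with each other and can stay as they are.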