From b2b7b543da9c46b23c27672ed567d77df254848f Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille <flecai...@haproxy.com>
Date: Tue, 21 Mar 2017 18:52:12 +0100
Subject: [PATCH 31/31] DOC: server: Add docs for "server" and "default-server" new "no-*" and other settings.

New boolean settings have been added to disable others. Most of them
have "no-" as prefix.
  "enabled" disables "disabled" setting,
  "no-agent-check" disables "agent-check",
  "no-backup" disables "backup",
  "no-check" disables "check",
  "no-check-ssl" disables "check-ssl",
  "no-force-sslv3" disables "force-sslv3",
  "no-force-tlsv10" disables "force-tlsv10",
  "no-force-tlsv11" disables "force-tlsv11",
  "no-force-tlsv12" disables "force-tlsv12",
  "no-send-proxy" disables "send-proxy",
  "no-send-proxy-v2" disables "send-proxy-v2",
  "no-send-proxy-v2-ssl" disables "send-proxy-v2-ssl",
  "no-send-proxy-v2-ssl-cn" disables "send-proxy-v2-ssl-cn",
  "no-ssl" disables "ssl",
  "no-verifyhost" disables "verifyhost",
  "sslv2" disables "no-sslv3",
  "ssl-reuse" disables "no-ssl-reuse",
  "stick" disables "non-stick",
  "tlsv10" disables "no-tlsv10",
  "tlsv11" disables "no-tlsv11",
  "tlsv12" disables "no-tlsv12",
  "tls-tickets" disables "no-tls-tickets".

Settings with arguments are now supported on "default-server" lines:
"addr", "ca-file", "ciphers", "crl-file", "crt", "cookie", "namespace",
"observe", "redir", "sni", "source", "tcp-ut" and "track".

From now on, all server "settings" including the new ones above are
supported by "default-server" except "id" which is only supported on
"server" lines.
---
 doc/configuration.txt | 306 +++++++++++++++++++++++++++++--------------------
 1 file changed, 181 insertions(+), 125 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 73a4f4b..0241ab1 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -10639,6 +10639,9 @@ address if they are used: server <name> <address>[:port] [settings ...] default-server [settings ...] +Note that all these settings are supported both by "server" and "default-server" +keywords, except "id" which is only supported by "server". + The currently supported settings are the following ones. addr <ipv4|ipv6> 
@@ -10649,8 +10652,6 @@ addr <ipv4|ipv6> This parameter is ignored if the "check" parameter is not set. See also the "port" parameter. - Supported in default-server: No - agent-check Enable an auxiliary agent check which is run independently of a regular health check. An agent health check is performed by making a TCP connection @@ -10710,9 +10711,7 @@ agent-check force an agent's result in order to work around a bogus agent if needed. Requires the "agent-port" parameter to be set. See also the "agent-inter" - parameter. - - Supported in default-server: No + and "no-agent-check" parameters. agent-send <string> If this option is specified, haproxy will send the given string (verbatim) @@ -10737,8 +10736,6 @@ agent-inter <delay> See also the "agent-check" and "agent-port" parameters. - Supported in default-server: Yes - agent-addr <addr> The "agent-addr" parameter sets address for agent check. @@ -10752,25 +10749,19 @@ agent-port <port> See also the "agent-check" and "agent-inter" parameters. - Supported in default-server: Yes - backup When "backup" is present on a server line, the server is only used in load balancing when all other non-backup servers are unavailable. Requests coming with a persistence cookie referencing the server will always be served though. By default, only the first operational backup server is used, unless - the "allbackups" option is set in the backend. See also the "allbackups" - option. - - Supported in default-server: No + the "allbackups" option is set in the backend. See also the "no-backup" and + "allbackups" options. ca-file <cafile> This setting is only available when support for OpenSSL was built in. It designates a PEM file from which to load CA certificates used to verify server's certificate. - Supported in default-server: No - check This option enables health checks on the server. By default, a server is always considered available. If "check" is set, the server is available when 
@@ -10782,9 +10773,8 @@ check address, and the interval and timers using the "inter", "rise" and "fall" parameters. The request method is define in the backend using the "httpchk", "smtpchk", "mysql-check", "pgsql-check" and "ssl-hello-chk" options. Please - refer to those options and parameters for more information. - - Supported in default-server: No + refer to those options and parameters for more information. See also + "no-check" option. check-send-proxy This option forces emission of a PROXY protocol line with outgoing health @@ -10795,8 +10785,6 @@ check-send-proxy "check-send-proxy" option needs to be used to force the use of the protocol. See also the "send-proxy" option for more information. - Supported in default-server: No - check-ssl This option forces encryption of all health checks over SSL, regardless of whether the server uses SSL or not for the normal traffic. This is generally @@ -10806,9 +10794,8 @@ check-ssl check becomes an SSL connect, which replaces the old ssl-hello-chk. The most common use is to send HTTPS checks by combining "httpchk" with SSL checks. All SSL settings are common to health checks and traffic (eg: ciphers). - See the "ssl" option for more information. - - Supported in default-server: No + See the "ssl" option for more information and "no-check-ssl" to disable + this option. ciphers <ciphers> This option sets the string describing the list of cipher algorithms that is @@ -10820,8 +10807,6 @@ ciphers <ciphers> Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all is needed and just connectivity, using DES can be appropriate. - Supported in default-server: No - cookie <value> The "cookie" parameter sets the cookie value assigned to the server to <value>. This value will be checked in incoming requests, and the first 
@@ -10831,15 +10816,11 @@ cookie <value> the same cookie value, and it is in fact somewhat common between normal and backup servers. See also the "cookie" keyword in backend section. - Supported in default-server: No - crl-file <crlfile> This setting is only available when support for OpenSSL was built in. It designates a PEM file from which to load certificate revocation list used to verify server's certificate. - Supported in default-server: No - crt <cert> This setting is only available when support for OpenSSL was built in. It designates a PEM file from which to load both a certificate and the @@ -10847,24 +10828,26 @@ crt <cert> files into one. This certificate will be sent if the server send a client certificate request. - Supported in default-server: No - disabled The "disabled" keyword starts the server in the "disabled" state. That means that it is marked down in maintenance mode, and no connection other than the ones allowed by persist mode will reach it. It is very well suited to setup new servers, because normal traffic will never reach them, while it is still possible to test the service by making use of the force-persist mechanism. + See also "enabled" setting. - Supported in default-server: No +enabled + This option may be used as 'server' setting to reset any 'disabled' + setting which would have been inherited from 'default-server' directive as + default value. + It may also be used as 'default-server' setting to reset any previous + 'default-server' 'disabled' setting. error-limit <count> If health observing is enabled, the "error-limit" parameter specifies the number of consecutive errors that triggers event selected by the "on-error" option. By default it is set to 10 consecutive errors. - Supported in default-server: Yes - See also the "check", "error-limit" and "on-error". fall <count> 
@@ -10872,44 +10855,32 @@ fall <count> <count> consecutive unsuccessful health checks. This value defaults to 3 if unspecified. See also the "check", "inter" and "rise" parameters. - Supported in default-server: Yes - force-sslv3 This option enforces use of SSLv3 only when SSL is used to communicate with the server. SSLv3 is generally less expensive than the TLS counterparts for high connection rates. This option is also available on global statement - "ssl-default-server-options". See also "no-tlsv*", "no-sslv3". - - Supported in default-server: No + "ssl-default-server-options". See also "no-force-sslv3", "no-tlsv*", "no-sslv3". force-tlsv10 This option enforces use of TLSv1.0 only when SSL is used to communicate with the server. This option is also available on global statement - "ssl-default-server-options". See also "no-tlsv*", "no-sslv3". - - Supported in default-server: No + "ssl-default-server-options". See also "no-force-tlsv10", "no-tlsv*", "no-sslv3". force-tlsv11 This option enforces use of TLSv1.1 only when SSL is used to communicate with the server. This option is also available on global statement - "ssl-default-server-options". See also "no-tlsv*", "no-sslv3". - - Supported in default-server: No + "ssl-default-server-options". See also "no-force-tlsv11", "no-tlsv*", "no-sslv3". force-tlsv12 This option enforces use of TLSv1.2 only when SSL is used to communicate with the server. This option is also available on global statement - "ssl-default-server-options". See also "no-tlsv*", "no-sslv3". - - Supported in default-server: No + "ssl-default-server-options". See also "no-force-tlsv12", "no-tlsv*", "no-sslv3". id <value> Set a persistent ID for the server. This ID must be positive and unique for the proxy. An unused ID will automatically be assigned if unset. The first assigned value will be 1. This ID is currently only returned in statistics. 
- Supported in default-server: No - init-addr {last | libc | none | <ip>},[...]* Indicate in what order the server's address should be resolved upon startup if it uses an FQDN. Attempts are made to resolve the address by applying in @@ -10937,8 +10908,6 @@ init-addr {last | libc | none | <ip>},[...]* # never fail on address resolution default-server init-addr last,libc,none - Supported in default-server: Yes - inter <delay> fastinter <delay> downinter <delay> @@ -10969,8 +10938,6 @@ downinter <delay> global "spread-checks" keyword. This makes sense for instance when a lot of backends use the same servers. - Supported in default-server: Yes - maxconn <maxconn> The "maxconn" parameter specifies the maximal number of concurrent connections that will be sent to this server. If the number of incoming @@ -10981,8 +10948,6 @@ maxconn <maxconn> which means unlimited. See also the "minconn" and "maxqueue" parameters, and the backend's "fullconn" keyword. - Supported in default-server: Yes - maxqueue <maxqueue> The "maxqueue" parameter specifies the maximal number of connections which will wait in the queue for this server. If this limit is reached, next @@ -10992,8 +10957,6 @@ maxqueue <maxqueue> default value is "0" which means the queue is unlimited. See also the "maxconn" and "minconn" parameters. - Supported in default-server: Yes - minconn <minconn> When the "minconn" parameter is set, the maxconn limit becomes a dynamic limit following the backend's load. The server will always accept at least 
@@ -11004,37 +10967,121 @@ minconn <minconn> overloading the server during exceptional loads. See also the "maxconn" and "maxqueue" parameters, as well as the "fullconn" backend keyword. - Supported in default-server: Yes - namespace <name> On Linux, it is possible to specify which network namespace a socket will belong to. This directive makes it possible to explicitly bind a server to a namespace different from the default one. Please refer to your operating system's documentation to find more details about network namespaces. +no-agent-check + This option may be used as "server" setting to reset any "agent-check" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "agent-check" setting. + +no-backup + This option may be used as "server" setting to reset any "backup" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "backup" setting. + +no-check + This option may be used as "server" setting to reset any "check" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "check" setting. + +no-check-ssl + This option may be used as "server" setting to reset any "check-ssl" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "check-ssl" setting. + +no-force-sslv3 + This option may be used as "server" setting to reset any "force-sslv3" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "force-sslv3" setting. 
+ +no-force-tlsv10 + This option may be used as "server" setting to reset any "force-tlsv10" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "force-tlsv10" setting. + +no-force-tlsv11 + This option may be used as "server" setting to reset any "force-tlsv11" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "force-tlsv11" setting. + +no-force-tlsv12 + This option may be used as "server" setting to reset any "force-tlsv12" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "force-tlsv12" setting. + +no-send-proxy + This option may be used as "server" setting to reset any "send-proxy" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "send-proxy" setting. + +no-send-proxy-v2 + This option may be used as "server" setting to reset any "send-proxy-v2" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "send-proxy-v2" setting. + +no-send-proxy-v2-ssl + This option may be used as "server" setting to reset any "send-proxy-v2-ssl" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "send-proxy-v2-ssl" setting. 
+ +no-send-proxy-v2-ssl-cn + This option may be used as "server" setting to reset any "send-proxy-v2-ssl-cn" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "send-proxy-v2-ssl-cn" setting. + +no-ssl + This option may be used as "server" setting to reset any "ssl" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "ssl" setting. + no-ssl-reuse This option disables SSL session reuse when SSL is used to communicate with the server. It will force the server to perform a full handshake for every new connection. It's probably only useful for benchmarking, troubleshooting, and for paranoid users. - Supported in default-server: No - no-sslv3 This option disables support for SSLv3 when SSL is used to communicate with the server. Note that SSLv2 is disabled in the code and cannot be enabled using any configuration option. See also "force-sslv3", "force-tlsv*". - Supported in default-server: No - no-tls-tickets This setting is only available when support for OpenSSL was built in. It disables the stateless session resumption (RFC 5077 TLS Ticket extension) and force to use stateful session resumption. Stateless session resumption is more expensive in CPU usage for servers. This option is also available on global statement "ssl-default-server-options". - - Supported in default-server: No + See also "tls-tickets". no-tlsv10 This option disables support for TLSv1.0 when SSL is used to communicate with 
@@ -11042,9 +11089,7 @@ no-tlsv10 using any configuration option. TLSv1 is more expensive than SSLv3 so it often makes sense to disable it when communicating with local servers. This option is also available on global statement "ssl-default-server-options". - See also "force-sslv3", "force-tlsv*". - - Supported in default-server: No + See also "tlsv10", "force-sslv3", "force-tlsv*". no-tlsv11 This option disables support for TLSv1.1 when SSL is used to communicate with @@ -11052,9 +11097,7 @@ no-tlsv11 using any configuration option. TLSv1 is more expensive than SSLv3 so it often makes sense to disable it when communicating with local servers. This option is also available on global statement "ssl-default-server-options". - See also "force-sslv3", "force-tlsv*". - - Supported in default-server: No + See also "tlsv11", "force-sslv3", "force-tlsv*". no-tlsv12 This option disables support for TLSv1.2 when SSL is used to communicate with 
@@ -11062,17 +11105,20 @@ no-tlsv12 using any configuration option. TLSv1 is more expensive than SSLv3 so it often makes sense to disable it when communicating with local servers. This option is also available on global statement "ssl-default-server-options". - See also "force-sslv3", "force-tlsv*". + See also "tlsv12", "force-sslv3", "force-tlsv*". - Supported in default-server: No +no-verifyhost + This option may be used as "server" setting to reset any "verifyhost" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "verifyhost" setting. non-stick Never add connections allocated to this sever to a stick-table. This may be used in conjunction with backup to ensure that stick-table persistence is disabled for backup servers. - Supported in default-server: No - observe <mode> This option enables health adjusting based on observing communication with the server. By default this functionality is disabled and enabling it also @@ -11082,8 +11128,6 @@ observe <mode> received from server are verified, like valid/wrong http code, unparsable headers, a timeout, etc. Valid status codes include 100 to 499, 501 and 505. - Supported in default-server: No - See also the "check", "on-error" and "error-limit". on-error <mode> @@ -11095,8 +11139,6 @@ on-error <mode> check will mark a server down, forces fastinter - mark-down: mark the server immediately down and force fastinter - Supported in default-server: Yes - See also the "check", "observe" and "error-limit". on-marked-down <action> @@ -11113,8 +11155,6 @@ on-marked-down <action> Actions are disabled by default - Supported in default-server: Yes - on-marked-up <action> Modify what occurs when a server is marked up. Currently one action is available: 
@@ -11129,8 +11169,6 @@ on-marked-up <action> Actions are disabled by default - Supported in default-server: Yes - port <port> Using the "port" parameter, it becomes possible to use a different port to send health-checks. On some servers, it may be desirable to dedicate a port @@ -11139,8 +11177,6 @@ port <port> inetd for instance. This parameter is ignored if the "check" parameter is not set. See also the "addr" parameter. - Supported in default-server: Yes - redir <prefix> The "redir" parameter enables the redirection mode for all GET and HEAD requests addressing this server. This means that instead of having HAProxy @@ -11159,15 +11195,11 @@ redir <prefix> Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check - Supported in default-server: No - rise <count> The "rise" parameter states that a server will be considered as operational after <count> consecutive successful health checks. This value defaults to 2 if unspecified. See also the "check", "inter" and "fall" parameters. - Supported in default-server: Yes - resolve-prefer <family> When DNS resolution is enabled for a server and multiple IP addresses from different families are returned, HAProxy will prefer using an IP address @@ -11176,8 +11208,6 @@ resolve-prefer <family> Default value: ipv6 - Supported in default-server: Yes - Example: server s1 app1.domain.com:80 resolvers mydns resolve-prefer ipv6 @@ -11190,8 +11220,6 @@ resolve-net <network>[,<network[,...]] this patch permitsto prefers a local datacenter. If none address matchs the configured network, another address is selected. - Supported in default-server: Yes - Example: server s1 app1.domain.com:80 resolvers mydns resolve-net 10.0.0.0/8 @@ -11204,8 +11232,6 @@ resolvers <id> You must precise one 'resolvers' parameter on each server line where DNS resolution is required. - Supported in default-server: No - Example: server s1 app1.domain.com:80 check resolvers mydns 
@@ -11227,10 +11253,8 @@ send-proxy protocol is automatically used when this option is set, unless there is an explicit "port" or "addr" directive, in which case an explicit "check-send-proxy" directive would also be needed to use the PROXY protocol. - See also the "accept-proxy" and "accept-netscaler-cip" option of the "bind" - keyword. - - Supported in default-server: No + See also the "no-send-proxy" option of this section and "accept-proxy" and + "accept-netscaler-cip" option of the "bind" keyword. send-proxy-v2 The "send-proxy-v2" parameter enforces use of the PROXY protocol version 2 @@ -11238,10 +11262,9 @@ send-proxy-v2 the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the - server isn't aware of this version of the protocol. See also the "send-proxy" - option of the "bind" keyword. - - Supported in default-server: No + server isn't aware of this version of the protocol. See also the + "no-send-proxy-v2" option of this section and send-proxy" option of the + "bind" keyword. send-proxy-v2-ssl The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version @@ -11251,9 +11274,8 @@ send-proxy-v2-ssl whatever the upper layer protocol. In addition, the SSL information extension of the PROXY protocol is added to the PROXY protocol header. This setting must not be used if the server isn't aware of this version of the protocol. - See also the "send-proxy-v2" option of the "bind" keyword. - - Supported in default-server: No + See also the "no-send-proxy-v2-ssl" option of this section and the + "send-proxy-v2" option of the "bind" keyword. send-proxy-v2-ssl-cn The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version 
@@ -11264,9 +11286,8 @@ send-proxy-v2-ssl-cn of the PROXY protocol, along along with the Common Name from the subject of the client certificate (if any), is added to the PROXY protocol header. This setting must not be used if the server isn't aware of this version of the - protocol. See also the "send-proxy-v2" option of the "bind" keyword. - - Supported in default-server: No + protocol. See also the "no-send-proxy-v2-ssl-cn" option of this section and the + "send-proxy-v2" option of the "bind" keyword. slowstart <start_time_in_ms> The "slowstart" parameter for a server accepts a value in milliseconds which @@ -11288,8 +11309,6 @@ slowstart <start_time_in_ms> trouble to running servers. It only applies when a server has been previously seen as failed. - Supported in default-server: Yes - sni <expression> The "sni" parameter evaluates the sample fetch expression, converts it to a string and uses the result as the host name sent in the SNI TLS extension to @@ -11297,8 +11316,6 @@ sni <expression> a bridged HTTPS scenario, using the "ssl_fc_sni" sample fetch for the expression, though alternatives such as req.hdr(host) can also make sense. - Supported in default-server: no - source <addr>[:<pl>[-<ph>]] [usesrc { <addr2>[:<port2>] | client | clientip } ] source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | hdr_ip(<hdr>[,<occ>]) } ] source <addr>[:<pl>[-<ph>]] [interface <name>] ... @@ -11318,8 +11335,6 @@ source <addr>[:<pl>[-<ph>]] [interface <name>] ... Since Linux 4.2/libc 2.23 IP_BIND_ADDRESS_NO_PORT is set for connections specifying the source address without port(s). - Supported in default-server: No - ssl This option enables SSL ciphering on outgoing connections to the server. It is critical to verify server certificates using "verify" when using SSL to 
@@ -11327,9 +11342,29 @@ ssl the-middle attacks rendering SSL useless. When this option is used, health checks are automatically sent in SSL too unless there is a "port" or an "addr" directive indicating the check should be sent to a different location. - See the "check-ssl" option to force SSL health checks. + See the "no-ssl" to disable "ssl" option and "check-ssl" option to force + SSL health checks. + +sslv3 + This option may be used as "server" setting to reset any "no-sslv3" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "no-sslv3" setting. - Supported in default-server: No +ssl-reuse + This option may be used as "server" setting to reset any "no-ssl-reuse" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "no-ssl-reuse" setting. + +stick + This option may be used as "server" setting to reset any "non-stick" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "non-stick" setting. tcp-ut <delay> Sets the TCP User Timeout for all outgoing connections to this server. This 
@@ -11353,7 +11388,33 @@ track [<proxy>/]<server> enabled. If <proxy> is omitted the current one is used. If disable-on-404 is used, it has to be enabled on both proxies. - Supported in default-server: No +tlsv10 + This option may be used as "server" setting to reset any "no-tlsv10" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "no-tlsv10" setting. + +tlsv11 + This option may be used as "server" setting to reset any "no-tlsv11" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "no-tlsv11" setting. + +tlsv12 + This option may be used as "server" setting to reset any "no-tlsv12" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "no-tlsv12" setting. + +tls-tickets + This option may be used as "server" setting to reset any "no-tls-tickets" + setting which would have been inherited from "default-server" directive as + default value. + It may also be used as "default-server" setting to reset any previous + "default-server" "no-tlsv-tickets" setting. verify [none|required] This setting is only available when support for OpenSSL was built in. If set @@ -11365,8 +11426,6 @@ verify [none|required] using SSL to connect to servers, otherwise the communication is prone to trivial man-in-the-middle attacks rendering SSL totally useless. - Supported in default-server: No - verifyhost <hostname> This setting is only available when support for OpenSSL was built in, and only takes effect if 'verify required' is also specified. When set, the 
@@ -11374,8 +11433,7 @@ verifyhost <hostname> provided by the server are checked. If none of the hostnames in the certificate match the specified hostname, the handshake is aborted. The hostnames in the server-provided certificate may include wildcards. - - Supported in default-server: No + See also "no-verifyhost" option. weight <weight> The "weight" parameter is used to adjust the server's weight relative to @@ -11388,8 +11446,6 @@ weight <weight> can both grow and shrink, for instance between 10 and 100 to leave enough room above and below for later adjustments. - Supported in default-server: Yes - 5.3. Server IP address resolution using DNS ------------------------------------------- -- 2.1.4
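
Review bot: in the @@ -10795,8 +10785,6 @@ hunk, removing "Supported in default-server: No" from "check-send-proxy" makes it inheritable from "default-server", but the patch documents no "no-check-send-proxy" keyword and the commit message lists none, so a "server" line has no documented way to reset it. Either add the negating keyword or state in this entry that it cannot be reset per server.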
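
Review bot: the new "enabled" entry in the @@ -10847,24 +10828,26 @@ hunk quotes keywords with single quotes ('server', 'disabled', 'default-server') while every other entry added by this patch uses double quotes. Please switch it to double quotes so the reset entries read identically.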
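
Review bot: the "no-ssl" entry added in the @@ -11004,37 +10967,121 @@ hunk only carries the generic reset wording and does not say what the server ends up with. Since the "ssl" entry stresses verifying certificates to avoid man-in-the-middle attacks, it would help to state here that a "server" line using "no-ssl" under a "default-server" with "ssl" gets no SSL ciphering on its outgoing connections, and to add a "See also "ssl"" line as the pre-existing entries got.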
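
Review bot: the "no-verifyhost" entry added in the @@ -11062,17 +11105,20 @@ hunk should say what is lost when it is used. Per the "verifyhost" text, the hostnames in the server certificate are checked against the given name and the handshake is aborted on mismatch, so resetting it means that check is no longer performed for that server. One sentence to that effect plus a "See also "verifyhost"" line would make the consequence visible to someone reading only this entry.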
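
Review bot: the added line in the @@ -11238,10 +11262,9 @@ hunk for "send-proxy-v2" is missing the opening double quote before send-proxy: it reads `"no-send-proxy-v2" option of this section and send-proxy" option of the`. It should read `and the "send-proxy" option of the`, matching the quoting on the line it replaces.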
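
Review bot: the @@ -11327,9 +11342,29 @@ hunk documents a keyword named "sslv3" as the one resetting "no-sslv3", but the commit message says "sslv2" disables "no-sslv3"; one of the two needs correcting so the message and the documentation agree. In the same hunk, `See the "no-ssl" to disable "ssl" option and "check-ssl" option to force` is hard to parse; something like `See also "no-ssl" to disable this option and "check-ssl" to force SSL health checks` would read better.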
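
Review bot: the last line of the new "tls-tickets" entry in the @@ -11353,7 +11388,33 @@ hunk names a keyword that does not exist: `"default-server" "no-tlsv-tickets" setting` should be "no-tls-tickets", as in the first sentence of the same entry. Also, "tlsv10", "tlsv11", "tlsv12" and "tls-tickets" are inserted after "track", which breaks the alphabetical order the section otherwise follows; they belong between "tcp-ut" and "track".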