|BIND_PORTS |Ports to bind in addition to `80` and `443`. Multiple values can be separated with comma. If a port is specified with the `srcPort` reconfigure parameter, it is not required to specify it in this environment variable. Those values will be used as default ports used for services that do not specify `srcPort`.<br>Example: 8085, 8086|
15
-
|CA_FILE |Path to a PEM file from which to load CA certificates that will be used to verify client's certificate. Preferably, the file should be provided as a Docker secret.<br>Example: /run/secrets/ca-file|
14
+
|BIND_PORTS |Ports to bind in addition to `80` and `443`. Multiple values can be separated with comma. If a port is specified with the `srcPort` reconfigure parameter, it is not required to specify it in this environment variable. Those values will be used as default ports used for services that do not specify `srcPort`.<br>**Example:** 8085, 8086|
15
+
|CA_FILE |Path to a PEM file from which to load CA certificates that will be used to verify client's certificate. Preferably, the file should be provided as a Docker secret.<br>**Example:** /run/secrets/ca-file|
16
+
|CAPTURE_REQUEST_HEADER|Allows capturing specific request headers. This feature is useful if debugging is enabled (e.g. `DEBUG=true`) and the format is customized with `DEBUG_HTTP_FORMAT` or `DEBUG_TCP_FORMAT` to output headers. Header name and lenght in bytes must be separated with colon (e.g. `Host:15`). Multiple headers should be separated with colon (e.g. `Host:15,X-Forwarded-For:20`).<br>**Example:**`Host:15,X-Forwarded-For:20,Referer:15`|
16
17
|CFG_TEMPLATE_PATH |Path to the configuration template. The path can be absolute (starting with `/`) or relative to `/cfg/tmpl`.<br>**Default value:**`/cfg/tmpl/haproxy.tmpl`|
17
18
|CHECK_RESOLVERS |Enable `docker` as a resolver. Provides higher reliability at the cost of backend initialization time. If enabled, it might take a few seconds until a backend is resolved and operational.<br>**Default value:**`false`|
18
19
|CERTS |This parameter is **deprecated** as of February 2017. All the certificates from the `/cets/` directory are now loaded automatically.|
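Review bot: In the added CAPTURE_REQUEST_HEADER row, the second sentence about separators says multiple headers "should be separated with colon", but both the inline sample and the Example value (`Host:15,X-Forwarded-For:20,Referer:15`) separate them with a comma; change that "colon" to "comma" so it does not clash with the name:length colon. "lenght" should be "length". Because the row ties this feature to `DEBUG` output, it would also help to state that the captured values end up in the debug log, so headers carrying credentials or session data should be left out of the list.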
19
-
|COMPRESSION_ALGO |Enable HTTP compression. The currently supported algorithms are:<br>**identity**: this is mostly for debugging.<br>**gzip**: applies gzip compression. This setting is only available when support for zlib or libslz was built in.<br>**deflate** same as *gzip*, but with deflate algorithm and zlib format. Note that this algorithm has ambiguous support on many browsers and no support at all from recent ones. It is strongly recommended not to use it for anything else than experimentation. This setting is only available when support for zlib or libslz was built in.<br>**raw-deflate**: same as *deflate* without the zlib wrapper, and used as an alternative when the browser wants "deflate". All major browsers understand it and despite violating the standards, it is known to work better than *deflate*, at least on MSIE and some versions of Safari. This setting is only available when support for zlib or libslz was built in.<br>Compression will be activated depending on the Accept-Encoding request header. With identity, it does not take care of that header. If backend servers support HTTP compression, these directives will be no-op: haproxy will see the compressed response and will not compress again. 
If backend servers do not support HTTP compression and there is Accept-Encoding header in request, haproxy will compress the matching response.<br>Compression is disabled when:<br>* the request does not advertise a supported compression algorithm in the "Accept-Encoding" header<br>* the response message is not HTTP/1.1<br>* HTTP status code is not 200<br>* response header "Transfer-Encoding" contains "chunked" (Temporary Workaround)<br>* response contain neither a "Content-Length" header nor a "Transfer-Encoding" whose last value is "chunked"<br>* response contains a "Content-Type" header whose first value starts with "multipart"<br>* the response contains the "no-transform" value in the "Cache-control" header<br>* User-Agent matches "Mozilla/4" unless it is MSIE 6 with XP SP2, or MSIE 7 and later<br>* The response contains a "Content-Encoding" header, indicating that the response is already compressed (see compression offload)<br>Example: gzip|
20
-
|COMPRESSION_TYPE |The type of files that will be compressed.<br>Example: text/css text/html text/javascript application/javascript text/plain text/xml application/json|
21
-
|CONNECTION_MODE |HAProxy supports 5 connection modes.<br><br>`http-keep-alive`: all requests and responses are processed.<br>`http-tunnel`: only the first request and response are processed, everything else is forwarded with no analysis.<br>`httpclose`: tunnel with "Connection: close" added in both directions.<br>`http-server-close`: the server-facing connection is closed after the response.<br>`forceclose`: the connection is actively closed after end of response.<br><br>In general, it is preferred to use `http-server-close` with application servers, and some static servers might benefit from `http-keep-alive`.<br>Example: `http-server-close`<br>**Default value:**`http-keep-alive`|
22
-
|DEBUG |Enables logging of each request sent through the proxy. Please consult [Debug Format](#debug-format) for info about the log entries. This feature should be used with caution. **Do not enable debugging in production unless necessary.**<br>Example: true<br>**Default value:**`false`|
23
-
|DEBUG_ERRORS_ONLY |If set to `true`, only requests that resulted in an error, timeout, retry, and redispatch will be logged. If a request is HTTP, responses with a status 5xx will be logged too. This variable will take effect only if `DEBUG` is set to `true`.<br>Example: true<br>**Default value:**`false`|
20
+
|COMPRESSION_ALGO |Enable HTTP compression. The currently supported algorithms are:<br>**identity**: this is mostly for debugging.<br>**gzip**: applies gzip compression. This setting is only available when support for zlib or libslz was built in.<br>**deflate** same as *gzip*, but with deflate algorithm and zlib format. Note that this algorithm has ambiguous support on many browsers and no support at all from recent ones. It is strongly recommended not to use it for anything else than experimentation. This setting is only available when support for zlib or libslz was built in.<br>**raw-deflate**: same as *deflate* without the zlib wrapper, and used as an alternative when the browser wants "deflate". All major browsers understand it and despite violating the standards, it is known to work better than *deflate*, at least on MSIE and some versions of Safari. This setting is only available when support for zlib or libslz was built in.<br>Compression will be activated depending on the Accept-Encoding request header. With identity, it does not take care of that header. If backend servers support HTTP compression, these directives will be no-op: haproxy will see the compressed response and will not compress again. 
If backend servers do not support HTTP compression and there is Accept-Encoding header in request, haproxy will compress the matching response.<br>Compression is disabled when:<br>* the request does not advertise a supported compression algorithm in the "Accept-Encoding" header<br>* the response message is not HTTP/1.1<br>* HTTP status code is not 200<br>* response header "Transfer-Encoding" contains "chunked" (Temporary Workaround)<br>* response contain neither a "Content-Length" header nor a "Transfer-Encoding" whose last value is "chunked"<br>* response contains a "Content-Type" header whose first value starts with "multipart"<br>* the response contains the "no-transform" value in the "Cache-control" header<br>* User-Agent matches "Mozilla/4" unless it is MSIE 6 with XP SP2, or MSIE 7 and later<br>* The response contains a "Content-Encoding" header, indicating that the response is already compressed (see compression offload)<br>**Example:** gzip|
21
+
|COMPRESSION_TYPE |The type of files that will be compressed.<br>**Example:** text/css text/html text/javascript application/javascript text/plain text/xml application/json|
22
+
|CONNECTION_MODE |HAProxy supports 5 connection modes.<br><br>`http-keep-alive`: all requests and responses are processed.<br>`http-tunnel`: only the first request and response are processed, everything else is forwarded with no analysis.<br>`httpclose`: tunnel with "Connection: close" added in both directions.<br>`http-server-close`: the server-facing connection is closed after the response.<br>`forceclose`: the connection is actively closed after end of response.<br><br>In general, it is preferred to use `http-server-close` with application servers, and some static servers might benefit from `http-keep-alive`.<br>**Example:**`http-server-close`<br>**Default value:**`http-keep-alive`|
23
+
|DEBUG |Enables logging of each request sent through the proxy. Please consult [Debug Format](#debug-format) for info about the log entries. This feature should be used with caution. **Do not enable debugging in production unless necessary.**<br>**Example:** true<br>**Default value:**`false`|
24
+
|DEBUG_ERRORS_ONLY |If set to `true`, only requests that resulted in an error, timeout, retry, and redispatch will be logged. If a request is HTTP, responses with a status 5xx will be logged too. This variable will take effect only if `DEBUG` is set to `true`.<br>**Example:** true<br>**Default value:**`false`|
24
25
|DEBUG_HTTP_FORMAT |Logging format that will be used with HTTP requests. Please consult [Custom log format](https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#8.2.4) for more info about the available options.|
25
26
|DEBUG_TCP_FORMAT |Logging format that will be used with TCP requests. Please consult [Custom log format](https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#8.2.4) for more info about the available options.|
26
27
|DEFAULT_PORTS |The default ports used by the proxy. Multiple values can be separated with comma (`,`). If a port should be for SSL connections, append it with `:ssl`. Additional binding options can be added after a port. For example, `80 accept-proxy,443 accept-proxy:ssl` adds `accept-proxy` to the defalt binding options.<br>**Default value:**`80,443:ssl`|
27
28
|EXTRA_FRONTEND |Value will be added to the default `frontend` configuration. Multiple lines should be separated with comma (*,*).|
28
29
|EXTRA_GLOBAL |Value will be added to the default `global` configuration. Multiple lines should be separated with comma (*,*).|
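Review bot: The new bold Example labels in this block are spaced and quoted inconsistently: COMPRESSION_ALGO, COMPRESSION_TYPE, DEBUG and DEBUG_ERRORS_ONLY put a space after the label and leave the value bare (`**Example:** gzip`, `**Example:** true`), while CONNECTION_MODE runs the label straight into a backticked value with no space. Pick one form, for example a space after the label and every value in backticks, and apply it to the `**Default value:**` labels as well, since those also have no space before the value.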
29
-
|LISTENER_ADDRESS |The address of the [Docker Flow: Swarm Listener](https://github.com/vfarcic/docker-flow-swarm-listener) used for automatic proxy configuration.<br>Example: swarm-listener|
30
-
|MODE |Two modes are supported. The *default* mode should be used for general purpose. **This mode is deprecated and will be removed soon**. The *swarm* mode is designed to work with new features introduced in Docker 1.12 and assumes that containers are deployed as Docker services (new Swarm).<br>Example: swarm|
30
+
|LISTENER_ADDRESS |The address of the [Docker Flow: Swarm Listener](https://github.com/vfarcic/docker-flow-swarm-listener) used for automatic proxy configuration.<br>**Example:** swarm-listener|
31
+
|MODE |Two modes are supported. The *default* mode should be used for general purpose. **This mode is deprecated and will be removed soon**. The *swarm* mode is designed to work with new features introduced in Docker 1.12 and assumes that containers are deployed as Docker services (new Swarm).<br>**Example:** swarm|
31
32
PROXY_INSTANCE_NAME|The name of the proxy instance. Useful if multiple proxies are running inside a cluster.<br>**Default value:**`docker-flow`|
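Review bot: The MODE row, changed here only for the label, still contradicts itself: it says the *default* mode "should be used for general purpose" and in the next sentence that this mode is deprecated and will be removed soon. Since the row is being edited anyway, reword it so the deprecation is stated first and it is clear which mode readers should choose, and add a Default value entry as the neighbouring rows have. The PROXY_INSTANCE_NAME context line directly below is also missing its leading pipe, which breaks that table row.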
32
-
|SERVICE_NAME |The name of the service. It must be the same as the value of the `--name` argument used to create the proxy service. Used only in the *swarm* mode.<br>Example: `my-proxy`<br>**Default value:**`proxy`|
33
+
|SERVICE_NAME |The name of the service. It must be the same as the value of the `--name` argument used to create the proxy service. Used only in the *swarm* mode.<br>**Example:**`my-proxy`<br>**Default value:**`proxy`|
33
34
|RELOAD_INTERVAL |Defines the frequency (in milliseconds) between automatic config reloads from Swarm Listener.<br>**Default value:**`5000`|
34
-
|REPEAT_RELOAD |If set to `true`, the proxy will periodically reload the config, using `RELOAD_INTERVAL` as pause between iterations.<br>Example: `true`<br>**Default value:**`false`|
35
-
|SKIP_ADDRESS_VALIDATION|Whether to skip validating service address before reconfiguring the proxy.<br>Example: false<br>**Default value:**`true`|
35
+
|REPEAT_RELOAD |If set to `true`, the proxy will periodically reload the config, using `RELOAD_INTERVAL` as pause between iterations.<br>**Example:**`true`<br>**Default value:**`false`|
36
+
|SKIP_ADDRESS_VALIDATION|Whether to skip validating service address before reconfiguring the proxy.<br>**Example:** false<br>**Default value:**`true`|
36
37
|SSL_BIND_CIPHERS |Sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake for all "bind" lines which do not explicitly define theirs. The format of the string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such as `AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH`.<br>**Default value:** see [Dockerfile](https://github.com/vfarcic/docker-flow-proxy/blob/master/Dockerfile#L31)|
37
38
|SSL_BIND_OPTIONS |Sets default ssl-options to force on all "bind" lines.<br>**Default value:**`no-sslv3`|
38
-
|STATS_USER |Username for the statistics page. If not set, stats will not be available. If both `STATS_USER` and `STATS_PASS` are set to `none`, statistics will be available without authentication.<br>Example: my-user<br>**Default value:**`admin`|
39
-
|STATS_USER_ENV |The name of the environment variable that holds the username for the statistics page.<br>Example: MY_USER<br>**Default value:**`STATS_USER`|
40
-
|STATS_PASS |Password for the statistics page. If not set, stats will not be available. If both `STATS_USER` and `STATS_PASS` are set to `none`, statistics will be available without authentication.<br>Example: my-pass<br>**Default value:**`admin`|
41
-
|STATS_PASS_ENV |The name of the environment variable that holds the password for the statistics page.<br>Example: MY_PASS|STATS_PASS|
42
-
|STATS_URI |URI for the statistics page.<br>Example: `/proxyStats`<br>**Default value:**`/admin?proxy`|
43
-
|STATS_URI_ENV |The name of the environment variable that holds the URI for the statistics page.<br>Example: `MY_URI`<br>**Default value:**`STATS_URI`|
44
-
|TERMINATE_ON_RELOAD|Whether to terminate the proxy process every time a reload request is received. If set to `false`, a new process will spawn and all the existing requests will terminate through the old process. The downside of this approach is that the system might end up with zombie processes. If set to `true`, zombie processes will be removed but the existing requests to the proxy might be cut.<br>Example: `true`<br>**Default value:**`false`|
45
-
|TIMEOUT_CLIENT |The client timeout in seconds.<br>Example: `5`<br>**Default value:**`20`|
46
-
|TIMEOUT_CONNECT |The connect timeout in seconds.<br>Example: `3`<br>**Default value:**`5`|
47
-
|TIMEOUT_QUEUE |The queue timeout in seconds.<br>Example: `10`<br>**Default value:**`30`|
48
-
|TIMEOUT_SERVER |The server timeout in seconds.<br>Example: `15`<br>**Default value:**`20`|
49
-
|TIMEOUT_TUNNEL |The tunnel timeout in seconds.<br>Example: `1800`<br>**Default value:**`3600`|
50
-
|TIMEOUT_HTTP_REQUEST|The HTTP request timeout in seconds.<br>Example: `3`<br>**Default value:**`5`|
51
-
|TIMEOUT_HTTP_KEEP_ALIVE|The HTTP keep alive timeout in seconds.<br>Example: `10`<br>**Default value:**`15`|
52
-
|USERS |A comma-separated list of credentials(<user>:<pass>) for HTTP basic auth, which applies to all the backend routes. Presence of `dfp_users` Docker secret (`/run/secrets/dfp_users file`) overrides this setting. When present, credentials are read from it.<br>Example: `user1:pass1, user2:pass2`|
53
-
|USERS_PASS_ENCRYPTED| Indicates if passwords provided through `USERS` or Docker secret `dfp_users` (`/run/secrets/dfp_users` file) are encrypted. Passwords can be encrypted with the `mkpasswd -m sha-512 my-password` command.<br>Example: `true`<br>**Default value:**`false`|
39
+
|STATS_USER |Username for the statistics page. If not set, stats will not be available. If both `STATS_USER` and `STATS_PASS` are set to `none`, statistics will be available without authentication.<br>**Example:** my-user<br>**Default value:**`admin`|
40
+
|STATS_USER_ENV |The name of the environment variable that holds the username for the statistics page.<br>**Example:** MY_USER<br>**Default value:**`STATS_USER`|
41
+
|STATS_PASS |Password for the statistics page. If not set, stats will not be available. If both `STATS_USER` and `STATS_PASS` are set to `none`, statistics will be available without authentication.<br>**Example:** my-pass<br>**Default value:**`admin`|
42
+
|STATS_PASS_ENV |The name of the environment variable that holds the password for the statistics page.<br>**Example:** MY_PASS|STATS_PASS|
43
+
|STATS_URI |URI for the statistics page.<br>**Example:**`/proxyStats`<br>**Default value:**`/admin?proxy`|
44
+
|STATS_URI_ENV |The name of the environment variable that holds the URI for the statistics page.<br>**Example:**`MY_URI`<br>**Default value:**`STATS_URI`|
45
+
|TERMINATE_ON_RELOAD|Whether to terminate the proxy process every time a reload request is received. If set to `false`, a new process will spawn and all the existing requests will terminate through the old process. The downside of this approach is that the system might end up with zombie processes. If set to `true`, zombie processes will be removed but the existing requests to the proxy might be cut.<br>**Example:**`true`<br>**Default value:**`false`|
46
+
|TIMEOUT_CLIENT |The client timeout in seconds.<br>**Example:**`5`<br>**Default value:**`20`|
47
+
|TIMEOUT_CONNECT |The connect timeout in seconds.<br>**Example:**`3`<br>**Default value:**`5`|
48
+
|TIMEOUT_QUEUE |The queue timeout in seconds.<br>**Example:**`10`<br>**Default value:**`30`|
49
+
|TIMEOUT_SERVER |The server timeout in seconds.<br>**Example:**`15`<br>**Default value:**`20`|
50
+
|TIMEOUT_TUNNEL |The tunnel timeout in seconds.<br>**Example:**`1800`<br>**Default value:**`3600`|
51
+
|TIMEOUT_HTTP_REQUEST|The HTTP request timeout in seconds.<br>**Example:**`3`<br>**Default value:**`5`|
52
+
|TIMEOUT_HTTP_KEEP_ALIVE|The HTTP keep alive timeout in seconds.<br>**Example:**`10`<br>**Default value:**`15`|
53
+
|USERS |A comma-separated list of credentials(<user>:<pass>) for HTTP basic auth, which applies to all the backend routes. Presence of `dfp_users` Docker secret (`/run/secrets/dfp_users file`) overrides this setting. When present, credentials are read from it.<br>**Example:**`user1:pass1, user2:pass2`|
54
+
|USERS_PASS_ENCRYPTED| Indicates if passwords provided through `USERS` or Docker secret `dfp_users` (`/run/secrets/dfp_users` file) are encrypted. Passwords can be encrypted with the `mkpasswd -m sha-512 my-password` command.<br>**Example:**`true`<br>**Default value:**`false`|
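Review bot: The STATS_PASS_ENV row carries over a broken cell: it ends with `**Example:** MY_PASS|STATS_PASS|`, so the default is split into an extra table column instead of following a `<br>**Default value:**` label as in STATS_USER_ENV and STATS_URI_ENV. In the STATS_USER and STATS_PASS rows, "If not set, stats will not be available" conflicts with the documented default of `admin`; say what actually happens when the variable is unset, and consider noting that the admin/admin default should be overridden. In the USERS row the word "file" sits inside the backticks of the secret path (the USERS_PASS_ENCRYPTED row has it outside), and the bare `<user>:<pass>` may be swallowed as HTML by the renderer, so wrap it in backticks. The Example labels here have the same mixed spacing as earlier in the file (`**Example:** my-user` versus the label run directly into a backticked value).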