Re: getting on logs in ssl requests

Mon, 09 Nov 2009 12:36:07 -0800 

Hi,

On Mon, Nov 09, 2009 at 12:25:29PM -0200, Gabriel Sosa wrote:
> guys,
> 
> we have setup an haproxy for http and ssl traffic, so far all worked
> as expected. but today looking at the "request logs" each time some
> user goes to the ssl part of the site I can see in the logs
> "<BADREQ>" but the request goes just fine. what does this mean? how do
> I fix this?

Pretty amazing, this bug has been around since almost the beginning it
seems and nobody caught it yet ! This is caused by "option httplog" in
your default settings which gets inherited by the https instance which
then tries to log in http. I thought there was a check for this, and
obviously I was wrong.

defaults
        log             global
        option          httplog
        ^^^^^^^^^^^^^^^^^^^^^^^
        mode            tcp
        ...

listen  load_balanced_https     AAA.BBB.CCC.DDD:443
        balance         source
        option          ssl-hello-chk
        mode            tcp
        ^^^^^^^^^^^^^^^^^^^

Also be careful, the following options are wrong too in HTTPS (since
haproxy can't touch the stream). However they are just harmless, but
may become invalid and cause an error when checks become stricter :

        option          httpclose
        option          forwardfor
        ...


I've committed the following patch which emits a warning in case of
such a wrong setting which might be hard to catch. It also automatically
falls back to tcplog for a TCP proxy.

Thanks for the report!
Willy

>From 5f0bd6537f8b56b643ef485d7a3c96d996d9b01a Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w...@1wt.eu>
Date: Mon, 9 Nov 2009 21:27:51 +0100
Subject: [BUG] config: disable 'option httplog' on TCP proxies

Gabriel Sosa reported that logs were appearing with BADREQ when
'option httplog' was used with a TCP proxy (eg: inherited via a
default instance). This patch detects it and falls back to tcplog
after emitting a warning.
---
 src/proxy.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/src/proxy.c b/src/proxy.c
index 69b070e..15f9b92 100644
--- a/src/proxy.c
+++ b/src/proxy.c
@@ -327,6 +327,11 @@ int proxy_cfg_ensure_no_http(struct proxy *curproxy)
                Warning("config : Layer 7 hash not possible for %s '%s' (needs 
'mode http'). Falling back to round robin.\n",
                        proxy_type_str(curproxy), curproxy->id);
        }
+       if (curproxy->to_log & (LW_REQ | LW_RESP)) {
+               curproxy->to_log &= ~(LW_REQ | LW_RESP);
+               Warning("config : 'option httplog' not usable with %s '%s' 
(needs 'mode http'). Falling back to 'option tcplog'.\n",
+                       proxy_type_str(curproxy), curproxy->id);
+       }
        return 0;
 }
 
-- 
1.6.4.4

Reply via email to