capturing arbitrary cookies and multiple X-Forwarded-For values

Tue, 25 Sep 2012 15:44:18 -0700 

one question/feature request, and one possible bug.

first, the bug:

haproxy is logging to a local syslog process with

====
global
        log 127.0.0.1 local5
====

and syslog listening with:

====
local5.* /var/log/haproxy
====

haproxy.cfg contains the following frontend definition:
====
frontend http_proxy
        bind *:80
        mode http
        option forwardfor
        option http-server-close
        option http-pretend-keepalive
        option httplog
        default_backend apache_ui
====

if I add the following two directives to my frontend definition, I get
no log output *at all* (although "haproxy -c" returns success):
====
        capture request header X-Forwarded-For len 15
        capture cookie openx3_access_token len 63
====

however, if instead add the following two headers, I get both an
X-Forwarded-For value and a cookie value (presumably the last cookie
specified if there are multiple) in my log output (pipe-delimited
inside braces), along with the rest of the typical output for "option
httplog":
====
        capture request header X-Forwarded-For len 15
        capture request header Cookie len 63
====

is this a bug? should haproxy fail to log any output using "capture
request header" and "capture cookie" directives in the same frontend?
it appears to be legal syntax.

now the question: is there a method to log (as you can see I'm
attempting above) multiple cookies in log output?

what about arbitrary cookie names? (software devs have stated that
they'd like all cookies sent by the client dumped, even if they're not
ones we're expecting, which means I can't specify the cookie names
ahead of time because I don't know what they might be).

in a similar vein, is there a method to log the entirety of the
X-Forwarded-For header as passed in the HTTP request, and not just the
first instance of the last value? We frequently get X-Forwarded-For
headers that have 3-4 comma-separated values, and cannot currently
change the rest of the infrastructure to transparently pass HTTP
requests (multiple L7 proxies involved; no way to avoid multiple
values in X-Forwarded-For, and we'd like to log the entire chain for
forensic purposes).

thanks all!
-- 
       Scott Francis | darkuncle(at)darkuncle(dot)net | 0x5537F527
                        Less and less is done
                     until non-action is achieved
             when nothing is done, nothing is left undone.
                                    -- the Tao of Sysadmin

Reply via email to