Hi, I recently tried to enhance the logs with SSL information for HAProxy 1.6.3 running in TCP mode for SSL forwarding.
While using the SSL session ID for session persistence across the backend servers works great, I was not able to make HAProxy log the SSL version and SNI hostname from the client request. I'm aware that these are part of the request, which are not available anymore at the time they are logged (response), so I first tried to go for variables:

    listen lb-gebco.fat.DOMAIN
        bind 10.15.18.44:33342
        mode tcp
        balance roundrobin

        # SSL session ID stickiness
        #
        # Maximum SSL session ID length is 32 bytes
        stick-table type binary len 32 size 4k expire 15m
        #peers haproxy-cluster

        acl clienthello req.ssl_hello_type 1
        acl serverhello res.ssl_hello_type 2

        # Use tcp content accepts to detect ssl client and server hello
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        # No timeout on response inspect delay by default
        tcp-response content accept if serverhello

        # SSL session ID (SSLID) may be present on a client or server hello.
        # Its length is coded on 1 byte at offset 43 and its value starts
        # at offset 44. Match and learn on request if client hello.
        stick on payload_lv(43,1) if clienthello
        # Learn on response if server hello.
        stick store-response payload_lv(43,1) if serverhello

        # Log SSL details
        tcp-request content set-var(sess.ssl_ver) req.ssl_ver
        tcp-request content set-var(sess.ssl_sni) req.ssl_sni
        log-format "sve:%[var(sess.ssl_ver),hex] sni:%{+Q}[var(sess.ssl_sni)]"

Unfortunately it does not make any difference, as if the variables were empty (I also tried with transaction (txn) instead of session (sess) variables, same result):

    haproxy[29995]: sve:- sni:""

Next I tried with captures:

    # Log SSL details
    tcp-request content capture req.ssl_ver len 8
    tcp-request content capture req.ssl_sni len 32
    log-format "sve:%[capture.req.hdr(0),hex] sni:%{+Q}[capture.req.hdr(1)]"

But the same result:

    haproxy[30219]: sve:- sni:""

I'm sure something obvious is missing, but no idea what. Any hints would be helpful.

Thx,
Peter