Hi,

I recently tried to enhance the logs with SSL information for HAProxy 1.6.3
running in TCP mode for SSL forwarding.

While using the SSL session ID for session persistence across the backend
servers works great, I was not able to make HAProxy log the SSL version and
SNI hostname from the client request.

I'm aware that these are part of the request, which are not available anymore
at the time they are logged (response), so I first tried to go for variables:

listen lb-gebco.fat.DOMAIN
   bind 10.15.18.44:33342
   mode tcp
   balance roundrobin

   # SSL session ID stickiness
   #
   # Maximum SSL session ID length is 32 bytes
   stick-table type binary len 32 size 4k expire 15m #peers haproxy-cluster

   acl clienthello req.ssl_hello_type 1
   acl serverhello res.ssl_hello_type 2

   # Use tcp content accepts to detect ssl client and server hello
   tcp-request inspect-delay 5s
   tcp-request content accept if clienthello

   # No timeout on response inspect delay by default
   tcp-response content accept if serverhello

   # SSL session ID (SSLID) may be present on a client or server hello.
   # Its length is coded on 1 byte at offset 43 and its value starts
   # at offset 44. Match and learn on request if client hello.
   stick on payload_lv(43,1) if clienthello

   # Learn on response if server hello.
   stick store-response payload_lv(43,1) if serverhello

   # Log SSL details
   tcp-request content set-var(sess.ssl_ver) req.ssl_ver
   tcp-request content set-var(sess.ssl_sni) req.ssl_sni
   log-format "sve:%[var(sess.ssl_ver),hex] sni:%{+Q}[var(sess.ssl_sni)]"

Unfortunately it does not make any difference, as if the variables were
empty (I also tried with transaction (txn) instead of session (sess)
variables, same result):

   haproxy[29995]: sve:- sni:""

Next I tried with captures:

   # Log SSL details
   tcp-request content capture req.ssl_ver len 8
   tcp-request content capture req.ssl_sni len 32
   log-format "sve:%[capture.req.hdr(0),hex] sni:%{+Q}[capture.req.hdr(1)]"

But the same result:

   haproxy[30219]: sve:- sni:""

I'm sure something obvious is missing, but no idea what. Any hints would be
helpful.


Thx,
Peter
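A corrected version of the listen block above, added here as an example and not taken from the thread: in HAProxy, `tcp-request content accept` ends the evaluation of the remaining content rules, so the `set-var` (and `capture`) rules placed after it in the posted config never execute, which is why the log shows empty values. Moving them before the accept, guarded by the same `clienthello` ACL so they run once the full ClientHello is buffered, makes the variables available to `log-format`. It assumes the same bind address and stick-table as the post; the `hex` converter is dropped so the version is logged as the integer `req.ssl_ver` returns.

```haproxy
listen lb-gebco.fat.DOMAIN
   bind 10.15.18.44:33342
   mode tcp
   balance roundrobin

   # SSL session ID stickiness (maximum SSL session ID length is 32 bytes)
   stick-table type binary len 32 size 4k expire 15m

   acl clienthello req.ssl_hello_type 1
   acl serverhello res.ssl_hello_type 2

   tcp-request inspect-delay 5s

   # Record the SSL details BEFORE the accept: "accept" ends the evaluation
   # of the tcp-request content rules, so any rule listed after it never runs.
   # The "if clienthello" guard makes the rule wait until the whole
   # ClientHello is buffered, so req.ssl_ver / req.ssl_sni see complete data.
   tcp-request content set-var(sess.ssl_ver) req.ssl_ver if clienthello
   tcp-request content set-var(sess.ssl_sni) req.ssl_sni if clienthello
   tcp-request content accept if clienthello

   # No timeout on response inspect delay by default
   tcp-response content accept if serverhello

   # SSL session ID length is 1 byte at offset 43, value starts at offset 44
   stick on payload_lv(43,1) if clienthello
   stick store-response payload_lv(43,1) if serverhello

   # Session-scoped variables are still readable when the log line is emitted
   log-format "sve:%[var(sess.ssl_ver)] sni:%{+Q}[var(sess.ssl_sni)]"
```

The same ordering rule applies to the capture variant: the two `tcp-request content capture` lines must also sit before the `accept`.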

