Greetings,

To do it without logging the only other ways I can think of to get it out of HAProxy will either be headers to the backends for logging there, or doing it via stick tables (or sending the stick table stats via a header to the backend for logging).

To cover the stick table option as it sounds most like what you seek, try the following to check for sslv3:
<above the frontend>
backend sslv3-count
    stick-table type integer size 10 expire 24h store http_req_rate(24h),gpc0,gpc0_rate(24h)

<inside your frontend>
    # ACL used by the http-request line below: ssl_fc_protocol is the negotiated protocol name
    acl sslv3 ssl_fc_protocol SSLv3
    tcp-request inspect-delay 10s
    # track every SSL connection by frontend id in the table above
    tcp-request content track-sc0 fe_id() table sslv3-count if { ssl_fc }
    # bump gpc0 for the tracked entry whenever the request came in over SSLv3
    http-request allow if sslv3 { sc_inc_gpc0(0) }

Then to look at the values:
user@server$ echo "show table sslv3-count" | socat stdio /var/run/haproxy.sock
# table: sslv3-count, type: integer, size:10, used:1
0x273e69c: key=7 use=0 exp=86398154 gpc0=0 gpc0_rate(86400000)=0 http_req_rate(86400000)=2

In this case there have been two requests using SSL in the last 24 hours, none of which have used SSLv3.

I've not really tested this, more just wrote up a quick configuration for the concept, so if it doesn't work let me know and I can use openssl to actually try an sslv3 configuration.

Various other SSL values can be tracked by increasing the sc0 and adding another backend for it; the SSL related variables can be found at https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.4. If you're looking for something that you can't see a way to craft let me know and I can provide more details.

As a side note, SSLv3 isn't really considered secure any longer, but using the above to keep track of its use is a good step towards removing/restricting it.

- Chad
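Added here as an example, not part of Chad's message or of HAProxy itself: a small Python parser for the "show table" output format shown above, which turns the dump into the totals the reply reads off by hand. The sample dump is constructed from the output line quoted in the reply; the table name sslv3-count comes from the configuration above.

```python
import re

# Constructed sample, modelled on the "show table sslv3-count" output in the reply above.
SAMPLE_DUMP = """\
# table: sslv3-count, type: integer, size:10, used:1
0x273e69c: key=7 use=0 exp=86398154 gpc0=0 gpc0_rate(86400000)=0 http_req_rate(86400000)=2
"""

HEADER_RE = re.compile(r"^# table: (?P<name>\S+), type: (?P<type>\w+), size:(?P<size>\d+), used:(?P<used>\d+)")
# Entry fields look like "gpc0=0" or "http_req_rate(86400000)=2" (window length in ms).
FIELD_RE = re.compile(r"(?P<field>\w+(?:\(\d+\))?)=(?P<value>\S+)")


def parse_show_table(text):
    """Parse one or more 'show table' dumps into {table_name: [entry, ...]}.
    Entry values are ints where numeric, else the raw string (e.g. an ip-typed key)."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name")
            tables[current] = []
            continue
        if current is None or ":" not in line:
            continue  # not an entry line of a known table; ignore it
        addr, _, fields = line.partition(":")
        entry = {"addr": addr}
        for m in FIELD_RE.finditer(fields):
            value = m.group("value")
            entry[m.group("field")] = int(value) if value.lstrip("-").isdigit() else value
        tables[current].append(entry)
    return tables


def ssl_usage(tables, table="sslv3-count"):
    """Return (ssl_requests_in_window, sslv3_requests) summed over all tracked keys.
    http_req_rate(...) counts requests over the table's rate window (24h above), while
    gpc0 is cumulative since the entry was created, so the two periods can differ."""
    ssl_requests = sslv3_requests = 0
    for entry in tables.get(table, []):
        ssl_requests += sum(v for k, v in entry.items() if k.startswith("http_req_rate("))
        sslv3_requests += entry.get("gpc0", 0)
    return ssl_requests, sslv3_requests


if __name__ == "__main__":
    print(ssl_usage(parse_show_table(SAMPLE_DUMP)))  # (2, 0): two SSL requests, none over SSLv3
```

Feed it the real dump with `echo "show table sslv3-count" | socat stdio /var/run/haproxy.sock | python3 script.py` after replacing SAMPLE_DUMP with sys.stdin.read().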

On 03/08/2016 11:18 AM, Stefan Johansson wrote:

Hi,

Is it possible somehow to extract statistics on cipher used (total SSLv3, total RC4 etc.) without necessarily turning on connection logging and extracting the data from there?

Thank you.

Regards,

Stefan
