Hi Remi.
On 02.07.21 16:26, Remi Tricot-Le Breton wrote:
Hello list,
Some work in ongoing to ease connection error and SSL handshake error logging.
This will rely on some new sample fetches that could be added to a custom
log-format string.
In order to ease SSL logging and debugging, we will also add a new default log
format for SSL connections. Now is then the good time to find the best format
for everyone.
The proposed format looks like the HTTP one to which the SSL specific
information is added. But if anybody sees a missing information that could be
beneficial for everybody, feel free to tell it, nothing is set in stone yet.
The format would look like this :
>>> Jul 1 18:11:31 haproxy[143338]: 127.0.0.1:37740
[01/Jul/2021:18:11:31.517] \
ssl_frontend~ ssl_frontend/s2 0/0/0/7/+7 \
0/0/0/0 2750 ---- 1/1/1/1/0 0/0 TLSv1.3 TLS_AES_256_GCM_SHA384
Field Format Extract from the example above
1 process_name '[' pid ']:' haproxy[143338]:
2 client_ip ':' client_port 127.0.0.1:37740
3 '[' request_date ']' [01/Jul/2021:18:11:31.517]
4 frontend_name ssl_frontend~
5 backend_name '/' server_name ssl_frontend/s2
6 TR '/' Tw '/' Tc '/' Tr '/' Ta* 0/0/0/7/+7
7 *conn_status '/' SSL hsk error '/' SSL vfy '/' SSL CA vfy* 0/0/0/0
8 bytes_read* 2750
9 termination_state ----
10 actconn '/' feconn '/' beconn '/' srv_conn '/' retries* 1/1/1/1/0
11 srv_queue '/' backend_queue 0/0
12 *ssl_version* TLSv1.3
13 *ssl_ciphers* TLS_AES_256_GCM_SHA384
The equivalent log-format string would be the following :
"%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta \
%[conn_err_code]/%[ssl_fc_hsk_err]/%[ssl_c_err]/%[ssl_c_ca_err] \
%B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %sslv %sslc
The fields in bold are the SSL specific ones and the statuses ones will come
from a not yet submitted code so the names and format might slightly change.
Feel free to suggest any missing data, which could come from log-format
specific fields or already existing sample fetches.
How about to combine ssl_version/ssl_ciphers in one line.
It would be helpful to see also the backend status.
Maybe add a 14th and 15th line with following fields
*backend_name '/' conn_status '/' SSL hsk error '/' SSL vfy '/' SSL CA vfy*
*backend_name '/' ssl_version '/' ssl_ciphers*
I had in the past several issues with the backend where the backend CA wasn't
in the CA File which was quite
difficult to debug.
+1 to the suggestion from Илья Шипицин to use iso8601 which is already in
haproxy since 2019/10/01:2.1-dev2.
I haven't found sub second format parameter in strftime call therefore I assume
the strftime call have this
".000000" as fix value.
```
strftime(iso_time_str, sizeof(iso_time_str), "%Y-%m-%dT%H:%M:%S.000000+00:00",
&tm)
```
Maybe another option is to use TAI for timestamps.
https://en.wikipedia.org/wiki/International_Atomic_Time
https://cr.yp.to/proto/utctai.html
http://www.madore.org/~david/computers/unix-leap-seconds.html
Thanks
Rémi
Jm2c
Alex
