On 04.11.21 15:28, Willy Tarreau wrote:
Hello,
as some of you know, 2.5 will come with a new "option httpslog" to ease
logging some useful TLS info by default.
While running some tests in production with the error-log-format, I
realized that we're not logging the SNI in "httpslog", and that it's
probably a significant miss that we ought to fix before the release.
I think it could be particularly useful for those using long crt-lists
with a default domain, as it will allow figuring out which ones have been
handled by the default one, possibly due to a missing certificate or a
misconfiguration.
Right now the default HTTPS format is defined this way:
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \
%CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r \
%[fc_conn_err]/%[ssl_fc_err,hex]/%[ssl_c_err]/\
%[ssl_c_ca_err]/%[ssl_fc_is_resumed] %sslv/%sslc"
As it is, it closely matches the httplog one so that tools configured to
process the latter should also work unmodified with the new one.
The question is, should we add "ssl_fc_sni" somewhere in this line, and
if so, where? Logging it at the end seems sensible to me so that even if
it's absent we're not missing anything. But maybe there are better options
or opinions on the subject.
A big bold +1 to add the SNI header to the log.
Feel free to suggest so that we put something there before tomorrow and
have it in a last dev13 before the release.
Thanks,
Willy
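As an added illustration (not part of this thread, nor HAProxy's own code) of why appending the SNI at the end keeps existing tooling working, here is a small parser for the default httpslog line quoted above. It assumes the eventual format simply appends %[ssl_fc_sni] as a last, space-separated field, as proposed in the mail; the optional trailing group means lines produced by the current SNI-less format still parse. It then buckets each line by what the SNI tells you about the crt-list lookup (no SNI at all, an SNI that no crt-list entry covers, or a line that predates the change), which is exactly the "which ones ended up on the default certificate" question raised above. The log lines, the crt-list domains and the helper names are constructed for the example.

```python
import re
from typing import Optional

# Field-by-field translation of the default "option httpslog" format quoted in
# the mail.  One assumption on top of it: %[ssl_fc_sni] appended at the very
# end, as the mail proposes.  The %hr/%hs blocks are optional because HAProxy
# only emits them when "capture request/response header" is configured.
HTTPSLOG_RE = re.compile(
    r'^(?P<client_ip>\S+):(?P<client_port>\d+) '
    r'\[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>\S+)/(?P<server>\S+) '
    r'(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes_read>\d+) '
    r'(?P<req_cookie>\S+) (?P<res_cookie>\S+) (?P<tsc>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\d+) '
    r'(?P<srv_queue>\d+)/(?P<backend_queue>\d+) '
    r'(?:\{(?P<req_headers>[^}]*)\} )?'
    r'(?:\{(?P<res_headers>[^}]*)\} )?'
    r'"(?P<request>(?:[^"\\]|\\.)*)" '          # %{+Q}r escapes inner quotes as \"
    r'(?P<fc_conn_err>[^/\s]+)/(?P<ssl_fc_err>[^/\s]+)/(?P<ssl_c_err>[^/\s]+)/'
    r'(?P<ssl_c_ca_err>[^/\s]+)/(?P<ssl_fc_is_resumed>\S+) '
    r'(?P<sslv>[^/\s]+)/(?P<sslc>\S+)'
    r'(?: (?P<sni>\S+))?$'                      # assumed trailing SNI, optional
)


def parse_httpslog(line: str) -> Optional[dict]:
    """Return the named fields of one httpslog line, or None if it does not match."""
    m = HTTPSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def sni_matches(sni: str, domain: str) -> bool:
    """Case-insensitive match of an SNI against a crt-list name.  A leading
    wildcard label covers exactly one label: "*.example.com" matches
    "www.example.com" but neither "example.com" nor "a.b.example.com"."""
    sni, domain = sni.lower().rstrip('.'), domain.lower().rstrip('.')
    if domain.startswith('*.'):
        head, _, tail = sni.partition('.')
        return bool(head) and tail == domain[2:]
    return sni == domain


def classify_sni(record: dict, crt_list: set) -> str:
    """Bucket one parsed line by what its SNI field says about the cert lookup."""
    sni = record.get('sni')
    if sni is None:
        return 'not-logged'     # line produced by the SNI-less format
    if record['sslv'] == '-':
        return 'cleartext'      # not TLS at all, SNI is meaningless here
    if sni == '-':
        return 'no-sni'         # client sent no SNI: default certificate served
    if any(sni_matches(sni, d) for d in crt_list):
        return 'ok'
    return 'unknown-sni'        # nothing in the crt-list covers it: default cert


def default_cert_report(lines, crt_list) -> dict:
    """Return {bucket: [(client_ip, sni), ...]} over every parsable line."""
    report = {}
    for line in lines:
        rec = parse_httpslog(line)
        if rec is None:
            continue
        report.setdefault(classify_sni(rec, crt_list), []).append(
            (rec['client_ip'], rec.get('sni')))
    return report


# Constructed crt-list names and log lines, not real traffic.
CRT_LIST = {'www.example.com', '*.example.com', 'api.example.org'}
SAMPLE_LINES = [
    '10.0.0.1:54321 [04/Nov/2021:15:28:00.123] https-in~ web/srv1 0/0/1/2/3 200 1234 - - ---- '
    '1/1/0/0/0 0/0 "GET /index.html HTTP/1.1" 0/0/0/0/0 TLSv1.3/TLS_AES_256_GCM_SHA384 www.example.com',
    '10.0.0.2:41000 [04/Nov/2021:15:28:01.456] https-in~ web/srv2 0/0/1/2/3 200 512 - - ---- '
    '2/2/1/0/0 0/0 "GET / HTTP/1.1" 0/0/0/0/1 TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 shop.example.net',
    '10.0.0.3:50000 [04/Nov/2021:15:28:02.789] https-in~ web/srv1 0/0/1/2/3 404 180 - - ---- '
    '1/1/0/0/0 0/0 "GET /x HTTP/1.1" 0/0/0/0/0 TLSv1.3/TLS_AES_128_GCM_SHA256 -',
    # Old-format line (no SNI field) with captured headers present.
    '10.0.0.4:60000 [04/Nov/2021:15:28:03.000] https-in~ web/srv1 0/0/1/2/3 200 99 - - ---- '
    '1/1/0/0/0 0/0 {example.com} {} "GET /old HTTP/1.1" 0/0/0/0/0 TLSv1.3/TLS_AES_256_GCM_SHA384',
]

if __name__ == '__main__':
    for bucket, hits in sorted(default_cert_report(SAMPLE_LINES, CRT_LIST).items()):
        print(f'{bucket:12s} {hits}')
```

The "no-sni" and "unknown-sni" buckets are the ones worth alerting on: the first is usually legacy or scanning clients, the second is either a hostname missing from the crt-list or a typo in it, which is the case the mail wants to make visible.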