On Thu, Nov 04, 2021 at 03:54:15PM +0100, Aleksandar Lazic wrote:
> On 04.11.21 15:28, Willy Tarreau wrote:
> > Hello,
> > 
> > as some of you know, 2.5 will come with a new "option httpslog" to ease
> > logging some useful TLS info by default.
> > 
> > While running some tests in production with the error-log-format, I
> > realized that we're not logging the SNI in "httpslog", and that it's
> > probably a significant miss that we ought to fix before the release.
> > I think it could be particularly useful for those using long crt-lists
> > with a default domain, as it will allow us to figure out which ones have
> > been handled by the default one, possibly due to a missing certificate or
> > a misconfiguration.
> > 
> > Right now the default HTTPS format is defined this way:
> > 
> >      log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \
> >                 %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r \
> >                 %[fc_conn_err]/%[ssl_fc_err,hex]/%[ssl_c_err]/\
> >                 %[ssl_c_ca_err]/%[ssl_fc_is_resumed] %sslv/%sslc"
> > 
> > As it is, it closely matches the httplog one so that tools configured to
> > process the latter should also work unmodified with the new one.
> > 
> > The question is, should we add "ssl_fc_sni" somewhere in this line, and
> > if so, where? Logging it at the end seems sensible to me so that even if
> > it's absent we're not missing anything. But maybe there are better options
> > or opinions on the subject.
> 
> A big bold +1 to add the sni header to the log.

Thanks Alex, that comforts me in the fact that I was not alone in
missing it :-)

Willy
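The use case Willy describes (spotting requests that ended up on the default certificate of a long crt-list) is easy to check once the SNI is in the log line. The following script is an added example, not code from the thread or from the HAProxy project: it assumes the 2.5 httpslog format quoted above with `%[ssl_fc_sni]` appended as the last field, parses the fixed head and tail of each line, and compares the logged SNI against the names the crt-list is supposed to serve (exact names plus single-label wildcards, as an approximation of HAProxy's lookup). The log lines and the crt-list names are constructed for the example; the function names are mine.

```python
"""Audit HAProxy 2.5 "option httpslog" lines (with %[ssl_fc_sni] appended at
the end) for requests that fell back to the default certificate.

Added example: assumes the SNI is the last field of the log-format, as
proposed in the thread.  Sample lines and crt-list names are constructed.
"""
import re
from collections import Counter

# Head (client, accept date, frontend, backend/server) and tail (quoted
# request, the five error/resumption fields, %sslv/%sslc, then the SNI) of the
# 2.5 default HTTPS format.  Timers, counters and captured headers in the
# middle are skipped, so the regex also tolerates captures or their absence.
HTTPSLOG_RE = re.compile(
    r'^(?P<client_ip>\S+):(?P<client_port>\d+) '
    r'\[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>\S+)/(?P<server>\S+) '
    r'.*? '
    r'"(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<fc_conn_err>\S+)/(?P<ssl_fc_err>\S+)/(?P<ssl_c_err>\S+)/'
    r'(?P<ssl_c_ca_err>\S+)/(?P<ssl_fc_is_resumed>\S+) '
    r'(?P<sslv>\S+)/(?P<sslc>\S+)'
    r'(?: (?P<sni>\S+))?$'
)

# Constructed sample: two matched names, one wildcard match, one client without
# SNI, two hits on a name the crt-list does not carry, one truncated line.
SAMPLE_LINES = [
    '203.0.113.7:51324 [04/Nov/2021:15:28:01.123] fe_https~ be_app/srv1 0/0/1/12/13 200 1533 - - ---- 3/3/0/0/0 0/0 "GET /index.html HTTP/2.0" 0/0/0/0/0 TLSv1.3/TLS_AES_256_GCM_SHA384 www.example.com',
    '203.0.113.8:51330 [04/Nov/2021:15:28:02.456] fe_https~ be_api/srv1 0/0/0/8/8 200 211 - - ---- 3/3/0/0/0 0/0 "GET /v1/ping HTTP/2.0" 0/0/0/0/1 TLSv1.3/TLS_AES_128_GCM_SHA256 api.example.com',
    '198.51.100.2:44010 [04/Nov/2021:15:28:02.900] fe_https~ be_app/srv2 0/0/1/20/21 404 318 - - ---- 4/4/0/0/0 0/0 "GET / HTTP/1.1" 0/0/0/0/0 TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 old.example.org',
    '198.51.100.4:40022 [04/Nov/2021:15:28:03.870] fe_https~ be_app/srv2 0/0/0/9/9 200 412 - - ---- 2/2/0/0/0 0/0 "GET /health HTTP/1.1" 0/0/0/0/1 TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 -',
    '198.51.100.2:44011 [04/Nov/2021:15:28:03.990] fe_https~ be_app/srv2 0/0/1/18/19 404 318 - - ---- 4/4/0/0/0 0/0 "GET /favicon.ico HTTP/1.1" 0/0/0/0/1 TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 old.example.org',
    '203.0.113.9:51400 [04/Nov/2021:15:28:04.001] fe_https~ fe_https/<NOSRV> -1/-1/-1/-1/0 400 0 - - PR-- 1/1/0/0/0 0/0 "<BADREQ>"',
]

# Constructed crt-list content: the names the frontend has certificates for.
CRT_LIST_NAMES = {"example.com", "www.example.com", "*.example.com"}


def parse_httpslog(line):
    """Return a dict of the fixed fields, or None if the line does not match.
    The SNI is normalised to None when the client sent none (HAProxy logs a
    sample fetch that returned nothing as "-") or when the field is absent."""
    m = HTTPSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    if rec["sni"] in (None, "-"):
        rec["sni"] = None
    return rec


def sni_matches(sni, names):
    """Approximate a crt-list lookup: exact name first, then a wildcard entry
    '*.example.com' that covers exactly one extra leftmost label and never the
    bare 'example.com'."""
    sni = sni.lower().rstrip(".")
    if sni in names:
        return True
    labels = sni.split(".")
    return len(labels) >= 2 and "*." + ".".join(labels[1:]) in names


def classify(rec, names):
    if rec["sni"] is None:
        return "no-sni"          # no SNI at all: default certificate by construction
    if sni_matches(rec["sni"], names):
        return "matched"
    return "default-cert"        # no crt-list entry: served by the default certificate


def audit(lines, names):
    """Return (Counter of classes, Counter of SNIs that hit the default cert)."""
    names = {n.lower() for n in names}
    classes, fallbacks = Counter(), Counter()
    for line in lines:
        rec = parse_httpslog(line)
        if rec is None:
            classes["unparsed"] += 1
            continue
        cls = classify(rec, names)
        classes[cls] += 1
        if cls == "default-cert":
            fallbacks[rec["sni"].lower()] += 1
    return classes, fallbacks


if __name__ == "__main__":
    classes, fallbacks = audit(SAMPLE_LINES, CRT_LIST_NAMES)
    print("classes:", dict(classes))
    for name, hits in fallbacks.most_common():
        print(f"default certificate used for SNI {name!r}: {hits} request(s)")
```

The interesting output is the `default-cert` bucket: every name in it is one a client asked for by SNI and the crt-list could not satisfy, which is exactly the "missing certificate or misconfiguration" case the SNI field is meant to expose. Lines from clients that sent no SNI are kept apart, since they land on the default certificate no matter how complete the crt-list is.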
