On Thu, Nov 04, 2021 at 03:54:15PM +0100, Aleksandar Lazic wrote:
> On 04.11.21 15:28, Willy Tarreau wrote:
> > Hello,
> >
> > as some of you know, 2.5 will come with a new "option httpslog" to ease
> > logging some useful TLS info by default.
> >
> > While running some tests in production with the error-log-format, I
> > realized that we're not logging the SNI in "httpslog", and that it's
> > probably a significant miss that we ought to fix before the release.
> > I think it could be particularly useful for those using long crt-lists
> > with a default domain, as it will allow to figure which ones have been
> > handled by the default one possibly due to a missing certificate or a
> > misconfiguration.
> >
> > Right now the default HTTPS format is defined this way:
> >
> > log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \
> > %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r \
> > %[fc_conn_err]/%[ssl_fc_err,hex]/%[ssl_c_err]/\
> > %[ssl_c_ca_err]/%[ssl_fc_is_resumed] %sslv/%sslc"
> >
> > As it is, it closely matches the httplog one so that tools configured to
> > process the latter should also work unmodified with the new one.
> >
> > The question is, should we add "ssl_fc_sni" somewhere in this line, and
> > if so, where? Logging it at the end seems sensible to me so that even if
> > it's absent we're not missing anything. But maybe there are better options
> > or opinions on the subject.
>
> A big bold +1 to add the sni header to the log.

Thanks Alex, that comforts me in the fact that I was not alone to miss it :-)

Willy
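The use case Willy describes (finding which connections fell through to the default certificate of a long crt-list), as an added example that is not part of this thread or of HAProxy: a small parser for the 2.5 httpslog layout with `%[ssl_fc_sni]` appended as the last field, run over constructed sample lines. It assumes no header captures are configured (so `%hr`/`%hs` are absent), that a connection without SNI logs the field as `-`, and a hypothetical crt-list name set.

```python
import re
from collections import Counter

# Constructed sample lines in the 2.5 httpslog layout with %[ssl_fc_sni] appended
# as the last field (assumed: no header captures, absent SNI logged as "-").
SAMPLE_LOG = """\
10.0.0.5:51234 [04/Nov/2021:15:28:01.123] https~ app/web1 0/0/1/3/4 200 1532 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1" 0/0/0/0/0 TLSv1.3/TLS_AES_256_GCM_SHA384 www.example.com
10.0.0.6:51240 [04/Nov/2021:15:28:02.456] https~ app/web1 0/0/1/2/3 200 1532 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1" 0/0/0/0/1 TLSv1.3/TLS_AES_256_GCM_SHA384 old.example.net
10.0.0.7:51250 [04/Nov/2021:15:28:03.789] https~ app/web2 0/0/1/2/3 200 1532 - - ---- 3/3/0/0/0 0/0 "GET /health HTTP/1.1" 0/0/0/0/0 TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 -
10.0.0.9:51270 [04/Nov/2021:15:28:05.321] https~ app/web1 0/0/1/2/3 200 1532 - - ---- 3/3/0/0/0 0/0 "GET /a HTTP/1.1" 0/0/0/0/0 TLSv1.3/TLS_AES_256_GCM_SHA384 api.example.com
"""

# Hypothetical names in the frontend's crt-list; anything else gets the default cert.
CRT_LIST_NAMES = ["www.example.com", "*.example.com"]

# One named group per field of the format, in the order the log-format emits them.
HTTPSLOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] (?P<frontend>\S+) (?P<backend>\S+) '
    r'(?P<timers>\S+) (?P<status>\d+) (?P<bytes>\d+) (?P<cc>\S+) (?P<cs>\S+) '
    r'(?P<tsc>\S+) (?P<conns>\S+) (?P<queues>\S+) "(?P<request>[^"]*)" '
    r'(?P<conn_err>[^/\s]+)/(?P<ssl_err>[^/\s]+)/(?P<c_err>[^/\s]+)/'
    r'(?P<ca_err>[^/\s]+)/(?P<resumed>[01]) (?P<sslv>[^/\s]+)/(?P<sslc>\S+) '
    r'(?P<sni>\S+)$'
)

def parse_log(text):
    matches = (HTTPSLOG_RE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]   # lines in another layout are skipped

def sni_matches(sni, name):
    """Exact match, or a single-label wildcard such as *.example.com."""
    if name.startswith("*."):
        suffix = name[1:]                           # ".example.com"
        return sni.endswith(suffix) and "." not in sni[: -len(suffix)]
    return sni == name

def classify(records, names):
    """Count SNIs that have a certificate vs. those served by the default one."""
    matched, served_by_default = Counter(), Counter()
    for r in records:
        sni = r["sni"]
        if sni != "-" and any(sni_matches(sni, n) for n in names):
            matched[sni] += 1
        else:                                       # no SNI, or SNI with no cert
            served_by_default[sni] += 1
    return matched, served_by_default

MATCHED, BY_DEFAULT = classify(parse_log(SAMPLE_LOG), CRT_LIST_NAMES)
for sni, n in BY_DEFAULT.most_common():
    print(f"{n:4d} default-cert connections, SNI={sni}")
```

Names that show up under the default certificate are the candidates for a missing crt-list entry or a misconfigured one; `-` rows are clients that sent no SNI at all and can never be matched.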