On Fri, Jun 3, 2016 at 3:14 AM, mlist <ml...@apsystems.it> wrote:

> Often I need to take a tcpdump to analyze haproxy communication to clients
> and to backend servers.
>
> As we use haproxy as the SSL termination point (haproxy SSL offloading), at low
> levels (so at the tcpdump level) we see the communication with the client
> encrypted.
>

If you are not using DHE ciphers (but you should) then you can try ssldump.
In the case of Diffie-Hellman, though, a new encryption key is generated for
each SSL session, so you are out of luck here.


> Is there a simple solution so I can do a tcpdump with unencrypted
> communication? Does haproxy have some mechanism?
>

Not that I'm aware of, but you can try chaining a local proxy where you can
see the traffic in clear text before you send the traffic to the backend.


> I have 3 haproxy LBs with 2 L4 LBs balancing on the haproxy LBs, so I want to
> avoid, if possible, making the infrastructure more complex by introducing
> some other intermediate proxy to do that, so that I keep the communication
> path as simple and as equal to the normal request path as possible.
>
> Roberto
