Hello,
you can dump the symmetric keys from the browser and import them in
wireshark to decrypt PFS protected TLS sessions [1] or downgrade your
cipher settings to non-PFS ciphers. Properly decrypting the TLS session
is the only way to really make sure you see what happens, even if there
is a TLS related bug in the client or server (haproxy).
Some other ideas are:
- if your backend traffic is unencrypted, you may want to capture the
traffic there.
- if haproxy is rejecting the request, check "show errors" on the admin
socket.
As you said, the best solution is to not depend on haproxy specific
features, as you don't want to modify existing infrastructure in a
troubleshooting case.
Another proxy layer means that you decrypt TLS on the front-end proxy,
while you sniff the plaintext traffic between the front-end and the
second tier proxy. You can probably do this with a single haproxy
instance recirculating the traffic through a unix socket and capture the
traffic on it, but it would require some trial and error and definitely
some testing.
I believe the SSLKEYLOGFILE approach [1] to be the most efficient and
simplest approach.
cheers,
lukas
[1]
https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
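As an added illustration, not part of Lukas's post or of haproxy, the following Python script parses a key log file in the NSS format that browsers (and curl/OpenSSL-based clients) write when SSLKEYLOGFILE is set, validates each entry, and reports per session whether Wireshark would have enough material to decrypt it. The sample key log embedded at the bottom is constructed for the example; the label names and field lengths come from the NSS key log format itself.

```python
import re
from collections import defaultdict

# Labels of the NSS key log format. Every label except RSA carries the
# 32-byte client random as its second field; Wireshark uses that value
# to match the line to a captured ClientHello.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
    "EARLY_EXPORTER_MASTER_SECRET",
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Parse key log text.

    Returns (sessions, problems):
      sessions: dict client_random_hex -> {label: secret_bytes}
      problems: list of (line_number, reason) for lines Wireshark would ignore
    """
    sessions = defaultdict(dict)
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append((n, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if label == "RSA":
            # Legacy RSA key exchange entry (not PFS); this checker only
            # tracks the client-random based entries.
            problems.append((n, "RSA premaster entry ignored"))
            continue
        if label not in TLS12_LABELS | TLS13_LABELS:
            problems.append((n, "unknown label " + label))
            continue
        if len(client_random) != 64 or not HEX.match(client_random):
            problems.append((n, "client random must be 32 bytes of hex"))
            continue
        # TLS 1.2 master secret is 48 bytes; TLS 1.3 secrets are 32 or 48
        # bytes depending on the cipher suite hash (SHA-256 / SHA-384).
        ok_len = (96,) if label == "CLIENT_RANDOM" else (64, 96)
        if not HEX.match(secret) or len(secret) not in ok_len:
            problems.append((n, "secret has wrong length for " + label))
            continue
        sessions[client_random.lower()][label] = bytes.fromhex(secret)
    return dict(sessions), problems


def classify(sessions):
    """Per session: 'tls1.2' (master secret present), 'tls1.3' (both
    application traffic secrets present) or 'partial' (handshake only or
    one direction missing, so application data stays opaque)."""
    result = {}
    for client_random, secrets in sessions.items():
        if "CLIENT_RANDOM" in secrets:
            result[client_random] = "tls1.2"
        elif {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= set(secrets):
            result[client_random] = "tls1.3"
        else:
            result[client_random] = "partial"
    return result


# Constructed sample key log (not from a real capture).
CR_A, CR_B, CR_C = "11" * 32, "33" * 32, "55" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample for the example",
    "CLIENT_RANDOM " + CR_A + " " + "22" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + CR_B + " " + "44" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + CR_B + " " + "44" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + CR_B + " " + "44" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + CR_B + " " + "44" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + CR_C + " " + "66" * 32,
    "CLIENT_RANDOM deadbeef " + "22" * 48,          # malformed client random
    "RSA 0011223344556677 " + "77" * 48,            # legacy, non-PFS entry
])

if __name__ == "__main__":
    sessions, problems = parse_keylog(SAMPLE_KEYLOG)
    for client_random, state in classify(sessions).items():
        print(client_random[:16] + "...", state)
    for line_no, reason in problems:
        print("line", line_no, "skipped:", reason)
```

Once the file passes this check, point Wireshark at it via Edit > Preferences > Protocols > TLS > "(Pre)-Master-Secret log filename", or on the command line with `tshark -o tls.keylog_file:/path/to/keylog -r capture.pcap` (older Wireshark releases use the `ssl.keylog_file` preference name). A "partial" session usually means the key log was started after the handshake or that the client only logged handshake secrets.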