Hello list,

Some work is ongoing to ease connection error and SSL handshake error logging.
This will rely on some new sample fetches that could be added to a custom log-format string.
In order to ease SSL logging and debugging, we will also add a new default log format for SSL connections. Now is a good time to find the best format for everyone.

The proposed format looks like the HTTP one, to which the SSL-specific information is added. But if anybody sees missing information that could be beneficial for everybody, feel free to say so; nothing is set in stone yet.

The format would look like this:

>>> Jul 1 18:11:31 haproxy[143338]: 127.0.0.1:37740 [01/Jul/2021:18:11:31.517] \
      ssl_frontend~ ssl_frontend/s2 0/0/0/7/+7 \
      0/0/0/0 2750 ---- 1/1/1/1/0 0/0 TLSv1.3 TLS_AES_256_GCM_SHA384

  Field   Format                                                        Extract from the example above
      1   process_name '[' pid ']:'                                     haproxy[143338]:
      2   client_ip ':' client_port                                     127.0.0.1:37740
      3   '[' request_date ']'                                          [01/Jul/2021:18:11:31.517]
      4   frontend_name                                                 ssl_frontend~
      5   backend_name '/' server_name                                  ssl_frontend/s2
      6   TR '/' Tw '/' Tc '/' Tr '/' Ta*                               0/0/0/7/+7
      7   *conn_status '/' SSL hsk error '/' SSL vfy '/' SSL CA vfy*    0/0/0/0
      8   bytes_read*                                                   2750
      9   termination_state                                             ----
     10   actconn '/' feconn '/' beconn '/' srv_conn '/' retries*       1/1/1/1/0
     11   srv_queue '/' backend_queue                                   0/0
     12   *ssl_version*                                                 TLSv1.3
     13   *ssl_ciphers*                                                 TLS_AES_256_GCM_SHA384

The equivalent log-format string would be the following:

    "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta \
    %[conn_err_code]/%[ssl_fc_hsk_err]/%[ssl_c_err]/%[ssl_c_ca_err] \
    %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %sslv %sslc"

The fields in bold are the SSL-specific ones, and the status ones will come from code that has not been submitted yet, so the names and format might slightly change.
Feel free to suggest any missing data, which could come from log-format specific fields or already existing sample fetches.

Thanks
Rémi
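
Added example (not part of the message above and not HAProxy code): a Python parser for the proposed log line that splits it into the 13 fields and reports which sub-fields of field 7 are non-zero. The dictionary key names, the second sample line and the reading of 0 as "no error" are assumptions of this example; the message itself says the names and format may still change.

```python
import re

# Field layout follows the table in the proposal; group names are this example's own.
LINE_RE = re.compile(
    r"(?P<process>\S+)\[(?P<pid>\d+)\]:\s+"
    r"(?P<client_ip>\S+):(?P<client_port>\d+)\s+"
    r"\[(?P<request_date>[^\]]+)\]\s+"
    r"(?P<frontend>\S+)\s+(?P<backend>[^/\s]+)/(?P<server>\S+)\s+"
    r"(?P<timers>[-+\d]+(?:/[-+\d]+){4})\s+"
    r"(?P<statuses>-?\d+(?:/-?\d+){3})\s+"
    r"(?P<bytes_read>\+?\d+)\s+(?P<termination_state>\S+)\s+"
    r"(?P<conns>\+?\d+(?:/\+?\d+){4})\s+(?P<queues>\d+/\d+)\s+"
    r"(?P<ssl_version>\S+)\s+(?P<ssl_cipher>\S+)\s*$"
)
# Sub-fields of field 7, in the order given in the proposal.
STATUS_NAMES = ("conn_status", "ssl_hsk_err", "ssl_vfy", "ssl_ca_vfy")

def parse_ssl_log(line):
    """Return a dict of fields, or None if the line does not fit the format."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    codes = (int(c) for c in rec["statuses"].split("/"))
    rec["statuses"] = dict(zip(STATUS_NAMES, codes))
    return rec

def failed_checks(rec):
    """Names of field-7 sub-fields that are non-zero (assumed to signal an error)."""
    return [name for name, code in rec["statuses"].items() if code != 0]

# The example line from the proposal, with the continuation lines joined.
SAMPLE_OK = ("Jul 1 18:11:31 haproxy[143338]: 127.0.0.1:37740 "
             "[01/Jul/2021:18:11:31.517] ssl_frontend~ ssl_frontend/s2 "
             "0/0/0/7/+7 0/0/0/0 2750 ---- 1/1/1/1/0 0/0 "
             "TLSv1.3 TLS_AES_256_GCM_SHA384")
# Constructed line (not from the proposal) with a non-zero "SSL vfy" value.
SAMPLE_FAIL = ("Jul 1 18:11:32 haproxy[143338]: 127.0.0.1:37742 "
               "[01/Jul/2021:18:11:32.101] ssl_frontend~ ssl_frontend/<NOSRV> "
               "-1/-1/-1/-1/0 0/0/21/0 0 ---- 1/1/0/0/0 0/0 "
               "TLSv1.3 TLS_AES_256_GCM_SHA384")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_FAIL):
        rec = parse_ssl_log(sample)
        print(rec["client_ip"], rec["ssl_version"], failed_checks(rec) or "ok")
```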