Sat, 3 Jul 2021 at 16:22, Aleksandar Lazic <[email protected]>:

> Hi Remi.
>
> On 02.07.21 16:26, Remi Tricot-Le Breton wrote:
> > Hello list,
> >
> > Some work is ongoing to ease connection error and SSL handshake error logging.
> > This will rely on some new sample fetches that could be added to a custom
> > log-format string.
> > In order to ease SSL logging and debugging, we will also add a new default log
> > format for SSL connections. Now is then the good time to find the best format
> > for everyone.
> > The proposed format looks like the HTTP one to which the SSL specific
> > information is added. But if anybody sees a missing information that could be
> > beneficial for everybody, feel free to tell it, nothing is set in stone yet.
> >
> > The format would look like this :
> >      >>> Jul  1 18:11:31 haproxy[143338]: 127.0.0.1:37740 [01/Jul/2021:18:11:31.517] \
> >            ssl_frontend~ ssl_frontend/s2 0/0/0/7/+7 \
> >            0/0/0/0 2750 ---- 1/1/1/1/0 0/0 TLSv1.3 TLS_AES_256_GCM_SHA384
> >
> >    Field   Format                                                        Extract from the example above
> >        1   process_name '[' pid ']:'                                     haproxy[143338]:
> >        2   client_ip ':' client_port                                     127.0.0.1:37740
> >        3   '[' request_date ']'                                          [01/Jul/2021:18:11:31.517]
> >        4   frontend_name                                                 ssl_frontend~
> >        5   backend_name '/' server_name                                  ssl_frontend/s2
> >        6   TR '/' Tw '/' Tc '/' Tr '/' Ta*                               0/0/0/7/+7
> >        7   *conn_status '/' SSL hsk error '/' SSL vfy '/' SSL CA vfy*    0/0/0/0
> >        8   bytes_read*                                                   2750
> >        9   termination_state                                             ----
> >       10   actconn '/' feconn '/' beconn '/' srv_conn '/' retries*       1/1/1/1/0
> >       11   srv_queue '/' backend_queue                                   0/0
> >       12   *ssl_version*                                                 TLSv1.3
> >       13   *ssl_ciphers*                                                 TLS_AES_256_GCM_SHA384
> >
> >
> > The equivalent log-format string would be the following :
> >      "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta \
> >          %[conn_err_code]/%[ssl_fc_hsk_err]/%[ssl_c_err]/%[ssl_c_ca_err] \
> >          %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %sslv %sslc"
> >
> > The fields in bold are the SSL specific ones and the statuses ones will come
> > from a not yet submitted code so the names and format might slightly change.
> >
> > Feel free to suggest any missing data, which could come from log-format
> > specific fields or already existing sample fetches.
>
> How about combining ssl_version/ssl_ciphers in one line?
>
> It would also be helpful to see the backend status.
> Maybe add a 14th and 15th line with the following fields:
>
> *backend_name '/' conn_status '/' SSL hsk error '/' SSL vfy '/' SSL CA vfy*
> *backend_name '/' ssl_version '/' ssl_ciphers*
>
> I had several issues in the past with the backend where the backend CA
> wasn't in the CA file, which was quite difficult to debug.
>
> +1 to the suggestion from Илья Шипицин to use iso8601 which is already in
> haproxy since 2019/10/01:2.1-dev2.
>
> I haven't found a sub-second format parameter in the strftime call, therefore I
> assume the strftime call has this ".000000" as a fixed value.
>
> ```
> strftime(iso_time_str, sizeof(iso_time_str),
> "%Y-%m-%dT%H:%M:%S.000000+00:00", &tm)
> ```
>
> Maybe another option is to use TAI for timestamps.
>


Many analysis tools, for example Microsoft LogParser, ClickHouse, can
perform queries right on top of TSV files with iso8601 time.

>
> https://en.wikipedia.org/wiki/International_Atomic_Time
> https://cr.yp.to/proto/utctai.html
> http://www.madore.org/~david/computers/unix-leap-seconds.html
>
> > Thanks
> >
> > Rémi
>
> Jm2c
>
> Alex
>
>
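
As an added example (not part of the thread and not HAProxy code), here is a parser for the proposed SSL log line that reports connections whose status group in field 7 is non-zero. It assumes the field order quoted above and that 0 means "no error", as in the proposal's sample line; the group names and the second and third sample lines are constructed for illustration.

```python
import re

# Group names are hypothetical labels for this example; the field order is the
# one in the proposed SSL log format quoted in the thread.
LINE_RE = re.compile(
    r"(?P<process>\S+)\[(?P<pid>\d+)\]: "
    r"(?P<client_ip>\S+):(?P<client_port>\d+) "
    r"\[(?P<date>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<timers>\S+) "
    r"(?P<conn_status>-?\d+)/(?P<hsk_err>-?\d+)/(?P<vfy_err>-?\d+)/(?P<ca_vfy_err>-?\d+) "
    r"(?P<bytes_read>\+?\d+) (?P<term_state>\S+) "
    r"(?P<conns>\S+) (?P<queues>\S+) "
    r"(?P<ssl_version>\S+) (?P<ssl_cipher>\S+)$"
)
STATUS_FIELDS = ("conn_status", "hsk_err", "vfy_err", "ca_vfy_err")

# First entry: the sample from the proposal, joined onto one line. The other two
# are constructed; their non-zero codes are placeholders, not real error values.
SAMPLE_LINES = [
    "Jul  1 18:11:31 haproxy[143338]: 127.0.0.1:37740 [01/Jul/2021:18:11:31.517] ssl_frontend~ "
    "ssl_frontend/s2 0/0/0/7/+7 0/0/0/0 2750 ---- 1/1/1/1/0 0/0 TLSv1.3 TLS_AES_256_GCM_SHA384",
    "Jul  1 18:12:02 haproxy[143338]: 192.0.2.10:51234 [01/Jul/2021:18:12:02.101] ssl_frontend~ "
    "ssl_frontend/<NOSRV> -1/-1/-1/-1/0 0/1/0/0 0 ---- 1/1/0/0/0 0/0 - -",
    "Jul  1 18:12:05 haproxy[143338]: 2001:db8::1:40000 [01/Jul/2021:18:12:05.330] ssl_frontend~ "
    "ssl_frontend/s2 0/0/0/3/3 0/0/2/0 512 ---- 1/1/1/1/0 0/0 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384",
]

def parse_ssl_log(line):
    """Return the fields of one proposed-format line as a dict, or None."""
    m = LINE_RE.search(line.strip())  # search() skips the syslog timestamp prefix
    if m is None:
        return None
    rec = m.groupdict()
    rec.update({name: int(rec[name]) for name in STATUS_FIELDS})
    return rec

def failed_connections(lines):
    """List (client_ip, date, non-zero status codes) for each failing line."""
    findings = []
    for rec in filter(None, map(parse_ssl_log, lines)):
        bad = {name: rec[name] for name in STATUS_FIELDS if rec[name] != 0}
        if bad:
            findings.append((rec["client_ip"], rec["date"], bad))
    return findings

if __name__ == "__main__":
    for client, when, codes in failed_connections(SAMPLE_LINES):
        print(client, when, codes)
```

The greedy `client_ip` group backtracks to the last colon, so an unbracketed IPv6 client address still splits correctly from its port.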
