Hi,

On 11/22/21 16:33, Ben Hart wrote:
Hey there! I’ve got a handful of Haproxy servers that are serving LDAPS and HTTPS front/back ends. I am new to this, so I built these and reused the config from the older Haproxy servers we had.

Anyway, I mention that because I likely have little idea what should be done here. So far everything is working. We are able to bind and perform lookups successfully. What’s not working like I think it should is logging. I have Firewalld set up so that it blocks all traffic inbound from the same internal subnet as the server, and allows 0.0.0.0/0 in from all other sources for ports 636 and 443.

Rsyslog is matching on program name ‘haproxy’ and the default UNIX socket /dev/log and forwarding all info to /var/log/haproxy.log.

Rsyslog is matching on program name ‘firewalld’ and sending all info to /var/log/firewalld.log.

If I tail both files, I see many inbound connections allowed to port 636, but no corresponding events in the haproxy.log file. So I’m hoping

Do you get any logs in haproxy.log? (Any logs from "frontend ecorp_https"?)

that maybe I have something on the Haproxy side that’s not quite what it should be. The thought is, maybe the connection attempts are coming in, but Haproxy is not fulfilling them for some reason, and I don’t have the appropriate log options or formats set up to determine that.

Attached is my sanitized haproxy.cfg.

> global
>         log /dev/log    local0
>         log /dev/log    local1 notice
> #   log 127.0.0.1   local1
>         chroot /var/lib/haproxy
You're using chroot; is rsyslog configured to listen on /var/lib/haproxy/dev/log? (And if this is a CentOS/RHEL-based system, does SELinux allow rsyslog to create the socket and haproxy to connect to it?)

Have you checked that haproxy sends logs at all, for example by enabling logging to 127.0.0.1 and using tcpdump -nn -XX -i lo port 514 or something similar?

> frontend ecorp_https
>  option                tcplog

You probably don't want to use tcplog (https://cbonte.github.io/haproxy-dconv/2.4/configuration.html#4-option%20tcplog) with mode http. AFAIK it overrides your custom log-format.

-Jarno

--
Jarno Huuskonen
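The two points raised above (the chroot-relative log socket, and httplog rather than tcplog for an HTTP frontend) as one worked configuration. This is an added example, not a file from the thread; the drop-in file name, the certificate path and the bind lines are assumptions.

```conf
# /etc/rsyslog.d/49-haproxy.conf   (file name is an assumption)
# With "chroot /var/lib/haproxy", haproxy opens /dev/log relative to the
# chroot, i.e. /var/lib/haproxy/dev/log on the host. The default imuxsock
# listener on /dev/log is unreachable from inside the chroot, so rsyslog
# has to create a second listener at the chroot path.
module(load="imuxsock")
input(type="imuxsock" Socket="/var/lib/haproxy/dev/log" CreatePath="on")

# Route haproxy's messages to their own file and stop further processing.
if $programname == 'haproxy' then {
    action(type="omfile" file="/var/log/haproxy.log")
    stop
}

# Checks after "systemctl restart rsyslog":
#   ls -l /var/lib/haproxy/dev/log          -> must be a socket ("s" type)
#   logger -u /var/lib/haproxy/dev/log -t haproxy "socket test"
#   tail /var/log/haproxy.log                -> "socket test" should appear
# On an SELinux-enforcing host, a missing socket or a haproxy connect
# failure usually shows up as an AVC denial: ausearch -m AVC -ts recent

# --- haproxy.cfg, relevant lines only ---
global
    log /dev/log local0          # path is resolved inside the chroot
    chroot /var/lib/haproxy

defaults
    log global

frontend ecorp_https
    mode http
    bind :443 ssl crt /etc/haproxy/certs/ecorp.pem   # assumed path
    option httplog               # HTTP-level log line; not tcplog here

frontend ecorp_ldaps
    mode tcp
    bind :636
    option tcplog                # tcplog is the right choice for mode tcp
```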
