I missed a config line from Haproxy.conf in my previous reply:

Frontend ldaps
tcp-request           content capture ssl_fc_sni len 25

On 11/23/21, 1:57 AM, "Jarno Huuskonen" <[email protected]> wrote:

    Hi,

    On 11/22/21 16:33, Ben Hart wrote:
    > Hey there! I’ve got a handful of Haproxy servers that are serving LDAPS 
    > and HTTPS front/back ends.  I am new to this, so I built these and 
    > reused the config from the older Haproxy servers we had.
    > 
    > Anyway I mention that because I likely have little idea what I should be 
    > done here. So far everything is working.. we are able to bind and 
    > perform lookups successfully. What’s not working like I think it should 
    > is logging. I have Firewalld setup that is blocking all traffic inbound 
    > from the same internal subnet as the server, and allowing 0.0.0.0/0 in 
    > from all other sources for ports 636 and 443.
    > 
    > Rsyslog is matching on program name ‘haproxy’ and the default UNIX 
    > socket /dev/log and forwarding all info to /var/log/haproxy.log
    > 
    > Rsyslog is matching on program name ‘firewalld’ and sending all info to 
    > /var/log/firewalld.log
    > 
    > If I tail both files, I see many inbound connections allowed to port 
    > 636, but no corresponding events in the haproxy.log file.  So I’m hoping 

    Do you get any logs in haproxy.log ? (Any logs from "frontend 
    ecorp_https" ?)

    > that maybe I have something on the Haproxy side that’s not quite what it 
    > should be.  The thought is, Maybe the connection attempts are coming in, 
    > but Haproxy is not fulfilling them for some reason. And I don’t have the 
    > appropriate log options or formats setup to determine that.
    > 
    > Attached is my sanitized haproxy.cfg

     > global
     >         log /dev/log    local0
     >         log /dev/log    local1 notice
     > #   log 127.0.0.1   local1
     >         chroot /var/lib/haproxy


    You're using chroot, is rsyslog configured to listen to 
    /var/lib/haproxy/dev/log ? (And if this is centos/rhel based system 
    selinux allows rsyslog to create the socket and haproxy to connect to it).

    Have you checked that haproxy sends logs for example with
    enable logging to 127.0.0.1 and use tcpdump -nn -XX -i lo port 514 or 
    something similar ?

     > frontend ecorp_https
     >  option                tcplog

    You probably don't want to use tcplog
    (https://cbonte.github.io/haproxy-dconv/2.4/configuration.html#4-option%20tcplog)
    with mode http. AFAIK it overrides your custom log-format.

    -Jarno

    -- 
    Jarno Huuskonen

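The two configuration points Jarno raises above (a chrooted haproxy logging to /dev/log needs rsyslog listening inside the chroot, and `option tcplog` in an http-mode frontend overriding a custom log-format) can be checked mechanically. The script below is an added example, not code from either participant or from the HAProxy project; it runs over a constructed haproxy.cfg fragment that mirrors the quoted one (the `log-format` line and `defaults` section are assumptions added for illustration) and reports both conditions.

```shell
#!/bin/sh
# Added example: lint an haproxy.cfg for the two logging pitfalls discussed in
# the thread. SAMPLE_CFG is a constructed fragment modelled on the quoted config;
# the log-format and defaults lines are assumptions, not the poster's config.

SAMPLE_CFG="$(cat <<'EOF'
global
        log /dev/log    local0
        log /dev/log    local1 notice
#   log 127.0.0.1   local1
        chroot /var/lib/haproxy

defaults
        log     global
        mode    tcp

frontend ecorp_https
        mode    http
        option  tcplog
        log-format "%ci:%cp [%tr] %ft %b/%s %ST"
        bind    :443

frontend ldaps
        option  tcplog
        tcp-request content capture ssl_fc_sni len 25
        bind    :636
EOF
)"

# Print the socket path(s) rsyslog must bind so a chrooted haproxy can reach
# them: chroot prefix + every unix-socket "log" target in the global section.
# Comment lines are ignored, duplicates collapsed.
chroot_log_sockets() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "global" { sec = "global"; next }
        $1 ~ /^(defaults|frontend|backend|listen)$/ { sec = $1; next }
        sec == "global" && $1 == "chroot" { root = $2 }
        sec == "global" && $1 == "log" && $2 ~ /^\// { socks[++n] = $2 }
        END { for (i = 1; i <= n; i++) print root socks[i] }
    ' | sort -u
}

# Print frontends/listeners whose effective mode is http but which carry
# "option tcplog"; there the TCP log format wins over any custom log-format.
# A "mode" set in defaults is inherited by sections that do not set their own.
tcplog_in_http_frontends() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "frontend" || $1 == "listen" { flush(); name = $2; in_defaults = 0; next }
        $1 == "defaults" { flush(); name = ""; in_defaults = 1; next }
        $1 == "global" || $1 == "backend" { flush(); name = ""; in_defaults = 0; next }
        in_defaults && $1 == "mode" { default_mode = $2 }
        name != "" && $1 == "mode" { mode = $2 }
        name != "" && $1 == "option" && $2 == "tcplog" { tcplog = 1 }
        END { flush() }
        function flush(eff) {
            eff = (mode != "") ? mode : default_mode
            if (name != "" && eff == "http" && tcplog) print name
            mode = ""; tcplog = 0
        }
    '
}

echo "rsyslog must listen on (path as seen outside the chroot):"
chroot_log_sockets "$SAMPLE_CFG"
echo "frontends where option tcplog overrides log-format:"
tcplog_in_http_frontends "$SAMPLE_CFG"
```

For the sample above the first check reports `/var/lib/haproxy/dev/log` and the second reports `ecorp_https`; the `ldaps` frontend inherits `mode tcp` from defaults and is correctly left alone. Point the functions at `$(cat /etc/haproxy/haproxy.cfg)` to run them against a real file.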