On 6/2/23 14:42, Lukas Tribus wrote:
> I suggest we make it configurable on the bind line like other ssl
> options, so it will work for the common use cases that don't involve
> crt-lists, like a simple crt statement pointing to a certificate or a
> directory.
> It could also be a global option *as well*, but imho it does need to
> be a bind line configuration option, just like strict-sni, alpn and
> ciphers, so we can enable it specifically (per frontend, per bind
> line) without requiring crt-list.
One of the places I tried to add it (which of course did not work) was
ssl-default-bind-options.
It might make sense to have it configurable there. Though that would
imply of course that it is also an option on each bind line, which was
the other place I tried to configure it.
So maybe a completely separate global option makes sense. The crt-list
requirement is not really a burden for me, but for someone who uses a
LOT of certificates that change frequently, it probably would become a
burden.
A question arises on where to log failures in getting OCSP data. I have
haproxy using two different syslog targets, but the way this config
evolved is lost to time.
TL;DR:
In global, I have:
log 127.0.0.1 len 65535 format rfc5424 local0
log 127.0.0.1 len 65535 format rfc5424 local1 notice
tune.http.logurilen 49152
In defaults I have:
log global
option httplog
option dontlognull
In each backend, I have:
no log
log 127.0.0.1 len 65535 format rfc5424 local0 notice err
In /etc/rsyslog.d/99-haproxy.conf I have:
local0.info /var/log/debug-haproxy
local1.* /var/log/haproxy
In /etc/rsyslog.d/0001-remote.conf I have:
module(load="imudp")
input(type="imudp" port="514")
$MaxMessageSize 64k
$template BindLog,"/var/log/rsyslog/bind/log"
$template CudoLog,"/var/log/rsyslog/cudo/log"
$template UFWLog,"/var/log/rsyslog/ufw/log"
$template RemoteLogs,"/var/log/rsyslog/%HOSTNAME%/log"
$template RemoteHostFileFormat,"%TIMESTAMP% %fromhost% %syslogfacility-text% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::space-cc,drop-last-lf%\n"
if $msg contains 'UFW' then {
    *.* -?UFWLog;RemoteHostFileFormat
    stop
}
if $syslogtag contains 'cudo' then {
    *.* -?CudoLog;RemoteHostFileFormat
    stop
}
if $syslogtag contains 'named' then {
    *.* -?BindLog;RemoteHostFileFormat
    stop
}
if $inputname == 'imudp' then {
    if $fromhost-ip != '127.0.0.1' then {
        if $fromhost != '-' then {
            *.* -?RemoteLogs;RemoteHostFileFormat
            stop
        }
    }
}
The effective result of all this is that all log messages are logged to
/var/log/debug-haproxy and anything more severe than a request is also
logged to /var/log/haproxy. This makes it so that I do not need to wade
through megabytes of request logs to see other problems, though I do
have the option of seeing the problem inline with requests in the other
logfile.
I came up with this config back in the 1.4 to 1.5 days, and I cannot
remember how it evolved. There was some valid reason why I needed to do
the "no log" followed by "log" in the backend, but I cannot remember
what that reason was.
Thanks,
Shawn
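An added example, not part of the mail above and not haproxy's or rsyslog's own code: it models how the two global "log" lines (local0 uncapped, local1 capped at notice) and the two selectors in 99-haproxy.conf split one event across /var/log/debug-haproxy and /var/log/haproxy, by decoding the RFC 5424 PRI field. It assumes the backend "no log"/"log" override is not in play and uses constructed timestamp, hostname and PID values.

```python
import re
from typing import List, Optional, Tuple

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEV = {name: n for n, name in enumerate(SEVERITIES)}
FACILITY = {"local0": 16, "local1": 17}
FACILITY_NAME = {v: k for k, v in FACILITY.items()}

# The two global "log" lines from the mail: (facility, maximum level or None).
# A level on a haproxy "log" line caps what is sent: only that severity and
# anything more severe (lower number) is forwarded.
HAPROXY_LOG_LINES = [("local0", None), ("local1", SEV["notice"])]

# The two selectors from 99-haproxy.conf: "local0.info" matches info and
# more severe, "local1.*" matches any severity on local1.
RSYSLOG_SELECTORS = [("local0", SEV["info"], "/var/log/debug-haproxy"),
                     ("local1", None, "/var/log/haproxy")]

PRI_RE = re.compile(r"^<(\d{1,3})>1 ")  # RFC 5424 header starts with "<PRI>1 "

def parse_pri(line: str) -> Tuple[int, int]:
    """Return (facility, severity) decoded from an RFC 5424 PRI field."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not an RFC 5424 line: %r" % line[:32])
    pri = int(m.group(1))
    return pri // 8, pri % 8

def haproxy_emit(severity: int, msg: str) -> List[str]:
    """Build the syslog lines haproxy would send for one event (constructed header)."""
    out = []
    for fac, max_level in HAPROXY_LOG_LINES:
        if max_level is None or severity <= max_level:
            pri = FACILITY[fac] * 8 + severity
            out.append("<%d>1 2023-06-02T14:42:00+02:00 lb1 haproxy 2710 - - %s" % (pri, msg))
    return out

def rsyslog_route(line: str) -> Optional[str]:
    """Return the file the selectors above would write this line to, if any."""
    fac, sev = parse_pri(line)
    for fac_name, max_sev, path in RSYSLOG_SELECTORS:
        if FACILITY_NAME.get(fac) == fac_name and (max_sev is None or sev <= max_sev):
            return path
    return None

def files_for_event(severity_name: str, msg: str = "constructed event") -> List[str]:
    """End to end: which log files receive one event of the given severity."""
    routed = (rsyslog_route(l) for l in haproxy_emit(SEV[severity_name], msg))
    return sorted({p for p in routed if p})
```

An "info" request line ends up only in /var/log/debug-haproxy, while a "notice" or "err" event is written to both files, which is the split described in the mail.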