explicitely by 'default-crt' or is implicitely the first certificate of a bind
line when no 'strict-sni' is used) shows the '*' character in the SNI column.
+ The 'Negative Filter' column is the list of negative filters associated to a
+ wildcard, this will show all negatives filters that are on the same crt-list
+ line. A dash character is displayed if there are none.
+
The 'Type' column shows the encryption algorithm type, it can be "rsa", "ecdsa" or "dsa".
The 'Filename' column can be either a filename from the configuration, or an
Example:
$ echo "@1 show ssl sni" | socat /var/run/haproxy-master.sock - | column -t -s $'\t'
- # Frontend/Bind SNI Type Filename NotAfter NotBefore
- li1/haproxy.cfg:10021 machine10 rsa machine10.pem.rsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
- li1/haproxy.cfg:10021 machine10 ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
- li1/haproxy.cfg:10021 localhost rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT
- li1/haproxy.cfg:10021 localhost ecdsa localhost.pem.ecdsa Jun 13 13:37:10 2024 GMT May 14 13:37:10 2024 GMT
- li1/haproxy.cfg:10021 * rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT
+ # Frontend/Bind SNI Negative Filter Type Filename NotAfter NotBefore
+ li1/haproxy.cfg:10021 *.ex.lan !m1.ex.lan rsa example.lan.pem Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
+ li1/haproxy.cfg:10021 machine10 - ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
+ li1/haproxy.cfg:10021 machine10 - rsa machine10.pem.rsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
+ li1/haproxy.cfg:10021 machine10 - ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
+ li1/haproxy.cfg:10021 localhost - rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT
+ li1/haproxy.cfg:10021 localhost - ecdsa localhost.pem.ecdsa Jun 13 13:37:10 2024 GMT May 14 13:37:10 2024 GMT
+ li1/haproxy.cfg:10021 * - rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT
show startup-logs
Dump all messages emitted during the startup of the current haproxy process,
/* ctx->bind is NULL only once we finished dumping a frontend or when starting
* so let's dump the header in these cases*/
if (ctx->bind == NULL && (ctx->onefrontend == 1 || (ctx->onefrontend == 0 && ctx->px == proxies_list)))
- chunk_appendf(trash, "# Frontend/Bind\tSNI\tType\tFilename\tNotAfter\tNotBefore\n");
+ chunk_appendf(trash, "# Frontend/Bind\tSNI\tNegative Filter\tType\tFilename\tNotAfter\tNotBefore\n");
if (applet_putchk(appctx, trash) == -1)
goto yield;
if (!n)
continue;
- while (n) {
+ for (; n; n = ebmb_next(n)) {
struct sni_ctx *sni;
const char *name;
const char *certalg;
-
- chunk_appendf(trash, "%s/%s:%d\t", bind->frontend->id, bind->file, bind->line);
+ int isneg = 0; /* is there any negative filters associated to this node */
sni = ebmb_entry(n, struct sni_ctx, name);
+ if (sni->neg)
+ continue;
+
+ chunk_appendf(trash, "%s/%s:%d\t", bind->frontend->id, bind->file, bind->line);
+
name = (char *)sni->name.key;
chunk_appendf(trash, "%s%s%s\t", sni->neg ? "!" : "", type ? "*" : "", name);
+ /* we are looking at wildcards, let's check the negative filters */
+ if (type == 1) {
+ struct sni_ctx *sni_tmp;
+ list_for_each_entry(sni_tmp, &sni->ckch_inst->sni_ctx, by_ckch_inst) {
+ if (sni_tmp->neg) {
+ chunk_appendf(trash, "%s%s ", sni_tmp->neg ? "!" : "", (char *)sni_tmp->name.key);
+ isneg = 1;
+ }
+ }
+ }
+ chunk_appendf(trash, "%s\t", isneg ? "" : "-");
+
switch (sni->kinfo.sig) {
case TLSEXT_signature_ecdsa:
certalg = "ecdsa";
goto yield;
}
- n = ebmb_next(n);
}
ctx->n = NULL;
}
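Review bot: The `sni->neg ? "!" : ""` conditional on the SNI-column `chunk_appendf` is now dead code, because every node with `sni->neg` set is skipped by the `continue` added just above it, and likewise the inner `sni_tmp->neg ? "!" : ""` is evaluated only inside `if (sni_tmp->neg)` and so is always `"!"`. Simplifying both to `chunk_appendf(trash, "%s%s\t", type ? "*" : "", name);` and `chunk_appendf(trash, "!%s ", (char *)sni_tmp->name.key);` makes the intended output explicit and stops a reader assuming negative entries can still reach the first print. Note also that the negative-filter list is emitted with a trailing space before the tab separator, which shows up as a trailing blank in the column when the output is split on tabs as the documented example does. The inner walk dereferences `sni->ckch_inst` unconditionally for every wildcard node; if a wildcard sni_ctx can exist without a ckch_inst this would crash the CLI applet, so that invariant is worth confirming or guarding. The enclosing dump function starts and ends outside this hunk.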