From: Willy Tarreau Date: Mon, 26 May 2025 07:21:36 +0000 (+0200) Subject: DOC: config: fix alphabetical ordering of layer 5 sample fetch functions X-Git-Tag: v3.2.0~22 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=770098f5e3242958b045bdbb8f44753e3e538994;p=thirdparty%2Fhaproxy.git DOC: config: fix alphabetical ordering of layer 5 sample fetch functions Some misordering has been accumulating over time, making some of them hard to spot. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 105eb22ce..16c930c11 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -23718,24 +23718,24 @@ ssl_bc boolean ssl_bc_alg_keysize integer ssl_bc_alpn string ssl_bc_cipher string -ssl_bc_client_random binary ssl_bc_client_early_traffic_secret string ssl_bc_client_handshake_traffic_secret string +ssl_bc_client_random binary ssl_bc_client_traffic_secret_0 string -ssl_bc_exporter_secret string -ssl_bc_early_exporter_secret string ssl_bc_curve string +ssl_bc_early_exporter_secret string ssl_bc_err integer ssl_bc_err_str string +ssl_bc_exporter_secret string ssl_bc_is_resumed boolean ssl_bc_npn string ssl_bc_protocol string -ssl_bc_unique_id binary ssl_bc_server_handshake_traffic_secret string -ssl_bc_server_traffic_secret_0 string ssl_bc_server_random binary +ssl_bc_server_traffic_secret_0 string ssl_bc_session_id binary ssl_bc_session_key binary +ssl_bc_unique_id binary ssl_bc_use_keysize integer ssl_c_ca_err integer ssl_c_ca_err_depth integer 
@@ -23773,18 +23773,18 @@ ssl_fc_cipherlist_bin([]) binary ssl_fc_cipherlist_hex([]) string ssl_fc_cipherlist_str([]) string ssl_fc_cipherlist_xxh integer -ssl_fc_curve string -ssl_fc_ecformats_bin binary -ssl_fc_eclist_bin([]) binary -ssl_fc_extlist_bin([]) binary -ssl_fc_client_random binary ssl_fc_client_early_traffic_secret string ssl_fc_client_handshake_traffic_secret string +ssl_fc_client_random binary ssl_fc_client_traffic_secret_0 string -ssl_fc_exporter_secret string +ssl_fc_curve string ssl_fc_early_exporter_secret string +ssl_fc_ecformats_bin binary +ssl_fc_eclist_bin([]) binary ssl_fc_err integer ssl_fc_err_str string +ssl_fc_exporter_secret string +ssl_fc_extlist_bin([]) binary ssl_fc_has_crt boolean ssl_fc_has_early boolean ssl_fc_has_sni boolean @@ -23792,22 +23792,22 @@ ssl_fc_is_resumed boolean ssl_fc_npn string ssl_fc_protocol string ssl_fc_protocol_hello_id integer -ssl_fc_unique_id binary ssl_fc_server_handshake_traffic_secret string -ssl_fc_server_traffic_secret_0 string ssl_fc_server_random binary +ssl_fc_server_traffic_secret_0 string ssl_fc_session_id binary ssl_fc_session_key binary ssl_fc_sigalgs_bin([]) binary ssl_fc_sni string ssl_fc_supported_versions_bin([]) binary +ssl_fc_unique_id binary ssl_fc_use_keysize integer -ssl_s_der binary ssl_s_chain_der binary +ssl_s_der binary +ssl_s_i_dn([[,[,]]]) string ssl_s_key_alg string ssl_s_notafter string ssl_s_notbefore string -ssl_s_i_dn([[,[,]]]) string ssl_s_s_dn([[,[,]]]) string ssl_s_serial binary ssl_s_sha1 binary 
@@ -23871,12 +23871,6 @@ bs.rst_code : integer the server is returned. The sample fetch fails if no abort was received or if the server stream is not an H2/QUIC stream. -ssl_bc : boolean - Returns true when the back connection was made via an SSL/TLS transport - layer and is locally deciphered. This means the outgoing connection was made - to a server with the "ssl" option. It can be used in a tcp-check or an - http-check ruleset. - fs.aborted : boolean Returns true is an abort was received from the client for the current stream. Otherwise false is returned. @@ -23914,6 +23908,12 @@ fs.rst_code : integer the client is returned. The sample fetch fails if no abort was received or if the client stream is not an H2/QUIC stream. +ssl_bc : boolean + Returns true when the back connection was made via an SSL/TLS transport + layer and is locally deciphered. This means the outgoing connection was made + to a server with the "ssl" option. It can be used in a tcp-check or an + http-check ruleset. + ssl_bc_alg_keysize : integer Returns the symmetric cipher key size supported in bits when the outgoing connection was made over an SSL/TLS transport layer. It can be used in a @@ -23936,12 +23936,6 @@ ssl_bc_cipher : string over an SSL/TLS transport layer. It can be used in a tcp-check or an http-check ruleset. -ssl_bc_client_random : binary - Returns the client random of the back connection when the incoming connection - was made over an SSL/TLS transport layer. It is useful to to decrypt traffic - sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL. - It can be used in a tcp-check or an http-check ruleset. - ssl_bc_client_early_traffic_secret : string Return the CLIENT_EARLY_TRAFFIC_SECRET as an hexadecimal string for the back connection when the outgoing connection was made over a TLS 1.3 
@@ -23960,6 +23954,12 @@ ssl_bc_client_handshake_traffic_secret : string activated with "tune.ssl.keylog on" in the global section. See also "tune.ssl.keylog" +ssl_bc_client_random : binary + Returns the client random of the back connection when the incoming connection + was made over an SSL/TLS transport layer. It is useful to to decrypt traffic + sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL. + It can be used in a tcp-check or an http-check ruleset. + ssl_bc_client_traffic_secret_0 : string Return the CLIENT_TRAFFIC_SECRET_0 as an hexadecimal string for the back connection when the outgoing connection was made over a TLS 1.3 @@ -23969,14 +23969,10 @@ ssl_bc_client_traffic_secret_0 : string activated with "tune.ssl.keylog on" in the global section. See also "tune.ssl.keylog" -ssl_bc_exporter_secret : string - Return the EXPORTER_SECRET as an hexadecimal string for the - back connection when the outgoing connection was made over a TLS 1.3 - transport layer. - Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL - keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be - activated with "tune.ssl.keylog on" in the global section. See also - "tune.ssl.keylog" +ssl_bc_curve : string + Returns the name of the curve used in the key agreement when the outgoing + connection was made over an SSL/TLS transport layer. This requires + OpenSSL >= 3.0.0. ssl_bc_early_exporter_secret : string Return the EARLY_EXPORTER_SECRET as an hexadecimal string for the 
@@ -23987,11 +23983,6 @@ ssl_bc_early_exporter_secret : string activated with "tune.ssl.keylog on" in the global section. See also "tune.ssl.keylog" -ssl_bc_curve : string - Returns the name of the curve used in the key agreement when the outgoing - connection was made over an SSL/TLS transport layer. This requires - OpenSSL >= 3.0.0. - ssl_bc_err : integer When the outgoing connection was made over an SSL/TLS transport layer, returns the ID of the last error of the first error stack raised on the @@ -24008,6 +23999,15 @@ ssl_bc_err_str : string that was raised on the connection from the backend's perspective. See also "ssl_fc_err". +ssl_bc_exporter_secret : string + Return the EXPORTER_SECRET as an hexadecimal string for the + back connection when the outgoing connection was made over a TLS 1.3 + transport layer. + Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL + keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be + activated with "tune.ssl.keylog on" in the global section. See also + "tune.ssl.keylog" + ssl_bc_is_resumed : boolean Returns true when the back connection was made over an SSL/TLS transport layer and the newly created SSL session was resumed using a cached @@ -24030,12 +24030,6 @@ ssl_bc_protocol : string over an SSL/TLS transport layer. It can be used in a tcp-check or an http-check ruleset. -ssl_bc_unique_id : binary - When the outgoing connection was made over an SSL/TLS transport layer, - returns the TLS unique ID as defined in RFC5929 section 3. The unique id - can be encoded to base64 using the converter: "ssl_bc_unique_id,base64". It - can be used in a tcp-check or an http-check ruleset. - ssl_bc_server_handshake_traffic_secret : string Return the SERVER_HANDSHAKE_TRAFFIC_SECRET as an hexadecimal string for the back connection when the outgoing connection was made over a TLS 1.3 
@@ -24045,6 +24039,12 @@ ssl_bc_server_handshake_traffic_secret : string activated with "tune.ssl.keylog on" in the global section. See also "tune.ssl.keylog" +ssl_bc_server_random : binary + Returns the server random of the back connection when the incoming connection + was made over an SSL/TLS transport layer. It is useful to to decrypt traffic + sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL. + It can be used in a tcp-check or an http-check ruleset. + ssl_bc_server_traffic_secret_0 : string Return the SERVER_TRAFFIC_SECRET_0 as an hexadecimal string for the back connection when the outgoing connection was made over an TLS 1.3 @@ -24054,12 +24054,6 @@ ssl_bc_server_traffic_secret_0 : string activated with "tune.ssl.keylog on" in the global section. See also "tune.ssl.keylog" -ssl_bc_server_random : binary - Returns the server random of the back connection when the incoming connection - was made over an SSL/TLS transport layer. It is useful to to decrypt traffic - sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL. - It can be used in a tcp-check or an http-check ruleset. - ssl_bc_session_id : binary Returns the SSL ID of the back connection when the outgoing connection was made over an SSL/TLS transport layer. It is useful to log if we want to know @@ -24072,6 +24066,12 @@ ssl_bc_session_key : binary traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL. It can be used in a tcp-check or an http-check ruleset. +ssl_bc_unique_id : binary + When the outgoing connection was made over an SSL/TLS transport layer, + returns the TLS unique ID as defined in RFC5929 section 3. The unique id + can be encoded to base64 using the converter: "ssl_bc_unique_id,base64". It + can be used in a tcp-check or an http-check ruleset. + ssl_bc_use_keysize : integer Returns the symmetric cipher key size used in bits when the outgoing connection was made over an SSL/TLS transport layer. It can be used in a 
@@ -24362,11 +24362,52 @@ ssl_fc_cipherlist_xxh : integer "tune.ssl.capture-buffer-size" is set greater than 0, however the hash take into account all the data of the cipher list. +ssl_fc_client_early_traffic_secret : string + Return the CLIENT_EARLY_TRAFFIC_SECRET as an hexadecimal string for the + front connection when the incoming connection was made over a TLS 1.3 + transport layer. + Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL + keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be + activated with "tune.ssl.keylog on" in the global section. See also + "tune.ssl.keylog" + +ssl_fc_client_handshake_traffic_secret : string + Return the CLIENT_HANDSHAKE_TRAFFIC_SECRET as an hexadecimal string for the + front connection when the incoming connection was made over a TLS 1.3 + transport layer. + Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL + keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be + activated with "tune.ssl.keylog on" in the global section. See also + "tune.ssl.keylog" + +ssl_fc_client_random : binary + Returns the client random of the front connection when the incoming connection + was made over an SSL/TLS transport layer. It is useful to to decrypt traffic + sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL. + +ssl_fc_client_traffic_secret_0 : string + Return the CLIENT_TRAFFIC_SECRET_0 as an hexadecimal string for the + front connection when the incoming connection was made over a TLS 1.3 + transport layer. + Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL + keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be + activated with "tune.ssl.keylog on" in the global section. See also + "tune.ssl.keylog" + ssl_fc_curve : string Returns the name of the curve used in the key agreement when the incoming connection was made over an SSL/TLS transport layer. This requires OpenSSL >= 3.0.0. 
+ssl_fc_early_exporter_secret : string + Return the EARLY_EXPORTER_SECRET as an hexadecimal string for the + front connection when the incoming connection was made over an TLS 1.3 + transport layer. + Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL + keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be + activated with "tune.ssl.keylog on" in the global section. See also + "tune.ssl.keylog" + ssl_fc_ecformats_bin : binary Return the binary form of the client hello supported elliptic curve point formats. The maximum returned value length is limited by the shared capture 
@@ -24402,75 +24443,6 @@ ssl_fc_eclist_bin([]) : binary http-request set-header X-Malware True if is_malware http-request set-header X-Malware False if !is_malware -ssl_fc_extlist_bin([]) : binary - Returns the binary form of the client hello extension list. The maximum - returned value length is limited by the shared capture buffer size - controlled by "tune.ssl.capture-buffer-size" setting. Setting - allows to filter returned data. Accepted values: - 0 : return the full list of extensions (default) - 1 : exclude GREASE (RFC8701) values from the output - - Example: - http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\ - %[ssl_fc_cipherlist_bin(1),be2dec(-,2)],\ - %[ssl_fc_extlist_bin(1),be2dec(-,2)],\ - %[ssl_fc_eclist_bin(1),be2dec(-,2)],\ - %[ssl_fc_ecformats_bin,be2dec(-,1)] - acl is_malware req.fhdr(x-ssl-ja3),digest(md5),hex \ - -f /path/to/file/with/malware-ja3.lst - http-request set-header X-Malware True if is_malware - http-request set-header X-Malware False if !is_malware - -ssl_fc_client_random : binary - Returns the client random of the front connection when the incoming connection - was made over an SSL/TLS transport layer. It is useful to to decrypt traffic - sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL. - -ssl_fc_client_early_traffic_secret : string - Return the CLIENT_EARLY_TRAFFIC_SECRET as an hexadecimal string for the - front connection when the incoming connection was made over a TLS 1.3 - transport layer. - Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL - keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be - activated with "tune.ssl.keylog on" in the global section. See also - "tune.ssl.keylog" - -ssl_fc_client_handshake_traffic_secret : string - Return the CLIENT_HANDSHAKE_TRAFFIC_SECRET as an hexadecimal string for the - front connection when the incoming connection was made over a TLS 1.3 - transport layer. - Require OpenSSL >= 1.1.1. 
This is one of the keys dumped by the OpenSSL - keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be - activated with "tune.ssl.keylog on" in the global section. See also - "tune.ssl.keylog" - -ssl_fc_client_traffic_secret_0 : string - Return the CLIENT_TRAFFIC_SECRET_0 as an hexadecimal string for the - front connection when the incoming connection was made over a TLS 1.3 - transport layer. - Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL - keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be - activated with "tune.ssl.keylog on" in the global section. See also - "tune.ssl.keylog" - -ssl_fc_exporter_secret : string - Return the EXPORTER_SECRET as an hexadecimal string for the - front connection when the incoming connection was made over a TLS 1.3 - transport layer. - Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL - keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be - activated with "tune.ssl.keylog on" in the global section. See also - "tune.ssl.keylog" - -ssl_fc_early_exporter_secret : string - Return the EARLY_EXPORTER_SECRET as an hexadecimal string for the - front connection when the incoming connection was made over an TLS 1.3 - transport layer. - Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL - keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be - activated with "tune.ssl.keylog on" in the global section. See also - "tune.ssl.keylog" - ssl_fc_err : integer When the incoming connection was made over an SSL/TLS transport layer, returns the ID of the last error of the first error stack raised on the 
@@ -24493,6 +24465,34 @@ ssl_fc_err_str : string certificate verification process will not be raised through this fetch. See also "ssl_fc_err". +ssl_fc_exporter_secret : string + Return the EXPORTER_SECRET as an hexadecimal string for the + front connection when the incoming connection was made over a TLS 1.3 + transport layer. + Require OpenSSL >= 1.1.1. This is one of the keys dumped by the OpenSSL + keylog callback to generate the SSLKEYLOGFILE. The SSL Key logging must be + activated with "tune.ssl.keylog on" in the global section. See also + "tune.ssl.keylog" + +ssl_fc_extlist_bin([]) : binary + Returns the binary form of the client hello extension list. The maximum + returned value length is limited by the shared capture buffer size + controlled by "tune.ssl.capture-buffer-size" setting. Setting + allows to filter returned data. Accepted values: + 0 : return the full list of extensions (default) + 1 : exclude GREASE (RFC8701) values from the output + + Example: + http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\ + %[ssl_fc_cipherlist_bin(1),be2dec(-,2)],\ + %[ssl_fc_extlist_bin(1),be2dec(-,2)],\ + %[ssl_fc_eclist_bin(1),be2dec(-,2)],\ + %[ssl_fc_ecformats_bin,be2dec(-,1)] + acl is_malware req.fhdr(x-ssl-ja3),digest(md5),hex \ + -f /path/to/file/with/malware-ja3.lst + http-request set-header X-Malware True if is_malware + http-request set-header X-Malware False if !is_malware + ssl_fc_has_crt : boolean Returns true if a client certificate is present in an incoming connection over SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'. 
@@ -24549,11 +24549,6 @@ ssl_fc_protocol_hello_id : integer http-request set-header X-Malware True if is_malware http-request set-header X-Malware False if !is_malware -ssl_fc_unique_id : binary - When the incoming connection was made over an SSL/TLS transport layer, - returns the TLS unique ID as defined in RFC5929 section 3. The unique id - can be encoded to base64 using the converter: "ssl_fc_unique_id,base64". - ssl_fc_server_handshake_traffic_secret : string Return the SERVER_HANDSHAKE_TRAFFIC_SECRET as an hexadecimal string for the front connection when the incoming connection was made over a TLS 1.3 @@ -24563,6 +24558,11 @@ ssl_fc_server_handshake_traffic_secret : string activated with "tune.ssl.keylog on" in the global section. See also "tune.ssl.keylog" +ssl_fc_server_random : binary + Returns the server random of the front connection when the incoming connection + was made over an SSL/TLS transport layer. It is useful to to decrypt traffic + sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL. + ssl_fc_server_traffic_secret_0 : string Return the SERVER_TRAFFIC_SECRET_0 as an hexadecimal string for the front connection when the incoming connection was made over an TLS 1.3 @@ -24572,11 +24572,6 @@ ssl_fc_server_traffic_secret_0 : string activated with "tune.ssl.keylog on" in the global section. See also "tune.ssl.keylog" -ssl_fc_server_random : binary - Returns the server random of the front connection when the incoming connection - was made over an SSL/TLS transport layer. It is useful to to decrypt traffic - sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL. - ssl_fc_session_id : binary Returns the SSL ID of the front connection when the incoming connection was made over an SSL/TLS transport layer. It is useful to stick a given client to 
@@ -24638,15 +24633,15 @@ ssl_fc_supported_versions_bin([]) : binary 0 : return the full list of ciphers (default) 1 : exclude GREASE (RFC8701) values from the output +ssl_fc_unique_id : binary + When the incoming connection was made over an SSL/TLS transport layer, + returns the TLS unique ID as defined in RFC5929 section 3. The unique id + can be encoded to base64 using the converter: "ssl_fc_unique_id,base64". + ssl_fc_use_keysize : integer Returns the symmetric cipher key size used in bits when the incoming connection was made over an SSL/TLS transport layer. -ssl_s_der : binary - Returns the DER formatted certificate presented by the server when the - outgoing connection was made over an SSL/TLS transport layer. When used for - an ACL, the value(s) to match against can be passed in hexadecimal form. - ssl_s_chain_der : binary Returns the DER formatted chain certificate presented by the server when the outgoing connection was made over an SSL/TLS transport layer. When used for 
@@ -24654,20 +24649,10 @@ ssl_s_chain_der : binary can parse the result with any lib accepting ASN.1 DER data. It currently does not support resumed sessions. -ssl_s_key_alg : string - Returns the name of the algorithm used to generate the key of the certificate - presented by the server when the outgoing connection was made over an - SSL/TLS transport layer. - -ssl_s_notafter : string - Returns the end date presented by the server as a formatted string - YYMMDDhhmmss[Z] when the outgoing connection was made over an SSL/TLS - transport layer. - -ssl_s_notbefore : string - Returns the start date presented by the server as a formatted string - YYMMDDhhmmss[Z] when the outgoing connection was made over an SSL/TLS - transport layer. +ssl_s_der : binary + Returns the DER formatted certificate presented by the server when the + outgoing connection was made over an SSL/TLS transport layer. When used for + an ACL, the value(s) to match against can be passed in hexadecimal form. ssl_s_i_dn([[,[,]]]) : string When the outgoing connection was made over an SSL/TLS transport layer, 
@@ -24684,6 +24669,21 @@ ssl_s_i_dn([[,[,]]]) : string If you'd like to modify the format only you can specify an empty string and zero for the first two parameters. Example: ssl_s_i_dn(,0,rfc2253) +ssl_s_key_alg : string + Returns the name of the algorithm used to generate the key of the certificate + presented by the server when the outgoing connection was made over an + SSL/TLS transport layer. + +ssl_s_notafter : string + Returns the end date presented by the server as a formatted string + YYMMDDhhmmss[Z] when the outgoing connection was made over an SSL/TLS + transport layer. + +ssl_s_notbefore : string + Returns the start date presented by the server as a formatted string + YYMMDDhhmmss[Z] when the outgoing connection was made over an SSL/TLS + transport layer. + ssl_s_s_dn([[,[,]]]) : string When the outgoing connection was made over an SSL/TLS transport layer, returns the full distinguished name of the subject of the certificate @@ -24724,6 +24724,7 @@ txn.timer.user : integer This is the equivalent of %Tu in the log-format and is reported in milliseconds (ms). For more details see Section 8.4 "Timing events" + 7.3.5. Fetching samples from buffer contents (Layer 6) ------------------------------------------------------
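Review bot: the ssl_bc_client_random and ssl_bc_server_random descriptions re-added in the hunks at @@ -23960 and @@ -24045 say "of the back connection when the incoming connection was made over an SSL/TLS transport layer", which contradicts itself for a back-connection fetch; the neighbouring ssl_bc_session_id and ssl_bc_session_key entries in the same region say "when the outgoing connection was made", and the wording appears to have been copied from the ssl_fc_client_random / ssl_fc_server_random entries. Both entries also carry the doubled "useful to to decrypt". Since this commit is deliberately a pure reorder, keeping the moved text byte-identical is fine here, but a follow-up DOC commit should change "incoming" to "outgoing" in the two ssl_bc_*_random entries and drop the duplicated "to" in all four *_random entries.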
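Review bot: the TLS 1.3 key-log entries moved in the hunks at @@ -24362 and @@ -24493 (ssl_fc_early_exporter_secret, ssl_fc_exporter_secret, ssl_fc_client_*_secret) and their ssl_bc_* counterparts are inconsistent with each other: ssl_fc_early_exporter_secret and ssl_fc_server_traffic_secret_0 say "over an TLS 1.3 transport layer" while the sibling entries say "over a TLS 1.3", every entry uses "an hexadecimal string" and "Require OpenSSL >= 1.1.1." (should be "Requires"), and the closing 'See also "tune.ssl.keylog"' has no terminating period. None of this should block a reorder-only commit, but these entries document how to obtain traffic-decrypting secrets and operators grep this file for "tune.ssl.keylog", so a follow-up that normalises the wording across all ssl_fc_*/ssl_bc_* secret entries would be worthwhile.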
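Review bot: the hunk at @@ -24724 only inserts a blank line before the "7.3.5. Fetching samples from buffer contents (Layer 6)" heading, which is unrelated to the alphabetical reordering the subject line describes and is not mentioned in the commit message. Either note it in the message ("also add the missing blank line before 7.3.5") or leave it out so the diff stays strictly a reorder and is easier to verify by eye.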
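Review bot: the summary-table hunks at @@ -23718 and @@ -23773 and the detailed entries now agree, and the byte-wise order holds for every moved name I checked against its neighbours (ssl_bc_curve < ssl_bc_early_exporter_secret < ssl_bc_err < ssl_bc_err_str < ssl_bc_exporter_secret; ssl_fc_ecformats_bin < ssl_fc_eclist_bin; ssl_s_s_dn before ssl_s_serial because '_' sorts before 'e' in the C locale). Given the commit message's own remark that "misordering has been accumulating over time", it would be worth pairing this with a small check (for example, extracting the keyword column of each summary table and running sort with LC_ALL=C in check mode) so the next out-of-order addition is caught at review time rather than in a later sweep.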