The table below summaries the status of each variable for the different working
modes:
- +--------------------------+---------+------------+-----------+
- | variable | usable | modifiable | listed |
- | +---------+------------+-----------+
- | | M | W | M | W | M | W |
- +--------------------------+----+----+------+-----+-----+-----+
- | HAPROXY_STARTUP_VERSION | X | X | | | X | X |
- | HAPROXY_BRANCH | X | X | | | X | X |
- | HAPROXY_CFGFILES | | | | | X | X |
- | HAPROXY_MWORKER | | | | | X | X |
- | HAPROXY_CLI | | | | | | X |
- | HAPROXY_MASTER_CLI | | | | | X | |
- | HAPROXY_LOCALPEER | | X | | | | X |
- | HAPROXY_HTTP_LOG_FMT | | X | | X | | |
- | HAPROXY_HTTP_CLF_LOG_FMT | | X | | X | | |
- | HAPROXY_HTTPS_LOG_FMT | | X | | X | | |
- | HAPROXY_TCP_LOG_FMT | | X | | X | | |
- +--------------------------+----+----+------+-----+-----+-----+
+ +---------------------------+---------+------------+-----------+
+ | variable | usable | modifiable | listed |
+ | +---------+------------+-----------+
+ | | M | W | M | W | M | W |
+ +---------------------------+----+----+------+-----+-----+-----+
+ | HAPROXY_STARTUP_VERSION | X | X | | | X | X |
+ | HAPROXY_BRANCH | X | X | | | X | X |
+ | HAPROXY_CFGFILES | | | | | X | X |
+ | HAPROXY_MWORKER | | | | | X | X |
+ | HAPROXY_CLI | | | | | | X |
+ | HAPROXY_MASTER_CLI | | | | | X | |
+ | HAPROXY_LOCALPEER | | X | | | | X |
+ | HAPROXY_HTTP_LOG_FMT | | X | | X | | |
+ | HAPROXY_HTTP_CLF_LOG_FMT | | X | | X | | |
+ | HAPROXY_HTTPS_LOG_FMT | | X | | X | | |
+ | HAPROXY_TCP_LOG_FMT | | X | | X | | |
+ | HAPROXY_TCP_CLF_LOG_FMT | | X | | X | | |
+ | HAPROXY_KEYLOG_FC_LOG_FMT | | X | | X | | |
+ | HAPROXY_KEYLOG_BC_LOG_FMT | | X | | X | | |
+ +---------------------------+----+----+------+-----+-----+-----+
The variables in question are the following:
* HAPROXY_TCP_CLF_LOG_FMT: similar to HAPROXY_HTTP_CLF_LOG_FMT but for TCP
CLF log format as defined in section 8.2.2 "TCP log format".
+ * HAPROXY_KEYLOG_FC_LOG_FMT: contains the keylog format for the frontend
+ (client-facing) TLS connection, with key entries separated by newlines so
+ it might not be compatible with your syslog server. "tune.ssl.keylog on" is
+ required.
+
+ * HAPROXY_KEYLOG_BC_LOG_FMT: similar to HAPROXY_KEYLOG_FC_LOG_FMT but for the
+ backend (server-facing) TLS connection. Key entries are separated by
+ newlines so it might not be compatible with your syslog server.
+ "tune.ssl.keylog on" is required.
+
* HAPROXY_MWORKER: In master-worker mode, this variable is set to 1.
* HAPROXY_CLI: configured listeners addresses of the stats socket of every
EXPORTER_SECRET %[ssl_bc_client_random,hex] %[ssl_bc_exporter_secret]\n
EARLY_EXPORTER_SECRET %[ssl_bc_client_random,hex] %[ssl_bc_early_exporter_secret]"
+ HAProxy also provides the above formats as predefined environment variables
+ that can be used directly in a "log-format" directive:
+
+ $HAPROXY_KEYLOG_FC_LOG_FMT frontend (client-facing) connection keys
+ $HAPROXY_KEYLOG_BC_LOG_FMT backend (server-facing) connection keys
+
tune.ssl.lifetime <timeout>
Sets how long a cached SSL session may remain valid. This time is expressed
in seconds and defaults to 300 (5 min). It is important to understand that it
--- /dev/null
+# Example: log HTTP traffic and TLS session keys to separate destinations
+#
+# "option httpslog" sends HTTP access logs to the /dev/log syslog server.
+# TLS session keys are written to 2 ring buffers.
+#
+# Requirements:
+# - HAProxy built with OpenSSL support
+# - "tune.ssl.keylog on" in the global section
+#
+# Retrieve TLS session keys from the ring buffer via the CLI:
+# For frontend connections:
+#
+# (echo "show events keylog-fc -w"; read) | socat /tmp/worker.socket -
+#
+# For backend connections:
+#
+# (echo "show events keylog-bc -w"; read) | socat /tmp/worker.socket -
+#
+# The result is in SSLKEYLOGFILE format and can be saved to a file and loaded
+# into Wireshark to decrypt captured TLS traffic.
+
+global
+ stats socket /tmp/worker.socket mode 0660
+ tune.ssl.keylog on
+
+# Ring buffer for TLS session keys.
+# "format raw" stores only the log message text, without any syslog envelope,
+# producing output in the SSLKEYLOGFILE format directly.
+ring keylog-fc
+ description "TLS session key frontend log"
+ format raw
+ maxlen 2000
+ size 1M
+
+ring keylog-bc
+ description "TLS session key backend log"
+ format raw
+ maxlen 2000
+ size 1M
+
+
+defaults
+ mode http
+ timeout client 30s
+ timeout server 30s
+ timeout connect 5s
+
+log-profile keylog-fc
+ on any format "${HAPROXY_KEYLOG_FC_LOG_FMT}"
+
+log-profile keylog-bc
+ on any format "${HAPROXY_KEYLOG_BC_LOG_FMT}"
+
+frontend https-in
+ bind :443 ssl crt "common.pem"
+
+ option httpslog
+
+ # HTTPs access logs sent to the syslog server
+ log /dev/log format raw local0
+
+ # TLS session keys written to the ring buffer
+ log ring@keylog-fc profile keylog-fc local1
+ log ring@keylog-bc profile keylog-bc local1
+
+ default_backend be1
+
+backend be1
+ server s1 10.0.0.123:443 ssl verify none
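Review bot: The example writes every TLS secret of each connection into the keylog-fc/keylog-bc rings, and those rings are readable by whoever can connect to `stats socket /tmp/worker.socket mode 0660`, so the file should state that access to the socket is equivalent to being able to decrypt the captured traffic. I would add above the `global` section: `# The keylog rings hold TLS session secrets; anyone who can read the stats socket can decrypt captured traffic. Restrict it with "user"/"group" and put it in a directory that is not world-writable.` The backend line `server s1 10.0.0.123:443 ssl verify none` also disables certificate verification, which an example that readers copy as-is should call out, e.g. `# "verify none" is for the demo only; use "verify required" with a CA in production`.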
extern char default_http_log_format[];
extern char clf_http_log_format[];
extern char default_https_log_format[];
+extern char keylog_format_fc[];
+extern char keylog_format_bc[];
extern char default_rfc5424_sd_log_format[];
setenv("HAPROXY_HTTPS_LOG_FMT", default_https_log_format, 1);
setenv("HAPROXY_TCP_LOG_FMT", default_tcp_log_format, 1);
setenv("HAPROXY_TCP_CLF_LOG_FMT", clf_tcp_log_format, 1);
+ setenv("HAPROXY_KEYLOG_FC_LOG_FMT", keylog_format_fc, 1);
+ setenv("HAPROXY_KEYLOG_BC_LOG_FMT", keylog_format_bc, 1);
setenv("HAPROXY_BRANCH", PRODUCT_BRANCH, 1);
list_for_each_entry(cfg, &cfg_cfgfiles, list) {
int ret;
char clf_tcp_log_format[] = "%{+Q}o %{-Q}ci - - [%T] \"TCP \" 000 %B \"\" \"\" %cp %ms %ft %b %s %Th %Tw %Tc %Tt %U %ts-- %ac %fc %bc %sc %rc %sq %bq \"\" \"\" ";
char *log_format = NULL;
+char keylog_format_bc[] = "CLIENT_EARLY_TRAFFIC_SECRET %[ssl_bc_client_random,hex] %[ssl_bc_client_early_traffic_secret]\n"
+ "CLIENT_HANDSHAKE_TRAFFIC_SECRET %[ssl_bc_client_random,hex] %[ssl_bc_client_handshake_traffic_secret]\n"
+ "SERVER_HANDSHAKE_TRAFFIC_SECRET %[ssl_bc_client_random,hex] %[ssl_bc_server_handshake_traffic_secret]\n"
+ "CLIENT_TRAFFIC_SECRET_0 %[ssl_bc_client_random,hex] %[ssl_bc_client_traffic_secret_0]\n"
+ "SERVER_TRAFFIC_SECRET_0 %[ssl_bc_client_random,hex] %[ssl_bc_server_traffic_secret_0]\n"
+ "EXPORTER_SECRET %[ssl_bc_client_random,hex] %[ssl_bc_exporter_secret]\n"
+ "EARLY_EXPORTER_SECRET %[ssl_bc_client_random,hex] %[ssl_bc_early_exporter_secret]";
+
+char keylog_format_fc[] = "CLIENT_EARLY_TRAFFIC_SECRET %[ssl_fc_client_random,hex] %[ssl_fc_client_early_traffic_secret]\n"
+ "CLIENT_HANDSHAKE_TRAFFIC_SECRET %[ssl_fc_client_random,hex] %[ssl_fc_client_handshake_traffic_secret]\n"
+ "SERVER_HANDSHAKE_TRAFFIC_SECRET %[ssl_fc_client_random,hex] %[ssl_fc_server_handshake_traffic_secret]\n"
+ "CLIENT_TRAFFIC_SECRET_0 %[ssl_fc_client_random,hex] %[ssl_fc_client_traffic_secret_0]\n"
+ "SERVER_TRAFFIC_SECRET_0 %[ssl_fc_client_random,hex] %[ssl_fc_server_traffic_secret_0]\n"
+ "EXPORTER_SECRET %[ssl_fc_client_random,hex] %[ssl_fc_exporter_secret]\n"
+ "EARLY_EXPORTER_SECRET %[ssl_fc_client_random,hex] %[ssl_fc_early_exporter_secret]";
+
+
/* Default string used for structured-data part in RFC5424 formatted
* syslog messages.
*/
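Review bot: `keylog_format_bc` and `keylog_format_fc` are added without any comment, while the neighbouring `default_rfc5424_sd_log_format` carries a short header describing its purpose. I would add above `keylog_format_bc`: `/* Default keylog formats, one SSLKEYLOGFILE line per secret, for the backend (bc) and frontend (fc) TLS connections; exported as HAPROXY_KEYLOG_{BC,FC}_LOG_FMT and only meaningful with "tune.ssl.keylog on". */`. The two strings differ only in the `ssl_bc_`/`ssl_fc_` prefix, so the comment should say they must be kept in sync, and the last entry deliberately lacking a trailing `\n` (which looks intentional, matching the documented format) is worth stating there too.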
str == clf_http_log_format ||
str == default_tcp_log_format ||
str == clf_tcp_log_format ||
- str == default_rfc5424_sd_log_format;
+ str == default_rfc5424_sd_log_format ||
+ str == keylog_format_bc ||
+ str == keylog_format_fc;
}
/* free logformat str if it is not a default (static) one */