MINOR: ssl/cli: add negative filters to "show ssl sni"

The 'show ssl sni' output can be confusing when using crt-list, because
the wildcards can be completed with negative filters, and they need to
be associated to the same line.

Having a negative filter on a line of its own does not make much sense, so
this patch adds a new 'Negative Filter' column that shows the exceptions
applied to a wildcard from a crt-list line.
William Lallemand 2024-12-10 11:19:15 +01:00
parent da28cd08f5
commit a6b3080966
2 changed files with 32 additions and 11 deletions


@ -3777,6 +3777,10 @@ show ssl sni [-f <frontend>]
explicitely by 'default-crt' or is implicitely the first certificate of a bind
line when no 'strict-sni' is used) shows the '*' character in the SNI column.
The 'Negative Filter' column is the list of negative filters associated to a
wildcard, this will show all negatives filters that are on the same crt-list
line. A dash character is displayed if there are none.
The 'Type' column shows the encryption algorithm type, it can be "rsa", "ecdsa" or "dsa".
The 'Filename' column can be either a filename from the configuration, or an
@ -3787,12 +3791,14 @@ show ssl sni [-f <frontend>]
Example:
$ echo "@1 show ssl sni" | socat /var/run/haproxy-master.sock - | column -t -s $'\t'
# Frontend/Bind SNI Type Filename NotAfter NotBefore
li1/haproxy.cfg:10021 machine10 rsa machine10.pem.rsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
li1/haproxy.cfg:10021 machine10 ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
li1/haproxy.cfg:10021 localhost rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT
li1/haproxy.cfg:10021 localhost ecdsa localhost.pem.ecdsa Jun 13 13:37:10 2024 GMT May 14 13:37:10 2024 GMT
li1/haproxy.cfg:10021 * rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT
# Frontend/Bind SNI Negative Filter Type Filename NotAfter NotBefore
li1/haproxy.cfg:10021 *.ex.lan !m1.ex.lan rsa example.lan.pem Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
li1/haproxy.cfg:10021 machine10 - ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
li1/haproxy.cfg:10021 machine10 - rsa machine10.pem.rsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
li1/haproxy.cfg:10021 machine10 - ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
li1/haproxy.cfg:10021 localhost - rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT
li1/haproxy.cfg:10021 localhost - ecdsa localhost.pem.ecdsa Jun 13 13:37:10 2024 GMT May 14 13:37:10 2024 GMT
li1/haproxy.cfg:10021 * - rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT
show startup-logs
Dump all messages emitted during the startup of the current haproxy process,


@ -1571,7 +1571,7 @@ static int cli_io_handler_show_sni(struct appctx *appctx)
/* ctx->bind is NULL only once we finished dumping a frontend or when starting
* so let's dump the header in these cases*/
if (ctx->bind == NULL && (ctx->onefrontend == 1 || (ctx->onefrontend == 0 && ctx->px == proxies_list)))
chunk_appendf(trash, "# Frontend/Bind\tSNI\tType\tFilename\tNotAfter\tNotBefore\n");
chunk_appendf(trash, "# Frontend/Bind\tSNI\tNegative Filter\tType\tFilename\tNotAfter\tNotBefore\n");
if (applet_putchk(appctx, trash) == -1)
goto yield;
@ -1605,19 +1605,35 @@ static int cli_io_handler_show_sni(struct appctx *appctx)
if (!n)
continue;
while (n) {
for (; n; n = ebmb_next(n)) {
struct sni_ctx *sni;
const char *name;
const char *certalg;
chunk_appendf(trash, "%s/%s:%d\t", bind->frontend->id, bind->file, bind->line);
int isneg = 0; /* is there any negative filters associated to this node */
sni = ebmb_entry(n, struct sni_ctx, name);
if (sni->neg)
continue;
chunk_appendf(trash, "%s/%s:%d\t", bind->frontend->id, bind->file, bind->line);
name = (char *)sni->name.key;
chunk_appendf(trash, "%s%s%s\t", sni->neg ? "!" : "", type ? "*" : "", name);
/* we are looking at wildcards, let's check the negative filters */
if (type == 1) {
struct sni_ctx *sni_tmp;
list_for_each_entry(sni_tmp, &sni->ckch_inst->sni_ctx, by_ckch_inst) {
if (sni_tmp->neg) {
chunk_appendf(trash, "%s%s ", sni_tmp->neg ? "!" : "", (char *)sni_tmp->name.key);
isneg = 1;
}
}
}
chunk_appendf(trash, "%s\t", isneg ? "" : "-");
switch (sni->kinfo.sig) {
case TLSEXT_signature_ecdsa:
certalg = "ecdsa";
@ -1642,7 +1658,6 @@ static int cli_io_handler_show_sni(struct appctx *appctx)
goto yield;
}
n = ebmb_next(n);
}
ctx->n = NULL;
}
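Review bot: The `chunk_appendf(trash, "%s%s%s\t", sni->neg ? "!" : "", type ? "*" : "", name);` line kept after the new `name =` assignment can no longer see a negative entry, because the rewritten loop now does `if (sni->neg) continue;` before reaching it, so the first conditional is dead and the call can become `chunk_appendf(trash, "%s%s\t", type ? "*" : "", name);`. In the inner `list_for_each_entry` the `sni_tmp->neg ? "!" : ""` is likewise always `"!"` inside `if (sni_tmp->neg)`, and the `"%s%s "` format leaves the Negative Filter cell ending in a space before the tab (`!m1.ex.lan \t` in the documented example); emitting the separator before every filter but the first avoids both, e.g. `chunk_appendf(trash, "%s!%s", isneg ? " " : "", (char *)sni_tmp->name.key);` followed by the existing `isneg = 1;`. The filter list is appended into the same bounded trash chunk with nothing limiting how many negative filters a crt-list line may carry, so a line with very many of them would presumably be truncated rather than yielded — worth confirming against chunk_appendf's behaviour on a full buffer. cli_io_handler_show_sni starts and ends outside the hunks shown.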