MINOR: ssl/cli: add negative filters to "show ssl sni"
The 'show ssl sni' output can be confusing when using crt-list, because the wildcards can be completed with negative filters, and those need to be associated with the same line. Having a negative filter on a line of its own does not make much sense, so this patch adds a new 'Negative Filter' column that shows the exceptions applied to a wildcard from a crt-list line.
This commit is contained in:
parent
da28cd08f5
commit
a6b3080966
@ -3777,6 +3777,10 @@ show ssl sni [-f <frontend>]
|
|||||||
explicitely by 'default-crt' or is implicitely the first certificate of a bind
|
explicitely by 'default-crt' or is implicitely the first certificate of a bind
|
||||||
line when no 'strict-sni' is used) shows the '*' character in the SNI column.
|
line when no 'strict-sni' is used) shows the '*' character in the SNI column.
|
||||||
|
|
||||||
|
The 'Negative Filter' column is the list of negative filters associated to a
|
||||||
|
wildcard, this will show all negatives filters that are on the same crt-list
|
||||||
|
line. A dash character is displayed if there are none.
|
||||||
|
|
||||||
The 'Type' column shows the encryption algorithm type, it can be "rsa", "ecdsa" or "dsa".
|
The 'Type' column shows the encryption algorithm type, it can be "rsa", "ecdsa" or "dsa".
|
||||||
|
|
||||||
The 'Filename' column can be either a filename from the configuration, or an
|
The 'Filename' column can be either a filename from the configuration, or an
|
||||||
@ -3787,12 +3791,14 @@ show ssl sni [-f <frontend>]
|
|||||||
|
|
||||||
Example:
|
Example:
|
||||||
$ echo "@1 show ssl sni" | socat /var/run/haproxy-master.sock - | column -t -s $'\t'
|
$ echo "@1 show ssl sni" | socat /var/run/haproxy-master.sock - | column -t -s $'\t'
|
||||||
# Frontend/Bind SNI Type Filename NotAfter NotBefore
|
# Frontend/Bind SNI Negative Filter Type Filename NotAfter NotBefore
|
||||||
li1/haproxy.cfg:10021 machine10 rsa machine10.pem.rsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
|
li1/haproxy.cfg:10021 *.ex.lan !m1.ex.lan rsa example.lan.pem Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
|
||||||
li1/haproxy.cfg:10021 machine10 ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
|
li1/haproxy.cfg:10021 machine10 - ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
|
||||||
li1/haproxy.cfg:10021 localhost rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT
|
li1/haproxy.cfg:10021 machine10 - rsa machine10.pem.rsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
|
||||||
li1/haproxy.cfg:10021 localhost ecdsa localhost.pem.ecdsa Jun 13 13:37:10 2024 GMT May 14 13:37:10 2024 GMT
|
li1/haproxy.cfg:10021 machine10 - ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
|
||||||
li1/haproxy.cfg:10021 * rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT
|
li1/haproxy.cfg:10021 localhost - rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT
|
||||||
|
li1/haproxy.cfg:10021 localhost - ecdsa localhost.pem.ecdsa Jun 13 13:37:10 2024 GMT May 14 13:37:10 2024 GMT
|
||||||
|
li1/haproxy.cfg:10021 * - rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT
|
||||||
|
|
||||||
show startup-logs
|
show startup-logs
|
||||||
Dump all messages emitted during the startup of the current haproxy process,
|
Dump all messages emitted during the startup of the current haproxy process,
|
||||||
|
|||||||
@ -1571,7 +1571,7 @@ static int cli_io_handler_show_sni(struct appctx *appctx)
|
|||||||
/* ctx->bind is NULL only once we finished dumping a frontend or when starting
|
/* ctx->bind is NULL only once we finished dumping a frontend or when starting
|
||||||
* so let's dump the header in these cases*/
|
* so let's dump the header in these cases*/
|
||||||
if (ctx->bind == NULL && (ctx->onefrontend == 1 || (ctx->onefrontend == 0 && ctx->px == proxies_list)))
|
if (ctx->bind == NULL && (ctx->onefrontend == 1 || (ctx->onefrontend == 0 && ctx->px == proxies_list)))
|
||||||
chunk_appendf(trash, "# Frontend/Bind\tSNI\tType\tFilename\tNotAfter\tNotBefore\n");
|
chunk_appendf(trash, "# Frontend/Bind\tSNI\tNegative Filter\tType\tFilename\tNotAfter\tNotBefore\n");
|
||||||
if (applet_putchk(appctx, trash) == -1)
|
if (applet_putchk(appctx, trash) == -1)
|
||||||
goto yield;
|
goto yield;
|
||||||
|
|
||||||
@ -1605,19 +1605,35 @@ static int cli_io_handler_show_sni(struct appctx *appctx)
|
|||||||
if (!n)
|
if (!n)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
while (n) {
|
for (; n; n = ebmb_next(n)) {
|
||||||
struct sni_ctx *sni;
|
struct sni_ctx *sni;
|
||||||
const char *name;
|
const char *name;
|
||||||
const char *certalg;
|
const char *certalg;
|
||||||
|
int isneg = 0; /* is there any negative filters associated to this node */
|
||||||
chunk_appendf(trash, "%s/%s:%d\t", bind->frontend->id, bind->file, bind->line);
|
|
||||||
|
|
||||||
sni = ebmb_entry(n, struct sni_ctx, name);
|
sni = ebmb_entry(n, struct sni_ctx, name);
|
||||||
|
|
||||||
|
if (sni->neg)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
chunk_appendf(trash, "%s/%s:%d\t", bind->frontend->id, bind->file, bind->line);
|
||||||
|
|
||||||
name = (char *)sni->name.key;
|
name = (char *)sni->name.key;
|
||||||
|
|
||||||
chunk_appendf(trash, "%s%s%s\t", sni->neg ? "!" : "", type ? "*" : "", name);
|
chunk_appendf(trash, "%s%s%s\t", sni->neg ? "!" : "", type ? "*" : "", name);
|
||||||
|
|
||||||
|
/* we are looking at wildcards, let's check the negative filters */
|
||||||
|
if (type == 1) {
|
||||||
|
struct sni_ctx *sni_tmp;
|
||||||
|
list_for_each_entry(sni_tmp, &sni->ckch_inst->sni_ctx, by_ckch_inst) {
|
||||||
|
if (sni_tmp->neg) {
|
||||||
|
chunk_appendf(trash, "%s%s ", sni_tmp->neg ? "!" : "", (char *)sni_tmp->name.key);
|
||||||
|
isneg = 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
chunk_appendf(trash, "%s\t", isneg ? "" : "-");
|
||||||
|
|
||||||
switch (sni->kinfo.sig) {
|
switch (sni->kinfo.sig) {
|
||||||
case TLSEXT_signature_ecdsa:
|
case TLSEXT_signature_ecdsa:
|
||||||
certalg = "ecdsa";
|
certalg = "ecdsa";
|
||||||
@ -1642,7 +1658,6 @@ static int cli_io_handler_show_sni(struct appctx *appctx)
|
|||||||
goto yield;
|
goto yield;
|
||||||
}
|
}
|
||||||
|
|
||||||
n = ebmb_next(n);
|
|
||||||
}
|
}
|
||||||
ctx->n = NULL;
|
ctx->n = NULL;
|
||||||
}
|
}
|
||||||
|
|||||||
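Review bot: In the `@ -1605` hunk the SNI column is still printed with `sni->neg ? "!" : ""` although the loop body does `if (sni->neg) continue;` a few lines earlier, so that ternary can never produce "!" and is dead code; the inner `sni_tmp->neg ? "!" : ""` is likewise redundant because it sits inside `if (sni_tmp->neg)`. Suggest `chunk_appendf(trash, "%s%s\t", type ? "*" : "", name);` and `chunk_appendf(trash, "!%s ", (char *)sni_tmp->name.key);` so a reader does not look for a path where the flag still matters. The new column also makes each output line grow with the number of negative filters on the crt-list line, and the whole line is accumulated in `trash` before it is pushed with applet_putchk; if I remember chunk_appendf correctly it silently drops a fragment that does not fit, so an entry with many exclusions would be truncated without any indication — worth a room check or at least a comment where the list is appended. The list also leaves a trailing space before the tab after the last filter, harmless for `column -t -s $'\t'` but worth noting with `/* trailing space before the tab is harmless for column -t */` or avoiding with a separator variable. cli_io_handler_show_sni starts and ends outside the hunk.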