Add keylog_format_fc and keylog_format_bc global variables containing the SSLKEYLOGFILE log-format strings for the frontend (client-facing) and backend (server-facing) TLS connections respectively. These produce output compatible with the SSLKEYLOGFILE format described at: https://tlswg.org/sslkeylogfile/draft-ietf-tls-keylogfile.html Both formats are also exported as environment variables at startup: HAPROXY_KEYLOG_FC_LOG_FMT HAPROXY_KEYLOG_BC_LOG_FMT These variables contain "\n", so they might not be compatible with syslog servers; sending them to stderr or to a sink (ring) might be required instead. They can be referenced directly in "log-format" directives to produce SSLKEYLOGFILE-compatible output, usable by network analyzers such as Wireshark to decrypt captured TLS traffic.
# Example: log HTTP traffic and TLS session keys to separate destinations
#
# "option httpslog" selects the HTTPS access-log format; the "log /dev/log"
# line in the frontend sends those access logs to the local syslog server.
# TLS session keys are deliberately NOT sent to syslog: the keylog formats
# contain newlines, so the keys are written to 2 in-memory ring buffers
# (one for client-facing, one for server-facing connections) and pulled from
# there on demand over the CLI.
#
# Requirements:
# - HAProxy built with OpenSSL support
# - "tune.ssl.keylog on" in the global section
#
# SECURITY WARNING:
# Whatever can be read from these rings decrypts every TLS session that
# passes through this proxy, in both directions. Treat the rings and the
# stats socket that exposes them as secret material:
# - enable "tune.ssl.keylog" only while actively debugging and turn it off
#   afterwards;
# - anyone who can connect to the stats socket can dump the keys, so
#   restrict its owner/group and permissions (see the "stats socket" line
#   below) rather than leaving it reachable by every local user;
# - a key file saved from "show events" decrypts the recorded traffic;
#   store it like a private key and delete it once the analysis is done.
#
# Retrieve TLS session keys from the ring buffer via the CLI:
#
# For frontend (client-facing) connections:
#
# (echo "show events keylog-fc -w"; read) | socat /tmp/worker.socket -
#
# For backend (server-facing) connections:
#
# (echo "show events keylog-bc -w"; read) | socat /tmp/worker.socket -
#
# The result is in SSLKEYLOGFILE format and can be saved to a file and loaded
# into Wireshark to decrypt captured TLS traffic.

global
    # CLI socket that the "show events keylog-*" commands above are run
    # against. It lives in /tmp (a world-writable directory) with mode 0660,
    # so only the socket's owner and group can connect: keep that group
    # limited to the people allowed to decrypt traffic.
    # NOTE(review): consider pinning the owner with the "user"/"group"
    # socket options and moving the socket out of /tmp — confirm against
    # the "stats socket" documentation for your version.
    stats socket /tmp/worker.socket mode 0660
    # Makes the per-connection TLS secrets available to the keylog log
    # formats used below. Required for this example; it is a debugging aid
    # and should not stay enabled in normal operation.
    tune.ssl.keylog on

# Ring buffers for TLS session keys. As configured (no backing file) they
# exist only in the worker's memory; nothing reaches the disk until an
# operator dumps them via the CLI.
# "format raw" stores only the log message text, without any syslog envelope,
# producing output in the SSLKEYLOGFILE format directly.
ring keylog-fc
    description "TLS session key frontend log"
    format raw
    # One event carries the whole multi-line key block of a connection, so
    # it must fit within maxlen. NOTE(review): presumably longer events are
    # truncated, which would produce an unusable key file — confirm.
    maxlen 2000
    # The ring wraps once full (oldest events overwritten); drain it before
    # that happens if keys for every connection are needed.
    size 1M

ring keylog-bc
    description "TLS session key backend log"
    format raw
    # Same sizing considerations as for keylog-fc above.
    maxlen 2000
    size 1M


defaults
    mode http
    timeout client 30s
    timeout server 30s
    timeout connect 5s

# Log profiles that emit nothing but the SSLKEYLOGFILE lines for the
# client-facing (FC) and server-facing (BC) connections. The format strings
# come from the HAPROXY_KEYLOG_*_LOG_FMT environment variables HAProxy exports
# at startup; they contain newlines, which is why they are only sent to the
# "format raw" rings above and not to syslog.
log-profile keylog-fc
    on any format "${HAPROXY_KEYLOG_FC_LOG_FMT}"

log-profile keylog-bc
    on any format "${HAPROXY_KEYLOG_BC_LOG_FMT}"

frontend https-in
    bind :443 ssl crt "common.pem"

    option httpslog

    # HTTPs access logs sent to the syslog server; no key material goes here.
    log /dev/log format raw local0

    # TLS session keys written to the ring buffers. Both rings are fed from
    # this frontend; the backend section below carries no "log" directive.
    # NOTE(review): the server-facing keys are emitted through the frontend's
    # keylog-bc profile — confirm this is the intended attachment point.
    log ring@keylog-fc profile keylog-fc local1
    log ring@keylog-bc profile keylog-bc local1

    default_backend be1

backend be1
    # "verify none" disables checking of the server's certificate, so this
    # proxy will complete the TLS handshake with whoever answers at
    # 10.0.0.123 — acceptable in a lab, not in production. Use
    # "verify required" together with "ca-file" (and "verifyhost" if the
    # certificate name must be checked) instead.
    server s1 10.0.0.123:443 ssl verify none