Extract SNI value for logging in TCP mode

I have already confirmed that this ACL rule works to extract SNI from raw TCP packets.

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl is_my_domain req.ssl_sni -i www.domain.com
    tcp-request content capture req.ssl_sni len 100

Note `tcp-request content capture req.ssl_sni len 100`: my intent is to log the SNI value in access logs, so somehow transmit this information so I can use it in log-format.

In log-format, I tried the following but it doesn’t work.

    log-format "%[capture.req.ssl_sni]"

I get the following error:

    failed to parse log-format : failed to parse sample expression <capture.req.ssl_sni]

Any help or links to the documentation that my eyes can’t see are appreciated. Thanks!

Apparently, the answer to this already existed in another thread: Log SNI in TCP mode

The ordering matters: capture has to come before accept. This works for me.

    tcp-request inspect-delay 3s
    tcp-request content capture req.ssl_sni len 100

    log-format "%[capture.req.hdr(0)]"