How to analyse SNI support by client base

We are using HAProxy in front of a webserver farm for many different domains, which are all delivered over HTTPS. HAProxy is running in http mode.

As we started many years ago, when SNI was not yet supported by IE and a few other platforms, we decided to get individual IP addresses for each SSL certificate. But we're adding more SSL certs regularly and now consider SNI to be supported widely enough that we could combine many certs on a single IP address.

It sounds like only Windows XP is being left out and still present. But we would also like to analyse our own traffic to see how many clients still connecting to our farm do not support SNI.

Is there an easy way to analyse live traffic for SNI support without interrupting the operations?

Sure, SNI is accessible via the ssl_fc_sni variable.

You can log it, you can put it into an HTTP header … whatever you like.

So if my current log format looks like

log-format %ci:%cp\ [%T]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r

how can I add that extra field to it?

Try:

%[ssl_fc_sni]

This is almost too easy :)
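Once the field is being logged, the share of non-SNI clients can be counted offline from the log file. The following is an added example, not part of the original thread: it assumes `%[ssl_fc_sni]` was appended as the last field of the log-format shown above and that HAProxy writes `-` when the client sent no SNI (check this against your own logs). The function name and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic) in the thread's log-format with
# %[ssl_fc_sni] appended at the end. One line carries a syslog prefix.
SAMPLE_LOG = """\
203.0.113.5:51234 [03/Feb/2016:10:00:00.123] https~ web/srv1 12/0/1/30/43 200 5120 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1" shop.example.com
203.0.113.5:51240 [03/Feb/2016:10:00:02.001] https~ web/srv1 10/0/1/25/36 200 1024 - - ---- 3/3/0/0/0 0/0 "GET /a.css HTTP/1.1" shop.example.com
198.51.100.7:40001 [03/Feb/2016:10:00:03.500] https~ web/srv2 15/0/2/40/57 200 5120 - - ---- 4/4/0/0/0 0/0 "GET / HTTP/1.1" -
Feb  3 10:00:04 lb1 haproxy[1234]: 2001:db8::1:44321 [03/Feb/2016:10:00:04.000] https~ web/srv1 9/0/1/20/30 200 512 - - ---- 4/4/0/0/0 0/0 "GET / HTTP/1.1" blog.example.org
198.51.100.7:40002 [03/Feb/2016:10:00:05.250] https~ web/srv2 11/0/1/22/34 200 2048 - - ---- 4/4/0/0/0 0/0 "GET /b.js HTTP/1.1" -
not a haproxy line
"""

# %ci:%cp followed by "[" marks the start of the record (IPv4 or IPv6 client);
# the SNI value is the last token after the closing quote of the request.
LINE_RE = re.compile(
    r'(?P<ip>[0-9A-Fa-f.:]+):(?P<port>\d+) \[.*"\s+(?P<sni>\S+)\s*$')

def sni_report(lines):
    """Count requests and distinct client IPs that arrived without SNI."""
    requests = no_sni_requests = skipped = 0
    clients, no_sni_clients = set(), set()
    names = Counter()  # how often each SNI hostname was requested
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.search(line)
        if not m:
            skipped += 1  # unparseable line: report it, do not guess
            continue
        requests += 1
        clients.add(m["ip"])
        if m["sni"] == "-":  # assumption: "-" means the fetch returned nothing
            no_sni_requests += 1
            no_sni_clients.add(m["ip"])
        else:
            names[m["sni"].lower()] += 1
    return {"requests": requests, "requests_no_sni": no_sni_requests,
            "clients": len(clients), "clients_no_sni": sorted(no_sni_clients),
            "names": dict(names), "skipped": skipped}

if __name__ == "__main__":
    report = sni_report(SAMPLE_LOG.splitlines())
    pct = 100.0 * report["requests_no_sni"] / max(report["requests"], 1)
    print(report, f"-> {pct:.1f}% of requests without SNI")
```

A client that connects by IP address rather than hostname (monitoring probes, scanners) also sends no SNI, and one source IP can hide several clients behind NAT, so review the `clients_no_sni` list before treating the percentage as a count of legacy browsers.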