How to log HTTP headers when doing SSL-bridging?

Hi

I’m interested in logging HTTP headers, in order to log source IP etc.

My “/etc/rsyslog.d/haproxy.conf”

$ModLoad imudp.so
$UDPServerAddress 127.0.0.1
$UDPServerRun 514

local0.* /var/log/haproxy-traffic.log
local0.notice /var/log/haproxy-admin.log

The log part of haproxy.conf

global
log 127.0.0.1:514 local0

defaults
log global
option httplog
option dontlognull

And finally the headers I want to capture:

frontend MyFrontend
mode http
option forwardfor
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-MS-Forwarded-Client-IP %[src]

In advance, thanks

'Adder

When you decrypt and re-encrypt SSL, you access HTTP headers normally; there is no difference with or without SSL.

If the situation is more complex, please provide the full configuration.

I’m guessing here but isn’t the problem that because you have HAProxy adding those headers it makes them harder (Impossible…?) to log…

I did a very quick check on my side and I cannot get HAProxy to log headers that it adds but I have no problem if they were added upstream before HAProxy.

I’m trying to use:

capture request header X-Forwarded-For len 15

And a custom log format:

log-format %[capture.req.hdr(0)]:%cp\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ {%hrl}\ {%hsl}\ %{+Q}r

However, it might just be a mistake in my config so my apologies if I’m being stupid or unhelpful.

That’s right, you probably cannot access headers you are setting yourself, but then again, does that make sense in the first place?

Hi Guys

And thanks :slight_smile:

We are using keepalived, and the full config is as follows:

global
log 127.0.0.1:514 local0
maxconn 6000
daemon
chroot /var/lib/haproxy
maxcompcpuusage 90
maxcomprate 0
nbproc 1
ssl-server-verify required
user root
group root
tune.ssl.default-dh-param 2048
ssl-default-server-options force-tlsv12 no-tls-tickets
ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options force-tlsv12 no-tls-tickets
ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

defaults
log global
option httplog
option dontlognull
retries 3
option redispatch
maxconn 2000
timeout connect 5000
timeout client 50000
timeout server 50000
timeout check 50000
timeout http-keep-alive 50000
timeout http-request 50000

peers adfslb01_02
peer adfslb01 10.0.1.161:8081
peer adfslb02 10.0.1.162:8081

frontend ADFSFrontend
bind 10.0.1.160:80
bind 10.0.1.160:443 ssl crt /etc/haproxy/StarFull.pem
mode http
option forwardfor
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-MS-Forwarded-Client-IP %[src]
http-request set-header X-MS-Proxy HAProxy
redirect scheme https if !{ ssl_fc }
default_backend ADFSBackend

backend ADFSBackend
balance roundrobin
mode http
option httpchk GET /adfs/ls/idpInitiatedSignon.aspx
http-check expect status 200
server adfs01 10.0.1.101:443 ssl verify none check check-sni adfs.mydomain.com sni ssl_fc_sni inter 3s rise 2 fall 3
server adfs02 10.0.1.102:443 ssl verify none check check-sni adfs.mydomain.com sni ssl_fc_sni inter 3s rise 2 fall 3
stick-table type ip size 20k peers adfslb01_02

backend Stats
listen stats
bind :9000
mode http
stats enable
stats hide-version
stats refresh 10s
stats show-desc ADFS
stats show-legends
stats realm HAProxy\ Statistics
stats auth Admin:Password
stats uri /Stats
stats scope ADFSFrontend
stats scope ADFSBackend
stats scope stats

Does it make sense to log the things we are setting ourselves? Probably not, but it’s demanded :slight_smile:

On the other hand it might end up being outdated, as we made the config due to demand for adding a specific header… and now we are most likely going to do it via a transparent HAProxy instead. We use that in front of the WAP servers; funny enough, the same setup won’t work with the ADFS servers, so I guess that’s my next task :smiley:

Best regards
'Adder

The back end would be a proper place to log the headers except if you do not have access to it.

You have to use http-request capture to capture headers you set on the same HAProxy.
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#http-request%20capture

i.e.:
http-request set-header foo bar
http-request capture hdr(foo) len 3

they will show up in between {} in the default httplog format.
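To show what those captures look like on the consumer side, here is an added example that is not part of this thread or of HAProxy itself: a small Python parser for the default httplog line layout that pulls the `{...}` request-capture field apart and names each slot. It assumes two capture directives in this order (`http-request capture hdr(X-MS-Forwarded-Client-IP) len 15` followed by `http-request capture hdr(X-Forwarded-Proto) len 5`), because HAProxy logs captures positionally, separated by `|`, and the log line itself never carries the header names. The sample log lines are constructed to match that layout, not taken from a real ADFS deployment.

```python
"""Parse HAProxy default httplog lines and name the captured request headers.

Added example (not HAProxy's code and not from the original thread). The
capture order below is an assumption that must match the order of the
capture directives in the frontend; HAProxy logs captures positionally.
"""
import re
from typing import Dict, List, Optional

# Assumed order of the capture directives in the frontend.
CAPTURED_REQUEST_HEADERS = ["X-MS-Forwarded-Client-IP", "X-Forwarded-Proto"]

# Default httplog layout:
# %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc
#   %ac/%fc/%bc/%sc/%rc %sq/%bq {%hr} {%hs} "%r"
# The {%hr}/{%hs} groups appear only when request/response captures are
# configured. If only one brace group is present, this parser treats it as
# the request group (true for the setup discussed in this thread).
HTTPLOG_RE = re.compile(
    r"(?:.*?haproxy\[\d+\]: )?"                 # optional syslog prefix
    r"(?P<client_ip>\S+?):(?P<client_port>\d+) "
    r"\[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>\S+)/(?P<server>\S+) "
    r"(?P<timers>-?\d+(?:/-?\d+){4}) "
    r"(?P<status>-?\d+) (?P<bytes_read>\d+) "
    r"(?P<req_cookie>\S+) (?P<resp_cookie>\S+) "
    r"(?P<termination_state>\S{4}) "
    r"(?P<conn_counts>\S+) (?P<queues>\S+) "
    r"(?:\{(?P<req_headers>[^}]*)\} )?"
    r"(?:\{(?P<resp_headers>[^}]*)\} )?"
    r'"(?P<request_line>[^"]*)"$'
)

# HAProxy writes '"', '#', '{', '|', '}' and non-printable bytes inside
# captured header values as #XX, which is what makes splitting on '|' safe.
_ESCAPE_RE = re.compile(r"#([0-9A-Fa-f]{2})")


def _unescape(value: str) -> str:
    """Reverse HAProxy's #XX encoding of a captured header value."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def _split_captures(raw: Optional[str]) -> Optional[List[str]]:
    # None: no captures configured. A header that was absent on the request
    # still occupies its slot as an empty string ("{203.0.113.9|}").
    if raw is None:
        return None
    return [_unescape(v) for v in raw.split("|")]


def parse_httplog(line: str) -> Dict[str, object]:
    """Return the httplog fields; captured headers become lists of values."""
    m = HTTPLOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not an httplog line: {line!r}")
    rec: Dict[str, object] = m.groupdict()
    rec["captured_request_headers"] = _split_captures(rec.pop("req_headers"))
    rec["captured_response_headers"] = _split_captures(rec.pop("resp_headers"))
    return rec


def captured_header(line: str, name: str) -> Optional[str]:
    """Look a captured request header up by name via the assumed capture order."""
    values = parse_httplog(line)["captured_request_headers"]
    if values is None or name not in CAPTURED_REQUEST_HEADERS:
        return None
    idx = CAPTURED_REQUEST_HEADERS.index(name)
    return values[idx] if idx < len(values) else None


# Constructed sample lines (not real traffic). '~' after the frontend name
# marks a TLS connection; the second line is the plain-HTTP request that the
# frontend's 'redirect scheme https' answered itself (<NOSRV>, LR--), so the
# X-Forwarded-Proto slot is empty because the header was never set.
SAMPLE_LINES = [
    "Feb  6 12:14:14 adfslb01 haproxy[14389]: 203.0.113.7:51234 "
    "[06/Feb/2020:12:14:14.655] ADFSFrontend~ ADFSBackend/adfs01 "
    "10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 "
    '{203.0.113.7|https} "GET /adfs/ls/ HTTP/1.1"',
    "203.0.113.9:40022 [06/Feb/2020:12:14:15.001] ADFSFrontend ADFSFrontend/<NOSRV> "
    "0/-1/-1/-1/0 302 180 - - LR-- 1/1/0/0/0 0/0 "
    '{203.0.113.9|} "GET /adfs/ls/ HTTP/1.1"',
]

# Constructed line from a frontend with no capture directives at all.
NO_CAPTURE_LINE = (
    "203.0.113.9:40022 [06/Feb/2020:12:14:15.001] ADFSFrontend ADFSBackend/adfs02 "
    '10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 "GET / HTTP/1.1"'
)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_httplog(line)
        print(rec["client_ip"], rec["status"],
              captured_header(line, "X-MS-Forwarded-Client-IP"),
              captured_header(line, "X-Forwarded-Proto"))
```

Since `X-MS-Forwarded-Client-IP` is set by HAProxy from `%[src]`, the captured value is the connection source address and can be trusted; a capture of a header that arrived from upstream (for example an `X-Forwarded-For` added by something in front of HAProxy) is client-influenced data and should be treated as such when it is used in reporting or alerting.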

Thanks - I will look further into it