HAProxy community

How to log HTTP headers when doing SSL-bridging?

Hi

I’m interesting in logging http headers, in order to log Source IP etc.

My “/etc/rsyslog.d/haproxy.conf”

$ModLoad imudp.so
$UDPServerAddress 127.0.0.1
$UDPServerRun 514

local0.* /var/log/haproxy-traffic.log
local0.notice /var/log/haproxy-admin.log

The log part of haproxy.conf

global
log 127.0.0.1:514 local0

defaults
log global
option httplog
option dontlognull

And finally the headers I wan’t to capture:

frontend MyFrontend
mode http
option forwardfor
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-MS-Forwarded-Client-IP %[src]

In advance, thanks

'Adder

When you decrypt and rencrypt SSL, you access HTTP headers normally, there is no difference with or without SSL.

If the situation is more complex, please provide the full configuration.

I’m guessing here but isn’t the problem that because you have HAProxy adding those headers it makes them harder (Impossible…?) to log…

I did a very quick check on my side and I cannot get HAProxy to log headers that it adds but I have no problem if they were added upstream before HAProxy.

I’m trying to use:

capture request header X-Forwarded-For len 15

And a custom log format:

log-format %[capture.req.hdr(0)]:%cp\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ {%hrl}\ {%hsl}\ %{+Q}r

However, it might just be a mistake in my config so my apologies if I’m being stupid or unhelpful.

That’s right, you probably cannot access headers you are setting yourself, but then again, does that make sense in the first place?

Hi Guys

And thanks :slight_smile:

We are using keepalived, and the full config is as follows:

global
log 127.0.0.1:514 local0
maxconn 6000
daemon
chroot /var/lib/haproxy
maxcompcpuusage 90
maxcomprate 0
nbproc 1
ssl-server-verify required
user root
group root
tune.ssl.default-dh-param 2048
ssl-default-server-options force-tlsv12 no-tls-tickets
ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options force-tlsv12 no-tls-tickets
ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

defaults
log global
option httplog
option dontlognull
retries 3
option redispatch
maxconn 2000
timeout connect 5000
timeout client 50000
timeout server 50000
timeout check 50000
timeout http-keep-alive 50000
timeout http-request 50000

peers adfslb01_02
peer adfslb01 10.0.1.161:8081
peer adfslb02 10.0.1.162:8081

frontend ADFSFrontend
bind 10.0.1.160:80
bind 10.0.1.160:443 ssl crt /etc/haproxy/StarFull.pem
mode http
option forwardfor
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-MS-Forwarded-Client-IP %[src]
http-request set-header X-MS-Proxy HAProxy
redirect scheme https if !{ ssl_fc }
default_backend ADFSBackend

backend ADFSBackend
balance roundrobin
mode http
option httpchk GET /adfs/ls/idpInitiatedSignon.aspx
http-check expect status 200
server adfs01 10.0.1.101:443 ssl verify none check check-sni adfs.mydomain.com sni ssl_fc_sni inter 3s rise 2 fall 3
server adfs02 10.0.1.102:443 ssl verify none check check-sni adfs.mydomain.com sni ssl_fc_sni inter 3s rise 2 fall 3
stick-table type ip size 20k peers adfslb01_02

backend Stats
listen stats
bind :9000
mode http
stats enable
stats hide-version
stats refresh 10s
stats show-desc ADFS
stats show-legends
stats realm HAProxy\ Statistics
stats auth Admin:Password
stats uri /Stats
stats scope ADFSFrontend
stats scope ADFSBackend
stats scope stats

Does it make sense logging the things we are setting ourself? properly not, but it’s demanded :slight_smile:

On the other hand it might end up being outdated, as we made the config due to demand for Adding a specific header… and now we are most likely going to make it via a transparent HAProxy instead - we use that in front of the WAP servers, funny enough the same setup won’t work with the ADFS servers so guess that’s my next task :smiley:

Best regards
'Adder

The back end would be a proper place to log the headers except if you do not have access to it.

you have to use http-request capture to capture headers you set on the same haproxy.
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#http-request%20capture

ie:
http-request set-header foo bar
http-request capture hdr(foo) len 3

they will show up in between {} in the default httplog format.