Log SNI in TCP mode


#1

Is it possible to log a request’s SNI in mode tcp? You can access the SNI for routing decisions, so ideally you could access it for logging as well.

Currently using version 1.7.8

Ideally something like the following not working config:

defaults
  log global
  mode tcp
  balance roundrobin

frontend https-in
  mode tcp
  tcp-request inspect-delay 3s
  tcp-request content accept if { req_ssl_hello_type 1 }
  # ideally could capture the SNI something like this
  tcp-request content capture req.ssl_sni len 10
  # log capture slot 0#
  log-format "capture0: %[capture.req.hdr(0)]"
  use_backend test_0 if req.ssl_sni -m end /test

backend test_0

A more full config containing the above settings will log an empty line: capture0: -


#2

After some digging I figured it out… from a closer reading of the documentation (and code), of course. :sweat_smile:

During the ‘TCP content inspection’ phase, the the ‘tcp-request content’ rules are evaluated until ‘until either an
"accept" or a “reject” rule matches’. This means I simply need to move the capture to occur before the accept.

defaults
  log global
  mode tcp
  balance roundrobin

frontend https-in
  mode tcp
  tcp-request inspect-delay 3s
  tcp-request content capture req.ssl_sni len 10
  log-format "capture0: %[capture.req.hdr(0)]"
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend test_0 if req.ssl_sni -m end /test

backend test_0