Log SNI in TCP mode

truechimer · August 23, 2017, 9:28pm

Is it possible to log a request’s SNI in mode tcp? You can access the SNI for routing decisions, so ideally you could access it for logging as well.

Currently using version 1.7.8

Ideally something like the following not working config:

defaults
  log global
  mode tcp
  balance roundrobin

frontend https-in
  mode tcp
  tcp-request inspect-delay 3s
  tcp-request content accept if { req_ssl_hello_type 1 }
  # ideally could capture the SNI something like this
  tcp-request content capture req.ssl_sni len 10
  # log capture slot 0#
  log-format "capture0: %[capture.req.hdr(0)]"
  use_backend test_0 if req.ssl_sni -m end /test

backend test_0

A more full config containing the above settings will log an empty line: capture0: -

truechimer · August 27, 2017, 1:21am

After some digging I figured it out… from a closer reading of the documentation (and code), of course.

During the ‘TCP content inspection’ phase, the the ‘tcp-request content’ rules are evaluated until ‘until either an
"accept" or a “reject” rule matches’. This means I simply need to move the capture to occur before the accept.

defaults
  log global
  mode tcp
  balance roundrobin

frontend https-in
  mode tcp
  tcp-request inspect-delay 3s
  tcp-request content capture req.ssl_sni len 10
  log-format "capture0: %[capture.req.hdr(0)]"
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend test_0 if req.ssl_sni -m end /test

backend test_0

Topic		Replies	Views
Extract SNI value for logging in TCP mode Help!	1	1853	July 1, 2021
REQ_SSL_SNI and SSL termination Help!	2	9695	March 19, 2018
Unexpected queue wait latency while inspecting req.ssl_sni Help!	1	380	July 7, 2021
Issue with sni routing Help!	5	422	October 23, 2023
Enable conditional HTTP logging Help!	1	1581	June 21, 2018

Log SNI in TCP mode

Related Topics