Logging body content

Lioh · February 8, 2021, 3:06pm

Hi all.

I am trying to log the request body with haproxy like this:

capture request header User-Agent len 400
capture request header Host len 150
http-request capture req.body len 10000
capture request header authorization len 80
capture request header X-Client-Auth len 80

log-format "%trg client_address=%ci, client_port=%cp, server_address=%si, server_port=%sp, path=%r, response_status=%ST, total_time=%Tt, bytes=%U, user_agent=%{+Q}[capture.req.hdr(0)], requested_host=%{+Q}[capture.req.hdr(1)], body=%{+Q}[capture.req.hdr(2),regsub(\n,\\n,g)]"

Sadly the result is empty in most of the cases.

I have noticed that there is a length limit so I tried to increase that as well (not sure if I have done it right, though):

log /dev/log len 10000 local0

Still the body is empty in the log file:

Feb 8 15:02:02 … haproxy[27865]: 08/Feb/2021:15:02:02 +0000 client_address=…, client_port=50500, server_address=…, server_port=8001, path=…, response_status=200, total_time=247, bytes=2118, user_agent=“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36”, requested_host=“…”, body=“”

Am I missing something?

Greetings
Lioh

lukastribus · February 8, 2021, 9:38pm

This certainly a bad idea (pushing binary data from the wire directly into a string based logging system without any protections) and most likely not supported, but if this would ever work, you’d probably need option http-buffer-request so that the buffer actually contains something.

Lioh · February 9, 2021, 3:56pm

Thanks for your answer. I don’t really understand your concerns. Could you please elaborate which negative effect one could expect by doing this?

lukastribus · February 10, 2021, 11:27pm

Non-printable characters would need to be sanitized. Can’t just shove binary, attacked controlled content into code paths made for ASCII.

CVE-2009-4487, CVE-2009-4488, CVE-2009-4489, CVE-2009-4490, CVE-2009-4491, CVE-2009-4492, CVE-2009-4493, CVE-2009-4494, CVE-2009-4495, CVE-2009-4496 are vulnerabilities about missing sanitation in HTTP headers. For the body it’s even worse, there are no rules for it at all.

Topic		Replies	Views
Logging body return empty data Help!	0	357	July 20, 2023
Log http request body and performance impact Help!	1	1030	September 15, 2021
Capture request header "*" Help!	0	1051	February 24, 2021
Haproxy logging - fetch ALL request headers (names and values) Help!	0	4162	September 3, 2019
Haproxy log limit 985 characters Help!	1	334	January 6, 2021

Logging body content

Related topics