Missing frontend logs

wilvh · March 14, 2025, 4:24pm

Hi,

I’m using the config file below and I have many more logs entries from “dummy_frontend_without_client_cert~ backend_app1/myapp1server” than from the “real” frontend “tcp-443” !
I’ve explained why I use this config in this post : Display client certificate informations when SSL client certificate is not trusted - #3 by wilvh

For example, for one entry in the frontend “tcp-443” I have 3 request that are redirected to my backend server “myapp1server” !

How is it possible to have more request “outputs” than “inputs” ? I’ve checked on the application server “myapp1server” and the 3 requests from HAProxy are indeed three different requests that should have appeared in the http frontend !

frontend tcp-443
  bind *:443
  mode tcp
  option tcplog       
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

  # App1 is not protected by client cert
  acl sni_prodroc req_ssl_sni -i app1-without-client-cert.mydomain.com
  use_backend dummy_backend_without_client_cert if app1-without-client-cert.mydomain.com

backend dummy_backend_without_client_cert
  mode tcp
  server dummy_frontend_without_client_cert 127.0.0.1:5401 send-proxy

frontend dummy_frontend_without_client_cert
  bind 127.0.0.1:5401 accept-proxy ssl crt /ssl/app1-without-client-cert.mydomain.com strict-sni
  mode http
  option forwardfor
  use_backend backend_app1

backend backend_app1
  mode http
  server myapp1server 192.168.1.10:8080

Thank you

adarragon · March 18, 2025, 10:17am

Perhaps that’s because dummy_frontend_without_client_cert frontend is in http mode (http aware) and not the primary frontend (tcp-443) . Thus the http frontend will report one event per http transaction, even if the same connection is being reused for multiple requests, while the tcp backend will report a single event for the whole tcp session (from connect to teardown)

wilvh · March 19, 2025, 10:28am

Thank you for your help.

Do you know if there’s a way to prevent the TCP connection from being reused after the first HTTP request has been processed so that the client has to set up a new connection (while keeping the frontend in TCP mode)?

adarragon · March 19, 2025, 8:46pm

http-reuse and option httpclose may help

wilvh · March 20, 2025, 8:44am

Thank you, I will try these options.

Topic		Replies	Views
Need help with HAPROXY https when apps share the SSL cert Help!	2	309	August 25, 2023
Multiple ssl/sni frontend configs without sharing config settings between sni names Help!	6	3131	July 29, 2020
Use tcp backend based on map and ssl_c_s_dn Help!	3	1064	October 30, 2020
TCP frontend verify SNI, then redirect HTTP and HTTPS traffic Help!	0	680	December 5, 2023
Inconsistent frontend logging from an external health check Help!	0	186	December 14, 2023

Missing frontend logs

Related topics