| author | Haw Loeung <[email protected]> | 2024-12-08 21:15:26 +0000 |
|---|---|---|
| committer | Canonical IS Mergebot <[email protected]> | 2024-12-08 21:15:26 +0000 |
| commit | 080b16cc1d0d9b7f41beaef2227154fcc4a4b790 (patch) | |
| tree | 48630bb8578b55a877b2b9d1d55dd5e6d3664986 | |
| parent | 50a56b6e5d0f0130a87de0ce344b8f5691e318c0 (diff) | |
| parent | d0739a182517ab4d2645411394a26b9b1636056e (diff) | |
Add logging of TLS/SSL protocol and ciphersuites negotiated by clients
Reviewed-on: https://code.launchpad.net/~hloeung/content-cache-charm/+git/content-cache-charm/+merge/477939
Reviewed-by: Paul Collins <[email protected]>
16 files changed, 102 insertions, 3 deletions
diff --git a/files/nginx-logging-format.conf b/files/nginx-logging-format.conf index 7796e6b..d3c5d9f 100644 --- a/files/nginx-logging-format.conf +++ b/files/nginx-logging-format.conf @@ -2,4 +2,4 @@ log_format content_cache '$http_x_forwarded_for $http_x_dest_port $remote_user [ '"$request" $status $bytes_sent ' '"$http_referer" "$http_user_agent" $request_time ' '$upstream_cache_status $upstream_response_time ' - '$http_x_cache_request_id $http_x_orig_host'; + '$http_x_cache_request_id $http_x_orig_host $http_x_ssl_protocol $http_x_ssl_ciphers'; diff --git a/lib/haproxy.py b/lib/haproxy.py index 0ad59c5..891b418 100644 --- a/lib/haproxy.py +++ b/lib/haproxy.py @@ -125,12 +125,15 @@ class HAProxyConf: listen_stanza = """ listen {name} {bind_config} -{indent}capture request header X-Cache-Request-ID len 60 +{ssl_capture}{indent}capture request header X-Cache-Request-ID len 60 {indent}capture request header Host len 60 {redirect_config}{backend_config}{default_backend}""" backend_conf = '{indent}use_backend backend-{backend} if {{ hdr(Host) -i {site_name} }}\n' backend_conf_no_logging = '{indent}http-request set-log-level silent if {{ hdr(Host) -i {site_name} }}\n' redirect_conf = '{indent}redirect scheme https code 301 if {{ hdr(Host) -i {site_name} }} !{{ ssl_fc }}\n' + ssl_capture_conf = ( + '{indent}http-request capture ssl_fc_protocol len 8\n{indent}http-request capture ssl_fc_cipher len 64\n' + ) rendered_output = [] stanza_names = [] @@ -144,6 +147,7 @@ listen {name} backend_config = [] default_backend = '' redirect_config = [] + ssl_capture = '' tls_cert_bundle_paths = [] redirect_http_to_https = False for site, site_conf in config[address_port].items(): 
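Review bot: The two appended fields, `$http_x_ssl_protocol` and `$http_x_ssl_ciphers`, are written unquoted although they are read straight from request headers, so a value containing a space shifts every later column for anything that parses this log by position. HAProxy overwrites both headers only on backends rendered with a TLS bundle (see the lib/haproxy.py backend hunk in this commit), so on other paths the logged value may be whatever the client sent. Quoting them the way the referer and user agent are quoted keeps the line parseable: `'$http_x_cache_request_id $http_x_orig_host "$http_x_ssl_protocol" "$http_x_ssl_ciphers"';`. A `#` comment above the format saying that these fields are filled from the X-SSL-Protocol and X-SSL-Ciphers headers set by HAProxy would also help whoever reads the log later.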
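Review bot: In `listen_stanza` the new `{ssl_capture}` placeholder sits ahead of the two existing `capture request header` lines, so on TLS listeners the protocol and cipher captures are declared first and the X-Cache-Request-ID and Host captures move from the first two capture positions to the third and fourth. HAProxy emits and indexes captures in declaration order, so anything that reads the captured block of the HAProxy log by position, or refers to a capture by index, would presumably see one layout on TLS listeners and another on plain ones. Moving the placeholder behind the header captures keeps the existing positions stable: leave `{indent}capture request header Host len 60` as it is and start the next template line with `{ssl_capture}{redirect_config}{backend_config}{default_backend}`. The method that renders this template starts and ends outside the hunk, so whether other code depends on the order is not visible here.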
@@ -194,6 +198,7 @@ listen {name} paths = sorted(set(tls_cert_bundle_paths)) certs = ' '.join(['crt {}'.format(path) for path in paths]) alpn_protos = 'h2,http/1.1' + ssl_capture = ssl_capture_conf.format(indent=INDENT) tls_config = ' ssl {} alpn {}'.format(certs, alpn_protos) if len(backend_config) + len(redirect_config) == 1: @@ -230,6 +235,7 @@ listen {name} name=name, backend_config=''.join(backend_config), bind_config=bind_config, + ssl_capture=ssl_capture, default_backend=default_backend, redirect_config=''.join(redirect_config), indent=INDENT, @@ -242,7 +248,7 @@ listen {name} backend_stanza = """ backend backend-{name} {indent}{httpchk} -{ratelimit}{orig_host}{dest_port}{indent}http-request set-header Host {site_name} +{ratelimit}{orig_host}{dest_port}{ssl_capture}{indent}http-request set-header Host {site_name} {options}{indent}balance {load_balancing_algorithm} {backends} """ @@ -251,9 +257,17 @@ backend backend-{name} backends = [] orig_host = "" dest_port = "" + ssl_capture = "" if site.startswith('cached-'): orig_host = "{indent}http-request set-header X-Orig-Host %[req.hdr(Host)]\n".format(indent=INDENT) dest_port = "{indent}http-request set-header X-Dest-Port %[dst_port]\n".format(indent=INDENT) + if site_conf.get('tls-cert-bundle-path'): + ssl_capture = "{indent}http-request set-header X-SSL-Protocol %[ssl_fc_protocol]\n".format( + indent=INDENT + ) + ssl_capture += "{indent}http-request set-header X-SSL-Ciphers %[ssl_fc_cipher]\n".format( + indent=INDENT + ) for location, loc_conf in site_conf.get('locations', {}).items(): # No backends, so nothing needed @@ -400,6 +414,7 @@ backend backend-{name} ratelimit=ratelimit, orig_host=orig_host, dest_port=dest_port, + ssl_capture=ssl_capture, indent=INDENT, ) diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt index 965d723..5809119 100644 --- a/tests/unit/files/content_cache_rendered_haproxy_test_output.txt 
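Review bot: In the `@@ -251,9 +257,17 @@` hunk the X-SSL-Protocol and X-SSL-Ciphers headers are overwritten only when `site_conf.get('tls-cert-bundle-path')` is set; in every other case `ssl_capture` stays empty and a header of the same name sent by the client is forwarded unchanged, where the new nginx log fields record it as if it had been negotiated. An `else:` branch that renders `{indent}http-request del-header X-SSL-Protocol\n` and `{indent}http-request del-header X-SSL-Ciphers\n` would keep client-supplied values out of the log. The name `ssl_capture` is also reused here for `set-header` lines while in the listen stanza it holds `http-request capture` lines; a name such as `ssl_headers`, with a short comment saying nginx logs these headers, would make the two easier to tell apart. Indentation is lost on this page, so I am assuming the new `if` sits inside the `cached-` branch, as the fixtures suggest, and the enclosing method continues outside the hunk.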
+++ b/tests/unit/files/content_cache_rendered_haproxy_test_output.txt @@ -109,6 +109,8 @@ listen site1-local listen cached-site2-local bind 0.0.0.0:443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 bind :::443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 default_backend backend-cached-site2-local @@ -146,6 +148,8 @@ listen site6-local listen combined-444 bind 0.0.0.0:444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 bind :::444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 use_backend backend-cached-site7-local if { hdr(Host) -i site7.local } @@ -209,6 +213,8 @@ backend backend-cached-site2-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site2.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site2.local http-request set-header X-Forwarded-For %[src] http-request set-var(txn.path) path @@ -300,6 +306,8 @@ backend backend-cached-site7-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site7.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site7.local http-request set-header X-Forwarded-For %[src] balance leastconn 
@@ -316,6 +324,8 @@ backend backend-cached-site8-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site8.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site8.local http-request set-header X-Forwarded-For %[src] balance leastconn diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt index cf4914b..0b99f79 100644 --- a/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output2.txt @@ -82,6 +82,8 @@ listen stats listen cached-site1-local bind 0.0.0.0:443 ssl crt /var/lib/haproxy/certs alpn h2,http/1.1 bind :::443 ssl crt /var/lib/haproxy/certs alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 default_backend backend-cached-site1-local @@ -96,6 +98,8 @@ backend backend-cached-site1-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site1.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site1.local http-request set-header X-Forwarded-For %[src] balance leastconn diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt index a1d27e2..780751e 100644 --- a/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt 
+++ b/tests/unit/files/content_cache_rendered_haproxy_test_output3.txt @@ -89,6 +89,8 @@ listen redirect-site1-local listen cached-site1-local bind 0.0.0.0:443 ssl crt /var/lib/haproxy/certs alpn h2,http/1.1 bind :::443 ssl crt /var/lib/haproxy/certs alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 default_backend backend-cached-site1-local @@ -103,6 +105,8 @@ backend backend-cached-site1-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site1.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site1.local http-request set-header X-Forwarded-For %[src] balance leastconn diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt index e38bfb7..a34b08c 100644 --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_auto_maxconns.txt @@ -109,6 +109,8 @@ listen site1-local listen cached-site2-local bind 0.0.0.0:443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 bind :::443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 default_backend backend-cached-site2-local 
@@ -146,6 +148,8 @@ listen site6-local listen combined-444 bind 0.0.0.0:444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 bind :::444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 use_backend backend-cached-site7-local if { hdr(Host) -i site7.local } @@ -209,6 +213,8 @@ backend backend-cached-site2-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site2.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site2.local http-request set-header X-Forwarded-For %[src] http-request set-var(txn.path) path @@ -300,6 +306,8 @@ backend backend-cached-site7-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site7.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site7.local http-request set-header X-Forwarded-For %[src] balance leastconn @@ -316,6 +324,8 @@ backend backend-cached-site8-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site8.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site8.local http-request set-header X-Forwarded-For %[src] balance leastconn 
diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt index e91cebc..e2c212c 100644 --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_load_balancing_algorithm.txt @@ -109,6 +109,8 @@ listen site1-local listen cached-site2-local bind 0.0.0.0:443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 bind :::443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 default_backend backend-cached-site2-local @@ -146,6 +148,8 @@ listen site6-local listen combined-444 bind 0.0.0.0:444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 bind :::444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 use_backend backend-cached-site7-local if { hdr(Host) -i site7.local } @@ -209,6 +213,8 @@ backend backend-cached-site2-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site2.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site2.local http-request set-header X-Forwarded-For %[src] http-request set-var(txn.path) path 
@@ -300,6 +306,8 @@ backend backend-cached-site7-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site7.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site7.local http-request set-header X-Forwarded-For %[src] balance roundrobin @@ -316,6 +324,8 @@ backend backend-cached-site8-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site8.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site8.local http-request set-header X-Forwarded-For %[src] balance roundrobin diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_override_backend_site.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_override_backend_site.txt index f4e9b30..673bdeb 100644 --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_override_backend_site.txt +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_override_backend_site.txt @@ -82,6 +82,8 @@ listen stats listen combined-443 bind 0.0.0.0:443 ssl crt /var/lib/haproxy/certs alpn h2,http/1.1 bind :::443 ssl crt /var/lib/haproxy/certs alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 use_backend backend-cached-site1-local if { hdr(Host) -i site1.local } 
@@ -103,6 +105,8 @@ backend backend-cached-site1-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site1.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site1.local http-request set-header X-Forwarded-For %[src] balance leastconn @@ -119,6 +123,8 @@ backend backend-cached-site2-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site2.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site2.local http-request set-header X-Forwarded-For %[src] balance leastconn diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt index 1e44c54..718ebb1 100644 --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads.txt @@ -110,6 +110,8 @@ listen site1-local listen cached-site2-local bind 0.0.0.0:443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 bind :::443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 default_backend backend-cached-site2-local 
@@ -147,6 +149,8 @@ listen site6-local listen combined-444 bind 0.0.0.0:444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 bind :::444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 use_backend backend-cached-site7-local if { hdr(Host) -i site7.local } @@ -210,6 +214,8 @@ backend backend-cached-site2-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site2.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site2.local http-request set-header X-Forwarded-For %[src] http-request set-var(txn.path) path @@ -301,6 +307,8 @@ backend backend-cached-site7-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site7.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site7.local http-request set-header X-Forwarded-For %[src] balance leastconn @@ -317,6 +325,8 @@ backend backend-cached-site8-local option httpchk GET /_status/content-cache-check HTTP/1.1\r\nHost:\ site8.local\r\nUser-Agent:\ haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site8.local http-request set-header X-Forwarded-For %[src] balance leastconn 
diff --git a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt index 63e128d..c90bd13 100644 --- a/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt +++ b/tests/unit/files/content_cache_rendered_haproxy_test_output_processes_and_threads_haproxy2.txt @@ -109,6 +109,8 @@ listen site1-local listen cached-site2-local bind 0.0.0.0:443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 bind :::443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 default_backend backend-cached-site2-local @@ -146,6 +148,8 @@ listen site6-local listen combined-444 bind 0.0.0.0:444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 bind :::444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 use_backend backend-cached-site7-local if { hdr(Host) -i site7.local } @@ -213,6 +217,8 @@ backend backend-cached-site2-local http-check send hdr Host site2.local hdr User-Agent haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site2.local http-request set-header X-Forwarded-For %[src] http-request set-var(txn.path) path 
@@ -319,6 +325,8 @@ backend backend-cached-site7-local http-check send hdr Host site7.local hdr User-Agent haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site7.local http-request set-header X-Forwarded-For %[src] balance leastconn @@ -338,6 +346,8 @@ backend backend-cached-site8-local http-check send hdr Host site8.local hdr User-Agent haproxy/httpchk http-request set-header X-Orig-Host %[req.hdr(Host)] http-request set-header X-Dest-Port %[dst_port] + http-request set-header X-SSL-Protocol %[ssl_fc_protocol] + http-request set-header X-SSL-Ciphers %[ssl_fc_cipher] http-request set-header Host site8.local http-request set-header X-Forwarded-For %[src] balance leastconn diff --git a/tests/unit/files/haproxy_config_rendered_listen_stanzas_test_output.txt b/tests/unit/files/haproxy_config_rendered_listen_stanzas_test_output.txt index bae2894..c3747bd 100644 --- a/tests/unit/files/haproxy_config_rendered_listen_stanzas_test_output.txt +++ b/tests/unit/files/haproxy_config_rendered_listen_stanzas_test_output.txt @@ -22,6 +22,8 @@ listen combined-80 listen site2-local bind 0.0.0.0:443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 bind :::443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 default_backend backend-site2-local 
@@ -29,6 +31,8 @@ listen site2-local listen combined-444 bind 0.0.0.0:444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 bind :::444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 use_backend backend-site7-local if { hdr(Host) -i site7.local } diff --git a/tests/unit/files/haproxy_config_rendered_listen_stanzas_test_output2.txt b/tests/unit/files/haproxy_config_rendered_listen_stanzas_test_output2.txt index c7432f5..2cf59de 100644 --- a/tests/unit/files/haproxy_config_rendered_listen_stanzas_test_output2.txt +++ b/tests/unit/files/haproxy_config_rendered_listen_stanzas_test_output2.txt @@ -9,6 +9,8 @@ listen redirect-site1-local listen site1-local bind 0.0.0.0:443 ssl crt /var/lib/haproxy/certs alpn h2,http/1.1 bind :::443 ssl crt /var/lib/haproxy/certs alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 default_backend backend-site1-local diff --git a/tests/unit/files/haproxy_config_rendered_listen_stanzas_test_output3.txt b/tests/unit/files/haproxy_config_rendered_listen_stanzas_test_output3.txt index eece34e..e1fc8b3 100644 --- a/tests/unit/files/haproxy_config_rendered_listen_stanzas_test_output3.txt +++ b/tests/unit/files/haproxy_config_rendered_listen_stanzas_test_output3.txt 
@@ -13,6 +13,8 @@ listen combined-80 listen combined-443 bind 0.0.0.0:443 ssl crt /var/lib/haproxy/certs alpn h2,http/1.1 bind :::443 ssl crt /var/lib/haproxy/certs alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 use_backend backend-site1-local if { hdr(Host) -i site1.local } diff --git a/tests/unit/files/haproxy_config_rendered_test_output.txt b/tests/unit/files/haproxy_config_rendered_test_output.txt index ba08267..92d6a91 100644 --- a/tests/unit/files/haproxy_config_rendered_test_output.txt +++ b/tests/unit/files/haproxy_config_rendered_test_output.txt @@ -103,6 +103,8 @@ listen combined-80 listen site2-local bind 0.0.0.0:443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 bind :::443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 default_backend backend-site2-local @@ -110,6 +112,8 @@ listen site2-local listen combined-444 bind 0.0.0.0:444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 bind :::444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 use_backend backend-site7-local if { hdr(Host) -i site7.local } diff --git a/tests/unit/files/haproxy_config_rendered_test_output2.txt b/tests/unit/files/haproxy_config_rendered_test_output2.txt index a5b3d08..eca7988 100644 --- a/tests/unit/files/haproxy_config_rendered_test_output2.txt +++ b/tests/unit/files/haproxy_config_rendered_test_output2.txt 
@@ -103,6 +103,8 @@ listen combined-80 listen site2-local bind 0.0.0.0:443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 bind :::443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 default_backend backend-site2-local @@ -110,6 +112,8 @@ listen site2-local listen combined-444 bind 0.0.0.0:444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 bind :::444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 use_backend backend-site7-local if { hdr(Host) -i site7.local } diff --git a/tests/unit/files/haproxy_config_rendered_test_output_with_extra_configs.txt b/tests/unit/files/haproxy_config_rendered_test_output_with_extra_configs.txt index 0ec24fa..ec92513 100644 --- a/tests/unit/files/haproxy_config_rendered_test_output_with_extra_configs.txt +++ b/tests/unit/files/haproxy_config_rendered_test_output_with_extra_configs.txt @@ -103,6 +103,8 @@ listen combined-80 listen site2-local bind 0.0.0.0:443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 bind :::443 ssl crt /etc/haproxy/site2-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 default_backend backend-site2-local 
@@ -110,6 +112,8 @@ listen site2-local listen combined-444 bind 0.0.0.0:444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 bind :::444 ssl crt /etc/haproxy/site7-bundle.crt crt /etc/haproxy/site8-bundle.crt alpn h2,http/1.1 + http-request capture ssl_fc_protocol len 8 + http-request capture ssl_fc_cipher len 64 capture request header X-Cache-Request-ID len 60 capture request header Host len 60 use_backend backend-site7-local if { hdr(Host) -i site7.local } |
