Client Side Certificate SSL - Error Loging for HAProxy

Posted May 13, 2016 11.8k views
CentOSMiscellaneousLoad Balancing


I have a setup with HAProxy Client side certificate verification required.

I want to log Client Side Certificate SSL errors including the source-ip & client side certificate CN and CA CN when SSL Handshake fails.

Please suggest a config logging command to log source-ip & client side certificate CN and CA CN for SSL handshake error case

But below config does not list client certificate details for SSL handshake error

HAProxy logs for SSL Error: [10/May/2016:23:03:45.324] http-in/1: SSL handshake failure

HAProxy logs for SSL success: [10/May/2016:23:56:38.797] http-in~ app/app1 93/0/1/2/96 200 289 - - —- 1/1/0/1/0 0/0 {0,“/C=IN/ST=Karnataka/L=Bengaluru/CN=client1”,“/C=IN/ST=Karnataka/L=Bengaluru/CN=ca”} “GET /whoami.html HTTP/1.1”

HAProxy Config:

frontend http-in
mode http
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r

bind *:443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca.crt verify required

use_backend app
default_backend app
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
option forwardfor


1 comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
1 answer

did you resolve this problem