Client Side Certificate SSL - Error Loging for HAProxy

Posted on May 13, 2016

Hello

I have a setup with HAProxy Client side certificate verification required.

I want to log Client Side Certificate SSL errors including the source-ip & client side certificate CN and CA CN when SSL Handshake fails.

Please suggest a config logging command to log source-ip & client side certificate CN and CA CN for SSL handshake error case

But below config does not list client certificate details for SSL handshake error

HAProxy logs for SSL Error: 10.128.41.12:33085 [10/May/2016:23:03:45.324] http-in/1: SSL handshake failure

HAProxy logs for SSL success: 10.128.41.12:33099 [10/May/2016:23:56:38.797] http-in~ app/app1 93/0/1/2/96 200 289 - - ---- 1/1/0/1/0 0/0 {0,“/C=IN/ST=Karnataka/L=Bengaluru/CN=client1”,“/C=IN/ST=Karnataka/L=Bengaluru/CN=ca”} “GET /whoami.html HTTP/1.1”

HAProxy Config:

frontend http-in
mode http
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r

bind *:443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca.crt verify required

use_backend app
default_backend app
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
option forwardfor

Thanks, Deepak

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.