I have a web application behind HAProxy Load balancer set up in SSL termination mode to handle/decrypt the SSL connection. The frontend and backend sections of haproxy.cfg are as follows:
frontend web_applications
mode http
option httplog
option forwardfor
capture request header Referer len 2000
capture request header User-Agent len 250
capture request header Host len 100
capture request header X-Forwarded-For len 50
reqadd X-Forwarded-Proto:\ https
default_backend web_applications
bind *:443 ssl crt /etc/haproxy/certs/cert.pem ciphers AES256
backend web_applications
mode http
balance roundrobin
server web_applications webappserver.net:80 check
Now, I'm required to enhance the backend application's tomcat access log to log the ciphers bound with the HAProxy. So in this case 'AES256'. I'm looking for a way to access this information in the pattern defined in the AccessLogValve of the tomcat server config file. Here's a snippet of the current pattern:
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="/var/cps"
prefix="access_log"
suffix=".txt"
locale="en_US"
rotatable="false"
maxLogMessageBufferSize="512"
pattern="%{X-Forwarded-For}i %a %{begin:yyyy-MM-dd-HH:mm:ss.SSSZ}t %{end:yyyy-MM-dd-HH:mm:ss.SSSZ}t "%r" %s %b" />
Is there a way to access this cipher information from the HTTP request received at the backend application? I was thinking if there's a way I can put it as an attribute in the HttpServetRequest using a custom Filter and add a %{xxx}r pattern code to log it out. Of course, I'm open to better solutions as well.
Thanks!