1
votes

I have a web application behind HAProxy Load balancer set up in SSL termination mode to handle/decrypt the SSL connection. The frontend and backend sections of haproxy.cfg are as follows:

frontend web_applications
  mode http
  option httplog
  option forwardfor
  capture request header Referer len 2000
  capture request header User-Agent len 250
  capture request header Host len 100
  capture request header X-Forwarded-For len 50
  reqadd X-Forwarded-Proto:\ https
  default_backend web_applications
  bind *:443 ssl crt /etc/haproxy/certs/cert.pem ciphers AES256

backend web_applications
  mode http
  balance roundrobin
  server web_applications webappserver.net:80 check

Now, I'm required to enhance the backend application's tomcat access log to log the ciphers bound with the HAProxy. So in this case 'AES256'. I'm looking for a way to access this information in the pattern defined in the AccessLogValve of the tomcat server config file. Here's a snippet of the current pattern:

<Valve className="org.apache.catalina.valves.AccessLogValve" 
                    directory="/var/cps" 
                    prefix="access_log" 
                    suffix=".txt"
                    locale="en_US"
                    rotatable="false"
                    maxLogMessageBufferSize="512"
                    pattern="%{X-Forwarded-For}i %a %{begin:yyyy-MM-dd-HH:mm:ss.SSSZ}t %{end:yyyy-MM-dd-HH:mm:ss.SSSZ}t &quot;%r&quot; %s %b" />

Is there a way to access this cipher information from the HTTP request received at the backend application? I was thinking if there's a way I can put it as an attribute in the HttpServetRequest using a custom Filter and add a %{xxx}r pattern code to log it out. Of course, I'm open to better solutions as well.

Thanks!

2

2 Answers

1
votes

I was able to get the SSL cipher in Tomcat's access log by setting the ssl_fc_cipher as a custom HTTP header in the haproxy.cfg:

frontend web_applications
  mode http
  option httplog
  option forwardfor
  capture request header Referer len 2000
  capture request header User-Agent len 250
  capture request header Host len 100
  capture request header X-Forwarded-For len 50
  reqadd X-Forwarded-Proto:\ https
  default_backend web_applications
  bind *:443 ssl crt /etc/haproxy/certs/cert.pem ciphers AES256
  http-request set-header X-SSL-Cipher %[ssl_fc_cipher]

backend web_applications
  mode http
  balance roundrobin
  server web_applications webappserver.net:80 check

Capture the X-SSL-Cipher custom header in the AccessLog Valve:

<Valve className="org.apache.catalina.valves.AccessLogValve" 
                    directory="/var/cps" 
                    prefix="access_log" 
                    suffix=".txt"
                    locale="en_US"
                    rotatable="false"
                    maxLogMessageBufferSize="512"
                    pattern="%{X-Forwarded-For}i %a %{begin:yyyy-MM-dd-HH:mm:ss.SSSZ}t %{end:yyyy-MM-dd-HH:mm:ss.SSSZ}t &quot;%r&quot; %s %b %X-SSL-Cipher}i" />
0
votes

In haproxy you can use the custom logging ability to specify logging the cipher information. See the haproxy documentation for custom logging.

'%sslc' - ssl_ciphers (ex: AES-SHA)

An example custom log string including the cipher logging:

defaults
  log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %sslc"