Re: Logging denied req and SSL question...

From: Willy Tarreau <w#1wt.eu>
Date: Wed, 29 Oct 2008 20:32:54 +0100


Hi Boris,

On Tue, Oct 28, 2008 at 02:30:22PM +0100, boris17480#gmail.com wrote:
> Since the last message about logging. I log some things... I try some
> "configs" options, but I can't find the way to log only "problems" like
> *denied* or *Errors*.

There's no such option. At the "info" level, all traffic is logged, whether it is a 200, a 400 or a 500, it does not make any difference. You're not the first one to ask for this feature, and I think it will be taken into account for future evolutions.

> Another question about SSL...
> Currently I use it for https :
> my https config :
> listen SSL-TracKer-GuiKs 85.17.XXX.XXX:443
> option ssl-hello-chk
> option forwardfor
> mode tcp
> contimeout 5000
> clitimeout 180000
> srvtimeout 180000
> retries 5
> maxconn 500
> balance roundrobin
> server anais-444 85.17.XXX.XXX:444 weight 100 maxconn 250 check maxqueue 1000 inter 10000 fall 2 rise 1
>
> [... other servers]
> redispatch
>
>
> It works "nice", but I can't do the same things that I do for http like:
> reqideny ^[^:\ ]*\ .*union
> reqideny ^[^:\ ]*\ .*<script

It is because you're in TCP mode. You can't see the HTTP inside since it's encrypted. Otherwise you would defeat the purpose of SSL :-)

If you want to see HTTP inside HTTPS, you have to decrypt it first. People generally use stunnel (I do too) because it does not consider HTTP at all, it just takes TCP out of SSL. Others use nginx or pound though. Then you forward this to haproxy which will perform HTTP load balancing. But your servers will have to accept HTTP connections for this.

> I apologize for my english (I'm french). And I hope you "understand" my
> message.

Yes, I'm French too and I understand it :-)

Regards,
Willy

Received on 2008/10/29 20:32
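The layout Willy describes (stunnel strips SSL and hands plain HTTP to haproxy, which then applies the same reqideny filters as the plain-HTTP listener), written out as an added example. This is not configuration from the thread or from the haproxy/stunnel projects; the file paths, the loopback port 8080, the backend port 80 and the certificate path are assumptions, and the public address is kept masked exactly as Boris wrote it.

```conf
; --- /etc/stunnel/stunnel.conf (assumed path) ---
; stunnel only terminates SSL; it never looks at the HTTP inside.
; certificate path is an assumption
cert = /etc/stunnel/stunnel.pem

[https]
; same public address as in the thread (masked)
accept  = 85.17.XXX.XXX:443
; plain HTTP into the haproxy listener below (port is an assumption)
connect = 127.0.0.1:8080

# --- /etc/haproxy/haproxy.cfg (assumed path), haproxy 1.3 syntax ---
# HTTP mode, so the request filters below are actually evaluated.
listen HTTPS-decrypted 127.0.0.1:8080
    mode http
    option forwardfor
    # backends now answer plain HTTP, so an HTTP check replaces ssl-hello-chk
    option httpchk GET /
    contimeout 5000
    clitimeout 180000
    srvtimeout 180000
    retries 5
    maxconn 500
    balance roundrobin
    # the same filters Boris already uses on his plain-HTTP listener
    reqideny ^[^:\ ]*\ .*union
    reqideny ^[^:\ ]*\ .*<script
    # backend must accept plain HTTP; port 80 is an assumption
    server anais-80 85.17.XXX.XXX:80 weight 100 maxconn 250 check maxqueue 1000 inter 10000 fall 2 rise 1
    redispatch
```

Two things to keep in mind with this split: the backend servers must listen for plain HTTP, as Willy notes, and because stock stunnel is HTTP-agnostic, haproxy sees the connection coming from 127.0.0.1, so the `X-Forwarded-For` header haproxy adds with `option forwardfor` will carry stunnel's address rather than the real client address unless stunnel is patched to insert that header itself.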

This archive was generated by hypermail 2.2.0 : 2008/10/29 20:46 CET