r/dch-proxy: Include host name in log messages

When troubleshooting configuration or connection issues, it will be helpful to have the value of the HTTP Host header present in log messages emitted by HAProxy. This will help reason about HAProxy's routing decisions. For TLS connections, of course, we don't have access to the Host header, but we can use the value of the TLS SNI field. Note that the requisite `content set-var` directive MUST come before the `content accept`; HAProxy stops processing all `tcp-request content ...` directives once it has encountered a decision.
2024-11-05 06:32:49 -06:00
parent 370a1df7ac
commit 90351ce59e
1 changed files with 7 additions and 0 deletions
--- a/roles/dch-proxy/templates/haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/haproxy.cfg.j2
@@ -7,9 +7,13 @@ acl blocklist src {{ dch_proxy_blocklist|join(' ') }}
 frontend main
    bind :::80

+    log-format "${HAPROXY_HTTP_LOG_FMT} %[var(txn.http_host)]"
+
    {{ acls() | indent(4) }}
    tcp-request connection reject if blocklist !allowlist

+    http-request set-var(txn.http_host) req.hdr(host)
+
 {% for site in dch_proxy_sites %}
    use_backend {{ site.backend }} if { hdr(host) -i {% if site.matcher|d %}-m {{ site.matcher }} {% endif %}{{ site.match }} }
 {% endfor %}
@@ -20,9 +24,12 @@ frontend main-tls
    mode tcp
    option tcplog

+    log-format "${HAPROXY_TCP_LOG_FMT} %[var(txn.ssl_sni)]"
+
    {{ acls() | indent(4) }}
    tcp-request connection reject if blocklist !allowlist
    tcp-request inspect-delay 5s
+    tcp-request content set-var(txn.ssl_sni) req.ssl_sni
    tcp-request content accept if { req.ssl_hello_type 1 }

 {% for site in dch_proxy_sites %}