I am trying to extend a custom haproxy log-format by adding [req.ssl_sni]. The haproxy version used is 1.6.3 on Ubuntu.
The frontend is configured in the following way:

```
bind *:443
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
tcp-request content reject
log-format [...]{%[req.ssl_sni]}
```

Where `[...]` denotes other log options which are working fine. The frontend is running in TCP mode, forwarding TLS sessions without decrypting them.

The expected log output would be something similar to `{my.server.com}` for valid TLS sessions. The log output I am seeing is always `{-}` (a dash instead of the server name), even when the TLS session is successfully handled by the backend server. What do I have to change to see the actual SNI value in the logs?
Using capture before accept solved it for me.

Found the solution here: https://discourse.haproxy.org/t/log-sni-in-tcp-mode/1534/2
Maybe the problem was in the name used? I see "req.ssl_sni" in the question and "req_ssl_sni" in examples for SNI.
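A complete TCP-mode frontend that applies the answer's fix, as an added example (not the asker's or answerer's configuration); the backend name, server address and the 64-byte capture length are assumptions. It also shows why the original `log-format` prints `-` and that `req.ssl_sni` (sample fetch) and `req_ssl_sni` (ACL keyword) are both valid names, so the comment's naming concern is not the cause.

```haproxy
# Added example: TCP-mode frontend that logs the TLS SNI without terminating TLS.
# Backend name, server address and the capture length are assumptions.
frontend tls_in
    bind *:443
    mode tcp
    log global

    # Give the client up to 5s to send its ClientHello before deciding.
    tcp-request inspect-delay 5s

    # Broken: req.ssl_sni is a content fetch that reads the request buffer.
    # By the time the log line is emitted the buffer is gone, so the
    # sample is empty and the field renders as "-".
    #log-format "[...] {%[req.ssl_sni]}"

    # Fix: copy the SNI into capture slot 0 while the ClientHello is still
    # buffered, and do it BEFORE the accept rule, because accept stops
    # evaluation of the remaining tcp-request content rules.
    tcp-request content capture req.ssl_sni len 64
    tcp-request content accept if { req_ssl_hello_type 1 }
    tcp-request content reject

    # Log the captured value; capture.req.hdr(0) reads the first capture slot.
    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts {%[capture.req.hdr(0)]}"

    default_backend tls_backend

backend tls_backend
    mode tcp
    server srv1 192.0.2.10:443 check
```

A ClientHello carrying `my.server.com` then logs `{my.server.com}`, while a connection rejected for lacking a ClientHello still logs `{-}`, which makes the field useful for spotting non-TLS probes against the port.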