plugins: net/haproxy: Request logging not working

Important notices: Our forum is located at https://forum.opnsense.org; please consider joining discussions there instead of using GitHub for these matters.

Before you ask a new question, we ask you kindly to acknowledge the following:

[X] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md

[X] I have searched the existing issues and I’m convinced that mine is new.

Description: I’m facing an issue similar to https://github.com/opnsense/plugins/issues/280 and https://github.com/opnsense/plugins/issues/2386

HAProxy just writes its startup progress into the log, but then nothing. It’s configured to log requests in a decent form (option httplog) including some additional info (via capture directives), my test requests reach it, but nothing appears in the log at all.

Both of my frontends are layer 7 (http) and their logging configuration is identical to what I use on other systems (RHEL Linux, pfSense), where logging works as expected. Here, for some reason that I haven’t figured out yet, it just doesn’t work. I tried changing some settings (I even tried clearing the syslog level filter, which shouldn’t really be necessary), but none of them has had any effect so far.

Note that on one RHEL system I also use several layer 4 (tcp) frontends with option tcplog, and logging works fine there.

So far it looks to me like some bug/oversight in this HAProxy build, but I’m not sure, hence this being opened as a question.

Relevant parts of the generated config below.

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # Process-wide settings. The process runs as uid/gid 80 and is confined to a
    # chroot at /var/haproxy.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    # Runtime API socket at "level admin": whoever can connect gets full runtime
    # control. Mode 775 leaves write permission with the owner and group "proxy" only.
    # NOTE(review): confirm group "proxy" holds only accounts meant to administer HAProxy.
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    maxconn                     10000
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    # Log target: UNIX socket path, facility local0, maximum level "info"
    # (debug-level messages are not sent).
    # NOTE(review): HAProxy's documentation says a UNIX-socket log path must be
    # reachable inside the chroot and writable by the configured uid/gid. Verify that
    # a syslog socket exists at this path as seen from inside /var/haproxy. This is a
    # candidate explanation for "startup lines logged, requests not", not a confirmed cause.
    log /var/run/log local0 info
    # TLS defaults for every bind line: session tickets disabled, client cipher
    # order preferred, TLS 1.2 as the minimum version.
    ssl-default-bind-options no-tls-tickets prefer-client-ciphers ssl-min-ver TLSv1.2
    # TLS 1.2 cipher list. The last two entries (…-AES256-SHA384, …-AES128-SHA256)
    # are CBC-mode suites; all others are AEAD (GCM / CHACHA20-POLY1305).
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256
    # TLS 1.3 cipher suites.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # WARNING: pass through options below this line
    # Upper bound on how long a soft stop may keep old connections alive.
    hard-stop-after		2m

defaults
    # Every proxy inherits the log target declared in the global section.
    log     global
    option redispatch -1
    timeout client 2m
    timeout connect 5s
    timeout server 2m
    retries 1
    default-server init-addr last,libc
    # WARNING: pass through options below this line

    timeout http-request	10s
    timeout queue		1m
    timeout http-keep-alive	5s
    timeout client-fin		30s
    timeout tunnel		10m
    # Both options below are commented out, so connections that send no data and
    # pre-connect probes are not excluded from logging by this section.
    #option			dontlognull
    #option			http-ignore-probes
    http-reuse			safe
    #default-server		maxconn 50 maxqueue 100
    # Response compression settings (algorithm and eligible MIME types).
    # NOTE(review): the type list includes text/html and application/json. If
    # compressed responses served over TLS mix secrets with request-influenced
    # content, review exposure to compression side channels (BREACH-style).
    compression algo		gzip
    compression type		text/html text/plain text/css application/javascript text/javascript application/x-javascript text/xml application/xml application/json image/svg+xml image/x-icon image/vnd.microsoft.icon application/vnd.ms-fontobject application/font-sfnt application/x-font-ttf application/x-font-truetype application/x-font-otf application/x-font-opentype

# Frontend: main-TLS ()
# HTTPS listener on port 443 (bind address elided in this excerpt). Requests
# that match no use_backend rule go to backend deny-all.
frontend main-TLS
    # HSTS: max-age=15768000 seconds, applied to subdomains as well.
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains"
    bind ...:443 name ...:443 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61684e2b978e96.93997209.certlist 
    mode http
    option http-keep-alive
    default_backend deny-all
    # Adds an X-Forwarded-For header carrying the client address. Nothing visible
    # here removes a client-supplied X-Forwarded-For first, so backends should
    # trust only the value added by this proxy.
    option forwardfor
    # tuning options
    timeout client 2m

    # logging options
    # httplog selects the HTTP log format; log-separate-errors raises the level
    # of error entries so they can be filtered separately.
    option log-separate-errors
    option httplog
    # ACL: robots_txt
    acl acl_616855d9518773.71576200 path -i /robots.txt
    # ACL: Connection_HTTPS
    acl acl_616a390c7e7c67.68553522 ssl_fc
    # ACL: Redirect_response
    acl acl_616877f36f00e1.90563227 res.hdr(Location) -m found

    # ACTION: robots_txt
    use_backend robots.txt if acl_616855d9518773.71576200
    # ACTION: Header_X-Forwarded-Proto_HTTPS
    http-request set-header X-Forwarded-Proto https if acl_616a390c7e7c67.68553522
    # ACTION: Header_WL-Proxy-SSL
    http-request set-header WL-Proxy-SSL true if acl_616a390c7e7c67.68553522
    # ACTION: Header_Host_capture
    # NOTE: actions with no ACLs/conditions will always match
    # Stores the request's Host header in txn.Host. The value is client-controlled.
    http-request set-var(txn.Host) req.hdr(Host) 
    # ACTION: Redirect_response_fixup_HTTPS
    # Rewrites scheme://host:port in a backend Location header to https://<txn.Host>.
    # NOTE(review): the replacement host comes from the client's Host header; confirm
    # Host is restricted to expected names elsewhere. The two negated ACLs are not
    # declared in this excerpt.
    http-response replace-header Location ^https?://[^\:]*:\d{1,5}(/?.*)$ https://%[var(txn.Host)]\1 if acl_616877f36f00e1.90563227 !acl_61687a373cef43.12748158 !acl_61687a5a386dd9.79307452

    # WARNING: pass through options below this line
    filter			compression
    http-response set-header Keep-Alive timeout=5
    # Captured header values are written into the HTTP log line, truncated to "len".
    # NOTE(review): X-AUSERNAME presumably carries a user name; if so, log access
    # and retention should be treated accordingly. Confirm.
    capture request header	Host len 24
    capture response header	X-AUSERNAME len 12

# Frontend: main ()
# Plain-HTTP listener on port 80 (bind address elided in this excerpt). Requests
# that match no use_backend rule go to backend deny-all.
frontend main
    bind ...:80 name ...:80 
    mode http
    option http-keep-alive
    default_backend deny-all
    # Adds an X-Forwarded-For header carrying the client address. Nothing visible
    # here removes a client-supplied X-Forwarded-For first.
    option forwardfor
    # tuning options
    timeout client 2m

    # logging options
    # Same logging options as frontend main-TLS; no capture directives here.
    option log-separate-errors
    option httplog
    # ACL: robots_txt
    acl acl_616855d9518773.71576200 path -i /robots.txt
    # ACL: Connection_HTTP
    # Defined as ssl_fc (true on TLS connections); it is used negated below.
    acl acl_616a3afc73b2e9.50283476 ssl_fc
    # ACL: Redirect_response
    acl acl_616877f36f00e1.90563227 res.hdr(Location) -m found

    # ACTION: Redirect_to_HTTPS
    # Redirects to https unless one of two ACLs matches; neither ACL is declared
    # in this excerpt, so the exempted traffic cannot be determined from here.
    http-request redirect scheme https if !acl_616c71f02a0f03.49287692 !acl_616c7213deff00.65946525
    # ACTION: robots_txt
    use_backend robots.txt if acl_616855d9518773.71576200
    # ACTION: Header_X-Robots-Tag
    # NOTE: actions with no ACLs/conditions will always match
    http-request set-header X-Robots-Tag noindex 
    # ACTION: Header_X-Forwarded-Proto_HTTP
    http-request set-header X-Forwarded-Proto http if !acl_616a3afc73b2e9.50283476
    # NOTE(review): unlike main-TLS, this frontend does not set or remove
    # WL-Proxy-SSL, so a client-supplied value would pass through on requests
    # exempted from the redirect. Confirm no reachable backend trusts it.
    # ACTION: Header_Host_capture
    # NOTE: actions with no ACLs/conditions will always match
    # Stores the request's Host header in txn.Host. The value is client-controlled.
    http-request set-var(txn.Host) req.hdr(Host) 
    # ACTION: Redirect_response_fixup_HTTP
    # Rewrites scheme://host:port in a backend Location header to http://<txn.Host>.
    # The two negated ACLs are not declared in this excerpt.
    http-response replace-header Location ^https?://[^\:]*:\d{1,5}(/?.*)$ http://%[var(txn.Host)]\1 if acl_616877f36f00e1.90563227 !acl_61687a373cef43.12748158 !acl_61687a5a386dd9.79307452

    # WARNING: pass through options below this line
    filter			compression
    http-response set-header Keep-Alive timeout=5

# Backend: deny-all ()
# Default backend of both frontends: it has no servers and denies every request,
# so anything not routed explicitly is rejected.
backend deny-all
    # HINT: no servers configured for this backend.
    # health checking is DISABLED
    mode http
    balance source

    # tuning options
    timeout connect 0
    timeout server 0
    # WARNING: pass through options below this line
    retries 0
    # Unconditional deny for every request reaching this backend.
    http-request deny

# Backend: robots.txt ()
# Server-less backend selected for /robots.txt by both frontends.
backend robots.txt
    # HINT: no servers configured for this backend.
    # health checking is DISABLED
    mode http
    balance source

    # tuning options
    timeout connect 0
    timeout server 0
    # ERROR FILE: robots_txt
    # With no server available, HAProxy answers from the 503 error file, which
    # presumably holds the robots.txt response. File content is not shown here.
    errorfile 503 /tmp/haproxy/errorfiles/61683af6880c75.39336130.txt

    # WARNING: pass through options below this line
    retries 0

... 

# Statistics page bound to loopback only (127.0.0.1:8822).
listen local_statistics
    bind            127.0.0.1:8822
    mode            http
    stats uri       /haproxy?stats
    stats realm     HAProxy\ statistics
    # "stats admin if TRUE" enables the page's admin actions for every request.
    # No "stats auth" line is visible, so any local process that can reach this
    # port could use them.
    # NOTE(review): confirm this is acceptable for the accounts and services on the host.
    stats admin     if TRUE

# statistics are DISABLED

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 27 (25 by maintainers)

Most upvoted comments

@AdSchellevis the template is enough, if whitespace is an issue we should likely fix that in the template which imports these.