
7.3.4. Fetching samples at Layer 5

Layer 5 here refers to the session layer, which in haproxy is the point closest to the session where all the connection handshakes (including the SSL/TLS handshake) have completed but no application content is yet available.

The fetch methods described here, which mostly expose the results of the SSL/TLS negotiation, are usable as early as the “tcp-request content” rule sets, unless they require information that is not yet known at that point. They are not usable in “tcp-request connection” rules, which run before the handshake.

ssl_bc : boolean
Returns true when the back connection was made via an SSL/TLS transport layer and is locally deciphered. This means the outgoing connection was made to a server declared with the “ssl” option.

ssl_bc_alg_keysize : integer
Returns the symmetric cipher key size supported in bits when the outgoing connection was made over an SSL/TLS transport layer.

ssl_bc_cipher : string
Returns the name of the used cipher when the outgoing connection was made over an SSL/TLS transport layer.

ssl_bc_protocol : string
Returns the name of the used protocol when the outgoing connection was made over an SSL/TLS transport layer.

ssl_bc_unique_id : binary
When the outgoing connection was made over an SSL/TLS transport layer, returns the TLS unique ID as defined in RFC5929 section 3. The unique id can be encoded to base64 using the converter: “ssl_bc_unique_id,base64”.

ssl_bc_session_id : binary
Returns the SSL ID of the back connection when the outgoing connection was made over an SSL/TLS transport layer. It is useful to log when you want to know whether the session was reused or not.

ssl_bc_use_keysize : integer
Returns the symmetric cipher key size used in bits when the outgoing connection was made over an SSL/TLS transport layer.

ssl_c_ca_err : integer
When the incoming connection was made over an SSL/TLS transport layer, returns the ID of the first error detected during verification of the client certificate at depth > 0, or 0 if no error was encountered during this verification process. Please refer to your SSL library’s documentation to find the exhaustive list of error codes.

ssl_c_ca_err_depth : integer
When the incoming connection was made over an SSL/TLS transport layer, returns the depth in the CA chain of the first error detected during the verification of the client certificate. If no error is encountered, 0 is returned.

ssl_c_err : integer
When the incoming connection was made over an SSL/TLS transport layer, returns the ID of the first error detected during verification at depth 0, or 0 if no error was encountered during this verification process. Please refer to your SSL library’s documentation to find the exhaustive list of error codes.

ssl_c_i_dn([<entry>[,<occ>]]) : string
When the incoming connection was made over an SSL/TLS transport layer, returns the full distinguished name of the issuer of the certificate presented by the client when no <entry> is specified, or the value of the first given entry found from the beginning of the DN. If a positive/negative occurrence number is specified as the optional second argument, it returns the value of the nth occurrence of the given entry, counted from the beginning/end of the DN. For instance, “ssl_c_i_dn(OU,2)” retrieves the second organizational unit, and “ssl_c_i_dn(CN)” retrieves the common name.

ssl_c_key_alg : string
Returns the name of the algorithm used to generate the key of the certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer.

ssl_c_notafter : string
Returns the end date presented by the client as a formatted string YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS transport layer.

ssl_c_notbefore : string
Returns the start date presented by the client as a formatted string YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS transport layer.

ssl_c_s_dn([<entry>[,<occ>]]) : string
When the incoming connection was made over an SSL/TLS transport layer, returns the full distinguished name of the subject of the certificate presented by the client when no <entry> is specified, or the value of the first given entry found from the beginning of the DN. If a positive/negative occurrence number is specified as the optional second argument, it returns the value of the nth occurrence of the given entry, counted from the beginning/end of the DN. For instance, “ssl_c_s_dn(OU,2)” retrieves the second organizational unit, and “ssl_c_s_dn(CN)” retrieves the common name.

ssl_c_serial : binary
Returns the serial of the certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form.

ssl_c_sha1 : binary
Returns the SHA-1 fingerprint of the certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. This can be used to stick a client to a server, or to pass this information to a server.
Note that the output is binary, so if you want to pass that fingerprint to the server, you need to encode it in hex or base64, such as in the example below:

     http-request set-header X-SSL-Client-SHA1 %[ssl_c_sha1,hex]

ssl_c_sig_alg : string
Returns the name of the algorithm used to sign the certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer.

ssl_c_used : boolean
Returns true if current SSL session uses a client certificate even if current connection uses SSL session resumption. See also “ssl_fc_has_crt”.

ssl_c_verify : integer
Returns the verify result error ID when the incoming connection was made over an SSL/TLS transport layer, or zero if no error was encountered. Please refer to your SSL library’s documentation for an exhaustive list of error codes.

ssl_c_version : integer
Returns the version of the certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer.
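A worked configuration that ties the client-certificate fetches above together, added here as an example and not part of the HAProxy manual text: it terminates TLS with an optional client certificate, refuses admin paths unless a certificate was presented, verified against the CA file and issued by the expected CA, and forwards the verified identity to the backend only after stripping any client-supplied copies of those headers. The certificate paths, header names, backend, server address and issuer CN are assumptions for illustration.

```haproxy
# Added example, not from the HAProxy manual. Certificate paths, header
# names, addresses and the issuer CN are assumptions for illustration.
frontend fe_mtls
    mode http
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    # Strip any identity headers the client sent: the backend must only ever
    # see values that haproxy derived from the verified certificate below.
    http-request del-header X-SSL-Client-Verify
    http-request del-header X-SSL-Client-DN
    http-request del-header X-SSL-Client-SHA1

    # ssl_c_used is true when the session carries a client certificate, even
    # on resumed sessions where ssl_fc_has_crt would be false.
    acl has_client_cert ssl_c_used
    # ssl_c_verify is 0 only when the chain verified against ca-file. With
    # "verify optional" and no ca-ignore-err/crt-ignore-err, a failing cert
    # already aborts the handshake, so this check is defense in depth.
    acl client_cert_ok ssl_c_verify 0
    # Pin the issuer: a certificate from another CA in ca-file is not enough.
    acl client_cert_issuer ssl_c_i_dn(CN) -m str ExampleClientCA

    # Paths under /admin require a valid certificate from the expected issuer.
    acl is_admin path_beg /admin
    http-request deny if is_admin !has_client_cert
    http-request deny if is_admin !client_cert_ok
    http-request deny if is_admin !client_cert_issuer

    # Forward the verified identity; ssl_c_sha1 is binary, so hex-encode it.
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify] if has_client_cert
    http-request set-header X-SSL-Client-DN %[ssl_c_s_dn] if has_client_cert
    http-request set-header X-SSL-Client-SHA1 %[ssl_c_sha1,hex] if has_client_cert

    default_backend be_app

backend be_app
    mode http
    server app1 10.0.0.10:8080
```

Check the syntax with `haproxy -c -f <file>` before reloading. The del-header lines matter: without them a client that presents no certificate could set X-SSL-Client-DN itself and the backend would have no way to tell the difference.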

ssl_f_i_dn([<entry>[,<occ>]]) : string
When the incoming connection was made over an SSL/TLS transport layer, returns the full distinguished name of the issuer of the certificate presented by the frontend when no <entry> is specified, or the value of the first given entry found from the beginning of the DN. If a positive/negative occurrence number is specified as the optional second argument, it returns the value of the nth occurrence of the given entry, counted from the beginning/end of the DN.
For instance, “ssl_f_i_dn(OU,2)” retrieves the second organizational unit, and “ssl_f_i_dn(CN)” retrieves the common name.

ssl_f_key_alg : string
Returns the name of the algorithm used to generate the key of the certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer.

ssl_f_notafter : string
Returns the end date presented by the frontend as a formatted string YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS transport layer.

ssl_f_notbefore : string
Returns the start date presented by the frontend as a formatted string YYMMDDhhmmss[Z] when the incoming connection was made over an SSL/TLS transport layer.

ssl_f_s_dn([<entry>[,<occ>]]) : string
When the incoming connection was made over an SSL/TLS transport layer, returns the full distinguished name of the subject of the certificate presented by the frontend when no <entry> is specified, or the value of the first given entry found from the beginning of the DN. If a positive/negative occurrence number is specified as the optional second argument, it returns the value of the nth occurrence of the given entry, counted from the beginning/end of the DN.
For instance, “ssl_f_s_dn(OU,2)” retrieves the second organizational unit, and “ssl_f_s_dn(CN)” retrieves the common name.

ssl_f_serial : binary
Returns the serial of the certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form.

ssl_f_sha1 : binary
Returns the SHA-1 fingerprint of the certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. This can be used to know which certificate was chosen using SNI.

ssl_f_sig_alg : string
Returns the name of the algorithm used to sign the certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer.

ssl_f_version : integer
Returns the version of the certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer.

ssl_fc : boolean
Returns true when the front connection was made via an SSL/TLS transport layer and is locally deciphered. This means it has matched a socket declared with a “bind” line having the “ssl” option.

Example :

        # This passes "X-Proto: https" to servers when client connects over SSL
        listen http-https
            bind :80
            bind :443 ssl crt /etc/haproxy.pem
            http-request add-header X-Proto https if { ssl_fc }

ssl_fc_alg_keysize : integer
Returns the symmetric cipher key size supported in bits when the incoming connection was made over an SSL/TLS transport layer.

ssl_fc_alpn : string
This extracts the Application Layer Protocol Negotiation field from an incoming connection made via a TLS transport layer and locally deciphered by haproxy. The result is a string containing the protocol name advertised by the client. The SSL library must have been built with support for TLS extensions enabled (check haproxy -vv). Note that the TLS ALPN extension is not advertised unless the “alpn” keyword on the “bind” line specifies a protocol list. Also, nothing forces the client to pick a protocol from this list, any other one may be requested. The TLS ALPN extension is meant to replace the TLS NPN extension. See also “ssl_fc_npn”.

ssl_fc_cipher : string
Returns the name of the used cipher when the incoming connection was made over an SSL/TLS transport layer.

ssl_fc_has_crt : boolean
Returns true if a client certificate is present in an incoming connection over SSL/TLS transport layer. Useful if ‘verify’ statement is set to ‘optional’.
Note: on SSL session resumption with Session ID or TLS ticket, client certificate is not present in the current connection but may be retrieved from the cache or the ticket. So prefer “ssl_c_used” if you want to check if current SSL session uses a client certificate.

ssl_fc_has_sni : boolean
This checks for the presence of a Server Name Indication TLS extension (SNI) in an incoming connection made over an SSL/TLS transport layer. Returns true when the incoming connection presents a TLS SNI field. This requires that the SSL library is built with support for TLS extensions enabled (check haproxy -vv).

ssl_fc_npn : string
This extracts the Next Protocol Negotiation field from an incoming connection made via a TLS transport layer and locally deciphered by haproxy. The result is a string containing the protocol name advertised by the client. The SSL library must have been built with support for TLS extensions enabled (check haproxy -vv). Note that the TLS NPN extension is not advertised unless the “npn” keyword on the “bind” line specifies a protocol list. Also, nothing forces the client to pick a protocol from this list, any other one may be requested. Please note that the TLS NPN extension was replaced with ALPN.

ssl_fc_protocol : string
Returns the name of the used protocol when the incoming connection was made over an SSL/TLS transport layer.

ssl_fc_unique_id : binary
When the incoming connection was made over an SSL/TLS transport layer, returns the TLS unique ID as defined in RFC5929 section 3. The unique id can be encoded to base64 using the converter: “ssl_fc_unique_id,base64”.

ssl_fc_session_id : binary
Returns the SSL ID of the front connection when the incoming connection was made over an SSL/TLS transport layer. It is useful to stick a given client to a server. It is important to note that some browsers refresh their session ID every few minutes.

ssl_fc_sni : string
This extracts the Server Name Indication TLS extension (SNI) field from an incoming connection made via an SSL/TLS transport layer and locally deciphered by haproxy. The result (when present) typically is a string matching the HTTPS host name (253 chars or less). The SSL library must have been built with support for TLS extensions enabled (check haproxy -vv).

This fetch is different from “req_ssl_sni” in that it applies to the connection being deciphered by haproxy and not to SSL contents being blindly forwarded. See also “ssl_fc_sni_end” and “ssl_fc_sni_reg” below.

ACL derivatives :
ssl_fc_sni_end : suffix match
ssl_fc_sni_reg : regex match

ssl_fc_use_keysize : integer
Returns the symmetric cipher key size used in bits when the incoming connection was made over an SSL/TLS transport layer.
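A worked configuration using the front-connection fetches above, added here as an example and not part of the HAProxy manual text: one TLS-terminating frontend that rejects clients sending no SNI, routes on the deciphered SNI with the exact, suffix and regex ACL forms, refuses SSLv3 as a backstop, and logs the negotiated parameters of both the front connection and (for a re-encrypting backend) the back connection. The certificate directory, host names, addresses and backend names are assumptions for illustration.

```haproxy
# Added example, not from the HAProxy manual. Certificate paths, host names,
# addresses and backend names are assumptions for illustration.
global
    log /dev/log local0

defaults
    mode http
    log global

frontend fe_tls
    # A directory of certificates lets haproxy pick one by SNI; the ssl_f_*
    # fetches then describe the certificate it actually chose.
    bind :443 ssl crt /etc/haproxy/certs/

    # Layer 5 fetches work in "tcp-request content" (handshake complete) but
    # not in "tcp-request connection". Drop clients that sent no SNI.
    tcp-request content reject if !{ ssl_fc_has_sni }

    # SNI is client-supplied and unauthenticated: fine for choosing a backend,
    # never a substitute for authenticating the client. The Host header may
    # also differ from the SNI, so backends must not assume they match.
    acl sni_api      ssl_fc_sni     -i api.example.com
    acl sni_internal ssl_fc_sni_end -i .internal.example.com
    acl sni_legacy   ssl_fc_sni_reg ^legacy-[0-9]+\.example\.com$

    # Backstop only; bind-line options such as no-sslv3 remain the primary
    # control over accepted protocol versions.
    http-request deny if { ssl_fc_protocol -i SSLv3 }

    use_backend be_internal if sni_internal
    use_backend be_legacy   if sni_legacy
    use_backend be_api      if sni_api
    default_backend be_www

    # Front leg: protocol, cipher, key size in use, SNI, chosen certificate
    # (hex fingerprint) and session ID; back leg: protocol and cipher, empty
    # when the chosen backend does not use SSL.
    log-format "%ci:%cp [%t] %ft %b/%s %ST fc=%[ssl_fc_protocol]/%[ssl_fc_cipher]/%[ssl_fc_use_keysize] sni=%[ssl_fc_sni] fcrt=%[ssl_f_sha1,hex] sess=%[ssl_fc_session_id,hex] bc=%[ssl_bc_protocol]/%[ssl_bc_cipher]"

backend be_api
    # Re-encrypt to the origin and verify its certificate; the ssl_bc_*
    # fetches describe this outgoing connection.
    server api1 10.0.1.10:8443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem

backend be_internal
    server int1 10.0.2.10:8080

backend be_legacy
    server leg1 10.0.3.10:8080

backend be_www
    server www1 10.0.0.10:8080
```

Logging ssl_fc_session_id alongside ssl_bc_protocol makes it easy to see, per request, whether a client resumed its session and whether the backend leg was actually encrypted; both fields are empty when the corresponding leg is plain TCP.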
