
Logging the HAProxy-specific cipher in Tomcat's access log

I have a web application behind an HAProxy load balancer, set up in SSL termination mode to handle/decrypt the SSL connections. The frontend and backend sections of haproxy.cfg look like this:


frontend web_applications
  mode http
  option httplog
  option forwardfor
  capture request header Referer len 2000
  capture request header User-Agent len 250
  capture request header Host len 100
  capture request header X-Forwarded-For len 50
  reqadd X-Forwarded-Proto:\ https
  default_backend web_applications
  bind *:443 ssl crt /etc/haproxy/certs/cert.pem ciphers AES256

backend web_applications
  mode http
  balance roundrobin
  server web_applications webappserver.net:80 check

Now I need to enhance the backend application's Tomcat access log so that it records the cipher bound in HAProxy, so in this case 'AES256'. I'm looking for a way to access this information in the pattern defined in the AccessLogValve of the Tomcat server configuration file. Here is a snippet of the current pattern:


<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="/var/cps"
       prefix="access_log"
       suffix=".txt"
       locale="en_US"
       rotatable="false"
       maxLogMessageBufferSize="512"
       pattern="%{X-Forwarded-For}i %a %{begin:yyyy-MM-dd-HH:mm:ss.SSSZ}t %{end:yyyy-MM-dd-HH:mm:ss.SSSZ}t &quot;%r&quot; %s %b" />

Is there a way to access this cipher information from the HTTP request received by the backend application? I was thinking of using a custom filter to put it into the HttpServletRequest as an attribute and adding a %{xxx}r pattern code to log it out. Of course, I'm also open to better solutions.


Thanks!


慕尼黑5688855

2 answers

饮歌长啸

I was able to get the SSL cipher into Tomcat's access log by setting ssl_fc_cipher as a custom HTTP header in haproxy.cfg:

frontend web_applications
  mode http
  option httplog
  option forwardfor
  capture request header Referer len 2000
  capture request header User-Agent len 250
  capture request header Host len 100
  capture request header X-Forwarded-For len 50
  # reqadd was removed in HAProxy 2.1; on current versions use:
  #   http-request set-header X-Forwarded-Proto https
  reqadd X-Forwarded-Proto:\ https
  default_backend web_applications
  bind *:443 ssl crt /etc/haproxy/certs/cert.pem ciphers AES256
  # ssl_fc_cipher is the cipher negotiated on the frontend (client) connection;
  # set-header first removes any client-supplied X-SSL-Cipher, then adds ours
  http-request set-header X-SSL-Cipher %[ssl_fc_cipher]

backend web_applications
  mode http
  balance roundrobin
  server web_applications webappserver.net:80 check

Capture the X-SSL-Cipher custom header in the AccessLog Valve:

<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="/var/cps"
       prefix="access_log"
       suffix=".txt"
       locale="en_US"
       rotatable="false"
       maxLogMessageBufferSize="512"
       pattern="%{X-Forwarded-For}i %a %{begin:yyyy-MM-dd-HH:mm:ss.SSSZ}t %{end:yyyy-MM-dd-HH:mm:ss.SSSZ}t &quot;%r&quot; %s %b %{X-SSL-Cipher}i" />

拉莫斯之舞

In haproxy you can use the custom logging feature to specify that the cipher information be logged. See the haproxy documentation on custom logging:

'%sslc' - ssl_ciphers (ex: AES-SHA)

An example custom log string that includes cipher logging:

defaults
  log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \
  %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %sslc"
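Both answers end up writing the same value, the OpenSSL cipher-suite name that HAProxy's ssl_fc_cipher reports, as the last field of a log line: the X-SSL-Cipher column of the Tomcat pattern in the first answer, or the %sslc column of the HAProxy log-format in the second. The script below is an added example, not code from either answer or from HAProxy or Tomcat: it parses both line shapes, classifies each cipher, and lists the clients still negotiating suites without forward secrecy or AEAD, which is what you want to know before tightening the `ciphers` string on the bind line. All log lines are constructed samples (documentation IP ranges, example.org), the function names (`parse`, `classify`, `summarise`, `flag_legacy`) and the strong/cbc/no-pfs/broken thresholds are this example's own choices, and the two regexes assume the exact patterns shown in the answers. One caveat that pairs with the first answer: `http-request set-header` replaces any X-SSL-Cipher a client sends, so the logged value is only as trustworthy as the guarantee that Tomcat's port 80 is reachable solely from HAProxy; a `-` in that column means the request never passed through the TLS frontend at all, so the script flags it too.

```python
"""Classify the TLS cipher suites recorded per request (added example, constructed data).

Handles both log formats from the answers: the cipher is the last field of the
Tomcat pattern (X-SSL-Cipher) and of the HAProxy log-format (%sslc)."""
import re
from collections import Counter

# Tomcat AccessLogValve pattern from the first answer:
#   %{X-Forwarded-For}i %a %{begin:...}t %{end:...}t "%r" %s %b %{X-SSL-Cipher}i
# X-Forwarded-For may hold "a, b" (with a space), so the line is matched from its tail.
TOMCAT_RE = re.compile(
    r'^(?P<client>.+?) (?P<peer>\S+) \S+ \S+ "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<cipher>\S+)$'
)

# HAProxy log-format from the second answer (default HTTP format plus %sslc):
#   %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc ... %{+Q}r %sslc
HAPROXY_RE = re.compile(
    r'^(?P<client>[^:\s]+):\d+ \[[^\]]+\] \S+ \S+ (?:-?\d+/){4}-?\d+ '
    r'(?P<status>-?\d+) \d+ .*"(?P<request>[^"]*)" (?P<cipher>\S+)$'
)

# Constructed sample lines; not output of any real deployment.
TOMCAT_LINES = """\
203.0.113.10 10.0.0.5 2020-01-10-13:14:15.123+0000 2020-01-10-13:14:15.140+0000 "GET /index.html HTTP/1.1" 200 5120 ECDHE-RSA-AES256-GCM-SHA384
198.51.100.7, 10.0.0.2 10.0.0.5 2020-01-10-13:14:16.001+0000 2020-01-10-13:14:16.020+0000 "POST /login HTTP/1.1" 302 - AES256-SHA
203.0.113.11 10.0.0.5 2020-01-10-13:14:17.500+0000 2020-01-10-13:14:17.511+0000 "GET /static/app.js HTTP/1.1" 200 88211 TLS_AES_256_GCM_SHA384
10.0.0.9 10.0.0.5 2020-01-10-13:14:18.000+0000 2020-01-10-13:14:18.003+0000 "GET /health HTTP/1.1" 200 2 -
"""
HAPROXY_LINES = """\
203.0.113.10:51234 [10/Jan/2020:13:14:15.123] web_applications~ web_applications/web_applications 0/0/1/17/18 200 5120 - - ---- 3/3/0/0/0 0/0 {https://www.example.org/|Mozilla/5.0|www.example.org|} "GET /index.html HTTP/1.1" ECDHE-RSA-AES256-GCM-SHA384
192.0.2.44:40022 [10/Jan/2020:13:14:19.900] web_applications~ web_applications/web_applications 0/0/0/9/9 200 731 - - ---- 2/2/0/0/0 0/0 {|curl/7.64.0|www.example.org|} "GET /api/v1/status HTTP/1.1" ECDHE-RSA-AES256-SHA
192.0.2.45:40023 [10/Jan/2020:13:14:20.100] web_applications~ web_applications/web_applications 0/0/0/3/3 200 12 - - ---- 2/2/0/0/0 0/0 {|Java/1.8.0_181|www.example.org|} "GET /api/v1/status HTTP/1.1" DES-CBC3-SHA
"""

BROKEN_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "ANON")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def classify(cipher):
    """Map an OpenSSL cipher-suite name (as ssl_fc_cipher reports it) to (category, reason).

    Thresholds are this example's choice: TLS 1.3 and ECDHE/DHE with AEAD count as strong."""
    if cipher == "-":
        return "none", "no cipher recorded: request did not arrive through the TLS frontend"
    name = cipher.upper()
    if name.startswith("TLS_"):            # TLS 1.3 suites: AEAD and forward secrecy by design
        return "strong", "TLS 1.3 suite"
    for marker in BROKEN_MARKERS:          # NULL/export/RC4/3DES/MD5/anonymous key exchange
        if marker in name:
            return "broken", f"contains {marker}"
    if not name.startswith(("ECDHE-", "DHE-")):
        return "no-pfs", "static RSA/ECDH key exchange, no forward secrecy"
    if not any(m in name for m in AEAD_MARKERS):
        return "cbc", "CBC mode with HMAC, not AEAD"
    return "strong", "ephemeral key exchange with AEAD"


def parse(line):
    """Return client, request, status and cipher from either log format, or None."""
    for pattern in (TOMCAT_RE, HAPROXY_RE):
        m = pattern.match(line)
        if m:
            return {k: m.group(k) for k in ("client", "request", "status", "cipher")}
    return None


def summarise(lines):
    """Count requests per cipher category over all parsable lines."""
    counts = Counter()
    for line in lines.splitlines():
        rec = parse(line)
        if rec:
            counts[classify(rec["cipher"])[0]] += 1
    return counts


def flag_legacy(lines):
    """List (client, request, cipher, reason) for every request not on a strong suite."""
    flagged = []
    for line in lines.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        category, reason = classify(rec["cipher"])
        if category != "strong":
            flagged.append((rec["client"], rec["request"], rec["cipher"], reason))
    return flagged


if __name__ == "__main__":
    for category, n in sorted(summarise(TOMCAT_LINES + HAPROXY_LINES).items()):
        print(f"{category:8} {n}")
    for entry in flag_legacy(TOMCAT_LINES + HAPROXY_LINES):
        print("LEGACY", *entry)
```

Point it at a real file with `summarise(open(path).read())`; lines that match neither pattern are skipped rather than miscounted, so a changed pattern shows up as a drop in totals rather than as wrong categories.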
