haproxy/examples/keylog-test.cfg

# Example: log HTTP traffic and TLS session keys to separate destinations
#
# "option httpslog" sends HTTP access logs to the /dev/log syslog server.
# TLS session keys are written to 2 ring buffers.
#
# Requirements:
#   - HAProxy built with OpenSSL support
#   - "tune.ssl.keylog on" in the global section
#
# Retrieve TLS session keys from the ring buffer via the CLI:
#   For frontend connections:
#
#   (echo "show events keylog-fc -w"; read) | socat /tmp/worker.socket -
#
#   For backend connections:
#
#   (echo "show events keylog-bc -w"; read) | socat /tmp/worker.socket -
#
# The result is in SSLKEYLOGFILE format and can be saved to a file and loaded
# into Wireshark to decrypt captured TLS traffic.

global
    stats socket /tmp/worker.socket mode 0660
    tune.ssl.keylog on

# Ring buffer for TLS session keys.
# "format raw" stores only the log message text, without any syslog envelope,
# producing output in the SSLKEYLOGFILE format directly.
ring keylog-fc
    description "TLS session key frontend log"
    format raw
    maxlen 2000
    size 1M

ring keylog-bc
    description "TLS session key backend log"
    format raw
    maxlen 2000
    size 1M


defaults
    mode http
    timeout client  30s
    timeout server  30s
    timeout connect  5s

log-profile keylog-fc
    on any format "${HAPROXY_KEYLOG_FC_LOG_FMT}"

log-profile keylog-bc
    on any format "${HAPROXY_KEYLOG_BC_LOG_FMT}"

frontend https-in
    bind :443 ssl crt "common.pem"

    option httpslog

    # HTTPs access logs sent to the syslog server
    log /dev/log format raw local0

    # TLS session keys written to the ring buffer
    log ring@keylog-fc profile keylog-fc local1
    log ring@keylog-bc profile keylog-bc local1

    default_backend be1

backend be1
    server s1 10.0.0.123:443 ssl verify none
MINOR: ssl/log: add keylog format variables and env vars Add keylog_format_fc and keylog_format_bc global variables containing the SSLKEYLOGFILE log-format strings for the frontend (client-facing) and backend (server-facing) TLS connections respectively. These produce output compatible with the SSLKEYLOGFILE format described at: https://tlswg.org/sslkeylogfile/draft-ietf-tls-keylogfile.html Both formats are also exported as environment variables at startup: HAPROXY_KEYLOG_FC_LOG_FMT HAPROXY_KEYLOG_BC_LOG_FMT These variables contains \n so they might not be compatible with syslog servers, using them with stderr or a sink might be required. These can be referenced directly in "log-format" directives to produce SSLKEYLOGFILE-compatible output, usable by network analyzers such as Wireshark to decrypt captured TLS traffic. 2026-04-01 04:56:24 -04:00			`# Example: log HTTP traffic and TLS session keys to separate destinations`
			`#`
			`# "option httpslog" sends HTTP access logs to the /dev/log syslog server.`
			`# TLS session keys are written to 2 ring buffers.`
			`#`
			`# Requirements:`
			`# - HAProxy built with OpenSSL support`
			`# - "tune.ssl.keylog on" in the global section`
			`#`
			`# Retrieve TLS session keys from the ring buffer via the CLI:`
			`# For frontend connections:`
			`#`
			`# (echo "show events keylog-fc -w"; read) \| socat /tmp/worker.socket -`
			`#`
			`# For backend connections:`
			`#`
			`# (echo "show events keylog-bc -w"; read) \| socat /tmp/worker.socket -`
			`#`
			`# The result is in SSLKEYLOGFILE format and can be saved to a file and loaded`
			`# into Wireshark to decrypt captured TLS traffic.`

			`global`
			`stats socket /tmp/worker.socket mode 0660`
			`tune.ssl.keylog on`

			`# Ring buffer for TLS session keys.`
			`# "format raw" stores only the log message text, without any syslog envelope,`
			`# producing output in the SSLKEYLOGFILE format directly.`
			`ring keylog-fc`
			`description "TLS session key frontend log"`
			`format raw`
			`maxlen 2000`
			`size 1M`

			`ring keylog-bc`
			`description "TLS session key backend log"`
			`format raw`
			`maxlen 2000`
			`size 1M`


			`defaults`
			`mode http`
			`timeout client 30s`
			`timeout server 30s`
			`timeout connect 5s`

			`log-profile keylog-fc`
			`on any format "${HAPROXY_KEYLOG_FC_LOG_FMT}"`

			`log-profile keylog-bc`
			`on any format "${HAPROXY_KEYLOG_BC_LOG_FMT}"`

			`frontend https-in`
			`bind :443 ssl crt "common.pem"`

			`option httpslog`

			`# HTTPs access logs sent to the syslog server`
			`log /dev/log format raw local0`

			`# TLS session keys written to the ring buffer`
			`log ring@keylog-fc profile keylog-fc local1`
			`log ring@keylog-bc profile keylog-bc local1`

			`default_backend be1`

			`backend be1`
			`server s1 10.0.0.123:443 ssl verify none`