haproxy/examples/keylog-test.cfg

# Example: log HTTP traffic and TLS session keys to separate destinations
#
# "option httpslog" sends HTTP access logs to the /dev/log syslog server.
# TLS session keys are written to 2 ring buffers.
#
# Requirements:
#   - HAProxy built with OpenSSL support
#   - "tune.ssl.keylog on" in the global section
#
# Retrieve TLS session keys from the ring buffer via the CLI:
#   For frontend connections:
#
#   (echo "show events keylog-fc -w"; read) | socat /tmp/worker.socket -
#
#   For backend connections:
#
#   (echo "show events keylog-bc -w"; read) | socat /tmp/worker.socket -
#
# The result is in SSLKEYLOGFILE format and can be saved to a file and loaded
# into Wireshark to decrypt captured TLS traffic.

global
    stats socket /tmp/worker.socket mode 0660
    tune.ssl.keylog on

# Ring buffer for TLS session keys.
# "format raw" stores only the log message text, without any syslog envelope,
# producing output in the SSLKEYLOGFILE format directly.
ring keylog-fc
    description "TLS session key frontend log"
    format raw
    maxlen 2048
    size 1M

ring keylog-bc
    description "TLS session key backend log"
    format raw
    maxlen 2048
    size 1M


defaults
    mode http
    timeout client  30s
    timeout server  30s
    timeout connect  5s

log-profile keylog-fc
    on any format "${HAPROXY_KEYLOG_FC_LOG_FMT}"

log-profile keylog-bc
    on any format "${HAPROXY_KEYLOG_BC_LOG_FMT}"

frontend https-in
    bind :443 ssl crt "common.pem"

    option httpslog

    # HTTPs access logs sent to the syslog server
    log /dev/log format raw local0

    # TLS session keys written to the ring buffer
    log ring@keylog-fc len 2048 profile keylog-fc local1
    log ring@keylog-bc len 2048 profile keylog-bc local1

    default_backend be1

backend be1
    server s1 10.0.0.123:443 ssl verify none