Poor man's HAProxy SSL debugging
I spent way too much time debugging a hairy reverse proxy connectivity issue. Turned out a misconfiguration on my part resulted in the wrong certificate being presented by default. This was very much non-obvious, because there were multiple proxies in a row, and only one of them was under my control.
Being able to log which certificate HAProxy was presenting was very helpful. It took more searching than I care to admit, so here it is for posterity:
frontend foo
    # your bindings and other config go here
    log-format "SSL Certificate: %[ssl_f_s_dn]"
That’s it. That’s all it took.
The log output then looks like:
SSL Certificate: /CN=foo.example.com
You can obviously decorate this with other useful things, like the date or other request details.
— Elric
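A decorated variant, added here as an example and not taken from the original post: it logs the SNI name the client asked for next to the certificate HAProxy actually presented, so a fallback to the default certificate shows up as a mismatch between `sni=` and `cert_dn=`. The field labels (`sni=`, `cert_dn=`, and so on) are arbitrary names chosen for this example.

```haproxy
frontend foo
    # your bindings and other config go here

    # Added example (not from the original post). Fields, in order:
    #   %ci:%cp              client IP and port
    #   [%t]                 date the connection was accepted
    #   %[ssl_fc_sni]        server name requested by the client (empty if none was sent)
    #   %[ssl_f_s_dn]        subject DN of the certificate HAProxy presented
    #   %[ssl_f_serial,hex]  serial number of that certificate, hex-encoded
    #   %[ssl_f_notafter]    expiry of that certificate (YYMMDDhhmmss[Z])
    #   %sslv / %sslc        negotiated TLS version and cipher
    log-format "%ci:%cp [%t] sni=%[ssl_fc_sni] cert_dn=%[ssl_f_s_dn] serial=%[ssl_f_serial,hex] not_after=%[ssl_f_notafter] %sslv/%sslc"
```

The serial and expiry help tell apart two certificates that share the same subject, for example an old and a renewed one.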