4

I've got an HAProxy instance configured to log to a special home-grown daemon that chucks the log files into a database. I've seen some issues on some log messages where the host_header field is truncated for no specific reason. For example, instead of:

56:34 haproxy[892]: 1.2.3.4:17907 [14/May/2012:13:56:33.999] app.prod app.prod/webp01 0/0/0/161/524 200 33627 - - --NI 0/0/0/0/0 0/0 {application.example.com} "GET /?feed=rss2 HTTP/1.0"

I see:

56:34 haproxy[892]: 1.2.3.4:17907 [14/May/2012:13:56:33.999] app.prod app.prod/webp01 0/0/0/161/524 200 33627 - - --NI 0/0/0/0/0 0/0 {application.examp} "GET /?feed=rss2 HTTP/1.0"

Note the host_header has been truncated from application.example.com to application.examp.

This is throwing a few spanners in the works of trying to farm through these logs, so is there any reason why this is happening?

HAProxy version is 1.4.18-0ubuntu1 running on Ubuntu 12.04.

growse
  • 8,020
  • 13
  • 74
  • 115

2 Answers2

5

Since these have the exact same time stamps and timings, I am guessing you are not including actual examples.

Without those examples the best I can think of is to try setting the length of those header field manually with something like:

capture request header Host len 50

Also note that since syslog traffic is UDP a certain amount of corruption is to be expected (although this sounds more specific than that). There is also a max length setting in HAProxy. I never followed through with increasing this but if you want to try here is my correspondence with the HAProxy author:

> Can I increase the length of syslog messages sent out by HAProxy?
>
> Would it be as simple as changing:
> #define MAX_SYSLOG_LEN          1024
> In
> include/types/log.h
>
> Or is there more to it than that?

You can try, but it may do anything depending on your syslog server.
Some accept those messages, some do truncate the lines, YMMV."
Kyle Brandt
  • 83,619
  • 74
  • 305
  • 448
  • I should have made clear that, yes, the examples I gave were based on an actual message, but copied/pasted with the `host_header` altered to illustrate the issue. I can grab exact examples if necessary. I'll also look into manually setting the length, and see if that helps. – growse May 14 '12 at 14:50
  • Just checked, I already had `capture request header Host len 255` enabled. – growse May 14 '12 at 15:36
3

From what I'm seeing in the code, this should not be possible at all (check capture_headers() in proto_http.c). The headers are truncated to the length that was requested. For this reason, if you're certain that you're seeing this behaviour on requests for a same host passing through the same frontend, the only possibility I can think of is that you sometimes have two header fields, one with the shortened value and another one with the normal one, and that haproxy only logs the first one while the server uses the last one.

Willy Tarreau
  • 3,896
  • 1
  • 20
  • 12
  • Not sure what you mean 'two header fields' - do you mean the client is submitting two hostname header fields in the request? – growse May 21 '12 at 10:12