
07/10/2009

BigIP: Logging SSL Version and Cipher Information

One of the really cool things about mod_ssl in apache is that you can configure your apache logs to record the SSL protocol version and cipher used per connection. This provides some of the more arrogant web server administrators among us with even more reasons to scoff at some folks connecting to our sites. "Hey Chris! Look! Not only is this guy using IE4 with the FunWebProducts toolbar but he connected using SSL2 over a 40-bit channel! Ha-ha-ha-snort!"

If, however, you are front-ending your site with an F5 BigIP LTM and terminating SSL at the BigIP, you would not normally connect to your apache servers over SSL as well. (Even if you did, the F5 would be acting as the SSL client, so you'd only see the cipher the BigIP used to connect to your apache servers, not the actual client's info.)

Because I don't want to let anyone down, I thought it would be fun to get the BigIP to forward this information through to the apache server, similar to how the F5 forwards an X-Forwarded-For header containing the client IP address. Since it's been a while since I've published an article on iRules, here we go. This particular solution is a hybrid BigIP/apache solution, similar, as previously mentioned, to the X-Forwarded-For setup: you insert a couple of custom HTTP headers that are passed along to your apache servers, and you modify your apache server's log format to append this data to the access logs. Below is the iRule used to insert these headers:

when HTTP_REQUEST {
    # Copy the protocol version and cipher negotiated on the client-side
    # SSL profile into request headers for the back-end servers to log.
    HTTP::header insert "SSL_PROTOCOL" [SSL::cipher version]
    HTTP::header insert "SSL_CIPHER" [SSL::cipher name]
}
Then, you'll modify the LogFormat directive for your apache logs. For this particular test, I simply modified an existing combined logging format that had already been changed to use the X-Forwarded-For header as the client IP. I changed the format from this:
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Cookie}i\" \"%{Set-Cookie}o\"" common_bigip
to this (the two fields appended at the end are the change):
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Cookie}i\" \"%{Set-Cookie}o\" %{SSL_PROTOCOL}i %{SSL_CIPHER}i" common_bigip
Please note that the values added to the LogFormat directive do not use mod_ssl's syntax of ending the value with an "x" (%{SSL_PROTOCOL}x); instead we end it with an "i", because this is an HTTP request header that is being inserted, not a mod_ssl environment variable.

An example that displays what is now stored in the access log follows:
XX.XX.XX.XXX - - [09/Jul/2009:23:32:11 -0400] "GET /WebApp/ HTTP/1.1" 200 4366 "JSESSIONID=C5E4444A9F324BCB9DEDE6BD4A711C59.jspRouteID" "-" TLSv1 RC4-MD5
What's nice about this is that with only 4 lines of code in an iRule and some relatively minor changes to the LogFormat on your apache servers, you can regain some functionality that we might have lost when we rolled those BigIPs out. Another nice thing is that if you're using tomcat instead of apache, you can make similar changes to the tomcat access logging valve and get the same results. My apologies go out to the IIS administrators out there who might be interested in getting this kind of data; I haven't figured out how to get that yet. If anyone out there knows of a way to log custom HTTP header data into the IIS web server logs, I'd appreciate it if you'd let me know.
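As an added example (not part of the original post), here is a small Python parser for the common_bigip format above that tallies the protocol/cipher pairs seen and flags sessions negotiated with SSLv2/SSLv3 or export, RC4, MD5, NULL or single-DES suites, so the new log fields can drive a cipher clean-up report. The exact strings [SSL::cipher version] and [SSL::cipher name] emit are assumed to match the OpenSSL-style names in the post's log line; the sample log lines are constructed.

```python
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional
# Matches the post's common_bigip LogFormat with %{SSL_PROTOCOL}i %{SSL_CIPHER}i
# appended. Apache logs "-" when the header is absent (non-SSL virtual server).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"[^"]*" "[^"]*" (?P<protocol>\S+) (?P<cipher>\S+)$'
)
# Assumed (not stated in the post): [SSL::cipher version] yields "SSLv2"/"SSLv3"/"TLSv1"
# and [SSL::cipher name] yields OpenSSL-style suite names such as "RC4-MD5".
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_MARKERS = ("EXP", "RC4", "MD5", "NULL", "DES-CBC-SHA")

class SslLogEntry(NamedTuple):
    client: str
    request: str
    protocol: str  # "-" when the header was absent
    cipher: str

def parse_line(line: str) -> Optional[SslLogEntry]:
    """Parse one access-log line; None when it is not in the common_bigip format."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    return SslLogEntry(**m.groupdict()) if m else None

def is_weak(entry: SslLogEntry) -> bool:
    """Flag SSLv2/SSLv3 and export, RC4, MD5, NULL or single-DES suites."""
    return entry.protocol in WEAK_PROTOCOLS or any(
        marker in entry.cipher for marker in WEAK_CIPHER_MARKERS)

def summarize(lines: Iterable[str]):
    """Return ({(protocol, cipher): count}, [entries that negotiated weak settings])."""
    counts: Counter = Counter()
    weak: List[SslLogEntry] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.protocol == "-":
            continue  # unparseable, or not an SSL request: nothing to assess
        counts[(entry.protocol, entry.cipher)] += 1
        if is_weak(entry):
            weak.append(entry)
    return dict(counts), weak

# Constructed sample lines in the post's format; the first mirrors the post's own entry.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jul/2009:23:32:11 -0400] "GET /WebApp/ HTTP/1.1" 200 4366 "JSESSIONID=abc.jspRouteID" "-" TLSv1 RC4-MD5',
    '10.0.0.7 - - [09/Jul/2009:23:33:02 -0400] "GET /WebApp/login HTTP/1.1" 200 1812 "-" "-" TLSv1 AES256-SHA',
    '10.0.0.9 - - [09/Jul/2009:23:34:40 -0400] "GET / HTTP/1.0" 200 512 "-" "-" SSLv2 EXP-RC4-MD5',
    '10.0.0.11 - - [09/Jul/2009:23:35:13 -0400] "GET /static/logo.png HTTP/1.1" 304 - "-" "-" - -',
]
```

Because the logged values arrive as ordinary request headers, the iRule should remove any client-supplied SSL_PROTOCOL or SSL_CIPHER header (HTTP::header remove) before inserting its own, otherwise a client can write whatever it likes into this column of your access log.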

Creative Commons Attribution-ShareAlike 3.0 Unported