rsyslog -> tcp -> ssl -> SNI -> ssl -> rsyslog

Posted by Aleksandar Lazic 
March 17, 2017 06:40PM
Hi.

The subject looks strange, so let me explain the setup a little bit.

I have an old rsyslog without ssl module.
I need to send syslog messages via tcp to a remote syslog server.

Between the local server and the remote server is a haproxy which I can
only use as https-sni-forwarder.

https://docs.openshift.com/container-platform/3.4/architecture/core_concepts/routes.html#secured-routes
-> Passthrough mode

I was able to run my docker image on the old rsyslog server.

####
docker run -it --rm --name rsylog-forwarder \
-e SERVICE_DEST=logcollect.${DOMAIN} -e TZ=Europe/Vienna \
-e SERVICE_NAME=rsylog-forwarder -e SERVICE_DEST_PORT=13443 \
-e SYSLOG_ADDRESS=127.0.0.1 -e SERVICE_TCP_PORT=13443 \
-e STATS_PORT=13444 -e CONFIG_FILE=/mnt/config/haproxy-sslforwarder.conf \
-e DEBUG=true -v /etc/rsylog-forwarder/conf:/mnt/config \
-v /etc/rsylog-forwarder/ssl:/mnt/certs \
--expose 13443 --expose 13444 \
--health-cmd 'curl -sS http://127.0.0.1:${STATS_PORT}' \
--health-interval 5s --health-timeout 3s --entrypoint /bin/bash \
-p 13443:13443 me2digital/haproxy17

in the container: bash -x container-entrypoint.sh
####

When I now call

logger --tcp --server 127.0.0.1 --port 13443 --tag aushape test aleks

Then I can see that the logger connects to the local haproxy, but the
haproxy does not connect to the 'logcollect.${DOMAIN}'.

But when I call

curl -vk https://logcollect.${DOMAIN}/

I reach the haproxy inside via the openshift router.
So finally the setup works when I'm able to configure haproxy in such a
way that it acts like curl ;-)

Do you think this is possible?

Haproxy version 1.7.3
=> https://gitlab.com/aleks001/haproxy17-centos

Config 'local ssl forwarder tcp -> https'
=> https://gitlab.com/snippets/1654829

Config 'remote forwarder https -> tcp'
=> https://gitlab.com/snippets/1654828

Thanks for any feedback.

Cheers
aleks
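An added example (not the author's gitlab snippets) of what the two HAProxy 1.7 configs in such a chain can look like. It assumes the hostname logcollect.example.com, the remote rsyslog on 127.0.0.1:514, certificate files under /mnt/certs, and port 443 on the remote side because that is the port the curl test in the post reaches through the OpenShift router.

```haproxy
# ---- File 1: local side (runs next to the old rsyslog) ----
# plain TCP syslog in on 127.0.0.1:13443, TLS with SNI out to the router
global
    maxconn 1024
    tune.ssl.default-dh-param 2048

defaults
    mode tcp
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend syslog_in
    bind 127.0.0.1:13443
    default_backend syslog_tls_out

backend syslog_tls_out
    # "sni str(...)" sends the TLS Server Name Indication, which is what a
    # passthrough route on the OpenShift router uses to pick the backend;
    # this is the part that makes haproxy "act like curl".
    # "verify required" + ca-file checks the remote certificate instead of
    # the curl -k behaviour; /mnt/certs/ca.pem is an assumed path.
    server logcollect logcollect.example.com:443 ssl \
        sni str(logcollect.example.com) \
        verify required ca-file /mnt/certs/ca.pem \
        verifyhost logcollect.example.com

# stats page so the docker health check (curl http://127.0.0.1:13444) works
listen stats
    bind 127.0.0.1:13444
    mode http
    stats enable
    stats uri /

# ---- File 2: remote side (behind the passthrough route) ----
# terminates TLS and hands plain TCP syslog to the remote rsyslog
frontend syslog_tls_in
    mode tcp
    # logcollect.pem = server cert + key, assumed path
    bind :13443 ssl crt /mnt/certs/logcollect.pem
    default_backend rsyslog_remote

backend rsyslog_remote
    mode tcp
    server rsyslog 127.0.0.1:514
```

Each file needs its own global/defaults section when run separately; the second file is shown without them only to keep the example short.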