Channel: HAProxy community - Latest topics

How to silent 'SSL handshake failure' logs

Hey Guys, I recently updated my config to use the latest ciphers and TLS1.2+ version, which should be fine for the valid traffic. However, I’m now seeing a lot of “SSL handshake failure” logs that I suspect are related to non-legitimate traffic. Is there any way to filter out or silence these logs?

global
  chroot  /var/lib/haproxy
  daemon  
  group  haproxy
  hard-stop-after  12h
  log  syslog.example.com:514 len 4096 format rfc5424 syslog
  maxconn  210000
  nbthread  3
  spread-checks  3
  ssl-default-bind-ciphers  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
  ssl-default-bind-options  ssl-min-ver TLSv1.2 no-tls-tickets
  ssl-default-server-ciphers  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
  ssl-default-server-options  ssl-min-ver TLSv1.2 no-tls-tickets
  stats  socket /var/lib/haproxy/stats uid 0 gid 0 mode 0640 level admin expose-fd listeners
  stats  socket /var/lib/haproxy/monitoring user root group monitoring mode 0660 level user
  stats  bind-process all
  tune.bufsize  16384
  tune.h2.max-concurrent-streams  8096
  tune.maxrewrite  1024
  tune.ssl.cachesize  100000
  tune.ssl.default-dh-param  2048
  tune.ssl.lifetime  600
  ulimit-n  500000
  user  haproxy

defaults
  errorfile  400 /etc/haproxy/errors/400.html
  errorfile  401 /etc/haproxy/errors/401.html
  errorfile  403 /etc/haproxy/errors/403.html
  errorfile  405 /etc/haproxy/errors/405.html
  errorfile  408 /etc/haproxy/errors/408.html
  errorfile  429 /etc/haproxy/errors/429.html
  errorfile  500 /etc/haproxy/errors/500.html
  errorfile  502 /etc/haproxy/errors/502.html
  errorfile  503 /etc/haproxy/errors/503.html
  errorfile  504 /etc/haproxy/errors/504.html
  log  global
  log-format  "{ \"haproxy_log_format\":\"http\", \"haproxy_client_ip\":\"%ci\", \"haproxy_x_forwarded_for\":%{+Q}[capture.req.hdr(2)], \"haproxy_client_port\":\"%cp\", \"haproxy_date_time\":\"%t\", \"haproxy_frontend_name_transport\":\"%ft\", \"haproxy_backend_name\":\"%b\", \"haproxy_server_name\":\"%s\", \"haproxy_total_time\":%TR, \"haproxy_time_establish_tcp\":%Tc, \"haproxy_total_session_duration_time\":%Tt, \"haproxy_connection_handshake_time\":%Th, \"haproxy_bytes_read\":%B, \"haproxy_bytes_uploaded\":%U, \"haproxy_termination_state\":\"%ts\", \"haproxy_process_concurrent_connections\":%ac, \"haproxy_frontend_current_connections\":%fc, \"haproxy_backend_current_connections\":%bc, \"haproxy_server_concurrent_connections\":%sc, \"haproxy_retries\":%rc, \"haproxy_server_queue\":%sq, \"haproxy_backend_source_ip\":\"%bi\", \"haproxy_backend_source_port\":\"%bp\", \"haproxy_backend_queue\":%bq, \"haproxy_req_hrd_host\":%{+Q}[capture.req.hdr(0)], \"haproxy_req_hrd_user_agent\":%{+Q}[capture.req.hdr(1)], \"haproxy_ssl_ciphers\":\"%sslc\", \"haproxy_ssl_version\":\"%sslv\", \"haproxy_http_method\":\"%HM\", \"haproxy_http_ver\":\"%HV\", \"haproxy_request_url\":\"%HU\", \"haproxy_status_code\":%ST }"
  maxconn  120000
  mode  http
  option  redispatch
  option  dontlognull
  retries  3
  timeout  http-request 302s
  timeout  queue 60s
  timeout  connect 5s
  timeout  client 302s
  timeout  server 302s
  timeout  check 1s

haproxy -vv
HAProxy version 2.6.15-1.el7 2023/08/09 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2027.
Known bugs: http://www.haproxy.org/bugs/bugs-2.6.15.html
Running on: Linux 3.10.0-1160.99.1.el7.x86_64 #1 SMP Wed Sep 13 14:19:20 UTC 2023 x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_DL=1 USE_SYSTEMD=1
  DEBUG   = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE +LIBCRYPT +LINUX_SPLICE +LINUX_TPROXY +LUA -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OT +PCRE -PCRE2 -PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL -PROMEX -QUIC +RT -SLZ -STATIC_PCRE -STATIC_PCRE2 +SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=3).
Built with OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.4.6
Built with network namespace support.
Support for malloc_trim() is enabled.
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 4.8.5 20150623 (Red Hat 4.8.5-44)

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : none

Available filters :
	[CACHE] cache
	[COMP] compression
	[FCGI] fcgi-app
	[SPOE] spoe
	[TRACE] trace

2 posts - 2 participants
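One defender-side alternative to silencing these lines is to keep them but route them out of the access-log stream and aggregate them per source, so a burst of handshake failures from one client becomes a detectable signal rather than noise. The following Python is an added example, not code from this thread or from HAProxy: it takes a mix of JSON access-log lines in the shape of the log-format above and HAProxy's legacy connection-error lines (`ip:port [date] frontend/listener: SSL handshake failure`), splits the two, and flags sources that exceed a failure threshold. All sample lines and the `fe_https` frontend name are constructed for the example.

```python
import json
import re
from collections import Counter

# Legacy HAProxy connection-error line, e.g. (constructed sample):
#   192.0.2.10:51234 [09/Aug/2023:12:00:00.123] fe_https/1: SSL handshake failure
# The reason group is open-ended so any detail HAProxy appends is kept.
HANDSHAKE_RE = re.compile(
    r"^(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+) \[(?P<ts>[^\]]+)\] "
    r"(?P<frontend>[^/ ]+)/(?P<listener>[^:\s]+): (?P<reason>SSL handshake failure.*)$"
)

# Constructed sample input: one JSON access-log record (fields trimmed from the
# log-format in the question) plus four handshake failures and one stray line.
SAMPLE_LINES = [
    '{ "haproxy_log_format":"http", "haproxy_client_ip":"198.51.100.7", '
    '"haproxy_client_port":"40210", "haproxy_frontend_name_transport":"fe_https~", '
    '"haproxy_ssl_ciphers":"ECDHE-RSA-AES128-GCM-SHA256", "haproxy_ssl_version":"TLSv1.2", '
    '"haproxy_http_method":"GET", "haproxy_request_url":"/", "haproxy_status_code":200 }',
    "192.0.2.10:51234 [09/Aug/2023:12:00:00.123] fe_https/1: SSL handshake failure",
    "192.0.2.10:51240 [09/Aug/2023:12:00:01.005] fe_https/1: SSL handshake failure",
    "192.0.2.10:51251 [09/Aug/2023:12:00:01.900] fe_https/1: SSL handshake failure",
    "203.0.113.5:44321 [09/Aug/2023:12:00:02.300] fe_https/1: SSL handshake failure",
    "not a haproxy line",
]


def parse_line(line):
    """Classify one raw log line.

    Returns ("http", record) for a JSON access-log line, ("handshake", record)
    for a TLS handshake failure, or ("other", {}) for anything else.
    """
    line = line.strip()
    if line.startswith("{"):
        try:
            return "http", json.loads(line)
        except json.JSONDecodeError:
            return "other", {}
    match = HANDSHAKE_RE.match(line)
    if match:
        return "handshake", match.groupdict()
    return "other", {}


def triage(lines, threshold=3):
    """Separate access-log records from handshake failures and flag noisy sources.

    threshold: number of handshake failures from one client IP at which that
    IP is reported under "noisy_sources" (an assumed tuning knob for the example).
    """
    http_records = []
    failures = []
    per_ip = Counter()
    for line in lines:
        kind, record = parse_line(line)
        if kind == "http":
            http_records.append(record)
        elif kind == "handshake":
            failures.append(record)
            per_ip[record["ip"]] += 1
    noisy = {ip: count for ip, count in per_ip.items() if count >= threshold}
    return {
        "http_records": http_records,
        "handshake_failures": failures,
        "failures_by_ip": dict(per_ip),
        "noisy_sources": noisy,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    print(f"{len(summary['http_records'])} access-log record(s)")
    print(f"{len(summary['handshake_failures'])} handshake failure(s)")
    for ip, count in summary["noisy_sources"].items():
        print(f"noisy source {ip}: {count} handshake failures")
```

Run against the syslog receiver's file rather than inside HAProxy: the access-log records go on to the normal pipeline, while `failures_by_ip` feeds a rate alert or a blocklist review. HAProxy 2.5 and later also let a frontend shape these lines with an `error-log-format` directive, where the `fc_err_str` fetch carries the handshake error reason; that directive is not part of the configuration above, so check the documentation for the exact version in use before relying on it.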
