T6539: add logging options to load-balancer reverse-proxy (backport #3753)

[mergify]

Change Summary

Add logging configuration options to load-balancer reverse-proxy

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

• https://vyos.dev/T6539

Related PR(s)

Component(s) name

• load-balancer reverse-proxy (haproxy)

Proposed changes

The current configuration of haproxy (load-balancing reverse-proxy) includes two statically configured global options in haproxy.cfg:

global
  log /dev/log local0
  log /dev/log local1 notice

This does not provide flexibility to the user. Additionally, the current configuration logs all connection attempts across all services. This can be problematic for busy systems by producing large logs of unnecessary information.

This task aims to provide configuration options to allow the user to configure the syslog facility and severity of messages received. New options are provided as global-parameters, as well as within each service and backend:

[edit load-balancing reverse-proxy]
vyos@vyos# show
 backend BACKEND {
     logging {
         facility local1 {
             level err
         }
     }
 }
 global-parameters {
     logging {
         facility local0 {
         }
     }
 }
 service TEST {
     logging {
         facility local7 {
             level debug
         }
     }
 }

Multiple logging facilities may be specified for each of the attachment points and this hierarchy allows for additional logging configuration options in the future (i.e. format, etc).

Reference haproxy documentation: https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#8

When none of these options are specified, the original behavior is preserved and the original global logging configuration will be present in haproxy.cfg.

How to test

Configure logging options

set load-balancer reverse-proxy global-parameters logging facility local0 level notice

Ensure the configuration has been rendered:

vyos@vyos# cat /run/haproxy/haproxy.cfg | grep log
    log /dev/log local0 notice

Ensure the service has been reloaded and is running (valid configuration):

vyos@vyos# systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
     Loaded: loaded (/lib/systemd/system/haproxy.service; disabled; preset: enabled)
    Drop-In: /run/systemd/system/haproxy.service.d
             └─10-override.conf
     Active: active (running) since Tue 2024-07-02 18:21:55 UTC; 3s ago

Smoketest result

New test ensures that original logging behavior is preserved if not configured. Also tests multiple facilities configured for global-parameters, service and backend items:

vyos@vyos:~$ /usr/libexec/vyos/tests/smoke/cli/test_load-balancing_reverse-proxy.py
[...]
test_09_lb_reverse_proxy_logging (__main__.TestLoadBalancingReverseProxy.test_09_lb_reverse_proxy_logging) ... ok

----------------------------------------------------------------------
Ran 9 tests in 131.619s

OK

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

---

This is an automatic backport of pull request #3753 done by [Mergify](https://mergify.com).

[github-actions]

👍
No issues in PR Title / Commit Title

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[sever-sever]

vyos@r15:~$ /usr/libexec/vyos/tests/smoke/cli/test_load-balancing_reverse-proxy.py
test_01_lb_reverse_proxy_domain (__main__.TestLoadBalancingReverseProxy.test_01_lb_reverse_proxy_domain) ... ok
test_02_lb_reverse_proxy_cert_not_exists (__main__.TestLoadBalancingReverseProxy.test_02_lb_reverse_proxy_cert_not_exists) ... 
PKI does not contain any certificates!


Certificate "cert" not found in configuration!

ok
test_03_lb_reverse_proxy_ca_not_exists (__main__.TestLoadBalancingReverseProxy.test_03_lb_reverse_proxy_ca_not_exists) ... 
PKI does not contain any CA certificates!


CA Certificate "ca-test" not found in configuration!

ok
test_04_lb_reverse_proxy_backend_ssl_no_verify (__main__.TestLoadBalancingReverseProxy.test_04_lb_reverse_proxy_backend_ssl_no_verify) ... 
backend bk-01 cannot have both ssl options no-verify and ca-certificate
set!

ok
test_05_lb_reverse_proxy_backend_http_check (__main__.TestLoadBalancingReverseProxy.test_05_lb_reverse_proxy_backend_http_check) ... 
backend "bk-01" can only be configured with ldap health-check whilst in
TCP mode!

ok
test_06_lb_reverse_proxy_tcp_mode (__main__.TestLoadBalancingReverseProxy.test_06_lb_reverse_proxy_tcp_mode) ... ok
test_07_lb_reverse_proxy_http_response_headers (__main__.TestLoadBalancingReverseProxy.test_07_lb_reverse_proxy_http_response_headers) ... 
service https_front must be set to http mode to use
http_response_headers!

ok
test_08_lb_reverse_proxy_tcp_health_checks (__main__.TestLoadBalancingReverseProxy.test_08_lb_reverse_proxy_tcp_health_checks) ... ok
test_09_lb_reverse_proxy_logging (__main__.TestLoadBalancingReverseProxy.test_09_lb_reverse_proxy_logging) ... ok

----------------------------------------------------------------------
Ran 9 tests in 57.684s

OK
vyos@r15:~$