Monitoring HTTP and TLS Versions in use via Awstats

With all the hype and craze around HTTP/2 and the various TLS versions, there is one question which comes up every now and then: I am doing all this upgrading of versions, allowing new ciphers, enabling HTTPS and so on, but is anyone actually using them? Also, with the PCI mandate of closing TLS 1.0 and TLS 1.1 looming large, we need to be in a position to identify which TLS versions and which HTTP versions are in use on the website.

When we say what's in use, I am specifically talking about what is used by the clients and not what is offered by the servers. I have been reading about this for a long time and I spotted multiple resources like this and this. However, for all of these the instructions stopped at the point where a custom log is created and shell scripts are then run periodically to extract the data.

I wanted something more, or rather something simpler. This led me to explore a bit more, and I have devised a strategy by which I get the same data parsed and displayed in the awstats dashboard.

So to configure this we need to perform multiple steps.

1) We need to modify the access log format. I am listing the method for nginx; similar methods should apply for other servers also.

http {
	
	log_format combined_extra '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" "$server_protocol" "$ssl_protocol"';
}

2) We modify the individual site to start logging in the new format.

access_log  /logs/nginx/$host-access.log combined_extra;

3) Manually trigger logrotate and force old log to go out.

 sudo logrotate -f /etc/logrotate.d/nginx

4) Edit the awstats config file to point to the correct log format and add the Extra Section entries.

LogFormat = "%host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot %extra1 %extra2" 


ExtraSectionName1="HTTP Versions" 
ExtraSectionCodeFilter1="200 301 302 404" 
ExtraSectionCondition1="" 
ExtraSectionFirstColumnTitle1="HTTP Versions" 
ExtraSectionFirstColumnValues1="extra1,([^&]+)" 
ExtraSectionFirstColumnFormat1="%s" 
ExtraSectionStatTypes1=HL 
ExtraSectionAddAverageRow1=0 
ExtraSectionAddSumRow1=1 
MaxNbOfExtra1=20 
MinHitExtra1=1

ExtraSectionName2="TLS Versions" 
ExtraSectionCodeFilter2="200 301 302 404" 
ExtraSectionCondition2="" 
ExtraSectionFirstColumnTitle2="TLS Versions" 
ExtraSectionFirstColumnValues2="extra2,([^&]+)" 
ExtraSectionFirstColumnFormat2="%s" 
ExtraSectionStatTypes2=HL 
ExtraSectionAddAverageRow2=0 
ExtraSectionAddSumRow2=1 
MaxNbOfExtra2=20 
MinHitExtra2=1

5) Wait for some traffic to hit the server, or manually execute logrotate

 sudo logrotate -f /etc/logrotate.d/nginx

Once this setup is done and you open your awstats config, right at the bottom of the window you should be greeted with a section similar to the one shown below.

[Screenshot: HTTP and TLS Version Tracker]
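To cross-check the numbers in the dashboard, and to see which clients would break once TLS 1.0 and TLS 1.1 are closed, the same log can be tallied directly. This is an added example, not part of the original post: it assumes the combined_extra format from step 1 and the status codes from the ExtraSectionCodeFilter entries in step 4; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches the combined_extra log_format from step 1 (last two fields are
# "$server_protocol" and "$ssl_protocol").
LINE_RE = re.compile(
    r'^\S+ - \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<http>[^"]*)" "(?P<tls>[^"]*)"$'
)
AWSTATS_CODES = {"200", "301", "302", "404"}  # same as ExtraSectionCodeFilter
LEGACY_TLS = {"TLSv1", "TLSv1.1"}             # versions the PCI mandate closes


def summarize(lines, codes=AWSTATS_CODES):
    """Tally HTTP and TLS versions used by clients, plus the user agents
    that still negotiate TLS 1.0 / 1.1. Returns (http, tls, legacy, skipped)."""
    http, tls, legacy, skipped = Counter(), Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # e.g. a line written before the format change
            continue
        if m["status"] not in codes:
            continue      # AWStats ignores these for the extra sections too
        http[m["http"]] += 1
        tls[m["tls"] or "(no TLS)"] += 1  # $ssl_protocol is empty on plain HTTP
        if m["tls"] in LEGACY_TLS:
            legacy[m["ua"]] += 1
    return http, tls, legacy, skipped


# Constructed sample lines (documentation IP ranges, made-up clients).
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2018:10:00:01 +0000] "GET / HTTP/2.0" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)" "HTTP/2.0" "TLSv1.2"',
    '192.0.2.11 - - [12/Mar/2018:10:00:02 +0000] "GET /feed HTTP/1.1" 200 900 "-" "LegacyFetcher/1.0" "HTTP/1.1" "TLSv1"',
    '198.51.100.7 - - [12/Mar/2018:10:00:03 +0000] "GET / HTTP/1.1" 301 178 "-" "curl/7.58.0" "HTTP/1.1" ""',
    '192.0.2.11 - - [12/Mar/2018:10:00:04 +0000] "GET /feed HTTP/1.1" 200 900 "-" "LegacyFetcher/1.0" "HTTP/1.1" "TLSv1.1"',
    '192.0.2.12 - - [12/Mar/2018:09:59:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [12/Mar/2018:10:00:05 +0000] "GET /x HTTP/1.1" 500 0 "-" "Mozilla/5.0" "HTTP/1.1" "TLSv1.2"',
]

if __name__ == "__main__":
    http, tls, legacy, skipped = summarize(SAMPLE)
    print("HTTP versions:", dict(http))
    print("TLS versions: ", dict(tls))
    print("Clients on TLS 1.0/1.1:", dict(legacy))
    print("Unparsed lines:", skipped)
```

A non-zero count of unparsed lines usually means the file still holds entries written before the logrotate in step 3.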
