Prometheus metrics: expose SSL library name + version #3251

@juliusrickert

Your Feature Request

I'd love to see HAProxy expose the SSL library it's built with and running with as a Prometheus metric.

What are you trying to do?

I want to be able to observe the SSL library HAProxy is running with.

We are currently running a patched version of HAProxy that exposes this information in the haproxy_process_build_info metric:

haproxy_process_build_info{…, version="3.3.1-9c24c11-hc20260113", ssl_library="AWS-LC 1.66.0"} 1

I'd like to see this functionality upstreamed.

I have no clue whether that's an appropriate place to put this information.
We have implemented it like this, which may serve as an example implementation:

diff --git a/addons/promex/service-prometheus.c b/addons/promex/service-prometheus.c
index 60f927553..d0c696315 100644
--- a/addons/promex/service-prometheus.c
+++ b/addons/promex/service-prometheus.c
@@ -28,6 +28,7 @@
 #include <haproxy/list.h>
 #include <haproxy/listener.h>
 #include <haproxy/log.h>
+#include <haproxy/openssl-compat.h>
 #include <haproxy/pool.h>
 #include <haproxy/proxy.h>
 #include <haproxy/sample.h>
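Review bot: `#include <haproxy/openssl-compat.h>` is added unconditionally, while the only use this patch makes of it is inside `#ifdef USE_OPENSSL`; please confirm the header compiles to nothing in builds without USE_OPENSSL, or wrap the include in the same guard, so that a promex build without SSL is not affected.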
@@ -469,6 +470,11 @@ static int promex_dump_global_metrics(struct appctx *appctx, struct htx *htx)
 				labels[lb_idx].name  = ist("version");
 				labels[lb_idx].value = ist(HAPROXY_VERSION);
 				lb_idx++;
+#ifdef USE_OPENSSL
+				labels[lb_idx].name = ist("ssl_library");
+				labels[lb_idx].value = ist(OpenSSL_version(OPENSSL_VERSION));
+				lb_idx++;
+#endif
 				val = mkf_u32(FN_GAUGE, 1);
 				break;
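Review bot: the new `ssl_library` entry takes one more slot of `labels[]` at `labels[lb_idx]`, and the array's declaration is not in this hunk, so please check it still has room when USE_OPENSSL is set and enlarge it if not. The value comes from `OpenSSL_version(OPENSSL_VERSION)`, a string supplied by the library at run time, so it is worth a comment saying that it reports the running library only, and a check that the label writer escapes it. Style: align `.name =` with the `.name  =` of the `version` lines above.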

It does not cover the SSL library HAProxy has been built with, just the version it's running with.

Output of haproxy -vv

HAProxy version 3.3.1-9c24c11-hc20260113 2025/12/19 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2027.
Known bugs: http://www.haproxy.org/bugs/bugs-3.3.1.html
Running on: Linux 6.5.0-44-generic #44-Ubuntu SMP PREEMPT_DYNAMIC Fri Jun  7 19:27:11 UTC 2024 x86_64
Build options :
  TARGET  = linux-glibc
  CC      = cc
  CFLAGS  = -O2 -g -fwrapv -fvect-cost-model=very-cheap
  OPTIONS = USE_LIBCRYPT= USE_GETADDRINFO=1 USE_OPENSSL=yes USE_OPENSSL_AWSLC=yes USE_ZLIB=yes USE_QUIC=yes USE_PROMEX=yes USE_PCRE2=yes USE_PCRE2_JIT=yes
  DEBUG   =

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ECH -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE +KTLS -LIBATOMIC -LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY -LUA -MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL +OPENSSL_AWSLC -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL +PROMEX -PTHREAD_EMULATION +QUIC -QUIC_OPENSSL_COMPAT +RT +SHM_OPEN -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB +ACME

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=32, MAX_THREADS=1024, default=2).
Built with SSL library version : OpenSSL 1.1.1 (compatible; AWS-LC 1.66.0)
Running on SSL library version : AWS-LC 1.66.0
SSL library supports TLS extensions : yes
SSL library supports SNI : yes
SSL library FIPS mode : no
SSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
QUIC: connection sock-per-conn mode support : yes
QUIC: GSO emission support : yes
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with zlib version : 1.3.1
Running on zlib version : 1.3.1
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.46 2025-08-27
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): no
Built with gcc compiler version 15.2.0

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
       quic : mode=HTTP  side=FE|BE  mux=QUIC  flags=HTX|NO_UPG|FRAMED
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=SPOP  side=BE     mux=SPOP  flags=HOL_RISK|NO_UPG
       spop : mode=SPOP  side=BE     mux=SPOP  flags=HOL_RISK|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : prometheus-exporter
Available filters :
        [BWLIM] bwlim-in
        [BWLIM] bwlim-out
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace
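
A consumer-side check for the metric requested in this issue, as an added example that is not part of the original post or of HAProxy: it parses a scrape for `haproxy_process_build_info`, reads the `ssl_library` label that the patched build exposes, and flags instances running a library below a minimum version. The host names, the 1.60.0 version string and the `MINIMUM` policy are constructed assumptions.

```python
import re

# Constructed scrape bodies; host names and the 1.60.0 version are made up.
SAMPLE_SCRAPES = {
    "lb-a.example": '# TYPE haproxy_process_build_info gauge\n'
                    'haproxy_process_build_info{version="3.3.1-9c24c11-hc20260113",'
                    'ssl_library="AWS-LC 1.66.0"} 1\n',
    "lb-b.example": 'haproxy_process_build_info{version="3.3.1",ssl_library="AWS-LC 1.60.0"} 1\n',
    # An instance without the patch exposes no ssl_library label.
    "lb-c.example": 'haproxy_process_build_info{version="3.3.1"} 1\n',
}
# Hypothetical fleet policy: lowest acceptable version per library name.
MINIMUM = {"AWS-LC": (1, 66, 0)}

_LABEL = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')
_LIB = re.compile(r'^(.+?)\s+(\d+(?:\.\d+)+)')

def _unescape(value):
    # Exposition format escapes: \\ -> \, \" -> ", \n -> newline.
    return re.sub(r'\\(.)', lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def build_info_labels(scrape):
    """Labels of the haproxy_process_build_info sample, or None if it is absent."""
    for line in scrape.splitlines():
        if line.startswith("haproxy_process_build_info{"):
            body = line[line.index("{") + 1:line.rindex("}")]
            return {k: _unescape(v) for k, v in _LABEL.findall(body)}
    return None

def split_library(value):
    """'AWS-LC 1.66.0' -> ('AWS-LC', (1, 66, 0)); None if no dotted version."""
    m = _LIB.match(value)
    if not m:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))

def audit(scrapes, minimum):
    """Map each host to 'ok', 'outdated', 'unknown-library' or 'no-label'."""
    result = {}
    for host, scrape in scrapes.items():
        labels = build_info_labels(scrape) or {}
        lib = split_library(labels.get("ssl_library", ""))
        if lib is None:
            result[host] = "no-label"
        elif lib[0] not in minimum:
            result[host] = "unknown-library"
        else:
            result[host] = "ok" if lib[1] >= minimum[lib[0]] else "outdated"
    return result
```

The "no-label" result matters as much as "outdated": an instance that does not report its SSL library cannot be ruled in or out when a library advisory lands.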
