{"host": "cp1111.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 3981, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "Confd::File[/etc/haproxy/conf.d/tls.cfg]"}, {"resource": "File[/etc/haproxy/haproxy.cfg]", "content": "--- /etc/haproxy/haproxy.cfg.orig\n+++ /etc/haproxy/haproxy.cfg\n@@ -43,7 +43,7 @@\n defaults\n     mode       http\n     log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n-    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n+    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ 
tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ provenance=\\\"%[var(sess.provenance)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n \n     option     dontlognull\n     option     accept-unsafe-violations-in-http-request"}, {"resource": "File[/etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl]", "content": "--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig\n+++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl\n@@ -168,37 +168,37 @@\n     # A for net=wikimedia_trust|internal\n     # F for abuse=\n     # E otherwise\n-    http-request set-var(req.provenance,ifnotexists) str('net=wikimedia-trust') if wikimedia_trust\n+    http-request set-var(sess.provenance,ifnotexists) str('net=wikimedia-trust') if wikimedia_trust\n     acl is_private_network src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 ::1\n-    http-request set-var(req.provenance,ifnotexists) str('net=internal') if is_private_network\n+    http-request set-var(sess.provenance,ifnotexists) str('net=internal') if is_private_network\n     # AWS Elastic IPs used by the Wikimedia Enterprise project reported in the following tasks over time:\n     # T255524 T294798 T370294\n     acl is_wme_client src 3.23.12.83/32 3.211.48.168/32 44.206.140.241/32 35.168.168.219/32 35.172.30.169/32 3.222.74.115/32\n-    http-request set-var(req.provenance,ifnotexists) str('net=wme') if is_wme_client\n-    http-request set-var(req.trusted_request) str(A) if { var(req.provenance) -m found }\n+    http-request set-var(sess.provenance,ifnotexists) str('net=wme') if is_wme_client\n+    http-request set-var(req.trusted_request) str(A) if { var(sess.provenance) -m found }\n     # check if the IP is included in one of our ipblocks\n-    http-request 
set-var(req.provenance,ifnotexists,ifnotempty) src,map_ip(/etc/haproxy/ipblocks.d/all.map)\n+    http-request set-var(sess.provenance,ifnotexists,ifnotempty) src,map_ip(/etc/haproxy/ipblocks.d/all.map)\n     # ensure that WMCS is marked as trusted.\n-    http-request set-var(req.trusted_request,ifnotexists) str(A) if { var(req.provenance) -m sub \"cloud=wmcs\" }\n-    http-request set-var(req.trusted_request,ifnotexists) str(F) if { var(req.provenance) -m beg \"abuse=\" }\n+    http-request set-var(req.trusted_request,ifnotexists) str(A) if { var(sess.provenance) -m sub \"cloud=wmcs\" }\n+    http-request set-var(req.trusted_request,ifnotexists) str(F) if { var(sess.provenance) -m beg \"abuse=\" }\n     # If everything else failed, find an isp in maxmind\n-    http-request set-var(req.provenance,ifnotexists,ifnotempty) lua.fetch_isp,lower,bytes(0,64)\n+    http-request set-var(sess.provenance,ifnotexists,ifnotempty) lua.fetch_isp,lower,bytes(0,64)\n \n     # lookup failed\n-    http-request set-var(req.provenance,ifnotset) str('net=unknown')\n+    http-request set-var(sess.provenance,ifnotset) str('net=unknown')\n \n     http-request set-var(req.ip_reputation,ifnotexists,ifnotempty) src,map_ip_key(/etc/haproxy/ip-reputation.d/top_10000_ips_requestctl_webrequest_text_7days.map)\n     http-request set-var(req.ip_reputation,ifnotexists,ifnotempty) src,map_ip_key(/etc/haproxy/ip-reputation.d/top_10000_ips_requestctl_webrequest_upload_7days.map)\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"top_historical_webrequest=true\") if { var(req.ip_reputation) -m found }\n+    http-request set-var(sess.provenance) var(sess.provenance),add_item(\";\",,\"top_historical_webrequest=true\") if { var(req.ip_reputation) -m found }\n     # Check if the request originates from a known datacenter.\n     http-request lua.is_datacenter\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"datacenter=true\") if { 
var(txn.is_datacenter) -m bool }\n+    http-request set-var(sess.provenance) var(sess.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n     http-request lua.cidergrinder_mmdb_lookup unless { var(sess.cidergrinder_mmdb_result) -m found }\n     http-request set-var(sess.prehashed) src,ipmask(32,64),xxh3 unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.prehashed) -m found }\n     http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m bool }\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n+    http-request set-var(sess.provenance) var(sess.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n     http-request lua.res_proxy  # sets var txn.res_proxy to `proxy=foo` (or, doesn't)\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n+    http-request set-var(sess.provenance) var(sess.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n \n     # txn.x_requestctl gets populated by matching requestctl rules. Here, we prepare to log it via\n     # txn.x_analytics. 
The ifnotexists here is purely defensive.\n@@ -247,7 +247,10 @@\n     {{- end }}\n \n     # Requestctl known-client identification rules are enabled.\n-    # NOTE: known-client rules fetch req.provenance and may set both req.provenance and req.trusted_request.\n+    # NOTE: known-client rules fetch sess.provenance and may set both sess.provenance and req.trusted_request.\n+    # NOTE: temporary copying sess.provenance to req.provenance as workaround until new HP\n+    # version is deployed to use the correct prefix\n+    http-request set-var(req.provenance,ifnotempty) var(sess.provenance)\n \n     {{- $path := \"/request-haproxy-known-client-dsl/common/eqiad\" -}}\n     {{- if not (exists $path) }}\n@@ -259,8 +262,11 @@\n     {{- end }}\n     {{- end }}\n \n+    # NOTE: copying back req.provenance set by HP to sess.provenance, temporary workaround (see above)\n+    http-request set-var(sess.provenance,ifnotempty) var(req.provenance)\n+\n     # Set X-Provenance to its final authoritative value, if available.\n-    http-request set-header X-Provenance %[var(req.provenance)] if { var(req.provenance) -m found }\n+    http-request set-header X-Provenance %[var(sess.provenance)] if { var(sess.provenance) -m found }\n \n     # Image provenance.\n     # Set image link generator, possible values are defined by MediaWiki, See:"}, {"resource": "Class[Haproxy]", "parameters": "--- Class[Haproxy].orig\n+++ Class[Haproxy]\n\n@@\n-    config_content => # Note: This file is managed by puppet.\nglobal\n    user haproxy\n    group haproxy\n    stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin\n    log /var/lib/haproxy/dev/log local0 info\n    log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info\n    tune.http.logurilen 2048\n    # do not keep old processes longer than 1m after a reload\n    hard-stop-after 1m\n    set-dumpable\n    nbthread 48\n    warn-blocked-traffic-after 500ms\n    # NB: mapping too many cores (>~60) will 
cause HAProxy to complain about\n    # too long of a line and fail to start\n    cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94\n\n    tune.lua.bool-sample-conversion pre-3.1-bug\n    lua-prepend-path /etc/haproxy/lua/private/?.lua\n    lua-load-per-thread /etc/haproxy/lua/private/main.lua\n    lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua\n    tune.ssl.capture-buffer-size 96\n    lua-load-per-thread /etc/haproxy/lua/ja3n.lua\n    lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n    lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n    lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom\n\n    ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n    ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256\n    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n    ssl-dh-param-file /etc/ssl/dhparam.pem\n    tune.ssl.cachesize 512000\n    tune.ssl.lifetime 86400\n    maxconn 200000\n\n\n    tune.h2.header-table-size 4096\n    tune.h2.max-concurrent-streams 100\n\n\ndefaults\n    mode       http\n    log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ 
accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n\n    option     dontlognull\n    option     accept-unsafe-violations-in-http-request\n    option     accept-unsafe-violations-in-http-response\n    option     http-ignore-probes\n    retries    1\n    timeout    connect 50000\n    timeout    client 500000\n    timeout    server 500000\n\n+    config_content => # Note: This file is managed by puppet.\nglobal\n    user haproxy\n    group haproxy\n    stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin\n    log /var/lib/haproxy/dev/log local0 info\n    log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info\n    tune.http.logurilen 2048\n    # do not keep old processes longer than 1m after a reload\n    hard-stop-after 1m\n    set-dumpable\n    nbthread 48\n    warn-blocked-traffic-after 500ms\n    # NB: mapping too many cores (>~60) will cause HAProxy to complain about\n    # too long of a line and fail to start\n    cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94\n\n    tune.lua.bool-sample-conversion pre-3.1-bug\n    lua-prepend-path /etc/haproxy/lua/private/?.lua\n    lua-load-per-thread /etc/haproxy/lua/private/main.lua\n    lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua\n    tune.ssl.capture-buffer-size 96\n    lua-load-per-thread /etc/haproxy/lua/ja3n.lua\n    lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n    lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n    
lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom\n\n    ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n    ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256\n    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n    ssl-dh-param-file /etc/ssl/dhparam.pem\n    tune.ssl.cachesize 512000\n    tune.ssl.lifetime 86400\n    maxconn 200000\n\n\n    tune.h2.header-table-size 4096\n    tune.h2.max-concurrent-streams 100\n\n\ndefaults\n    mode       http\n    log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ provenance=\\\"%[var(sess.provenance)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n\n    option     dontlognull\n    option     accept-unsafe-violations-in-http-request\n    option     
accept-unsafe-violations-in-http-response\n    option     http-ignore-probes\n    retries    1\n    timeout    connect 50000\n    timeout    client 500000\n    timeout    server 500000\n\n"}, {"resource": "Haproxy::Confd_site[tls]"}], "perc_changed": "0.13%"}, "core": {"total": 3981, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl]", "content": "--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig\n+++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl\n@@ -168,37 +168,37 @@\n     # A for net=wikimedia_trust|internal\n     # F for abuse=\n     # E otherwise\n-    http-request set-var(req.provenance,ifnotexists) str('net=wikimedia-trust') if wikimedia_trust\n+    http-request set-var(sess.provenance,ifnotexists) str('net=wikimedia-trust') if wikimedia_trust\n     acl is_private_network src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 ::1\n-    http-request set-var(req.provenance,ifnotexists) str('net=internal') if is_private_network\n+    http-request set-var(sess.provenance,ifnotexists) str('net=internal') if is_private_network\n     # AWS Elastic IPs used by the Wikimedia Enterprise project reported in the following tasks over time:\n     # T255524 T294798 T370294\n     acl is_wme_client src 3.23.12.83/32 3.211.48.168/32 44.206.140.241/32 35.168.168.219/32 35.172.30.169/32 3.222.74.115/32\n-    http-request set-var(req.provenance,ifnotexists) str('net=wme') if is_wme_client\n-    http-request set-var(req.trusted_request) str(A) if { var(req.provenance) -m found }\n+    http-request set-var(sess.provenance,ifnotexists) str('net=wme') if is_wme_client\n+    http-request set-var(req.trusted_request) str(A) if { var(sess.provenance) -m found }\n     # check if the IP is included in one of our ipblocks\n-    http-request set-var(req.provenance,ifnotexists,ifnotempty) src,map_ip(/etc/haproxy/ipblocks.d/all.map)\n+    http-request 
set-var(sess.provenance,ifnotexists,ifnotempty) src,map_ip(/etc/haproxy/ipblocks.d/all.map)\n     # ensure that WMCS is marked as trusted.\n-    http-request set-var(req.trusted_request,ifnotexists) str(A) if { var(req.provenance) -m sub \"cloud=wmcs\" }\n-    http-request set-var(req.trusted_request,ifnotexists) str(F) if { var(req.provenance) -m beg \"abuse=\" }\n+    http-request set-var(req.trusted_request,ifnotexists) str(A) if { var(sess.provenance) -m sub \"cloud=wmcs\" }\n+    http-request set-var(req.trusted_request,ifnotexists) str(F) if { var(sess.provenance) -m beg \"abuse=\" }\n     # If everything else failed, find an isp in maxmind\n-    http-request set-var(req.provenance,ifnotexists,ifnotempty) lua.fetch_isp,lower,bytes(0,64)\n+    http-request set-var(sess.provenance,ifnotexists,ifnotempty) lua.fetch_isp,lower,bytes(0,64)\n \n     # lookup failed\n-    http-request set-var(req.provenance,ifnotset) str('net=unknown')\n+    http-request set-var(sess.provenance,ifnotset) str('net=unknown')\n \n     http-request set-var(req.ip_reputation,ifnotexists,ifnotempty) src,map_ip_key(/etc/haproxy/ip-reputation.d/top_10000_ips_requestctl_webrequest_text_7days.map)\n     http-request set-var(req.ip_reputation,ifnotexists,ifnotempty) src,map_ip_key(/etc/haproxy/ip-reputation.d/top_10000_ips_requestctl_webrequest_upload_7days.map)\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"top_historical_webrequest=true\") if { var(req.ip_reputation) -m found }\n+    http-request set-var(sess.provenance) var(sess.provenance),add_item(\";\",,\"top_historical_webrequest=true\") if { var(req.ip_reputation) -m found }\n     # Check if the request originates from a known datacenter.\n     http-request lua.is_datacenter\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n+    http-request set-var(sess.provenance) 
var(sess.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n     http-request lua.cidergrinder_mmdb_lookup unless { var(sess.cidergrinder_mmdb_result) -m found }\n     http-request set-var(sess.prehashed) src,ipmask(32,64),xxh3 unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.prehashed) -m found }\n     http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m bool }\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n+    http-request set-var(sess.provenance) var(sess.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n     http-request lua.res_proxy  # sets var txn.res_proxy to `proxy=foo` (or, doesn't)\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n+    http-request set-var(sess.provenance) var(sess.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n \n     # txn.x_requestctl gets populated by matching requestctl rules. Here, we prepare to log it via\n     # txn.x_analytics. 
The ifnotexists here is purely defensive.\n@@ -247,7 +247,10 @@\n     {{- end }}\n \n     # Requestctl known-client identification rules are enabled.\n-    # NOTE: known-client rules fetch req.provenance and may set both req.provenance and req.trusted_request.\n+    # NOTE: known-client rules fetch sess.provenance and may set both sess.provenance and req.trusted_request.\n+    # NOTE: temporary copying sess.provenance to req.provenance as workaround until new HP\n+    # version is deployed to use the correct prefix\n+    http-request set-var(req.provenance,ifnotempty) var(sess.provenance)\n \n     {{- $path := \"/request-haproxy-known-client-dsl/common/eqiad\" -}}\n     {{- if not (exists $path) }}\n@@ -259,8 +262,11 @@\n     {{- end }}\n     {{- end }}\n \n+    # NOTE: copying back req.provenance set by HP to sess.provenance, temporary workaround (see above)\n+    http-request set-var(sess.provenance,ifnotempty) var(req.provenance)\n+\n     # Set X-Provenance to its final authoritative value, if available.\n-    http-request set-header X-Provenance %[var(req.provenance)] if { var(req.provenance) -m found }\n+    http-request set-header X-Provenance %[var(sess.provenance)] if { var(sess.provenance) -m found }\n \n     # Image provenance.\n     # Set image link generator, possible values are defined by MediaWiki, See:"}, {"resource": "File[/etc/haproxy/haproxy.cfg]", "content": "--- /etc/haproxy/haproxy.cfg.orig\n+++ /etc/haproxy/haproxy.cfg\n@@ -43,7 +43,7 @@\n defaults\n     mode       http\n     log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n-    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ 
user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n+    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ provenance=\\\"%[var(sess.provenance)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n \n     option     dontlognull\n     option     accept-unsafe-violations-in-http-request"}], "perc_changed": "0.05%"}, "main": {"total": 3981, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl]", "content": "--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig\n+++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl\n@@ -168,37 +168,37 @@\n     # A for net=wikimedia_trust|internal\n     # F for abuse=\n     # E otherwise\n-    
http-request set-var(req.provenance,ifnotexists) str('net=wikimedia-trust') if wikimedia_trust\n+    http-request set-var(sess.provenance,ifnotexists) str('net=wikimedia-trust') if wikimedia_trust\n     acl is_private_network src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 ::1\n-    http-request set-var(req.provenance,ifnotexists) str('net=internal') if is_private_network\n+    http-request set-var(sess.provenance,ifnotexists) str('net=internal') if is_private_network\n     # AWS Elastic IPs used by the Wikimedia Enterprise project reported in the following tasks over time:\n     # T255524 T294798 T370294\n     acl is_wme_client src 3.23.12.83/32 3.211.48.168/32 44.206.140.241/32 35.168.168.219/32 35.172.30.169/32 3.222.74.115/32\n-    http-request set-var(req.provenance,ifnotexists) str('net=wme') if is_wme_client\n-    http-request set-var(req.trusted_request) str(A) if { var(req.provenance) -m found }\n+    http-request set-var(sess.provenance,ifnotexists) str('net=wme') if is_wme_client\n+    http-request set-var(req.trusted_request) str(A) if { var(sess.provenance) -m found }\n     # check if the IP is included in one of our ipblocks\n-    http-request set-var(req.provenance,ifnotexists,ifnotempty) src,map_ip(/etc/haproxy/ipblocks.d/all.map)\n+    http-request set-var(sess.provenance,ifnotexists,ifnotempty) src,map_ip(/etc/haproxy/ipblocks.d/all.map)\n     # ensure that WMCS is marked as trusted.\n-    http-request set-var(req.trusted_request,ifnotexists) str(A) if { var(req.provenance) -m sub \"cloud=wmcs\" }\n-    http-request set-var(req.trusted_request,ifnotexists) str(F) if { var(req.provenance) -m beg \"abuse=\" }\n+    http-request set-var(req.trusted_request,ifnotexists) str(A) if { var(sess.provenance) -m sub \"cloud=wmcs\" }\n+    http-request set-var(req.trusted_request,ifnotexists) str(F) if { var(sess.provenance) -m beg \"abuse=\" }\n     # If everything else failed, find an isp in maxmind\n-    http-request 
set-var(req.provenance,ifnotexists,ifnotempty) lua.fetch_isp,lower,bytes(0,64)\n+    http-request set-var(sess.provenance,ifnotexists,ifnotempty) lua.fetch_isp,lower,bytes(0,64)\n \n     # lookup failed\n-    http-request set-var(req.provenance,ifnotset) str('net=unknown')\n+    http-request set-var(sess.provenance,ifnotset) str('net=unknown')\n \n     http-request set-var(req.ip_reputation,ifnotexists,ifnotempty) src,map_ip_key(/etc/haproxy/ip-reputation.d/top_10000_ips_requestctl_webrequest_text_7days.map)\n     http-request set-var(req.ip_reputation,ifnotexists,ifnotempty) src,map_ip_key(/etc/haproxy/ip-reputation.d/top_10000_ips_requestctl_webrequest_upload_7days.map)\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"top_historical_webrequest=true\") if { var(req.ip_reputation) -m found }\n+    http-request set-var(sess.provenance) var(sess.provenance),add_item(\";\",,\"top_historical_webrequest=true\") if { var(req.ip_reputation) -m found }\n     # Check if the request originates from a known datacenter.\n     http-request lua.is_datacenter\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n+    http-request set-var(sess.provenance) var(sess.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n     http-request lua.cidergrinder_mmdb_lookup unless { var(sess.cidergrinder_mmdb_result) -m found }\n     http-request set-var(sess.prehashed) src,ipmask(32,64),xxh3 unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.prehashed) -m found }\n     http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m bool }\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n+    http-request set-var(sess.provenance) 
var(sess.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n     http-request lua.res_proxy  # sets var txn.res_proxy to `proxy=foo` (or, doesn't)\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n+    http-request set-var(sess.provenance) var(sess.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n \n     # txn.x_requestctl gets populated by matching requestctl rules. Here, we prepare to log it via\n     # txn.x_analytics. The ifnotexists here is purely defensive.\n@@ -247,7 +247,10 @@\n     {{- end }}\n \n     # Requestctl known-client identification rules are enabled.\n-    # NOTE: known-client rules fetch req.provenance and may set both req.provenance and req.trusted_request.\n+    # NOTE: known-client rules fetch sess.provenance and may set both sess.provenance and req.trusted_request.\n+    # NOTE: temporary copying sess.provenance to req.provenance as workaround until new HP\n+    # version is deployed to use the correct prefix\n+    http-request set-var(req.provenance,ifnotempty) var(sess.provenance)\n \n     {{- $path := \"/request-haproxy-known-client-dsl/common/eqiad\" -}}\n     {{- if not (exists $path) }}\n@@ -259,8 +262,11 @@\n     {{- end }}\n     {{- end }}\n \n+    # NOTE: copying back req.provenance set by HP to sess.provenance, temporary workaround (see above)\n+    http-request set-var(sess.provenance,ifnotempty) var(req.provenance)\n+\n     # Set X-Provenance to its final authoritative value, if available.\n-    http-request set-header X-Provenance %[var(req.provenance)] if { var(req.provenance) -m found }\n+    http-request set-header X-Provenance %[var(sess.provenance)] if { var(sess.provenance) -m found }\n \n     # Image provenance.\n     # Set image link generator, possible values are defined by MediaWiki, See:"}, {"resource": 
"Class[Haproxy]", "parameters": "--- Class[Haproxy].orig\n+++ Class[Haproxy]\n\n@@\n-    config_content => # Note: This file is managed by puppet.\nglobal\n    user haproxy\n    group haproxy\n    stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin\n    log /var/lib/haproxy/dev/log local0 info\n    log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info\n    tune.http.logurilen 2048\n    # do not keep old processes longer than 1m after a reload\n    hard-stop-after 1m\n    set-dumpable\n    nbthread 48\n    warn-blocked-traffic-after 500ms\n    # NB: mapping too many cores (>~60) will cause HAProxy to complain about\n    # too long of a line and fail to start\n    cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94\n\n    tune.lua.bool-sample-conversion pre-3.1-bug\n    lua-prepend-path /etc/haproxy/lua/private/?.lua\n    lua-load-per-thread /etc/haproxy/lua/private/main.lua\n    lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua\n    tune.ssl.capture-buffer-size 96\n    lua-load-per-thread /etc/haproxy/lua/ja3n.lua\n    lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n    lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n    lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom\n\n    ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n    ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256\n    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n    ssl-dh-param-file /etc/ssl/dhparam.pem\n    tune.ssl.cachesize 512000\n    
tune.ssl.lifetime 86400\n    maxconn 200000\n\n\n    tune.h2.header-table-size 4096\n    tune.h2.max-concurrent-streams 100\n\n\ndefaults\n    mode       http\n    log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n\n    option     dontlognull\n    option     accept-unsafe-violations-in-http-request\n    option     accept-unsafe-violations-in-http-response\n    option     http-ignore-probes\n    retries    1\n    timeout    connect 50000\n    timeout    client 500000\n    timeout    server 500000\n\n+    config_content => # Note: This file is managed by puppet.\nglobal\n    user haproxy\n    group haproxy\n    stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin\n    log /var/lib/haproxy/dev/log local0 info\n    log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info\n    tune.http.logurilen 2048\n    # do not keep old processes longer than 1m after a reload\n    hard-stop-after 1m\n    set-dumpable\n    nbthread 48\n    warn-blocked-traffic-after 500ms\n    # NB: mapping too many cores (>~60) will cause 
HAProxy to complain about\n    # too long of a line and fail to start\n    cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94\n\n    tune.lua.bool-sample-conversion pre-3.1-bug\n    lua-prepend-path /etc/haproxy/lua/private/?.lua\n    lua-load-per-thread /etc/haproxy/lua/private/main.lua\n    lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua\n    tune.ssl.capture-buffer-size 96\n    lua-load-per-thread /etc/haproxy/lua/ja3n.lua\n    lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n    lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n    lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom\n\n    ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n    ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256\n    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n    ssl-dh-param-file /etc/ssl/dhparam.pem\n    tune.ssl.cachesize 512000\n    tune.ssl.lifetime 86400\n    maxconn 200000\n\n\n    tune.h2.header-table-size 4096\n    tune.h2.max-concurrent-streams 100\n\n\ndefaults\n    mode       http\n    log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ 
accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ provenance=\\\"%[var(sess.provenance)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n\n    option     dontlognull\n    option     accept-unsafe-violations-in-http-request\n    option     accept-unsafe-violations-in-http-response\n    option     http-ignore-probes\n    retries    1\n    timeout    connect 50000\n    timeout    client 500000\n    timeout    server 500000\n\n"}, {"resource": "Haproxy::Confd_site[tls]"}, {"resource": "Confd::File[/etc/haproxy/conf.d/tls.cfg]"}, {"resource": "File[/etc/haproxy/haproxy.cfg]", "content": "--- /etc/haproxy/haproxy.cfg.orig\n+++ /etc/haproxy/haproxy.cfg\n@@ -43,7 +43,7 @@\n defaults\n     mode       http\n     log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n-    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ 
backend=\\\"%[var(txn.server)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n+    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ provenance=\\\"%[var(sess.provenance)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n \n     option     dontlognull\n     option     accept-unsafe-violations-in-http-request"}], "perc_changed": "0.13%"}}}
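Review bot: The new `provenance=\"%[var(sess.provenance)]\"` field logs a session-scoped variable per request, so on a reused connection each log line carries whatever earlier requests left in it, not only what this request established. The tls.cfg template diff in this catalog appends to `sess.provenance` on every request (`add_item(";",txn.res_proxy,"")` and the `likely_resiproxy=true` item) and copies `req.provenance` back into it after the known-client rules, so the value appears able to grow and to persist across requests; since it also feeds `X-Provenance`, confirm that every writer keys only on connection-level attributes. A guard such as `!{ var(sess.provenance) -m sub likely_resiproxy=true }` on the append would keep the item from repeating. Because the field precedes `http_method`, `uri_path` and `uri_query` and the haproxykafka log target is capped at `len 8192`, a long value would truncate those fields first. The same line is added in the `Class[Haproxy]` `config_content` diff above.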