MINOR: ssl: adds fetchs and ACLs for ssl back connection.

Adds SSL fetches and ACLs for outgoing SSL/Transport layer connections with their
docs:
ssl_bc, ssl_bc_alg_keysize, ssl_bc_cipher, ssl_bc_protocol, ssl_bc_unique_id,
ssl_bc_session_id and ssl_bc_use_keysize.
This commit is contained in:
Emeric Brun 2014-04-30 14:21:06 +02:00 committed by Willy Tarreau
parent 5bd99b4bd6
commit 645ae79b40
2 changed files with 77 additions and 8 deletions


@ -10279,6 +10279,37 @@ when no content is yet made available. The fetch methods described here are
usable as low as the "tcp-request content" rule sets unless they require some usable as low as the "tcp-request content" rule sets unless they require some
future information. Those generally include the results of SSL negotiations. future information. Those generally include the results of SSL negotiations.
ssl_bc : boolean
Returns true when the back connection was made via an SSL/TLS transport
layer and is locally deciphered. This means the outgoing connection was made
other a server with the "ssl" option.
ssl_bc_alg_keysize : integer
Returns the symmetric cipher key size supported in bits when the outgoing
connection was made over an SSL/TLS transport layer.
ssl_bc_cipher : string
Returns the name of the used cipher when the outgoing connection was made
over an SSL/TLS transport layer.
ssl_bc_protocol : string
Returns the name of the used protocol when the outgoing connection was made
over an SSL/TLS transport layer.
ssl_bc_unique_id : string
When the outgoing connection was made over an SSL/TLS transport layer,
returns a base64 encoded string containing the TLS unique ID as defined
in RFC5929 section 3.
ssl_bc_session_id : binary
Returns the SSL ID of the back connection when the outgoing connection was
made over an SSL/TLS transport layer. It is useful to log if we want to know
if session was reused or not.
ssl_bc_use_keysize : integer
Returns the symmetric cipher key size used in bits when the outgoing
connection was made over an SSL/TLS transport layer.
ssl_c_ca_err : integer ssl_c_ca_err : integer
When the incoming connection was made over an SSL/TLS transport layer, When the incoming connection was made over an SSL/TLS transport layer,
returns the ID of the first error detected during verification of the client returns the ID of the first error detected during verification of the client


@ -2318,12 +2318,16 @@ smp_fetch_ssl_c_key_alg(struct proxy *px, struct session *l4, void *l7, unsigned
return 1; return 1;
} }
/* boolean, returns true if front conn. transport layer is SSL */ /* boolean, returns true if front conn. transport layer is SSL.
* This function is also usable on backend conn if the fetch keyword 5th
* char is 'b'.
*/
static int static int
smp_fetch_ssl_fc(struct proxy *px, struct session *l4, void *l7, unsigned int opt, smp_fetch_ssl_fc(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp, const char *kw) const struct arg *args, struct sample *smp, const char *kw)
{ {
struct connection *conn = objt_conn(l4->si[0].end); int back_conn = (kw[4] == 'b') ? 1 : 0;
struct connection *conn = objt_conn(l4->si[back_conn].end);
smp->type = SMP_T_BOOL; smp->type = SMP_T_BOOL;
smp->data.uint = (conn && conn->xprt == &ssl_sock); smp->data.uint = (conn && conn->xprt == &ssl_sock);
@ -2671,10 +2675,15 @@ out:
return ret; return ret;
} }
/* string, returns the used cipher if front conn. transport layer is SSL.
* This function is also usable on backend conn if the fetch keyword 5th
* char is 'b'.
*/
static int static int
smp_fetch_ssl_fc_cipher(struct proxy *px, struct session *l4, void *l7, unsigned int opt, smp_fetch_ssl_fc_cipher(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp, const char *kw) const struct arg *args, struct sample *smp, const char *kw)
{ {
int back_conn = (kw[4] == 'b') ? 1 : 0;
struct connection *conn; struct connection *conn;
smp->flags = 0; smp->flags = 0;
@ -2682,7 +2691,7 @@ smp_fetch_ssl_fc_cipher(struct proxy *px, struct session *l4, void *l7, unsigned
if (!l4) if (!l4)
return 0; return 0;
conn = objt_conn(l4->si[0].end); conn = objt_conn(l4->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
@ -2697,10 +2706,16 @@ smp_fetch_ssl_fc_cipher(struct proxy *px, struct session *l4, void *l7, unsigned
return 1; return 1;
} }
/* integer, returns the algoritm's keysize if front conn. transport layer
* is SSL.
* This function is also usable on backend conn if the fetch keyword 5th
* char is 'b'.
*/
static int static int
smp_fetch_ssl_fc_alg_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt, smp_fetch_ssl_fc_alg_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp, const char *kw) const struct arg *args, struct sample *smp, const char *kw)
{ {
int back_conn = (kw[4] == 'b') ? 1 : 0;
struct connection *conn; struct connection *conn;
smp->flags = 0; smp->flags = 0;
@ -2708,7 +2723,7 @@ smp_fetch_ssl_fc_alg_keysize(struct proxy *px, struct session *l4, void *l7, uns
if (!l4) if (!l4)
return 0; return 0;
conn = objt_conn(l4->si[0].end); conn = objt_conn(l4->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
@ -2720,10 +2735,15 @@ smp_fetch_ssl_fc_alg_keysize(struct proxy *px, struct session *l4, void *l7, uns
return 1; return 1;
} }
/* integer, returns the used keysize if front conn. transport layer is SSL.
* This function is also usable on backend conn if the fetch keyword 5th
* char is 'b'.
*/
static int static int
smp_fetch_ssl_fc_use_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt, smp_fetch_ssl_fc_use_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp, const char *kw) const struct arg *args, struct sample *smp, const char *kw)
{ {
int back_conn = (kw[4] == 'b') ? 1 : 0;
struct connection *conn; struct connection *conn;
smp->flags = 0; smp->flags = 0;
@ -2731,7 +2751,7 @@ smp_fetch_ssl_fc_use_keysize(struct proxy *px, struct session *l4, void *l7, uns
if (!l4) if (!l4)
return 0; return 0;
conn = objt_conn(l4->si[0].end); conn = objt_conn(l4->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
@ -2800,10 +2820,15 @@ smp_fetch_ssl_fc_alpn(struct proxy *px, struct session *l4, void *l7, unsigned i
} }
#endif #endif
/* string, returns the used protocol if front conn. transport layer is SSL.
* This function is also usable on backend conn if the fetch keyword 5th
* char is 'b'.
*/
static int static int
smp_fetch_ssl_fc_protocol(struct proxy *px, struct session *l4, void *l7, unsigned int opt, smp_fetch_ssl_fc_protocol(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp, const char *kw) const struct arg *args, struct sample *smp, const char *kw)
{ {
int back_conn = (kw[4] == 'b') ? 1 : 0;
struct connection *conn; struct connection *conn;
smp->flags = 0; smp->flags = 0;
@ -2811,7 +2836,7 @@ smp_fetch_ssl_fc_protocol(struct proxy *px, struct session *l4, void *l7, unsign
if (!l4) if (!l4)
return 0; return 0;
conn = objt_conn(l4->si[0].end); conn = objt_conn(l4->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
@ -2826,11 +2851,16 @@ smp_fetch_ssl_fc_protocol(struct proxy *px, struct session *l4, void *l7, unsign
return 1; return 1;
} }
/* binary, returns the SSL session id if front conn. transport layer is SSL.
* This function is also usable on backend conn if the fetch keyword 5th
* char is 'b'.
*/
static int static int
smp_fetch_ssl_fc_session_id(struct proxy *px, struct session *l4, void *l7, unsigned int opt, smp_fetch_ssl_fc_session_id(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp, const char *kw) const struct arg *args, struct sample *smp, const char *kw)
{ {
#if OPENSSL_VERSION_NUMBER > 0x0090800fL #if OPENSSL_VERSION_NUMBER > 0x0090800fL
int back_conn = (kw[4] == 'b') ? 1 : 0;
SSL_SESSION *sess; SSL_SESSION *sess;
struct connection *conn; struct connection *conn;
@ -2840,7 +2870,7 @@ smp_fetch_ssl_fc_session_id(struct proxy *px, struct session *l4, void *l7, unsi
if (!l4) if (!l4)
return 0; return 0;
conn = objt_conn(l4->si[0].end); conn = objt_conn(l4->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
@ -2891,6 +2921,7 @@ smp_fetch_ssl_fc_unique_id(struct proxy *px, struct session *l4, void *l7, unsig
const struct arg *args, struct sample *smp, const char *kw) const struct arg *args, struct sample *smp, const char *kw)
{ {
#if OPENSSL_VERSION_NUMBER > 0x0090800fL #if OPENSSL_VERSION_NUMBER > 0x0090800fL
int back_conn = (kw[4] == 'b') ? 1 : 0;
struct connection *conn; struct connection *conn;
int finished_len; int finished_len;
int b64_len; int b64_len;
@ -2902,7 +2933,7 @@ smp_fetch_ssl_fc_unique_id(struct proxy *px, struct session *l4, void *l7, unsig
if (!l4) if (!l4)
return 0; return 0;
conn = objt_conn(l4->si[0].end); conn = objt_conn(l4->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
@ -3629,6 +3660,13 @@ static int srv_parse_verifyhost(char **args, int *cur_arg, struct proxy *px, str
* Please take care of keeping this list alphabetically sorted. * Please take care of keeping this list alphabetically sorted.
*/ */
static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, { static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
{ "ssl_bc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_USE_L5SRV },
{ "ssl_bc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_UINT, SMP_USE_L5SRV },
{ "ssl_bc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
{ "ssl_bc_protocol", smp_fetch_ssl_fc_protocol, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
{ "ssl_bc_unique_id", smp_fetch_ssl_fc_unique_id, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
{ "ssl_bc_use_keysize", smp_fetch_ssl_fc_use_keysize, 0, NULL, SMP_T_UINT, SMP_USE_L5SRV },
{ "ssl_bc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
{ "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI }, { "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI },
{ "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI }, { "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI },
{ "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI }, { "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI },
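Review bot: The new entries in the sample_fetch_keywords table break the alphabetical order that the comment just above the table asks for: `{ "ssl_bc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },` is placed after `ssl_bc_use_keysize` but sorts before `ssl_bc_unique_id`, so it should move up between the `ssl_bc_protocol` and `ssl_bc_unique_id` entries. The table definition continues past the end of the hunk. Separately, the shared fetch functions now select the connection with `kw[4] == 'b'`, which silently depends on every keyword routed to them having the front/back discriminator at that fixed offset; a short comment next to each such line, e.g. `/* "ssl_fc..." vs "ssl_bc...": offset 4 selects front (si[0]) or back (si[1]) */`, would make the coupling explicit. If any call path can pass a shorter or NULL kw the test would need a guard, but I cannot tell from the hunks whether that is possible.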