nghttpx: Add client fingerprint and subject name to accesslog
parent
f2b8edd1e2
commit
cb376bcd80
|
@ -191,6 +191,8 @@ LOGVARS = [
|
|||
"tls_session_id",
|
||||
"tls_session_reused",
|
||||
"tls_sni",
|
||||
"tls_client_fingerprint",
|
||||
"tls_client_subject_name",
|
||||
"backend_host",
|
||||
"backend_port",
|
||||
]
|
||||
|
|
|
@ -2482,6 +2482,10 @@ Logging:
|
|||
the response. For HTTP/1, ALPN is always http/1.1,
|
||||
regardless of minor version.
|
||||
* $tls_cipher: cipher used for SSL/TLS connection.
|
||||
* $tls_client_fingerprint: SHA-256 fingerprint of client
|
||||
certificate.
|
||||
* $tls_client_subject_name: subject name in client
|
||||
certificate.
|
||||
* $tls_protocol: protocol for SSL/TLS connection.
|
||||
* $tls_session_id: session ID for SSL/TLS connection.
|
||||
* $tls_session_reused: "r" if SSL/TLS session was
|
||||
|
|
|
@ -510,6 +510,24 @@ LogFragmentType log_var_lookup_token(const char *name, size_t namelen) {
|
|||
break;
|
||||
}
|
||||
break;
|
||||
case 22:
|
||||
switch (name[21]) {
|
||||
case 't':
|
||||
if (util::strieq_l("tls_client_fingerprin", name, 21)) {
|
||||
return SHRPX_LOGF_TLS_CLIENT_FINGERPRINT;
|
||||
}
|
||||
break;
|
||||
}
|
||||
break;
|
||||
case 23:
|
||||
switch (name[22]) {
|
||||
case 'e':
|
||||
if (util::strieq_l("tls_client_subject_nam", name, 22)) {
|
||||
return SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME;
|
||||
}
|
||||
break;
|
||||
}
|
||||
break;
|
||||
}
|
||||
return SHRPX_LOGF_NONE;
|
||||
}
|
||||
|
|
|
@ -533,6 +533,45 @@ void upstream_accesslog(const std::vector<LogFragment> &lfv,
|
|||
}
|
||||
std::tie(p, last) = copy_escape(lgsp.sni, p, last);
|
||||
break;
|
||||
case SHRPX_LOGF_TLS_CLIENT_FINGERPRINT: {
|
||||
if (!lgsp.ssl) {
|
||||
std::tie(p, last) = copy('-', p, last);
|
||||
break;
|
||||
}
|
||||
auto x = SSL_get_peer_certificate(lgsp.ssl);
|
||||
if (!x) {
|
||||
std::tie(p, last) = copy('-', p, last);
|
||||
break;
|
||||
}
|
||||
std::array<uint8_t, 32> buf;
|
||||
auto len = tls::get_x509_fingerprint(buf.data(), buf.size(), x);
|
||||
X509_free(x);
|
||||
if (len <= 0) {
|
||||
std::tie(p, last) = copy('-', p, last);
|
||||
break;
|
||||
}
|
||||
std::tie(p, last) = copy_hex_low(buf.data(), len, p, last);
|
||||
break;
|
||||
}
|
||||
case SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME: {
|
||||
if (!lgsp.ssl) {
|
||||
std::tie(p, last) = copy('-', p, last);
|
||||
break;
|
||||
}
|
||||
auto x = SSL_get_peer_certificate(lgsp.ssl);
|
||||
if (!x) {
|
||||
std::tie(p, last) = copy('-', p, last);
|
||||
break;
|
||||
}
|
||||
auto name = tls::get_x509_subject_name(balloc, x);
|
||||
X509_free(x);
|
||||
if (name.empty()) {
|
||||
std::tie(p, last) = copy('-', p, last);
|
||||
break;
|
||||
}
|
||||
std::tie(p, last) = copy(name, p, last);
|
||||
break;
|
||||
}
|
||||
case SHRPX_LOGF_BACKEND_HOST:
|
||||
if (!downstream_addr) {
|
||||
std::tie(p, last) = copy('-', p, last);
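Review bot: In the `SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME` case the subject is written with `copy(name, p, last)`, whereas the SNI case just above writes its client-supplied value with `copy_escape`. The subject name comes from the certificate the peer presented, so unless `tls::get_x509_subject_name` (not visible in this hunk) already escapes control characters and quotes, the value can break the access-log line format or mislead log parsers. Using `std::tie(p, last) = copy_escape(name, p, last);` would keep the two cases consistent. It would also help to add a comment on both new cases such as `// value is taken from the peer certificate as presented; do not treat it as an authenticated identity unless client verification is enforced`, since the hunk does not show whether verification has succeeded at this point. The body of `upstream_accesslog` starts and ends outside the hunk.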
|
||||
|
|
|
@ -138,6 +138,8 @@ enum LogFragmentType {
|
|||
SHRPX_LOGF_TLS_SESSION_REUSED,
|
||||
SHRPX_LOGF_SSL_SESSION_REUSED = SHRPX_LOGF_TLS_SESSION_REUSED,
|
||||
SHRPX_LOGF_TLS_SNI,
|
||||
SHRPX_LOGF_TLS_CLIENT_FINGERPRINT,
|
||||
SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME,
|
||||
SHRPX_LOGF_BACKEND_HOST,
|
||||
SHRPX_LOGF_BACKEND_PORT,
|
||||
};
|
||||
|
|