nghttpx: Add client fingerprint and subject name to accesslog

Tatsuhiro Tsujikawa 2017-10-29 21:44:51 +09:00
parent f2b8edd1e2
commit cb376bcd80
5 changed files with 65 additions and 0 deletions


@ -191,6 +191,8 @@ LOGVARS = [
"tls_session_id", "tls_session_id",
"tls_session_reused", "tls_session_reused",
"tls_sni", "tls_sni",
"tls_client_fingerprint",
"tls_client_subject_name",
"backend_host", "backend_host",
"backend_port", "backend_port",
] ]


@ -2482,6 +2482,10 @@ Logging:
the response. For HTTP/1, ALPN is always http/1.1, the response. For HTTP/1, ALPN is always http/1.1,
regardless of minor version. regardless of minor version.
* $tls_cipher: cipher used for SSL/TLS connection. * $tls_cipher: cipher used for SSL/TLS connection.
* $tls_client_fingerprint: SHA-256 fingerprint of client
certificate.
* $tls_client_subject_name: subject name in client
certificate.
* $tls_protocol: protocol for SSL/TLS connection. * $tls_protocol: protocol for SSL/TLS connection.
* $tls_session_id: session ID for SSL/TLS connection. * $tls_session_id: session ID for SSL/TLS connection.
* $tls_session_reused: "r" if SSL/TLS session was * $tls_session_reused: "r" if SSL/TLS session was


@ -510,6 +510,24 @@ LogFragmentType log_var_lookup_token(const char *name, size_t namelen) {
break; break;
} }
break; break;
case 22:
switch (name[21]) {
case 't':
if (util::strieq_l("tls_client_fingerprin", name, 21)) {
return SHRPX_LOGF_TLS_CLIENT_FINGERPRINT;
}
break;
}
break;
case 23:
switch (name[22]) {
case 'e':
if (util::strieq_l("tls_client_subject_nam", name, 22)) {
return SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME;
}
break;
}
break;
} }
return SHRPX_LOGF_NONE; return SHRPX_LOGF_NONE;
} }


@ -533,6 +533,45 @@ void upstream_accesslog(const std::vector<LogFragment> &lfv,
} }
std::tie(p, last) = copy_escape(lgsp.sni, p, last); std::tie(p, last) = copy_escape(lgsp.sni, p, last);
break; break;
case SHRPX_LOGF_TLS_CLIENT_FINGERPRINT: {
if (!lgsp.ssl) {
std::tie(p, last) = copy('-', p, last);
break;
}
auto x = SSL_get_peer_certificate(lgsp.ssl);
if (!x) {
std::tie(p, last) = copy('-', p, last);
break;
}
std::array<uint8_t, 32> buf;
auto len = tls::get_x509_fingerprint(buf.data(), buf.size(), x);
X509_free(x);
if (len <= 0) {
std::tie(p, last) = copy('-', p, last);
break;
}
std::tie(p, last) = copy_hex_low(buf.data(), len, p, last);
break;
}
case SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME: {
if (!lgsp.ssl) {
std::tie(p, last) = copy('-', p, last);
break;
}
auto x = SSL_get_peer_certificate(lgsp.ssl);
if (!x) {
std::tie(p, last) = copy('-', p, last);
break;
}
auto name = tls::get_x509_subject_name(balloc, x);
X509_free(x);
if (name.empty()) {
std::tie(p, last) = copy('-', p, last);
break;
}
std::tie(p, last) = copy(name, p, last);
break;
}
case SHRPX_LOGF_BACKEND_HOST: case SHRPX_LOGF_BACKEND_HOST:
if (!downstream_addr) { if (!downstream_addr) {
std::tie(p, last) = copy('-', p, last); std::tie(p, last) = copy('-', p, last);
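Review bot: The subject name is emitted with `copy(name, p, last)` at the end of the new SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME case, while the sibling sni case just above it uses `copy_escape`; a certificate subject is chosen by whoever presents the certificate and may contain whitespace, quotes or control characters, so unless tls::get_x509_subject_name already escapes its output (not visible in this hunk) the line should read `std::tie(p, last) = copy_escape(name, p, last);` to keep the access log line well-formed for downstream parsers. Both new cases also repeat the same SSL_get_peer_certificate / null-check / X509_free sequence; a small helper that returns the peer certificate or nullptr would remove the duplication and keep the X509_free pairing in one place. A short comment on the SHRPX_LOGF_TLS_CLIENT_FINGERPRINT case such as `// Fingerprint/subject of the certificate the peer presented; whether it was verified is decided by the configured client verification mode, not here` would help log consumers avoid reading these fields as an authenticated identity. upstream_accesslog begins and ends outside the hunk.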


@ -138,6 +138,8 @@ enum LogFragmentType {
SHRPX_LOGF_TLS_SESSION_REUSED, SHRPX_LOGF_TLS_SESSION_REUSED,
SHRPX_LOGF_SSL_SESSION_REUSED = SHRPX_LOGF_TLS_SESSION_REUSED, SHRPX_LOGF_SSL_SESSION_REUSED = SHRPX_LOGF_TLS_SESSION_REUSED,
SHRPX_LOGF_TLS_SNI, SHRPX_LOGF_TLS_SNI,
SHRPX_LOGF_TLS_CLIENT_FINGERPRINT,
SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME,
SHRPX_LOGF_BACKEND_HOST, SHRPX_LOGF_BACKEND_HOST,
SHRPX_LOGF_BACKEND_PORT, SHRPX_LOGF_BACKEND_PORT,
}; };