nghttpx: Add client fingerprint and subject name to accesslog
This commit is contained in:
parent
f2b8edd1e2
commit
cb376bcd80
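--- a/PATH-NOT-ON-PAGE-1
+++ b/PATH-NOT-ON-PAGE-1
@@ -191,6 +191,8 @@ LOGVARS = [
 "tls_session_id",
 "tls_session_reused",
 "tls_sni",
+"tls_client_fingerprint",
+"tls_client_subject_name",
 "backend_host",
 "backend_port",
 ]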
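--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -2482,6 +2482,10 @@ Logging:
 the response. For HTTP/1, ALPN is always http/1.1,
 regardless of minor version.
 * $tls_cipher: cipher used for SSL/TLS connection.
+* $tls_client_fingerprint: SHA-256 fingerprint of client
+certificate.
+* $tls_client_subject_name: subject name in client
+certificate.
 * $tls_protocol: protocol for SSL/TLS connection.
 * $tls_session_id: session ID for SSL/TLS connection.
 * $tls_session_reused: "r" if SSL/TLS session was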
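--- a/PATH-NOT-ON-PAGE-3
+++ b/PATH-NOT-ON-PAGE-3
@@ -510,6 +510,24 @@ LogFragmentType log_var_lookup_token(const char *name, size_t namelen) {
 break;
 }
 break;
+case 22:
+switch (name[21]) {
+case 't':
+if (util::strieq_l("tls_client_fingerprin", name, 21)) {
+return SHRPX_LOGF_TLS_CLIENT_FINGERPRINT;
+}
+break;
+}
+break;
+case 23:
+switch (name[22]) {
+case 'e':
+if (util::strieq_l("tls_client_subject_nam", name, 22)) {
+return SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME;
+}
+break;
+}
+break;
 }
 return SHRPX_LOGF_NONE;
 }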
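--- a/PATH-NOT-ON-PAGE-4
+++ b/PATH-NOT-ON-PAGE-4
@@ -533,6 +533,45 @@ void upstream_accesslog(const std::vector<LogFragment> &lfv,
 }
 std::tie(p, last) = copy_escape(lgsp.sni, p, last);
 break;
+case SHRPX_LOGF_TLS_CLIENT_FINGERPRINT: {
+if (!lgsp.ssl) {
+std::tie(p, last) = copy('-', p, last);
+break;
+}
+auto x = SSL_get_peer_certificate(lgsp.ssl);
+if (!x) {
+std::tie(p, last) = copy('-', p, last);
+break;
+}
+std::array<uint8_t, 32> buf;
+auto len = tls::get_x509_fingerprint(buf.data(), buf.size(), x);
+X509_free(x);
+if (len <= 0) {
+std::tie(p, last) = copy('-', p, last);
+break;
+}
+std::tie(p, last) = copy_hex_low(buf.data(), len, p, last);
+break;
+}
+case SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME: {
+if (!lgsp.ssl) {
+std::tie(p, last) = copy('-', p, last);
+break;
+}
+auto x = SSL_get_peer_certificate(lgsp.ssl);
+if (!x) {
+std::tie(p, last) = copy('-', p, last);
+break;
+}
+auto name = tls::get_x509_subject_name(balloc, x);
+X509_free(x);
+if (name.empty()) {
+std::tie(p, last) = copy('-', p, last);
+break;
+}
+std::tie(p, last) = copy(name, p, last);
+break;
+}
 case SHRPX_LOGF_BACKEND_HOST:
 if (!downstream_addr) {
 std::tie(p, last) = copy('-', p, last);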
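Review bot: The client certificate's subject name is written with `copy(name, p, last)`, while the neighbouring `$tls_sni` value in the same switch goes through `copy_escape`; the subject name is text taken from a peer-supplied certificate and can contain spaces, quotes or control characters, so an unescaped copy lets a client shape the access-log line and confuse log parsers. Use `std::tie(p, last) = copy_escape(name, p, last);` so it is escaped like the SNI, unless `tls::get_x509_subject_name` already escapes its output, which is not visible here. The fingerprint path is hex-encoded by `copy_hex_low` and needs no escaping. Both new cases also re-fetch the peer certificate and, for the fingerprint, re-hash it on every access-log line; if this proves costly on connections carrying many requests, the fingerprint and subject name could be computed once per connection alongside `lgsp.ssl`. upstream_accesslog starts and ends outside the hunk.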
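--- a/PATH-NOT-ON-PAGE-5
+++ b/PATH-NOT-ON-PAGE-5
@@ -138,6 +138,8 @@ enum LogFragmentType {
 SHRPX_LOGF_TLS_SESSION_REUSED,
 SHRPX_LOGF_SSL_SESSION_REUSED = SHRPX_LOGF_TLS_SESSION_REUSED,
 SHRPX_LOGF_TLS_SNI,
+SHRPX_LOGF_TLS_CLIENT_FINGERPRINT,
+SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME,
 SHRPX_LOGF_BACKEND_HOST,
 SHRPX_LOGF_BACKEND_PORT,
 };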