
MINOR: conf: rename all ssl modules fetches using prefix 'ssl_fc' and 'ssl_c'

SSL fetches were renamed:
  ssl_fc_* = Front Connection (attributes of the connection itself)
  ssl_c_*  = Client side certificate
Emeric Brun 2012-10-18 15:59:43 +02:00 committed by Willy Tarreau
parent 3476364ce9
commit 2525b6bb92
2 changed files with 109 additions and 102 deletions


@ -8272,15 +8272,6 @@ during analysis. This requires that some data has been buffered, for instance
through TCP request content inspection. Please see the "tcp-request content"
keyword for more detailed information on the subject.
client_crt
Returns true if a client certificate is present in an incoming connection over
SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
is_ssl
Returns true when the incoming connection was made via an SSL/TLS transport
layer and is locally deciphered. This means it has matched a socket declared
with a "bind" line having the "ssl" option.
rep_ssl_hello_type <integer>
Returns true when data in the response buffer looks like a complete SSL (v3
or superior) hello message and handshake type is equal to <integer>.
@ -8364,14 +8355,47 @@ req_ssl_ver <decimal>
SSL transport layer, so this will not work with "bind" lines having the "ssl"
option.
ssl_has_sni
ssl_c_ca_err <integer>
Returns true when the incoming connection was made over an SSL/TLS transport
layer, and the ID of the first error detected during verification of the
client certificate at depth > 0 matches the specified value (check man verify
for possible values). Note that error zero means no error was encountered
during this verification process.
ssl_c_ca_err_depth <integer>
Returns true when the incoming connection was made over an SSL/TLS transport
layer, and the depth in the CA chain of the first error detected during the
verification of the client certificate matches the specified value. When no
error is found, depth 0 is returned.
ssl_c_err <integer>
Returns true when the incoming connection was made over an SSL/TLS transport
layer, and the ID of the first error detected during verification at depth==0
matches the specified value (check man verify for possible values). Note that
error zero means no error was encountered during this verification process.
ssl_c_verify <integer>
Returns true when the incoming connection was made over an SSL/TLS transport
layer, and the verify result matches the specified value (check man verify
for possible values). Zero indicates no error was detected.
ssl_fc
Returns true when the front connection was made via an SSL/TLS transport
layer and is locally deciphered. This means it has matched a socket declared
with a "bind" line having the "ssl" option.
ssl_fc_has_crt
Returns true if a client certificate is present in an incoming connection over
SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
ssl_fc_has_sni
This is used to check for presence of a Server Name Indication TLS extension
in an incoming connection was made over an SSL/TLS transport layer. Returns
true when the incoming connection presents a TLS SNI field. This requires
that the SSL library is build with support for TLS extensions enabled (check
haproxy -vv).
ssl_npn <string>
ssl_fc_npn <string>
Returns true when the incoming connection was made over an SSL/TLS transport
layer which deciphered it and found a Next Protocol Negociation TLS extension
sent by the client, matching the specified string. This requires that the SSL
@ -8380,17 +8404,18 @@ ssl_npn <string>
the "bind" line specifies a protocol list. Also, nothing forces the client to
pick a protocol from this list, any other one may be requested.
ssl_sni <string>
ssl_fc_sni <string>
Returns true when the incoming connection was made over an SSL/TLS transport
layer which deciphered it and found a Server Name Indication TLS extension
sent by the client, matching the specified string. In HTTPS, the SNI field
(when present) is equal to the requested host name. This match is different
from "req_ssl_sni" above in that it applies to the connection being
deciphered by haproxy and not to SSL contents being blindly forwarded.
See also "ssl_sni_end" and "ssl_sni_req" below. This requires that the SSL
library is build with support for TLS extensions enabled (check haproxy -vv).
See also "ssl_fc_sni_end" and "ssl_fc_sni_req" below. This requires that the
SSL library is build with support for TLS extensions enabled (check
haproxy -vv).
ssl_sni_end <string>
ssl_fc_sni_end <string>
Returns true when the incoming connection was made over an SSL/TLS transport
layer which deciphered it and found a Server Name Indication TLS extension
sent by the client, ending like the specified string. In HTTPS, the SNI field
@ -8400,7 +8425,7 @@ ssl_sni_end <string>
requires that the SSL library is build with support for TLS extensions
enabled (check haproxy -vv).
ssl_sni_req <regex>
ssl_fc_sni_reg <regex>
Returns true when the incoming connection was made over an SSL/TLS transport
layer which deciphered it and found a Server Name Indication TLS extension
sent by the client, matching the specified regex. In HTTPS, the SNI field
@ -8410,25 +8435,6 @@ ssl_sni_req <regex>
requires that the SSL library is build with support for TLS extensions
enabled (check haproxy -vv).
ssl_verify_caerr <errorID>
Returns true when the incoming connection was made over an SSL/TLS transport
layer and the ID of the first error detected during verify at depth > 0 match
the errorID.
ssl_verify_caerr_depth <depth>
Returns true when the incoming connection was made over an SSL/TLS transport
layer and the depth of the first error detected during verify match the
depth.
ssl_verify_crterr <errorID>
Returns true when the incoming connection was made over an SSL/TLS transport
layer and the ID of the first error detected during verify at depth == 0
match the errorID.
ssl_verify_result <errorID>
Returns true when the incoming connection was made over an SSL/TLS transport
layer and the verify result match the errorID.
wait_end
Waits for the end of the analysis period to return true. This may be used in
conjunction with content analysis to avoid returning a wrong verdict early.
@ -8969,9 +8975,6 @@ The list of currently supported pattern fetch functions is the following :
shared caches efficiency. Using this with a limited size stick
table also allows one to collect statistics about most commonly
requested objects by host/path.
client_crt
Returns 1 if a client certificate is present in an incoming
connection over SSL/TLS transport layer, otherwise 0.
src This is the source IPv4 address of the client of the session.
It is of type IPv4 and works on both IPv4 and IPv6 tables.
@ -9000,10 +9003,6 @@ The list of currently supported pattern fetch functions is the following :
last one. A typical use is with the X-Forwarded-For header once
converted to IP, associated with an IP stick-table.
is_ssl This checks the transport layer used by incoming connection, and
returns 1 if the connection was made via an SSL/TLS transport
layer, otherwise zero.
path This extracts the request's URL path (without the host part). A
typical use is with prefetch-capable caches, and with portals
which need to aggregate multiple information from databases and
@ -9031,41 +9030,49 @@ The list of currently supported pattern fetch functions is the following :
that this function will be useful but it's available at no cost.
It is of type integer and only works with such tables.
ssl_has_sni This checks the transport layer used by incoming connection, and
ssl_c_ca_err Returns the ID of the first error detected during verify of the
client certificate at depth > 0, or 0 if no error was detected.
ssl_c_ca_err_depth
Returns the depth of the first error detected during verify. If
no error is encountered in the CA chain, zero is returned.
ssl_c_err Returns the ID of the first error detected during verify of the
client certificate at depth == 0, or 0 if no errors.
ssl_c_verify Returns the verify result errorID when the incoming connection
was made over an SSL/TLS transport layer, otherwise zero if no
error is encountered.
ssl_fc This checks the transport layer used on the front connection,
and returns 1 if it was made via an SSL/TLS transport layer,
otherwise zero.
ssl_fc_has_crt
Returns 1 if a client certificate is present in the front
connection over SSL/TLS transport layer, otherwise 0.
ssl_fc_has_sni
This checks the transport layer used by the front connection, and
returns 1 if the connection was made via an SSL/TLS transport
layer and the client sent a Server Name Indication TLS extension,
otherwise zero. This requires that the SSL library is build with
support for TLS extensions enabled (check haproxy -vv).
ssl_npn This extracts the Next Protocol Negociation field from an
ssl_fc_npn This extracts the Next Protocol Negociation field from an
incoming connection made via an SSL/TLS transport layer and
locally deciphered by haproxy. The result is a string containing
the protocol name advertised by the client. The SSL library must
have been built with support for TLS extensions enabled (check
haproxy -vv).
haproxy -vv). See also the "npn" bind keyword.
ssl_sni This extracts the Server Name Indication field from an incoming
ssl_fc_sni This extracts the Server Name Indication field from an incoming
connection made via an SSL/TLS transport layer and locally
deciphered by haproxy. The result typically is a string matching
the HTTPS host name (253 chars or less). The SSL library must
have been built with support for TLS extensions enabled (check
haproxy -vv).
ssl_verify_caerr
Returns the ID of the first error detected during verify at
depth > 0 or 0 if no errors.
ssl_verify_caerr_depth
Returns the depth of the first error detected during verify.
ssl_verify_crterr
Returns the ID of the first error detected during verify at
depth == 0 or 0 if no errors.
ssl_verify_result
Returns the verify result errorID when the incoming connection
was made over an SSL/TLS transport layer.
url This extracts the request's URL as presented in the request. A
typical use is with prefetch-capable caches, and with portals
which need to aggregate multiple information from databases and


@ -1099,8 +1099,8 @@ const char *ssl_sock_get_proto_version(struct connection *conn)
/* boolean, returns true if client cert was present */
static int
smp_fetch_client_crt(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
smp_fetch_ssl_fc_has_crt(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{
if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
return 0;
@ -1118,9 +1118,9 @@ smp_fetch_client_crt(struct proxy *px, struct session *l4, void *l7, unsigned in
}
/* boolean, returns true if transport layer is SSL */
/* boolean, returns true if front conn. transport layer is SSL */
static int
smp_fetch_is_ssl(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
smp_fetch_ssl_fc(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{
smp->type = SMP_T_BOOL;
@ -1128,10 +1128,10 @@ smp_fetch_is_ssl(struct proxy *px, struct session *l4, void *l7, unsigned int op
return 1;
}
/* boolean, returns true if transport layer is SSL */
/* boolean, returns true if client present a SNI */
static int
smp_fetch_has_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
smp_fetch_ssl_fc_has_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
smp->type = SMP_T_BOOL;
@ -1146,8 +1146,8 @@ smp_fetch_has_sni(struct proxy *px, struct session *l4, void *l7, unsigned int o
#ifdef OPENSSL_NPN_NEGOTIATED
static int
smp_fetch_ssl_npn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
smp_fetch_ssl_fc_npn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{
smp->flags = 0;
smp->type = SMP_T_CSTR;
@ -1167,8 +1167,8 @@ smp_fetch_ssl_npn(struct proxy *px, struct session *l4, void *l7, unsigned int o
#endif
static int
smp_fetch_ssl_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
smp_fetch_ssl_fc_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
smp->flags = 0;
@ -1188,9 +1188,9 @@ smp_fetch_ssl_sni(struct proxy *px, struct session *l4, void *l7, unsigned int o
#endif
}
/* integer, returns the first verify error ID in CA */
/* integer, returns the first verify error in CA chain of client certificate chain. */
static int
smp_fetch_verify_caerr(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
smp_fetch_ssl_c_ca_err(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{
if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
@ -1208,9 +1208,9 @@ smp_fetch_verify_caerr(struct proxy *px, struct session *l4, void *l7, unsigned
return 1;
}
/* integer, returns the depth of the first verify error in CA */
/* integer, returns the depth of the first verify error in CA chain of client certificate chain. */
static int
smp_fetch_verify_caerr_depth(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
smp_fetch_ssl_c_ca_err_depth(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{
if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
@ -1228,10 +1228,10 @@ smp_fetch_verify_caerr_depth(struct proxy *px, struct session *l4, void *l7, uns
return 1;
}
/* integer, returns the depth of the first verify error in CA */
/* integer, returns the first verify error on client certificate */
static int
smp_fetch_verify_crterr(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
smp_fetch_ssl_c_err(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{
if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
return 0;
@ -1248,10 +1248,10 @@ smp_fetch_verify_crterr(struct proxy *px, struct session *l4, void *l7, unsigned
return 1;
}
/* integer, returns the verify result */
/* integer, returns the verify result on client cert */
static int
smp_fetch_verify_result(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
smp_fetch_ssl_c_verify(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{
if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
return 0;
@ -1755,17 +1755,17 @@ static int srv_parse_verify(char **args, int *cur_arg, struct proxy *px, struct
* Please take care of keeping this list alphabetically sorted.
*/
static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{
{ "client_crt", smp_fetch_client_crt, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
{ "is_ssl", smp_fetch_is_ssl, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_has_sni", smp_fetch_has_sni, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_fc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_fc_has_crt", smp_fetch_ssl_fc_has_crt, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_fc_has_sni", smp_fetch_ssl_fc_has_sni, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
#ifdef OPENSSL_NPN_NEGOTIATED
{ "ssl_npn", smp_fetch_ssl_npn, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_fc_npn", smp_fetch_ssl_fc_npn, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
#endif
{ "ssl_sni", smp_fetch_ssl_sni, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_verify_caerr", smp_fetch_verify_caerr, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_verify_caerr_depth", smp_fetch_verify_caerr_depth, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_verify_crterr", smp_fetch_verify_crterr, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_verify_result", smp_fetch_verify_result, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_fc_sni", smp_fetch_ssl_fc_sni, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
{ NULL, NULL, 0, 0, 0 },
}};
@ -1773,19 +1773,19 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{
* Please take care of keeping this list alphabetically sorted.
*/
static struct acl_kw_list acl_kws = {{ },{
{ "client_crt", acl_parse_int, smp_fetch_client_crt, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "is_ssl", acl_parse_int, smp_fetch_is_ssl, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_has_sni", acl_parse_int, smp_fetch_has_sni, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
{ "ssl_c_ca_err", acl_parse_int, smp_fetch_ssl_c_ca_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_c_ca_err_depth", acl_parse_int, smp_fetch_ssl_c_ca_err_depth, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_c_err", acl_parse_int, smp_fetch_ssl_c_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_c_verify", acl_parse_int, smp_fetch_ssl_c_verify, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_fc", acl_parse_int, smp_fetch_ssl_fc, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_fc_has_crt", acl_parse_int, smp_fetch_ssl_fc_has_crt, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
{ "ssl_fc_has_sni", acl_parse_int, smp_fetch_ssl_fc_has_sni, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
#ifdef OPENSSL_NPN_NEGOTIATED
{ "ssl_npn", acl_parse_str, smp_fetch_ssl_npn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_fc_npn", acl_parse_str, smp_fetch_ssl_fc_npn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
#endif
{ "ssl_sni", acl_parse_str, smp_fetch_ssl_sni, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_sni_end", acl_parse_str, smp_fetch_ssl_sni, acl_match_end, ACL_USE_L6REQ_PERMANENT, 0 },
{ "ssl_sni_reg", acl_parse_reg, smp_fetch_ssl_sni, acl_match_reg, ACL_USE_L6REQ_PERMANENT, 0 },
{ "ssl_verify_caerr", acl_parse_int, smp_fetch_verify_caerr, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_verify_caerr_depth", acl_parse_int, smp_fetch_verify_caerr_depth, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_verify_crterr", acl_parse_int, smp_fetch_verify_crterr, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_verify_result", acl_parse_int, smp_fetch_verify_result, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_fc_sni", acl_parse_str, smp_fetch_ssl_fc_sni, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_fc_sni_end", acl_parse_str, smp_fetch_ssl_fc_sni, acl_match_end, ACL_USE_L6REQ_PERMANENT, 0 },
{ "ssl_fc_sni_reg", acl_parse_reg, smp_fetch_ssl_fc_sni, acl_match_reg, ACL_USE_L6REQ_PERMANENT, 0 },
{ NULL, NULL, NULL, NULL },
}};
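Review bot: The `ssl_fc_has_crt` ACL entry drops the `ACL_MAY_LOOKUP` flag that the `client_crt` entry it replaces carried (`ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP` became `ACL_USE_L6REQ_PERMANENT`) while the sibling `ssl_fc` entry keeps it; since the commit message describes a pure rename, either restore it, `{ "ssl_fc_has_crt", acl_parse_int, smp_fetch_ssl_fc_has_crt, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },`, or say in the message that the flag change is intended. Whether the flag has any practical effect for a fetch paired with `acl_match_nothing` cannot be told from this hunk, so this may be harmless, but a silent semantic change inside a rename is what a reader will trip over later. Separately, the documentation hunk's cross-reference `See also "ssl_fc_sni_end" and "ssl_fc_sni_req" below` names a keyword that this table does not register: the ACL registered here is `ssl_fc_sni_reg`, which matches the renamed heading, so the see-also should read `ssl_fc_sni_reg`. Note also that the old keywords (`is_ssl`, `client_crt`, `ssl_sni*`, `ssl_verify_*`) are removed with no aliases, so any existing configuration using them will now fail to load; acceptable on a development branch, but worth one line in the commit message.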