Add tls upstream support for SSLKEYLOG to allow decryption of traffic for debugging purposes
This commit is contained in:
parent
61b046bb5b
commit
fca0532950
4 changed files with 29 additions and 1 deletions
2
.bleep
2
.bleep
|
@ -1 +1 @@
|
|||
0775e5b029eff49c2d40283139e58f0a44528a5c
|
||||
ad5273b5919ad8d29b7dda93fa9381d10c93f02e
|
|
@ -47,6 +47,10 @@ pub struct ConnectorOptions {
|
|||
///
|
||||
/// Each individual connection can use their own cert key to override this.
|
||||
pub cert_key_file: Option<(String, String)>,
|
||||
/// When enabled allows TLS keys to be written to a file specified by the SSLKEYLOG
|
||||
/// env variable. This can be used by tools like Wireshark to decrypt traffic
|
||||
/// for debugging purposes.
|
||||
pub debug_ssl_keylog: bool,
|
||||
/// How many connections to keepalive
|
||||
pub keepalive_pool_size: usize,
|
||||
/// Optionally offload the connection establishment to dedicated thread pools
|
||||
|
@ -95,6 +99,7 @@ impl ConnectorOptions {
|
|||
ConnectorOptions {
|
||||
ca_file: server_conf.ca_file.clone(),
|
||||
cert_key_file: None, // TODO: use it
|
||||
debug_ssl_keylog: server_conf.upstream_debug_ssl_keylog,
|
||||
keepalive_pool_size: server_conf.upstream_keepalive_pool_size,
|
||||
offload_threadpool,
|
||||
bind_to_v4,
|
||||
|
@ -107,6 +112,7 @@ impl ConnectorOptions {
|
|||
ConnectorOptions {
|
||||
ca_file: None,
|
||||
cert_key_file: None,
|
||||
debug_ssl_keylog: false,
|
||||
keepalive_pool_size,
|
||||
offload_threadpool: None,
|
||||
bind_to_v4: vec![],
|
||||
|
|
|
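Review bot: The doc comment on the new `debug_ssl_keylog` field says the path comes from the `SSLKEYLOG` env variable, but the connector code reads `SSLKEYLOGFILE` (the conventional name used by browsers and capture tooling), so the documentation points operators at a variable that is never consulted; the same wording appears on `upstream_debug_ssl_keylog` in the ServerConf hunk and should be corrected there too. The first line should read `/// When enabled allows TLS keys to be written to a file specified by the SSLKEYLOGFILE`. The `ConnectorOptions` struct and both constructors begin outside their hunks, so the surrounding fields are not visible here.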
@ -121,6 +121,21 @@ impl Connector {
|
|||
|
||||
builder.set_private_key_file(key, SslFiletype::PEM).unwrap();
|
||||
}
|
||||
if conf.debug_ssl_keylog {
|
||||
// write TLS keys to file specified by SSLKEYLOGFILE if it exists
|
||||
if let Some(keylog) = std::env::var_os("SSLKEYLOGFILE").and_then(|path| {
|
||||
std::fs::OpenOptions::new()
|
||||
.append(true)
|
||||
.create(true)
|
||||
.open(path)
|
||||
.ok()
|
||||
}) {
|
||||
use std::io::Write;
|
||||
builder.set_keylog_callback(move |_, line| {
|
||||
let _ = writeln!(&keylog, "{}", line);
|
||||
});
|
||||
}
|
||||
}
|
||||
} else {
|
||||
init_ssl_cert_env_vars();
|
||||
builder.set_default_verify_paths().unwrap();
|
||||
|
|
|
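Review bot: The key log file opened through `std::fs::OpenOptions::new()` is created with the process's default mode, yet every line the callback writes is a TLS session secret that lets anyone who can read the file decrypt the upstream connection; on Unix the options should also carry `.mode(0o600)` via `std::os::unix::fs::OpenOptionsExt` (the mode only takes effect when `create(true)` actually creates the file, so a pre-existing permissive file would still need attention). Separately, `writeln!(&keylog, "{}", line)` writes through an unbuffered `&File`, so the line and its trailing newline may reach the file as separate writes and interleave when several handshakes run concurrently; building the line first and issuing a single `write_all` avoids that. A failed open currently disables key logging silently, so the misconfiguration is invisible; a log line in that branch would help. The enclosing function starts and ends outside the hunk.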
@ -83,6 +83,11 @@ pub struct ServerConf {
|
|||
/// See [`ConnectorOptions`].
|
||||
/// Note: this is an _unstable_ field that may be renamed or removed in the future.
|
||||
pub upstream_connect_offload_thread_per_pool: Option<usize>,
|
||||
/// When enabled allows TLS keys to be written to a file specified by the SSLKEYLOG
|
||||
/// env variable. This can be used by tools like Wireshark to decrypt upstream traffic
|
||||
/// for debugging purposes.
|
||||
/// Note: this is an _unstable_ field that may be renamed or removed in the future.
|
||||
pub upstream_debug_ssl_keylog: bool,
|
||||
}
|
||||
|
||||
impl Default for ServerConf {
|
||||
|
@ -94,6 +99,7 @@ impl Default for ServerConf {
|
|||
ca_file: None,
|
||||
daemon: false,
|
||||
error_log: None,
|
||||
upstream_debug_ssl_keylog: false,
|
||||
pid_file: "/tmp/pingora.pid".to_string(),
|
||||
upgrade_sock: "/tmp/pingora_upgrade.sock".to_string(),
|
||||
user: None,
|
||||
|
@ -239,6 +245,7 @@ mod tests {
|
|||
ca_file: None,
|
||||
daemon: false,
|
||||
error_log: None,
|
||||
upstream_debug_ssl_keylog: false,
|
||||
pid_file: "".to_string(),
|
||||
upgrade_sock: "".to_string(),
|
||||
user: None,
|
||||
|
|
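Review bot: The doc comment on `upstream_debug_ssl_keylog` describes the mechanism but not its consequence: the file receives per-session TLS secrets, so anyone able to read it can decrypt captured upstream traffic, and a configuration reader deserves to know that before enabling it. Suggest adding, before the existing unstable-field note, `/// The key log contains session secrets: anyone who can read the file can decrypt the captured upstream traffic, so leave this disabled outside debugging sessions.` In the `Default` and test hunks the field is placed between `error_log` and `pid_file` rather than beside the other `upstream_*` fields, which makes the struct literal harder to scan against the declaration. `ServerConf` and the `Default` impl begin outside their hunks.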