Add tls upstream support for SSLKEYLOG to allow decryption of traffic for debugging purposes

.bleep

@@ -1 +1 @@
-0775e5b029eff49c2d40283139e58f0a44528a5c
+ad5273b5919ad8d29b7dda93fa9381d10c93f02e

pingora-core/src/connectors/mod.rs

@@ -47,6 +47,10 @@ pub struct ConnectorOptions {
     ///
     /// Each individual connection can use their own cert key to override this.
     pub cert_key_file: Option<(String, String)>,
+    /// When enabled allows TLS keys to be written to a file specified by the SSLKEYLOG
+    /// env variable. This can be used by tools like Wireshark to decrypt traffic
+    /// for debugging purposes.
+    pub debug_ssl_keylog: bool,
     /// How many connections to keepalive
     pub keepalive_pool_size: usize,
     /// Optionally offload the connection establishment to dedicated thread pools
@@ -95,6 +99,7 @@ impl ConnectorOptions {
         ConnectorOptions {
             ca_file: server_conf.ca_file.clone(),
             cert_key_file: None, // TODO: use it
+            debug_ssl_keylog: server_conf.upstream_debug_ssl_keylog,
             keepalive_pool_size: server_conf.upstream_keepalive_pool_size,
             offload_threadpool,
             bind_to_v4,
@@ -107,6 +112,7 @@ impl ConnectorOptions {
         ConnectorOptions {
             ca_file: None,
             cert_key_file: None,
+            debug_ssl_keylog: false,
             keepalive_pool_size,
             offload_threadpool: None,
             bind_to_v4: vec![],

pingora-core/src/connectors/tls.rs

@@ -121,6 +121,21 @@ impl Connector {
 
                 builder.set_private_key_file(key, SslFiletype::PEM).unwrap();
             }
+            if conf.debug_ssl_keylog {
+                // write TLS keys to file specified by SSLKEYLOGFILE if it exists
+                if let Some(keylog) = std::env::var_os("SSLKEYLOGFILE").and_then(|path| {
+                    std::fs::OpenOptions::new()
+                        .append(true)
+                        .create(true)
+                        .open(path)
+                        .ok()
+                }) {
+                    use std::io::Write;
+                    builder.set_keylog_callback(move |_, line| {
+                        let _ = writeln!(&keylog, "{}", line);
+                    });
+                }
+            }
         } else {
             init_ssl_cert_env_vars();
             builder.set_default_verify_paths().unwrap();

pingora-core/src/server/configuration/mod.rs

@@ -83,6 +83,11 @@ pub struct ServerConf {
     /// See [`ConnectorOptions`].
     /// Note: this is an _unstable_ field that may be renamed or removed in the future.
     pub upstream_connect_offload_thread_per_pool: Option<usize>,
+    /// When enabled allows TLS keys to be written to a file specified by the SSLKEYLOG
+    /// env variable. This can be used by tools like Wireshark to decrypt upstream traffic
+    /// for debugging purposes.
+    /// Note: this is an _unstable_ field that may be renamed or removed in the future.
+    pub upstream_debug_ssl_keylog: bool,
 }
 
 impl Default for ServerConf {
@@ -94,6 +99,7 @@ impl Default for ServerConf {
             ca_file: None,
             daemon: false,
             error_log: None,
+            upstream_debug_ssl_keylog: false,
             pid_file: "/tmp/pingora.pid".to_string(),
             upgrade_sock: "/tmp/pingora_upgrade.sock".to_string(),
             user: None,
@@ -239,6 +245,7 @@ mod tests {
             ca_file: None,
             daemon: false,
             error_log: None,
+            upstream_debug_ssl_keylog: false,
             pid_file: "".to_string(),
             upgrade_sock: "".to_string(),
             user: None,