diff --git a/.bleep b/.bleep
index bb498b0..123da4a 100644
--- a/.bleep
+++ b/.bleep
@@ -1 +1 @@
-0775e5b029eff49c2d40283139e58f0a44528a5c
+ad5273b5919ad8d29b7dda93fa9381d10c93f02e
\ No newline at end of file
diff --git a/pingora-core/src/connectors/mod.rs b/pingora-core/src/connectors/mod.rs
index a8a907e..4f41764 100644
--- a/pingora-core/src/connectors/mod.rs
+++ b/pingora-core/src/connectors/mod.rs
@@ -47,6 +47,10 @@ pub struct ConnectorOptions {
 ///
 /// Each individual connection can use their own cert key to override this.
 pub cert_key_file: Option<(String, String)>,
+ /// When enabled allows TLS keys to be written to a file specified by the SSLKEYLOG
+ /// env variable. This can be used by tools like Wireshark to decrypt traffic
+ /// for debugging purposes.
+ pub debug_ssl_keylog: bool,
 /// How many connections to keepalive
 pub keepalive_pool_size: usize,
 /// Optionally offload the connection establishment to dedicated thread pools
@@ -95,6 +99,7 @@ impl ConnectorOptions {
 ConnectorOptions {
 ca_file: server_conf.ca_file.clone(),
 cert_key_file: None, // TODO: use it
+ debug_ssl_keylog: server_conf.upstream_debug_ssl_keylog,
 keepalive_pool_size: server_conf.upstream_keepalive_pool_size,
 offload_threadpool,
 bind_to_v4,
@@ -107,6 +112,7 @@ impl ConnectorOptions {
 ConnectorOptions {
 ca_file: None,
 cert_key_file: None,
+ debug_ssl_keylog: false,
 keepalive_pool_size,
 offload_threadpool: None,
 bind_to_v4: vec![],
diff --git a/pingora-core/src/connectors/tls.rs b/pingora-core/src/connectors/tls.rs
index 1950d8f..7cdbab0 100644
--- a/pingora-core/src/connectors/tls.rs
+++ b/pingora-core/src/connectors/tls.rs
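Review bot: The new doc comment on `debug_ssl_keylog` names the environment variable `SSLKEYLOG`, but the code in connectors/tls.rs that consumes this flag reads `SSLKEYLOGFILE`, so an operator following the docs sets the wrong variable and gets no key log; the same wording appears in the `upstream_debug_ssl_keylog` doc in server/configuration/mod.rs. Suggest `/// When enabled allows TLS keys to be written to a file specified by the SSLKEYLOGFILE` in both places. The doc would also be more useful if it said plainly that the file holds the session secrets needed to decrypt upstream traffic, since this field is the only switch that gates the behaviour.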
@@ -121,6 +121,21 @@ impl Connector {
 builder.set_private_key_file(key, SslFiletype::PEM).unwrap();
 }
+ if conf.debug_ssl_keylog {
+ // write TLS keys to file specified by SSLKEYLOGFILE if it exists
+ if let Some(keylog) = std::env::var_os("SSLKEYLOGFILE").and_then(|path| {
+ std::fs::OpenOptions::new()
+ .append(true)
+ .create(true)
+ .open(path)
+ .ok()
+ }) {
+ use std::io::Write;
+ builder.set_keylog_callback(move |_, line| {
+ let _ = writeln!(&keylog, "{}", line);
+ });
+ }
+ }
 } else {
 init_ssl_cert_env_vars();
 builder.set_default_verify_paths().unwrap();
diff --git a/pingora-core/src/server/configuration/mod.rs b/pingora-core/src/server/configuration/mod.rs
index 4da530c..b556cc7 100644
--- a/pingora-core/src/server/configuration/mod.rs
+++ b/pingora-core/src/server/configuration/mod.rs
@@ -83,6 +83,11 @@ pub struct ServerConf {
 /// See [`ConnectorOptions`].
 /// Note: this is an _unstable_ field that may be renamed or removed in the future.
 pub upstream_connect_offload_thread_per_pool: Option,
+ /// When enabled allows TLS keys to be written to a file specified by the SSLKEYLOG
+ /// env variable. This can be used by tools like Wireshark to decrypt upstream traffic
+ /// for debugging purposes.
+ /// Note: this is an _unstable_ field that may be renamed or removed in the future.
+ pub upstream_debug_ssl_keylog: bool,
 }
 impl Default for ServerConf {
@@ -94,6 +99,7 @@ impl Default for ServerConf {
 ca_file: None,
 daemon: false,
 error_log: None,
+ upstream_debug_ssl_keylog: false,
 pid_file: "/tmp/pingora.pid".to_string(),
 upgrade_sock: "/tmp/pingora_upgrade.sock".to_string(),
 user: None,
@@ -239,6 +245,7 @@ mod tests {
 ca_file: None,
 daemon: false,
 error_log: None,
+ upstream_debug_ssl_keylog: false,
 pid_file: "".to_string(),
 upgrade_sock: "".to_string(),
 user: None,
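Review bot: The key log file is opened with `OpenOptions::new().append(true).create(true)` and no mode, so when it does not already exist it is created with the process's umask-default permissions (commonly 0644) and the session secrets it holds become readable by every local user. On Unix targets add `use std::os::unix::fs::OpenOptionsExt;` and `.mode(0o600)` to the builder chain before `.open(path)`. The `.ok()` on `open` also swallows the error, so a misconfigured path or a permission failure leaves the flag silently inactive; logging a warning on the `Err` branch would make that visible. Separately, `writeln!` on an unbuffered `&File` can issue more than one write call per line, so with several connections logging at once a key line and its newline may interleave in the file; formatting the record into a `String` first and calling `write_all` once keeps each record to a single append write. The enclosing method of `impl Connector` starts and ends outside the hunk.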