Add TLS version and cipher to the accessLog

This commit is contained in:
na4ma4 2021-01-19 18:52:06 +10:00 committed by GitHub
parent 41d22ef17e
commit b05a5c818d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 54 additions and 17 deletions

View file

@ -220,6 +220,8 @@ accessLog:
| `GzipRatio` | The response body compression ratio achieved. | | `GzipRatio` | The response body compression ratio achieved. |
| `Overhead` | The processing time overhead (in nanoseconds) caused by Traefik. | | `Overhead` | The processing time overhead (in nanoseconds) caused by Traefik. |
| `RetryAttempts` | The amount of attempts the request was retried. | | `RetryAttempts` | The amount of attempts the request was retried. |
| `TLSVersion` | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS). |
| `TLSCipher` | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS) |
## Log Rotation ## Log Rotation

View file

@ -70,6 +70,11 @@ const (
Overhead = "Overhead" Overhead = "Overhead"
// RetryAttempts is the map key used for the amount of attempts the request was retried. // RetryAttempts is the map key used for the amount of attempts the request was retried.
RetryAttempts = "RetryAttempts" RetryAttempts = "RetryAttempts"
// TLSVersion is the version of TLS used in the request.
TLSVersion = "TLSVersion"
// TLSCipher is the cipher used in the request.
TLSCipher = "TLSCipher"
) )
// These are written out in the default case when no config is provided to specify keys of interest. // These are written out in the default case when no config is provided to specify keys of interest.
@ -111,6 +116,8 @@ func init() {
allCoreKeys[StartLocal] = struct{}{} allCoreKeys[StartLocal] = struct{}{}
allCoreKeys[Overhead] = struct{}{} allCoreKeys[Overhead] = struct{}{}
allCoreKeys[RetryAttempts] = struct{}{} allCoreKeys[RetryAttempts] = struct{}{}
allCoreKeys[TLSVersion] = struct{}{}
allCoreKeys[TLSCipher] = struct{}{}
} }
// CoreLogData holds the fields computed from the request/response. // CoreLogData holds the fields computed from the request/response.

View file

@ -18,6 +18,7 @@ import (
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
ptypes "github.com/traefik/paerser/types" ptypes "github.com/traefik/paerser/types"
"github.com/traefik/traefik/v2/pkg/log" "github.com/traefik/traefik/v2/pkg/log"
traefiktls "github.com/traefik/traefik/v2/pkg/tls"
"github.com/traefik/traefik/v2/pkg/types" "github.com/traefik/traefik/v2/pkg/types"
) )
@ -209,6 +210,8 @@ func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request, next http
core[RequestScheme] = "http" core[RequestScheme] = "http"
if req.TLS != nil { if req.TLS != nil {
core[RequestScheme] = "https" core[RequestScheme] = "https"
core[TLSVersion] = getRequestTLSVersion(req)
core[TLSCipher] = getRequestTLSCipher(req)
} }
core[ClientAddr] = req.RemoteAddr core[ClientAddr] = req.RemoteAddr
@ -382,3 +385,19 @@ var requestCounter uint64 // Request ID
func nextRequestCount() uint64 { func nextRequestCount() uint64 {
return atomic.AddUint64(&requestCounter, 1) return atomic.AddUint64(&requestCounter, 1)
} }
func getRequestTLSVersion(req *http.Request) string {
if version, ok := traefiktls.VersionsReversed[req.TLS.Version]; ok {
return version
}
return "unknown"
}
func getRequestTLSCipher(req *http.Request) string {
if cypher, ok := traefiktls.CipherSuitesReversed[req.TLS.CipherSuite]; ok {
return cypher
}
return "unknown"
}

View file

@ -355,9 +355,11 @@ func TestLoggerJSON(t *testing.T) {
Duration: assertFloat64NotZero(), Duration: assertFloat64NotZero(),
Overhead: assertFloat64NotZero(), Overhead: assertFloat64NotZero(),
RetryAttempts: assertFloat64(float64(testRetryAttempts)), RetryAttempts: assertFloat64(float64(testRetryAttempts)),
TLSVersion: assertString("1.3"),
TLSCipher: assertString("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
"time": assertNotEmpty(), "time": assertNotEmpty(),
"StartLocal": assertNotEmpty(), StartLocal: assertNotEmpty(),
"StartUTC": assertNotEmpty(), StartUTC: assertNotEmpty(),
}, },
}, },
{ {
@ -772,7 +774,10 @@ func doLoggingTLSOpt(t *testing.T, config *types.AccessLog, enableTLS bool) {
}, },
} }
if enableTLS { if enableTLS {
req.TLS = &tls.ConnectionState{} req.TLS = &tls.ConnectionState{
Version: tls.VersionTLS13,
CipherSuite: tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
}
} }
logger.ServeHTTP(httptest.NewRecorder(), req, http.HandlerFunc(logWriterTestHandlerFunc)) logger.ServeHTTP(httptest.NewRecorder(), req, http.HandlerFunc(logWriterTestHandlerFunc))

View file

@ -2,7 +2,6 @@ package metrics
import ( import (
"context" "context"
"crypto/tls"
"net/http" "net/http"
"strconv" "strconv"
"strings" "strings"
@ -148,18 +147,11 @@ func getMethod(r *http.Request) string {
} }
func getRequestTLSVersion(req *http.Request) string { func getRequestTLSVersion(req *http.Request) string {
switch req.TLS.Version { if version, ok := traefiktls.VersionsReversed[req.TLS.Version]; ok {
case tls.VersionTLS10: return version
return "1.0"
case tls.VersionTLS11:
return "1.1"
case tls.VersionTLS12:
return "1.2"
case tls.VersionTLS13:
return "1.3"
default:
return "unknown"
} }
return "unknown"
} }
func getRequestTLSCipher(req *http.Request) string { func getRequestTLSCipher(req *http.Request) string {

12
pkg/tls/version.go Normal file
View file

@ -0,0 +1,12 @@
package tls
import "crypto/tls"
// VersionsReversed Map of TLS versions from crypto/tls
// Available TLS versions defined at https://golang.org/pkg/crypto/tls/#pkg-constants
var VersionsReversed = map[uint16]string{
tls.VersionTLS10: "1.0",
tls.VersionTLS11: "1.1",
tls.VersionTLS12: "1.2",
tls.VersionTLS13: "1.3",
}