Add TLS version and cipher to the accessLog
This commit is contained in:
parent
41d22ef17e
commit
b05a5c818d
6 changed files with 54 additions and 17 deletions
|
@ -209,7 +209,7 @@ accessLog:
|
||||||
| `RequestScheme` | The HTTP scheme requested `http` or `https`. |
|
| `RequestScheme` | The HTTP scheme requested `http` or `https`. |
|
||||||
| `RequestLine` | `RequestMethod` + `RequestPath` + `RequestProtocol` |
|
| `RequestLine` | `RequestMethod` + `RequestPath` + `RequestProtocol` |
|
||||||
| `RequestContentSize` | The number of bytes in the request entity (a.k.a. body) sent by the client. |
|
| `RequestContentSize` | The number of bytes in the request entity (a.k.a. body) sent by the client. |
|
||||||
| `OriginDuration` | The time taken (in nanoseconds) by the origin server ('upstream') to return its response. |
|
| `OriginDuration` | The time taken (in nanoseconds) by the origin server ('upstream') to return its response. |
|
||||||
| `OriginContentSize` | The content length specified by the origin server, or 0 if unspecified. |
|
| `OriginContentSize` | The content length specified by the origin server, or 0 if unspecified. |
|
||||||
| `OriginStatus` | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent. |
|
| `OriginStatus` | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent. |
|
||||||
| `OriginStatusLine` | `OriginStatus` + Status code explanation |
|
| `OriginStatusLine` | `OriginStatus` + Status code explanation |
|
||||||
|
@ -218,8 +218,10 @@ accessLog:
|
||||||
| `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
|
| `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
|
||||||
| `RequestCount` | The number of requests received since the Traefik instance started. |
|
| `RequestCount` | The number of requests received since the Traefik instance started. |
|
||||||
| `GzipRatio` | The response body compression ratio achieved. |
|
| `GzipRatio` | The response body compression ratio achieved. |
|
||||||
| `Overhead` | The processing time overhead (in nanoseconds) caused by Traefik. |
|
| `Overhead` | The processing time overhead (in nanoseconds) caused by Traefik. |
|
||||||
| `RetryAttempts` | The amount of attempts the request was retried. |
|
| `RetryAttempts` | The amount of attempts the request was retried. |
|
||||||
|
| `TLSVersion` | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS). |
|
||||||
|
| `TLSCipher` | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS) |
|
||||||
|
|
||||||
## Log Rotation
|
## Log Rotation
|
||||||
|
|
||||||
|
|
|
@ -70,6 +70,11 @@ const (
|
||||||
Overhead = "Overhead"
|
Overhead = "Overhead"
|
||||||
// RetryAttempts is the map key used for the amount of attempts the request was retried.
|
// RetryAttempts is the map key used for the amount of attempts the request was retried.
|
||||||
RetryAttempts = "RetryAttempts"
|
RetryAttempts = "RetryAttempts"
|
||||||
|
|
||||||
|
// TLSVersion is the version of TLS used in the request.
|
||||||
|
TLSVersion = "TLSVersion"
|
||||||
|
// TLSCipher is the cipher used in the request.
|
||||||
|
TLSCipher = "TLSCipher"
|
||||||
)
|
)
|
||||||
|
|
||||||
// These are written out in the default case when no config is provided to specify keys of interest.
|
// These are written out in the default case when no config is provided to specify keys of interest.
|
||||||
|
@ -111,6 +116,8 @@ func init() {
|
||||||
allCoreKeys[StartLocal] = struct{}{}
|
allCoreKeys[StartLocal] = struct{}{}
|
||||||
allCoreKeys[Overhead] = struct{}{}
|
allCoreKeys[Overhead] = struct{}{}
|
||||||
allCoreKeys[RetryAttempts] = struct{}{}
|
allCoreKeys[RetryAttempts] = struct{}{}
|
||||||
|
allCoreKeys[TLSVersion] = struct{}{}
|
||||||
|
allCoreKeys[TLSCipher] = struct{}{}
|
||||||
}
|
}
|
||||||
|
|
||||||
// CoreLogData holds the fields computed from the request/response.
|
// CoreLogData holds the fields computed from the request/response.
|
||||||
|
|
|
@ -18,6 +18,7 @@ import (
|
||||||
"github.com/sirupsen/logrus"
|
"github.com/sirupsen/logrus"
|
||||||
ptypes "github.com/traefik/paerser/types"
|
ptypes "github.com/traefik/paerser/types"
|
||||||
"github.com/traefik/traefik/v2/pkg/log"
|
"github.com/traefik/traefik/v2/pkg/log"
|
||||||
|
traefiktls "github.com/traefik/traefik/v2/pkg/tls"
|
||||||
"github.com/traefik/traefik/v2/pkg/types"
|
"github.com/traefik/traefik/v2/pkg/types"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -209,6 +210,8 @@ func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request, next http
|
||||||
core[RequestScheme] = "http"
|
core[RequestScheme] = "http"
|
||||||
if req.TLS != nil {
|
if req.TLS != nil {
|
||||||
core[RequestScheme] = "https"
|
core[RequestScheme] = "https"
|
||||||
|
core[TLSVersion] = getRequestTLSVersion(req)
|
||||||
|
core[TLSCipher] = getRequestTLSCipher(req)
|
||||||
}
|
}
|
||||||
|
|
||||||
core[ClientAddr] = req.RemoteAddr
|
core[ClientAddr] = req.RemoteAddr
|
||||||
|
@ -382,3 +385,19 @@ var requestCounter uint64 // Request ID
|
||||||
func nextRequestCount() uint64 {
|
func nextRequestCount() uint64 {
|
||||||
return atomic.AddUint64(&requestCounter, 1)
|
return atomic.AddUint64(&requestCounter, 1)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getRequestTLSVersion(req *http.Request) string {
|
||||||
|
if version, ok := traefiktls.VersionsReversed[req.TLS.Version]; ok {
|
||||||
|
return version
|
||||||
|
}
|
||||||
|
|
||||||
|
return "unknown"
|
||||||
|
}
|
||||||
|
|
||||||
|
func getRequestTLSCipher(req *http.Request) string {
|
||||||
|
if cypher, ok := traefiktls.CipherSuitesReversed[req.TLS.CipherSuite]; ok {
|
||||||
|
return cypher
|
||||||
|
}
|
||||||
|
|
||||||
|
return "unknown"
|
||||||
|
}
|
||||||
|
|
|
@ -355,9 +355,11 @@ func TestLoggerJSON(t *testing.T) {
|
||||||
Duration: assertFloat64NotZero(),
|
Duration: assertFloat64NotZero(),
|
||||||
Overhead: assertFloat64NotZero(),
|
Overhead: assertFloat64NotZero(),
|
||||||
RetryAttempts: assertFloat64(float64(testRetryAttempts)),
|
RetryAttempts: assertFloat64(float64(testRetryAttempts)),
|
||||||
|
TLSVersion: assertString("1.3"),
|
||||||
|
TLSCipher: assertString("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
|
||||||
"time": assertNotEmpty(),
|
"time": assertNotEmpty(),
|
||||||
"StartLocal": assertNotEmpty(),
|
StartLocal: assertNotEmpty(),
|
||||||
"StartUTC": assertNotEmpty(),
|
StartUTC: assertNotEmpty(),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -772,7 +774,10 @@ func doLoggingTLSOpt(t *testing.T, config *types.AccessLog, enableTLS bool) {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
if enableTLS {
|
if enableTLS {
|
||||||
req.TLS = &tls.ConnectionState{}
|
req.TLS = &tls.ConnectionState{
|
||||||
|
Version: tls.VersionTLS13,
|
||||||
|
CipherSuite: tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
logger.ServeHTTP(httptest.NewRecorder(), req, http.HandlerFunc(logWriterTestHandlerFunc))
|
logger.ServeHTTP(httptest.NewRecorder(), req, http.HandlerFunc(logWriterTestHandlerFunc))
|
||||||
|
|
|
@ -2,7 +2,6 @@ package metrics
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"crypto/tls"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
|
@ -148,18 +147,11 @@ func getMethod(r *http.Request) string {
|
||||||
}
|
}
|
||||||
|
|
||||||
func getRequestTLSVersion(req *http.Request) string {
|
func getRequestTLSVersion(req *http.Request) string {
|
||||||
switch req.TLS.Version {
|
if version, ok := traefiktls.VersionsReversed[req.TLS.Version]; ok {
|
||||||
case tls.VersionTLS10:
|
return version
|
||||||
return "1.0"
|
|
||||||
case tls.VersionTLS11:
|
|
||||||
return "1.1"
|
|
||||||
case tls.VersionTLS12:
|
|
||||||
return "1.2"
|
|
||||||
case tls.VersionTLS13:
|
|
||||||
return "1.3"
|
|
||||||
default:
|
|
||||||
return "unknown"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return "unknown"
|
||||||
}
|
}
|
||||||
|
|
||||||
func getRequestTLSCipher(req *http.Request) string {
|
func getRequestTLSCipher(req *http.Request) string {
|
||||||
|
|
12
pkg/tls/version.go
Normal file
12
pkg/tls/version.go
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
package tls
|
||||||
|
|
||||||
|
import "crypto/tls"
|
||||||
|
|
||||||
|
// VersionsReversed Map of TLS versions from crypto/tls
|
||||||
|
// Available TLS versions defined at https://golang.org/pkg/crypto/tls/#pkg-constants
|
||||||
|
var VersionsReversed = map[uint16]string{
|
||||||
|
tls.VersionTLS10: "1.0",
|
||||||
|
tls.VersionTLS11: "1.1",
|
||||||
|
tls.VersionTLS12: "1.2",
|
||||||
|
tls.VersionTLS13: "1.3",
|
||||||
|
}
|
Loading…
Reference in a new issue