Add TLS version and cipher to the accessLog
parent
41d22ef17e
commit
b05a5c818d
6 changed files with 54 additions and 17 deletions
|
@ -220,6 +220,8 @@ accessLog:
|
|||
| `GzipRatio` | The response body compression ratio achieved. |
|
||||
| `Overhead` | The processing time overhead (in nanoseconds) caused by Traefik. |
|
||||
| `RetryAttempts` | The amount of attempts the request was retried. |
|
||||
| `TLSVersion` | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS). |
|
||||
| `TLSCipher` | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS) |
|
||||
|
||||
## Log Rotation
|
||||
|
||||
|
|
|
@ -70,6 +70,11 @@ const (
|
|||
Overhead = "Overhead"
|
||||
// RetryAttempts is the map key used for the amount of attempts the request was retried.
|
||||
RetryAttempts = "RetryAttempts"
|
||||
|
||||
// TLSVersion is the version of TLS used in the request.
|
||||
TLSVersion = "TLSVersion"
|
||||
// TLSCipher is the cipher used in the request.
|
||||
TLSCipher = "TLSCipher"
|
||||
)
|
||||
|
||||
// These are written out in the default case when no config is provided to specify keys of interest.
|
||||
|
@ -111,6 +116,8 @@ func init() {
|
|||
allCoreKeys[StartLocal] = struct{}{}
|
||||
allCoreKeys[Overhead] = struct{}{}
|
||||
allCoreKeys[RetryAttempts] = struct{}{}
|
||||
allCoreKeys[TLSVersion] = struct{}{}
|
||||
allCoreKeys[TLSCipher] = struct{}{}
|
||||
}
|
||||
|
||||
// CoreLogData holds the fields computed from the request/response.
|
||||
|
|
|
@ -18,6 +18,7 @@ import (
|
|||
"github.com/sirupsen/logrus"
|
||||
ptypes "github.com/traefik/paerser/types"
|
||||
"github.com/traefik/traefik/v2/pkg/log"
|
||||
traefiktls "github.com/traefik/traefik/v2/pkg/tls"
|
||||
"github.com/traefik/traefik/v2/pkg/types"
|
||||
)
|
||||
|
||||
|
@ -209,6 +210,8 @@ func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request, next http
|
|||
core[RequestScheme] = "http"
|
||||
if req.TLS != nil {
|
||||
core[RequestScheme] = "https"
|
||||
core[TLSVersion] = getRequestTLSVersion(req)
|
||||
core[TLSCipher] = getRequestTLSCipher(req)
|
||||
}
|
||||
|
||||
core[ClientAddr] = req.RemoteAddr
|
||||
|
@ -382,3 +385,19 @@ var requestCounter uint64 // Request ID
|
|||
func nextRequestCount() uint64 {
|
||||
return atomic.AddUint64(&requestCounter, 1)
|
||||
}
|
||||
|
||||
func getRequestTLSVersion(req *http.Request) string {
|
||||
if version, ok := traefiktls.VersionsReversed[req.TLS.Version]; ok {
|
||||
return version
|
||||
}
|
||||
|
||||
return "unknown"
|
||||
}
|
||||
|
||||
func getRequestTLSCipher(req *http.Request) string {
|
||||
if cypher, ok := traefiktls.CipherSuitesReversed[req.TLS.CipherSuite]; ok {
|
||||
return cypher
|
||||
}
|
||||
|
||||
return "unknown"
|
||||
}
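Review bot: Both new helpers collapse any ID missing from the lookup maps to the literal `unknown`, so the access log drops the one value an operator needs when a client negotiates a version or suite the tables do not cover. For the fallback in getRequestTLSCipher, consider emitting the numeric ID instead, e.g. `return fmt.Sprintf("0x%04x", req.TLS.CipherSuite)`, and likewise for the version; this assumes `fmt` is already imported, which the partial import hunk does not show. Both helpers also dereference `req.TLS` unguarded, which is safe only because the ServeHTTP call site sits inside `if req.TLS != nil`; a comment such as `// req.TLS must be non-nil; callers check before calling.` on each would record that contract. The local name `cypher` should be spelled `cipher`.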
|
||||
|
|
|
@ -355,9 +355,11 @@ func TestLoggerJSON(t *testing.T) {
|
|||
Duration: assertFloat64NotZero(),
|
||||
Overhead: assertFloat64NotZero(),
|
||||
RetryAttempts: assertFloat64(float64(testRetryAttempts)),
|
||||
TLSVersion: assertString("1.3"),
|
||||
TLSCipher: assertString("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
|
||||
"time": assertNotEmpty(),
|
||||
"StartLocal": assertNotEmpty(),
|
||||
"StartUTC": assertNotEmpty(),
|
||||
StartLocal: assertNotEmpty(),
|
||||
StartUTC: assertNotEmpty(),
|
||||
},
|
||||
},
|
||||
{
|
||||
|
@ -772,7 +774,10 @@ func doLoggingTLSOpt(t *testing.T, config *types.AccessLog, enableTLS bool) {
|
|||
},
|
||||
}
|
||||
if enableTLS {
|
||||
req.TLS = &tls.ConnectionState{}
|
||||
req.TLS = &tls.ConnectionState{
|
||||
Version: tls.VersionTLS13,
|
||||
CipherSuite: tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
}
|
||||
}
|
||||
|
||||
logger.ServeHTTP(httptest.NewRecorder(), req, http.HandlerFunc(logWriterTestHandlerFunc))
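Review bot: The fixture in doLoggingTLSOpt pairs `tls.VersionTLS13` with `tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, which is a TLS 1.2 suite and is not negotiated under TLS 1.3, so the expected values in TestLoggerJSON describe a connection that cannot occur. Switching the fixture to `Version: tls.VersionTLS12` with the matching `TLSVersion: assertString("1.2")` keeps the sample realistic without depending on which suites CipherSuitesReversed contains, which is not visible here. No case covers the `unknown` fallback of either helper; a second fixture with an unmapped `Version` or `CipherSuite` would pin that behaviour. Both test functions continue outside the hunks shown.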
|
||||
|
|
|
@ -2,7 +2,6 @@ package metrics
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
@ -148,18 +147,11 @@ func getMethod(r *http.Request) string {
|
|||
}
|
||||
|
||||
func getRequestTLSVersion(req *http.Request) string {
|
||||
switch req.TLS.Version {
|
||||
case tls.VersionTLS10:
|
||||
return "1.0"
|
||||
case tls.VersionTLS11:
|
||||
return "1.1"
|
||||
case tls.VersionTLS12:
|
||||
return "1.2"
|
||||
case tls.VersionTLS13:
|
||||
return "1.3"
|
||||
default:
|
||||
return "unknown"
|
||||
if version, ok := traefiktls.VersionsReversed[req.TLS.Version]; ok {
|
||||
return version
|
||||
}
|
||||
|
||||
return "unknown"
|
||||
}
|
||||
|
||||
func getRequestTLSCipher(req *http.Request) string {
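Review bot: After this change getRequestTLSVersion in the metrics package is line-for-line the same as the helper added to the access-log package, and getRequestTLSCipher, whose body lies outside this hunk, appears to be duplicated in the same way. Two private copies of the lookup-plus-fallback logic can drift, so that logs and metric labels report different strings for the same connection. Since pkg/tls now owns VersionsReversed, a single exported lookup function there that takes the `uint16` and returns the name or the fallback would let both packages share one implementation. If the copies stay, a comment on each such as `// Keep in sync with the helper of the same name in the other package.` would at least flag the coupling.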
|
||||
|
|
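--- a/pkg/tls/version.go
+++ b/pkg/tls/version.go
@@ -0,0 +1,12 @@
+package tls
+
+import "crypto/tls"
+
+// VersionsReversed Map of TLS versions from crypto/tls
+// Available TLS versions defined at https://golang.org/pkg/crypto/tls/#pkg-constants
+var VersionsReversed = map[uint16]string{
+tls.VersionTLS10: "1.0",
+tls.VersionTLS11: "1.1",
+tls.VersionTLS12: "1.2",
+tls.VersionTLS13: "1.3",
+}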
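Review bot: The doc comment on VersionsReversed is not a sentence in Go doc style and does not say what the keys and values are or what a missing key means. Something like `// VersionsReversed maps crypto/tls version constants to their display strings ("1.0" to "1.3"); versions not listed here have no entry.` would cover it, with the reference URL kept on the following line. The map is also an exported mutable variable, so any importing package can alter what the access log and metrics report; a short comment stating that it must be treated as read-only would help.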