Log TLS client subject

This commit is contained in:
xmessi 2022-11-21 10:18:05 +01:00 committed by GitHub
parent 630de7481e
commit 27c02b5a56
4 changed files with 13 additions and 0 deletions


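--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -229,6 +229,7 @@ accessLog:
 | `RetryAttempts` | The amount of attempts the request was retried. |
 | `TLSVersion` | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS). |
 | `TLSCipher` | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS) |
+| `TLSClientSubject` | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`) |
 ## Log Rotation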


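--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -75,6 +75,8 @@ const (
 TLSVersion = "TLSVersion"
 // TLSCipher is the cipher used in the request.
 TLSCipher = "TLSCipher"
+// TLSClientSubject is the string representation of the TLS client certificate's Subject.
+TLSClientSubject = "TLSClientSubject"
 )
 // These are written out in the default case when no config is provided to specify keys of interest.
@@ -118,6 +120,7 @@ func init() {
 allCoreKeys[RetryAttempts] = struct{}{}
 allCoreKeys[TLSVersion] = struct{}{}
 allCoreKeys[TLSCipher] = struct{}{}
+allCoreKeys[TLSClientSubject] = struct{}{}
 }
 // CoreLogData holds the fields computed from the request/response.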
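Review bot: The doc comment on the new `TLSClientSubject` constant does not say when the field is populated; the handler change in this commit sets it only when the client presented a certificate, so the comment could read `// TLSClientSubject is the string representation of the TLS client certificate's Subject; set only when the client presented a certificate.` Both the `const` block and `init` start outside the hunk.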


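--- a/PATH_NOT_SHOWN_3
+++ b/PATH_NOT_SHOWN_3
@@ -218,6 +218,9 @@ func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request, next http
 core[RequestScheme] = "https"
 core[TLSVersion] = traefiktls.GetVersion(req.TLS)
 core[TLSCipher] = traefiktls.GetCipherName(req.TLS)
+if len(req.TLS.PeerCertificates) > 0 && req.TLS.PeerCertificates[0] != nil {
+core[TLSClientSubject] = req.TLS.PeerCertificates[0].Subject.String()
+}
 }
 core[ClientAddr] = req.RemoteAddr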
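Review bot: The value written at the added `core[TLSClientSubject]` line is read from `req.TLS.PeerCertificates`, which holds the certificate the client presented; whether that certificate was verified depends on the entrypoint's client-auth configuration, which is not visible here, so the logged subject is not by itself an authenticated identity and log consumers should treat it as client-supplied input. A why-comment above the `if` would make that explicit: `// PeerCertificates holds what the client presented; the subject is an authenticated identity only when clientAuth verifies the chain.` The enclosing TLS branch and ServeHTTP both start and end outside the hunk.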


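--- a/PATH_NOT_SHOWN_4
+++ b/PATH_NOT_SHOWN_4
@@ -3,6 +3,8 @@ package accesslog
 import (
 "bytes"
 "crypto/tls"
+"crypto/x509"
+"crypto/x509/pkix"
 "encoding/json"
 "fmt"
 "io"
@@ -370,6 +372,7 @@ func TestLoggerJSON(t *testing.T) {
 Duration: assertFloat64NotZero(),
 Overhead: assertFloat64NotZero(),
 RetryAttempts: assertFloat64(float64(testRetryAttempts)),
+TLSClientSubject: assertString("CN=foobar"),
 TLSVersion: assertString("1.3"),
 TLSCipher: assertString("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
 "time": assertNotEmpty(),
@@ -780,6 +783,9 @@ func doLoggingTLSOpt(t *testing.T, config *types.AccessLog, enableTLS bool) {
 req.TLS = &tls.ConnectionState{
 Version: tls.VersionTLS13,
 CipherSuite: tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+PeerCertificates: []*x509.Certificate{{
+Subject: pkix.Name{CommonName: "foobar"},
+}},
 }
 }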
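Review bot: The added `PeerCertificates` fixture in `doLoggingTLSOpt` makes every TLS test case present a client certificate, so the handler path where no certificate is presented and `TLSClientSubject` is left unset is not exercised by this change; unless another test covers it, a case with TLS enabled and an empty `PeerCertificates` that asserts the key is absent from the log would pin that behaviour. `doLoggingTLSOpt` and `TestLoggerJSON` both continue outside their hunks.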