layer and is locally deciphered. This means it has matched a socket declared
with a "bind" line having the "ssl" option.
+ssl_fc_alg_keysize <integer>
+ Returns true when the incoming connection was made over an SSL/TLS transport
+ layer and the symmetric cipher key size supported in bits matches the value.
+
+ssl_fc_cipher <string>
+ returns true when the incoming connection was made over an ssl/tls transport
+ layer and the name of the used cipher matches the string.
+
ssl_fc_has_crt
Returns true if a client certificate is present in an incoming connection over
SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
the "bind" line specifies a protocol list. Also, nothing forces the client to
pick a protocol from this list, any other one may be requested.
+ssl_fc_protocol <string>
+ Returns true when the incoming connection was made over an SSL/TLS transport
+ layer and the name of the used protocol matches the string.
+
ssl_fc_sni <string>
Returns true when the incoming connection was made over an SSL/TLS transport
layer which deciphered it and found a Server Name Indication TLS extension
requires that the SSL library is build with support for TLS extensions
enabled (check haproxy -vv).
+ssl_fc_use_keysize <integer>
+ Returns true when the incoming connection was made over an SSL/TLS transport
+ layer and the symmetric cipher key size used in bits matches the value.
+
wait_end
Waits for the end of the analysis period to return true. This may be used in
conjunction with content analysis to avoid returning a wrong verdict early.
and returns 1 if it was made via an SSL/TLS transport layer,
otherwise zero.
+ ssl_fc_alg_keysize
+ Returns the symmetric cipher key size support d in bits when the
+ incoming connection was made over an SSL/TLS transport layer.
+
+ ssl_fc_cipher
+ Returns the name of the used cipher when the incoming connection
+ was made over an SSL/TLS transport layer.
+
ssl_fc_has_crt
Returns 1 if a client certificate is present in the front
connection over SSL/TLS transport layer, otherwise 0.
have been built with support for TLS extensions enabled (check
haproxy -vv). See also the "npn" bind keyword.
+ ssl_fc_protocol
+ Returns the name of the used protocol when the incoming connection
+ was made over an SSL/TLS transport layer.
+
ssl_fc_sni This extracts the Server Name Indication field from an incoming
connection made via an SSL/TLS transport layer and locally
deciphered by haproxy. The result typically is a string matching
have been built with support for TLS extensions enabled (check
haproxy -vv).
+ ssl_fc_use_keysize
+ Returns the symmetric cipher key size used in bits when the
+ incoming connection was made over an SSL/TLS transport layer.
+
url This extracts the request's URL as presented in the request. A
typical use is with prefetch-capable caches, and with portals
which need to aggregate multiple information from databases and
#endif
}
+static int
+smp_fetch_ssl_fc_cipher(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+ const struct arg *args, struct sample *smp)
+{
+ smp->flags = 0;
+
+ if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+ return 0;
+
+ smp->data.str.str = (char *)SSL_get_cipher_name(l4->si[0].conn.xprt_ctx);
+ if (!smp->data.str.str)
+ return 0;
+
+ smp->type = SMP_T_CSTR;
+ smp->data.str.len = strlen(smp->data.str.str);
+
+ return 1;
+}
+
+static int
+smp_fetch_ssl_fc_alg_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+ const struct arg *args, struct sample *smp)
+{
+ smp->flags = 0;
+
+ if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+ return 0;
+
+ if (!SSL_get_cipher_bits(l4->si[0].conn.xprt_ctx, (int *)&smp->data.uint))
+ return 0;
+
+ smp->type = SMP_T_UINT;
+
+ return 1;
+}
+
+static int
+smp_fetch_ssl_fc_use_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+ const struct arg *args, struct sample *smp)
+{
+ smp->flags = 0;
+
+ if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+ return 0;
+
+ smp->data.uint = (unsigned int)SSL_get_cipher_bits(l4->si[0].conn.xprt_ctx, NULL);
+ if (!smp->data.uint)
+ return 0;
+
+ smp->type = SMP_T_UINT;
+
+ return 1;
+}
+
#ifdef OPENSSL_NPN_NEGOTIATED
static int
smp_fetch_ssl_fc_npn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
}
#endif
+static int
+smp_fetch_ssl_fc_protocol(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+ const struct arg *args, struct sample *smp)
+{
+ smp->flags = 0;
+
+ if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+ return 0;
+
+ smp->data.str.str = (char *)SSL_get_version(l4->si[0].conn.xprt_ctx);
+ if (!smp->data.str.str)
+ return 0;
+
+ smp->type = SMP_T_CSTR;
+ smp->data.str.len = strlen(smp->data.str.str);
+
+ return 1;
+}
+
static int
smp_fetch_ssl_fc_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{ "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_fc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
+ { "ssl_fc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
+ { "ssl_fc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_fc_has_crt", smp_fetch_ssl_fc_has_crt, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_fc_has_sni", smp_fetch_ssl_fc_has_sni, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
#ifdef OPENSSL_NPN_NEGOTIATED
{ "ssl_fc_npn", smp_fetch_ssl_fc_npn, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
#endif
+ { "ssl_fc_protocol", smp_fetch_ssl_fc_protocol, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
+ { "ssl_fc_use_keysize", smp_fetch_ssl_fc_use_keysize, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_fc_sni", smp_fetch_ssl_fc_sni, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
{ NULL, NULL, 0, 0, 0 },
}};
{ "ssl_c_err", acl_parse_int, smp_fetch_ssl_c_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_c_verify", acl_parse_int, smp_fetch_ssl_c_verify, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_fc", acl_parse_int, smp_fetch_ssl_fc, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+ { "ssl_fc_alg_keysize", acl_parse_str, smp_fetch_ssl_fc_alg_keysize, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+ { "ssl_fc_cipher", acl_parse_str, smp_fetch_ssl_fc_cipher, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_fc_has_crt", acl_parse_int, smp_fetch_ssl_fc_has_crt, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
{ "ssl_fc_has_sni", acl_parse_int, smp_fetch_ssl_fc_has_sni, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
#ifdef OPENSSL_NPN_NEGOTIATED
{ "ssl_fc_npn", acl_parse_str, smp_fetch_ssl_fc_npn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
#endif
+ { "ssl_fc_protocol", acl_parse_str, smp_fetch_ssl_fc_protocol, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+ { "ssl_fc_use_keysize", acl_parse_str, smp_fetch_ssl_fc_use_keysize, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_fc_sni", acl_parse_str, smp_fetch_ssl_fc_sni, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_fc_sni_end", acl_parse_str, smp_fetch_ssl_fc_sni, acl_match_end, ACL_USE_L6REQ_PERMANENT, 0 },
{ "ssl_fc_sni_reg", acl_parse_reg, smp_fetch_ssl_fc_sni, acl_match_reg, ACL_USE_L6REQ_PERMANENT, 0 },
projects / thirdparty / haproxy.git / commitdiff
