code_public/ja4-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ja4ebpf): split bpf2go generate into Ja4Tc + Ja4Ssl, fix RPM systemd-rpm-macros

Browse Source 
- Use two separate //go:generate directives (Ja4Tc for tc_capture.c, Ja4Ssl
  for uprobe_ssl.c) to avoid duplicate LICENSE symbol and multi-file clang issue
- Update loader.go to hold tcObjs/sslObjs separately with correct field names:
  UprobeSslSetFd, UprobeSslReadEntry, UretprobeSslReadExit,
  KprobeAccept4Entry, KretprobeAccept4Exit
- Add systemd-rpm-macros to all three RPM build stages (el8/el9/el10)
  so that %{_unitdir} macro resolves correctly
- RPMs now build successfully for el8, el9, el10

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
toto
2026-04-11 23:21:11 +02:00
parent a1e4c1dad5
commit 3b047b680a
155 changed files with 197011 additions and 599 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
tests/integration/apache/docker-compose.yml Normal file
View File

@ -0,0 +1,77 @@
# =============================================================================
# Stack apache — tests d'intégration ja4ebpf
#
# Architecture :
# traffic-gen ─HTTPS→ Apache HTTPD (TLS, HTTP/1.1+h2) ─→ ClickHouse
# ↑
# ja4ebpf (uprobe httpd + hook TC ingress)
# =============================================================================
services:
clickhouse:
image: clickhouse/clickhouse-server:24.8
hostname: clickhouse
environment:
CLICKHOUSE_DB: ja4_processing
CLICKHOUSE_USER: default
CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1
volumes:
- ../platform/clickhouse-init.sh:/docker-entrypoint-initdb.d/00_init.sh
- ../../../shared/clickhouse/00_database.sql:/initdb-src/00_database.sql:ro
- ../../../shared/clickhouse/01_raw_tables.sql:/initdb-src/01_raw_tables.sql:ro
- ../../../shared/clickhouse/02_dictionaries.sql:/initdb-src/02_dictionaries.sql:ro
- ../../../shared/clickhouse/03_anubis_tables.sql:/initdb-src/03_anubis_tables.sql:ro
- ../../../shared/clickhouse/04_mv_http_logs.sql:/initdb-src/04_mv_http_logs.sql:ro
- ../../../shared/clickhouse/05_aggregation_tables.sql:/initdb-src/05_aggregation_tables.sql:ro
- ../../../shared/clickhouse/06_ml_tables.sql:/initdb-src/06_ml_tables.sql:ro
- ../../../shared/clickhouse/07_ai_features_view.sql:/initdb-src/07_ai_features_view.sql:ro
- ../../../shared/clickhouse/08_users.sql:/initdb-src/08_users.sql:ro
- ../../../shared/clickhouse/09_audit_table.sql:/initdb-src/09_audit_table.sql:ro
- ../../../shared/clickhouse/10_perf_indexes.sql:/initdb-src/10_perf_indexes.sql:ro
- ../../../shared/clickhouse/11_views.sql:/initdb-src/11_views.sql:ro
- ../../../shared/clickhouse/12_thesis_features.sql:/initdb-src/12_thesis_features.sql:ro
- ../../../shared/data/browser_h2.csv:/initdb-src/browser_h2.csv:ro
- ../platform/csv-stubs:/var/lib/clickhouse/user_files
ports: ["9000:9000","8123:8123"]
healthcheck:
test: ["CMD","clickhouse-client","--query","SELECT 1"]
interval: 5s
timeout: 3s
retries: 30
networks: [ja4net]
platform:
build:
context: ../../..
dockerfile: tests/integration/apache/platform/Dockerfile
args:
BASE_IMAGE: ${PLATFORM_BASE_IMAGE:-rockylinux:9}
hostname: platform
cap_add: [NET_ADMIN, BPF, SYS_PTRACE]
privileged: true
environment:
JA4EBPF_CH_ADDR: "clickhouse:9000"
depends_on:
clickhouse:
condition: service_healthy
ports: ["443:443","80:80"]
healthcheck:
test: ["CMD","curl","-sfk","https://localhost/health"]
interval: 5s
timeout: 3s
retries: 30
networks: [ja4net]
traffic-gen:
build:
context: ../traffic-gen
hostname: traffic-gen
depends_on:
platform:
condition: service_healthy
networks: [ja4net]
networks:
ja4net:
driver: bridge

57
tests/integration/apache/platform/Dockerfile Normal file
View File

@ -0,0 +1,57 @@
# =============================================================================
# Platform apache — Multi-distro (Rocky Linux 9 par défaut)
#
# Architecture :
# traffic-gen ─HTTPS→ Apache HTTPD (TLS, HTTP/2) → ClickHouse
# ↑
# ja4ebpf (uprobe httpd/libssl + hook TC ingress)
#
# ja4ebpf attache ses uprobes sur /usr/sbin/httpd qui lie OpenSSL.
# Le hook TC ingress capture TCP SYN + TLS ClientHello sur eth0.
# =============================================================================
# ── Stage 1 : build ja4ebpf ──────────────────────────────────────────────────
FROM golang:1.24-bookworm AS go-builder
RUN apt-get update && apt-get install -y clang llvm libbpf-dev && rm -rf /var/lib/apt/lists/*
WORKDIR /build
COPY go.work go.work.sum* ./
COPY shared/go/ja4common/go.mod shared/go/ja4common/go.sum* ./shared/go/ja4common/
COPY services/ja4ebpf/go.mod services/ja4ebpf/go.sum* ./services/ja4ebpf/
RUN cd services/ja4ebpf && go mod download 2>/dev/null; true
COPY shared/go/ja4common/ ./shared/go/ja4common/
COPY services/ja4ebpf/ ./services/ja4ebpf/
WORKDIR /build/services/ja4ebpf
RUN GOWORK=off go generate ./internal/loader/ && \
GOWORK=off CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
go build -ldflags="-s -w" -o /out/ja4ebpf ./cmd/ja4ebpf/
# ── Stage 2 : runtime Apache HTTPD + ja4ebpf ─────────────────────────────────
ARG BASE_IMAGE=rockylinux:9
FROM ${BASE_IMAGE}
RUN dnf install -y epel-release 2>/dev/null; \
dnf install -y httpd mod_ssl mod_http2 openssl curl && \
dnf clean all
COPY --from=go-builder /out/ja4ebpf /usr/local/bin/ja4ebpf
# Certificat TLS auto-signé pour Apache
RUN openssl req -x509 -nodes -days 365 \
-subj "/CN=platform.test" \
-newkey rsa:2048 \
-keyout /etc/pki/tls/private/apache.key \
-out /etc/pki/tls/certs/apache.crt && \
mkdir -p /var/www/html /var/log/httpd && \
echo '{"status":"ok","stack":"apache"}' > /var/www/html/health
COPY tests/integration/apache/platform/httpd-ssl.conf /etc/httpd/conf.d/ssl.conf
COPY tests/integration/apache/platform/ja4ebpf.yml /etc/ja4ebpf/config.yml
COPY tests/integration/apache/platform/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
EXPOSE 80 443
CMD ["/entrypoint.sh"]

26
tests/integration/apache/platform/entrypoint.sh Normal file
View File

@ -0,0 +1,26 @@
#!/usr/bin/env bash
# =============================================================================
# entrypoint.sh — Stack Apache HTTPD + ja4ebpf
# Démarre Apache en foreground et lance ja4ebpf en arrière-plan.
# =============================================================================
set -euo pipefail
# Activer le module HTTP/2 si pas déjà chargé
if ! httpd -M 2>/dev/null | grep -q http2_module; then
echo "LoadModule http2_module modules/mod_http2.so" >> /etc/httpd/conf.modules.d/00-base.conf
fi
# Créer les répertoires de run nécessaires
mkdir -p /run/httpd /var/log/httpd
# Démarrer ja4ebpf en arrière-plan
/usr/local/bin/ja4ebpf -config /etc/ja4ebpf/config.yml &
JA4_PID=$!
echo "[entrypoint] ja4ebpf démarré (PID $JA4_PID)"
# Attendre que ja4ebpf charge ses programmes eBPF
sleep 2
# Démarrer Apache HTTPD en foreground
echo "[entrypoint] Démarrage d'Apache HTTPD..."
exec /usr/sbin/httpd -DFOREGROUND

57
tests/integration/apache/platform/httpd-ssl.conf Normal file
View File

@ -0,0 +1,57 @@
# Configuration Apache HTTPD — HTTPS + HTTP/2 pour les tests ja4ebpf
# Remplace /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLCryptoDevice builtin
# Désactiver SSLv2/v3 et TLSv1.0/1.1 pour forcer JA4 modernes
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Suites de chiffrement compatibles HTTP/2 + TLS 1.2/1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
SSLHonorCipherOrder off
<VirtualHost _default_:443>
ServerName platform.test
DocumentRoot /var/www/html
# Activation HTTP/2 (ALPN h2)
Protocols h2 http/1.1
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/apache.crt
SSLCertificateKeyFile /etc/pki/tls/private/apache.key
<Directory /var/www/html>
AllowOverride None
Require all granted
</Directory>
# Route healthcheck
Alias /health /var/www/html/health
<Location /health>
Header always set Content-Type "application/json"
</Location>
# Logs
ErrorLog /var/log/httpd/ssl_error.log
CustomLog /var/log/httpd/ssl_access.log combined
</VirtualHost>
# VirtualHost HTTP (port 80) pour capturer le trafic en clair
<VirtualHost *:80>
ServerName platform.test
DocumentRoot /var/www/html
<Directory /var/www/html>
AllowOverride None
Require all granted
</Directory>
ErrorLog /var/log/httpd/access_error.log
CustomLog /var/log/httpd/access_log combined
</VirtualHost>

22
tests/integration/apache/platform/ja4ebpf.yml Normal file
View File

@ -0,0 +1,22 @@
# Configuration ja4ebpf — stack Apache
# Fichier monté dans /etc/ja4ebpf/config.yml
interface: eth0
# Cibles uprobe : httpd lie OpenSSL via libssl.so.
# Sur RHEL/Rocky, le binaire est /usr/sbin/httpd.
targets:
- binary: /usr/sbin/httpd
- binary: /usr/lib64/httpd/modules/mod_ssl.so
clickhouse:
addr: "${JA4EBPF_CH_ADDR:-clickhouse:9000}"
database: ja4_logs
table: http_logs_raw
batch_size: 200
flush_interval_ms: 500
session:
timeout_ms: 500
slowloris_timeout_s: 10
gc_interval_ms: 100

107
tests/integration/apache/run-tests.sh Executable file
View File

@ -0,0 +1,107 @@
#!/usr/bin/env bash
# =============================================================================
# run-tests.sh — Tests d'intégration stack Apache HTTPD + ja4ebpf
#
# Usage :
# ./run-tests.sh # build + start + test + down
# ./run-tests.sh --no-down # garder la stack après les tests
# ./run-tests.sh --build-only # build uniquement
# PLATFORM_BASE_IMAGE=almalinux:8 ./run-tests.sh # tester sur el8
# =============================================================================
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
export STACK_NAME="apache"
export COMPOSE_FILE="$SCRIPT_DIR/docker-compose.yml"
for arg in "$@"; do
case "$arg" in
--no-down) export KEEP_UP=true ;;
--build-only) export BUILD_ONLY=true ;;
esac
done
source "$SCRIPT_DIR/../lib/run-stack-tests.sh"
# ── Vérifications spécifiques Apache ─────────────────────────────────────────
stack_verify_extra() {
# Vérifie que httpd répond avec le bon Server header
local server_hdr
server_hdr=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
curl -skI https://localhost/ 2>/dev/null | grep -i "^Server:" | tr -d '\r' || echo "")
if echo "$server_hdr" | grep -qi "apache\|httpd"; then
pass "Header Server: Apache présent dans les réponses HTTPS"
else
warn "Header Server Apache non détecté (réponse: '$server_hdr')"
fi
# Vérifie HTTP/2 ALPN h2 via curl
local alpn_result
alpn_result=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
curl -sk --http2 -w "%{http_version}" -o /dev/null https://localhost/ 2>/dev/null || echo "")
if [ "$alpn_result" = "2" ]; then
pass "HTTP/2 (ALPN h2) négocié avec succès sur Apache"
else
warn "HTTP/2 non négocié (version: '$alpn_result') — vérifier mod_http2 et SSLProtocol"
fi
# Vérifie que ja4ebpf tourne
local ja4_pid
ja4_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
pgrep -x ja4ebpf 2>/dev/null | head -1 || echo "")
if [ -n "$ja4_pid" ]; then
pass "Processus ja4ebpf actif (PID $ja4_pid)"
else
fail "Processus ja4ebpf introuvable dans le conteneur platform"
fi
# Vérifie que httpd tourne
local httpd_count
httpd_count=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
pgrep -c httpd 2>/dev/null || echo "0")
if [ "${httpd_count:-0}" -gt 0 ] 2>/dev/null; then
pass "Apache HTTPD actif ($httpd_count processus httpd)"
else
fail "Aucun processus httpd trouvé"
fi
# Vérifie les données L7 capturées via uprobe httpd
local l7_count
l7_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE method != ''")
if [ "${l7_count:-0}" -gt 0 ] 2>/dev/null; then
pass "L7 capturé via uprobe httpd : $l7_count requêtes HTTP"
else
warn "Aucune requête L7 — uprobe httpd peut nécessiter que httpd lie directement libssl"
log " Vérifier : ldd /usr/sbin/httpd | grep ssl"
fi
# Vérifie JA4 fingerprint
local ja4_sample
ja4_sample=$(ch_query "SELECT ja4 FROM ja4_logs.http_logs_raw WHERE ja4 != '' LIMIT 1" 2>/dev/null || echo "")
if [ -n "$ja4_sample" ]; then
pass "JA4 fingerprint capturé : $ja4_sample"
else
warn "JA4 fingerprint vide — TC ingress hook peut-être non fonctionnel"
fi
# Vérifie le SNI capturé
local sni_count
sni_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE sni != ''")
if [ "${sni_count:-0}" -gt 0 ] 2>/dev/null; then
pass "SNI capturé dans $sni_count enregistrements"
else
warn "Aucun SNI capturé"
fi
# Vérifie HTTP port 80 (trafic en clair — kprobe tcp_recvmsg)
local plain_count
plain_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE correlated = 0 AND method != ''" 2>/dev/null || echo "0")
if [ "${plain_count:-0}" -gt 0 ] 2>/dev/null; then
pass "HTTP en clair capturé : $plain_count requêtes (kprobe tcp_recvmsg)"
else
warn "Aucune requête HTTP port 80 en clair détectée (normal si traffic-gen n'envoie que du HTTPS)"
fi
}
run_all_phases

90
tests/integration/hitch-varnish/docker-compose.yml Normal file
View File

@ -0,0 +1,90 @@
# =============================================================================
# Stack hitch + varnish — tests d'intégration ja4ebpf
#
# Architecture :
# traffic-gen ─HTTPS→ hitch (TLS, port 443, PROXY protocol) ─HTTP→ varnish (port 6081)
# ↓
# backend HTTP (port 8080)
# ↑
# ja4ebpf (uprobe hitch/libssl + hook TC)
#
# Hitch est un TLS offloader dédié : il ne fait QUE la terminaison TLS
# et transmet le trafic cleartext + PROXY protocol header à Varnish.
# Varnish lit le PROXY header pour récupérer l'IP réelle du client.
#
# Différence clé vs nginx+varnish :
# - uprobe sur hitch (/usr/sbin/hitch ou libssl liée par hitch)
# - PROXY protocol header permet à ja4ebpf de récupérer la vraie src_ip
# même si le trafic L3 vient de hitch → varnish (127.0.0.1)
# =============================================================================
services:
clickhouse:
image: clickhouse/clickhouse-server:24.8
hostname: clickhouse
environment:
CLICKHOUSE_DB: ja4_processing
CLICKHOUSE_USER: default
CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1
volumes:
- ../platform/clickhouse-init.sh:/docker-entrypoint-initdb.d/00_init.sh
- ../../../shared/clickhouse/00_database.sql:/initdb-src/00_database.sql:ro
- ../../../shared/clickhouse/01_raw_tables.sql:/initdb-src/01_raw_tables.sql:ro
- ../../../shared/clickhouse/02_dictionaries.sql:/initdb-src/02_dictionaries.sql:ro
- ../../../shared/clickhouse/03_anubis_tables.sql:/initdb-src/03_anubis_tables.sql:ro
- ../../../shared/clickhouse/04_mv_http_logs.sql:/initdb-src/04_mv_http_logs.sql:ro
- ../../../shared/clickhouse/05_aggregation_tables.sql:/initdb-src/05_aggregation_tables.sql:ro
- ../../../shared/clickhouse/06_ml_tables.sql:/initdb-src/06_ml_tables.sql:ro
- ../../../shared/clickhouse/07_ai_features_view.sql:/initdb-src/07_ai_features_view.sql:ro
- ../../../shared/clickhouse/08_users.sql:/initdb-src/08_users.sql:ro
- ../../../shared/clickhouse/09_audit_table.sql:/initdb-src/09_audit_table.sql:ro
- ../../../shared/clickhouse/10_perf_indexes.sql:/initdb-src/10_perf_indexes.sql:ro
- ../../../shared/clickhouse/11_views.sql:/initdb-src/11_views.sql:ro
- ../../../shared/clickhouse/12_thesis_features.sql:/initdb-src/12_thesis_features.sql:ro
- ../../../shared/data/browser_h2.csv:/initdb-src/browser_h2.csv:ro
- ../platform/csv-stubs:/var/lib/clickhouse/user_files
ports: ["9000:9000","8123:8123"]
healthcheck:
test: ["CMD","clickhouse-client","--query","SELECT 1"]
interval: 5s
timeout: 3s
retries: 30
networks: [ja4net]
platform:
build:
context: ../../..
dockerfile: tests/integration/hitch-varnish/platform/Dockerfile
args:
BASE_IMAGE: ${PLATFORM_BASE_IMAGE:-rockylinux:9}
hostname: platform
cap_add: [NET_ADMIN, BPF, SYS_PTRACE]
privileged: true
environment:
JA4EBPF_CH_ADDR: "clickhouse:9000"
depends_on:
clickhouse:
condition: service_healthy
ports: ["443:443","80:80"]
healthcheck:
# Hitch n'expose pas de port HTTP directement.
# On passe par HTTPS (hitch → varnish → backend).
test: ["CMD","curl","-sfk","https://localhost/health"]
interval: 5s
timeout: 3s
retries: 30
networks: [ja4net]
traffic-gen:
build:
context: ../traffic-gen
hostname: traffic-gen
depends_on:
platform:
condition: service_healthy
networks: [ja4net]
networks:
ja4net:
driver: bridge

54
tests/integration/hitch-varnish/platform/Dockerfile Normal file
View File

@ -0,0 +1,54 @@
# =============================================================================
# Platform hitch + varnish — Rocky Linux 9
# hitch (TLS, PROXY protocol) → Varnish (HTTP cache) → backend HTTP
# =============================================================================
FROM golang:1.24-bookworm AS go-builder
RUN apt-get update && apt-get install -y clang llvm libbpf-dev && rm -rf /var/lib/apt/lists/*
WORKDIR /build
COPY go.work go.work.sum* ./
COPY shared/go/ja4common/go.mod shared/go/ja4common/go.sum* ./shared/go/ja4common/
COPY services/ja4ebpf/go.mod services/ja4ebpf/go.sum* ./services/ja4ebpf/
RUN cd services/ja4ebpf && go mod download 2>/dev/null; true
COPY shared/go/ja4common/ ./shared/go/ja4common/
COPY services/ja4ebpf/ ./services/ja4ebpf/
WORKDIR /build/services/ja4ebpf
RUN GOWORK=off go generate ./internal/loader/ && \
GOWORK=off CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
go build -ldflags="-s -w" -o /out/ja4ebpf ./cmd/ja4ebpf/
# ── Runtime : hitch + varnish + backend + ja4ebpf ────────────────────────────
ARG BASE_IMAGE=rockylinux:9
FROM ${BASE_IMAGE}
# hitch est dans EPEL ; varnish dans le dépôt officiel Rocky
RUN dnf install -y epel-release && \
dnf install -y hitch varnish openssl curl python3 && \
dnf clean all
COPY --from=go-builder /out/ja4ebpf /usr/local/bin/ja4ebpf
# Certificat TLS auto-signé pour hitch
RUN openssl req -x509 -nodes -days 365 \
-subj "/CN=platform.test" \
-newkey rsa:2048 \
-keyout /tmp/hitch.key \
-out /tmp/hitch.crt && \
# hitch attend un fichier PEM concaténé (clé + certificat)
cat /tmp/hitch.key /tmp/hitch.crt > /etc/hitch/hitch.pem && \
chmod 600 /etc/hitch/hitch.pem && \
mkdir -p /var/www/html /run/varnish && \
echo '{"status":"ok","stack":"hitch-varnish"}' > /var/www/html/health
COPY tests/integration/hitch-varnish/platform/hitch.conf /etc/hitch/hitch.conf
COPY tests/integration/hitch-varnish/platform/varnish.vcl /etc/varnish/default.vcl
COPY tests/integration/hitch-varnish/platform/ja4ebpf.yml /etc/ja4ebpf/config.yml
COPY tests/integration/hitch-varnish/platform/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
EXPOSE 80 443
CMD ["/entrypoint.sh"]

120
tests/integration/hitch-varnish/platform/entrypoint.sh Executable file
View File

@ -0,0 +1,120 @@
#!/usr/bin/env bash
# =============================================================================
# Entrypoint — stack hitch + varnish + backend HTTP + ja4ebpf
# Ordre : backend → varnish → hitch → ja4ebpf
# =============================================================================
set -eo pipefail
log() { echo "[entrypoint:hitch-varnish] $(date +%H:%M:%S) $*"; }
BACKEND_PID="" VARNISH_PID="" HITCH_PID="" JA4EBPF_PID=""
cleanup() {
log "Arrêt des processus…"
for pid in "$JA4EBPF_PID" "$HITCH_PID" "$VARNISH_PID" "$BACKEND_PID"; do
[ -n "$pid" ] && kill "$pid" 2>/dev/null || true
done
wait 2>/dev/null || true
}
trap cleanup EXIT SIGTERM SIGINT
# ── 1. Backend HTTP simple (port 8080) ────────────────────────────────────────
log "Démarrage du backend HTTP (port 8080)…"
python3 -c "
import http.server, socketserver, json
class H(http.server.BaseHTTPRequestHandler):
def log_message(self, *a): pass
def do_GET(self):
body = json.dumps({'status':'ok','backend':'hitch-varnish','path':self.path}).encode()
self.send_response(200)
self.send_header('Content-Type','application/json')
self.send_header('Content-Length', len(body))
self.end_headers()
self.wfile.write(body)
def do_POST(self):
n = int(self.headers.get('Content-Length',0))
self.rfile.read(n)
body = b'{\"result\":\"accepted\"}'
self.send_response(200)
self.send_header('Content-Type','application/json')
self.send_header('Content-Length', len(body))
self.end_headers()
self.wfile.write(body)
with socketserver.TCPServer(('127.0.0.1', 8080), H) as s:
s.serve_forever()
" &
BACKEND_PID=$!
sleep 1
log "Backend démarré (PID $BACKEND_PID)"
# ── 2. Démarrage de Varnish (port 6081, avec PROXY protocol activé) ───────────
# L'option "-a 127.0.0.1:6081,PROXY" indique à Varnish d'accepter le PROXY header
# envoyé par hitch pour récupérer la vraie IP du client.
log "Démarrage de Varnish (port 6081, PROXY protocol)…"
varnishd \
-F \
-f /etc/varnish/default.vcl \
-a "127.0.0.1:6081,PROXY" \
-s malloc,64m \
-T 127.0.0.1:6082 &
VARNISH_PID=$!
for i in $(seq 1 30); do
if varnishadm -T 127.0.0.1:6082 status 2>/dev/null | grep -q "Child in state running"; then
log "Varnish opérationnel (PID $VARNISH_PID)"; break
fi
sleep 0.5
done
# ── 3. Démarrage de hitch (port 443) ──────────────────────────────────────────
log "Démarrage de hitch (port 443, TLS + PROXY protocol)…"
hitch --config=/etc/hitch/hitch.conf &
HITCH_PID=$!
# Attendre que hitch soit opérationnel (accepte les connexions TLS)
for i in $(seq 1 20); do
if curl -skf https://127.0.0.1/health >/dev/null 2>&1; then
log "hitch opérationnel (PID $HITCH_PID)"; break
fi
sleep 0.5
done
# Exposition d'un port HTTP 80 simple pour le healthcheck Docker
# (hitch gère uniquement HTTPS — on ajoute un mini-serveur HTTP pour /health)
python3 -c "
import http.server, socketserver, json
class H(http.server.BaseHTTPRequestHandler):
def log_message(self, *a): pass
def do_GET(self):
body = json.dumps({'status':'ok','stack':'hitch-varnish'}).encode()
self.send_response(200)
self.send_header('Content-Type','application/json')
self.send_header('Content-Length',len(body))
self.end_headers()
self.wfile.write(body)
with socketserver.TCPServer(('0.0.0.0',80), H) as s:
s.serve_forever()
" &
# ── 4. Démarrage de ja4ebpf ───────────────────────────────────────────────────
log "Démarrage de ja4ebpf (uprobes hitch/libssl + hook TC eth0)…"
ja4ebpf -config /etc/ja4ebpf/config.yml &
JA4EBPF_PID=$!
log "Stack complète — backend=$BACKEND_PID varnish=$VARNISH_PID hitch=$HITCH_PID ja4ebpf=$JA4EBPF_PID"
# ── 5. Supervision ────────────────────────────────────────────────────────────
while true; do
for pid_var in BACKEND_PID VARNISH_PID HITCH_PID JA4EBPF_PID; do
pid="${!pid_var}"
if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then
log "$pid_var (PID $pid) s'est arrêté — fin"
exit 1
fi
done
sleep 2
done

33
tests/integration/hitch-varnish/platform/hitch.conf Normal file
View File

@ -0,0 +1,33 @@
# hitch.conf — TLS offloader hitch
# Terminaison TLS sur port 443, transmission à Varnish (port 6081) via PROXY protocol.
# Le PROXY protocol permet à Varnish de connaître la vraie IP source du client.
# Réf: https://hitch-tls.org/
# Adresse et port d'écoute TLS
frontend = "[*]:443"
# Backend Varnish (HTTP cleartext + PROXY protocol header)
backend = "[127.0.0.1]:6081"
# Fichier PEM : clé privée + certificat (concaténés)
pem-file = "/etc/hitch/hitch.pem"
# Activation du PROXY protocol v1 (texte) vers le backend
write-proxy-v1 = on
# Protocoles TLS acceptés
tls-protos = TLSv1.2 TLSv1.3
# Suites de chiffrement variées pour générer des JA4 distincts
ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"
# ALPN : activer h2 pour HTTP/2 (si Varnish supporte)
alpn-protos = "h2,http/1.1"
# Nombre de workers (= nombre de cœurs pour les tests)
workers = 2
# Répertoire de travail
daemon = off
log-level = 1
syslog = off

41
tests/integration/hitch-varnish/platform/ja4ebpf.yml Normal file
View File

@ -0,0 +1,41 @@
# Configuration ja4ebpf — stack hitch + varnish
#
# Architecture TLS : hitch est le seul processus qui fait SSL_read.
# Il lie libssl.so.3 dynamiquement (package openssl sur Rocky Linux 9).
# ja4ebpf attache son uprobe sur libssl.so.3 pour capturer les données
# déchiffrées que hitch transmet à Varnish via PROXY protocol.
#
# Différence clé vs nginx :
# - Le processus qui appelle SSL_read est /usr/sbin/hitch (pas nginx)
# - Le PROXY protocol header est dans le flux cleartext hitch→varnish,
# pas dans les données capturées par SSL_read
# - src_ip est récupérée via le hook TC (TCP SYN du client vers hitch:443)
interface: eth0
ssl_probes:
# hitch lie libssl.so.3 de Rocky Linux 9.
# On peut aussi essayer directement le binaire hitch si OpenSSL est statique.
- executable: /usr/lib64/libssl.so.3
symbol: SSL_read
# Fallback : hitch peut lier une version différente selon le packaging
- executable: /usr/sbin/hitch
symbol: SSL_read
clickhouse:
addr: "clickhouse:9000"
database: "ja4_logs"
table: "http_logs_raw"
username: "default"
password: ""
tls: false
batch_size: 100
flush_every: "1s"
timeouts:
session_expiry: "500ms"
slowloris: "10s"
log:
level: "info"
format: "json"

55
tests/integration/hitch-varnish/platform/varnish.vcl Normal file
View File

@ -0,0 +1,55 @@
vcl 4.1;
# =============================================================================
# varnish.vcl — Stack hitch + varnish
# Varnish reçoit le trafic de hitch avec le PROXY protocol header.
# accept_from est limité à 127.0.0.1 (hitch tourne en local).
# =============================================================================
# Activation du PROXY protocol : Varnish récupère la vraie IP client depuis
# le header PROXY envoyé par hitch.
# (configuré via -a "...PROXY" dans la ligne de commande varnishd)
backend default {
.host = "127.0.0.1";
.port = "8080";
.probe = {
.url = "/health";
.interval = 5s;
.timeout = 2s;
.window = 3;
.threshold = 2;
}
}
sub vcl_recv {
# Normalisation URL
if (req.url ~ "//") {
set req.url = regsuball(req.url, "//+", "/");
}
# Ne pas cacher les mutations
if (req.method != "GET" && req.method != "HEAD") {
return (pass);
}
return (hash);
}
sub vcl_backend_response {
set beresp.ttl = 5s;
set beresp.grace = 10s;
}
sub vcl_deliver {
# En-têtes de debug pour les tests
if (obj.hits > 0) {
set resp.http.X-Cache = "HIT";
} else {
set resp.http.X-Cache = "MISS";
}
# Indique que Varnish a traité la requête (vérifiable dans les tests)
set resp.http.Via = "1.1 varnish (Varnish/hitch-varnish-test)";
# Expose l'IP client vue par Varnish (après PROXY protocol de hitch)
set resp.http.X-Client-IP = client.ip;
return (deliver);
}

102
tests/integration/hitch-varnish/run-tests.sh Executable file
View File

@ -0,0 +1,102 @@
#!/usr/bin/env bash
# =============================================================================
# run-tests.sh — Tests d'intégration stack hitch + varnish + ja4ebpf
# =============================================================================
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
export STACK_NAME="hitch-varnish"
export COMPOSE_FILE="$SCRIPT_DIR/docker-compose.yml"
for arg in "$@"; do
case "$arg" in
--no-down) export KEEP_UP=true ;;
--build-only) export BUILD_ONLY=true ;;
esac
done
source "$SCRIPT_DIR/../lib/run-stack-tests.sh"
# ── Vérifications spécifiques hitch+varnish ───────────────────────────────────
stack_verify_extra() {
# Vérifie que hitch est bien en cours d'exécution
local hitch_pid
hitch_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
pgrep -x hitch 2>/dev/null | head -1 || echo "")
[ -n "$hitch_pid" ] && pass "Processus hitch actif (PID $hitch_pid)" \
|| fail "Processus hitch introuvable"
# Vérifie Varnish
local varnish_pid
varnish_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
pgrep -x varnishd 2>/dev/null | head -1 || echo "")
[ -n "$varnish_pid" ] && pass "Processus varnishd actif (PID $varnish_pid)" \
|| fail "Processus varnishd introuvable"
# Vérifie que ja4ebpf tourne
local ja4_pid
ja4_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
pgrep -x ja4ebpf 2>/dev/null | head -1 || echo "")
[ -n "$ja4_pid" ] && pass "ja4ebpf actif (PID $ja4_pid)" \
|| fail "ja4ebpf introuvable"
# Vérifie la présence du header Via Varnish (trafic bien routé hitch→varnish)
local via_hdr
via_hdr=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
curl -skI https://localhost/ 2>/dev/null | grep -i "^Via:" | tr -d '\r' || echo "")
if echo "$via_hdr" | grep -qi "varnish"; then
pass "Header Via: varnish — trafic routé hitch→Varnish→backend"
else
warn "Header Via varnish absent ('$via_hdr')"
fi
# Vérifie X-Client-IP : doit être non-vide (Varnish récupère l'IP via PROXY protocol)
local client_ip_hdr
client_ip_hdr=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
curl -skI https://localhost/ 2>/dev/null | grep -i "^X-Client-IP:" | tr -d '\r' || echo "")
if [ -n "$client_ip_hdr" ]; then
pass "PROXY protocol actif : X-Client-IP visible ('$client_ip_hdr')"
else
warn "X-Client-IP absent — PROXY protocol peut-être désactivé dans Varnish"
fi
# Vérifie ALPN h2 côté hitch (hitch supporte HTTP/2 via ALPN)
local http_ver
http_ver=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
curl -sk --http2 -w "%{http_version}" -o /dev/null https://localhost/ 2>/dev/null || echo "")
if [ "$http_ver" = "2" ]; then
pass "HTTP/2 ALPN négocié par hitch (h2)"
else
warn "HTTP/2 non négocié (version: '$http_ver') — ALPN hitch peut nécessiter Varnish ≥ 6.0"
fi
# Vérification clé : dans la stack hitch+varnish, les uprobes sont sur hitch.
# ja4ebpf doit avoir capturé des requêtes depuis le processus hitch.
# On vérifie que des lignes avec method != '' existent (uprobe SSL_read actif).
local l7_from_hitch
l7_from_hitch=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE method != ''")
if [ "${l7_from_hitch:-0}" -gt 0 ] 2>/dev/null; then
pass "L7 capturé via uprobe hitch : $l7_from_hitch requêtes HTTP"
else
warn "Aucune requête L7 — uprobe hitch/libssl peut-être non attaché"
log " Vérifier : les uprobes nécessitent que hitch soit compilé avec des symboles"
log " Debug : docker compose exec platform ja4ebpf -config /etc/ja4ebpf/config.yml --dry-run"
fi
# Vérifie que le fingerprint JA4 est cohérent avec la config TLS de hitch
# (TLSv1.2 + TLSv1.3, suites ECDHE, ALPN h2+http/1.1)
local ja4_sample
ja4_sample=$(ch_query "SELECT ja4 FROM ja4_logs.http_logs_raw WHERE ja4 != '' LIMIT 1" 2>/dev/null || echo "")
if [ -n "$ja4_sample" ]; then
# JA4 format : t{ver}{sni}{cc}{ec}_{hash}_{hash}
# Avec TLS 1.3 négocié via hitch → doit commencer par tt13
if echo "$ja4_sample" | grep -qE "^tt1[23]"; then
pass "JA4 cohérent avec config hitch TLS 1.2/1.3 : $ja4_sample"
else
warn "JA4 inattendu pour hitch TLS config : $ja4_sample"
fi
fi
}
run_all_phases

270
tests/integration/lib/run-stack-tests.sh Normal file
View File

@ -0,0 +1,270 @@
#!/usr/bin/env bash
# =============================================================================
# lib/run-stack-tests.sh — Bibliothèque partagée pour les tests d'intégration
# des stacks web avec ja4ebpf.
#
# Usage (depuis un run-tests.sh par stack) :
# STACK_NAME="nginx"
# COMPOSE_FILE="$SCRIPT_DIR/docker-compose.yml"
# source "$(dirname "$0")/../lib/run-stack-tests.sh"
# run_all_phases
#
# Variables obligatoires à définir avant source :
# STACK_NAME — nom court (nginx / nginx-varnish / hitch-varnish)
# COMPOSE_FILE — chemin absolu vers le docker-compose.yml de la stack
#
# Variables optionnelles :
# KEEP_UP — true = garder la stack après tests (défaut : false)
# BUILD_ONLY — true = build uniquement, pas de tests (défaut : false)
# STACK_HEALTH_URL — URL pour le healthcheck principal (défaut : /health)
# TLS_PORT — port HTTPS exposé par la stack (défaut : 443)
# HTTP_PORT — port HTTP exposé (défaut : 80)
#
# Fonctions de vérification spécifiques à la stack (optionnel) :
# stack_verify_extra() — hook appelé après la phase 5 générique
# =============================================================================
# ---------------------------------------------------------------------------
# Couleurs et helpers de logging
# ---------------------------------------------------------------------------
RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; CYAN='\033[0;36m'; NC='\033[0m'
TESTS_PASSED=0
TESTS_FAILED=0
KEEP_UP="${KEEP_UP:-false}"
BUILD_ONLY="${BUILD_ONLY:-false}"
TLS_PORT="${TLS_PORT:-443}"
HTTP_PORT="${HTTP_PORT:-80}"
log() { echo -e "${CYAN}[${STACK_NAME}]${NC} $(date +%H:%M:%S) $*"; }
pass() { echo -e "${GREEN}$*${NC}"; TESTS_PASSED=$((TESTS_PASSED + 1)); }
fail() { echo -e "${RED}$*${NC}"; TESTS_FAILED=$((TESTS_FAILED + 1)); }
warn() { echo -e "${YELLOW}$*${NC}"; }
_dc() { docker compose -f "$COMPOSE_FILE" "$@"; }
# Exécute une requête SQL ClickHouse dans le service clickhouse du compose.
ch_query() { _dc exec -T clickhouse clickhouse-client --query "$1" 2>/dev/null; }
# Attend qu'un service atteigne l'état healthy (max_wait secondes).
wait_for_service() {
local service="$1" max_wait="${2:-120}" elapsed=0
log "En attente de $service (max ${max_wait}s)…"
while [ $elapsed -lt "$max_wait" ]; do
local status
status=$(_dc ps --format json "$service" 2>/dev/null \
| python3 -c "import sys,json; [print(json.loads(l).get('Health','')) for l in sys.stdin]" 2>/dev/null \
|| echo "")
if [ "$status" = "healthy" ]; then
log "$service est healthy (${elapsed}s)"; return 0
fi
sleep 2; elapsed=$((elapsed + 2))
done
log "ERREUR : $service pas healthy après ${max_wait}s"
_dc logs --tail=30 "$service"
return 1
}
# ---------------------------------------------------------------------------
# Phase 1 — Build
# ---------------------------------------------------------------------------
phase_build() {
log "========== Phase 1 : Build =========="
_dc build --parallel 2>&1 | tail -20
[ "$BUILD_ONLY" = true ] && { log "Build terminé (--build-only)."; exit 0; }
}
# ---------------------------------------------------------------------------
# Phase 2 — Démarrage de la stack (DB fraîche)
# ---------------------------------------------------------------------------
phase_start() {
log "========== Phase 2 : Démarrage (DB fraîche) =========="
_dc down -v --remove-orphans 2>/dev/null || true
_dc up -d
wait_for_service clickhouse 120
wait_for_service platform 120
}
# ---------------------------------------------------------------------------
# Phase 3 — Vérification du schéma ClickHouse
# ---------------------------------------------------------------------------
phase_schema() {
log "========== Phase 3 : Schéma ClickHouse =========="
local db_count
db_count=$(ch_query "SELECT count() FROM system.databases WHERE name IN ('ja4_logs','ja4_processing')")
[ "$db_count" = "2" ] \
&& pass "Bases ja4_logs + ja4_processing créées" \
|| fail "Bases ClickHouse manquantes (obtenu: $db_count)"
for table in "ja4_logs.http_logs_raw" "ja4_logs.http_logs" \
"ja4_processing.ml_detected_anomalies" \
"ja4_processing.agg_host_ip_ja4_1h"; do
local db tbl exists
db="${table%%.*}"; tbl="${table##*.}"
exists=$(ch_query "SELECT count() FROM system.tables WHERE database='$db' AND name='$tbl'")
[ "$exists" = "1" ] \
&& pass "Table $table présente" \
|| fail "Table $table manquante"
done
}
# ---------------------------------------------------------------------------
# Phase 4 — Génération de trafic
# ---------------------------------------------------------------------------
phase_traffic() {
log "========== Phase 4 : Génération de trafic =========="
local requests="${TRAFFIC_REQUESTS:-300}" workers="${TRAFFIC_WORKERS:-8}"
# Le générateur de trafic réutilise l'image du dossier traffic-gen existant.
if _dc exec -T traffic-gen python /app/generate_traffic.py \
--host platform \
--http-port "$HTTP_PORT" \
--https-port "$TLS_PORT" \
--requests "$requests" \
--workers "$workers"; then
pass "Trafic généré : $requests requêtes via la stack $STACK_NAME"
else
warn "Générateur de trafic : quelques erreurs (seuil 80% appliqué)"
fi
log "Attente 15s pour flush ja4ebpf → ClickHouse…"
sleep 15
}
# ---------------------------------------------------------------------------
# Phase 5 — Vérification du pipeline de données
# ---------------------------------------------------------------------------
phase_verify() {
log "========== Phase 5 : Vérification pipeline =========="
# 5a. Lignes brutes insérées par ja4ebpf
local raw_count
raw_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw")
if [ "${raw_count:-0}" -gt 0 ] 2>/dev/null; then
pass "http_logs_raw : $raw_count lignes insérées par ja4ebpf"
else
fail "http_logs_raw vide — ja4ebpf n'a pas écrit dans ClickHouse"
log "Logs platform :"
_dc logs --tail=40 platform | grep -i "ebpf\|error\|clickhouse" | head -20
fi
# 5b. Fingerprints JA4 capturés (hook TC + parsing TLS ClientHello)
local ja4_count ja4_uniq
ja4_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE ja4 != ''")
ja4_uniq=$(ch_query "SELECT count(DISTINCT ja4) FROM ja4_logs.http_logs_raw WHERE ja4 != ''")
if [ "${ja4_count:-0}" -gt 0 ] 2>/dev/null; then
pass "JA4 : $ja4_count enregistrements, $ja4_uniq fingerprints distincts"
local ja4_sample
ja4_sample=$(ch_query "SELECT ja4 FROM ja4_logs.http_logs_raw WHERE ja4 != '' LIMIT 1")
log " Exemple JA4 : $ja4_sample"
else
warn "Aucun fingerprint JA4 (hook TC peut-être non chargé — vérifier CAP_BPF)"
fi
# 5c. Données L3/L4 (TTL, MSS, Window)
local l34_count
l34_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE ttl > 0")
if [ "${l34_count:-0}" -gt 0 ] 2>/dev/null; then
pass "L3/L4 : $l34_count enregistrements avec TTL (hook TC actif)"
local ttl_sample
ttl_sample=$(ch_query "SELECT ttl, mss, window_size FROM ja4_logs.http_logs_raw WHERE ttl > 0 LIMIT 1 FORMAT TabSeparated")
log " TTL/MSS/Window sample : $ttl_sample"
else
warn "Données L3/L4 absentes (hook TC ingress non attaché)"
fi
# 5d. Requêtes HTTP capturées (uprobe SSL_read)
local http_count methods
http_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE method != ''")
methods=$(ch_query "SELECT groupArray(method) FROM (SELECT DISTINCT method FROM ja4_logs.http_logs_raw WHERE method != '' ORDER BY method)")
if [ "${http_count:-0}" -gt 0 ] 2>/dev/null; then
pass "L7 HTTP : $http_count requêtes capturées via uprobe SSL_read"
pass "Méthodes HTTP vues : $methods"
else
warn "Aucune requête HTTP capturée (uprobe SSL_read non attaché)"
fi
# 5e. HTTP/2 SETTINGS capturés (uprobe + parsing preface H2)
local h2_count
h2_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE h2_settings != ''")
if [ "${h2_count:-0}" -gt 0 ] 2>/dev/null; then
pass "HTTP/2 SETTINGS : $h2_count connexions H2 avec preface capturée"
local h2_sample
h2_sample=$(ch_query "SELECT h2_settings FROM ja4_logs.http_logs_raw WHERE h2_settings != '' LIMIT 1")
log " Exemple H2 SETTINGS : $h2_sample"
else
warn "Pas de SETTINGS HTTP/2 (trafic h2 absent ou ALPN négociation échouée)"
fi
# 5f. Corrélation L3/L4 ↔ L7 (flag correlated)
local corr_total corr_yes corr_pct
corr_total=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE method != ''")
corr_yes=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE correlated = true AND method != ''")
if [ "${corr_total:-0}" -gt 0 ] 2>/dev/null; then
corr_pct=$(echo "$corr_yes $corr_total" | awk '{printf "%.0f", $1*100/$2}')
if [ "${corr_pct:-0}" -ge 50 ] 2>/dev/null; then
pass "Corrélation L3↔L7 : ${corr_pct}% ($corr_yes/$corr_total requêtes corrélées)"
else
warn "Corrélation L3↔L7 faible : ${corr_pct}% ($corr_yes/$corr_total)"
fi
fi
# 5g. Keep-alives (multiplexage TCP)
local ka_max
ka_max=$(ch_query "SELECT max(maxkeepalives) FROM ja4_logs.http_logs_raw")
if [ "${ka_max:-0}" -gt 1 ] 2>/dev/null; then
pass "Keep-alives TCP : max $ka_max requêtes sur une même connexion"
else
log " Keep-alives : max=$ka_max (1 = pas de multiplexage détecté)"
fi
# Hook de vérification spécifique à la stack (optionnel)
if declare -f stack_verify_extra > /dev/null 2>&1; then
log "========== Vérifications spécifiques $STACK_NAME =========="
stack_verify_extra
fi
}
# ---------------------------------------------------------------------------
# Résumé final
# ---------------------------------------------------------------------------
phase_summary() {
local total=$((TESTS_PASSED + TESTS_FAILED))
echo ""
log "========== RÉSULTATS — $STACK_NAME =========="
echo -e " ${GREEN}Réussis : $TESTS_PASSED${NC} / $total"
[ "$TESTS_FAILED" -gt 0 ] && echo -e " ${RED}Échoués : $TESTS_FAILED${NC} / $total"
echo ""
if [ "$TESTS_FAILED" -gt 0 ]; then
log "Certains tests ont échoué. Utilisez --no-down pour garder la stack."
log "Debug : _dc logs platform | grep -i 'error\|ebpf\|uprobe'"
return 1
fi
log "Tous les tests ont réussi !"
}
# ---------------------------------------------------------------------------
# Cleanup
# ---------------------------------------------------------------------------
_cleanup() {
if [ "$KEEP_UP" = false ]; then
log "Nettoyage de la stack…"
_dc down -v --remove-orphans 2>/dev/null || true
else
log "Stack conservée (--no-down). Arrêt : _dc down -v"
fi
}
# ---------------------------------------------------------------------------
# Point d'entrée principal
# ---------------------------------------------------------------------------
run_all_phases() {
trap _cleanup EXIT
phase_build
phase_start
phase_schema
phase_traffic
phase_verify
phase_summary
}

83
tests/integration/nginx-varnish/docker-compose.yml Normal file
View File

@ -0,0 +1,83 @@
# =============================================================================
# Stack nginx + varnish — tests d'intégration ja4ebpf
#
# Architecture :
# traffic-gen ─HTTPS→ nginx (TLS, port 443) ─HTTP→ varnish (port 6081)
# ↓
# backend HTTP simple (port 8080)
# ↑
# ja4ebpf (uprobe nginx/libssl + hook TC)
#
# nginx termine le TLS et proxyfie vers Varnish en HTTP/1.1 (cleartext).
# Varnish ajoute un en-tête Via et le header X-Varnish pour les tests.
# ja4ebpf capture côté nginx : JA4 depuis le ClientHello, L7 depuis SSL_read.
# =============================================================================
services:
clickhouse:
image: clickhouse/clickhouse-server:24.8
hostname: clickhouse
environment:
CLICKHOUSE_DB: ja4_processing
CLICKHOUSE_USER: default
CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1
volumes:
- ../platform/clickhouse-init.sh:/docker-entrypoint-initdb.d/00_init.sh
- ../../../shared/clickhouse/00_database.sql:/initdb-src/00_database.sql:ro
- ../../../shared/clickhouse/01_raw_tables.sql:/initdb-src/01_raw_tables.sql:ro
- ../../../shared/clickhouse/02_dictionaries.sql:/initdb-src/02_dictionaries.sql:ro
- ../../../shared/clickhouse/03_anubis_tables.sql:/initdb-src/03_anubis_tables.sql:ro
- ../../../shared/clickhouse/04_mv_http_logs.sql:/initdb-src/04_mv_http_logs.sql:ro
- ../../../shared/clickhouse/05_aggregation_tables.sql:/initdb-src/05_aggregation_tables.sql:ro
- ../../../shared/clickhouse/06_ml_tables.sql:/initdb-src/06_ml_tables.sql:ro
- ../../../shared/clickhouse/07_ai_features_view.sql:/initdb-src/07_ai_features_view.sql:ro
- ../../../shared/clickhouse/08_users.sql:/initdb-src/08_users.sql:ro
- ../../../shared/clickhouse/09_audit_table.sql:/initdb-src/09_audit_table.sql:ro
- ../../../shared/clickhouse/10_perf_indexes.sql:/initdb-src/10_perf_indexes.sql:ro
- ../../../shared/clickhouse/11_views.sql:/initdb-src/11_views.sql:ro
- ../../../shared/clickhouse/12_thesis_features.sql:/initdb-src/12_thesis_features.sql:ro
- ../../../shared/data/browser_h2.csv:/initdb-src/browser_h2.csv:ro
- ../platform/csv-stubs:/var/lib/clickhouse/user_files
ports: ["9000:9000","8123:8123"]
healthcheck:
test: ["CMD","clickhouse-client","--query","SELECT 1"]
interval: 5s
timeout: 3s
retries: 30
networks: [ja4net]
platform:
build:
context: ../../..
dockerfile: tests/integration/nginx-varnish/platform/Dockerfile
args:
BASE_IMAGE: ${PLATFORM_BASE_IMAGE:-rockylinux:9}
hostname: platform
cap_add: [NET_ADMIN, BPF, SYS_PTRACE]
privileged: true
environment:
JA4EBPF_CH_ADDR: "clickhouse:9000"
depends_on:
clickhouse:
condition: service_healthy
ports: ["443:443","80:80"]
healthcheck:
test: ["CMD","curl","-sfk","https://localhost/health"]
interval: 5s
timeout: 3s
retries: 30
networks: [ja4net]
traffic-gen:
build:
context: ../traffic-gen
hostname: traffic-gen
depends_on:
platform:
condition: service_healthy
networks: [ja4net]
networks:
ja4net:
driver: bridge

50
tests/integration/nginx-varnish/platform/Dockerfile Normal file
View File

@ -0,0 +1,50 @@
# =============================================================================
# Platform nginx + varnish — Rocky Linux 9
# nginx (TLS frontend) → Varnish (HTTP cache) → backend HTTP simple
# =============================================================================
FROM golang:1.24-bookworm AS go-builder
RUN apt-get update && apt-get install -y clang llvm libbpf-dev && rm -rf /var/lib/apt/lists/*
WORKDIR /build
COPY go.work go.work.sum* ./
COPY shared/go/ja4common/go.mod shared/go/ja4common/go.sum* ./shared/go/ja4common/
COPY services/ja4ebpf/go.mod services/ja4ebpf/go.sum* ./services/ja4ebpf/
RUN cd services/ja4ebpf && go mod download 2>/dev/null; true
COPY shared/go/ja4common/ ./shared/go/ja4common/
COPY services/ja4ebpf/ ./services/ja4ebpf/
WORKDIR /build/services/ja4ebpf
RUN GOWORK=off go generate ./internal/loader/ && \
GOWORK=off CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
go build -ldflags="-s -w" -o /out/ja4ebpf ./cmd/ja4ebpf/
# ── Runtime : nginx + varnish + backend + ja4ebpf ─────────────────────────────
ARG BASE_IMAGE=rockylinux:9
FROM ${BASE_IMAGE}
RUN dnf install -y epel-release && \
dnf install -y nginx varnish openssl curl python3 && \
dnf clean all
COPY --from=go-builder /out/ja4ebpf /usr/local/bin/ja4ebpf
# Certificat TLS auto-signé pour nginx
RUN openssl req -x509 -nodes -days 365 \
-subj "/CN=platform.test" \
-newkey rsa:2048 \
-keyout /etc/pki/tls/private/nginx.key \
-out /etc/pki/tls/certs/nginx.crt && \
mkdir -p /var/www/html /var/log/nginx /run/nginx /run/varnish && \
echo '{"status":"ok","stack":"nginx-varnish"}' > /var/www/html/health
COPY tests/integration/nginx-varnish/platform/nginx.conf /etc/nginx/nginx.conf
COPY tests/integration/nginx-varnish/platform/varnish.vcl /etc/varnish/default.vcl
COPY tests/integration/nginx-varnish/platform/ja4ebpf.yml /etc/ja4ebpf/config.yml
COPY tests/integration/nginx-varnish/platform/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
EXPOSE 80 443
CMD ["/entrypoint.sh"]

104
tests/integration/nginx-varnish/platform/entrypoint.sh Executable file
View File

@ -0,0 +1,104 @@
#!/usr/bin/env bash
# =============================================================================
# Entrypoint — stack nginx + varnish + backend HTTP + ja4ebpf
# Ordre : backend → varnish → nginx → ja4ebpf
# =============================================================================
set -eo pipefail
log() { echo "[entrypoint:nginx-varnish] $(date +%H:%M:%S) $*"; }
BACKEND_PID="" VARNISH_PID="" NGINX_PID="" JA4EBPF_PID=""
cleanup() {
log "Arrêt des processus…"
for pid in "$JA4EBPF_PID" "$NGINX_PID" "$VARNISH_PID" "$BACKEND_PID"; do
[ -n "$pid" ] && kill "$pid" 2>/dev/null || true
done
wait 2>/dev/null || true
}
trap cleanup EXIT SIGTERM SIGINT
# ── 1. Backend HTTP simple (Python) ──────────────────────────────────────────
log "Démarrage du backend HTTP (port 8080)…"
python3 -c "
import http.server, socketserver, json
class H(http.server.BaseHTTPRequestHandler):
def log_message(self, *a): pass
def do_GET(self):
body = json.dumps({'status':'ok','backend':'python','path':self.path}).encode()
self.send_response(200)
self.send_header('Content-Type','application/json')
self.send_header('Content-Length', len(body))
self.end_headers()
self.wfile.write(body)
def do_POST(self):
n = int(self.headers.get('Content-Length',0))
self.rfile.read(n)
body = b'{\"result\":\"accepted\"}'
self.send_response(200)
self.send_header('Content-Type','application/json')
self.send_header('Content-Length', len(body))
self.end_headers()
self.wfile.write(body)
with socketserver.TCPServer(('127.0.0.1', 8080), H) as s:
s.serve_forever()
" &
BACKEND_PID=$!
sleep 1
log "Backend HTTP démarré (PID $BACKEND_PID)"
# ── 2. Démarrage de Varnish ───────────────────────────────────────────────────
log "Démarrage de Varnish (port 6081)…"
varnishd \
-F \
-f /etc/varnish/default.vcl \
-a "0.0.0.0:6081,HTTP" \
-s malloc,64m \
-T 127.0.0.1:6082 &
VARNISH_PID=$!
for i in $(seq 1 20); do
if varnishadm -T 127.0.0.1:6082 status 2>/dev/null | grep -q "Child in state running"; then
log "Varnish opérationnel (PID $VARNISH_PID)"; break
fi
sleep 0.5
done
# ── 3. Démarrage de nginx ─────────────────────────────────────────────────────
log "Démarrage de nginx…"
nginx
NGINX_PID=$(cat /run/nginx/nginx.pid 2>/dev/null || pgrep nginx | head -1)
for i in $(seq 1 20); do
if curl -sf http://localhost/health >/dev/null 2>&1; then
log "nginx opérationnel (PID $NGINX_PID)"; break
fi
sleep 0.5
done
# ── 4. Démarrage de ja4ebpf ───────────────────────────────────────────────────
log "Démarrage de ja4ebpf (uprobes nginx/libssl + hook TC)…"
ja4ebpf -config /etc/ja4ebpf/config.yml &
JA4EBPF_PID=$!
log "Stack complète — backend=$BACKEND_PID varnish=$VARNISH_PID nginx=$NGINX_PID ja4ebpf=$JA4EBPF_PID"
# ── 5. Supervision ────────────────────────────────────────────────────────────
while true; do
for pid_var in BACKEND_PID VARNISH_PID JA4EBPF_PID; do
pid="${!pid_var}"
if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then
log "$pid_var (PID $pid) s'est arrêté — fin"
exit 1
fi
done
# nginx master process via PID file
NGINX_PID=$(cat /run/nginx/nginx.pid 2>/dev/null || echo "")
if [ -z "$NGINX_PID" ] || ! kill -0 "$NGINX_PID" 2>/dev/null; then
log "nginx master s'est arrêté — fin"
exit 1
fi
sleep 2
done

30
tests/integration/nginx-varnish/platform/ja4ebpf.yml Normal file
View File

@ -0,0 +1,30 @@
# Configuration ja4ebpf — stack nginx + varnish
# TLS terminé par nginx → uprobe sur libssl.so.3 (liée par nginx).
# Varnish reçoit le trafic HTTP cleartext : pas de SSL_read côté varnish.
interface: eth0
ssl_probes:
# nginx lie libssl.so.3 pour la terminaison TLS.
# L'uprobe SSL_read capture les données HTTP/1.1 et HTTP/2
# déchiffrées juste avant que nginx les traite.
- executable: /usr/lib64/libssl.so.3
symbol: SSL_read
clickhouse:
addr: "clickhouse:9000"
database: "ja4_logs"
table: "http_logs_raw"
username: "default"
password: ""
tls: false
batch_size: 100
flush_every: "1s"
timeouts:
session_expiry: "500ms"
slowloris: "10s"
log:
level: "info"
format: "json"

74
tests/integration/nginx-varnish/platform/nginx.conf Normal file
View File

@ -0,0 +1,74 @@
# nginx.conf — Stack nginx + varnish
# nginx : TLS frontend (port 443) + proxy vers Varnish (port 6081)
# Port 80 : redirige vers HTTPS
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /run/nginx/nginx.pid;
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
keepalive_requests 200;
log_format main '$remote_addr [$time_local] "$request" $status '
'ssl=$ssl_protocol via_varnish=$upstream_http_x_varnish';
access_log /var/log/nginx/access.log main;
# Backend Varnish (HTTP cleartext, pas de TLS)
upstream varnish_backend {
server 127.0.0.1:6081;
keepalive 32;
}
# ── Port 80 ─────────────────────────────────────────────────────────────
server {
listen 80;
server_name _;
location /health {
return 200 '{"status":"ok","stack":"nginx-varnish"}';
add_header Content-Type application/json;
}
location / {
return 301 https://$host$request_uri;
}
}
# ── Port 443 (TLS frontend → proxy Varnish) ──────────────────────────────
server {
listen 443 ssl;
http2 on;
server_name _;
ssl_certificate /etc/pki/tls/certs/nginx.crt;
ssl_certificate_key /etc/pki/tls/private/nginx.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
# Transmission de l'IP réelle du client vers Varnish
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
location /health {
return 200 '{"status":"ok","stack":"nginx-varnish","tls":true}';
add_header Content-Type application/json;
}
location / {
proxy_pass http://varnish_backend;
proxy_http_version 1.1;
# HTTP/2 terminé côté nginx ; nginx→Varnish est HTTP/1.1 cleartext
proxy_set_header Connection "";
}
}
}

56
tests/integration/nginx-varnish/platform/varnish.vcl Normal file
View File

@ -0,0 +1,56 @@
vcl 4.1;
# =============================================================================
# varnish.vcl — Stack nginx + varnish
# Varnish reçoit le trafic HTTP/1.1 depuis nginx (après terminaison TLS).
# Il proxyfie vers le backend HTTP simple sur 127.0.0.1:8080.
# =============================================================================
backend default {
.host = "127.0.0.1";
.port = "8080";
.probe = {
.url = "/health";
.interval = 5s;
.timeout = 2s;
.window = 3;
.threshold = 2;
}
}
sub vcl_recv {
# Normalisation de l'URL (suppression du double slash)
if (req.url ~ "//") {
set req.url = regsuball(req.url, "//+", "/");
}
# Transmission des en-têtes de provenance (déjà ajoutés par nginx)
if (req.http.X-Forwarded-For) {
set req.http.X-Forwarded-For = req.http.X-Forwarded-For;
}
# Ne pas mettre en cache les requêtes POST/PUT/DELETE
if (req.method != "GET" && req.method != "HEAD") {
return (pass);
}
# Cache les requêtes GET/HEAD
return (hash);
}
sub vcl_backend_response {
# TTL de cache court pour les tests (évite les faux positifs)
set beresp.ttl = 5s;
set beresp.grace = 10s;
}
sub vcl_deliver {
# Ajout des en-têtes de debug Varnish (vérifiés par les tests)
if (obj.hits > 0) {
set resp.http.X-Cache = "HIT";
} else {
set resp.http.X-Cache = "MISS";
}
# X-Varnish est ajouté automatiquement par Varnish
set resp.http.Via = "1.1 varnish (Varnish/test)";
return (deliver);
}

74
tests/integration/nginx-varnish/run-tests.sh Executable file
View File

@ -0,0 +1,74 @@
#!/usr/bin/env bash
# =============================================================================
# run-tests.sh — Tests d'intégration stack nginx + varnish + ja4ebpf
# =============================================================================
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
export STACK_NAME="nginx-varnish"
export COMPOSE_FILE="$SCRIPT_DIR/docker-compose.yml"
for arg in "$@"; do
case "$arg" in
--no-down) export KEEP_UP=true ;;
--build-only) export BUILD_ONLY=true ;;
esac
done
source "$SCRIPT_DIR/../lib/run-stack-tests.sh"
# ── Vérifications spécifiques nginx+varnish ───────────────────────────────────
stack_verify_extra() {
# Vérifie la présence du header Via Varnish dans les réponses HTTPS
local via_hdr
via_hdr=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
curl -skI https://localhost/ 2>/dev/null | grep -i "^Via:" | tr -d '\r' || echo "")
if echo "$via_hdr" | grep -qi "varnish"; then
pass "Header Via: varnish présent — traffic bien routé nginx→Varnish"
else
warn "Header Via varnish absent (via='$via_hdr') — Varnish peut-être bypassé"
fi
# Vérifie X-Cache (HIT/MISS de Varnish)
local xcache1 xcache2
xcache1=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
curl -sk https://localhost/api/cached -o /dev/null -w "%{http_code}" 2>/dev/null || echo "")
# Deuxième requête sur le même chemin → doit être un HIT Varnish
xcache2=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
curl -skI https://localhost/api/cached 2>/dev/null | grep -i "^X-Cache:" | tr -d '\r' || echo "")
if echo "$xcache2" | grep -qi "HIT"; then
pass "Cache Varnish actif : X-Cache: HIT sur requête répétée"
else
warn "Cache Varnish non confirmé (X-Cache='$xcache2') — TTL cache peut-être expiré"
fi
# Vérifie que HTTP/2 est terminé côté nginx (pas propagé vers Varnish)
local http_ver
http_ver=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
curl -sk --http2 -w "%{http_version}" -o /dev/null https://localhost/ 2>/dev/null || echo "")
if [ "$http_ver" = "2" ]; then
pass "HTTP/2 terminé par nginx (client↔nginx h2, nginx↔varnish HTTP/1.1)"
else
warn "HTTP/2 non négocié côté client (version: '$http_ver')"
fi
# Vérifie que ja4ebpf tourne
local ja4_pid
ja4_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
pgrep -x ja4ebpf 2>/dev/null | head -1 || echo "")
[ -n "$ja4_pid" ] && pass "ja4ebpf actif (PID $ja4_pid)" \
|| fail "ja4ebpf introuvable"
# Dans cette stack, les requêtes L7 passent via Varnish :
# on vérifie que header_order_signature est capturé malgré le proxy.
local sig_count
sig_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE header_order_signature != ''")
if [ "${sig_count:-0}" -gt 0 ] 2>/dev/null; then
pass "Signature ordre en-têtes capturée : $sig_count enregistrements"
else
warn "Signature ordre en-têtes absente (uprobe SSL_read peut-être inactif)"
fi
}
run_all_phases

82
tests/integration/nginx/docker-compose.yml Normal file
View File

@ -0,0 +1,82 @@
# =============================================================================
# Stack nginx — tests d'intégration ja4ebpf
#
# Architecture :
# traffic-gen ─HTTPS→ nginx (TLS, HTTP/1.1+h2) ─→ ClickHouse
# ↑
# ja4ebpf (uprobe nginx + hook TC)
#
# ja4ebpf attache ses uprobes directement sur /usr/sbin/nginx (qui lie OpenSSL).
# Le hook TC ingress capture les paquets TCP SYN + TLS ClientHello sur eth0.
# =============================================================================
services:
clickhouse:
image: clickhouse/clickhouse-server:24.8
hostname: clickhouse
environment:
CLICKHOUSE_DB: ja4_processing
CLICKHOUSE_USER: default
CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1
volumes:
- ../platform/clickhouse-init.sh:/docker-entrypoint-initdb.d/00_init.sh
- ../../../shared/clickhouse/00_database.sql:/initdb-src/00_database.sql:ro
- ../../../shared/clickhouse/01_raw_tables.sql:/initdb-src/01_raw_tables.sql:ro
- ../../../shared/clickhouse/02_dictionaries.sql:/initdb-src/02_dictionaries.sql:ro
- ../../../shared/clickhouse/03_anubis_tables.sql:/initdb-src/03_anubis_tables.sql:ro
- ../../../shared/clickhouse/04_mv_http_logs.sql:/initdb-src/04_mv_http_logs.sql:ro
- ../../../shared/clickhouse/05_aggregation_tables.sql:/initdb-src/05_aggregation_tables.sql:ro
- ../../../shared/clickhouse/06_ml_tables.sql:/initdb-src/06_ml_tables.sql:ro
- ../../../shared/clickhouse/07_ai_features_view.sql:/initdb-src/07_ai_features_view.sql:ro
- ../../../shared/clickhouse/08_users.sql:/initdb-src/08_users.sql:ro
- ../../../shared/clickhouse/09_audit_table.sql:/initdb-src/09_audit_table.sql:ro
- ../../../shared/clickhouse/10_perf_indexes.sql:/initdb-src/10_perf_indexes.sql:ro
- ../../../shared/clickhouse/11_views.sql:/initdb-src/11_views.sql:ro
- ../../../shared/clickhouse/12_thesis_features.sql:/initdb-src/12_thesis_features.sql:ro
- ../../../shared/data/browser_h2.csv:/initdb-src/browser_h2.csv:ro
- ../platform/csv-stubs:/var/lib/clickhouse/user_files
ports: ["9000:9000","8123:8123"]
healthcheck:
test: ["CMD","clickhouse-client","--query","SELECT 1"]
interval: 5s
timeout: 3s
retries: 30
networks: [ja4net]
platform:
build:
context: ../../..
dockerfile: tests/integration/nginx/platform/Dockerfile
args:
BASE_IMAGE: ${PLATFORM_BASE_IMAGE:-rockylinux:9}
hostname: platform
# ja4ebpf nécessite CAP_BPF + CAP_NET_ADMIN pour charger eBPF
# et CAP_SYS_PTRACE pour attacher les uprobes.
cap_add: [NET_ADMIN, BPF, SYS_PTRACE]
privileged: true # requis sur certains kernels pour bpf()
environment:
JA4EBPF_CH_ADDR: "clickhouse:9000"
depends_on:
clickhouse:
condition: service_healthy
ports: ["443:443","80:80"]
healthcheck:
test: ["CMD","curl","-sfk","https://localhost/health"]
interval: 5s
timeout: 3s
retries: 30
networks: [ja4net]
traffic-gen:
build:
context: ../traffic-gen
hostname: traffic-gen
depends_on:
platform:
condition: service_healthy
networks: [ja4net]
networks:
ja4net:
driver: bridge

56
tests/integration/nginx/platform/Dockerfile Normal file
View File

@ -0,0 +1,56 @@
# =============================================================================
# Platform nginx — Rocky Linux 9
# Construit ja4ebpf (eBPF CO-RE) + nginx avec HTTP/2 et TLS.
#
# Multi-stage :
# ebpf-builder — compile les programmes eBPF C avec clang
# go-builder — compile ja4ebpf (go generate + go build)
# runtime — nginx + binaire ja4ebpf sur Rocky Linux 9
# =============================================================================
# ── Stage 1 : build ja4ebpf ──────────────────────────────────────────────────
FROM golang:1.24-bookworm AS go-builder
RUN apt-get update && apt-get install -y clang llvm libbpf-dev && rm -rf /var/lib/apt/lists/*
WORKDIR /build
COPY go.work go.work.sum* ./
COPY shared/go/ja4common/go.mod shared/go/ja4common/go.sum* ./shared/go/ja4common/
COPY services/ja4ebpf/go.mod services/ja4ebpf/go.sum* ./services/ja4ebpf/
RUN cd services/ja4ebpf && go mod download 2>/dev/null; true
COPY shared/go/ja4common/ ./shared/go/ja4common/
COPY services/ja4ebpf/ ./services/ja4ebpf/
WORKDIR /build/services/ja4ebpf
RUN GOWORK=off go generate ./internal/loader/ && \
GOWORK=off CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
go build -ldflags="-s -w" -o /out/ja4ebpf ./cmd/ja4ebpf/
# ── Stage 2 : runtime nginx + ja4ebpf ────────────────────────────────────────
ARG BASE_IMAGE=rockylinux:9
FROM ${BASE_IMAGE}
RUN dnf install -y epel-release && \
dnf install -y nginx openssl curl && \
dnf clean all
COPY --from=go-builder /out/ja4ebpf /usr/local/bin/ja4ebpf
# Configuration nginx : HTTP/2 + TLS auto-signé
RUN openssl req -x509 -nodes -days 365 \
-subj "/CN=platform.test" \
-newkey rsa:2048 \
-keyout /etc/pki/tls/private/nginx.key \
-out /etc/pki/tls/certs/nginx.crt && \
mkdir -p /var/www/html && \
echo '{"status":"ok","stack":"nginx"}' > /var/www/html/health && \
mkdir -p /var/log/nginx /run/nginx
COPY tests/integration/nginx/platform/nginx.conf /etc/nginx/nginx.conf
COPY tests/integration/nginx/platform/ja4ebpf.yml /etc/ja4ebpf/config.yml
COPY tests/integration/nginx/platform/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
EXPOSE 80 443
CMD ["/entrypoint.sh"]

60
tests/integration/nginx/platform/entrypoint.sh Executable file
View File

@ -0,0 +1,60 @@
#!/usr/bin/env bash
# =============================================================================
# Entrypoint — stack nginx + ja4ebpf
# Ordre : nginx → ja4ebpf (uprobes sur nginx/libssl)
# =============================================================================
set -eo pipefail
log() { echo "[entrypoint:nginx] $(date +%H:%M:%S) $*"; }
NGINX_PID=""
JA4EBPF_PID=""
cleanup() {
log "Arrêt des processus…"
[ -n "$JA4EBPF_PID" ] && kill "$JA4EBPF_PID" 2>/dev/null || true
[ -n "$NGINX_PID" ] && kill "$NGINX_PID" 2>/dev/null || true
wait 2>/dev/null || true
}
trap cleanup EXIT SIGTERM SIGINT
# ── 1. Démarrage de nginx ─────────────────────────────────────────────────
log "Démarrage de nginx…"
nginx
NGINX_PID=$(cat /run/nginx/nginx.pid 2>/dev/null || pgrep nginx | head -1)
# Attendre que nginx soit opérationnel
for i in $(seq 1 20); do
if curl -sf http://localhost/health >/dev/null 2>&1; then
log "nginx opérationnel (PID $NGINX_PID)"
break
fi
sleep 0.5
done
# ── 2. Démarrage de ja4ebpf ───────────────────────────────────────────────
log "Démarrage de ja4ebpf (attache uprobes sur libssl)…"
ja4ebpf -config /etc/ja4ebpf/config.yml &
JA4EBPF_PID=$!
log "Stack démarrée — nginx PID=$NGINX_PID ja4ebpf PID=$JA4EBPF_PID"
# ── 3. Supervision ────────────────────────────────────────────────────────
# nginx fonctionne en daemon : surveiller le process master via le PID file.
# ja4ebpf tourne en foreground.
while true; do
# Vérifier que nginx est toujours en vie
if ! kill -0 "$NGINX_PID" 2>/dev/null; then
NGINX_PID=$(cat /run/nginx/nginx.pid 2>/dev/null || echo "")
if [ -z "$NGINX_PID" ] || ! kill -0 "$NGINX_PID" 2>/dev/null; then
log "nginx s'est arrêté — fin de l'entrypoint"
break
fi
fi
# Vérifier que ja4ebpf est toujours en vie
if ! kill -0 "$JA4EBPF_PID" 2>/dev/null; then
log "ja4ebpf s'est arrêté (code: $?) — fin de l'entrypoint"
break
fi
sleep 2
done

29
tests/integration/nginx/platform/ja4ebpf.yml Normal file
View File

@ -0,0 +1,29 @@
# Configuration ja4ebpf — stack nginx
# ja4ebpf attache ses uprobes sur le processus nginx qui lie OpenSSL directement.
# Sur Rocky Linux 9, nginx utilise libssl.so.3 via dlopen ou liaison dynamique.
interface: eth0
ssl_probes:
# nginx lie OpenSSL : les appels SSL_read sont dans la librairie partagée.
# Le fichier réel (pas le symlink) est requis pour l'uprobe.
- executable: /usr/lib64/libssl.so.3
symbol: SSL_read
clickhouse:
addr: "clickhouse:9000"
database: "ja4_logs"
table: "http_logs_raw"
username: "default"
password: ""
tls: false
batch_size: 100
flush_every: "1s"
timeouts:
session_expiry: "500ms"
slowloris: "10s"
log:
level: "info"
format: "json"

82
tests/integration/nginx/platform/nginx.conf Normal file
View File

@ -0,0 +1,82 @@
# nginx.conf — Stack de test nginx + ja4ebpf
# HTTP/2 activé (h2) pour tester le parsing de la preface HTTP/2 par ja4ebpf.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /run/nginx/nginx.pid;
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
keepalive_requests 200;
# Log format étendu (debug)
log_format main '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'ssl_protocol=$ssl_protocol ssl_cipher=$ssl_cipher';
access_log /var/log/nginx/access.log main;
# ── Serveur HTTP (port 80) ─────────────────────────────────────────────
server {
listen 80;
server_name _;
location /health {
return 200 '{"status":"ok","stack":"nginx"}';
add_header Content-Type application/json;
}
# Redirection HTTPS optionnelle (trafic HTTP testé directement)
location / {
root /var/www/html;
index index.html;
try_files $uri $uri/ =404;
}
}
# ── Serveur HTTPS (port 443) avec HTTP/2 ──────────────────────────────
server {
listen 443 ssl;
http2 on;
server_name _;
ssl_certificate /etc/pki/tls/certs/nginx.crt;
ssl_certificate_key /etc/pki/tls/private/nginx.key;
# Suites de chiffrement variées pour générer plusieurs JA4 distincts
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers off;
# Activation du session resumption (teste le parsing ja4ebpf de session IDs)
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
location /health {
return 200 '{"status":"ok","stack":"nginx","tls":true}';
add_header Content-Type application/json;
}
location / {
root /var/www/html;
index index.html;
try_files $uri $uri/ =404;
}
# Endpoint POST pour tester la capture des requêtes avec body
location /api/ {
return 200 '{"result":"accepted"}';
add_header Content-Type application/json;
}
}
}

73
tests/integration/nginx/run-tests.sh Executable file
View File

@ -0,0 +1,73 @@
#!/usr/bin/env bash
# =============================================================================
# run-tests.sh — Tests d'intégration stack nginx + ja4ebpf
#
# Usage :
# ./run-tests.sh # build + start + test + down
# ./run-tests.sh --no-down # garder la stack après les tests
# ./run-tests.sh --build-only # build uniquement
# =============================================================================
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# Variables de configuration pour la bibliothèque partagée
export STACK_NAME="nginx"
export COMPOSE_FILE="$SCRIPT_DIR/docker-compose.yml"
for arg in "$@"; do
case "$arg" in
--no-down) export KEEP_UP=true ;;
--build-only) export BUILD_ONLY=true ;;
esac
done
# Chargement de la bibliothèque commune
source "$SCRIPT_DIR/../lib/run-stack-tests.sh"
# ── Vérifications spécifiques nginx ──────────────────────────────────────────
stack_verify_extra() {
# Vérifie que nginx répond avec le bon Server header
local server_hdr
server_hdr=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
curl -skI https://localhost/ 2>/dev/null | grep -i "^Server:" | tr -d '\r' || echo "")
if echo "$server_hdr" | grep -qi "nginx"; then
pass "Header Server: nginx présent dans les réponses HTTPS"
else
warn "Header Server nginx non détecté (réponse: '$server_hdr')"
fi
# Vérifie HTTP/2 négocié (ALPN h2)
local alpn_result
alpn_result=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
curl -sk --http2 -w "%{http_version}" -o /dev/null https://localhost/ 2>/dev/null || echo "")
if [ "$alpn_result" = "2" ]; then
pass "HTTP/2 négocié avec succès sur nginx (ALPN h2)"
else
warn "HTTP/2 non négocié (version: '$alpn_result') — vérifier la config TLS nginx"
fi
# Vérifie que ja4ebpf est bien en cours d'exécution
local ja4_running
ja4_running=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
pgrep -x ja4ebpf 2>/dev/null | head -1 || echo "")
if [ -n "$ja4_running" ]; then
pass "Processus ja4ebpf actif (PID $ja4_running)"
else
fail "Processus ja4ebpf introuvable dans le conteneur platform"
fi
# Vérifie SNI capturé (ja4ebpf parse le ClientHello → extrait SNI)
local sni_count
sni_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE sni != ''")
if [ "${sni_count:-0}" -gt 0 ] 2>/dev/null; then
local sni_sample
sni_sample=$(ch_query "SELECT sni FROM ja4_logs.http_logs_raw WHERE sni != '' LIMIT 1")
pass "SNI capturé : $sni_count enregistrements (exemple : '$sni_sample')"
else
warn "Aucun SNI capturé (trafic TLS peut-être sans extension SNI)"
fi
}
# Lancement de tous les phases
run_all_phases

83
tests/integration/run-all-stacks.sh Executable file
View File

@ -0,0 +1,83 @@
#!/usr/bin/env bash
# =============================================================================
# run-all-stacks.sh — Lance les tests des 3 stacks web en séquence
#
# Usage :
# ./run-all-stacks.sh # toutes les stacks
# ./run-all-stacks.sh nginx # stack nginx uniquement
# ./run-all-stacks.sh nginx-varnish hitch-varnish # 2 stacks
# ./run-all-stacks.sh --no-down # garder les stacks actives
# =============================================================================
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; CYAN='\033[0;36m'; NC='\033[0m'
log() { echo -e "${CYAN}[run-all]${NC} $(date +%H:%M:%S) $*"; }
pass() { echo -e "${GREEN}$*${NC}"; }
fail() { echo -e "${RED}$*${NC}"; }
# Stacks disponibles
ALL_STACKS=(apache nginx nginx-varnish hitch-varnish)
STACKS_TO_RUN=()
EXTRA_ARGS=()
for arg in "$@"; do
case "$arg" in
apache|nginx|nginx-varnish|hitch-varnish)
STACKS_TO_RUN+=("$arg") ;;
*)
EXTRA_ARGS+=("$arg") ;;
esac
done
# Par défaut : toutes les stacks
[ "${#STACKS_TO_RUN[@]}" -eq 0 ] && STACKS_TO_RUN=("${ALL_STACKS[@]}")
declare -A RESULTS
for stack in "${STACKS_TO_RUN[@]}"; do
runner="$SCRIPT_DIR/$stack/run-tests.sh"
if [ ! -f "$runner" ]; then
log "ERREUR : runner introuvable pour la stack '$stack' ($runner)"
RESULTS[$stack]="MISSING"
continue
fi
chmod +x "$runner"
log "========================================================"
log "Démarrage de la stack : $stack"
log "========================================================"
if bash "$runner" "${EXTRA_ARGS[@]}"; then
RESULTS[$stack]="PASS"
pass "Stack $stack : TOUS LES TESTS RÉUSSIS"
else
RESULTS[$stack]="FAIL"
fail "Stack $stack : DES TESTS ONT ÉCHOUÉ"
fi
echo ""
done
# ── Résumé global ─────────────────────────────────────────────────────────────
log "========================================================"
log "RÉSUMÉ GLOBAL"
log "========================================================"
TOTAL_PASS=0
TOTAL_FAIL=0
for stack in "${STACKS_TO_RUN[@]}"; do
result="${RESULTS[$stack]:-MISSING}"
case "$result" in
PASS) pass "[$stack] RÉUSSI" ; TOTAL_PASS=$((TOTAL_PASS + 1)) ;;
FAIL) fail "[$stack] ÉCHOUÉ" ; TOTAL_FAIL=$((TOTAL_FAIL + 1)) ;;
MISSING) echo -e "${YELLOW} ⚠ [$stack] MANQUANT${NC}" ; TOTAL_FAIL=$((TOTAL_FAIL + 1)) ;;
esac
done
echo ""
log "Total : ${TOTAL_PASS} réussi(s), ${TOTAL_FAIL} échoué(s) sur ${#STACKS_TO_RUN[@]} stacks"
[ "$TOTAL_FAIL" -gt 0 ] && exit 1 || exit 0

190
tests/integration/run-distro-matrix.sh Executable file
View File

@ -0,0 +1,190 @@
#!/usr/bin/env bash
# =============================================================================
# run-distro-matrix.sh — Test toutes les stacks sur toutes les distributions
#
# Usage :
# ./run-distro-matrix.sh # toutes stacks × toutes distros
# ./run-distro-matrix.sh --stacks=nginx,apache # stacks choisies
# ./run-distro-matrix.sh --distros=el9,el10 # distros choisies
# ./run-distro-matrix.sh --no-down # garder les stacks actives
# ./run-distro-matrix.sh --fail-fast # arrêter au premier échec
#
# Variables d'environnement :
# MATRIX_STACKS — liste des stacks séparées par virgules (défaut: toutes)
# MATRIX_DISTROS — liste des distros séparées par virgules (défaut: el8,el9,el10)
# =============================================================================
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'
CYAN='\033[0;36m'; BOLD='\033[1m'; NC='\033[0m'
log() { echo -e "${CYAN}[matrix]${NC} $(date +%H:%M:%S) $*"; }
pass() { echo -e "${GREEN}$*${NC}"; }
fail() { echo -e "${RED}$*${NC}"; }
warn() { echo -e "${YELLOW}$*${NC}"; }
# ── Correspondance distro → image Docker ──────────────────────────────────────
declare -A DISTRO_IMAGES=(
[el8]="almalinux:8"
[el9]="rockylinux:9"
[el10]="almalinux:10"
)
# ── Disponibilité des packages par distro ─────────────────────────────────────
# hitch n'est pas disponible sur el8 (pas dans EPEL 8)
declare -A STACK_SKIP=(
[el8_hitch-varnish]="hitch non disponible dans EPEL 8"
)
# ── Valeurs par défaut ────────────────────────────────────────────────────────
ALL_STACKS=(apache nginx nginx-varnish hitch-varnish)
ALL_DISTROS=(el8 el9 el10)
STACKS=()
DISTROS=()
KEEP_UP=false
FAIL_FAST=false
# ── Parse des arguments ───────────────────────────────────────────────────────
for arg in "$@"; do
case "$arg" in
--stacks=*)
IFS=',' read -ra STACKS <<< "${arg#--stacks=}" ;;
--distros=*)
IFS=',' read -ra DISTROS <<< "${arg#--distros=}" ;;
--no-down)
KEEP_UP=true ;;
--fail-fast)
FAIL_FAST=true ;;
esac
done
# Utiliser les valeurs env si définies
if [ -n "${MATRIX_STACKS:-}" ]; then
IFS=',' read -ra STACKS <<< "$MATRIX_STACKS"
fi
if [ -n "${MATRIX_DISTROS:-}" ]; then
IFS=',' read -ra DISTROS <<< "$MATRIX_DISTROS"
fi
# Défauts
[ "${#STACKS[@]}" -eq 0 ] && STACKS=("${ALL_STACKS[@]}")
[ "${#DISTROS[@]}" -eq 0 ] && DISTROS=("${ALL_DISTROS[@]}")
# ── Résultats ─────────────────────────────────────────────────────────────────
declare -A RESULTS # RESULTS[distro_stack] = PASS|FAIL|SKIP
# ── Lancement de la matrice ───────────────────────────────────────────────────
TOTAL_PASS=0
TOTAL_FAIL=0
TOTAL_SKIP=0
log "============================================================"
log "${BOLD}MATRICE DE TESTS : ${#DISTROS[@]} distros × ${#STACKS[@]} stacks${NC}"
log "Distros : ${DISTROS[*]}"
log "Stacks : ${STACKS[*]}"
log "============================================================"
echo ""
for distro in "${DISTROS[@]}"; do
base_image="${DISTRO_IMAGES[$distro]:-}"
if [ -z "$base_image" ]; then
warn "Distro inconnue '$distro' — ignorée. Valides: ${!DISTRO_IMAGES[*]}"
continue
fi
log "┌──────────────────────────────────────────────────────────"
log "│ DISTRO : $distro (image: $base_image)"
log "└──────────────────────────────────────────────────────────"
for stack in "${STACKS[@]}"; do
key="${distro}_${stack}"
# Vérifier si cette combinaison est à ignorer
skip_reason="${STACK_SKIP[$key]:-}"
if [ -n "$skip_reason" ]; then
warn "SKIP [$distro/$stack] : $skip_reason"
RESULTS[$key]="SKIP"
TOTAL_SKIP=$((TOTAL_SKIP + 1))
continue
fi
runner="$SCRIPT_DIR/$stack/run-tests.sh"
if [ ! -f "$runner" ]; then
warn "Runner introuvable : $runner"
RESULTS[$key]="MISSING"
TOTAL_FAIL=$((TOTAL_FAIL + 1))
continue
fi
chmod +x "$runner"
log " → Stack '$stack' sur $distro..."
# Passer BASE_IMAGE via l'env + flag --no-down si demandé
extra_args=()
$KEEP_UP && extra_args+=(--no-down)
set +e
PLATFORM_BASE_IMAGE="$base_image" bash "$runner" "${extra_args[@]}"
rc=$?
set -e
if [ $rc -eq 0 ]; then
pass "[$distro/$stack] RÉUSSI"
RESULTS[$key]="PASS"
TOTAL_PASS=$((TOTAL_PASS + 1))
else
fail "[$distro/$stack] ÉCHOUÉ (exit $rc)"
RESULTS[$key]="FAIL"
TOTAL_FAIL=$((TOTAL_FAIL + 1))
if $FAIL_FAST; then
log "FAIL-FAST activé — arrêt."
break 2
fi
fi
echo ""
done
echo ""
done
# ── Résumé en tableau ─────────────────────────────────────────────────────────
log "============================================================"
log "${BOLD}RÉSUMÉ DE LA MATRICE${NC}"
log "============================================================"
# En-tête
printf "%-16s" "DISTRO \\ STACK"
for stack in "${STACKS[@]}"; do
printf " %-18s" "$stack"
done
echo ""
printf "%-16s" "----------------"
for stack in "${STACKS[@]}"; do
printf " %-18s" "------------------"
done
echo ""
for distro in "${DISTROS[@]}"; do
printf "%-16s" "$distro"
for stack in "${STACKS[@]}"; do
key="${distro}_${stack}"
result="${RESULTS[$key]:-N/A}"
case "$result" in
PASS) printf " ${GREEN}%-18s${NC}" "PASS ✓" ;;
FAIL) printf " ${RED}%-18s${NC}" "FAIL ✗" ;;
SKIP) printf " ${YELLOW}%-18s${NC}" "SKIP ⚠" ;;
MISSING) printf " ${YELLOW}%-18s${NC}" "MISSING" ;;
*) printf " %-18s" "$result" ;;
esac
done
echo ""
done
echo ""
log "Résultat global : ${GREEN}${TOTAL_PASS} PASS${NC} | ${RED}${TOTAL_FAIL} FAIL${NC} | ${YELLOW}${TOTAL_SKIP} SKIP${NC}"
if [ $TOTAL_FAIL -gt 0 ]; then
exit 1
fi
exit 0