fix(ja4ebpf): split bpf2go generate into Ja4Tc + Ja4Ssl, fix RPM systemd-rpm-macros

- Use two separate //go:generate directives (Ja4Tc for tc_capture.c, Ja4Ssl
  for uprobe_ssl.c) to avoid duplicate LICENSE symbol and multi-file clang issue
- Update loader.go to hold tcObjs/sslObjs separately with correct field names:
  UprobeSslSetFd, UprobeSslReadEntry, UretprobeSslReadExit,
  KprobeAccept4Entry, KretprobeAccept4Exit
- Add systemd-rpm-macros to all three RPM build stages (el8/el9/el10)
  so that %{_unitdir} macro resolves correctly
- RPMs now build successfully for el8, el9, el10

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

tests/integration/apache/docker-compose.yml

@@ -0,0 +1,77 @@
+# =============================================================================
+# Stack apache — tests d'intégration ja4ebpf
+#
+# Architecture :
+#   traffic-gen ─HTTPS→ Apache HTTPD (TLS, HTTP/1.1+h2) ─→ ClickHouse
+#                              ↑
+#                           ja4ebpf (uprobe httpd + hook TC ingress)
+# =============================================================================
+
+services:
+
+  clickhouse:
+    image: clickhouse/clickhouse-server:24.8
+    hostname: clickhouse
+    environment:
+      CLICKHOUSE_DB: ja4_processing
+      CLICKHOUSE_USER: default
+      CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1
+    volumes:
+      - ../platform/clickhouse-init.sh:/docker-entrypoint-initdb.d/00_init.sh
+      - ../../../shared/clickhouse/00_database.sql:/initdb-src/00_database.sql:ro
+      - ../../../shared/clickhouse/01_raw_tables.sql:/initdb-src/01_raw_tables.sql:ro
+      - ../../../shared/clickhouse/02_dictionaries.sql:/initdb-src/02_dictionaries.sql:ro
+      - ../../../shared/clickhouse/03_anubis_tables.sql:/initdb-src/03_anubis_tables.sql:ro
+      - ../../../shared/clickhouse/04_mv_http_logs.sql:/initdb-src/04_mv_http_logs.sql:ro
+      - ../../../shared/clickhouse/05_aggregation_tables.sql:/initdb-src/05_aggregation_tables.sql:ro
+      - ../../../shared/clickhouse/06_ml_tables.sql:/initdb-src/06_ml_tables.sql:ro
+      - ../../../shared/clickhouse/07_ai_features_view.sql:/initdb-src/07_ai_features_view.sql:ro
+      - ../../../shared/clickhouse/08_users.sql:/initdb-src/08_users.sql:ro
+      - ../../../shared/clickhouse/09_audit_table.sql:/initdb-src/09_audit_table.sql:ro
+      - ../../../shared/clickhouse/10_perf_indexes.sql:/initdb-src/10_perf_indexes.sql:ro
+      - ../../../shared/clickhouse/11_views.sql:/initdb-src/11_views.sql:ro
+      - ../../../shared/clickhouse/12_thesis_features.sql:/initdb-src/12_thesis_features.sql:ro
+      - ../../../shared/data/browser_h2.csv:/initdb-src/browser_h2.csv:ro
+      - ../platform/csv-stubs:/var/lib/clickhouse/user_files
+    ports: ["9000:9000","8123:8123"]
+    healthcheck:
+      test: ["CMD","clickhouse-client","--query","SELECT 1"]
+      interval: 5s
+      timeout: 3s
+      retries: 30
+    networks: [ja4net]
+
+  platform:
+    build:
+      context: ../../..
+      dockerfile: tests/integration/apache/platform/Dockerfile
+      args:
+        BASE_IMAGE: ${PLATFORM_BASE_IMAGE:-rockylinux:9}
+    hostname: platform
+    cap_add: [NET_ADMIN, BPF, SYS_PTRACE]
+    privileged: true
+    environment:
+      JA4EBPF_CH_ADDR: "clickhouse:9000"
+    depends_on:
+      clickhouse:
+        condition: service_healthy
+    ports: ["443:443","80:80"]
+    healthcheck:
+      test: ["CMD","curl","-sfk","https://localhost/health"]
+      interval: 5s
+      timeout: 3s
+      retries: 30
+    networks: [ja4net]
+
+  traffic-gen:
+    build:
+      context: ../traffic-gen
+    hostname: traffic-gen
+    depends_on:
+      platform:
+        condition: service_healthy
+    networks: [ja4net]
+
+networks:
+  ja4net:
+    driver: bridge

tests/integration/apache/platform/Dockerfile

@@ -0,0 +1,57 @@
+# =============================================================================
+# Platform apache — Multi-distro (Rocky Linux 9 par défaut)
+#
+# Architecture :
+#   traffic-gen ─HTTPS→ Apache HTTPD (TLS, HTTP/2) → ClickHouse
+#                            ↑
+#                         ja4ebpf (uprobe httpd/libssl + hook TC ingress)
+#
+# ja4ebpf attache ses uprobes sur /usr/sbin/httpd qui lie OpenSSL.
+# Le hook TC ingress capture TCP SYN + TLS ClientHello sur eth0.
+# =============================================================================
+
+# ── Stage 1 : build ja4ebpf ──────────────────────────────────────────────────
+FROM golang:1.24-bookworm AS go-builder
+
+RUN apt-get update && apt-get install -y clang llvm libbpf-dev && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /build
+COPY go.work go.work.sum* ./
+COPY shared/go/ja4common/go.mod shared/go/ja4common/go.sum* ./shared/go/ja4common/
+COPY services/ja4ebpf/go.mod services/ja4ebpf/go.sum* ./services/ja4ebpf/
+RUN cd services/ja4ebpf && go mod download 2>/dev/null; true
+
+COPY shared/go/ja4common/ ./shared/go/ja4common/
+COPY services/ja4ebpf/ ./services/ja4ebpf/
+
+WORKDIR /build/services/ja4ebpf
+RUN GOWORK=off go generate ./internal/loader/ && \
+    GOWORK=off CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+    go build -ldflags="-s -w" -o /out/ja4ebpf ./cmd/ja4ebpf/
+
+# ── Stage 2 : runtime Apache HTTPD + ja4ebpf ─────────────────────────────────
+ARG BASE_IMAGE=rockylinux:9
+FROM ${BASE_IMAGE}
+
+RUN dnf install -y epel-release 2>/dev/null; \
+    dnf install -y httpd mod_ssl mod_http2 openssl curl && \
+    dnf clean all
+
+COPY --from=go-builder /out/ja4ebpf /usr/local/bin/ja4ebpf
+
+# Certificat TLS auto-signé pour Apache
+RUN openssl req -x509 -nodes -days 365 \
+        -subj "/CN=platform.test" \
+        -newkey rsa:2048 \
+        -keyout /etc/pki/tls/private/apache.key \
+        -out /etc/pki/tls/certs/apache.crt && \
+    mkdir -p /var/www/html /var/log/httpd && \
+    echo '{"status":"ok","stack":"apache"}' > /var/www/html/health
+
+COPY tests/integration/apache/platform/httpd-ssl.conf /etc/httpd/conf.d/ssl.conf
+COPY tests/integration/apache/platform/ja4ebpf.yml    /etc/ja4ebpf/config.yml
+COPY tests/integration/apache/platform/entrypoint.sh  /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+EXPOSE 80 443
+CMD ["/entrypoint.sh"]

tests/integration/apache/platform/entrypoint.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# =============================================================================
+# entrypoint.sh — Stack Apache HTTPD + ja4ebpf
+# Démarre Apache en foreground et lance ja4ebpf en arrière-plan.
+# =============================================================================
+set -euo pipefail
+
+# Activer le module HTTP/2 si pas déjà chargé
+if ! httpd -M 2>/dev/null | grep -q http2_module; then
+    echo "LoadModule http2_module modules/mod_http2.so" >> /etc/httpd/conf.modules.d/00-base.conf
+fi
+
+# Créer les répertoires de run nécessaires
+mkdir -p /run/httpd /var/log/httpd
+
+# Démarrer ja4ebpf en arrière-plan
+/usr/local/bin/ja4ebpf -config /etc/ja4ebpf/config.yml &
+JA4_PID=$!
+echo "[entrypoint] ja4ebpf démarré (PID $JA4_PID)"
+
+# Attendre que ja4ebpf charge ses programmes eBPF
+sleep 2
+
+# Démarrer Apache HTTPD en foreground
+echo "[entrypoint] Démarrage d'Apache HTTPD..."
+exec /usr/sbin/httpd -DFOREGROUND

tests/integration/apache/platform/httpd-ssl.conf

@@ -0,0 +1,57 @@
+# Configuration Apache HTTPD — HTTPS + HTTP/2 pour les tests ja4ebpf
+# Remplace /etc/httpd/conf.d/ssl.conf
+
+Listen 443 https
+
+SSLPassPhraseDialog  exec:/usr/libexec/httpd-ssl-pass-dialog
+SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout  300
+SSLCryptoDevice builtin
+
+# Désactiver SSLv2/v3 et TLSv1.0/1.1 pour forcer JA4 modernes
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+
+# Suites de chiffrement compatibles HTTP/2 + TLS 1.2/1.3
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
+SSLHonorCipherOrder off
+
+<VirtualHost _default_:443>
+    ServerName platform.test
+    DocumentRoot /var/www/html
+
+    # Activation HTTP/2 (ALPN h2)
+    Protocols h2 http/1.1
+
+    SSLEngine on
+    SSLCertificateFile    /etc/pki/tls/certs/apache.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/apache.key
+
+    <Directory /var/www/html>
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    # Route healthcheck
+    Alias /health /var/www/html/health
+    <Location /health>
+        Header always set Content-Type "application/json"
+    </Location>
+
+    # Logs
+    ErrorLog  /var/log/httpd/ssl_error.log
+    CustomLog /var/log/httpd/ssl_access.log combined
+</VirtualHost>
+
+# VirtualHost HTTP (port 80) pour capturer le trafic en clair
+<VirtualHost *:80>
+    ServerName platform.test
+    DocumentRoot /var/www/html
+
+    <Directory /var/www/html>
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    ErrorLog  /var/log/httpd/access_error.log
+    CustomLog /var/log/httpd/access_log combined
+</VirtualHost>

tests/integration/apache/platform/ja4ebpf.yml

@@ -0,0 +1,22 @@
+# Configuration ja4ebpf — stack Apache
+# Fichier monté dans /etc/ja4ebpf/config.yml
+
+interface: eth0
+
+# Cibles uprobe : httpd lie OpenSSL via libssl.so.
+# Sur RHEL/Rocky, le binaire est /usr/sbin/httpd.
+targets:
+  - binary: /usr/sbin/httpd
+  - binary: /usr/lib64/httpd/modules/mod_ssl.so
+
+clickhouse:
+  addr: "${JA4EBPF_CH_ADDR:-clickhouse:9000}"
+  database: ja4_logs
+  table: http_logs_raw
+  batch_size: 200
+  flush_interval_ms: 500
+
+session:
+  timeout_ms: 500
+  slowloris_timeout_s: 10
+  gc_interval_ms: 100

tests/integration/apache/run-tests.sh

@@ -0,0 +1,107 @@
+#!/usr/bin/env bash
+# =============================================================================
+# run-tests.sh — Tests d'intégration stack Apache HTTPD + ja4ebpf
+#
+# Usage :
+#   ./run-tests.sh                           # build + start + test + down
+#   ./run-tests.sh --no-down                 # garder la stack après les tests
+#   ./run-tests.sh --build-only              # build uniquement
+#   PLATFORM_BASE_IMAGE=almalinux:8 ./run-tests.sh   # tester sur el8
+# =============================================================================
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+export STACK_NAME="apache"
+export COMPOSE_FILE="$SCRIPT_DIR/docker-compose.yml"
+
+for arg in "$@"; do
+    case "$arg" in
+        --no-down)    export KEEP_UP=true ;;
+        --build-only) export BUILD_ONLY=true ;;
+    esac
+done
+
+source "$SCRIPT_DIR/../lib/run-stack-tests.sh"
+
+# ── Vérifications spécifiques Apache ─────────────────────────────────────────
+stack_verify_extra() {
+    # Vérifie que httpd répond avec le bon Server header
+    local server_hdr
+    server_hdr=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
+        curl -skI https://localhost/ 2>/dev/null | grep -i "^Server:" | tr -d '\r' || echo "")
+    if echo "$server_hdr" | grep -qi "apache\|httpd"; then
+        pass "Header Server: Apache présent dans les réponses HTTPS"
+    else
+        warn "Header Server Apache non détecté (réponse: '$server_hdr')"
+    fi
+
+    # Vérifie HTTP/2 ALPN h2 via curl
+    local alpn_result
+    alpn_result=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
+        curl -sk --http2 -w "%{http_version}" -o /dev/null https://localhost/ 2>/dev/null || echo "")
+    if [ "$alpn_result" = "2" ]; then
+        pass "HTTP/2 (ALPN h2) négocié avec succès sur Apache"
+    else
+        warn "HTTP/2 non négocié (version: '$alpn_result') — vérifier mod_http2 et SSLProtocol"
+    fi
+
+    # Vérifie que ja4ebpf tourne
+    local ja4_pid
+    ja4_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
+        pgrep -x ja4ebpf 2>/dev/null | head -1 || echo "")
+    if [ -n "$ja4_pid" ]; then
+        pass "Processus ja4ebpf actif (PID $ja4_pid)"
+    else
+        fail "Processus ja4ebpf introuvable dans le conteneur platform"
+    fi
+
+    # Vérifie que httpd tourne
+    local httpd_count
+    httpd_count=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
+        pgrep -c httpd 2>/dev/null || echo "0")
+    if [ "${httpd_count:-0}" -gt 0 ] 2>/dev/null; then
+        pass "Apache HTTPD actif ($httpd_count processus httpd)"
+    else
+        fail "Aucun processus httpd trouvé"
+    fi
+
+    # Vérifie les données L7 capturées via uprobe httpd
+    local l7_count
+    l7_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE method != ''")
+    if [ "${l7_count:-0}" -gt 0 ] 2>/dev/null; then
+        pass "L7 capturé via uprobe httpd : $l7_count requêtes HTTP"
+    else
+        warn "Aucune requête L7 — uprobe httpd peut nécessiter que httpd lie directement libssl"
+        log "  Vérifier : ldd /usr/sbin/httpd | grep ssl"
+    fi
+
+    # Vérifie JA4 fingerprint
+    local ja4_sample
+    ja4_sample=$(ch_query "SELECT ja4 FROM ja4_logs.http_logs_raw WHERE ja4 != '' LIMIT 1" 2>/dev/null || echo "")
+    if [ -n "$ja4_sample" ]; then
+        pass "JA4 fingerprint capturé : $ja4_sample"
+    else
+        warn "JA4 fingerprint vide — TC ingress hook peut-être non fonctionnel"
+    fi
+
+    # Vérifie le SNI capturé
+    local sni_count
+    sni_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE sni != ''")
+    if [ "${sni_count:-0}" -gt 0 ] 2>/dev/null; then
+        pass "SNI capturé dans $sni_count enregistrements"
+    else
+        warn "Aucun SNI capturé"
+    fi
+
+    # Vérifie HTTP port 80 (trafic en clair — kprobe tcp_recvmsg)
+    local plain_count
+    plain_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE correlated = 0 AND method != ''" 2>/dev/null || echo "0")
+    if [ "${plain_count:-0}" -gt 0 ] 2>/dev/null; then
+        pass "HTTP en clair capturé : $plain_count requêtes (kprobe tcp_recvmsg)"
+    else
+        warn "Aucune requête HTTP port 80 en clair détectée (normal si traffic-gen n'envoie que du HTTPS)"
+    fi
+}
+
+run_all_phases