fix(ja4ebpf): split bpf2go generate into Ja4Tc + Ja4Ssl, fix RPM systemd-rpm-macros

- Use two separate //go:generate directives (Ja4Tc for tc_capture.c, Ja4Ssl for uprobe_ssl.c) to avoid duplicate LICENSE symbol and multi-file clang issue - Update loader.go to hold tcObjs/sslObjs separately with correct field names: UprobeSslSetFd, UprobeSslReadEntry, UretprobeSslReadExit, KprobeAccept4Entry, KretprobeAccept4Exit - Add systemd-rpm-macros to all three RPM build stages (el8/el9/el10) so that %{_unitdir} macro resolves correctly - RPMs now build successfully for el8, el9, el10 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-11 23:21:11 +02:00
parent a1e4c1dad5
commit 3b047b680a
155 changed files with 197011 additions and 599 deletions
--- a/tests/integration/apache/platform/Dockerfile
+++ b/tests/integration/apache/platform/Dockerfile
@ -0,0 +1,57 @@
+# =============================================================================
+# Platform apache — Multi-distro (Rocky Linux 9 par défaut)
+#
+# Architecture :
+#   traffic-gen ─HTTPS→ Apache HTTPD (TLS, HTTP/2) → ClickHouse
+#                            ↑
+#                         ja4ebpf (uprobe httpd/libssl + hook TC ingress)
+#
+# ja4ebpf attache ses uprobes sur /usr/sbin/httpd qui lie OpenSSL.
+# Le hook TC ingress capture TCP SYN + TLS ClientHello sur eth0.
+# =============================================================================
+
+# ── Stage 1 : build ja4ebpf ──────────────────────────────────────────────────
+FROM golang:1.24-bookworm AS go-builder
+
+RUN apt-get update && apt-get install -y clang llvm libbpf-dev && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /build
+COPY go.work go.work.sum* ./
+COPY shared/go/ja4common/go.mod shared/go/ja4common/go.sum* ./shared/go/ja4common/
+COPY services/ja4ebpf/go.mod services/ja4ebpf/go.sum* ./services/ja4ebpf/
+RUN cd services/ja4ebpf && go mod download 2>/dev/null; true
+
+COPY shared/go/ja4common/ ./shared/go/ja4common/
+COPY services/ja4ebpf/ ./services/ja4ebpf/
+
+WORKDIR /build/services/ja4ebpf
+RUN GOWORK=off go generate ./internal/loader/ && \
+    GOWORK=off CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+    go build -ldflags="-s -w" -o /out/ja4ebpf ./cmd/ja4ebpf/
+
+# ── Stage 2 : runtime Apache HTTPD + ja4ebpf ─────────────────────────────────
+ARG BASE_IMAGE=rockylinux:9
+FROM ${BASE_IMAGE}
+
+RUN dnf install -y epel-release 2>/dev/null; \
+    dnf install -y httpd mod_ssl mod_http2 openssl curl && \
+    dnf clean all
+
+COPY --from=go-builder /out/ja4ebpf /usr/local/bin/ja4ebpf
+
+# Certificat TLS auto-signé pour Apache
+RUN openssl req -x509 -nodes -days 365 \
+        -subj "/CN=platform.test" \
+        -newkey rsa:2048 \
+        -keyout /etc/pki/tls/private/apache.key \
+        -out /etc/pki/tls/certs/apache.crt && \
+    mkdir -p /var/www/html /var/log/httpd && \
+    echo '{"status":"ok","stack":"apache"}' > /var/www/html/health
+
+COPY tests/integration/apache/platform/httpd-ssl.conf /etc/httpd/conf.d/ssl.conf
+COPY tests/integration/apache/platform/ja4ebpf.yml    /etc/ja4ebpf/config.yml
+COPY tests/integration/apache/platform/entrypoint.sh  /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+EXPOSE 80 443
+CMD ["/entrypoint.sh"]
--- a/tests/integration/apache/platform/entrypoint.sh
+++ b/tests/integration/apache/platform/entrypoint.sh
@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# =============================================================================
+# entrypoint.sh — Stack Apache HTTPD + ja4ebpf
+# Démarre Apache en foreground et lance ja4ebpf en arrière-plan.
+# =============================================================================
+set -euo pipefail
+
+# Activer le module HTTP/2 si pas déjà chargé
+if ! httpd -M 2>/dev/null | grep -q http2_module; then
+    echo "LoadModule http2_module modules/mod_http2.so" >> /etc/httpd/conf.modules.d/00-base.conf
+fi
+
+# Créer les répertoires de run nécessaires
+mkdir -p /run/httpd /var/log/httpd
+
+# Démarrer ja4ebpf en arrière-plan
+/usr/local/bin/ja4ebpf -config /etc/ja4ebpf/config.yml &
+JA4_PID=$!
+echo "[entrypoint] ja4ebpf démarré (PID $JA4_PID)"
+
+# Attendre que ja4ebpf charge ses programmes eBPF
+sleep 2
+
+# Démarrer Apache HTTPD en foreground
+echo "[entrypoint] Démarrage d'Apache HTTPD..."
+exec /usr/sbin/httpd -DFOREGROUND
--- a/tests/integration/apache/platform/httpd-ssl.conf
+++ b/tests/integration/apache/platform/httpd-ssl.conf
@ -0,0 +1,57 @@
+# Configuration Apache HTTPD — HTTPS + HTTP/2 pour les tests ja4ebpf
+# Remplace /etc/httpd/conf.d/ssl.conf
+
+Listen 443 https
+
+SSLPassPhraseDialog  exec:/usr/libexec/httpd-ssl-pass-dialog
+SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout  300
+SSLCryptoDevice builtin
+
+# Désactiver SSLv2/v3 et TLSv1.0/1.1 pour forcer JA4 modernes
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+
+# Suites de chiffrement compatibles HTTP/2 + TLS 1.2/1.3
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
+SSLHonorCipherOrder off
+
+<VirtualHost _default_:443>
+    ServerName platform.test
+    DocumentRoot /var/www/html
+
+    # Activation HTTP/2 (ALPN h2)
+    Protocols h2 http/1.1
+
+    SSLEngine on
+    SSLCertificateFile    /etc/pki/tls/certs/apache.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/apache.key
+
+    <Directory /var/www/html>
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    # Route healthcheck
+    Alias /health /var/www/html/health
+    <Location /health>
+        Header always set Content-Type "application/json"
+    </Location>
+
+    # Logs
+    ErrorLog  /var/log/httpd/ssl_error.log
+    CustomLog /var/log/httpd/ssl_access.log combined
+</VirtualHost>
+
+# VirtualHost HTTP (port 80) pour capturer le trafic en clair
+<VirtualHost *:80>
+    ServerName platform.test
+    DocumentRoot /var/www/html
+
+    <Directory /var/www/html>
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    ErrorLog  /var/log/httpd/access_error.log
+    CustomLog /var/log/httpd/access_log combined
+</VirtualHost>
--- a/tests/integration/apache/platform/ja4ebpf.yml
+++ b/tests/integration/apache/platform/ja4ebpf.yml
@ -0,0 +1,22 @@
+# Configuration ja4ebpf — stack Apache
+# Fichier monté dans /etc/ja4ebpf/config.yml
+
+interface: eth0
+
+# Cibles uprobe : httpd lie OpenSSL via libssl.so.
+# Sur RHEL/Rocky, le binaire est /usr/sbin/httpd.
+targets:
+  - binary: /usr/sbin/httpd
+  - binary: /usr/lib64/httpd/modules/mod_ssl.so
+
+clickhouse:
+  addr: "${JA4EBPF_CH_ADDR:-clickhouse:9000}"
+  database: ja4_logs
+  table: http_logs_raw
+  batch_size: 200
+  flush_interval_ms: 500
+
+session:
+  timeout_ms: 500
+  slowloris_timeout_s: 10
+  gc_interval_ms: 100