fix(ja4ebpf): split bpf2go generate into Ja4Tc + Ja4Ssl, fix RPM systemd-rpm-macros

- Use two separate //go:generate directives (Ja4Tc for tc_capture.c, Ja4Ssl for uprobe_ssl.c) to avoid duplicate LICENSE symbol and multi-file clang issue - Update loader.go to hold tcObjs/sslObjs separately with correct field names: UprobeSslSetFd, UprobeSslReadEntry, UretprobeSslReadExit, KprobeAccept4Entry, KretprobeAccept4Exit - Add systemd-rpm-macros to all three RPM build stages (el8/el9/el10) so that %{_unitdir} macro resolves correctly - RPMs now build successfully for el8, el9, el10 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-11 23:21:11 +02:00
parent a1e4c1dad5
commit 3b047b680a
155 changed files with 197011 additions and 599 deletions
--- a/tests/integration/hitch-varnish/docker-compose.yml
+++ b/tests/integration/hitch-varnish/docker-compose.yml
@ -0,0 +1,90 @@
+# =============================================================================
+# Stack hitch + varnish — tests d'intégration ja4ebpf
+#
+# Architecture :
+#   traffic-gen ─HTTPS→ hitch (TLS, port 443, PROXY protocol) ─HTTP→ varnish (port 6081)
+#                                                                          ↓
+#                                                              backend HTTP (port 8080)
+#                          ↑
+#                       ja4ebpf (uprobe hitch/libssl + hook TC)
+#
+# Hitch est un TLS offloader dédié : il ne fait QUE la terminaison TLS
+# et transmet le trafic cleartext + PROXY protocol header à Varnish.
+# Varnish lit le PROXY header pour récupérer l'IP réelle du client.
+#
+# Différence clé vs nginx+varnish :
+#   - uprobe sur hitch (/usr/sbin/hitch ou libssl liée par hitch)
+#   - PROXY protocol header permet à ja4ebpf de récupérer la vraie src_ip
+#     même si le trafic L3 vient de hitch → varnish (127.0.0.1)
+# =============================================================================
+
+services:
+
+  clickhouse:
+    image: clickhouse/clickhouse-server:24.8
+    hostname: clickhouse
+    environment:
+      CLICKHOUSE_DB: ja4_processing
+      CLICKHOUSE_USER: default
+      CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1
+    volumes:
+      - ../platform/clickhouse-init.sh:/docker-entrypoint-initdb.d/00_init.sh
+      - ../../../shared/clickhouse/00_database.sql:/initdb-src/00_database.sql:ro
+      - ../../../shared/clickhouse/01_raw_tables.sql:/initdb-src/01_raw_tables.sql:ro
+      - ../../../shared/clickhouse/02_dictionaries.sql:/initdb-src/02_dictionaries.sql:ro
+      - ../../../shared/clickhouse/03_anubis_tables.sql:/initdb-src/03_anubis_tables.sql:ro
+      - ../../../shared/clickhouse/04_mv_http_logs.sql:/initdb-src/04_mv_http_logs.sql:ro
+      - ../../../shared/clickhouse/05_aggregation_tables.sql:/initdb-src/05_aggregation_tables.sql:ro
+      - ../../../shared/clickhouse/06_ml_tables.sql:/initdb-src/06_ml_tables.sql:ro
+      - ../../../shared/clickhouse/07_ai_features_view.sql:/initdb-src/07_ai_features_view.sql:ro
+      - ../../../shared/clickhouse/08_users.sql:/initdb-src/08_users.sql:ro
+      - ../../../shared/clickhouse/09_audit_table.sql:/initdb-src/09_audit_table.sql:ro
+      - ../../../shared/clickhouse/10_perf_indexes.sql:/initdb-src/10_perf_indexes.sql:ro
+      - ../../../shared/clickhouse/11_views.sql:/initdb-src/11_views.sql:ro
+      - ../../../shared/clickhouse/12_thesis_features.sql:/initdb-src/12_thesis_features.sql:ro
+      - ../../../shared/data/browser_h2.csv:/initdb-src/browser_h2.csv:ro
+      - ../platform/csv-stubs:/var/lib/clickhouse/user_files
+    ports: ["9000:9000","8123:8123"]
+    healthcheck:
+      test: ["CMD","clickhouse-client","--query","SELECT 1"]
+      interval: 5s
+      timeout: 3s
+      retries: 30
+    networks: [ja4net]
+
+  platform:
+    build:
+      context: ../../..
+      dockerfile: tests/integration/hitch-varnish/platform/Dockerfile
+      args:
+        BASE_IMAGE: ${PLATFORM_BASE_IMAGE:-rockylinux:9}
+    hostname: platform
+    cap_add: [NET_ADMIN, BPF, SYS_PTRACE]
+    privileged: true
+    environment:
+      JA4EBPF_CH_ADDR: "clickhouse:9000"
+    depends_on:
+      clickhouse:
+        condition: service_healthy
+    ports: ["443:443","80:80"]
+    healthcheck:
+      # Hitch n'expose pas de port HTTP directement.
+      # On passe par HTTPS (hitch → varnish → backend).
+      test: ["CMD","curl","-sfk","https://localhost/health"]
+      interval: 5s
+      timeout: 3s
+      retries: 30
+    networks: [ja4net]
+
+  traffic-gen:
+    build:
+      context: ../traffic-gen
+    hostname: traffic-gen
+    depends_on:
+      platform:
+        condition: service_healthy
+    networks: [ja4net]
+
+networks:
+  ja4net:
+    driver: bridge