code_public/ja4-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ja4ebpf): split bpf2go generate into Ja4Tc + Ja4Ssl, fix RPM systemd-rpm-macros

Browse Source 
- Use two separate //go:generate directives (Ja4Tc for tc_capture.c, Ja4Ssl
  for uprobe_ssl.c) to avoid duplicate LICENSE symbol and multi-file clang issue
- Update loader.go to hold tcObjs/sslObjs separately with correct field names:
  UprobeSslSetFd, UprobeSslReadEntry, UretprobeSslReadExit,
  KprobeAccept4Entry, KretprobeAccept4Exit
- Add systemd-rpm-macros to all three RPM build stages (el8/el9/el10)
  so that %{_unitdir} macro resolves correctly
- RPMs now build successfully for el8, el9, el10

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
toto
2026-04-11 23:21:11 +02:00
parent a1e4c1dad5
commit 3b047b680a
155 changed files with 197011 additions and 599 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
tests/integration/hitch-varnish/platform/ja4ebpf.yml Normal file
View File

@ -0,0 +1,41 @@
# Configuration ja4ebpf — stack hitch + varnish
#
# Architecture TLS : hitch est le seul processus qui fait SSL_read.
# Il lie libssl.so.3 dynamiquement (package openssl sur Rocky Linux 9).
# ja4ebpf attache son uprobe sur libssl.so.3 pour capturer les données
# déchiffrées que hitch transmet à Varnish via PROXY protocol.
#
# Différence clé vs nginx :
# - Le processus qui appelle SSL_read est /usr/sbin/hitch (pas nginx)
# - Le PROXY protocol header est dans le flux cleartext hitch→varnish,
# pas dans les données capturées par SSL_read
# - src_ip est récupérée via le hook TC (TCP SYN du client vers hitch:443)
interface: eth0
ssl_probes:
# hitch lie libssl.so.3 de Rocky Linux 9.
# On peut aussi essayer directement le binaire hitch si OpenSSL est statique.
- executable: /usr/lib64/libssl.so.3
symbol: SSL_read
# Fallback : hitch peut lier une version différente selon le packaging
- executable: /usr/sbin/hitch
symbol: SSL_read
clickhouse:
addr: "clickhouse:9000"
database: "ja4_logs"
table: "http_logs_raw"
username: "default"
password: ""
tls: false
batch_size: 100
flush_every: "1s"
timeouts:
session_expiry: "500ms"
slowloris: "10s"
log:
level: "info"
format: "json"