code_public/ja4-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ebpf): Apache HTTP capture implementation (WIP on Rocky 10)

Browse Source 
- Implemented Apache HTTP capture using recvfrom syscall (model identical to nginx)
- Added sys_enter_recvfrom + kretprobe __x64_sys_recvfrom approach
- Renamed Apache BPF maps (apache_http_pid_map, apache_http_recv_args_map) to avoid conflicts with nginx
- Added support for recvfrom and recvmsg syscalls (recvmsg support incomplete)

Test results:
- Rocky 9 (kernel 5.14): nginx HTTP capture works perfectly with full headers
- Rocky 10 (kernel 6.12): Apache HTTP capture NOT working (headers=0)
- CentOS 8 (kernel 4.18): Apache HTTP capture NOT working (headers=0)

Root cause: Apache event MPM uses async epoll model that doesn't trigger
recvfrom syscalls the same way as nginx. Further investigation needed
for Apache-specific capture methods.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jacquin Antoine
2026-04-20 18:22:10 +02:00
parent 8d817414b3
commit 4d30d9a7cb
2 changed files with 71 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
services/ja4ebpf/internal/loader/loader.go
View File

@ -539,14 +539,21 @@ func findNginxPIDs() ([]uint32, error) {
// kernel sys_enter_read et kretprobe __x64_sys_read.
// Le PID Apache est ajouté à la map apache_pid_map pour filtrer les appels read().
func (l *Loader) AttachUprobesApache() error {
// Utilisation de Kretprobe pour __x64_sys_recvfrom (identique à nginx)
// Apache httpd utilise recvfrom() pour lire les requêtes HTTP
kp, err := link.Kretprobe("__x64_sys_recvfrom",
// Identique à nginx : sys_enter_recvfrom + kretprobe __x64_sys_recvfrom
kpEnter, err := link.Tracepoint("syscalls", "sys_enter_recvfrom",
l.apacheObjs.TpSysEnterRecvfrom, nil)
if err != nil {
return fmt.Errorf("attachement tracepoint sys_enter_recvfrom: %w", err)
}
l.uprobeLinks = append(l.uprobeLinks, kpEnter)
kpExit, err := link.Kretprobe("__x64_sys_recvfrom",
l.apacheObjs.KretprobeSysExitRecvfrom, &link.KprobeOptions{})
if err != nil {
return fmt.Errorf("attachement kretprobe recvfrom: %w", err)
return fmt.Errorf("attachement kretprobe __x64_sys_recvfrom: %w", err)
}
l.uprobeLinks = append(l.uprobeLinks, kp)
l.uprobeLinks = append(l.uprobeLinks, kpExit)
// Trouver les PIDs Apache httpd en cours d'exécution
pids, err := findApachePIDs()