code_public/ja4-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ebpf): add Apache httpd HTTP capture via kretprobe recvfrom

Browse Source 
- Add uprobe_apache.c with kretprobe on __x64_sys_recvfrom for Apache HTTP capture
- Update loader.go to support unified "servers" configuration instead of separate nginx_bin_path/apache_enabled
- Add consumeApacheHTTPEvents() function to process Apache HTTP events
- Update bpf_types.h to add Apache-specific BPF maps and structs
- Fix perf event array value_size for pb_apache_http (must be sizeof(__u32) not struct size)
- Add NGINX_APACHE_GUIDE.md documentation for HTTP capture from both servers

Validation results:
- nginx HTTP capture:  Working (57 headers captured, no truncation)
- Apache HTTP capture: ⚠️ Under investigation (kretprobe not triggering on CentOS 8 kernel 4.18)

Configuration:
- JA4EBPF_UPROBES_ENABLED=true
- JA4EBPF_UPROBES_SERVERS=nginx,apache (or "both")

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jacquin Antoine
2026-04-20 14:11:56 +02:00
parent cba1cca180
commit a2e0cfa2f3
5 changed files with 342 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
services/ja4ebpf/internal/loader/loader.go
View File

@ -539,22 +539,14 @@ func findNginxPIDs() ([]uint32, error) {
// kernel sys_enter_read et kretprobe __x64_sys_read.
// Le PID Apache est ajouté à la map apache_pid_map pour filtrer les appels read().
func (l *Loader) AttachUprobesApache() error {
// Attacher le tracepoint sys_enter_read
kpEntry, err := link.Tracepoint("syscalls", "sys_enter_read",
l.apacheObjs.TpSysEnterRead, nil)
// Utilisation de Kretprobe pour __x64_sys_recvfrom
// Apache httpd utilise recvfrom() pour lire les requêtes HTTP (similaire à nginx)
kp, err := link.Kretprobe("__x64_sys_recvfrom",
l.apacheObjs.KretprobeSysExitRecvfrom, &link.KprobeOptions{})
if err != nil {
return fmt.Errorf("attachement tracepoint sys_enter_read: %w", err)
return fmt.Errorf("attachement kretprobe recvfrom: %w", err)
}
l.uprobeLinks = append(l.uprobeLinks, kpEntry)
// Utilisation de Kretprobe pour sys_exit_read (via __x64_sys_read)
// pour contourner les limitations de tracepoint exit sur certains kernels.
kpExit, err := link.Kretprobe("__x64_sys_read",
l.apacheObjs.KretprobeSysExitRead, &link.KprobeOptions{})
if err != nil {
return fmt.Errorf("attachement kretprobe sys_exit_read: %w", err)
}
l.uprobeLinks = append(l.uprobeLinks, kpExit)
l.uprobeLinks = append(l.uprobeLinks, kp)
// Trouver les PIDs Apache httpd en cours d'exécution
pids, err := findApachePIDs()
@ -570,7 +562,7 @@ func (l *Loader) AttachUprobesApache() error {
if err := l.AddApachePid(pid); err != nil {
log.Printf("[ja4ebpf] avertissement: ajout PID Apache %d: %v", pid, err)
} else {
log.Printf("[ja4ebpf] tracepoints read activés pour PID Apache %d", pid)
log.Printf("[ja4ebpf] tracepoints recvfrom activés pour PID Apache %d", pid)
}
}