code_public/ja4-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: tests intégration matrix — procps-ng, varnish h2, hitch ALPN, pgrep→ps

Browse Source 
- Ajout de procps-ng dans les 4 Dockerfiles runtime (ps/pgrep disponibles)
- Remplacement de pgrep par ps -C dans tous les run-tests.sh
- Correction entrypoint nginx-varnish : pgrep nginx → cat nginx.pid (exit 127)
- Activation HTTP/2 dans Varnish : ajout de -p feature=+http2 dans les
  entrypoints nginx-varnish et hitch-varnish
- Restauration ALPN h2,http/1.1 dans hitch.conf (varnish supporte maintenant h2)
- Correction healthcheck hitch-varnish : curl sans --http1.1 (h2 fonctionnel)
- Correction requêtes phase_verify : http_logs_raw → http_logs, colonnes correctes
- Correction writer clickhouse.go : noms JSON alignés avec la MV (ip_meta_*, tls_sni…)
- Fix toStartOfSecond(DateTime) → toStartOfSecond(toDateTime64(col, 3))
- Retrait du SKIP el8/nginx-varnish (varnish s'installe bien sur AlmaLinux 8)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
toto
2026-04-12 01:29:01 +02:00
parent 3b047b680a
commit dc6ffd6474
25 changed files with 431 additions and 345 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
tests/integration/apache/platform/Dockerfile
View File

@ -10,10 +10,25 @@
# Le hook TC ingress capture TCP SYN + TLS ClientHello sur eth0.
# =============================================================================
# ── Stage 1 : build ja4ebpf ──────────────────────────────────────────────────
FROM golang:1.24-bookworm AS go-builder
# ARG global : doit être déclaré avant tous les FROM
ARG BASE_IMAGE=rockylinux:9
RUN apt-get update && apt-get install -y clang llvm libbpf-dev && rm -rf /var/lib/apt/lists/*
# ── Stage 1 : build ja4ebpf (Rocky Linux, même toolchain que la prod) ─────────
FROM rockylinux:9 AS go-builder
# libbpf-devel est dans le dépôt CRB (CodeReady Builder) de Rocky Linux 9
RUN dnf install -y epel-release dnf-plugins-core && \
dnf config-manager --enable crb && \
dnf install -y \
golang \
clang \
llvm \
libbpf-devel \
kernel-headers \
bpftool \
make \
&& \
dnf clean all
WORKDIR /build
COPY go.work go.work.sum* ./
@ -30,11 +45,10 @@ RUN GOWORK=off go generate ./internal/loader/ && \
go build -ldflags="-s -w" -o /out/ja4ebpf ./cmd/ja4ebpf/
# ── Stage 2 : runtime Apache HTTPD + ja4ebpf ─────────────────────────────────
ARG BASE_IMAGE=rockylinux:9
FROM ${BASE_IMAGE}
RUN dnf install -y epel-release 2>/dev/null; \
dnf install -y httpd mod_ssl mod_http2 openssl curl && \
dnf install -y --allowerasing procps-ng httpd mod_ssl mod_http2 openssl curl && \
dnf clean all
COPY --from=go-builder /out/ja4ebpf /usr/local/bin/ja4ebpf

9
tests/integration/apache/platform/entrypoint.sh
View File

@ -13,13 +13,16 @@ fi
# Créer les répertoires de run nécessaires
mkdir -p /run/httpd /var/log/httpd
# Démarrer ja4ebpf en arrière-plan
# Démarrer ja4ebpf en arrière-plan (optionnel : ne bloque pas le démarrage)
/usr/local/bin/ja4ebpf -config /etc/ja4ebpf/config.yml &
JA4_PID=$!
echo "[entrypoint] ja4ebpf démarré (PID $JA4_PID)"
# Attendre que ja4ebpf charge ses programmes eBPF
sleep 2
# Laisser 3s pour détecter un échec immédiat (ex: verifier eBPF)
sleep 3
if ! kill -0 "$JA4_PID" 2>/dev/null; then
echo "[entrypoint] ⚠ ja4ebpf s'est arrêté immédiatement — mode dégradé (Apache seul)"
fi
# Démarrer Apache HTTPD en foreground
echo "[entrypoint] Démarrage d'Apache HTTPD..."

26
tests/integration/apache/platform/ja4ebpf.yml
View File

@ -1,22 +1,16 @@
# Configuration ja4ebpf — stack Apache
# Fichier monté dans /etc/ja4ebpf/config.yml
interface: eth0
# Cibles uprobe : httpd lie OpenSSL via libssl.so.
# Sur RHEL/Rocky, le binaire est /usr/sbin/httpd.
targets:
- binary: /usr/sbin/httpd
- binary: /usr/lib64/httpd/modules/mod_ssl.so
ssl_lib_path: "/usr/lib64/libssl.so.3"
clickhouse:
addr: "${JA4EBPF_CH_ADDR:-clickhouse:9000}"
database: ja4_logs
table: http_logs_raw
batch_size: 200
flush_interval_ms: 500
dsn: "clickhouse://default:@clickhouse:9000/ja4_logs"
batch_size: 100
flush_secs: 1
session:
correlation:
timeout_ms: 500
slowloris_timeout_s: 10
gc_interval_ms: 100
slowloris_ms: 10000
log:
level: "info"
format: "json"

14
tests/integration/apache/run-tests.sh
View File

@ -49,7 +49,7 @@ stack_verify_extra() {
# Vérifie que ja4ebpf tourne
local ja4_pid
ja4_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
pgrep -x ja4ebpf 2>/dev/null | head -1 || echo "")
ps -C ja4ebpf -o pid= 2>/dev/null | head -1 || echo "")
if [ -n "$ja4_pid" ]; then
pass "Processus ja4ebpf actif (PID $ja4_pid)"
else
@ -59,7 +59,7 @@ stack_verify_extra() {
# Vérifie que httpd tourne
local httpd_count
httpd_count=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
pgrep -c httpd 2>/dev/null || echo "0")
ps -C httpd -o pid= 2>/dev/null | wc -l || echo "0")
if [ "${httpd_count:-0}" -gt 0 ] 2>/dev/null; then
pass "Apache HTTPD actif ($httpd_count processus httpd)"
else
@ -68,7 +68,7 @@ stack_verify_extra() {
# Vérifie les données L7 capturées via uprobe httpd
local l7_count
l7_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE method != ''")
l7_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs WHERE method != ''" || echo "0")
if [ "${l7_count:-0}" -gt 0 ] 2>/dev/null; then
pass "L7 capturé via uprobe httpd : $l7_count requêtes HTTP"
else
@ -78,16 +78,16 @@ stack_verify_extra() {
# Vérifie JA4 fingerprint
local ja4_sample
ja4_sample=$(ch_query "SELECT ja4 FROM ja4_logs.http_logs_raw WHERE ja4 != '' LIMIT 1" 2>/dev/null || echo "")
ja4_sample=$(ch_query "SELECT ja4 FROM ja4_logs.http_logs WHERE ja4 != '' LIMIT 1" || echo "")
if [ -n "$ja4_sample" ]; then
pass "JA4 fingerprint capturé : $ja4_sample"
else
warn "JA4 fingerprint vide — TC ingress hook peut-être non fonctionnel"
fi
# Vérifie le SNI capturé
# Vérifie le SNI capturé (colonne tls_sni dans http_logs)
local sni_count
sni_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE sni != ''")
sni_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs WHERE tls_sni != ''" || echo "0")
if [ "${sni_count:-0}" -gt 0 ] 2>/dev/null; then
pass "SNI capturé dans $sni_count enregistrements"
else
@ -96,7 +96,7 @@ stack_verify_extra() {
# Vérifie HTTP port 80 (trafic en clair — kprobe tcp_recvmsg)
local plain_count
plain_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE correlated = 0 AND method != ''" 2>/dev/null || echo "0")
plain_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs WHERE correlated = 0 AND method != ''" || echo "0")
if [ "${plain_count:-0}" -gt 0 ] 2>/dev/null; then
pass "HTTP en clair capturé : $plain_count requêtes (kprobe tcp_recvmsg)"
else

2
tests/integration/hitch-varnish/docker-compose.yml
View File

@ -69,7 +69,7 @@ services:
ports: ["443:443","80:80"]
healthcheck:
# Hitch n'expose pas de port HTTP directement.
# On passe par HTTPS (hitch → varnish → backend).
# On passe par HTTPS (hitch → varnish → backend). Varnish supporte h2 via -p feature=+http2.
test: ["CMD","curl","-sfk","https://localhost/health"]
interval: 5s
timeout: 3s

25
tests/integration/hitch-varnish/platform/Dockerfile
View File

@ -3,9 +3,24 @@
# hitch (TLS, PROXY protocol) → Varnish (HTTP cache) → backend HTTP
# =============================================================================
FROM golang:1.24-bookworm AS go-builder
ARG BASE_IMAGE=rockylinux:9
RUN apt-get update && apt-get install -y clang llvm libbpf-dev && rm -rf /var/lib/apt/lists/*
# ── Stage 1 : build ja4ebpf (Rocky Linux, même toolchain que la prod) ─────────
FROM rockylinux:9 AS go-builder
# libbpf-devel est dans le dépôt CRB (CodeReady Builder) de Rocky Linux 9
RUN dnf install -y epel-release dnf-plugins-core && \
dnf config-manager --enable crb && \
dnf install -y \
golang \
clang \
llvm \
libbpf-devel \
kernel-headers \
bpftool \
make \
&& \
dnf clean all
WORKDIR /build
COPY go.work go.work.sum* ./
@ -22,12 +37,11 @@ RUN GOWORK=off go generate ./internal/loader/ && \
go build -ldflags="-s -w" -o /out/ja4ebpf ./cmd/ja4ebpf/
# ── Runtime : hitch + varnish + backend + ja4ebpf ────────────────────────────
ARG BASE_IMAGE=rockylinux:9
FROM ${BASE_IMAGE}
# hitch est dans EPEL ; varnish dans le dépôt officiel Rocky
RUN dnf install -y epel-release && \
dnf install -y hitch varnish openssl curl python3 && \
dnf install -y --allowerasing procps-ng hitch varnish openssl curl python3 && \
dnf clean all
COPY --from=go-builder /out/ja4ebpf /usr/local/bin/ja4ebpf
@ -40,7 +54,8 @@ RUN openssl req -x509 -nodes -days 365 \
-out /tmp/hitch.crt && \
# hitch attend un fichier PEM concaténé (clé + certificat)
cat /tmp/hitch.key /tmp/hitch.crt > /etc/hitch/hitch.pem && \
chmod 600 /etc/hitch/hitch.pem && \
# lisible par nobody (user hitch worker)
chmod 644 /etc/hitch/hitch.pem && \
mkdir -p /var/www/html /run/varnish && \
echo '{"status":"ok","stack":"hitch-varnish"}' > /var/www/html/health

15
tests/integration/hitch-varnish/platform/entrypoint.sh
View File

@ -57,6 +57,7 @@ varnishd \
-F \
-f /etc/varnish/default.vcl \
-a "127.0.0.1:6081,PROXY" \
-p feature=+http2 \
-s malloc,64m \
-T 127.0.0.1:6082 &
VARNISH_PID=$!
@ -107,14 +108,26 @@ JA4EBPF_PID=$!
log "Stack complète — backend=$BACKEND_PID varnish=$VARNISH_PID hitch=$HITCH_PID ja4ebpf=$JA4EBPF_PID"
# Laisser 3s pour détecter un échec immédiat de ja4ebpf
sleep 3
if ! kill -0 "$JA4EBPF_PID" 2>/dev/null; then
log "⚠ ja4ebpf s'est arrêté immédiatement — mode dégradé (web server seul)"
JA4EBPF_PID=""
fi
# ── 5. Supervision ────────────────────────────────────────────────────────────
while true; do
for pid_var in BACKEND_PID VARNISH_PID HITCH_PID JA4EBPF_PID; do
for pid_var in BACKEND_PID VARNISH_PID HITCH_PID; do
pid="${!pid_var}"
if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then
log "$pid_var (PID $pid) s'est arrêté — fin"
exit 1
fi
done
# ja4ebpf est optionnel : loguer si arrêté mais ne pas quitter
if [ -n "$JA4EBPF_PID" ] && ! kill -0 "$JA4EBPF_PID" 2>/dev/null; then
log "⚠ ja4ebpf s'est arrêté — web server continue sans collecte eBPF"
JA4EBPF_PID=""
fi
sleep 2
done

5
tests/integration/hitch-varnish/platform/hitch.conf
View File

@ -21,12 +21,15 @@ tls-protos = TLSv1.2 TLSv1.3
# Suites de chiffrement variées pour générer des JA4 distincts
ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"
# ALPN : activer h2 pour HTTP/2 (si Varnish supporte)
# ALPN : h2 et http/1.1 — varnish supporte h2 via -p feature=+http2
alpn-protos = "h2,http/1.1"
# Nombre de workers (= nombre de cœurs pour les tests)
workers = 2
# Utilisateur non-root pour les workers (hitch refuse root depuis 1.5.x)
user = "nobody"
# Répertoire de travail
daemon = off
log-level = 1

38
tests/integration/hitch-varnish/platform/ja4ebpf.yml
View File

@ -1,40 +1,16 @@
# Configuration ja4ebpf — stack hitch + varnish
#
# Architecture TLS : hitch est le seul processus qui fait SSL_read.
# Il lie libssl.so.3 dynamiquement (package openssl sur Rocky Linux 9).
# ja4ebpf attache son uprobe sur libssl.so.3 pour capturer les données
# déchiffrées que hitch transmet à Varnish via PROXY protocol.
#
# Différence clé vs nginx :
# - Le processus qui appelle SSL_read est /usr/sbin/hitch (pas nginx)
# - Le PROXY protocol header est dans le flux cleartext hitch→varnish,
# pas dans les données capturées par SSL_read
# - src_ip est récupérée via le hook TC (TCP SYN du client vers hitch:443)
# hitch est le seul processus qui appelle SSL_read (terminaison TLS).
interface: eth0
ssl_probes:
# hitch lie libssl.so.3 de Rocky Linux 9.
# On peut aussi essayer directement le binaire hitch si OpenSSL est statique.
- executable: /usr/lib64/libssl.so.3
symbol: SSL_read
# Fallback : hitch peut lier une version différente selon le packaging
- executable: /usr/sbin/hitch
symbol: SSL_read
ssl_lib_path: "/usr/lib64/libssl.so.3"
clickhouse:
addr: "clickhouse:9000"
database: "ja4_logs"
table: "http_logs_raw"
username: "default"
password: ""
tls: false
dsn: "clickhouse://default:@clickhouse:9000/ja4_logs"
batch_size: 100
flush_every: "1s"
flush_secs: 1
timeouts:
session_expiry: "500ms"
slowloris: "10s"
correlation:
timeout_ms: 500
slowloris_ms: 10000
log:
level: "info"

20
tests/integration/hitch-varnish/run-tests.sh
View File

@ -23,21 +23,21 @@ stack_verify_extra() {
# Vérifie que hitch est bien en cours d'exécution
local hitch_pid
hitch_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
pgrep -x hitch 2>/dev/null | head -1 || echo "")
ps -C hitch -o pid= 2>/dev/null | head -1 || echo "")
[ -n "$hitch_pid" ] && pass "Processus hitch actif (PID $hitch_pid)" \
|| fail "Processus hitch introuvable"
# Vérifie Varnish
local varnish_pid
varnish_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
pgrep -x varnishd 2>/dev/null | head -1 || echo "")
ps -C varnishd -o pid= 2>/dev/null | head -1 || echo "")
[ -n "$varnish_pid" ] && pass "Processus varnishd actif (PID $varnish_pid)" \
|| fail "Processus varnishd introuvable"
# Vérifie que ja4ebpf tourne
local ja4_pid
ja4_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
pgrep -x ja4ebpf 2>/dev/null | head -1 || echo "")
ps -C ja4ebpf -o pid= 2>/dev/null | head -1 || echo "")
[ -n "$ja4_pid" ] && pass "ja4ebpf actif (PID $ja4_pid)" \
|| fail "ja4ebpf introuvable"
@ -61,21 +61,20 @@ stack_verify_extra() {
warn "X-Client-IP absent — PROXY protocol peut-être désactivé dans Varnish"
fi
# Vérifie ALPN h2 côté hitch (hitch supporte HTTP/2 via ALPN)
# Vérifie ALPN h2 côté hitch (varnish supporte h2 via -p feature=+http2)
local http_ver
http_ver=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
curl -sk --http2 -w "%{http_version}" -o /dev/null https://localhost/ 2>/dev/null || echo "")
if [ "$http_ver" = "2" ]; then
pass "HTTP/2 ALPN négocié par hitch (h2)"
pass "HTTP/2 ALPN négocié par hitch→Varnish (h2)"
else
warn "HTTP/2 non négocié (version: '$http_ver') — ALPN hitch peut nécessiter Varnish ≥ 6.0"
warn "HTTP/2 non négocié (version: '$http_ver') — vérifier -p feature=+http2"
fi
# Vérification clé : dans la stack hitch+varnish, les uprobes sont sur hitch.
# ja4ebpf doit avoir capturé des requêtes depuis le processus hitch.
# On vérifie que des lignes avec method != '' existent (uprobe SSL_read actif).
local l7_from_hitch
l7_from_hitch=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE method != ''")
l7_from_hitch=$(ch_query "SELECT count() FROM ja4_logs.http_logs WHERE method != ''" || echo "0")
if [ "${l7_from_hitch:-0}" -gt 0 ] 2>/dev/null; then
pass "L7 capturé via uprobe hitch : $l7_from_hitch requêtes HTTP"
else
@ -85,12 +84,9 @@ stack_verify_extra() {
fi
# Vérifie que le fingerprint JA4 est cohérent avec la config TLS de hitch
# (TLSv1.2 + TLSv1.3, suites ECDHE, ALPN h2+http/1.1)
local ja4_sample
ja4_sample=$(ch_query "SELECT ja4 FROM ja4_logs.http_logs_raw WHERE ja4 != '' LIMIT 1" 2>/dev/null || echo "")
ja4_sample=$(ch_query "SELECT ja4 FROM ja4_logs.http_logs WHERE ja4 != '' LIMIT 1" || echo "")
if [ -n "$ja4_sample" ]; then
# JA4 format : t{ver}{sni}{cc}{ec}_{hash}_{hash}
# Avec TLS 1.3 négocié via hitch → doit commencer par tt13
if echo "$ja4_sample" | grep -qE "^tt1[23]"; then
pass "JA4 cohérent avec config hitch TLS 1.2/1.3 : $ja4_sample"
else

48
tests/integration/lib/run-stack-tests.sh
View File

@ -71,7 +71,10 @@ wait_for_service() {
phase_build() {
log "========== Phase 1 : Build =========="
_dc build --parallel 2>&1 | tail -20
[ "$BUILD_ONLY" = true ] && { log "Build terminé (--build-only)."; exit 0; }
if [ "${BUILD_ONLY:-false}" = true ]; then
log "Build terminé (--build-only)."
exit 0
fi
}
# ---------------------------------------------------------------------------
@ -139,7 +142,7 @@ phase_verify() {
# 5a. Lignes brutes insérées par ja4ebpf
local raw_count
raw_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw")
raw_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw" || echo "0")
if [ "${raw_count:-0}" -gt 0 ] 2>/dev/null; then
pass "http_logs_raw : $raw_count lignes insérées par ja4ebpf"
else
@ -149,25 +152,26 @@ phase_verify() {
fi
# 5b. Fingerprints JA4 capturés (hook TC + parsing TLS ClientHello)
# Requête sur http_logs (colonnes structurées après le MV)
local ja4_count ja4_uniq
ja4_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE ja4 != ''")
ja4_uniq=$(ch_query "SELECT count(DISTINCT ja4) FROM ja4_logs.http_logs_raw WHERE ja4 != ''")
ja4_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs WHERE ja4 != ''" || echo "0")
ja4_uniq=$( ch_query "SELECT count(DISTINCT ja4) FROM ja4_logs.http_logs WHERE ja4 != ''" || echo "0")
if [ "${ja4_count:-0}" -gt 0 ] 2>/dev/null; then
pass "JA4 : $ja4_count enregistrements, $ja4_uniq fingerprints distincts"
local ja4_sample
ja4_sample=$(ch_query "SELECT ja4 FROM ja4_logs.http_logs_raw WHERE ja4 != '' LIMIT 1")
ja4_sample=$(ch_query "SELECT ja4 FROM ja4_logs.http_logs WHERE ja4 != '' LIMIT 1" || echo "")
log " Exemple JA4 : $ja4_sample"
else
warn "Aucun fingerprint JA4 (hook TC peut-être non chargé — vérifier CAP_BPF)"
fi
# 5c. Données L3/L4 (TTL, MSS, Window)
# 5c. Données L3/L4 (TTL, MSS, Window) — colonnes ip_meta_* / tcp_meta_* dans http_logs
local l34_count
l34_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE ttl > 0")
l34_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs WHERE ip_meta_ttl > 0" || echo "0")
if [ "${l34_count:-0}" -gt 0 ] 2>/dev/null; then
pass "L3/L4 : $l34_count enregistrements avec TTL (hook TC actif)"
local ttl_sample
ttl_sample=$(ch_query "SELECT ttl, mss, window_size FROM ja4_logs.http_logs_raw WHERE ttl > 0 LIMIT 1 FORMAT TabSeparated")
ttl_sample=$(ch_query "SELECT ip_meta_ttl, tcp_meta_mss, tcp_meta_window_size FROM ja4_logs.http_logs WHERE ip_meta_ttl > 0 LIMIT 1 FORMAT TabSeparated" || echo "")
log " TTL/MSS/Window sample : $ttl_sample"
else
warn "Données L3/L4 absentes (hook TC ingress non attaché)"
@ -175,8 +179,8 @@ phase_verify() {
# 5d. Requêtes HTTP capturées (uprobe SSL_read)
local http_count methods
http_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE method != ''")
methods=$(ch_query "SELECT groupArray(method) FROM (SELECT DISTINCT method FROM ja4_logs.http_logs_raw WHERE method != '' ORDER BY method)")
http_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs WHERE method != ''" || echo "0")
methods=$( ch_query "SELECT groupArray(method) FROM (SELECT DISTINCT method FROM ja4_logs.http_logs WHERE method != '' ORDER BY method)" || echo "")
if [ "${http_count:-0}" -gt 0 ] 2>/dev/null; then
pass "L7 HTTP : $http_count requêtes capturées via uprobe SSL_read"
pass "Méthodes HTTP vues : $methods"
@ -184,22 +188,22 @@ phase_verify() {
warn "Aucune requête HTTP capturée (uprobe SSL_read non attaché)"
fi
# 5e. HTTP/2 SETTINGS capturés (uprobe + parsing preface H2)
local h2_count
h2_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE h2_settings != ''")
if [ "${h2_count:-0}" -gt 0 ] 2>/dev/null; then
pass "HTTP/2 SETTINGS : $h2_count connexions H2 avec preface capturée"
local h2_sample
h2_sample=$(ch_query "SELECT h2_settings FROM ja4_logs.http_logs_raw WHERE h2_settings != '' LIMIT 1")
log " Exemple H2 SETTINGS : $h2_sample"
# 5e. TLS SNI capturés (hook TC + parsing ClientHello)
local sni_count
sni_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs WHERE tls_sni != ''" || echo "0")
if [ "${sni_count:-0}" -gt 0 ] 2>/dev/null; then
pass "TLS SNI : $sni_count enregistrements avec SNI capturé"
local sni_sample
sni_sample=$(ch_query "SELECT tls_sni FROM ja4_logs.http_logs WHERE tls_sni != '' LIMIT 1" || echo "")
log " Exemple SNI : $sni_sample"
else
warn "Pas de SETTINGS HTTP/2 (trafic h2 absent ou ALPN négociation échouée)"
warn "Aucun SNI capturé (trafic TLS sans extension SNI ou hook TC inactif)"
fi
# 5f. Corrélation L3/L4 ↔ L7 (flag correlated)
local corr_total corr_yes corr_pct
corr_total=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE method != ''")
corr_yes=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE correlated = true AND method != ''")
corr_total=$(ch_query "SELECT count() FROM ja4_logs.http_logs WHERE method != ''" || echo "0")
corr_yes=$( ch_query "SELECT count() FROM ja4_logs.http_logs WHERE correlated = 1 AND method != ''" || echo "0")
if [ "${corr_total:-0}" -gt 0 ] 2>/dev/null; then
corr_pct=$(echo "$corr_yes $corr_total" | awk '{printf "%.0f", $1*100/$2}')
if [ "${corr_pct:-0}" -ge 50 ] 2>/dev/null; then
@ -211,7 +215,7 @@ phase_verify() {
# 5g. Keep-alives (multiplexage TCP)
local ka_max
ka_max=$(ch_query "SELECT max(maxkeepalives) FROM ja4_logs.http_logs_raw")
ka_max=$(ch_query "SELECT max(keepalives) FROM ja4_logs.http_logs" || echo "0")
if [ "${ka_max:-0}" -gt 1 ] 2>/dev/null; then
pass "Keep-alives TCP : max $ka_max requêtes sur une même connexion"
else

22
tests/integration/nginx-varnish/platform/Dockerfile
View File

@ -3,9 +3,24 @@
# nginx (TLS frontend) → Varnish (HTTP cache) → backend HTTP simple
# =============================================================================
FROM golang:1.24-bookworm AS go-builder
ARG BASE_IMAGE=rockylinux:9
RUN apt-get update && apt-get install -y clang llvm libbpf-dev && rm -rf /var/lib/apt/lists/*
# ── Stage 1 : build ja4ebpf (Rocky Linux, même toolchain que la prod) ─────────
FROM rockylinux:9 AS go-builder
# libbpf-devel est dans le dépôt CRB (CodeReady Builder) de Rocky Linux 9
RUN dnf install -y epel-release dnf-plugins-core && \
dnf config-manager --enable crb && \
dnf install -y \
golang \
clang \
llvm \
libbpf-devel \
kernel-headers \
bpftool \
make \
&& \
dnf clean all
WORKDIR /build
COPY go.work go.work.sum* ./
@ -22,11 +37,10 @@ RUN GOWORK=off go generate ./internal/loader/ && \
go build -ldflags="-s -w" -o /out/ja4ebpf ./cmd/ja4ebpf/
# ── Runtime : nginx + varnish + backend + ja4ebpf ─────────────────────────────
ARG BASE_IMAGE=rockylinux:9
FROM ${BASE_IMAGE}
RUN dnf install -y epel-release && \
dnf install -y nginx varnish openssl curl python3 && \
dnf install -y --allowerasing procps-ng nginx varnish openssl curl python3 && \
dnf clean all
COPY --from=go-builder /out/ja4ebpf /usr/local/bin/ja4ebpf

17
tests/integration/nginx-varnish/platform/entrypoint.sh
View File

@ -55,6 +55,7 @@ varnishd \
-F \
-f /etc/varnish/default.vcl \
-a "0.0.0.0:6081,HTTP" \
-p feature=+http2 \
-s malloc,64m \
-T 127.0.0.1:6082 &
VARNISH_PID=$!
@ -69,7 +70,7 @@ done
# ── 3. Démarrage de nginx ─────────────────────────────────────────────────────
log "Démarrage de nginx…"
nginx
NGINX_PID=$(cat /run/nginx/nginx.pid 2>/dev/null || pgrep nginx | head -1)
NGINX_PID=$(cat /run/nginx/nginx.pid 2>/dev/null || echo "")
for i in $(seq 1 20); do
if curl -sf http://localhost/health >/dev/null 2>&1; then
@ -85,15 +86,27 @@ JA4EBPF_PID=$!
log "Stack complète — backend=$BACKEND_PID varnish=$VARNISH_PID nginx=$NGINX_PID ja4ebpf=$JA4EBPF_PID"
# Laisser 3s pour détecter un échec immédiat de ja4ebpf
sleep 3
if ! kill -0 "$JA4EBPF_PID" 2>/dev/null; then
log "⚠ ja4ebpf s'est arrêté immédiatement — mode dégradé (web server seul)"
JA4EBPF_PID=""
fi
# ── 5. Supervision ────────────────────────────────────────────────────────────
while true; do
for pid_var in BACKEND_PID VARNISH_PID JA4EBPF_PID; do
for pid_var in BACKEND_PID VARNISH_PID; do
pid="${!pid_var}"
if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then
log "$pid_var (PID $pid) s'est arrêté — fin"
exit 1
fi
done
# ja4ebpf est optionnel : loguer si arrêté mais ne pas quitter
if [ -n "$JA4EBPF_PID" ] && ! kill -0 "$JA4EBPF_PID" 2>/dev/null; then
log "⚠ ja4ebpf s'est arrêté — web server continue sans collecte eBPF"
JA4EBPF_PID=""
fi
# nginx master process via PID file
NGINX_PID=$(cat /run/nginx/nginx.pid 2>/dev/null || echo "")
if [ -z "$NGINX_PID" ] || ! kill -0 "$NGINX_PID" 2>/dev/null; then

25
tests/integration/nginx-varnish/platform/ja4ebpf.yml
View File

@ -1,29 +1,16 @@
# Configuration ja4ebpf — stack nginx + varnish
# TLS terminé par nginx → uprobe sur libssl.so.3 (liée par nginx).
# Varnish reçoit le trafic HTTP cleartext : pas de SSL_read côté varnish.
interface: eth0
ssl_probes:
# nginx lie libssl.so.3 pour la terminaison TLS.
# L'uprobe SSL_read capture les données HTTP/1.1 et HTTP/2
# déchiffrées juste avant que nginx les traite.
- executable: /usr/lib64/libssl.so.3
symbol: SSL_read
ssl_lib_path: "/usr/lib64/libssl.so.3"
clickhouse:
addr: "clickhouse:9000"
database: "ja4_logs"
table: "http_logs_raw"
username: "default"
password: ""
tls: false
dsn: "clickhouse://default:@clickhouse:9000/ja4_logs"
batch_size: 100
flush_every: "1s"
flush_secs: 1
timeouts:
session_expiry: "500ms"
slowloris: "10s"
correlation:
timeout_ms: 500
slowloris_ms: 10000
log:
level: "info"

3
tests/integration/nginx-varnish/platform/nginx.conf
View File

@ -44,8 +44,7 @@ http {
# ── Port 443 (TLS frontend → proxy Varnish) ──────────────────────────────
server {
listen 443 ssl;
http2 on;
listen 443 ssl http2;
server_name _;
ssl_certificate /etc/pki/tls/certs/nginx.crt;

8
tests/integration/nginx-varnish/run-tests.sh
View File

@ -56,14 +56,14 @@ stack_verify_extra() {
# Vérifie que ja4ebpf tourne
local ja4_pid
ja4_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
pgrep -x ja4ebpf 2>/dev/null | head -1 || echo "")
ps -C ja4ebpf -o pid= 2>/dev/null | head -1 || echo "")
[ -n "$ja4_pid" ] && pass "ja4ebpf actif (PID $ja4_pid)" \
|| fail "ja4ebpf introuvable"
# Dans cette stack, les requêtes L7 passent via Varnish :
# on vérifie que header_order_signature est capturé malgré le proxy.
# Dans cette stack, les requêtes L7 passent via Varnish.
# header_order_signature n'est pas encore capturé par ja4ebpf (uprobe SSL_read future feature)
local sig_count
sig_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE header_order_signature != ''")
sig_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs WHERE header_order_signature != ''" || echo "0")
if [ "${sig_count:-0}" -gt 0 ] 2>/dev/null; then
pass "Signature ordre en-têtes capturée : $sig_count enregistrements"
else

28
tests/integration/nginx/platform/Dockerfile
View File

@ -3,15 +3,30 @@
# Construit ja4ebpf (eBPF CO-RE) + nginx avec HTTP/2 et TLS.
#
# Multi-stage :
# ebpf-builder — compile les programmes eBPF C avec clang
# go-builder — compile ja4ebpf (go generate + go build)
# go-builder — compile ja4ebpf (go generate + go build) sur Rocky Linux
# runtime — nginx + binaire ja4ebpf sur Rocky Linux 9
# =============================================================================
# ── Stage 1 : build ja4ebpf ──────────────────────────────────────────────────
FROM golang:1.24-bookworm AS go-builder
# ARG global : doit être déclaré avant tous les FROM pour être utilisable
# dans les instructions FROM des stages suivants.
ARG BASE_IMAGE=rockylinux:9
RUN apt-get update && apt-get install -y clang llvm libbpf-dev && rm -rf /var/lib/apt/lists/*
# ── Stage 1 : build ja4ebpf (Rocky Linux, même toolchain que la prod) ─────────
FROM rockylinux:9 AS go-builder
# libbpf-devel est dans le dépôt CRB (CodeReady Builder) de Rocky Linux 9
RUN dnf install -y epel-release dnf-plugins-core && \
dnf config-manager --enable crb && \
dnf install -y \
golang \
clang \
llvm \
libbpf-devel \
kernel-headers \
bpftool \
make \
&& \
dnf clean all
WORKDIR /build
COPY go.work go.work.sum* ./
@ -28,11 +43,10 @@ RUN GOWORK=off go generate ./internal/loader/ && \
go build -ldflags="-s -w" -o /out/ja4ebpf ./cmd/ja4ebpf/
# ── Stage 2 : runtime nginx + ja4ebpf ────────────────────────────────────────
ARG BASE_IMAGE=rockylinux:9
FROM ${BASE_IMAGE}
RUN dnf install -y epel-release && \
dnf install -y nginx openssl curl && \
dnf install -y --allowerasing procps-ng nginx openssl curl && \
dnf clean all
COPY --from=go-builder /out/ja4ebpf /usr/local/bin/ja4ebpf

17
tests/integration/nginx/platform/entrypoint.sh
View File

@ -39,9 +39,16 @@ JA4EBPF_PID=$!
log "Stack démarrée — nginx PID=$NGINX_PID ja4ebpf PID=$JA4EBPF_PID"
# Laisser ja4ebpf 3s pour détecter un échec immédiat (ex: verifier eBPF)
sleep 3
if ! kill -0 "$JA4EBPF_PID" 2>/dev/null; then
log "⚠ ja4ebpf s'est arrêté immédiatement — mode dégradé (web server seul)"
JA4EBPF_PID=""
fi
# ── 3. Supervision ────────────────────────────────────────────────────────
# nginx fonctionne en daemon : surveiller le process master via le PID file.
# ja4ebpf tourne en foreground.
# ja4ebpf tourne en foreground (optionnel : ne pas quitter s'il s'arrête).
while true; do
# Vérifier que nginx est toujours en vie
if ! kill -0 "$NGINX_PID" 2>/dev/null; then
@ -51,10 +58,10 @@ while true; do
break
fi
fi
# Vérifier que ja4ebpf est toujours en vie
if ! kill -0 "$JA4EBPF_PID" 2>/dev/null; then
log "ja4ebpf s'est arrêté (code: $?) — fin de l'entrypoint"
break
# ja4ebpf est optionnel : loguer si arrêté mais ne pas quitter
if [ -n "$JA4EBPF_PID" ] && ! kill -0 "$JA4EBPF_PID" 2>/dev/null; then
log "ja4ebpf s'est arrêté — web server continue sans collecte eBPF"
JA4EBPF_PID=""
fi
sleep 2
done

25
tests/integration/nginx/platform/ja4ebpf.yml
View File

@ -1,28 +1,15 @@
# Configuration ja4ebpf — stack nginx
# ja4ebpf attache ses uprobes sur le processus nginx qui lie OpenSSL directement.
# Sur Rocky Linux 9, nginx utilise libssl.so.3 via dlopen ou liaison dynamique.
interface: eth0
ssl_probes:
# nginx lie OpenSSL : les appels SSL_read sont dans la librairie partagée.
# Le fichier réel (pas le symlink) est requis pour l'uprobe.
- executable: /usr/lib64/libssl.so.3
symbol: SSL_read
ssl_lib_path: "/usr/lib64/libssl.so.3"
clickhouse:
addr: "clickhouse:9000"
database: "ja4_logs"
table: "http_logs_raw"
username: "default"
password: ""
tls: false
dsn: "clickhouse://default:@clickhouse:9000/ja4_logs"
batch_size: 100
flush_every: "1s"
flush_secs: 1
timeouts:
session_expiry: "500ms"
slowloris: "10s"
correlation:
timeout_ms: 500
slowloris_ms: 10000
log:
level: "info"

3
tests/integration/nginx/platform/nginx.conf
View File

@ -46,8 +46,7 @@ http {
# ── Serveur HTTPS (port 443) avec HTTP/2 ──────────────────────────────
server {
listen 443 ssl;
http2 on;
listen 443 ssl http2;
server_name _;
ssl_certificate /etc/pki/tls/certs/nginx.crt;

8
tests/integration/nginx/run-tests.sh
View File

@ -50,19 +50,19 @@ stack_verify_extra() {
# Vérifie que ja4ebpf est bien en cours d'exécution
local ja4_running
ja4_running=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
pgrep -x ja4ebpf 2>/dev/null | head -1 || echo "")
ps -C ja4ebpf -o pid= 2>/dev/null | head -1 || echo "")
if [ -n "$ja4_running" ]; then
pass "Processus ja4ebpf actif (PID $ja4_running)"
else
fail "Processus ja4ebpf introuvable dans le conteneur platform"
fi
# Vérifie SNI capturé (ja4ebpf parse le ClientHello → extrait SNI)
# Vérifie SNI capturé (colonne tls_sni dans http_logs)
local sni_count
sni_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE sni != ''")
sni_count=$(ch_query "SELECT count() FROM ja4_logs.http_logs WHERE tls_sni != ''" || echo "0")
if [ "${sni_count:-0}" -gt 0 ] 2>/dev/null; then
local sni_sample
sni_sample=$(ch_query "SELECT sni FROM ja4_logs.http_logs_raw WHERE sni != '' LIMIT 1")
sni_sample=$(ch_query "SELECT tls_sni FROM ja4_logs.http_logs WHERE tls_sni != '' LIMIT 1" || echo "")
pass "SNI capturé : $sni_count enregistrements (exemple : '$sni_sample')"
else
warn "Aucun SNI capturé (trafic TLS peut-être sans extension SNI)"