3b047b680a
- Use two separate //go:generate directives (Ja4Tc for tc_capture.c, Ja4Ssl
for uprobe_ssl.c) to avoid duplicate LICENSE symbol and multi-file clang issue
- Update loader.go to hold tcObjs/sslObjs separately with correct field names:
UprobeSslSetFd, UprobeSslReadEntry, UretprobeSslReadExit,
KprobeAccept4Entry, KretprobeAccept4Exit
- Add systemd-rpm-macros to all three RPM build stages (el8/el9/el10)
so that %{_unitdir} macro resolves correctly
- RPMs now build successfully for el8, el9, el10
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
103 lines
4.6 KiB
Bash
Executable File
103 lines
4.6 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# =============================================================================
|
|
# run-tests.sh — Tests d'intégration stack hitch + varnish + ja4ebpf
|
|
# =============================================================================
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
|
|
export STACK_NAME="hitch-varnish"
|
|
export COMPOSE_FILE="$SCRIPT_DIR/docker-compose.yml"
|
|
|
|
for arg in "$@"; do
|
|
case "$arg" in
|
|
--no-down) export KEEP_UP=true ;;
|
|
--build-only) export BUILD_ONLY=true ;;
|
|
esac
|
|
done
|
|
|
|
source "$SCRIPT_DIR/../lib/run-stack-tests.sh"
|
|
|
|
# ── Vérifications spécifiques hitch+varnish ───────────────────────────────────
|
|
stack_verify_extra() {
|
|
# Vérifie que hitch est bien en cours d'exécution
|
|
local hitch_pid
|
|
hitch_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
|
|
pgrep -x hitch 2>/dev/null | head -1 || echo "")
|
|
[ -n "$hitch_pid" ] && pass "Processus hitch actif (PID $hitch_pid)" \
|
|
|| fail "Processus hitch introuvable"
|
|
|
|
# Vérifie Varnish
|
|
local varnish_pid
|
|
varnish_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
|
|
pgrep -x varnishd 2>/dev/null | head -1 || echo "")
|
|
[ -n "$varnish_pid" ] && pass "Processus varnishd actif (PID $varnish_pid)" \
|
|
|| fail "Processus varnishd introuvable"
|
|
|
|
# Vérifie que ja4ebpf tourne
|
|
local ja4_pid
|
|
ja4_pid=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
|
|
pgrep -x ja4ebpf 2>/dev/null | head -1 || echo "")
|
|
[ -n "$ja4_pid" ] && pass "ja4ebpf actif (PID $ja4_pid)" \
|
|
|| fail "ja4ebpf introuvable"
|
|
|
|
# Vérifie la présence du header Via Varnish (trafic bien routé hitch→varnish)
|
|
local via_hdr
|
|
via_hdr=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
|
|
curl -skI https://localhost/ 2>/dev/null | grep -i "^Via:" | tr -d '\r' || echo "")
|
|
if echo "$via_hdr" | grep -qi "varnish"; then
|
|
pass "Header Via: varnish — trafic routé hitch→Varnish→backend"
|
|
else
|
|
warn "Header Via varnish absent ('$via_hdr')"
|
|
fi
|
|
|
|
# Vérifie X-Client-IP : doit être non-vide (Varnish récupère l'IP via PROXY protocol)
|
|
local client_ip_hdr
|
|
client_ip_hdr=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
|
|
curl -skI https://localhost/ 2>/dev/null | grep -i "^X-Client-IP:" | tr -d '\r' || echo "")
|
|
if [ -n "$client_ip_hdr" ]; then
|
|
pass "PROXY protocol actif : X-Client-IP visible ('$client_ip_hdr')"
|
|
else
|
|
warn "X-Client-IP absent — PROXY protocol peut-être désactivé dans Varnish"
|
|
fi
|
|
|
|
# Vérifie ALPN h2 côté hitch (hitch supporte HTTP/2 via ALPN)
|
|
local http_ver
|
|
http_ver=$(docker compose -f "$COMPOSE_FILE" exec -T platform \
|
|
curl -sk --http2 -w "%{http_version}" -o /dev/null https://localhost/ 2>/dev/null || echo "")
|
|
if [ "$http_ver" = "2" ]; then
|
|
pass "HTTP/2 ALPN négocié par hitch (h2)"
|
|
else
|
|
warn "HTTP/2 non négocié (version: '$http_ver') — ALPN hitch peut nécessiter Varnish ≥ 6.0"
|
|
fi
|
|
|
|
# Vérification clé : dans la stack hitch+varnish, les uprobes sont sur hitch.
|
|
# ja4ebpf doit avoir capturé des requêtes depuis le processus hitch.
|
|
# On vérifie que des lignes avec method != '' existent (uprobe SSL_read actif).
|
|
local l7_from_hitch
|
|
l7_from_hitch=$(ch_query "SELECT count() FROM ja4_logs.http_logs_raw WHERE method != ''")
|
|
if [ "${l7_from_hitch:-0}" -gt 0 ] 2>/dev/null; then
|
|
pass "L7 capturé via uprobe hitch : $l7_from_hitch requêtes HTTP"
|
|
else
|
|
warn "Aucune requête L7 — uprobe hitch/libssl peut-être non attaché"
|
|
log " Vérifier : les uprobes nécessitent que hitch soit compilé avec des symboles"
|
|
log " Debug : docker compose exec platform ja4ebpf -config /etc/ja4ebpf/config.yml --dry-run"
|
|
fi
|
|
|
|
# Vérifie que le fingerprint JA4 est cohérent avec la config TLS de hitch
|
|
# (TLSv1.2 + TLSv1.3, suites ECDHE, ALPN h2+http/1.1)
|
|
local ja4_sample
|
|
ja4_sample=$(ch_query "SELECT ja4 FROM ja4_logs.http_logs_raw WHERE ja4 != '' LIMIT 1" 2>/dev/null || echo "")
|
|
if [ -n "$ja4_sample" ]; then
|
|
# JA4 format : t{ver}{sni}{cc}{ec}_{hash}_{hash}
|
|
# Avec TLS 1.3 négocié via hitch → doit commencer par tt13
|
|
if echo "$ja4_sample" | grep -qE "^tt1[23]"; then
|
|
pass "JA4 cohérent avec config hitch TLS 1.2/1.3 : $ja4_sample"
|
|
else
|
|
warn "JA4 inattendu pour hitch TLS config : $ja4_sample"
|
|
fi
|
|
fi
|
|
}
|
|
|
|
run_all_phases
|