fluent-plugin-secure-forward 0.3.4 → 0.3.5pre1

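--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: bb950a6a82fcb71e21a56f55ec30826c5e9ddf3f
-data.tar.gz: 12df6a78237b207ed07d0eed7fca8a71f7dcb942
+metadata.gz: dbd0f5d3a80da4fb3d6c86664b6a339c2dd9ab69
+data.tar.gz: fcd62fa11d69cdab0eedb7a58f1a7ee904fef8cb
 SHA512:
-metadata.gz: 4c40796160884581c62f260fd971ef694c98c0c502383362b116ef9b02f5c4ced793dc1adfce1ecb230d38e895c638189cb3da26163befd573a56829f83e1e02
-data.tar.gz: 62da5b2c12d701c05a42b4c8b0d73d134f0054643737b590897dce6c73a04a3185a23e6a6cb2abe10cd3e45aea33679a4d7dac3748ea32399d1b9855ed969bd6
+metadata.gz: 4ed7cc4556ddce8d742829d068034af94aac9af3c56be50284117dec93136a43ffff9ae00766621b8cf7433b22922ab05392a2ce2891f97d1567ae21487995db
+data.tar.gz: ca8470d87dc2ea67be427cd37a9e56ccc5be643c72560d59bf8145de29d0dd7752c110740095b66aaf53961c6a0bc5c51848d3afc6473fada90395d7e4d96746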
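--- a/data/README.md
+++ b/data/README.md
@@ -33,7 +33,7 @@ To communicate over SSL with valid certificate issued from public CA, configure
 
 ```apache
 <source>
-type secure_forward
+@type secure_forward
 
 # bind 0.0.0.0 # default
 # port 24284 # default
@@ -55,7 +55,7 @@ For output plugin, specify just 2 options below:
 
 ```apache
 <match secret.data.**>
-type secure_forward
+@type secure_forward
 
 self_hostname client.fqdn.local
 shared_key secret_string
@@ -87,7 +87,7 @@ And then, configure Fluentd with these files and the passphrase. With this confi
 
 ```apache
 <source>
-type secure_forward
+@type secure_forward
 
 # bind 0.0.0.0 # default
 # port 24284 # default
@@ -109,7 +109,7 @@ For output plugin, specify just 2 options below:
 
 ```apache
 <match secret.data.**>
-type secure_forward
+@type secure_forward
 
 self_hostname myclient.local
 shared_key secret_string
@@ -137,7 +137,7 @@ For just testing or data center internal communications, this plugin has a featu
 
 ```apache
 <source>
-type secure_forward
+@type secure_forward
 
 self_hostname myserver.local
 shared_key secret_string
@@ -150,7 +150,7 @@ Configure output plugin just same way:
 
 ```apache
 <match data.**>
-type secure_forward
+@type secure_forward
 
 self_hostname myclient.local
 shared_key secret_string
@@ -187,7 +187,7 @@ Minimal configurations like below:
 
 ```apache
 <source>
-type secure_forward
+@type secure_forward
 shared_key secret_string
 self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
 
@@ -200,7 +200,7 @@ To check username/password from clients, like this:
 
 ```apache
 <source>
-type secure_forward
+@type secure_forward
 shared_key secret_string
 self_hostname server.fqdn.local
 
@@ -223,7 +223,7 @@ To deny unknown source IP/hosts:
 
 ```apache
 <source>
-type secure_forward
+@type secure_forward
 shared_key secret_string
 self_hostname server.fqdn.local
 
@@ -248,7 +248,7 @@ You can use both of username/password check and client check:
 
 ```apache
 <source>
-type secure_forward
+@type secure_forward
 shared_key secret_string
 self_hostname server.fqdn.local
 
@@ -290,7 +290,7 @@ Minimal configurations like this:
 
 ```apache
 <match secret.data.**>
-type secure_forward
+@type secure_forward
 shared_key secret_string
 self_hostname client.fqdn.local
 
@@ -308,7 +308,7 @@ Without hostname ACL (and it's not implemented yet), `self_hostname` is not chec
 
 ```apache
 <match secret.data.**>
-type secure_forward
+@type secure_forward
 shared_key secret_string
 self_hostname ${hostname}
 
@@ -328,7 +328,7 @@ If server requires username/password, set `username` and `password` in `<server>
 
 ```apache
 <match secret.data.**>
-type secure_forward
+@type secure_forward
 shared_key secret_string
 self_hostname client.fqdn.local
 
@@ -363,7 +363,7 @@ To specify keepalive timeouts, use `keepalive` configuration with seconds. SSL c
 
 ```apache
 <match secret.data.**>
-type secure_forward
+@type secure_forward
 shared_key secret_string
 self_hostname client.fqdn.local
 
@@ -383,7 +383,7 @@ If you connect via Proxy,
 set for `proxy_uri` in `<server>` section:
 ```apache
 <match secret.data.**>
-type secure_forward
+@type secure_forward
 shared_key secret_string
 self_hostname client.fqdn.local
 
@@ -398,7 +398,7 @@ set for `proxy_uri` in `<server>` section:
 </match>
 ```
 
-## Senario (developer document)
+## Scenario (developer document)
 
 * server
 * in\_secure\_forward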
@@ -1,13 +1,13 @@
1
1
  # -*- encoding: utf-8 -*-
2
2
  Gem::Specification.new do |gem|
3
3
  gem.name = "fluent-plugin-secure-forward"
4
- gem.version = "0.3.4"
4
+ gem.version = "0.3.5pre1"
5
5
  gem.authors = ["TAGOMORI Satoshi"]
6
6
  gem.email = ["tagomoris@gmail.com"]
7
7
  gem.summary = %q{Fluentd input/output plugin to forward over SSL with authentications}
8
8
  gem.description = %q{Message forwarding over SSL with authentication}
9
9
  gem.homepage = "https://github.com/tagomoris/fluent-plugin-secure-forward"
10
- gem.license = "APLv2"
10
+ gem.license = "Apache-2.0"
11
11
 
12
12
  gem.files = `git ls-files`.split($\)
13
13
  gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
@@ -196,22 +196,23 @@ class Fluent::SecureForwardInput::Session
196
196
  rescue Errno::ECONNRESET => e
197
197
  # disconnected from client
198
198
  rescue => e
199
- log.warn "unexpected error in in_secure_forward", error_class: e.class, error: e
199
+ log.warn "unexpected error in in_secure_forward from #{host}:#{port}", error_class: e.class, error: e
200
200
  ensure
201
+ log.debug "Shutting down #{host}:#{port}"
201
202
  self.shutdown
202
203
  end
203
204
 
204
205
  def shutdown
205
206
  @state = :closed
207
+ log.debug "Shutdown called"
208
+ @socket.close
206
209
  if @thread == Thread.current
207
- @socket.close
208
210
  @thread.kill
209
211
  else
210
212
  if @thread
211
213
  @thread.kill
212
214
  @thread.join
213
215
  end
214
- @socket.close
215
216
  end
216
217
  rescue => e
217
218
  log.debug "#{e.class}:#{e.message}"
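Review bot: In `shutdown` (hunk `@@ -196,22 +196,23 @@`) the `@socket.close` that now precedes the `@thread == Thread.current` check is covered only by the method-level `rescue => e` at the bottom, so if it raises (for instance when `@socket` was never assigned) the rescue logs at debug and the `@thread.kill`/`@thread.join` below is skipped, leaving the session thread alive. Guarding it as `@socket.close if @socket && !@socket.closed?`, or giving the close its own `begin`/`rescue`, keeps the thread teardown reachable regardless. The two new debug lines, `"Shutting down #{host}:#{port}"` in the ensure and `"Shutdown called"` at the top of `shutdown`, record the same event twice per session; keeping only the one with host/port context would do. Both the method owning the ensure and `shutdown` itself extend beyond this hunk.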
@@ -23,10 +23,12 @@ module Fluent
23
23
  config_param :shared_key, :string, secret: true
24
24
 
25
25
  config_param :keepalive, :time, default: nil # nil/0 means disable keepalive expiration
26
+ config_param :connection_hard_timeout, :time, default: nil # specifying 0 explicitly means not to disconnect stuck connection forever
26
27
 
27
28
  config_param :send_timeout, :time, default: 60
28
29
  # config_param :hard_timeout, :time, :default => 60
29
- # config_param :expire_dns_cache, :time, :default => 0 # 0 means disable cache
30
+
31
+ config_param :expire_dns_cache, :time, default: 60 # 0 means disable DNS cache
30
32
 
31
33
  config_param :ca_cert_path, :string, default: nil
32
34
 
@@ -92,6 +94,10 @@ module Fluent
92
94
  log.warn "'insecure' mode has vulnerability for man-in-the-middle attacks."
93
95
  end
94
96
 
97
+ if @keepalive && !@connection_hard_timeout
98
+ @connection_hard_timeout = @keepalive * 1.2
99
+ end
100
+
95
101
  @read_interval = @read_interval_msec / 1000.0
96
102
  @socket_interval = @socket_interval_msec / 1000.0
97
103
 
@@ -109,7 +115,7 @@ module Fluent
109
115
  @next_node = 0
110
116
  @mutex = Mutex.new
111
117
 
112
- @hostname_resolver = Resolve::Hostname.new(system_resolver: true)
118
+ @hostname_resolver = Resolve::Hostname.new(system_resolver: true, ttl: @expire_dns_cache)
113
119
 
114
120
  true
115
121
  end
@@ -173,7 +179,7 @@ module Fluent
173
179
  end
174
180
 
175
181
  node = @nodes[i]
176
- log.debug "reconnecting to node", host: node.host, port: node.port, expire: node.expire, expired: node.expired?, detached: node.detached?
182
+ log.debug "reconnecting to node", host: node.host, port: node.port, state: node.state, expire: node.expire, expired: node.expired?, detached: node.detached?
177
183
 
178
184
  renewed = node.dup
179
185
  renewed.start
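Review bot: With the defaults shown in hunk `@@ -23,10 +23,12 @@` (`keepalive` nil, `connection_hard_timeout` nil) the new block in `configure` (hunk `@@ -92,6 +94,10 @@`) leaves `@connection_hard_timeout` nil, and the Node hunks `@@ -317,8 +326,11 @@` and `@@ -327,11 +339,21 @@` then evaluate `Time.now > @mtime + @connection_hard_timeout`, which raises TypeError on the first pass of the read loop; with `keepalive 0` (documented on the param as "disable keepalive") the product is `0.0`, since 0 is truthy in Ruby, and the same comparison becomes true almost immediately and ends the loop. The comment added on `connection_hard_timeout` promises that an explicit 0 means the stuck connection is never disconnected, but nothing implements that. I would fill the default in one place, `@connection_hard_timeout ||= (@keepalive && @keepalive > 0) ? @keepalive * 1.2 : 0`, and guard both comparisons, `break if @connection_hard_timeout > 0 && Time.now > @mtime + @connection_hard_timeout`. Neither `connection_hard_timeout` nor `expire_dns_cache`, which this release turns on by default at 60s after previously being commented out, appears in the README hunks of this diff; both deserve an entry there.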
@@ -32,6 +32,7 @@ class Fluent::SecureForwardOutput::Node
32
32
  @proxy_uri = conf.proxy_uri
33
33
 
34
34
  @keepalive = sender.keepalive
35
+ @connection_hard_timeout = sender.connection_hard_timeout
35
36
 
36
37
  @authentication = nil
37
38
 
@@ -47,6 +48,7 @@ class Fluent::SecureForwardOutput::Node
47
48
 
48
49
  @shared_key_salt = generate_salt
49
50
  @state = :helo
51
+ @mtime = Time.now
50
52
  @thread = nil
51
53
  end
52
54
 
@@ -137,6 +139,7 @@ class Fluent::SecureForwardOutput::Node
137
139
  @shared_key_nonce = opts['nonce'] || '' # make shared_key_check failed (instead of error) if protocol version mismatch exist
138
140
  @authentication = opts['auth']
139
141
  @allow_keepalive = opts['keepalive']
142
+ @mtime = Time.now
140
143
  true
141
144
  end
142
145
 
@@ -152,6 +155,7 @@ class Fluent::SecureForwardOutput::Node
152
155
  else
153
156
  ping.push('','')
154
157
  end
158
+ @mtime = Time.now
155
159
  ping
156
160
  end
157
161
 
@@ -177,10 +181,12 @@ class Fluent::SecureForwardOutput::Node
177
181
  return false, 'shared key mismatch'
178
182
  end
179
183
 
184
+ @mtime = Time.now
180
185
  return true, nil
181
186
  end
182
187
 
183
188
  def send_data(data)
189
+ @mtime = Time.now
184
190
  @sslsession.write data.to_msgpack
185
191
  end
186
192
 
@@ -200,6 +206,7 @@ class Fluent::SecureForwardOutput::Node
200
206
  return
201
207
  end
202
208
  send_data generate_ping()
209
+ @mtime = Time.now
203
210
  @state = :pingpong
204
211
  when :pingpong
205
212
  success, reason = check_pong(data)
@@ -211,6 +218,7 @@ class Fluent::SecureForwardOutput::Node
211
218
  log.info "connection established to #{@host}" if @first_session
212
219
  @state = :established
213
220
  @expire = Time.now + @keepalive if @keepalive && @keepalive > 0
221
+ @mtime = Time.now
214
222
  log.debug "connection established", host: @host, port: @port, expire: @expire
215
223
  end
216
224
  end
@@ -282,6 +290,7 @@ class Fluent::SecureForwardOutput::Node
282
290
  sslsession = OpenSSL::SSL::SSLSocket.new(sock, context)
283
291
  log.trace "connecting...", host: @host, address: addr, port: @port
284
292
  sslsession.connect
293
+ @mtime = Time.now
285
294
  rescue => e
286
295
  log.warn "failed to establish SSL connection", error_class: e.class, error: e, host: @host, address: addr, port: @port
287
296
  @state = :failed
@@ -317,8 +326,11 @@ class Fluent::SecureForwardOutput::Node
317
326
  read_interval = @sender.read_interval
318
327
  socket_interval = @sender.socket_interval
319
328
 
329
+ @mtime = Time.now
330
+
320
331
  loop do
321
332
  break if @detach
333
+ break if Time.now > @mtime + @connection_hard_timeout
322
334
 
323
335
  begin
324
336
  while @sslsession.read_nonblock(read_length, buf)
@@ -327,11 +339,21 @@ class Fluent::SecureForwardOutput::Node
327
339
  next
328
340
  end
329
341
  @unpacker.feed_each(buf, &method(:on_read))
342
+ @mtime = Time.now
330
343
  buf = ''
331
344
  end
332
- rescue OpenSSL::SSL::SSLError
345
+ rescue OpenSSL::SSL::SSLError => e
333
346
  # to wait i/o restart
334
- sleep socket_interval
347
+ log.trace "SSLError", error_class: e.class, error: e, mtime: @mtime, host: @host, port: @port
348
+ if Time.now > @mtime + @connection_hard_timeout
349
+ log.warn "connection hard timeout", mtime: @mtime, timeout: @connection_hard_timeout, host: @host, port: @port
350
+ log.warn "aborting connection", host: @host, port: @port
351
+ self.release!
352
+ self.detach!
353
+ break
354
+ else
355
+ sleep socket_interval
356
+ end
335
357
  rescue SystemCallError => e
336
358
  log.warn "disconnected by Error", error_class: e.class, error: e, host: @host, port: @port
337
359
  self.release!
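Review bot: The new `break if Time.now > @mtime + @connection_hard_timeout` at the top of the read loop (hunk `@@ -317,8 +326,11 @@`) exits silently, while the same check in the `OpenSSL::SSL::SSLError` rescue of the next hunk logs a warning and calls `self.release!` and `self.detach!` before breaking; unless the code after the loop (outside this section) performs that cleanup, a hard timeout hit between reads leaves the node neither detached nor logged. A private predicate, `def hard_timeout_expired?; Time.now > @mtime + @connection_hard_timeout; end`, used by both sites with the same warn/release!/detach! sequence would keep the two paths from drifting. `@mtime = Time.now` is now written in ten places across this section; a one-line helper that stamps it would make the bookkeeping greppable, and since the stamp only feeds a duration comparison, `Process.clock_gettime(Process::CLOCK_MONOTONIC)` would make the hard timeout immune to wall-clock adjustments, although `@expire` would presumably need the same treatment for consistency.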
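--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-secure-forward
 version: !ruby/object:Gem::Version
-version: 0.3.4
+version: 0.3.5pre1
 platform: ruby
 authors:
 - TAGOMORI Satoshi
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-12-22 00:00:00.000000000 Z
+date: 2016-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: fluentd
@@ -140,7 +140,7 @@ files:
 - test/plugin/test_out_secure_forward.rb
 homepage: https://github.com/tagomoris/fluent-plugin-secure-forward
 licenses:
-- APLv2
+- Apache-2.0
 metadata: {}
 post_install_message:
 rdoc_options: []
@@ -153,12 +153,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
-- - ">="
+- - ">"
 - !ruby/object:Gem::Version
-version: '0'
+version: 1.3.1
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.5
+rubygems_version: 2.5.1
 signing_key:
 specification_version: 4
 summary: Fluentd input/output plugin to forward over SSL with authentications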