fluent-plugin-secure-forward 0.3.4 → 0.3.5pre1
- checksums.yaml +4 -4
- data/README.md +16 -16
- data/fluent-plugin-secure-forward.gemspec +2 -2
- data/lib/fluent/plugin/input_session.rb +4 -3
- data/lib/fluent/plugin/out_secure_forward.rb +9 -3
- data/lib/fluent/plugin/output_node.rb +24 -2
- metadata +6 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: dbd0f5d3a80da4fb3d6c86664b6a339c2dd9ab69
|
4
|
+
data.tar.gz: fcd62fa11d69cdab0eedb7a58f1a7ee904fef8cb
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 4ed7cc4556ddce8d742829d068034af94aac9af3c56be50284117dec93136a43ffff9ae00766621b8cf7433b22922ab05392a2ce2891f97d1567ae21487995db
|
7
|
+
data.tar.gz: ca8470d87dc2ea67be427cd37a9e56ccc5be643c72560d59bf8145de29d0dd7752c110740095b66aaf53961c6a0bc5c51848d3afc6473fada90395d7e4d96746
|
data/README.md
CHANGED
@@ -33,7 +33,7 @@ To communicate over SSL with valid certificate issued from public CA, configure
|
|
33
33
|
|
34
34
|
```apache
|
35
35
|
<source>
|
36
|
-
type secure_forward
|
36
|
+
@type secure_forward
|
37
37
|
|
38
38
|
# bind 0.0.0.0 # default
|
39
39
|
# port 24284 # default
|
@@ -55,7 +55,7 @@ For output plugin, specify just 2 options below:
|
|
55
55
|
|
56
56
|
```apache
|
57
57
|
<match secret.data.**>
|
58
|
-
type secure_forward
|
58
|
+
@type secure_forward
|
59
59
|
|
60
60
|
self_hostname client.fqdn.local
|
61
61
|
shared_key secret_string
|
@@ -87,7 +87,7 @@ And then, configure Fluentd with these files and the passphrase. With this confi
|
|
87
87
|
|
88
88
|
```apache
|
89
89
|
<source>
|
90
|
-
type secure_forward
|
90
|
+
@type secure_forward
|
91
91
|
|
92
92
|
# bind 0.0.0.0 # default
|
93
93
|
# port 24284 # default
|
@@ -109,7 +109,7 @@ For output plugin, specify just 2 options below:
|
|
109
109
|
|
110
110
|
```apache
|
111
111
|
<match secret.data.**>
|
112
|
-
type secure_forward
|
112
|
+
@type secure_forward
|
113
113
|
|
114
114
|
self_hostname myclient.local
|
115
115
|
shared_key secret_string
|
@@ -137,7 +137,7 @@ For just testing or data center internal communications, this plugin has a featu
|
|
137
137
|
|
138
138
|
```apache
|
139
139
|
<source>
|
140
|
-
type secure_forward
|
140
|
+
@type secure_forward
|
141
141
|
|
142
142
|
self_hostname myserver.local
|
143
143
|
shared_key secret_string
|
@@ -150,7 +150,7 @@ Configure output plugin just same way:
|
|
150
150
|
|
151
151
|
```apache
|
152
152
|
<match data.**>
|
153
|
-
type secure_forward
|
153
|
+
@type secure_forward
|
154
154
|
|
155
155
|
self_hostname myclient.local
|
156
156
|
shared_key secret_string
|
@@ -187,7 +187,7 @@ Minimal configurations like below:
|
|
187
187
|
|
188
188
|
```apache
|
189
189
|
<source>
|
190
|
-
type secure_forward
|
190
|
+
@type secure_forward
|
191
191
|
shared_key secret_string
|
192
192
|
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
|
193
193
|
|
@@ -200,7 +200,7 @@ To check username/password from clients, like this:
|
|
200
200
|
|
201
201
|
```apache
|
202
202
|
<source>
|
203
|
-
type secure_forward
|
203
|
+
@type secure_forward
|
204
204
|
shared_key secret_string
|
205
205
|
self_hostname server.fqdn.local
|
206
206
|
|
@@ -223,7 +223,7 @@ To deny unknown source IP/hosts:
|
|
223
223
|
|
224
224
|
```apache
|
225
225
|
<source>
|
226
|
-
type secure_forward
|
226
|
+
@type secure_forward
|
227
227
|
shared_key secret_string
|
228
228
|
self_hostname server.fqdn.local
|
229
229
|
|
@@ -248,7 +248,7 @@ You can use both of username/password check and client check:
|
|
248
248
|
|
249
249
|
```apache
|
250
250
|
<source>
|
251
|
-
type secure_forward
|
251
|
+
@type secure_forward
|
252
252
|
shared_key secret_string
|
253
253
|
self_hostname server.fqdn.local
|
254
254
|
|
@@ -290,7 +290,7 @@ Minimal configurations like this:
|
|
290
290
|
|
291
291
|
```apache
|
292
292
|
<match secret.data.**>
|
293
|
-
type secure_forward
|
293
|
+
@type secure_forward
|
294
294
|
shared_key secret_string
|
295
295
|
self_hostname client.fqdn.local
|
296
296
|
|
@@ -308,7 +308,7 @@ Without hostname ACL (and it's not implemented yet), `self_hostname` is not chec
|
|
308
308
|
|
309
309
|
```apache
|
310
310
|
<match secret.data.**>
|
311
|
-
type secure_forward
|
311
|
+
@type secure_forward
|
312
312
|
shared_key secret_string
|
313
313
|
self_hostname ${hostname}
|
314
314
|
|
@@ -328,7 +328,7 @@ If server requires username/password, set `username` and `password` in `<server>
|
|
328
328
|
|
329
329
|
```apache
|
330
330
|
<match secret.data.**>
|
331
|
-
type secure_forward
|
331
|
+
@type secure_forward
|
332
332
|
shared_key secret_string
|
333
333
|
self_hostname client.fqdn.local
|
334
334
|
|
@@ -363,7 +363,7 @@ To specify keepalive timeouts, use `keepalive` configuration with seconds. SSL c
|
|
363
363
|
|
364
364
|
```apache
|
365
365
|
<match secret.data.**>
|
366
|
-
type secure_forward
|
366
|
+
@type secure_forward
|
367
367
|
shared_key secret_string
|
368
368
|
self_hostname client.fqdn.local
|
369
369
|
|
@@ -383,7 +383,7 @@ If you connect via Proxy,
|
|
383
383
|
set for `proxy_uri` in `<server>` section:
|
384
384
|
```apache
|
385
385
|
<match secret.data.**>
|
386
|
-
type secure_forward
|
386
|
+
@type secure_forward
|
387
387
|
shared_key secret_string
|
388
388
|
self_hostname client.fqdn.local
|
389
389
|
|
@@ -398,7 +398,7 @@ set for `proxy_uri` in `<server>` section:
|
|
398
398
|
</match>
|
399
399
|
```
|
400
400
|
|
401
|
-
##
|
401
|
+
## Scenario (developer document)
|
402
402
|
|
403
403
|
* server
|
404
404
|
* in\_secure\_forward
|
@@ -1,13 +1,13 @@
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
2
2
|
Gem::Specification.new do |gem|
|
3
3
|
gem.name = "fluent-plugin-secure-forward"
|
4
|
-
gem.version = "0.3.
|
4
|
+
gem.version = "0.3.5pre1"
|
5
5
|
gem.authors = ["TAGOMORI Satoshi"]
|
6
6
|
gem.email = ["tagomoris@gmail.com"]
|
7
7
|
gem.summary = %q{Fluentd input/output plugin to forward over SSL with authentications}
|
8
8
|
gem.description = %q{Message forwarding over SSL with authentication}
|
9
9
|
gem.homepage = "https://github.com/tagomoris/fluent-plugin-secure-forward"
|
10
|
-
gem.license = "
|
10
|
+
gem.license = "Apache-2.0"
|
11
11
|
|
12
12
|
gem.files = `git ls-files`.split($\)
|
13
13
|
gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
|
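--- a/data/lib/fluent/plugin/input_session.rb
+++ b/data/lib/fluent/plugin/input_session.rb
@@ -196,22 +196,23 @@ class Fluent::SecureForwardInput::Session
 rescue Errno::ECONNRESET => e
 # disconnected from client
 rescue => e
-log.warn "unexpected error in in_secure_forward", error_class: e.class, error: e
+log.warn "unexpected error in in_secure_forward from #{host}:#{port}", error_class: e.class, error: e
 ensure
+log.debug "Shutting down #{host}:#{port}"
 self.shutdown
 end
 
 def shutdown
 @state = :closed
+log.debug "Shutdown called"
+@socket.close
 if @thread == Thread.current
-@socket.close
 @thread.kill
 else
 if @thread
 @thread.kill
 @thread.join
 end
-@socket.close
 end
 rescue => e
 log.debug "#{e.class}:#{e.message}"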
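Review bot: `@socket.close` now runs before `@thread.kill`/`@thread.join` in both branches of `shutdown`, and the `rescue => e` at the bottom of the method only logs at debug, so if `close` raises (for example when `shutdown` is reached twice on an already-closed stream) the session thread is never killed or joined — in 0.3.4 the `else` branch killed and joined first, so a failing close could not leave the thread alive. Guard it with `@socket.close unless @socket.closed?` (assuming `@socket` responds to `closed?` as IO and SSLSocket do), or give the close its own rescue so the thread handling still runs. Closing first is presumably intended to unblock a reader thread in the `else` branch; a one-line comment saying so would explain why the order was reversed. The two new debug messages interpolate `host`/`port` into the string while the other log calls in this hunk pass structured fields; `log.debug "shutting down session", host: host, port: port` keeps the output consistent and greppable. The method containing the `ensure` starts outside the hunk.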
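--- a/data/lib/fluent/plugin/out_secure_forward.rb
+++ b/data/lib/fluent/plugin/out_secure_forward.rb
@@ -23,10 +23,12 @@ module Fluent
 config_param :shared_key, :string, secret: true
 
 config_param :keepalive, :time, default: nil # nil/0 means disable keepalive expiration
+config_param :connection_hard_timeout, :time, default: nil # specifying 0 explicitly means not to disconnect stuck connection forever
 
 config_param :send_timeout, :time, default: 60
 # config_param :hard_timeout, :time, :default => 60
-
+
+config_param :expire_dns_cache, :time, default: 60 # 0 means disable DNS cache
 
 config_param :ca_cert_path, :string, default: nil
 
@@ -92,6 +94,10 @@ module Fluent
 log.warn "'insecure' mode has vulnerability for man-in-the-middle attacks."
 end
 
+if @keepalive && !@connection_hard_timeout
+@connection_hard_timeout = @keepalive * 1.2
+end
+
 @read_interval = @read_interval_msec / 1000.0
 @socket_interval = @socket_interval_msec / 1000.0
 
@@ -109,7 +115,7 @@ module Fluent
 @next_node = 0
 @mutex = Mutex.new
 
-@hostname_resolver = Resolve::Hostname.new(system_resolver: true)
+@hostname_resolver = Resolve::Hostname.new(system_resolver: true, ttl: @expire_dns_cache)
 
 true
 end
@@ -173,7 +179,7 @@ module Fluent
 end
 
 node = @nodes[i]
-log.debug "reconnecting to node", host: node.host, port: node.port, expire: node.expire, expired: node.expired?, detached: node.detached?
+log.debug "reconnecting to node", host: node.host, port: node.port, state: node.state, expire: node.expire, expired: node.expired?, detached: node.detached?
 
 renewed = node.dup
 renewed.start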
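Review bot: The default derivation `if @keepalive && !@connection_hard_timeout` treats `keepalive 0` — which the comment on the `keepalive` param documents as disabling keepalive — as enabled, because `0` is truthy in Ruby, so `@connection_hard_timeout` becomes `0.0`, the value the new param's own comment says means "never disconnect"; with `keepalive` unset (the default) it stays `nil`, and output_node.rb in this commit compares both values directly against `Time.now`. Changing the guard to `if @keepalive && @keepalive > 0 && !@connection_hard_timeout` and stating in the comment what `nil` means when keepalive is disabled would remove the ambiguity; the `1.2` factor also deserves a comment (presumably headroom over the keepalive interval). The README changes in this commit only rename `type` to `@type`; neither `connection_hard_timeout` nor `expire_dns_cache` (and what `ttl: 0` does to `Resolve::Hostname`) is documented there. The `configure` method these hunks belong to starts and ends outside them.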
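--- a/data/lib/fluent/plugin/output_node.rb
+++ b/data/lib/fluent/plugin/output_node.rb
@@ -32,6 +32,7 @@ class Fluent::SecureForwardOutput::Node
 @proxy_uri = conf.proxy_uri
 
 @keepalive = sender.keepalive
+@connection_hard_timeout = sender.connection_hard_timeout
 
 @authentication = nil
 
@@ -47,6 +48,7 @@ class Fluent::SecureForwardOutput::Node
 
 @shared_key_salt = generate_salt
 @state = :helo
+@mtime = Time.now
 @thread = nil
 end
 
@@ -137,6 +139,7 @@ class Fluent::SecureForwardOutput::Node
 @shared_key_nonce = opts['nonce'] || '' # make shared_key_check failed (instead of error) if protocol version mismatch exist
 @authentication = opts['auth']
 @allow_keepalive = opts['keepalive']
+@mtime = Time.now
 true
 end
 
@@ -152,6 +155,7 @@ class Fluent::SecureForwardOutput::Node
 else
 ping.push('','')
 end
+@mtime = Time.now
 ping
 end
 
@@ -177,10 +181,12 @@ class Fluent::SecureForwardOutput::Node
 return false, 'shared key mismatch'
 end
 
+@mtime = Time.now
 return true, nil
 end
 
 def send_data(data)
+@mtime = Time.now
 @sslsession.write data.to_msgpack
 end
 
@@ -200,6 +206,7 @@ class Fluent::SecureForwardOutput::Node
 return
 end
 send_data generate_ping()
+@mtime = Time.now
 @state = :pingpong
 when :pingpong
 success, reason = check_pong(data)
@@ -211,6 +218,7 @@ class Fluent::SecureForwardOutput::Node
 log.info "connection established to #{@host}" if @first_session
 @state = :established
 @expire = Time.now + @keepalive if @keepalive && @keepalive > 0
+@mtime = Time.now
 log.debug "connection established", host: @host, port: @port, expire: @expire
 end
 end
@@ -282,6 +290,7 @@ class Fluent::SecureForwardOutput::Node
 sslsession = OpenSSL::SSL::SSLSocket.new(sock, context)
 log.trace "connecting...", host: @host, address: addr, port: @port
 sslsession.connect
+@mtime = Time.now
 rescue => e
 log.warn "failed to establish SSL connection", error_class: e.class, error: e, host: @host, address: addr, port: @port
 @state = :failed
@@ -317,8 +326,11 @@ class Fluent::SecureForwardOutput::Node
 read_interval = @sender.read_interval
 socket_interval = @sender.socket_interval
 
+@mtime = Time.now
+
 loop do
 break if @detach
+break if Time.now > @mtime + @connection_hard_timeout
 
 begin
 while @sslsession.read_nonblock(read_length, buf)
@@ -327,11 +339,21 @@ class Fluent::SecureForwardOutput::Node
 next
 end
 @unpacker.feed_each(buf, &method(:on_read))
+@mtime = Time.now
 buf = ''
 end
-rescue OpenSSL::SSL::SSLError
+rescue OpenSSL::SSL::SSLError => e
 # to wait i/o restart
-
+log.trace "SSLError", error_class: e.class, error: e, mtime: @mtime, host: @host, port: @port
+if Time.now > @mtime + @connection_hard_timeout
+log.warn "connection hard timeout", mtime: @mtime, timeout: @connection_hard_timeout, host: @host, port: @port
+log.warn "aborting connection", host: @host, port: @port
+self.release!
+self.detach!
+break
+else
+sleep socket_interval
+end
 rescue SystemCallError => e
 log.warn "disconnected by Error", error_class: e.class, error: e, host: @host, port: @port
 self.release!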
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: fluent-plugin-secure-forward
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.3.
|
4
|
+
version: 0.3.5pre1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- TAGOMORI Satoshi
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2016-03-08 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: fluentd
|
@@ -140,7 +140,7 @@ files:
|
|
140
140
|
- test/plugin/test_out_secure_forward.rb
|
141
141
|
homepage: https://github.com/tagomoris/fluent-plugin-secure-forward
|
142
142
|
licenses:
|
143
|
-
-
|
143
|
+
- Apache-2.0
|
144
144
|
metadata: {}
|
145
145
|
post_install_message:
|
146
146
|
rdoc_options: []
|
@@ -153,12 +153,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
153
153
|
version: '0'
|
154
154
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
155
155
|
requirements:
|
156
|
-
- - "
|
156
|
+
- - ">"
|
157
157
|
- !ruby/object:Gem::Version
|
158
|
-
version:
|
158
|
+
version: 1.3.1
|
159
159
|
requirements: []
|
160
160
|
rubyforge_project:
|
161
|
-
rubygems_version: 2.
|
161
|
+
rubygems_version: 2.5.1
|
162
162
|
signing_key:
|
163
163
|
specification_version: 4
|
164
164
|
summary: Fluentd input/output plugin to forward over SSL with authentications
|