fluentd 1.9.0-x64-mingw32 → 1.9.1-x64-mingw32
- checksums.yaml +4 -4
- data/.github/PULL_REQUEST_TEMPLATE.md +2 -1
- data/CHANGELOG.md +24 -0
- data/Gemfile +0 -2
- data/appveyor.yml +5 -14
- data/fluentd.gemspec +2 -1
- data/lib/fluent/config/section.rb +4 -0
- data/lib/fluent/plugin/in_monitor_agent.rb +1 -1
- data/lib/fluent/plugin/in_tail.rb +12 -139
- data/lib/fluent/plugin/in_tail/position_file.rb +171 -0
- data/lib/fluent/plugin/out_forward.rb +3 -2
- data/lib/fluent/plugin/out_http.rb +10 -4
- data/lib/fluent/plugin/output.rb +1 -1
- data/lib/fluent/plugin/parser_syslog.rb +5 -2
- data/lib/fluent/plugin_helper/cert_option.rb +5 -2
- data/lib/fluent/plugin_helper/http_server.rb +62 -2
- data/lib/fluent/plugin_helper/http_server/compat/server.rb +14 -3
- data/lib/fluent/plugin_helper/http_server/compat/ssl_context_extractor.rb +52 -0
- data/lib/fluent/plugin_helper/http_server/server.rb +14 -8
- data/lib/fluent/plugin_helper/http_server/ssl_context_builder.rb +41 -0
- data/lib/fluent/plugin_helper/server.rb +5 -10
- data/lib/fluent/plugin_helper/socket.rb +4 -8
- data/lib/fluent/tls.rb +81 -0
- data/lib/fluent/version.rb +1 -1
- data/test/config/test_section.rb +0 -2
- data/test/plugin/in_tail/test_position_file.rb +192 -0
- data/test/plugin/test_in_tail.rb +13 -0
- data/test/plugin/test_out_http.rb +15 -2
- data/test/plugin/test_output_as_buffered_backup.rb +2 -1
- data/test/plugin/test_parser_syslog.rb +36 -0
- data/test/plugin_helper/data/cert/generate_cert.rb +87 -0
- data/test/plugin_helper/data/cert/with_ca/ca-cert-key-pass.pem +30 -0
- data/test/plugin_helper/data/cert/with_ca/ca-cert-key.pem +27 -0
- data/test/plugin_helper/data/cert/with_ca/ca-cert-pass.pem +20 -0
- data/test/plugin_helper/data/cert/with_ca/ca-cert.pem +20 -0
- data/test/plugin_helper/data/cert/with_ca/cert-key-pass.pem +30 -0
- data/test/plugin_helper/data/cert/with_ca/cert-key.pem +27 -0
- data/test/plugin_helper/data/cert/with_ca/cert-pass.pem +21 -0
- data/test/plugin_helper/data/cert/with_ca/cert.pem +21 -0
- data/test/plugin_helper/data/cert/without_ca/cert-key-pass.pem +30 -0
- data/test/plugin_helper/data/cert/without_ca/cert-key.pem +27 -0
- data/test/plugin_helper/data/cert/without_ca/cert-pass.pem +20 -0
- data/test/plugin_helper/data/cert/without_ca/cert.pem +20 -0
- data/test/plugin_helper/test_http_server_helper.rb +168 -7
- data/test/plugin_helper/test_server.rb +40 -9
- data/test/test_tls.rb +65 -0
- metadata +52 -4
@@ -17,6 +17,7 @@
|
|
17
17
|
require 'fluent/output'
|
18
18
|
require 'fluent/config/error'
|
19
19
|
require 'fluent/clock'
|
20
|
+
require 'fluent/tls'
|
20
21
|
require 'base64'
|
21
22
|
require 'forwardable'
|
22
23
|
|
@@ -89,9 +90,9 @@ module Fluent::Plugin
|
|
89
90
|
config_param :compress, :enum, list: [:text, :gzip], default: :text
|
90
91
|
|
91
92
|
desc 'The default version of TLS transport.'
|
92
|
-
config_param :tls_version, :enum, list: Fluent::
|
93
|
+
config_param :tls_version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: Fluent::TLS::DEFAULT_VERSION
|
93
94
|
desc 'The cipher configuration of TLS transport.'
|
94
|
-
config_param :tls_ciphers, :string, default: Fluent::
|
95
|
+
config_param :tls_ciphers, :string, default: Fluent::TLS::CIPHERS_DEFAULT
|
95
96
|
desc 'Skip all verification of certificates or not.'
|
96
97
|
config_param :tls_insecure_mode, :bool, default: false
|
97
98
|
desc 'Allow self signed certificates or not.'
|
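Review bot: The client side keeps a single `tls_version` knob while, in this same release, the server transport gains `min_version`/`max_version` (plugin_helper/server.rb hunk) and `socket_create_tls` accepts `min_version:`/`max_version:` keywords (plugin_helper/socket.rb hunk), so out_forward — and out_http, whose hunk has the same shape — can only pin one protocol version and cannot express a range. If these plugins obtain their sockets through `socket_create_tls`, adding `config_param :tls_min_version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: nil` and a matching `tls_max_version`, then forwarding both, would close the gap. The call site that would forward them lies outside this hunk.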
@@ -17,6 +17,7 @@
|
|
17
17
|
require 'net/http'
|
18
18
|
require 'uri'
|
19
19
|
require 'openssl'
|
20
|
+
require 'fluent/tls'
|
20
21
|
require 'fluent/plugin/output'
|
21
22
|
require 'fluent/plugin_helper/socket'
|
22
23
|
|
@@ -57,14 +58,14 @@ module Fluent::Plugin
|
|
57
58
|
desc 'The verify mode of TLS'
|
58
59
|
config_param :tls_verify_mode, :enum, list: [:none, :peer], default: :peer
|
59
60
|
desc 'The default version of TLS'
|
60
|
-
config_param :tls_version, :enum, list: Fluent::
|
61
|
+
config_param :tls_version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: Fluent::TLS::DEFAULT_VERSION
|
61
62
|
desc 'The cipher configuration of TLS'
|
62
|
-
config_param :tls_ciphers, :string, default: Fluent::
|
63
|
+
config_param :tls_ciphers, :string, default: Fluent::TLS::CIPHERS_DEFAULT
|
63
64
|
|
64
65
|
desc 'Raise UnrecoverableError when the response is non success, 4xx/5xx'
|
65
66
|
config_param :error_response_as_unrecoverable, :bool, default: true
|
66
67
|
desc 'The list of retryable response code'
|
67
|
-
config_param :retryable_response_codes, :array, value_type: :integer, default:
|
68
|
+
config_param :retryable_response_codes, :array, value_type: :integer, default: nil
|
68
69
|
|
69
70
|
config_section :format do
|
70
71
|
config_set_default :@type, 'json'
|
@@ -90,6 +91,11 @@ module Fluent::Plugin
|
|
90
91
|
def configure(conf)
|
91
92
|
super
|
92
93
|
|
94
|
+
if @retryable_response_codes.nil?
|
95
|
+
log.warn('Status code 503 is going to be removed from default `retryable_response_codes` from fluentd v2. Please add it by yourself if you wish')
|
96
|
+
@retryable_response_codes = [503]
|
97
|
+
end
|
98
|
+
|
93
99
|
@http_opt = setup_http_option
|
94
100
|
@proxy_uri = URI.parse(@proxy) if @proxy
|
95
101
|
@formatter = formatter_create
|
@@ -172,7 +178,7 @@ module Fluent::Plugin
|
|
172
178
|
end
|
173
179
|
|
174
180
|
def parse_endpoint(chunk)
|
175
|
-
endpoint = extract_placeholders(@endpoint, chunk)
|
181
|
+
endpoint = extract_placeholders(@endpoint, chunk)
|
176
182
|
URI.parse(endpoint)
|
177
183
|
end
|
178
184
|
|
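--- a/data/lib/fluent/plugin/output.rb
+++ b/data/lib/fluent/plugin/output.rb
@@ -1091,7 +1091,7 @@ module Fluent
 end
 end
 
-UNRECOVERABLE_ERRORS = [Fluent::UnrecoverableError, TypeError, ArgumentError, NoMethodError, MessagePack::UnpackError]
+UNRECOVERABLE_ERRORS = [Fluent::UnrecoverableError, TypeError, ArgumentError, NoMethodError, MessagePack::UnpackError, EncodingError]
 
 def try_flush
 chunk = @buffer.dequeue_chunk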
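Review bot: `UNRECOVERABLE_ERRORS` gains `EncodingError` with no comment stating the selection criterion, and that class is the parent of `Encoding::UndefinedConversionError`, `Encoding::InvalidByteSequenceError` and `Encoding::CompatibilityError`, so all of them now leave the retry path. A one-line comment above the constant would make the intent explicit: `# Errors that no retry can fix (malformed input or a plugin bug); the chunk is not re-queued`. What happens to such a chunk afterwards (presumably a secondary/backup path, given the touched backup test) is decided outside this hunk.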
@@ -27,8 +27,8 @@ module Fluent
|
|
27
27
|
REGEXP = /^(?<time>[^ ]*\s*[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[^ :\[]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
|
28
28
|
# From in_syslog default pattern
|
29
29
|
REGEXP_WITH_PRI = /^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[^ :\[]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
|
30
|
-
REGEXP_RFC5424 = /\A
|
31
|
-
REGEXP_RFC5424_WITH_PRI = /\A
|
30
|
+
REGEXP_RFC5424 = /\A(?<time>[^ ]+) (?<host>[!-~]{1,255}) (?<ident>[!-~]{1,48}) (?<pid>[!-~]{1,128}) (?<msgid>[!-~]{1,32}) (?<extradata>(?:\-|\[(.*)\]))(?: (?<message>.+))?\z/m
|
31
|
+
REGEXP_RFC5424_WITH_PRI = /\A\<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} (?<time>[^ ]+) (?<host>[!-~]{1,255}) (?<ident>[!-~]{1,48}) (?<pid>[!-~]{1,128}) (?<msgid>[!-~]{1,32}) (?<extradata>(?:\-|\[(.*)\]))(?: (?<message>.+))?\z/m
|
32
32
|
REGEXP_DETECT_RFC5424 = /^\<.*\>[1-9]\d{0,2}/
|
33
33
|
|
34
34
|
config_set_default :time_format, "%b %d %H:%M:%S"
|
@@ -141,6 +141,9 @@ module Fluent
|
|
141
141
|
end
|
142
142
|
end
|
143
143
|
record[name] = value if @keep_time_key
|
144
|
+
when "message"
|
145
|
+
value.chomp!
|
146
|
+
record[name] = value
|
144
147
|
else
|
145
148
|
record[name] = value
|
146
149
|
end
|
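Review bot: In the new `REGEXP_RFC5424` and `REGEXP_RFC5424_WITH_PRI`, the structured-data group `(?<extradata>(?:\-|\[(.*)\]))` is greedy and, under `/m`, `.` also crosses newlines, while the trailing `(?: (?<message>.+))?` is optional; a message that itself contains `]` (e.g. `... [id@1 k="v"] foo ] bar`) therefore has its prefix absorbed into `extradata` and only `bar` lands in `message`. Because the message text is the sender-controlled part of a syslog line, this lets a remote sender shift bytes between parsed fields, which matters for any downstream filtering keyed on `extradata`. Matching SD-ELEMENTs explicitly, e.g. `(?<extradata>-|(?:\[(?:[^\]\\]|\\.)*\])+)`, keeps the boundary at the first unescaped closing bracket; whether the old regexes had the same shape cannot be seen here because the removed lines are truncated.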
@@ -17,14 +17,16 @@
|
|
17
17
|
require 'openssl'
|
18
18
|
require 'socket'
|
19
19
|
|
20
|
-
|
20
|
+
require 'fluent/tls'
|
21
|
+
|
22
|
+
# this module is only for Socket/Server/HttpServer plugin helpers
|
21
23
|
module Fluent
|
22
24
|
module PluginHelper
|
23
25
|
module CertOption
|
24
26
|
def cert_option_create_context(version, insecure, ciphers, conf)
|
25
27
|
cert, key, extra = cert_option_server_validate!(conf)
|
26
28
|
|
27
|
-
ctx = OpenSSL::SSL::SSLContext.new
|
29
|
+
ctx = OpenSSL::SSL::SSLContext.new
|
28
30
|
unless insecure
|
29
31
|
# inject OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
|
30
32
|
# https://bugs.ruby-lang.org/issues/9424
|
@@ -43,6 +45,7 @@ module Fluent
|
|
43
45
|
if extra && !extra.empty?
|
44
46
|
ctx.extra_chain_cert = extra
|
45
47
|
end
|
48
|
+
Fluent::TLS.set_version_to_context(ctx, version, conf.min_version, conf.max_version)
|
46
49
|
|
47
50
|
ctx
|
48
51
|
end
|
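Review bot: `cert_option_create_context` now reads `conf.min_version` and `conf.max_version` at the new `Fluent::TLS.set_version_to_context` call while `version`, `insecure` and `ciphers` remain explicit positionals, so the method's contract on `conf` silently grew: any caller handing in a transport section or Hash that predates the `min_version`/`max_version` params now fails with `NoMethodError`. Taking them as keywords keeps the interface uniform and backward compatible: `def cert_option_create_context(version, insecure, ciphers, conf, min_version: nil, max_version: nil)` and `Fluent::TLS.set_version_to_context(ctx, version, min_version, max_version)`, with `SSLContextBuilder#build` (ssl_context_builder.rb hunk) passing `min_version: config.min_version, max_version: config.max_version`. The method's `unless insecure` body continues between these two hunks.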
@@ -23,27 +23,77 @@ rescue LoadError => _
|
|
23
23
|
end
|
24
24
|
|
25
25
|
require 'fluent/plugin_helper/thread'
|
26
|
+
require 'fluent/plugin_helper/server' # For Server::ServerTransportParams
|
27
|
+
require 'fluent/plugin_helper/http_server/ssl_context_builder'
|
26
28
|
|
27
29
|
module Fluent
|
28
30
|
module PluginHelper
|
29
31
|
module HttpServer
|
30
32
|
include Fluent::PluginHelper::Thread
|
33
|
+
include Fluent::Configurable
|
34
|
+
|
31
35
|
# stop : stop http server and mark callback thread as stopped
|
32
36
|
# shutdown : [-]
|
33
37
|
# close : correct stopped threads
|
34
38
|
# terminate: kill thread
|
35
39
|
|
40
|
+
def self.included(mod)
|
41
|
+
mod.include Fluent::PluginHelper::Server::ServerTransportParams
|
42
|
+
end
|
43
|
+
|
44
|
+
def initialize(*)
|
45
|
+
super
|
46
|
+
@_http_server = nil
|
47
|
+
end
|
48
|
+
|
49
|
+
def create_http_server(title, addr:, port:, logger:, default_app: nil, proto: nil, tls_opts: nil, &block)
|
50
|
+
logger.warn('this method is deprecated. Use #http_server_create_http_server instead')
|
51
|
+
http_server_create_http_server(title, addr: addr, port: port, logger: logger, default_app: default_app, proto: proto, tls_opts: tls_opts, &block)
|
52
|
+
end
|
53
|
+
|
36
54
|
# @param title [Symbol] the thread name. this value should be unique.
|
37
55
|
# @param addr [String] Listen address
|
38
56
|
# @param port [String] Listen port
|
39
57
|
# @param logger [Logger] logger used in this server
|
40
58
|
# @param default_app [Object] This method must have #call.
|
41
|
-
|
59
|
+
# @param proto [Symbol] :tls or :tcp
|
60
|
+
# @param tls_opts [Hash] options for TLS.
|
61
|
+
def http_server_create_http_server(title, addr:, port:, logger:, default_app: nil, proto: nil, tls_opts: nil, &block)
|
42
62
|
unless block_given?
|
43
63
|
raise ArgumentError, 'BUG: callback not specified'
|
44
64
|
end
|
45
65
|
|
46
|
-
|
66
|
+
if proto == :tls || (@transport_config && @transport_config.protocol == :tls)
|
67
|
+
http_server_create_https_server(title, addr: addr, port: port, logger: logger, default_app: default_app, tls_opts: tls_opts, &block)
|
68
|
+
else
|
69
|
+
@_http_server = HttpServer::Server.new(addr: addr, port: port, logger: logger, default_app: default_app) do |serv|
|
70
|
+
yield(serv)
|
71
|
+
end
|
72
|
+
|
73
|
+
_block_until_http_server_start do |notify|
|
74
|
+
thread_create(title) do
|
75
|
+
@_http_server.start(notify)
|
76
|
+
end
|
77
|
+
end
|
78
|
+
end
|
79
|
+
end
|
80
|
+
|
81
|
+
# @param title [Symbol] the thread name. this value should be unique.
|
82
|
+
# @param addr [String] Listen address
|
83
|
+
# @param port [String] Listen port
|
84
|
+
# @param logger [Logger] logger used in this server
|
85
|
+
# @param default_app [Object] This method must have #call.
|
86
|
+
# @param tls_opts [Hash] options for TLS.
|
87
|
+
def http_server_create_https_server(title, addr:, port:, logger:, default_app: nil, tls_opts: nil)
|
88
|
+
topt =
|
89
|
+
if tls_opts
|
90
|
+
_http_server_overwrite_config(@transport_config, tls_opts)
|
91
|
+
else
|
92
|
+
@transport_config
|
93
|
+
end
|
94
|
+
ctx = Fluent::PluginHelper::HttpServer::SSLContextBuilder.new($log).build(topt)
|
95
|
+
|
96
|
+
@_http_server = HttpServer::Server.new(addr: addr, port: port, logger: logger, default_app: default_app, tls_context: ctx) do |serv|
|
47
97
|
yield(serv)
|
48
98
|
end
|
49
99
|
|
@@ -64,6 +114,16 @@ module Fluent
|
|
64
114
|
|
65
115
|
private
|
66
116
|
|
117
|
+
def _http_server_overwrite_config(config, opts)
|
118
|
+
conf = config.dup
|
119
|
+
Fluent::PluginHelper::Server::SERVER_TRANSPORT_PARAMS.map(&:to_s).each do |param|
|
120
|
+
if opts.key?(param)
|
121
|
+
conf[param] = opts[param]
|
122
|
+
end
|
123
|
+
end
|
124
|
+
conf
|
125
|
+
end
|
126
|
+
|
67
127
|
# To block until server is ready to listen
|
68
128
|
def _block_until_http_server_start
|
69
129
|
que = Queue.new
|
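Review bot: `_http_server_overwrite_config` honours only string keys — it iterates `SERVER_TRANSPORT_PARAMS.map(&:to_s)` and tests `opts.key?(param)` — so a caller passing `tls_opts: { insecure: false, cert_path: ... }` with symbol keys has every override silently ignored and the server starts from the unmodified `@transport_config`; for TLS settings a silent fallback is the wrong failure mode. Accept both spellings, e.g. `key = [param, param.to_sym].find { |k| opts.key?(k) }` followed by `conf[param] = opts[key] if key`, or raise on keys that match no transport param so a typo in an option name surfaces at configure time. Separately, `http_server_create_https_server` builds its context with `SSLContextBuilder.new($log)` although the `logger:` argument is in scope; passing `logger` keeps TLS diagnostics on the plugin's own logger.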
@@ -16,6 +16,7 @@
|
|
16
16
|
|
17
17
|
require 'fluent/plugin_helper/http_server/methods'
|
18
18
|
require 'fluent/plugin_helper/http_server/compat/webrick_handler'
|
19
|
+
require 'fluent/plugin_helper/http_server/compat/ssl_context_extractor'
|
19
20
|
|
20
21
|
module Fluent
|
21
22
|
module PluginHelper
|
@@ -24,16 +25,26 @@ module Fluent
|
|
24
25
|
class Server
|
25
26
|
# @param logger [Logger]
|
26
27
|
# @param default_app [Object] ignored option. only for compat
|
27
|
-
|
28
|
+
# @param tls_context [OpenSSL::SSL::SSLContext]
|
29
|
+
def initialize(addr:, port:, logger:, default_app: nil, tls_context: nil)
|
28
30
|
@addr = addr
|
29
31
|
@port = port
|
30
32
|
@logger = logger
|
31
|
-
|
33
|
+
|
34
|
+
config = {
|
32
35
|
BindAddress: @addr,
|
33
36
|
Port: @port,
|
34
37
|
Logger: WEBrick::Log.new(STDERR, WEBrick::Log::FATAL),
|
35
38
|
AccessLog: [],
|
36
|
-
|
39
|
+
}
|
40
|
+
if tls_context
|
41
|
+
require 'webrick/https'
|
42
|
+
@logger.warn('Webrick ignores given TLS version')
|
43
|
+
tls_opt = Fluent::PluginHelper::HttpServer::Compat::SSLContextExtractor.extract(tls_context)
|
44
|
+
config = tls_opt.merge(**config)
|
45
|
+
end
|
46
|
+
|
47
|
+
@server = WEBrick::HTTPServer.new(config)
|
37
48
|
|
38
49
|
# @example ["/example.json", :get, handler object]
|
39
50
|
@methods = []
|
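Review bot: On the WEBrick path the configured protocol version is dropped with only `@logger.warn('Webrick ignores given TLS version')`, and the warning fires whenever a `tls_context` is given, whether or not the user set `version`/`min_version`/`max_version`; the extractor in the next hunk (`compat/ssl_context_extractor.rb`) copies ciphers, options and verification settings but nothing version-related. A deployment that believes it pinned TLS 1.2 can thus negotiate older versions once it falls back to WEBrick, which is a security misconfiguration rather than a cosmetic gap. If the version cannot be forwarded to WEBrick, consider passing the requested range into this constructor so it can either be enforced via `SSLOptions` or rejected with a configuration error, instead of warned about once. `initialize` continues past the end of this hunk.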
@@ -0,0 +1,52 @@
|
|
1
|
+
#
|
2
|
+
# Fluentd
|
3
|
+
#
|
4
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
+
# you may not use this file except in compliance with the License.
|
6
|
+
# You may obtain a copy of the License at
|
7
|
+
#
|
8
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
9
|
+
#
|
10
|
+
# Unless required by applicable law or agreed to in writing, software
|
11
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
+
# See the License for the specific language governing permissions and
|
14
|
+
# limitations under the License.
|
15
|
+
#
|
16
|
+
|
17
|
+
module Fluent
|
18
|
+
module PluginHelper
|
19
|
+
module HttpServer
|
20
|
+
module Compat
|
21
|
+
# This class converts OpenSSL::SSL::SSLContext to Webrick SSL Config because webrick does not have interface to pass OpenSSL::SSL::SSLContext directory
|
22
|
+
# https://github.com/ruby/webrick/blob/v1.6.0/lib/webrick/ssl.rb#L67-L88
|
23
|
+
class SSLContextExtractor
|
24
|
+
|
25
|
+
#
|
26
|
+
# memo: https://github.com/ruby/webrick/blob/v1.6.0/lib/webrick/ssl.rb#L180-L205
|
27
|
+
# @param ctx [OpenSSL::SSL::SSLContext]
|
28
|
+
def self.extract(ctx)
|
29
|
+
{
|
30
|
+
SSLEnable: true,
|
31
|
+
SSLPrivateKey: ctx.key,
|
32
|
+
SSLCertificate: ctx.cert,
|
33
|
+
SSLClientCA: ctx.client_ca,
|
34
|
+
SSLExtraChainCert: ctx.extra_chain_cert,
|
35
|
+
SSLCACertificateFile: ctx.ca_file,
|
36
|
+
SSLCACertificatePath: ctx.ca_path,
|
37
|
+
SSLCertificateStore: ctx.cert_store,
|
38
|
+
SSLTmpDhCallback: ctx.tmp_dh_callback,
|
39
|
+
SSLVerifyClient: ctx.verify_mode,
|
40
|
+
SSLVerifyDepth: ctx.verify_depth,
|
41
|
+
SSLVerifyCallback: ctx.verify_callback,
|
42
|
+
SSLServerNameCallback: ctx.servername_cb,
|
43
|
+
SSLTimeout: ctx.timeout,
|
44
|
+
SSLOptions: ctx.options,
|
45
|
+
SSLCiphers: ctx.ciphers,
|
46
|
+
}
|
47
|
+
end
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
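Review bot: The class comment says WEBrick cannot take an `OpenSSL::SSL::SSLContext` "directory", which should read "directly", and `extract` documents its parameter but not its result. Add `# @return [Hash] WEBrick SSL config keys (SSLEnable, SSLPrivateKey, ...) derived from ctx` above `def self.extract(ctx)`, and note in the same comment that protocol version bounds are intentionally not carried over so readers of the compat server's warning know where to look.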
@@ -26,20 +26,26 @@ module Fluent
|
|
26
26
|
module PluginHelper
|
27
27
|
module HttpServer
|
28
28
|
class Server
|
29
|
+
# @param logger [Logger]
|
29
30
|
# @param default_app [Object] This method must have #call.
|
30
|
-
|
31
|
+
# @param tls_context [OpenSSL::SSL::SSLContext]
|
32
|
+
def initialize(addr:, port:, logger:, default_app: nil, tls_context: nil)
|
31
33
|
@addr = addr
|
32
34
|
@port = port
|
33
35
|
@logger = logger
|
34
36
|
|
35
|
-
# TODO: support
|
36
|
-
|
37
|
+
# TODO: support http2
|
38
|
+
scheme = tls_context ? 'https' : 'http'
|
39
|
+
@uri = URI("#{scheme}://#{@addr}:#{@port}").to_s
|
37
40
|
@router = Router.new(default_app)
|
38
|
-
@reactor = Async::Reactor.new
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
41
|
+
@reactor = Async::Reactor.new(nil, logger: @logger)
|
42
|
+
|
43
|
+
opts = if tls_context
|
44
|
+
{ ssl_context: tls_context }
|
45
|
+
else
|
46
|
+
{}
|
47
|
+
end
|
48
|
+
@server = Async::HTTP::Server.new(App.new(@router, @logger), Async::HTTP::Endpoint.parse(@uri, **opts))
|
43
49
|
|
44
50
|
if block_given?
|
45
51
|
yield(self)
|
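Review bot: `@uri = URI("#{scheme}://#{@addr}:#{@port}").to_s` raises `URI::InvalidURIError` for an IPv6 bind address such as `::1` or `::`, because the literal is interpolated without brackets; whether the pre-change code had the same problem is not visible here, since the removed lines are truncated. Bracket the host before building the string: `host = @addr.include?(':') ? "[#{@addr}]" : @addr` and `@uri = URI("#{scheme}://#{host}:#{@port}").to_s`. `initialize` continues beyond the end of the hunk.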
@@ -0,0 +1,41 @@
|
|
1
|
+
#
|
2
|
+
# Fluentd
|
3
|
+
#
|
4
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
+
# you may not use this file except in compliance with the License.
|
6
|
+
# You may obtain a copy of the License at
|
7
|
+
#
|
8
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
9
|
+
#
|
10
|
+
# Unless required by applicable law or agreed to in writing, software
|
11
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
+
# See the License for the specific language governing permissions and
|
14
|
+
# limitations under the License.
|
15
|
+
#
|
16
|
+
|
17
|
+
require 'fluent/plugin_helper/cert_option'
|
18
|
+
|
19
|
+
module Fluent
|
20
|
+
module PluginHelper
|
21
|
+
module HttpServer
|
22
|
+
# In order not to expose CertOption's methods unnecessary
|
23
|
+
class SSLContextBuilder
|
24
|
+
include Fluent::PluginHelper::CertOption
|
25
|
+
|
26
|
+
def initialize(log)
|
27
|
+
@log = log
|
28
|
+
end
|
29
|
+
|
30
|
+
# @param config [Fluent::Config::Section] @transport_config
|
31
|
+
def build(config)
|
32
|
+
cert_option_create_context(config.version, config.insecure, config.ciphers, config)
|
33
|
+
end
|
34
|
+
|
35
|
+
private
|
36
|
+
|
37
|
+
attr_reader :log
|
38
|
+
end
|
39
|
+
end
|
40
|
+
end
|
41
|
+
end
|
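Review bot: `build`'s `@param config` comment only says `@transport_config`, but the call it makes reads `version`, `insecure`, `ciphers` and — via `cert_option_create_context` in the cert_option.rb hunk — `min_version`/`max_version` plus whatever `cert_option_server_validate!` reads from the section, so a plugin that assembles its own transport section without the new `min_version`/`max_version` params fails inside `build` with `NoMethodError`. Spell that out: `# @param config [Fluent::Config::Section] a transport section built from Server::ServerTransportParams (reads version, min_version, max_version, ciphers, insecure and the certificate fields)`. The class comment `# In order not to expose CertOption's methods unnecessary` reads better as `# Wraps CertOption so its helper methods are not mixed into the plugin class`.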
@@ -240,7 +240,7 @@ module Fluent
|
|
240
240
|
end
|
241
241
|
|
242
242
|
SERVER_TRANSPORT_PARAMS = [
|
243
|
-
:protocol, :version, :ciphers, :insecure,
|
243
|
+
:protocol, :version, :min_version, :max_version, :ciphers, :insecure,
|
244
244
|
:ca_path, :cert_path, :private_key_path, :private_key_passphrase, :client_cert_auth,
|
245
245
|
:ca_cert_path, :ca_private_key_path, :ca_private_key_passphrase,
|
246
246
|
:generate_private_key_length,
|
@@ -260,18 +260,13 @@ module Fluent
|
|
260
260
|
end
|
261
261
|
|
262
262
|
module ServerTransportParams
|
263
|
-
TLS_DEFAULT_VERSION = :'TLSv1_2'
|
264
|
-
TLS_SUPPORTED_VERSIONS = [:'TLSv1_1', :'TLSv1_2']
|
265
|
-
### follow httpclient configuration by nahi
|
266
|
-
# OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
|
267
|
-
CIPHERS_DEFAULT = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
|
268
|
-
|
269
263
|
include Fluent::Configurable
|
270
264
|
config_section :transport, required: false, multi: false, init: true, param_name: :transport_config do
|
271
265
|
config_argument :protocol, :enum, list: [:tcp, :tls], default: :tcp
|
272
|
-
config_param :version, :enum, list:
|
273
|
-
|
274
|
-
config_param :
|
266
|
+
config_param :version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: Fluent::TLS::DEFAULT_VERSION
|
267
|
+
config_param :min_version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: nil
|
268
|
+
config_param :max_version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: nil
|
269
|
+
config_param :ciphers, :string, default: Fluent::TLS::CIPHERS_DEFAULT
|
275
270
|
config_param :insecure, :bool, default: false
|
276
271
|
|
277
272
|
# Cert signed by public CA
|
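Review bot: `min_version` and `max_version` are accepted as independent optional enums with no cross-check, so `min_version TLSv1_2` with `max_version TLSv1_1`, or a `max_version` below `version`, passes configure time and presumably only fails when the first connection is attempted; TLS parameters deserve a configure-time `Fluent::ConfigError`. The check belongs in the including plugin's `configure` (outside this hunk), e.g. `raise Fluent::ConfigError, "min_version must not exceed max_version" if min && max && Fluent::TLS::SUPPORTED_VERSIONS.index(min) > Fluent::TLS::SUPPORTED_VERSIONS.index(max)`, which assumes `SUPPORTED_VERSIONS` is ordered oldest to newest — confirm in tls.rb. Note also that if `Fluent::TLS::CIPHERS_DEFAULT` carries over the removed `"ALL:!aNULL:!eNULL:!SSLv2"` value unchanged (tls.rb is not in view), the default still admits RC4, 3DES and MD5-MAC suites on OpenSSL builds that ship them; a `HIGH`-based default would be a separate, worthwhile hardening.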
@@ -21,6 +21,7 @@ if Fluent.windows?
|
|
21
21
|
require 'certstore'
|
22
22
|
end
|
23
23
|
|
24
|
+
require 'fluent/tls'
|
24
25
|
require_relative 'socket_option'
|
25
26
|
|
26
27
|
module Fluent
|
@@ -33,12 +34,6 @@ module Fluent
|
|
33
34
|
|
34
35
|
include Fluent::PluginHelper::SocketOption
|
35
36
|
|
36
|
-
TLS_DEFAULT_VERSION = :'TLSv1_2'
|
37
|
-
TLS_SUPPORTED_VERSIONS = [:'TLSv1_1', :'TLSv1_2']
|
38
|
-
### follow httpclient configuration by nahi
|
39
|
-
# OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
|
40
|
-
CIPHERS_DEFAULT = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
|
41
|
-
|
42
37
|
attr_reader :_sockets # for tests
|
43
38
|
|
44
39
|
# TODO: implement connection pool for specified host
|
@@ -97,7 +92,7 @@ module Fluent
|
|
97
92
|
|
98
93
|
def socket_create_tls(
|
99
94
|
host, port,
|
100
|
-
version:
|
95
|
+
version: Fluent::TLS::DEFAULT_VERSION, min_version: nil, max_version: nil, ciphers: Fluent::TLS::CIPHERS_DEFAULT, insecure: false, verify_fqdn: true, fqdn: nil,
|
101
96
|
enable_system_cert_store: true, allow_self_signed_cert: false, cert_paths: nil,
|
102
97
|
cert_path: nil, private_key_path: nil, private_key_passphrase: nil,
|
103
98
|
cert_thumbprint: nil, cert_logical_store_name: nil, cert_use_enterprise_store: true,
|
@@ -106,7 +101,7 @@ module Fluent
|
|
106
101
|
host_is_ipaddress = IPAddr.new(host) rescue false
|
107
102
|
fqdn ||= host unless host_is_ipaddress
|
108
103
|
|
109
|
-
context = OpenSSL::SSL::SSLContext.new
|
104
|
+
context = OpenSSL::SSL::SSLContext.new
|
110
105
|
|
111
106
|
if insecure
|
112
107
|
log.trace "setting TLS verify_mode NONE"
|
@@ -154,6 +149,7 @@ module Fluent
|
|
154
149
|
context.cert = OpenSSL::X509::Certificate.new(File.read(cert_path)) if cert_path
|
155
150
|
context.key = OpenSSL::PKey::read(File.read(private_key_path), private_key_passphrase) if private_key_path
|
156
151
|
end
|
152
|
+
Fluent::TLS.set_version_to_context(context, version, min_version, max_version)
|
157
153
|
|
158
154
|
tcpsock = socket_create_tcp(host, port, **kwargs)
|
159
155
|
sock = WrappedSocket::TLS.new(tcpsock, context)
|
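Review bot: `socket_create_tls` gains `min_version:` and `max_version:` (defaulting to nil) next to `version:` (defaulting to `Fluent::TLS::DEFAULT_VERSION`) without saying which wins when both are supplied; the precedence is decided inside `Fluent::TLS.set_version_to_context(context, version, min_version, max_version)`, and tls.rb is not in view, so callers cannot tell whether `version` is ignored once a range is set. Document it above the signature, e.g. `# version: pins one protocol; min_version:/max_version: bound a range — see Fluent::TLS.set_version_to_context for which wins when both are given`. The parameter list and the method body both extend beyond these hunks.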