This is an automated email from the ASF dual-hosted git repository. shinrich pushed a commit to branch aviatrix-integrate-ats10 in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 36bba73bc5bda1fcd7987b612ac5fc33b636e32b Author: Susan Hinrichs <[email protected]> AuthorDate: Fri Sep 8 16:36:50 2023 +0000 Another checkpoint. This one installs and starts up --- aviatrix/10_0_0.0001/avx-gw-trafficserver.service | 16 ++++ aviatrix/10_0_0.0001/configs/logging.yaml | 53 +++++++++++ aviatrix/10_0_0.0001/configs/plugin.config | 16 ++++ aviatrix/10_0_0.0001/configs/records.yaml | 102 +++++++++++++++++++++ .../10_0_0.0001/logrotate/avx-gw-trafficserver | 11 +++ aviatrix/10_0_0.0001/postinst | 25 +++++ .../avx_plugins/policy_driver/policy_driver.cc | 5 +- aviatrix/avx_plugins/policy_driver/web_filter.cc | 5 +- build_debs.sh | 62 +++++++++++++ include/ts/ts.h | 1 + src/traffic_server/InkAPI.cc | 23 +++-- 11 files changed, 309 insertions(+), 10 deletions(-)
diff --git a/aviatrix/10_0_0.0001/avx-gw-trafficserver.service b/aviatrix/10_0_0.0001/avx-gw-trafficserver.service
new file mode 100644
index 0000000000..5bf0a6ea7d
--- /dev/null
+++ b/aviatrix/10_0_0.0001/avx-gw-trafficserver.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Service that runs the trafficserver
+
+[Service]
+Type=simple
+ExecStart=-/opt/ats/ats_10.0.0/bin/traffic_server -f -F --bind_stdout /var/log/tslogs/traffic.out --bind_stderr /var/log/tslogs/traffic.out
+Restart=on-failure
+RestartSec=5s
+LimitNOFILE=1000000
+PIDFile=/opt/ats/ats_10.0.0/var/trafficserver/server.lock
+TimeoutStopSec=5s
+#ExecReload=@exp_bindir@/traffic_ctl config reload
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
diff --git a/aviatrix/10_0_0.0001/configs/logging.yaml b/aviatrix/10_0_0.0001/configs/logging.yaml
new file mode 100755
index 0000000000..087e2cde40
--- /dev/null
+++ b/aviatrix/10_0_0.0001/configs/logging.yaml
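Review bot: The `-` prefix on `ExecStart=-/opt/ats/ats_10.0.0/bin/traffic_server ...` tells systemd to treat a non-zero exit of the command as success, so the `Restart=on-failure` on the following line will never restart traffic_server after a crash exit; drop the prefix, `ExecStart=/opt/ats/ats_10.0.0/bin/traffic_server -f -F --bind_stdout /var/log/tslogs/traffic.out --bind_stderr /var/log/tslogs/traffic.out`. The unit sets no `User=`, so the daemon starts as root and relies on `admin.user_id: ats-user` in this commit's records.yaml to drop privileges; a comment in the unit saying so would save the next reader from adding a `User=` that breaks port binding. `PIDFile=` is documented for `Type=forking` services and is unlikely to have any effect under `Type=simple`, so it should either go or the type should be revisited.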
@@ -0,0 +1,53 @@
+# Custom log configuration
+#
+# Documentation on logging:
+# https://docs.trafficserver.apache.org/en/9.0.x/admin-guide/logging/index.en.html
+#
+# Documentation on logging.yaml file format:
+# https://docs.trafficserver.apache.org/en/9.0.x/admin-guide/files/logging.yaml.en.html
+#
+# Example log configurations:
+# https://docs.trafficserver.apache.org/en/9.0.x/admin-guide/logging/examples.en.html
+
+
+logging:
+ formats:
+ # WebTrends Enhanced Log Format.
+ #
+ # The following is compatible with the WebTrends Enhanced Log Format.
+ # If you want to generate a log that can be parsed by WebTrends
+ # reporting tools, simply create a log that uses this format.
+ - name: welf
+ format: |-
+ id=firewall time="%<cqtd> %<cqtt>" fw=%<phn> pri=6 proto=%<cqus> duration=%<ttmsf> sent=%<psql> rcvd=%<cqhl> src=%<chi> dst=%<shi> dstname=%<shn> user=%<caun> op=%<cqhm> arg="%<cqup>" result=%<pssc> ref="%<{Referer}cqh>" agent="%<{user-agent}cqh>" cache=%<crc>
+ # Squid Log Format with seconds resolution timestamp.
+ # The following is the squid format but with a seconds-only timestamp
+ # (cqts) instead of a seconds and milliseconds timestamp (cqtq).
+ - name: squid_seconds_only_timestamp
+ format: '%<cqts> %<ttms> %<chi> %<crc>/%<pssc> %<psql> %<cqhm> %<cquc> %<caun> %<phr>/%<shn> %<psct>'
+
+ # Squid Log Format.
+ - name: squid
+ format: '%<cqtq> %<ttms> %<chi> %<crc>/%<pssc> %<psql> %<cqhm> %<cquc> %<caun> %<phr>/%<shn> %<psct>'
+
+ - name: aviatrix
+ format: 'ts=%<cqtq> ttms=%<ttms> sni=%<cssn> meth=%<cqhm> cqpv=%<cqpv> pssc=%<pssc> cqtr=%<cqtr> cqssl=%<cqssl> chi=%<chi> cqql=%<cqql> shi=%<shi> shn=%<shn> psql=%<psql> sstc=%<sstc> cquc=%<cquc[:512]>'
+
+ # Common Log Format.
+ - name: common
+ format: '%<chi> - %<caun> [%<cqtn>] "%<cqtx>" %<pssc> %<pscl>'
+
+ # Extended Log Format.
+ - name: 'extended'
+ format: '%<chi> - %<caun> [%<cqtn>] "%<cqtx>" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts>'
+
+ # Extended2 Log Formats
+ - name: "extended2"
+ format: '%<chi> - %<caun> [%<cqtn>] "%<cqtx>" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts> %<phr> %<cfsc> %<pfsc> %<crc>'
+
+ logs:
+ - filename: access
+ format: aviatrix
+ mode: text
+
+# vim: set ft=yaml :
diff --git a/aviatrix/10_0_0.0001/configs/plugin.config b/aviatrix/10_0_0.0001/configs/plugin.config
new file mode 100644
index 0000000000..168bcf691f
--- /dev/null
+++ b/aviatrix/10_0_0.0001/configs/plugin.config
@@ -0,0 +1,16 @@
+#
+# plugin.config
+#
+# Documentation:
+# https://docs.trafficserver.apache.org/en/latest/admin-guide/files/plugin.config.en.html
+#
+# Comments start with a '#' and continue to the end of the line
+# Blank lines are ignored
+
+policy_driver.so 5557
+#
+tee_decrypt.so 127.255.0.10 127.255.0.20
+#
+#use certifier to automatically run with MITM
+avx_certifier.so --sign-cert=/opt/ats/ats_9.1.3/etc/local_ca/mitm_ca.cert --sign-key=/opt/ats/ats_9.1.3/etc/local_ca/mitm_ca.key --sign-serial=/opt/ats/ats_9.1.3/var/local_ca/serial.txt --store=/opt/ats/ats_9.1.3/var/local_ca/keys --max=200
+memory_profile.so
diff --git a/aviatrix/10_0_0.0001/configs/records.yaml b/aviatrix/10_0_0.0001/configs/records.yaml
new file mode 100644
index 0000000000..4058a661db
--- /dev/null
+++ b/aviatrix/10_0_0.0001/configs/records.yaml
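Review bot: The active `avx_certifier.so` line still points all four CA paths at `/opt/ats/ats_9.1.3/...`, while everything else in this commit installs under `/opt/ats/ats_10.0.0` (postinst's `atsdir`, and build_debs.sh creating `etc/local_ca` and `var/local_ca/keys` there), so the MITM signing cert, key, serial file and key store will not be found by the packaged 10.0.0 build. The prefix should be `/opt/ats/ats_10.0.0` in `--sign-cert`, `--sign-key`, `--sign-serial` and `--store`, or better derived from the install root at build time rather than hard-coded per version. Since `--sign-key` names the CA private key, a comment here pointing at the `750 root:ats-user` permissions postinst applies to `etc/local_ca` would keep the two files in sync when the path changes again.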
@@ -0,0 +1,102 @@
+ts:
+ accept_threads: 1
+ cache:
+ limits:
+ http:
+ max_alts: 5
+ max_doc_size: 0
+ min_average_object_size: 8000
+ ram_cache:
+ size: -1
+ ram_cache_cutoff: 4194304
+ threads_per_disk: 8
+ diags:
+ debug:
+ enabled: 0
+ tags: http
+ dump_mem_info_frequency: 0
+ exec_thread:
+ affinity: 1
+ autoconfig:
+ enabled: 1
+ scale: 1.0
+ limit: 2
+ http:
+ accept_no_activity_timeout: 120
+ attach_server_session_to_client: 1
+ auth_server_session_private: 0
+ cache:
+ cache_responses_to_cookies: 1
+ cache_urls_that_look_dynamic: 1
+ heuristic_lm_factor: 0.1
+ heuristic_max_lifetime: 86400
+ heuristic_min_lifetime: 3600
+ http: 0
+ ignore_client_cc_max_age: 1
+ required_headers: 2
+ when_to_revalidate: 0
+ connect_attempts_max_retries: 0
+ connect_attempts_rr_retries: 3
+ connect_attempts_timeout: 30
+ down_server:
+ cache_time: 60
+ forward:
+ proxy_auth_to_parent: 0
+ insert_age_in_response: 0
+ insert_client_ip: 0
+ insert_response_via_str: 0
+ insert_squid_x_forwarded_for: 0
+ keep_alive_no_activity_timeout_in: 120
+ keep_alive_no_activity_timeout_out: 120
+ negative_caching_enabled: 0
+ negative_caching_lifetime: 1800
+ normalize_ae: 0
+ parent_proxy:
+ retry_time: 300
+ push_method_enabled: 0
+ response_server_enabled: 0
+ server_ports: 8443:ssl:tr-full:allow-plain:tr-pass
+ server_session_sharing:
+ match: both
+ slow:
+ log:
+ threshold: 0
+ transaction_active_timeout_in: 900
+ transaction_active_timeout_out: 0
+ transaction_no_activity_timeout_in: 30
+ transaction_no_activity_timeout_out: 30
+ uncacheable_requests_bypass_parent: 1
+ use_client_target_addr: 2
+ log:
+ logfile_dir: /var/log/tslogs
+ logging_enabled: 3
+ rolling_enabled: 0
+ net:
+ connections_throttle: 30000
+ default_inactivity_timeout: 86400
+ max_connections_in: 30000
+ max_requests_in: 0
+ reverse_proxy:
+ enabled: 0
+ ssl:
+ client:
+ CA:
+ cert:
+ filename: mitm-trustbundle.crt
+ path: certs
+ verify:
+ server:
+ policy: PERMISSIVE
+ properties: SIGNATURE
+ handshake_timeout_in: 0
+ server:
+ cert:
+ path: ssl
+ private_key:
+ path: ssl
+ task_threads: 2
+ url_remap:
+ pristine_host_hdr: 1
+ remap_required: 0
+ admin:
+ user_id: ats-user
diff --git a/aviatrix/10_0_0.0001/logrotate/avx-gw-trafficserver b/aviatrix/10_0_0.0001/logrotate/avx-gw-trafficserver
new file mode 100644
index 0000000000..ff97959ddc
--- /dev/null
+++ b/aviatrix/10_0_0.0001/logrotate/avx-gw-trafficserver
@@ -0,0 +1,11 @@
+/var/log/tslogs/access.log /var/log/tslogs/diags.log {
+ su ats-user ats-user
+ rotate 12
+ daily
+ size 5M
+ missingok
+ notifempty
+ compress
+ copytruncate
+}
+
diff --git a/aviatrix/10_0_0.0001/postinst b/aviatrix/10_0_0.0001/postinst
new file mode 100644
index 0000000000..2505e7dc15
--- /dev/null
+++ b/aviatrix/10_0_0.0001/postinst
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+atsdir='/opt/ats/ats_10.0.0'
+
+#creating log directory and setting permissions
+test -e /var/log/tslogs || mkdir -p /var/log/tslogs
+useradd --shell /usr/sbin/nologin ats-user
+chown ats-user:ats-user /var/log/tslogs
+chmod 775 /var/log/tslogs
+
+#creating trustbundle directory
+mkdir $atsdir/certs
+
+#fixing owners and setting permissions
+chown -R ats-user:ats-user $atsdir
+chown root:ats-user $atsdir/etc/local_ca
+chmod 750 $atsdir/etc/local_ca
+chown -R root:ats-user $atsdir/var/local_ca
+chmod -R 770 $atsdir/var/local_ca
+
+#fixing permissions for logrotate conf
+chown root:root /etc/logrotate.d/avx-gw-trafficserver
+chmod 644 /etc/logrotate.d/avx-gw-trafficserver
+
+setcap cap_net_admin,cap_net_raw+eip $atsdir/bin/traffic_server
diff --git a/aviatrix/avx_plugins/policy_driver/policy_driver.cc b/aviatrix/avx_plugins/policy_driver/policy_driver.cc
index 0fd4dfb82a..c17e4a3b47 100644
--- a/aviatrix/avx_plugins/policy_driver/policy_driver.cc
+++ b/aviatrix/avx_plugins/policy_driver/policy_driver.cc
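Review bot: `verify.server.policy: PERMISSIVE` makes a failed origin certificate check log-only, so the proxy still completes the upstream TLS connection when the chain does not validate against `certs/mitm-trustbundle.crt`; because this gateway re-signs origin certificates with its own CA (the avx_certifier line in plugin.config), the client sees a valid certificate and has no way to learn that the upstream check failed. Unless there is a deliberate reason to tolerate that, `policy: ENFORCED` is the safer setting, and if PERMISSIVE is kept the reason should be recorded in a comment next to it. `log.rolling_enabled: 0` leaves rotation entirely to the `copytruncate` logrotate rule added in this commit, which logrotate documents as able to lose lines written between the copy and the truncate; a one-line comment saying that trade-off is intended would help.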
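Review bot: `useradd --shell /usr/sbin/nologin ats-user` is not idempotent: on a reinstall or upgrade the user already exists, useradd exits non-zero, and with no `set -e` the rest of the script runs while the failure goes unnoticed; guard it, `getent passwd ats-user >/dev/null || useradd --system --shell /usr/sbin/nologin ats-user`, and give `mkdir $atsdir/certs` the same `-p` treatment the log directory already gets. `chown -R ats-user:ats-user $atsdir` hands the runtime user write access to the whole install tree, including `bin/traffic_server`, which the last line then grants `cap_net_admin,cap_net_raw+eip`, and the `libexec` plugins; a compromised worker could replace either and have it loaded with those capabilities on the next restart. Keep the tree root-owned and limit ats-user ownership to the writable state directories (`$atsdir/var`, `$atsdir/certs`, `/var/log/tslogs`), which is also what the later `root:ats-user` lines for `local_ca` already do. The script also ignores dpkg's `$1` action argument, so these steps run unchanged for `abort-upgrade` and friends, not only `configure`.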
@@ -109,7 +109,8 @@ static int
 policy_sni(TSCont cont, TSEvent event, void *edata)
 {
 TSVConn ssl_vc = reinterpret_cast<TSVConn>(edata);
- const char *server_name = TSVConnSslServernameGet(ssl_vc);
+ int len = 0;
+ const char *server_name = TSVConnSslSniGet(ssl_vc, &len);
 TSDebug(PLUGIN_NAME, "SNI filter %s", server_name);
 // Evalulate policy
@@ -147,7 +148,7 @@ policy_sni(TSCont cont, TSEvent event, void *edata)
 case POLICY_DROP:
 default:
 TSDebug(PLUGIN_NAME, "Filter drop");
- int ssl_fd = TSVConnSslConnectionGetFd(ssl_vc);
+ int ssl_fd = TSVConnFdGet(ssl_vc);
 // close(ssl_fd);
 // One might think that the TSVConnClose would be more appropriate
 // than just closing the file descriptor. But calling TSVConnClose
diff --git a/aviatrix/avx_plugins/policy_driver/web_filter.cc b/aviatrix/avx_plugins/policy_driver/web_filter.cc
index 1e26c0d415..18d365c123 100644
--- a/aviatrix/avx_plugins/policy_driver/web_filter.cc
+++ b/aviatrix/avx_plugins/policy_driver/web_filter.cc
@@ -345,8 +345,9 @@ PolicyHolder::internalEvaluatePolicySni(TSVConn ssl_vc, PolicyEvalInfo *policy_e
 struct sockaddr_in client_addr, origin_addr;
 bool address_fail = true;
- const char *server_name = TSVConnSslServernameGet(ssl_vc);
- if (getTupleInfo(TSVConnSslConnectionGetFd(ssl_vc), &client_addr, &origin_addr) < 0) {
+ int len = 0;
+ const char *server_name = TSVConnSslSniGet(ssl_vc, &len);
+ if (getTupleInfo(TSVConnFdGet(ssl_vc), &client_addr, &origin_addr) < 0) {
 TSDebug(PLUGIN_NAME, "Failed to get tuple");
 logAndWatchResult("SNI", POLICY_ERROR, address_fail ? nullptr : &client_addr, address_fail ? nullptr : &origin_addr, server_name, nullptr, -1, -1);
diff --git a/build_debs.sh b/build_debs.sh
new file mode 100755
index 0000000000..ac30281f7f
--- /dev/null
+++ b/build_debs.sh
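Review bot: `TSVConnSslSniGet(ssl_vc, &len)` can plausibly hand back a null pointer (a non-SSL vc, or a ClientHello that carried no SNI; the InkAPI.cc hunk below shows it simply returning its `server_name` variable), and the next line passes the result straight into `TSDebug(PLUGIN_NAME, "SNI filter %s", server_name)`, where `%s` with a null argument is undefined behaviour; the web_filter.cc hunk has the same exposure when `server_name` reaches `logAndWatchResult(...)`. The new `len` is written but never read in either file, so the code still treats the result as a NUL-terminated C string; if the API does not guarantee termination, `len` needs to be threaded through to the policy evaluation and logging rather than discarded. A guard such as `const char *sni = server_name ? server_name : "";` before the debug line, with a comment noting that "no SNI" is a valid and policy-relevant case rather than an error, would cover both call sites. policy_sni's body continues past both hunks here, and the second hunk's `TSVConnFdGet` replacement is fine on its own given the new API returns -1 for a null vc.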
@@ -0,0 +1,62 @@
+
+export OPENSSL=/usr/lib
+export DEB=ats_10.0.0
+export ats_install_path=/opt/ats/ats_10.0.0
+export SRC_BASE=/home/ubuntu/ats10
+export BUILD_BASE=/home/ubuntu/build
+
+
+echo $ats_install_path
+
+PKG_CONFIG_PATH=/home/ubuntu/.local/lib/pkgconfig make -j 8
+current_install=""
+current_install=`cat $ats_install_path/environment`
+echo updating ats_install_path
+
+mkdir -p $ats_install_path/lib/
+cp /usr/lib/x86_64-linux-gnu/libhwloc.so.15.5.2 $ats_install_path/lib/
+ln -sf $ats_install_path/lib/libhwloc.so.15.7.6 $ats_install_path/lib/libhwloc.so.15
+ln -sf $ats_install_path/lib/libhwloc.so.15.7.6 $ats_install_path/lib/libhwloc.so
+
+cp /usr/lib/x86_64-linux-gnu/libjemalloc.so.2 $ats_install_path/lib/
+ln -sf $ats_install_path/lib/libjemalloc.so.2 $ats_install_path/lib/libjemalloc.so
+
+
+printf $1 > $ats_install_path/environment
+PKG_CONFIG_PATH=/home/ubuntu/.local/lib/pkgconfig make -j 8
+PKG_CONFIG_PATH=/home/ubuntu/.local/lib/pkgconfig make -j 8 install
+cp ${SRC_BASE}/aviatrix/avx_plugins/policy_driver/test_client $ats_install_path/bin
+cp ${SRC_BASE}/aviatrix/avx_plugins/policy_driver/test_server $ats_install_path/bin
+
+
+mkdir -p $BUILD_BASE
+cd $BUILD_BASE
+
+mkdir $DEB && mkdir -p $DEB/opt/ats && mkdir -p $DEB/lib/systemd/system && mkdir -p $DEB/etc/logrotate.d && mkdir $DEB/DEBIAN && cd $DEB/DEBIAN && \
+ printf "package: ats\nversion: 10.0.0\nmaintainer: Kasun\narchitecture: all\ndescription: testing it\n" > control
+mkdir -p ${BUILD_BASE}/$DEB/lib/systemd/system
+mkdir -p ${BUILD_BASE}/$DEB/etc/
+mkdir -p ${BUILD_BASE}/$DEB/DEBIAN
+
+cp -r ${SRC_BASE}/aviatrix/10_0_0.0001/configs/* ${ats_install_path}/etc/trafficserver
+cp ${SRC_BASE}/aviatrix/10_0_0.0001/avx-gw-trafficserver.service ${BUILD_BASE}/$DEB/lib/systemd/system
+cp ${SRC_BASE}/aviatrix/10_0_0.0001/logrotate/avx-gw-trafficserver ${BUILD_BASE}/$DEB/etc/logrotate.d
+cp ${SRC_BASE}/aviatrix/10_0_0.0001/postinst ${BUILD_BASE}/$DEB/DEBIAN
+mkdir -p $ats_install_path/etc/local_ca
+mkdir -p $ats_install_path/var/local_ca/keys
+echo 12345 > $ats_install_path/var/local_ca/serial.txt
+mkdir -p ${BUILD_BASE}/$DEB/opt/ats/
+
+cp -R $ats_install_path ${BUILD_BASE}/$DEB/opt/ats/
+chown root:root ${BUILD_BASE}/$DEB/DEBIAN/postinst && chmod 0775 ${BUILD_BASE}/$DEB/DEBIAN/postinst
+cd ${BUILD_BASE}/$DEB
+tar cf ../plugin_ats_10.0.0.tar opt/ats/ats_10.0.0/libexec/trafficserver/avx_certifier.* opt/ats/ats_10.0.0/libexec/trafficserver/policy_driver.*
+cp ${BUILD_BASE}/plugin_ats_10.0.0.tar /debs
+tar cf ../ats_10.0.0.tar opt/ats/ats_10.0.0/libexec/* opt/ats/ats_10.0.0/bin/* opt/ats/ats_10.0.0/lib/*
+cp ${BUILD_BASE}/ats_10.0.0.tar /debs
+cd ${BUILD_BASE}
+
+
+time dpkg-deb --build $DEB
+cp ${BUILD_BASE}/ats_10.0.0.deb /debs
+
diff --git a/include/ts/ts.h b/include/ts/ts.h
index a213034a6e..9f0083ccf8 100644
--- a/include/ts/ts.h
+++ b/include/ts/ts.h
@@ -1354,6 +1354,7 @@ namespace c
 */
 int TSVConnProvidedSslCert(TSVConn sslp);
 const char *TSVConnSslSniGet(TSVConn sslp, int *length);
+ int TSVConnFdGet(TSVConn vconnp);
 TSSslSession TSSslSessionGet(const TSSslSessionID *session_id);
 int TSSslSessionGetBuffer(const TSSslSessionID *session_id, char *buffer, int *len_ptr);
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
index 49a35bbd4b..a883ab34ff 100644
--- a/src/traffic_server/InkAPI.cc
+++ b/src/traffic_server/InkAPI.cc
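Review bot: The two `ln -sf` lines point `libhwloc.so.15` and `libhwloc.so` at `$ats_install_path/lib/libhwloc.so.15.7.6`, but the file copied on the line above them is `libhwloc.so.15.5.2`, so both symlinks dangle in the package and the shipped traffic_server will fail to resolve hwloc at start; the copy and the links must name the same file, e.g. `ln -sf libhwloc.so.15.5.2 $ats_install_path/lib/libhwloc.so.15`. `printf $1 > $ats_install_path/environment` uses the unquoted first argument as the printf format string and silently writes an empty file when no argument is given; `printf '%s' "$1"` after a `$#` check is the safe form, and the `current_install` it reads back is never used. `echo 12345 > $ats_install_path/var/local_ca/serial.txt` resets the MITM CA's certificate serial to the same value on every build, so certificates issued after a reinstall can repeat serials already seen by clients; preserve the existing file when present or seed it randomly. The generated control file also declares `architecture: all` for a package that ships x86_64 binaries and libraries, where `amd64` is the accurate value.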
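Review bot: The new `TSVConnFdGet(TSVConn vconnp)` declaration carries no doc comment, and the InkAPI.cc implementation in this commit returns `-1` when `vconnp` is null, which callers need to know to avoid passing the sentinel on to `close()` or `getsockopt()`. A comment above it such as `/** Socket descriptor of a net VConnection, or -1 if vconnp is null. The descriptor remains owned by the VConnection and must not be closed by the plugin. */` would match the rest of this header; the ownership sentence should be confirmed against the implementation first, since policy_driver.cc keeps a commented-out `close(ssl_fd)` on exactly this value.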
@@ -7207,18 +7207,19 @@ tsapi::c::TSNetConnectAdvanced(
 return reinterpret_cast<TSAction>(netProcessor.connect_re(reinterpret_cast<INKContInternal *>(contp), net_options->to, opt));
 }
 }
+
 const char *
-TSIPNPToP(const sockaddr *addr, ///< Address.
- char *dst, ///< Output buffer.
- size_t size)
+tsapi::c::TSIPNPToP(const sockaddr *addr, ///< Address.
+ char *dst, ///< Output buffer.
+ size_t size)
 {
 return ats_ip_nptop(addr, dst, size);
 }
 const char *
-TSIPNToP(const sockaddr *addr, ///< Address.
- char *dst, ///< Output buffer.
- size_t size)
+tsapi::c::TSIPNToP(const sockaddr *addr, ///< Address.
+ char *dst, ///< Output buffer.
+ size_t size)
 {
 return ats_ip_ntop(addr, dst, size);
 }
@@ -9217,6 +9218,16 @@ tsapi::c::TSVConnSslSniGet(TSVConn sslp, int *length)
 return server_name;
 }
+int
+tsapi::c::TSVConnFdGet(TSVConn vconnp)
+{
+ NetVConnection *vc = reinterpret_cast<NetVConnection *>(vconnp);
+ if (vc != nullptr) {
+ return vc->get_socket();
+ }
+ return -1;
+}
+
 tsapi::c::TSSslVerifyCTX
 tsapi::c::TSVConnSslVerifyCTXGet(TSVConn sslp)
 {
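Review bot: `TSVConnFdGet` turns any `TSVConn` into a `NetVConnection *` with a bare `reinterpret_cast` and then calls the virtual `get_socket()`, guarded only by a null check; a plugin that passes a VConnection of another kind (a transform or cache VConn) would dispatch a virtual call on the wrong object. Other TSVConn entry points in InkAPI.cc validate the handle with `sdk_sanity_check_iocore_structure` before casting — if the SSL accessors above this hunk do that (not visible here), the same check belongs at the top of this function, returning `-1` on failure rather than asserting, so the new API fails closed. The function also lacks the header comment the surrounding public API carries; something like `// Socket descriptor of a net VConnection, or -1 when vconnp is null or not a net VConnection; the descriptor stays owned by the VConnection.` would do, with the ownership clause confirmed against how policy_driver.cc uses the result. The first hunk's namespace qualification of `TSIPNPToP`/`TSIPNToP` raises nothing.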
