BBlack has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/378246 )
Change subject: varnishxcps: generate new hierarchical TLS stats
......................................................................

varnishxcps: generate new hierarchical TLS stats

One of the main problems with our current TLS stats is that the TLS attributes of a given request are counted up independently. For example, with the current stats we know these two independent facts:

1) That 0.7% of clients use DHE-RSA-AES128-SHA
2) That 95.6% use TLSv1.2, 0.3% use TLSv1.1, and 4.1% use TLSv1.0

But we can't answer questions like: "What percentage of DHE-RSA-AES128-SHA negotiators used TLSv1.0?"

This hierarchical dataset can answer that question, and many others like it (e.g. what percentage of chapoly negotiators also use x25519?). It will require a few new grafana boards to make sense of it in different ways.

Change-Id: I7a1d33ff3c195a9b9c218910ede6b1b2160e7da3
---
M modules/varnish/files/varnishxcps
1 file changed, 41 insertions(+), 5 deletions(-)

Approvals:
  BBlack: Looks good to me, approved
  jenkins-bot: Verified

diff --git a/modules/varnish/files/varnishxcps b/modules/varnish/files/varnishxcps index 9fbaf85..5b40f79 100755 --- a/modules/varnish/files/varnishxcps +++ b/modules/varnish/files/varnishxcps 
@@ -34,6 +34,19 @@ from cachestats import CacheStatsSender +# Our newer hierarchical stats are structured like: +# tls.<tls-version>.<key-exchange>.<auth>.<cipher> +# Where the legal values look like: +# tls-version: tlsv1, tlsv1_1, tlsv1_2, tlsv1_3 +# key-exchange: x25519, prime256v1, ffdheNNNN (?), dhe, rsa +# auth: ecdsa, rsa +# cipher: aes128-gcm-sha256 (stripped of kx-auth|tls13- prefix) +# Note also that our current parsing and interpretation assumes: +# 1) TLSv1.3 clients use ECDSA exclusively (we'll need to modify some nginx +# stuff to do any differently...), or at least are capable... +# 2) That if TLSv1.3+FFDHE gets used, the ffdhe will show up as the named curve +# via openssl? (unlikely to be a problem?) + class XcpsCacheStatsSender(CacheStatsSender): cmd = ['/usr/bin/varnishncsa', '-n', 'frontend', 
@@ -47,19 +60,42 @@ def __init__(self, argument_list): super(XcpsCacheStatsSender, self).__init__(argument_list) self.key_value_pairs = re.compile('([A-Z][A-Z0-9]*)=([^;]+)') + self.kxa = re.compile('^(ecdhe-(ecdsa|rsa)|dhe-rsa|tls13)-') def gen_stats(self, record): - for k, v in self.key_value_pairs.findall(record): - if k == 'SSR': + d = {k.lower(): v.lower() for + (k, v) in self.key_value_pairs.findall(record)} + if 'ssl' not in d: + return + # This creates the legacy split stats: + for (k, v) in d.items(): + if k == 'ssr': k = 'ssl_sessions' v = 'reused' if v == '1' else 'negotiated' - elif k == 'C': + elif k == 'c': k = 'ssl_cipher' - elif k == 'EC': + elif k == 'ec': k = 'ssl_ecdhe_curve' v = v.replace('.', '_') - s = '.'.join((k, v)).lower() + s = '.'.join((k, v)) self.stats[s] = self.stats.get(s, 0) + 1 + # This creates the new hierarchical stats (one stat bump per record) + parts = ('tls', d['ssl'].replace('.', '_')) + kxam = self.kxa.match(d['c']) + if kxam: + ciph = self.kxa.sub('', d['c']) + if kxam.group(1) == 'ecdhe-ecdsa': + parts += (d['ec'], 'ecdsa', ciph) + elif kxam.group(1) == 'ecdhe-rsa': + parts += (d['ec'], 'rsa', ciph) + elif kxam.group(1) == 'dhe-rsa': + parts += ('dhe', 'rsa', ciph) + else: # TLS13 + parts += (d['ec'], 'ecdsa', ciph) + else: + parts += ('rsa', 'rsa', d['c']) + s = '.'.join(parts) + self.stats[s] = self.stats.get(s, 0) + 1 if __name__ == "__main__": -- To view, visit https://gerrit.wikimedia.org/r/378246 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I7a1d33ff3c195a9b9c218910ede6b1b2160e7da3 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: Ema <e...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org 
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
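
Review bot: In the comment block added above class XcpsCacheStatsSender, assumption 1 means the auth level under tlsv1_3 is hardcoded to 'ecdsa' (see the "# TLS13" branch in gen_stats) rather than read from the log, and the comment should say that outright. As written, a dashboard reader could take tls.tlsv1_3.*.ecdsa.* as a measurement. The key-exchange list also carries open questions ("ffdheNNNN (?)" and the "?" in assumption 2); stating which log keys (SSL, C, EC) feed each level of the hierarchy would let those be checked against real records.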
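
Review bot: In gen_stats, the new hierarchical block indexes d['c'] and d['ec'] directly, but the only presence check is "if 'ssl' not in d", so a record that carries SSL= without C= (or an ecdhe/tls13 cipher without EC=) raises KeyError. Suggest returning early, or counting into an explicit fallback bucket, when either key is missing, for example by using d.get('c') and d.get('ec'). Two smaller points in the same block: d['ec'] is joined into the dotted stat name without the replace('.', '_') that the legacy branch applies to the curve value, and the final else counts every cipher name the kxa regex does not match as ('rsa', 'rsa', ...), so an unrecognised prefix would be reported as RSA key exchange instead of as unknown.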