anti
5675dd8ebc
- Renames caddy.listeners.decnet_h2fp → decnet_fp; adds h1 raw-byte header capture (plainTappingConn) and h2 continuous HPACK decode loop (parseH2HeadersLoop) so headers_ordered reflects actual wire order, not Go map iteration order. - Adds H3App Caddy module (decnet_h3) that owns UDP/443 via quic-go, wraps accepted QUIC connections with h3SettingsTappingConn to intercept the h3 control stream and extract RFC 9114 SETTINGS in wire order. - Wires access_log emission from FPHandler.ServeHTTP via responseCapture. - Updates syslog_bridge.py (canonical + per-service copies) with inline _compute_ja4h and new fp socket record branches: http_request_headers, h3_settings, access_log. - Fixes ingester proto field alias (bridge emits 'proto', ingester expected 'protocol') and exposes _process_fingerprint_bounties test alias. - Go tests: h1/h2/h3 golden-byte tests all green; h3_tracer_test covers varint parser, GREASE detection, truncated-stream safety. - Python tests: 15/15 green across bridge JA4H hash parity, ingester compat (old + new event shapes), and Caddyfile h3 template assertions.
96 lines
2.5 KiB
Bash
96 lines
2.5 KiB
Bash
#!/bin/bash
|
|
set -e
|
|
|
|
TLS_DIR="/opt/tls"
|
|
mkdir -p "$TLS_DIR"
|
|
|
|
# TLS_CERT/TLS_KEY may arrive as either a host-side path OR raw PEM content.
|
|
# Detect by looking for a PEM header; if present, write to disk.
|
|
if [ -n "$TLS_CERT" ] && printf '%s' "$TLS_CERT" | grep -q 'BEGIN '; then
|
|
printf '%s' "$TLS_CERT" > "$TLS_DIR/cert.pem"
|
|
CERT="$TLS_DIR/cert.pem"
|
|
else
|
|
CERT="${TLS_CERT:-$TLS_DIR/cert.pem}"
|
|
fi
|
|
if [ -n "$TLS_KEY" ] && printf '%s' "$TLS_KEY" | grep -q 'BEGIN '; then
|
|
printf '%s' "$TLS_KEY" > "$TLS_DIR/key.pem"
|
|
chmod 600 "$TLS_DIR/key.pem"
|
|
KEY="$TLS_DIR/key.pem"
|
|
else
|
|
KEY="${TLS_KEY:-$TLS_DIR/key.pem}"
|
|
fi
|
|
|
|
# Generate a self-signed certificate if none exists
|
|
if [ ! -f "$CERT" ] || [ ! -f "$KEY" ]; then
|
|
CN="${TLS_CN:-${NODE_NAME:-localhost}}"
|
|
openssl req -x509 -newkey rsa:2048 -nodes \
|
|
-keyout "$KEY" -out "$CERT" \
|
|
-days 3650 -subj "/CN=$CN" \
|
|
2>/dev/null
|
|
fi
|
|
|
|
# Parse HTTP_VERSIONS JSON → Caddy protocol tokens (h1 / h2 only).
|
|
# h3 is handled by decnet_h3 Caddy app (H3App owns UDP/443); never goes to Caddy native h3.
|
|
CADDY_PROTOCOLS=$(python3 -c "
|
|
import json, os
|
|
versions = json.loads(os.environ.get('HTTP_VERSIONS', '[\"http/1.1\"]'))
|
|
tokens = []
|
|
if 'http/1.1' in versions:
|
|
tokens.append('h1')
|
|
if 'http/2' in versions:
|
|
tokens.append('h2')
|
|
print(' '.join(tokens) if tokens else 'h1')
|
|
")
|
|
|
|
# When http/3 is selected, activate the decnet_h3 Caddy app (global block).
|
|
DECNET_H3_GLOBAL=$(python3 -c "
|
|
import json, os
|
|
versions = json.loads(os.environ.get('HTTP_VERSIONS', '[\"http/1.1\"]'))
|
|
if 'http/3' in versions:
|
|
print(' decnet_h3')
|
|
")
|
|
|
|
DECNET_FP_SOCK="${DECNET_FP_SOCK:-/run/decnet/fp.sock}"
|
|
# Remove stale socket from a previous run
|
|
rm -f "$DECNET_FP_SOCK"
|
|
|
|
cat > /etc/caddy/Caddyfile <<EOF
|
|
{
|
|
admin off
|
|
${DECNET_H3_GLOBAL}
|
|
servers :443 {
|
|
protocols ${CADDY_PROTOCOLS}
|
|
listener_wrappers {
|
|
decnet_fp
|
|
}
|
|
}
|
|
}
|
|
|
|
:443 {
|
|
tls ${CERT} ${KEY}
|
|
route {
|
|
decnet_fp
|
|
reverse_proxy 127.0.0.1:8443
|
|
}
|
|
}
|
|
EOF
|
|
|
|
python3 /opt/server.py &
|
|
FLASK_PID=$!
|
|
|
|
# Wait for Flask to be ready before handing off to Caddy
|
|
python3 -c "
|
|
import socket, sys, time
|
|
for _ in range(80):
|
|
try:
|
|
s = socket.create_connection(('127.0.0.1', 8443), timeout=0.25)
|
|
s.close()
|
|
sys.exit(0)
|
|
except OSError:
|
|
time.sleep(0.1)
|
|
print('Flask did not bind to :8443 in time', file=sys.stderr)
|
|
sys.exit(1)
|
|
" || { echo 'Flask startup failed — aborting'; kill $FLASK_PID 2>/dev/null; exit 1; }
|
|
|
|
exec caddy run --config /etc/caddy/Caddyfile
|