Merge pull request #1427 from fabianfrz/ngx_logrotate
www/nginx TLS logrotate
This commit is contained in:
commit
42d1ecd878
|
@ -1,6 +1,6 @@
|
|||
PLUGIN_NAME= nginx
|
||||
PLUGIN_VERSION= 1.14
|
||||
PLUGIN_REVISION= 1
|
||||
PLUGIN_REVISION= 2
|
||||
PLUGIN_COMMENT= Nginx HTTP server and reverse proxy
|
||||
PLUGIN_DEPENDS= nginx
|
||||
PLUGIN_MAINTAINER= franz.fabian.94@gmail.com
|
||||
|
|
|
@ -29,6 +29,7 @@
|
|||
|
||||
require_once('config.inc');
|
||||
require_once('IPv6.inc');
|
||||
require_once('util.inc');
|
||||
|
||||
use OPNsense\Firewall\Alias;
|
||||
use OPNsense\Nginx\AccessLogParser;
|
||||
|
@ -69,6 +70,8 @@ function reopen_logs()
|
|||
$permanent_ban_file = '/var/log/nginx/permanentban.access.log';
|
||||
$permanent_ban_file_work = $permanent_ban_file . '.work';
|
||||
$autoblock_alias_name = 'nginx_autoblock';
|
||||
define('CRON_RUN_TEN_MINUTES', 10);
|
||||
$is_ten_minutes = intval(date('i')) % CRON_RUN_TEN_MINUTES != 0;
|
||||
|
||||
|
||||
if (!file_exists($permanent_ban_file)) {
|
||||
|
@ -80,7 +83,13 @@ if (!file_exists($permanent_ban_file)) {
|
|||
|
||||
// move the file, and inform nginx that we deleted the file
|
||||
rename($permanent_ban_file, $permanent_ban_file_work);
|
||||
if ($is_ten_minutes) {
|
||||
rename('/var/log/nginx/tls_handshake.log', '/var/log/nginx/tls_handshake.log.work');
|
||||
}
|
||||
reopen_logs();
|
||||
if ($is_ten_minutes) {
|
||||
mwexec_bg('/usr/local/opnsense/scripts/nginx/tls_ua_fingerprint.php');
|
||||
}
|
||||
|
||||
$log_parser = new AccessLogParser($permanent_ban_file_work);
|
||||
|
||||
|
|
|
@ -25,11 +25,18 @@
|
|||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
$tls_logfile = '/var/log/nginx/tls_handshake.log.work';
|
||||
$database_name = '/var/log/nginx/handshakes.json';
|
||||
|
||||
function parse_line($line)
|
||||
{
|
||||
$tmp = explode('"', trim($line));
|
||||
return array('ua' => $tmp[1], 'ciphers' => $tmp[3], 'curves' => $tmp[5] == '-' ? '' : $tmp[5], 'count' => 1);
|
||||
return array(
|
||||
'ua' => $tmp[1],
|
||||
'ciphers' => $tmp[3],
|
||||
'curves' => $tmp[5] == '-' ? '' : $tmp[5],
|
||||
'count' => 1
|
||||
);
|
||||
}
|
||||
function filter_ua($key)
|
||||
{
|
||||
|
@ -37,9 +44,20 @@ function filter_ua($key)
|
|||
}
|
||||
|
||||
|
||||
if (!file_exists($tls_logfile)) {
|
||||
echo "logfile $tls_logfile does not exist\n";
|
||||
exit(0);
|
||||
}
|
||||
|
||||
$fingerprints_old = @json_decode(@file_get_contents($database_name), true);
|
||||
if (!is_array($fingerprints_old)) {
|
||||
$fingerprints_old = array();
|
||||
}
|
||||
|
||||
|
||||
// parse all finger prints and count them
|
||||
$fingerprints = array();
|
||||
$handle = @fopen('/var/log/nginx/tls_handshake.log', 'r');
|
||||
$handle = @fopen($tls_logfile, 'r');
|
||||
if ($handle) {
|
||||
while (($buffer = fgets($handle)) !== false) {
|
||||
$md5line = md5($buffer);
|
||||
|
@ -60,7 +78,7 @@ unset($handle);
|
|||
$fingerprints2 = array();
|
||||
foreach ($fingerprints as $fingerprint) {
|
||||
$user_agent = $fingerprint['ua'];
|
||||
if (!is_array($fingerprints2[$user_agent])) {
|
||||
if (isset($fingerprints2[$user_agent]) && !is_array($fingerprints2[$user_agent])) {
|
||||
$fingerprints2[$user_agent] = array();
|
||||
}
|
||||
$hashkey = md5($fingerprint['ciphers'] . $fingerprint['curves']);
|
||||
|
@ -80,4 +98,26 @@ foreach ($fingerprints2 as $ua => $fingerprint_data) {
|
|||
unset($fingerprints2);
|
||||
|
||||
|
||||
echo json_encode($fingerprints);
|
||||
foreach ($fingerprints_old as $ua_old => $fingerprint_data_old) {
|
||||
if (isset($fingerprints[$ua_old])) {
|
||||
foreach ($fingerprint_data_old as &$fpdo) {
|
||||
$changed = false;
|
||||
foreach ($fingerprints[$ua_old] as &$fingerprint_new) {
|
||||
if ($fpdo['ciphers'] == $fingerprint_new['ciphers'] && $fpdo['curves'] == $fingerprint_new['curves']) {
|
||||
$changed = true;
|
||||
$fingerprint_new['count'] = $fingerprint_new['count'] + $fpdo['count'];
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!$changed) {
|
||||
$fingerprints[$ua_old][] = $fpdo;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// the new log does not have it, apply the old one
|
||||
$fingerprints[$ua_old] = $fingerprint_data_old;
|
||||
}
|
||||
}
|
||||
|
||||
file_put_contents($database_name, json_encode($fingerprints));
|
||||
unlink($tls_logfile);
|
||||
|
|
|
@ -33,7 +33,7 @@ type:script_output
|
|||
message:restarting nginx
|
||||
|
||||
[tls_handshakes]
|
||||
command:/usr/local/opnsense/scripts/nginx/tls_ua_fingerprint.php
|
||||
command:cat /var/log/nginx/handshakes.json
|
||||
parameters:
|
||||
type:script_output
|
||||
message:query TLS handshake information of nginx
|
||||
|
|
Loading…
Reference in New Issue