Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[heartbeat][libbeat][metricbeat][filebeat] Pass TLS options to forward proxies #15516

Merged
merged 9 commits into from
Jan 27, 2020
Merged

[heartbeat][libbeat][metricbeat][filebeat] Pass TLS options to forward proxies #15516

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
cb946e7
[Heartbeat] Pass TLS options to forward proxies
andrewvc Jan 13, 2020
e761051
Merge remote-tracking branch 'origin/master' into fix-forward-proxy-ssl
andrewvc Jan 23, 2020
95115fa
Add test
andrewvc Jan 23, 2020
5b9c22d
Handle nil configs
andrewvc Jan 24, 2020
7390d05
Handle nil configs correctly
andrewvc Jan 24, 2020
5a4e09c
Add to other beats
andrewvc Jan 24, 2020
0ce0f6e
Merge remote-tracking branch 'origin/master' into fix-forward-proxy-ssl
andrewvc Jan 27, 2020
19658f3
Add changelog
andrewvc Jan 27, 2020
391f3dc
Merge branch 'master' into fix-forward-proxy-ssl
andrewvc Jan 27, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix missing output in dockerlogbeat {pull}15719[15719]
- Fix logging target settings being ignored when Beats are started via systemd or docker. {issue}12024[12024] {pull}15422[15442]
- Do not load dashboards where not available. {pull}15802[15802]
- Fix issue where TLS settings would be ignored when a forward proxy was in use. {pull}15516{15516}
- Update replicaset group to apps/v1 {pull}15854[15802]

*Auditbeat*
Expand Down
1 change: 1 addition & 0 deletions heartbeat/monitors/active/http/http.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,7 @@ func newRoundTripper(config *Config, tls *transport.TLSConfig) (*http.Transport,
Proxy: proxy,
Dial: dialer.Dial,
DialTLS: tlsDialer.Dial,
TLSClientConfig: tls.ToConfig(),
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add this change to some other packages, please?

  • libbeat/output/elasticsearch
  • metricbeat/helper

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@urso I've done so 4 additional spots in 5a4e09c

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you.

DisableKeepAlives: true,
}, nil
}
29 changes: 29 additions & 0 deletions heartbeat/monitors/active/http/http_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ import (
"github.com/elastic/beats/libbeat/beat"
"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/libbeat/common/file"
"github.com/elastic/beats/libbeat/outputs/transport"
btesting "github.com/elastic/beats/libbeat/testing"
"github.com/elastic/go-lookslike"
"github.com/elastic/go-lookslike/isdef"
Expand Down Expand Up @@ -498,3 +499,31 @@ func TestRedirect(t *testing.T) {
event.Fields,
)
}

func TestNewRoundTripper(t *testing.T) {
configs := map[string]Config{
"Plain": {Timeout: time.Second},
"With Proxy": {Timeout: time.Second, ProxyURL: "http://localhost:1234"},
}

for name, config := range configs {
t.Run(name, func(t *testing.T) {
transp, err := newRoundTripper(&config, &transport.TLSConfig{})
require.NoError(t, err)

if config.ProxyURL == "" {
require.Nil(t, transp.Proxy)
} else {
require.NotNil(t, transp.Proxy)
}

// It's hard to compare func types in tests
require.NotNil(t, transp.Dial)
require.NotNil(t, transport.TLSDialer)

require.Equal(t, (&transport.TLSConfig{}).ToConfig(), transp.TLSClientConfig)
require.True(t, transp.DisableKeepAlives)
})
}

}
21 changes: 16 additions & 5 deletions libbeat/common/transport/tlscommon/tls_config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,11 +66,11 @@ type TLSConfig struct {
ClientAuth tls.ClientAuthType
}

// BuildModuleConfig takes the TLSConfig and transform it into a `tls.Config`.
func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config {
// ToConfig generates a tls.Config object. Note, you must use BuildModuleConfig to generate a config with
// ServerName set, use that method for servers with SNI.
func (c *TLSConfig) ToConfig() *tls.Config {
if c == nil {
// use default TLS settings, if config is empty.
return &tls.Config{ServerName: host}
return &tls.Config{}
}

minVersion, maxVersion := extractMinMaxVersion(c.Versions)
Expand All @@ -80,7 +80,6 @@ func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config {
}

return &tls.Config{
ServerName: host,
MinVersion: minVersion,
MaxVersion: maxVersion,
Certificates: c.Certificates,
Expand All @@ -93,3 +92,15 @@ func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config {
ClientAuth: c.ClientAuth,
}
}

// BuildModuleConfig takes the TLSConfig and transform it into a `tls.Config`.
func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config {
if c == nil {
// use default TLS settings, if config is empty.
return &tls.Config{ServerName: host}
}

config := c.ToConfig()
config.ServerName = host
return config
}
5 changes: 3 additions & 2 deletions libbeat/kibana/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,8 +136,9 @@ func NewClientWithConfig(config *ClientConfig) (*Client, error) {
Password: password,
HTTP: &http.Client{
Transport: &http.Transport{
Dial: dialer.Dial,
DialTLS: tlsDialer.Dial,
Dial: dialer.Dial,
DialTLS: tlsDialer.Dial,
TLSClientConfig: tlsConfig.ToConfig(),
},
Timeout: config.Timeout,
},
Expand Down
7 changes: 4 additions & 3 deletions libbeat/outputs/elasticsearch/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -213,9 +213,10 @@ func NewClient(
Headers: s.Headers,
http: &http.Client{
Transport: &http.Transport{
Dial: dialer.Dial,
DialTLS: tlsDialer.Dial,
Proxy: proxy,
Dial: dialer.Dial,
DialTLS: tlsDialer.Dial,
TLSClientConfig: s.TLS.ToConfig(),
Proxy: proxy,
},
Timeout: s.Timeout,
},
Expand Down
7 changes: 4 additions & 3 deletions metricbeat/helper/http.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,9 +96,10 @@ func newHTTPFromConfig(config Config, name string, hostData mb.HostData) (*HTTP,
hostData: hostData,
client: &http.Client{
Transport: &http.Transport{
Dial: dialer.Dial,
DialTLS: tlsDialer.Dial,
Proxy: http.ProxyFromEnvironment,
Dial: dialer.Dial,
DialTLS: tlsDialer.Dial,
TLSClientConfig: tlsConfig.ToConfig(),
Proxy: http.ProxyFromEnvironment,
},
Timeout: config.Timeout,
},
Expand Down
1 change: 1 addition & 0 deletions x-pack/filebeat/input/httpjson/input.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -260,6 +260,7 @@ func (in *httpjsonInput) run() error {
Transport: &http.Transport{
Dial: dialer.Dial,
DialTLS: tlsDialer.Dial,
TLSClientConfig: tlsConfig.ToConfig(),
DisableKeepAlives: true,
},
Timeout: in.config.HTTPClientTimeout,
Expand Down