github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-25 04:11:59 +00:00
Code Issues Projects Releases Wiki Activity

feat(userspace/outputs_http): Add option for mTLS

Browse Source 
Signed-off-by: Anna Simon <asimon@mercari.com>
This commit is contained in:
Anna Simon
2023-06-12 17:28:36 +09:00
committed by poiana
parent 600318aaae
commit c8d1637130
3 changed files with 34 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
falco.yaml
View File

@@ -359,6 +359,12 @@ http_output:
# Path to a folder that will be used as the CA certificate store. CA certificate need to be
# stored as indivitual PEM files in this directory.
ca_path: "/etc/ssl/certs"
# Tell Falco to use mTLS
mtls: false
# Path to the client cert.
client_cert: "/etc/ssl/certs/client.crt"
# Path to the client key.
client_key: "/etc/ssl/certs/client.key"
# [Stable] `program_output`
#

14
userspace/falco/configuration.cpp
View File

@@ -194,7 +194,7 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
bool insecure;
insecure = config.get_scalar<bool>("http_output.insecure", false);
http_output.options["insecure"] = insecure? std::string("true") : std::string("false");
std::string ca_cert;
ca_cert = config.get_scalar<std::string>("http_output.ca_cert", "");
http_output.options["ca_cert"] = ca_cert;
@@ -207,6 +207,18 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
ca_path = config.get_scalar<std::string>("http_output.ca_path", "/etc/ssl/certs");
http_output.options["ca_path"] = ca_path;
bool mtls;
mtls = config.get_scalar<bool>("http_output.mtls", false);
http_output.options["mtls"] = mtls? std::string("true") : std::string("false");
std::string client_cert;
client_cert = config.get_scalar<std::string>("http_output.client_cert", "/etc/ssl/certs/client.crt");
http_output.options["client_cert"] = client_cert;
std::string client_key;
client_key = config.get_scalar<std::string>("http_output.client_key", "/etc/ssl/certs/client.key");
http_output.options["client_key"] = client_key;
m_outputs.push_back(http_output);
}

17
userspace/falco/outputs_http.cpp
View File

@@ -62,14 +62,14 @@ void falco::outputs::output_http::output(const message *msg)
if(res == CURLE_OK)
{
res = curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);
res = curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);
}
if(res == CURLE_OK)
{
if(m_oc.options["insecure"] == std::string("true"))
{
res = curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER, 0L);
res = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
if(res == CURLE_OK)
{
@@ -78,6 +78,19 @@ void falco::outputs::output_http::output(const message *msg)
}
}
if(res == CURLE_OK)
{
if(m_oc.options["mtls"] == std::string("true"))
{
res = curl_easy_setopt(curl, CURLOPT_SSLCERT, m_oc.options["client_cert"].c_str());
if(res == CURLE_OK)
{
res = curl_easy_setopt(curl, CURLOPT_SSLKEY, m_oc.options["client_key"].c_str());
}
}
}
if(res == CURLE_OK)
{
if (!m_oc.options["ca_cert"].empty())