github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2026-01-17 16:00:26 +03:00
Code Issues Packages Projects Releases Wiki Activity

Jan 06 2026 dev (#387)

Browse Source 
* sync code

* update code to support brotli

* update code to support brotli

* update code to support brotli

* sync code

* fix findBrotli

* sync code

* sync code

* sync code

* sync code

---------

Co-authored-by: Ned Wright <nedwright@proton.me>
Co-authored-by: Daniel Eisenberg <danielei@checkpoint.com>
This commit is contained in:
Daniel-Eisenberg
2026-01-13 17:17:52 +02:00
committed by GitHub
parent c1058db57d
commit e7b6e51b31
216 changed files with 12601 additions and 2825 deletions
Download Patch File Download Diff File Expand all files Collapse all files

624
components/attachment-intakers/nginx_attachment/nginx_attachment.cc
View File

@@ -15,6 +15,8 @@
#include <pwd.h>
#include <grp.h>
#include <sched.h>
#include <errno.h>
#include <iostream>
#include <map>
#include <queue>
@@ -29,6 +31,7 @@
#include <unistd.h>
#include <utility>
#include <stdarg.h>
#include <cstring>
#include <boost/range/iterator_range.hpp>
#include <boost/algorithm/string.hpp>
@@ -48,7 +51,7 @@
#include "shmem_ipc.h"
#include "i_http_manager.h"
#include "http_transaction_common.h"
#include "nginx_attachment_common.h"
#include "nano_attachment_common.h"
#include "hash_combine.h"
#include "cpu/failopen_mode_status.h"
#include "attachment_registrator.h"
@@ -75,7 +78,7 @@ USE_DEBUG_FLAG(D_METRICS_NGINX_ATTACHMENT);
using namespace std;
using ChunkType = ngx_http_chunk_type_e;
using ChunkType = AttachmentDataType;
static const uint32_t corrupted_session_id = CORRUPTED_SESSION_ID;
static const AlertInfo alert(AlertTeam::CORE, "nginx attachment");
@@ -130,14 +133,15 @@ class NginxAttachment::Impl
:
Singleton::Provide<I_StaticResourcesHandler>::From<NginxAttachment>
{
static constexpr auto INSPECT = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT;
static constexpr auto LIMIT_RESPONSE_HEADERS = ngx_http_cp_verdict_e::LIMIT_RESPONSE_HEADERS;
static constexpr auto ACCEPT = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT;
static constexpr auto DROP = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP;
static constexpr auto INJECT = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INJECT;
static constexpr auto IRRELEVANT = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT;
static constexpr auto RECONF = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_RECONF;
static constexpr auto WAIT = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_WAIT;
static constexpr auto INSPECT = ServiceVerdict::TRAFFIC_VERDICT_INSPECT;
static constexpr auto LIMIT_RESPONSE_HEADERS = ServiceVerdict::LIMIT_RESPONSE_HEADERS;
static constexpr auto ACCEPT = ServiceVerdict::TRAFFIC_VERDICT_ACCEPT;
static constexpr auto DROP = ServiceVerdict::TRAFFIC_VERDICT_DROP;
static constexpr auto INJECT = ServiceVerdict::TRAFFIC_VERDICT_INJECT;
static constexpr auto IRRELEVANT = ServiceVerdict::TRAFFIC_VERDICT_IRRELEVANT;
static constexpr auto RECONF = ServiceVerdict::TRAFFIC_VERDICT_RECONF;
static constexpr auto WAIT = ServiceVerdict::TRAFFIC_VERDICT_DELAYED;
static constexpr auto CUSTOM_RESPONSE = ServiceVerdict::TRAFFIC_VERDICT_CUSTOM_RESPONSE;
public:
Impl()
@@ -197,6 +201,8 @@ public:
NUM_OF_NGINX_IPC_ELEMENTS, "nginxAttachment.numOfNginxIpcElements"
);
dbgInfo(D_NGINX_ATTACHMENT) << "Async mode configuration: enabled=" << attachment_config.isAsyncModeEnabled();
nginx_attachment_metric.init(
"Nginx Attachment data",
ReportIS::AudienceTeam::AGENT_CORE,
@@ -366,10 +372,13 @@ public:
}
bool
registerStaticResource(const string &resource_name, const string &resource_path)
registerStaticResource(
const string &resource_name,
const string &resource_path,
bool overwrite_if_exists)
{
string dest_path = static_resources_path + "/" + resource_name;
if (NGEN::Filesystem::exists(dest_path)) {
if (!overwrite_if_exists && NGEN::Filesystem::exists(dest_path)) {
dbgDebug(D_NGINX_ATTACHMENT) << "Static resource already exist. path: " << dest_path;
return true;
}
@@ -377,7 +386,7 @@ public:
if (!NGEN::Filesystem::copyFile(
resource_path,
dest_path,
false,
overwrite_if_exists,
S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH
)) {
dbgWarning(D_NGINX_ATTACHMENT)
@@ -397,6 +406,36 @@ public:
return true;
}
bool
registerStaticResourceByContent(
const string &resource_name,
const string &file_content
)
{
string dest_path = static_resources_path + "/" + resource_name;
if (!NGEN::Filesystem::createFileWithContent(
dest_path,
file_content,
true,
S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH
)) {
dbgWarning(D_NGINX_ATTACHMENT)
<< "Failed to create static resource file. Resource name: "
<< resource_name
<< ", destination path: " << dest_path
<< ", content size: " << file_content.size();
return false;
}
dbgTrace(D_NGINX_ATTACHMENT)
<< "Successfully created static resource. Resource name: "
<< resource_name
<< ", destination path: " << dest_path
<< ", content size: " << file_content.size();
return true;
}
void
printMetrics()
{
@@ -443,6 +482,11 @@ private:
attachment_routine_id = 0;
}
if (async_attachment_routine_id > 0 && mainloop->doesRoutineExist(async_attachment_routine_id)) {
mainloop->stop(async_attachment_routine_id);
async_attachment_routine_id = 0;
}
string curr_instance_unique_id = inst_awareness->getUniqueID().unpack();
if (attachment_ipc != nullptr) {
if (nginx_worker_user_id != nginx_user_id || nginx_worker_group_id != nginx_group_id) {
@@ -548,7 +592,11 @@ private:
);
while (isSignalPending()) {
if (!handleInspection()) break;
if (attachment_config.isAsyncModeEnabled()) {
if (!handleInspectionAsync()) break;
} else {
if (!handleInspection()) break;
}
}
},
"Nginx Attachment inspection handler",
@@ -791,7 +839,7 @@ private:
}
void
sendMetricToKibana(const ngx_http_cp_metric_data_t *received_metric_data)
sendMetricToKibana(const NanoHttpMetricData *received_metric_data)
{
nginx_intaker_event.addPluginMetricCounter(received_metric_data);
nginx_intaker_event.notify();
@@ -822,7 +870,7 @@ private:
return "Request End";
case ChunkType::METRIC_DATA_FROM_PLUGIN:
return "Metrics";
case ChunkType::HOLD_DATA:
case ChunkType::REQUEST_DELAYED_VERDICT:
return "HOLD_DATA";
case ChunkType::COUNT:
dbgAssert(false) << alert << "Invalid 'COUNT' ChunkType";
@@ -842,7 +890,7 @@ private:
return default_verdict;
}
auto rule_by_ctx = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
auto rule_by_ctx = getConfigurationWithCache<BasicRuleConfig>("rulebase", "rulesConfig");
if (rule_by_ctx.ok()) {
BasicRuleConfig rule = rule_by_ctx.unpack();
opaque.setSavedData("assetId", rule.getAssetId(), EnvKeyAttr::LogSection::SOURCEANDDATA);
@@ -917,6 +965,7 @@ private:
FilterVerdict cur_verdict = http_manager->inspect(chunk, is_request);
if (cur_verdict.getVerdict() == ACCEPT ||
cur_verdict.getVerdict() == DROP ||
cur_verdict.getVerdict() == CUSTOM_RESPONSE ||
cur_verdict.getVerdict() == WAIT) {
return cur_verdict;
}
@@ -1030,16 +1079,16 @@ private:
handleChunkedData(ChunkType chunk_type, const Buffer &data, NginxAttachmentOpaque &opaque)
{
ScopedContext event_type;
event_type.registerValue<ngx_http_chunk_type_e>("HTTP Chunk type", chunk_type);
event_type.registerValue<AttachmentDataType>("HTTP Chunk type", chunk_type);
if (chunk_type > ChunkType::REQUEST_HEADER && opaque.getApplicationState() == ApplicationState::UNKOWN) {
auto rule_by_ctx = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
auto rule_by_ctx = getConfigurationWithCache<BasicRuleConfig>("rulebase", "rulesConfig");
ApplicationState state = rule_by_ctx.ok() ? ApplicationState::DEFINED : ApplicationState::UNDEFINED;
opaque.setApplicationState(state);
}
if (opaque.getApplicationState() == ApplicationState::UNDEFINED) {
ngx_http_cp_verdict_e verdict_action =
ServiceVerdict verdict_action =
getSettingWithDefault<bool>(false, "allowOnlyDefinedApplications") ? DROP : ACCEPT;
dbgDebug(D_NGINX_ATTACHMENT)
@@ -1079,8 +1128,8 @@ private:
case ChunkType::RESPONSE_END:
return FilterVerdict(http_manager->inspectEndTransaction());
case ChunkType::METRIC_DATA_FROM_PLUGIN:
return FilterVerdict(ngx_http_cp_verdict::TRAFFIC_VERDICT_IRRELEVANT);
case ChunkType::HOLD_DATA:
return FilterVerdict(ServiceVerdict::TRAFFIC_VERDICT_IRRELEVANT);
case ChunkType::REQUEST_DELAYED_VERDICT:
return FilterVerdict(http_manager->inspectDelayedVerdict());
case ChunkType::COUNT:
break;
@@ -1106,10 +1155,10 @@ private:
<< "Handling Injection of HTTP session modification data. Modifications amount: "
<< modifications_amount;
vector<ngx_http_cp_inject_data> injection_data_persistency(modifications_amount);
vector<HttpInjectData> injection_data_persistency(modifications_amount);
for (const EventModifications &modifications : modifications_lists) {
for (const ModificationBuffer &modification_buffer_list : modifications.second) {
ngx_http_cp_inject_data injection_data;
HttpInjectData injection_data;
injection_data.orig_buff_index = modifications.first;
injection_data.injection_pos = std::get<0>(modification_buffer_list);
injection_data.mod_type = std::get<1>(modification_buffer_list);
@@ -1149,22 +1198,9 @@ private:
SharedMemoryIPC *ipc,
vector<const char *> &verdict_data,
vector<uint16_t> &verdict_data_sizes,
string web_user_response_id)
const WebTriggerConf &web_trigger_conf)
{
ngx_http_cp_web_response_data_t web_response_data;
ScopedContext ctx;
if (web_user_response_id != "") {
dbgTrace(D_NGINX_ATTACHMENT)
<< "web user response ID registered in contex: "
<< web_user_response_id;
set<string> triggers_set{web_user_response_id};
ctx.registerValue<set<GenericConfigId>>(TriggerMatcher::ctx_key, triggers_set);
}
WebTriggerConf web_trigger_conf = getConfigurationWithDefault<WebTriggerConf>(
WebTriggerConf::default_trigger_conf,
"rulebase",
"webUserResponse"
);
HttpWebResponseData web_response_data;
bool remove_event_id_param =
getProfileAgentSettingWithDefault<string>("false", "nginxAttachment.removeRedirectEventId") == "true";
@@ -1176,8 +1212,16 @@ private:
uuid = opaque.getSessionUUID();
}
web_response_data.uuid_size = uuid.size();
if (web_trigger_conf.getDetailsLevel() == "Redirect") {
string details_level = web_trigger_conf.getDetailsLevel();
if (details_level == "Custom Block Page") {
auto body = web_trigger_conf.getResponseBody();
auto content_type = web_trigger_conf.getContentType();
auto response_code = web_trigger_conf.getResponseCode();
string processed_body = process_html_content(body, uuid);
auto custom_response = CustomResponse(processed_body, response_code, content_type);
handleCustomResponse(ipc, verdict_data, verdict_data_sizes, custom_response);
return;
} else if (details_level == "Redirect") {
web_response_data.response_data.redirect_data.redirect_location_size =
web_trigger_conf.getRedirectURL().size();
bool add_event = web_trigger_conf.getAddEventId();
@@ -1186,19 +1230,19 @@ private:
strlen("?event_id=") + uuid.size();
}
web_response_data.response_data.redirect_data.add_event_id = add_event ? 1 : 0;
web_response_data.web_repsonse_type = static_cast<uint8_t>(ngx_web_response_type_e::REDIRECT_WEB_RESPONSE);
web_response_data.web_response_type = static_cast<uint8_t>(NanoWebResponseType::REDIRECT_WEB_RESPONSE);
} else {
web_response_data.response_data.custom_response_data.title_size =
web_trigger_conf.getResponseTitle().size();
web_response_data.response_data.custom_response_data.body_size = web_trigger_conf.getResponseBody().size();
web_response_data.response_data.custom_response_data.response_code = web_trigger_conf.getResponseCode();
web_response_data.web_repsonse_type = static_cast<uint8_t>(ngx_web_response_type_e::CUSTOM_WEB_RESPONSE);
web_response_data.web_response_type = static_cast<uint8_t>(NanoWebResponseType::CUSTOM_WEB_RESPONSE);
}
verdict_data.push_back(reinterpret_cast<const char *>(&web_response_data));
verdict_data_sizes.push_back(sizeof(ngx_http_cp_web_response_data_t));
verdict_data_sizes.push_back(sizeof(HttpWebResponseData));
if (web_trigger_conf.getDetailsLevel() == "Redirect") {
if (details_level == "Redirect") {
redirectUrl = web_trigger_conf.getRedirectURL();
if (!remove_event_id_param && web_trigger_conf.getAddEventId()) {
redirectUrl += "?event-id=" + uuid;
@@ -1242,23 +1286,88 @@ private:
<< " (title size: "
<< static_cast<uint>(web_response_data.response_data.custom_response_data.title_size)
<< "), Body: "
<< web_trigger_conf.getResponseBody()
<< web_trigger_conf.getResponseBody()
<< " (body size: "
<< static_cast<uint>(web_response_data.response_data.custom_response_data.body_size)
<< "), UUID: "
<< uuid
<< " (UUID size: "
<< static_cast<uint>(web_response_data.uuid_size)
<< "), Response Type: "
<< static_cast<uint>(web_response_data.web_response_type)
<< ")";
}
sendChunkedData(ipc, verdict_data_sizes.data(), verdict_data.data(), verdict_data.size());
}
string
process_html_content(const string &body, const string &uuid)
{
const string uuid_placeholder = "<!-- CHECK_POINT_USERCHECK_UUID_PLACEHOLDER-->";
size_t placeholder_pos = body.find(uuid_placeholder);
if (placeholder_pos == string::npos) {
dbgTrace(D_NGINX_ATTACHMENT) << "No UUID placeholder found in body content";
return body;
}
dbgTrace(D_NGINX_ATTACHMENT) << "Found UUID placeholder at position: " << placeholder_pos;
string incident_id_text = "Incident Id: " + uuid;
string processed_body = body;
processed_body.replace(placeholder_pos, uuid_placeholder.length(), incident_id_text);
dbgTrace(D_NGINX_ATTACHMENT)
<< "UUID replacement: original_len=" << body.length()
<< ", processed_len=" << processed_body.length()
<< ", uuid=" << uuid;
return processed_body;
}
void
handleCustomResponse(
SharedMemoryIPC *ipc,
vector<const char *> &verdict_data,
vector<uint16_t> &verdict_data_sizes,
const CustomResponse &custom_response_data)
{
HttpJsonResponseData json_response_data;
json_response_data.response_code = custom_response_data.getStatusCode();
string response_body = custom_response_data.getBody();
string content_type = custom_response_data.getContentType();
json_response_data.body_size = response_body.size();
if (content_type == "application/json") {
json_response_data.content_type = AttachmentContentType::CONTENT_TYPE_APPLICATION_JSON;
} else if (content_type == "text/html") {
json_response_data.content_type = AttachmentContentType::CONTENT_TYPE_TEXT_HTML;
} else {
json_response_data.content_type = AttachmentContentType::CONTENT_TYPE_OTHER;
}
verdict_data.push_back(reinterpret_cast<const char *>(&json_response_data));
verdict_data_sizes.push_back(sizeof(HttpJsonResponseData));
verdict_data.push_back(reinterpret_cast<const char *>(response_body.data()));
verdict_data_sizes.push_back(response_body.size());
dbgTrace(D_NGINX_ATTACHMENT)
<< "Added Custom JSON Response to current session."
<< " Response code: "
<< static_cast<uint>(json_response_data.response_code)
<< ", Body size: "
<< static_cast<uint>(json_response_data.body_size);
sendChunkedData(ipc, verdict_data_sizes.data(), verdict_data.data(), verdict_data.size());
}
void
handleVerdictResponse(const FilterVerdict &verdict, SharedMemoryIPC *ipc, SessionID session_id, bool is_header)
{
ngx_http_cp_reply_from_service_t verdict_to_send;
HttpReplyFromService verdict_to_send;
verdict_to_send.verdict = static_cast<uint16_t>(verdict.getVerdict());
verdict_to_send.session_id = session_id;
@@ -1281,7 +1390,31 @@ private:
if (verdict.getVerdict() == DROP) {
nginx_attachment_event.addTrafficVerdictCounter(nginxAttachmentEvent::trafficVerdict::DROP);
verdict_to_send.modification_count = 1;
return handleCustomWebResponse(ipc, verdict_fragments, fragments_sizes, verdict.getWebUserResponseID());
ScopedContext ctx;
set<string> triggers_set{verdict.getWebUserResponseID()};
ctx.registerValue<set<GenericConfigId>>(TriggerMatcher::ctx_key, triggers_set);
auto web_trigger_config = getConfiguration<WebTriggerConf>("rulebase", "webUserResponse");
WebTriggerConf web_trigger_conf = web_trigger_config.ok() ?
web_trigger_config.unpack() : WebTriggerConf::default_trigger_conf;
if (web_trigger_conf.getDetailsLevel() == "Custom Block Page") {
dbgTrace(D_NGINX_ATTACHMENT) << "Changing verdict from DROP to CUSTOM_BLOCK_PAGE";
verdict_to_send.verdict = static_cast<uint16_t>(CUSTOM_RESPONSE);
}
return handleCustomWebResponse(ipc, verdict_fragments, fragments_sizes, web_trigger_conf);
}
if (verdict.getVerdict() == CUSTOM_RESPONSE) {
verdict_to_send.modification_count = 1;
if (!verdict.getCustomResponse().ok()) {
dbgWarning(D_NGINX_ATTACHMENT)
<< "Failed to get custom web response data. Returning default verdict: "
<< ", Error: "
<< verdict.getCustomResponse().getErr();
return handleCustomResponse(ipc, verdict_fragments, fragments_sizes,
CustomResponse("{\"error\": \"Internal Server Error\"}", 500));
}
return handleCustomResponse(ipc, verdict_fragments, fragments_sizes, verdict.getCustomResponse().unpack());
}
if (verdict.getVerdict() == ACCEPT) {
@@ -1329,7 +1462,7 @@ private:
break;
}
auto transaction_data = reinterpret_cast<const ngx_http_cp_request_data_t *>(incoming_data);
auto transaction_data = reinterpret_cast<const NanoHttpRequestData *>(incoming_data);
if (transaction_data->session_id != cur_session_id) break;
popData(attachment_ipc);
@@ -1371,15 +1504,15 @@ private:
}
if (SHOULD_FAIL(
incoming_data_size >= sizeof(ngx_http_cp_request_data_t),
incoming_data_size >= sizeof(NanoHttpRequestData),
IntentionalFailureHandler::FailureType::GetDataFromAttchment,
&did_fail_on_purpose
)) {
dbgError(D_NGINX_ATTACHMENT)
<< "Corrupted transaction raw data received from NGINX attachment, size received: "
<< incoming_data_size
<< " is lower than ngx_http_cp_request_data_t size="
<< sizeof(ngx_http_cp_request_data_t)
<< " is lower than NanoHttpRequestData size="
<< sizeof(NanoHttpRequestData)
<< ". Resetting IPC"
<< dumpIpcWrapper(attachment_ipc)
<< (did_fail_on_purpose ? "[Intentional Failure]" : "");
@@ -1409,8 +1542,8 @@ private:
return make_pair(corrupted_session_id, false);
}
const ngx_http_cp_request_data_t *transaction_data =
reinterpret_cast<const ngx_http_cp_request_data_t *>(incoming_data);
const NanoHttpRequestData *transaction_data =
reinterpret_cast<const NanoHttpRequestData *>(incoming_data);
Maybe<ChunkType> chunked_data_type = convertToEnum<ChunkType>(transaction_data->data_type);
if (!chunked_data_type.ok()) {
@@ -1426,8 +1559,8 @@ private:
}
if (chunked_data_type.unpack() == ChunkType::METRIC_DATA_FROM_PLUGIN) {
const ngx_http_cp_metric_data_t *recieved_metric_data =
reinterpret_cast<const ngx_http_cp_metric_data_t *>(incoming_data);
const NanoHttpMetricData *recieved_metric_data =
reinterpret_cast<const NanoHttpMetricData *>(incoming_data);
sendMetricToKibana(recieved_metric_data);
popData(attachment_ipc);
return pair<uint32_t, bool>(0, false);
@@ -1478,7 +1611,7 @@ private:
const Buffer inspection_data(
transaction_data->data,
incoming_data_size - sizeof(ngx_http_cp_request_data_t),
incoming_data_size - sizeof(NanoHttpRequestData),
Buffer::MemoryType::VOLATILE
);
@@ -1522,6 +1655,7 @@ private:
bool is_final_verdict = verdict.getVerdict() == ACCEPT ||
verdict.getVerdict() == DROP ||
verdict.getVerdict() == CUSTOM_RESPONSE ||
verdict.getVerdict() == IRRELEVANT;
dbgTrace(D_NGINX_ATTACHMENT)
@@ -1638,6 +1772,8 @@ private:
return "RECONF";
case WAIT:
return "WAIT";
case CUSTOM_RESPONSE:
return "CUSTOM_RESPONSE";
}
dbgAssert(false) << alert << "Invalid EventVerdict enum: " << static_cast<int>(verdict.getVerdict());
return string();
@@ -1716,7 +1852,16 @@ private:
Maybe<string> uid = getUidFromSocket(new_attachment_socket);
Maybe<uint32_t> nginx_user_id = readIdFromSocket(new_attachment_socket);
Maybe<uint32_t> nginx_group_id = readIdFromSocket(new_attachment_socket);
Maybe<int32_t> target_core = readSignedIdFromSocket(new_attachment_socket);
DELAY_IF_NEEDED(IntentionalFailureHandler::FailureType::RegisterAttchment);
// Target core failure should not block registration - maintain backward compatibility
bool target_core_available = target_core.ok();
if (!target_core_available) {
dbgInfo(D_NGINX_ATTACHMENT) << "Failed to read target core (backward compatibility mode): "
<< target_core.getErr() << ". Proceeding without affinity information.";
}
if (SHOULD_FAIL(
nginx_user_id.ok() && nginx_group_id.ok() && uid.ok(),
IntentionalFailureHandler::FailureType::RegisterAttchment,
@@ -1743,6 +1888,7 @@ private:
return;
}
int32_t target_core_value = target_core_available ? *target_core : -1;
if (!registerAttachmentProcess(*nginx_user_id, *nginx_group_id, new_attachment_socket)) {
i_socket->closeSocket(new_attachment_socket);
new_attachment_socket = -1;
@@ -1753,6 +1899,48 @@ private:
nginx_attachment_event.notify();
nginx_attachment_event.resetAllCounters();
dbgWarning(D_NGINX_ATTACHMENT) << "Failed to register attachment";
} else {
// Set affinity to core based on received target core from NGINX
if (attachment_config.getIsPairedAffinityEnabled()
&& target_core_available && target_core_value >= 0) {
auto uid_integer = getUidInteger(uid.unpack());
if (!uid_integer.ok()) {
dbgWarning(D_NGINX_ATTACHMENT)
<< "Failed to convert UID to integer. Error: " << uid_integer.getErr();
} else {
dbgDebug(D_NGINX_ATTACHMENT)
<< "Setting CPU affinity for NGINX attachment using target core from NGINX"
<< " UID: " << uid_integer.unpack()
<< ", unique_id: " << uid.unpack()
<< ", received_target_core: " << target_core_value;
// Use common affinity function
int result = set_affinity_to_core(target_core_value);
if (result == 0) {
dbgDebug(D_NGINX_ATTACHMENT)
<< "Successfully set CPU affinity for NGINX attachment to core "
<< target_core_value;
} else {
dbgWarning(D_NGINX_ATTACHMENT)
<< "Failed to set CPU affinity for NGINX attachment to core "
<< target_core_value
<< ". Error code: "
<< result;
}
}
} else if (!target_core_available) {
dbgTrace(D_NGINX_ATTACHMENT)
<< "Target core not available from NGINX"
" (backward compatibility mode), skipping CPU affinity setting";
} else if (target_core_value < 0) {
dbgTrace(D_NGINX_ATTACHMENT)
<< "Paired affinity disabled by NGINX (target_core=" << target_core_value
<< "), skipping CPU affinity setting for NGINX attachment";
} else {
dbgTrace(D_NGINX_ATTACHMENT)
<< "Paired affinity is not enabled in service config, "
"skipping setting CPU affinity for NGINX attachment";
}
}
};
mainloop->addFileRoutine(
@@ -1811,6 +1999,35 @@ private:
return uid;
}
Maybe<uint32_t>
getUidInteger(string uid)
{
if (uid.empty()) {
return genError("UID is empty");
}
uint32_t uid_integer = 0;
try {
// Handle both container format "{container_id}_{worker_id}" and simple format "{worker_id}"
size_t underscore_pos = uid.find_last_of('_');
string worker_id_str;
if (underscore_pos != string::npos) {
// Container format: extract worker_id after the last underscore
worker_id_str = uid.substr(underscore_pos + 1);
} else {
// Simple format: entire string is the worker_id
worker_id_str = uid;
}
uid_integer = stoul(worker_id_str);
} catch (const std::exception &e) {
return genError(string("Failed to convert UID to integer: ") + e.what());
}
return uid_integer;
}
Maybe<uint32_t>
readIdFromSocket(I_Socket::socketFd new_attachment_socket)
{
@@ -1833,6 +2050,36 @@ private:
return attachment_id;
}
Maybe<int32_t>
readSignedIdFromSocket(I_Socket::socketFd new_attachment_socket)
{
bool did_fail_on_purpose = false;
DELAY_IF_NEEDED(IntentionalFailureHandler::FailureType::ReceiveDataFromSocket);
// Try to read target core - if this fails, it's likely backward compatibility
if (!i_socket->isDataAvailable(new_attachment_socket)) {
dbgTrace(D_NGINX_ATTACHMENT)
<< "No target core data available on socket - likely backward compatibility mode";
return genError("No target core data available on socket");
}
Maybe<vector<char>> id = i_socket->receiveData(new_attachment_socket, sizeof(int32_t));
if (SHOULD_FAIL(
id.ok(),
IntentionalFailureHandler::FailureType::ReceiveDataFromSocket,
&did_fail_on_purpose
)) {
return genError(
string("Failed to read the signed attachment ID (likely backward compatibility issue): ") +
(did_fail_on_purpose ? "[Intentional Failure]" : id.getErr())
);
}
int32_t attachment_id = *reinterpret_cast<const int32_t *>(id.unpack().data());
dbgTrace(D_NGINX_ATTACHMENT) << "Signed Attachment ID: " << static_cast<int>(attachment_id);
return attachment_id;
}
string static_resources_path;
FilterVerdict default_verdict;
FailopenModeListener fail_open_mode_listener;
@@ -1852,6 +2099,7 @@ private:
SharedMemoryIPC *attachment_ipc = nullptr;
HttpAttachmentConfig attachment_config;
I_MainLoop::RoutineID attachment_routine_id = 0;
I_MainLoop::RoutineID async_attachment_routine_id = 0;
bool traffic_indicator = false;
unordered_set<string> ignored_headers;
@@ -1882,7 +2130,267 @@ private:
nginxIntakerMetric nginx_intaker_metric;
TransactionTableEvent transaction_table_event;
TransactionTableMetric transaction_table_metric;
///
/// @brief Async version of handleInspection - simplified for fastest response time
/// @return true on success, false on error
///
// LCOV_EXCL_START Reason: Temporary INXT-49318
bool
handleInspectionAsync()
{
Maybe<vector<char>> comm_trigger = genError("comm trigger uninitialized");
static map<I_Socket::socketFd, bool> comm_status;
if (comm_status.find(attachment_sock) == comm_status.end()) {
comm_status[attachment_sock] = true;
}
DELAY_IF_NEEDED(IntentionalFailureHandler::FailureType::ReceiveDataFromSocket);
// Read session ID from socket (used as doorbell only)
uint32_t signaled_session_id = 0;
for (int retry = 0; retry < 3; retry++) {
comm_trigger = i_socket->receiveData(attachment_sock, sizeof(signaled_session_id));
if (comm_trigger.ok()) break;
}
bool did_fail_on_purpose = false;
if (SHOULD_FAIL(
comm_trigger.ok(),
IntentionalFailureHandler::FailureType::ReceiveDataFromSocket,
&did_fail_on_purpose
)) {
if (comm_status[attachment_sock] == true) {
dbgDebug(D_NGINX_ATTACHMENT)
<< "Failed to get signal from attachment socket (async mode)"
<< ", Socket: " << attachment_sock
<< ", Error: " << (did_fail_on_purpose ? "Intentional Failure" : comm_trigger.getErr());
comm_status[attachment_sock] = false;
}
return false;
}
signaled_session_id = *reinterpret_cast<const uint32_t *>(comm_trigger.unpack().data());
comm_status.erase(attachment_sock);
traffic_indicator = true;
while (isDataAvailable(attachment_ipc)) {
traffic_indicator = true;
uint32_t handled_session_id = handleRequestFromQueueAsync(attachment_ipc);
if (handled_session_id == 0 || handled_session_id == corrupted_session_id) {
continue;
}
// Always signal back to nginx - never leave it waiting
dbgTrace(D_NGINX_ATTACHMENT) << "Signaling attachment to read verdict (async mode)";
bool res = false;
vector<char> session_id_data(
reinterpret_cast<char *>(&handled_session_id),
reinterpret_cast<char *>(&handled_session_id) + sizeof(handled_session_id)
);
DELAY_IF_NEEDED(IntentionalFailureHandler::FailureType::WriteDataToSocket);
if (!SHOULD_FAIL(
true,
IntentionalFailureHandler::FailureType::WriteDataToSocket,
&did_fail_on_purpose
)) {
for (int retry = 0; retry < 3; retry++) {
if (i_socket->writeDataAsync(attachment_sock, session_id_data)) {
dbgTrace(D_NGINX_ATTACHMENT)
<< "Successfully sent signal to attachment (async mode).";
res = true;
break;
}
dbgDebug(D_NGINX_ATTACHMENT)
<< "Failed to send ACK to attachment (async mode, try " << retry << ")";
mainloop->yield(true);
}
}
if (!res) {
dbgWarning(D_NGINX_ATTACHMENT) << "Failed to send ACK to attachment (async mode)"
<< (did_fail_on_purpose ? "[Intentional Failure]" : "");
if (!did_fail_on_purpose) {
dbgWarning(D_NGINX_ATTACHMENT) << "Resetting IPC and socket";
resetIpc(attachment_ipc, num_of_nginx_ipc_elements);
}
return false;
}
}
return true;
}
// LCOV_EXCL_STOP
///
/// @brief Async version of handleRequestFromQueue - always signals back to nginx
/// @param[in] attachment_ipc IPC channel
/// @param[in] signaled_session_id Session ID that triggered the signal (not used, doorbell only)
/// @return session_id of processed request
///
// LCOV_EXCL_START Reason: Temporary INXT-49318
uint32_t
handleRequestFromQueueAsync(SharedMemoryIPC *attachment_ipc)
{
Maybe<pair<uint16_t, const char *>> read_data = readData(attachment_ipc);
if (!read_data.ok()) {
dbgWarning(D_NGINX_ATTACHMENT) << "Failed to read data. Error: " << read_data.getErr();
return corrupted_session_id;
}
uint16_t incoming_data_size = read_data.unpack().first;
const char *incoming_data = read_data.unpack().second;
if (incoming_data_size == 0 || incoming_data == nullptr) {
dbgWarning(D_NGINX_ATTACHMENT) << "No data received from NGINX attachment";
return corrupted_session_id;
}
const NanoHttpRequestData *transaction_data =
reinterpret_cast<const NanoHttpRequestData *>(incoming_data);
Maybe<ChunkType> chunked_data_type = convertToEnum<ChunkType>(transaction_data->data_type);
if (!chunked_data_type.ok()) {
dbgWarning(D_NGINX_ATTACHMENT)
<< "Could not convert "
<< static_cast<int>(transaction_data->data_type)
<< " to ChunkType enum. Resetting IPC"
<< dumpIpcWrapper(attachment_ipc);
popData(attachment_ipc);
resetIpc(attachment_ipc, num_of_nginx_ipc_elements);
nginx_attachment_event.addNetworkingCounter(nginxAttachmentEvent::networkVerdict::CONNECTION_FAIL);
return corrupted_session_id;
}
if (chunked_data_type.unpack() == ChunkType::METRIC_DATA_FROM_PLUGIN) {
const NanoHttpMetricData *recieved_metric_data =
reinterpret_cast<const NanoHttpMetricData *>(incoming_data);
sendMetricToKibana(recieved_metric_data);
popData(attachment_ipc);
return 0; // No signaling needed for metrics
}
dbgTrace(D_NGINX_ATTACHMENT)
<< "Reading "
<< incoming_data_size
<<" bytes "
<< convertChunkTypeToString(*chunked_data_type)
<< "(type = "
<< static_cast<int>(*chunked_data_type)
<< ") of data from NGINX attachment for session ID: "
<< transaction_data->session_id;
const uint32_t cur_session_id = transaction_data->session_id;
if (
isFailOpenTriggered()
&& (
chunked_data_type.unpack() == ChunkType::REQUEST_START
|| chunked_data_type.unpack() == ChunkType::REQUEST_HEADER
)
) {
dbgTrace(D_NGINX_ATTACHMENT)
<< "Agent is set to Fail Open Mode. Passing inspection and returning Accept."
<< " Session ID: "
<< cur_session_id
<< ", Chunked data type: "
<< static_cast<int>(*chunked_data_type);
if (i_transaction_table->hasEntry(cur_session_id)) {
i_transaction_table->deleteEntry(cur_session_id);
}
popData(attachment_ipc);
handleVerdictResponse(
FilterVerdict(ACCEPT),
attachment_ipc,
cur_session_id,
false
);
return cur_session_id;
}
if (!setActiveTransactionEntry(cur_session_id, chunked_data_type.unpack())) {
popData(attachment_ipc);
return cur_session_id;
}
const Buffer inspection_data(
transaction_data->data,
incoming_data_size - sizeof(NanoHttpRequestData),
Buffer::MemoryType::VOLATILE
);
if (*chunked_data_type == ChunkType::REQUEST_START && !createTransactionState(inspection_data)) {
dbgWarning(D_NGINX_ATTACHMENT)
<< "Failed to handle new request. Returning default verdict: "
<< verdictToString(default_verdict.getVerdict());
handleVerdictResponse(
default_verdict,
attachment_ipc,
cur_session_id,
false
);
popData(attachment_ipc);
removeTransactionEntry(cur_session_id);
return cur_session_id;
}
if (i_transaction_table != nullptr) {
transaction_table_event.setTransactionTableSize(i_transaction_table->count());
transaction_table_event.notify();
}
NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
opaque.activateContext();
FilterVerdict verdict = handleChunkedData(*chunked_data_type, inspection_data, opaque);
bool is_header =
*chunked_data_type == ChunkType::REQUEST_HEADER ||
*chunked_data_type == ChunkType::RESPONSE_HEADER ||
*chunked_data_type == ChunkType::CONTENT_LENGTH;
if (verdict.getVerdict() == LIMIT_RESPONSE_HEADERS) {
handleVerdictResponse(verdict, attachment_ipc, transaction_data->session_id, is_header);
popData(attachment_ipc);
verdict = FilterVerdict(INSPECT);
}
handleVerdictResponse(verdict, attachment_ipc, cur_session_id, is_header);
bool is_final_verdict = verdict.getVerdict() == ACCEPT ||
verdict.getVerdict() == DROP ||
verdict.getVerdict() == CUSTOM_RESPONSE ||
verdict.getVerdict() == IRRELEVANT;
dbgTrace(D_NGINX_ATTACHMENT)
<< "Request handled successfully - for"
<< " NGINX attachment session ID: "
<< transaction_data->session_id
<< " verdict: "
<< verdictToString(verdict.getVerdict())
<< " verdict_data_code="
<< static_cast<int>(verdict.getVerdict());
popData(attachment_ipc);
opaque.deactivateContext();
if (is_final_verdict) {
removeTransactionEntry(cur_session_id);
} else {
i_transaction_table->unsetActiveKey();
}
// Always signal back in async mode - never leave nginx waiting
return cur_session_id;
}
};
// LCOV_EXCL_STOP
NginxAttachment::NginxAttachment() : Component("NginxAttachment"), pimpl(make_unique<Impl>()) {}
@@ -1921,7 +2429,7 @@ NginxAttachment::preload()
registerExpectedConfiguration<uint>("Nginx Attachment", "metric reporting interval");
registerExpectedSetting<bool>("allowOnlyDefinedApplications");
registerExpectedConfigFile("activeContextConfig", Config::ConfigFileType::Policy);
registerExpectedConfiguration<UsersAllIdentifiersConfig>("rulebase", "usersIdentifiers");
registerExpectedConfigurationWithCache<UsersAllIdentifiersConfig>("assetId", "rulebase", "usersIdentifiers");
BasicRuleConfig::preload();
WebTriggerConf::preload();
}

74
components/attachment-intakers/nginx_attachment/nginx_attachment_config.cc
View File

@@ -14,6 +14,7 @@
#include "nginx_attachment_config.h"
#include <stdlib.h>
#include <algorithm>
#include "nginx_attachment.h"
#include "config.h"
@@ -25,7 +26,7 @@ USE_DEBUG_FLAG(D_NGINX_ATTACHMENT);
using namespace std;
using DebugLevel = ngx_http_cp_debug_level_e;
using DebugLevel = nano_http_cp_debug_level_e;
void
HttpAttachmentConfig::init()
@@ -43,6 +44,8 @@ HttpAttachmentConfig::init()
setDebugByContextValues();
setKeepAliveIntervalMsec();
setRetriesForVerdict();
setPairedAffinityEnabled();
setAsyncMode();
}
bool
@@ -210,15 +213,36 @@ HttpAttachmentConfig::setFailOpenTimeout()
"Response server header removal"
));
conf_data.setNumericalValue("decompression_pool_size", getAttachmentConf<uint>(
262144,
"agent.decompressionPoolSize.nginxModule",
"HTTP manager",
"Decompression pool size in bytes"
));
conf_data.setNumericalValue("recompression_pool_size", getAttachmentConf<uint>(
16384,
"agent.recompressionPoolSize.nginxModule",
"HTTP manager",
"Recompression pool size in bytes"
));
conf_data.setNumericalValue("is_brotli_inspection_enabled", getAttachmentConf<uint>(
0,
"agent.isBrotliInspectionEnabled.nginxModule",
"HTTP manager",
"Brotli inspection enabled"
));
uint inspection_mode = getAttachmentConf<uint>(
static_cast<uint>(ngx_http_inspection_mode_e::NON_BLOCKING_THREAD),
static_cast<uint>(NanoHttpInspectionMode::NON_BLOCKING_THREAD),
"agent.inspectionMode.nginxModule",
"HTTP manager",
"NGINX inspection mode"
);
if (inspection_mode >= ngx_http_inspection_mode_e::INSPECTION_MODE_COUNT) {
inspection_mode = ngx_http_inspection_mode_e::NON_BLOCKING_THREAD;
if (inspection_mode >= static_cast<uint>(NanoHttpInspectionMode::INSPECTION_MODE_COUNT)) {
inspection_mode = static_cast<uint>(NanoHttpInspectionMode::NON_BLOCKING_THREAD);
}
conf_data.setNumericalValue("nginx_inspection_mode", inspection_mode);
}
@@ -377,3 +401,45 @@ HttpAttachmentConfig::setDebugByContextValues()
<< ", listening_port: "
<< new_ctx_cfg.port;
}
void
HttpAttachmentConfig::setPairedAffinityEnabled() {
bool is_paired_affinity_enabled = getAttachmentConf<bool>(
false,
"agent.pairedAffinity.nginxModule",
"HTTP manager",
"Paired Affinity state"
);
// Check environment variable to allow runtime override
const char* env_enable_affinity = getenv("ENABLE_AFFINITY_PAIRING");
if (env_enable_affinity != nullptr) {
string env_value(env_enable_affinity);
// Convert to lowercase for case insensitive comparison
transform(env_value.begin(), env_value.end(), env_value.begin(), ::tolower);
is_paired_affinity_enabled = (env_value == "true");
dbgTrace(D_NGINX_ATTACHMENT)
<< "Paired affinity overridden by environment variable ENABLE_AFFINITY_PAIRING="
<< env_enable_affinity;
}
dbgTrace(D_NGINX_ATTACHMENT)
<< "Attachment paired affinity is: "
<< (is_paired_affinity_enabled ? "Enabled" : "Disabled");
conf_data.setNumericalValue("is_paired_affinity_enabled", is_paired_affinity_enabled);
}
void
HttpAttachmentConfig::setAsyncMode() {
bool is_async_mode_enabled = getAttachmentConf<bool>(
false,
"agent.asyncMode.nginxModule",
"HTTP manager",
"Async Mode state"
);
dbgTrace(D_NGINX_ATTACHMENT)
<< "Attachment async mode is: "
<< (is_async_mode_enabled ? "Enabled" : "Disabled");
conf_data.setNumericalValue("is_async_mode_enabled", is_async_mode_enabled);
}

8
components/attachment-intakers/nginx_attachment/nginx_attachment_config.h
View File

@@ -44,6 +44,10 @@ public:
unsigned int getMaxSessionsPerMinute() const { return conf_data.getNumericalValue("max_sessions_per_minute"); }
unsigned int getNumOfNginxElements() const { return conf_data.getNumericalValue("num_of_nginx_ipc_elements"); }
unsigned int getKeepAliveIntervalMsec() const { return conf_data.getNumericalValue("keep_alive_interval_msec"); }
bool getIsPairedAffinityEnabled() const { return conf_data.getNumericalValue("is_paired_affinity_enabled"); }
// LCOV_EXCL_START Reason: Temporary INXT-49318
bool isAsyncModeEnabled() const { return conf_data.getNumericalValue("is_async_mode_enabled"); }
// LCOV_EXCL_STOP
private:
void setGradualDeploymentIPs();
@@ -72,6 +76,10 @@ private:
void setRetriesForVerdict();
void setPairedAffinityEnabled();
void setAsyncMode();
WebTriggerConf web_trigger_conf;
HttpAttachmentConfiguration conf_data;
};

10
components/attachment-intakers/nginx_attachment/nginx_attachment_opaque.cc
View File

@@ -51,18 +51,19 @@ NginxAttachmentOpaque::NginxAttachmentOpaque(HttpTransactionData _transaction_da
std::stringstream client_ip_str;
client_ip_str << client_ip;
setSourceIdentifier("sourceip", client_ip_str.str());
ctx.registerValue("eventReferenceId", uuid, EnvKeyAttr::LogSection::DATA);
ctx.registerValue<string>(HttpTransactionData::http_proto_ctx, transaction_data.getHttpProtocol());
ctx.registerValue<string>(HttpTransactionData::method_ctx, transaction_data.getHttpMethod());
ctx.registerValue<string>(HttpTransactionData::host_name_ctx, transaction_data.getParsedHost());
ctx.registerValue<uint16_t>(HttpTransactionData::listening_port_ctx, transaction_data.getListeningPort());
ctx.registerQuickAccessValue<string>(HttpTransactionData::host_name_ctx, transaction_data.getParsedHost());
ctx.registerQuickAccessValue<uint16_t>(
HttpTransactionData::listening_port_ctx,
transaction_data.getListeningPort());
ctx.registerValue<IPAddr>(HttpTransactionData::listening_ip_ctx, transaction_data.getListeningIP());
ctx.registerValue<IPAddr>(HttpTransactionData::client_ip_ctx, transaction_data.getSourceIP());
ctx.registerValue<uint16_t>(HttpTransactionData::client_port_ctx, transaction_data.getSourcePort());
ctx.registerFunc<string>(HttpTransactionData::source_identifier, [this](){ return source_identifier; });
ctx.registerValue<string>(HttpTransactionData::uri_ctx, transaction_data.getParsedURI());
ctx.registerQuickAccessValue<string>(HttpTransactionData::uri_ctx, transaction_data.getParsedURI());
auto decoder = makeVirtualContainer<HexDecoder<'%'>>(transaction_data.getURI());
string decoded_url(decoder.begin(), decoder.end());
auto question_mark_location = decoded_url.find('?');
@@ -143,6 +144,7 @@ NginxAttachmentOpaque::setKeepAliveCtx(const string &hdr_key, const string &hdr_
ctx.registerValue("keep_alive_request_ctx", true);
return true;
}
dbgTrace(D_HTTP_MANAGER) << "Not a keep alive header";
return false;
}

298
components/attachment-intakers/nginx_attachment/nginx_intaker_metric.cc
View File

@@ -54,204 +54,204 @@ nginxIntakerEvent::resetAllCounters()
cpu_event.setCPU(0);
}
ngx_http_plugin_metric_type_e
AttachmentMetricType
nginxIntakerEvent::EnumOfIndex(int i)
{
return static_cast<ngx_http_plugin_metric_type_e>(i);
return static_cast<AttachmentMetricType>(i);
}
void
nginxIntakerEvent::addPluginMetricCounter(const ngx_http_cp_metric_data_t *recieved_metric_data)
nginxIntakerEvent::addPluginMetricCounter(const NanoHttpMetricData *recieved_metric_data)
{
for (int i = 0; i < static_cast<int>(ngx_http_plugin_metric_type_e::METRIC_TYPES_COUNT); i++) {
ngx_http_plugin_metric_type_e metric_type = EnumOfIndex(i);
for (int i = 0; i < static_cast<int>(AttachmentMetricType::METRIC_TYPES_COUNT); i++) {
AttachmentMetricType metric_type = EnumOfIndex(i);
uint64_t amount = recieved_metric_data->data[i];
switch (metric_type) {
case ngx_http_plugin_metric_type_e::INSPECTION_SUCCESSES_COUNT: {
case AttachmentMetricType::INSPECTION_SUCCESSES_COUNT: {
successfull_inspection_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::INSPECTION_OPEN_FAILURES_COUNT: {
case AttachmentMetricType::INSPECTION_OPEN_FAILURES_COUNT: {
open_failure_inspection_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::INSPECTION_CLOSE_FAILURES_COUNT: {
case AttachmentMetricType::INSPECTION_CLOSE_FAILURES_COUNT: {
close_failure_inspection_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::TRANSPARENTS_COUNT: {
case AttachmentMetricType::TRANSPARENTS_COUNT: {
transparent_mode_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::TOTAL_TRANSPARENTS_TIME: {
case AttachmentMetricType::TOTAL_TRANSPARENTS_TIME: {
total_transparent_time += amount;
break;
}
case ngx_http_plugin_metric_type_e::INSPECT_VERDICTS_COUNT: {
case AttachmentMetricType::INSPECT_VERDICTS_COUNT: {
inspect_verdict_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::ACCEPT_VERDICTS_COUNT: {
case AttachmentMetricType::ACCEPT_VERDICTS_COUNT: {
accept_verdict_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::DROP_VERDICTS_COUNT: {
case AttachmentMetricType::DROP_VERDICTS_COUNT: {
drop_verdict_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::INJECT_VERDICTS_COUNT: {
case AttachmentMetricType::INJECT_VERDICTS_COUNT: {
inject_verdict_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::IRRELEVANT_VERDICTS_COUNT: {
case AttachmentMetricType::IRRELEVANT_VERDICTS_COUNT: {
irrelevant_verdict_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::RECONF_VERDICTS_COUNT: {
case AttachmentMetricType::RECONF_VERDICTS_COUNT: {
reconf_verdict_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::AVERAGE_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT: {
case AttachmentMetricType::AVERAGE_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT: {
if (amount > 0) average_overall_processing_time_until_verdict = amount;
break;
}
case ngx_http_plugin_metric_type_e::MAX_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT: {
case AttachmentMetricType::MAX_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT: {
if (amount > 0) max_overall_processing_time_until_verdict = amount;
break;
}
case ngx_http_plugin_metric_type_e::MIN_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT: {
case AttachmentMetricType::MIN_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT: {
if (amount > 0) min_overall_processing_time_until_verdict = amount;
break;
}
case ngx_http_plugin_metric_type_e::AVERAGE_REQ_PPROCESSING_TIME_UNTIL_VERDICT: {
case AttachmentMetricType::AVERAGE_REQ_PPROCESSING_TIME_UNTIL_VERDICT: {
if (amount > 0) average_req_processing_time_until_verdict = amount;
break;
}
case ngx_http_plugin_metric_type_e::MAX_REQ_PPROCESSING_TIME_UNTIL_VERDICT: {
case AttachmentMetricType::MAX_REQ_PPROCESSING_TIME_UNTIL_VERDICT: {
if (amount > 0) max_req_processing_time_until_verdict = amount;
break;
}
case ngx_http_plugin_metric_type_e::MIN_REQ_PPROCESSING_TIME_UNTIL_VERDICT: {
case AttachmentMetricType::MIN_REQ_PPROCESSING_TIME_UNTIL_VERDICT: {
if (amount > 0) min_req_processing_time_until_verdict = amount;
break;
}
case ngx_http_plugin_metric_type_e::AVERAGE_RES_PPROCESSING_TIME_UNTIL_VERDICT: {
case AttachmentMetricType::AVERAGE_RES_PPROCESSING_TIME_UNTIL_VERDICT: {
if (amount > 0) average_res_processing_time_until_verdict = amount;
break;
}
case ngx_http_plugin_metric_type_e::MAX_RES_PPROCESSING_TIME_UNTIL_VERDICT: {
case AttachmentMetricType::MAX_RES_PPROCESSING_TIME_UNTIL_VERDICT: {
if (amount > 0) max_res_processing_time_until_verdict = amount;
break;
}
case ngx_http_plugin_metric_type_e::MIN_RES_PPROCESSING_TIME_UNTIL_VERDICT: {
case AttachmentMetricType::MIN_RES_PPROCESSING_TIME_UNTIL_VERDICT: {
if (amount > 0) min_res_processing_time_until_verdict = amount;
break;
}
case ngx_http_plugin_metric_type_e::REQ_FAILED_COMPRESSION_COUNT: {
case AttachmentMetricType::REQ_FAILED_COMPRESSION_COUNT: {
req_failed_compression_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::RES_FAILED_COMPRESSION_COUNT: {
case AttachmentMetricType::RES_FAILED_COMPRESSION_COUNT: {
res_failed_compression_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::REQ_FAILED_DECOMPRESSION_COUNT: {
case AttachmentMetricType::REQ_FAILED_DECOMPRESSION_COUNT: {
req_failed_decompression_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::RES_FAILED_DECOMPRESSION_COUNT: {
case AttachmentMetricType::RES_FAILED_DECOMPRESSION_COUNT: {
res_failed_decompression_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::REQ_SUCCESSFUL_COMPRESSION_COUNT: {
case AttachmentMetricType::REQ_SUCCESSFUL_COMPRESSION_COUNT: {
req_successful_compression_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::RES_SUCCESSFUL_COMPRESSION_COUNT: {
case AttachmentMetricType::RES_SUCCESSFUL_COMPRESSION_COUNT: {
res_successful_compression_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::REQ_SUCCESSFUL_DECOMPRESSION_COUNT: {
case AttachmentMetricType::REQ_SUCCESSFUL_DECOMPRESSION_COUNT: {
req_successful_decompression_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::RES_SUCCESSFUL_DECOMPRESSION_COUNT: {
case AttachmentMetricType::RES_SUCCESSFUL_DECOMPRESSION_COUNT: {
res_successful_decompression_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::CORRUPTED_ZIP_SKIPPED_SESSION_COUNT: {
case AttachmentMetricType::CORRUPTED_ZIP_SKIPPED_SESSION_COUNT: {
corrupted_zip_skipped_session_counter += amount;
break;
}
case ngx_http_plugin_metric_type_e::THREAD_TIMEOUT: {
case AttachmentMetricType::THREAD_TIMEOUT: {
thread_timeout += amount;
break;
}
case ngx_http_plugin_metric_type_e::REG_THREAD_TIMEOUT: {
case AttachmentMetricType::REG_THREAD_TIMEOUT: {
reg_thread_timeout += amount;
break;
}
case ngx_http_plugin_metric_type_e::REQ_HEADER_THREAD_TIMEOUT: {
case AttachmentMetricType::REQ_HEADER_THREAD_TIMEOUT: {
req_header_thread_timeout += amount;
break;
}
case ngx_http_plugin_metric_type_e::REQ_BODY_THREAD_TIMEOUT: {
case AttachmentMetricType::REQ_BODY_THREAD_TIMEOUT: {
req_body_thread_timeout += amount;
break;
}
case ngx_http_plugin_metric_type_e::AVERAGE_REQ_BODY_SIZE_UPON_TIMEOUT: {
case AttachmentMetricType::AVERAGE_REQ_BODY_SIZE_UPON_TIMEOUT: {
if (amount > 0) average_req_body_size_upon_timeout = amount;
break;
}
case ngx_http_plugin_metric_type_e::MAX_REQ_BODY_SIZE_UPON_TIMEOUT: {
case AttachmentMetricType::MAX_REQ_BODY_SIZE_UPON_TIMEOUT: {
if (amount > 0) max_req_body_size_upon_timeout = amount;
break;
}
case ngx_http_plugin_metric_type_e::MIN_REQ_BODY_SIZE_UPON_TIMEOUT: {
case AttachmentMetricType::MIN_REQ_BODY_SIZE_UPON_TIMEOUT: {
if (amount > 0) min_req_body_size_upon_timeout = amount;
break;
}
case ngx_http_plugin_metric_type_e::RES_HEADER_THREAD_TIMEOUT: {
case AttachmentMetricType::RES_HEADER_THREAD_TIMEOUT: {
res_header_thread_timeout += amount;
break;
}
case ngx_http_plugin_metric_type_e::RES_BODY_THREAD_TIMEOUT: {
case AttachmentMetricType::RES_BODY_THREAD_TIMEOUT: {
res_body_thread_timeout += amount;
break;
}
case ngx_http_plugin_metric_type_e::AVERAGE_RES_BODY_SIZE_UPON_TIMEOUT: {
case AttachmentMetricType::AVERAGE_RES_BODY_SIZE_UPON_TIMEOUT: {
if (amount > 0) average_res_body_size_upon_timeout = amount;
break;
}
case ngx_http_plugin_metric_type_e::MAX_RES_BODY_SIZE_UPON_TIMEOUT: {
case AttachmentMetricType::MAX_RES_BODY_SIZE_UPON_TIMEOUT: {
if (amount > 0) max_res_body_size_upon_timeout = amount;
break;
}
case ngx_http_plugin_metric_type_e::MIN_RES_BODY_SIZE_UPON_TIMEOUT: {
case AttachmentMetricType::MIN_RES_BODY_SIZE_UPON_TIMEOUT: {
if (amount > 0) min_res_body_size_upon_timeout = amount;
break;
}
case ngx_http_plugin_metric_type_e::THREAD_FAILURE: {
case AttachmentMetricType::THREAD_FAILURE: {
thread_failure += amount;
break;
}
case ngx_http_plugin_metric_type_e::REQ_PROCCESSING_TIMEOUT: {
case AttachmentMetricType::REQ_PROCCESSING_TIMEOUT: {
req_proccessing_timeout += amount;
break;
}
case ngx_http_plugin_metric_type_e::RES_PROCCESSING_TIMEOUT: {
case AttachmentMetricType::RES_PROCCESSING_TIMEOUT: {
res_proccessing_timeout += amount;
break;
}
case ngx_http_plugin_metric_type_e::REQ_FAILED_TO_REACH_UPSTREAM: {
case AttachmentMetricType::REQ_FAILED_TO_REACH_UPSTREAM: {
req_failed_to_reach_upstream += amount;
break;
}
case ngx_http_plugin_metric_type_e::CPU_USAGE: {
case AttachmentMetricType::CPU_USAGE: {
cpu_event.setCPU(amount);
break;
}
case ngx_http_plugin_metric_type_e::REQUEST_OVERALL_SIZE_COUNT: {
case AttachmentMetricType::REQUEST_OVERALL_SIZE_COUNT: {
req_overall_size += amount;
static const uint64_t max_expected_res_size = 100ULL * 1024 * 1024 * 1024;
if (amount > max_expected_res_size) {
@@ -259,7 +259,7 @@ nginxIntakerEvent::addPluginMetricCounter(const ngx_http_cp_metric_data_t *recie
}
break;
}
case ngx_http_plugin_metric_type_e::RESPONSE_OVERALL_SIZE_COUNT: {
case AttachmentMetricType::RESPONSE_OVERALL_SIZE_COUNT: {
res_overall_size += amount;
break;
}
@@ -272,104 +272,104 @@ nginxIntakerEvent::addPluginMetricCounter(const ngx_http_cp_metric_data_t *recie
}
uint64_t
nginxIntakerEvent::getPluginMetricCounter(ngx_http_plugin_metric_type_e metric_type) const
nginxIntakerEvent::getPluginMetricCounter(AttachmentMetricType metric_type) const
{
switch (metric_type) {
case ngx_http_plugin_metric_type_e::INSPECTION_SUCCESSES_COUNT:
case AttachmentMetricType::INSPECTION_SUCCESSES_COUNT:
return successfull_inspection_counter;
case ngx_http_plugin_metric_type_e::INSPECTION_OPEN_FAILURES_COUNT:
case AttachmentMetricType::INSPECTION_OPEN_FAILURES_COUNT:
return open_failure_inspection_counter;
case ngx_http_plugin_metric_type_e::INSPECTION_CLOSE_FAILURES_COUNT:
case AttachmentMetricType::INSPECTION_CLOSE_FAILURES_COUNT:
return close_failure_inspection_counter;
case ngx_http_plugin_metric_type_e::TRANSPARENTS_COUNT:
case AttachmentMetricType::TRANSPARENTS_COUNT:
return transparent_mode_counter;
case ngx_http_plugin_metric_type_e::TOTAL_TRANSPARENTS_TIME:
case AttachmentMetricType::TOTAL_TRANSPARENTS_TIME:
return total_transparent_time;
case ngx_http_plugin_metric_type_e::INSPECT_VERDICTS_COUNT:
case AttachmentMetricType::INSPECT_VERDICTS_COUNT:
return inspect_verdict_counter;
case ngx_http_plugin_metric_type_e::ACCEPT_VERDICTS_COUNT:
case AttachmentMetricType::ACCEPT_VERDICTS_COUNT:
return accept_verdict_counter;
case ngx_http_plugin_metric_type_e::DROP_VERDICTS_COUNT:
case AttachmentMetricType::DROP_VERDICTS_COUNT:
return drop_verdict_counter;
case ngx_http_plugin_metric_type_e::INJECT_VERDICTS_COUNT:
case AttachmentMetricType::INJECT_VERDICTS_COUNT:
return inject_verdict_counter;
case ngx_http_plugin_metric_type_e::IRRELEVANT_VERDICTS_COUNT:
case AttachmentMetricType::IRRELEVANT_VERDICTS_COUNT:
return irrelevant_verdict_counter;
case ngx_http_plugin_metric_type_e::RECONF_VERDICTS_COUNT:
case AttachmentMetricType::RECONF_VERDICTS_COUNT:
return reconf_verdict_counter;
case ngx_http_plugin_metric_type_e::AVERAGE_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT:
case AttachmentMetricType::AVERAGE_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT:
return average_overall_processing_time_until_verdict;
case ngx_http_plugin_metric_type_e::MAX_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT:
case AttachmentMetricType::MAX_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT:
return max_overall_processing_time_until_verdict;
case ngx_http_plugin_metric_type_e::MIN_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT:
case AttachmentMetricType::MIN_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT:
return min_overall_processing_time_until_verdict;
case ngx_http_plugin_metric_type_e::AVERAGE_REQ_PPROCESSING_TIME_UNTIL_VERDICT:
case AttachmentMetricType::AVERAGE_REQ_PPROCESSING_TIME_UNTIL_VERDICT:
return average_req_processing_time_until_verdict;
case ngx_http_plugin_metric_type_e::MAX_REQ_PPROCESSING_TIME_UNTIL_VERDICT:
case AttachmentMetricType::MAX_REQ_PPROCESSING_TIME_UNTIL_VERDICT:
return max_req_processing_time_until_verdict;
case ngx_http_plugin_metric_type_e::MIN_REQ_PPROCESSING_TIME_UNTIL_VERDICT:
case AttachmentMetricType::MIN_REQ_PPROCESSING_TIME_UNTIL_VERDICT:
return min_req_processing_time_until_verdict;
case ngx_http_plugin_metric_type_e::AVERAGE_RES_PPROCESSING_TIME_UNTIL_VERDICT:
case AttachmentMetricType::AVERAGE_RES_PPROCESSING_TIME_UNTIL_VERDICT:
return average_res_processing_time_until_verdict;
case ngx_http_plugin_metric_type_e::MAX_RES_PPROCESSING_TIME_UNTIL_VERDICT:
case AttachmentMetricType::MAX_RES_PPROCESSING_TIME_UNTIL_VERDICT:
return max_res_processing_time_until_verdict;
case ngx_http_plugin_metric_type_e::MIN_RES_PPROCESSING_TIME_UNTIL_VERDICT:
case AttachmentMetricType::MIN_RES_PPROCESSING_TIME_UNTIL_VERDICT:
return min_res_processing_time_until_verdict;
case ngx_http_plugin_metric_type_e::REQ_FAILED_COMPRESSION_COUNT:
case AttachmentMetricType::REQ_FAILED_COMPRESSION_COUNT:
return req_failed_compression_counter;
case ngx_http_plugin_metric_type_e::RES_FAILED_COMPRESSION_COUNT:
case AttachmentMetricType::RES_FAILED_COMPRESSION_COUNT:
return res_failed_compression_counter;
case ngx_http_plugin_metric_type_e::REQ_FAILED_DECOMPRESSION_COUNT:
case AttachmentMetricType::REQ_FAILED_DECOMPRESSION_COUNT:
return req_failed_decompression_counter;
case ngx_http_plugin_metric_type_e::RES_FAILED_DECOMPRESSION_COUNT:
case AttachmentMetricType::RES_FAILED_DECOMPRESSION_COUNT:
return res_failed_decompression_counter;
case ngx_http_plugin_metric_type_e::REQ_SUCCESSFUL_COMPRESSION_COUNT:
case AttachmentMetricType::REQ_SUCCESSFUL_COMPRESSION_COUNT:
return req_successful_compression_counter;
case ngx_http_plugin_metric_type_e::RES_SUCCESSFUL_COMPRESSION_COUNT:
case AttachmentMetricType::RES_SUCCESSFUL_COMPRESSION_COUNT:
return res_successful_compression_counter;
case ngx_http_plugin_metric_type_e::REQ_SUCCESSFUL_DECOMPRESSION_COUNT:
case AttachmentMetricType::REQ_SUCCESSFUL_DECOMPRESSION_COUNT:
return req_successful_decompression_counter;
case ngx_http_plugin_metric_type_e::RES_SUCCESSFUL_DECOMPRESSION_COUNT:
case AttachmentMetricType::RES_SUCCESSFUL_DECOMPRESSION_COUNT:
return res_successful_decompression_counter;
case ngx_http_plugin_metric_type_e::CORRUPTED_ZIP_SKIPPED_SESSION_COUNT:
case AttachmentMetricType::CORRUPTED_ZIP_SKIPPED_SESSION_COUNT:
return corrupted_zip_skipped_session_counter;
case ngx_http_plugin_metric_type_e::THREAD_TIMEOUT:
case AttachmentMetricType::THREAD_TIMEOUT:
return thread_timeout;
case ngx_http_plugin_metric_type_e::REG_THREAD_TIMEOUT:
case AttachmentMetricType::REG_THREAD_TIMEOUT:
return reg_thread_timeout;
case ngx_http_plugin_metric_type_e::REQ_HEADER_THREAD_TIMEOUT:
case AttachmentMetricType::REQ_HEADER_THREAD_TIMEOUT:
return req_header_thread_timeout;
case ngx_http_plugin_metric_type_e::REQ_BODY_THREAD_TIMEOUT:
case AttachmentMetricType::REQ_BODY_THREAD_TIMEOUT:
return req_body_thread_timeout;
case ngx_http_plugin_metric_type_e::AVERAGE_REQ_BODY_SIZE_UPON_TIMEOUT:
case AttachmentMetricType::AVERAGE_REQ_BODY_SIZE_UPON_TIMEOUT:
return average_req_body_size_upon_timeout;
case ngx_http_plugin_metric_type_e::MAX_REQ_BODY_SIZE_UPON_TIMEOUT:
case AttachmentMetricType::MAX_REQ_BODY_SIZE_UPON_TIMEOUT:
return max_req_body_size_upon_timeout;
case ngx_http_plugin_metric_type_e::MIN_REQ_BODY_SIZE_UPON_TIMEOUT:
case AttachmentMetricType::MIN_REQ_BODY_SIZE_UPON_TIMEOUT:
return min_req_body_size_upon_timeout;
case ngx_http_plugin_metric_type_e::RES_HEADER_THREAD_TIMEOUT:
case AttachmentMetricType::RES_HEADER_THREAD_TIMEOUT:
return res_header_thread_timeout;
case ngx_http_plugin_metric_type_e::RES_BODY_THREAD_TIMEOUT:
case AttachmentMetricType::RES_BODY_THREAD_TIMEOUT:
return res_body_thread_timeout;
case ngx_http_plugin_metric_type_e::AVERAGE_RES_BODY_SIZE_UPON_TIMEOUT:
case AttachmentMetricType::AVERAGE_RES_BODY_SIZE_UPON_TIMEOUT:
return average_res_body_size_upon_timeout;
case ngx_http_plugin_metric_type_e::MAX_RES_BODY_SIZE_UPON_TIMEOUT:
case AttachmentMetricType::MAX_RES_BODY_SIZE_UPON_TIMEOUT:
return max_res_body_size_upon_timeout;
case ngx_http_plugin_metric_type_e::MIN_RES_BODY_SIZE_UPON_TIMEOUT:
case AttachmentMetricType::MIN_RES_BODY_SIZE_UPON_TIMEOUT:
return min_res_body_size_upon_timeout;
case ngx_http_plugin_metric_type_e::THREAD_FAILURE:
case AttachmentMetricType::THREAD_FAILURE:
return thread_failure;
case ngx_http_plugin_metric_type_e::REQ_PROCCESSING_TIMEOUT:
case AttachmentMetricType::REQ_PROCCESSING_TIMEOUT:
return req_proccessing_timeout;
case ngx_http_plugin_metric_type_e::RES_PROCCESSING_TIMEOUT:
case AttachmentMetricType::RES_PROCCESSING_TIMEOUT:
return res_proccessing_timeout;
case ngx_http_plugin_metric_type_e::REQ_FAILED_TO_REACH_UPSTREAM:
case AttachmentMetricType::REQ_FAILED_TO_REACH_UPSTREAM:
return req_failed_to_reach_upstream;
case ngx_http_plugin_metric_type_e::CPU_USAGE:
case AttachmentMetricType::CPU_USAGE:
return static_cast<uint64_t>(cpu_event.getCPU());
case ngx_http_plugin_metric_type_e::REQUEST_OVERALL_SIZE_COUNT:
case AttachmentMetricType::REQUEST_OVERALL_SIZE_COUNT:
return req_overall_size;
case ngx_http_plugin_metric_type_e::RESPONSE_OVERALL_SIZE_COUNT:
case AttachmentMetricType::RESPONSE_OVERALL_SIZE_COUNT:
return res_overall_size;
default:
dbgWarning(D_METRICS_NGINX_ATTACHMENT)
@@ -382,145 +382,145 @@ void
nginxIntakerMetric::upon(const nginxIntakerEvent &event)
{
successfull_inspection_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::INSPECTION_SUCCESSES_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::INSPECTION_SUCCESSES_COUNT)
);
transparent_mode_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::TRANSPARENTS_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::TRANSPARENTS_COUNT)
);
total_transparent_time.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::TOTAL_TRANSPARENTS_TIME)
event.getPluginMetricCounter(AttachmentMetricType::TOTAL_TRANSPARENTS_TIME)
);
open_failure_inspection_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::INSPECTION_OPEN_FAILURES_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::INSPECTION_OPEN_FAILURES_COUNT)
);
close_failure_inspection_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::INSPECTION_CLOSE_FAILURES_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::INSPECTION_CLOSE_FAILURES_COUNT)
);
inject_verdict_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::INJECT_VERDICTS_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::INJECT_VERDICTS_COUNT)
);
inspect_verdict_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::INSPECT_VERDICTS_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::INSPECT_VERDICTS_COUNT)
);
accept_verdict_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::ACCEPT_VERDICTS_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::ACCEPT_VERDICTS_COUNT)
);
drop_verdict_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::DROP_VERDICTS_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::DROP_VERDICTS_COUNT)
);
irrelevant_verdict_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::IRRELEVANT_VERDICTS_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::IRRELEVANT_VERDICTS_COUNT)
);
reconf_verdict_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::RECONF_VERDICTS_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::RECONF_VERDICTS_COUNT)
);
average_overall_processing_time_until_verdict.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::AVERAGE_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT)
event.getPluginMetricCounter(AttachmentMetricType::AVERAGE_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT)
);
max_overall_processing_time_until_verdict.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::MAX_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT)
event.getPluginMetricCounter(AttachmentMetricType::MAX_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT)
);
min_overall_processing_time_until_verdict.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::MIN_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT)
event.getPluginMetricCounter(AttachmentMetricType::MIN_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT)
);
average_req_processing_time_until_verdict.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::AVERAGE_REQ_PPROCESSING_TIME_UNTIL_VERDICT)
event.getPluginMetricCounter(AttachmentMetricType::AVERAGE_REQ_PPROCESSING_TIME_UNTIL_VERDICT)
);
max_req_processing_time_until_verdict.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::MAX_REQ_PPROCESSING_TIME_UNTIL_VERDICT)
event.getPluginMetricCounter(AttachmentMetricType::MAX_REQ_PPROCESSING_TIME_UNTIL_VERDICT)
);
min_req_processing_time_until_verdict.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::MIN_REQ_PPROCESSING_TIME_UNTIL_VERDICT)
event.getPluginMetricCounter(AttachmentMetricType::MIN_REQ_PPROCESSING_TIME_UNTIL_VERDICT)
);
average_res_processing_time_until_verdict.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::AVERAGE_RES_PPROCESSING_TIME_UNTIL_VERDICT)
event.getPluginMetricCounter(AttachmentMetricType::AVERAGE_RES_PPROCESSING_TIME_UNTIL_VERDICT)
);
max_res_processing_time_until_verdict.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::MAX_RES_PPROCESSING_TIME_UNTIL_VERDICT)
event.getPluginMetricCounter(AttachmentMetricType::MAX_RES_PPROCESSING_TIME_UNTIL_VERDICT)
);
min_res_processing_time_until_verdict.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::MIN_RES_PPROCESSING_TIME_UNTIL_VERDICT)
event.getPluginMetricCounter(AttachmentMetricType::MIN_RES_PPROCESSING_TIME_UNTIL_VERDICT)
);
req_failed_compression_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::REQ_FAILED_COMPRESSION_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::REQ_FAILED_COMPRESSION_COUNT)
);
res_failed_compression_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::RES_FAILED_COMPRESSION_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::RES_FAILED_COMPRESSION_COUNT)
);
req_failed_decompression_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::REQ_FAILED_DECOMPRESSION_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::REQ_FAILED_DECOMPRESSION_COUNT)
);
res_failed_decompression_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::RES_FAILED_DECOMPRESSION_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::RES_FAILED_DECOMPRESSION_COUNT)
);
req_successful_compression_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::REQ_SUCCESSFUL_COMPRESSION_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::REQ_SUCCESSFUL_COMPRESSION_COUNT)
);
res_successful_compression_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::RES_SUCCESSFUL_COMPRESSION_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::RES_SUCCESSFUL_COMPRESSION_COUNT)
);
req_successful_decompression_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::REQ_SUCCESSFUL_DECOMPRESSION_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::REQ_SUCCESSFUL_DECOMPRESSION_COUNT)
);
res_successful_decompression_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::RES_SUCCESSFUL_DECOMPRESSION_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::RES_SUCCESSFUL_DECOMPRESSION_COUNT)
);
corrupted_zip_skipped_session_counter.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::CORRUPTED_ZIP_SKIPPED_SESSION_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::CORRUPTED_ZIP_SKIPPED_SESSION_COUNT)
);
thread_timeout.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::THREAD_TIMEOUT)
event.getPluginMetricCounter(AttachmentMetricType::THREAD_TIMEOUT)
);
reg_thread_timeout.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::REG_THREAD_TIMEOUT)
event.getPluginMetricCounter(AttachmentMetricType::REG_THREAD_TIMEOUT)
);
req_header_thread_timeout.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::REQ_HEADER_THREAD_TIMEOUT)
event.getPluginMetricCounter(AttachmentMetricType::REQ_HEADER_THREAD_TIMEOUT)
);
req_body_thread_timeout.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::REQ_BODY_THREAD_TIMEOUT)
event.getPluginMetricCounter(AttachmentMetricType::REQ_BODY_THREAD_TIMEOUT)
);
average_req_body_size_upon_timeout.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::AVERAGE_REQ_BODY_SIZE_UPON_TIMEOUT)
event.getPluginMetricCounter(AttachmentMetricType::AVERAGE_REQ_BODY_SIZE_UPON_TIMEOUT)
);
max_req_body_size_upon_timeout.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::MAX_REQ_BODY_SIZE_UPON_TIMEOUT)
event.getPluginMetricCounter(AttachmentMetricType::MAX_REQ_BODY_SIZE_UPON_TIMEOUT)
);
min_req_body_size_upon_timeout.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::MIN_REQ_BODY_SIZE_UPON_TIMEOUT)
event.getPluginMetricCounter(AttachmentMetricType::MIN_REQ_BODY_SIZE_UPON_TIMEOUT)
);
res_header_thread_timeout.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::RES_HEADER_THREAD_TIMEOUT)
event.getPluginMetricCounter(AttachmentMetricType::RES_HEADER_THREAD_TIMEOUT)
);
res_body_thread_timeout.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::RES_BODY_THREAD_TIMEOUT)
event.getPluginMetricCounter(AttachmentMetricType::RES_BODY_THREAD_TIMEOUT)
);
average_res_body_size_upon_timeout.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::AVERAGE_RES_BODY_SIZE_UPON_TIMEOUT)
event.getPluginMetricCounter(AttachmentMetricType::AVERAGE_RES_BODY_SIZE_UPON_TIMEOUT)
);
max_res_body_size_upon_timeout.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::MAX_RES_BODY_SIZE_UPON_TIMEOUT)
event.getPluginMetricCounter(AttachmentMetricType::MAX_RES_BODY_SIZE_UPON_TIMEOUT)
);
min_res_body_size_upon_timeout.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::MIN_RES_BODY_SIZE_UPON_TIMEOUT)
event.getPluginMetricCounter(AttachmentMetricType::MIN_RES_BODY_SIZE_UPON_TIMEOUT)
);
thread_failure.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::THREAD_FAILURE)
event.getPluginMetricCounter(AttachmentMetricType::THREAD_FAILURE)
);
req_proccessing_timeout.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::REQ_PROCCESSING_TIMEOUT)
event.getPluginMetricCounter(AttachmentMetricType::REQ_PROCCESSING_TIMEOUT)
);
res_proccessing_timeout.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::RES_PROCCESSING_TIMEOUT)
event.getPluginMetricCounter(AttachmentMetricType::RES_PROCCESSING_TIMEOUT)
);
req_failed_to_reach_upstream.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::REQ_FAILED_TO_REACH_UPSTREAM)
event.getPluginMetricCounter(AttachmentMetricType::REQ_FAILED_TO_REACH_UPSTREAM)
);
req_overall_size.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::REQUEST_OVERALL_SIZE_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::REQUEST_OVERALL_SIZE_COUNT)
);
res_overall_size.report(
event.getPluginMetricCounter(ngx_http_plugin_metric_type_e::RESPONSE_OVERALL_SIZE_COUNT)
event.getPluginMetricCounter(AttachmentMetricType::RESPONSE_OVERALL_SIZE_COUNT)
);
event.notifyCPU();
}

127
components/attachment-intakers/nginx_attachment/nginx_parser.cc
View File

@@ -34,7 +34,8 @@ bool is_keep_alive_ctx = getenv("SAAS_KEEP_ALIVE_HDR_NAME") != nullptr;
map<Buffer, CompressionType> NginxParser::content_encodings = {
{Buffer("identity"), CompressionType::NO_COMPRESSION},
{Buffer("gzip"), CompressionType::GZIP},
{Buffer("deflate"), CompressionType::ZLIB}
{Buffer("deflate"), CompressionType::ZLIB},
{Buffer("br"), CompressionType::BROTLI}
};
Maybe<HttpTransactionData>
@@ -180,6 +181,7 @@ getActivetenantAndProfile(const string &str, const string &deli = ",")
Maybe<vector<HttpHeader>>
NginxParser::parseRequestHeaders(const Buffer &data, const unordered_set<string> &ignored_headers)
{
dbgFlow(D_NGINX_ATTACHMENT_PARSER) << "Parsing request headers";
auto maybe_parsed_headers = genHeaders(data);
if (!maybe_parsed_headers.ok()) return maybe_parsed_headers.passErr();
@@ -188,44 +190,72 @@ NginxParser::parseRequestHeaders(const Buffer &data, const unordered_set<string>
NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
if (is_keep_alive_ctx || !ignored_headers.empty()) {
bool is_last_header_removed = false;
parsed_headers.erase(
remove_if(
parsed_headers.begin(),
parsed_headers.end(),
[&opaque, &is_last_header_removed, &ignored_headers](const HttpHeader &header)
{
string hdr_key = static_cast<string>(header.getKey());
string hdr_val = static_cast<string>(header.getValue());
if (
opaque.setKeepAliveCtx(hdr_key, hdr_val)
|| ignored_headers.find(hdr_key) != ignored_headers.end()
) {
dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Header was removed from headers list: " << hdr_key;
if (header.isLastHeader()) {
dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Last header was removed from headers list";
is_last_header_removed = true;
}
return true;
}
return false;
dbgTrace(D_NGINX_ATTACHMENT_PARSER)
<< "is_keep_alive_ctx: " << is_keep_alive_ctx
<< ", ignored_headers size: " << ignored_headers.size()
<< ", headers count before removal: " << parsed_headers.size();
// First, determine which headers would be removed
std::vector<size_t> remove_indices;
for (size_t i = 0; i < parsed_headers.size(); ++i) {
const auto &header = parsed_headers[i];
string hdr_key = static_cast<string>(header.getKey());
string hdr_val = static_cast<string>(header.getValue());
bool should_remove =
opaque.setKeepAliveCtx(hdr_key, hdr_val) ||
ignored_headers.find(hdr_key) != ignored_headers.end();
if (should_remove) {
dbgTrace(D_NGINX_ATTACHMENT_PARSER)
<< "Header should be removed from headers list: "
<< dumpHex(header.getKey());
remove_indices.push_back(i);
}
}
if (remove_indices.size() == parsed_headers.size() && !parsed_headers.empty()) {
// All headers would be removed: keep the last, mark as shouldNotLog
parsed_headers.back().setShouldNotLog();
// Remove all except the last
parsed_headers.erase(parsed_headers.begin(), parsed_headers.end() - 1);
// Ensure the last header is marked as last
parsed_headers.back().setIsLastHeader();
dbgTrace(D_NGINX_ATTACHMENT_PARSER)
<< "All headers were marked for removal. Keeping last header and marking it as shouldNotLog: "
<< dumpHex(parsed_headers.back().getKey());
} else {
// Remove the marked headers as usual
// (remove from end to start to keep indices valid)
bool is_last_header_removed = false;
for (auto it = remove_indices.rbegin(); it != remove_indices.rend(); ++it) {
if (parsed_headers[*it].isLastHeader()) {
is_last_header_removed = true;
}
),
parsed_headers.end()
);
if (is_last_header_removed) {
dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Adjusting last header flag";
if (!parsed_headers.empty()) parsed_headers.back().setIsLastHeader();
parsed_headers.erase(parsed_headers.begin() + *it);
}
dbgTrace(D_NGINX_ATTACHMENT_PARSER)
<< "Headers removal completed. Remaining headers count: "
<< parsed_headers.size();
if (is_last_header_removed) {
dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Adjusting last header flag";
if (!parsed_headers.empty()) {
parsed_headers.back().setIsLastHeader();
dbgTrace(D_NGINX_ATTACHMENT_PARSER)
<< "New last header after removal: "
<< dumpHex(parsed_headers.back().getKey());
}
}
}
}
static auto default_identifiers = UsersAllIdentifiersConfig();
auto maybe_source_identifiers =
getConfigurationWithCache<UsersAllIdentifiersConfig>("rulebase", "usersIdentifiers");
auto source_identifiers = maybe_source_identifiers.ok() ? maybe_source_identifiers.unpack() : default_identifiers;
for (const HttpHeader &header : parsed_headers) {
auto source_identifiers = getConfigurationWithDefault<UsersAllIdentifiersConfig>(
UsersAllIdentifiersConfig(),
"rulebase",
"usersIdentifiers"
);
source_identifiers.parseRequestHeaders(header);
if (!header.shouldLog()) {
continue;
}
opaque.addToSavedData(
HttpTransactionData::req_headers,
static_cast<string>(header.getKey()) + ": " + static_cast<string>(header.getValue()) + "\r\n"
@@ -419,11 +449,38 @@ NginxParser::convertToContentEncoding(const Buffer &content_encoding_header_valu
return genError("Multiple content encodings for a specific HTTP request/response body are not supported");
}
if (content_encodings.find(content_encoding_header_value) == content_encodings.end()) {
auto it = find_if(
content_encodings.begin(),
content_encodings.end(),
[&content_encoding_header_value](const pair<Buffer, CompressionType> &encoding_pair) {
bool is_equal = content_encoding_header_value.isEqualLowerCase(encoding_pair.first);
dbgTrace(D_NGINX_ATTACHMENT_PARSER)
<< "Comparing '"
<< static_cast<string>(content_encoding_header_value)
<< "' with '"
<< static_cast<string>(encoding_pair.first)
<< ". Comparison result: "
<< (is_equal ? "MATCH" : "NO MATCH");
return is_equal;
}
);
if (it == content_encodings.end()) {
dbgDebug(D_NGINX_ATTACHMENT_PARSER)
<< "No matching compression type found for: '"
<< static_cast<string>(content_encoding_header_value)
<< "'";
return genError(
"Unsupported or undefined \"Content-Encoding\" value: " +
static_cast<string>(content_encoding_header_value)
);
}
return content_encodings[content_encoding_header_value];
dbgDebug(D_NGINX_ATTACHMENT_PARSER)
<< "Successfully matched '"
<< static_cast<string>(content_encoding_header_value)
<< "' to compression type";
return it->second;
}

2
components/attachment-intakers/nginx_attachment/nginx_parser.h
View File

@@ -17,7 +17,7 @@
#include <vector>
#include "compression_utils.h"
#include "nginx_attachment_common.h"
#include "nano_attachment_common.h"
#include "http_transaction_common.h"
#include "http_inspection_events.h"
#include "i_encryptor.h"