envoy: log mtls failures (#5210)

envoy: log mtls failures

This implements limited listener-based access logging for downstream
transport failures, only enabled when downstream_mtls.enforcement is
set to 'reject_connection'. Client certificate details and the error
message will be logged.

Additionally, the new key 'client-certificate' can be set in the
access_log_fields list in the configuration, which will add peer
certificate properties (issuer, subject, SANs) to the existing
per-request http logs.

---------

Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
Joe Kralicky 2024-08-09 14:05:10 -04:00 committed by GitHub
parent c196921e87
commit 554e77bc7c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 111 additions and 19 deletions


@ -24,6 +24,7 @@ const (
AccessLogFieldSize AccessLogField = "size"
AccessLogFieldUpstreamCluster AccessLogField = "upstream-cluster"
AccessLogFieldUserAgent AccessLogField = "user-agent"
AccessLogFieldClientCertificate AccessLogField = "client-certificate"
)
var defaultAccessLogFields = []AccessLogField{
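Review bot: the new `AccessLogFieldClientCertificate` constant carries no doc comment, unlike the surrounding exported fields; add a one-line comment stating which peer certificate properties it emits (the commit message names issuer, subject and SANs) so that the meaning of `"client-certificate"` is discoverable from the code. Note also that the field is deliberately not appended to `defaultAccessLogFields` here, which matches the opt-in behaviour described in the commit message, but a comment making that choice explicit would prevent a later change from silently enabling certificate logging for every request.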
@ -64,6 +65,7 @@ var accessLogFieldLookup = map[AccessLogField]struct{}{
AccessLogFieldSize: {},
AccessLogFieldUpstreamCluster: {},
AccessLogFieldUserAgent: {},
AccessLogFieldClientCertificate: {},
}
// Validate returns an error if the access log field is invalid.
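Review bot: adding `AccessLogFieldClientCertificate: {}` to `accessLogFieldLookup` is what makes `Validate` accept `"client-certificate"` in `access_log_fields`, so this hunk should be paired with a table-driven test that asserts the new key validates and that an unknown key still fails, and the configuration documentation for `access_log_fields` should be updated to list the new key together with the fact that it only adds data when a peer certificate is actually presented.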