Class: LogCourier::ServerTcp
- Inherits:
-
Object
- Object
- LogCourier::ServerTcp
- Defined in:
- lib/log-courier/server_tcp.rb
Overview
TLS transport implementation for server
Instance Attribute Summary collapse
-
#port ⇒ Object
readonly
Returns the value of attribute port.
Instance Method Summary collapse
-
#initialize(options = {}) ⇒ ServerTcp
constructor
Create a new TLS transport endpoint.
- #run(&block) ⇒ Object
Constructor Details
#initialize(options = {}) ⇒ ServerTcp
Create a new TLS transport endpoint
56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 |
# File 'lib/log-courier/server_tcp.rb', line 56 def initialize( = {}) @options = { logger: nil, transport: 'tls', port: 0, address: '0.0.0.0', ssl_certificate: nil, ssl_key: nil, ssl_key_passphrase: nil, ssl_verify: false, ssl_verify_default_ca: false, ssl_verify_ca: nil, max_packet_size: 10_485_760, add_peer_fields: false, min_tls_version: 1.2, disable_handshake: false, }.merge!() @logger = @options[:logger] if @options[:transport] == 'tls' [:ssl_certificate, :ssl_key].each do |k| raise "input/courier: '#{k}' is required" if @options[k].nil? end if @options[:ssl_verify] && (!@options[:ssl_verify_default_ca] && @options[:ssl_verify_ca].nil?) raise 'input/courier: Either \'ssl_verify_default_ca\' or \'ssl_verify_ca\' must be specified when ssl_verify is true' end end begin @tcp_server = ExtendedTCPServer.new(@options[:address], @options[:port]) # Query the port in case the port number is '0' # TCPServer#addr == [ address_family, port, address, address ] @port = @tcp_server.addr[1] if @options[:transport] == 'tls' ssl = OpenSSL::SSL::SSLContext.new # Disable SSLv2 and SSLv3 # Call set_params first to ensure options attribute is there (hmmmm?) ssl.set_params # Modify the default options to ensure SSLv2 and SSLv3 is disabled # This retains any beneficial options set by default in the current Ruby implementation # TODO: https://github.com/jruby/jruby-openssl/pull/215 is fixed in JRuby 9.3.0.0 # As of 7.15 Logstash, JRuby version is still 9.2 # Once 9.3 is in use we can switch to using min_version and max_version ssl. |= OpenSSL::SSL::OP_NO_SSLv2 ssl. |= OpenSSL::SSL::OP_NO_SSLv3 ssl. |= OpenSSL::SSL::OP_NO_TLSv1 if @options[:min_tls_version] > 1 ssl. |= OpenSSL::SSL::OP_NO_TLSv1_1 if @options[:min_tls_version] > 1.1 ssl. |= OpenSSL::SSL::OP_NO_TLSv1_2 if @options[:min_tls_version] > 1.2 raise 'Invalid min_tls_version - max is 1.3' if @options[:min_tls_version] > 1.3 # Set the certificate file ssl.cert = OpenSSL::X509::Certificate.new(File.read(@options[:ssl_certificate])) ssl.key = OpenSSL::PKey::RSA.new(File.read(@options[:ssl_key]), @options[:ssl_key_passphrase]) if @options[:ssl_verify] cert_store = OpenSSL::X509::Store.new # Load the system default certificate path to the store cert_store.set_default_paths if @options[:ssl_verify_default_ca] if File.directory?(@options[:ssl_verify_ca]) cert_store.add_path(@options[:ssl_verify_ca]) else cert_store.add_file(@options[:ssl_verify_ca]) end ssl.cert_store = cert_store ssl.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT end # Create the OpenSSL server - set start_immediately to false so we can multithread handshake @server = OpenSSL::SSL::SSLServer.new(@tcp_server, ssl) @server.start_immediately = false else @server = @tcp_server end @logger&.warn 'Ephemeral port allocated', transport: @options[:transport], port: @port if @options[:port].zero? rescue StandardError => e raise "input/courier: Failed to initialise: #{e}" end end |
Instance Attribute Details
#port ⇒ Object (readonly)
Returns the value of attribute port.
53 54 55 |
# File 'lib/log-courier/server_tcp.rb', line 53 def port @port end |
Instance Method Details
#run(&block) ⇒ Object
145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 |
# File 'lib/log-courier/server_tcp.rb', line 145 def run(&block) client_threads = {} loop do # Because start_immediately is false, TCP accept is single thread but # handshake is essentiall multithreaded as we defer it to the thread @tcp_server.reset_peer client = nil begin client = @server.accept rescue OpenSSL::SSL::SSLError, IOError => e # Accept failure or other issue @logger&.warn 'Connection failed to accept', error: e., peer: @tcp_server.peer begin client&.close rescue OpenSSL::SSL::SSLError, IOError # Ignore IO error during close end next end @logger&.info 'New connection', peer: @tcp_server.peer # Clear up finished threads client_threads.delete_if do |_, thr| !thr.alive? end # Start a new connection thread client_threads[client] = Thread.new(client, @tcp_server.peer) do |client_copy, peer_copy| run_thread client_copy, peer_copy, &block end end nil rescue ShutdownSignal nil rescue StandardError => e # Some other unknown problem @logger&.warn e., hint: 'Unknown error, shutting down' nil ensure # Raise shutdown in all client threads and join then client_threads.each do |_, thr| thr.raise ShutdownSignal end client_threads.each(&:join) @tcp_server.close end |