
TLS support for HTTP handler

Open keeprocking opened this issue 8 years ago • 11 comments

As pointed out in https://github.com/keeprocking/pygelf/issues/1#issuecomment-319743003, HTTPS support should be added

keeprocking avatar Aug 27 '17 19:08 keeprocking

Unfortunately, no success with testing locally with self-signed certificates.

What I've tried:

  • generate a key-cert pair for CA
  • generate a server key and sign its cert with CA key
  • set up an HTTP input with TLS enabled and specify server key-cert pair
  • use CA cert when doing an HTTP request from client

Any help is appreciated.

keeprocking avatar Nov 21 '17 23:11 keeprocking

Hey @keeprocking are you still looking for help on this?

chilledornaments avatar Aug 17 '20 20:08 chilledornaments

Yep.

If you are willing to help, that would be great.

keeprocking avatar Aug 17 '20 21:08 keeprocking

#45 adds a new GelfHttpsHandler class. I've put some details in the PR.

I did not add any tests. I can give that a go this week.

chilledornaments avatar Aug 18 '20 14:08 chilledornaments

Thanks a lot for this!

Unfortunately, I caught a cold or something but will try to look into this as soon as possible - please give me some time. 🙂

As for the tests: that would be great. A new Graylog handler should be added to the bootstrap script (https://github.com/keeprocking/pygelf/blob/master/tests/config/bootstrap) and then just extend existing tests with a new logging handler.

keeprocking avatar Aug 18 '20 15:08 keeprocking

No rush - hope you feel better soon!

I added tests for the new handler. They all pass locally. However, I'm not able to get tests to pass with certificate verification. Still working on that.

chilledornaments avatar Aug 18 '20 17:08 chilledornaments

Ah, ok, I'm able to run tests with certificate verification now.

There are two issues with the TLS tests currently:

  1. The certificate in tests/config/ is expired
  2. Graylog throws `File does not contain valid private key` when the private key is protected by a passphrase. There was a post in the Graylog community about this.

I can include a new unencrypted keypair in the PR if you'd like, along with a change to the bootstrap script to not supply tls_key_password when creating TLS-enabled inputs.

chilledornaments avatar Aug 18 '20 18:08 chilledornaments

Smee again, alive and well. 😉

I can include a new unencrypted keypair in the PR if you'd like

Yes, please do - that'd be awesome.

keeprocking avatar Aug 22 '20 22:08 keeprocking

Done! I uncommented tests for GelfTlsHandler as well, they pass locally.

I included a slightly modified version of the /etc/pki/tls/certs/make-dummy-cert script that OpenSSL installs on RHEL so that one can easily create new keys. I've been testing with a keypair made by this script that's signed for localhost, which explains why some of the tests use localhost instead of 127.0.0.1.

I also added a step in the bootstrap script to fix ownership and permissions on tests/config/key.pem.

chilledornaments avatar Aug 23 '20 15:08 chilledornaments
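The client side of the setup discussed in this thread (trusting the CA that signed the Graylog HTTP input's certificate, and the reason a certificate issued for `localhost` does not verify when the client connects to `127.0.0.1`), as an added Python example. This is not pygelf's code and not the handler from PR #45: the class name, the parameter names (`ca_certs`, `validate`, `source`), the default port 12201 and the `/gelf` path are assumptions made for the example.

```python
"""
Hypothetical GELF-over-HTTPS logging handler (added example, not pygelf's own code).
Assumed names: GelfHttpsHandler, build_ssl_context, gelf_payload, gelf_level.
"""
import http.client
import json
import logging
import socket
import ssl
from typing import Optional

# Python logging levels mapped to the syslog severities GELF uses in "level".
GELF_LEVELS = {
    logging.CRITICAL: 2,
    logging.ERROR: 3,
    logging.WARNING: 4,
    logging.INFO: 6,
    logging.DEBUG: 7,
}


def gelf_level(levelno: int) -> int:
    """Return the syslog severity for a Python level number (anything below DEBUG -> 7)."""
    for py_level in sorted(GELF_LEVELS, reverse=True):
        if levelno >= py_level:
            return GELF_LEVELS[py_level]
    return 7


def build_ssl_context(ca_certs: Optional[str] = None, validate: bool = True) -> ssl.SSLContext:
    """
    validate=True (the safe default): the server chain is verified against the
    system trust store, or against `ca_certs` (a PEM bundle such as the CA that
    signed a test certificate), and the URL host must match the certificate's
    SAN/CN. That is why a certificate issued for "localhost" fails when the
    client talks to "127.0.0.1": the connection is encrypted but the name check
    rejects it.
    validate=False: TLS still encrypts the transport but the peer is not
    authenticated, so an on-path attacker could impersonate the log server.
    Only acceptable for throwaway local experiments.
    """
    ctx = ssl.create_default_context(cafile=ca_certs)
    if not validate:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def gelf_payload(record: logging.LogRecord, source: str) -> dict:
    """Build a GELF 1.1 message dict from a LogRecord (hypothetical field set)."""
    payload = {
        "version": "1.1",
        "host": source,
        "short_message": record.getMessage(),
        "timestamp": record.created,
        "level": gelf_level(record.levelno),
        "_logger_name": record.name,  # additional fields are underscore-prefixed in GELF
    }
    if record.exc_info:
        payload["full_message"] = logging.Formatter().formatException(record.exc_info)
    return payload


class GelfHttpsHandler(logging.Handler):
    """POST one GELF JSON document per record to a TLS-enabled Graylog HTTP input."""

    def __init__(self, host: str, port: int = 12201, path: str = "/gelf",
                 ca_certs: Optional[str] = None, validate: bool = True,
                 timeout: float = 5.0, source: Optional[str] = None):
        super().__init__()
        self.host, self.port, self.path, self.timeout = host, port, path, timeout
        self.source = source or socket.gethostname()
        self.ssl_context = build_ssl_context(ca_certs, validate)

    def emit(self, record: logging.LogRecord) -> None:
        body = json.dumps(gelf_payload(record, self.source)).encode("utf-8")
        try:
            conn = http.client.HTTPSConnection(self.host, self.port,
                                               timeout=self.timeout,
                                               context=self.ssl_context)
            conn.request("POST", self.path, body=body,
                         headers={"Content-Type": "application/json"})
            resp = conn.getresponse()
            resp.read()
            conn.close()
            if resp.status >= 400:
                raise OSError(f"Graylog input returned HTTP {resp.status}")
        except Exception:
            # A logging failure (bad cert, unreachable input) must not crash the app;
            # handleError prints the traceback to stderr and continues.
            self.handleError(record)
```

To use it against a local Graylog with a CA-signed test certificate, pass the CA bundle and connect by the name the certificate was issued for: `GelfHttpsHandler("localhost", ca_certs="tests/config/cert.pem")` (the cert path is an example). Pointing the same handler at `127.0.0.1` with `validate=True` is expected to fail the hostname check, which is the behaviour the tests in this thread work around by using `localhost`.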

You did a truly amazing job here, thank you so much!

The PR is merged into master.

keeprocking avatar Aug 24 '20 06:08 keeprocking

Happy to help!

chilledornaments avatar Aug 24 '20 12:08 chilledornaments