diff --git a/defaults/main/0_hardcoded.yml b/defaults/main/0_hardcoded.yml
index 2ca41ba..239c0f2 100644
--- a/defaults/main/0_hardcoded.yml
+++ b/defaults/main/0_hardcoded.yml
@@ -6,7 +6,6 @@ version_dehydrated: '0.7.1'
 cpu_arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}"
 HAPROXY_HC:
- valid_versions: ['2.6', '2.7', '2.8', '2.9']
 path:
 config: '/etc/haproxy/conf.d'
 map: '/etc/haproxy/map'
diff --git a/defaults/main/1_main.yml b/defaults/main/1_main.yml
index d6e65b5..c0a076f 100644
--- a/defaults/main/1_main.yml
+++ b/defaults/main/1_main.yml
@@ -90,7 +90,7 @@ defaults_frontend:
 security:
 headers: true
 fingerprint_ssl: false # create and log the JA3/JA4 fingerprint of clients
- fingerprint_ssl_type: 'ja3n' # WARNING: ja4 is not yet in a usable state!
+ fingerprint_ssl_type: 'ja4' # ja3n or ja4
 restrict_methods: false
 allow_only_methods: ['HEAD', 'GET', 'POST']
diff --git a/filter_plugins/utils.py b/filter_plugins/utils.py
index 758b757..b543584 100644
--- a/filter_plugins/utils.py
+++ b/filter_plugins/utils.py
@@ -48,14 +48,19 @@ def ssl_fingerprint_active(frontends: dict) -> bool:
 return False
 @staticmethod
- def ssl_fingerprint_ja4(frontends: dict) -> bool:
+ def ssl_fingerprint_ja4(frontends: dict, defaults_frontend: dict) -> bool:
 for fe_cnf in frontends.values():
 try:
 if fe_cnf['security']['fingerprint_ssl_type'].lower() == 'ja4':
 return True
 except KeyError:
- continue
+ try:
+ if defaults_frontend['security']['fingerprint_ssl_type'].lower() == 'ja4':
+ return True
+
+ except KeyError:
+ continue
 return False
diff --git a/tasks/main.yml b/tasks/main.yml
index f49edd9..5e10788 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
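Review bot: The `defaults_frontend` fallback in the new `except KeyError:` handler of ssl_fingerprint_ja4 is loop-invariant, yet it is re-evaluated through a nested try/except for every frontend that lacks `security.fingerprint_ssl_type`; evaluating the role default once before the loop keeps the handler flat and reads the default a single time. Behaviour is unchanged by the rewrite below: a frontend that sets the key to something other than `ja4` is never overridden by the default, and a key missing in both places still falls through to `return False`. As before this commit, a `fingerprint_ssl_type` set to `None` in either dict would raise AttributeError from `.lower()` past the KeyError handler; that is pre-existing and not changed below, but the second lookup doubles the exposure, so a `str(...)` wrap around the value may be worth adding. The enclosing class of this staticmethod starts outside the hunk.
```python
    @staticmethod
    def ssl_fingerprint_ja4(frontends: dict, defaults_frontend: dict) -> bool:
        def _is_ja4(cnf: dict) -> bool:
            try:
                return cnf['security']['fingerprint_ssl_type'].lower() == 'ja4'
            except KeyError:
                return False

        # the role default is the same for every frontend; look it up once
        default_is_ja4 = _is_ja4(defaults_frontend)
        for fe_cnf in frontends.values():
            try:
                if fe_cnf['security']['fingerprint_ssl_type'].lower() == 'ja4':
                    return True

            except KeyError:
                # frontend does not override the type, so the default applies
                if default_is_ja4:
                    return True

        return False
```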
@@ -4,7 +4,6 @@
 ansible.builtin.assert:
 that:
 - haproxy is defined
- - HAPROXY_CONFIG.version in HAPROXY_HC.valid_versions
 # make sure we will be able to auto-download geoip dbs
 - not HAPROXY_CONFIG.geoip.enable|bool or not HAPROXY_CONFIG.geoip.manage_db|bool or HAPROXY_CONFIG.geoip.token|default(none, true) is not none
 - not HAPROXY_CONFIG.geoip.enable|bool or not HAPROXY_CONFIG.geoip.manage_db|bool or HAPROXY_CONFIG.geoip.provider in HAPROXY_HC.valid_geoip_providers
diff --git a/templates/etc/haproxy/conf.d/inc/security_only_fe.j2 b/templates/etc/haproxy/conf.d/inc/security_only_fe.j2
index 482cd2d..b172d47 100644
--- a/templates/etc/haproxy/conf.d/inc/security_only_fe.j2
+++ b/templates/etc/haproxy/conf.d/inc/security_only_fe.j2
@@ -6,10 +6,10 @@
 {% endif %}
 {% if cnf.security.fingerprint_ssl | bool %}
 # SSL fingerprint
-{% if cnf.security.fingerprint_ssl_type | lower == 'ja4' %}
+{% if cnf.security.fingerprint_ssl_type | lower == 'ja4' and HAPROXY_CONFIG.version is version('3.1', '>=') %}
 http-request lua.fingerprint_ja4
 http-request capture var(txn.fingerprint_ssl) len 36
-{% else %}
+{% elif cnf.security.fingerprint_ssl_type | lower == 'ja3n' %}
 http-request lua.fingerprint_ja3n
 http-request capture var(txn.fingerprint_ssl) len 32
 {% endif %}
diff --git a/templates/etc/haproxy/haproxy.cfg.j2 b/templates/etc/haproxy/haproxy.cfg.j2
index 3973687..627d420 100644
--- a/templates/etc/haproxy/haproxy.cfg.j2
+++ b/templates/etc/haproxy/haproxy.cfg.j2
@@ -10,7 +10,7 @@ global
 lua-load {{ HAPROXY_HC.path.lua }}/geoip.lua
 {% endif %}
 {% if HAPROXY_CONFIG.frontends | ssl_fingerprint_active %}
-{% if HAPROXY_CONFIG.frontends | ssl_fingerprint_ja4 %}
+{% if HAPROXY_CONFIG.frontends | ssl_fingerprint_ja4(defaults_frontend) and HAPROXY_CONFIG.version is version('3.1', '>=') %}
 lua-load {{ HAPROXY_HC.path.lua }}/ja4.lua
 {% if 'tune.ssl.capture-buffer-size' not in HAPROXY_CONFIG.global %}
 tune.ssl.capture-buffer-size 128
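Review bot: Dropping the `HAPROXY_CONFIG.version in HAPROXY_HC.valid_versions` assertion leaves `HAPROXY_CONFIG.version` entirely unvalidated, while the two template hunks in this commit now compare it with `version('3.1', '>=')`; an undefined or non-numeric value would presumably fail inside template rendering instead of in this early, readable assert. If the supported-version list is intentionally gone, a minimal guard such as `- HAPROXY_CONFIG.version is defined` in the `that:` list keeps the failure at the validation step. The assert task itself starts before the hunk.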
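Review bot: With the new default `fingerprint_ssl_type: 'ja4'` from the 1_main.yml hunk, a frontend that has `fingerprint_ssl: true` on a HAProxy older than 3.1 matches neither the version-gated `if` nor the `ja3n`-only `elif`, so `# SSL fingerprint` is emitted with no `http-request` lines under it and the fingerprint is silently neither captured nor logged even though the operator enabled the control. Either degrade to ja3n on older versions by keeping `{% else %}` in place of the new `{% elif cnf.security.fingerprint_ssl_type | lower == 'ja3n' %}` (presumably the ja3n module is still loaded under the `ssl_fingerprint_active` gate in haproxy.cfg.j2, as before this commit), or reject `ja4` with `HAPROXY_CONFIG.version < 3.1` in tasks/main.yml so the gap is visible at validation time. The same gate in the haproxy.cfg.j2 hunk, `ssl_fingerprint_ja4(defaults_frontend) and HAPROXY_CONFIG.version is version('3.1', '>=')`, is consistent with the `else` variant since ja4.lua is only loaded when the ja4 branch can actually render. An unrecognised value such as `ja3` now also renders nothing; validating the allowed values (`ja3n`, `ja4`) alongside the version would catch that early.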