prepare for JA4 ssl-fingerprint

ansibleguy · Aug 25, 2024 · 7e83b86 · 7e83b86
1 parent c197d82
commit 7e83b86
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 56 deletions.
diff --git a/defaults/main/0_hardcoded.yml b/defaults/main/0_hardcoded.yml
@@ -50,6 +50,8 @@ HAPROXY_HC:
     geoip_maxmind_country: "https://download.maxmind.com/geoip/databases/GeoLite2-ASN/download?suffix=tar.gz"
     geoip_maxmind_asn: "https://download.maxmind.com/geoip/databases/GeoLite2-ASN/download?suffix=tar.gz"
     acme_script: "https://github.com/dehydrated-io/dehydrated/releases/download/v{{ version_dehydrated }}/dehydrated-{{ version_dehydrated }}.tar.gz"
+    ja3n_script: 'https://raw.githubusercontent.com/O-X-L/haproxy-ja3n/latest/ja3n.lua'
+    ja4_script: 'https://raw.githubusercontent.com/O-X-L/haproxy-ja4/latest/ja4.lua'
 
   valid_geoip_providers: ['ipinfo', 'maxmind']
   user_geoip: 'haproxy-geoip'

diff --git a/defaults/main/1_main.yml b/defaults/main/1_main.yml
@@ -89,7 +89,8 @@ defaults_frontend:
   ssl_redirect: true
   security:
     headers: true
-    fingerprint_ssl: false  # create and log the JA3 fingerprint of clients
+    fingerprint_ssl: false  # create and log the JA3/JA4 fingerprint of clients
+    fingerprint_ssl_type: 'ja3n'  # WARNING: ja4 is not yet in a usable state!
 
     restrict_methods: false
     allow_only_methods: ['HEAD', 'GET', 'POST']

diff --git a/filter_plugins/utils.py b/filter_plugins/utils.py
@@ -10,6 +10,7 @@ def filters(self):
             "is_dict": self.is_dict,
             "safe_key": self.safe_key,
             "ssl_fingerprint_active": self.ssl_fingerprint_active,
+            "ssl_fingerprint_ja4": self.ssl_fingerprint_ja4,
             "build_route": self.build_route,
             "join_w_excludes": self.join_w_excludes,
         }
@@ -46,6 +47,18 @@ def ssl_fingerprint_active(frontends: dict) -> bool:
 
         return False
 
+    @staticmethod
+    def ssl_fingerprint_ja4(frontends: dict) -> bool:
+        for fe_cnf in frontends.values():
+            try:
+                if fe_cnf['security']['fingerprint_ssl_type'].lower() == 'ja4':
+                    return True
+
+            except KeyError:
+                continue
+
+        return False
+
     @staticmethod
     def is_truthy(v: (bool, str, int)) -> bool:
         return v in [True, 'yes', 'y', 'Yes', 'YES', 'true', 1, '1']

diff --git a/tasks/debian/install.yml b/tasks/debian/install.yml
@@ -98,11 +98,22 @@
     name: 'haproxy.service'
     enabled: true
 
-- name: HAProxy | Install | Add LUA SSL-Fingerprint (JA3N) module
-  ansible.builtin.template:
-    src: "templates{{ HAPROXY_HC.path.lua }}/ja3n.lua.j2"
+- name: HAProxy | Install | Download SSL-Fingerprint plugin (JA3N)
+  ansible.builtin.get_url:
+    url: "{{ HAPROXY_HC.url.ja3n_script }}"
     dest: "{{ HAPROXY_HC.path.lua }}/ja3n.lua"
     owner: 'root'
     group: 'haproxy'
     mode: 0750
   tags: lua
+
+- name: HAProxy | Install | Download SSL-Fingerprint plugin (JA4)
+  ansible.builtin.get_url:
+    url: "{{ HAPROXY_HC.url.ja4_script }}"
+    dest: "{{ HAPROXY_HC.path.lua }}/ja4.lua"
+    owner: 'root'
+    group: 'haproxy'
+    mode: 0750
+  tags: lua
+
+# todo: opt-in for JA4-DB lookups + map update service (https://github.com/O-X-L/haproxy-ja4)
diff --git a/templates/etc/haproxy/conf.d/inc/security_only_fe.j2 b/templates/etc/haproxy/conf.d/inc/security_only_fe.j2
@@ -6,6 +6,11 @@
 {% endif %}
 {% if cnf.security.fingerprint_ssl | bool %}
     # SSL fingerprint
+{%   if cnf.security.fingerprint_ssl_type | lower == 'ja4' %}
+    http-request lua.fingerprint_ja4
+    http-request capture var(txn.fingerprint_ssl) len 36
+{%   else %}
     http-request lua.fingerprint_ja3n
     http-request capture var(txn.fingerprint_ssl) len 32
+{%   endif %}
 {% endif %}
diff --git a/templates/etc/haproxy/haproxy.cfg.j2 b/templates/etc/haproxy/haproxy.cfg.j2
@@ -10,9 +10,16 @@ global
     lua-load {{ HAPROXY_HC.path.lua }}/geoip.lua
 {% endif %}
 {% if HAPROXY_CONFIG.frontends | ssl_fingerprint_active %}
+{%   if HAPROXY_CONFIG.frontends | ssl_fingerprint_ja4 %}
+    lua-load {{ HAPROXY_HC.path.lua }}/ja4.lua
+{%     if 'tune.ssl.capture-buffer-size' not in HAPROXY_CONFIG.global %}
+    tune.ssl.capture-buffer-size 128
+{%     endif %}
+{%  else %}
     lua-load {{ HAPROXY_HC.path.lua }}/ja3n.lua
-{%   if 'tune.ssl.capture-buffer-size' not in HAPROXY_CONFIG.global %}
+{%     if 'tune.ssl.capture-buffer-size' not in HAPROXY_CONFIG.global %}
     tune.ssl.capture-buffer-size 96
+{%     endif %}
 {%   endif %}
 {% endif %}
 

diff --git a/templates/etc/haproxy/lua/ja3n.lua.j2 b/templates/etc/haproxy/lua/ja3n.lua.j2