fix ja4 client-tls-fingerprinting

ansibleguy · Dec 6, 2024 · dd134d9 · dd134d9
1 parent 0a9322b
commit dd134d9
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 8 deletions.
diff --git a/defaults/main/0_hardcoded.yml b/defaults/main/0_hardcoded.yml
@@ -6,7 +6,6 @@ version_dehydrated: '0.7.1'
 cpu_arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}"
 
 HAPROXY_HC:
-  valid_versions: ['2.6', '2.7', '2.8', '2.9']
   path:
     config: '/etc/haproxy/conf.d'
     map: '/etc/haproxy/map'

diff --git a/defaults/main/1_main.yml b/defaults/main/1_main.yml
@@ -90,7 +90,7 @@ defaults_frontend:
   security:
     headers: true
     fingerprint_ssl: false  # create and log the JA3/JA4 fingerprint of clients
-    fingerprint_ssl_type: 'ja3n'  # WARNING: ja4 is not yet in a usable state!
+    fingerprint_ssl_type: 'ja4'  # ja3n or ja4
 
     restrict_methods: false
     allow_only_methods: ['HEAD', 'GET', 'POST']

diff --git a/filter_plugins/utils.py b/filter_plugins/utils.py
@@ -48,14 +48,19 @@ def ssl_fingerprint_active(frontends: dict) -> bool:
         return False
 
     @staticmethod
-    def ssl_fingerprint_ja4(frontends: dict) -> bool:
+    def ssl_fingerprint_ja4(frontends: dict, defaults_frontend: dict) -> bool:
         for fe_cnf in frontends.values():
             try:
                 if fe_cnf['security']['fingerprint_ssl_type'].lower() == 'ja4':
                     return True
 
             except KeyError:
-                continue
+                try:
+                    if defaults_frontend['security']['fingerprint_ssl_type'].lower() == 'ja4':
+                        return True
+
+                except KeyError:
+                    continue
 
         return False
 

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -4,7 +4,6 @@
   ansible.builtin.assert:
     that:
       - haproxy is defined
-      - HAPROXY_CONFIG.version in HAPROXY_HC.valid_versions
       # make sure we will be able to auto-download geoip dbs
       - not HAPROXY_CONFIG.geoip.enable|bool or not HAPROXY_CONFIG.geoip.manage_db|bool or HAPROXY_CONFIG.geoip.token|default(none, true) is not none
       - not HAPROXY_CONFIG.geoip.enable|bool or not HAPROXY_CONFIG.geoip.manage_db|bool or HAPROXY_CONFIG.geoip.provider in HAPROXY_HC.valid_geoip_providers

diff --git a/templates/etc/haproxy/conf.d/inc/security_only_fe.j2 b/templates/etc/haproxy/conf.d/inc/security_only_fe.j2
@@ -6,10 +6,10 @@
 {% endif %}
 {% if cnf.security.fingerprint_ssl | bool %}
     # SSL fingerprint
-{%   if cnf.security.fingerprint_ssl_type | lower == 'ja4' %}
+{%   if cnf.security.fingerprint_ssl_type | lower == 'ja4' and HAPROXY_CONFIG.version is version('3.1', '>=') %}
     http-request lua.fingerprint_ja4
     http-request capture var(txn.fingerprint_ssl) len 36
-{%   else %}
+{%   elif cnf.security.fingerprint_ssl_type | lower == 'ja3n' %}
     http-request lua.fingerprint_ja3n
     http-request capture var(txn.fingerprint_ssl) len 32
 {%   endif %}

diff --git a/templates/etc/haproxy/haproxy.cfg.j2 b/templates/etc/haproxy/haproxy.cfg.j2
@@ -10,7 +10,7 @@ global
     lua-load {{ HAPROXY_HC.path.lua }}/geoip.lua
 {% endif %}
 {% if HAPROXY_CONFIG.frontends | ssl_fingerprint_active %}
-{%   if HAPROXY_CONFIG.frontends | ssl_fingerprint_ja4 %}
+{%   if HAPROXY_CONFIG.frontends | ssl_fingerprint_ja4(defaults_frontend) and HAPROXY_CONFIG.version is version('3.1', '>=') %}
     lua-load {{ HAPROXY_HC.path.lua }}/ja4.lua
 {%     if 'tune.ssl.capture-buffer-size' not in HAPROXY_CONFIG.global %}
     tune.ssl.capture-buffer-size 128