diff --git a/falco.yaml b/falco.yaml
index 64c064b221b..4c4e3a055da 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -401,6 +401,15 @@ http_output:
   enabled: false
   url: http://some.url
   user_agent: "falcosecurity/falco"
+  # Tell Falco to not verify the remote server.
+  insecure: false
+  # Path to the CA certificate that can verify the remote server.
+  ca_cert: ""
+  # Path to a specific file that will be used as the CA certificate store.
+  ca_bundle: ""
+  # Path to a folder that will be used as the CA certificate store. CA certificate need to be
+  # stored as indivitual PEM files in this directory.
+  ca_path: "/etc/ssl/certs"
 
 # Falco supports running a gRPC server with two main binding types
 # 1. Over the network with mandatory mutual TLS authentication (mTLS)
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index a3d9f64535a..a7ed9cfc44e 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -177,6 +177,22 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 	user_agent = config.get_scalar("http_output.user_agent","falcosecurity/falco");
 	http_output.options["user_agent"] = user_agent;
 
+	bool insecure;
+	insecure = config.get_scalar("http_output.insecure", false);
+	http_output.options["insecure"] = insecure? std::string("True") : std::string("False");
+
+	std::string ca_cert;
+	ca_cert = config.get_scalar("http_output.ca_cert", "");
+	http_output.options["ca_cert"] = ca_cert;
+
+	std::string ca_bundle;
+	ca_bundle = config.get_scalar("http_output.ca_bundle", "");
+	http_output.options["ca_bundle"] = ca_bundle;
+
+	std::string ca_path;
+	ca_path = config.get_scalar("http_output.ca_path", "/etc/ssl/certs");
+	http_output.options["ca_path"] = ca_path;
+
 	m_outputs.push_back(http_output);
 }
 
diff --git a/userspace/falco/outputs_http.cpp b/userspace/falco/outputs_http.cpp
index 09ef389dc34..112b5e78859 100644
--- a/userspace/falco/outputs_http.cpp
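Review bot: The comment on `insecure` understates what the flag does: per the outputs_http.cpp hunk it switches off both `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`, so the output channel is no longer authenticated at all, and the comment should say so: `# Disable TLS verification of the remote server (peer certificate and hostname). Intended for testing only.` The `ca_path` comment has a typo and a number-agreement slip: `# stored as individual PEM files in this directory.` and `CA certificates need to be`. It would also help operators to state that `ca_cert` and `ca_bundle` are alternatives that, when set, take precedence over `ca_path`, since nothing in the YAML makes that ordering visible.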
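Review bot: `ca_cert` and `ca_bundle` are both forwarded to `CURLOPT_CAINFO` by outputs_http.cpp with `ca_cert` winning, so a configuration that sets both silently ignores `ca_bundle`; load_yaml is where that should be caught, e.g. `if(!ca_cert.empty() && !ca_bundle.empty()) { throw std::logic_error("http_output: ca_cert and ca_bundle are mutually exclusive"); }` if this function follows the rest of the file in rejecting invalid config, otherwise a logged warning. The `insecure` value is also stored as the literal strings "True"/"False" and the consumer compares against that exact spelling, which deserves a comment such as `// outputs_http.cpp compares this against "True" verbatim`. As a point of style, the declare-then-assign pairs (`bool insecure; insecure = ...;` and the three `std::string` ones) read more naturally as `const bool insecure = config.get_scalar("http_output.insecure", false);`. load_yaml continues outside this hunk.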
+++ b/userspace/falco/outputs_http.cpp
@@ -34,15 +34,58 @@ void falco::outputs::output_http::output(const message *msg)
 		}
 		else
 		{
 			slist1 = curl_slist_append(slist1, "Content-Type: text/plain");
 		}
+		res = curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist1);
 
-		curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist1);
-		curl_easy_setopt(curl, CURLOPT_URL, m_oc.options["url"].c_str());
-		curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg->msg.c_str());
-		curl_easy_setopt(curl, CURLOPT_USERAGENT, m_oc.options["user_agent"].c_str());
-		curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);
+		if(res == CURLE_OK)
+		{
+			res = curl_easy_setopt(curl, CURLOPT_URL, m_oc.options["url"].c_str());
+		}
+
+		if(res == CURLE_OK)
+		{
+			res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg->msg.c_str());
+		}
+
+		if(res == CURLE_OK)
+		{
+			res = curl_easy_setopt(curl, CURLOPT_USERAGENT, m_oc.options["user_agent"].c_str());
+		}
+
+		if(res == CURLE_OK)
+		{
+			res = curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);
+		}
+
+		if(res == CURLE_OK)
+		{
+			if(m_oc.options["insecure"] == std::string("True"))
+			{
+				res = curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER, 0L);
+				if(res == CURLE_OK)
+				{
+					res = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
+				}
+			}
+		}
 
-		res = curl_easy_perform(curl);
+		if(res == CURLE_OK)
+		{
+			if (!m_oc.options["ca_cert"].empty())
+			{
+				res = curl_easy_setopt(curl, CURLOPT_CAINFO, m_oc.options["ca_cert"].c_str());
+			}else if(!m_oc.options["ca_bundle"].empty())
+			{
+				res = curl_easy_setopt(curl, CURLOPT_CAINFO, m_oc.options["ca_bundle"].c_str());
+			}else{
+				res = curl_easy_setopt(curl, CURLOPT_CAPATH, m_oc.options["ca_path"].c_str());
+			}
+		}
+
+		if(res == CURLE_OK)
+		{
+			res = curl_easy_perform(curl);
+		}
 		if(res != CURLE_OK)
 		{
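Review bot: When `m_oc.options["insecure"]` is `"True"` the new block disables both `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` without leaving any trace, so an operator cannot tell from the logs that alerts are being delivered over an unauthenticated TLS channel; a single warning when the output is constructed (outside this hunk) would make that visible, since logging per message here would be noisy. The comparison also builds a temporary on every send: `if(m_oc.options["insecure"] == "True")` is sufficient. The fallback branch applies `/etc/ssl/certs` through `CURLOPT_CAPATH` whenever no file is configured, and libcurl honours that option only with some TLS backends, so a note such as `// CURLOPT_CAPATH is ignored by TLS backends without directory lookup; ca_cert/ca_bundle is the portable option` would save a future reader a debugging session. The body of `output()` continues past the end of the hunk.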