

new(falco/config): add new configuration for http_output
Support for user provided CA certificate that can verify the remote server. Users
can provide a path to the CA certificate store by providing a path to the dir or to the
CA store file. If needed users can decide to tell Falco to not verify the server.

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
alacuku committed Mar 30, 2023
1 parent 7f4fb62 commit ba3e236
Showing 3 changed files with 74 additions and 6 deletions.
9 changes: 9 additions & 0 deletions falco.yaml
Expand Up @@ -408,6 +408,15 @@ http_output:
enabled: false
url: http://some.url
user_agent: "falcosecurity/falco"
# Tell Falco to not verify the remote server.
insecure: false
# Path to the CA certificate that can verify the remote server.
ca_cert: ""
# Path to a specific file that will be used as the CA certificate store.
ca_bundle: ""
# Path to a folder that will be used as the CA certificate store. CA certificate need to be
# stored as indivitual PEM files in this directory.
ca_path: "/etc/ssl/certs"

# Falco supports running a gRPC server with two main binding types
# 1. Over the network with mandatory mutual TLS authentication (mTLS)
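Review bot: The comments on the new keys do not say how they interact, and the `insecure` comment understates what it does; in the code that consumes them (outputs_http.cpp in this commit) `ca_cert` takes precedence over `ca_bundle`, which takes precedence over `ca_path`, and `insecure: true` switches off both certificate and hostname verification. Suggest `# Tell Falco to not verify the remote server. Disables both certificate and hostname verification; intended for testing only.` for the `insecure` key, and `# Only used when neither ca_cert nor ca_bundle is set.` on `ca_path`. Since `ca_cert` and `ca_bundle` both end up in the same libcurl option, a sentence explaining when a user would pick one over the other would help. "indivitual" on the `ca_path` comment should read "individual".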
16 changes: 16 additions & 0 deletions userspace/falco/configuration.cpp
Expand Up @@ -178,6 +178,22 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
user_agent = config.get_scalar<std::string>("http_output.user_agent","falcosecurity/falco");
http_output.options["user_agent"] = user_agent;

bool insecure;
insecure = config.get_scalar<bool>("http_output.insecure", false);
http_output.options["insecure"] = insecure? std::string("true") : std::string("false");

std::string ca_cert;
ca_cert = config.get_scalar<std::string>("http_output.ca_cert", "");
http_output.options["ca_cert"] = ca_cert;

std::string ca_bundle;
ca_bundle = config.get_scalar<std::string>("http_output.ca_bundle", "");
http_output.options["ca_bundle"] = ca_bundle;

std::string ca_path;
ca_path = config.get_scalar<std::string>("http_output.ca_path", "/etc/ssl/certs");
http_output.options["ca_path"] = ca_path;

m_outputs.push_back(http_output);
}

55 changes: 49 additions & 6 deletions userspace/falco/outputs_http.cpp
Expand Up @@ -34,15 +34,58 @@ void falco::outputs::output_http::output(const message *msg)
} else {
slist1 = curl_slist_append(slist1, "Content-Type: text/plain");
}
res = curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist1);

curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist1);
curl_easy_setopt(curl, CURLOPT_URL, m_oc.options["url"].c_str());
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg->msg.c_str());
curl_easy_setopt(curl, CURLOPT_USERAGENT, m_oc.options["user_agent"].c_str());
curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);
if(res == CURLE_OK)
{
res = curl_easy_setopt(curl, CURLOPT_URL, m_oc.options["url"].c_str());
}

if(res == CURLE_OK)
{
res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg->msg.c_str());
}

if(res == CURLE_OK)
{
res = curl_easy_setopt(curl, CURLOPT_USERAGENT, m_oc.options["user_agent"].c_str());
}

if(res == CURLE_OK)
{
res = curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);
}

if(res == CURLE_OK)
{
if(m_oc.options["insecure"] == std::string("true"))
{
res = curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER, 0L);

if(res == CURLE_OK)
{
res = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
}
}
}

res = curl_easy_perform(curl);
if(res == CURLE_OK)
{
if (!m_oc.options["ca_cert"].empty())
{
res = curl_easy_setopt(curl, CURLOPT_CAINFO, m_oc.options["ca_cert"].c_str());
}else if(!m_oc.options["ca_bundle"].empty())
{
res = curl_easy_setopt(curl, CURLOPT_CAINFO, m_oc.options["ca_bundle"].c_str());
}else{
res = curl_easy_setopt(curl, CURLOPT_CAPATH, m_oc.options["ca_path"].c_str());
}
}

if(res == CURLE_OK)
{
res = curl_easy_perform(curl);
}

if(res != CURLE_OK)
{
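Review bot: The insecure branch disables both CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST without leaving any trace, so a deployment whose alerts are sent to an unauthenticated endpoint looks identical at runtime to a verified one; a warning when the option is honoured, e.g. `falco_logger::log(LOG_WARNING, "http_output: insecure is set, server certificate and hostname are not verified");` (here, or once at config load so it is not repeated per alert), would make that state visible to whoever reads the logs. The CA selection that follows still runs when verification is off, which is harmless but deserves a short comment, and since `ca_cert` and `ca_bundle` both feed CURLOPT_CAINFO the else-if chain is the only thing encoding their precedence — `// precedence: ca_cert > ca_bundle > ca_path` above it would save the next reader a trip to the config file. Minor style: `curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER, 0L)` is missing the space after the first comma that every other call in the hunk has. output() starts and ends outside the hunk.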
