
Commit ce51f73

committed
Enable TLS Fingerprinting configuration
1 parent 00812a4 commit ce51f73

30 files changed

+401
-121
lines changed

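--- a/apis/projectcontour/v1alpha1/contourconfig.go
+++ b/apis/projectcontour/v1alpha1/contourconfig.go
@@ -508,6 +508,16 @@ type EnvoyTLS struct {
 // Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
 // +optional
 CipherSuites []string `json:"cipherSuites,omitempty"`
+
+// EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
+// When true, populates JA3 hash in dynamic metadata.
+// +optional
+EnableJA3Fingerprinting *bool `json:"enableJA3Fingerprinting,omitempty"`
+
+// EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
+// When true, populates JA4 hash in dynamic metadata.
+// +optional
+EnableJA4Fingerprinting *bool `json:"enableJA4Fingerprinting,omitempty"`
 }
 
 // EnvoyListener defines parameters for an Envoy Listener.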
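Review bot: The doc comments on EnableJA3Fingerprinting and EnableJA4Fingerprinting do not say what an unset value means, and since both fields are `*bool` with `omitempty`, nil is the state most deployments will run with. Suggest adding `// Defaults to false (fingerprinting disabled) when unset.` to each field, assuming that is how the consumer treats nil, which is not visible in this hunk. It would also help operators to say where the hash can be consumed beyond "dynamic metadata" (for example whether it is available to access logging), since the fingerprint is per-connection telemetry derived from the client's handshake and its usefulness for detection depends on it being surfaced somewhere. The EnvoyTLS struct starts outside the hunk.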

apis/projectcontour/v1alpha1/zz_generated.deepcopy.go

Lines changed: 10 additions & 0 deletions

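--- a/cmd/contour/serve.go
+++ b/cmd/contour/serve.go
@@ -454,6 +454,8 @@ func (s *Server) doServe() error {
 MinimumTLSVersion: annotation.TLSVersion(contourConfiguration.Envoy.Listener.TLS.MinimumProtocolVersion, "1.2"),
 MaximumTLSVersion: annotation.TLSVersion(contourConfiguration.Envoy.Listener.TLS.MaximumProtocolVersion, "1.3"),
 CipherSuites: contourConfiguration.Envoy.Listener.TLS.SanitizedCipherSuites(),
+EnableJA3Fingerprinting: contourConfiguration.Envoy.Listener.TLS.EnableJA3Fingerprinting,
+EnableJA4Fingerprinting: contourConfiguration.Envoy.Listener.TLS.EnableJA4Fingerprinting,
 Timeouts: timeouts,
 DefaultHTTPVersions: parseDefaultHTTPVersions(contourConfiguration.Envoy.DefaultHTTPVersions),
 AllowChunkedLength: !*contourConfiguration.Envoy.Listener.DisableAllowChunkedLength,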
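Review bot: EnableJA3Fingerprinting and EnableJA4Fingerprinting are handed through as raw `*bool`, whereas the neighbouring DisableAllowChunkedLength is dereferenced unconditionally, which implies that field is defaulted before this point; nothing in the hunk shows the two new pointers being defaulted, so the receiving listener config must nil-check them or a later dereference would panic on a config that omits them. If defaulting happens elsewhere (not visible here), a one-line comment on these two assignments saying so would spare the next reader the search; otherwise consider resolving them to a plain bool with an explicit false default at this call site, as is already done for the cipher suites via SanitizedCipherSuites(). The same pointer pass-through appears in the cmd/contour/servecontext.go hunk. doServe continues outside the hunk.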

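--- a/cmd/contour/servecontext.go
+++ b/cmd/contour/servecontext.go
@@ -558,9 +558,11 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_v1alpha1.Co
 HTTP2MaxConcurrentStreams: ctx.Config.Listener.HTTP2MaxConcurrentStreams,
 MaxConnectionsPerListener: ctx.Config.Listener.MaxConnectionsPerListener,
 TLS: &contour_v1alpha1.EnvoyTLS{
-MinimumProtocolVersion: ctx.Config.TLS.MinimumProtocolVersion,
-MaximumProtocolVersion: ctx.Config.TLS.MaximumProtocolVersion,
-CipherSuites: cipherSuites,
+MinimumProtocolVersion: ctx.Config.TLS.MinimumProtocolVersion,
+MaximumProtocolVersion: ctx.Config.TLS.MaximumProtocolVersion,
+CipherSuites: cipherSuites,
+EnableJA3Fingerprinting: ctx.Config.TLS.EnableJA3Fingerprinting,
+EnableJA4Fingerprinting: ctx.Config.TLS.EnableJA4Fingerprinting,
 },
 SocketOptions: &contour_v1alpha1.SocketOptions{
 TOS: ctx.Config.Listener.SocketOptions.TOS,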

examples/contour/01-crds.yaml

Lines changed: 40 additions & 0 deletions
@@ -200,6 +200,16 @@ spec:
200200
items:
201201
type: string
202202
type: array
203+
enableJA3Fingerprinting:
204+
description: |-
205+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
206+
When true, populates JA3 hash in dynamic metadata.
207+
type: boolean
208+
enableJA4Fingerprinting:
209+
description: |-
210+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
211+
When true, populates JA4 hash in dynamic metadata.
212+
type: boolean
203213
maximumProtocolVersion:
204214
description: |-
205215
MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -438,6 +448,16 @@ spec:
438448
items:
439449
type: string
440450
type: array
451+
enableJA3Fingerprinting:
452+
description: |-
453+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
454+
When true, populates JA3 hash in dynamic metadata.
455+
type: boolean
456+
enableJA4Fingerprinting:
457+
description: |-
458+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
459+
When true, populates JA4 hash in dynamic metadata.
460+
type: boolean
441461
maximumProtocolVersion:
442462
description: |-
443463
MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4147,6 +4167,16 @@ spec:
41474167
items:
41484168
type: string
41494169
type: array
4170+
enableJA3Fingerprinting:
4171+
description: |-
4172+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
4173+
When true, populates JA3 hash in dynamic metadata.
4174+
type: boolean
4175+
enableJA4Fingerprinting:
4176+
description: |-
4177+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
4178+
When true, populates JA4 hash in dynamic metadata.
4179+
type: boolean
41504180
maximumProtocolVersion:
41514181
description: |-
41524182
MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4385,6 +4415,16 @@ spec:
43854415
items:
43864416
type: string
43874417
type: array
4418+
enableJA3Fingerprinting:
4419+
description: |-
4420+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
4421+
When true, populates JA3 hash in dynamic metadata.
4422+
type: boolean
4423+
enableJA4Fingerprinting:
4424+
description: |-
4425+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
4426+
When true, populates JA4 hash in dynamic metadata.
4427+
type: boolean
43884428
maximumProtocolVersion:
43894429
description: |-
43904430
MaximumProtocolVersion is the maximum TLS version this vhost should

examples/render/contour-deployment.yaml

Lines changed: 40 additions & 0 deletions
@@ -419,6 +419,16 @@ spec:
419419
items:
420420
type: string
421421
type: array
422+
enableJA3Fingerprinting:
423+
description: |-
424+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
425+
When true, populates JA3 hash in dynamic metadata.
426+
type: boolean
427+
enableJA4Fingerprinting:
428+
description: |-
429+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
430+
When true, populates JA4 hash in dynamic metadata.
431+
type: boolean
422432
maximumProtocolVersion:
423433
description: |-
424434
MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -657,6 +667,16 @@ spec:
657667
items:
658668
type: string
659669
type: array
670+
enableJA3Fingerprinting:
671+
description: |-
672+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
673+
When true, populates JA3 hash in dynamic metadata.
674+
type: boolean
675+
enableJA4Fingerprinting:
676+
description: |-
677+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
678+
When true, populates JA4 hash in dynamic metadata.
679+
type: boolean
660680
maximumProtocolVersion:
661681
description: |-
662682
MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4366,6 +4386,16 @@ spec:
43664386
items:
43674387
type: string
43684388
type: array
4389+
enableJA3Fingerprinting:
4390+
description: |-
4391+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
4392+
When true, populates JA3 hash in dynamic metadata.
4393+
type: boolean
4394+
enableJA4Fingerprinting:
4395+
description: |-
4396+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
4397+
When true, populates JA4 hash in dynamic metadata.
4398+
type: boolean
43694399
maximumProtocolVersion:
43704400
description: |-
43714401
MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4604,6 +4634,16 @@ spec:
46044634
items:
46054635
type: string
46064636
type: array
4637+
enableJA3Fingerprinting:
4638+
description: |-
4639+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
4640+
When true, populates JA3 hash in dynamic metadata.
4641+
type: boolean
4642+
enableJA4Fingerprinting:
4643+
description: |-
4644+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
4645+
When true, populates JA4 hash in dynamic metadata.
4646+
type: boolean
46074647
maximumProtocolVersion:
46084648
description: |-
46094649
MaximumProtocolVersion is the maximum TLS version this vhost should

examples/render/contour-gateway-provisioner.yaml

Lines changed: 40 additions & 0 deletions
@@ -211,6 +211,16 @@ spec:
211211
items:
212212
type: string
213213
type: array
214+
enableJA3Fingerprinting:
215+
description: |-
216+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
217+
When true, populates JA3 hash in dynamic metadata.
218+
type: boolean
219+
enableJA4Fingerprinting:
220+
description: |-
221+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
222+
When true, populates JA4 hash in dynamic metadata.
223+
type: boolean
214224
maximumProtocolVersion:
215225
description: |-
216226
MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -449,6 +459,16 @@ spec:
449459
items:
450460
type: string
451461
type: array
462+
enableJA3Fingerprinting:
463+
description: |-
464+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
465+
When true, populates JA3 hash in dynamic metadata.
466+
type: boolean
467+
enableJA4Fingerprinting:
468+
description: |-
469+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
470+
When true, populates JA4 hash in dynamic metadata.
471+
type: boolean
452472
maximumProtocolVersion:
453473
description: |-
454474
MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4158,6 +4178,16 @@ spec:
41584178
items:
41594179
type: string
41604180
type: array
4181+
enableJA3Fingerprinting:
4182+
description: |-
4183+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
4184+
When true, populates JA3 hash in dynamic metadata.
4185+
type: boolean
4186+
enableJA4Fingerprinting:
4187+
description: |-
4188+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
4189+
When true, populates JA4 hash in dynamic metadata.
4190+
type: boolean
41614191
maximumProtocolVersion:
41624192
description: |-
41634193
MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4396,6 +4426,16 @@ spec:
43964426
items:
43974427
type: string
43984428
type: array
4429+
enableJA3Fingerprinting:
4430+
description: |-
4431+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
4432+
When true, populates JA3 hash in dynamic metadata.
4433+
type: boolean
4434+
enableJA4Fingerprinting:
4435+
description: |-
4436+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
4437+
When true, populates JA4 hash in dynamic metadata.
4438+
type: boolean
43994439
maximumProtocolVersion:
44004440
description: |-
44014441
MaximumProtocolVersion is the maximum TLS version this vhost should

examples/render/contour-gateway.yaml

Lines changed: 40 additions & 0 deletions
@@ -236,6 +236,16 @@ spec:
236236
items:
237237
type: string
238238
type: array
239+
enableJA3Fingerprinting:
240+
description: |-
241+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
242+
When true, populates JA3 hash in dynamic metadata.
243+
type: boolean
244+
enableJA4Fingerprinting:
245+
description: |-
246+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
247+
When true, populates JA4 hash in dynamic metadata.
248+
type: boolean
239249
maximumProtocolVersion:
240250
description: |-
241251
MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -474,6 +484,16 @@ spec:
474484
items:
475485
type: string
476486
type: array
487+
enableJA3Fingerprinting:
488+
description: |-
489+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
490+
When true, populates JA3 hash in dynamic metadata.
491+
type: boolean
492+
enableJA4Fingerprinting:
493+
description: |-
494+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
495+
When true, populates JA4 hash in dynamic metadata.
496+
type: boolean
477497
maximumProtocolVersion:
478498
description: |-
479499
MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4183,6 +4203,16 @@ spec:
41834203
items:
41844204
type: string
41854205
type: array
4206+
enableJA3Fingerprinting:
4207+
description: |-
4208+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
4209+
When true, populates JA3 hash in dynamic metadata.
4210+
type: boolean
4211+
enableJA4Fingerprinting:
4212+
description: |-
4213+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
4214+
When true, populates JA4 hash in dynamic metadata.
4215+
type: boolean
41864216
maximumProtocolVersion:
41874217
description: |-
41884218
MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4421,6 +4451,16 @@ spec:
44214451
items:
44224452
type: string
44234453
type: array
4454+
enableJA3Fingerprinting:
4455+
description: |-
4456+
EnableJA3Fingerprinting enables JA3 fingerprinting in the TLS Inspector.
4457+
When true, populates JA3 hash in dynamic metadata.
4458+
type: boolean
4459+
enableJA4Fingerprinting:
4460+
description: |-
4461+
EnableJA4Fingerprinting enables JA4 fingerprinting in the TLS Inspector.
4462+
When true, populates JA4 hash in dynamic metadata.
4463+
type: boolean
44244464
maximumProtocolVersion:
44254465
description: |-
44264466
MaximumProtocolVersion is the maximum TLS version this vhost should
