Feat: Use keylog event to obtain TLS certificate for better reliability [1.23.X] (#4630)

Co-authored-by: Frank Elsinga <frank@elsinga.de>
This commit is contained in:
Nelson Chan 2024-04-06 18:43:08 +08:00 committed by GitHub
parent 0e30ea830d
commit 893278bd3d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 29 additions and 25 deletions

View File

@ -512,6 +512,12 @@ class Monitor extends BeanModel {
} }
} }
let tlsInfo;
// Store tlsInfo when key material is received
options.httpsAgent.on("keylog", (line, tlsSocket) => {
tlsInfo = checkCertificate(tlsSocket);
});
log.debug("monitor", `[${this.name}] Axios Options: ${JSON.stringify(options)}`); log.debug("monitor", `[${this.name}] Axios Options: ${JSON.stringify(options)}`);
log.debug("monitor", `[${this.name}] Axios Request`); log.debug("monitor", `[${this.name}] Axios Request`);
@ -521,29 +527,20 @@ class Monitor extends BeanModel {
bean.msg = `${res.status} - ${res.statusText}`; bean.msg = `${res.status} - ${res.statusText}`;
bean.ping = dayjs().valueOf() - startTime; bean.ping = dayjs().valueOf() - startTime;
// Check certificate if https is used // Store certificate and check for expiry if https is used
let certInfoStartTime = dayjs().valueOf();
if (this.getUrl()?.protocol === "https:") { if (this.getUrl()?.protocol === "https:") {
log.debug("monitor", `[${this.name}] Check cert`); // No way to listen for the `secureConnection` event, so we do it here
try { const tlssocket = res.request.res.socket;
let tlsInfoObject = checkCertificate(res);
tlsInfo = await this.updateTlsInfo(tlsInfoObject);
if (tlssocket) {
tlsInfo.valid = tlssocket.authorized || false;
}
await this.updateTlsInfo(tlsInfo);
if (!this.getIgnoreTls() && this.isEnabledExpiryNotification()) { if (!this.getIgnoreTls() && this.isEnabledExpiryNotification()) {
log.debug("monitor", `[${this.name}] call checkCertExpiryNotifications`); log.debug("monitor", `[${this.name}] call checkCertExpiryNotifications`);
await this.checkCertExpiryNotifications(tlsInfoObject); await this.checkCertExpiryNotifications(tlsInfo);
} }
} catch (e) {
if (e.message !== "No TLS certificate in response") {
log.error("monitor", "Caught error");
log.error("monitor", e.message);
}
}
}
if (process.env.TIMELOGGER === "1") {
log.debug("monitor", "Cert Info Query Time: " + (dayjs().valueOf() - certInfoStartTime) + "ms");
} }
if (process.env.UPTIME_KUMA_LOG_RESPONSE_BODY_MONITOR_ID === this.id) { if (process.env.UPTIME_KUMA_LOG_RESPONSE_BODY_MONITOR_ID === this.id) {

View File

@ -716,20 +716,27 @@ const parseCertificateInfo = function (info) {
/** /**
* Check if certificate is valid * Check if certificate is valid
* @param {Object} res Response object from axios * @param {tls.TLSSocket} socket TLSSocket, which may or may not be connected
* @returns {Object} Object containing certificate information * @returns {Object} Object containing certificate information
*/ */
exports.checkCertificate = function (res) { exports.checkCertificate = function (socket) {
if (!res.request.res.socket) { let certInfoStartTime = dayjs().valueOf();
throw new Error("No socket found");
// Return null if there is no socket
if (socket === undefined || socket == null) {
return null;
} }
const info = res.request.res.socket.getPeerCertificate(true); const info = socket.getPeerCertificate(true);
const valid = res.request.res.socket.authorized || false; const valid = socket.authorized || false;
log.debug("cert", "Parsing Certificate Info"); log.debug("cert", "Parsing Certificate Info");
const parsedInfo = parseCertificateInfo(info); const parsedInfo = parseCertificateInfo(info);
if (process.env.TIMELOGGER === "1") {
log.debug("monitor", "Cert Info Query Time: " + (dayjs().valueOf() - certInfoStartTime) + "ms");
}
return { return {
valid: valid, valid: valid,
certInfo: parsedInfo certInfo: parsedInfo