From 1a5f1af43cd956de60c6f037f0479afa0572f063 Mon Sep 17 00:00:00 2001
From: WeidiDeng
Date: Fri, 31 Oct 2025 08:26:57 +0800
Subject: [PATCH 1/3] http: create a placeholder for and log ech status
---
 modules/caddyhttp/app.go | 1 +
 modules/caddyhttp/marshalers.go | 1 +
 modules/caddyhttp/replacer.go | 2 ++
 3 files changed, 4 insertions(+)
diff --git a/modules/caddyhttp/app.go b/modules/caddyhttp/app.go
index 6ad18d051..80232d039 100644
--- a/modules/caddyhttp/app.go
+++ b/modules/caddyhttp/app.go
@@ -82,6 +82,7 @@ func init() {
 // `{http.request.tls.proto}` | The negotiated next protocol
 // `{http.request.tls.proto_mutual}` | The negotiated next protocol was advertised by the server
 // `{http.request.tls.server_name}` | The server name requested by the client, if any
+// `{http.request.tls.ech_accepted}` | ECH offered by the client and accepted by the server
 // `{http.request.tls.client.fingerprint}` | The SHA256 checksum of the client certificate
 // `{http.request.tls.client.public_key}` | The public key of the client certificate.
 // `{http.request.tls.client.public_key_sha256}` | The SHA256 checksum of the client's public key.
diff --git a/modules/caddyhttp/marshalers.go b/modules/caddyhttp/marshalers.go
index 9bce377f4..f9da84afa 100644
--- a/modules/caddyhttp/marshalers.go
+++ b/modules/caddyhttp/marshalers.go
@@ -110,6 +110,7 @@ func (t LoggableTLSConnState) MarshalLogObject(enc zapcore.ObjectEncoder) error
 	enc.AddUint16("cipher_suite", t.CipherSuite)
 	enc.AddString("proto", t.NegotiatedProtocol)
 	enc.AddString("server_name", t.ServerName)
+	enc.AddBool("ech_accepted", t.ECHAccepted)
 	if len(t.PeerCertificates) > 0 {
 		enc.AddString("client_common_name", t.PeerCertificates[0].Subject.CommonName)
 		enc.AddString("client_serial", t.PeerCertificates[0].SerialNumber.String())
diff --git a/modules/caddyhttp/replacer.go b/modules/caddyhttp/replacer.go
index 9c3ab85f2..554ddf164 100644
--- a/modules/caddyhttp/replacer.go
+++ b/modules/caddyhttp/replacer.go
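Review bot: The `server_name` written one line above the new `enc.AddBool("ech_accepted", t.ECHAccepted)` is, whenever that flag is true, presumably the inner SNI recovered from the decrypted ClientHello rather than the public name that was visible on the wire, so an access log entry carrying the flag records exactly the hostname ECH was deployed to conceal. That is expected at the origin, but it changes what these logs leak if they are shipped to a third party, and nothing in the marshaler says so. I would add above the new line: `// When ECH was accepted, server_name above is the inner (encrypted) SNI, not the public name seen on the wire.` Note also that `ECHAccepted` exists on `tls.ConnectionState` only from Go 1.23, so this assumes go.mod is at least that version, which I cannot see from here. MarshalLogObject's body starts before the hunk and continues after it.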
@@ -511,6 +511,8 @@ func getReqTLSReplacement(req *http.Request, key string) (any, bool) {
 		return true, true
 	case "server_name":
 		return req.TLS.ServerName, true
+	case "ech_accepted":
+		return req.TLS.ECHAccepted, true
 	}
 	return nil, false
 }
From 15c5995754a38c295adacb3929783c4c9fa15d82 Mon Sep 17 00:00:00 2001
From: WeidiDeng
Date: Sun, 7 Dec 2025 20:23:51 +0800
Subject: [PATCH 2/3] change placeholder name
---
 modules/caddyhttp/marshalers.go | 2 +-
 modules/caddyhttp/replacer.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/caddyhttp/marshalers.go b/modules/caddyhttp/marshalers.go
index f9da84afa..2a40b6cd7 100644
--- a/modules/caddyhttp/marshalers.go
+++ b/modules/caddyhttp/marshalers.go
@@ -110,7 +110,7 @@ func (t LoggableTLSConnState) MarshalLogObject(enc zapcore.ObjectEncoder) error
 	enc.AddUint16("cipher_suite", t.CipherSuite)
 	enc.AddString("proto", t.NegotiatedProtocol)
 	enc.AddString("server_name", t.ServerName)
-	enc.AddBool("ech_accepted", t.ECHAccepted)
+	enc.AddBool("ech", t.ECHAccepted)
 	if len(t.PeerCertificates) > 0 {
 		enc.AddString("client_common_name", t.PeerCertificates[0].Subject.CommonName)
 		enc.AddString("client_serial", t.PeerCertificates[0].SerialNumber.String())
diff --git a/modules/caddyhttp/replacer.go b/modules/caddyhttp/replacer.go
index 554ddf164..2c372a9e8 100644
--- a/modules/caddyhttp/replacer.go
+++ b/modules/caddyhttp/replacer.go
@@ -511,7 +511,7 @@ func getReqTLSReplacement(req *http.Request, key string) (any, bool) {
 		return true, true
 	case "server_name":
 		return req.TLS.ServerName, true
-	case "ech_accepted":
+	case "ech":
 		return req.TLS.ECHAccepted, true
 	}
 	return nil, false
From dff673bb8f26463d01ceb46c4cfc6e299becc7fa Mon Sep 17 00:00:00 2001
From: WeidiDeng
Date: Sun, 7 Dec 2025 21:14:48 +0800
Subject: [PATCH 3/3] update comments for placeholders too
Co-authored-by: Francis Lavoie
---
 modules/caddyhttp/app.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/caddyhttp/app.go b/modules/caddyhttp/app.go
index 80232d039..f5ea45a7c 100644
--- a/modules/caddyhttp/app.go
+++ b/modules/caddyhttp/app.go
@@ -82,7 +82,7 @@ func init() {
 // `{http.request.tls.proto}` | The negotiated next protocol
 // `{http.request.tls.proto_mutual}` | The negotiated next protocol was advertised by the server
 // `{http.request.tls.server_name}` | The server name requested by the client, if any
-// `{http.request.tls.ech_accepted}` | ECH offered by the client and accepted by the server
+// `{http.request.tls.ech}` | Whether ECH was offered by the client and accepted by the server
 // `{http.request.tls.client.fingerprint}` | The SHA256 checksum of the client certificate
 // `{http.request.tls.client.public_key}` | The public key of the client certificate.
 // `{http.request.tls.client.public_key_sha256}` | The SHA256 checksum of the client's public key.
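Review bot: The reworded entry for `{http.request.tls.ech}` still leaves out two things a user of this placeholder will want: that the value is a boolean, and that `false` does not distinguish a client that never offered ECH from one whose offer the server could not accept, since as far as I can tell `tls.ConnectionState` only exposes `ECHAccepted` and nothing about the offer. Without that caveat it is tempting to read `false` as "client lacks ECH support" when filtering or alerting on it. I would phrase the description as "Whether ECH was offered by the client and accepted by the server (boolean; false also when ECH was offered but not accepted)", keeping the table format. The surrounding placeholder table starts and ends outside the hunk.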