Integrate with TCP data via eBPF

[ThatcherT]

The nginx module can compute L7 fingerprints (JA4 / JA4H / etc.) in user space, but TCP-layer fingerprints and latency metrics need data nginx can’t access: SYN/SYN-ACK TCP options, observed TTL/Hop Limit, and handshake packet timestamps.

We want to integrate the module with an eBPF collector to capture TCP handshake metadata and expose it to nginx for logging/headers/routing.

Goals

• Capture via eBPF:

  • client SYN data for JA4T
  • server SYN-ACK data for JA4TS
  • A–F timestamps + TTL/HLIM for JA4L / JA4LS and JA4L-Delta

• Store per-connection state in an LRU map (5-tuple key + expiration).

• Ingest eBPF data in the nginx module.

• Compute and expose JA4T / JA4L fingerprints as nginx variables.

[vlvkobal]

We should key the map by 4-tuple + l4proto so TCP and UDP flows don’t collide (the same 4-tuple can exist for both). Within a single protocol, l4proto won’t prevent collisions from fast tuple reuse (high CPS / NAT can reuse the same tuple quickly), so we should also add a per-connection discriminator - ideally a socket cookie, otherwise a short TTL + generation/epoch.