code changes to support ssl

Akshay2191 · Akshay2191 · commit b95dcb03df8a · 2025-07-17T16:34:24.000+01:00
diff --git a/internal/collector/nginxossreceiver/internal/config/config.go b/internal/collector/nginxossreceiver/internal/config/config.go
@@ -33,6 +33,7 @@ type APIDetails struct {
 	URL      string `mapstructure:"url"`
 	Listen   string `mapstructure:"listen"`
 	Location string `mapstructure:"location"`
+	Ca       string `mapstructure:"ca"`
 }
 
 type AccessLog struct {
@@ -56,6 +57,7 @@ func CreateDefaultConfig() component.Config {
 			URL:      "http://localhost:80/status",
 			Listen:   "localhost:80",
 			Location: "status",
+			Ca:       "",
 		},
 	}
 }
diff --git a/internal/collector/nginxossreceiver/internal/scraper/stubstatus/stub_status_scraper.go b/internal/collector/nginxossreceiver/internal/scraper/stubstatus/stub_status_scraper.go
@@ -7,8 +7,11 @@ package stubstatus
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"net"
 	"net/http"
+	"os"
 	"strings"
 	"sync"
 	"time"
@@ -63,6 +66,28 @@ func (s *NginxStubStatusScraper) ID() component.ID {
 func (s *NginxStubStatusScraper) Start(_ context.Context, _ component.Host) error {
 	s.logger.Info("Starting NGINX stub status scraper")
 	httpClient := http.DefaultClient
+	caCertLocation := s.cfg.APIDetails.Ca
+	if caCertLocation != "" {
+		s.settings.Logger.Debug("Reading from Location for Ca Cert : ", zap.Any(caCertLocation, caCertLocation))
+		caCert, err := os.ReadFile(caCertLocation)
+		if err != nil {
+			s.settings.Logger.Error("Error starting NGINX stub scraper. "+
+				"Failed to read CA certificate : ", zap.Error(err))
+
+			return nil
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+
+		httpClient = &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{
+					RootCAs:    caCertPool,
+					MinVersion: tls.VersionTLS13,
+				},
+			},
+		}
+	}
 	httpClient.Timeout = s.cfg.ClientConfig.Timeout
 
 	if strings.HasPrefix(s.cfg.APIDetails.Listen, "unix:") {
diff --git a/internal/collector/nginxplusreceiver/config.go b/internal/collector/nginxplusreceiver/config.go
@@ -29,6 +29,7 @@ type APIDetails struct {
 	URL      string `mapstructure:"url"`
 	Listen   string `mapstructure:"listen"`
 	Location string `mapstructure:"location"`
+	Ca       string `mapstructure:"ca"`
 }
 
 // Validate checks if the receiver configuration is valid
@@ -59,6 +60,7 @@ func createDefaultConfig() component.Config {
 			URL:      "http://localhost:80/api",
 			Listen:   "localhost:80",
 			Location: "/api",
+			Ca:       "",
 		},
 		MetricsBuilderConfig: metadata.DefaultMetricsBuilderConfig(),
 	}
diff --git a/internal/collector/nginxplusreceiver/scraper.go b/internal/collector/nginxplusreceiver/scraper.go
@@ -6,9 +6,12 @@ package nginxplusreceiver
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
+	"os"
 	"strconv"
 	"strings"
 	"sync"
@@ -82,6 +85,26 @@ func (nps *NginxPlusScraper) ID() component.ID {
 func (nps *NginxPlusScraper) Start(_ context.Context, _ component.Host) error {
 	endpoint := strings.TrimPrefix(nps.cfg.APIDetails.URL, "unix:")
 	httpClient := http.DefaultClient
+	caCertLocation := nps.cfg.APIDetails.Ca
+	if caCertLocation != "" {
+		nps.logger.Debug("Reading from Location for Ca Cert : ", zap.Any(caCertLocation, caCertLocation))
+		caCert, err := os.ReadFile(caCertLocation)
+		if err != nil {
+			nps.logger.Error("Unable to start NGINX Plus scraper. Failed to read CA certificate: %v", zap.Error(err))
+			return err
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+
+		httpClient = &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{
+					RootCAs:    caCertPool,
+					MinVersion: tls.VersionTLS13,
+				},
+			},
+		}
+	}
 	httpClient.Timeout = nps.cfg.ClientConfig.Timeout
 
 	if strings.HasPrefix(nps.cfg.APIDetails.Listen, "unix:") {
diff --git a/internal/collector/otel_collector_plugin.go b/internal/collector/otel_collector_plugin.go
@@ -418,6 +418,7 @@ func (oc *Collector) checkForNewReceivers(ctx context.Context, nginxConfigContex
 					URL:      nginxConfigContext.PlusAPI.URL,
 					Listen:   nginxConfigContext.PlusAPI.Listen,
 					Location: nginxConfigContext.PlusAPI.Location,
+					Ca:       nginxConfigContext.PlusAPI.Ca,
 				},
 				CollectionInterval: defaultCollectionInterval,
 			},
diff --git a/internal/collector/otelcol.tmpl b/internal/collector/otelcol.tmpl
@@ -81,6 +81,7 @@ receivers:
       url: "{{- .StubStatus.URL -}}"
       listen: "{{- .StubStatus.Listen -}}"
       location: "{{- .StubStatus.Location -}}"
+      ca: "{{- .StubStatus.Ca -}}"
     {{- if .CollectionInterval }}
     collection_interval: {{ .CollectionInterval }}
     {{- end }}
@@ -98,6 +99,7 @@ receivers:
         url: "{{- .PlusAPI.URL -}}"
         listen: "{{- .PlusAPI.Listen -}}"
         location: "{{- .PlusAPI.Location -}}"
+        ca: "{{- .StubStatus.Ca -}}"
     {{- if .CollectionInterval }}
     collection_interval: {{ .CollectionInterval }}
     {{- end }}
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -267,6 +267,12 @@ func registerFlags() {
 		"Warning messages in the NGINX errors logs after a NGINX reload will be treated as an error.",
 	)
 
+	fs.String(
+		NginxApiTlsCa,
+		DefNginxApiTlsCa,
+		"The NGINX Plus CA certificate file location needed to call the NGINX Plus API if SSL is enabled.",
+	)
+
 	fs.StringSlice(
 		NginxExcludeLogsKey, []string{},
 		"A comma-separated list of one or more NGINX log paths that you want to exclude from metrics "+
@@ -786,6 +792,7 @@ func resolveDataPlaneConfig() *DataPlaneConfig {
 			ReloadMonitoringPeriod: viperInstance.GetDuration(NginxReloadMonitoringPeriodKey),
 			TreatWarningsAsErrors:  viperInstance.GetBool(NginxTreatWarningsAsErrorsKey),
 			ExcludeLogs:            viperInstance.GetStringSlice(NginxExcludeLogsKey),
+			ApiTls:                 TLSConfig{Ca: viperInstance.GetString(NginxApiTlsCa)},
 		},
 	}
 }
diff --git a/internal/config/defaults.go b/internal/config/defaults.go
@@ -14,6 +14,7 @@ const (
 	DefGracefulShutdownPeriod      = 5 * time.Second
 	DefNginxReloadMonitoringPeriod = 10 * time.Second
 	DefTreatErrorsAsWarnings       = false
+	DefNginxApiTlsCa               = ""
 
 	DefCommandServerHostKey    = ""
 	DefCommandServerPortKey    = 0
diff --git a/internal/config/flags.go b/internal/config/flags.go
@@ -118,6 +118,7 @@ var (
 	NginxReloadMonitoringPeriodKey = pre(DataPlaneConfigRootKey, "nginx") + "reload_monitoring_period"
 	NginxTreatWarningsAsErrorsKey  = pre(DataPlaneConfigRootKey, "nginx") + "treat_warnings_as_errors"
 	NginxExcludeLogsKey            = pre(DataPlaneConfigRootKey, "nginx") + "exclude_logs"
+	NginxApiTlsCa                  = pre(DataPlaneConfigRootKey, "nginx") + "api_tls_ca"
 
 	FileWatcherMonitoringFrequencyKey = pre(FileWatcherKey) + "monitoring_frequency"
 	NginxExcludeFilesKey              = pre(FileWatcherKey) + "exclude_files"
diff --git a/internal/config/types.go b/internal/config/types.go
@@ -61,6 +61,7 @@ type (
 	}
 
 	NginxDataPlaneConfig struct {
+		ApiTls                 TLSConfig     `yaml:"api_tls"                  mapstructure:"api_tls"`
 		ExcludeLogs            []string      `yaml:"exclude_logs"             mapstructure:"exclude_logs"`
 		ReloadMonitoringPeriod time.Duration `yaml:"reload_monitoring_period" mapstructure:"reload_monitoring_period"`
 		TreatWarningsAsErrors  bool          `yaml:"treat_warnings_as_errors" mapstructure:"treat_warnings_as_errors"`
@@ -230,6 +231,7 @@ type (
 		URL      string `yaml:"url"      mapstructure:"url"`
 		Listen   string `yaml:"listen"   mapstructure:"listen"`
 		Location string `yaml:"location" mapstructure:"location"`
+		Ca       string `yaml:"ca"       mapstructure:"ca"`
 	}
 
 	AccessLog struct {
diff --git a/internal/datasource/config/nginx_config_parser.go b/internal/datasource/config/nginx_config_parser.go
@@ -7,6 +7,8 @@ package config
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -575,7 +577,11 @@ func (ncp *NginxConfigParser) apiCallback(ctx context.Context, parent,
 func (ncp *NginxConfigParser) pingAPIEndpoint(ctx context.Context, statusAPIDetail *model.APIDetails,
 	apiType string,
 ) bool {
-	httpClient := http.DefaultClient
+	httpClient, err := ncp.prepareHTTPClient(ctx)
+	if err != nil {
+		slog.ErrorContext(ctx, "Failed to prepare HTTP client", "error", err)
+		return false
+	}
 	listen := statusAPIDetail.Listen
 	statusAPI := statusAPIDetail.URL
 
@@ -641,6 +647,13 @@ func (ncp *NginxConfigParser) urlsForLocationDirectiveAPIDetails(
 	locationDirectiveName string,
 ) []*model.APIDetails {
 	var urls []*model.APIDetails
+	// Check if SSL is enabled in the server block
+	isSSL := ncp.isSSLEnabled(parent)
+	caCertLocation := ""
+	// If SSl is enabled, check if CA cert is provided and the location is allowed
+	if isSSL {
+		caCertLocation = ncp.getCACertLocation()
+	}
 	// process from the location block
 	if current.Directive != locationDirective {
 		return urls
@@ -668,12 +681,15 @@ func (ncp *NginxConfigParser) urlsForLocationDirectiveAPIDetails(
 						URL:      fmt.Sprintf(format, path),
 						Listen:   address,
 						Location: path,
+						Ca:       caCertLocation,
 					})
 				} else {
 					urls = append(urls, &model.APIDetails{
-						URL:      fmt.Sprintf(apiFormat, address, path),
+						URL: fmt.Sprintf("%s://%s%s", map[bool]string{true: "https", false: "http"}[isSSL],
+							address, path),
 						Listen:   address,
 						Location: path,
+						Ca:       caCertLocation,
 					})
 				}
 			}
@@ -773,6 +789,37 @@ func (ncp *NginxConfigParser) isPort(value string) bool {
 	return err == nil && port >= 1 && port <= 65535
 }
 
+// checks if any of the arguments contain "ssl".
+func (ncp *NginxConfigParser) hasSSLArgument(args []string) bool {
+	for i := 1; i < len(args); i++ {
+		if args[i] == "ssl" {
+			return true
+		}
+	}
+
+	return false
+}
+
+// checks if a directive is a listen directive with ssl enabled.
+func (ncp *NginxConfigParser) isSSLListenDirective(dir *crossplane.Directive) bool {
+	return dir.Directive == "listen" && ncp.hasSSLArgument(dir.Args)
+}
+
+// checks if SSL is enabled for a given server block.
+func (ncp *NginxConfigParser) isSSLEnabled(serverBlock *crossplane.Directive) bool {
+	if serverBlock == nil {
+		return false
+	}
+
+	for _, dir := range serverBlock.Block {
+		if ncp.isSSLListenDirective(dir) {
+			return true
+		}
+	}
+
+	return false
+}
+
 func (ncp *NginxConfigParser) socketClient(socketPath string) *http.Client {
 	return &http.Client{
 		Timeout: ncp.agentConfig.Client.Grpc.KeepAlive.Timeout,
@@ -784,6 +831,47 @@ func (ncp *NginxConfigParser) socketClient(socketPath string) *http.Client {
 	}
 }
 
+// prepareHTTPClient handles TLS config
+func (ncp *NginxConfigParser) prepareHTTPClient(ctx context.Context) (*http.Client, error) {
+	httpClient := http.DefaultClient
+	caCertLocation := ncp.agentConfig.DataPlaneConfig.Nginx.ApiTls.Ca
+
+	if caCertLocation != "" && ncp.agentConfig.IsDirectoryAllowed(caCertLocation) {
+		slog.DebugContext(ctx, "Reading from Location for Ca Cert : ", "cacertlocation", caCertLocation)
+		caCert, err := os.ReadFile(caCertLocation)
+		if err != nil {
+			slog.ErrorContext(ctx, "Failed to read CA certificate", "error", err)
+			return nil, err
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+
+		httpClient = &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{
+					RootCAs:    caCertPool,
+					MinVersion: tls.VersionTLS13,
+				},
+			},
+		}
+	}
+
+	return httpClient, nil
+}
+
+// Populate the CA cert location based ondirectory allowance.
+func (ncp *NginxConfigParser) getCACertLocation() string {
+	caCertLocation := ncp.agentConfig.DataPlaneConfig.Nginx.ApiTls.Ca
+
+	if caCertLocation != "" && !ncp.agentConfig.IsDirectoryAllowed(caCertLocation) {
+		// If SSL is enabled but CA cert is provided and not allowed, treat it as if no CA cert
+		slog.Warn("CA certificate location is not allowed, treating as if no CA cert provided.")
+		return ""
+	}
+
+	return caCertLocation
+}
+
 func (ncp *NginxConfigParser) isDuplicateFile(nginxConfigContextFiles []*mpi.File, newFile *mpi.File) bool {
 	for _, nginxConfigContextFile := range nginxConfigContextFiles {
 		if nginxConfigContextFile.GetFileMeta().GetName() == newFile.GetFileMeta().GetName() {
diff --git a/internal/model/config.go b/internal/model/config.go
@@ -26,6 +26,7 @@ type APIDetails struct {
 	URL      string
 	Listen   string
 	Location string
+	Ca       string
 }
 
 type ManifestFile struct {
diff --git a/internal/resource/resource_service.go b/internal/resource/resource_service.go
@@ -7,12 +7,15 @@ package resource
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"log/slog"
 	"net"
 	"net/http"
+	"os"
 	"strings"
 	"sync"
 
@@ -348,6 +351,26 @@ func (r *ResourceService) createPlusClient(instance *mpi.Instance) (*client.Ngin
 	}
 
 	httpClient := http.DefaultClient
+	caCertLocation := plusAPI.GetCa()
+	if caCertLocation != "" {
+		slog.Debug("Reading from Location for Ca Cert : ", "cacertlocation", caCertLocation)
+		caCert, err := os.ReadFile(caCertLocation)
+		if err != nil {
+			slog.Error("Unable to Create NGINX Plus client. Failed to read CA certificate : ", "err", err)
+			return nil, err
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+
+		httpClient = &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{
+					RootCAs:    caCertPool,
+					MinVersion: tls.VersionTLS13,
+				},
+			},
+		}
+	}
 	if strings.HasPrefix(plusAPI.GetListen(), "unix:") {
 		httpClient = socketClient(strings.TrimPrefix(plusAPI.GetListen(), "unix:"))
 	}
diff --git a/test/config/collector/test-opentelemetry-collector-agent.yaml b/test/config/collector/test-opentelemetry-collector-agent.yaml
@@ -31,6 +31,7 @@ receivers:
       url: "http://localhost:80/status"
       listen: ""
       location: ""
+      ca: ""
     collection_interval: 30s
     access_logs:
       - log_format: "$remote_addr - $remote_user [$time_local] \"$request\" $status $body_bytes_sent \"$http_referer\" \"$http_user_agent\" \"$http_x_forwarded_for\"\"$upstream_cache_status\""

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,7 @@ type APIDetails struct {`
`33`	`33`	URL string `mapstructure:"url"`
`34`	`34`	Listen string `mapstructure:"listen"`
`35`	`35`	Location string `mapstructure:"location"`
	`36`	+ Ca string `mapstructure:"ca"`
`36`	`37`	`}`
`37`	`38`
`38`	`39`	`type AccessLog struct {`
`@@ -56,6 +57,7 @@ func CreateDefaultConfig() component.Config {`
`56`	`57`	`URL: "http://localhost:80/status",`
`57`	`58`	`Listen: "localhost:80",`
`58`	`59`	`Location: "status",`
	`60`	`+ Ca: "",`
`59`	`61`	`},`
`60`	`62`	`}`
`61`	`63`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ type APIDetails struct {`
`29`	`29`	URL string `mapstructure:"url"`
`30`	`30`	Listen string `mapstructure:"listen"`
`31`	`31`	Location string `mapstructure:"location"`
	`32`	+ Ca string `mapstructure:"ca"`
`32`	`33`	`}`
`33`	`34`
`34`	`35`	`// Validate checks if the receiver configuration is valid`
`@@ -59,6 +60,7 @@ func createDefaultConfig() component.Config {`
`59`	`60`	`URL: "http://localhost:80/api",`
`60`	`61`	`Listen: "localhost:80",`
`61`	`62`	`Location: "/api",`
	`63`	`+ Ca: "",`
`62`	`64`	`},`
`63`	`65`	`MetricsBuilderConfig: metadata.DefaultMetricsBuilderConfig(),`
`64`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -267,6 +267,12 @@ func registerFlags() {`
`267`	`267`	`"Warning messages in the NGINX errors logs after a NGINX reload will be treated as an error.",`
`268`	`268`	`)`
`269`	`269`
	`270`	`+ fs.String(`
	`271`	`+ NginxApiTlsCa,`
	`272`	`+ DefNginxApiTlsCa,`
	`273`	`+ "The NGINX Plus CA certificate file location needed to call the NGINX Plus API if SSL is enabled.",`
	`274`	`+ )`
	`275`	`+`
`270`	`276`	`fs.StringSlice(`
`271`	`277`	`NginxExcludeLogsKey, []string{},`
`272`	`278`	`"A comma-separated list of one or more NGINX log paths that you want to exclude from metrics "+`
`@@ -786,6 +792,7 @@ func resolveDataPlaneConfig() *DataPlaneConfig {`
`786`	`792`	`ReloadMonitoringPeriod: viperInstance.GetDuration(NginxReloadMonitoringPeriodKey),`
`787`	`793`	`TreatWarningsAsErrors: viperInstance.GetBool(NginxTreatWarningsAsErrorsKey),`
`788`	`794`	`ExcludeLogs: viperInstance.GetStringSlice(NginxExcludeLogsKey),`
	`795`	`+ ApiTls: TLSConfig{Ca: viperInstance.GetString(NginxApiTlsCa)},`
`789`	`796`	`},`
`790`	`797`	`}`
`791`	`798`	`}`
Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,7 @@ type (`
`61`	`61`	`}`
`62`	`62`
`63`	`63`	`NginxDataPlaneConfig struct {`
	`64`	+ ApiTls TLSConfig `yaml:"api_tls" mapstructure:"api_tls"`
`64`	`65`	ExcludeLogs []string `yaml:"exclude_logs" mapstructure:"exclude_logs"`
`65`	`66`	ReloadMonitoringPeriod time.Duration `yaml:"reload_monitoring_period" mapstructure:"reload_monitoring_period"`
`66`	`67`	TreatWarningsAsErrors bool `yaml:"treat_warnings_as_errors" mapstructure:"treat_warnings_as_errors"`
`@@ -230,6 +231,7 @@ type (`
`230`	`231`	URL string `yaml:"url" mapstructure:"url"`
`231`	`232`	Listen string `yaml:"listen" mapstructure:"listen"`
`232`	`233`	Location string `yaml:"location" mapstructure:"location"`
	`234`	+ Ca string `yaml:"ca" mapstructure:"ca"`
`233`	`235`	`}`
`234`	`236`
`235`	`237`	`AccessLog struct {`