feat: expose SSL_CIPHER env var (#1693)

Author: alexandre-daubois

caddy/module.go

@@ -136,7 +136,6 @@ func needReplacement(s string) bool {
 }
 
 // ServeHTTP implements caddyhttp.MiddlewareHandler.
-// TODO: Expose TLS versions as env vars, as Apache's mod_ssl: https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go#L298
 func (f *FrankenPHPModule) ServeHTTP(w http.ResponseWriter, r *http.Request, _ caddyhttp.Handler) error {
 	origReq := r.Context().Value(caddyhttp.OriginalRequestCtxKey).(http.Request)
 	repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)

cgi.go

@@ -41,6 +41,7 @@ var knownServerKeys = []string{
 	"SERVER_PROTOCOL",
 	"SERVER_SOFTWARE",
 	"SSL_PROTOCOL",
+	"SSL_CIPHER",
 	"AUTH_TYPE",
 	"REMOTE_IDENT",
 	"CONTENT_TYPE",
@@ -73,11 +74,13 @@ func addKnownVariablesToServer(thread *phpThread, fc *frankenPHPContext, trackVa
 
 	var https string
 	var sslProtocol string
+	var sslCipher string
 	var rs string
 	if request.TLS == nil {
 		rs = "http"
 		https = ""
 		sslProtocol = ""
+		sslCipher = ""
 	} else {
 		rs = "https"
 		https = "on"
@@ -89,6 +92,10 @@ func addKnownVariablesToServer(thread *phpThread, fc *frankenPHPContext, trackVa
 		} else {
 			sslProtocol = ""
 		}
+
+		if request.TLS.CipherSuite != 0 {
+			sslCipher = tls.CipherSuiteName(request.TLS.CipherSuite)
+		}
 	}
 
 	reqHost, reqPort, _ := net.SplitHostPort(request.Host)
@@ -151,6 +158,7 @@ func addKnownVariablesToServer(thread *phpThread, fc *frankenPHPContext, trackVa
 		packCgiVariable(keys["REMOTE_IDENT"], ""),
 		// Request uri of the original request
 		packCgiVariable(keys["REQUEST_URI"], requestURI),
+		packCgiVariable(keys["SSL_CIPHER"], sslCipher),
 	)
 
 	// These values are already present in the SG(request_info), so we'll register them from there

frankenphp.c

@@ -641,7 +641,7 @@ void frankenphp_register_bulk(
     ht_key_value_pair gateway_interface, ht_key_value_pair server_protocol,
     ht_key_value_pair server_software, ht_key_value_pair http_host,
     ht_key_value_pair auth_type, ht_key_value_pair remote_ident,
-    ht_key_value_pair request_uri) {
+    ht_key_value_pair request_uri, ht_key_value_pair ssl_cipher) {
   HashTable *ht = Z_ARRVAL_P(track_vars_array);
   frankenphp_register_trusted_var(remote_addr.key, remote_addr.val,
                                   remote_addr.val_len, ht);
@@ -664,6 +664,8 @@ void frankenphp_register_bulk(
   frankenphp_register_trusted_var(https.key, https.val, https.val_len, ht);
   frankenphp_register_trusted_var(ssl_protocol.key, ssl_protocol.val,
                                   ssl_protocol.val_len, ht);
+  frankenphp_register_trusted_var(ssl_cipher.key, ssl_cipher.val,
+                                  ssl_cipher.val_len, ht);
   frankenphp_register_trusted_var(request_scheme.key, request_scheme.val,
                                   request_scheme.val_len, ht);
   frankenphp_register_trusted_var(server_name.key, server_name.val,

frankenphp.h

@@ -91,7 +91,7 @@ void frankenphp_register_bulk(
     ht_key_value_pair gateway_interface, ht_key_value_pair server_protocol,
     ht_key_value_pair server_software, ht_key_value_pair http_host,
     ht_key_value_pair auth_type, ht_key_value_pair remote_ident,
-    ht_key_value_pair request_uri);
+    ht_key_value_pair request_uri, ht_key_value_pair ssl_cipher);
 
 void register_extensions(zend_module_entry *m, int len);