From 4e10cc76e061558a170c42b1d7c0da81794ae2e6 Mon Sep 17 00:00:00 2001
From: Karl Skewes
Date: Mon, 3 Jun 2019 13:51:59 +1200
Subject: [PATCH] Add silence ping logging flag using ExcludePath
- Add `ping-path` option to enable switching on and passing to `logger.go` Default remains unchanged at: `"/ping"`
- Add note in configuration.md about silence flag taking precedence
Potential tests:
- `options.go` sets `logger.SetExcludePath` based on silence flag?
- Changing `PingPath` reflected in router?
---
 docs/configuration/configuration.md | 4 +++-
 main.go | 2 ++
 oauthproxy.go | 2 +-
 options.go | 13 +++++++++----
 4 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md
index 4e66ec1b..178e0096 100644
--- a/docs/configuration/configuration.md
+++ b/docs/configuration/configuration.md
@@ -74,6 +74,7 @@ Usage of oauth2_proxy:
 -pass-user-headers: pass X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
 -profile-url string: Profile access endpoint
 -provider string: OAuth provider (default "google")
+ -ping-path string: the ping endpoint that can be used for basic health checks (default "/ping")
 -proxy-prefix string: the url root path that this proxy should be nested under (e.g. //sign_in) (default "/oauth2")
 -proxy-websockets: enables WebSocket proxying (default true)
 -pubjwk-url string: JWK pubkey access endpoint: required by login.gov
@@ -91,6 +92,7 @@ Usage of oauth2_proxy:
 -set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
 -set-authorization-header: set Authorization Bearer response header (useful in Nginx auth_request mode)
 -signature-key string: GAP-Signature request signature key (algorithm:secretkey)
+ -silence-ping-logging bool: disable logging of requests to ping endpoint (default false)
 -skip-auth-preflight: will skip authentication for OPTIONS requests
 -skip-auth-regex value: bypass authentication for requests path's that match (may be given multiple times)
 -skip-jwt-bearer-tokens: will skip requests that have verified JWT bearer tokens
@@ -140,7 +142,7 @@ There are three different types of logging: standard, authentication, and HTTP r
 Each type of logging has their own configurable format and variables. By default these formats are similar to the Apache Combined Log.
-A specific path can be excluded from request logs by setting `-exclude-logging-path`. This is useful for disabling logging of requests to the `/ping` endpoint to reduce log volume when health checking `oauth2_proxy`.
+Logging of requests to the `/ping` endpoint can be disabled with `-silence-ping-logging` reducing log volume. This flag sets the `-exclude-logging-path` value to the `-ping-path` and takes precedence over any other value `-exclude-logging-path` may have been set to directly.
 ### Auth Log Format
 Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format:
diff --git a/main.go b/main.go
index 222aa696..4ae92609 100644
--- a/main.go
+++ b/main.go
@@ -69,6 +69,7 @@ func main() {
 flagSet.String("banner", "", "custom banner string. Use \"-\" to disable default banner.")
 flagSet.String("footer", "", "custom footer string. Use \"-\" to disable default footer.")
 flagSet.String("proxy-prefix", "/oauth2", "the url root path that this proxy should be nested under (e.g. //sign_in)")
+ flagSet.String("ping-path", "/ping", "the ping endpoint that can be used for basic health checks")
 flagSet.Bool("proxy-websockets", true, "enables WebSocket proxying")
 flagSet.String("cookie-name", "_oauth2_proxy", "the name of the cookie that the oauth_proxy creates")
@@ -99,6 +100,7 @@ func main() {
 flagSet.Bool("request-logging", true, "Log HTTP requests")
 flagSet.String("request-logging-format", logger.DefaultRequestLoggingFormat, "Template for HTTP request log lines")
 flagSet.String("exclude-logging-path", "", "Exclude logging requests to path (eg: /ping)")
+ flagSet.Bool("silence-ping-logging", false, "Disable logging of requests to ping endpoint")
 flagSet.Bool("auth-logging", true, "Log authentication attempts")
 flagSet.String("auth-logging-format", logger.DefaultAuthLoggingFormat, "Template for authentication log lines")
diff --git a/oauthproxy.go b/oauthproxy.go
index d2ff74c7..5ef7a390 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -254,7 +254,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
 Validator: validator,
 RobotsPath: "/robots.txt",
- PingPath: "/ping",
+ PingPath: opts.PingPath,
 SignInPath: fmt.Sprintf("%s/sign_in", opts.ProxyPrefix),
 SignOutPath: fmt.Sprintf("%s/sign_out", opts.ProxyPrefix),
 OAuthStartPath: fmt.Sprintf("%s/start", opts.ProxyPrefix),
diff --git a/options.go b/options.go
index 88e76e97..b2afe93c 100644
--- a/options.go
+++ b/options.go
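Review bot: The value of the new `ping-path` flag in main.go reaches the router unchecked, because the oauthproxy.go hunk assigns `PingPath: opts.PingPath` directly and no validation of the option is visible anywhere in this patch. An empty value, or one without a leading `/`, would presumably never match a request path, so health checks would start failing with no error at startup; a value equal to `RobotsPath` or to one of the `ProxyPrefix` routes built on the following lines would leave one of the two handlers unreachable. I would reject such values where the options are validated, for example `if !strings.HasPrefix(o.PingPath, "/") { msgs = append(msgs, "ping-path must start with \"/\"") }`, in the style of the `msgs` list that `setupLogger` in options.go takes. The router test the commit message lists under "Potential tests" would cover the same path. Both `main` and `NewOAuthProxy` continue outside these hunks.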
@@ -30,6 +30,7 @@ import (
 // or Config File
 type Options struct {
 ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy_prefix" env:"OAUTH2_PROXY_PROXY_PREFIX"`
+ PingPath string `flag:"ping-path" cfg:"ping-path" env:"OAUTH2_PROXY_PING_PATH"`
 ProxyWebSockets bool `flag:"proxy-websockets" cfg:"proxy_websockets" env:"OAUTH2_PROXY_PROXY_WEBSOCKETS"`
 HTTPAddress string `flag:"http-address" cfg:"http_address" env:"OAUTH2_PROXY_HTTP_ADDRESS"`
 HTTPSAddress string `flag:"https-address" cfg:"https_address" env:"OAUTH2_PROXY_HTTPS_ADDRESS"`
@@ -103,9 +104,8 @@ type Options struct {
 StandardLoggingFormat string `flag:"standard-logging-format" cfg:"standard_logging_format" env:"OAUTH2_PROXY_STANDARD_LOGGING_FORMAT"`
 RequestLogging bool `flag:"request-logging" cfg:"request_logging" env:"OAUTH2_PROXY_REQUEST_LOGGING"`
 RequestLoggingFormat string `flag:"request-logging-format" cfg:"request_logging_format" env:"OAUTH2_PROXY_REQUEST_LOGGING_FORMAT"`
- PingPath string `flag:"ping-path" cfg:"ping_path" env:"OAUTH2_PROXY_PING_PATH"`
- SilencePingLogging bool `flag:"silence-ping-logging" cfg:"silence_ping_logging" env:"OAUTH2_PROXY_SILENCE_PING_LOGGING"`
 ExcludeLoggingPath string `flag:"exclude-logging-path" cfg:"exclude_logging_path" env:"OAUTH2_PROXY_EXCLUDE_LOGGING_PATH"`
+ SilencePingLogging bool `flag:"silence-ping-logging" cfg:"silence_ping_logging" env:"OAUTH2_PROXY_SILENCE_PING_LOGGING"`
 AuthLogging bool `flag:"auth-logging" cfg:"auth_logging" env:"OAUTH2_PROXY_LOGGING_AUTH_LOGGING"`
 AuthLoggingFormat string `flag:"auth-logging-format" cfg:"auth_logging_format" env:"OAUTH2_PROXY_AUTH_LOGGING_FORMAT"`
 SignatureKey string `flag:"signature-key" cfg:"signature_key" env:"OAUTH2_PROXY_SIGNATURE_KEY"`
@@ -136,6 +136,7 @@ type SignatureData struct {
 func NewOptions() *Options {
 return &Options{
 ProxyPrefix: "/oauth2",
+ PingPath: "/ping",
 ProxyWebSockets: true,
 HTTPAddress: "127.0.0.1:4180",
 HTTPSAddress: ":443",
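Review bot: The `PingPath` field added in the first options.go hunk is tagged `cfg:"ping-path"`, with a hyphen, while every other field visible in `Options` uses an underscore key (`cfg:"proxy_prefix"`, `cfg:"silence_ping_logging"`) and the line this commit removes in the second hunk carried `cfg:"ping_path"`. Unless the config loader normalises keys, a config file that sets `ping_path` would no longer be applied and the proxy would fall back to the `/ping` default without reporting anything. I would keep the tag as `cfg:"ping_path"` so the flag, config-file and environment names stay parallel. The struct definition continues outside the hunk.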
@@ -168,7 +169,6 @@ func NewOptions() *Options {
 LoggingLocalTime: true,
 LoggingCompress: false,
 ExcludeLoggingPath: "",
- PingPath: "/ping",
 SilencePingLogging: false,
 StandardLogging: true,
 StandardLoggingFormat: logger.DefaultStandardLoggingFormat,
@@ -572,11 +572,16 @@ func setupLogger(o *Options, msgs []string) []string {
 logger.SetStandardEnabled(o.StandardLogging)
 logger.SetAuthEnabled(o.AuthLogging)
 logger.SetReqEnabled(o.RequestLogging)
- logger.SetExcludePath(o.ExcludeLoggingPath)
 logger.SetStandardTemplate(o.StandardLoggingFormat)
 logger.SetAuthTemplate(o.AuthLoggingFormat)
 logger.SetReqTemplate(o.RequestLoggingFormat)
+ if o.SilencePingLogging {
+ logger.SetExcludePath(o.PingPath)
+ } else {
+ logger.SetExcludePath(o.ExcludeLoggingPath)
+ }
+
 if !o.LoggingLocalTime {
 logger.SetFlags(logger.Flags() | logger.LUTC)
 }
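Review bot: In the `setupLogger` hunk, a `true` `SilencePingLogging` makes the new `if` discard whatever the operator put in `ExcludeLoggingPath`, and nothing tells them one of the two settings was ignored. Because request-log exclusion decides which requests leave a trace, I would surface the conflict rather than resolve it quietly. Assuming `msgs` collects messages for the caller, that could be `if o.SilencePingLogging && o.ExcludeLoggingPath != "" && o.ExcludeLoggingPath != o.PingPath { msgs = append(msgs, "silence-ping-logging overrides exclude-logging-path") }`. The branch also passes `o.PingPath` through unchecked, so an empty ping path would hand `SetExcludePath` an empty string. A short comment above the `if` stating the precedence rule would help the next reader; `setupLogger` begins and ends outside the hunk.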