public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add exclude logging path option 

Useful for excluding /ping endpoint to reduce log volume.
This is somewhat more verbose than a simple bool to disable logging of
the `/ping` endpoint.

Perhaps better to add `-silence-ping-logging` bool flag to `options.go` and
pass in the `/ping` endpoint as part of `logger` declaration in `options.go`.

Could be extended into a slice of paths similar to go-gin's `SkipPaths`:
https://github.com/gin-gonic/gin/blob/master/logger.go#L46
This commit is contained in:
Karl Skewes 2019-06-02 14:36:54 +12:00
parent ec97000169
commit c4f20fff3d
5 changed files with 30 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/configuration/configuration.md
View File

@ -42,6 +42,7 @@ Usage of oauth2_proxy:
-display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true) -display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true)
-email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email -email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
-extra-jwt-issuers: if -skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json) -extra-jwt-issuers: if -skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json)
-exclude-logging-path: don't log requests to this path, eg: /ping (default "" = no paths excluded)
-flush-interval: period between flushing response buffers when streaming responses (default "1s") -flush-interval: period between flushing response buffers when streaming responses (default "1s")
-banner string: custom banner string. Use "-" to disable default banner. -banner string: custom banner string. Use "-" to disable default banner.
-footer string: custom footer string. Use "-" to disable default footer. -footer string: custom footer string. Use "-" to disable default footer.
@ -90,7 +91,6 @@ Usage of oauth2_proxy:
-set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode) -set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
-set-authorization-header: set Authorization Bearer response header (useful in Nginx auth_request mode) -set-authorization-header: set Authorization Bearer response header (useful in Nginx auth_request mode)
-signature-key string: GAP-Signature request signature key (algorithm:secretkey) -signature-key string: GAP-Signature request signature key (algorithm:secretkey)
-silence-ping-logging bool: disable logging of requests to ping endpoint (default false)
-skip-auth-preflight: will skip authentication for OPTIONS requests -skip-auth-preflight: will skip authentication for OPTIONS requests
-skip-auth-regex value: bypass authentication for requests path's that match (may be given multiple times) -skip-auth-regex value: bypass authentication for requests path's that match (may be given multiple times)
-skip-jwt-bearer-tokens: will skip requests that have verified JWT bearer tokens -skip-jwt-bearer-tokens: will skip requests that have verified JWT bearer tokens
@ -140,7 +140,7 @@ There are three different types of logging: standard, authentication, and HTTP r
Each type of logging has their own configurable format and variables. By default these formats are similar to the Apache Combined Log. Each type of logging has their own configurable format and variables. By default these formats are similar to the Apache Combined Log.
Logging of requests to the `/ping` endpoint can be disabled with `-silence-ping-logging` reducing log volume. A specific path can be excluded from request logs by setting `-exclude-logging-path`. This is useful for disabling logging of requests to the `/ping` endpoint to reduce log volume when health checking `oauth2_proxy`.
### Auth Log Format ### Auth Log Format
Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format: Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format:

18
logging_handler_test.go
View File

@ -19,15 +19,15 @@ func TestLoggingHandler_ServeHTTP(t *testing.T) {
Format, Format,
ExpectedLogMessage, ExpectedLogMessage,
Path string Path string
SilentPing bool ExcludePath string
}{ }{
{logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", false}, {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", ""},
{logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", true}, {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", "/ping"},
{logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/ping\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/ping", false}, {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/ping\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/ping", ""},
{"{{.RequestMethod}}", "GET\n", "/foo/bar", false}, {"{{.RequestMethod}}", "GET\n", "/foo/bar", ""},
{"{{.RequestMethod}}", "GET\n", "/foo/bar", true}, {"{{.RequestMethod}}", "GET\n", "/foo/bar", "/ping"},
{"{{.RequestMethod}}", "GET\n", "/ping", false}, {"{{.RequestMethod}}", "GET\n", "/ping", ""},
{"{{.RequestMethod}}", "", "/ping", true}, {"{{.RequestMethod}}", "", "/ping", "/ping"},
} }
for _, test := range tests { for _, test := range tests {
@ -43,7 +43,7 @@ func TestLoggingHandler_ServeHTTP(t *testing.T) {
logger.SetOutput(buf) logger.SetOutput(buf)
logger.SetReqTemplate(test.Format) logger.SetReqTemplate(test.Format)
logger.SetSilentPing(test.SilentPing) logger.SetExcludePath(test.ExcludePath)
h := LoggingHandler(http.HandlerFunc(handler)) h := LoggingHandler(http.HandlerFunc(handler))
r, _ := http.NewRequest("GET", test.Path, nil) r, _ := http.NewRequest("GET", test.Path, nil)

2
main.go
View File

@ -98,7 +98,7 @@ func main() {
flagSet.Bool("request-logging", true, "Log HTTP requests") flagSet.Bool("request-logging", true, "Log HTTP requests")
flagSet.String("request-logging-format", logger.DefaultRequestLoggingFormat, "Template for HTTP request log lines") flagSet.String("request-logging-format", logger.DefaultRequestLoggingFormat, "Template for HTTP request log lines")
flagSet.Bool("silence-ping-logging", false, "Disable logging of requests to ping endpoint") flagSet.String("exclude-logging-path", "", "Exclude logging requests to path (eg: /ping)")
flagSet.Bool("auth-logging", true, "Log authentication attempts") flagSet.Bool("auth-logging", true, "Log authentication attempts")
flagSet.String("auth-logging-format", logger.DefaultAuthLoggingFormat, "Template for authentication log lines") flagSet.String("auth-logging-format", logger.DefaultAuthLoggingFormat, "Template for authentication log lines")

18
options.go
View File

@ -105,15 +105,15 @@ type Options struct {
RequestLoggingFormat string `flag:"request-logging-format" cfg:"request_logging_format" env:"OAUTH2_PROXY_REQUEST_LOGGING_FORMAT"` RequestLoggingFormat string `flag:"request-logging-format" cfg:"request_logging_format" env:"OAUTH2_PROXY_REQUEST_LOGGING_FORMAT"`
PingPath string `flag:"ping-path" cfg:"ping_path" env:"OAUTH2_PROXY_PING_PATH"` PingPath string `flag:"ping-path" cfg:"ping_path" env:"OAUTH2_PROXY_PING_PATH"`
SilencePingLogging bool `flag:"silence-ping-logging" cfg:"silence_ping_logging" env:"OAUTH2_PROXY_SILENCE_PING_LOGGING"` SilencePingLogging bool `flag:"silence-ping-logging" cfg:"silence_ping_logging" env:"OAUTH2_PROXY_SILENCE_PING_LOGGING"`
ExcludeLoggingPath string `flag:"exclude-logging-path" cfg:"exclude_logging_path" env:"OAUTH2_PROXY_EXCLUDE_LOGGING_PATH"`
AuthLogging bool `flag:"auth-logging" cfg:"auth_logging" env:"OAUTH2_PROXY_LOGGING_AUTH_LOGGING"` AuthLogging bool `flag:"auth-logging" cfg:"auth_logging" env:"OAUTH2_PROXY_LOGGING_AUTH_LOGGING"`
AuthLoggingFormat string `flag:"auth-logging-format" cfg:"auth_logging_format" env:"OAUTH2_PROXY_AUTH_LOGGING_FORMAT"` AuthLoggingFormat string `flag:"auth-logging-format" cfg:"auth_logging_format" env:"OAUTH2_PROXY_AUTH_LOGGING_FORMAT"`
SignatureKey string `flag:"signature-key" cfg:"signature_key" env:"OAUTH2_PROXY_SIGNATURE_KEY"`
SignatureKey string `flag:"signature-key" cfg:"signature_key" env:"OAUTH2_PROXY_SIGNATURE_KEY"` AcrValues string `flag:"acr-values" cfg:"acr_values" env:"OAUTH2_PROXY_ACR_VALUES"`
AcrValues string `flag:"acr-values" cfg:"acr_values" env:"OAUTH2_PROXY_ACR_VALUES"` JWTKey string `flag:"jwt-key" cfg:"jwt_key" env:"OAUTH2_PROXY_JWT_KEY"`
JWTKey string `flag:"jwt-key" cfg:"jwt_key" env:"OAUTH2_PROXY_JWT_KEY"` JWTKeyFile string `flag:"jwt-key-file" cfg:"jwt_key_file" env:"OAUTH2_PROXY_JWT_KEY_FILE"`
JWTKeyFile string `flag:"jwt-key-file" cfg:"jwt_key_file" env:"OAUTH2_PROXY_JWT_KEY_FILE"` PubJWKURL string `flag:"pubjwk-url" cfg:"pubjwk_url" env:"OAUTH2_PROXY_PUBJWK_URL"`
PubJWKURL string `flag:"pubjwk-url" cfg:"pubjwk_url" env:"OAUTH2_PROXY_PUBJWK_URL"` GCPHealthChecks bool `flag:"gcp-healthchecks" cfg:"gcp_healthchecks" env:"OAUTH2_PROXY_GCP_HEALTHCHECKS"`
GCPHealthChecks bool `flag:"gcp-healthchecks" cfg:"gcp_healthchecks" env:"OAUTH2_PROXY_GCP_HEALTHCHECKS"`
// internal values that are set after config validation // internal values that are set after config validation
redirectURL *url.URL redirectURL *url.URL
@ -167,6 +167,7 @@ func NewOptions() *Options {
LoggingMaxBackups: 0, LoggingMaxBackups: 0,
LoggingLocalTime: true, LoggingLocalTime: true,
LoggingCompress: false, LoggingCompress: false,
ExcludeLoggingPath: "",
PingPath: "/ping", PingPath: "/ping",
SilencePingLogging: false, SilencePingLogging: false,
StandardLogging: true, StandardLogging: true,
@ -571,8 +572,7 @@ func setupLogger(o *Options, msgs []string) []string {
logger.SetStandardEnabled(o.StandardLogging) logger.SetStandardEnabled(o.StandardLogging)
logger.SetAuthEnabled(o.AuthLogging) logger.SetAuthEnabled(o.AuthLogging)
logger.SetReqEnabled(o.RequestLogging) logger.SetReqEnabled(o.RequestLogging)
logger.SetSilentPing(o.SilencePingLogging) logger.SetExcludePath(o.ExcludeLoggingPath)
logger.SetPingPath(o.PingPath)
logger.SetStandardTemplate(o.StandardLoggingFormat) logger.SetStandardTemplate(o.StandardLoggingFormat)
logger.SetAuthTemplate(o.AuthLoggingFormat) logger.SetAuthTemplate(o.AuthLoggingFormat)
logger.SetReqTemplate(o.RequestLoggingFormat) logger.SetReqTemplate(o.RequestLoggingFormat)

33
pkg/logger/logger.go
View File

@ -88,8 +88,7 @@ type Logger struct {
stdEnabled bool stdEnabled bool
authEnabled bool authEnabled bool
reqEnabled bool reqEnabled bool
silentPing bool excludePath string
pingPath string
stdLogTemplate *template.Template stdLogTemplate *template.Template
authTemplate *template.Template authTemplate *template.Template
reqTemplate *template.Template reqTemplate *template.Template
@ -103,8 +102,7 @@ func New(flag int) *Logger {
stdEnabled: true, stdEnabled: true,
authEnabled: true, authEnabled: true,
reqEnabled: true, reqEnabled: true,
silentPing: false, excludePath: "",
pingPath: "/ping",
stdLogTemplate: template.Must(template.New("std-log").Parse(DefaultStandardLoggingFormat)), stdLogTemplate: template.Must(template.New("std-log").Parse(DefaultStandardLoggingFormat)),
authTemplate: template.Must(template.New("auth-log").Parse(DefaultAuthLoggingFormat)), authTemplate: template.Must(template.New("auth-log").Parse(DefaultAuthLoggingFormat)),
reqTemplate: template.Must(template.New("req-log").Parse(DefaultRequestLoggingFormat)), reqTemplate: template.Must(template.New("req-log").Parse(DefaultRequestLoggingFormat)),
@ -181,7 +179,7 @@ func (l *Logger) PrintReq(username, upstream string, req *http.Request, url url.
return return
} }
if url.Path == l.pingPath && l.silentPing { if url.Path == l.excludePath {
return return
} }
duration := float64(time.Now().Sub(ts)) / float64(time.Second) duration := float64(time.Now().Sub(ts)) / float64(time.Second)
@ -309,18 +307,11 @@ func (l *Logger) SetReqEnabled(e bool) {
l.reqEnabled = e l.reqEnabled = e
} }
// SetPingPath sets the ping path. // SetExcludePath sets the path to exclude from logging.
func (l *Logger) SetPingPath(s string) { func (l *Logger) SetExcludePath(s string) {
l.mu.Lock() l.mu.Lock()
defer l.mu.Unlock() defer l.mu.Unlock()
l.pingPath = s l.excludePath = s
}
// SetSilentPing disables ping request logging.
func (l *Logger) SetSilentPing(e bool) {
l.mu.Lock()
defer l.mu.Unlock()
l.silentPing = e
} }
// SetStandardTemplate sets the template for standard logging. // SetStandardTemplate sets the template for standard logging.
@ -386,15 +377,9 @@ func SetReqEnabled(e bool) {
std.SetReqEnabled(e) std.SetReqEnabled(e)
} }
// SetPingPath sets the healthcheck endpoint path. // SetExcludePath sets the path to exclude from logging, eg: health checks
// FIXME: Seems wrong to define this func SetExcludePath(s string) {
func SetPingPath(s string) { std.SetExcludePath(s)
std.SetPingPath(s)
}
// SetSilentPing disables request logging for the ping endpoint.
func SetSilentPing(e bool) {
std.SetSilentPing(e)
} }
// SetStandardTemplate sets the template for standard logging for // SetStandardTemplate sets the template for standard logging for