From c4f20fff3d961f186a041c3f00aab7de40492608 Mon Sep 17 00:00:00 2001
From: Karl Skewes
Date: Sun, 2 Jun 2019 14:36:54 +1200
Subject: [PATCH] Add exclude logging path option
Useful for excluding /ping endpoint to reduce log volume. This is somewhat more verbose than a simple bool to disable logging of the `/ping` endpoint. Perhaps better to add `-silence-ping-logging` bool flag to `options.go` and pass in the `/ping` endpoint as part of `logger` declaration in `options.go`. Could be extended into a slice of paths similar to go-gin's `SkipPaths`: https://github.com/gin-gonic/gin/blob/master/logger.go#L46
---
 docs/configuration/configuration.md | 4 ++--
 logging_handler_test.go | 18 ++++++++--------
 main.go | 2 +-
 options.go | 18 ++++++++--------
 pkg/logger/logger.go | 33 ++++++++---------------------
 5 files changed, 30 insertions(+), 45 deletions(-)
diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md
index 5fffc432..4e66ec1b 100644
--- a/docs/configuration/configuration.md
+++ b/docs/configuration/configuration.md
@@ -42,6 +42,7 @@ Usage of oauth2_proxy:
 -display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true)
 -email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
 -extra-jwt-issuers: if -skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json)
+ -exclude-logging-path: don't log requests to this path, eg: /ping (default "" = no paths excluded)
 -flush-interval: period between flushing response buffers when streaming responses (default "1s")
 -banner string: custom banner string. Use "-" to disable default banner.
 -footer string: custom footer string. Use "-" to disable default footer.
@@ -90,7 +91,6 @@ Usage of oauth2_proxy:
 -set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
 -set-authorization-header: set Authorization Bearer response header (useful in Nginx auth_request mode)
 -signature-key string: GAP-Signature request signature key (algorithm:secretkey)
- -silence-ping-logging bool: disable logging of requests to ping endpoint (default false)
 -skip-auth-preflight: will skip authentication for OPTIONS requests
 -skip-auth-regex value: bypass authentication for requests path's that match (may be given multiple times)
 -skip-jwt-bearer-tokens: will skip requests that have verified JWT bearer tokens
@@ -140,7 +140,7 @@ There are three different types of logging: standard, authentication, and HTTP r
 Each type of logging has their own configurable format and variables. By default these formats are similar to the Apache Combined Log.
-Logging of requests to the `/ping` endpoint can be disabled with `-silence-ping-logging` reducing log volume.
+A specific path can be excluded from request logs by setting `-exclude-logging-path`. This is useful for disabling logging of requests to the `/ping` endpoint to reduce log volume when health checking `oauth2_proxy`.
 ### Auth Log Format
 Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format:
diff --git a/logging_handler_test.go b/logging_handler_test.go
index 9d966b39..b036a1f6 100644
--- a/logging_handler_test.go
+++ b/logging_handler_test.go
@@ -19,15 +19,15 @@ func TestLoggingHandler_ServeHTTP(t *testing.T) {
 Format,
 ExpectedLogMessage,
 Path string
- SilentPing bool
+ ExcludePath string
 }{
- {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", false},
- {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", true},
- {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/ping\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/ping", false},
- {"{{.RequestMethod}}", "GET\n", "/foo/bar", false},
- {"{{.RequestMethod}}", "GET\n", "/foo/bar", true},
- {"{{.RequestMethod}}", "GET\n", "/ping", false},
- {"{{.RequestMethod}}", "", "/ping", true},
+ {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", ""},
+ {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", "/ping"},
+ {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/ping\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/ping", ""},
+ {"{{.RequestMethod}}", "GET\n", "/foo/bar", ""},
+ {"{{.RequestMethod}}", "GET\n", "/foo/bar", "/ping"},
+ {"{{.RequestMethod}}", "GET\n", "/ping", ""},
+ {"{{.RequestMethod}}", "", "/ping", "/ping"},
 }
 for _, test := range tests {
@@ -43,7 +43,7 @@ func TestLoggingHandler_ServeHTTP(t *testing.T) {
 logger.SetOutput(buf)
 logger.SetReqTemplate(test.Format)
- logger.SetSilentPing(test.SilentPing)
+ logger.SetExcludePath(test.ExcludePath)
 h := LoggingHandler(http.HandlerFunc(handler))
 r, _ := http.NewRequest("GET", test.Path, nil)
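Review bot: The table in `TestLoggingHandler_ServeHTTP` has no row that pins the edges of the new exclusion; it only pairs `ExcludePath` values of `""` and `"/ping"` with the paths `/foo/bar` and `/ping`. A near-miss row such as `{"{{.RequestMethod}}", "GET\n", "/ping/", "/ping"},` would record that only the exact path is suppressed. A row for the default empty `ExcludePath` against a request whose path is itself empty would show whether an unconfigured deployment still logs every request, which is what the documentation text `default "" = no paths excluded` promises. The test function starts and ends outside these hunks.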
diff --git a/main.go b/main.go
index 395a55a9..222aa696 100644
--- a/main.go
+++ b/main.go
@@ -98,7 +98,7 @@ func main() {
 flagSet.Bool("request-logging", true, "Log HTTP requests")
 flagSet.String("request-logging-format", logger.DefaultRequestLoggingFormat, "Template for HTTP request log lines")
- flagSet.Bool("silence-ping-logging", false, "Disable logging of requests to ping endpoint")
+ flagSet.String("exclude-logging-path", "", "Exclude logging requests to path (eg: /ping)")
 flagSet.Bool("auth-logging", true, "Log authentication attempts")
 flagSet.String("auth-logging-format", logger.DefaultAuthLoggingFormat, "Template for authentication log lines")
diff --git a/options.go b/options.go
index 69919c3c..88e76e97 100644
--- a/options.go
+++ b/options.go
@@ -105,15 +105,15 @@ type Options struct {
 RequestLoggingFormat string `flag:"request-logging-format" cfg:"request_logging_format" env:"OAUTH2_PROXY_REQUEST_LOGGING_FORMAT"`
 PingPath string `flag:"ping-path" cfg:"ping_path" env:"OAUTH2_PROXY_PING_PATH"`
 SilencePingLogging bool `flag:"silence-ping-logging" cfg:"silence_ping_logging" env:"OAUTH2_PROXY_SILENCE_PING_LOGGING"`
+ ExcludeLoggingPath string `flag:"exclude-logging-path" cfg:"exclude_logging_path" env:"OAUTH2_PROXY_EXCLUDE_LOGGING_PATH"`
 AuthLogging bool `flag:"auth-logging" cfg:"auth_logging" env:"OAUTH2_PROXY_LOGGING_AUTH_LOGGING"`
 AuthLoggingFormat string `flag:"auth-logging-format" cfg:"auth_logging_format" env:"OAUTH2_PROXY_AUTH_LOGGING_FORMAT"`
-
- SignatureKey string `flag:"signature-key" cfg:"signature_key" env:"OAUTH2_PROXY_SIGNATURE_KEY"`
- AcrValues string `flag:"acr-values" cfg:"acr_values" env:"OAUTH2_PROXY_ACR_VALUES"`
- JWTKey string `flag:"jwt-key" cfg:"jwt_key" env:"OAUTH2_PROXY_JWT_KEY"`
- JWTKeyFile string `flag:"jwt-key-file" cfg:"jwt_key_file" env:"OAUTH2_PROXY_JWT_KEY_FILE"`
- PubJWKURL string `flag:"pubjwk-url" cfg:"pubjwk_url" env:"OAUTH2_PROXY_PUBJWK_URL"`
- GCPHealthChecks bool `flag:"gcp-healthchecks" cfg:"gcp_healthchecks" env:"OAUTH2_PROXY_GCP_HEALTHCHECKS"`
+ SignatureKey string `flag:"signature-key" cfg:"signature_key" env:"OAUTH2_PROXY_SIGNATURE_KEY"`
+ AcrValues string `flag:"acr-values" cfg:"acr_values" env:"OAUTH2_PROXY_ACR_VALUES"`
+ JWTKey string `flag:"jwt-key" cfg:"jwt_key" env:"OAUTH2_PROXY_JWT_KEY"`
+ JWTKeyFile string `flag:"jwt-key-file" cfg:"jwt_key_file" env:"OAUTH2_PROXY_JWT_KEY_FILE"`
+ PubJWKURL string `flag:"pubjwk-url" cfg:"pubjwk_url" env:"OAUTH2_PROXY_PUBJWK_URL"`
+ GCPHealthChecks bool `flag:"gcp-healthchecks" cfg:"gcp_healthchecks" env:"OAUTH2_PROXY_GCP_HEALTHCHECKS"`
 // internal values that are set after config validation
 redirectURL *url.URL
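Review bot: `SilencePingLogging` stays in the `Options` struct with its `flag:"silence-ping-logging"`, `cfg` and `env` tags, although this commit removes the flag registration in main.go and the `logger.SetSilentPing` call in `setupLogger`. A deployment that still sets `silence_ping_logging` or `OAUTH2_PROXY_SILENCE_PING_LOGGING` would, as far as these hunks show, have the value accepted and then ignored; depending on how the options loader treats a tagged field with no registered flag, it may also fail at startup. Either drop the field together with its `SilencePingLogging: false` default in `NewOptions`, or keep the old flag as a deprecated alias that sets `ExcludeLoggingPath` to `PingPath`. The re-alignment of the `SignatureKey` to `GCPHealthChecks` fields comes only from deleting the blank line above them and is unrelated churn. The struct continues outside the hunk.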
@@ -167,6 +167,7 @@ func NewOptions() *Options {
 LoggingMaxBackups: 0,
 LoggingLocalTime: true,
 LoggingCompress: false,
+ ExcludeLoggingPath: "",
 PingPath: "/ping",
 SilencePingLogging: false,
 StandardLogging: true,
@@ -571,8 +572,7 @@ func setupLogger(o *Options, msgs []string) []string {
 logger.SetStandardEnabled(o.StandardLogging)
 logger.SetAuthEnabled(o.AuthLogging)
 logger.SetReqEnabled(o.RequestLogging)
- logger.SetSilentPing(o.SilencePingLogging)
- logger.SetPingPath(o.PingPath)
+ logger.SetExcludePath(o.ExcludeLoggingPath)
 logger.SetStandardTemplate(o.StandardLoggingFormat)
 logger.SetAuthTemplate(o.AuthLoggingFormat)
 logger.SetReqTemplate(o.RequestLoggingFormat)
diff --git a/pkg/logger/logger.go b/pkg/logger/logger.go
index 89546131..68149c75 100644
--- a/pkg/logger/logger.go
+++ b/pkg/logger/logger.go
@@ -88,8 +88,7 @@ type Logger struct {
 stdEnabled bool
 authEnabled bool
 reqEnabled bool
- silentPing bool
- pingPath string
+ excludePath string
 stdLogTemplate *template.Template
 authTemplate *template.Template
 reqTemplate *template.Template
@@ -103,8 +102,7 @@ func New(flag int) *Logger {
 stdEnabled: true,
 authEnabled: true,
 reqEnabled: true,
- silentPing: false,
- pingPath: "/ping",
+ excludePath: "",
 stdLogTemplate: template.Must(template.New("std-log").Parse(DefaultStandardLoggingFormat)),
 authTemplate: template.Must(template.New("auth-log").Parse(DefaultAuthLoggingFormat)),
 reqTemplate: template.Must(template.New("req-log").Parse(DefaultRequestLoggingFormat)),
@@ -181,7 +179,7 @@ func (l *Logger) PrintReq(username, upstream string, req *http.Request, url url.
 return
 }
- if url.Path == l.pingPath && l.silentPing {
+ if url.Path == l.excludePath {
 return
 }
 duration := float64(time.Now().Sub(ts)) / float64(time.Second)
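Review bot: In `PrintReq` (pkg/logger/logger.go) the new guard `if url.Path == l.excludePath` also fires when nothing is configured, because `excludePath` defaults to `""` in both `New` and `NewOptions`, so a request whose parsed `url.Path` is empty matches it. I believe Go can produce an empty path for some request-target forms; if so, those requests would be missing from the request log on a default install, which is a gap in the audit trail rather than the intended noise reduction. Make the exclusion conditional on the option being set: `if l.excludePath != "" && url.Path == l.excludePath {`. `PrintReq` begins and continues outside the hunk, so the rest of its body is not visible here.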
@@ -309,18 +307,11 @@ func (l *Logger) SetReqEnabled(e bool) {
 l.reqEnabled = e
 }
-// SetPingPath sets the ping path.
-func (l *Logger) SetPingPath(s string) {
+// SetExcludePath sets the path to exclude from logging.
+func (l *Logger) SetExcludePath(s string) {
 l.mu.Lock()
 defer l.mu.Unlock()
- l.pingPath = s
-}
-
-// SetSilentPing disables ping request logging.
-func (l *Logger) SetSilentPing(e bool) {
- l.mu.Lock()
- defer l.mu.Unlock()
- l.silentPing = e
+ l.excludePath = s
 }
 // SetStandardTemplate sets the template for standard logging.
@@ -386,15 +377,9 @@ func SetReqEnabled(e bool) {
 std.SetReqEnabled(e)
 }
-// SetPingPath sets the healthcheck endpoint path.
-// FIXME: Seems wrong to define this
-func SetPingPath(s string) {
- std.SetPingPath(s)
-}
-
-// SetSilentPing disables request logging for the ping endpoint.
-func SetSilentPing(e bool) {
- std.SetSilentPing(e)
+// SetExcludePath sets the path to exclude from logging, eg: health checks
+func SetExcludePath(s string) {
+ std.SetExcludePath(s)
 }
 // SetStandardTemplate sets the template for standard logging for
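Review bot: The doc comments on the `SetExcludePath` method and on the package-level `SetExcludePath` do not say how the value is matched, which matters for a setting that removes requests from the log. Judging by the `PrintReq` hunk the comparison is plain string equality, so the method comment could read `// SetExcludePath sets the one path whose requests PrintReq does not log; the match is exact string equality on url.Path, so "/ping/" is still logged when "/ping" is set.` The package-level comment should carry the same sentence and end with a period like its neighbours.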