diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md index 178e009..d84d40d 100644 --- a/docs/configuration/configuration.md +++ b/docs/configuration/configuration.md @@ -41,8 +41,9 @@ Usage of oauth2_proxy: -custom-templates-dir string: path to custom html templates -display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true) -email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email +<<<<<<< HEAD -extra-jwt-issuers: if -skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json) - -exclude-logging-path: don't log requests to this path, eg: /ping (default "" = no paths excluded) + -exclude-logging-paths: comma separated list of paths to exclude from logging, eg: "/ping,/path2" (default "" = no paths excluded) -flush-interval: period between flushing response buffers when streaming responses (default "1s") -banner string: custom banner string. Use "-" to disable default banner. -footer string: custom footer string. Use "-" to disable default footer. @@ -142,7 +143,7 @@ There are three different types of logging: standard, authentication, and HTTP r Each type of logging has their own configurable format and variables. By default these formats are similar to the Apache Combined Log. -Logging of requests to the `/ping` endpoint can be disabled with `-silence-ping-logging` reducing log volume. This flag sets the `-exclude-logging-path` value to the `-ping-path` and takes precedence over any other value `-exclude-logging-path` may have been set to directly. +Logging of requests to the `/ping` endpoint can be disabled with `-silence-ping-logging` reducing log volume. This flag appends the `-ping-path` to `-exclude-logging-paths`. ### Auth Log Format Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format: diff --git a/logging_handler_test.go b/logging_handler_test.go index 0adec08..ddc9778 100644 --- a/logging_handler_test.go +++ b/logging_handler_test.go @@ -19,16 +19,21 @@ func TestLoggingHandler_ServeHTTP(t *testing.T) { Format, ExpectedLogMessage, Path string - ExcludePath string + ExcludePaths []string + SilencePingLogging bool }{ - {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", ""}, - {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", "/ping"}, - {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/ping\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/ping", ""}, - {logger.DefaultRequestLoggingFormat, "", "/ping", "/ping"}, - {"{{.RequestMethod}}", "GET\n", "/foo/bar", ""}, - {"{{.RequestMethod}}", "GET\n", "/foo/bar", "/ping"}, - {"{{.RequestMethod}}", "GET\n", "/ping", ""}, - {"{{.RequestMethod}}", "", "/ping", "/ping"}, + {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", []string{}, false}, + {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", []string{}, true}, + {logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", []string{"/ping"}, false}, + {logger.DefaultRequestLoggingFormat, "", "/foo/bar", []string{"/foo/bar"}, false}, + {logger.DefaultRequestLoggingFormat, "", "/ping", []string{}, true}, + {logger.DefaultRequestLoggingFormat, "", "/ping", []string{"/ping"}, false}, + {logger.DefaultRequestLoggingFormat, "", "/ping", []string{"/ping"}, true}, + {logger.DefaultRequestLoggingFormat, "", "/ping", []string{"/foo/bar", "/ping"}, false}, + {"{{.RequestMethod}}", "GET\n", "/foo/bar", []string{}, true}, + {"{{.RequestMethod}}", "GET\n", "/foo/bar", []string{"/ping"}, false}, + {"{{.RequestMethod}}", "GET\n", "/ping", []string{}, false}, + {"{{.RequestMethod}}", "", "/ping", []string{"/ping"}, true}, } for _, test := range tests { @@ -44,7 +49,10 @@ func TestLoggingHandler_ServeHTTP(t *testing.T) { logger.SetOutput(buf) logger.SetReqTemplate(test.Format) - logger.SetExcludePath(test.ExcludePath) + if test.SilencePingLogging { + test.ExcludePaths = append(test.ExcludePaths, "/ping") + } + logger.SetExcludePaths(test.ExcludePaths) h := LoggingHandler(http.HandlerFunc(handler)) r, _ := http.NewRequest("GET", test.Path, nil) diff --git a/main.go b/main.go index 4ae9260..6900845 100644 --- a/main.go +++ b/main.go @@ -99,7 +99,7 @@ func main() { flagSet.Bool("request-logging", true, "Log HTTP requests") flagSet.String("request-logging-format", logger.DefaultRequestLoggingFormat, "Template for HTTP request log lines") - flagSet.String("exclude-logging-path", "", "Exclude logging requests to path (eg: /ping)") + flagSet.String("exclude-logging-paths", "", "Exclude logging requests to paths (eg: '/path1,/path2,/path3')") flagSet.Bool("silence-ping-logging", false, "Disable logging of requests to ping endpoint") flagSet.Bool("auth-logging", true, "Log authentication attempts") diff --git a/options.go b/options.go index b2afe93..3eda23c 100644 --- a/options.go +++ b/options.go @@ -104,7 +104,7 @@ type Options struct { StandardLoggingFormat string `flag:"standard-logging-format" cfg:"standard_logging_format" env:"OAUTH2_PROXY_STANDARD_LOGGING_FORMAT"` RequestLogging bool `flag:"request-logging" cfg:"request_logging" env:"OAUTH2_PROXY_REQUEST_LOGGING"` RequestLoggingFormat string `flag:"request-logging-format" cfg:"request_logging_format" env:"OAUTH2_PROXY_REQUEST_LOGGING_FORMAT"` - ExcludeLoggingPath string `flag:"exclude-logging-path" cfg:"exclude_logging_path" env:"OAUTH2_PROXY_EXCLUDE_LOGGING_PATH"` + ExcludeLoggingPaths string `flag:"exclude-logging-paths" cfg:"exclude_logging_paths" env:"OAUTH2_EXCLUDE_LOGGING_PATHS"` SilencePingLogging bool `flag:"silence-ping-logging" cfg:"silence_ping_logging" env:"OAUTH2_PROXY_SILENCE_PING_LOGGING"` AuthLogging bool `flag:"auth-logging" cfg:"auth_logging" env:"OAUTH2_PROXY_LOGGING_AUTH_LOGGING"` AuthLoggingFormat string `flag:"auth-logging-format" cfg:"auth_logging_format" env:"OAUTH2_PROXY_AUTH_LOGGING_FORMAT"` @@ -168,7 +168,7 @@ func NewOptions() *Options { LoggingMaxBackups: 0, LoggingLocalTime: true, LoggingCompress: false, - ExcludeLoggingPath: "", + ExcludeLoggingPaths: "", SilencePingLogging: false, StandardLogging: true, StandardLoggingFormat: logger.DefaultStandardLoggingFormat, @@ -576,12 +576,14 @@ func setupLogger(o *Options, msgs []string) []string { logger.SetAuthTemplate(o.AuthLoggingFormat) logger.SetReqTemplate(o.RequestLoggingFormat) + excludePaths := make([]string, 0) + excludePaths = append(excludePaths, strings.Split(o.ExcludeLoggingPaths, ",")...) if o.SilencePingLogging { - logger.SetExcludePath(o.PingPath) - } else { - logger.SetExcludePath(o.ExcludeLoggingPath) + excludePaths = append(excludePaths, o.PingPath) } + logger.SetExcludePaths(excludePaths) + if !o.LoggingLocalTime { logger.SetFlags(logger.Flags() | logger.LUTC) } diff --git a/pkg/logger/logger.go b/pkg/logger/logger.go index 89b8450..1ef9b7d 100644 --- a/pkg/logger/logger.go +++ b/pkg/logger/logger.go @@ -88,7 +88,7 @@ type Logger struct { stdEnabled bool authEnabled bool reqEnabled bool - excludePath string + excludePaths map[string]struct{} stdLogTemplate *template.Template authTemplate *template.Template reqTemplate *template.Template @@ -102,7 +102,7 @@ func New(flag int) *Logger { stdEnabled: true, authEnabled: true, reqEnabled: true, - excludePath: "", + excludePaths: nil, stdLogTemplate: template.Must(template.New("std-log").Parse(DefaultStandardLoggingFormat)), authTemplate: template.Must(template.New("auth-log").Parse(DefaultAuthLoggingFormat)), reqTemplate: template.Must(template.New("req-log").Parse(DefaultRequestLoggingFormat)), @@ -179,7 +179,7 @@ func (l *Logger) PrintReq(username, upstream string, req *http.Request, url url. return } - if url.Path == l.excludePath { + if _, excludedPath := l.excludePaths[url.Path]; excludedPath { return } @@ -308,11 +308,14 @@ func (l *Logger) SetReqEnabled(e bool) { l.reqEnabled = e } -// SetExcludePath sets the path to exclude from logging. -func (l *Logger) SetExcludePath(s string) { +// SetExcludePaths sets the paths to exclude from logging. +func (l *Logger) SetExcludePaths(s []string) { l.mu.Lock() defer l.mu.Unlock() - l.excludePath = s + l.excludePaths = make(map[string]struct{}) + for _, p := range s { + l.excludePaths[p] = struct{}{} + } } // SetStandardTemplate sets the template for standard logging. @@ -378,9 +381,9 @@ func SetReqEnabled(e bool) { std.SetReqEnabled(e) } -// SetExcludePath sets the path to exclude from logging, eg: health checks -func SetExcludePath(s string) { - std.SetExcludePath(s) +// SetExcludePaths sets the path to exclude from logging, eg: health checks +func SetExcludePaths(s []string) { + std.SetExcludePaths(s) } // SetStandardTemplate sets the template for standard logging for