Add exclude logging path option
Useful for excluding /ping endpoint to reduce log volume. This is somewhat more verbose than a simple bool to disable logging of the `/ping` endpoint. Perhaps better to add `-silence-ping-logging` bool flag to `options.go` and pass in the `/ping` endpoint as part of `logger` declaration in `options.go`. Could be extended into a slice of paths similar to go-gin's `SkipPaths`: https://github.com/gin-gonic/gin/blob/master/logger.go#L46
This commit is contained in:
parent
ec97000169
commit
c4f20fff3d
@ -42,6 +42,7 @@ Usage of oauth2_proxy:
|
|||||||
-display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true)
|
-display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true)
|
||||||
-email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
|
-email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
|
||||||
-extra-jwt-issuers: if -skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json)
|
-extra-jwt-issuers: if -skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json)
|
||||||
|
-exclude-logging-path: don't log requests to this path, eg: /ping (default "" = no paths excluded)
|
||||||
-flush-interval: period between flushing response buffers when streaming responses (default "1s")
|
-flush-interval: period between flushing response buffers when streaming responses (default "1s")
|
||||||
-banner string: custom banner string. Use "-" to disable default banner.
|
-banner string: custom banner string. Use "-" to disable default banner.
|
||||||
-footer string: custom footer string. Use "-" to disable default footer.
|
-footer string: custom footer string. Use "-" to disable default footer.
|
||||||
@ -90,7 +91,6 @@ Usage of oauth2_proxy:
|
|||||||
-set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
|
-set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
|
||||||
-set-authorization-header: set Authorization Bearer response header (useful in Nginx auth_request mode)
|
-set-authorization-header: set Authorization Bearer response header (useful in Nginx auth_request mode)
|
||||||
-signature-key string: GAP-Signature request signature key (algorithm:secretkey)
|
-signature-key string: GAP-Signature request signature key (algorithm:secretkey)
|
||||||
-silence-ping-logging bool: disable logging of requests to ping endpoint (default false)
|
|
||||||
-skip-auth-preflight: will skip authentication for OPTIONS requests
|
-skip-auth-preflight: will skip authentication for OPTIONS requests
|
||||||
-skip-auth-regex value: bypass authentication for requests path's that match (may be given multiple times)
|
-skip-auth-regex value: bypass authentication for requests path's that match (may be given multiple times)
|
||||||
-skip-jwt-bearer-tokens: will skip requests that have verified JWT bearer tokens
|
-skip-jwt-bearer-tokens: will skip requests that have verified JWT bearer tokens
|
||||||
@ -140,7 +140,7 @@ There are three different types of logging: standard, authentication, and HTTP r
|
|||||||
|
|
||||||
Each type of logging has their own configurable format and variables. By default these formats are similar to the Apache Combined Log.
|
Each type of logging has their own configurable format and variables. By default these formats are similar to the Apache Combined Log.
|
||||||
|
|
||||||
Logging of requests to the `/ping` endpoint can be disabled with `-silence-ping-logging` reducing log volume.
|
A specific path can be excluded from request logs by setting `-exclude-logging-path`. This is useful for disabling logging of requests to the `/ping` endpoint to reduce log volume when health checking `oauth2_proxy`.
|
||||||
|
|
||||||
### Auth Log Format
|
### Auth Log Format
|
||||||
Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format:
|
Authentication logs are logs which are guaranteed to contain a username or email address of a user attempting to authenticate. These logs are output by default in the below format:
|
||||||
|
@ -19,15 +19,15 @@ func TestLoggingHandler_ServeHTTP(t *testing.T) {
|
|||||||
Format,
|
Format,
|
||||||
ExpectedLogMessage,
|
ExpectedLogMessage,
|
||||||
Path string
|
Path string
|
||||||
SilentPing bool
|
ExcludePath string
|
||||||
}{
|
}{
|
||||||
{logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", false},
|
{logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", ""},
|
||||||
{logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", true},
|
{logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/foo/bar\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/foo/bar", "/ping"},
|
||||||
{logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/ping\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/ping", false},
|
{logger.DefaultRequestLoggingFormat, fmt.Sprintf("127.0.0.1 - - [%s] test-server GET - \"/ping\" HTTP/1.1 \"\" 200 4 0.000\n", logger.FormatTimestamp(ts)), "/ping", ""},
|
||||||
{"{{.RequestMethod}}", "GET\n", "/foo/bar", false},
|
{"{{.RequestMethod}}", "GET\n", "/foo/bar", ""},
|
||||||
{"{{.RequestMethod}}", "GET\n", "/foo/bar", true},
|
{"{{.RequestMethod}}", "GET\n", "/foo/bar", "/ping"},
|
||||||
{"{{.RequestMethod}}", "GET\n", "/ping", false},
|
{"{{.RequestMethod}}", "GET\n", "/ping", ""},
|
||||||
{"{{.RequestMethod}}", "", "/ping", true},
|
{"{{.RequestMethod}}", "", "/ping", "/ping"},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
@ -43,7 +43,7 @@ func TestLoggingHandler_ServeHTTP(t *testing.T) {
|
|||||||
|
|
||||||
logger.SetOutput(buf)
|
logger.SetOutput(buf)
|
||||||
logger.SetReqTemplate(test.Format)
|
logger.SetReqTemplate(test.Format)
|
||||||
logger.SetSilentPing(test.SilentPing)
|
logger.SetExcludePath(test.ExcludePath)
|
||||||
h := LoggingHandler(http.HandlerFunc(handler))
|
h := LoggingHandler(http.HandlerFunc(handler))
|
||||||
|
|
||||||
r, _ := http.NewRequest("GET", test.Path, nil)
|
r, _ := http.NewRequest("GET", test.Path, nil)
|
||||||
|
2
main.go
2
main.go
@ -98,7 +98,7 @@ func main() {
|
|||||||
|
|
||||||
flagSet.Bool("request-logging", true, "Log HTTP requests")
|
flagSet.Bool("request-logging", true, "Log HTTP requests")
|
||||||
flagSet.String("request-logging-format", logger.DefaultRequestLoggingFormat, "Template for HTTP request log lines")
|
flagSet.String("request-logging-format", logger.DefaultRequestLoggingFormat, "Template for HTTP request log lines")
|
||||||
flagSet.Bool("silence-ping-logging", false, "Disable logging of requests to ping endpoint")
|
flagSet.String("exclude-logging-path", "", "Exclude logging requests to path (eg: /ping)")
|
||||||
|
|
||||||
flagSet.Bool("auth-logging", true, "Log authentication attempts")
|
flagSet.Bool("auth-logging", true, "Log authentication attempts")
|
||||||
flagSet.String("auth-logging-format", logger.DefaultAuthLoggingFormat, "Template for authentication log lines")
|
flagSet.String("auth-logging-format", logger.DefaultAuthLoggingFormat, "Template for authentication log lines")
|
||||||
|
18
options.go
18
options.go
@ -105,15 +105,15 @@ type Options struct {
|
|||||||
RequestLoggingFormat string `flag:"request-logging-format" cfg:"request_logging_format" env:"OAUTH2_PROXY_REQUEST_LOGGING_FORMAT"`
|
RequestLoggingFormat string `flag:"request-logging-format" cfg:"request_logging_format" env:"OAUTH2_PROXY_REQUEST_LOGGING_FORMAT"`
|
||||||
PingPath string `flag:"ping-path" cfg:"ping_path" env:"OAUTH2_PROXY_PING_PATH"`
|
PingPath string `flag:"ping-path" cfg:"ping_path" env:"OAUTH2_PROXY_PING_PATH"`
|
||||||
SilencePingLogging bool `flag:"silence-ping-logging" cfg:"silence_ping_logging" env:"OAUTH2_PROXY_SILENCE_PING_LOGGING"`
|
SilencePingLogging bool `flag:"silence-ping-logging" cfg:"silence_ping_logging" env:"OAUTH2_PROXY_SILENCE_PING_LOGGING"`
|
||||||
|
ExcludeLoggingPath string `flag:"exclude-logging-path" cfg:"exclude_logging_path" env:"OAUTH2_PROXY_EXCLUDE_LOGGING_PATH"`
|
||||||
AuthLogging bool `flag:"auth-logging" cfg:"auth_logging" env:"OAUTH2_PROXY_LOGGING_AUTH_LOGGING"`
|
AuthLogging bool `flag:"auth-logging" cfg:"auth_logging" env:"OAUTH2_PROXY_LOGGING_AUTH_LOGGING"`
|
||||||
AuthLoggingFormat string `flag:"auth-logging-format" cfg:"auth_logging_format" env:"OAUTH2_PROXY_AUTH_LOGGING_FORMAT"`
|
AuthLoggingFormat string `flag:"auth-logging-format" cfg:"auth_logging_format" env:"OAUTH2_PROXY_AUTH_LOGGING_FORMAT"`
|
||||||
|
SignatureKey string `flag:"signature-key" cfg:"signature_key" env:"OAUTH2_PROXY_SIGNATURE_KEY"`
|
||||||
SignatureKey string `flag:"signature-key" cfg:"signature_key" env:"OAUTH2_PROXY_SIGNATURE_KEY"`
|
AcrValues string `flag:"acr-values" cfg:"acr_values" env:"OAUTH2_PROXY_ACR_VALUES"`
|
||||||
AcrValues string `flag:"acr-values" cfg:"acr_values" env:"OAUTH2_PROXY_ACR_VALUES"`
|
JWTKey string `flag:"jwt-key" cfg:"jwt_key" env:"OAUTH2_PROXY_JWT_KEY"`
|
||||||
JWTKey string `flag:"jwt-key" cfg:"jwt_key" env:"OAUTH2_PROXY_JWT_KEY"`
|
JWTKeyFile string `flag:"jwt-key-file" cfg:"jwt_key_file" env:"OAUTH2_PROXY_JWT_KEY_FILE"`
|
||||||
JWTKeyFile string `flag:"jwt-key-file" cfg:"jwt_key_file" env:"OAUTH2_PROXY_JWT_KEY_FILE"`
|
PubJWKURL string `flag:"pubjwk-url" cfg:"pubjwk_url" env:"OAUTH2_PROXY_PUBJWK_URL"`
|
||||||
PubJWKURL string `flag:"pubjwk-url" cfg:"pubjwk_url" env:"OAUTH2_PROXY_PUBJWK_URL"`
|
GCPHealthChecks bool `flag:"gcp-healthchecks" cfg:"gcp_healthchecks" env:"OAUTH2_PROXY_GCP_HEALTHCHECKS"`
|
||||||
GCPHealthChecks bool `flag:"gcp-healthchecks" cfg:"gcp_healthchecks" env:"OAUTH2_PROXY_GCP_HEALTHCHECKS"`
|
|
||||||
|
|
||||||
// internal values that are set after config validation
|
// internal values that are set after config validation
|
||||||
redirectURL *url.URL
|
redirectURL *url.URL
|
||||||
@ -167,6 +167,7 @@ func NewOptions() *Options {
|
|||||||
LoggingMaxBackups: 0,
|
LoggingMaxBackups: 0,
|
||||||
LoggingLocalTime: true,
|
LoggingLocalTime: true,
|
||||||
LoggingCompress: false,
|
LoggingCompress: false,
|
||||||
|
ExcludeLoggingPath: "",
|
||||||
PingPath: "/ping",
|
PingPath: "/ping",
|
||||||
SilencePingLogging: false,
|
SilencePingLogging: false,
|
||||||
StandardLogging: true,
|
StandardLogging: true,
|
||||||
@ -571,8 +572,7 @@ func setupLogger(o *Options, msgs []string) []string {
|
|||||||
logger.SetStandardEnabled(o.StandardLogging)
|
logger.SetStandardEnabled(o.StandardLogging)
|
||||||
logger.SetAuthEnabled(o.AuthLogging)
|
logger.SetAuthEnabled(o.AuthLogging)
|
||||||
logger.SetReqEnabled(o.RequestLogging)
|
logger.SetReqEnabled(o.RequestLogging)
|
||||||
logger.SetSilentPing(o.SilencePingLogging)
|
logger.SetExcludePath(o.ExcludeLoggingPath)
|
||||||
logger.SetPingPath(o.PingPath)
|
|
||||||
logger.SetStandardTemplate(o.StandardLoggingFormat)
|
logger.SetStandardTemplate(o.StandardLoggingFormat)
|
||||||
logger.SetAuthTemplate(o.AuthLoggingFormat)
|
logger.SetAuthTemplate(o.AuthLoggingFormat)
|
||||||
logger.SetReqTemplate(o.RequestLoggingFormat)
|
logger.SetReqTemplate(o.RequestLoggingFormat)
|
||||||
|
@ -88,8 +88,7 @@ type Logger struct {
|
|||||||
stdEnabled bool
|
stdEnabled bool
|
||||||
authEnabled bool
|
authEnabled bool
|
||||||
reqEnabled bool
|
reqEnabled bool
|
||||||
silentPing bool
|
excludePath string
|
||||||
pingPath string
|
|
||||||
stdLogTemplate *template.Template
|
stdLogTemplate *template.Template
|
||||||
authTemplate *template.Template
|
authTemplate *template.Template
|
||||||
reqTemplate *template.Template
|
reqTemplate *template.Template
|
||||||
@ -103,8 +102,7 @@ func New(flag int) *Logger {
|
|||||||
stdEnabled: true,
|
stdEnabled: true,
|
||||||
authEnabled: true,
|
authEnabled: true,
|
||||||
reqEnabled: true,
|
reqEnabled: true,
|
||||||
silentPing: false,
|
excludePath: "",
|
||||||
pingPath: "/ping",
|
|
||||||
stdLogTemplate: template.Must(template.New("std-log").Parse(DefaultStandardLoggingFormat)),
|
stdLogTemplate: template.Must(template.New("std-log").Parse(DefaultStandardLoggingFormat)),
|
||||||
authTemplate: template.Must(template.New("auth-log").Parse(DefaultAuthLoggingFormat)),
|
authTemplate: template.Must(template.New("auth-log").Parse(DefaultAuthLoggingFormat)),
|
||||||
reqTemplate: template.Must(template.New("req-log").Parse(DefaultRequestLoggingFormat)),
|
reqTemplate: template.Must(template.New("req-log").Parse(DefaultRequestLoggingFormat)),
|
||||||
@ -181,7 +179,7 @@ func (l *Logger) PrintReq(username, upstream string, req *http.Request, url url.
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if url.Path == l.pingPath && l.silentPing {
|
if url.Path == l.excludePath {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
duration := float64(time.Now().Sub(ts)) / float64(time.Second)
|
duration := float64(time.Now().Sub(ts)) / float64(time.Second)
|
||||||
@ -309,18 +307,11 @@ func (l *Logger) SetReqEnabled(e bool) {
|
|||||||
l.reqEnabled = e
|
l.reqEnabled = e
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetPingPath sets the ping path.
|
// SetExcludePath sets the path to exclude from logging.
|
||||||
func (l *Logger) SetPingPath(s string) {
|
func (l *Logger) SetExcludePath(s string) {
|
||||||
l.mu.Lock()
|
l.mu.Lock()
|
||||||
defer l.mu.Unlock()
|
defer l.mu.Unlock()
|
||||||
l.pingPath = s
|
l.excludePath = s
|
||||||
}
|
|
||||||
|
|
||||||
// SetSilentPing disables ping request logging.
|
|
||||||
func (l *Logger) SetSilentPing(e bool) {
|
|
||||||
l.mu.Lock()
|
|
||||||
defer l.mu.Unlock()
|
|
||||||
l.silentPing = e
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetStandardTemplate sets the template for standard logging.
|
// SetStandardTemplate sets the template for standard logging.
|
||||||
@ -386,15 +377,9 @@ func SetReqEnabled(e bool) {
|
|||||||
std.SetReqEnabled(e)
|
std.SetReqEnabled(e)
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetPingPath sets the healthcheck endpoint path.
|
// SetExcludePath sets the path to exclude from logging, eg: health checks
|
||||||
// FIXME: Seems wrong to define this
|
func SetExcludePath(s string) {
|
||||||
func SetPingPath(s string) {
|
std.SetExcludePath(s)
|
||||||
std.SetPingPath(s)
|
|
||||||
}
|
|
||||||
|
|
||||||
// SetSilentPing disables request logging for the ping endpoint.
|
|
||||||
func SetSilentPing(e bool) {
|
|
||||||
std.SetSilentPing(e)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetStandardTemplate sets the template for standard logging for
|
// SetStandardTemplate sets the template for standard logging for
|
||||||
|
Loading…
Reference in New Issue
Block a user