From 5bf0adad8748e96e10529d5fc5777afc9236a7b5 Mon Sep 17 00:00:00 2001 From: Francis Lavoie Date: Thu, 2 Dec 2021 15:26:24 -0500 Subject: caddyhttp: Make logging of credential headers opt-in (#4438) --- modules/caddyhttp/server.go | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) (limited to 'modules/caddyhttp/server.go') diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go index 2ddec60..98fd962 100644 --- a/modules/caddyhttp/server.go +++ b/modules/caddyhttp/server.go @@ -157,7 +157,11 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) { // it enters any handler chain; this is necessary // to capture the original request in case it gets // modified during handling - loggableReq := zap.Object("request", LoggableHTTPRequest{r}) + shouldLogCredentials := s.Logs != nil && s.Logs.ShouldLogCredentials + loggableReq := zap.Object("request", LoggableHTTPRequest{ + Request: r, + ShouldLogCredentials: shouldLogCredentials, + }) errLog := s.errorLogger.With(loggableReq) var duration time.Duration @@ -191,7 +195,10 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) { zap.Duration("duration", duration), zap.Int("size", wrec.Size()), zap.Int("status", wrec.Status()), - zap.Object("resp_headers", LoggableHTTPHeader(wrec.Header())), + zap.Object("resp_headers", LoggableHTTPHeader{ + Header: wrec.Header(), + ShouldLogCredentials: shouldLogCredentials, + }), ) }() } @@ -508,6 +515,12 @@ type ServerLogConfig struct { // If true, requests to any host not appearing in the // LoggerNames (logger_names) map will not be logged. SkipUnmappedHosts bool `json:"skip_unmapped_hosts,omitempty"` + + // If true, credentials that are otherwise omitted, will be logged. + // The definition of credentials is defined by https://fetch.spec.whatwg.org/#credentials, + // and this includes some request and response headers, i.e `Cookie`, + // `Set-Cookie`, `Authorization`, and `Proxy-Authorization`. + ShouldLogCredentials bool `json:"should_log_credentials,omitempty"` } // wrapLogger wraps logger in a logger named according to user preferences for the given host. -- cgit v1.2.3