Commit c0efec52 authored by Toby Allen's avatar Toby Allen Committed by GitHub

Allow Masking of IP address in Logfile. (#1930)

* First working mask

* IP Mask working with defaults and empty

* add tests for ipmask

* Store Mask as setup, some tidying, cleaner flow

* Prevent mask from running when directive not present

* use custom replacement to store masked ip
parent a74320bf
......@@ -18,6 +18,7 @@ import (
"bytes"
"io"
"log"
"net"
"os"
"strings"
"sync"
......@@ -40,6 +41,9 @@ type Logger struct {
Roller *LogRoller
writer io.Writer
fileMu *sync.RWMutex
V4ipMask net.IPMask
V6ipMask net.IPMask
IPMaskExists bool
}
// NewTestLogger creates logger suitable for testing purposes
......@@ -64,6 +68,22 @@ func (l Logger) Printf(format string, args ...interface{}) {
l.fileMu.RUnlock()
}
func (l Logger) MaskIP(ip string) string {
var reqIP net.IP
// If unable to parse, simply return IP as provided.
reqIP = net.ParseIP(ip)
if reqIP == nil {
return ip
}
if reqIP.To4() != nil {
return reqIP.Mask(l.V4ipMask).String()
} else {
return reqIP.Mask(l.V6ipMask).String()
}
}
// Attach binds logger Start and Close functions to
// controller's OnStartup and OnShutdown hooks.
func (l *Logger) Attach(controller *caddy.Controller) {
......
......@@ -17,6 +17,7 @@ package log
import (
"fmt"
"net"
"net/http"
"github.com/mholt/caddy"
......@@ -66,6 +67,16 @@ func (l Logger) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
// Write log entries
for _, e := range rule.Entries {
// Mask IP Address
if e.Log.IPMaskExists {
hostip, _, err := net.SplitHostPort(r.RemoteAddr)
if err == nil {
maskedIP := e.Log.MaskIP(hostip)
// Overwrite log value with Masked version
rep.Set("remote", maskedIP)
}
}
e.Log.Println(rep.Replace(e.Format))
}
......
......@@ -15,6 +15,7 @@
package log
import (
"net"
"strings"
"github.com/mholt/caddy"
......@@ -47,6 +48,10 @@ func logParse(c *caddy.Controller) ([]*Rule, error) {
for c.Next() {
args := c.RemainingArgs()
ip4Mask := net.IPMask(net.ParseIP(DefaultIP4Mask).To4())
ip6Mask := net.IPMask(net.ParseIP(DefaultIP6Mask))
ipMaskExists := false
var logRoller *httpserver.LogRoller
logRoller = httpserver.DefaultLogRoller()
......@@ -54,14 +59,48 @@ func logParse(c *caddy.Controller) ([]*Rule, error) {
what := c.Val()
where := c.RemainingArgs()
// only support roller related options inside a block
if !httpserver.IsLogRollerSubdirective(what) {
if what == "ipmask" {
if len(where) == 0 {
return nil, c.ArgErr()
}
if where[0] != "" {
ip4MaskStr := where[0]
ipv4 := net.ParseIP(ip4MaskStr).To4()
if ipv4 == nil {
return nil, c.Err("IPv4 Mask not valid IP Mask Format")
} else {
ip4Mask = net.IPMask(ipv4)
ipMaskExists = true
}
}
if len(where) > 1 {
ip6MaskStr := where[1]
ipv6 := net.ParseIP(ip6MaskStr)
if ipv6 == nil {
return nil, c.Err("IPv6 Mask not valid IP Mask Format")
} else {
ip6Mask = net.IPMask(ipv6)
ipMaskExists = true
}
}
} else if httpserver.IsLogRollerSubdirective(what) {
if err := httpserver.ParseRoller(logRoller, what, where...); err != nil {
return nil, err
}
} else {
return nil, c.ArgErr()
}
}
path := "/"
......@@ -91,6 +130,9 @@ func logParse(c *caddy.Controller) ([]*Rule, error) {
Log: &httpserver.Logger{
Output: output,
Roller: logRoller,
V4ipMask: ip4Mask,
V6ipMask: ip6Mask,
IPMaskExists: ipMaskExists,
},
Format: format,
})
......@@ -114,3 +156,10 @@ func appendEntry(rules []*Rule, pathScope string, entry *Entry) []*Rule {
return rules
}
const (
// IP Masks that have no effect on IP Address
DefaultIP4Mask = "255.255.255.255"
DefaultIP6Mask = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
)
......@@ -15,9 +15,9 @@
package log
import (
"testing"
"net"
"reflect"
"testing"
"github.com/mholt/caddy"
"github.com/mholt/caddy/caddyhttp/httpserver"
......@@ -49,6 +49,8 @@ func TestSetup(t *testing.T) {
expectedLogger := &httpserver.Logger{
Output: DefaultLogFilename,
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
}
if !reflect.DeepEqual(myHandler.Rules[0].Entries[0].Log, expectedLogger) {
......@@ -74,6 +76,8 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: DefaultLogFilename,
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: DefaultLogFormat,
}},
......@@ -84,6 +88,8 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: "log.txt",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: DefaultLogFormat,
}},
......@@ -94,6 +100,8 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: "syslog://127.0.0.1:5000",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: DefaultLogFormat,
}},
......@@ -104,6 +112,8 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: "syslog+tcp://127.0.0.1:5000",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: DefaultLogFormat,
}},
......@@ -114,6 +124,8 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: "log.txt",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: DefaultLogFormat,
}},
......@@ -124,6 +136,8 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: "stdout",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: DefaultLogFormat,
}},
......@@ -134,6 +148,8 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: "log.txt",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: CommonLogFormat,
}},
......@@ -144,6 +160,8 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: "log.txt",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: "prefix " + CommonLogFormat + " suffix",
}},
......@@ -154,6 +172,8 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: "accesslog.txt",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: CombinedLogFormat,
}},
......@@ -164,6 +184,8 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: "accesslog.txt",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: "prefix " + CombinedLogFormat + " suffix",
}},
......@@ -175,6 +197,8 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: "log.txt",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: DefaultLogFormat,
}},
......@@ -184,6 +208,8 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: "accesslog.txt",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: CombinedLogFormat,
}},
......@@ -195,6 +221,8 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: "stdout",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: "{host}",
}},
......@@ -204,6 +232,8 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: "log.txt",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: "{when}",
}},
......@@ -224,7 +254,59 @@ func TestLogParse(t *testing.T) {
MaxBackups: 3,
Compress: true,
LocalTime: true,
},
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: DefaultLogFormat,
}},
}}},
{`log access0.log {
ipmask 255.255.255.0
}`, false, []Rule{{
PathScope: "/",
Entries: []*Entry{{
Log: &httpserver.Logger{
Output: "access0.log",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP("255.255.255.0").To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
IPMaskExists: true,
},
Format: DefaultLogFormat,
}},
}}},
{`log access1.log {
ipmask "" ffff:ffff:ffff:ff00::
}`, false, []Rule{{
PathScope: "/",
Entries: []*Entry{{
Log: &httpserver.Logger{
Output: "access1.log",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP("ffff:ffff:ffff:ff00::")),
IPMaskExists: true,
},
Format: DefaultLogFormat,
}},
}}},
{`log access2.log {
ipmask 255.255.255.0 ffff:ffff:ffff:ff00::
}`, false, []Rule{{
PathScope: "/",
Entries: []*Entry{{
Log: &httpserver.Logger{
Output: "access2.log",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP("255.255.255.0").To4()),
V6ipMask: net.IPMask(net.ParseIP("ffff:ffff:ffff:ff00::")),
IPMaskExists: true,
},
Format: DefaultLogFormat,
}},
}}},
......@@ -235,12 +317,16 @@ func TestLogParse(t *testing.T) {
Log: &httpserver.Logger{
Output: "stdout",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: "{host}",
}, {
Log: &httpserver.Logger{
Output: "log.txt",
Roller: httpserver.DefaultLogRoller(),
V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
},
Format: "{when}",
}},
......@@ -248,6 +334,7 @@ func TestLogParse(t *testing.T) {
{`log access.log { rotate_size 2 rotate_age 10 rotate_keep 3 }`, true, nil},
{`log access.log { rotate_compress invalid }`, true, nil},
{`log access.log { rotate_size }`, true, nil},
{`log access.log { ipmask }`, true, nil},
{`log access.log { invalid_option 1 }`, true, nil},
{`log / acccess.log "{remote} - [{when}] "{method} {port}" {scheme} {mitm} "`, true, nil},
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment