Allow Masking of IP address in Logfile. (#1930)

* First working mask * IP Mask working with defaults and empty * add tests for ipmask * Store Mask as setup, some tidying, cleaner flow * Prevent mask from running when directive not present * use custom replacement to store masked ip

Allow Masking of IP address in Logfile. (#1930)
* First working mask * IP Mask working with defaults and empty * add tests for ipmask * Store Mask as setup, some tidying, cleaner flow * Prevent mask from running when directive not present * use custom replacement to store masked ip
c0efec52 · Toby Allen · GitHub · a74320bf · c0efec52 · c0efec52
Commit c0efec52 authored Dec 23, 2017 by Toby Allen Committed by GitHub Dec 23, 2017
4 changed files
--- a/caddyhttp/httpserver/logger.go
+++ b/caddyhttp/httpserver/logger.go
@@ -18,6 +18,7 @@ import (
 	"bytes"
 	"io"
 	"log"
+	"net"
 	"os"
 	"strings"
 	"sync"
@@ -40,6 +41,9 @@ type Logger struct {
 	Roller       *LogRoller
 	writer       io.Writer
 	fileMu       *sync.RWMutex
+	V4ipMask     net.IPMask
+	V6ipMask     net.IPMask
+	IPMaskExists bool
 }

 // NewTestLogger creates logger suitable for testing purposes
@@ -64,6 +68,22 @@ func (l Logger) Printf(format string, args ...interface{}) {
 	l.fileMu.RUnlock()
 }

+func (l Logger) MaskIP(ip string) string {
+	var reqIP net.IP
+	// If unable to parse, simply return IP as provided.
+	reqIP = net.ParseIP(ip)
+	if reqIP == nil {
+		return ip
+	}
+
+	if reqIP.To4() != nil {
+		return reqIP.Mask(l.V4ipMask).String()
+	} else {
+		return reqIP.Mask(l.V6ipMask).String()
+	}
+
+}
+
 // Attach binds logger Start and Close functions to
 // controller's OnStartup and OnShutdown hooks.
 func (l *Logger) Attach(controller *caddy.Controller) {

--- a/caddyhttp/log/log.go
+++ b/caddyhttp/log/log.go
@@ -17,6 +17,7 @@ package log

 import (
 	"fmt"
+	"net"
 	"net/http"

 	"github.com/mholt/caddy"
@@ -66,6 +67,16 @@ func (l Logger) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {

 			// Write log entries
 			for _, e := range rule.Entries {
+
+				// Mask IP Address
+				if e.Log.IPMaskExists {
+					hostip, _, err := net.SplitHostPort(r.RemoteAddr)
+					if err == nil {
+						maskedIP := e.Log.MaskIP(hostip)
+						// Overwrite log value with Masked version
+						rep.Set("remote", maskedIP)
+					}
+				}
 				e.Log.Println(rep.Replace(e.Format))
 			}


--- a/caddyhttp/log/setup.go
+++ b/caddyhttp/log/setup.go
@@ -15,6 +15,7 @@
 package log

 import (
+	"net"
 	"strings"

 	"github.com/mholt/caddy"
@@ -47,6 +48,10 @@ func logParse(c *caddy.Controller) ([]*Rule, error) {
 	for c.Next() {
 		args := c.RemainingArgs()

+		ip4Mask := net.IPMask(net.ParseIP(DefaultIP4Mask).To4())
+		ip6Mask := net.IPMask(net.ParseIP(DefaultIP6Mask))
+		ipMaskExists := false
+
 		var logRoller *httpserver.LogRoller
 		logRoller = httpserver.DefaultLogRoller()

@@ -54,14 +59,48 @@ func logParse(c *caddy.Controller) ([]*Rule, error) {
 			what := c.Val()
 			where := c.RemainingArgs()

-			// only support roller related options inside a block
-			if !httpserver.IsLogRollerSubdirective(what) {
+			if what == "ipmask" {
+
+				if len(where) == 0 {
 					return nil, c.ArgErr()
 				}

+				if where[0] != "" {
+					ip4MaskStr := where[0]
+					ipv4 := net.ParseIP(ip4MaskStr).To4()
+
+					if ipv4 == nil {
+						return nil, c.Err("IPv4 Mask not valid IP Mask Format")
+					} else {
+						ip4Mask = net.IPMask(ipv4)
+						ipMaskExists = true
+					}
+				}
+
+				if len(where) > 1 {
+
+					ip6MaskStr := where[1]
+					ipv6 := net.ParseIP(ip6MaskStr)
+
+					if ipv6 == nil {
+						return nil, c.Err("IPv6 Mask not valid IP Mask Format")
+					} else {
+						ip6Mask = net.IPMask(ipv6)
+						ipMaskExists = true
+					}
+
+				}
+
+			} else if httpserver.IsLogRollerSubdirective(what) {
+
 				if err := httpserver.ParseRoller(logRoller, what, where...); err != nil {
 					return nil, err
 				}
+
+			} else {
+				return nil, c.ArgErr()
+			}
+
 		}

 		path := "/"
@@ -91,6 +130,9 @@ func logParse(c *caddy.Controller) ([]*Rule, error) {
 			Log: &httpserver.Logger{
 				Output:       output,
 				Roller:       logRoller,
+				V4ipMask:     ip4Mask,
+				V6ipMask:     ip6Mask,
+				IPMaskExists: ipMaskExists,
 			},
 			Format: format,
 		})
@@ -114,3 +156,10 @@ func appendEntry(rules []*Rule, pathScope string, entry *Entry) []*Rule {

 	return rules
 }
+
+const (
+	// IP Masks that have no effect on IP Address
+	DefaultIP4Mask = "255.255.255.255"
+
+	DefaultIP6Mask = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
+)
--- a/caddyhttp/log/setup_test.go
+++ b/caddyhttp/log/setup_test.go
@@ -15,9 +15,9 @@
 package log

 import (
-	"testing"
-
+	"net"
 	"reflect"
+	"testing"

 	"github.com/mholt/caddy"
 	"github.com/mholt/caddy/caddyhttp/httpserver"
@@ -49,6 +49,8 @@ func TestSetup(t *testing.T) {
 	expectedLogger := &httpserver.Logger{
 		Output:   DefaultLogFilename,
 		Roller:   httpserver.DefaultLogRoller(),
+		V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+		V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 	}

 	if !reflect.DeepEqual(myHandler.Rules[0].Entries[0].Log, expectedLogger) {
@@ -74,6 +76,8 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   DefaultLogFilename,
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: DefaultLogFormat,
 			}},
@@ -84,6 +88,8 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   "log.txt",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: DefaultLogFormat,
 			}},
@@ -94,6 +100,8 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   "syslog://127.0.0.1:5000",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: DefaultLogFormat,
 			}},
@@ -104,6 +112,8 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   "syslog+tcp://127.0.0.1:5000",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: DefaultLogFormat,
 			}},
@@ -114,6 +124,8 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   "log.txt",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: DefaultLogFormat,
 			}},
@@ -124,6 +136,8 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   "stdout",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: DefaultLogFormat,
 			}},
@@ -134,6 +148,8 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   "log.txt",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: CommonLogFormat,
 			}},
@@ -144,6 +160,8 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   "log.txt",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: "prefix " + CommonLogFormat + " suffix",
 			}},
@@ -154,6 +172,8 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   "accesslog.txt",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: CombinedLogFormat,
 			}},
@@ -164,6 +184,8 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   "accesslog.txt",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: "prefix " + CombinedLogFormat + " suffix",
 			}},
@@ -175,6 +197,8 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   "log.txt",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: DefaultLogFormat,
 			}},
@@ -184,6 +208,8 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   "accesslog.txt",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: CombinedLogFormat,
 			}},
@@ -195,6 +221,8 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   "stdout",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: "{host}",
 			}},
@@ -204,6 +232,8 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   "log.txt",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: "{when}",
 			}},
@@ -224,7 +254,59 @@ func TestLogParse(t *testing.T) {
 						MaxBackups: 3,
 						Compress:   true,
 						LocalTime:  true,
+					},
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
+				},
+
+				Format: DefaultLogFormat,
+			}},
+		}}},
+		{`log access0.log {
+			ipmask 255.255.255.0
+		}`, false, []Rule{{
+			PathScope: "/",
+			Entries: []*Entry{{
+				Log: &httpserver.Logger{
+					Output:       "access0.log",
+					Roller:       httpserver.DefaultLogRoller(),
+					V4ipMask:     net.IPMask(net.ParseIP("255.255.255.0").To4()),
+					V6ipMask:     net.IPMask(net.ParseIP(DefaultIP6Mask)),
+					IPMaskExists: true,
+				},
+
+				Format: DefaultLogFormat,
 			}},
+		}}},
+		{`log access1.log {
+			ipmask "" ffff:ffff:ffff:ff00::
+		}`, false, []Rule{{
+			PathScope: "/",
+			Entries: []*Entry{{
+				Log: &httpserver.Logger{
+					Output:       "access1.log",
+					Roller:       httpserver.DefaultLogRoller(),
+					V4ipMask:     net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask:     net.IPMask(net.ParseIP("ffff:ffff:ffff:ff00::")),
+					IPMaskExists: true,
+				},
+
+				Format: DefaultLogFormat,
+			}},
+		}}},
+		{`log access2.log {
+			ipmask 255.255.255.0 ffff:ffff:ffff:ff00::
+		}`, false, []Rule{{
+			PathScope: "/",
+			Entries: []*Entry{{
+				Log: &httpserver.Logger{
+					Output:       "access2.log",
+					Roller:       httpserver.DefaultLogRoller(),
+					V4ipMask:     net.IPMask(net.ParseIP("255.255.255.0").To4()),
+					V6ipMask:     net.IPMask(net.ParseIP("ffff:ffff:ffff:ff00::")),
+					IPMaskExists: true,
+				},
+
 				Format: DefaultLogFormat,
 			}},
 		}}},
@@ -235,12 +317,16 @@ func TestLogParse(t *testing.T) {
 				Log: &httpserver.Logger{
 					Output:   "stdout",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: "{host}",
 			}, {
 				Log: &httpserver.Logger{
 					Output:   "log.txt",
 					Roller:   httpserver.DefaultLogRoller(),
+					V4ipMask: net.IPMask(net.ParseIP(DefaultIP4Mask).To4()),
+					V6ipMask: net.IPMask(net.ParseIP(DefaultIP6Mask)),
 				},
 				Format: "{when}",
 			}},
@@ -248,6 +334,7 @@ func TestLogParse(t *testing.T) {
 		{`log access.log { rotate_size 2 rotate_age 10 rotate_keep 3 }`, true, nil},
 		{`log access.log { rotate_compress invalid }`, true, nil},
 		{`log access.log { rotate_size }`, true, nil},
+		{`log access.log { ipmask }`, true, nil},
 		{`log access.log { invalid_option 1 }`, true, nil},
 		{`log / acccess.log "{remote} - [{when}] "{method} {port}" {scheme} {mitm} "`, true, nil},
 	}