You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Stefan Fritsch <sf...@sfritsch.de> on 2016/08/19 18:00:33 UTC
Re: Improving logs to make AUTH_DENIES easy to understand and fix
Hi,
sorry for the late response.
On Wednesday, 18 May 2016 02:12:39 CEST Tianyin Xu wrote:
> I propose to apply the same good practices (such as mod_authz_owner &
> mod_authz_dbm) to all the authn/authz modules. Basically, I want to add log
> messages before each AUTHN/Z_DENIES to pinpoint:
>
> 1) which module denied the request
> 2) the reason the request gets denied
>
> In this way, sysadmins can immediately understand the causes and take
> actions (if necessary).
The problem is, that when using RequireNone, RequireAny, RequireAll, or
"Require not", the module does not know which result will lead to the request
being denied. So, logging in each module at high loglevel would cause a lot of
"denied" messages even for requests that are allowed in the end. With negation
an AUTHZ_GRANTED could also lead to the request being denied, and that would
then lack a log message.
The preferred way to debug this is to set "Loglevel authz_core debug",
possibly only for the one URL that is interesting. This should give ample
logging for debugging. This should probably be documented better. Someone
wants to write a debugging section in http://httpd.apache.org/docs/trunk/
howto/auth.html ?
If more logging is needed, the authn/authz module should need to put the info
somewhere and mod_authz_core should only log it if it actually causes the
request to be denied. But this obviously would need more infrastructure that
is not present now.
Cheers,
Stefan