You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by ri...@speedy.com.pe on 2004/06/05 16:08:55 UTC

Better error logging for mod_access

Hi, all.

I've been following the #apache channel on freenode, and it seemed to me that 
a lot of people trying to configure apache have trouble with mod_access 
configurations. So it occurred to me that it would be easier for them if 
mod_access produced more informative logs, identifying the filename and line 
number of the directive which caused the denial (including in .htaccess 
files).

The patch here: <http://drbacchus.com/files/access_logging_patch.txt> for 
2.0.49 creates logs that look like this:

[Fri May 28 22:19:16 2004] [notice] Apache/2.0.49 (Unix) configured -- 
resuming
normal operations
[Fri May 28 22:19:24 2004] [error] [client 192.168.1.33] client denied by 
order directive at line 362 of /opt/apache2/conf/httpd.conf for:
/opt/apache2/htdocs/bar
[Fri May 28 22:19:33 2004] [error] [client 192.168.1.33] client denied by deny
directive at line 2 of /opt/apache2/htdocs/foo/.htaccess for: /opt/apache2/
htdocs/foo
[Fri May 28 22:19:45 2004] [error] [client 192.168.1.33] client denied by deny
directive at line 2 of /opt/apache2/htdocs/foo/.htaccess for: /opt/apache2/
htdocs/foo/file
[Fri May 28 22:19:54 2004] [error] [client 192.168.1.33] client denied by deny
directive at line 411 of /opt/apache2/conf/httpd.conf for: /opt/apache2/
htdocs/foo/.htaccess

There should not be much performance impact from this patch -- the only thing 
it does is copy a filepath (limited to a maximum of 80 characters) into 
mod_access's config for each mod_access directive. Of course, those 80 
characters will add up in a big complex config file; but I figured it would 
not be likely that it would be used on a production server. Probably the best 
thing would be to have both mod_access and the patched mod_access as loadable 
modules, so you could enable or disable by changing the LoadModule line.

I hope this helps someone (and thanks to DrBacchus for hosting the patch and 
providing the kick to do it.)

Rici Lake

Re: Better error logging for mod_access

Posted by Jeff Trawick <tr...@attglobal.net>.

Joshua Slive wrote:
> On Sat, 5 Jun 2004, Jeff Trawick wrote:
> 
> 
>>ricilake@speedy.com.pe wrote:
>>
>>
>>>The patch here: <http://drbacchus.com/files/access_logging_patch.txt> for
>>>2.0.49 creates logs that look like this:
>>>
>>>[Fri May 28 22:19:16 2004] [notice] Apache/2.0.49 (Unix) configured --
>>>resuming
>>>normal operations
>>>[Fri May 28 22:19:24 2004] [error] [client 192.168.1.33] client denied by
>>>order directive at line 362 of /opt/apache2/conf/httpd.conf for:
>>>/opt/apache2/htdocs/bar
>>
>>What about enabling via a per-dir directive?  Looks very useful, but some sites
>>  might have a significant number of new entries in error log serving no useful
>>purpose (for them).
> 
> 
> The problem with per-dir is that the user might not know exactly where in
> the config file he should be editting.  If they did, they probably
> wouldn't have a problem finding the relevant allow/deny in the first
> place.
> 
> What about keeping the old error message, but logging an *additional*
> message at loglevel debug with the additional info?
> 
> Two other notes:
> - Personally, I hate arbitrary path-size limitations.  They always bite
> you when you least expect it.  What about dynamically sizing this?
> - You'll get more people to read your patches if you use "diff -u".

I somehow misread the patch and didn't remember what was logged before the 
patch.  I withdraw any and all comments about not logging the config location 
by default.

Re: Better error logging for mod_access

Posted by Geoffrey Young <ge...@modperlcookbook.org>.

Joshua Slive wrote:
> On Sat, 5 Jun 2004, Rici Lake wrote:
> 
>>>What about keeping the old error message, but logging an *additional*
>>>message at loglevel debug with the additional info?
>>
>>That is certainly possible but I was trying to make things as easy as possible
>>for newbies. I think having both modules available, and using a -D flag to
>>select which one to load would probably work out better. But that is just one
>>person's opinion.
> 
> 
> I can say with relative certainty that you won't get people to agree to
> that solution.  It involves a bunch of new complexity (distributing and
> compiling two almost-identical modules) for one new debugging feature.
> Opening httpd.conf and finding the LogLevel directive, which appears only
> once, should be relatively easy.

and more idiomatic, I'd say - if it's extra debugging information you're
after, I would _expect_ lowering the LogLevel to provide it (if it's
available at all).

personally, I add this kind of stuff at 'info' and save 'debug' for
guts-type things, as debug is more verbose by design anyway.  but adding the
additional information at either level sounds like a good idea.

--Geoff

Re: Better error logging for mod_access

Posted by Rici Lake <ri...@speedy.com.pe>.

Fair enough. I guess I am being sensitive here, because the
last time I submitted a patch to some other project, I did
it with -u and got told that I should use -c. :)

Anyway, I apologise for being grumpy and look forward to comments
on the patch itself.

On 9-Jun-04, at 8:29 AM, Greg Marr wrote:

> At 10:18 PM 6/8/2004, Rici Lake wrote:
>> The patch is now posted to bugzilla as [Bug 29450]. I believe that 
>> conforms to the patches.html document cited below. Although that 
>> document says -C3 is acceptable, I have submitted it in the 
>> preferential -u format (which I also prefer, actually).
>
> It says use -u, but if you absolutely *can't* do -u, then of the 
> remaining options, -C3 is the best, or at least, that is what it is 
> meant to say.
>

Re: Better error logging for mod_access

Posted by Greg Marr <gr...@alum.wpi.edu>.

At 10:18 PM 6/8/2004, Rici Lake wrote:
>The patch is now posted to bugzilla as [Bug 29450]. I believe that 
>conforms to the patches.html document cited below. Although that 
>document says -C3 is acceptable, I have submitted it in the 
>preferential -u format (which I also prefer, actually).

It says use -u, but if you absolutely *can't* do -u, then of the 
remaining options, -C3 is the best, or at least, that is what it is 
meant to say.

Re: Better error logging for mod_access

Posted by Rici Lake <ri...@speedy.com.pe>.

The patch is now posted to bugzilla as [Bug 29450]. I believe that 
conforms to the patches.html document cited below. Although that 
document says -C3 is acceptable, I have submitted it in the 
preferential -u format (which I also prefer, actually).

On 5-Jun-04, at 11:57 AM, Joshua Slive wrote:

> Yes, tastes vary.  But Apache has a "defined" taste:
> http://httpd.apache.org/dev/patches.html

Re: Better error logging for mod_access

Posted by ri...@speedy.com.pe.

Mensaje citado por Joshua Slive :

> I can say with relative certainty that you won't get people to agree to
> that solution.  It involves a bunch of new complexity (distributing and
> compiling two almost-identical modules) for one new debugging feature.
> Opening httpd.conf and finding the LogLevel directive, which appears only
> once, should be relatively easy.

Fair enough. Really the question is how much of a nuisance the logging is
for normal operations. In terms of memory consumption, the best solution
would be to use the strings already saved, assuming that is possible (it
should be since the directive structure is available and it should not have
dangling pointers in it even if they are undocumented pointers.) I doubt whether
the extra characters in the log file are going to matter to anyone.
So perhaps the simplest solution is just to do it and see if it actually helps
the lives of new apache users, which seems to me to be likely.

>
> > > - You'll get more people to read your patches if you use "diff -u".
> >
> > Tastes vary.
>
> Yes, tastes vary.  But Apache has a "defined" taste:
> http://httpd.apache.org/dev/patches.html

That page says that diff -C3 is acceptable. However, I will redo it with
diff -u, and any changes anyone suggests in the next little while, and then try
to submit it on bugzilla as requested.

Rici



SPEEDY! Velocidad en Internet con tarifa plana!

Re: Better error logging for mod_access

Posted by Joshua Slive <jo...@slive.ca>.

On Sat, 5 Jun 2004, Rici Lake wrote:
> > What about keeping the old error message, but logging an *additional*
> > message at loglevel debug with the additional info?
>
> That is certainly possible but I was trying to make things as easy as possible
> for newbies. I think having both modules available, and using a -D flag to
> select which one to load would probably work out better. But that is just one
> person's opinion.

I can say with relative certainty that you won't get people to agree to
that solution.  It involves a bunch of new complexity (distributing and
compiling two almost-identical modules) for one new debugging feature.
Opening httpd.conf and finding the LogLevel directive, which appears only
once, should be relatively easy.

> > - You'll get more people to read your patches if you use "diff -u".
>
> Tastes vary.

Yes, tastes vary.  But Apache has a "defined" taste:
http://httpd.apache.org/dev/patches.html

Joshua.

Re: Better error logging for mod_access

Posted by Rici Lake <ri...@speedy.com.pe>.

Quoting Joshua Slive <jo...@slive.ca>:

> On Sat, 5 Jun 2004, Jeff Trawick wrote:
> > What about enabling via a per-dir directive?  Looks very useful, but some
> sites
> >   might have a significant number of new entries in error log serving no
> useful
> > purpose (for them).
> 
> The problem with per-dir is that the user might not know exactly where in
> the config file he should be editting.  If they did, they probably
> wouldn't have a problem finding the relevant allow/deny in the first
> place.

I agree.

> 
> What about keeping the old error message, but logging an *additional*
> message at loglevel debug with the additional info?

That is certainly possible but I was trying to make things as easy as possible 
for newbies. I think having both modules available, and using a -D flag to 
select which one to load would probably work out better. But that is just one 
person's opinion.

> 
> Two other notes:
> - Personally, I hate arbitrary path-size limitations.  They always bite
> you when you least expect it.  What about dynamically sizing this?

That was how I did it the first time, and then I thought that someone would 
complain about the possible storage usage.

Actually, the best thing would be to use the pointer from the directive 
structure, but I could not convince myself that it was in the right pool. If 
someone who understands Apache 2's configuration system better than me said 
"the filename in the directive structure is allocated in a pool which is still 
live when the directive is being used", I would happily change it.

> - You'll get more people to read your patches if you use "diff -u".

Tastes vary. I can post it that way if you prefer. But two people reading it 
in 11 minutes isn't bad :)

Rici.

Re: Better error logging for mod_access

Posted by Joshua Slive <jo...@slive.ca>.

On Sat, 5 Jun 2004, Jeff Trawick wrote:

> ricilake@speedy.com.pe wrote:
>
> > The patch here: <http://drbacchus.com/files/access_logging_patch.txt> for
> > 2.0.49 creates logs that look like this:
> >
> > [Fri May 28 22:19:16 2004] [notice] Apache/2.0.49 (Unix) configured --
> > resuming
> > normal operations
> > [Fri May 28 22:19:24 2004] [error] [client 192.168.1.33] client denied by
> > order directive at line 362 of /opt/apache2/conf/httpd.conf for:
> > /opt/apache2/htdocs/bar
>
> What about enabling via a per-dir directive?  Looks very useful, but some sites
>   might have a significant number of new entries in error log serving no useful
> purpose (for them).

The problem with per-dir is that the user might not know exactly where in
the config file he should be editting.  If they did, they probably
wouldn't have a problem finding the relevant allow/deny in the first
place.

What about keeping the old error message, but logging an *additional*
message at loglevel debug with the additional info?

Two other notes:
- Personally, I hate arbitrary path-size limitations.  They always bite
you when you least expect it.  What about dynamically sizing this?
- You'll get more people to read your patches if you use "diff -u".

Joshua.

Re: Better error logging for mod_access

Posted by Jeff Trawick <tr...@attglobal.net>.

ricilake@speedy.com.pe wrote:

> The patch here: <http://drbacchus.com/files/access_logging_patch.txt> for 
> 2.0.49 creates logs that look like this:
> 
> [Fri May 28 22:19:16 2004] [notice] Apache/2.0.49 (Unix) configured -- 
> resuming
> normal operations
> [Fri May 28 22:19:24 2004] [error] [client 192.168.1.33] client denied by 
> order directive at line 362 of /opt/apache2/conf/httpd.conf for:
> /opt/apache2/htdocs/bar

What about enabling via a per-dir directive?  Looks very useful, but some sites 
  might have a significant number of new entries in error log serving no useful 
purpose (for them).