You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Mitar <mm...@gmail.com> on 2008/12/12 05:32:15 UTC
Disable logging of invalid requests
Hi!
Is there a way to disable logging of invalid requests to an HTTP
server (which result in a 501 response code)? I would like to log only
specific URLs and I am using SetEnvIf with CustomLog to do that, like:
SetEnvIf Request_URI "^/$" log_request=yes
SetEnvIf Request_URI "^/index.html$" log_request=yes
CustomLog "/var/log/httpd-access.log" common env=log_request
CustomLog "/dev/null" common env=!log_request
But the problem is that those invalid requests are still logged to
httpd-access.log file.
Mitar
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Disable logging of invalid requests
Posted by Mitar <mm...@gmail.com>.
Hi!
On Sun, Dec 14, 2008 at 9:41 PM, Joshua Slive <jo...@slive.ca> wrote:
> For example, you want to log based on Request_URI. But to figure out
> what the Request_URI is, apache needs to parse the Request Line. One
> of the reasons for short-circuiting is an over-long request line,
> which would be dangerous to parse.
True. But in my case it is like this:
- if the request is valid and it is for some specific set of URLs, log it
- otherwise do not log it (also if it is invalid)
So I would like to see a switch/option which would say "do not log
invalid requests". If the request is valid, then I will check
Request_URI and based on that I will log it. I understand that I
cannot check Request_URI for invalid requests. But why I cannot
disable logging of invalid requests? I would like to be able to
disable that in CustomLog and maybe just get a warning in error log,
something like "IP this and this sent an invalid request". And what is
logged to an error log is already adjusted with LogLevel. I would put
this warning into info or notice level.
Mitar
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Disable logging of invalid requests
Posted by Joshua Slive <jo...@slive.ca>.
On Sun, Dec 14, 2008 at 1:35 PM, Mitar <mm...@gmail.com> wrote:
> And now I do not have invalid requests logged. I do not like that but
> I do not like having them logged even more. I really do not understand
> why this short-circuiting is necessary. We have an error log for such
> "important" things. CustomLog should be completely customizable. Even
> this short-circuiting.
For example, you want to log based on Request_URI. But to figure out
what the Request_URI is, apache needs to parse the Request Line. One
of the reasons for short-circuiting is an over-long request line,
which would be dangerous to parse.
Joshua.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Disable logging of invalid requests
Posted by Mitar <mm...@gmail.com>.
Hi!
On Sun, Dec 14, 2008 at 3:46 PM, Morgan Gangwere <0....@gmail.com> wrote:
> Well, more accurately, this is kinda backwards. According to the
> "documentation", the syntax for SetEnvIf is
>
> SetEnvIf (statement) (statement) (varname)
In my documentation:
http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html
it is written:
SetEnvIf attribute regex [!]env-variable[=value] [[!]env-variable[=value]] ...
> You're acctually //setting// a variable here to a particular //value//. if
> this is possible please let me know, as i could use this, as I'm having 0
> luck getting CustomLog to work.
But CustomLog just checks whether environment variable exists or not.
So the value does not matter in this case.
And about my problem. I have opted at the end for:
CustomLog "/dev/null" common
And now I do not have invalid requests logged. I do not like that but
I do not like having them logged even more. I really do not understand
why this short-circuiting is necessary. We have an error log for such
"important" things. CustomLog should be completely customizable. Even
this short-circuiting.
It is funny in some way that I do not want those requests to be logged
for security reasons (because they could leak some data to logs) but
reason Apache logs them is just because of security. Only some other
security. Can I make this a feature request? Obviously (t)here are
users which do not mind not logging such requests. I agree that the
default behavior should be logging them. But I also believe this
should be customizable. Not all usage cases have the same definition
of security.
I could pipe to another program which would remove them before writing
to a log file, though.
Mitar
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Disable logging of invalid requests
Posted by Morgan Gangwere <0....@gmail.com>.
Joshua Slive wrote:
> On Thu, Dec 11, 2008 at 11:32 PM, Mitar <mm...@gmail.com> wrote:
>> Hi!
>>
>> Is there a way to disable logging of invalid requests to an HTTP
>> server (which result in a 501 response code)? I would like to log only
>> specific URLs and I am using SetEnvIf with CustomLog to do that, like:
>>
>> SetEnvIf Request_URI "^/$" log_request=yes
>> SetEnvIf Request_URI "^/index.html$" log_request=yes
>>
>> CustomLog "/var/log/httpd-access.log" common env=log_request
>> CustomLog "/dev/null" common env=!log_request
>>
>> But the problem is that those invalid requests are still logged to
>> httpd-access.log file.
>
> No, some kinds of invalid requests will short-circuit the standard
> request processing for security reasons. (You don't want to run a
> bunch of complex code on input that may be deliberately trying to
> break you.) Part of the code that gets short-circuited is the stuff
> that allows you to do log exclusions.
>
Well, more accurately, this is kinda backwards. According to the
"documentation", the syntax for SetEnvIf is
SetEnvIf (statement) (statement) (varname)
You're acctually //setting// a variable here to a particular //value//.
if this is possible please let me know, as i could use this, as I'm
having 0 luck getting CustomLog to work.
--
Morgan Gangwere
Unknown Software
http://sonof.bandit.name/
Member, INCOSE [ incose.org ] PACA [ paca.org ] and NMUG [ nmug.net ]
[indrora@boxly ~]#_
Find me on FreeNode! irc.freenode.net ~indrora on ##linux
Re: Disable logging of invalid requests
Posted by Joshua Slive <jo...@slive.ca>.
On Thu, Dec 11, 2008 at 11:32 PM, Mitar <mm...@gmail.com> wrote:
> Hi!
>
> Is there a way to disable logging of invalid requests to an HTTP
> server (which result in a 501 response code)? I would like to log only
> specific URLs and I am using SetEnvIf with CustomLog to do that, like:
>
> SetEnvIf Request_URI "^/$" log_request=yes
> SetEnvIf Request_URI "^/index.html$" log_request=yes
>
> CustomLog "/var/log/httpd-access.log" common env=log_request
> CustomLog "/dev/null" common env=!log_request
>
> But the problem is that those invalid requests are still logged to
> httpd-access.log file.
No, some kinds of invalid requests will short-circuit the standard
request processing for security reasons. (You don't want to run a
bunch of complex code on input that may be deliberately trying to
break you.) Part of the code that gets short-circuited is the stuff
that allows you to do log exclusions.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org