fpm: Implement access log filtering

Fixes GH-8174, #80428

Author: maaarghk

sapi/fpm/fpm/fpm_conf.c

@@ -557,11 +557,13 @@ static char *fpm_conf_set_array(zval *key, zval *value, void **config, int conve
 	}
 
 	memset(kv, 0, sizeof(*kv));
-	kv->key = strdup(Z_STRVAL_P(key));
+	if (key) {
+		kv->key = strdup(Z_STRVAL_P(key));
 
-	if (!kv->key) {
-		free(kv);
-		return "fpm_conf_set_array: strdup(key) failed";
+		if (!kv->key) {
+			free(kv);
+			return "fpm_conf_set_array: strdup(key) failed";
+		}
 	}
 
 	if (convert_to_bool) {
@@ -663,6 +665,11 @@ int fpm_worker_pool_config_free(struct fpm_worker_pool_config_s *wpc) /* {{{ */
 	free(wpc->apparmor_hat);
 #endif
 
+	for (kv = wpc->access_suppress_paths; kv; kv = kv_next) {
+		kv_next = kv->next;
+		free(kv->value);
+		free(kv);
+	}
 	for (kv = wpc->php_values; kv; kv = kv_next) {
 		kv_next = kv->next;
 		free(kv->key);
@@ -1497,11 +1504,29 @@ static void fpm_conf_ini_parser_array(zval *name, zval *key, zval *value, void *
 	char *err = NULL;
 	void *config;
 
-	if (!Z_STRVAL_P(key) || !Z_STRVAL_P(value) || !*Z_STRVAL_P(key)) {
-		zlog(ZLOG_ERROR, "[%s:%d] Misspelled  array ?", ini_filename, ini_lineno);
+	if (
+		!zend_string_equals_literal(Z_STR_P(name), "access.suppress_path")
+		&& (!Z_STRVAL_P(key) || !Z_STRVAL_P(value) || !*Z_STRVAL_P(key))
+	) {
+		zlog(ZLOG_ERROR, "[%s:%d] You must provide a key for field '%s'", ini_filename, ini_lineno, Z_STRVAL_P(name));
 		*error = 1;
 		return;
+	} else if (
+		zend_string_equals_literal(Z_STR_P(name), "access.suppress_path")
+	) {
+		if (!Z_STRVAL_P(key) || !(*Z_STRVAL_P(key) == '\0')) {
+			zlog(ZLOG_ERROR, "[%s:%d] Keys provided to field 'access.suppress_path' are ignored", ini_filename, ini_lineno);
+			*error = 1;
+		}
+		if (!Z_STRVAL_P(value) || !(*Z_STRVAL_P(value)) || (*Z_STRVAL_P(value) != '/')) {
+			zlog(ZLOG_ERROR, "[%s:%d] Values provided to field 'access.suppress_path' must begin with '/'", ini_filename, ini_lineno);
+			*error = 1;
+		}
+		if (*error) {
+			return;
+		}
 	}
+
 	if (!current_wp || !current_wp->config) {
 		zlog(ZLOG_ERROR, "[%s:%d] Array are not allowed in the global section", ini_filename, ini_lineno);
 		*error = 1;
@@ -1533,6 +1558,10 @@ static void fpm_conf_ini_parser_array(zval *name, zval *key, zval *value, void *
 		config = (char *)current_wp->config + WPO(php_admin_values);
 		err = fpm_conf_set_array(key, value, &config, 1);
 
+	} else if (zend_string_equals_literal(Z_STR_P(name), "access.suppress_path")) {
+		config = (char *)current_wp->config + WPO(access_suppress_paths);
+		err = fpm_conf_set_array(NULL, value, &config, 0);
+
 	} else {
 		zlog(ZLOG_ERROR, "[%s:%d] unknown directive '%s'", ini_filename, ini_lineno, Z_STRVAL_P(name));
 		*error = 1;
@@ -1735,6 +1764,9 @@ static void fpm_conf_dump(void) /* {{{ */
 		zlog(ZLOG_NOTICE, "\tping.response = %s",              STR2STR(wp->config->ping_response));
 		zlog(ZLOG_NOTICE, "\taccess.log = %s",                 STR2STR(wp->config->access_log));
 		zlog(ZLOG_NOTICE, "\taccess.format = %s",              STR2STR(wp->config->access_format));
+		for (kv = wp->config->access_suppress_paths; kv; kv = kv->next) {
+			zlog(ZLOG_NOTICE, "\taccess.suppress_path[] = %s", kv->value);
+		}
 		zlog(ZLOG_NOTICE, "\tslowlog = %s",                    STR2STR(wp->config->slowlog));
 		zlog(ZLOG_NOTICE, "\trequest_slowlog_timeout = %ds",   wp->config->request_slowlog_timeout);
 		zlog(ZLOG_NOTICE, "\trequest_slowlog_trace_depth = %d", wp->config->request_slowlog_trace_depth);

sapi/fpm/fpm/fpm_conf.h

@@ -79,6 +79,7 @@ struct fpm_worker_pool_config_s {
 	char *ping_response;
 	char *access_log;
 	char *access_format;
+	struct key_value_s *access_suppress_paths;
 	char *slowlog;
 	int request_slowlog_timeout;
 	int request_slowlog_trace_depth;

sapi/fpm/fpm/fpm_log.c

@@ -27,6 +27,9 @@
 
 static char *fpm_log_format = NULL;
 static int fpm_log_fd = -1;
+static struct key_value_s *fpm_access_suppress_paths = NULL;
+
+static int fpm_access_log_suppress(struct fpm_scoreboard_proc_s *proc);
 
 int fpm_log_open(int reopen) /* {{{ */
 {
@@ -79,6 +82,17 @@ int fpm_log_init_child(struct fpm_worker_pool_s *wp)  /* {{{ */
 		}
 	}
 
+	for (struct key_value_s *kv = wp->config->access_suppress_paths; kv; kv = kv->next) {
+		struct key_value_s *kvcopy = calloc(1, sizeof(*kvcopy));
+		if (kvcopy == NULL) {
+			zlog(ZLOG_ERROR, "unable to allocate memory while opening the access log");
+			return -1;
+		}
+		kvcopy->value = strdup(kv->value);
+		kvcopy->next = fpm_access_suppress_paths;
+		fpm_access_suppress_paths = kvcopy;
+	}
+
 	if (fpm_log_fd == -1) {
 		fpm_log_fd = wp->log_fd;
 	}
@@ -109,7 +123,6 @@ int fpm_log_write(char *log_format) /* {{{ */
 #ifdef HAVE_TIMES
 	clock_t tms_total;
 #endif
-
 	if (!log_format && (!fpm_log_format || fpm_log_fd == -1)) {
 		return -1;
 	}
@@ -136,6 +149,10 @@ int fpm_log_write(char *log_format) /* {{{ */
 		}
 		proc = *proc_p;
 		fpm_scoreboard_proc_release(proc_p);
+
+		if (fpm_access_log_suppress(&proc) == 1) {
+			return -1;
+		}
 	}
 
 	token = 0;
@@ -474,3 +491,36 @@ int fpm_log_write(char *log_format) /* {{{ */
 	return 0;
 }
 /* }}} */
+
+static int fpm_access_log_suppress(struct fpm_scoreboard_proc_s *proc)
+{
+	// Never suppress when query string is passed
+	if (proc->query_string && *proc->query_string != '\0') {
+		return -1;
+	}
+	// Never suppress if request method is not GET or HEAD
+	if (
+		strcmp(proc->request_method, "GET") != 0
+		&& strcmp(proc->request_method, "HEAD") != 0
+	) {
+		return -2;
+	}
+	// Never suppress when response code is not 200
+	if (SG(sapi_headers).http_response_code != 200) {
+		return -3;
+	}
+	// Never suppress when a body has been sent
+	if (SG(request_info).content_length > 0) {
+		return -4;
+	}
+	struct key_value_s *kv;
+	// Suppress when request URI is an exact match for one of our entries
+	for (kv = fpm_access_suppress_paths; kv; kv = kv->next) {
+		if (kv->value && strcmp(kv->value, proc->request_uri) == 0) {
+			return 1;
+		}
+	}
+	// TODO: Is there something we can set in SG(request_info / sapi_headers) to
+	// flag that the script doesn't want to be logged?
+	return -5;
+}

sapi/fpm/tests/log-exclude-paths.phpt

@@ -0,0 +1,146 @@
+--TEST--
+FPM: Test excluding URIs from access log
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+require_once "tester.inc";
+
+$normalCode = <<<EOT
+<?php
+echo \$_REQUEST['test'] ?? "Hello world";
+EOT;
+
+file_put_contents(__DIR__ . '/log_exclude_paths_normal.php', $normalCode);
+
+$statusCode = <<<EOT
+<?php
+if (isset(\$_SERVER['X_ERROR'])) {
+    echo "Not OK";
+    http_response_code(500);
+    exit;
+}
+echo "OK";
+EOT;
+
+file_put_contents(__DIR__ . '/log_exclude_paths_status.php', $statusCode);
+
+
+$cfg = <<<EOT
+[global]
+error_log = {{RFILE:LOG:ERR}}
+pid = {{RFILE:PID}}
+[unconfined]
+listen = {{ADDR}}
+access.log = {{RFILE:LOG:ACC}}
+access.format = "%R \"%m %r%Q%q\" %s Output"
+slowlog = {{RFILE:LOG:SLOW}}
+request_slowlog_timeout = 1
+ping.path = /ping
+ping.response = pong
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+EOT;
+
+$prefix = __DIR__;
+$tester = new FPM\Tester($cfg);
+$tester->start(['--prefix', $prefix]);
+$tester->expectLogStartNotices();
+$tester->ping();
+$tester->request(scriptFilename: __DIR__ . '/log_exclude_paths_normal.php')->expectBody('Hello world');
+$tester->request(scriptFilename: __DIR__ . '/log_exclude_paths_status.php')->expectBody('OK');
+$tester->ping();
+$tester->request(scriptFilename: __DIR__ . '/log_exclude_paths_status.php')->expectBody('OK');
+$tester->request(query: 'test=output', scriptFilename: __DIR__ . '/log_exclude_paths_normal.php')->expectBody('output');
+$tester->ping();
+$tester->request(scriptFilename: __DIR__ . '/log_exclude_paths_status.php')->expectBody('OK');
+$tester->request(query: 'test=output', scriptFilename: __DIR__ . '/ping')->expectBody('pong', 'text/plain');
+$tester->request(headers: ['X_ERROR' => 1], scriptFilename: __DIR__ . '/log_exclude_paths_status.php')->expectBody('Not OK');
+$tester->request(scriptFilename: __DIR__ . '/log_exclude_paths_normal.php')->expectBody('Hello world');
+$tester->request(scriptFilename: __DIR__ . '/log_exclude_paths_status.php')->expectBody('OK');
+$tester->request(scriptFilename: __DIR__ . '/log_exclude_paths_normal.php')->expectBody('Hello world');
+$tester->request(query: 'test=output', scriptFilename: __DIR__ . '/ping')->expectBody('pong', 'text/plain');
+$tester->ping();
+
+// Add health checks to ignore list
+$cfg = <<<EOT
+[global]
+error_log = {{RFILE:LOG:ERR}}
+pid = {{RFILE:PID}}
+[unconfined]
+listen = {{ADDR}}
+access.log = {{RFILE:LOG:ACC}}
+access.format = "%R \"%m %r%Q%q\" %s Ignore"
+access.suppress_path[] = /ping
+access.suppress_path[] = /log_exclude_paths_status.php
+slowlog = {{RFILE:LOG:SLOW}}
+request_slowlog_timeout = 1
+ping.path = /ping
+ping.response = pong
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+EOT;
+$tester->reload($cfg);
+$tester->expectLogReloadingNotices();
+$tester->ping();
+$tester->request(scriptFilename: __DIR__ . '/log_exclude_paths_normal.php')->expectBody('Hello world');
+$tester->request(scriptFilename: __DIR__ . '/log_exclude_paths_status.php')->expectBody('OK');
+$tester->ping();
+$tester->request(scriptFilename: __DIR__ . '/log_exclude_paths_status.php')->expectBody('OK');
+$tester->request(query: 'test=output', scriptFilename: __DIR__ . '/log_exclude_paths_normal.php')->expectBody('output');
+$tester->ping();
+$tester->request(scriptFilename: __DIR__ . '/log_exclude_paths_status.php')->expectBody('OK');
+$tester->request(query: 'test=output', scriptFilename: __DIR__ . '/ping')->expectBody('pong', 'text/plain');
+$tester->request(headers: ['X_ERROR' => 1], scriptFilename: __DIR__ . '/log_exclude_paths_status.php')->expectBody('Not OK');
+$tester->request(scriptFilename: __DIR__ . '/log_exclude_paths_normal.php')->expectBody('Hello world');
+$tester->request(scriptFilename: __DIR__ . '/log_exclude_paths_status.php')->expectBody('OK');
+$tester->request(scriptFilename: __DIR__ . '/log_exclude_paths_normal.php')->expectBody('Hello world');
+$tester->request(query: 'test=output', scriptFilename: __DIR__ . '/ping')->expectBody('pong', 'text/plain');
+$tester->ping();
+$tester->terminate();
+$tester->expectLogTerminatingNotices();
+$tester->close();
+$tester->expectNoFile(FPM\Tester::FILE_EXT_PID, $prefix);
+$tester->printAccessLog();
+
+unlink(__DIR__ . '/log_exclude_paths_normal.php');
+unlink(__DIR__ . '/log_exclude_paths_status.php');
+
+?>
+Done
+--EXPECT--
+127.0.0.1 "GET /ping" 200 Output
+127.0.0.1 "GET /log_exclude_paths_normal.php" 200 Output
+127.0.0.1 "GET /log_exclude_paths_status.php" 200 Output
+127.0.0.1 "GET /ping" 200 Output
+127.0.0.1 "GET /log_exclude_paths_status.php" 200 Output
+127.0.0.1 "GET /log_exclude_paths_normal.php?test=output" 200 Output
+127.0.0.1 "GET /ping" 200 Output
+127.0.0.1 "GET /log_exclude_paths_status.php" 200 Output
+127.0.0.1 "GET /ping?test=output" 200 Output
+127.0.0.1 "GET /log_exclude_paths_status.php" 500 Output
+127.0.0.1 "GET /log_exclude_paths_normal.php" 200 Output
+127.0.0.1 "GET /log_exclude_paths_status.php" 200 Output
+127.0.0.1 "GET /log_exclude_paths_normal.php" 200 Output
+127.0.0.1 "GET /ping?test=output" 200 Output
+127.0.0.1 "GET /ping" 200 Output
+127.0.0.1 "GET /log_exclude_paths_normal.php" 200 Ignore
+127.0.0.1 "GET /log_exclude_paths_normal.php?test=output" 200 Ignore
+127.0.0.1 "GET /ping?test=output" 200 Ignore
+127.0.0.1 "GET /log_exclude_paths_status.php" 500 Ignore
+127.0.0.1 "GET /log_exclude_paths_normal.php" 200 Ignore
+127.0.0.1 "GET /log_exclude_paths_normal.php" 200 Ignore
+127.0.0.1 "GET /ping?test=output" 200 Ignore
+Done
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+?>

sapi/fpm/tests/tester.inc

@@ -342,11 +342,14 @@ class Tester
      * @return null|string
      * @throws \Exception
      */
-    public function testConfig()
+    public function testConfig($returnRaw = false)
     {
         $configFile = $this->createConfig();
-        $cmd = self::findExecutable() . ' -t -y ' . $configFile . ' 2>&1';
+        $cmd = self::findExecutable() . ' -tt -y ' . $configFile . ' 2>&1';
         exec($cmd, $output, $code);
+        if ($returnRaw) {
+            return $output;
+        }
         if ($code) {
             return preg_replace("/\[.+?\]/", "", $output[0]);
         }
@@ -537,7 +540,10 @@ class Tester
         string $scriptFilename = null
     ) {
         if (is_null($uri)) {
-            $uri = $this->makeSourceFile();
+            if (is_null($scriptFilename)) {
+                $scriptFilename = $this->makeSourceFile();
+            }
+            $uri = "/" . basename($scriptFilename);
         }
 
         $params = array_merge(
@@ -1159,7 +1165,6 @@ class Tester
     {
         $filePath = $this->getFile($extension, $dir, $name);
         file_put_contents($filePath, $content);
-
         return $filePath;
     }
 

sapi/fpm/www.conf.in

@@ -343,6 +343,16 @@ pm.max_spare_servers = 3
 ; Default: "%R - %u %t \"%m %r\" %s"
 ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
 
+; A list of REQUEST_URI values which should be filtered from the access log.
+; As a security precuation, this setting will be ignored if:
+;     - The request method is not GET or HEAD
+;     - There is a request body
+;     - There are query parameters
+;     - The response code is not 200
+; Default Value: not set
+;access.suppress_path[] = /ping
+;access.suppress_path[] = /health_check.php
+
 ; The log file for slow requests
 ; Default Value: not set
 ; Note: slowlog is mandatory if request_slowlog_timeout is set