fpm: Implement access log filtering

Fixes GH-8174, #80428

Author: maaarghk

sapi/fpm/fpm/fpm_conf.c

@@ -557,11 +557,13 @@ static char *fpm_conf_set_array(zval *key, zval *value, void **config, int conve
 	}
 
 	memset(kv, 0, sizeof(*kv));
-	kv->key = strdup(Z_STRVAL_P(key));
+	if (key) {
+		kv->key = strdup(Z_STRVAL_P(key));
 
-	if (!kv->key) {
-		free(kv);
-		return "fpm_conf_set_array: strdup(key) failed";
+		if (!kv->key) {
+			free(kv);
+			return "fpm_conf_set_array: strdup(key) failed";
+		}
 	}
 
 	if (convert_to_bool) {
@@ -663,6 +665,11 @@ int fpm_worker_pool_config_free(struct fpm_worker_pool_config_s *wpc) /* {{{ */
 	free(wpc->apparmor_hat);
 #endif
 
+	for (kv = wpc->access_suppress_paths; kv; kv = kv_next) {
+		kv_next = kv->next;
+		free(kv->value);
+		free(kv);
+	}
 	for (kv = wpc->php_values; kv; kv = kv_next) {
 		kv_next = kv->next;
 		free(kv->key);
@@ -1497,11 +1504,29 @@ static void fpm_conf_ini_parser_array(zval *name, zval *key, zval *value, void *
 	char *err = NULL;
 	void *config;
 
-	if (!Z_STRVAL_P(key) || !Z_STRVAL_P(value) || !*Z_STRVAL_P(key)) {
-		zlog(ZLOG_ERROR, "[%s:%d] Misspelled  array ?", ini_filename, ini_lineno);
+	if (
+		!zend_string_equals_literal(Z_STR_P(name), "access.suppress_path")
+		&& (!Z_STRVAL_P(key) || !Z_STRVAL_P(value) || !*Z_STRVAL_P(key))
+	) {
+		zlog(ZLOG_ERROR, "[%s:%d] You must provide a key for field '%s'", ini_filename, ini_lineno, Z_STRVAL_P(name));
 		*error = 1;
 		return;
+	} else if (
+		zend_string_equals_literal(Z_STR_P(name), "access.suppress_path")
+	) {
+		if (!Z_STRVAL_P(key) || !(*Z_STRVAL_P(key) == '\0')) {
+			zlog(ZLOG_ERROR, "[%s:%d] Keys provided to field 'access.suppress_path' are ignored", ini_filename, ini_lineno);
+			*error = 1;
+		}
+		if (!Z_STRVAL_P(value) || !(*Z_STRVAL_P(value)) || (*Z_STRVAL_P(value) != '/')) {
+			zlog(ZLOG_ERROR, "[%s:%d] Values provided to field 'access.suppress_path' must begin with '/'", ini_filename, ini_lineno);
+			*error = 1;
+		}
+		if (*error) {
+			return;
+		}
 	}
+
 	if (!current_wp || !current_wp->config) {
 		zlog(ZLOG_ERROR, "[%s:%d] Array are not allowed in the global section", ini_filename, ini_lineno);
 		*error = 1;
@@ -1533,6 +1558,10 @@ static void fpm_conf_ini_parser_array(zval *name, zval *key, zval *value, void *
 		config = (char *)current_wp->config + WPO(php_admin_values);
 		err = fpm_conf_set_array(key, value, &config, 1);
 
+	} else if (zend_string_equals_literal(Z_STR_P(name), "access.suppress_path")) {
+		config = (char *)current_wp->config + WPO(access_suppress_paths);
+		err = fpm_conf_set_array(NULL, value, &config, 0);
+
 	} else {
 		zlog(ZLOG_ERROR, "[%s:%d] unknown directive '%s'", ini_filename, ini_lineno, Z_STRVAL_P(name));
 		*error = 1;
@@ -1735,6 +1764,9 @@ static void fpm_conf_dump(void) /* {{{ */
 		zlog(ZLOG_NOTICE, "\tping.response = %s",              STR2STR(wp->config->ping_response));
 		zlog(ZLOG_NOTICE, "\taccess.log = %s",                 STR2STR(wp->config->access_log));
 		zlog(ZLOG_NOTICE, "\taccess.format = %s",              STR2STR(wp->config->access_format));
+		for (kv = wp->config->access_suppress_paths; kv; kv = kv->next) {
+			zlog(ZLOG_NOTICE, "\taccess.suppress_path[] = %s", kv->value);
+		}
 		zlog(ZLOG_NOTICE, "\tslowlog = %s",                    STR2STR(wp->config->slowlog));
 		zlog(ZLOG_NOTICE, "\trequest_slowlog_timeout = %ds",   wp->config->request_slowlog_timeout);
 		zlog(ZLOG_NOTICE, "\trequest_slowlog_trace_depth = %d", wp->config->request_slowlog_trace_depth);

sapi/fpm/fpm/fpm_conf.h

@@ -79,6 +79,7 @@ struct fpm_worker_pool_config_s {
 	char *ping_response;
 	char *access_log;
 	char *access_format;
+	struct key_value_s *access_suppress_paths;
 	char *slowlog;
 	int request_slowlog_timeout;
 	int request_slowlog_trace_depth;

sapi/fpm/fpm/fpm_log.c

@@ -27,6 +27,9 @@
 
 static char *fpm_log_format = NULL;
 static int fpm_log_fd = -1;
+static struct key_value_s *fpm_access_suppress_paths = NULL;
+
+static int fpm_access_log_suppress(struct fpm_scoreboard_proc_s *proc);
 
 int fpm_log_open(int reopen) /* {{{ */
 {
@@ -79,6 +82,17 @@ int fpm_log_init_child(struct fpm_worker_pool_s *wp)  /* {{{ */
 		}
 	}
 
+	for (struct key_value_s *kv = wp->config->access_suppress_paths; kv; kv = kv->next) {
+		struct key_value_s *kvcopy = calloc(1, sizeof(*kvcopy));
+		if (kvcopy == NULL) {
+			zlog(ZLOG_ERROR, "unable to allocate memory while opening the access log");
+			return -1;
+		}
+		kvcopy->value = strdup(kv->value);
+		kvcopy->next = fpm_access_suppress_paths;
+		fpm_access_suppress_paths = kvcopy;
+	}
+
 	if (fpm_log_fd == -1) {
 		fpm_log_fd = wp->log_fd;
 	}
@@ -109,7 +123,6 @@ int fpm_log_write(char *log_format) /* {{{ */
 #ifdef HAVE_TIMES
 	clock_t tms_total;
 #endif
-
 	if (!log_format && (!fpm_log_format || fpm_log_fd == -1)) {
 		return -1;
 	}
@@ -136,6 +149,10 @@ int fpm_log_write(char *log_format) /* {{{ */
 		}
 		proc = *proc_p;
 		fpm_scoreboard_proc_release(proc_p);
+
+		if (UNEXPECTED(fpm_access_log_suppress(&proc) == 1)) {
+			return -1;
+		}
 	}
 
 	token = 0;
@@ -474,3 +491,39 @@ int fpm_log_write(char *log_format) /* {{{ */
 	return 0;
 }
 /* }}} */
+
+static int fpm_access_log_suppress(struct fpm_scoreboard_proc_s *proc)
+{
+	// Never suppress when query string is passed
+	if (proc->query_string[0] != '\0') {
+		return -1;
+	}
+
+	// Never suppress if request method is not GET or HEAD
+	if (
+		strcmp(proc->request_method, "GET") != 0
+		&& strcmp(proc->request_method, "HEAD") != 0
+	) {
+		return -2;
+	}
+
+	// Never suppress when response code is not 200
+	if (SG(sapi_headers).http_response_code != 200) {
+		return -3;
+	}
+
+	// Never suppress when a body has been sent
+	if (SG(request_info).content_length > 0) {
+		return -4;
+	}
+
+	struct key_value_s *kv;
+	// Suppress when request URI is an exact match for one of our entries
+	for (kv = fpm_access_suppress_paths; kv; kv = kv->next) {
+		if (kv->value && strcmp(kv->value, proc->request_uri) == 0) {
+			return 1;
+		}
+	}
+
+	return -5;
+}

sapi/fpm/tests/log-suppress-output-request-body.phpt

@@ -0,0 +1,121 @@
+--TEST--
+FPM: Test URIs are not excluded from access log when there is a request body
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+require_once "tester.inc";
+
+$testScript = <<<EOT
+<?php
+echo strlen(file_get_contents('php://input'));
+EOT;
+$s = __DIR__ . '/health_check.php';
+file_put_contents($s, $testScript);
+
+$body = str_repeat('a', 100);
+
+// Add health checks to ignore list
+$cfg = <<<EOT
+[global]
+error_log = {{FILE:LOG:ERR}}
+pid = {{FILE:PID}}
+[unconfined]
+listen = {{ADDR}}
+access.log = {{FILE:LOG:ACC}}
+access.format = "%R \"%m %r%Q%q\" %s"
+access.suppress_path[] = /ping
+access.suppress_path[] = /request-1
+access.suppress_path[] = /request-2
+access.suppress_path[] = /request-3
+access.suppress_path[] = /request-4
+access.suppress_path[] = /request-5
+access.suppress_path[] = /request-6
+slowlog = {{FILE:LOG:SLOW}}
+request_slowlog_timeout = 1
+ping.path = /ping
+ping.response = pong
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+EOT;
+
+$tester = new FPM\Tester($cfg);
+$tester->start();
+$tester->expectLogStartNotices();
+$tester->ping();
+
+// Should not suppress POST with no body
+$tester->request(
+    scriptFilename: $s,
+    uri: '/request-1',
+    headers: ['REQUEST_METHOD' => 'POST']
+)->expectBody('0');
+
+// Should not suppress POST with body
+$tester->request(
+    scriptFilename: $s,
+    uri: '/request-2',
+    stdin: $body
+)->expectBody('100');
+
+// Should not suppress GET with body
+$tester->request(
+    scriptFilename: $s,
+    uri: '/request-3',
+    headers: ['REQUEST_METHOD' => 'GET'],
+    stdin: $body
+)->expectBody('100');
+
+// Should suppress GET with no body
+$tester->request(
+    scriptFilename: $s,
+    uri: '/request-4'
+)->expectBody('0');
+
+// Should not suppress GET with no body but incorrect content length
+$tester->request(
+    scriptFilename: $s,
+    uri: '/request-5',
+    headers: ['REQUEST_METHOD' => 'GET', 'CONTENT_LENGTH' => 100]
+)->expectBody('0');
+
+// Should suppress GET with body but 0 content length (no stdin readable)
+$tester->request(
+    scriptFilename: $s,
+    uri: '/request-6',
+    headers: ['REQUEST_METHOD' => 'GET', 'CONTENT_LENGTH' => 0],
+    stdin: $body
+)->expectBody('0');
+
+// Should suppress GET with body but 0 content length (no stdin readable)
+$tester->request(
+    scriptFilename: $s,
+    uri: '/request-6',
+    headers: ['REQUEST_METHOD' => 'GET', 'CONTENT_LENGTH' => 0],
+    stdin: $body
+)->expectBody('0');
+
+$tester->terminate();
+$tester->expectLogTerminatingNotices();
+$tester->close();
+$tester->expectNoFile(FPM\Tester::FILE_EXT_PID);
+$tester->printAccessLog();
+
+?>
+Done
+--EXPECT--
+127.0.0.1 "POST /request-1" 200
+127.0.0.1 "POST /request-2" 200
+127.0.0.1 "GET /request-3" 200
+127.0.0.1 "GET /request-5" 200
+Done
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+unlink(__DIR__ . '/health_check.php');
+?>