fpm: Implement access log filtering #8214

maaarghk · 2022-03-17T12:14:20Z

Fixes GH-8174, #80428

Before merging I think it could be doing with more tests:

check the config parser fails in sensible ways
check the config dumper outputs what it is supposed to
check the request method / body filtering works

sapi/fpm/fpm/fpm_log.c

bukka · 2022-03-23T21:47:03Z

From the very quick look, it's looking good. I was initially thinking something more in line with listen.allowed_clients but this is actually nicer IMO.

maaarghk · 2022-03-24T16:15:10Z

@bukka do you happen to have any POST-doing tester.inc versions lying around somewhere to save me a bit of time?

bukka · 2022-03-25T00:34:51Z

do you mean something like

$tester->request('', ['REQUEST_METHOD' => 'POST'])->expect...

maaarghk · 2022-03-29T00:12:56Z

nah I meant actually passing STDIN, wasn't too hard to work out anyway so just pushed it up and think I'm done with this

maaarghk · 2022-04-03T15:37:16Z

Just popped into my head here whilst thinking about something unrelated, but - since proc->request_uri actually gets set to script_name, because that is what's read into PHP_SELF sapi->register_variables - is it the right thing to check? I know at least on servers I admin I put %{REQUEST_URI}e in the access.format for this reason. From the perspective of fpm_log.c should %r / request uri be redefined from proc.request_uri to coalesce(fcgi_getenv(REQUEST_URI), proc.request_uri)? Could be overthinking it of course. Probably makes sense for health check scripts to be separate PHP files that don't go through routers and whatever anyway.

bukka

Looks mostly good.

sapi/fpm/fpm/fpm_log.c

sapi/fpm/tests/log-suppress-output-request-body.phpt

sapi/fpm/tests/log-suppress-output.phpt

bukka · 2022-04-06T13:38:05Z

Just popped into my head here whilst thinking about something unrelated, but - since proc->request_uri actually gets set to script_name, because that is what's read into PHP_SELF sapi->register_variables - is it the right thing to check? I know at least on servers I admin I put %{REQUEST_URI}e in the access.format for this reason. From the perspective of fpm_log.c should %r / request uri be redefined from proc.request_uri to coalesce(fcgi_getenv(REQUEST_URI), proc.request_uri)? Could be overthinking it of course. Probably makes sense for health check scripts to be separate PHP files that don't go through routers and whatever anyway.

I would probably default to request_uri as it might be better to later add another option to specify path pattern where it could be possible to set how to get the path in a similar way like it is for the actual log pattern.

sapi/fpm/fpm/fpm_log.c

sapi/fpm/fpm/fpm_conf.c

sapi/fpm/fpm/fpm_log.c

sapi/fpm/tests/tester.inc

sapi/fpm/www.conf.in

bukka · 2022-06-29T22:24:48Z

@maaarghk Just a reminder that a feature freeze is on 5th July so it would be good to add this potentially. The comments are just NIT's so will try to give it a try over the weekend and see if we can merge it and I can additional fix them possibly. Although if you want to fix them before that, it would be appreciated!

maaarghk · 2022-07-02T11:43:17Z

@bukka I noticed the bot removed SAPI: fpm label from this, just flagging it incase that makes it drop off your radar

bukka · 2022-07-02T18:59:24Z

Thanks, bot should be now fixed. Will try to give it a try tomorrow.

bukka · 2022-07-02T19:00:41Z

If you could squash it to a single commit in the meantime, that would be great!

bukka

I tried the changes and all looks good to me. Just added few minor suggestions that you are free to ignore if you are too busy. I will merge it in the next few days.

sapi/fpm/fpm/fpm_conf.c

sapi/fpm/fpm/fpm_log.c

bukka · 2022-07-03T21:39:45Z

One correction that the feature freeze is actually on 19th. I confused it with a deadline for RFCs so there is a bit more time.

Adds a setting "access.suppress_path" to php-fpm pool configurations which causes successful GET requests to the specified URIs to be excluded from the access log. This is to reduce noise caused by automated health checks. Requests with response codes outwith the successful range 200 - 299, requests made with query parameters and requests which have a Content-Length other than 0 will ignore this setting as a security precaution. Closes phpGH-8174, #80428 [1] [1] https://bugs.php.net/bug.php?id=80428

bukka · 2022-07-10T22:24:13Z

Merged in 327bb21 . Thanks!

maaarghk mentioned this pull request Mar 17, 2022

FPM Feature "ping.dontlog" : See Issue #8174 #8184

Closed

maaarghk force-pushed the fpm-access-exclude branch from e41347c to 1ce05b0 Compare March 21, 2022 02:02

bukka reviewed Mar 23, 2022

View reviewed changes

sapi/fpm/fpm/fpm_log.c Outdated Show resolved Hide resolved

maaarghk force-pushed the fpm-access-exclude branch 2 times, most recently from 03dcddd to c042a61 Compare March 29, 2022 00:10

maaarghk requested a review from bukka March 29, 2022 12:42

bukka requested changes Apr 6, 2022

View reviewed changes

sapi/fpm/fpm/fpm_log.c Outdated Show resolved Hide resolved

sapi/fpm/tests/log-suppress-output-request-body.phpt Outdated Show resolved Hide resolved

sapi/fpm/tests/log-suppress-output.phpt Outdated Show resolved Hide resolved

maaarghk force-pushed the fpm-access-exclude branch from c042a61 to 1cffae6 Compare April 6, 2022 15:21