I’m working on a new authentication middleware that performs HTTP Basic Auth, but authenticates against a RADIUS backend. That all works so far.
My issue is that I noticed there was no way to log the username portion of the HTTP request. Username has been part of the Apache common log format since forever (Common Log Format - Wikipedia), and is part of the %{COMBINEDAPACHELOG} grok pattern used by many logging platforms.
So I set about adding the username for my middleware. Below is the code and an example. It works well.
However, when I added a header directive to enable HSTS, it wipes out my custom placeholder. So what can I do to remedy this? Am I going about this all wrong? Should header be overriding other ResponseRecorders?
Any suggestions are appreciated.
// Check for HTTP Basic Authorization Headers and valid username, password
username, password, ok := r.BasicAuth()
<snip some if !ok validation, if blank, etc.>
// Capture username into {user} placeholder for caddyfile log directive
// ex: log / stdout "{remote} - {user} [{when}] {method} {uri} {proto} {status} {size}"
if rr, ok := w.(*httpserver.ResponseRecorder); ok && rr.Replacer != nil {
rr.Replacer.Set("user", username)
}
#Caddyfile
log / /var/log/caddy/access.log "{remote} - {user} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\""
# produces
127.0.0.1 - jim [24/Mar/2017:13:11:15 -0400] "GET / HTTP/2.0" 200 4272 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36"
# with header directive enabled in Caddy file
# {user} has been overwritten?
127.0.0.1 - - [24/Mar/2017:13:11:15 -0400] "GET / HTTP/2.0" 200 4272 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36"
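The thread does not settle why {user} goes missing. As an added illustration (not the thread's code and not Caddy's), assume the header directive wraps the ResponseWriter in its own type: a direct type assertion on *ResponseRecorder then fails silently and the audit log loses the username, while walking an assumed Unwrap() method (the same convention Go 1.20's http.ResponseController relies on) still reaches the recorder. The recorder, wrapper and placeholder map below are stand-ins, not Caddy's httpserver types.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// recorder stands in for Caddy's httpserver.ResponseRecorder (hypothetical):
// a ResponseWriter carrying the placeholder map the log directive reads.
type recorder struct {
	http.ResponseWriter
	placeholders map[string]string
}

func (r *recorder) Set(key, val string) { r.placeholders[key] = val }

// wrapper stands in for a middleware such as header that wraps the writer in
// its own type; it exposes the inner writer through Unwrap (assumed method).
type wrapper struct{ http.ResponseWriter }

func (w *wrapper) Unwrap() http.ResponseWriter { return w.ResponseWriter }

// setUserNaive mirrors the snippet in the question: a direct type assertion.
// It silently does nothing once another middleware has wrapped the recorder.
func setUserNaive(w http.ResponseWriter, user string) bool {
	if rr, ok := w.(*recorder); ok {
		rr.Set("user", user)
		return true
	}
	return false
}

// setUserUnwrapping follows Unwrap() down the chain until it reaches the
// recorder, so the username survives intermediate wrappers.
func setUserUnwrapping(w http.ResponseWriter, user string) bool {
	for w != nil {
		if rr, ok := w.(*recorder); ok {
			rr.Set("user", user)
			return true
		}
		u, ok := w.(interface{ Unwrap() http.ResponseWriter })
		if !ok {
			return false
		}
		w = u.Unwrap()
	}
	return false
}

// newRecorder builds a recorder whose {user} defaults to "-", as in the log.
func newRecorder() *recorder {
	return &recorder{httptest.NewRecorder(), map[string]string{"user": "-"}}
}

func main() {
	rr := newRecorder()
	fmt.Println(setUserNaive(&wrapper{rr}, "jim"), rr.placeholders["user"])      // false -
	fmt.Println(setUserUnwrapping(&wrapper{rr}, "jim"), rr.placeholders["user"]) // true jim
}
```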
I noted when fixing #1399 (https://github.com/mholt/caddy/pull/1399) that we would ideally add in a {user} placeholder rather than a "-". We should probably create the same placeholder {user} in basicauth at some point.
Could you show the exact Caddyfile that causes the overwrite?
Could it be caused by ordering? Is your plugin loaded before Header plugin? (I’m just grasping at straws here)
@tobya I concur. Capturing the username is key for log analysis. In addition, {user} (or whatever we call it) should be added to the {common} definition.
In regard to my plugin ordering: it’s loading just after {basicauth}, and both of those are after {header}.
Here is my testing Caddyfile, which has the same structure as my production one. I have to completely remove the header section to get {user} to log correctly. Ordering of the Caddyfile seems to make no difference. Even with {header} as the last directive it overrides {user}. Username logging only works if {header} isn’t used at all.
Perhaps if you use NewReplacer to get access to the replacer, it might not overwrite user. There are a number of examples in the code. An example from rewrite