https://issues.apache.org/bugzilla/show_bug.cgi?id=46525

           Summary: forensic-id not available for commonlog when using
                    mod_rewrite
           Product: Apache httpd-2
           Version: 2.2.9
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_log_forensic
        AssignedTo: [email protected]
        ReportedBy: [email protected]


- Description -

When using mod_rewrite and mod_log_forensic together, any "%{forensic-id}n" tag
specified in the LogFormat directive is written to the log file as "-" for any
successful request which was rewritten.

 - Steps to reproduce - 

1. Create "/etc/httpd/conf.d/forensic_rewrite_test.conf":
########
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule log_forensic_module modules/mod_log_forensic.so
ForensicLog logs/forensic.log
LogFormat "\"%r\" %>s %{forensic-id}n" common_forensic
########

2. Inside a VirtualHost directive, add the following:
########
CustomLog logs/forensic_rewrite_test.log common_forensic
########

3. Inside an .htaccess file for the above VirtualHost, add the following:
########
RewriteEngine on
RewriteRule ^rewrite.html target.html [L]
########

4. In the root of the above VirtualHost, create a simple HTML file named
"target.html" as referenced in the rewrite rule above. 

5. Issue the following HTTP requests to the server:
GET /rewrite.html HTTP/1.0
GET /target.html HTTP/1.0

6. Examine the "forensic.log" and "forensic_rewrite_test.log" files.

==> forensic.log <==
+29275:496d97ef:0|GET /rewrite.html HTTP/1.0|Accept:*/*
-29275:496d97ef:0
+29268:496d974f:1|GET /target.html HTTP/1.0|Accept:*/*
-29268:496d974f

==> forensic_rewrite_test.log <==
"GET /rewrite.html HTTP/1.0" 200 -
"GET /target.html HTTP/1.0" 200 29268:496d974f

Although the forensic log was written correctly, the corresponding forensic-id
value specified in the LogFormat directive is missing, replaced with "-".  The
expected output is:

==> forensic_rewrite_test.log <==
"GET /rewrite.html HTTP/1.0" 200 29275:496d97ef:0
"GET /target.html HTTP/1.0" 200 29268:496d974f

 - Summary - 

Any request which is processed through a RewriteRule will fail to include the
forensic-id tag in the commonlog output, even though direct requests to the
same file include the forensic-id properly.  In both cases, the forensic log
itself is written correctly, including both the "+" entry written when the
request is received and the "-" entry written after the request is completed.  

I did not find any documentation which refers to conflicts between these
packages, nor did I find any documentation indicating that mod_rewrite blocks
the forensic-id or other logging tags by design.

 - Tested platforms - 

Fedora Core 8 & Apache 2.2.8-1
Fedora Core 9 & Apache 2.2.9-1.x86_64

 - Workarounds - 

1. Changing the RewriteRule directive to use external redirection (substituting
[R,L] for [L], above) does allow tracking of each forensic-id.  

However, this is a poor solution as it introduces additional network overhead
as well as functional limitations.  In particular, it prevents the use of
internal redirects as a method of information hiding.  The use case which
prompted my discovery of this bug is the remapping of existing HTML URLs onto a
backend content delivery application whose relatively insecure directory
structure is to be hidden from the end user, à la "RewriteRule
^public-content.html cms.php?site=141&item=23512014 [L]".

2. Arbitrary headers may be written to the commonlog using LogFormat's
"%{header-name}i" syntax.

This is also a poor solution, since it requires each header to be specified in
the LogFormat, which is unwieldy when multiple headers are required.  Recording
request headers for debugging a multi-carrier mobile phone site would require
about 70 headers to cover the full set of x-up-devcap-, x-jphone-, x-h3g-,
x-nokia-, x-wap-, x-operamini- and other request headers which are applicable.

 - Severity - 

Since the purpose of the forensic log is to be able to examine the details of
incoming requests, it is important to be able to identify which incoming
request generated which outgoing response.  None of the known workarounds can
provide this information without affecting the operation of the system or
compromising the completeness of the data set.  The ability to add the
forensic-id tag to the commonlog output provides the necessary reference
between the request and response.  Without this reference, any analysis of the
correspondence between request and response is not possible.

Since this bug prevents mod_forensic from being used when mod_rewrite is in
use, I consider this bug to be major.
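
The request/response correlation described above, as an added example that is not part of the original report or of Apache httpd: it joins an access log in the "common_forensic" format to the forensic log on forensic-id and lists the entries that cannot be tied together. The log contents, ids and function names are constructed for illustration.

```python
import re

# Constructed sample data in the formats shown in the report (not real logs).
FORENSIC_LOG = """\
+4001:5f000001:0|GET /rewrite.html HTTP/1.0|Accept:*/*
-4001:5f000001:0
+4002:5f000002:0|GET /target.html HTTP/1.0|Accept:*/*|Host:example.test
-4002:5f000002:0
+4003:5f000003:0|GET /slow.html HTTP/1.0|Accept:*/*
"""
ACCESS_LOG = """\
"GET /rewrite.html HTTP/1.0" 200 -
"GET /target.html HTTP/1.0" 200 4002:5f000002:0
"""
# Matches LogFormat "\"%r\" %>s %{forensic-id}n"
ACCESS_RE = re.compile(r'^"(?P<request>.*)" (?P<status>\d{3}) (?P<fid>\S+)$')

def parse_forensic(text):
    """Return {forensic-id: {"request", "headers", "completed"}}."""
    entries = {}
    for line in text.splitlines():
        if line.startswith("+"):
            fid, *fields = line[1:].split("|")
            entries[fid] = {"request": fields[0] if fields else "", "completed": False,
                            "headers": dict(h.split(":", 1) for h in fields[1:] if ":" in h)}
        elif line.startswith("-") and line[1:] in entries:
            entries[line[1:]]["completed"] = True  # "-" line: request finished
    return entries

def correlate(forensic_text, access_text):
    """Join the access log to the forensic log on forensic-id."""
    forensic = parse_forensic(forensic_text)
    report = {"matched": {}, "missing_id": [], "unreferenced": [], "incomplete": []}
    for m in filter(None, map(ACCESS_RE.match, access_text.splitlines())):
        if m["fid"] in forensic:
            report["matched"][m["fid"]] = (m["request"], int(m["status"]))
        else:
            report["missing_id"].append(m["request"])  # "-" or unknown id
    for fid, entry in forensic.items():
        if not entry["completed"]:
            report["incomplete"].append(fid)    # "+" without "-"
        elif fid not in report["matched"]:
            report["unreferenced"].append(fid)  # completed, but no access-log line cites it
    return report

if __name__ == "__main__":
    print(correlate(FORENSIC_LOG, ACCESS_LOG))
```

With the behaviour reported here, every internally rewritten request shows up twice in the report: once under "missing_id" and once under "unreferenced", with nothing but the request line to pair them.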

