[MDL-57887] Support nginx and other webservers for logging of username in access logs - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.3
Fix Version/s: 3.3
Component/s: Logging
Labels:
- CatalystIT
- ci
- partner
- triaged

Affected Branches:
MOODLE_33_STABLE
Fixed Branches:
MOODLE_33_STABLE
Pull from Repository:
https://github.com/brendanheywood/moodle
Pull Master Branch:
~~MDL-57887~~-nginx-username-logging
Pull Master Diff URL:
https://github.com/moodle/moodle/compare/0f59b6dd...brendanheywood:MDL-57887-nginx-username-logging
Testing Instructions:
Hide

Under apache setup your CustomLog to be:

LogFormat "%h %l -- %{MOODLEUSER}n -- %t \"%r\" %s %b " moodle

CustomLog ${APACHE_LOG_DIR}/access.log moodle

and then confirm that all of the 3 old settings still work as they should:

$CFG->apacheloguser = 1;

$CFG->apacheloguser = 2;

$CFG->apacheloguser = 3;

Now simulate how this could work in nginx or any other webserver, by serving an extra header and log that instead:

LogFormat "%h %l -- %{X-MOODLEUSER}o -- %t \"%r\" %s %b " moodle

CustomLog ${APACHE_LOG_DIR}/access.log moodle

$CFG->headerloguser = 1;

$CFG->headerloguser = 2;

$CFG->headerloguser = 3;

You and also test this directly in your browser and see that the X-MOODLEUSER header is coming through on all requests that are authenticated. In production you'd probably strip these out so they never make it to the browser but out of scope for testing here.
Show
Under apache setup your CustomLog to be: LogFormat "%h %l -- %{MOODLEUSER}n -- %t \"%r\" %s %b " moodle CustomLog ${APACHE_LOG_DIR}/access.log moodle and then confirm that all of the 3 old settings still work as they should: $CFG->apacheloguser = 1; $CFG->apacheloguser = 2; $CFG->apacheloguser = 3; Now simulate how this could work in nginx or any other webserver, by serving an extra header and log that instead: LogFormat "%h %l -- %{X-MOODLEUSER}o -- %t \"%r\" %s %b " moodle CustomLog ${APACHE_LOG_DIR}/access.log moodle $CFG->headerloguser = 1; $CFG->headerloguser = 2; $CFG->headerloguser = 3; You and also test this directly in your browser and see that the X-MOODLEUSER header is coming through on all requests that are authenticated. In production you'd probably strip these out so they never make it to the browser but out of scope for testing here.

Description

Moodle supports logging the username under apache via the $CFG->apacheloguser mechanism using the apache_note() function. Make this a bit more generic to support any webserver by alternatively sending this as a custom header which can be logged and stripped out if needed.

eg these would all work:

$CFG->apacheloguser = 1;

$CFG->apacheloguser = 2;

$CFG->apacheloguser = 3;

$CFG->headerloguser = 1;

$CFG->headerloguser = 2;

$CFG->headerloguser = 3;

Attachments

Issue Links

has a non-specific relationship to

MDL-71377 Add a security check around the X-MOODLEUSER header

Open

Activity

People

Assignee:: Brendan Heywood

Reporter:: Brendan Heywood

Peer reviewer:: Jake Dallimore

Integrator:: Dan Poltawski

Tester:: Mathieu Petit-Clair

Participants:: Brendan Heywood, CiBoT, Dan Poltawski, Eloy Lafuente (stronk7), Jake Dallimore, Jonathan Champ, Mathieu Petit-Clair

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 2 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 07/Feb/17 6:18 PM

Updated:: 20/Apr/21 9:43 AM

Resolved:: 12/Mar/17 9:58 AM

Fix Release Date:: 15/May/17