Bug 1298571

Summary: [RFE] Log X-Forwarded-For information
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Benjamin Schmaus <bschmaus>
Component: RGWAssignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED ERRATA QA Contact: Ramakrishnan Periyasamy <rperiyas>
Severity: high Docs Contact: Bara Ancincova <bancinco>
Priority: unspecified    
Version: 1.3.1CC: cbodley, ceph-eng-bugs, charlesalva, hnallurv, kbader, kdreyer, mbenjamin, nlevine, owasserm, smanjara, sweil, vumrao, zaitcev
Target Milestone: rc   
Target Release: 2.2   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: RHEL: ceph-10.2.5-7.el7cp Ubuntu: ceph_10.2.5-3redhat1xenial Doc Type: Enhancement
Doc Text:
.The Ceph Object Gateway now supports custom HTTP header logging Sites that use the Civetweb HTTP web server previously lacked the ability to log custom HTTP headers, as they could when using the Apache web server and the FastCGI protocol. With this update, the Ceph Object Gateway supports custom HTTP header logging. To log custom HTTP headers, enable the operations log socket on the Ceph Object Gateway instance and list the HTTP headers. Add the following parameters to the Ceph configuration file: ---- rgw enable ops log = true rgw ops log socket path = <path> rgw log http headers = "<headers>" ---- Replace `<path>` with the path to the operations log socket and `<headers` with a comma-separated list of custom HTTP headers, for example: ---- rgw enable ops log = true rgw ops log socket path = /tmp/opslog rgw log http headers = "http_x_forwarded_for, http_expect, http_content_md5" ---- The operations log stream then lists the headers as a JSON-formatted key-value list with the "http_x_headers" key.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-14 15:43:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1412948    

Description Benjamin Schmaus 2016-01-14 13:00:50 UTC 
Description of problem:

RGW (civetweb) does not allow addition of cache control headers, nor does it allow logging of custom headers. A few headers that I can think of are:

X-Forwarded-For (must be able to log this, and other custom headers in the RGW logs)
Cache-Control
last-modified (or X-Copied-From-Last-Modified)
etags (including ability to disable)

What are the recommended practices for the requirement above?


Version-Release number of selected component (if applicable):
1.3.1

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 7 Neil Levine 2016-02-11 00:58:19 UTC 
Upon further conversation with the customer, the use-case is where RGW act as a origin for a caching CDN and the cache needs to know when to re-contact the origin to see if a newer version of an object exists. The customer wasn't aware that you can arbitrarily set headers on the objects via the application which will hint this to the cache software so there is no need for RGW to set a default header.

However, the customer did request that RGW log the X-Forwarded-For header as this is necessary for debugging and analytics where you have multiple cache front-ends all talking to multiple RGW instances. Changing the RFE subject accordingly.
Comment 16 chrone 2016-11-19 02:35:03 UTC 
I could not find any documentation how to log X-FORWARDED-FOR or X-REAL-IP addresses in the default Ceph RGW civetweb log without enabling "debug ms = 1" and "debug rgw = 20" mode.

...
2016-11-18 18:18:14.137551 7f5e93b87700  1 civetweb: 0x7f5eb00018b0: 192.168.11.11 - - [18/Nov/2016:18:18:14 -0800] "GET /auth/1.0 HTTP/1.1" 204 0 - -
...

Will this feature enable Ceph RGW civetweb logging X-FORWARDED-FOR and/or X-REAL-IP addresses by default? This will be a great feature to have since enabling debug mode will filling up the disk space rapidly.
Comment 17 Matt Benjamin (redhat) 2016-12-15 16:52:57 UTC 
The capability log any HTTP header (and also other server variables) selectively to the RGW ops log has merged to master here:

https://github.com/ceph/ceph/pull/12491

Backport to Jewel in progress:

https://github.com/ceph/ceph/pull/12490

This is expected to reach RHCS 2.2, as planned.
Comment 21 shilpa 2017-01-13 07:27:12 UTC 
Hi Matt,

Could you share the steps to reproduce the BZ?

My understanding is that you would have to set the config options in ceph.conf as in https://github.com/ceph/ceph/pull/7639 and look for the X-Forwarded-For header in civetweb logs?
Comment 23 Matt Benjamin (redhat) 2017-01-17 12:24:17 UTC 
(In reply to shilpa from comment #21)
> Hi Matt,
> 
> Could you share the steps to reproduce the BZ?
> 
> My understanding is that you would have to set the config options in
> ceph.conf as in https://github.com/ceph/ceph/pull/7639 and look for the
> X-Forwarded-For header in civetweb logs?

Hi Shilpa,

No.  You need to:

1. enable usage logging
2. set a header to custom log--you can pick any header that we're actually receiving to verify;  I found http_content_md5 convenient for this
2. attach a program like nc to the output log socket on the radosgw host--if you use nc, it will stream the custom log records to stdout, and you should be able to verify the custom headers appear in a json labeled array in each matching record

Here's a snippet from my ceph.conf:
	# ops log
	rgw enable ops log = true
	rgw ops log socket path = /tmp/opslog
	#rgw log http headers = "http_x_forwarded_for, http_expect, http_content_md5"

Matt
Comment 27 Ramakrishnan Periyasamy 2017-02-17 09:12:17 UTC 
Moving this bug to verified state. verified in ceph: 10.2.5-26.el7cp
Thanks for the clarifications Matt.

Followed steps in comment23 and observed http_content_md5 header in nc stdout as mentioned in it.

Ceph.conf params:

rgw enable ops log = true
rgw ops log socket path = /tmp/opslog
rgw enable usage log = true
rgw log http headers = "http_x_forwarded_for, http_expect, http_content_md5"

after restarting rgw service a socket created in below path

/tmp/systemd-private-459cca697e8740108d3134fb6601def2-ceph-radosgw.service-7SlMGl/tmp/opslog

nc stdout:

[ubuntu@host023 ~]$ sudo nc -U /tmp/systemd-private-459cca697e8740108d3134fb6601def2-ceph-radosgw.service-7SlMGl/tmp/opslog
[{"bucket":"client2_run3","time":"2017-02-17 06:22:22.420641Z","time_local":"2017-02-17 06:22:22.420641","remote_addr":"","user":"nfsuser","operation":"PUT","uri":"\/client2_run3\/","http_status":"200","error_code":"","bytes_sent":19,"bytes_received":0,"object_size":0,"total_time":0,"user_agent":"Boto\/2.45.0 Python\/2.7.5 Linux\/3.10.0-514.6.1.el7.x86_64","referrer":""},
{"bucket":"client2_run3","time":"2017-02-17 06:22:22.619912Z","time_local":"2017-02-17 06:22:22.619912","remote_addr":"","user":"nfsuser","operation":"PUT","uri":"\/client2_run3\/redhat1607329","http_status":"200","error_code":"","bytes_sent":0,"bytes_received":1595408,"object_size":1595408,"total_time":0,"user_agent":"Boto\/2.45.0 Python\/2.7.5 Linux\/3.10.0-514.6.1.el7.x86_64","referrer":"","http_x_headers":[{"HTTP_CONTENT_MD5":"O3T1zQdAoFgCojsBnOV5ow=="},{"HTTP_EXPECT":"100-Continue"}]},
{"bucket":"client2_run3","time":"2017-02-17 06:22:22.861734Z","time_local":"2017-02-17 06:22:22.861734","remote_addr":"","user":"nfsuser","operation":"PUT","uri":"\/client2_run3\/redhat1607330","http_status":"200","error_code":"","bytes_sent":0,"bytes_received":1595408,"object_size":1595408,"total_time":0,"user_agent":"Boto\/2.45.0 Python\/2.7.5 Linux\/3.10.0-514.6.1.el7.x86_64","referrer":"","http_x_headers":[{"HTTP_CONTENT_MD5":"O3T1zQdAoFgCojsBnOV5ow=="},{"HTTP_EXPECT":"100-Continue"}]},
{"bucket":"client2_run3","time":"2017-02-17 06:22:22.958222Z","time_local":"2017-02-17 06:22:22.958222","remote_addr":"","user":"nfsuser","operation":"PUT","uri":"\/client2_run3\/redhat1607331","http_status":"200","error_code":"","bytes_sent":0,"bytes_received":1595408,"object_size":1595408,"total_time":0,"user_agent":"Boto\/2.45.0 Python\/2.7.5 Linux\/3.10.0-514.6.1.el7.x86_64","referrer":"","http_x_headers":[{"HTTP_CONTENT_MD5":"O3T1zQdAoFgCojsBnOV5ow=="},{"HTTP_EXPECT":"100-Continue"}]},
{"bucket":"client2_run3","time":"2017-02-17 06:22:23.107756Z","time_local":"2017-02-17 06:22:23.107756","remote_addr":"","user":"nfsuser","operation":"PUT","uri":"\/client2_run3\/redhat1607332","http_status":"200","error_code":"","bytes_sent":0,"bytes_received":1595408,"object_size":1595408,"total_time":0,"user_agent":"Boto\/2.45.0 Python\/2.7.5 Linux\/3.10.0-514.6.1.el7.x86_64","referrer":"","http_x_headers":[{"HTTP_CONTENT_MD5":"O3T1zQdAoFgCojsBnOV5ow=="},{"HTTP_EXPECT":"100-Continue"}]},
Comment 32 errata-xmlrpc 2017-03-14 15:43:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0514.html