I would like to see the ability to configure auth logging separately from request logs. This should specifically include the ability to log directly to a configured file path.
Current Behavior
All log output is sent to stdout, both requests and error logging. It appears that the error logs flow through a separate logging interface than the request logs. The only way to currently obtain these logs is to use docker logs Oauth2Proxy or to configure the docker container to log to the host syslog.
Request logs are logged:
123.123.123.123 - username@gmail.com [07/Feb/2019:00:01:30 +0000] domain.com GET - "/oauth2/auth" HTTP/1.0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" 202 0 0.000
Failed auth attempts are logged unformatted to stdout as well:
2019/02/07 00:00:40 oauthproxy.go:754: 172.17.0.1:52548 ("123.123.123.123") Permission Denied: "username@gmail.com" is unauthorized
Possible Solution
Further configuration either via command line like:
-auth-logging: Log auth requests (default true)
-auth-logging-file: File to log auth requests to (defaults to empty for stdout)
-auth-logging-format: Template for auth log lines (see "Auth Logging Format" paragraph below)
Most of this logging would be at the existing log.Printf() function calls in oauthproxy.go.
Context
I would like to get a log file of failed login attempts to redirect through fail2ban so that any attempts to log in via any interface can be blocked upstream at the reverse proxy level. In this particular case I have fail2ban set up to ban IP addresses directly at the Cloudflare proxy so the banned IPs don't even make it to my reverse proxy server.
Then you could create a file /etc/fail2ban/jail.d/oauth2proxy.conf
This seems like a sensible enhancement to add. If we can do it in a way that the default values maintain existing behaviour then that would be even better.
We will likely want to use some sort of logging library for this. Does anyone have any suggestions?
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
Expected Behavior
I would like to see the ability to configure auth logging separately from request logs. This should specifically include the ability to log directly to a configured file path.
Current Behavior
All log output is sent to stdout, both requests and error logging. It appears that the error logs flow through a separate logging interface than the request logs. The only way to currently obtain these logs is to use docker logs Oauth2Proxy or to configure the docker container to log to the host syslog.
Request logs are logged:
Failed auth attempts are logged unformatted to stdout as well:
Possible Solution
Further configuration either via command line like:
Or through the oauth2_proxy.cfg file:
The format should include the option for all relevant info but most importantly the remote IP address of the request.
That way a failed oauth2 attempt would log something like:
Most of this logging would be at the existing log.Printf() function calls in oauthproxy.go.
Context
I would like to get a log file of failed login attempts to redirect through fail2ban so that any attempts to log in via any interface can be blocked upstream at the reverse proxy level. In this particular case I have fail2ban set up to ban IP addresses directly at the Cloudflare proxy so the banned IPs don't even make it to my reverse proxy server.
Then you could create a file /etc/fail2ban/jail.d/oauth2proxy.conf
And then you could add oauth2proxy as a fail2ban jail.
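The failed-auth line format quoted in the issue can be parsed and counted per client the way a fail2ban jail would. This is an added example, not code from oauth2_proxy or from the issue author; the sample lines are constructed, and the names `parse_denied` and `offenders` and the thresholds are assumptions. It keys on the quoted address in parentheses, assumed here to be the proxy-forwarded client address, which is only trustworthy when the reverse proxy overwrites that header.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Failed-auth line format as quoted in the issue (peer address, then quoted client address).
DENIED = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+: '
    r'(?P<peer>\S+) \("(?P<client>[^"]*)"\) '
    r'Permission Denied: "(?P<user>[^"]*)" is unauthorized$'
)

# Constructed sample lines (documentation-range IPs), mixing request and auth logs as on stdout.
SAMPLE = [
    '2019/02/07 00:00:40 oauthproxy.go:754: 172.17.0.1:52548 ("203.0.113.7") Permission Denied: "a@example.com" is unauthorized',
    '203.0.113.7 - a@example.com [07/Feb/2019:00:01:30 +0000] example.com GET - "/oauth2/auth" HTTP/1.0 "Mozilla/5.0" 202 0 0.000',
    '2019/02/07 00:01:10 oauthproxy.go:754: 172.17.0.1:52550 ("203.0.113.7") Permission Denied: "b@example.com" is unauthorized',
    '2019/02/07 00:02:05 oauthproxy.go:754: 172.17.0.1:52551 ("203.0.113.7") Permission Denied: "c@example.com" is unauthorized',
    '2019/02/07 00:02:30 oauthproxy.go:754: 172.17.0.1:52552 ("198.51.100.9") Permission Denied: "d@example.com" is unauthorized',
    '2019/02/07 00:03:00 oauthproxy.go:754: 172.17.0.1:52553 ("not-an-ip") Permission Denied: "e@example.com" is unauthorized',
]

def parse_denied(line):
    """Return (timestamp, client_ip, user) for a failed-auth line, else None."""
    m = DENIED.match(line.strip())
    if not m:
        return None
    try:
        client = ip_address(m.group("client"))
    except ValueError:
        return None  # never hand a non-IP string to a ban action
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    return ts, str(client), m.group("user")

def offenders(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Client IPs with at least max_retry denials inside a find_time window."""
    recent, flagged = defaultdict(list), []
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        window = [t for t in recent[ip] if ts - t <= find_time] + [ts]
        recent[ip] = window
        if len(window) >= max_retry and ip not in flagged:
            flagged.append(ip)
    return flagged

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

Because request and auth lines share stdout today, the anchored pattern is what keeps the request-log line from being counted; a separate auth log file as requested would remove that dependency.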