Show gerrit users in the apache log
96 views
Skip to first unread message
shuo dou
Sep 26, 2019, 6:55:41 AM9/26/19
to Repo and Gerrit Discussion
Apache is doing gerrit's reverse proxy,from port 8080 to port 80, how can we display gerrit's user information in the apache log? like the picture:
Gert van Dijk
Sep 26, 2019, 7:49:51 AM9/26/19
to shuo dou, Repo and Gerrit Discussion
On Thu, Sep 26, 2019 at 12:55 PM shuo dou <dshowin...@gmail.com> wrote:
> Apache is doing gerrit's reverse proxy,from port 8080 to port 80, how can we display gerrit's user information in the apache log?
That depends on your configuration whether this is possible or not.
This is because you could configure your reverse proxy to do the
authentication, then pass the authorized user to Gerrit, with
auth.type [1] set to one of the HTTP* options.
If using auth.type = HTTP or auth.type = HTTP_LDAP for example, it's
up to your reverse proxy configuration to log the authenticated
username with the request. By default, Apache (2.4, Debian/Ubuntu
which I use) does this already with having '%u' in the default
LogFormat settings. For more information see Apache Module
mod_log_config documentation [2].
If using other authentication mechanisms, your reverse proxy is not
aware of the authentication and cannot log the username, as far as I
know. The best you can do then is looking at Gerrit's httpd request
log [3] and try to correlate it with your reverse proxy logs, in case
that's what you need. (Note that you don't get an HTTP request log
file by default with a reverse proxy, you have to explicitly enable
that, see [3].)
HTH
[1]: https://gerrit-documentation.storage.googleapis.com/Documentation/3.0.2/config-gerrit.html#auth.type
[2]: http://httpd.apache.org/docs/current/mod/mod_log_config.html
[3]: https://gerrit-documentation.storage.googleapis.com/Documentation/3.0.2/config-gerrit.html#httpd.requestLog
> Apache is doing gerrit's reverse proxy,from port 8080 to port 80, how can we display gerrit's user information in the apache log?
That depends on your configuration whether this is possible or not.
This is because you could configure your reverse proxy to do the
authentication, then pass the authorized user to Gerrit, with
auth.type [1] set to one of the HTTP* options.
If using auth.type = HTTP or auth.type = HTTP_LDAP for example, it's
up to your reverse proxy configuration to log the authenticated
username with the request. By default, Apache (2.4, Debian/Ubuntu
which I use) does this already with having '%u' in the default
LogFormat settings. For more information see Apache Module
mod_log_config documentation [2].
If using other authentication mechanisms, your reverse proxy is not
aware of the authentication and cannot log the username, as far as I
know. The best you can do then is looking at Gerrit's httpd request
log [3] and try to correlate it with your reverse proxy logs, in case
that's what you need. (Note that you don't get an HTTP request log
file by default with a reverse proxy, you have to explicitly enable
that, see [3].)
HTH
[1]: https://gerrit-documentation.storage.googleapis.com/Documentation/3.0.2/config-gerrit.html#auth.type
[2]: http://httpd.apache.org/docs/current/mod/mod_log_config.html
[3]: https://gerrit-documentation.storage.googleapis.com/Documentation/3.0.2/config-gerrit.html#httpd.requestLog
Sven Selberg
Sep 26, 2019, 8:07:34 AM9/26/19
to Repo and Gerrit Discussion
If you are on 2.15 or above you can configure Gerrit to add a header with user-name:
[http]
addUserAsResponseHeader = true
https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#http.addUserAsResponseHeader
And capture it in Apache.
shuo dou
Sep 27, 2019, 1:27:42 AM9/27/19
to Repo and Gerrit Discussion
Sorry to bother you, but I must use LDAP authentication. If so, how can I get the user name in the apache reverse proxy log?
在 2019年9月26日星期四 UTC+8下午8:07:34,Sven Selberg写道:
在 2019年9月26日星期四 UTC+8下午8:07:34,Sven Selberg写道:
如果您使用的是2.15或更高版本,则可以配置Gerrit添加带有用户名的标头:[HTTP]
addUserAsResponseHeader = truehttps://gerrit-review.googlesource.com/Documentation/config-gerrit.html#http.addUserAsResponseHeader
并在Apache中捕获它。
在2019年9月26日星期四UTC + 2下午1:49:51,Gert van Dijk写道:在2019年9月26日星期四下午12:55 shuo dou < dshowin ... @ gmail.com >写道:
> Apache正在做gerrit的反向代理,从端口8080到端口80,如何在窗口中显示gerrit的用户信息。 apache日志?
这是否可能取决于您的配置。
这是因为您可以配置反向代理进行
身份验证,然后将
auth.type [1]设置为HTTP *选项之一,将授权用户传递给Gerrit 。
例如,如果使用auth.type = HTTP或auth.type = HTTP_LDAP,则由
反向代理配置来记录
请求中已验证的 用户名。默认情况下,Apache(2.4,Debian / Ubuntu
我使用的方法)已经通过在默认
LogFormat设置中使用'%u'来做到这一点 。有关更多信息,请参阅Apache Module
mod_log_config文档[2]。
如果使用其他身份验证机制,
据我
所知,您的反向代理不 知道身份验证,因此无法记录用户名 。然后,您可以做的最好的就是查看Gerrit的httpd请求
日志[3],并尝试将其与反向代理日志相关联,以防万一
。(请注意,
默认情况下您没有使用反向代理获得HTTP请求日志 文件,必须显式启用
它,请参阅[3]。)
HTH
[1]:https:// gerrit-documentation。storage.googleapis.com/Documentation / 3.0.2 / config- gerrit.html#auth.type
[2]:http ://httpd.apache.org/docs/ current / mod / mod_log_config。html
[3]:https:// gerrit-documentation。storage.googleapis.com/ 文档/3.0.2/config- gerrit.html#httpd.requestLog
Gert van Dijk
Sep 27, 2019, 5:03:59 AM9/27/19
to shuo dou, Repo and Gerrit Discussion
On Fri, Sep 27, 2019 at 7:27 AM shuo dou <dshowin...@gmail.com> wrote:
> Sorry to bother you, but I must use LDAP authentication. If so, how can I get the user name in the apache reverse proxy log?
If your Gerrit auth.type = LDAP, then Sven's suggestion is the way
> Sorry to bother you, but I must use LDAP authentication. If so, how can I get the user name in the apache reverse proxy log?
forward for configuration of Gerrit [1]. To configure Apache is not
the best place to ask here, but I believe you could try this:
- Use a custom LogFormat [2] directive.
- Include '%{User}o' (without the quotes) in your custom format.
See also this Q&A on Serverfault [3], which as a bonus, even includes
how to hide it from the connecting client.
HTH
[1]: https://gerrit-documentation.storage.googleapis.com/Documentation/3.0.2/config-gerrit.html#http.addUserAsResponseHeader
[2]: http://httpd.apache.org/docs/current/mod/mod_log_config.html
[3]: https://serverfault.com/a/728403/135437
shuo dou
Sep 28, 2019, 9:40:39 PM9/28/19
to Repo and Gerrit Discussion
Ok, thank you, it works!
However, versions above 2.15.x are required
在 2019年9月27日星期五 UTC+8下午5:03:59,Gert van Dijk写道:
在 2019年9月27日星期五 UTC+8下午5:03:59,Gert van Dijk写道:
Sven Selberg
Sep 30, 2019, 5:34:46 AM9/30/19
to Repo and Gerrit Discussion
On Sunday, September 29, 2019 at 3:40:39 AM UTC+2, shuo dou wrote:
Ok, thank you, it works!However, versions above 2.15.x are required
Yes, as I mentioned in my post this config option is only available for 2.15 or above.
If you are on a version < 2.15 you should consider upgrading to v2.16 and then v3.0.
/Sven
Reply all
Reply to author
Forward
0 new messages