#9625 closed enhancement (fixed)
HTTP caller IP address as logger variable
| Reported by: | Owned by: | Remy Blank | |
|---|---|---|---|
| Priority: | low | Milestone: | 1.0 |
| Component: | admin/web | Version: | |
| Severity: | minor | Keywords: | logging, trac.ini |
| Cc: | Branch: | ||
| Release Notes: |
Log remote IP address with |
||
| API Changes: | |||
| Internal Changes: | |||
Description
When trac produces log messages like HTTPForbidden, it would be very helpful to see which IP address the HTTP request was made from, e.g. to determine whether this was an external attack or a legal user who forgot their login data.
According to TracIni, the IP address is currently not available as formatter variable.
Along with this, probably other HTTP variables would be nice to include in the log file.
Attachments (2)
Change History (17)
comment:1 by , 14 years ago
| Keywords: | bitesized added |
|---|---|
| Milestone: | → unscheduled |
| Summary: | Feature request: HTTP caller IP address as logger variable → HTTP caller IP address as logger variable |
comment:2 by , 14 years ago
| Milestone: | unscheduled → 0.13 |
|---|
This patch prints the following in the log:
22:17:32 Trac[perm] DEBUG: No policy allowed anonymous performing TIMELINE_VIEW on None 22:17:32 Trac[main] WARNING: Forbidden request from IP: 127.0.0.1 22:17:32 Trac[main] WARNING: HTTPForbidden: 403 Forbidden (TIMELINE_VIEW privileges are required to perform this operation)
-
trac/web/main.py
276 276 exception_to_unicode(e, traceback=True)) 277 277 raise err[0], err[1], err[2] 278 278 except PermissionError, e: 279 self.log.warn("Forbidden request from IP: %s" % req.remote_addr) 279 280 raise HTTPForbidden(to_unicode(e)) 280 281 except ResourceNotFound, e: 281 282 raise HTTPNotFound(e)
comment:3 by , 14 years ago
| Keywords: | bitesized removed |
|---|---|
| Owner: | set to |
That's probably good enough for satisfying the use case explained in the description.
As for making the "IP address (available as a) logger variable" I think that's not realistic, as the IP address is stored in the Request which bears no direct connection with the logging system.
So, thanks for the patch!
comment:4 by , 14 years ago
Would it be possible to include the IP address in the same logging statement as the exception itself, instead of using a separate logging statement?
by , 14 years ago
| Attachment: | log-ip.patch added |
|---|
comment:5 by , 14 years ago
The attached patch includes the IP in the exception logging statement:
02:27:51 Trac[main] WARNING: HTTPForbidden: 403 Forbidden (TIMELINE_VIEW privileges are required to perform this operation - IP: 127.0.0.1)
follow-up: 7 comment:6 by , 14 years ago
Just noticed that including it in the exception causes Trac to print it in the web view as well, and I'm not sure if web users need to see their IP printed on the screen.
comment:7 by , 14 years ago
Replying to Thijs Triemstra <lists@…>:
Just noticed that including it in the exception causes Trac to print it in the web view as well, and I'm not sure if web users need to see their IP printed on the screen.
I would prefer not having the address in the error itself, only in the log statement.
by , 14 years ago
| Attachment: | log-ip2.patch added |
|---|
comment:8 by , 14 years ago
Attached patch produces:
23:52:17 Trac[main] WARNING: HTTPForbidden: 403 Forbidden (TIMELINE_VIEW privileges are required to perform this operation) 23:52:17 Trac[main] WARNING: IP: 127.0.0.1
Or including the user-agent?
-
trac/web/main.py
541 541 data = {'title': title, 'type': 'TracError', 'message': message, 542 542 'frames': [], 'traceback': None} 543 543 if e.code == 403 and req.authname == 'anonymous': 544 env.log.warn("IP: %s - %s" % (req.remote_addr, req.get_header('User-Agent'))) 544 545 # TRANSLATOR: ... not logged in, you may want to 'do so' now (link) 545 546 do_so = tag.a(_("do so"), href=req.href.login()) 546 547 req.chrome['notices'].append(
23:55:02 Trac[main] WARNING: HTTPForbidden: 403 Forbidden (TIMELINE_VIEW privileges are required to perform this operation) 23:55:02 Trac[main] WARNING: IP: 127.0.0.1 - Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/534.10+ (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
comment:9 by , 14 years ago
| Milestone: | 0.13 → 0.12.2 |
|---|
comment:10 by , 14 years ago
| Milestone: | 0.12.2 → 0.13 |
|---|
I was rather thinking something like (for permission errors only):
-
trac/web/main.py
diff --git a/trac/web/main.py b/trac/web/main.py
a b def _dispatch_request(req, env, env_erro 517 517 # This part is a bit more complex than it should be. 518 518 # See trac/web/api.py for the definition of HTTPException subclasses. 519 519 if env: 520 env.log.warn(exception_to_unicode(e)) 520 message = exception_to_unicode(e) 521 if e.code == 403: 522 message = '[%s] %s' % (req.remote_addr, message) 523 env.log.warn(message) 521 524 try: 522 525 # We try to get localized error messages here, 523 526 # but we should ignore secondary errors
Or even simpler, for all HTTPExceptions:
-
trac/web/main.py
diff --git a/trac/web/main.py b/trac/web/main.py
a b def _dispatch_request(req, env, env_erro 517 517 # This part is a bit more complex than it should be. 518 518 # See trac/web/api.py for the definition of HTTPException subclasses. 519 519 if env: 520 env.log.warn(exception_to_unicode(e)) 520 env.log.warn('[%s] %s' % (req.remote_addr, 521 exception_to_unicode(e))) 521 522 try: 522 523 # We try to get localized error messages here, 523 524 # but we should ignore secondary errors
(No enhancements on 0.12-stable)
comment:11 by , 14 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Second patch in comment:10 applied in [10260].
comment:12 by , 14 years ago
| Owner: | changed from to |
|---|
comment:13 by , 14 years ago
| Release Notes: | modified (diff) |
|---|
That's probably relatively easy to implement. PatchWelcome.