Bug 64731 - change log message for authorization checks in mod_authz_host
Summary: change log message for authorization checks in mod_authz_host
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authz_host (show other bugs)
Version: 2.5-HEAD
Hardware: PC All
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Depends on:
Reported: 2020-09-09 19:34 UTC by Bingyu Shen
Modified: 2020-09-29 05:40 UTC (History)
0 users

Improve log message for mod_authz_host authorization checks (1.77 KB, text/plain)
2020-09-09 19:34 UTC, Bingyu Shen

Note You need to log in before you can comment on or make changes to this bug.
Description Bingyu Shen 2020-09-09 19:34:40 UTC
Created attachment 37446 [details]
Improve log message for mod_authz_host authorization checks

mod_authz_host has several authorization checks, which contain four authorization checks for client's address, with functions

These functions only have log messages for syntax checks, but do not log the authorization check result even though the authorization check fails. The authorization result will be logged at DEBUG level which is usually disabled.

I would suggest add the log messages when the authorization check fails, which pinpoints the root cause of authorization failure and saves sysadmins' time for troubleshooting. For example 

@@ -287,6 +294,9 @@ forward_dns_check_authorization(request_rec *r,

+    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
+            "authz_host authorize: Authorization of require forward-dns failed: "
+            "client's address is not resolved from the require'd host name");
     return AUTHZ_DENIED;

Adding the log before return AUTHZ_DENIED can clearly tell the sysadmin the root cause of the authorization failure.

I also added the logs for the ip/host/local checks, and submitted as attachment. Any feedbacks are appreciated!