Apache Directive blacklisting CustomLog and ErrorLog?

Discussion in 'Developers' Forum' started by TonyG, Oct 3, 2020.

  1. TonyG

    TonyG Member

    I've been trying to insert the following into a vhost from Site > Options > Apache Directives :
    Code:
    ErrorLog /var/log/httpd/{DOMAIN}/error.log
    CustomLog /var/log/httpd/{DOMAIN}/access.log combined
    It's returning error : apache_directive_blocked_error

    That comes from the blacklist defined here. This is the result of a very recent change, merged last month.

    The change was made in response to a ticket #5612. Where is this mysterious ticket?

    On researching issue tickets, I see someone else wanted to do this for the same reason.
    The goal is simply to get separate access/error files for each site. Can someone suggest how this can be done now in 3.2?

    For future documentation I think it would be helpful to explain why each of the directives in the list has been blacklisted. It's not obvious why specific directives return the terse error. That prompts a lot of questions in this forum like "why can't we use Include" (which I still don't understand outside of "it's a security issue").

    Thanks!
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Is this changed in ISPConfig 3.2? In 3.1 each site has /var/www/<sitename>/log where access and error logs are stored.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Each site has separate access and error log files by default in ISPConfig in /var/log/ispconfig/httpd/domain.tld/ and this is even mounted into the log directory of the website for easy access by the client.

    [[email protected] ~]# ls /var/log/ispconfig/httpd/example.com/
    20200930-access.log 20201001-access.log access.log

    and

    [[email protected] ~]# ls /var/www/example.com/log/
    20200930-access.log 20201001-access.log access.log

    Makes no sense to do that and will not work anyway as logs are already stored in that path and logging is done globally and split globally for performance, log rotation and also traffic quota calculation.

    It's more than sufficient to be a security issue to get disallowed. So if you want to write a note for that for the docs, write that directives listed in the blacklist are not permitted for security reasons.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    He actually asked to disable the log, which is not from ISPConfig, it belongs to your Linux distribution, and not to split it as the split logs exist already. So if you do not want to have that default log of the Linux distribution, then just comment it out or remove the whole other-vhosts-access-log config include.
     
  5. TonyG

    TonyG Member

    As always, thanks for your time and insight. I'm recognizing my confusion. The "AccessLog ... combined" directive causes logs to go into other_vhosts_access.log. But it seems individual site logs are also going into the ISPC-specific files. I missed that. I can move forward with this. It takes a while to internalize some of this. Thanks guys!
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    As far as I know you can still set custom logs, but not use a | in front of them. Just a note.
     
  7. TonyG

    TonyG Member

    That line had me puzzled but I marked this thread as Solved anyway. Then I started thinking...

    No, the regex in the blacklist doesn't allow custom logs at all:
    Code:
    /^\s*(CustomLog|ErrorLog)(\s+|[\\\\])/mi
    Your note about the pipe is an example of standard functionality that we can't use, like this :
    Code:
    CustomLog "|/usr/bin/cronolog --symlink=/var/log/httpd/access.log /var/log/httpd/access.log_%Y_%m_%d" combined
    Coincidentally, that example comes from this HowToForge page which describes how to filter undesirable text out of the logs. In short: we can no longer do this :
    Code:
    CustomLog /var/log/apache2/access.log combined env=!dontlog
    ... adding the env=!dontlog qualifier to the directive. That is, we can define a bunch of SETENVIF rules, but we can't get the log to enforce them anymore.

    Yeah? No?
    Thanks!
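
As an added illustration (not part of the thread and not ISPConfig's own code), the Python sketch below runs the pattern quoted in the post above over the directives from this thread and reports which lines it flags. Python's `re` stands in for PHP's PCRE here, and sample lines 5 to 8 are constructed for contrast.

```python
import re

# Pattern exactly as quoted in the thread; PCRE flags "mi" map to
# MULTILINE | IGNORECASE. The character class matches a literal backslash.
BLOCKED = re.compile(r'^\s*(CustomLog|ErrorLog)(\s+|[\\\\])', re.M | re.I)


def blocked_directives(snippet):
    """Return (line_number, directive_as_written) for every hit in snippet.

    The pattern is run over the whole text, as a multi-line filter would do,
    and each hit is mapped back to the line holding the directive keyword.
    """
    hits = []
    for m in BLOCKED.finditer(snippet):
        line_no = snippet.count("\n", 0, m.start(1)) + 1
        hits.append((line_no, m.group(1)))
    return hits


# Lines 1-4 are the directives quoted in the thread.
# Lines 5-8 are constructed sample input (assumptions, not from the thread).
SAMPLE = """\
ErrorLog /var/log/httpd/{DOMAIN}/error.log
CustomLog /var/log/httpd/{DOMAIN}/access.log combined
CustomLog "|/usr/bin/cronolog --symlink=/var/log/httpd/access.log /var/log/httpd/access.log_%Y_%m_%d" combined
CustomLog /var/log/apache2/access.log combined env=!dontlog
SetEnvIf Request_URI "^/healthcheck$" dontlog
    customlog logs/mixed-case.log combined
# CustomLog logs/commented.log combined
LogLevel warn
"""

if __name__ == "__main__":
    flagged = dict(blocked_directives(SAMPLE))
    for number, text in enumerate(SAMPLE.splitlines(), start=1):
        status = "BLOCKED" if number in flagged else "allowed"
        print(f"{number}: {status:7}  {text.strip()[:60]}")
```

Every `CustomLog` or `ErrorLog` line is flagged regardless of its arguments, including the plain-file and `env=` forms, while the `SetEnvIf` line, the commented-out line and `LogLevel` are not.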
     
