Roundup Tracker - Issues

Message8209

Author schlatterbeck
Recipients rouilj, schlatterbeck
Date 2024-12-05.06:42:41
Message-id <20241205064231.fhotuss6d4hoggh6@runtux.com>
In-reply-to <1733339835.59.0.259440248584.issue2551372@roundup.psfhosted.org>

Hi John,

On Wed, Dec 04, 2024 at 07:17:15PM +0000, John Rouillard wrote:
> 
> Hi Ralf:
> 
> My only concern is that it could be used to fill the logs with errors.
> But that's an issue we have elsewhere in the code. I don't have a good
> solution for it or how to make it easier to respond to.

Yes, we could make it configurable. But I have several customers where
I'm very happy when I can diagnose things with the right amount of
logging. And seeing when there are REST calls with missing headers is
certainly one of them.

> Logging the username might be useful in tracking down the cause.
> But, I think this code is accessible from an anonymous user if
> anonymous is granted rest access and the username is useless in
> this case.

Yes, I do not have any trackers where anonymous has REST access.

> Maybe logging the IP address to allow firewalling in case of DOS?

Yes, makes sense.
I have a use-case where a sync job is using the API; finding all
log entries where something goes wrong is a use-case for me (the sync
job comes from a fixed IP). I'll look into this.

> I don't think the Client object has that. It would also need to be
> proxy aware (see rev 627c5d6a0551 for changes to roundup-server) which
> would require a setting to enable/disable.

We could use the already-introduced -P option for that if I understand
this correctly? Do we really need that option? I guess an X-Forwarded-For
header would only be present in the proxy-case so logging the IP from
there if the header is present wouldn't require a -P option?

Note that I'm running roundup in the meantime always behind apache using
uwsgi. This *is* sort-of a proxy setup. I'm not sure what logging would
do in that case; have you experience with uwsgi concerning logging of
IPs?

Thanks
Ralf
-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   www.runtux.com
Reichergasse 131, A-3411 Weidling       email: office@runtux.com

History

Date                 User           Action  Args
2024-12-05 06:42:41  schlatterbeck  set     recipients: + schlatterbeck, rouilj
2024-12-05 06:42:41  schlatterbeck  link    issue2551372 messages
2024-12-05 06:42:41  schlatterbeck  create
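
The question in the message above, whether X-Forwarded-For can simply be logged whenever it is present, as an added example (not Roundup code and not from this thread): a WSGI-side resolver that uses the header only when the direct peer is a configured proxy, so a directly connected client cannot choose the address that lands in the log or in a firewall rule. `TRUSTED_PROXIES` and `client_ip_for_log` are hypothetical names, and the proxy listening on loopback is an assumption.

```python
import ipaddress

# Assumption: the reverse proxy (e.g. Apache in front of uwsgi) is on loopback.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]


def _parse_ip(text):
    """Return an ip_address object, or None for anything that is not an IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(ip):
    """True when the address belongs to one of our own proxies."""
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip_for_log(environ):
    """Pick the address to log for a WSGI request.

    X-Forwarded-For is honoured only when the direct peer (REMOTE_ADDR) is a
    trusted proxy. The header is walked right to left, skipping trusted
    proxies, so the result is the first hop our own proxies vouch for.
    """
    peer = _parse_ip(environ.get("REMOTE_ADDR", ""))
    if not _is_trusted(peer):
        # Direct connection: any X-Forwarded-For was written by the client.
        return str(peer) if peer else "unknown"
    hops = environ.get("HTTP_X_FORWARDED_FOR", "").split(",")
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            # Empty or malformed entry: stop, never copy it into the log.
            break
        if not _is_trusted(ip):
            return str(ip)
    # No usable forwarded hop: fall back to the proxy's own address.
    return str(peer)
```
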