Message8210
In message <20241205064231.fhotuss6d4hoggh6@runtux.com>,
Ralf Schlatterbeck writes:
>
>
>Ralf Schlatterbeck added the comment:
>
>Hi John,
>
>On Wed, Dec 04, 2024 at 07:17:15PM +0000, John Rouillard wrote:
>>
>> Hi Ralf:
>>
>> My only concern is that it could be used to fill the logs with errors.
>> But that's an issue we have elsewhere in the code. I don't have a good
>> solution for it or how to make it easier to respond to.
>
>Yes, we could make it configurable. But I have several customers where
>I'm very happy when I can diagnose things with the right amount of
>logging. And seeing when there are REST calls with missing headers is
>certainly one of them.

I think logging these by default is a good idea. I just don't know how
to handle it being abused. Rate limiting could work, but seems
overkill. YAGNI seems to apply here for now if we can add info so the
admin can use other tools to address abuse.
[...]
>> Maybe logging the IP address to allow firewalling in case of DOS?
>
>Yes, makes sense.
>I have a use-case where a sync job is using the API, finding all
>log entries where something goes wrong is a use-case for me (the sync
>job comes from a fixed IP), I'll look into this.
>
>> I don't think the Client object has that. It would also need to be
>> proxy aware (see rev 627c5d6a0551 for changes to roundup-server) which
>> would require a setting to enable/disable.
>
>We could use the already-introduced -P option for that if I understand
>this correctly?

-P only works for the standalone roundup-server. AFAIK, only
roundup-server logs an http log format string. None of the other ways
of running Roundup (cgi, wsgi, zope) do. But all of the other ways
should have access to all the CGI environment variables. Only
roundup-server filters that environment.

>Do we really need that option? I guess an X-Forwarded-For
>header would only be present in the proxy-case so logging the IP from
>there if the header is present wouldn't require a -P option?

X-Forwarded-For can be sent by the client. It should be used when
Roundup is accessible only via reverse proxy. Then the reverse proxy
will set that header correctly.

>Note that I'm running roundup in the meantime always behind apache using
>uwsgi. This *is* sort-of a proxy setup. I'm not sure what logging would
>do in that case, have you experience with uwsgi concerning logging of
>IPs?

I am not running uwsgi anymore. AFAIK, only roundup-server logs
connection info currently.

Date | User | Action | Args
2024-12-05 16:07:59 | rouilj | set | recipients: + rouilj, schlatterbeck
2024-12-05 16:07:59 | rouilj | link | issue2551372 messages
2024-12-05 16:07:59 | rouilj | create |
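The point made in the message above, that X-Forwarded-For can be sent by the client and is only reliable behind a reverse proxy, as an added example that is not Roundup code: a sketch of picking the address to log from a CGI/WSGI environment. The function names, the behind_proxy switch and the trusted proxy list are assumptions made for illustration; only REMOTE_ADDR and HTTP_X_FORWARDED_FOR are standard environment keys.

```python
import ipaddress

# Constructed sample: networks whose hosts are our own reverse proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr, trusted):
    """True if addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip_for_log(environ, behind_proxy=False, trusted=TRUSTED_PROXIES):
    """Return the address to write to the log (hypothetical helper).

    X-Forwarded-For is honoured only when the admin enabled behind_proxy
    and the direct peer (REMOTE_ADDR) is one of our own proxies.
    """
    peer = environ.get("REMOTE_ADDR", "")
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if not (behind_proxy and xff and _is_trusted(peer, trusted)):
        return peer or "-"
    # Walk right to left: the rightmost hops were appended by our proxies,
    # so the first untrusted hop is the client. Entries further left may
    # have been supplied by the client and are ignored.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: log the peer, never raw text
        if not _is_trusted(hop, trusted):
            return hop
    return hops[0] if hops else peer
```

Because the returned value is either REMOTE_ADDR or a string that parsed as an IP address, header content never reaches the log line unvalidated.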