Do not init content logging for the connection if its log action is disabled

So now, we don't create any content log file if that log action is disabled. Also, improve documentation.
3 years ago · 357e6050db
parent f0c2ca6819
commit 357e6050db
5 changed files with 102 additions and 71 deletions
--- a/README.md
+++ b/README.md
@ -275,25 +275,6 @@ parse and use this information in its logic and/or logging:
 The user authentication feature is currently available on OpenBSD and Linux 
 only.

-#### User control lists
-
-DivertUsers and PassUsers options can be used to divert, pass through, or 
-block users.
-
- If neither DivertUsers nor PassUsers is defined, all users are diverted to 
-listening programs.
- Connections from users in DivertUsers, if defined, are diverted to listening 
-programs.
- Connections from users in PassUsers, if defined, are simply passed through 
-to their original destinations. SSLproxy engages the Passthrough mode for that 
-purpose.
- If both DivertUsers and PassUsers are defined, users not listed in either of 
-the lists are blocked. SSLproxy simply terminates their connections.
- If *no* DivertUsers list is defined, only users *not* listed in PassUsers 
-are diverted to listening programs.
-
-These user control lists can be defined globally or per-proxyspec.
-
 ### Filtering rules

 SSLproxy can divert, split, pass, block, or match connections based on 
@ -307,8 +288,8 @@ allowing content logging of packets
 - Pass action passes the connection through by engaging passthrough mode, 
 effectively disabling SSL inspection and content logging of packets
 - Block action terminates the connection
- Match action is used to specify log actions for matching connections without 
-changing their filter actions
+- Match action specifies log actions for the connection without changing its 
+filter action

 The syntax of filtering rules is as follows:

@ -398,14 +379,12 @@ In terms of possible filter actions,
 - HTTP filter rules can take the block action, but not divert, split, or pass 
 actions.

-Log actions do not configure any loggers. Global content loggers for 
-respective log actions should have been configured for those log actions to 
-have any effect.
+Log actions do not configure any loggers. Global loggers for respective log 
+actions should have been configured for those log actions to have any effect.

-If no filter rules are defined for a proxyspec, all logging actions for that 
+If no filter rules are defined for a proxyspec, all log actions for that 
 proxyspec are enabled. Otherwise, all log actions are disabled, and filtering 
-rules should enable them specifically. Note that if logging is disabled by 
-filtering rules, the loggers create the log files, but they remain empty.
+rules should enable them specifically.

 You can append an asterisk `*` to site field of filtering rules for substring 
 matching. Otherwise, the filter searches for an exact match with the site field 
@ -418,9 +397,9 @@ the from part of filtering rules.

 #### Excluding sites from SSL inspection

-PassSite option is a special form of Pass filtering rule. All PassSite rules 
-can be written as Pass filter rules. The PassSite option will be deprecated in 
-favor of filter rules in the future.
+PassSite option is a special form of Pass filtering rule. PassSite rules can 
+be written as Pass filtering rules. The PassSite option will be deprecated in 
+favor of filtering rules in the future.

 PassSite option allows certain SSL sites to be excluded from SSL inspection. 
 If a PassSite matches the SNI or common names in the SSL certificate of a 
@ -434,6 +413,29 @@ description keywords. If the UserAuth option is disabled, only client IP
 addresses can be used in PassSite filters. Multiple sites can be defined, one 
 on each line. PassSite rules can search for exact or substring matches.

+#### User control lists
+
+User control lists can be implemented using filtering rules. The DivertUsers 
+and PassUsers options will be deprecated in favor of filtering rules in the 
+future.
+
+DivertUsers and PassUsers options can be used to divert, pass through, or 
+block users.
+
+- If neither DivertUsers nor PassUsers is defined, all users are diverted to 
+listening programs.
+- Connections from users in DivertUsers, if defined, are diverted to listening 
+programs.
+- Connections from users in PassUsers, if defined, are simply passed through 
+to their original destinations. SSLproxy engages the Passthrough mode for that 
+purpose.
+- If both DivertUsers and PassUsers are defined, users not listed in either of 
+the lists are blocked. SSLproxy simply terminates their connections.
+- If *no* DivertUsers list is defined, only users *not* listed in PassUsers 
+are diverted to listening programs.
+
+These user control lists can be defined globally or per-proxyspec.
+
 ### Logging

 Logging options include traditional SSLproxy connect and content log files as
--- a/src/log.c
+++ b/src/log.c
@ -702,7 +702,12 @@ log_content_open(log_content_ctx_t *ctx, global_t *global,
                 const struct sockaddr *dstaddr, socklen_t dstaddrlen,
                 char *srchost, char *srcport,
                 char *dsthost, char *dstport,
-                 char *exec_path, char *user, char *group)
+                 char *exec_path, char *user, char *group,
+                 int log_content, int log_pcap
+#ifndef WITHOUT_MIRROR
+                 , int log_mirror
+#endif /* !WITHOUT_MIRROR */
+	)
 {
 	char timebuf[24];
 	time_t epoch;
@ -717,8 +722,16 @@ log_content_open(log_content_ctx_t *ctx, global_t *global,
 	    )
 		return 0; /* does this actually happen? */

-	if (global->contentlog_isdir || global->contentlog_isspec ||
-	    global->pcaplog_isdir    || global->pcaplog_isspec) {
+	if (!log_content && !log_pcap
+#ifndef WITHOUT_MIRROR
+		&& !log_mirror
+#endif /* !WITHOUT_MIRROR */
+		) {
+		return 0;
+	}
+
+	if ((log_content && (global->contentlog_isdir || global->contentlog_isspec)) ||
+	    (log_pcap && (global->pcaplog_isdir || global->pcaplog_isspec))) {
 		if (global->contentlog_isdir || global->pcaplog_isdir) {
 			if (time(&epoch) == -1) {
 				log_err_level_printf(LOG_CRIT, "Failed to get time\n");
@ -752,7 +765,7 @@ log_content_open(log_content_ctx_t *ctx, global_t *global,
 		}
 	}

-	if (global->contentlog) {
+	if (log_content && global->contentlog) {
 		ctx->file = malloc(sizeof(log_content_file_ctx_t));
 		if (!ctx->file)
 			goto errout;
@ -799,7 +812,7 @@ log_content_open(log_content_ctx_t *ctx, global_t *global,
 		}
 	}

-	if (global->pcaplog) {
+	if (log_pcap && global->pcaplog) {
 		ctx->pcap = malloc(sizeof(log_content_pcap_ctx_t));
 		if (!ctx->pcap)
 			goto errout;
@ -838,7 +851,7 @@ log_content_open(log_content_ctx_t *ctx, global_t *global,
 	}

 #ifndef WITHOUT_MIRROR
-	if (global->mirrorif) {
+	if (log_mirror && global->mirrorif) {
 		ctx->mirror = malloc(sizeof(log_content_mirror_ctx_t));
 		if (!ctx->mirror)
 			goto errout;
@ -854,16 +867,16 @@ log_content_open(log_content_ctx_t *ctx, global_t *global,
 #endif /* !WITHOUT_MIRROR */

 	/* submit open events */
-	if (ctx->file) {
+	if (log_content && ctx->file) {
 		if (logger_open(content_file_log, ctx->file) == -1)
 			goto errout;
 	}
-	if (ctx->pcap) {
+	if (log_pcap && ctx->pcap) {
 		if (logger_open(content_pcap_log, ctx->pcap) == -1)
 			goto errout;
 	}
 #ifndef WITHOUT_MIRROR
-	if (ctx->mirror) {
+	if (log_mirror && ctx->mirror) {
 		if (logger_open(content_mirror_log, ctx->mirror) == -1)
 			goto errout;
 	}
@ -885,9 +898,11 @@ errout:
 	if (ctx->pcap) {
 		free(ctx->pcap);
 	}
+#ifndef WITHOUT_MIRROR
 	if (ctx->mirror) {
 		free(ctx->mirror);
 	}
+#endif /* !WITHOUT_MIRROR */
 	memset(ctx, 0, sizeof(log_content_ctx_t));
 	return -1;
 }
--- a/src/log.h
+++ b/src/log.h
@ -136,17 +136,25 @@ int log_conn(const char *);
 typedef struct log_content_ctx log_content_ctx_t;
 struct log_content_file_ctx;
 struct log_content_pcap_ctx;
+#ifndef WITHOUT_MIRROR
 struct log_content_mirror_ctx;
+#endif /* !WITHOUT_MIRROR */
 struct log_content_ctx {
 	struct log_content_file_ctx *file;
 	struct log_content_pcap_ctx *pcap;
+#ifndef WITHOUT_MIRROR
 	struct log_content_mirror_ctx *mirror;
+#endif /* !WITHOUT_MIRROR */
 };
 int log_content_open(log_content_ctx_t *, global_t *,
                     const struct sockaddr *, socklen_t,
                     const struct sockaddr *, socklen_t,
                     char *, char *, char *, char *,
-                     char *, char *, char *) NONNULL(1,2,3) WUNRES;
+                     char *, char *, char *, int, int
+#ifndef WITHOUT_MIRROR
+	, int
+#endif /* !WITHOUT_MIRROR */
+	) NONNULL(1,2,3) WUNRES;
 int log_content_submit(log_content_ctx_t *, logbuf_t *, int, int, int
 #ifndef WITHOUT_MIRROR
 	, int
--- a/src/pxyconn.c
+++ b/src/pxyconn.c
@ -674,11 +674,15 @@ pxy_prepare_logging(pxy_conn_ctx_t *ctx)
 #ifdef HAVE_LOCAL_PROCINFO
 							 ctx->lproc.exec_path,
 							 ctx->lproc.user,
-							 ctx->lproc.group
+							 ctx->lproc.group,
 #else /* HAVE_LOCAL_PROCINFO */
-							 NULL, NULL, NULL
+							 NULL, NULL, NULL,
 #endif /* HAVE_LOCAL_PROCINFO */
-							 ) == -1) {
+							 ctx->log_content, ctx->log_pcap
+#ifndef WITHOUT_MIRROR
+							 , ctx->log_mirror
+#endif /* !WITHOUT_MIRROR */
+		) == -1) {
 			if (errno == ENOMEM)
 				ctx->enomem = 1;
 			pxy_conn_term(ctx, 1);
--- a/src/sslproxy.1
+++ b/src/sslproxy.1
@ -288,23 +288,6 @@ SSLproxy: [127.0.0.1]:34649,[192.168.3.24]:47286,[192.168.111.130]:443,s,soner
 .LP
 The user authentication feature is currently available on OpenBSD and Linux 
 only.
-.SH 	User control lists
-DivertUsers and PassUsers options can be used to divert, pass through, or 
-block users.
-.LP
- - If neither DivertUsers nor PassUsers is defined, all users are diverted to 
-listening programs.
- - Connections from users in DivertUsers, if defined, are diverted to listening 
-programs.
- - Connections from users in PassUsers, if defined, are simply passed through 
-to their original destinations. SSLproxy engages the Passthrough mode for that 
-purpose.
- - If both DivertUsers and PassUsers are defined, users not listed in either of 
-the lists are blocked. SSLproxy simply terminates their connections.
- - If *no* DivertUsers list is defined, only users *not* listed in PassUsers 
-are diverted to listening programs.
-.LP
-These user control lists can be defined globally or per-proxyspec.
 .SH Filtering rules
 .LP
 SSLproxy can divert, split, pass, block, or match connections based on filtering 
@ -318,8 +301,8 @@ allowing content logging of packets
 - Pass action passes the connection through by engaging passthrough mode, 
 effectively disabling SSL inspection and content logging of packets
 - Block action terminates the connection
- - Match action is used to specify log actions for matching connections without 
-changing their filter actions
+ - Match action specifies log actions for the connection without changing its 
+filter action
 .LP
 The syntax of filtering rules is as follows:

@ -409,14 +392,12 @@ In terms of possible filter actions,
 - HTTP filter rules can take the block action, but not divert, split, or pass 
 actions.
 .LP
-Log actions do not configure any loggers. Global content loggers for 
-respective log actions should have been configured for those log actions to 
-have any effect.
+Log actions do not configure any loggers. Global loggers for respective log 
+actions should have been configured for those log actions to have any effect.
 .LP
-If no filter rules are defined for a proxyspec, all logging actions for that 
+If no filter rules are defined for a proxyspec, all log actions for that 
 proxyspec are enabled. Otherwise, all log actions are disabled, and filtering 
-rules should enable them specifically. Note that if logging is disabled by 
-filtering rules, the loggers create the log files, but they remain empty.
+rules should enable them specifically.
 .LP
 You can append an asterisk * to site field of filtering rules for substring 
 matching. Otherwise, the filter searches for an exact match with the site field 
@ -427,9 +408,9 @@ The order of from, to, and log parts is not important.
 If the UserAuth option is disabled, only client IP addresses can be used in 
 the from part of filtering rules.
 .SH 	Excluding sites from SSL inspection
-PassSite option is a special form of Pass filtering rule. All PassSite rules 
-can be written as Pass filter rules. The PassSite option will be deprecated in 
-favor of filter rules in the future.
+PassSite option is a special form of Pass filtering rule. PassSite rules can 
+be written as Pass filtering rules. The PassSite option will be deprecated in 
+favor of filtering rules in the future.
 .LP
 PassSite option allows certain SSL sites to be excluded from SSL inspection. 
 If a PassSite matches the SNI or common names in the SSL certificate of a 
@ -442,6 +423,27 @@ Per-site filters can be defined using client IP addresses, users, and
 description keywords. If the UserAuth option is disabled, only client IP 
 addresses can be used in PassSite filters. Multiple sites can be defined, one 
 on each line. PassSite rules can search for exact or substring matches.
+.SH 	User control lists
+User control lists can be implemented using filtering rules. The DivertUsers 
+and PassUsers options will be deprecated in favor of filtering rules in the 
+future.
+.LP
+DivertUsers and PassUsers options can be used to divert, pass through, or 
+block users.
+.LP
+ - If neither DivertUsers nor PassUsers is defined, all users are diverted to 
+listening programs.
+ - Connections from users in DivertUsers, if defined, are diverted to listening 
+programs.
+ - Connections from users in PassUsers, if defined, are simply passed through 
+to their original destinations. SSLproxy engages the Passthrough mode for that 
+purpose.
+ - If both DivertUsers and PassUsers are defined, users not listed in either of 
+the lists are blocked. SSLproxy simply terminates their connections.
+ - If *no* DivertUsers list is defined, only users *not* listed in PassUsers 
+are diverted to listening programs.
+.LP
+These user control lists can be defined globally or per-proxyspec.
 .SH Logging
 Logging options include traditional SSLproxy connect and content log files as
 well as PCAP files and mirroring decrypted traffic to a network interface.