I am trying to add some additional logging information when accessing phpMyAdmin through Nginx but I am having some issues trying to figure out a way to pass the information to Nginx without making it publicly viewable. The main thing is that I am trying to include the username/status that is "logged" inside of the libraries/logging.lib.php file during the PMA_logUser function. If you are not sure what this function is then I will include it here.
function PMA_logUser($user, $status = 'ok')
{
if (function_exists('apache_note')) {
apache_note('userID', $user);
apache_note('userStatus', $status);
}
}
This allows you to take the userID and userStatus and pass information between modules. Mostly people use this to add addition information for logging so that can check to see if someone is bruteforcing the password or something similar. I have tried to do some searching and can't find a good alternative for Nginx. I made some changes and did the following to add the information to the headers.
function PMA_logUser($user, $status = 'ok')
{
if (function_exists('apache_note')) {
apache_note('userID', $user);
apache_note('userStatus', $status);
} else {
header("userID: $user");
header("userStatus: $status");
}
}
This does allow me to add $sent_http_userID and $sent_http_userStatus to a custom log_format to include it in my logs. But this will make it publicly visible. I tried compiling Nginx with the Headers More module and adding the following to the end of my server configuration
more_clear_headers 'userID';
more_clear_headers 'userStatus';
This will prevent it from being sent to the person trying to login, but with these changes it will prevent me from logging the information that I am looking for. Is there any suggestions?
There is no designed in way of achieving this. However if you simply want to log something like the current user then one option is to use the auth_request module.
Make sure to understand it as it would double the number of requests to PHP and may cause issues.
The auth_request module is designed to allow incoming requests to be authenticated against a remote system before continuing with normal handling. This module happens to allow values from the authentication request to be used within nginx and not be visible to the client.
Supposing you had a fast PHP script which returned the values you wanted Nginx to log such as the current signed in user. This script could be at /var/www/auth/state.php and returns the loggable value via header 'CurrentUser' along with a http 200 response.
The rest of the existing application could be in /var/www/html/. This example assumes you use php-fpm but it will work on other nginx proxy modules.
server {
.. server name, listen, etc
root /var/www/html;
# get state for any php requests
location ~ \.php$ {
# Send all php requests here first
# any response other than http 200 will block the request
auth_request /getstate;
auth_request_set $currentuser $upstream_http_currentuser;
# after the auth_request returns http 200, the request will then go here
# replace this with your own upstream configuration
fastcgi_pass localhost:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# auth_requests go this route
location /getstate {
internal;
fastcgi_pass localhost:9000;
# state.php must return http 200 response and ideally should be very fast
# state.php also needs to return values for logging as headers e.g. 'CurrentUser'
fastcgi_param SCRIPT_NAME /state.php;
fastcgi_param DOCUMENT_ROOT /var/www/auth
fastcgi_param SCRIPT_FILENAME /var/www/auth/state.php;
# don't send the request body unless it's needed by state.php
fastcgi_pass_request_body off;
}
}
When it all works, it will be possible to log the data from state.php by converting the response headers to variables using auth_request_set. These variables can then be appended to access logs using the log_format directive:
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" $currentuser';
The rest of the application continues to exist in it's current form as is not affected by the additional state.php lookup.
You will need to build nginx with the --with-http_auth_request_module option to use the auth_request module.
If you need a more specific example, please include what nginx config you have so far in the question.