Logging refactor (#78)

* Update +TARGETS Add new Target for syslog-ng template * Create caddy.conf Add template for syslog-ng. - Creates a unix datagram socket: /var/caddy/var/run/log - Parses and rewrites the <PRI> based on the level in Caddy logs - rewrites the program name to "caddy" - outputs the log file * Update Menu.xml Change Menu to new logging view * Update +POST_INSTALL.post Added syslog-ng restart so the configuration generated by the template will be loaded automatically. * Update +POST_DEINSTALL.post - Adjusted deinstall script for new template generated files. * Update Caddyfile Change logging to unixgram to connect caddy logs to syslog-ng in the OPNsense to leverage the standard logging features. * Delete usr/plugins/devel/caddy/src/opnsense/scripts/Pischem/Caddy/caddy_log.py Cleanup logging refactor * Delete usr/plugins/devel/caddy/src/opnsense/mvc/app/views/Pischem/Caddy/log.volt Cleanup logging refactor * Delete usr/plugins/devel/caddy/src/opnsense/mvc/app/controllers/Pischem/Caddy/LogController.php Cleanup logging refactor * Delete usr/plugins/devel/caddy/src/opnsense/mvc/app/controllers/Pischem/Caddy/Api/LogController.php Cleanup logging refactor * Update actions_caddy.conf Cleanup logging refactor Removed showlog action * Update dialogHandle.xml #73 * Update Caddy.xml Add: - Access Log - Log Credentials - Desec DNS Provider * Update general.xml - Add LogCredentials Field - Rename Reject Unmatched Connections to Abort Connections * Update ReverseProxyController.php * Update reverse_proxy.volt * Update dialogReverseProxy.xml - Add Access Log Field for HTTP request logging * Update Caddyfile - Credential Logging and HTTP Access Log added, which can be enabled per domain.
Monviech · Jan 11, 2024 · e81bb57 · e81bb57
1 parent 4c0cc60
commit e81bb57
Show file tree

Hide file tree

Showing 17 changed files with 129 additions and 352 deletions.
diff --git a/usr/plugins/devel/caddy/+POST_DEINSTALL.post b/usr/plugins/devel/caddy/+POST_DEINSTALL.post
@@ -1,16 +1,21 @@
 #!/bin/sh
 
-# Remove the Caddy service script
-if [ -f /usr/local/etc/rc.d/caddy ]; then
-    echo "Removing file: /usr/local/etc/rc.d/caddy"
-    rm -f /usr/local/etc/rc.d/caddy
-fi
+# This deinstall script removes all generated template files since they are unknown by pkg.
 
 # Remove the /etc/rc.conf.d/caddy file
 if [ -f /etc/rc.conf.d/caddy ]; then
     echo "Removing file: /etc/rc.conf.d/caddy"
     rm -f /etc/rc.conf.d/caddy
 fi
 
-echo "Caddy deinstallation completed."
+# Remove the /usr/local/etc/syslog-ng.conf.d/caddy.conf file
+if [ -f /usr/local/etc/syslog-ng.conf.d/caddy.conf ]; then
+    echo "Removing file: /usr/local/etc/syslog-ng.conf.d/caddy.conf"
+    rm -f /usr/local/etc/syslog-ng.conf.d/caddy.conf
+fi
 
+# Trigger a syslog-ng restart to remove the caddy unix socket cleanly
+echo "restart syslog-ng"
+configctl syslog restart
+
+echo "Caddy deinstallation completed."
diff --git a/usr/plugins/devel/caddy/+POST_INSTALL.post b/usr/plugins/devel/caddy/+POST_INSTALL.post
@@ -4,9 +4,15 @@
 TARGETS_FILE="/usr/local/opnsense/service/templates/Pischem/Caddy/+TARGETS"
 
 # Trigger a reload of the Caddy template to ensure all necessary files are generated
+echo "reload configuration templates"
 configctl template reload Pischem/Caddy
 
+# Trigger a syslog-ng restart since caddy generated a configuration file for it
+echo "restart syslog-ng"
+configctl syslog restart
+
 # Define the path to the setup script
+echo "executing setup script"
 SETUP_SCRIPT="/usr/local/opnsense/scripts/Pischem/Caddy/setup.sh"
 
 # Execute the setup script
@@ -15,4 +21,3 @@ if [ -f "$SETUP_SCRIPT" ]; then
 else
     echo "Setup script not found: $SETUP_SCRIPT"
 fi
-
diff --git a/usr/plugins/devel/caddy/src/opnsense/mvc/app/controllers/Pischem/Caddy/Api/LogController.php b/usr/plugins/devel/caddy/src/opnsense/mvc/app/controllers/Pischem/Caddy/Api/LogController.php
diff --git a/...devel/caddy/src/opnsense/mvc/app/controllers/Pischem/Caddy/Api/ReverseProxyController.php b/...devel/caddy/src/opnsense/mvc/app/controllers/Pischem/Caddy/Api/ReverseProxyController.php
@@ -43,7 +43,7 @@ class ReverseProxyController extends ApiMutableModelControllerBase
 
     public function searchReverseProxyAction()
     {
-        return $this->searchBase("reverseproxy.reverse", ['enabled', 'FromDomain', 'FromPort', 'accesslist', 'DnsChallenge', 'CustomCertificate', 'Description']);
+        return $this->searchBase("reverseproxy.reverse", ['enabled', 'FromDomain', 'FromPort', 'accesslist', 'DnsChallenge', 'CustomCertificate', 'AccessLog', 'Description']);
     }
 
     public function setReverseProxyAction($uuid)

diff --git a/usr/plugins/devel/caddy/src/opnsense/mvc/app/controllers/Pischem/Caddy/LogController.php b/usr/plugins/devel/caddy/src/opnsense/mvc/app/controllers/Pischem/Caddy/LogController.php
diff --git a/...plugins/devel/caddy/src/opnsense/mvc/app/controllers/Pischem/Caddy/forms/dialogHandle.xml b/...plugins/devel/caddy/src/opnsense/mvc/app/controllers/Pischem/Caddy/forms/dialogHandle.xml
@@ -51,7 +51,7 @@
         <id>handle.HttpTls</id>
         <label>TLS</label>
         <type>checkbox</type>
-        <help>Use TLS over HTTP (HTTPS) to communicate with the Backend Server. In most cases, leaving this unchecked will be the best choice. Caddy uses HTTP for communication with the Backend Server by default.</help>
+        <help>Use HTTP over TLS (HTTPS) to communicate with the Backend Server. In most cases, leaving this unchecked will be the best choice. Caddy uses HTTP for communication with the Backend Server by default.</help>
         <advanced>true</advanced>
     </field>
     <field>
@@ -65,14 +65,14 @@
         <id>handle.HttpTlsServerName</id>
         <label>TLS Server Name</label>
         <type>text</type>
-        <help><![CDATA[Optionally, specify a hostname or IP address that matches the Common Name (CN) of the Trusted CA Certificate. Useful if a certificate has been chosen and the CN doesn't match with the "Backend Server Domain".]]></help>
+        <help><![CDATA[Optionally, specify a hostname or IP address that matches the SAN of the "TLS Trusted CA Certificate". Please note that only SAN certificates are supported, CN will not work.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
         <id>handle.HttpNtlm</id>
         <label>NTLM</label>
         <type>checkbox</type>
-        <help>When "TLS" has been checked, check "NTLM" in addition for reverse proxying an Exchange Server. In most other cases, leaving this unchecked will be the best choice.</help>
+        <help>If "TLS" has been checked, check "NTLM" in addition for reverse proxying an Exchange Server. In most other cases, leaving this unchecked will be the best choice.</help>
         <advanced>true</advanced>
     </field>
     <field>

diff --git a/...s/devel/caddy/src/opnsense/mvc/app/controllers/Pischem/Caddy/forms/dialogReverseProxy.xml b/...s/devel/caddy/src/opnsense/mvc/app/controllers/Pischem/Caddy/forms/dialogReverseProxy.xml
@@ -41,6 +41,13 @@
         <help>Choose your own certificate from System Trust Certificates. Make sure you have imported the full chain. In most cases, leaving this on "None" will be the best choice.</help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>reverse.AccessLog</id>
+        <label>HTTP Access Log</label>
+        <type>checkbox</type>
+        <help>Enable the HTTP request logging for this domain and its subdomains. This option is mostly for troubleshooting since it will log every single request.</help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>reverse.Description</id>
         <label>Description</label>

diff --git a/usr/plugins/devel/caddy/src/opnsense/mvc/app/controllers/Pischem/Caddy/forms/general.xml b/usr/plugins/devel/caddy/src/opnsense/mvc/app/controllers/Pischem/Caddy/forms/general.xml
@@ -41,8 +41,16 @@
     </field>
     <field>
         <id>caddy.general.abort</id>
-        <label>Reject Unmatched Connections</label>
+        <label>Abort Connections</label>
         <type>checkbox</type>
         <help>Abort all connections that don't have a matching handle or access list. This option doesn't conflict with Let's Encrypt. Disable it for troubleshooting purposes, e.g. testing if the Reverse Proxy Domain works and the Certificate has been installed. For production use, enabling this option is recommended.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>caddy.general.LogCredentials</id>
+        <label>Log Credentials</label>
+        <type>checkbox</type>
+        <help>Log all Cookies and Authorization in HTTP request logging. Use combined with HTTP Access Log in the Reverse Proxy Domain. Enable this option only for troubleshooting.</help>
+        <advanced>true</advanced>
     </field>
 </form>
diff --git a/usr/plugins/devel/caddy/src/opnsense/mvc/app/models/Pischem/Caddy/Caddy.xml b/usr/plugins/devel/caddy/src/opnsense/mvc/app/models/Pischem/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>A GUI model for configuring a basic reverse proxy in Caddy Web Server.</description>
-    <version>1.1.0</version>
+    <version>1.1.1</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -33,6 +33,7 @@
                     <gandi>Gandi</gandi>
                     <vultr>Vultr</vultr>
                     <ionos>IONOS</ionos>
+                    <desec>Desec</desec>
                 </OptionValues>
             </TlsDnsProvider>
             <TlsDnsApiKey type="TextField">
@@ -50,6 +51,9 @@
             <abort type="BooleanField">
                 <Default>0</Default>
             </abort>
+            <LogCredentials type="BooleanField">
+                <Default>0</Default>
+            </LogCredentials>
         </general>
         <reverseproxy>
             <reverse type="ArrayField">
@@ -89,6 +93,9 @@
                 </DnsChallenge>
                 <CustomCertificate type="CertificateField">
                 </CustomCertificate>
+                <AccessLog type="BooleanField">
+                    <Default>0</Default>
+                </AccessLog>
             </reverse>
             <subdomain type="ArrayField">
                 <enabled type="BooleanField">

diff --git a/usr/plugins/devel/caddy/src/opnsense/mvc/app/models/Pischem/Caddy/Menu/Menu.xml b/usr/plugins/devel/caddy/src/opnsense/mvc/app/models/Pischem/Caddy/Menu/Menu.xml
@@ -3,7 +3,7 @@
         <Caddy VisibleName="Caddy Web Server" cssClass="fa fa-globe fa-fw">
             <General VisibleName="General Settings" order="10" url="/ui/caddy/general"/>
             <ReverseProxy VisibleName="Reverse Proxy" order="20" url="/ui/caddy/reverse_proxy"/>
-            <Log VisibleName="Log File" order="30" url="/ui/caddy/log"/>
+            <Log VisibleName="Log File" order="30" url="/ui/diagnostics/log/core/caddy"/>
         </Caddy>
     </Services>
 </menu>
diff --git a/usr/plugins/devel/caddy/src/opnsense/mvc/app/views/Pischem/Caddy/log.volt b/usr/plugins/devel/caddy/src/opnsense/mvc/app/views/Pischem/Caddy/log.volt
diff --git a/usr/plugins/devel/caddy/src/opnsense/mvc/app/views/Pischem/Caddy/reverse_proxy.volt b/usr/plugins/devel/caddy/src/opnsense/mvc/app/views/Pischem/Caddy/reverse_proxy.volt
@@ -101,6 +101,7 @@
                             <th data-column-id="FromPort" data-type="string">Port</th>
                             <th data-column-id="accesslist" data-type="string" data-visible="false">Access List</th>
                             <th data-column-id="DnsChallenge" data-type="boolean" data-formatter="boolean" data-visible="false">DNS-01</th>
+                            <th data-column-id="AccessLog" data-type="boolean" data-formatter="boolean" data-visible="false">HTTP Access Log</th>
                             <th data-column-id="CustomCertificate" data-type="string" data-visible="false">Custom Certificate</th>
                             <th data-column-id="Description" data-type="string">Description</th>
                             <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>