Users: Log unauthorized requests

This patch adds a new configuration option to the web.config.file which
makes it possible to enable logging of unauthorized requests.

If "log_unauthorized" at config file's top level is set to true,
any unauthorized request will have the ip as well as the X-Forwarded-For
header logged. This way, a program that might parse the logs can determent
for itself if the X-Forwarded-For header can be trusted.

Signed-off-by: networkException <git@nwex.de>

web/tls_config.go

@@ -34,9 +34,10 @@ var (
 )
 
 type Config struct {
-	TLSConfig  TLSStruct                     `yaml:"tls_server_config"`
-	HTTPConfig HTTPStruct                    `yaml:"http_server_config"`
-	Users      map[string]config_util.Secret `yaml:"basic_auth_users"`
+	TLSConfig       TLSStruct                     `yaml:"tls_server_config"`
+	HTTPConfig      HTTPStruct                    `yaml:"http_server_config"`
+	Users           map[string]config_util.Secret `yaml:"basic_auth_users"`
+	LogUnauthorized bool                          `yaml:"log_unauthorized"`
 }
 
 type TLSStruct struct {
@@ -73,7 +74,8 @@ func getConfig(configPath string) (*Config, error) {
 			MaxVersion:               tls.VersionTLS13,
 			PreferServerCipherSuites: true,
 		},
-		HTTPConfig: HTTPStruct{HTTP2: true},
+		HTTPConfig:      HTTPStruct{HTTP2: true},
+		LogUnauthorized: false,
 	}
 	err = yaml.UnmarshalStrict(content, c)
 	c.TLSConfig.SetDirectory(filepath.Dir(configPath))

web/users.go

@@ -21,6 +21,7 @@ import (
 	"sync"
 
 	"github.com/go-kit/log"
+	"github.com/go-kit/log/level"
 	"golang.org/x/crypto/bcrypt"
 )
 
@@ -93,6 +94,10 @@ func (u *userAuthRoundtrip) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	if c.LogUnauthorized {
+		level.Info(u.logger).Log("msg", "Unauthorized", "ip", r.RemoteAddr, "forwarded", r.Header.Get("X-Forwarded-For"))
+	}
+
 	w.Header().Set("WWW-Authenticate", "Basic")
 	http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 }