diff --git a/app/vmauth/auth_config.go b/app/vmauth/auth_config.go
index 41d21b866..e8c72051a 100644
--- a/app/vmauth/auth_config.go
+++ b/app/vmauth/auth_config.go
@@ -67,6 +67,7 @@ type UserInfo struct {
 URLPrefix *URLPrefix `yaml:"url_prefix,omitempty"`
 DiscoverBackendIPs *bool `yaml:"discover_backend_ips,omitempty"`
 URLMaps []URLMap `yaml:"url_map,omitempty"`
+ DumpRequestOnErrors bool `yaml:"dump_request_on_errors,omitempty"`
 HeadersConf HeadersConf `yaml:",inline"`
 MaxConcurrentRequests int `yaml:"max_concurrent_requests,omitempty"`
 DefaultURL *URLPrefix `yaml:"default_url,omitempty"`
diff --git a/app/vmauth/main.go b/app/vmauth/main.go
index 466147bf2..7f18d7798 100644
--- a/app/vmauth/main.go
+++ b/app/vmauth/main.go
@@ -192,7 +192,11 @@ func processRequest(w http.ResponseWriter, r *http.Request, ui *UserInfo) {
 return
 }
 missingRouteRequests.Inc()
- httpserver.Errorf(w, r, "missing route for %s", u.String())
+ var di string
+ if ui.DumpRequestOnErrors {
+ di = debugInfo(u, r.Header)
+ }
+ httpserver.Errorf(w, r, "missing route for %q%s", u.String(), di)
 return
 }
 up, hc = ui.DefaultURL, ui.HeadersConf
@@ -644,3 +648,14 @@ func (rtb *readTrackingBody) Close() error {
 return nil
 }
+
+func debugInfo(u *url.URL, h http.Header) string {
+ s := &strings.Builder{}
+ fmt.Fprintf(s, " (host: %q; ", u.Host)
+ fmt.Fprintf(s, "path: %q; ", u.Path)
+ fmt.Fprintf(s, "args: %q; ", u.Query().Encode())
+ fmt.Fprint(s, "headers:")
+ _ = h.WriteSubset(s, nil)
+ fmt.Fprint(s, ")")
+ return s.String()
+}
diff --git a/app/vmauth/main_test.go b/app/vmauth/main_test.go
index 6414ef803..68f24bbe4 100644
--- a/app/vmauth/main_test.go
+++ b/app/vmauth/main_test.go
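Review bot: The new `DumpRequestOnErrors` field carries no comment, and its name promises more than the visible code delivers: in the main.go hunk of this commit it is read only in the missing-route branch of `processRequest`. I would add a field comment such as `// DumpRequestOnErrors appends the request host, path, query args and headers to the "missing route" error; the dump can contain credentials, so enable it only while debugging.` The `UserInfo` struct starts and ends outside the hunk, so whether its other fields are documented cannot be seen from here.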
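Review bot: In the missing-route branch of `processRequest`, `di` is appended to the message passed to `httpserver.Errorf(w, r, ...)`, and the expected response in main_test.go shows that this text is returned to the client in the 400 body rather than only logged. That reflects back to the caller any headers a proxy in front of vmauth may have added (the test output includes `X-Forwarded-For`). Consider keeping the response as `httpserver.Errorf(w, r, "missing route for %q", u.String())` and writing the dump to the server-side log only. `processRequest` begins and continues outside the hunk.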
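Review bot: `h.WriteSubset(s, nil)` in `debugInfo` writes every request header, so `Authorization`, `Cookie` and similar credential headers end up in the error text whenever `dump_request_on_errors` is set for a user. The second argument of `WriteSubset` is an exclude map, so they can be dropped with `_ = h.WriteSubset(s, map[string]bool{"Authorization": true, "Proxy-Authorization": true, "Cookie": true})`. `u.Query().Encode()` has the same exposure for secrets carried in query args, which the caveat in docs/vmauth.md should name explicitly. The function also lacks a comment; `// debugInfo returns the host, path, query args and headers of the request, formatted for appending to an error message.` would do.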
@@ -346,7 +346,27 @@ unauthorized_user:
 }
 responseExpected = `
 statusCode=400
-remoteAddr: "42.2.3.84:6789, X-Forwarded-For: 12.34.56.78"; requestURI: /abc?de=fg; missing route for http://some-host.com/abc?de=fg`
+remoteAddr: "42.2.3.84:6789, X-Forwarded-For: 12.34.56.78"; requestURI: /abc?de=fg; missing route for "http://some-host.com/abc?de=fg"`
+ f(cfgStr, requestURL, backendHandler, responseExpected)
+
+ // missing default_url and default url_prefix for unauthorized user with dump_request_on_errors enabled
+ cfgStr = `
+unauthorized_user:
+ dump_request_on_errors: true
+ url_map:
+ - src_paths: ["/foo/.+"]
+ url_prefix: {BACKEND}/x-foo/`
+ requestURL = "http://some-host.com/abc?de=fg"
+ backendHandler = func(_ http.ResponseWriter, _ *http.Request) {
+ panic(fmt.Errorf("backend handler shouldn't be called"))
+ }
+ responseExpected = `
+statusCode=400
+remoteAddr: "42.2.3.84:6789, X-Forwarded-For: 12.34.56.78"; requestURI: /abc?de=fg; missing route for "http://some-host.com/abc?de=fg" (host: "some-host.com"; path: "/abc"; args: "de=fg"; headers:Connection: Some-Header,Other-Header
+Pass-Header: abc
+Some-Header: foobar
+X-Forwarded-For: 12.34.56.78
+)`
 f(cfgStr, requestURL, backendHandler, responseExpected)
 // missing default_url and default url_prefix for unauthorized user when there are configs for authorized users
diff --git a/docs/changelog/CHANGELOG.md b/docs/changelog/CHANGELOG.md
index 830de5a39..ca354ceeb 100644
--- a/docs/changelog/CHANGELOG.md
+++ b/docs/changelog/CHANGELOG.md
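Review bot: The new case pins the dump only for `unauthorized_user`, where the dumped headers contain no credentials, so nothing in the test shows what is emitted for a `users` entry whose request carries an `Authorization` header. Adding a case with `dump_request_on_errors: true` under a `users` entry and asserting on how that header appears in the response would document the exposure, or the redaction if one is added. The expected string also shows that the error becomes a multi-line message with one header per line; a short comment next to `responseExpected` saying so would help whoever parses these logs. The enclosing test function starts and ends outside the hunk.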
@@ -23,6 +23,7 @@ See also [LTS releases](https://docs.victoriametrics.com/lts-releases/).
 * FEATURE: [vmalert](https://docs.victoriametrics.com/vmalert): revert the default value of `-remoteWrite.maxQueueSize` from `1_000_000` to `100_000`. It was bumped in [v1.104.0](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.104.0), which increases memory usage and is not needed for most setups. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/7471).
 * FEATURE: [vmui](https://docs.victoriametrics.com/#vmui): add `Raw Query` tab for displaying raw data. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/7024).
 * FEATURE: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): add `ignore_first_sample_interval` param to [aggregation config](https://docs.victoriametrics.com/stream-aggregation/#stream-aggregation-config). It allows users to control the time interval when aggregation skips sending aggregated samples to avoid unexpected spikes in values. By default, this interval is set to x2 of `staleness_interval`. The new setting is applicable only to `total`, `total_prometheus`, `increase`, `increase_prometheus` and `histogram_bucket` outputs. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/7116) for details. Thanks to @iyuroch for the [pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/7313).
+* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): add `dump_request_on_errors` bool setting to [auth config](https://docs.victoriametrics.com/vmauth/#auth-config) for debugging HTTP requests that missed routing rules. This should improve debugability of vmauth settings.
* BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent): Properly return `200 OK` HTTP status code when importing data via [Pushgateway protocol](https://docs.victoriametrics.com/#how-to-import-data-in-prometheus-exposition-format) using [multitenant URL format](https://docs.victoriametrics.com/cluster-victoriametrics/#url-format). See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/3636) and [this pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/7571).
 * BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent): Properly set `TCP` connection timeout for `Kubernetes API server` connection for metric scrapping with `kubernetes_sd_configs`. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/7127).
diff --git a/docs/vmauth.md b/docs/vmauth.md
index 84505c9fb..33680c266 100644
--- a/docs/vmauth.md
+++ b/docs/vmauth.md
@@ -380,6 +380,8 @@ See also [security docs](#security), [routing docs](#routing) and [load balancin
 - [Multiple parts](#routing-by-multiple-parts)
 See also [authorization](#authorization) and [load balancing](#load-balancing).
+For debug purposes, extra logging for failed requests can be enabled by setting `dump_request_on_errors: true` {{% available_from "#" %}}
+on user level. Please note, such logging may expose sensitive info and is recommended to use only for debugging.
 ### Routing by path
@@ -953,6 +955,8 @@ users:
 #
 # Regular expressions are allowed in `src_paths` and `src_hosts` entries.
 - username: "foobar"
+ # log requests that failed url_map rules, for debugging purposes
+ dump_request_on_errors: true
 url_map:
 - src_paths:
 - "/api/v1/query"