e3ea1fb486
docs: update README and architecture for RPM-only packaging
...
- Remove DEB and el7 references (RPM only: el8, el9, el10)
- Remove Python integration tests from documentation (not automated in CI)
- Add file inventory in architecture.yml (source, packaging, tests)
- Update CI verify jobs to check RPM metadata with rpm -qi
- Organize RPM packages by distribution in dist/rpm/{el8,el9,el10}/
- Add security and RPM packaging features to README
- Split Requirements into Runtime and Packaging sections
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-03-01 00:29:51 +01:00
8b381c7feb
build: migrate RPM packaging from fpm to rpmbuild with .spec file
...
- Replace fpm with rpmbuild for standard RPM packaging
- Add mod_reqin_log.spec file with Version, %install, %files, %changelog
- Use Rocky Linux 9 as package-builder base image
- Extract version automatically from .spec file
- Remove CHANGELOG file (changelog now in .spec)
- Build RPMs for el8, el9, el10 distributions
Verified RPM metadata:
Name: mod_reqin_log
Version: 1.0.2
Release: 1.el8/el9/el10
License: Apache-2.0
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-03-01 00:12:22 +01:00
3418cbcbbb
Add --no-cache to docker build command
...
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-02-28 23:09:59 +01:00
c2e1221e5a
release: version 1.0.2 - Audit security fixes and RPM packaging
...
Security hardening:
- Add input sanitization for method (32), path (2048), host (256), http_version (16)
- Prevent log injection via oversized HTTP values
- Add LOG_THROTTLED macro for consistent error reporting
- Improve socket state double-check pattern to avoid unnecessary reconnects
Code quality:
- Fix const qualifier warnings in get_header()
- Add flags field to module definition
- Add -Wno-error=format-security for compatibility
Documentation:
- Clarify timestamp precision (microseconds expressed as nanoseconds)
- Update README and architecture.yml
Testing:
- Add 4 unit tests for input sanitization
- All 78 tests passing
Packaging:
- Remove DEB package support (RPM only: el8, el9, el10)
- Add CHANGELOG file included in RPM packages
- Bump version to 1.0.2
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-02-28 21:45:06 +01:00
d0ca0a7e4c
fix: correction bugs + tests + migration el7 vers el10
...
Correctifs de bugs critiques:
- Overflow entier dans le calcul du timestamp (nanoseconds)
- Validation des composantes temporelles dans format_iso8601
- Race condition mutex: échec dur pour MPM threadés (worker/event)
- Rejet des espaces en tête dans parse_int_strict
Nouveaux tests unitaires (38 ajoutés):
- Overflow timestamp, limites ISO8601, format fixe 20 chars
- Limite de taille JSON 64KB
- Détection headers sensibles (blacklist)
- Validation parse_int_strict
- dynbuf NULL handling et strlen mode
Migration packaging:
- Suppression CentOS 7 (EOL)
- Ajout AlmaLinux 10 (el10)
- RPMs supportés: el8, el9, el10
Mise à jour CI/CD et documentation:
- .gitlab-ci.yml: jobs verify pour el8/el9/el10
- architecture.yml: OS supportés à jour
- 70/70 tests pass
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-02-28 21:02:05 +01:00
59856a7ed7
fix: forcer la compilation en C11 dans le Makefile
...
Co-authored-by: aider (openrouter/openai/gpt-5.3-codex) <aider@aider.chat >
2026-02-28 20:42:29 +01:00
175a0cccda
fix: Sécuriser l’écriture socket et initialiser APR dans les tests
...
Co-authored-by: aider (openrouter/openai/gpt-5.3-codex) <aider@aider.chat >
2026-02-28 20:38:58 +01:00
ce1692bfba
fix: corriger la déclaration de reqin_log_module pour Apache
...
Co-authored-by: aider (openrouter/openai/gpt-5.3-codex) <aider@aider.chat >
2026-02-28 20:35:18 +01:00
77541f7500
fix: corriger la déclaration de reqin_log_module
...
Co-authored-by: aider (openrouter/openai/gpt-5.3-codex) <aider@aider.chat >
2026-02-28 20:33:42 +01:00
46291898e1
fix: renforcer la robustesse du module et étendre les tests/CI
...
Co-authored-by: aider (openrouter/openai/gpt-5.3-codex) <aider@aider.chat >
2026-02-28 20:28:40 +01:00
a935ed1641
ci: migrate to GitLab CI with multi-distribution RPM builds
...
- Replace GitHub Actions with GitLab CI using Docker-in-Docker
- Build 3 RPMs (el7, el8, el9) + 1 DEB from Dockerfile.package
- Add verify jobs for each target distribution
- Remove obsolete files:
- Dockerfile, Dockerfile.test-socket (replaced by Dockerfile.package)
- scripts/socket_consumer.py, scripts/socket_listener.py
- scripts/test_unix_socket.sh, scripts/run_integration_tests.sh
- Update README.md with new package targets
- Update architecture.yml for GitLab CI workflow
Breaks: Single RPM no longer supported (glibc incompatibility)
Replaced by: Distribution-specific RPMs (el7, el8, el9)
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-02-28 16:06:57 +01:00
2fc3f92cf8
docs: update README with new Docker-based packaging
...
- Update installation section to use Docker-based packaging
- Replace rpmbuild and debhelper commands with make package-* targets
- Document new unified packaging workflow with fpm
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-02-27 16:17:46 +01:00
d098211752
refactor: remove obsolete packaging files
...
- Remove debhelper files (compat, control, install, rules)
- Remove rpm spec file (mod_reqin_log.spec)
- All packaging now handled by fpm in Dockerfile.package
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-02-27 16:06:34 +01:00
395635ab36
docs: update architecture.yml with unified packaging section
...
- Update CI package stage to use Dockerfile.package with fpm
- Replace rpmbuild and debhelper with unified fpm approach
- Document multi-stage build pipeline (builder, package_builder, output)
- Add file mappings, dependencies, and verification commands
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-02-27 15:41:29 +01:00
802ce75a80
Unify packaging: use Docker + fpm for DEB and RPM builds
...
- Add Dockerfile.package with multi-stage build (builder, package-builder, output)
- Update Makefile to add package, package-deb, package-rpm, and test-package targets
- Replace debhelper and rpmbuild with fpm for consistent packaging
- Both DEB and RPM packages now built from single Dockerfile
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-02-27 15:31:55 +01:00
b5d093f8cb
Docs: update security documentation and hardening notes
...
architecture.yml:
- Update header_handling: document built-in sensitive headers blacklist
- Expand security section with hardening measures
- Add socket permissions, path recommendations, environment variable
README.md:
- Add new 'Built-in Sensitive Headers Blacklist' section
- Document all blocked headers (Authorization, Cookie, X-Api-Key, etc.)
- Update socket security: permissions 0o660, /var/run path, group membership
- Add hardening features: path validation, JSON size limit, NULL checks, mutex
- Fix JSON example (remove extra closing brace)
- Update socket consumer example with secure permissions (0o660)
- Add MOD_REQIN_LOG_SOCKET environment variable to example
- Update Fields table: header_<Name> flat structure description
- Add note about automatic sensitive header exclusion
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-02-26 23:41:51 +01:00
e44059865b
Security: fix critical vulnerabilities and harden module
...
Security fixes:
#1 Buffer overflow: Validate socket path length against sun_path limit
- Add MAX_SOCKET_PATH_LEN constant
- Reject paths >= 108 bytes before snprintf
#2,#3 NULL pointer dereference: Add NULL checks
- r->connection->local_ip: use conditional append
- r->protocol: fallback to "UNKNOWN" if NULL
#4 Sensitive headers blacklist: Prevent credential leakage
- Add DEFAULT_SENSITIVE_HEADERS[] blacklist
- Block: Authorization, Cookie, Set-Cookie, X-Api-Key, etc.
- Log skipped headers at DEBUG level only
#5 Memory exhaustion DoS: Add MAX_JSON_SIZE limit (64KB)
- Check buffer size before adding headers
- Truncate header list if limit reached
#6 Socket permissions: Change 0o666 → 0o660
- Owner and group only (not world-writable)
- Apache user must be in socket's group
#7 Race condition: Add mutex for FD access in worker/event MPMs
- apr_thread_mutex_t protects socket_fd
- FD_MUTEX_LOCK/UNLOCK macros
- Created in reqin_log_create_server_conf()
#8 Timestamp overflow: Document 2262 limitation
- Add comment explaining apr_time_t limits
- Safe until ~2262 (uint64 nanoseconds)
#9 Error logging verbosity: Reduce information disclosure
- APLOG_ERR: Generic messages only
- APLOG_DEBUG: Detailed error information
#10 Socket path security: Move from /tmp to /var/run
- Update socket_consumer.py, test scripts
- Use environment variable MOD_REQIN_LOG_SOCKET
- More secure default location
Files modified:
- src/mod_reqin_log.c: All security fixes
- scripts/socket_consumer.py: Permissions, path
- scripts/run_integration_tests.sh: Path security
- scripts/test_unix_socket.sh: Path security
- tests/integration/test_integration.py: Path security
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-02-26 23:37:30 +01:00
070c2a7bd2
Refactor: thread-safe per-process state and add tests
...
Major changes:
- Move child state from global variable to server config (reqin_log_server_conf_t)
- Add reqin_log_create_server_conf() for proper per-server initialization
- Fix thread safety for worker/event MPMs
- Add cmocka unit tests (test_module_real.c)
- Add Python integration tests (test_integration.py)
- Update CI workflow and Dockerfiles for test execution
- Fix: Remove child_exit hook (not in architecture.yml)
Tests:
- Unit tests: JSON escaping, ISO8601 formatting, header truncation
- Integration tests: basic_logging, header_limits, socket_unavailable, socket_loss
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-02-26 23:28:45 +01:00
7cfd14fb65
Fix: add missing child_exit hook per architecture.yml
...
- Add reqin_log_child_exit() to close Unix socket on child exit
- Register hook with ap_hook_child_exit()
- Ensures clean socket cleanup as specified in architecture.yml
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-02-26 14:04:47 +01:00
66549acf5c
Initial commit: mod_reqin_log Apache module
...
Features:
- JSON logging of HTTP requests to Unix domain socket
- Configurable HTTP headers logging (flat JSON structure)
- Header value truncation and count limits
- Automatic reconnect on socket disconnection
- Error reporting with throttling
Configuration directives:
- JsonSockLogEnabled: Enable/disable logging
- JsonSockLogSocket: Unix socket path
- JsonSockLogHeaders: List of headers to log
- JsonSockLogMaxHeaders: Maximum headers to log
- JsonSockLogMaxHeaderValueLen: Max header value length
- JsonSockLogReconnectInterval: Reconnect delay
- JsonSockLogErrorReportInterval: Error log throttle
Includes:
- Module source code (src/)
- Unit and integration tests (tests/, scripts/)
- Documentation (README.md, architecture.yml)
- Build configuration (CMakeLists.txt, Makefile)
- Packaging (deb/rpm)
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com >
2026-02-26 13:55:07 +01:00
