feat: access log config (#1695)

yottahmd · web-flow · commit 950449af4146 · 2026-02-22T15:10:20.000+09:00
diff --git a/internal/cmn/config/config.go b/internal/cmn/config/config.go
@@ -120,6 +120,7 @@ type Server struct {
 	BasePath          string // URL path for reverse proxy subpath hosting
 	APIBasePath       string
 	Headless          bool
+	AccessLog         AccessLogMode // "all" (default), "non-public", or "none"
 	LatestStatusToday bool
 	TLS               *TLSConfig
 	Auth              Auth
@@ -165,6 +166,15 @@ const (
 	AuthModeBuiltin AuthMode = "builtin"
 )
 
+// AccessLogMode represents the HTTP access log mode.
+type AccessLogMode string
+
+const (
+	AccessLogAll       AccessLogMode = "all"
+	AccessLogNonPublic AccessLogMode = "non-public"
+	AccessLogNone      AccessLogMode = "none"
+)
+
 // MetricsAccess represents the access mode for the metrics endpoint.
 type MetricsAccess string
 
diff --git a/internal/cmn/config/definition.go b/internal/cmn/config/definition.go
@@ -13,10 +13,11 @@ type Definition struct {
 	TLS         *TLSDef `mapstructure:"tls"`
 
 	// Core settings
-	Debug        bool   `mapstructure:"debug"`
-	DefaultShell string `mapstructure:"default_shell"`
-	LogFormat    string `mapstructure:"log_format"` // "json" or "text"
-	TZ           string `mapstructure:"tz"`
+	Debug        bool    `mapstructure:"debug"`
+	DefaultShell string  `mapstructure:"default_shell"`
+	LogFormat    string  `mapstructure:"log_format"`      // "json" or "text"
+	AccessLog    *string `mapstructure:"access_log_mode"` // "all" (default), "non-public", or "none"
+	TZ           string  `mapstructure:"tz"`
 
 	// Authentication
 	Auth *AuthDef `mapstructure:"auth"`
diff --git a/internal/cmn/config/loader.go b/internal/cmn/config/loader.go
@@ -389,6 +389,16 @@ func (l *ConfigLoader) loadServerFlags(cfg *Config, def Definition) {
 	if def.Headless != nil {
 		cfg.Server.Headless = *def.Headless
 	}
+	cfg.Server.AccessLog = AccessLogAll
+	if def.AccessLog != nil {
+		switch AccessLogMode(*def.AccessLog) {
+		case AccessLogAll, AccessLogNonPublic, AccessLogNone:
+			cfg.Server.AccessLog = AccessLogMode(*def.AccessLog)
+		default:
+			l.warnings = append(l.warnings, fmt.Sprintf(
+				"Invalid access_log_mode value: %q, defaulting to 'all'", *def.AccessLog))
+		}
+	}
 	if def.LatestStatusToday != nil {
 		cfg.Server.LatestStatusToday = *def.LatestStatusToday
 	}
@@ -1114,6 +1124,7 @@ func (l *ConfigLoader) setViperDefaultValues(paths Paths) {
 	l.v.SetDefault("metrics", "private")
 	l.v.SetDefault("cache", "normal")
 	l.v.SetDefault("log_format", "text")
+	l.v.SetDefault("access_log_mode", "all")
 
 	// Coordinator
 	l.v.SetDefault("coordinator.host", "127.0.0.1")
@@ -1167,6 +1178,7 @@ type envBinding struct {
 var envBindings = []envBinding{
 	// Server
 	{key: "log_format", env: "LOG_FORMAT"},
+	{key: "access_log_mode", env: "ACCESS_LOG_MODE"},
 	{key: "base_path", env: "BASE_PATH"},
 	{key: "api_base_url", env: "API_BASE_URL"},
 	{key: "tz", env: "TZ"},
diff --git a/internal/cmn/config/loader_test.go b/internal/cmn/config/loader_test.go
@@ -93,6 +93,7 @@ func TestLoad_Env(t *testing.T) {
 		"DAGU_UI_DAGS_SORT_ORDER": "desc",
 
 		"DAGU_TERMINAL_ENABLED": "true",
+		"DAGU_ACCESS_LOG_MODE":  "none",
 
 		"DAGU_AUDIT_ENABLED": "false",
 
@@ -138,6 +139,7 @@ func TestLoad_Env(t *testing.T) {
 			BasePath:    "/test/base",
 			APIBasePath: "/test/api",
 			Headless:    true,
+			AccessLog:   AccessLogNone,
 			Auth: Auth{
 				Mode:  AuthModeBasic, // Explicit basic mode from env
 				Basic: AuthBasic{Username: "testuser", Password: "testpass"},
@@ -375,6 +377,7 @@ scheduler:
 			BasePath:          "/dagu",
 			APIBasePath:       "/api/v1",
 			Headless:          true,
+			AccessLog:         AccessLogAll,
 			LatestStatusToday: true,
 			Auth: Auth{
 				Mode:  AuthModeBasic, // Explicit basic mode from YAML
@@ -990,6 +993,53 @@ metrics: "invalid_value"
 	})
 }
 
+func TestLoad_AccessLogMode(t *testing.T) {
+	t.Run("AccessLogAll", func(t *testing.T) {
+		cfg := loadFromYAML(t, `
+access_log_mode: "all"
+`)
+		assert.Equal(t, AccessLogAll, cfg.Server.AccessLog)
+	})
+
+	t.Run("AccessLogNonPublic", func(t *testing.T) {
+		cfg := loadFromYAML(t, `
+access_log_mode: "non-public"
+`)
+		assert.Equal(t, AccessLogNonPublic, cfg.Server.AccessLog)
+	})
+
+	t.Run("AccessLogNone", func(t *testing.T) {
+		cfg := loadFromYAML(t, `
+access_log_mode: "none"
+`)
+		assert.Equal(t, AccessLogNone, cfg.Server.AccessLog)
+	})
+
+	t.Run("AccessLogDefault", func(t *testing.T) {
+		cfg := loadFromYAML(t, "# empty")
+		assert.Equal(t, AccessLogAll, cfg.Server.AccessLog)
+	})
+
+	t.Run("AccessLogFromEnv", func(t *testing.T) {
+		cfg := loadWithEnv(t, "# empty", map[string]string{
+			"DAGU_ACCESS_LOG_MODE": "non-public",
+		})
+		assert.Equal(t, AccessLogNonPublic, cfg.Server.AccessLog)
+	})
+
+	t.Run("AccessLogInvalid", func(t *testing.T) {
+		cfg := loadFromYAML(t, `
+auth:
+  mode: none
+access_log_mode: "invalid"
+`)
+		assert.Equal(t, AccessLogAll, cfg.Server.AccessLog)
+		require.Len(t, cfg.Warnings, 1)
+		assert.Contains(t, cfg.Warnings[0], "Invalid access_log_mode value")
+		assert.Contains(t, cfg.Warnings[0], "invalid")
+	})
+}
+
 func TestLoad_CacheConfig(t *testing.T) {
 	t.Run("DefaultCacheMode", func(t *testing.T) {
 		cfg := loadFromYAML(t, ``)
diff --git a/internal/cmn/schema/config.schema.json b/internal/cmn/schema/config.schema.json
@@ -37,6 +37,12 @@
       "type": "boolean",
       "description": "Enable debug mode with verbose logging."
     },
+    "access_log_mode": {
+      "type": "string",
+      "enum": ["all", "non-public", "none"],
+      "description": "HTTP access log mode. 'all' logs every request, 'non-public' skips public endpoints (/health, /auth/login, /auth/setup), 'none' disables access logging entirely. Default: 'all'.",
+      "default": "all"
+    },
     "default_shell": {
       "type": "string",
       "description": "Default shell for executing commands (e.g., '/bin/bash')."
diff --git a/internal/service/frontend/server.go b/internal/service/frontend/server.go
@@ -53,6 +53,7 @@ import (
 	"github.com/dagu-org/dagu/internal/service/audit"
 	authservice "github.com/dagu-org/dagu/internal/service/auth"
 	"github.com/dagu-org/dagu/internal/service/coordinator"
+	"github.com/dagu-org/dagu/internal/service/frontend/api/pathutil"
 	apiv1 "github.com/dagu-org/dagu/internal/service/frontend/api/v1"
 	"github.com/dagu-org/dagu/internal/service/frontend/auth"
 	"github.com/dagu-org/dagu/internal/service/frontend/metrics"
@@ -633,28 +634,65 @@ func redactTokenFromRequest(r *http.Request) *http.Request {
 	return redacted
 }
 
+// buildPublicPaths returns the set of public endpoint paths that should be
+// excluded from access logging in "non-public" mode.
+func buildPublicPaths(basePath string, metrics config.MetricsAccess) map[string]struct{} {
+	paths := []string{
+		pathutil.BuildPublicEndpointPath(basePath, "api/v1/health"),
+		pathutil.BuildPublicEndpointPath(basePath, "api/v1/auth/login"),
+		pathutil.BuildPublicEndpointPath(basePath, "api/v1/auth/setup"),
+	}
+	if metrics == config.MetricsAccessPublic {
+		paths = append(paths, pathutil.BuildPublicEndpointPath(basePath, "api/v1/metrics"))
+	}
+	set := make(map[string]struct{}, len(paths))
+	for _, p := range paths {
+		set[p] = struct{}{}
+	}
+	return set
+}
+
+// skipPathsMiddleware wraps a middleware to skip it for requests matching any of the given paths.
+func skipPathsMiddleware(mw func(http.Handler) http.Handler, skip map[string]struct{}) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		wrapped := mw(next)
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if _, ok := skip[r.URL.Path]; ok {
+				next.ServeHTTP(w, r)
+				return
+			}
+			wrapped.ServeHTTP(w, r)
+		})
+	}
+}
+
 // Serve starts the HTTP server and configures routes.
 func (srv *Server) Serve(ctx context.Context) error {
-	logLevel := slog.LevelInfo
-	if srv.config.Core.Debug {
-		logLevel = slog.LevelDebug
-	}
-
-	requestLogger := httplog.NewLogger("http", httplog.Options{
-		LogLevel:         logLevel,
-		JSON:             srv.config.Core.LogFormat == "json",
-		Concise:          true,
-		RequestHeaders:   srv.config.Core.Debug,
-		MessageFieldName: "msg",
-		ResponseHeaders:  false,
-		QuietDownRoutes:  []string{"/api/v1/events"},
-		QuietDownPeriod:  10 * time.Second,
-	})
-
 	r := chi.NewMux()
 	r.Use(middleware.RealIP)
 	r.Use(middleware.Compress(5))
-	r.Use(sanitizedRequestLogger(requestLogger))
+	if srv.config.Server.AccessLog != config.AccessLogNone {
+		logLevel := slog.LevelInfo
+		if srv.config.Core.Debug {
+			logLevel = slog.LevelDebug
+		}
+		requestLogger := httplog.NewLogger("http", httplog.Options{
+			LogLevel:         logLevel,
+			JSON:             srv.config.Core.LogFormat == "json",
+			Concise:          true,
+			RequestHeaders:   srv.config.Core.Debug,
+			MessageFieldName: "msg",
+			ResponseHeaders:  false,
+			QuietDownRoutes:  []string{"/api/v1/events"},
+			QuietDownPeriod:  10 * time.Second,
+		})
+		logMiddleware := sanitizedRequestLogger(requestLogger)
+		if srv.config.Server.AccessLog == config.AccessLogNonPublic {
+			skipPaths := buildPublicPaths(srv.config.Server.BasePath, srv.config.Server.Metrics)
+			logMiddleware = skipPathsMiddleware(logMiddleware, skipPaths)
+		}
+		r.Use(logMiddleware)
+	}
 	r.Use(middleware.Recoverer)
 	r.Use(cors.Handler(cors.Options{
 		AllowedOrigins:   []string{"*"},
