Can't use placeholders request>tls>client>...

[IlariStenrothValtori]

It seems like placeholders containing TLS client certificate attributes like request>tls>client>serial and so on are not available. The log file will just have "-" where those placeholders are used. This could be a possible bug.

Caddy version: v2.7.5 Module transform-encoder version: v0.0.0-20231026093501-27036a52e8f6

[francislavoie]

Please share your full config and example logs.

[IlariStenrothValtori]

log access-apps {
        output file /var/log/access-apps.log
        format transform `{request>remote_ip} - {request>tls>client>serial} [{ts}] "{request>method} {request>uri} {request>proto}" {status} {size}` {
                time_format "02/Jan/2006:15:04:05 -0700"
        }
}

tls {
        client_auth {
                mode verify_if_given
                trusted_ca_cert_file /opt/tls/trusted-certs/ca-g1.pem
        }
}

The same result is observed when client_auth mode is request or require.

When using Caddy "templates" handler and printing placeholder "http.request.tls.client.serial" it works. But unable to use the same placeholder in logs.

[IlariStenrothValtori]

And the example log entry: x.x.x.x - - [06/Nov/2023:12:17:15 +0000] "GET / HTTP/2.0" 200 3203

[francislavoie]

Ah, it's client_serial, not client>serial. https://github.com/caddyserver/caddy/blob/3b3d67871446ee6bf1921938ef0f16b6112c7ceb/modules/caddyhttp/marshalers.go#L110

[IlariStenrothValtori]

Great! This works. How about a different placeholder variable http.request.tls.client.san.emails containing an array of certificate SAN email addresses? Is it possible to use in this logging context? To me it looks like the Caddy server zap interface isn't defining that variable and so it would need to be implemented at Caddy server codebase. Correct?

[francislavoie]

You don't use placeholder variables, you write a JSON accessor essentially. Look at the format of a normal access log, that's what you have available to log.

[IlariStenrothValtori]

Thanks! I got it now.