Add headers to HTTP logging

[jordanfranssen]

RabbitMQ Version: 3.8.4 Management Plugin: 3.8.4 OS: CentOS 7

Currently, HTTP logging for the Management UI includes timestamp, methods, routes, and a couple other message headers.

When using this plugin in increase security settings, additional logging becomes a requirement, including the capability to log all headers of HTTP requests and responses (particularly for any action that results in changes to configuration or access controls).

This article gives the guidelines: https://www.stigviewer.com/stig/application_security_and_development/2017-12-18/finding/V-69375

This is a feature request that logging of all HTTP headers be a option in the Management Plugin configuration.

[michaelklishin]

This plugin does not implement HTTP request logging, Cowboy does. If it supports such logging options (we don't know), you should be able to use them in advanced.config. We are aware of https://github.com/ninenines/cowboy/issues/1336 which does not target elevated security environments, though.

[michaelklishin]

If there are examples of existing open source software (e.g. Nginx or HAproxy) that support this kind of logging, it would be worth mentioning in an issue for Cowboy. If Nginx supports this, then using it as a reverse proxy in front of RabbitMQ HTTP API can get you the logging features you are looking for. This is the recommended setup anyway since this plugin never will match Nginx or HAproxy in terms of HTTP-centric features.