Good evening. I’ve enabled the web server’s “Access Log” capability, and it is working. But I’m wondering if it’s possible to change the location of the log file to a place more easily accessible, like /var/log/access.log. Any thoughts on what to do for this, just for the web server access log? Is it even possible?
I’m also tangentially wondering if the built-in CommandBox web server has any capabilities for rate limiting requests?
I could easily add that feature, but right now there’s not really been any demand to change it so I’ve never exposed a setting for it. Since each server can have its own access log, and you can have as many servers as you like, it’s convenient out of the box to keep all the log files for each server inside the server home dir for that server.
If it’s any help, you can always get the path to any server’s access log programmatically like so:
Depends on what you mean. You can control the total number of concurrent request in the web.maxRequests setting, which sets the size of the worker thread pool. There is also a request-limit( 25 ) Undertow handler you can specify in your server rules, and even pair with a predicate to apply to certain requests, but it’s still just for all incoming requests, it’s not per user or per IP, etc.
Building a rate limiter that was per IP or per jsessionid or something wouldn’t be too hard, but I’ve never gotten around to making that a core feature of CommandBox. There are some CFML versions of this floating around you can just put in your Application.cfc.
Thank you very much, @bdw429s. I appreciate your response and thank you for taking time to write back. For the log, I suppose I’ll just adapt to the location, as is.
I am wondering, though, how long the archived archive.log files are kept around? Will they rotate out after a set number of days?
As for the rate-limiting question – I was looking for functionality similar to nginx for limiting the number of requests for specific IP addresses within a given timeframe, so as to avoid taking a hit from bots engaging in clearly malicious behavior, rapidly probing for vulnerabilities.
Thank you again for taking a few moments to respond, it is appreciated.
This is the only log file in CommandBox that doesn’t use Log4j since it’s a custom tie-in with Undertow. I don’t believe it deletes old files. The code is here:
Yeah, that’s a great use case and definitely one I think we should add in. If you wanted to roll up your Java sleeves, you could write this as an Undertow handler you add into your class path and add via a server rule.
I thought I’d chime in and mention this exact scenario hits us maybe once a year. We scramble around trying to figure out what in the world is going on. This isn’t a big deal (today), but it seems like a big deal when we’re in the thick of it.