When an incoming connection to a TLS-backed HTTP server does not contain a valid TLS record, the net/http package will try to return a helpful error if the incoming message is HTTP (matching the behaviour of Apache); however, in the event that the incoming connection doesn't contain an HTTP request, it writes an event to the logger of the http.Server: https://cs.opensource.google/go/go/+/master:src/net/http/server.go;l=1870;bpv=1;bpt=0
For http.Servers that are internet facing, especially those on public cloud providers, this can result in the output of that logger (by default stdout), being flooded with unhelpful messages such as: http: TLS handshake error from <ip>: EOF. A simple port scan will trigger this message.
This makes troubleshooting or monitoring the actual application difficult, as the log is overwhelmed by these messages. While other servers like nginx and Apache do print out similar error messages, they offer significantly greater control over logging.
Go, on the other hand, only lets you override the logger with your own. This requires the application to either implement a null logger (therefore silencing all messages from the http.Server, including helpful errors), or write a custom logger that filters these unhelpful errors.
I'm unsure if this is a proposal or bug (I feel it's both, really). I am asking if we want to remove this log line, or ignore EOF errors.
While you might not care, other people do. Our best option is to log the error and you can filter it out if you don't care. Logger calls Write once per log line; the filtering isn't hard to implement.
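The filter described in the comment above, as an added example (not code from the Go project or from anyone in this thread): an io.Writer behind http.Server.ErrorLog that drops only the bare handshake EOF line and forwards everything else. The names eofFilter and newFilteredServer are hypothetical, and the addresses in main are constructed sample values.

```go
package main

import (
	"bytes"
	"io"
	"log"
	"net/http"
	"os"
)

var (
	hsPrefix  = []byte("http: TLS handshake error from ")
	eofSuffix = []byte(": EOF")
)

// eofFilter (hypothetical name) drops only the line
// "http: TLS handshake error from <addr>: EOF" and forwards all other lines.
type eofFilter struct{ next io.Writer }

// Write receives one complete log line per call from log.Logger.
func (f eofFilter) Write(p []byte) (int, error) {
	line := bytes.TrimRight(p, "\r\n")
	// The logger may prepend a prefix or timestamp, so search for the marker.
	if i := bytes.Index(line, hsPrefix); i >= 0 && bytes.HasSuffix(line, eofSuffix) {
		addr := line[i+len(hsPrefix) : len(line)-len(eofSuffix)]
		// Only a bare address may sit between marker and suffix; a wrapped
		// error ("<addr>: read tcp ...: EOF") contains ": " and is kept.
		if !bytes.Contains(addr, []byte(": ")) {
			return len(p), nil // claim success so the logger sees no write error
		}
	}
	return f.next.Write(p)
}

// newFilteredServer (hypothetical helper) wires the filter into ErrorLog.
func newFilteredServer(addr string, h http.Handler, out io.Writer) *http.Server {
	return &http.Server{
		Addr:     addr,
		Handler:  h,
		ErrorLog: log.New(eofFilter{next: out}, "", log.LstdFlags),
	}
}

func main() {
	srv := newFilteredServer(":8443", http.NotFoundHandler(), os.Stderr)
	// Constructed sample lines: the first is dropped, the second is printed.
	srv.ErrorLog.Print("http: TLS handshake error from 192.0.2.10:51234: EOF")
	srv.ErrorLog.Print("http: TLS handshake error from 192.0.2.10:51234: tls: first record does not look like a TLS handshake")
}
```

Because the match is limited to the exact message, other handshake failures (protocol mismatches, certificate errors, resets) still reach the log, where they remain available for monitoring.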