
nono_proxy/
audit.rs

1//! Audit logging for proxy requests.
2//!
3//! Logs all proxy requests with structured fields via `tracing`.
4//! Sensitive data (authorization headers, tokens, request bodies)
5//! is never included in audit logs.
6
7use tracing::info;
8
/// Which proxying path handled a request, as recorded in the audit log.
///
/// The variant is rendered through its `Display` impl when it is attached to
/// an audit event as the `mode` field.
#[derive(Debug, Clone, Copy)]
pub enum ProxyMode {
    /// A CONNECT tunnel; only host filtering applies.
    Connect,
    /// The reverse proxy path, where credentials are injected.
    Reverse,
    /// Passthrough to an external (enterprise) proxy.
    External,
}
19
impl std::fmt::Display for ProxyMode {
    /// Writes the lowercase label used for the `mode` field of audit events:
    /// `connect`, `reverse` or `external`.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        // Exhaustive on purpose: adding a variant must force a label choice here.
        let label = match *self {
            ProxyMode::Connect => "connect",
            ProxyMode::Reverse => "reverse",
            ProxyMode::External => "external",
        };
        f.write_str(label)
    }
}
29
/// Emit an audit event for a request the proxy let through.
///
/// The event goes to the `nono_proxy::audit` target at `info` level with the
/// fields `mode`, `host`, `port`, `method` and `decision = "allow"`.
///
/// `host` and `method` are recorded exactly as passed in. No header, token or
/// body is accepted by this function, so none can reach the log through it.
pub fn log_allowed(mode: ProxyMode, host: &str, port: u16, method: &str) {
    info!(
        target: "nono_proxy::audit",
        %mode,
        host,
        port,
        method,
        decision = "allow",
        "proxy request allowed"
    );
}
42
/// Emit an audit event for a request the proxy refused.
///
/// The event goes to the `nono_proxy::audit` target at `info` level with the
/// fields `mode`, `host`, `port`, `decision = "deny"` and `reason`.
///
/// `reason` is logged verbatim. A caller that builds it from request data has
/// to keep credentials and header values out of the string itself.
pub fn log_denied(mode: ProxyMode, host: &str, port: u16, reason: &str) {
    info!(
        target: "nono_proxy::audit",
        %mode,
        host,
        port,
        decision = "deny",
        reason,
        "proxy request denied"
    );
}
55
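/// Record the outcome of a reverse-proxy request in the audit log.
///
/// Emits one `info` event on the `nono_proxy::audit` target with the fields
/// `mode = "reverse"`, `service`, `method`, `path` and `status`.
///
/// Only the part of `path` before the first `?` or `#` is logged. This
/// module's documentation states that tokens never appear in audit logs, and
/// a query string is a common place for API keys and signed-URL parameters,
/// so it is dropped here rather than trusting every caller to strip it.
/// `service` and `method` are recorded exactly as passed in.
pub fn log_reverse_proxy(service: &str, method: &str, path: &str, status: u16) {
    // `?` and `#` are ASCII, so the byte offset from `find` is always a valid
    // char boundary and the slice cannot panic.
    let path = path
        .find(|c: char| c == '?' || c == '#')
        .map_or(path, |cut| &path[..cut]);

    // NOTE(review): credentials embedded in path segments are still logged;
    // confirm no upstream service uses that scheme.
    info!(
        target: "nono_proxy::audit",
        mode = "reverse",
        service = service,
        method = method,
        path = path,
        status = status,
        "reverse proxy response"
    );
}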