From 6223cbf9a5e11f075c8dec36d6710216ec2a33d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Mon, 11 Dec 2023 10:12:06 -0500
Subject: [PATCH] incusd/endpoints: Also hide read errors from proxies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber
---
 internal/server/endpoints/network_util.go | 2 +-
 .../server/endpoints/network_util_test.go | 33 ++++++++++++++++---
 2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/internal/server/endpoints/network_util.go b/internal/server/endpoints/network_util.go
index 375b591e9b5..cd537be8326 100644
--- a/internal/server/endpoints/network_util.go
+++ b/internal/server/endpoints/network_util.go
@@ -13,7 +13,7 @@ type networkServerErrorLogWriter struct {
 }
 // Regex for the log we want to ignore.
-var unwantedLogRegex = regexp.MustCompile(`^http: TLS handshake error from ([^\[:]+?|\[([^\]]+?)\]):[0-9]+: .+write: connection reset by peer$`)
+var unwantedLogRegex = regexp.MustCompile(`^http: TLS handshake error from ([^\[:]+?|\[([^\]]+?)\]):[0-9]+: .+: connection reset by peer$`)
 func (d networkServerErrorLogWriter) Write(p []byte) (int, error) {
 strippedLog := d.stripLog(p)
diff --git a/internal/server/endpoints/network_util_test.go b/internal/server/endpoints/network_util_test.go
index b5d5d977c25..e2b5d28e03f 100644
--- a/internal/server/endpoints/network_util_test.go
+++ b/internal/server/endpoints/network_util_test.go
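Review bot: The widened pattern on the `+var unwantedLogRegex` line now ends in `.+: connection reset by peer$`, which accepts any operation text before the final colon, not just the read case the commit is about. Since this filter decides which TLS handshake errors are dropped from the server's error log, I would keep it to the two known forms, e.g. `.+(?:read|write): connection reset by peer$`, so that a differently shaped reset message still gets logged. The comment above it could also be extended to `// Regex for the log we want to ignore: TLS handshake read/write resets, matched so the peer address can be checked against the trusted proxies.` — the test cases suggest discarding is limited to trusted proxies, but that check lives outside this hunk, so confirm the wording against it.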
@@ -15,29 +15,54 @@ func Test_networkServerErrorLogWriter_shouldDiscard(t *testing.T) {
 want string
 }{
 {
- name: "ipv4 trusted proxy",
+ name: "ipv4 trusted proxy (write)",
 proxies: []net.IP{net.ParseIP("10.24.0.32")},
 log: []byte("Sep 17 04:58:30 abydos incus.daemon[21884]: 2021/09/17 04:58:30 http: TLS handshake error from 10.24.0.32:55672: write tcp 10.24.0.22:8443->10.24.0.32:55672: write: connection reset by peer\n"),
 want: "",
 },
 {
- name: "ipv4 non-trusted proxy",
+ name: "ipv4 non-trusted proxy (write)",
 proxies: []net.IP{net.ParseIP("10.24.0.33")},
 log: []byte("Sep 17 04:58:30 abydos incus.daemon[21884]: 2021/09/17 04:58:30 http: TLS handshake error from 10.24.0.32:55672: write tcp 10.24.0.22:8443->10.24.0.32:55672: write: connection reset by peer\n"),
 want: "http: TLS handshake error from 10.24.0.32:55672: write tcp 10.24.0.22:8443->10.24.0.32:55672: write: connection reset by peer",
 },
 {
- name: "ipv6 trusted proxy",
+ name: "ipv6 trusted proxy (write)",
 proxies: []net.IP{net.ParseIP("2602:fd23:8:1003:216:3eff:fefa:7670")},
 log: []byte("Sep 17 04:58:30 abydos incus.daemon[21884]: 2021/09/17 04:58:30 http: TLS handshake error from [2602:fd23:8:1003:216:3eff:fefa:7670]:55672: write tcp [2602:fd23:8:101::100]:8443->[2602:fd23:8:1003:216:3eff:fefa:7670]:55672: write: connection reset by peer\n"),
 want: "",
 },
 {
- name: "ipv6 non-trusted proxy",
+ name: "ipv6 non-trusted proxy (write)",
 proxies: []net.IP{net.ParseIP("2602:fd23:8:1003:216:3eff:fefa:7671")},
 log: []byte("Sep 17 04:58:30 abydos incus.daemon[21884]: 2021/09/17 04:58:30 http: TLS handshake error from [2602:fd23:8:1003:216:3eff:fefa:7670]:55672: write tcp [2602:fd23:8:101::100]:8443->[2602:fd23:8:1003:216:3eff:fefa:7670]:55672: write: connection reset by peer\n"),
 want: "http: TLS handshake error from [2602:fd23:8:1003:216:3eff:fefa:7670]:55672: write tcp [2602:fd23:8:101::100]:8443->[2602:fd23:8:1003:216:3eff:fefa:7670]:55672: write: connection reset by peer",
 },
+ {
+ name: "ipv4 trusted proxy (read)",
+ proxies: []net.IP{net.ParseIP("10.24.0.32")},
+ log: []byte("Sep 17 04:58:30 abydos incus.daemon[21884]: 2021/09/17 04:58:30 http: TLS handshake error from 10.24.0.32:55672: read tcp 10.24.0.22:8443->10.24.0.32:55672: read: connection reset by peer\n"),
+ want: "",
+ },
+ {
+ name: "ipv4 non-trusted proxy (read)",
+ proxies: []net.IP{net.ParseIP("10.24.0.33")},
+ log: []byte("Sep 17 04:58:30 abydos incus.daemon[21884]: 2021/09/17 04:58:30 http: TLS handshake error from 10.24.0.32:55672: read tcp 10.24.0.22:8443->10.24.0.32:55672: read: connection reset by peer\n"),
+ want: "http: TLS handshake error from 10.24.0.32:55672: read tcp 10.24.0.22:8443->10.24.0.32:55672: read: connection reset by peer",
+ },
+ {
+ name: "ipv6 trusted proxy (read)",
+ proxies: []net.IP{net.ParseIP("2602:fd23:8:1003:216:3eff:fefa:7670")},
+ log: []byte("Sep 17 04:58:30 abydos incus.daemon[21884]: 2021/09/17 04:58:30 http: TLS handshake error from [2602:fd23:8:1003:216:3eff:fefa:7670]:55672: read tcp [2602:fd23:8:101::100]:8443->[2602:fd23:8:1003:216:3eff:fefa:7670]:55672: read: connection reset by peer\n"),
+ want: "",
+ },
+ {
+ name: "ipv6 non-trusted proxy (read)",
+ proxies: []net.IP{net.ParseIP("2602:fd23:8:1003:216:3eff:fefa:7671")},
+ log: []byte("Sep 17 04:58:30 abydos incus.daemon[21884]: 2021/09/17 04:58:30 http: TLS handshake error from [2602:fd23:8:1003:216:3eff:fefa:7670]:55672: read tcp [2602:fd23:8:101::100]:8443->[2602:fd23:8:1003:216:3eff:fefa:7670]:55672: read: connection reset by peer\n"),
+ want: "http: TLS handshake error from [2602:fd23:8:1003:216:3eff:fefa:7670]:55672: read tcp [2602:fd23:8:101::100]:8443->[2602:fd23:8:1003:216:3eff:fefa:7670]:55672: read: connection reset by peer",
+ },
+ {
 name: "unrelated",
 proxies: []net.IP{},