Skip to content

Commit 247361b

Browse files
ci: better access logs+redirect auth URLs+fix X-Request-Start header (ietf-tools#7700)
* fix: silence nginx healthcheck logs * fix: nginx logs in JSON * fix: typos in nginx conf * refactor: repeat less nginx config * fix: log more req headers from gunicorn * fix: redirect auth->datatracker, not deny * feat: log X-Forwarded-Proto
1 parent b5ab4b6 commit 247361b

7 files changed

Lines changed: 46 additions & 3 deletions

File tree

ietf/utils/jsonlogger.py

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,3 +24,11 @@ def add_fields(self, log_record, record, message_dict):
2424
log_record.setdefault("user_agent", record.args["a"])
2525
log_record.setdefault("len_bytes", record.args["B"])
2626
log_record.setdefault("duration_ms", record.args["M"])
27+
log_record.setdefault("host", record.args["{host}i"])
28+
log_record.setdefault("x_request_start", record.args["{x-request-start}i"])
29+
log_record.setdefault("x_real_ip", record.args["{x-real-ip}i"])
30+
log_record.setdefault("x_forwarded_for", record.args["{x-forwarded-for}i"])
31+
log_record.setdefault("x_forwarded_proto", record.args["{x-forwarded-proto}i"])
32+
log_record.setdefault("cf_connecting_ip", record.args["{cf-connecting-ip}i"])
33+
log_record.setdefault("cf_connecting_ipv6", record.args["{cf-connecting-ipv6}i"])
34+
log_record.setdefault("cf_ray", record.args["{cf-ray}i"])

k8s/auth.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -80,6 +80,9 @@ spec:
8080
volumeMounts:
8181
- name: nginx-tmp
8282
mountPath: /tmp
83+
- name: dt-cfg
84+
mountPath: /etc/nginx/conf.d/00logging.conf
85+
subPath: nginx-logging.conf
8386
- name: dt-cfg
8487
mountPath: /etc/nginx/conf.d/auth.conf
8588
subPath: nginx-auth.conf

k8s/datatracker.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -80,6 +80,9 @@ spec:
8080
volumeMounts:
8181
- name: nginx-tmp
8282
mountPath: /tmp
83+
- name: dt-cfg
84+
mountPath: /etc/nginx/conf.d/00logging.conf
85+
subPath: nginx-logging.conf
8386
- name: dt-cfg
8487
mountPath: /etc/nginx/conf.d/datatracker.conf
8588
subPath: nginx-datatracker.conf

k8s/kustomization.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@ namePrefix: dt-
33
configMapGenerator:
44
- name: files-cfgmap
55
files:
6+
- nginx-logging.conf
67
- nginx-auth.conf
78
- nginx-datatracker.conf
89
- settings_local.py

k8s/nginx-auth.conf

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,9 +2,13 @@ server {
22
listen 8080 default_server;
33
server_name _;
44

5+
# Replace default "main" formatter with the ietfjson formatter from nginx-logging.conf
6+
access_log /var/log/nginx/access.log ietfjson;
7+
58
# Note that regex location matches take priority over non-regex "prefix" matches. Use regexes so that
69
# our deny all rule does not squelch the other locations.
710
location ~ ^/health/nginx$ {
11+
access_log off;
812
return 200;
913
}
1014

@@ -19,14 +23,14 @@ server {
1923

2024
# n.b. (?!...) is a negative lookahead group
2125
location ~ ^(/(?!(api/openid/|accounts/login/|accounts/logout/|accounts/reset/|person/.*/photo|group/groupmenu.json)).*) {
22-
deny all;
26+
return 302 https://datatracker.ietf.org$${keepempty}request_uri;
2327
}
2428

2529
location / {
2630
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' data: https://datatracker.ietf.org/ https://www.ietf.org/ http://ietf.org/ https://analytics.ietf.org https://static.ietf.org; frame-ancestors 'self' ietf.org *.ietf.org meetecho.com *.meetecho.com gather.town *.gather.town";
2731
proxy_set_header Host $${keepempty}host;
2832
proxy_set_header Connection close;
29-
proxy_set_header X-Request-Start "t=${msec}";
33+
proxy_set_header X-Request-Start "t=$${keepempty}msec";
3034
proxy_set_header X-Forwarded-For $${keepempty}proxy_add_x_forwarded_for;
3135
proxy_set_header X-Real-IP $${keepempty}remote_addr;
3236
proxy_pass http://localhost:8000;

k8s/nginx-datatracker.conf

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,11 @@ server {
22
listen 8080 default_server;
33
server_name _;
44

5+
# Replace default "main" formatter with the ietfjson formatter from nginx-logging.conf
6+
access_log /var/log/nginx/access.log ietfjson;
7+
58
location /health/nginx {
9+
access_log off;
610
return 200;
711
}
812

@@ -15,7 +19,7 @@ server {
1519
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' data: https://datatracker.ietf.org/ https://www.ietf.org/ http://ietf.org/ https://analytics.ietf.org https://static.ietf.org; frame-ancestors 'self' ietf.org *.ietf.org meetecho.com *.meetecho.com";
1620
proxy_set_header Host $${keepempty}host;
1721
proxy_set_header Connection close;
18-
proxy_set_header X-Request-Start "t=${msec}";
22+
proxy_set_header X-Request-Start "t=$${keepempty}msec";
1923
proxy_set_header X-Forwarded-For $${keepempty}proxy_add_x_forwarded_for;
2024
proxy_set_header X-Real-IP $${keepempty}remote_addr;
2125
proxy_pass http://localhost:8000;

k8s/nginx-logging.conf

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,20 @@
1+
# Define JSON log format - must be loaded before config that references it
2+
log_format ietfjson escape=json
3+
'{'
4+
'"time":"$${keepempty}time_iso8601",'
5+
'"remote_ip":"$${keepempty}remote_addr",'
6+
'"request":"$${keepempty}request",'
7+
'"host":"$${keepempty}host",'
8+
'"path":"$${keepempty}request_uri",'
9+
'"method":"$${keepempty}request_method",'
10+
'"status":"$${keepempty}status",'
11+
'"len_bytes":"$${keepempty}body_bytes_sent",'
12+
'"duration_ms":"$${keepempty}request_time",'
13+
'"referer":"$${keepempty}http_referer",'
14+
'"user_agent":"$${keepempty}http_user_agent",'
15+
'"x_forwarded_for":"$${keepempty}http_x_forwarded_for",'
16+
'"x_forwarded_proto":"$${keepempty}http_x_forwarded_proto",'
17+
'"cf_connecting_ip":"$${keepempty}http_cf_connecting_ip",'
18+
'"cf_connecting_ipv6":"$${keepempty}http_cf_connecting_ipv6",'
19+
'"cf_ray":"$${keepempty}http_cf_ray"'
20+
'}';

0 commit comments

Comments
 (0)