ci: better access logs+redirect auth URLs+fix X-Request-Start header (#7700)

* fix: silence nginx healthcheck logs

* fix: nginx logs in JSON

* fix: typos in nginx conf

* refactor: repeat less nginx config

* fix: log more req headers from gunicorn

* fix: redirect auth->datatracker, not deny

* feat: log X-Forwarded-Proto

ietf/utils/jsonlogger.py

@@ -24,3 +24,11 @@ class GunicornRequestJsonFormatter(DatatrackerJsonFormatter):
         log_record.setdefault("user_agent", record.args["a"])
         log_record.setdefault("len_bytes", record.args["B"])
         log_record.setdefault("duration_ms", record.args["M"])
+        log_record.setdefault("host", record.args["{host}i"])
+        log_record.setdefault("x_request_start", record.args["{x-request-start}i"])
+        log_record.setdefault("x_real_ip", record.args["{x-real-ip}i"])
+        log_record.setdefault("x_forwarded_for", record.args["{x-forwarded-for}i"])
+        log_record.setdefault("x_forwarded_proto", record.args["{x-forwarded-proto}i"])
+        log_record.setdefault("cf_connecting_ip", record.args["{cf-connecting-ip}i"])
+        log_record.setdefault("cf_connecting_ipv6", record.args["{cf-connecting-ipv6}i"])
+        log_record.setdefault("cf_ray", record.args["{cf-ray}i"])

k8s/auth.yaml

@@ -80,6 +80,9 @@ spec:
           volumeMounts:
             - name: nginx-tmp
               mountPath: /tmp
+            - name: dt-cfg
+              mountPath: /etc/nginx/conf.d/00logging.conf
+              subPath: nginx-logging.conf
             - name: dt-cfg
               mountPath: /etc/nginx/conf.d/auth.conf
               subPath: nginx-auth.conf

k8s/datatracker.yaml

@@ -80,6 +80,9 @@ spec:
           volumeMounts:
             - name: nginx-tmp
               mountPath: /tmp
+            - name: dt-cfg
+              mountPath: /etc/nginx/conf.d/00logging.conf
+              subPath: nginx-logging.conf
             - name: dt-cfg
               mountPath: /etc/nginx/conf.d/datatracker.conf
               subPath: nginx-datatracker.conf

k8s/kustomization.yaml

@@ -3,6 +3,7 @@ namePrefix: dt-
 configMapGenerator:
   - name: files-cfgmap
     files:
+      - nginx-logging.conf
       - nginx-auth.conf
       - nginx-datatracker.conf
       - settings_local.py

k8s/nginx-auth.conf

@@ -2,9 +2,13 @@ server {
     listen 8080 default_server;
     server_name _;
 
+    # Replace default "main" formatter with the ietfjson formatter from nginx-logging.conf
+    access_log  /var/log/nginx/access.log  ietfjson;
+
     # Note that regex location matches take priority over non-regex "prefix" matches. Use regexes so that
     # our deny all rule does not squelch the other locations. 
     location ~ ^/health/nginx$ {
+        access_log off;
         return 200;
     }
 
@@ -19,14 +23,14 @@ server {
 
     # n.b. (?!...) is a negative lookahead group
     location ~ ^(/(?!(api/openid/|accounts/login/|accounts/logout/|accounts/reset/|person/.*/photo|group/groupmenu.json)).*) {
-        deny all;
+        return 302 https://datatracker.ietf.org$${keepempty}request_uri;
     }
 
     location / {
         add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' data: https://datatracker.ietf.org/ https://www.ietf.org/ http://ietf.org/ https://analytics.ietf.org https://static.ietf.org; frame-ancestors 'self' ietf.org *.ietf.org meetecho.com *.meetecho.com gather.town *.gather.town";
         proxy_set_header Host $${keepempty}host;
         proxy_set_header Connection close;
-        proxy_set_header X-Request-Start "t=${msec}";
+        proxy_set_header X-Request-Start "t=$${keepempty}msec";
         proxy_set_header X-Forwarded-For $${keepempty}proxy_add_x_forwarded_for;
         proxy_set_header X-Real-IP $${keepempty}remote_addr;
         proxy_pass http://localhost:8000;

k8s/nginx-datatracker.conf

@@ -2,7 +2,11 @@ server {
     listen 8080 default_server;
     server_name _;
 
+    # Replace default "main" formatter with the ietfjson formatter from nginx-logging.conf
+    access_log  /var/log/nginx/access.log  ietfjson;
+
     location /health/nginx {
+        access_log off;
         return 200;
     }
 
@@ -15,7 +19,7 @@ server {
         add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' data: https://datatracker.ietf.org/ https://www.ietf.org/ http://ietf.org/ https://analytics.ietf.org https://static.ietf.org; frame-ancestors 'self' ietf.org *.ietf.org meetecho.com *.meetecho.com";
         proxy_set_header Host $${keepempty}host;
         proxy_set_header Connection close;
-        proxy_set_header X-Request-Start "t=${msec}";
+        proxy_set_header X-Request-Start "t=$${keepempty}msec";
         proxy_set_header X-Forwarded-For $${keepempty}proxy_add_x_forwarded_for;
         proxy_set_header X-Real-IP $${keepempty}remote_addr;
         proxy_pass http://localhost:8000;

k8s/nginx-logging.conf

@@ -0,0 +1,20 @@
+# Define JSON log format - must be loaded before config that references it
+log_format  ietfjson  escape=json
+  '{'
+    '"time":"$${keepempty}time_iso8601",'
+    '"remote_ip":"$${keepempty}remote_addr",'
+    '"request":"$${keepempty}request",'
+    '"host":"$${keepempty}host",'
+    '"path":"$${keepempty}request_uri",'
+    '"method":"$${keepempty}request_method",'
+    '"status":"$${keepempty}status",'
+    '"len_bytes":"$${keepempty}body_bytes_sent",'
+    '"duration_ms":"$${keepempty}request_time",'
+    '"referer":"$${keepempty}http_referer",'
+    '"user_agent":"$${keepempty}http_user_agent",'
+    '"x_forwarded_for":"$${keepempty}http_x_forwarded_for",'
+    '"x_forwarded_proto":"$${keepempty}http_x_forwarded_proto",'
+    '"cf_connecting_ip":"$${keepempty}http_cf_connecting_ip",'
+    '"cf_connecting_ipv6":"$${keepempty}http_cf_connecting_ipv6",'
+    '"cf_ray":"$${keepempty}http_cf_ray"'
+  '}';