diff --git a/ietf/utils/jsonlogger.py b/ietf/utils/jsonlogger.py
index a9eeb02ba..9c7949fd5 100644
--- a/ietf/utils/jsonlogger.py
+++ b/ietf/utils/jsonlogger.py
@@ -24,3 +24,11 @@ class GunicornRequestJsonFormatter(DatatrackerJsonFormatter):
 log_record.setdefault("user_agent", record.args["a"])
 log_record.setdefault("len_bytes", record.args["B"])
 log_record.setdefault("duration_ms", record.args["M"])
+ log_record.setdefault("host", record.args["{host}i"])
+ log_record.setdefault("x_request_start", record.args["{x-request-start}i"])
+ log_record.setdefault("x_real_ip", record.args["{x-real-ip}i"])
+ log_record.setdefault("x_forwarded_for", record.args["{x-forwarded-for}i"])
+ log_record.setdefault("x_forwarded_proto", record.args["{x-forwarded-proto}i"])
+ log_record.setdefault("cf_connecting_ip", record.args["{cf-connecting-ip}i"])
+ log_record.setdefault("cf_connecting_ipv6", record.args["{cf-connecting-ipv6}i"])
+ log_record.setdefault("cf_ray", record.args["{cf-ray}i"])
diff --git a/k8s/auth.yaml b/k8s/auth.yaml
index 66627ed45..c35cdc8ac 100644
--- a/k8s/auth.yaml
+++ b/k8s/auth.yaml
@@ -80,6 +80,9 @@ spec:
 volumeMounts:
 - name: nginx-tmp
 mountPath: /tmp
+ - name: dt-cfg
+ mountPath: /etc/nginx/conf.d/00logging.conf
+ subPath: nginx-logging.conf
 - name: dt-cfg
 mountPath: /etc/nginx/conf.d/auth.conf
 subPath: nginx-auth.conf
diff --git a/k8s/datatracker.yaml b/k8s/datatracker.yaml
index 9e1ead1a9..a8a967568 100644
--- a/k8s/datatracker.yaml
+++ b/k8s/datatracker.yaml
@@ -80,6 +80,9 @@ spec:
 volumeMounts:
 - name: nginx-tmp
 mountPath: /tmp
+ - name: dt-cfg
+ mountPath: /etc/nginx/conf.d/00logging.conf
+ subPath: nginx-logging.conf
 - name: dt-cfg
 mountPath: /etc/nginx/conf.d/datatracker.conf
 subPath: nginx-datatracker.conf
diff --git a/k8s/kustomization.yaml b/k8s/kustomization.yaml
index ba8b8a582..4b79f0075 100644
--- a/k8s/kustomization.yaml
+++ b/k8s/kustomization.yaml
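Review bot: In ietf/utils/jsonlogger.py the new `x_forwarded_for`, `x_forwarded_proto`, `cf_connecting_ip`, `cf_connecting_ipv6` and `cf_ray` fields are copied straight from request headers, and nothing next to them says they are client-supplied. The nginx configs in this commit visibly set only Host, X-Request-Start, X-Forwarded-For (appended to whatever the client sent) and X-Real-IP, so the CF-* values can be trusted only if the pod is reachable solely through the CDN edge, which this diff does not show. I would add a comment above the new lines, e.g. `# Logged as received: x_real_ip and x_request_start are set by the local nginx; x-forwarded-* and cf-* are client-controlled unless the edge overwrites them`. The lookups index `record.args` directly, which presumably relies on gunicorn's atoms wrapper returning a placeholder for absent headers; that is worth confirming, since the method starts outside this hunk.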
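Review bot: In k8s/auth.yaml (and the identical hunk in k8s/datatracker.yaml) the `00` prefix of `00logging.conf` is what gets the `ietfjson` format defined before `auth.conf` / `datatracker.conf` reference it, but nothing in the manifest says so. Assuming the image's nginx.conf pulls in `conf.d/*.conf` in glob order, a later rename of the mountPath would leave `access_log ... ietfjson` pointing at an undefined format and nginx would refuse the configuration. A comment on the mount such as `# 00 prefix: must sort before the server configs that use the ietfjson log_format` would keep that constraint visible.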
@@ -3,6 +3,7 @@ namePrefix: dt-
 configMapGenerator:
 - name: files-cfgmap
 files:
+ - nginx-logging.conf
 - nginx-auth.conf
 - nginx-datatracker.conf
 - settings_local.py
diff --git a/k8s/nginx-auth.conf b/k8s/nginx-auth.conf
index 4cbc8a0a5..6dd5d6ed5 100644
--- a/k8s/nginx-auth.conf
+++ b/k8s/nginx-auth.conf
@@ -2,9 +2,13 @@ server { listen 8080 default_server; server_name _; + # Replace default "main" formatter with the ietfjson formatter from nginx-logging.conf + access_log /var/log/nginx/access.log ietfjson; + # Note that regex location matches take priority over non-regex "prefix" matches. Use regexes so that # our deny all rule does not squelch the other locations. location ~ ^/health/nginx$ { + access_log off; return 200; }
@@ -19,14 +23,14 @@ server { # n.b. (?!...) is a negative lookahead group location ~ ^(/(?!(api/openid/|accounts/login/|accounts/logout/|accounts/reset/|person/.*/photo|group/groupmenu.json)).*) { - deny all; + return 302 https://datatracker.ietf.org$${keepempty}request_uri; } location / { add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' data: https://datatracker.ietf.org/ https://www.ietf.org/ http://ietf.org/ https://analytics.ietf.org https://static.ietf.org; frame-ancestors 'self' ietf.org *.ietf.org meetecho.com *.meetecho.com gather.town *.gather.town"; proxy_set_header Host $${keepempty}host; proxy_set_header Connection close; - proxy_set_header X-Request-Start "t=${msec}"; + proxy_set_header X-Request-Start "t=$${keepempty}msec"; proxy_set_header X-Forwarded-For $${keepempty}proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $${keepempty}remote_addr; proxy_pass http://localhost:8000;
diff --git a/k8s/nginx-datatracker.conf b/k8s/nginx-datatracker.conf
index 63c985463..ff439fba6 100644
--- a/k8s/nginx-datatracker.conf
+++ b/k8s/nginx-datatracker.conf
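Review bot: In k8s/nginx-auth.conf the comment kept as context in the first hunk still refers to "our deny all rule", but the second hunk replaces `deny all;` with a 302 to datatracker.ietf.org, so the comment no longer describes the config. Reword it along the lines of `# Use regexes so that the catch-all redirect below does not squelch the other locations.` The redirect keeps a fixed host and appends the raw `request_uri` variable, which stays percent-encoded; a one-line comment saying this is deliberate, and that the decoded `uri` variable should not be substituted into the Location value, would protect it from a later "simplification". Requests with other methods to these paths previously got a 403 and will now be redirected, which most clients replay as GET, so it is worth confirming that this is intended.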
@@ -2,7 +2,11 @@ server { listen 8080 default_server; server_name _; + # Replace default "main" formatter with the ietfjson formatter from nginx-logging.conf + access_log /var/log/nginx/access.log ietfjson; + location /health/nginx { + access_log off; return 200; }
@@ -15,7 +19,7 @@ server {
 add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' data: https://datatracker.ietf.org/ https://www.ietf.org/ http://ietf.org/ https://analytics.ietf.org https://static.ietf.org; frame-ancestors 'self' ietf.org *.ietf.org meetecho.com *.meetecho.com";
 proxy_set_header Host $${keepempty}host;
 proxy_set_header Connection close;
- proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Request-Start "t=$${keepempty}msec";
 proxy_set_header X-Forwarded-For $${keepempty}proxy_add_x_forwarded_for;
 proxy_set_header X-Real-IP $${keepempty}remote_addr;
 proxy_pass http://localhost:8000;
diff --git a/k8s/nginx-logging.conf b/k8s/nginx-logging.conf
new file mode 100644
index 000000000..0938b0530
--- /dev/null
+++ b/k8s/nginx-logging.conf
@@ -0,0 +1,20 @@
+# Define JSON log format - must be loaded before config that references it
+log_format ietfjson escape=json
+ '{'
+ '"time":"$${keepempty}time_iso8601",'
+ '"remote_ip":"$${keepempty}remote_addr",'
+ '"request":"$${keepempty}request",'
+ '"host":"$${keepempty}host",'
+ '"path":"$${keepempty}request_uri",'
+ '"method":"$${keepempty}request_method",'
+ '"status":"$${keepempty}status",'
+ '"len_bytes":"$${keepempty}body_bytes_sent",'
+ '"duration_ms":"$${keepempty}request_time",'
+ '"referer":"$${keepempty}http_referer",'
+ '"user_agent":"$${keepempty}http_user_agent",'
+ '"x_forwarded_for":"$${keepempty}http_x_forwarded_for",'
+ '"x_forwarded_proto":"$${keepempty}http_x_forwarded_proto",'
+ '"cf_connecting_ip":"$${keepempty}http_cf_connecting_ip",'
+ '"cf_connecting_ipv6":"$${keepempty}http_cf_connecting_ipv6",'
+ '"cf_ray":"$${keepempty}http_cf_ray"'
+ '}';
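Review bot: In k8s/nginx-logging.conf the `duration_ms` key is filled from nginx's `request_time`, which is expressed in seconds with millisecond resolution, while the gunicorn formatter in this same commit fills `duration_ms` from the `M` atom, which gunicorn documents as milliseconds. The two log streams would therefore report the same field in different units, which skews any latency query or alert that spans both. Either rename the nginx key, e.g. `'"duration_s":"$${keepempty}request_time",'`, or state in a comment that this value is in seconds. Separately, `path` and `request` both carry the raw request URI including the query string, so any token passed as a query parameter ends up in the access log; a comment recording that this is accepted would help whoever sets retention and access for these logs.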