Merge branch 'nginx-config-diff' into 'master'

Nginx logging set to be used by fluentd and exposing IP on nginx logs See merge request !135

Merge branch 'nginx-config-diff' into 'master'
4f1a9c02 · Francisco Borges Aurindo Barros · fd6ac4bd · f4509a6f · 4f1a9c02
Commit 4f1a9c02 authored 2 years ago by Francisco Borges Aurindo Barros
--- a/images/nginx/config/nginx-server-default.conf
+++ b/images/nginx/config/nginx-server-default.conf
@@ -9,6 +9,14 @@ upstream webdav {
    server unix:/var/run/webdav.sock;
 }

+## Log format expected by Fluentd and having real IP shown into the Nginx logs
+## If log format is to be changed, please note the fluentd pattern
+# TODO: Have fluentd configuration link here
+log_format log_drupal '[$time_local] - $http_x_forwarded_for _ $remote_user - "$request" '
+                    'S:$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" -T:$request_time';
+
+
 ## Global cache configuration ##

 fastcgi_cache_path /var/cache/nginx keys_zone=cache:20m levels=1:2 inactive=900s max_size=200m;
@@ -47,10 +55,26 @@ map $remote_addr $skip_cache_addr {
    "127.0.0.1" 1;
 }

+## We are ignoring internal activity
+# Expected internal activity:
+#   - Access `_site/_php-fpm-status for healthcheck
+#   - Access `/cron/$CRON_KEY`
+#   - Access `/user/login` internally for healthcheck
+# If we did logged internal activity, only added points would be internal IP address and accessed endpoints
+# any extended activity that could change instance will be logged into drupal-logs in such cases
+
+map $http_x_forwarded_for $notInternal {
+  "" 0 ;
+  default 1;
+}
+
 server {
    #listen 8080 ssl;
    listen 8080;

+    access_log /dev/stdout log_drupal if=$notInternal;
+    error_log /dev/stderr warn;
+
    #ssl_certificate        /etc/ssl/certs/ca-certificates.crt;
    #ssl_certificate_key    /etc/ssl/certs/ca-cert-COMODO_Certification_Authority.pem;
    #ssl_session_cache     shared:SSL:20m;
@@ -131,6 +155,11 @@ server {
    }

    location / {
+        # We want to keep real IPs
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Request-Start "t=${msec}";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
        # try_files $uri @rewrite; # For Drupal <= 6
        try_files $uri /index.php?$query_string; # For Drupal >= 7
    }
@@ -166,6 +195,11 @@ server {
    }
    # WebDAV Page
    location ^~ /_webdav {
+        # We want to pass the Real IP to WebDav
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Request-Start "t=${msec}";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
        fastcgi_cache_bypass $skip_cache;
        fastcgi_no_cache $skip_cache;

@@ -250,6 +284,12 @@ server {
    # pattern with front controllers other than update.php in a future
    # release.
    location ~ '\.php$|^/update.php' {
+
+        # Keeping real IPs that come from headers
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Request-Start "t=${msec}";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
        fastcgi_cache_bypass $skip_cache;
        fastcgi_no_cache $skip_cache;