diff --git a/images/nginx/config/nginx-server-default.conf b/images/nginx/config/nginx-server-default.conf
index 83ff8e087c5656f257372e190d8df7332b9c492d..d3d7f0ad387c5c8f5ad3c4854475ddce9c9a5ea4 100644
--- a/images/nginx/config/nginx-server-default.conf
+++ b/images/nginx/config/nginx-server-default.conf
@@ -9,6 +9,14 @@ upstream webdav {
 server unix:/var/run/webdav.sock;
 }
+## Log format expected by Fluentd and having real IP shown into the Nginx logs
+## If log format is to be changed, please note the fluentd pattern
+# TODO: Have fluentd configuration link here
+log_format log_drupal '[$time_local] - $http_x_forwarded_for _ $remote_user - "$request" '
+ 'S:$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" -T:$request_time';
+
+
 ## Global cache configuration ##
 fastcgi_cache_path /var/cache/nginx keys_zone=cache:20m levels=1:2 inactive=900s max_size=200m;
@@ -47,10 +55,26 @@ map $remote_addr $skip_cache_addr {
 "127.0.0.1" 1;
 }
+## We are ignoring internal activity
+# Expected internal activity:
+# - Access `_site/_php-fpm-status for healthcheck
+# - Access `/cron/$CRON_KEY`
+# - Access `/user/login` internally for healthcheck
+# If we did logged internal activity, only added points would be internal IP address and accessed endpoints
+# any extended activity that could change instance will be logged into drupal-logs in such cases
+
+map $http_x_forwarded_for $notInternal {
+ "" 0 ;
+ default 1;
+}
+
 server {
 #listen 8080 ssl;
 listen 8080;
+ access_log /dev/stdout log_drupal if=$notInternal;
+ error_log /dev/stderr warn;
+
 #ssl_certificate /etc/ssl/certs/ca-certificates.crt;
 #ssl_certificate_key /etc/ssl/certs/ca-cert-COMODO_Certification_Authority.pem;
 #ssl_session_cache shared:SSL:20m;
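Review bot: The new `log_format log_drupal` records `$http_x_forwarded_for` as the only client address, and that header is supplied by the client: a request that reaches port 8080 without passing through the front proxy can carry any value (or none), and the actual peer address is then not captured anywhere in the access log. Keep `$remote_addr` in the format alongside the header, e.g. `log_format log_drupal '[$time_local] - $remote_addr $http_x_forwarded_for _ $remote_user - "$request" '`, or, if a trusted proxy always fronts this container, use the realip module (`set_real_ip_from <PROXY-CIDR-PLACEHOLDER>; real_ip_header X-Forwarded-For;`) so that `$remote_addr` itself becomes the validated client address. The same header also drives the `$notInternal` map in the next hunk, so fixing the trust decision once (via realip or `$remote_addr`) covers both. Note too that `$http_x_forwarded_for` can hold a comma-and-space separated list, so the Fluentd pattern the comment refers to should not assume a single space-free token in that position.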
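Review bot: `map $http_x_forwarded_for $notInternal` together with `access_log /dev/stdout log_drupal if=$notInternal;` disables access logging for every request that arrives without an X-Forwarded-For header, and the presence of that header is decided by whoever sends the request; traffic hitting port 8080 directly rather than through the proxy therefore leaves no access-log entry, which is the opposite of what the comment block intends. Base "internal" on something the client cannot set, such as `$remote_addr` against the proxy/loopback addresses in a `geo` block (the file already keys `$skip_cache_addr` on `$remote_addr` and `"127.0.0.1"`), and keep the `default` branch as the logged case. Two smaller points in the same hunk: the comment `# - Access `_site/_php-fpm-status for healthcheck` has an unclosed backtick, and `$notInternal` / `"" 0 ;` differ from the file's `$skip_cache_addr` snake_case and `;` spacing, so `$not_internal` and `"" 0;` would match the surrounding style. The `server {` block continues outside the hunk.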
@@ -131,6 +155,11 @@ server {
 }
 location / {
+ # We want to keep real IPs
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
 # try_files $uri @rewrite; # For Drupal <= 6
 try_files $uri /index.php?$query_string; # For Drupal >= 7
 }
@@ -166,6 +195,11 @@ server {
 }
 # WebDAV Page
 location ^~ /_webdav {
+ # We want to pass the Real IP to WebDav
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
 fastcgi_cache_bypass $skip_cache;
 fastcgi_no_cache $skip_cache;
@@ -250,6 +284,12 @@ server {
 # pattern with front controllers other than update.php in a future
 # release.
 location ~ '\.php$|^/update.php' {
+
+ # Keeping real IPs that come from headers
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Request-Start "t=${msec}";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
 fastcgi_cache_bypass $skip_cache;
 fastcgi_no_cache $skip_cache;
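Review bot: The three `proxy_set_header` lines added to `location /` only apply to requests forwarded with `proxy_pass`; this location does nothing but `try_files` into `/index.php`, and the `/_webdav` and `\.php$|^/update.php` locations in the next two hunks are configured with `fastcgi_cache_bypass`, which suggests they hand off with `fastcgi_pass` (no `proxy_pass` is visible in any of the three hunks), in which case none of these headers reaches the backend. If that is so, the FastCGI equivalent is `fastcgi_param HTTP_X_REAL_IP $remote_addr;` and `fastcgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;` in the PHP location (or the shared fastcgi params include), and the copies in `location /` and `/_webdav` can be dropped; if a `proxy_pass` does exist in those blocks, a comment naming it next to these lines would spare the next reader the same question. `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever the client already sent, so the application must still treat every address in that list except the last as unverified. The enclosing `server {` block starts and ends outside the hunk.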