From f4509a6f313ff1131e8d61d6cb7bf401fb71d363 Mon Sep 17 00:00:00 2001
From: Francisco Borges Aurindo Barros
 <francisco.borges.aurindo.barros@cern.ch>
Date: Mon, 18 Jul 2022 13:31:46 +0200
Subject: [PATCH] Set nginx log format for Fluentd and include the client IP in
 nginx access logs

---
 images/nginx/config/nginx-server-default.conf | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/images/nginx/config/nginx-server-default.conf b/images/nginx/config/nginx-server-default.conf
index 83ff8e087..d3d7f0ad3 100644
--- a/images/nginx/config/nginx-server-default.conf
+++ b/images/nginx/config/nginx-server-default.conf
@@ -9,6 +9,14 @@ upstream webdav {
     server unix:/var/run/webdav.sock;
 }
 
+## Log format expected by Fluentd and having real IP shown into the Nginx logs
+## If log format is to be changed, please note the fluentd pattern
+# TODO: Have fluentd configuration link here
+log_format log_drupal '[$time_local] - $http_x_forwarded_for _ $remote_user - "$request" '
+                    'S:$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" -T:$request_time';
+
+
 ## Global cache configuration ##
 
 fastcgi_cache_path /var/cache/nginx keys_zone=cache:20m levels=1:2 inactive=900s max_size=200m;
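Review bot: The new `log_drupal` format records `$http_x_forwarded_for` as the client address and drops `$remote_addr` entirely, so the only address in the access log is a request header that any client can set or strip; nothing in this file marks a trusted proxy, so the logged "real IP" is not evidence of where a request came from. Prefer letting the realip module resolve the address from the ingress hop, `set_real_ip_from <ingress CIDR>; real_ip_header X-Forwarded-For; real_ip_recursive on;`, and then log `$remote_addr` (optionally alongside the raw header for debugging). If the format must keep the raw header, say so in the comment, e.g. `# $http_x_forwarded_for is client-supplied and unauthenticated; do not treat it as the source address`. Since the line is consumed by Fluentd, `log_format log_drupal escape=json ...` also avoids surprises from quotes and control characters in user-controlled fields such as the referer and user agent (nginx's default escaping already neutralises newlines, but the JSON form is easier to parse).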
@@ -47,10 +55,26 @@ map $remote_addr $skip_cache_addr {
     "127.0.0.1" 1;
 }
 
+## We are ignoring internal activity
+# Expected internal activity:
+#   - Access `_site/_php-fpm-status for healthcheck
+#   - Access `/cron/$CRON_KEY`
+#   - Access `/user/login` internally for healthcheck
+# If we did logged internal activity, only added points would be internal IP address and accessed endpoints
+# any extended activity that could change instance will be logged into drupal-logs in such cases
+
+map $http_x_forwarded_for $notInternal {
+  "" 0 ;
+  default 1;
+}
+
 server {
     #listen 8080 ssl;
     listen 8080;
 
+    access_log /dev/stdout log_drupal if=$notInternal;
+    error_log /dev/stderr warn;
+
     #ssl_certificate        /etc/ssl/certs/ca-certificates.crt;
     #ssl_certificate_key    /etc/ssl/certs/ca-cert-COMODO_Certification_Authority.pem;
     #ssl_session_cache     shared:SSL:20m;
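Review bot: The `$notInternal` map classifies "internal" by the absence of `X-Forwarded-For`, so any request that reaches port 8080 without going through the proxy, or whose header was stripped, is silently excluded from the access log, while a health checker that happens to send the header is logged; that is a logging blind spot keyed on an attacker-controlled header rather than on the peer. The file already has the right pattern in `$skip_cache_addr`: mirror it with `map $remote_addr $notInternal { "127.0.0.1" 0; default 1; }` (extending the list to the known health-check source addresses) so the decision is based on the TCP peer. The comment block should also warn that `/cron/$CRON_KEY` puts a secret in the request path, which is captured in `$request` whenever that URL is reached from outside; something like `# NOTE: the cron key appears in $request if /cron/... is hit through the proxy` would make that visible. The `server` block continues past the end of this hunk.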
@@ -131,6 +155,11 @@ server {
     }
 
     location / {
+        # We want to keep real IPs
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Request-Start "t=${msec}";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
         # try_files $uri @rewrite; # For Drupal <= 6
         try_files $uri /index.php?$query_string; # For Drupal >= 7
     }
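Review bot: The three `proxy_set_header` directives in `location /` have no effect, because `proxy_set_header` only applies when a request is handled by `proxy_pass`, and this location (fully visible here) does nothing but `try_files`; the internal redirect to `/index.php` is then served by the `.php` location, which does not inherit directives from a sibling location. Either drop these lines or, if the intent is to carry the address into PHP, set it where the FastCGI call happens, e.g. `fastcgi_param HTTP_X_REAL_IP $remote_addr;` next to the `fastcgi_pass`. The comment `# We want to keep real IPs` should then explain which consumer reads the header, since as written nothing does.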
@@ -166,6 +195,11 @@ server {
     }
     # WebDAV Page
     location ^~ /_webdav {
+        # We want to pass the Real IP to WebDav
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Request-Start "t=${msec}";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
         fastcgi_cache_bypass $skip_cache;
         fastcgi_no_cache $skip_cache;
 
@@ -250,6 +284,12 @@ server {
     # pattern with front controllers other than update.php in a future
     # release.
     location ~ '\.php$|^/update.php' {
+
+        # Keeping real IPs that come from headers
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Request-Start "t=${msec}";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
         fastcgi_cache_bypass $skip_cache;
         fastcgi_no_cache $skip_cache;
 
-- 
GitLab