diff --git a/README.md b/README.md index deb7212..59fb09e 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,11 @@ Additionally, logs are also stored in /opt/flownative/log/nginx-error.log and /opt/flownative/log/nginx-access.log. If the log format is "json", the access log file is /opt/flownative/log/nginx-access.json.log -The log level for error can be defined via the `NGINX_LOG_LEVEL` +Note that the error log only contains errors related to the webserver itself. +Requests resulting in status codes like 404 (not found) or 503 (internal +server error) are logged to the access log, if it is enabled. + +The log level for the error log can be defined via the `NGINX_LOG_LEVEL` environment variable. See the [Nginx documentation](https://docs.nginx.com/nginx/admin-guide/monitoring/logging/) for possible values. The default value is `warn`. 
@@ -58,41 +62,55 @@ behind a reverse proxy. Instead of the default format, a JSON format can be used by setting `NGINX_ACCESS_LOG_FORMAT` to "json". +The access log may contain a lot of entries, if enabled. If you are only +interested in requests resulting in certain status codes (for example +internal server errors), you can define a regular expression which filters out +other log entries. Setting `NGINX_ACCESS_LOG_IGNORED_STATUS_CODES_REGEX` to +"^[234]" will ignore all responses whose status code starts with "2", "3" or +"4" respectively. Therefore, only 5xx errors will then end up in the access +log. + +By default, connection-related status (1xx) and redirects (3xx) will be ignored. + +NOTE: Be careful when specifying the regular expression, because syntax +errors might keep Nginx from starting. + ### Environment variables -| Variable Name | Type | Default | Description | -|:-----------------------------------------|:--------|:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| NGINX_BASE_PATH | string | /opt/flownative/nginx | Base path for Nginx | -| NGINX_ERROR_LOG_LEVEL | string | warn | Nginx log level (see [documentation](https://docs.nginx.com/nginx/admin-guide/monitoring/logging/)) | -| NGINX_ACCESS_LOG_ENABLE | boolean | no | Nginx log level (see [documentation](https://docs.nginx.com/nginx/admin-guide/monitoring/logging/)) | -| NGINX_ACCESS_LOG_FORMAT | string | default | Format of the access log; possible values are "default" and "json" | -| NGINX_ACCESS_LOG_MODE | string | dynamic | Defines which requests should be logged: "dynamic" only logs dynamic requests to PHP, "all" also includes requests to static files | -| NGINX_CACHE_ENABLE | boolean | no | If the FastCGI cache should be enabled; see section about caching | -| NGINX_CACHE_NAME | string | 
application | Name of the memory zone Nginx should use for caching | -| NGINX_CACHE_DEFAULT_LIFETIME | string | 5s | Default cache lifetime to use when caching is enabled | -| NGINX_CACHE_MAX_SIZE | string | 1024m | Maximum memory size for the FastCGI cache | -| NGINX_CACHE_INACTIVE | string | 1h | Time after which cache entries are removed automatically | -| NGINX_CACHE_USE_STALE_OPTIONS | string | updating error timeout invalid_header | Options to pass to the `fastcgi_cache_use_stale` directive | -| NGINX_CACHE_BACKGROUND_UPDATE | boolean | off | If background updates should be enabled | -| NGINX_CUSTOM_ERROR_PAGE_CODES | string | 500 501 502 503 | FastCGI error codes which should redirect to the custom error page | -| NGINX_CUSTOM_ERROR_PAGE_TARGET | string | | Upstream URL to use for custom FastCGI error pages | -| NGINX_STATIC_ROOT | string | /var/www/html | Document root path for when BEACH_NGINX_MODE is "Static" | -| NGINX_STRICT_TRANSPORT_SECURITY_ENABLE | boolean | no | If Strict-Transport-Security headers should be sent (HSTS) | -| NGINX_STRICT_TRANSPORT_SECURITY_PRELOAD | boolean | no | If site should be added to list of HTTPS-only sites by Google and others | -| NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE | boolean | 31536000 | Maxmimum age for Strict-Transport-Security header, if enabled | -| NGINX_AUTH_BASIC_REALM | string | off | Realm for HTTP Basic Authentication; if "off", authentication is disabled | -| NGINX_AUTH_BASIC_USERNAME | string | | Username for HTTP Basic Authentication | -| NGINX_AUTH_BASIC_ENCODED_HASHED_PASSWORD | string | | Base64-encoded hashed password (using httpasswd) for HTTP Basic Authentication | -| NGINX_ENABLE_UNDERSCORES_IN_HEADERS | boolean | no | Enables or disables the use of underscores in client request header fields. 
| -| BEACH_NGINX_CUSTOM_METRICS_ENABLE | boolean | no | If support for a custom metrics endpoint should be enabled | -| BEACH_NGINX_CUSTOM_METRICS_SOURCE_PATH | string | /metrics | Path where metrics are located | -| BEACH_NGINX_CUSTOM_METRICS_TARGET_PORT | integer | 8082 | Port at which Nginx should listen to provide the metrics for scraping | -| BEACH_NGINX_MODE | string | Flow | Either "Flow" or "Static"; this variable is going to be renamed in the future | -| BEACH_ASSET_PROXY_ENDPOINT | string | | Endpoint of a cloud storage frontend to use for proxying requests to Flow persistent resources. Requires BEACH_PERSISTENT_RESOURCES_BASE_PATH to be set. Example: "https://assets.flownative.com/example-bucket/" | -| BEACH_ASSET_PROXY_RESOLVER | string | 8.8.8.8 | IP address of a DNS server to use for resolving domains when proxying assets. Set this to 127.0.0.11 when using Local Beach. | -| BEACH_PERSISTENT_RESOURCES_BASE_PATH | string | | Base path of URLs pointing to Flow persistent resources; example: "https://www.flownative.com/assets/" | -| BEACH_STATIC_RESOURCES_LIFETIME | string | 30d | Expiration time for static resources; examples: "3600s" or "7d" or "max" | -| FLOW_HTTP_TRUSTED_PROXIES | string | 10.0.0.0/8 | Nginx passes FLOW_HTTP_TRUSTED_PROXIES to the virtual host using the value of this variable | +| Variable Name | Type | Default | Description | +|:---------------------------------------------|:--------|:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| NGINX_BASE_PATH | string | /opt/flownative/nginx | Base path for Nginx | +| NGINX_ERROR_LOG_LEVEL | string | warn | Nginx log level (see [documentation](https://docs.nginx.com/nginx/admin-guide/monitoring/logging/)) | +| NGINX_ACCESS_LOG_ENABLE | boolean | no | Nginx log level (see 
[documentation](https://docs.nginx.com/nginx/admin-guide/monitoring/logging/)) | +| NGINX_ACCESS_LOG_FORMAT | string | default | Format of the access log; possible values are "default" and "json" | +| NGINX_ACCESS_LOG_MODE | string | dynamic | Defines which requests should be logged: "dynamic" only logs dynamic requests to PHP, "all" also includes requests to static files | +| NGINX_ACCESS_LOG_IGNORED_STATUS_CODES_REGEX | string | ^[13] | Regular expression which defines which status codes should NOT be logged into the access log | +| NGINX_CACHE_ENABLE | boolean | no | If the FastCGI cache should be enabled; see section about caching | +| NGINX_CACHE_NAME | string | application | Name of the memory zone Nginx should use for caching | +| NGINX_CACHE_DEFAULT_LIFETIME | string | 5s | Default cache lifetime to use when caching is enabled | +| NGINX_CACHE_MAX_SIZE | string | 1024m | Maximum memory size for the FastCGI cache | +| NGINX_CACHE_INACTIVE | string | 1h | Time after which cache entries are removed automatically | +| NGINX_CACHE_USE_STALE_OPTIONS | string | updating error timeout invalid_header | Options to pass to the `fastcgi_cache_use_stale` directive | +| NGINX_CACHE_BACKGROUND_UPDATE | boolean | off | If background updates should be enabled | +| NGINX_CUSTOM_ERROR_PAGE_CODES | string | 500 501 502 503 | FastCGI error codes which should redirect to the custom error page; codes are separated by spaces | +| NGINX_CUSTOM_ERROR_PAGE_TARGET | string | | Upstream URL to use for custom FastCGI error pages, for example https://example.com/maintenance.html | +| NGINX_STATIC_ROOT | string | /var/www/html | Document root path for when BEACH_NGINX_MODE is "Static" | +| NGINX_STRICT_TRANSPORT_SECURITY_ENABLE | boolean | no | If Strict-Transport-Security headers should be sent (HSTS) | +| NGINX_STRICT_TRANSPORT_SECURITY_PRELOAD | boolean | no | If site should be added to list of HTTPS-only sites by Google and others | +| NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE | boolean 
| 31536000 | Maxmimum age for Strict-Transport-Security header, if enabled | +| NGINX_AUTH_BASIC_REALM | string | off | Realm for HTTP Basic Authentication; if "off", authentication is disabled | +| NGINX_AUTH_BASIC_USERNAME | string | | Username for HTTP Basic Authentication | +| NGINX_AUTH_BASIC_ENCODED_HASHED_PASSWORD | string | | Base64-encoded hashed password (using httpasswd) for HTTP Basic Authentication | +| NGINX_ENABLE_UNDERSCORES_IN_HEADERS | boolean | no | Enables or disables the use of underscores in client request header fields. | +| BEACH_NGINX_CUSTOM_METRICS_ENABLE | boolean | no | If support for a custom metrics endpoint should be enabled | +| BEACH_NGINX_CUSTOM_METRICS_SOURCE_PATH | string | /metrics | Path where metrics are located | +| BEACH_NGINX_CUSTOM_METRICS_TARGET_PORT | integer | 8082 | Port at which Nginx should listen to provide the metrics for scraping | +| BEACH_NGINX_MODE | string | Flow | Either "Flow" or "Static"; this variable is going to be renamed in the future | +| BEACH_ASSET_PROXY_ENDPOINT | string | | Endpoint of a cloud storage frontend to use for proxying requests to Flow persistent resources. Requires BEACH_PERSISTENT_RESOURCES_BASE_PATH to be set. Example: "https://assets.flownative.com/example-bucket/" | +| BEACH_ASSET_PROXY_RESOLVER | string | 8.8.8.8 | IP address of a DNS server to use for resolving domains when proxying assets. Set this to 127.0.0.11 when using Local Beach. | +| BEACH_PERSISTENT_RESOURCES_BASE_PATH | string | | Base path of URLs pointing to Flow persistent resources; example: "https://www.flownative.com/assets/" | +| BEACH_STATIC_RESOURCES_LIFETIME | string | 30d | Expiration time for static resources; examples: "3600s" or "7d" or "max" | +| FLOW_HTTP_TRUSTED_PROXIES | string | 10.0.0.0/8 | Nginx passes FLOW_HTTP_TRUSTED_PROXIES to the virtual host using the value of this variable | ## Asset Proxy 
diff --git a/root-files/opt/flownative/lib/nginx-legacy.sh b/root-files/opt/flownative/lib/nginx-legacy.sh
index 00de60f..377914f 100644
--- a/root-files/opt/flownative/lib/nginx-legacy.sh
+++ b/root-files/opt/flownative/lib/nginx-legacy.sh
@@ -58,6 +58,7 @@ export BEACH_NGINX_CUSTOM_METRICS_ENABLE=${BEACH_NGINX_CUSTOM_METRICS_ENABLE:-fa
 export BEACH_NGINX_CUSTOM_METRICS_SOURCE_PATH=${BEACH_NGINX_CUSTOM_METRICS_SOURCE_PATH:-/metrics}
 export BEACH_NGINX_CUSTOM_METRICS_TARGET_PORT=${BEACH_NGINX_CUSTOM_METRICS_TARGET_PORT:-8082}
+export BEACH_NGINX_CUSTOM_ERROR_PAGE_TARGET="${BEACH_NGINX_CUSTOM_ERROR_PAGE_TARGET:-}"
 export NGINX_CUSTOM_ERROR_PAGE_TARGET=${NGINX_CUSTOM_ERROR_PAGE_TARGET:-${BEACH_NGINX_CUSTOM_ERROR_PAGE_TARGET:-}}
 export NGINX_STRICT_TRANSPORT_SECURITY_ENABLE=${NGINX_STRICT_TRANSPORT_SECURITY_ENABLE:-no}
@@ -161,10 +162,10 @@ EOM
 if is_boolean_yes "${NGINX_ACCESS_LOG_ENABLE}"; then
 if [ "${NGINX_ACCESS_LOG_FORMAT}" == "json" ]; then
 info "Nginx: Enabling access log using format 'json' ..."
- dynamicAccessLogDirective=" access_log ${FLOWNATIVE_LOG_PATH}/nginx-access.json.log main_json buffer=256k flush=5s;"
+ dynamicAccessLogDirective=" access_log ${FLOWNATIVE_LOG_PATH}/nginx-access.json.log main_json buffer=256k flush=5s if=\$status_is_enabled_for_access_log;"
 else
 info "Nginx: Enabling access log using format 'default' ..."
- dynamicAccessLogDirective=" access_log ${FLOWNATIVE_LOG_PATH}/nginx-access.log main_ext buffer=256k flush=5s;"
+ dynamicAccessLogDirective=" access_log ${FLOWNATIVE_LOG_PATH}/nginx-access.log main_ext buffer=256k flush=5s if=\$status_is_enabled_for_access_log;"
 fi
 else
 info "Nginx: Access log is disabled"
diff --git a/root-files/opt/flownative/lib/nginx.sh b/root-files/opt/flownative/lib/nginx.sh
index 00eb6d1..33b87e9 100755
--- a/root-files/opt/flownative/lib/nginx.sh
+++ b/root-files/opt/flownative/lib/nginx.sh
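Review bot: The added `export BEACH_NGINX_CUSTOM_ERROR_PAGE_TARGET="${BEACH_NGINX_CUSTOM_ERROR_PAGE_TARGET:-}"` line in the first nginx-legacy.sh hunk carries no comment saying why a legacy-prefixed variable now has to be exported, and the line after it still has its own `${BEACH_NGINX_CUSTOM_ERROR_PAGE_TARGET:-}` fallback, so the reason cannot be read from the hunk. If the intent is to keep the name defined for a template or strict-mode shell that still references it, which is an assumption on my part, a comment such as `# Deprecated alias of NGINX_CUSTOM_ERROR_PAGE_TARGET; exported (empty by default) so it is always defined` would make that explicit. The new line is quoted while its neighbours are not; quoting the neighbouring expansions the same way would keep the block consistent.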
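Review bot: The `if=\$status_is_enabled_for_access_log` condition in the second nginx-legacy.sh hunk is attached only to the two `dynamicAccessLogDirective` strings, and it relies on a variable that this commit defines in the `http` block of nginx.conf.template. Any other `access_log` directive rendered outside this function would keep logging every status code, and a configuration that includes these directives without that `map` would fail to load; neither can be checked from the hunk, so both should be confirmed. The two branches now differ only in file name and format name, so the shared tail could be built once, e.g. `accessLogOptions="buffer=256k flush=5s if=\$status_is_enabled_for_access_log"`, which keeps the condition from drifting between formats. The enclosing function starts and ends outside the hunk.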
@@ -28,6 +28,7 @@ export NGINX_ERROR_LOG_LEVEL="${NGINX_ERROR_LOG_LEVEL:-${NGINX_LOG_LEVEL:-warn}}
 export NGINX_ACCESS_LOG_ENABLE="${NGINX_ACCESS_LOG_ENABLE:-false}"
 export NGINX_ACCESS_LOG_MODE="${NGINX_ACCESS_LOG_MODE:-dynamic}"
 export NGINX_ACCESS_LOG_FORMAT="${NGINX_ACCESS_LOG_FORMAT:-default}"
+export NGINX_ACCESS_LOG_IGNORED_STATUS_CODES_REGEX="${NGINX_ACCESS_LOG_IGNORED_STATUS_CODES_REGEX:-^[13]}"
 export NGINX_CACHE_PATH="${NGINX_CACHE_PATH:-${NGINX_BASE_PATH}/cache}"
 export NGINX_CACHE_ENABLE="${NGINX_CACHE_ENABLE:-no}"
diff --git a/root-files/opt/flownative/nginx/etc/nginx.conf.template b/root-files/opt/flownative/nginx/etc/nginx.conf.template
index 52c7ee5..1c24f25 100644
--- a/root-files/opt/flownative/nginx/etc/nginx.conf.template
+++ b/root-files/opt/flownative/nginx/etc/nginx.conf.template
@@ -27,6 +27,11 @@ http {
 tcp_nopush on;
 tcp_nodelay on;
+ map $$status $$status_is_enabled_for_access_log {
+ ~${NGINX_ACCESS_LOG_IGNORED_STATUS_CODES_REGEX} 0;
+ default 1;
+ }
+
 log_format main_ext '$$remote_addr - $$remote_user [$$time_local] "$$request" '
 '$$status $$body_bytes_sent "$$http_referer" '
 '"$$http_user_agent" "$$http_x_forwarded_for" '
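Review bot: The default `^[13]` on the new `NGINX_ACCESS_LOG_IGNORED_STATUS_CODES_REGEX` export changes what an existing deployment records: 1xx and 3xx responses stop reaching the access log unless the operator overrides the variable. Because the expansion uses `:-`, setting the variable to an empty string falls back to `^[13]` instead of switching the filter off. Deployments that use the access log for incident review lose redirect entries without opting in, and a broader pattern such as the README's `^[234]` also removes the 401/403/404 entries that show scanning or credential guessing. I would put a comment above the export, e.g. `# Status codes matching this regex are NOT written to the access log; set a never-matching pattern such as ^$ to log everything`, and have the script reject obviously malformed values before they reach the template.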
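Review bot: `~${NGINX_ACCESS_LOG_IGNORED_STATUS_CODES_REGEX} 0;` in the new `map` block writes the environment value into the configuration unquoted, so a pattern containing whitespace, `;`, `{` or `}` ends the map parameter early and the rest is parsed as configuration. Nginx needs patterns with those characters quoted (a quantifier like `^5[0-9]{2}$` is an ordinary case), so the line should read `"~${NGINX_ACCESS_LOG_IGNORED_STATUS_CODES_REGEX}" 0;`. Quoting does not cover a `"` inside the value, so the startup script should still restrict the value to an expected character set or run `nginx -t` on the rendered file and fail with a clear message. The `http` block continues outside the hunk.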