Nginx monster docker with logging headers

Instruction about build docker nginx with many modules and enable headers logging

Dockerfile

FROM alpine:3.9.4
LABEL maintainer "a.v.galushko86@gmail.com"
ENV COMPILE_DIR /build
ENV LIBRESSL_DIR /libressl
ENV NB_PROC 4
ARG NGINX_VERSION
ENV VERSION_PCRE pcre-8.42
ENV VERSION_LIBRESSL libressl-2.8.2
ENV VERSION_NGINX nginx-$NGINX_VERSION
ENV SOURCE_LIBRESSL http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
ENV SOURCE_PCRE https://ftp.pcre.org/pub/pcre/
ENV SOURCE_NGINX http://nginx.org/download/
ENV STATICLIBSSL $LIBRESSL_DIR/$VERSION_LIBRESSL
ENV VERSION_NGINX_DEVEL_KIT 0.3.1
ENV VERSION_LUA_NGINX_MODULE 0.10.15
ENV VERSION_LUA_JIT 2.0.5
RUN deluser xfs \
    && addgroup -g 33 -S www-data \
    && adduser -u 33 -D -S -G www-data www-data \
    && apk add --no-cache \
     ca-certificates \
     openldap-dev \
     pcre \
     zlib \
     libgcc \
     bash \
     curl \
     libressl \
     tzdata \
     libpq \
     postgresql-dev \
   && apk add --no-cache --virtual .build-deps \
     build-base \
     autoconf \
     automake \
     bind-tools \
     binutils \
     build-base \
     ca-certificates \
     cmake \
     curl \
     file \
     gcc \
     gd-dev \
     geoip-dev \
     git \
     gnupg \
     libc-dev \
     libstdc++ \
     readline \
     libtool \
     libxslt-dev \
     linux-headers \
     make \
     patch \
     pcre \
     pcre-dev \
     perl-dev \
     su-exec \
     tar \
     zlib \
     zlib-dev \
 && mkdir -p ${COMPILE_DIR} && mkdir -p ${LIBRESSL_DIR} \
 && wget -P $COMPILE_DIR https://ftp.pcre.org/pub/pcre/${VERSION_PCRE}.tar.gz \
 && wget -P $COMPILE_DIR http://nginx.org/download/${VERSION_NGINX}.tar.gz \
 && wget -P $COMPILE_DIR https://github.com/simplresty/ngx_devel_kit/archive/v${VERSION_NGINX_DEVEL_KIT}.tar.gz \
 && wget -P $COMPILE_DIR https://github.com/openresty/lua-nginx-module/archive/v${VERSION_LUA_NGINX_MODULE}.tar.gz \
 #&& wget -P $COMPILE_DIR https://github.com/3078825/nginx-image/archive/master.zip \
 && wget -P $COMPILE_DIR  http://luajit.org/download/LuaJIT-${VERSION_LUA_JIT}.tar.gz \
 && wget -P $COMPILE_DIR https://people.freebsd.org/~osa/ngx_http_redis-0.3.9.tar.gz \
 && git clone git://github.com/vozlt/nginx-module-vts.git $COMPILE_DIR/nginx-module-vts \
 && git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module.git $COMPILE_DIR/ngx_http_substitutions_filter_module \
 && git clone https://github.com/kvspb/nginx-auth-ldap.git $COMPILE_DIR/nginx-auth-ldap \
 && git clone https://github.com/openresty/ngx_postgres $COMPILE_DIR/ngx_postgres \
 && git clone https://github.com/openresty/srcache-nginx-module.git $COMPILE_DIR/srcache-nginx-module \
 && git clone https://github.com/openresty/echo-nginx-module.git $COMPILE_DIR/echo-nginx-module \
 && git clone https://github.com/openresty/redis2-nginx-module.git $COMPILE_DIR/redis2-nginx-module \
 && git clone https://github.com/openresty/rds-json-nginx-module.git $COMPILE_DIR/rds-json-nginx-module \
 && git clone https://github.com/calio/form-input-nginx-module $COMPILE_DIR/form-input-nginx-module \
 && cd $COMPILE_DIR && tar xzf $VERSION_NGINX.tar.gz \
 && cd $COMPILE_DIR && tar xzf ngx_http_redis-0.3.9.tar.gz \
 && cd $COMPILE_DIR && tar xzf $VERSION_PCRE.tar.gz \
 && cd $COMPILE_DIR && tar xzf v${VERSION_NGINX_DEVEL_KIT}.tar.gz \
 && cd $COMPILE_DIR && tar xzf v${VERSION_LUA_NGINX_MODULE}.tar.gz \
 && cd $COMPILE_DIR && tar xzf LuaJIT-${VERSION_LUA_JIT}.tar.gz \
 && cd $COMPILE_DIR/LuaJIT-${VERSION_LUA_JIT} && make && make install \
 && cd $COMPILE_DIR/$VERSION_NGINX && ./configure \
--with-ld-opt="-lrt"  \
--with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' \
--with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \
--with-pcre=$COMPILE_DIR/$VERSION_PCRE \
--with-http_ssl_module \
--with-http_v2_module \
--with-file-aio \
--with-http_sub_module \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-http_image_filter_module \
--with-threads \
--with-mail \
--with-http_dav_module \
--with-mail_ssl_module \
--with-stream \
--with-stream_realip_module \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--with-debug \
--with-pcre-jit \
--with-http_stub_status_module \
--with-http_realip_module \
--with-http_gunzip_module \
--with-http_auth_request_module \
--with-http_addition_module \
--with-http_gzip_static_module \
--add-module=$COMPILE_DIR/ngx_devel_kit-${VERSION_NGINX_DEVEL_KIT} \
--add-module=$COMPILE_DIR/lua-nginx-module-${VERSION_LUA_NGINX_MODULE} \
--add-module=$COMPILE_DIR/ngx_http_substitutions_filter_module \
--add-module=$COMPILE_DIR/nginx-auth-ldap \
--add-module=$COMPILE_DIR/nginx-module-vts \
--add-module=$COMPILE_DIR/srcache-nginx-module \
--add-module=$COMPILE_DIR/echo-nginx-module \
--add-module=$COMPILE_DIR/redis2-nginx-module \
--add-module=$COMPILE_DIR/ngx_http_redis-0.3.9 \
--add-module=$COMPILE_DIR/ngx_postgres \
--add-module=$COMPILE_DIR/rds-json-nginx-module \
--add-module=$COMPILE_DIR/form-input-nginx-module \
&& cd $COMPILE_DIR/$VERSION_NGINX \
&& make  -j 4 \
&& make install && rm -rf $COMPILE_DIR/* \
&&  apk add --no-cache --virtual .gettext gettext \
  && mv /usr/bin/envsubst /tmp/ \
  && runDeps="$( \
    scanelf --needed --nobanner /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst \
      | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
      | sort -u \
      | xargs -r apk info --installed \
      | sort -u \
  ) sed tzdata ca-certificates tini shadow" \
  && apk add --no-cache --virtual .nginx-rundeps $runDeps \
  && apk del .build-deps \
  && apk del .gettext \
  && mv /tmp/envsubst /usr/local/bin/ \
  && ln -sf /dev/stdout /var/log/nginx/access.log \
  && ln -sf /dev/stderr /var/log/nginx/error.log \
  && mkdir -p /var/www \
  && rm -rf /tmp/* /usr/src/* /var/cache/apk/* /root/.gnupg /libressl* /nginx* || true
RUN mkdir -p /var/lib/nginx/body \
    && mkdir -p /caches/nginx/proxy \
    && mkdir -p /fpm-sockets \
    && chmod 777 -R  /caches/nginx /fpm-sockets \
    && chmod +x /docker-entrypoint.sh
  EXPOSE 80 443
  CMD ["nginx", "-g", "daemon off;"]
  STOPSIGNAL SIGTERM

Nginx config – nginx.conf

user                                 www-data;
worker_processes                     1;
timer_resolution                     100ms;
worker_rlimit_nofile                 65536;
pid                                 /var/run/nginx.pid;
events {
    worker_connections                      2048;
    use                                     epoll;
    multi_accept                            on;
}
http {
    aio                         threads;
    include                     mime.types;
    default_type                application/octet-stream;
    client_header_buffer_size   128k;
    large_client_header_buffers 100 256k;
    gzip                        on;
    gzip_comp_level             2;
    gzip_vary                   on;
    gzip_min_length             1;
    gzip_proxied                any;
    gzip_types                  text/plain
                                text/css
                                application/x-javascript
                                text/xml
                                application/xml
                                application/xml+rss
                                text/javascript
                                application/javascript
                                application/json;
    gzip_buffers                32 1024k;
    server_names_hash_max_size  2048;
    server_names_hash_bucket_size 512;
    postpone_output             1460;
    sendfile                    on;
    tcp_nopush                  on;
    tcp_nodelay                 on;
    client_max_body_size        300M;
    keepalive_timeout           75 20;
    charset                     utf-8;
    client_header_timeout           10;
    client_body_timeout             10;
    output_buffers                  8 512k;
    lingering_time                  30;
    lingering_timeout               6;
    send_timeout                7;
    reset_timedout_connection   on;
    server_tokens off;
    include  /etc/nginx/nginx-logs.conf;
    #include blocked-ip.conf;
    include                     /etc/nginx/conf.d/*.conf;
    include                     /etc/nginx/proxy.d/*.conf;
    }

Configfile nginx-logs.conf


map $status $loggable {
    ~^[23]  0;
    default 1;
}
log_format ltsv
                   '\tnginx.time:$time_local'
                   '\tnginx.host:$host'
                   '\tnginx.http_host:$http_host'
                   '\tnginx.remote_addr:$remote_addr'
                   '\tnginx.http_x_forwarded_for:$http_x_forwarded_for'
                   '\tnginx.request_method:$request_method'
                   '\tnginx.request:$request'
                   '\tnginx.status:$status'
                   '\tnginx.upstream_status:$upstream_status'
                   '\tnginx.body_bytes_sent:$body_bytes_sent'
                   '\tnginx.http_referer:$http_referer'
                   '\tnginx.request_time:$request_time'
                   '\tnginx.upstream_response_time:$upstream_response_time'
                   '\tnginx.upstream_http_x_cache:$upstream_http_x_cache'
                   '\tnginx.uri:$uri'
                   '\tnginx.upstream_addr:$upstream_addr'
                   '\tnginx.upstream_response_length:$upstream_response_length'
                   '\tnginx.server_name:$server_name'
                   '\tnginx.upstream_cache_status:$upstream_cache_status'
                   '\tnginx.user_agent:$http_user_agent'
                   '\tnginx.request_uri:$scheme://$host$request_uri'
                   '\tnginx.request_body:$request_body';
log_format json_combined escape=json
  '{'
                   '"nginx.time":"$time_local",'
                   '"nginx.host":"$host",'
                   '"nginx.http_host":"$http_host",'
                   '"nginx.remote_addr":"$remote_addr",'
                   '"nginx.http_x_forwarded_for":"$http_x_forwarded_for",'
                   '"nginx.request_method":"$request_method",'
                   '"nginx.request":"$request",'
                   '"nginx.status":"$status",'
                   '"nginx.upstream_status":"$upstream_status",'
                   '"nginx.body_bytes_sent":"$body_bytes_sent",'
                   '"nginx.http_referer":"$http_referer",'
                   '"nginx.request_time":"$request_time",'
                   '"nginx.upstream_response_time":"$upstream_response_time",'
                   '"nginx.upstream_http_x_cache":"$upstream_http_x_cache",'
                   '"nginx.uri":"$uri",'
                   '"nginx.upstream_addr":"$upstream_addr",'
                   '"nginx.upstream_response_length":"$upstream_response_length",'
                   '"nginx.server_name":"$server_name",'
                   '"nginx.upstream_cache_status":"$upstream_cache_status",'
                   '"nginx.user_agent":"$http_user_agent",'
                   '"nginx.request_uri":"$scheme://$host$request_uri",'
                   '"nginx.request_body":"$request_body",'
                   '"nginx.request_headers":"$req_headers",'
           '"nginx.resp_body":"$resp_body"'
  '}';
###remote_sending
#access_log syslog:server=rsyslog-forwarder:30010,facility=local7,tag=nginxaccess,severity=info json_combined;
#error_log syslog:server=rsyslog-forwarder:30010,facility=local7,tag=nginxerror,severity=error warn;
#access_log /dev/stdout compression;
error_log /dev/stdout;
access_log /dev/stdout json_combined;

Enable headers loging.

Create file nginx-logs-headers.conf


underscores_in_headers on;
     lua_need_request_body on;
        set $resp_body "";
        set $req_body "";
        set $req_headers "";
        rewrite_by_lua_block {
            local req_headers = "Headers: ";
            ngx.var.req_body = ngx.req.get_body_data();
            local h, err = ngx.req.get_headers()
            for k, v in pairs(h) do
                req_headers = req_headers .. k .. ": " .. v .. "\n";
            end
            ngx.var.req_headers = req_headers;
        }
        body_filter_by_lua '
        local resp_body = string.sub(ngx.arg[1], 1, 1000)
        ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
        if ngx.arg[2] then
          ngx.var.resp_body = ngx.ctx.buffered
        end
        ';

You need add this config in conf file with domain, after serve_name block


include nginx-logs-headers.conf;

Docker stdout logs example after this steps(from kibana)


{
  "_index": "nginxaccess-2019.08.13",
  "_type": "_doc",
  "_id": "VMVeiWwBN-fu67bxSKcs",
  "_version": 1,
  "_score": null,
  "_ignored": [
    "nginx.http_x_forwarded_for"
  ],
  "_source": {
    "nginx.time": "13/Aug/2019:10:04:41 +0500",
    "nginx.host": "itc-life.ru",
    "nginx.http_host": "itc-life.ru",
    "nginx.remote_addr": "10.8.0.12",
    "nginx.http_x_forwarded_for": "",
    "nginx.request_method": "GET",
    "nginx.request": "GET /wp-includes/js/wp-embed.min.js?ver=5.2.2 HTTP/2.0",
    "nginx.status": "200",
    "nginx.upstream_status": "",
    "nginx.body_bytes_sent": "765",
    "nginx.http_referer": "https://itc-life.ru/",
    "nginx.request_time": "0.000",
    "nginx.upstream_response_time": "",
    "nginx.upstream_http_x_cache": "",
    "nginx.uri": "/wp-includes/js/wp-embed.min.js",
    "nginx.upstream_addr": "",
    "nginx.upstream_response_length": "",
    "nginx.server_name": "itc-life.ru",
    "nginx.upstream_cache_status": "HIT",
    "nginx.user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
    "nginx.request_uri": "https://itc-life.ru/wp-includes/js/wp-embed.min.js?ver=5.2.2",
    "nginx.request_body": "",
    "nginx.request_headers": "host: itc-life.ru;accept-language: en-US,en;q=0.5;accept: */*;referer: https://itc-life.ru/;accept-encoding: gzip, deflate, br;user-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0;",
    "HOST_FROM": "elasticsearch.master",
    "@timestamp": "2019-08-13T10:05:44.893175369+05:00",
    "@log_name": "nginxaccess.docker"
  },
  "fields": {
    "@timestamp": [
      "2019-08-13T05:05:44.893Z"
    ]
  },

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *

 

Этот сайт использует Akismet для борьбы со спамом. Узнайте как обрабатываются ваши данные комментариев.