Nginx monster docker with logging headers

Instructions for building an nginx Docker image with many modules and enabling request-header logging.

Dockerfile

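# Builds nginx from source on Alpine together with a set of third-party modules
# (ngx_devel_kit, lua-nginx-module, LDAP auth, VTS, Postgres, Redis, srcache,
# echo, rds-json, form-input, substitutions filter), then removes the toolchain
# and keeps only the shared libraries the resulting binary needs.
#
# Build with: docker build --build-arg NGINX_VERSION=<version> .
#
# NOTE(review): alpine:3.9 is past end of support and no longer receives
# security fixes; move to a supported release and pin the base by digest.
FROM alpine:3.9.4
LABEL maintainer="a.v.galushko86@gmail.com"
ENV COMPILE_DIR=/build
ENV LIBRESSL_DIR=/libressl
# Parallelism passed to `make -j` for the nginx build.
ENV NB_PROC=4
# Required build argument; it has no default, so the RUN below checks it up front.
ARG NGINX_VERSION
ENV VERSION_PCRE=pcre-8.42
ENV VERSION_LIBRESSL=libressl-2.8.2
ENV VERSION_NGINX=nginx-$NGINX_VERSION
# NOTE(review): SOURCE_LIBRESSL, VERSION_LIBRESSL and STATICLIBSSL are not used
# by any step below (LibreSSL is never downloaded or built here); nginx is
# configured without --with-openssl, so it links against the system TLS library.
ENV SOURCE_LIBRESSL=http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/
ENV SOURCE_PCRE=https://ftp.pcre.org/pub/pcre/
ENV SOURCE_NGINX=https://nginx.org/download/
ENV STATICLIBSSL=$LIBRESSL_DIR/$VERSION_LIBRESSL
ENV VERSION_NGINX_DEVEL_KIT=0.3.1
ENV VERSION_LUA_NGINX_MODULE=0.10.15
ENV VERSION_LUA_JIT=2.0.5

# Single build layer: install packages, fetch sources, compile, then clean up.
#
# Changes from the original chain:
#   * The trailing `|| true` applied to the whole `&&` chain, so a failed
#     download or compile still produced a "successful" image without a working
#     nginx. It is removed; `rm -rf` does not fail on missing paths.
#   * A missing NGINX_VERSION build-arg now stops the build immediately.
#   * All sources are fetched over HTTPS (previously nginx and LuaJIT used
#     http:// and one clone used the unauthenticated git:// protocol).
#   * The two --with-ld-opt flags are merged; nginx's configure keeps only the
#     last one given, so "-lrt" was being dropped.
#   * Duplicate packages and configure flags are removed; `make -j` uses NB_PROC.
#
# NOTE(review): no tarball is checksum-verified and every git clone tracks the
# repository's default branch, so the build is neither reproducible nor
# tamper-evident. Record a SHA-256 for each tarball and check it after download,
# and check out a reviewed commit in each cloned module.
# NOTE(review): --with-debug compiles in debug logging; confirm it is wanted in
# a production image.
RUN : "${NGINX_VERSION:?pass --build-arg NGINX_VERSION=<version>}" \
    && deluser xfs \
    && addgroup -g 33 -S www-data \
    && adduser -u 33 -D -S -G www-data www-data \
    && apk add --no-cache \
        bash \
        ca-certificates \
        curl \
        libgcc \
        libpq \
        libressl \
        openldap-dev \
        pcre \
        postgresql-dev \
        tzdata \
        zlib \
    && apk add --no-cache --virtual .build-deps \
        autoconf \
        automake \
        bind-tools \
        binutils \
        build-base \
        ca-certificates \
        cmake \
        curl \
        file \
        gcc \
        gd-dev \
        geoip-dev \
        git \
        gnupg \
        libc-dev \
        libstdc++ \
        libtool \
        libxslt-dev \
        linux-headers \
        make \
        patch \
        pcre \
        pcre-dev \
        perl-dev \
        readline \
        su-exec \
        tar \
        zlib \
        zlib-dev \
    && mkdir -p "${COMPILE_DIR}" "${LIBRESSL_DIR}" \
    && wget -P "$COMPILE_DIR" "${SOURCE_PCRE}${VERSION_PCRE}.tar.gz" \
    && wget -P "$COMPILE_DIR" "${SOURCE_NGINX}${VERSION_NGINX}.tar.gz" \
    && wget -P "$COMPILE_DIR" "https://github.com/simplresty/ngx_devel_kit/archive/v${VERSION_NGINX_DEVEL_KIT}.tar.gz" \
    && wget -P "$COMPILE_DIR" "https://github.com/openresty/lua-nginx-module/archive/v${VERSION_LUA_NGINX_MODULE}.tar.gz" \
    #&& wget -P $COMPILE_DIR https://github.com/3078825/nginx-image/archive/master.zip \
    && wget -P "$COMPILE_DIR" "https://luajit.org/download/LuaJIT-${VERSION_LUA_JIT}.tar.gz" \
    && wget -P "$COMPILE_DIR" https://people.freebsd.org/~osa/ngx_http_redis-0.3.9.tar.gz \
    && git clone https://github.com/vozlt/nginx-module-vts.git "$COMPILE_DIR/nginx-module-vts" \
    && git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module.git "$COMPILE_DIR/ngx_http_substitutions_filter_module" \
    && git clone https://github.com/kvspb/nginx-auth-ldap.git "$COMPILE_DIR/nginx-auth-ldap" \
    && git clone https://github.com/openresty/ngx_postgres "$COMPILE_DIR/ngx_postgres" \
    && git clone https://github.com/openresty/srcache-nginx-module.git "$COMPILE_DIR/srcache-nginx-module" \
    && git clone https://github.com/openresty/echo-nginx-module.git "$COMPILE_DIR/echo-nginx-module" \
    && git clone https://github.com/openresty/redis2-nginx-module.git "$COMPILE_DIR/redis2-nginx-module" \
    && git clone https://github.com/openresty/rds-json-nginx-module.git "$COMPILE_DIR/rds-json-nginx-module" \
    && git clone https://github.com/calio/form-input-nginx-module "$COMPILE_DIR/form-input-nginx-module" \
    && cd "$COMPILE_DIR" \
    && tar xzf "$VERSION_NGINX.tar.gz" \
    && tar xzf ngx_http_redis-0.3.9.tar.gz \
    && tar xzf "$VERSION_PCRE.tar.gz" \
    && tar xzf "v${VERSION_NGINX_DEVEL_KIT}.tar.gz" \
    && tar xzf "v${VERSION_LUA_NGINX_MODULE}.tar.gz" \
    && tar xzf "LuaJIT-${VERSION_LUA_JIT}.tar.gz" \
    && cd "$COMPILE_DIR/LuaJIT-${VERSION_LUA_JIT}" && make && make install \
    && cd "$COMPILE_DIR/$VERSION_NGINX" && ./configure \
        --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' \
        --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed -lrt' \
        --sbin-path=/usr/sbin/nginx \
        --conf-path=/etc/nginx/nginx.conf \
        --error-log-path=/var/log/nginx/error.log \
        --http-log-path=/var/log/nginx/access.log \
        --lock-path=/var/lock/nginx.lock \
        --pid-path=/run/nginx.pid \
        --with-pcre="$COMPILE_DIR/$VERSION_PCRE" \
        --with-http_ssl_module \
        --with-http_v2_module \
        --with-file-aio \
        --with-http_sub_module \
        --with-http_gzip_static_module \
        --with-http_stub_status_module \
        --with-http_image_filter_module \
        --with-threads \
        --with-mail \
        --with-http_dav_module \
        --with-mail_ssl_module \
        --with-stream \
        --with-stream_realip_module \
        --with-stream_ssl_module \
        --with-stream_ssl_preread_module \
        --http-client-body-temp-path=/var/lib/nginx/body \
        --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
        --http-proxy-temp-path=/var/lib/nginx/proxy \
        --http-scgi-temp-path=/var/lib/nginx/scgi \
        --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
        --with-debug \
        --with-pcre-jit \
        --with-http_realip_module \
        --with-http_gunzip_module \
        --with-http_auth_request_module \
        --with-http_addition_module \
        --add-module="$COMPILE_DIR/ngx_devel_kit-${VERSION_NGINX_DEVEL_KIT}" \
        --add-module="$COMPILE_DIR/lua-nginx-module-${VERSION_LUA_NGINX_MODULE}" \
        --add-module="$COMPILE_DIR/ngx_http_substitutions_filter_module" \
        --add-module="$COMPILE_DIR/nginx-auth-ldap" \
        --add-module="$COMPILE_DIR/nginx-module-vts" \
        --add-module="$COMPILE_DIR/srcache-nginx-module" \
        --add-module="$COMPILE_DIR/echo-nginx-module" \
        --add-module="$COMPILE_DIR/redis2-nginx-module" \
        --add-module="$COMPILE_DIR/ngx_http_redis-0.3.9" \
        --add-module="$COMPILE_DIR/ngx_postgres" \
        --add-module="$COMPILE_DIR/rds-json-nginx-module" \
        --add-module="$COMPILE_DIR/form-input-nginx-module" \
    && make -j "${NB_PROC}" \
    && make install \
    && rm -rf "${COMPILE_DIR:?}"/* \
    && apk add --no-cache --virtual .gettext gettext \
    && mv /usr/bin/envsubst /tmp/ \
    && runDeps="$( \
        scanelf --needed --nobanner /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst \
            | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
            | sort -u \
            | xargs -r apk info --installed \
            | sort -u \
    ) sed tzdata ca-certificates tini shadow" \
    && apk add --no-cache --virtual .nginx-rundeps $runDeps \
    && apk del .build-deps \
    && apk del .gettext \
    && mv /tmp/envsubst /usr/local/bin/ \
    && ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log \
    && mkdir -p /var/www \
    && rm -rf /tmp/* /usr/src/* /var/cache/apk/* /root/.gnupg /libressl* /nginx*

# Runtime directories for request bodies, the proxy cache and PHP-FPM sockets.
#
# NOTE(review): mode 777 makes /caches/nginx and /fpm-sockets writable by every
# user in the container (and on any volume mounted there). Prefer ownership by
# the account that needs it (for example www-data) with a narrower mode, once
# the UID of whatever shares /fpm-sockets is confirmed.
# NOTE(review): no COPY/ADD in this Dockerfile places /docker-entrypoint.sh in
# the image and CMD does not call it; as shown, the final chmod fails. Either
# add the COPY for the script from the build context or drop that step.
RUN mkdir -p /var/lib/nginx/body /caches/nginx/proxy /fpm-sockets \
    && chmod 777 -R /caches/nginx /fpm-sockets \
    && chmod +x /docker-entrypoint.sh

EXPOSE 80 443
CMD ["nginx", "-g", "daemon off;"]
STOPSIGNAL SIGTERM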

Nginx config — nginx.conf

# Main nginx configuration: process settings, connection handling and HTTP
# defaults. Per-site configuration is pulled in by the include lines at the end
# of the http block.

# Worker processes run as www-data.
user                                 www-data;
worker_processes                     1;
# Update the cached time every 100ms instead of on every event-loop wakeup.
timer_resolution                     100ms;
# Raise the per-worker open-file limit.
worker_rlimit_nofile                 65536;
pid                                 /var/run/nginx.pid;
events {
    worker_connections                      2048;
    use                                     epoll;
    # Accept all pending connections at once rather than one per wakeup.
    multi_accept                            on;
}
http {
    # Offload blocking file reads to thread pools (nginx is built --with-threads).
    aio                         threads;
    include                     mime.types;
    default_type                application/octet-stream;
    # NOTE(review): these header buffers are far above nginx's defaults
    # (1k, and 4 buffers of 8k). A single request may use up to 100 x 256k of
    # header buffers, which raises the memory an unauthenticated client can make
    # the server allocate. Confirm the sizes are really needed.
    client_header_buffer_size   128k;
    large_client_header_buffers 100 256k;
    gzip                        on;
    gzip_comp_level             2;
    gzip_vary                   on;
    # Compress every response of at least 1 byte, i.e. effectively all of them.
    gzip_min_length             1;
    gzip_proxied                any;
    gzip_types                  text/plain
                                text/css
                                application/x-javascript
                                text/xml
                                application/xml
                                application/xml+rss
                                text/javascript
                                application/javascript
                                application/json;
    gzip_buffers                32 1024k;
    server_names_hash_max_size  2048;
    server_names_hash_bucket_size 512;
    postpone_output             1460;
    sendfile                    on;
    tcp_nopush                  on;
    tcp_nodelay                 on;
    # Largest request body accepted; anything bigger is rejected with 413.
    client_max_body_size        300M;
    # 75s server-side keep-alive; 20s advertised in the Keep-Alive response header.
    keepalive_timeout           75 20;
    charset                     utf-8;
    # Short read timeouts (seconds) for request headers and body.
    client_header_timeout           10;
    client_body_timeout             10;
    output_buffers                  8 512k;
    lingering_time                  30;
    lingering_timeout               6;
    send_timeout                7;
    # Send RST on timed-out connections so their memory is released at once.
    reset_timedout_connection   on;
    # Do not disclose the nginx version in the Server header or on error pages.
    server_tokens off;
    # Log format and access/error log destinations.
    include  /etc/nginx/nginx-logs.conf;
    #include blocked-ip.conf;
    # Per-site server blocks.
    include                     /etc/nginx/conf.d/*.conf;
    include                     /etc/nginx/proxy.d/*.conf;
    }

Config file nginx-logs.conf


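# Logging setup for the http context: a JSON access-log format and the log
# destinations. On the page this file was collapsed onto one line, which put the
# active error_log/access_log directives after a '#'; the line structure is
# restored here.

# Maps the response status to 0 for 2xx/3xx and 1 for everything else.
# NOTE(review): no access_log below uses it (there is no if=$loggable), so as
# written every request is logged regardless of status.
map $status $loggable {
    ~^[23]  0;
    default 1;
}

# One JSON object per request. escape=json makes nginx JSON-escape every
# variable value, so client-controlled fields cannot break the log line.
#
# NOTE(review): "$request_body" and "$request_headers" can contain passwords,
# session cookies and bearer tokens. Treat this log stream, and every system it
# is shipped to, as holding credentials, or drop/redact those two fields.
# NOTE(review): $request_headers is not a built-in variable; it is defined by
# the set_by_lua snippet in nginx-logs-headers.conf. nginx presumably rejects
# this format with an unknown-variable error if no loaded server block includes
# that snippet - confirm when enabling it selectively.
log_format json_combined escape=json
    '{'
    '"nginx.time":"$time_local",'
    '"nginx.host":"$host",'
    '"nginx.http_host":"$http_host",'
    '"nginx.remote_addr":"$remote_addr",'
    '"nginx.http_x_forwarded_for":"$http_x_forwarded_for",'
    '"nginx.request_method":"$request_method",'
    '"nginx.request":"$request",'
    '"nginx.status":"$status",'
    '"nginx.upstream_status":"$upstream_status",'
    '"nginx.body_bytes_sent":"$body_bytes_sent",'
    '"nginx.http_referer":"$http_referer",'
    '"nginx.request_time":"$request_time",'
    '"nginx.upstream_response_time":"$upstream_response_time",'
    '"nginx.upstream_http_x_cache":"$upstream_http_x_cache",'
    '"nginx.uri":"$uri",'
    '"nginx.upstream_addr":"$upstream_addr",'
    '"nginx.upstream_response_length":"$upstream_response_length",'
    '"nginx.server_name":"$server_name",'
    '"nginx.upstream_cache_status":"$upstream_cache_status",'
    '"nginx.user_agent":"$http_user_agent",'
    '"nginx.request_uri":"$scheme://$host$request_uri",'
    '"nginx.request_body":"$request_body",'
    '"nginx.request_headers":"$request_headers"'
    '}';

###remote_sending
#access_log syslog:server=rsyslog-forwarder:30010,facility=local7,tag=nginxaccess,severity=info json_combined;
#error_log syslog:server=rsyslog-forwarder:30010,facility=local7,tag=nginxerror,severity=error warn;
#access_log /dev/stdout compression;
error_log /dev/stdout;
access_log /dev/stdout json_combined;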

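Enable header logging. Request headers can carry credentials (for example Authorization and Cookie), so treat the resulting logs as sensitive data.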

Create file nginx-logs-headers.conf



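# Builds $request_headers, a single "name: value;" string holding the request's
# headers, for use in the json_combined log format.

# Accept header names containing underscores instead of discarding them.
# NOTE(review): backends that turn header names into CGI-style variables map
# both "-" and "_" to "_", so this can let a client shadow a header set by a
# trusted proxy. Confirm no upstream relies on such headers.
underscores_in_headers on;

set_by_lua_block $request_headers {
    -- Header names arrive lower-cased from ngx.req.get_headers().
    -- Values of credential-bearing headers are replaced so that tokens and
    -- session cookies do not end up in the log pipeline; extend this set with
    -- any application-specific secret headers.
    local redacted = {
        ["authorization"] = true,
        ["proxy-authorization"] = true,
        ["cookie"] = true,
    }

    local parts = {}
    for name, value in pairs(ngx.req.get_headers()) do
        if redacted[name] then
            value = "[redacted]"
        elseif type(value) == "table" then
            -- A header sent more than once is returned as a table; the
            -- original ".." concatenation raised an error on such requests.
            value = table.concat(value, ", ")
        end
        table.insert(parts, name .. ": " .. tostring(value) .. ";")
    end
    return table.concat(parts)
}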

Add this include to the domain's config file, inside the server block after the server_name directive:


# Relative path: resolved against the nginx configuration prefix (the directory
# that holds nginx.conf). Place it inside the server { } block, after server_name.
include nginx-logs-headers.conf;

Example of the Docker stdout logs after these steps (from Kibana)


{ "_index": "nginxaccess-2019.08.13", "_type": "_doc", "_id": "VMVeiWwBN-fu67bxSKcs", "_version": 1, "_score": null, "_ignored": [ "nginx.http_x_forwarded_for" ], "_source": { "nginx.time": "13/Aug/2019:10:04:41 +0500", "nginx.host": "itc-life.ru", "nginx.http_host": "itc-life.ru", "nginx.remote_addr": "10.8.0.12", "nginx.http_x_forwarded_for": "", "nginx.request_method": "GET", "nginx.request": "GET /wp-includes/js/wp-embed.min.js?ver=5.2.2 HTTP/2.0", "nginx.status": "200", "nginx.upstream_status": "", "nginx.body_bytes_sent": "765", "nginx.http_referer": "https://itc-life.ru/", "nginx.request_time": "0.000", "nginx.upstream_response_time": "", "nginx.upstream_http_x_cache": "", "nginx.uri": "/wp-includes/js/wp-embed.min.js", "nginx.upstream_addr": "", "nginx.upstream_response_length": "", "nginx.server_name": "itc-life.ru", "nginx.upstream_cache_status": "HIT", "nginx.user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "nginx.request_uri": "https://itc-life.ru/wp-includes/js/wp-embed.min.js?ver=5.2.2", "nginx.request_body": "", "nginx.request_headers": "host: itc-life.ru;accept-language: en-US,en;q=0.5;accept: */*;referer: https://itc-life.ru/;accept-encoding: gzip, deflate, br;user-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0;", "HOST_FROM": "elasticsearch.master", "@timestamp": "2019-08-13T10:05:44.893175369+05:00", "@log_name": "nginxaccess.docker" }, "fields": { "@timestamp": [ "2019-08-13T05:05:44.893Z" ] },
