Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enable-access-log: false doesnt work as expected #3448

Closed
day0ops opened this issue Nov 21, 2018 · 2 comments
Closed

enable-access-log: false doesnt work as expected #3448

day0ops opened this issue Nov 21, 2018 · 2 comments

Comments

@day0ops
Copy link

day0ops commented Nov 21, 2018

NGINX Ingress controller version:
0.19.0

Kubernetes version:
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.7", GitCommit:"0c38c362511b20a098d7cd855f1314dad92c2780", GitTreeState:"clean", BuildDate:"2018-08-20T10:09:03Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.2-gke.18", GitCommit:"5796233393d7bc034428de15191ad3d2eaff95fb", GitTreeState:"clean", BuildDate:"2018-11-08T20:49:08Z", GoVersion:"go1.10.3b4", Compiler:"gc", Platform:"linux/amd64"}

Environment:
GKE

What happened:
Despite of adding nginx.ingress.kubernetes.io/enable-access-log: false in the ingress doesnt seem to disable logging.

What you expected to happen:
Nginx controller should log any requests

How to reproduce it:
Added nginx.ingress.kubernetes.io/enable-access-log: false as follows,

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kb-kibana
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/auth-signin: https://oauth2.test.test.com/oauth2/start
    nginx.ingress.kubernetes.io/auth-url: http://op-oauth2-proxy.control.svc.cluster.local:4180/oauth2/auth
    nginx.ingress.kubernetes.io/enable-access-log: "false"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/secure-backends: "false"
    nginx.ingress.kubernetes.io/ssl-passthrough: "false"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
  - host: kibana.test.com
    http:
      paths:
      - backend:
          serviceName: kb-kibana
          servicePort: 5601
        path: /
  tls:
  - hosts:
    - kibana.test.com
    secretName: kb-kibana-tls

I can see in the nginx.conf that it has added the access_log off; switch in the location block,

              location ~ / {

                        set $namespace      "monitoring";
                        set $ingress_name   "kb-kibana";
                        set $service_name   "kb-kibana";
                        set $service_port   "5601";
                        set $location_path  "/";

                        rewrite_by_lua_block {

                                balancer.rewrite()

                        }

                        log_by_lua_block {

                                balancer.log()

                                monitor.call()
                        }

                        if ($scheme = https) {
                                more_set_headers                        "Strict-Transport-Security: max-age=15724800; includeSubDomains";
                        }

                        access_log off;

However, the logging still shows the requests.

{"proxy_protocol_addr": "","remote_addr": "xxx.xxx.xxx.xx", "proxy_add_x_forwarded_for": "xxx.xxx.xxx.xx, xxx.xxx.xxx.xx", "remote_user": "", "time_local": "21/Nov/2018:09:53:39 +0000", "request" : "GET / HTTP/1.1", "status": "202", "body_bytes_sent": "0", "http_referer":  "", "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "request_length" : "0", "request_time": "0.004", "proxy_upstream_name": "monitoring-kb-kibana-5601", "upstream_addr": "xxx.xxx.xxx.xx:4180",  "upstream_response_length": "0", "upstream_response_time": "0.003", "upstream_status": "202", "request_body": "", "http_authorization": ""}
{"proxy_protocol_addr": "","remote_addr": "xxx.xxx.xxx.xx", "proxy_add_x_forwarded_for": "xxx.xxx.xxx.xx, xxx.xxx.xxx.xx", "remote_user": "", "time_local": "21/Nov/2018:09:53:40 +0000", "request" : "GET /app/kibana HTTP/1.1", "status": "202", "body_bytes_sent": "0", "http_referer":  "https://kibana.test.com/", "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "request_length" : "0", "request_time": "0.001", "proxy_upstream_name": "monitoring-kb-kibana-5601", "upstream_addr": "xxx.xxx.xxx.xx:4180",  "upstream_response_length": "0", "upstream_response_time": "0.001", "upstream_status": "202", "request_body": "", "http_authorization": ""}
{"proxy_protocol_addr": "","remote_addr": "xxx.xxx.xxx.xx", "proxy_add_x_forwarded_for": "xxx.xxx.xxx.xx, xxx.xxx.xxx.xx", "remote_user": "", "time_local": "21/Nov/2018:09:53:42 +0000", "request" : "GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=es_6_0 HTTP/1.1", "status": "202", "body_bytes_sent": "0", "http_referer":  "https://kibana.test.com/app/kibana", "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "request_length" : "0", "request_time": "0.002", "proxy_upstream_name": "monitoring-kb-kibana-5601", "upstream_addr": "xxx.xxx.xxx.xx:4180",  "upstream_response_length": "0", "upstream_response_time": "0.001", "upstream_status": "202", "request_body": "", "http_authorization": ""}
{"proxy_protocol_addr": "","remote_addr": "xxx.xxx.xxx.xx", "proxy_add_x_forwarded_for": "xxx.xxx.xxx.xx, xxx.xxx.xxx.xx", "remote_user": "", "time_local": "21/Nov/2018:09:53:43 +0000", "request" : "GET /plugins/kibana/assets/discover.svg HTTP/1.1", "status": "202", "body_bytes_sent": "0", "http_referer":  "https://kibana.test.com/app/kibana", "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "request_length" : "0", "request_time": "0.001", "proxy_upstream_name": "monitoring-kb-kibana-5601", "upstream_addr": "xxx.xxx.xxx.xx:4180",  "upstream_response_length": "0", "upstream_response_time": "0.001", "upstream_status": "202", "request_body": "", "http_authorization": ""}
{"proxy_protocol_addr": "","remote_addr": "xxx.xxx.xxx.xx", "proxy_add_x_forwarded_for": "xxx.xxx.xxx.xx, xxx.xxx.xxx.xx", "remote_user": "", "time_local": "21/Nov/2018:09:53:43 +0000", "request" : "GET /plugins/timelion/icon.svg HTTP/1.1", "status": "202", "body_bytes_sent": "0", "http_referer":  "https://kibana.test.com/app/kibana", "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "request_length" : "0", "request_time": "0.001", "proxy_upstream_name": "monitoring-kb-kibana-5601", "upstream_addr": "xxx.xxx.xxx.xx:4180",  "upstream_response_length": "0", "upstream_response_time": "0.000", "upstream_status": "202", "request_body": "", "http_authorization": ""}
{"proxy_protocol_addr": "","remote_addr": "xxx.xxx.xxx.xx", "proxy_add_x_forwarded_for": "xxx.xxx.xxx.xx, xxx.xxx.xxx.xx", "remote_user": "", "time_local": "21/Nov/2018:09:53:43 +0000", "request" : "GET /plugins/kibana/assets/settings.svg HTTP/1.1", "status": "202", "body_bytes_sent": "0", "http_referer":  "https://kibana.test.com/app/kibana", "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "request_length" : "0", "request_time": "0.029", "proxy_upstream_name": "monitoring-kb-kibana-5601", "upstream_addr": "xxx.xxx.xxx.xx:4180",  "upstream_response_length": "0", "upstream_response_time": "0.030", "upstream_status": "202", "request_body": "", "http_authorization": ""}
{"proxy_protocol_addr": "","remote_addr": "xxx.xxx.xxx.xx", "proxy_add_x_forwarded_for": "xxx.xxx.xxx.xx, xxx.xxx.xxx.xx", "remote_user": "", "time_local": "21/Nov/2018:09:53:43 +0000", "request" : "GET /plugins/kibana/assets/dashboard.svg HTTP/1.1", "status": "202", "body_bytes_sent": "0", "http_referer":  "https://kibana.test.com/app/kibana", "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "request_length" : "0", "request_time": "0.029", "proxy_upstream_name": "monitoring-kb-kibana-5601", "upstream_addr": "xxx.xxx.xxx.xx:4180",  "upstream_response_length": "0", "upstream_response_time": "0.030", "upstream_status": "202", "request_body": "", "http_authorization": ""}
{"proxy_protocol_addr": "","remote_addr": "xxx.xxx.xxx.xx", "proxy_add_x_forwarded_for": "xxx.xxx.xxx.xx, xxx.xxx.xxx.xx", "remote_user": "", "time_local": "21/Nov/2018:09:53:43 +0000", "request" : "GET /ui/favicons/favicon-32x32.png HTTP/1.1", "status": "202", "body_bytes_sent": "0", "http_referer":  "https://kibana.test.com/app/kibana", "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "request_length" : "0", "request_time": "0.001", "proxy_upstream_name": "monitoring-kb-kibana-5601", "upstream_addr": "xxx.xxx.xxx.xx:4180",  "upstream_response_length": "0", "upstream_response_time": "0.001", "upstream_status": "202", "request_body": "", "http_authorization": ""}
{"proxy_protocol_addr": "","remote_addr": "xxx.xxx.xxx.xx", "proxy_add_x_forwarded_for": "xxx.xxx.xxx.xx, xxx.xxx.xxx.xx", "remote_user": "", "time_local": "21/Nov/2018:09:53:44 +0000", "request" : "GET /plugins/kibana/assets/wrench.svg HTTP/1.1", "status": "202", "body_bytes_sent": "0", "http_referer":  "https://kibana.test.com/app/kibana", "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "request_length" : "0", "request_time": "0.003", "proxy_upstream_name": "monitoring-kb-kibana-5601", "upstream_addr": "xxx.xxx.xxx.xx:4180",  "upstream_response_length": "0", "upstream_response_time": "0.003", "upstream_status": "202", "request_body": "", "http_authorization": ""}
{"proxy_protocol_addr": "","remote_addr": "xxx.xxx.xxx.xx", "proxy_add_x_forwarded_for": "xxx.xxx.xxx.xx, xxx.xxx.xxx.xx", "remote_user": "", "time_local": "21/Nov/2018:09:53:45 +0000", "request" : "GET /ui/fonts/open_sans/open_sans_v15_latin_600.woff2 HTTP/1.1", "status": "202", "body_bytes_sent": "0", "http_referer":  "https://kibana.test.com/app/kibana", "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "request_length" : "0", "request_time": "0.002", "proxy_upstream_name": "monitoring-kb-kibana-5601", "upstream_addr": "xxx.xxx.xxx.xx:4180",  "upstream_response_length": "0", "upstream_response_time": "0.002", "upstream_status": "202", "request_body": "", "http_authorization": ""}

Is this how the annotation is intended or do i need to do anything further to disable access log per site ?
@day0ops day0ops changed the title nginx.ingress.kubernetes.io/enable-access-log: false doesnt work as expected enable-access-log: false doesnt work as expected Nov 21, 2018
@day0ops
Copy link
Author

day0ops commented Nov 22, 2018
edited
Loading

So turns out the problem is in the external authentication location block.
I ended up adding the following to the template,

# Special case to disable access log
{{ if (not $location.Logs.Access) }}
{{ if (contains $location.ExternalAuth.Host "op-oauth2-proxy.") }}
access_log off;
{{ end }}
{{ end }}

There has to be a better way to achieve this.

@aledbf
Copy link
Member

aledbf commented Nov 23, 2018

Closing. Duplicated #3040

@aledbf aledbf closed this as completed Nov 23, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aledbf @day0ops