diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index a3146bbb0a..cd0e8035df 100644 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -32,6 +32,7 @@ The following table shows a configuration option's name, type, and the default v |[hide-headers](#hide-headers)|string array|empty| |[access-log-params](#access-log-params)|string|""| |[access-log-path](#access-log-path)|string|"/var/log/nginx/access.log"| +|[enable-access-log-for-default-backend](#enable-access-log-for-default-backend)|bool|"false"| |[error-log-path](#error-log-path)|string|"/var/log/nginx/error.log"| |[enable-dynamic-tls-records](#enable-dynamic-tls-records)|bool|"true"| |[enable-modsecurity](#enable-modsecurity)|bool|"false"| @@ -184,6 +185,10 @@ Access log path. Goes to `/var/log/nginx/access.log` by default. __Note:__ the file `/var/log/nginx/access.log` is a symlink to `/dev/stdout` +## enable-access-log-for-default-backend + +Enables logging access to default backend. _**default:**_ is disabled. + ## error-log-path Error log path. Goes to `/var/log/nginx/error.log` by default. diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index dc613c1561..4378819fd8 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -99,6 +99,10 @@ type Configuration struct { // By default it's empty AccessLogParams string `json:"access-log-params,omitempty"` + // EnableAccessLogForDefaultBackend enable access_log for default backend + // By default this is disabled + EnableAccessLogForDefaultBackend bool `json:"enable-access-log-for-default-backend"` + // AccessLogPath sets the path of the access logs if enabled // http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log // By default access logs go to /var/log/nginx/access.log 
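Review bot: The comment on `EnableAccessLogForDefaultBackend` in internal/ingress/controller/config/config.go does not say what goes unrecorded while the option is off. If the default backend is what answers requests that match no Ingress rule (not visible in this hunk), the `false` default means that traffic leaves no access-log entry, which is worth knowing when the log is used for detection or incident review. I would word it as `// EnableAccessLogForDefaultBackend enables access_log for requests served by the default backend.` followed by `// Disabled by default, so those requests are not written to the access log.` The Configuration struct starts and ends outside the hunk.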
@@ -595,77 +599,78 @@ func NewDefault() Configuration { defProxyDeadlineDuration := time.Duration(5) * time.Second cfg := Configuration{ - AllowBackendServerHeader: false, - AccessLogPath: "/var/log/nginx/access.log", - AccessLogParams: "", - WorkerCPUAffinity: "", - ErrorLogPath: "/var/log/nginx/error.log", - BlockCIDRs: defBlockEntity, - BlockUserAgents: defBlockEntity, - BlockReferers: defBlockEntity, - BrotliLevel: 4, - BrotliTypes: brotliTypes, - ClientHeaderBufferSize: "1k", - ClientHeaderTimeout: 60, - ClientBodyBufferSize: "8k", - ClientBodyTimeout: 60, - EnableDynamicTLSRecords: true, - EnableUnderscoresInHeaders: false, - ErrorLogLevel: errorLevel, - UseForwardedHeaders: false, - ForwardedForHeader: "X-Forwarded-For", - ComputeFullForwardedFor: false, - ProxyAddOriginalURIHeader: true, - GenerateRequestID: true, - HTTP2MaxFieldSize: "4k", - HTTP2MaxHeaderSize: "16k", - HTTP2MaxRequests: 1000, - HTTPRedirectCode: 308, - HSTS: true, - HSTSIncludeSubdomains: true, - HSTSMaxAge: hstsMaxAge, - HSTSPreload: false, - IgnoreInvalidHeaders: true, - GzipLevel: 5, - GzipTypes: gzipTypes, - KeepAlive: 75, - KeepAliveRequests: 100, - LargeClientHeaderBuffers: "4 8k", - LogFormatEscapeJSON: false, - LogFormatStream: logFormatStream, - LogFormatUpstream: logFormatUpstream, - EnableMultiAccept: true, - MaxWorkerConnections: 16384, - MaxWorkerOpenFiles: 0, - MapHashBucketSize: 64, - NginxStatusIpv4Whitelist: defNginxStatusIpv4Whitelist, - NginxStatusIpv6Whitelist: defNginxStatusIpv6Whitelist, - ProxyRealIPCIDR: defIPCIDR, - ProxyProtocolHeaderTimeout: defProxyDeadlineDuration, - ServerNameHashMaxSize: 1024, - ProxyHeadersHashMaxSize: 512, - ProxyHeadersHashBucketSize: 64, - ProxyStreamResponses: 1, - ReusePort: true, - ShowServerTokens: true, - SSLBufferSize: sslBufferSize, - SSLCiphers: sslCiphers, - SSLECDHCurve: "auto", - SSLProtocols: sslProtocols, - SSLSessionCache: true, - SSLSessionCacheSize: sslSessionCacheSize, - SSLSessionTickets: true, - SSLSessionTimeout: 
sslSessionTimeout, - EnableBrotli: false, - UseGzip: true, - UseGeoIP: true, - UseGeoIP2: false, - WorkerProcesses: strconv.Itoa(runtime.NumCPU()), - WorkerShutdownTimeout: "10s", - VariablesHashBucketSize: 128, - VariablesHashMaxSize: 2048, - UseHTTP2: true, - ProxyStreamTimeout: "600s", + AllowBackendServerHeader: false, + AccessLogPath: "/var/log/nginx/access.log", + AccessLogParams: "", + EnableAccessLogForDefaultBackend: false, + WorkerCPUAffinity: "", + ErrorLogPath: "/var/log/nginx/error.log", + BlockCIDRs: defBlockEntity, + BlockUserAgents: defBlockEntity, + BlockReferers: defBlockEntity, + BrotliLevel: 4, + BrotliTypes: brotliTypes, + ClientHeaderBufferSize: "1k", + ClientHeaderTimeout: 60, + ClientBodyBufferSize: "8k", + ClientBodyTimeout: 60, + EnableDynamicTLSRecords: true, + EnableUnderscoresInHeaders: false, + ErrorLogLevel: errorLevel, + UseForwardedHeaders: false, + ForwardedForHeader: "X-Forwarded-For", + ComputeFullForwardedFor: false, + ProxyAddOriginalURIHeader: true, + GenerateRequestID: true, + HTTP2MaxFieldSize: "4k", + HTTP2MaxHeaderSize: "16k", + HTTP2MaxRequests: 1000, + HTTPRedirectCode: 308, + HSTS: true, + HSTSIncludeSubdomains: true, + HSTSMaxAge: hstsMaxAge, + HSTSPreload: false, + IgnoreInvalidHeaders: true, + GzipLevel: 5, + GzipTypes: gzipTypes, + KeepAlive: 75, + KeepAliveRequests: 100, + LargeClientHeaderBuffers: "4 8k", + LogFormatEscapeJSON: false, + LogFormatStream: logFormatStream, + LogFormatUpstream: logFormatUpstream, + EnableMultiAccept: true, + MaxWorkerConnections: 16384, + MaxWorkerOpenFiles: 0, + MapHashBucketSize: 64, + NginxStatusIpv4Whitelist: defNginxStatusIpv4Whitelist, + NginxStatusIpv6Whitelist: defNginxStatusIpv6Whitelist, + ProxyRealIPCIDR: defIPCIDR, + ProxyProtocolHeaderTimeout: defProxyDeadlineDuration, + ServerNameHashMaxSize: 1024, + ProxyHeadersHashMaxSize: 512, + ProxyHeadersHashBucketSize: 64, + ProxyStreamResponses: 1, + ReusePort: true, + ShowServerTokens: true, + SSLBufferSize: sslBufferSize, + 
SSLCiphers: sslCiphers, + SSLECDHCurve: "auto", + SSLProtocols: sslProtocols, + SSLSessionCache: true, + SSLSessionCacheSize: sslSessionCacheSize, + SSLSessionTickets: true, + SSLSessionTimeout: sslSessionTimeout, + EnableBrotli: false, + UseGzip: true, + UseGeoIP: true, + UseGeoIP2: false, + WorkerProcesses: strconv.Itoa(runtime.NumCPU()), + WorkerShutdownTimeout: "10s", + VariablesHashBucketSize: 128, + VariablesHashMaxSize: 2048, + UseHTTP2: true, + ProxyStreamTimeout: "600s", Backend: defaults.Backend{ ProxyBodySize: bodySize, ProxyConnectTimeout: 5, diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 7785fba5f5..728e8b3a6e 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -18,6 +18,7 @@ package controller import ( "fmt" + "k8s.io/ingress-nginx/internal/ingress/annotations/log" "sort" "strconv" "strings" @@ -928,6 +929,10 @@ func (n *NGINXController) createServers(data []*ingress.Ingress, Backend: du.Name, Proxy: ngxProxy, Service: du.Service, + Logs: log.Config{ + Access: n.store.GetBackendConfiguration().EnableAccessLogForDefaultBackend, + Rewrite: false, + }, }, }} diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 6d1f26102a..a1919abcd1 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -615,6 +615,8 @@ http { {{ if $IsIPV6Enabled }}listen [::]:{{ $all.ListenPorts.Default }} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }};{{ end }} set $proxy_upstream_name "internal"; + access_log off; + location / { return 404; } diff --git a/test/e2e/defaultbackend/default_backend.go b/test/e2e/defaultbackend/default_backend.go index a218738ac7..04dec9f399 100644 --- a/test/e2e/defaultbackend/default_backend.go +++ b/test/e2e/defaultbackend/default_backend.go 
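Review bot: In internal/ingress/controller/controller.go the new import `"k8s.io/ingress-nginx/internal/ingress/annotations/log"` is placed inside the standard-library group, between `"fmt"` and `"sort"`; goimports ordering puts it with the non-stdlib imports, which are outside this hunk. The package is used as `log`, which at the call site reads like the standard logger, so an explicit alias on the import line would make `log.Config` easier to read.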
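Review bot: In createServers (internal/ingress/controller/controller.go) the option is applied to this one location literal only. The function body lies outside the hunk, so I cannot see whether createServers builds other locations that point at the default backend. If it does, they keep the zero-value `Logs` and would presumably stay unlogged even with `enable-access-log-for-default-backend` set to true, which is worth checking because an operator who turns the option on for visibility would expect all default-backend traffic to be recorded. `Rewrite: false` is the zero value and can be dropped.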
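Review bot: In rootfs/etc/nginx/template/nginx.tmpl the added `access_log off;` is unconditional, so this server block never logs, whatever `enable-access-log-for-default-backend` is set to. If that is deliberate (for example because the request is already logged by the location that proxies to it, which is not visible here), a template comment should say so, e.g. `# logged by the proxying location when enabled; off here to avoid duplicate entries`. If it is not deliberate, gate it: `{{ if not $all.Cfg.EnableAccessLogForDefaultBackend }}access_log off;{{ end }}`. The server block starts and ends outside the hunk.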
@@ -98,4 +98,35 @@ var _ = framework.IngressNginxDescribe("Default backend", func() { Expect(resp.StatusCode).Should(Equal(test.Status)) } }) + It("enables access logging for default backend", func() { + f.UpdateNginxConfigMapData("enable-access-log-for-default-backend", "true") + host := "foo" + resp, _, errs := gorequest.New(). + Get(f.GetURL(framework.HTTP)+"/somethingOne"). + Set("Host", host). + End() + + Expect(len(errs)).Should(Equal(0)) + Expect(resp.StatusCode).Should(Equal(http.StatusNotFound)) + + logs, err := f.NginxLogs() + Expect(err).ToNot(HaveOccurred()) + Expect(logs).To(ContainSubstring("/somethingOne")) + }) + + It("disables access logging for default backend", func() { + f.UpdateNginxConfigMapData("enable-access-log-for-default-backend", "false") + host := "bar" + resp, _, errs := gorequest.New(). + Get(f.GetURL(framework.HTTP)+"/somethingTwo"). + Set("Host", host). + End() + + Expect(len(errs)).Should(Equal(0)) + Expect(resp.StatusCode).Should(Equal(http.StatusNotFound)) + + logs, err := f.NginxLogs() + Expect(err).ToNot(HaveOccurred()) + Expect(logs).ToNot(ContainSubstring("/somethingTwo")) + }) })
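Review bot: The "disables access logging for default backend" spec asserts only that `/somethingTwo` is absent from `f.NginxLogs()`, which also holds if the logs are read before nginx has picked up the ConfigMap change or written the entry, so the spec can pass without the option doing anything. Nothing in the hunk shows `UpdateNginxConfigMapData` waiting for the reload; if it does not, both specs race with it. I would add `// negative check: only meaningful once the reload has completed` above the `ToNot(ContainSubstring("/somethingTwo"))` line and make that wait explicit in the spec. `Expect(len(errs)).Should(Equal(0))` reads better as `Expect(errs).Should(BeEmpty())`.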