kubernetes-ingress icon indicating copy to clipboard operation
kubernetes-ingress copied to clipboard

Published 20 hours ago verified publisher icon nginxinc

Mo: add option to turn off stream logs when access log is set to off

Open Binsabbar opened this issue 1 year ago • 10 comments

Proposed changes

During DoS attack the stream logs still writes logs, unlike when it is in HTTP, where the DoS automatically turn off access log based on the value of $loggable used in dos access log.

Since there is already an option to turn off access_log for default http server, it was not added for default stream server. I used the same variable to also turn off the stream access log.

If a new variable is preferred, please let me know.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • [X] I have read the CONTRIBUTING doc
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • [X] I have checked that all unit tests pass after adding my changes
  • [X] I have updated necessary documentation
  • [X] I have rebased my branch onto main
  • [X] I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Binsabbar avatar Mar 28 '23 09:03 Binsabbar

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 52.35%. Comparing base (c44b1a5) to head (6efdaa3). Report is 623 commits behind head on main.

:exclamation: Current head 6efdaa3 differs from pull request most recent head 7ede785. Consider uploading reports for the commit 7ede785 to get more accurate results

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3701      +/-   ##
==========================================
+ Coverage   51.95%   52.35%   +0.40%     
==========================================
  Files          59       59              
  Lines       16762    16880     +118     
==========================================
+ Hits         8708     8838     +130     
+ Misses       7755     7747       -8     
+ Partials      299      295       -4

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov[bot] avatar Mar 29 '23 17:03 codecov[bot]

Hi @Binsabbar Thanks for submitting this pull request. We're currently reviewing your proposed changes with the team to investigate the impact of this and determine if we need to use another config map key for the stream block. We'll let you know as soon as possible. Thanks for your patience.

haywoodsh avatar Apr 15 '23 23:04 haywoodsh

Seems reasonable to me. @Binsabbar can you please update your commit message and PR title following the guidelines? Thanks!

Sure I will work on that

Binsabbar avatar May 24 '23 17:05 Binsabbar

@lucacome @haywoodsh I am having a second though about how I implemented this. Currently there are two variables to control access_log for server blocks in thehttp block.

  • AccessLogOff in template file, which controls overall non-default server blocks.
  • DefaultServerAccessLogOff in template file, which only controls the default server block in http block.

In my PR I used AccessLogOff as a way to control stream block default logs. The AccessLogOff if set to true will also turn off the logs for server blocks in the http block.

I can think of two options:

  1. Use DefaultServerAccessLogOff instead of AccessLogOff to turn off stream logs.
  2. Introduce new configuration key to control stream access logs name it StreamAccessLogOff.

what do you think? (I will need some directions on implementing option 2)

Binsabbar avatar May 24 '23 18:05 Binsabbar

HI @brianehlert , can you provide me with a preferred option? and in case of option 2, can you provide me with direction?

Binsabbar avatar Aug 01 '23 06:08 Binsabbar

I think I found out how to do it and introduce a new StreamAccessLogOff and use it in the template file.

I will work on this one this week, and update my MR. I think introducing a new variable is cleaner

Binsabbar avatar Aug 01 '23 07:08 Binsabbar

Hi @Binsabbar apologies for the delay on our responding to this. I would say having the StreamAccessLogOff option would be best. If you still want help in knowing what files you should edit for this please let us know.

Since this would be a new ConfigMap key, we will need to add an entry for that setting in our docs here: https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/#logging

There is currently a PR open which will be re-structuring our docs. I would wait for this PR to be merged before making any docs related changes (This PR is expected to be merged today 🤞 ) https://github.com/nginxinc/kubernetes-ingress/pull/4620

shaun-nx avatar Nov 14 '23 08:11 shaun-nx

This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.

github-actions[bot] avatar Feb 13 '24 01:02 github-actions[bot]

This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.

github-actions[bot] avatar May 14 '24 01:05 github-actions[bot]

We recently merged a PR that changed logging behaviour. We interested in brining this functionality from http to stream. We have an issue for it here https://github.com/nginxinc/kubernetes-ingress/issues/6171. Are you still interested in doing this?

j1m-ryan avatar Aug 12 '24 15:08 j1m-ryan