From a08f79607c6065b64c8157a55403abfd4b790c6f Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Sun, 18 Aug 2024 17:11:23 +0200
Subject: [PATCH] loki/nginx: Add recording rule for tracking HTTP/TLS version
 and cipher

Mainly because we are curious. The data may also be used to decide if we
want to drop older versions of TLS.
---
 roles/loki/files/rules.yaml         | 7 ++++++-
 roles/nginx/templates/nginx.conf.j2 | 9 +++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/roles/loki/files/rules.yaml b/roles/loki/files/rules.yaml
index 2ae22208b..a5f0b0196 100644
--- a/roles/loki/files/rules.yaml
+++ b/roles/loki/files/rules.yaml
@@ -1 +1,6 @@
-groups: []
+groups:
+  - name: NginxRules
+    interval: 1m
+    rules:
+      - record: instance_http_version_tls_version_tls_cipher:requests:rate1m
+        expr: 'sum by (instance, http_version, tls_version, tls_cipher) (rate({job="nginx"}[1m] | json http_version="server_protocol", tls_version="ssl_protocol", tls_cipher="ssl_cipher"))'
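Review bot: The `expr` has no guard after the `json` stage, so any line under `{job="nginx"}` that is not valid JSON gets an `__error__` label, and Loki rejects metric queries over series that carry one. Whether that can happen depends on what is shipped under this job, which the diff does not show. The same nginx.conf still defines the plain-text `main` and `reduced` formats, so it seems worth appending `| __error__=""` after the `json ...` stage. Separately, plain-HTTP requests will carry empty `tls_version`/`tls_cipher` values and end up in a series without those labels. A comment saying that series represents non-TLS traffic would prevent it being misread when deciding which TLS versions to drop.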
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index f2fb8734d..bb1344f3c 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -28,12 +28,13 @@ http {
         '$remote_addr $host $remote_user [$time_local] "$request" '
         '$status $body_bytes_sent "$http_referer" '
         '"$http_user_agent" "$http_x_forwarded_for" $request_time '
-        '$server_protocol';
+        '$server_protocol $ssl_protocol $ssl_cipher';
 
     log_format reduced
         '$host [$time_local] "$request" '
         '$status $body_bytes_sent "$http_referer" '
-        '"$http_user_agent" $server_protocol';
+        '"$http_user_agent" $server_protocol $ssl_protocol '
+        '$ssl_cipher';
 
     log_format json_main escape=json
         '{'
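Review bot: The two new fields in the positional `main` and `reduced` formats are undocumented, and on a non-TLS connection nginx should write `-` for each of them, which a later reader or log parser could mistake for missing data. A short comment above each format would cover it, for example `# $ssl_protocol and $ssl_cipher are "-" for plain-HTTP requests`. Since the fields are appended at the end, anything that matches these lines with an anchored pattern (the diff does not show whether such a consumer exists) would need its pattern extended. The `log_format main` directive starts above this hunk.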
@@ -50,6 +51,8 @@ http {
         '"http_x_forwarded_for":"$http_x_forwarded_for",'
         '"request_time":"$request_time",'
         '"server_protocol":"$server_protocol",'
+        '"ssl_protocol":"$ssl_protocol",'
+        '"ssl_cipher":"$ssl_cipher",'
         # This was added to keep every log line unique as Loki drops
         # log line with the same timestamp and log text:
         # https://grafana.com/docs/loki/latest/overview/#timestamp-ordering
@@ -68,6 +71,8 @@ http {
         '"http_referrer":"$http_referer",'
         '"http_user_agent":"$http_user_agent",'
         '"server_protocol":"$server_protocol",'
+        '"ssl_protocol":"$ssl_protocol",'
+        '"ssl_cipher":"$ssl_cipher",'
         # This was added to keep every log line unique as Loki drops
         # log line with the same timestamp and log text:
         # https://grafana.com/docs/loki/latest/overview/#timestamp-ordering
-- 
GitLab