nginx: Reduce access log content for static data

For proxy/fastcgi/uwsgi blocks, logging is still set to the old format, but for everything else (= static data) a reduced format is used that excludes items that no longer make sense (request_time, remote_user) and those that are personal information all the time (remote_addr, http_x_forwarded_for). Signed-off-by: Florian Pritz <bluewind@xinu.at>

nginx: Reduce access log content for static data
For proxy/fastcgi/uwsgi blocks, logging is still set to the old format, but for everything else (= static data) a reduced format is used that excludes items that no longer make sense (request_time, remote_user) and those that are personal information all the time (remote_addr, http_x_forwarded_for). Signed-off-by: Florian Pritz <bluewind@xinu.at>
f5ee7a08 · Florian Pritz · ebd659d6 · f5ee7a08 · f5ee7a08 · f5ee7a08
Verified Commit f5ee7a08 authored May 30, 2018 by Florian Pritz
--- a/roles/arch32_mirror/templates/nginx.d.conf.j2
+++ b/roles/arch32_mirror/templates/nginx.d.conf.j2
@@ -4,7 +4,7 @@ server {
    server_name  {{ arch32_mirror_domain }} pool.mirror.archlinux32.org;
    root         {{ arch32_mirror_dir }};

-    access_log   /var/log/nginx/{{ arch32_mirror_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ arch32_mirror_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ arch32_mirror_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -18,7 +18,7 @@ server {
    server_name  {{ arch32_mirror_domain }};
    root         {{ arch32_mirror_dir }};

-    access_log   /var/log/nginx/{{ arch32_mirror_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ arch32_mirror_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ arch32_mirror_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ arch32_mirror_domain }}/fullchain.pem;

--- a/roles/archive/templates/nginx.d.conf.j2
+++ b/roles/archive/templates/nginx.d.conf.j2
@@ -3,7 +3,7 @@ server {
    listen       [::]:80;
    server_name  {{ archive_domain }};

-    access_log   /var/log/nginx/{{ archive_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ archive_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ archive_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -19,7 +19,7 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ archive_domain }};

-    access_log   /var/log/nginx/{{ archive_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ archive_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ archive_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ archive_domain }}/fullchain.pem;

--- a/roles/archweb/templates/nginx.d.conf.j2
+++ b/roles/archweb/templates/nginx.d.conf.j2
@@ -9,7 +9,7 @@ server {
    listen       [::]:80;
    server_name  {{ domain }};

-    access_log   /var/log/nginx/{{ archweb_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ archweb_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -25,7 +25,7 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ domain }};

-    access_log   /var/log/nginx/{{ archweb_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ archweb_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ archweb_domain }}/fullchain.pem;
@@ -53,7 +53,7 @@ server {
    listen       [::]:80;
    server_name  {{ archweb_domain }};

-    access_log   /var/log/nginx/{{ archweb_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ archweb_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -75,7 +75,7 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ archweb_domain }};

-    access_log   /var/log/nginx/{{ archweb_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ archweb_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ archweb_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ archweb_domain }}/fullchain.pem;
@@ -135,6 +135,7 @@ server {
    }

    location / {
+        access_log   /var/log/nginx/{{ archweb_domain }}/access.log main;
        include uwsgi_params;
        uwsgi_pass archweb;
    }

--- a/roles/archwiki/templates/nginx.d.conf.j2
+++ b/roles/archwiki/templates/nginx.d.conf.j2
@@ -7,7 +7,7 @@ server {
    listen       [::]:80;
    server_name  {{ archwiki_domain }};

-    access_log   /var/log/nginx/{{ archwiki_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ archwiki_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ archwiki_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -23,7 +23,7 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ archwiki_domain }};

-    access_log   /var/log/nginx/{{ archwiki_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ archwiki_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ archwiki_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ archwiki_domain }}/fullchain.pem;
@@ -40,6 +40,7 @@ server {

    # special case due to our '/index.php/Main_Page' type URLs
    location ~ ^/(?:index|redirect)\.php(?:/.*)$ {
+        access_log   /var/log/nginx/{{ archwiki_domain }}/access.log main;
        fastcgi_pass   archwiki;
        fastcgi_index  index.php;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
@@ -51,6 +52,7 @@ server {

    # normal PHP FastCGI handler
    location ~ ^/[^/]+\.php$ {
+        access_log   /var/log/nginx/{{ archwiki_domain }}/access.log main;
        fastcgi_pass   archwiki;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;

--- a/roles/flyspray/templates/nginx.d.conf.j2
+++ b/roles/flyspray/templates/nginx.d.conf.j2
@@ -7,7 +7,7 @@ server {
    listen       [::]:80;
    server_name  {{ flyspray_domain }};

-    access_log   /var/log/nginx/{{ flyspray_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ flyspray_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ flyspray_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -23,7 +23,7 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ flyspray_domain }};

-    access_log   /var/log/nginx/{{ flyspray_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ flyspray_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ flyspray_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ flyspray_domain }}/fullchain.pem;
@@ -120,6 +120,7 @@ server {
    }

    location ~ \.php$ {
+        access_log   /var/log/nginx/{{ flyspray_domain }}/access.log main;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass flyspray;

--- a/roles/grafana/templates/nginx.d.conf.j2
+++ b/roles/grafana/templates/nginx.d.conf.j2
@@ -7,7 +7,7 @@ server {
    listen       [::]:80;
    server_name  {{ grafana_domain }};

-    access_log   /var/log/nginx/{{ grafana_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ grafana_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ grafana_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -23,7 +23,7 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ grafana_domain }};

-    access_log   /var/log/nginx/{{ grafana_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ grafana_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ grafana_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ grafana_domain }}/fullchain.pem;
@@ -33,6 +33,7 @@ server {
    root {{ grafana_domain }};

    location / {
+        access_log   /var/log/nginx/{{ grafana_domain }}/access.log main;
 		proxy_pass http://grafana;
    }
 }
--- a/roles/kanboard/templates/nginx.d.conf.j2
+++ b/roles/kanboard/templates/nginx.d.conf.j2
@@ -7,7 +7,7 @@ server {
    listen       [::]:80;
    server_name  {{ kanboard_domain }};

-    access_log   /var/log/nginx/{{ kanboard_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ kanboard_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ kanboard_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -23,7 +23,7 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ kanboard_domain }};

-    access_log   /var/log/nginx/{{ kanboard_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ kanboard_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ kanboard_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ kanboard_domain }}/fullchain.pem;
@@ -39,6 +39,7 @@ server {
    }

    location ~ \.php$ {
+        access_log   /var/log/nginx/{{ kanboard_domain }}/access.log main;
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

--- a/roles/mailman/templates/nginx.d.conf.j2
+++ b/roles/mailman/templates/nginx.d.conf.j2
@@ -3,7 +3,7 @@ server {
    listen       [::]:80;
    server_name  mailman.archlinux.org;

-    access_log   /var/log/nginx/{{ mailman_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ mailman_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ mailman_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -19,7 +19,7 @@ server {
    listen       [::]:443 ssl http2;
    server_name  mailman.archlinux.org;

-    access_log   /var/log/nginx/{{ mailman_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ mailman_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ mailman_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/mailman.archlinux.org/fullchain.pem;

--- a/roles/matrix/templates/nginx.d.conf.j2
+++ b/roles/matrix/templates/nginx.d.conf.j2
@@ -7,7 +7,7 @@ server {
    listen       [::]:80;
    server_name  {{ matrix_domain }};

-    access_log   /var/log/nginx/{{ matrix_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ matrix_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ matrix_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -23,7 +23,7 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ matrix_domain }};

-    access_log   /var/log/nginx/{{ matrix_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ matrix_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ matrix_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem;
@@ -31,6 +31,7 @@ server {
    ssl_trusted_certificate /etc/letsencrypt/live/{{ matrix_domain }}/chain.pem;

    location /_matrix {
+        access_log   /var/log/nginx/{{ matrix_domain }}/access.log main;
        proxy_pass http://matrix;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_read_timeout 900s;

--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -16,6 +16,9 @@ http {
    log_format  main  '$remote_addr $host $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time';
+    log_format  reduced  '$host [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent"';

    sendfile        on;
    keepalive_timeout  65;

--- a/roles/patchwork/templates/nginx.d.conf.j2
+++ b/roles/patchwork/templates/nginx.d.conf.j2
@@ -7,7 +7,7 @@ server {
    listen       [::]:80;
    server_name  {{ patchwork_domain }};

-    access_log   /var/log/nginx/{{ patchwork_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ patchwork_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ patchwork_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -23,7 +23,7 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ patchwork_domain }};

-    access_log   /var/log/nginx/{{ patchwork_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ patchwork_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ patchwork_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ patchwork_domain }}/fullchain.pem;
@@ -35,6 +35,7 @@ server {
    }

    location / {
+        access_log   /var/log/nginx/{{ patchwork_domain }}/access.log main;
        include uwsgi_params;
        uwsgi_pass patchwork;
    }

--- a/roles/planet/templates/nginx.d.conf.j2
+++ b/roles/planet/templates/nginx.d.conf.j2
@@ -3,7 +3,7 @@ server {
    listen       [::]:80;
    server_name  {{ planet_domain }};

-    access_log   /var/log/nginx/{{ planet_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ planet_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ planet_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -19,7 +19,7 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ planet_domain }};

-    access_log   /var/log/nginx/{{ planet_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ planet_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ planet_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ planet_domain }}/fullchain.pem;

--- a/roles/public_html/templates/nginx.d.conf.j2
+++ b/roles/public_html/templates/nginx.d.conf.j2
@@ -4,7 +4,7 @@ server {
    server_name  {{ public_domain }} www.{{ public_domain }};
    root         /srv/public_html;

-    access_log   /var/log/nginx/{{ public_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ public_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ public_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -22,7 +22,7 @@ server {
    server_name  {{ public_domain }} www.{{ public_domain }};
    root         /srv/public_html;

-    access_log   /var/log/nginx/{{ public_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ public_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ public_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ public_domain }}/fullchain.pem;

--- a/roles/security_tracker/templates/nginx.d.conf.j2
+++ b/roles/security_tracker/templates/nginx.d.conf.j2
@@ -7,7 +7,7 @@ server {
    listen       [::]:80;
    server_name  {{ security_tracker_domain }};

-    access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ security_tracker_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -23,7 +23,7 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ security_tracker_domain }};

-    access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ security_tracker_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ security_tracker_domain }}/fullchain.pem;
@@ -40,6 +40,7 @@ server {
    }

    location / {
+        access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log main;
        include uwsgi_params;
        uwsgi_pass security-tracker;
    }

--- a/roles/sources/templates/nginx.d.conf.j2
+++ b/roles/sources/templates/nginx.d.conf.j2
@@ -3,7 +3,7 @@ server {
    listen       [::]:80;
    server_name  {{ sources_domain }};

-    access_log   /var/log/nginx/{{ sources_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ sources_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ sources_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -19,7 +19,7 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ sources_domain }};

-    access_log   /var/log/nginx/{{ sources_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ sources_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ sources_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ sources_domain }}/fullchain.pem;

--- a/roles/syncrepo/templates/nginx.d.conf.j2
+++ b/roles/syncrepo/templates/nginx.d.conf.j2
@@ -4,7 +4,7 @@ server {
    server_name  {{ mirror_domain }};
    root         /srv/ftp;

-    access_log   /var/log/nginx/{{ mirror_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ mirror_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ mirror_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -18,7 +18,7 @@ server {
    server_name  {{ mirror_domain }};
    root         /srv/ftp;

-    access_log   /var/log/nginx/{{ mirror_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ mirror_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ mirror_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ mirror_domain }}/fullchain.pem;

--- a/roles/zabbix-server/templates/nginx.d.conf.j2
+++ b/roles/zabbix-server/templates/nginx.d.conf.j2
@@ -7,7 +7,7 @@ server {
    listen       [::]:80;
    server_name  {{ zabbix_domain }};

-    access_log   /var/log/nginx/{{ zabbix_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ zabbix_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ zabbix_domain }}/error.log;

    include snippets/letsencrypt.conf;
@@ -23,7 +23,7 @@ server {
    listen       [::]:443 ssl http2;
    server_name  {{ zabbix_domain }};

-    access_log   /var/log/nginx/{{ zabbix_domain }}/access.log main;
+    access_log   /var/log/nginx/{{ zabbix_domain }}/access.log reduced;
    error_log    /var/log/nginx/{{ zabbix_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ zabbix_domain }}/fullchain.pem;
@@ -39,6 +39,7 @@ server {
    }

    location ~ \.php$ {
+        access_log   /var/log/nginx/{{ zabbix_domain }}/access.log main;
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;