From 9d1a4d34cfdaf0fba6ca5973e2a8bec792f076dc Mon Sep 17 00:00:00 2001 From: Jordan Schroter Date: Mon, 10 Nov 2025 13:35:10 -0500 Subject: [PATCH 1/2] Disable logging by default --- README.md | 5 ++++- conf/nginx.conf.server.template | 4 ++-- conf/nginx.conf.template | 4 ++-- scripts/generate_conf_files.sh | 22 ++++++++++++++++++++-- 4 files changed, 28 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 5fa4b70..72d2ff1 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ Inside the `build` directory, `bash run.sh` to start the application. There are several helper scripts that are placed in in the `build` directory. These can be run manually or added to crontabs. - `logtruncate.sh` - - Truncates all logs from the Funes log directory. + - Truncates all logs from the Funes log directory when logging is enabled (`ENABLE_LOGGING=true`). - `clear_cert_disk_cache.sh ` - Clears any generated SSL cert files older than `AGE_MIN` from `CACHE_DIR`. @@ -52,6 +52,9 @@ RESTRICT_LOCAL_DOCKER # Disable dynamic SSL cert generation, instead passing the root cert on each response DISABLE_DYNAMIC_CERTS + +# Enable Nginx access/error logs (otherwise `access_log`/`error_log` directives are set to `off`) +ENABLE_LOGGING ``` Usage example: diff --git a/conf/nginx.conf.server.template b/conf/nginx.conf.server.template index d56f5e6..450ce57 100644 --- a/conf/nginx.conf.server.template +++ b/conf/nginx.conf.server.template @@ -153,7 +153,7 @@ server { ## The time here is overridden by our injected `expires $cache_expiry` header. proxy_cache_valid 200 206 1s; - access_log ${LOG_DIR}/cache.log proxy_cache; + ${CACHE_ACCESS_LOG_DIRECTIVE} } } @@ -241,7 +241,7 @@ server { proxy_ssl_trusted_certificate ./cacert.pem; proxy_ssl_server_name on; - access_log ${LOG_DIR}/range_cache.log range_cache; + ${RANGE_ACCESS_LOG_DIRECTIVE} } } diff --git a/conf/nginx.conf.template b/conf/nginx.conf.template index 4ad14be..5696073 100644 --- a/conf/nginx.conf.template 
+++ b/conf/nginx.conf.template @@ -41,8 +41,8 @@ http { # Logging Settings ## - access_log ${LOG_DIR}/access.log; - error_log ${LOG_DIR}/error.log; + ${ACCESS_LOG_DIRECTIVE} + ${ERROR_LOG_DIRECTIVE} log_format proxy_cache '$remote_addr – $upstream_cache_status $status [$time_local] $request_method $proxy_method://$host$uri $body_bytes_sent "$http_referer" "$http_user_agent" '; diff --git a/scripts/generate_conf_files.sh b/scripts/generate_conf_files.sh index 2639a81..e40fc48 100644 --- a/scripts/generate_conf_files.sh +++ b/scripts/generate_conf_files.sh @@ -53,6 +53,23 @@ then export LOG_DIR="./logs" fi +if [ -z "$ENABLE_LOGGING" ] +then + export ENABLE_LOGGING="false" +fi + +if [ "$ENABLE_LOGGING" = "true" ]; then + export ACCESS_LOG_DIRECTIVE="access_log ${LOG_DIR}/access.log;" + export ERROR_LOG_DIRECTIVE="error_log ${LOG_DIR}/error.log;" + export CACHE_ACCESS_LOG_DIRECTIVE="access_log ${LOG_DIR}/cache.log proxy_cache;" + export RANGE_ACCESS_LOG_DIRECTIVE="access_log ${LOG_DIR}/range_cache.log range_cache;" +else + export ACCESS_LOG_DIRECTIVE="access_log off;" + export ERROR_LOG_DIRECTIVE="error_log off;" + export CACHE_ACCESS_LOG_DIRECTIVE="access_log off;" + export RANGE_ACCESS_LOG_DIRECTIVE="access_log off;" +fi + if [ -z "$CONTENT_CACHE_DIR" ] then export CONTENT_CACHE_DIR="/data/funes/content_cache" @@ -133,6 +150,7 @@ then fi printf 'LOG_DIR=%s\n' "$LOG_DIR" +printf 'ENABLE_LOGGING=%s\n' "$ENABLE_LOGGING" printf 'CONTENT_CACHE_DIR=%s\n' "$CONTENT_CACHE_DIR" printf 'CONTENT_CACHE_KEYS_ZONE=%s\n' "$CONTENT_CACHE_KEYS_ZONE" printf 'CONTENT_CACHE_SIZE=%s\n' "$CONTENT_CACHE_SIZE" 
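Review bot: `error_log off;` in the else branch of the generate_conf_files.sh hunk does not turn error logging off, because nginx's `error_log` has no `off` parameter; the word is taken as a file name and errors are written to a file called `off` under the nginx prefix. If the intent is to discard them, the line would be `export ERROR_LOG_DIRECTIVE="error_log /dev/null crit;"`. Patch 2/2 of this series replaces the directive with `error_log stderr`, which removes the problem, but the README text added in this commit carries the same assumption. Separately, only the exact string `true` enables logging, so `TRUE` or `1` silently leaves it off; a comment such as `# Only the literal "true" enables logging; any other value disables it.` above the test would make that visible.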
@@ -155,6 +173,6 @@ fi echo "Nameserver is: $NAMESERVER" echo "Copying nginx config" -envsubst '${ROOT_CA_CERT} ${ROOT_CA_KEY} ${LOG_DIR} ${PROXY_BUFFER_SIZE} ${PROXY_BUFFERS} ${PROXY_BUSY_BUFFERS_SIZE}' < ./conf/nginx.conf.template > ./conf/nginx.conf -envsubst '${PROXY_CONNECT_DATA_TIMEOUT} ${PROXY_READ_DATA_TIMEOUT} ${NAMESERVER} ${LOG_DIR} ${CONTENT_CACHE_DIR} ${CONTENT_CACHE_KEYS_ZONE} ${CONTENT_CACHE_SIZE} ${SSL_VERIFY_DEPTH}' < ./conf/nginx.conf.server.template > ./conf/nginx.conf.server +envsubst '${ROOT_CA_CERT} ${ROOT_CA_KEY} ${LOG_DIR} ${PROXY_BUFFER_SIZE} ${PROXY_BUFFERS} ${PROXY_BUSY_BUFFERS_SIZE} ${ACCESS_LOG_DIRECTIVE} ${ERROR_LOG_DIRECTIVE}' < ./conf/nginx.conf.template > ./conf/nginx.conf +envsubst '${PROXY_CONNECT_DATA_TIMEOUT} ${PROXY_READ_DATA_TIMEOUT} ${NAMESERVER} ${LOG_DIR} ${CONTENT_CACHE_DIR} ${CONTENT_CACHE_KEYS_ZONE} ${CONTENT_CACHE_SIZE} ${SSL_VERIFY_DEPTH} ${CACHE_ACCESS_LOG_DIRECTIVE} ${RANGE_ACCESS_LOG_DIRECTIVE}' < ./conf/nginx.conf.server.template > ./conf/nginx.conf.server envsubst '${ROOT_CA_CERT} ${ROOT_CA_KEY} ${CERT_MEM_CACHE_TTL_SEC}' < ./conf/generate_ssl_certs.template.lua > ./conf/generate_ssl_certs.lua From 3dab4622fa1e54e981a7da2da7c313a98d303746 Mon Sep 17 00:00:00 2001 From: Jordan Schroter Date: Mon, 10 Nov 2025 13:49:39 -0500 Subject: [PATCH 2/2] Send error logs to stdout by default --- README.md | 5 +---- conf/nginx.conf.template | 2 +- scripts/generate_conf_files.sh | 25 +++++++++++++------------ 3 files changed, 15 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 72d2ff1..5fa4b70 100644 --- a/README.md +++ b/README.md 
@@ -29,7 +29,7 @@ Inside the `build` directory, `bash run.sh` to start the application. There are several helper scripts that are placed in in the `build` directory. These can be run manually or added to crontabs. - `logtruncate.sh` - - Truncates all logs from the Funes log directory when logging is enabled (`ENABLE_LOGGING=true`). + - Truncates all logs from the Funes log directory. - `clear_cert_disk_cache.sh ` - Clears any generated SSL cert files older than `AGE_MIN` from `CACHE_DIR`. @@ -52,9 +52,6 @@ RESTRICT_LOCAL_DOCKER # Disable dynamic SSL cert generation, instead passing the root cert on each response DISABLE_DYNAMIC_CERTS - -# Enable Nginx access/error logs (otherwise `access_log`/`error_log` directives are set to `off`) -ENABLE_LOGGING ``` Usage example: diff --git a/conf/nginx.conf.template b/conf/nginx.conf.template index 5696073..3417a51 100644 --- a/conf/nginx.conf.template +++ b/conf/nginx.conf.template @@ -42,7 +42,7 @@ http { ## ${ACCESS_LOG_DIRECTIVE} - ${ERROR_LOG_DIRECTIVE} + error_log stderr ${ERROR_LOG_LEVEL}; log_format proxy_cache '$remote_addr – $upstream_cache_status $status [$time_local] $request_method $proxy_method://$host$uri $body_bytes_sent "$http_referer" "$http_user_agent" '; diff --git a/scripts/generate_conf_files.sh b/scripts/generate_conf_files.sh index e40fc48..3a98ae5 100644 --- a/scripts/generate_conf_files.sh +++ b/scripts/generate_conf_files.sh 
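Review bot: `error_log stderr ${ERROR_LOG_LEVEL};` in the nginx.conf.template hunk sends errors to standard error, while the commit subject says stdout. The two are separate streams, so a collector that captures only stdout would miss these messages. A short comment above the directive, for example `# Errors go to stderr; access logs, when enabled, go to files under LOG_DIR.`, would record the split destinations for whoever wires up log collection.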
@@ -53,23 +53,22 @@ then export LOG_DIR="./logs" fi -if [ -z "$ENABLE_LOGGING" ] -then - export ENABLE_LOGGING="false" -fi - -if [ "$ENABLE_LOGGING" = "true" ]; then +if [ "$ENABLE_ACCESS_LOGS" = "true" ]; then export ACCESS_LOG_DIRECTIVE="access_log ${LOG_DIR}/access.log;" - export ERROR_LOG_DIRECTIVE="error_log ${LOG_DIR}/error.log;" export CACHE_ACCESS_LOG_DIRECTIVE="access_log ${LOG_DIR}/cache.log proxy_cache;" export RANGE_ACCESS_LOG_DIRECTIVE="access_log ${LOG_DIR}/range_cache.log range_cache;" else export ACCESS_LOG_DIRECTIVE="access_log off;" - export ERROR_LOG_DIRECTIVE="error_log off;" export CACHE_ACCESS_LOG_DIRECTIVE="access_log off;" export RANGE_ACCESS_LOG_DIRECTIVE="access_log off;" fi +# Levels can be warn, error crit, alert, and emerg. +if [ -z "$ERROR_LOG_LEVEL" ] +then + export ERROR_LOG_LEVEL="crit" +fi + if [ -z "$CONTENT_CACHE_DIR" ] then export CONTENT_CACHE_DIR="/data/funes/content_cache" @@ -148,9 +147,11 @@ if [ -z "$PROXY_READ_DATA_TIMEOUT" ] then export PROXY_READ_DATA_TIMEOUT="60s" fi - +printf 'ERROR_LOG_LEVEL=%s\n' "$ERROR_LOG_LEVEL" +printf 'ACCESS_LOG_DIRECTIVE=%s\n' "$ACCESS_LOG_DIRECTIVE" +printf 'CACHE_ACCESS_LOG_DIRECTIVE=%s\n' "$CACHE_ACCESS_LOG_DIRECTIVE" +printf 'RANGE_ACCESS_LOG_DIRECTIVE=%s\n' "$RANGE_ACCESS_LOG_DIRECTIVE" printf 'LOG_DIR=%s\n' "$LOG_DIR" -printf 'ENABLE_LOGGING=%s\n' "$ENABLE_LOGGING" printf 'CONTENT_CACHE_DIR=%s\n' "$CONTENT_CACHE_DIR" printf 'CONTENT_CACHE_KEYS_ZONE=%s\n' "$CONTENT_CACHE_KEYS_ZONE" printf 'CONTENT_CACHE_SIZE=%s\n' "$CONTENT_CACHE_SIZE" 
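Review bot: `ERROR_LOG_LEVEL` is copied from the environment into `error_log stderr ${ERROR_LOG_LEVEL};` with only an empty-string default, so a misspelled level makes nginx reject the generated config and a value containing `;` would add extra directives to nginx.conf. Checking it against the fixed set of nginx levels before the export, as sketched below, keeps the generated file predictable. The comment above the default is missing a comma (`error crit`) and leaves out `debug`, `info` and `notice`, which nginx also accepts. The default of `crit` also drops everything nginx logs at `error`, which as far as I know includes upstream certificate verification failures, so `error` may be the safer default for a proxy that validates upstream TLS.

```shell
# Levels, least to most severe: debug, info, notice, warn, error, crit, alert, emerg.
case "${ERROR_LOG_LEVEL:-crit}" in
  debug|info|notice|warn|error|crit|alert|emerg)
    export ERROR_LOG_LEVEL="${ERROR_LOG_LEVEL:-crit}"
    ;;
  *)
    printf 'Invalid ERROR_LOG_LEVEL: %s\n' "$ERROR_LOG_LEVEL" >&2
    exit 1
    ;;
esac
```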
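Review bot: `ENABLE_ACCESS_LOGS` never appears in the printed summary, and neither it nor `ERROR_LOG_LEVEL` is documented; the README hunk of this commit removes the `ENABLE_LOGGING` entry without adding replacements. Access logging is now off unless the variable is exactly `true`, so an operator who relies on those logs to audit proxy traffic has no hint of how to turn them back on. Adding `printf 'ENABLE_ACCESS_LOGS=%s\n' "$ENABLE_ACCESS_LOGS"` next to the other lines, plus a README entry for both variables, would cover it.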
@@ -173,6 +174,6 @@ fi echo "Nameserver is: $NAMESERVER" echo "Copying nginx config" -envsubst '${ROOT_CA_CERT} ${ROOT_CA_KEY} ${LOG_DIR} ${PROXY_BUFFER_SIZE} ${PROXY_BUFFERS} ${PROXY_BUSY_BUFFERS_SIZE} ${ACCESS_LOG_DIRECTIVE} ${ERROR_LOG_DIRECTIVE}' < ./conf/nginx.conf.template > ./conf/nginx.conf -envsubst '${PROXY_CONNECT_DATA_TIMEOUT} ${PROXY_READ_DATA_TIMEOUT} ${NAMESERVER} ${LOG_DIR} ${CONTENT_CACHE_DIR} ${CONTENT_CACHE_KEYS_ZONE} ${CONTENT_CACHE_SIZE} ${SSL_VERIFY_DEPTH} ${CACHE_ACCESS_LOG_DIRECTIVE} ${RANGE_ACCESS_LOG_DIRECTIVE}' < ./conf/nginx.conf.server.template > ./conf/nginx.conf.server +envsubst '${ROOT_CA_CERT} ${ROOT_CA_KEY} ${ERROR_LOG_LEVEL} ${ACCESS_LOG_DIRECTIVE} ${PROXY_BUFFER_SIZE} ${PROXY_BUFFERS} ${PROXY_BUSY_BUFFERS_SIZE}' < ./conf/nginx.conf.template > ./conf/nginx.conf +envsubst '${PROXY_CONNECT_DATA_TIMEOUT} ${PROXY_READ_DATA_TIMEOUT} ${NAMESERVER} ${CACHE_ACCESS_LOG_DIRECTIVE} ${RANGE_ACCESS_LOG_DIRECTIVE} ${CONTENT_CACHE_DIR} ${CONTENT_CACHE_KEYS_ZONE} ${CONTENT_CACHE_SIZE} ${SSL_VERIFY_DEPTH}' < ./conf/nginx.conf.server.template > ./conf/nginx.conf.server envsubst '${ROOT_CA_CERT} ${ROOT_CA_KEY} ${CERT_MEM_CACHE_TTL_SEC}' < ./conf/generate_ssl_certs.template.lua > ./conf/generate_ssl_certs.lua
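Review bot: `${LOG_DIR}` is dropped from both envsubst allow-lists here, so any `${LOG_DIR}` still present in nginx.conf.template or nginx.conf.server.template outside the lines this series touches would be written to the output unexpanded. Only the four log directives are visible in these patches, so the rest of both templates cannot be checked from here. Running `grep -n 'LOG_DIR' conf/*.template` before merging would confirm that no reference is left behind.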