nginx: added log scraping for loki
parent
c760e55c24
commit
a4c05c7a60
|
@ -99,23 +99,23 @@ in
|
||||||
|
|
||||||
# Enable Real IP from Cloudflare
|
# Enable Real IP from Cloudflare
|
||||||
services.nginx.commonHttpConfig =
|
services.nginx.commonHttpConfig =
|
||||||
# let
|
let
|
||||||
# realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
|
realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
|
||||||
# fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
|
fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
|
||||||
# cfipv4 = fileToList (
|
cfipv4 = fileToList (
|
||||||
# pkgs.fetchurl {
|
pkgs.fetchurl {
|
||||||
# url = "https://www.cloudflare.com/ips-v4";
|
url = "https://www.cloudflare.com/ips-v4";
|
||||||
# sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
|
sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
|
||||||
# }
|
}
|
||||||
# );
|
);
|
||||||
# cfipv6 = fileToList (
|
cfipv6 = fileToList (
|
||||||
# pkgs.fetchurl {
|
pkgs.fetchurl {
|
||||||
# url = "https://www.cloudflare.com/ips-v6";
|
url = "https://www.cloudflare.com/ips-v6";
|
||||||
# sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
|
sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
|
||||||
# }
|
}
|
||||||
# );
|
);
|
||||||
# in
|
in
|
||||||
#nginx
|
# nginx
|
||||||
''
|
''
|
||||||
geo $auth_ip {
|
geo $auth_ip {
|
||||||
default "Password required";
|
default "Password required";
|
||||||
|
@ -124,11 +124,84 @@ in
|
||||||
192.168.0.0/16 off;
|
192.168.0.0/16 off;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
${realIpsFromList cfipv4}
|
||||||
|
${realIpsFromList cfipv6}
|
||||||
|
real_ip_header CF-Connecting-IP;
|
||||||
|
|
||||||
auth_basic_user_file ${config.sops.secrets."nginx/htpasswd".path};
|
auth_basic_user_file ${config.sops.secrets."nginx/htpasswd".path};
|
||||||
|
|
||||||
|
log_format json_combined escape=json '{'
|
||||||
|
'"time_local":"$time_local",'
|
||||||
|
'"host":"$host",'
|
||||||
|
'"remote_addr":"$remote_addr",'
|
||||||
|
'"remote_user":"$remote_user",'
|
||||||
|
'"request":"$request",'
|
||||||
|
'"status":$status,'
|
||||||
|
'"body_bytes_sent":"$body_bytes_sent",'
|
||||||
|
'"http_referer":"$http_referer",'
|
||||||
|
'"http_user_agent":"$http_user_agent",'
|
||||||
|
'"http_x_forwarded_for":"$http_x_forwarded_for",'
|
||||||
|
'"request_time":"$request_time",'
|
||||||
|
'"upstream_addr":"$upstream_addr",'
|
||||||
|
'"upstream_response_time":"$upstream_response_time",'
|
||||||
|
'"upstream_status":"$upstream_status"'
|
||||||
|
'}';
|
||||||
|
access_log /var/log/nginx/access.log json_combined;
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# This is needed for nginx to be able to read other processes
|
# This is needed for nginx to be able to read other processes
|
||||||
# directories in `/run`. Else it will fail with (13: Permission denied)
|
# directories in `/run`. Else it will fail with (13: Permission denied)
|
||||||
systemd.services.nginx.serviceConfig.ProtectHome = false;
|
systemd.services.nginx.serviceConfig.ProtectHome = false;
|
||||||
|
|
||||||
|
environment.etc."alloy/config.alloy".text =
|
||||||
|
# hcl
|
||||||
|
''
|
||||||
|
local.file_match "nginx_access_log" {
|
||||||
|
path_targets = [
|
||||||
|
{
|
||||||
|
"__path__" = "/var/log/nginx/access.log",
|
||||||
|
},
|
||||||
|
]
|
||||||
|
sync_period = "30s"
|
||||||
|
}
|
||||||
|
|
||||||
|
loki.source.file "nginx_access_log" {
|
||||||
|
targets = local.file_match.nginx_access_log.targets
|
||||||
|
forward_to = [loki.process.nginx_access_log.receiver]
|
||||||
|
}
|
||||||
|
|
||||||
|
loki.process "nginx_access_log" {
|
||||||
|
forward_to = [loki.write.default.receiver]
|
||||||
|
|
||||||
|
stage.json {
|
||||||
|
expressions = {
|
||||||
|
time = "time_local",
|
||||||
|
host = "",
|
||||||
|
request = "",
|
||||||
|
status = "",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
stage.labels {
|
||||||
|
values = {
|
||||||
|
host = "",
|
||||||
|
request = "",
|
||||||
|
status = "",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
stage.static_labels {
|
||||||
|
values = {
|
||||||
|
level = "info",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
stage.timestamp {
|
||||||
|
source = "time"
|
||||||
|
format = "_2/Jan/2006:15:04:05 -0700"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
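Review bot: The `stage.labels` block in the new Alloy pipeline promotes `request` and `host` to Loki stream labels, and `$request` in the `json_combined` format carries the full method, path and query string, so every distinct URL — including the junk paths a scanner sends — opens a new stream; that is the usual Loki cardinality blow-up, and because `host` is taken from the client-supplied Host header it is unbounded in the same way. Keep `status` as a label and leave `request` and `host` in the JSON body only (they remain searchable with a `| json` filter), i.e. reduce the block to `stage.labels { values = { status = "", } }`. If a host label is genuinely wanted, bound it first, e.g. with a `stage.match` on the configured vhost names, rather than labelling whatever the request says. Separately, `access_log … json_combined;` is set at http scope via `services.nginx.commonHttpConfig`; any `access_log` a NixOS vhost sets will shadow it for that server, so it is worth confirming the vhosts do not, or the scraped file stays empty for them.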
|
@ -9,7 +9,6 @@ let
|
||||||
webguiListenAddress = "0.0.0.0:5319";
|
webguiListenAddress = "0.0.0.0:5319";
|
||||||
otelcolHTTPListenAddress = "192.168.100.5:4318";
|
otelcolHTTPListenAddress = "192.168.100.5:4318";
|
||||||
otelcolGRPCListenAddress = "192.168.100.5:4317";
|
otelcolGRPCListenAddress = "192.168.100.5:4317";
|
||||||
domain = "alloy.tigor.web.id";
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# imports = [
|
# imports = [
|
||||||
|
@ -23,40 +22,6 @@ in
|
||||||
extraFlags = [ ''--server.http.listen-addr=${webguiListenAddress}'' ];
|
extraFlags = [ ''--server.http.listen-addr=${webguiListenAddress}'' ];
|
||||||
package = unstable.grafana-alloy;
|
package = unstable.grafana-alloy;
|
||||||
};
|
};
|
||||||
services.caddy.virtualHosts.${domain}.extraConfig = ''
|
|
||||||
@require_auth not remote_ip private_ranges
|
|
||||||
|
|
||||||
basic_auth @require_auth {
|
|
||||||
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
|
||||||
}
|
|
||||||
|
|
||||||
reverse_proxy ${webguiListenAddress}
|
|
||||||
'';
|
|
||||||
|
|
||||||
services.caddy.virtualHosts."otelhttp.tigor.web.id".extraConfig = ''
|
|
||||||
@require_auth not remote_ip private_ranges
|
|
||||||
|
|
||||||
basic_auth @require_auth {
|
|
||||||
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
|
||||||
}
|
|
||||||
|
|
||||||
reverse_proxy ${otelcolHTTPListenAddress}
|
|
||||||
'';
|
|
||||||
|
|
||||||
services.caddy.virtualHosts."otelgrpc.tigor.web.id".extraConfig = ''
|
|
||||||
@require_auth not remote_ip private_ranges
|
|
||||||
|
|
||||||
basic_auth @require_auth {
|
|
||||||
{$AUTH_USERNAME} {$AUTH_PASSWORD}
|
|
||||||
}
|
|
||||||
|
|
||||||
reverse_proxy ${otelcolGRPCListenAddress} {
|
|
||||||
transport http {
|
|
||||||
tls
|
|
||||||
tls_insecure_skip_verify
|
|
||||||
}
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
|
|
||||||
systemd.services.alloy.serviceConfig = {
|
systemd.services.alloy.serviceConfig = {
|
||||||
User = "root";
|
User = "root";
|
||||||
|
|