Introduce

revomatico · Jun 13, 2023 · 29f78c5 · 29f78c5
1 parent 6ae1851
commit 29f78c5
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 34 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -49,47 +49,54 @@ lua_shared_dict introspection \${{X_OIDC_CACHE_INTROSPECTION_SIZE}};\n\
 > if x_session_storage == "shm" then\n\
 lua_shared_dict \${{X_SESSION_SHM_STORE}} \${{X_SESSION_SHM_STORE_SIZE}};\n\
 > end\n\
-    ' "$TPL" \
+map \$remote_addr \$log_ip {\n\
+> if x_nolog_list_file then\n\
+    include \${{X_NOLOG_LIST_FILE}};\n\
+> end\n\
+    default 1;\n\
+}\n\
+' "$TPL" \
     # Patch nginx_kong.lua to add for memcached sessions
     && sed -i "/server_name kong;/a\ \n\
 ## Session:
-set \$session_storage \${{X_SESSION_STORAGE}};\n\
-set \$session_name \${{X_SESSION_NAME}};\n\
-set \$session_compressor \${{X_SESSION_COMPRESSOR}};\n\
+    set \$session_storage \${{X_SESSION_STORAGE}};\n\
+    set \$session_name \${{X_SESSION_NAME}};\n\
+    set \$session_compressor \${{X_SESSION_COMPRESSOR}};\n\
 ## Session: Memcached specific
-set \$session_memcache_connect_timeout \${{X_SESSION_MEMCACHE_CONNECT_TIMEOUT}};\n\
-set \$session_memcache_send_timeout \${{X_SESSION_MEMCACHE_SEND_TIMEOUT}};\n\
-set \$session_memcache_read_timeout \${{X_SESSION_MEMCACHE_READ_TIMEOUT}};\n\
-set \$session_memcache_prefix \${{X_SESSION_MEMCACHE_PREFIX}};\n\
-set \$session_memcache_host \${{X_SESSION_MEMCACHE_HOST}};\n\
-set \$session_memcache_port \${{X_SESSION_MEMCACHE_PORT}};\n\
-set \$session_memcache_uselocking \${{X_SESSION_MEMCACHE_USELOCKING}};\n\
-set \$session_memcache_spinlockwait \${{X_SESSION_MEMCACHE_SPINLOCKWAIT}};\n\
-set \$session_memcache_maxlockwait \${{X_SESSION_MEMCACHE_MAXLOCKWAIT}};\n\
-set \$session_memcache_pool_timeout \${{X_SESSION_MEMCACHE_POOL_TIMEOUT}};\n\
-set \$session_memcache_pool_size \${{X_SESSION_MEMCACHE_POOL_SIZE}};\n\
+    set \$session_memcache_connect_timeout \${{X_SESSION_MEMCACHE_CONNECT_TIMEOUT}};\n\
+    set \$session_memcache_send_timeout \${{X_SESSION_MEMCACHE_SEND_TIMEOUT}};\n\
+    set \$session_memcache_read_timeout \${{X_SESSION_MEMCACHE_READ_TIMEOUT}};\n\
+    set \$session_memcache_prefix \${{X_SESSION_MEMCACHE_PREFIX}};\n\
+    set \$session_memcache_host \${{X_SESSION_MEMCACHE_HOST}};\n\
+    set \$session_memcache_port \${{X_SESSION_MEMCACHE_PORT}};\n\
+    set \$session_memcache_uselocking \${{X_SESSION_MEMCACHE_USELOCKING}};\n\
+    set \$session_memcache_spinlockwait \${{X_SESSION_MEMCACHE_SPINLOCKWAIT}};\n\
+    set \$session_memcache_maxlockwait \${{X_SESSION_MEMCACHE_MAXLOCKWAIT}};\n\
+    set \$session_memcache_pool_timeout \${{X_SESSION_MEMCACHE_POOL_TIMEOUT}};\n\
+    set \$session_memcache_pool_size \${{X_SESSION_MEMCACHE_POOL_SIZE}};\n\
 ## Session: DHSM specific
-set \$session_dshm_region \${{X_SESSION_DSHM_REGION}};\n\
-set \$session_dshm_connect_timeout \${{X_SESSION_DSHM_CONNECT_TIMEOUT}};\n\
-set \$session_dshm_send_timeout \${{X_SESSION_DSHM_SEND_TIMEOUT}};\n\
-set \$session_dshm_read_timeout \${{X_SESSION_DSHM_READ_TIMEOUT}};\n\
-set \$session_dshm_host \${{X_SESSION_DSHM_HOST}};\n\
-set \$session_dshm_port \${{X_SESSION_DSHM_PORT}};\n\
-set \$session_dshm_pool_name \${{X_SESSION_DSHM_POOL_NAME}};\n\
-set \$session_dshm_pool_timeout \${{X_SESSION_DSHM_POOL_TIMEOUT}};\n\
-set \$session_dshm_pool_size \${{X_SESSION_DSHM_POOL_SIZE}};\n\
-set \$session_dshm_pool_backlog \${{X_SESSION_DSHM_POOL_BACKLOG}};\n\
+    set \$session_dshm_region \${{X_SESSION_DSHM_REGION}};\n\
+    set \$session_dshm_connect_timeout \${{X_SESSION_DSHM_CONNECT_TIMEOUT}};\n\
+    set \$session_dshm_send_timeout \${{X_SESSION_DSHM_SEND_TIMEOUT}};\n\
+    set \$session_dshm_read_timeout \${{X_SESSION_DSHM_READ_TIMEOUT}};\n\
+    set \$session_dshm_host \${{X_SESSION_DSHM_HOST}};\n\
+    set \$session_dshm_port \${{X_SESSION_DSHM_PORT}};\n\
+    set \$session_dshm_pool_name \${{X_SESSION_DSHM_POOL_NAME}};\n\
+    set \$session_dshm_pool_timeout \${{X_SESSION_DSHM_POOL_TIMEOUT}};\n\
+    set \$session_dshm_pool_size \${{X_SESSION_DSHM_POOL_SIZE}};\n\
+    set \$session_dshm_pool_backlog \${{X_SESSION_DSHM_POOL_BACKLOG}};\n\
 ## Session: SHM Specific
-set \$session_shm_store \${{X_SESSION_SHM_STORE}};\n\
-set \$session_shm_uselocking \${{X_SESSION_SHM_USELOCKING}};\n\
-set \$session_shm_lock_exptime \${{X_SESSION_SHM_LOCK_EXPTIME}};\n\
-set \$session_shm_lock_timeout \${{X_SESSION_SHM_LOCK_TIMEOUT}};\n\
-set \$session_shm_lock_step \${{X_SESSION_SHM_LOCK_STEP}};\n\
-set \$session_shm_lock_ratio \${{X_SESSION_SHM_LOCK_RATIO}};\n\
-set \$session_shm_lock_max_step \${{X_SESSION_SHM_LOCK_MAX_STEP}};\n\
+    set \$session_shm_store \${{X_SESSION_SHM_STORE}};\n\
+    set \$session_shm_uselocking \${{X_SESSION_SHM_USELOCKING}};\n\
+    set \$session_shm_lock_exptime \${{X_SESSION_SHM_LOCK_EXPTIME}};\n\
+    set \$session_shm_lock_timeout \${{X_SESSION_SHM_LOCK_TIMEOUT}};\n\
+    set \$session_shm_lock_step \${{X_SESSION_SHM_LOCK_STEP}};\n\
+    set \$session_shm_lock_ratio \${{X_SESSION_SHM_LOCK_RATIO}};\n\
+    set \$session_shm_lock_max_step \${{X_SESSION_SHM_LOCK_MAX_STEP}};\n\
 " "$TPL" \
     # Patch kong_defaults.lua to add custom variables that are replaced dynamically in the template above when kong is started
     && TPL=${LUA_BASE_DIR}/kong/templates/kong_defaults.lua \
+    && sed -E -i "s/((admin|proxy)_access_log.+)/\1 combined if=\$log_ip/" "$TPL" \
     && sed -i "/\]\]/i\ \n\
 x_session_storage = cookie\n\
 x_session_name = oidc_session\n\
@@ -132,6 +139,8 @@ x_oidc_cache_discovery_size = 128k\n\
 x_oidc_cache_jwks_size = 128k\n\
 x_oidc_cache_introspection_size = 128k\n\
 \n\
+x_nolog_list_file =\n\
+\n\
 " "$TPL" \
     ## Cleanup
     && rm -fr *.rock* \

diff --git a/README.md b/README.md
@@ -15,7 +15,6 @@
   - `KONG_PLUGINS=bundled,oidc`
 - Default: `KONG_X_SESSION_NAME=oidc_session`
 
-
 ## Session: Cookie
 
 - This is the default, but not recommended. I would recommend **shm** for a single instance, lightweight deployment.
@@ -81,6 +80,13 @@
 - KONG_X_SESSION_SHM_LOCK_RATIO, default: 2
 - KONG_X_SESSION_SHM_LOCK_MAX_STEP, default: 0.5
 
+## Exclude IPs from access_log
+- `KONG_X_NOLOG_LIST_FILE` could be set to a file path, e.g. `/tmp/nolog.txt`
+- File format is `ip 0;`. To exclude for example requests from the kubernetes probes:
+    ```
+    127.0.0.1 0;
+    ```
+
 ## Releases
 
 - Kong v3.2.2: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/master/Dockerfile)
@@ -110,6 +116,8 @@
 - Kong v2.0.2: [Dockerfile](https://github.com/revomatico/docker-kong-oidc/blob/2.0.2-1/Dockerfile)
 
 ## Release notes
+- 2023-03-26 [3.2.2-4]
+  - Introduce `KONG_X_NOLOG_LIST_FILE` that could optionally point to a file containing list of IPs to be excluded from access_log
 - 2023-03-26 [3.2.2-3]
   - Bump lua-resty-oidc to 1.7.6-3 and kong-plugin-oidc to 1.3.1-1. Based on https://github.com/zmartzone/lua-resty-openidc/issues/463, will fix https://github.com/revomatico/docker-kong-oidc/issues/37
 - 2023-03-24 [3.2.2-2]

diff --git a/common.sh b/common.sh
@@ -2,7 +2,7 @@
 
 # Common script used by all others to define variables and stay DRY
 DOCKER_CONTAINER='docker-kong-oidc'
-DOCKER_IMAGE="local/$DOCKER_CONTAINER:3.2.2-3"
+DOCKER_IMAGE="local/$DOCKER_CONTAINER:3.2.2-4"
 KONG_LOCAL_HTTP_PORT=${KONG_LOCAL_HTTP_PORT:-18000}
 KONG_LOCAL_HTTPS_PORT=${KONG_LOCAL_HTTPS_PORT:-14443}
 KONG_LOCAL_ADMIN_PORT=${KONG_LOCAL_ADMIN_PORT:-18001}