nginx: Add metrics

Tristan Daniël Maat 2023-10-02 22:53:56 +02:00
parent afcc959bf9
commit 39d9884ff0
Signed by: tlater
GPG key ID: 49670FD774E43268
7 changed files with 71 additions and 0 deletions


@ -137,8 +137,40 @@
recommendedProxySettings = true; recommendedProxySettings = true;
clientMaxBodySize = "10G"; clientMaxBodySize = "10G";
domain = "tlater.net"; domain = "tlater.net";
statusPage = true; # For metrics, should be accessible only from localhost
commonHttpConfig = ''
log_format upstream_time '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'rt=$request_time uct="$upstream_connect_time" '
'uht="$upstream_header_time" urt="$upstream_response_time"';
'';
}; };
services.logrotate = {
enable = true;
settings = lib.mapAttrs' (virtualHost: _:
lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
frequency = "daily";
rotate = 2;
compress = true;
delaycompress = true;
su = "${config.services.nginx.user} ${config.services.nginx.group}";
postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
})
config.services.nginx.virtualHosts;
};
systemd.tmpfiles.rules =
lib.mapAttrsToList (
virtualHost: _:
#
"d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}"
)
config.services.nginx.virtualHosts;
security.acme = { security.acme = {
defaults.email = "tm@tlater.net"; defaults.email = "tm@tlater.net";
acceptTerms = true; acceptTerms = true;
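Review bot: The comment on `statusPage = true` says the status endpoint "should be" reachable only from localhost, but nothing visible in this hunk enforces or checks that. As far as I know the NixOS option restricts `/nginx_status` with `allow 127.0.0.1; deny all;`, so the comment could name that mechanism instead of an expectation, e.g. `# stub_status for the nginx exporter; the NixOS module limits /nginx_status to loopback clients`. It is worth confirming this in the generated nginx configuration, since the restriction depends on the client address nginx sees. The enclosing `services.nginx` attribute set starts outside the hunk.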


@ -205,6 +205,7 @@ in {
addSSL = true; addSSL = true;
extraConfig = '' extraConfig = ''
merge_slashes off; merge_slashes off;
access_log /var/log/nginx/${domain}/access.log upstream_time;
''; '';
locations = { locations = {
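Review bot: The added `access_log /var/log/nginx/${domain}/access.log upstream_time;` line has to be repeated by hand in every virtual host, and the same line recurs in the other five service files of this commit. The log directories, logrotate entries and exporter namespaces are generated from the attribute names in `config.services.nginx.virtualHosts`. A host that omits the line, or whose `${domain}` differs from its attribute name, would presumably get a directory and a namespace with no log behind it and drop out of the metrics silently. A comment above `extraConfig` would make the coupling explicit, e.g. `# Log path must be /var/log/nginx/<virtualHosts attribute name>/access.log; logrotate and the nginxlog exporter derive it from that name`. The enclosing virtual host definition starts outside the hunk.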


@ -25,6 +25,7 @@ in {
enableACME = true; enableACME = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
''; '';
locations."/" = { locations."/" = {


@ -33,6 +33,7 @@ in {
enableACME = true; enableACME = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
''; '';
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}"; locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";


@ -50,6 +50,37 @@ in {
enabledCollectors = ["systemd"]; enabledCollectors = ["systemd"];
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
}; };
nginx = {
enable = true;
listenAddress = "127.0.0.1";
};
nginxlog = {
enable = true;
listenAddress = "127.0.0.1";
group = "nginx";
settings.namespaces =
lib.mapAttrsToList (name: virtualHost: {
inherit name;
metrics_override.prefix = "nginxlog";
namespace_label = "vhost";
format = lib.concatStringsSep " " [
"$remote_addr - $remote_user [$time_local]"
''"$request" $status $body_bytes_sent''
''"$http_referer" "$http_user_agent"''
''rt=$request_time uct="$upstream_connect_time"''
''uht="$upstream_header_time" urt="$upstream_response_time"''
];
source.files = [
"/var/log/nginx/${name}/access.log"
];
})
config.services.nginx.virtualHosts;
};
}; };
systemd.services.export-to-victoriametrics = let systemd.services.export-to-victoriametrics = let
@ -80,6 +111,7 @@ in {
enableACME = true; enableACME = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
''; '';
locations."/".proxyPass = "http://localhost:3001"; locations."/".proxyPass = "http://localhost:3001";
}; };
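Review bot: The `format` list under `nginxlog` in the first hunk re-types the `upstream_time` log format that the nginx configuration defines in `commonHttpConfig`, so the two copies can drift apart. If they do, the exporter would likely fail to parse log lines and request metrics would stop without any error at build time. Consider defining the format once and deriving both from it, or at minimum add `# Must stay identical to log_format upstream_time in the nginx config` above `format`. The second hunk of this file only adds the same `access_log` line as the other virtual hosts.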


@ -50,6 +50,9 @@ in {
services.nginx.virtualHosts."${hostName}" = { services.nginx.virtualHosts."${hostName}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = ''
access_log /var/log/nginx/${hostName}/access.log upstream_time;
'';
}; };
# Block repeated failed login attempts # Block repeated failed login attempts


@ -19,6 +19,7 @@ in {
enableACME = true; enableACME = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
''; '';
locations."/".proxyPass = "http://${addr}:${toString port}"; locations."/".proxyPass = "http://${addr}:${toString port}";