Opened 13 days ago

Closed 13 days ago

Last modified 9 days ago

#2440 closed enhancement (worksforme)

Log new connections immediately when established

Reported by: pgassmann@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.23.x
Keywords: log, stream, connection, proxy Cc: pgassmann@…
uname -a: Linux c27b84e2b483 5.4.0-136-generic #153-Ubuntu SMP Thu Nov 24 15:56:58 UTC 2022 x86_64 Linux
nginx -V: nginx version: nginx/1.23.3
built by gcc 12.2.1 20220924 (Alpine 12.2.1_git20220924-r4)
built with OpenSSL 3.0.7 1 Nov 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-perl_modules_path=/usr/lib/perl5/vendor_perl --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-Os -fomit-frame-pointer -g' --with-ld-opt=-Wl,--as-needed,-O1,--sort-common

Description (last modified by pgassmann@…)

We use nginx stream for tcp TLS termination.
The connections are long running.
nginx logs only once a connection is closed. (when a request is completed).
For our purposes it would be useful if a new connection is immediately logged with the client ip, server, port. so we can correlate that to other events on the backend where we cannot see the client ip.

How can we do that with nginx?

The only workaround I found would be to use proxy protocol and log new connections on the backend.
Implementing a proxy protocol wrapper on the backend just to log the client ip is complicated and also not always possible.

Attachments (1)

nginx.conf (2.6 KB ) - added by pgassmann@… 13 days ago.
nginx.conf for stream tls termination

Download all attachments as: .zip

Change History (4)

by pgassmann@…, 13 days ago

Attachment: nginx.conf added

nginx.conf for stream tls termination

comment:1 by pgassmann@…, 13 days ago

Description: modified (diff)

comment:2 by Maxim Dounin, 13 days ago

Component: documentationnginx-module
Resolution: worksforme
Status: newclosed
Type: taskenhancement

For access logging, as configured with the access_log directive, nginx follows the same model as for HTTP access logs for requests: stream sessions are logged with all the details, including bytes sent and received, when the session is closed.

However, all connection events in the stream module are logged to the error log at the info level. In particular, a typical proxied connection will be logged as follows:

2023/01/23 20:33:34 [info] 21515#100071: *1 client 127.0.0.1:14395 connected to 0.0.0.0:9000
2023/01/23 20:33:34 [info] 21515#100071: *1 proxy 127.0.0.1:57011 connected to 127.0.0.1:8080
2023/01/23 20:33:35 [info] 21515#100071: *1 upstream disconnected, bytes from/to client:3/309, bytes from/to upstream:309/3

This seems to be exactly equivalent to what you are asking about.

comment:3 by pgassmann@…, 9 days ago

Thank you for the fast reply. I enabled the info level for the error log and it works for that purpose. The levels of error_log are not explained in the docs. Also if it was called event_log, that would better describe the purpose ;-)

Another problem I noticed regarding long running connections:
When nginx (docker container) is restarted, the active connections are not terminated and logged in access_log before the log ends.

Note: See TracTickets for help on using tickets.