From bf730ee2db1d17a9e428ba13943622c2d304e90d Mon Sep 17 00:00:00 2001
From: zou rui
Date: Fri, 10 Jun 2022 19:01:46 +0800
Subject: [PATCH] feat: support enbale nginx debug_connection (#8637)
---
 .../nginx-configuration/configmap.md | 8 ++++++++
 internal/ingress/controller/config/config.go | 6 ++++++
 .../ingress/controller/template/configmap.go | 20 +++++++++++++++++++
 .../controller/template/configmap_test.go | 2 ++
 rootfs/etc/nginx/template/nginx.tmpl | 3 +++
 5 files changed, 39 insertions(+)
diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 6b64142180..270dd1c62a 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -211,6 +211,7 @@ The following table shows a configuration option's name, type, and the default v
 |[global-rate-limit-status-code](#global-rate-limit)|int|429|
 |[service-upstream](#service-upstream)|bool|"false"|
 |[ssl-reject-handshake](#ssl-reject-handshake)|bool|"false"|
+|[debug-connections](#debug-connections)|[]string|"127.0.0.1,1.1.1.1/24"|
 ## add-headers
@@ -1300,3 +1301,10 @@ _**default:**_ "false"
 _References:_
 [https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake)
+
+## debug-connections
+Enables debugging log for selected client connections.
+_**default:**_ ""
+
+_References:_
+[http://nginx.org/en/docs/ngx_core_module.html#debug_connection](http://nginx.org/en/docs/ngx_core_module.html#debug_connection)
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index a1f35e9fa0..07f9d957aa 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -768,6 +768,11 @@ type Configuration struct {
 // GlobalRateLimitStatucCode determines the HTTP status code to return
 // when limit is exceeding during global rate limiting.
 GlobalRateLimitStatucCode int `json:"global-rate-limit-status-code"`
+
+ // DebugConnections Enables debugging log for selected client connections
+ // http://nginx.org/en/docs/ngx_core_module.html#debug_connection
+ // Default: ""
+ DebugConnections []string `json:"debug-connections"`
 }
 // NewDefault returns the default nginx configuration
@@ -932,6 +937,7 @@ func NewDefault() Configuration {
 GlobalRateLimitMemcachedMaxIdleTimeout: 10000,
 GlobalRateLimitMemcachedPoolSize: 50,
 GlobalRateLimitStatucCode: 429,
+ DebugConnections: []string{},
 }
 if klog.V(5).Enabled() {
diff --git a/internal/ingress/controller/template/configmap.go b/internal/ingress/controller/template/configmap.go
index 382cb03677..bcd985f7f8 100644
--- a/internal/ingress/controller/template/configmap.go
+++ b/internal/ingress/controller/template/configmap.go
@@ -65,6 +65,7 @@ const (
 globalAuthAlwaysSetCookie = "global-auth-always-set-cookie"
 luaSharedDictsKey = "lua-shared-dicts"
 plugins = "plugins"
+ debugConnections = "debug-connections"
 )
 var (
@@ -111,6 +112,7 @@ func ReadConfig(src map[string]string) config.Configuration {
 blockRefererList := make([]string, 0)
 responseHeaders := make([]string, 0)
 luaSharedDicts := make(map[string]int)
+ debugConnectionsList := make([]string, 0)
 //parse lua shared dict values
 if val, ok := conf[luaSharedDictsKey]; ok {
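Review bot: The doc comment on `DebugConnections` in `Configuration` (config.go) says `Default: ""` although the field is a `[]string` that `NewDefault` sets to an empty slice in the next hunk, and it does not say what an entry may be. I would write it as `// DebugConnections lists the client IPs or CIDRs for which nginx writes debug-level logs.` followed by `// Default: empty (no debug_connection directive is rendered).` A third line noting that debug-level logs are far more verbose than the normal error log and record per-request detail would tell operators to keep the list narrow. The configmap.md table in this commit also lists `"127.0.0.1,1.1.1.1/24"` in the default column while the new section says `""`, so the three places should agree. The struct starts and ends outside this hunk.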
@@ -373,6 +375,24 @@ func ReadConfig(src map[string]string) config.Configuration {
 delete(conf, plugins)
 }
+ if val, ok := conf[debugConnections]; ok {
+ delete(conf, debugConnections)
+ for _, i := range splitAndTrimSpace(val, ",") {
+ validIp := net.ParseIP(i)
+ if validIp != nil {
+ debugConnectionsList = append(debugConnectionsList, i)
+ } else {
+ _, _, err := net.ParseCIDR(i)
+ if err == nil {
+ debugConnectionsList = append(debugConnectionsList, i)
+ } else {
+ klog.Warningf("%v is not a valid IP or CIDR address", i)
+ }
+ }
+ }
+ to.DebugConnections = debugConnectionsList
+ }
+
 to.CustomHTTPErrors = filterErrors(errors)
 to.SkipAccessLogURLs = skipUrls
 to.WhitelistSourceRange = whiteList
diff --git a/internal/ingress/controller/template/configmap_test.go b/internal/ingress/controller/template/configmap_test.go
index b30e836eed..be3ffb0cec 100644
--- a/internal/ingress/controller/template/configmap_test.go
+++ b/internal/ingress/controller/template/configmap_test.go
@@ -75,6 +75,7 @@ func TestMergeConfigMapToStruct(t *testing.T) {
 "proxy-add-original-uri-header": "false",
 "disable-ipv6-dns": "true",
 "default-type": "text/plain",
+ "debug-connections": "127.0.0.1,1.1.1.1/24,::1",
 }
 def := config.NewDefault()
 def.CustomHTTPErrors = []int{300, 400}
@@ -99,6 +100,7 @@ func TestMergeConfigMapToStruct(t *testing.T) {
 def.LuaSharedDicts = defaultLuaSharedDicts
 def.DisableIpv6DNS = true
 def.DefaultType = "text/plain"
+ def.DebugConnections = []string{"127.0.0.1", "1.1.1.1/24", "::1"}
 hash, err := hashstructure.Hash(def, &hashstructure.HashOptions{
 TagName: "json",
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index bd0880c77a..561278b6fb 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
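Review bot: The IP/CIDR check in the `debug-connections` branch of `ReadConfig` (configmap.go) is what keeps a ConfigMap string from reaching the unescaped `debug_connection {{ $v }};` line in nginx.tmpl, but nothing in the code records that, so a later change that admits the hostname or `unix:` forms nginx also accepts could open a config-injection path. I would state this in a comment and flatten the nested `if`/`else` into one guard, renaming `i` (a string, not an index) to `entry`, dropping the otherwise unused `validIp`, and logging the rejected value with `%q` so empty or odd entries are visible. Any syntactically valid CIDR passes, so a very short prefix turns on debug logging for every client; whether to warn on that is a call for the maintainers. `ReadConfig` starts and ends outside this hunk.

```go
// … unchanged: if val, ok := conf[debugConnections]; ok { delete(conf, debugConnections) …
for _, entry := range splitAndTrimSpace(val, ",") {
	// Entries are rendered unescaped into nginx.tmpl, so keep only
	// strings that parse as an IP address or a CIDR block.
	if net.ParseIP(entry) == nil {
		if _, _, err := net.ParseCIDR(entry); err != nil {
			klog.Warningf("%q is not a valid IP or CIDR address", entry)
			continue
		}
	}
	debugConnectionsList = append(debugConnectionsList, entry)
}
// … unchanged: to.DebugConnections = debugConnectionsList …
```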
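Review bot: The `debug-connections` fixture added to `TestMergeConfigMapToStruct` (configmap_test.go) holds only valid entries, so the rejection path in `ReadConfig` is never exercised. Since that check is what keeps arbitrary text out of the rendered nginx config, I would extend the input with one constructed invalid entry, e.g. `"debug-connections": "127.0.0.1,1.1.1.1/24,::1,not-an-address",`, and leave the expected `def.DebugConnections` at the three valid values, which pins that invalid entries are dropped. The test function starts and ends outside both hunks.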
@@ -58,6 +58,9 @@ events {
 multi_accept {{ if $cfg.EnableMultiAccept }}on{{ else }}off{{ end }};
 worker_connections {{ $cfg.MaxWorkerConnections }};
 use epoll;
+ {{ range $index , $v := $cfg.DebugConnections }}
+ debug_connection {{ $v }};
+ {{ end }}
 }
 http {
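Review bot: `{{ range $index , $v := $cfg.DebugConnections }}` in the `events` block binds `$index` without using it; `{{ range $v := $cfg.DebugConnections }}` is enough, and the untrimmed `{{ … }}` delimiters appear to leave extra blank lines in the rendered config for each entry. The value is written without quoting, which is safe only because `ReadConfig` keeps entries that parse as an IP or CIDR; a template comment such as `{{/* entries are validated as IP or CIDR in ReadConfig */}}` above the loop would record that dependency for whoever edits either side next.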