add conditional access logging

apache · Jan 5, 2024 · f469ccf · f469ccf
1 parent 88107db
commit f469ccf
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 2 deletions.
diff --git a/apisix/cli/ngx_tpl.lua b/apisix/cli/ngx_tpl.lua
@@ -377,9 +377,9 @@ http {
     uninitialized_variable_warn off;
 
     {% if http.access_log_buffer then %}
-    access_log {* http.access_log *} main buffer={* http.access_log_buffer *} flush=3;
+    access_log {* http.access_log *} main {% if http.access_log_if_condition then %} if={* http.access_log_if_condition *}{% end %} buffer={* http.access_log_buffer *} flush=3;
     {% else %}
-    access_log {* http.access_log *} main buffer=16384 flush=3;
+    access_log {* http.access_log *} main {% if http.access_log_if_condition then %} if={* http.access_log_if_condition *}{% end %} buffer=16384 flush=3;
     {% end %}
     {% end %}
     open_file_cache  max=1000 inactive=60;

diff --git a/conf/config-default.yaml b/conf/config-default.yaml
@@ -220,6 +220,7 @@ nginx_config:                     # Config for render the template to generate n
     access_log_format: "$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\""
     # Customize log format: http://nginx.org/en/docs/varindex.html
     access_log_format_escape: default   # Escape default or json characters in variables.
+    # access_log_if_condition: $loggable  # Configure conditional access logging
     keepalive_timeout: 60s              # Set the maximum time for which TCP connection keeps alive.
     client_header_timeout: 60s          # Set the maximum time waiting for client to send the entire HTTP
                                         # request header before closing the connection.

diff --git a/t/cli/test_access_log.sh b/t/cli/test_access_log.sh
@@ -138,6 +138,51 @@ make stop
 
 echo "passed: access log with JSON format"
 
+# check conditional access log
+# exclude logging 2xx and 3xx requests
+
+echo '
+nginx_config:
+  http:
+    enable_access_log: true
+    access_log_if_condition: $loggable
+  http_configuration_snippet: |
+    map $status $loggable {
+        ~^[23]  0;
+        default 1;
+    }
+' > conf/config.yaml
+
+make init
+make run
+sleep 0.1
+curl http://127.0.0.1:9080/non-existent
+sleep 2
+tail -n 1 logs/access.log > output.log
+
+if [ `grep -c '404' output.log` -eq '0' ]; then
+    echo "failed: 404 not logged in the access log"
+    exit 1
+fi
+
+code=$(curl -v -k -i -m 20 -o /dev/null -s -w %{http_code} http://127.0.0.1:9090/v1/schema)
+sleep 2
+
+if [ ! $code -eq 200 ]; then
+    echo "failed: access control API"
+    exit 1
+fi
+
+tail -n 1 logs/access.log > output.log
+if [ `grep -c '200' output.log` -gt '0' ]; then
+    echo "failed: 200 found in the access log"
+    exit 1
+fi
+
+make stop
+
+echo "pass: conditional access logging"
+
 # check uninitialized variable in access log when access admin
 git checkout conf/config.yaml