From f469ccf648d3c27fe9d108b27d803696a07676fa Mon Sep 17 00:00:00 2001
From: Traky <trakydeng@gmail.com>
Date: Thu, 4 Jan 2024 17:02:47 -0800
Subject: [PATCH] add conditional access logging

---
 apisix/cli/ngx_tpl.lua   |  4 ++--
 conf/config-default.yaml |  1 +
 t/cli/test_access_log.sh | 45 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/apisix/cli/ngx_tpl.lua b/apisix/cli/ngx_tpl.lua
index d8cc2550266c..fce4178fdb3d 100644
--- a/apisix/cli/ngx_tpl.lua
+++ b/apisix/cli/ngx_tpl.lua
@@ -377,9 +377,9 @@ http {
     uninitialized_variable_warn off;
 
     {% if http.access_log_buffer then %}
-    access_log {* http.access_log *} main buffer={* http.access_log_buffer *} flush=3;
+    access_log {* http.access_log *} main {% if http.access_log_if_condition then %} if={* http.access_log_if_condition *}{% end %} buffer={* http.access_log_buffer *} flush=3;
     {% else %}
-    access_log {* http.access_log *} main buffer=16384 flush=3;
+    access_log {* http.access_log *} main {% if http.access_log_if_condition then %} if={* http.access_log_if_condition *}{% end %} buffer=16384 flush=3;
     {% end %}
     {% end %}
     open_file_cache  max=1000 inactive=60;
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 6ab8db8aa608..bd72e17164f8 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -220,6 +220,7 @@ nginx_config:                     # Config for render the template to generate n
     access_log_format: "$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\""
     # Customize log format: http://nginx.org/en/docs/varindex.html
     access_log_format_escape: default   # Escape default or json characters in variables.
+    # access_log_if_condition: $loggable  # Configure conditional access logging
     keepalive_timeout: 60s              # Set the maximum time for which TCP connection keeps alive.
     client_header_timeout: 60s          # Set the maximum time waiting for client to send the entire HTTP
                                         # request header before closing the connection.
diff --git a/t/cli/test_access_log.sh b/t/cli/test_access_log.sh
index 01dda603a285..cb4f915c16ae 100755
--- a/t/cli/test_access_log.sh
+++ b/t/cli/test_access_log.sh
@@ -138,6 +138,51 @@ make stop
 
 echo "passed: access log with JSON format"
 
+# check conditional access log
+# exclude logging 2xx and 3xx requests
+
+echo '
+nginx_config:
+  http:
+    enable_access_log: true
+    access_log_if_condition: $loggable
+  http_configuration_snippet: |
+    map $status $loggable {
+        ~^[23]  0;
+        default 1;
+    }
+' > conf/config.yaml
+
+make init
+make run
+sleep 0.1
+curl http://127.0.0.1:9080/non-existent
+sleep 2
+tail -n 1 logs/access.log > output.log
+
+if [ `grep -c '404' output.log` -eq '0' ]; then
+    echo "failed: 404 not logged in the access log"
+    exit 1
+fi
+
+code=$(curl -v -k -i -m 20 -o /dev/null -s -w %{http_code} http://127.0.0.1:9090/v1/schema)
+sleep 2
+
+if [ ! $code -eq 200 ]; then
+    echo "failed: access control API"
+    exit 1
+fi
+
+tail -n 1 logs/access.log > output.log
+if [ `grep -c '200' output.log` -gt '0' ]; then
+    echo "failed: 200 found in the access log"
+    exit 1
+fi
+
+make stop
+
+echo "pass: conditional access logging"
+
 # check uninitialized variable in access log when access admin
 git checkout conf/config.yaml