Forward proxying and suppression of health checks in access logs
All checks were successful
Build containers when image tags change / build-if-image-changed (., web, containers, main container, git.baumann.gr/adebaumann/labhelper) (push) Successful in 11s
Build containers when image tags change / build-if-image-changed (data-loader, loader, initContainers, init-container, git.baumann.gr/adebaumann/labhelper-data-loader) (push) Successful in 8s
All checks were successful
Build containers when image tags change / build-if-image-changed (., web, containers, main container, git.baumann.gr/adebaumann/labhelper) (push) Successful in 11s
Build containers when image tags change / build-if-image-changed (data-loader, loader, initContainers, init-container, git.baumann.gr/adebaumann/labhelper-data-loader) (push) Successful in 8s
This commit is contained in:
@@ -17,5 +17,6 @@ data:
|
||||
LOGIN_URL: "login"
|
||||
LOGIN_REDIRECT_URL: "index"
|
||||
LOGOUT_REDIRECT_URL: "login"
|
||||
TRUSTED_PROXIES: "192.168.17.44,192.168.17.53"
|
||||
GUNICORN_OPTS: "--access-logfile -"
|
||||
IMAGE_TAG: "0.068"
|
||||
|
||||
@@ -102,6 +102,11 @@ spec:
|
||||
configMapKeyRef:
|
||||
name: django-config
|
||||
key: LOGOUT_REDIRECT_URL
|
||||
- name: TRUSTED_PROXIES
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: django-config
|
||||
key: TRUSTED_PROXIES
|
||||
- name: GUNICORN_OPTS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
|
||||
65
gunicorn.conf.py
Normal file
65
gunicorn.conf.py
Normal file
@@ -0,0 +1,65 @@
|
||||
import logging
|
||||
import os
|
||||
|
||||
from gunicorn.glogging import Logger
|
||||
|
||||
TRUSTED_PROXIES = {
|
||||
ip.strip()
|
||||
for ip in os.environ.get("TRUSTED_PROXIES", "").split(",")
|
||||
if ip.strip()
|
||||
}
|
||||
|
||||
|
||||
class HealthCheckFilter(logging.Filter):
|
||||
def filter(self, record):
|
||||
message = record.getMessage()
|
||||
return "kube-probe" not in message
|
||||
|
||||
|
||||
class CustomLogger(Logger):
|
||||
def atoms(self, resp, req, environ, request_time):
|
||||
atoms = super().atoms(resp, req, environ, request_time)
|
||||
atoms["{client-ip}e"] = self._get_client_ip(environ)
|
||||
return atoms
|
||||
|
||||
@staticmethod
|
||||
def _get_client_ip(environ):
|
||||
remote_addr = environ.get("REMOTE_ADDR", "-")
|
||||
xff = environ.get("HTTP_X_FORWARDED_FOR", "")
|
||||
if not xff:
|
||||
return remote_addr
|
||||
# Walk the chain from right to left, skipping trusted proxies
|
||||
ips = [ip.strip() for ip in xff.split(",")]
|
||||
for ip in reversed(ips):
|
||||
if ip not in TRUSTED_PROXIES:
|
||||
return ip
|
||||
# All IPs in the chain are trusted; fall back to the leftmost
|
||||
return ips[0]
|
||||
|
||||
|
||||
logger_class = CustomLogger
|
||||
access_log_format = '%({client-ip}e)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'
|
||||
|
||||
logconfig_dict = {
|
||||
"version": 1,
|
||||
"disable_existing_loggers": False,
|
||||
"filters": {
|
||||
"health_check": {
|
||||
"()": HealthCheckFilter,
|
||||
},
|
||||
},
|
||||
"handlers": {
|
||||
"console": {
|
||||
"class": "logging.StreamHandler",
|
||||
"filters": ["health_check"],
|
||||
"stream": "ext://sys.stdout",
|
||||
},
|
||||
},
|
||||
"loggers": {
|
||||
"gunicorn.access": {
|
||||
"handlers": ["console"],
|
||||
"level": "INFO",
|
||||
"propagate": False,
|
||||
},
|
||||
},
|
||||
}
|
||||
Reference in New Issue
Block a user