Skip to main content

Nginx logs management

Context

The K8SAAS team is working to reduce the logs on the platform to increase efficiency and to reduce overall costs.

As a result, we decided to disable the nginx access logs by default due to their limited use. The new configuration will be applied starting with Babel 2.7. If you want to keep these logs, you can open a ticket through postIT and request that the access logs must be reactivated PostIT

Use case

By default, access logs are disabled at the cluster level, but if you have configured a whitelist as described here, and someone tries to reach your URL and his IP is not whitelisted, you will still be able to get this type of logs as they are considered error logs:

2022/10/25 12:58:39 [error] 1647#1647: *260282 access forbidden by rule, client: 81.65.94.XX, server: hw-ingress.helloworld.test.k8saas.thalesdigital.io, request: "GET / HTTP/2.0", host: "YOUR_APP_URL"

Manage nginx logs on your own

If you decide to enable the access logs setting, the K8SAAS team will do it for you. Once enabled you can also manage the access logs per ingress by adding an annotation to disable the access logs for some of your ingress as below:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hello-world-ingress
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
nginx.ingress.kubernetes.io/enable-access-log: "false"
spec:
ingressClassName: nginx-internal
tls:
- hosts:
- hello-world-ingress.jkfhsfkshdflkshjkdhf.kaas.thalesdigital.io
secretName: tls-secret
rules:
- host: hello-world-ingress.jkfhsfkshdflkshjkdhf.kaas.thalesdigital.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: aks-helloworld-one
port:
number: 80

Add this annotation to each ingress for which you want to deactivate the access logs (if you don't specify this annotation, it is set to true by default).

You can visit official documentation if you need more details : nginx_user_guide