Nginx TCP Stream: Configuring Access Logging


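nginx has offered TCP/UDP reverse proxying since 1.9.0, but session logging was not added until 1.11.4.

Stream access logging has several limitations:

  • nginx writes the log entry only after the session has ended;
  • the session log is a TCP-level record only: session time, bytes sent and received, and so on;
  • anything sent inside a session (for example, repeated heartbeats over one established socket connection) can only be logged at the application layer.

The log format must be configured inside the stream block, at the same level as the server blocks: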

stream {
    log_format proxy '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time "$upstream_addr" '
                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
}

Different ports can write to different log files:

    server {
        listen 8100 ssl;
        access_log /opt/nginx-1.24.0/logs/tcp-ssl-access.log proxy;
        ssl_certificate        /opt/nginx-1.24.0/conf/cert/server.crt;
        ssl_certificate_key    /opt/nginx-1.24.0/conf/cert/server.key;
        # TLSv1.1 is deprecated (RFC 8996); keep it only if a legacy client requires it
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse on;
        ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        proxy_pass redis;      # upstream (or hostname) named "redis"; its definition is not shown on this page
    }

    server {
        listen 8104;           # no "ssl" parameter: this listener accepts plain TCP
        access_log /opt/nginx-1.24.0/logs/tcp-access.log proxy;      # access log
        proxy_connect_timeout 60s;
        proxy_timeout 60s;
        proxy_pass 127.0.0.1:8100;
        # The ssl_* directives in this server apply only to listeners declared with "ssl"
        ssl_verify_client on;
        ssl_client_certificate /opt/nginx-1.24.0/conf/cert/ca.crt;
        proxy_ssl   on;        # use TLS for the connection to 127.0.0.1:8100
        ssl_certificate        /opt/nginx-1.24.0/conf/cert/server.crt;
        ssl_certificate_key    /opt/nginx-1.24.0/conf/cert/server.key;
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    }

Check the access logs:

root@abcdocker:/opt/nginx-1.24.0# tail -f logs/tcp*
==> logs/tcp-access.log <==
111.201.222.10 [20/Mar/2024:02:37:57 +0000] TCP 200 7490 250 22.959 "127.0.0.1:8100" "250" "7490" "0.003"
111.201.222.10 [20/Mar/2024:02:45:38 +0000] TCP 200 7777 824 434.695 "127.0.0.1:8100" "824" "7777" "0.001"
111.201.222.10 [20/Mar/2024:02:45:47 +0000] TCP 200 7478 222 5.642 "127.0.0.1:8100" "222" "7478" "0.009"

==> logs/tcp-ssl-access.log <==
127.0.0.1 [20/Mar/2024:02:37:57 +0000] TCP 200 7490 250 22.958 "127.0.0.1:6379" "250" "7490" "0.000"
127.0.0.1 [20/Mar/2024:02:45:38 +0000] TCP 200 7777 824 434.650 "127.0.0.1:6379" "824" "7777" "0.000"
127.0.0.1 [20/Mar/2024:02:45:47 +0000] TCP 200 7478 222 5.642 "127.0.0.1:6379" "222" "7478" "0.000"
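
A parser for the proxy log format above that flags sessions worth reviewing; this is an added example, not part of the original post. The function names, the 300-second threshold and the last sample line are assumptions made for illustration.

```python
import re

# Mirrors the "proxy" log_format defined in the stream block on this page.
LINE_RE = re.compile(
    r'^(?P<remote_addr>\S+) \[(?P<time_local>[^\]]+)\] (?P<protocol>\S+) '
    r'(?P<status>\d{3}) (?P<bytes_sent>\d+) (?P<bytes_received>\d+) '
    r'(?P<session_time>\d+\.\d+) "(?P<upstream_addr>[^"]*)" '
    r'"(?P<upstream_bytes_sent>[^"]*)" "(?P<upstream_bytes_received>[^"]*)" '
    r'"(?P<upstream_connect_time>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one stream access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("status", "bytes_sent", "bytes_received"):
        rec[key] = int(rec[key])
    rec["session_time"] = float(rec["session_time"])
    # Upstream values are comma-separated when several servers were tried; "-" means no value.
    times = rec["upstream_connect_time"].split(",")
    rec["upstream_connect_time"] = [None if t.strip() in ("-", "") else float(t) for t in times]
    return rec

def review(lines, max_session=300.0):
    """Return (remote_addr, time_local, reasons) for sessions worth a second look."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        reasons = []
        if rec["status"] != 200:  # stream $status: 200 means the session completed
            reasons.append(f"status {rec['status']}")
        if rec["session_time"] > max_session:  # assumed threshold, tune per service
            reasons.append(f"session lasted {rec['session_time']}s")
        if None in rec["upstream_connect_time"]:
            reasons.append("upstream connect time not recorded")
        if reasons:
            findings.append((rec["remote_addr"], rec["time_local"], reasons))
    return findings

SAMPLE = [  # first two lines come from the page's tcp-access.log; the last is constructed
    '111.201.222.10 [20/Mar/2024:02:37:57 +0000] TCP 200 7490 250 22.959 "127.0.0.1:8100" "250" "7490" "0.003"',
    '111.201.222.10 [20/Mar/2024:02:45:38 +0000] TCP 200 7777 824 434.695 "127.0.0.1:8100" "824" "7777" "0.001"',
    '203.0.113.7 [20/Mar/2024:02:50:01 +0000] TCP 502 0 0 0.001 "127.0.0.1:8100" "0" "0" "-"',
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Because nginx writes each entry only when the session ends, a long-lived connection shows up here only after it has closed.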
