[MediaWiki-commits] [Gerrit] operations/puppet[production]: tlsproxy::localssl: add ability to have an access.log

Giuseppe Lavagetto (Code Review) Wed, 21 Dec 2016 03:48:38 -0800

Giuseppe Lavagetto has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328495 )


Change subject: tlsproxy::localssl: add ability to have an access.log
......................................................................

tlsproxy::localssl: add ability to have an access.log

While it's clearly something to avoid at the edge, for internal services
using this class it could be useful to write an access.log

Bug: T153797
Change-Id: Ifecbf9c60ab302cad87209b56c1f759bfc4baf0a
---
M modules/tlsproxy/manifests/localssl.pp
M modules/tlsproxy/templates/localssl.erb
2 files changed, 7 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/95/328495/1

diff --git a/modules/tlsproxy/manifests/localssl.pp 
b/modules/tlsproxy/manifests/localssl.pp
index a6e78a7..7093d77 100644
--- a/modules/tlsproxy/manifests/localssl.pp
+++ b/modules/tlsproxy/manifests/localssl.pp
@@ -44,6 +44,10 @@
 #   correct configuration directives in the site's nginx config file as well
 #   as creates the OCSP data file itself and ensures a cron is running to
 #   keep it up to date.  Does not work for ACME (letsencrypt) yet!
+#
+# [*access_log*]
+#   Boolean. If true, sets up the access log for the localssl virtualhost.
+#   Do NOT enable on the frontends. Defaults to false
 
 define tlsproxy::localssl(
     $certs          = [],
@@ -56,6 +60,7 @@
     $redir_port     = undef,
     $do_ocsp        = false,
     $skip_private   = false,
+    $access_log     = false,
 ) {
     if (!empty($certs) and !empty($acme_subjects)) or (empty($certs) and 
empty($acme_subjects)) {
         fail('Specify either certs or acme_subjects, not both and not 
neither.')
diff --git a/modules/tlsproxy/templates/localssl.erb 
b/modules/tlsproxy/templates/localssl.erb
index 9216c41..c96d987 100644
--- a/modules/tlsproxy/templates/localssl.erb
+++ b/modules/tlsproxy/templates/localssl.erb
@@ -16,8 +16,8 @@
        ssl on;
        server_name <%= ([@server_name] + @server_aliases).join(" ") %>;
 
-       error_log   /var/log/nginx/<%= @name %>.error.log;
-       access_log   off;
+        error_log   /var/log/nginx/<%= @name %>.error.log;
+       access_log   <% if @access_log %>/var/log/nginx/<%= @name 
%>.access.log<% else %>off<% end %>;
 
        <%- @certs_nginx.each do |cert| -%>
        ssl_certificate /etc/ssl/localcerts/<%= cert %>.chained.crt;

-- 
To view, visit https://gerrit.wikimedia.org/r/328495
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ifecbf9c60ab302cad87209b56c1f759bfc4baf0a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Giuseppe Lavagetto <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

[MediaWiki-commits] [Gerrit] operations/puppet[production]: tlsproxy::localssl: add ability to have an access.log

Reply via email to