Почему nginx не пишет access лог в /var/log/nginx?

Question

[Kirill_Ulyanov]

Всем привет!

Есть конфигурация Nginx, в рамках которой access-лог должен писаться в 2 файла:
* Основной файл лога сайта вида /var/www/httpd-logs/адрес_сайта.access.log
* Общий лог /var/log/nginx/access.log

В основной лог данные пишутся, а в access.log – нет. Strace процессов nginx не показывает вообще никаких вызовов, связанных с записью логов (возможно, я просто не умею им пользоваться)

При этом, в /var/log/nginx/error.log данные записываются, по этому проблем с правами нет:

/var/log/nginx# ls -al 
total 12
drwxr-xr-x  2 root adm    4096 Sep  8 09:41 .
drwxrwxr-x 14 root syslog 4096 Sep  8 09:15 ..
-rw-r--r--  1 root root      0 Sep  8 09:41 access.log
-rw-r--r--  1 root root    136 Sep  8 09:41 error.log

Вывод nginx -V

nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f  31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KTLRnK/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

Вывод nginx -T:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
load_module modules/ngx_pagespeed.so;
events {
	worker_connections 65535;
}
http {
	log_format main_host '$remote_addr - $remote_user [$time_local] $host $request '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                    '"$http_x_forwarded_for" $request_time-$upstream_response_time';
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	include /etc/nginx/mime.types;
	default_type application/octet-stream;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;
    pagespeed on;
    pagespeed FileCachePath /var/cache/nginx/pagespeed_temp;
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;
	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	include /etc/nginx/vhosts/*/*.conf;
	client_max_body_size 256m;
	server {
		server_name localhost;
		root /var/www/html;
		error_page 403 /index.html;
		disable_symlinks if_not_owner;
		include /etc/nginx/vhosts-includes/*.conf;
		location = /basic_status {
			access_log off;
			stub_status;
			allow 127.0.0.1;
			allow ::1;
			deny all;
		}
		location ~ ^/(status|ping)$ {
			access_log off;
			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
			fastcgi_index index.php;
			include fastcgi_params;
			fastcgi_pass unix:/var/run/php-fpm.www-data.sock;
                        allow 127.0.0.1;
			allow ::1;
			deny all;
		}
		location / {
			return 403;
		}
		location /index.html {
		}
		location @fallback {
			error_log /dev/null crit;
			proxy_pass http://127.0.0.1:8080;
			proxy_redirect http://127.0.0.1:8080 /;
			proxy_set_header Host $host;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
			access_log off ;
		}
		listen 80 default_server;
		listen [::]:80 default_server;
	}
	server_names_hash_bucket_size 512;
	server_names_hash_max_size 512;

}
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
...
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
...
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
...
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
...
# configuration file /etc/nginx/mime.types:
...
# configuration file /etc/nginx/vhosts/www-root/default.local.conf:
server {
	server_name default.local www.default.local;
	charset off;
	index index.php index.html;
	disable_symlinks if_not_owner from=$root_path;
	include /etc/nginx/vhosts-includes/*.conf;
	include /etc/nginx/vhosts-resources/default.local/*.conf;
	ssi on;
	set $root_path /var/www/www-root/data/www/default.local;
	root $root_path;
	location / {
		location ~ [^/]\.ph(p\d*|tml)$ {
			try_files /does_not_exists @fallback;
		}
		location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
			try_files $uri $uri/ @fallback;
		}
		location / {
			try_files /does_not_exists @fallback;
		}
	}
	location @fallback {
		proxy_pass http://127.0.0.1:8080;
		proxy_redirect http://127.0.0.1:8080 /;
		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Port $server_port;
		access_log off;
	}
	access_log /var/www/httpd-logs/default.local.access.log;
	error_log /var/www/httpd-logs/default.local.error.log notice;
	listen IPv4address:80;
	listen [IPv6address]:80;
}
server {
	server_name default.local www.default.local;
	ssl_certificate "/var/www/httpd-cert/www-root/default.local.crt";
	ssl_certificate_key "/var/www/httpd-cert/www-root/default.local.key";
	ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:!NULL:!RC4;
	ssl_prefer_server_ciphers on;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
	charset off;
	index index.php index.html;
	disable_symlinks if_not_owner from=$root_path;
	include /etc/nginx/vhosts-includes/*.conf;
	include /etc/nginx/vhosts-resources/default.local/*.conf;
	ssi on;
	set $root_path /var/www/www-root/data/www/default.local;
	root $root_path;
	location / {
		location ~ [^/]\.ph(p\d*|tml)$ {
			try_files /does_not_exists @fallback;
		}
		location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
			try_files $uri $uri/ @fallback;
		}
		location / {
			try_files /does_not_exists @fallback;
		}
	}
	location @fallback {
		proxy_pass http://127.0.0.1:8080;
		proxy_redirect http://127.0.0.1:8080 /;
		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Port $server_port;
		access_log off;
	}
	access_log /var/www/httpd-logs/default.local.access.log;
	error_log /var/www/httpd-logs/default.local.error.log notice;
	listen IPv4address:443 ssl http2;
	listen [IPv6address]:443 ssl http2;
}
# configuration file /etc/nginx/vhosts-includes/awstats-nginx.conf:
...
# configuration file /etc/nginx/vhosts-includes/blacklist-nginx.conf:
...
# configuration file /etc/nginx/vhosts-includes/disabled.conf:
...
# configuration file /etc/nginx/vhosts-includes/letsencrypt.conf:
...
# configuration file /etc/nginx/vhosts-includes/logging.conf:
access_log /var/log/nginx/access.log main_host;
# configuration file /etc/nginx/vhosts-includes/phpmyadmin-nginx.conf:
...
# configuration file /etc/nginx/fastcgi_params:
...
# configuration file /etc/nginx/vhosts-includes/roundcube-nginx.conf:
...
# configuration file /etc/nginx/vhosts-includes/secure.conf:
...

Comments

[Kirill_Ulyanov]

Apparmor выключен

# apparmor_status 
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Answer 1

[Kirill_Ulyanov]

Вопрос решил сам. Запросы проксируются к Apache

location @fallback {
    proxy_pass http://127.0.0.1:8080;
    proxy_redirect http://127.0.0.1:8080 /;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    access_log off;
  }

и там отключено логирование запросов (привет, ИСП!)

Answer 2

[Данил Горев]

access_log /var/log/nginx/access.log; лучше указать внутри сервера, откуда нужно писать логи, условно:

server {
  access_log /var/log/nginx/access.log;
}

Ну и по хорошему всё это вынести в разные конфигурации в /etc/nginc/conf.d, для каждого из сайтов свой.

Comments

[Kirill_Ulyanov]

Мне нужно для каждого сайта писать лог в 2 файла, что делается:
1. Строкой вида
access_log /var/www/httpd-logs/default.local.access.log;
в конфиге самого сайта
2. Строкой вида
access_log /var/log/nginx/access.log main_host;
в этом же конфиге сайта (но для удобства, эта строка вынесена в другой файл, который инклюдится к конфигу сайта)

Эта конфигурация должна работать, но почему-то не работает, и я не могу понять, в какую сторону нужно смотреть