matrix-docker-ansible-deploy/docs/configuring-playbook-prometheus-nginxlog.md
Suguru Hirahara bf5373479b
Use common expression on documentation regarding playbook configuration
Overall the playbook uses the expression "Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:" with the heading "Adjusting the playbook configuration" for sections to explain what to be added as variables

Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
2024-10-12 20:59:15 +09:00

3.4 KiB

Enabling metrics and graphs for NginX logs (optional)

It can be useful to have some (visual) insight into nginx logs.

This adds prometheus-nginxlog-exporter to your Matrix deployment.

It will collect access logs from various nginx reverse-proxies which may be used internally (e.g. matrix-synapse-reverse-proxy-companion, if Synapse workers are enabled) and will make them available at a Prometheus-compatible /metrics endpoint.

NOTE: nginx is only used internally by this Ansible playbook. With Traefik being our default reverse-proxy, collecting nginx metrics is less relevant.

To make use of this, you need to install Prometheus either via the playbook or externally. When using an external Prometheus, configuration adjustments are necessary - see Save metrics on an external Prometheus server.

If your setup includes Grafana, a dedicated NGINX PROXY Grafana dashboard will be created.

Configuration

Add the following configuration to your inventory/host_vars/matrix.DOMAIN/vars.yml file:

matrix_prometheus_nginxlog_exporter_enabled: true

Then, re-run the playbook. See installation.

Docker Image Compatibility

At the moment of writing only images for amd64 and arm64 architectures are available

The playbook currently does not support self-building a container image on other architectures. You can however use a custom-build image by setting:

matrix_prometheus_nginxlog_exporter_docker_image_arch_check_enabled: false
matrix_prometheus_nginxlog_exporter_docker_image: path/to/docker/image:tag

Security and privacy

Metrics and resulting graphs can contain a lot of information. NginX logs contain information like IP address, URLs, UserAgents and more. This information can reveal usage patterns and could be considered Personally Identifiable Information (PII). Think about this before enabling (anonymous) access. Please make sure you change the default Grafana password.

Save metrics on an external Prometheus server

The playbook will automatically integrate the metrics into the Prometheus server provided with this playbook (if enabled). In such cases, the metrics endpoint is not exposed publicly - it's only available on the container network.

When using an external Prometheus server, you'll need to expose metrics publicly. See Collecting metrics to an external Prometheus server.

You can either use matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled: true to expose just this one service, or matrix_metrics_exposure_enabled: true to expose all services.

Whichever way you go with, this service will expose its metrics endpoint without password-protection at https://matrix.DOMAIN/metrics/nginxlog by default.

For password-protection, use (matrix_metrics_exposure_http_basic_auth_enabled and matrix_metrics_exposure_http_basic_auth_users) or (matrix_prometheus_nginxlog_exporter_container_labels_metrics_middleware_basic_auth_enabled and matrix_prometheus_nginxlog_exporter_container_labels_metrics_middleware_basic_auth_users).