Overall the playbook uses the expression "Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:" with the heading "Adjusting the playbook configuration" for sections to explain what to be added as variables Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
3.4 KiB
Enabling metrics and graphs for NginX logs (optional)
It can be useful to have some (visual) insight into nginx logs.
This adds prometheus-nginxlog-exporter to your Matrix deployment.
It will collect access logs from various nginx reverse-proxies which may be used internally (e.g. matrix-synapse-reverse-proxy-companion
, if Synapse workers are enabled) and will make them available at a Prometheus-compatible /metrics
endpoint.
NOTE: nginx is only used internally by this Ansible playbook. With Traefik being our default reverse-proxy, collecting nginx metrics is less relevant.
To make use of this, you need to install Prometheus either via the playbook or externally. When using an external Prometheus, configuration adjustments are necessary - see Save metrics on an external Prometheus server.
If your setup includes Grafana, a dedicated NGINX PROXY
Grafana dashboard will be created.
Configuration
Add the following configuration to your inventory/host_vars/matrix.DOMAIN/vars.yml
file:
matrix_prometheus_nginxlog_exporter_enabled: true
Then, re-run the playbook. See installation.
Docker Image Compatibility
At the moment of writing only images for amd64
and arm64
architectures are available
The playbook currently does not support self-building a container image on other architectures. You can however use a custom-build image by setting:
matrix_prometheus_nginxlog_exporter_docker_image_arch_check_enabled: false
matrix_prometheus_nginxlog_exporter_docker_image: path/to/docker/image:tag
Security and privacy
Metrics and resulting graphs can contain a lot of information. NginX logs contain information like IP address, URLs, UserAgents and more. This information can reveal usage patterns and could be considered Personally Identifiable Information (PII). Think about this before enabling (anonymous) access. Please make sure you change the default Grafana password.
Save metrics on an external Prometheus server
The playbook will automatically integrate the metrics into the Prometheus server provided with this playbook (if enabled). In such cases, the metrics endpoint is not exposed publicly - it's only available on the container network.
When using an external Prometheus server, you'll need to expose metrics publicly. See Collecting metrics to an external Prometheus server.
You can either use matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled: true
to expose just this one service, or matrix_metrics_exposure_enabled: true
to expose all services.
Whichever way you go with, this service will expose its metrics endpoint without password-protection at https://matrix.DOMAIN/metrics/nginxlog
by default.
For password-protection, use (matrix_metrics_exposure_http_basic_auth_enabled
and matrix_metrics_exposure_http_basic_auth_users
) or (matrix_prometheus_nginxlog_exporter_container_labels_metrics_middleware_basic_auth_enabled
and matrix_prometheus_nginxlog_exporter_container_labels_metrics_middleware_basic_auth_users
).