README: documentation update
parent
49f49491e6
commit
bc5f0ca945
26
README
26
README
|
@ -1,18 +1,22 @@
|
|||
Logtracker
|
||||
===========
|
||||
|
||||
Logtracker is a django application that aggregates and displays log entries
|
||||
Logtracker is a django application that aggregates and displays log entries.
|
||||
|
||||
Post-install
|
||||
------------
|
||||
In order to allow clients writes :
|
||||
1. Server installation
|
||||
|
||||
1. on the server :
|
||||
Clients upload using ssl certificates, ensure x-http-ssl* headers are added by
|
||||
upstream haproxy or nginx (see provided examples).
|
||||
|
||||
echo "create role rsyslog with login password 'ohGh6iec';
|
||||
grant connect on database logtracker to rsyslog;
|
||||
grant insert on table journal_entry to rsyslog;
|
||||
grant usage, select on sequence journal_entry_id_seq TO rsyslog; " | sudo -u postgres psql logtracker
|
||||
2. Clients installation
|
||||
|
||||
2. install rsyslog-logtracker, then
|
||||
copy and adapt debian/rsyslog-logtracker.conf-example to debian/rsyslog-logtracker.conf
|
||||
2.1 using curl
|
||||
|
||||
$ journalctl -o export --no-pager --cursor-file=~/.config/logtracker.cursor | curl -sS -X POST --cacert /etc/ssl/certs/ca-certificates.crt --cert $CERT --key $KEY --data-binary @- https://$HOST/upload
|
||||
|
||||
2.2
|
||||
* using systemd-journal-upload:
|
||||
** install systemd-journal-remote
|
||||
** in order to upload containers journals, override systemd-journal-upload.service with : ExecStart = /lib/systemd/systemd-journal-upload -m --save-state
|
||||
** in /etc/systemd/journal-upload.conf configure URL, ServerKeyFile, ServerCertificateFile and TrustedCertificateFile
|
||||
** enable and start systemd-journal-upload.service
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
frontend https
|
||||
...
|
||||
bind *:443 ssl crt /etc/ssl/bundles ca-file /usr/local/share/ca-certificates/entrouvert-ca.crt verify optional
|
||||
http-request set-header X-SSL %[ssl_fc]
|
||||
http-request set-header X-SSL-Client-Cert %[ssl_fc_has_crt]
|
||||
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
|
||||
http-request set-header X-SSL-Client-SHA1 %[ssl_c_sha1,hex]
|
||||
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
|
||||
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
|
||||
http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
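Review bot: With `verify optional` on the `bind` line a client that presents no certificate is still forwarded, and as far as HAProxy documents it `ssl_c_verify` is 0 in that case too, so `X-SSL-Client-Verify` alone does not prove the client authenticated; the application has to require `X-SSL-Client-Cert` as well. `ssl_fc_has_crt` is false on a resumed TLS session even when that session was established with a certificate, and HAProxy's documentation recommends `ssl_c_used` for this check: `http-request set-header X-SSL-Client-Cert %[ssl_c_used]`. A comment above the `set-header` lines should also say that the backend trusts these headers and must therefore be reachable only through this frontend, e.g. `# backend must not be reachable except via this frontend: it trusts X-SSL-*`.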
|
|
@ -6,6 +6,9 @@ server {
|
|||
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||
|
||||
ssl_client_certificate /etc/ssl/certs/ca-certificates.crt;
|
||||
ssl_verify_client optional;
|
||||
|
||||
access_log /var/log/nginx/logtracker.example.org-access.log combined;
|
||||
error_log /var/log/nginx/logtracker.example.org-error.log;
|
||||
|
||||
|
@ -23,26 +26,11 @@ server {
|
|||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name _;
|
||||
|
||||
access_log /var/log/nginx/logtracker.example.org-access.log combined;
|
||||
error_log /var/log/nginx/logtracker.example.org-error.log;
|
||||
|
||||
location ~ ^/static/(.+)$ {
|
||||
root /;
|
||||
try_files /var/lib/logtracker/collectstatic/$1
|
||||
=404;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/var/run/logtracker/logtracker.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
proxy_set_header X-SSL 1;
|
||||
proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
|
||||
proxy_set_header X-SSL-Client-SHA1 $ssl_client_fingerprint;
|
||||
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
|
||||
proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
|
||||
}
|
||||
}
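Review bot: In the first hunk, `ssl_client_certificate /etc/ssl/certs/ca-certificates.crt;` makes the whole system trust store the set of accepted client CAs, so with `ssl_verify_client optional` a certificate issued by any public CA reaches the application with `X-SSL-Client-Verify` set to `SUCCESS`. The HAProxy example pins a single private CA; the nginx example should do the same, e.g. `ssl_client_certificate /path/to/<clients-ca>.crt;` (placeholder path), or carry a comment saying the application must check `X-SSL-Issuer`. The two examples also disagree on what they send: `$ssl_client_verify` yields strings (`SUCCESS`, `NONE`, `FAILED:…`) where HAProxy's `ssl_c_verify` yields a number, and no `X-SSL-Client-Cert` or `X-SSL-Client-CN` header is set here; which of these the application reads is not visible on this page. Both hunks sit inside `server` blocks that begin outside them.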
|
||||
|
|