From 3f041f26aa9403ed0fc70714bb35c9e742b5f395 Mon Sep 17 00:00:00 2001 From: Daniel Volz Date: Sat, 14 Feb 2026 21:04:45 +0100 Subject: [PATCH] feat: respect LOG_LEVEL in frontend nginx container (#212) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add entrypoint wrapper that translates LOG_LEVEL into nginx access_log control. When LOG_LEVEL is warn or higher, nginx access logs are suppressed. The frontend container now receives LOG_LEVEL via env_file (.env) — no new env vars needed. --- .env.example | 3 +++ docker-compose.yml | 2 ++ frontend/Dockerfile | 7 ++++++- frontend/nginx-entrypoint.sh | 21 +++++++++++++++++++++ frontend/nginx.conf | 3 +++ 5 files changed, 35 insertions(+), 1 deletion(-) create mode 100755 frontend/nginx-entrypoint.sh diff --git a/.env.example b/.env.example index 0fbe62c..04a87ae 100644 --- a/.env.example +++ b/.env.example @@ -12,6 +12,9 @@ PGID=1000 PORT=3000 CORS_ORIGINS=http://localhost:4174 LOG_LEVEL=info +# Levels: debug, info, warn, error, silent +# Controls: backend Fastify logging, frontend nginx access logs (Docker), +# and frontend browser console (via build-time injection) # Rate limit: max requests per minute per IP (default: 100) # Increase for development/testing environments diff --git a/docker-compose.yml b/docker-compose.yml index 3915cde..64de583 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -35,6 +35,8 @@ services: frontend: image: ghcr.io/danielvolz/medassist-ng-frontend:latest container_name: medassist-ng-frontend + env_file: + - .env environment: - BACKEND_URL=backend:3000 ports: diff --git a/frontend/Dockerfile b/frontend/Dockerfile index b5a90b1..edf2be7 100644 --- a/frontend/Dockerfile +++ b/frontend/Dockerfile @@ -41,6 +41,10 @@ RUN sed -i 's|include /etc/nginx/conf.d/\*.conf;|include /tmp/default.conf;|' /e # nginx-unprivileged automatically substitutes env vars in .template files COPY nginx.conf /etc/nginx/templates/default.conf.template +# Copy entrypoint wrapper (translates LOG_LEVEL → nginx access log control) +COPY nginx-entrypoint.sh /nginx-entrypoint.sh +RUN chmod +x /nginx-entrypoint.sh + # Copy built static files with correct ownership (nginx user = uid 101) COPY --from=builder --chown=101:101 /app/dist /usr/share/nginx/html @@ -50,5 +54,6 @@ EXPOSE 8080 # Already runs as non-root (nginx user, uid 101) USER nginx -# Start nginx (entrypoint processes templates automatically) +# Use wrapper entrypoint that maps LOG_LEVEL to nginx config +ENTRYPOINT ["/nginx-entrypoint.sh"] CMD ["nginx", "-g", "daemon off;"] diff --git a/frontend/nginx-entrypoint.sh b/frontend/nginx-entrypoint.sh new file mode 100755 index 0000000..db3a200 --- /dev/null +++ b/frontend/nginx-entrypoint.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# ============================================================================= +# Frontend entrypoint wrapper +# Translates LOG_LEVEL into nginx access log control before +# delegating to the standard nginx-unprivileged entrypoint. +# +# LOG_LEVEL=debug|info → access logs enabled (default) +# LOG_LEVEL=warn|error|fatal|silent → access logs suppressed +# ============================================================================= + +case "${LOG_LEVEL:-info}" in + warn|error|fatal|silent) + export NGINX_ACCESS_LOG="off" + ;; + *) + export NGINX_ACCESS_LOG="/dev/stdout" + ;; +esac + +# Delegate to the original nginx-unprivileged entrypoint +exec /docker-entrypoint.sh "$@" diff --git a/frontend/nginx.conf b/frontend/nginx.conf index 48ab14e..36949ab 100644 --- a/frontend/nginx.conf +++ b/frontend/nginx.conf @@ -6,6 +6,9 @@ server { root /usr/share/nginx/html; index index.html; + # Access log control (suppressed when LOG_LEVEL is warn or higher) + access_log ${NGINX_ACCESS_LOG}; + # Security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always;