Skip to content

Comments

[AAP-64061] Add nginx log markers for direct API access detection#2100

Merged
jamesmarshall24 merged 1 commit intoansible:develfrom
TheRealHaoLiu:AAP-64061/nginx-log-markers
Feb 17, 2026
Merged

[AAP-64061] Add nginx log markers for direct API access detection#2100
jamesmarshall24 merged 1 commit intoansible:develfrom
TheRealHaoLiu:AAP-64061/nginx-log-markers

Conversation

@TheRealHaoLiu
Copy link
Member

@TheRealHaoLiu TheRealHaoLiu commented Feb 12, 2026

Summary

  • Add map directives for X-Trusted-Proxy and X-DAB-JW-TOKEN headers
  • Update log_format to append $trusted_proxy_present and $dab_jwt_present fields
  • Add explicit error_log /dev/stderr warn;

These markers enable the CLI detection tool (aap-detect-direct-component-access) to identify direct API access that bypasses AAP Gateway by scanning nginx logs from SOSReport or must-gather.

Jira

ISSUE TYPE
  • New or Enhanced Feature

Test plan

  • Nginx logs contain trusted-proxy/dab-jwt or - fields appended to existing format
  • Requests through Gateway show trusted-proxy dab-jwt
  • Direct requests show - -
  • Lightspeed traffic shows - dab-jwt (JWT without Trusted-Proxy)

🤖 Generated with Claude Code

Add map directives for X-Trusted-Proxy and X-DAB-JW-TOKEN headers to
log the presence of these headers as trusted_proxy_present and
dab_jwt_present fields in the nginx access log.

These markers enable the detection tool (aap-detect-direct-component-access)
to identify direct API access that bypasses AAP Gateway.

Also add explicit error_log /dev/stderr warn; instead of relying on
container base image symlinks.

Part of ANSTRAT-1840: Remove direct API access to platform components.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@TheRealHaoLiu TheRealHaoLiu force-pushed the AAP-64061/nginx-log-markers branch from 9121753 to 75b6678 Compare February 17, 2026 14:46
@jamesmarshall24 jamesmarshall24 merged commit e0ce3ef into ansible:devel Feb 17, 2026
7 checks passed
@TheRealHaoLiu TheRealHaoLiu deleted the AAP-64061/nginx-log-markers branch February 17, 2026 22:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants