Pim van pelt
96f77baacd
Pull the .deb + ASan-nginx rebuild out of `make robot-test` — a full
dpkg-buildpackage + nginx recompile before every test run was turning
a 15-second test loop into a multi-minute one, which hurts when
iterating on a flaky suite. robot-test now fails fast with an
actionable message if either artifact is missing:
Bootstrap once: make pkg-deb build-asan
Then iterate: make robot-test # reuses both
install-deps grew to cover what a truly minimal Debian box needs —
`build-essential`, `ca-certificates`, and an explicit check that
`deb-src` is enabled (required by `apt source nginx`, which both
fetch-nginx-src and build-asan rely on). `nginx-dev` transitively
brings in the nginx build-deps (libpcre2-dev, libssl-dev, libxslt1-dev,
libgeoip-dev, libperl-dev, libexpat-dev, libgd-dev, zlib1g-dev,
debhelper-compat, po-debconf) so those stay off the explicit list.
debian/rules' override_dh_clean now pre-clears
build/nginx-asan/{fastcgi,proxy,scgi,uwsgi,client_body}_temp before
running dh_clean. Those dirs get chowned to "nobody" when the 02-asan
robot suite bind-mounts build/nginx-asan/ RW into its container and
nginx master startup creates them — subsequent pkg-deb runs were
dying with EACCES from dh_clean's find traversal. rm -rf only needs
write access to the parent (which we have), so this is safe.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
nginx-ipng-stats-plugin
Per-VIP, per-device traffic counters for nginx. Ships as a dynamic nginx module and a Debian package that loads into stock upstream nginx on Debian Trixie.
The module attributes every HTTP request to the interface it arrived on, reading the ingress ifindex per connection from the
kernel's IP_PKTINFO / IPV6_PKTINFO cmsg. Listening sockets stay plain wildcards, so outgoing packets follow the normal
routing table — which is what makes this safe for DSR / maglev deployments where the SYN arrives via a GRE tunnel and the
SYN-ACK must leave via the default route. Counters — requests, status codes, bytes, latency histograms — are exposed as
Prometheus text or JSON from a single HTTP scrape endpoint, filtered per-source. This is useful for any deployment where
traffic arrives on distinct interfaces — GRE tunnels, VLANs, bonded links, or plain ethernet — and per-interface observability
is needed.
Without any device=/ipng_source_tag= parameters, the module still counts and exposes per-VIP traffic under the configurable
default source tag (direct), which makes it a useful plain observability module for any nginx host.
See docs/design.md for the full design, including the attribution model, data flow, and requirements.
Quick start
make install-deps # install build and test dependencies (apt)
make build # build the .so out-of-tree
make pkg-deb # build a .deb package
make robot-test # run end-to-end tests via containerlab
Installing
sudo dpkg -i build/*.deb
The package installs the .so into /usr/lib/nginx/modules, drops a load_module stanza into /etc/nginx/modules-enabled/, and runs
nginx -t before completing.
Configuring
See docs/user-guide.md for an end-to-end walkthrough and docs/config-guide.md for the
directive and listen parameter reference.
License
Apache-2.0. See LICENSE.