Enhance health monitoring and status reporting in NGINX configuration and scripts

Author: Robbie1977

README.md

@@ -39,13 +39,48 @@ services:
 
 ```bash
 curl http://localhost/health
-# Returns: upstream response or "UPSTREAM_UNAVAILABLE" (503) if upstream is down
-# Includes X-Upstream-Status header showing actual upstream response code
+# Returns: OK
 ```
 
-The health endpoint now proxies to the upstream server to verify connectivity. If the upstream is unavailable, it returns 503 with "UPSTREAM_UNAVAILABLE".
+`/health` is a lightweight liveness check for NGINX itself. Use `/status` for upstream reachability, cache totals, and connection counters.
 
-**Health Monitoring**: A background process logs warnings every 5 minutes if the upstream server becomes unreachable, but the container continues running to serve cached content.
+### Status Endpoint
+
+```bash
+curl http://localhost/status
+```
+
+Example response:
+
+```json
+{
+  "updated_at": "2026-03-24T12:00:00Z",
+  "health": {
+    "nginx": true,
+    "upstream": true
+  },
+  "upstream": {
+    "host": "owl.virtualflybrain.org",
+    "port": 80
+  },
+  "cache": {
+    "source": "access_log",
+    "total": 120,
+    "hit": 113,
+    "miss": 7
+  },
+  "connections": {
+    "active": 3,
+    "reading": 0,
+    "writing": 1,
+    "waiting": 2
+  }
+}
+```
+
+`/status` is refreshed by a background monitor that reads the access log for cache totals and samples NGINX `stub_status` for connection counters.
+
+**Health Monitoring**: A background process logs warnings when the upstream server becomes unreachable, but the container continues running to serve cached content.
 
 ## Configuration
 
@@ -55,12 +90,14 @@ The health endpoint now proxies to the upstream server to verify connectivity. I
 - `CACHE_MAX_SIZE`: Maximum cache size on disk (default: `20g`, accepts NGINX size units like `1t` for 1TB)
 - `CACHE_STALE_TIME`: How long a cached response is considered fresh (default: `6M`). After this time the entry is served stale while being refreshed in the background. Accepts NGINX time units: `s`, `m`, `h`, `d`, `w`, `M` (30 days), `y` (365 days).
 - `DNS_RESOLVER`: DNS resolver servers (default: `8.8.8.8`, space-separated list). Check `cat /etc/resolv.conf` in your container to find the correct value for your environment.
+- `STATUS_POLL_INTERVAL`: Seconds between `/status` refreshes (default: `5`)
+- `HEALTH_LOG_INTERVAL`: Seconds between periodic upstream health log lines when state is unchanged (default: `300`)
 
 ### Cache Headers
 
 The proxy adds helpful headers to responses:
 
-- `X-Cache-Status`: `HIT`, `MISS`, `EXPIRED`, or `STALE`
+- `X-Cache-Status`: `HIT`, `MISS`, `EXPIRED`, `STALE`, `UPDATING`, or `REVALIDATED`
 - `X-Cache-Key`: The cache key used for the request
 
 ## Performance
@@ -80,7 +117,8 @@ The proxy adds helpful headers to responses:
 - **Cache storage**: `/var/cache/nginx/owlery` with 1:2 directory levels
 - **Cache zone**: 100MB in-memory metadata zone
 - **Max cache size**: 20GB on disk (configurable via `CACHE_MAX_SIZE` environment variable)
-- **Health monitoring**: Background process checks upstream connectivity every 5 minutes and logs warnings
+- **Status monitoring**: Background process updates `/var/run/nginx/status.json` from the access log and NGINX `stub_status`
+- **Health monitoring**: Background process checks upstream connectivity and logs warnings without taking the cache offline
 
 ### Caching Behavior
 
@@ -95,6 +133,7 @@ The proxy adds helpful headers to responses:
 ### Networking
 
 - **Listen ports**: 80 and 8080 (both ports handle requests identically)
+- **Status endpoints**: `/health` for liveness, `/status` for JSON metrics, and internal-only `/__nginx_status` for raw NGINX counters
 - **DNS resolver**: Configurable via `DNS_RESOLVER` (default: Google Public DNS `8.8.8.8` with 30s TTL for fast upstream IP updates). Check `cat /etc/resolv.conf` in your container for the correct value.
 - **Host-agnostic**: Ignores Host header for routing
 - **Connection pooling**: 16 keep-alive connections to backend
@@ -147,3 +186,4 @@ Set these in your GitHub repository secrets:
 - **Subsequent Requests**: Cache HIT → Return cached result (<10ms) with X-Cache-Status: HIT
 - **Expired Cache**: Return stale content immediately with X-Cache-Status: UPDATING + background refresh
 - **Backend Errors**: Forward errors to client without caching, allowing retries to succeed
+- **Status Reporting**: `/status` shows current hit/miss/total counts from the access log plus sampled connection counters

health-monitor.sh

@@ -1,24 +1,232 @@
 #!/bin/sh
 
-# Health monitoring script for upstream server
-# Logs warnings but doesn't exit container
+# Poll NGINX and the access log to keep /status current while also logging
+# upstream reachability changes.
 
-UPSTREAM_HOST=$(echo $UPSTREAM_SERVER | cut -d: -f1)
-UPSTREAM_PORT=$(echo $UPSTREAM_SERVER | cut -d: -f2)
+ACCESS_LOG=${ACCESS_LOG:-/var/log/nginx/access.log}
+STATUS_FILE=${STATUS_FILE:-/var/run/nginx/status.json}
+NGINX_STATUS_URL=${NGINX_STATUS_URL:-http://127.0.0.1:8080/__nginx_status}
+STATUS_POLL_INTERVAL=${STATUS_POLL_INTERVAL:-5}
+HEALTH_LOG_INTERVAL=${HEALTH_LOG_INTERVAL:-300}
 
-# Default to port 80 if no port specified
-if [ "$UPSTREAM_HOST" = "$UPSTREAM_PORT" ]; then
+UPSTREAM_HOST=$(printf '%s' "$UPSTREAM_SERVER" | cut -d: -f1)
+UPSTREAM_PORT=$(printf '%s' "$UPSTREAM_SERVER" | cut -d: -f2)
+
+# Default to port 80 if no port is specified.
+if [ -z "$UPSTREAM_HOST" ]; then
+    UPSTREAM_HOST=unknown
+fi
+
+if [ -z "$UPSTREAM_PORT" ] || [ "$UPSTREAM_HOST" = "$UPSTREAM_PORT" ]; then
     UPSTREAM_PORT=80
 fi
 
-echo "Monitoring upstream server: $UPSTREAM_HOST:$UPSTREAM_PORT"
+STATUS_DIR=$(dirname "$STATUS_FILE")
+ACCESS_LOG_DIR=$(dirname "$ACCESS_LOG")
 
-while true; do
-    if nc -z -w3 $UPSTREAM_HOST $UPSTREAM_PORT 2>/dev/null; then
-        echo "$(date): Upstream server is healthy"
+total_requests=0
+hit_requests=0
+miss_requests=0
+access_log_size=0
+
+active_connections=
+reading_connections=
+writing_connections=
+waiting_connections=
+
+nginx_healthy=false
+upstream_healthy=false
+last_upstream_state=
+last_health_log_epoch=0
+
+json_escape() {
+    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
+}
+
+json_number_or_null() {
+    if [ -n "$1" ]; then
+        printf '%s' "$1"
     else
-        echo "$(date): WARNING - Upstream server $UPSTREAM_HOST:$UPSTREAM_PORT is unreachable"
+        printf 'null'
+    fi
+}
+
+get_file_size() {
+    if [ ! -f "$1" ]; then
+        printf '0'
+        return
+    fi
+
+    if size=$(stat -c %s "$1" 2>/dev/null); then
+        printf '%s' "$size"
+    else
+        wc -c < "$1" 2>/dev/null | tr -d ' '
+    fi
+}
+
+recount_access_log() {
+    if [ ! -f "$ACCESS_LOG" ]; then
+        total_requests=0
+        hit_requests=0
+        miss_requests=0
+        access_log_size=0
+        return
+    fi
+
+    counts=$(awk '
+        BEGIN { total = 0; hit = 0; miss = 0 }
+        {
+            status = ""
+            if (NF >= 3) {
+                status = $(NF - 2)
+            }
+            if (status ~ /^(HIT|MISS|BYPASS|EXPIRED|STALE|UPDATING|REVALIDATED)$/) {
+                total++
+                if (status == "HIT") {
+                    hit++
+                } else if (status == "MISS") {
+                    miss++
+                }
+            }
+        }
+        END { printf "%d %d %d", total, hit, miss }
+    ' "$ACCESS_LOG" 2>/dev/null)
+
+    set -- $counts
+    total_requests=${1:-0}
+    hit_requests=${2:-0}
+    miss_requests=${3:-0}
+    access_log_size=$(get_file_size "$ACCESS_LOG")
+}
+
+update_access_log_counts() {
+    current_size=$(get_file_size "$ACCESS_LOG")
+
+    if [ "$current_size" -lt "$access_log_size" ]; then
+        recount_access_log
+        return
+    fi
+
+    if [ "$current_size" -eq "$access_log_size" ]; then
+        return
     fi
 
-    sleep 300  # Check every 5 minutes
-done
+    if [ "$access_log_size" -eq 0 ]; then
+        recount_access_log
+        return
+    fi
+
+    start_byte=$((access_log_size + 1))
+    counts=$(tail -c +"$start_byte" "$ACCESS_LOG" 2>/dev/null | awk '
+        BEGIN { total = 0; hit = 0; miss = 0 }
+        {
+            status = ""
+            if (NF >= 3) {
+                status = $(NF - 2)
+            }
+            if (status ~ /^(HIT|MISS|BYPASS|EXPIRED|STALE|UPDATING|REVALIDATED)$/) {
+                total++
+                if (status == "HIT") {
+                    hit++
+                } else if (status == "MISS") {
+                    miss++
+                }
+            }
+        }
+        END { printf "%d %d %d", total, hit, miss }
+    ')
+
+    set -- $counts
+    total_requests=$((total_requests + ${1:-0}))
+    hit_requests=$((hit_requests + ${2:-0}))
+    miss_requests=$((miss_requests + ${3:-0}))
+    access_log_size=$current_size
+}
+
+update_upstream_health() {
+    current_epoch=$(date +%s)
+
+    if nc -z -w3 "$UPSTREAM_HOST" "$UPSTREAM_PORT" 2>/dev/null; then
+        upstream_healthy=true
+        upstream_state=healthy
+        upstream_message="Upstream server is healthy"
+    else
+        upstream_healthy=false
+        upstream_state=unreachable
+        upstream_message="WARNING - Upstream server $UPSTREAM_HOST:$UPSTREAM_PORT is unreachable"
+    fi
+
+    if [ "$upstream_state" != "$last_upstream_state" ] || [ $((current_epoch - last_health_log_epoch)) -ge "$HEALTH_LOG_INTERVAL" ]; then
+        echo "$(date): $upstream_message"
+        last_upstream_state=$upstream_state
+        last_health_log_epoch=$current_epoch
+    fi
+}
+
+update_connection_stats() {
+    status_text=$(wget -q -O - "$NGINX_STATUS_URL" 2>/dev/null || true)
+
+    if [ -n "$status_text" ]; then
+        active_connections=$(printf '%s\n' "$status_text" | awk '/Active connections:/ { print $3 }')
+        reading_connections=$(printf '%s\n' "$status_text" | awk '/Reading:/ { print $2 }')
+        writing_connections=$(printf '%s\n' "$status_text" | awk '/Writing:/ { print $4 }')
+        waiting_connections=$(printf '%s\n' "$status_text" | awk '/Waiting:/ { print $6 }')
+        nginx_healthy=true
+    else
+        active_connections=
+        reading_connections=
+        writing_connections=
+        waiting_connections=
+        nginx_healthy=false
+    fi
+}
+
+write_status_file() {
+    timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+    escaped_host=$(json_escape "$UPSTREAM_HOST")
+    tmp_file="${STATUS_FILE}.tmp"
+
+    cat > "$tmp_file" <<EOF
+{
+  "updated_at": "$timestamp",
+  "health": {
+    "nginx": $nginx_healthy,
+    "upstream": $upstream_healthy
+  },
+  "upstream": {
+    "host": "$escaped_host",
+    "port": $UPSTREAM_PORT
+  },
+  "cache": {
+    "source": "access_log",
+    "total": $total_requests,
+    "hit": $hit_requests,
+    "miss": $miss_requests
+  },
+  "connections": {
+    "active": $(json_number_or_null "$active_connections"),
+    "reading": $(json_number_or_null "$reading_connections"),
+    "writing": $(json_number_or_null "$writing_connections"),
+    "waiting": $(json_number_or_null "$waiting_connections")
+  }
+}
+EOF
+
+    mv "$tmp_file" "$STATUS_FILE"
+}
+
+mkdir -p "$STATUS_DIR" "$ACCESS_LOG_DIR"
+umask 022
+
+recount_access_log
+write_status_file
+
+echo "Monitoring upstream server: $UPSTREAM_HOST:$UPSTREAM_PORT"
+
+while true; do
+    update_access_log_counts
+    update_upstream_health
+    update_connection_stats
+    write_status_file
+    sleep "$STATUS_POLL_INTERVAL"
+done

nginx.conf.template

@@ -17,6 +17,7 @@ http {
                         '$upstream_cache_status $request_time $upstream_response_time';
 
     access_log /dev/stdout cache;
+    access_log /var/log/nginx/access.log cache;
     error_log /dev/stderr warn;
 
     proxy_cache_path /var/cache/nginx/owlery levels=1:2 keys_zone=owlery_cache:100m max_size=${CACHE_MAX_SIZE} inactive=5y use_temp_path=off;
@@ -39,6 +40,21 @@ http {
     server {
         listen 80;
 
+        location = /status {
+            access_log off;
+            default_type application/json;
+            add_header Cache-Control "no-store" always;
+            alias /var/run/nginx/status.json;
+        }
+
+        location = /__nginx_status {
+            access_log off;
+            stub_status;
+            allow 127.0.0.1;
+            allow ::1;
+            deny all;
+        }
+
         location /health {
             access_log off;
             return 200 "OK\n";
@@ -79,6 +95,21 @@ http {
     server {
         listen 8080;
 
+        location = /status {
+            access_log off;
+            default_type application/json;
+            add_header Cache-Control "no-store" always;
+            alias /var/run/nginx/status.json;
+        }
+
+        location = /__nginx_status {
+            access_log off;
+            stub_status;
+            allow 127.0.0.1;
+            allow ::1;
+            deny all;
+        }
+
         location /health {
             access_log off;
             return 200 "OK\n";