GitGuardian · ixxeL2097 · Oct 10, 2025
diff --git a/apko/prod.yaml b/apko/prod.yaml
@@ -74,6 +74,21 @@ paths:
     permissions: 0o777
     uid: 65532
     gid: 65532
+  - path: /var/run/openresty
+    type: directory
+    permissions: 0o777
+    uid: 65532
+    gid: 65532
+  - path: /var/cache/openresty
+    type: directory
+    permissions: 0o777
+    uid: 65532
+    gid: 65532
+  - path: /var/log/openresty
+    type: directory
+    permissions: 0o777
+    uid: 65532
+    gid: 65532
 
 archs:
   - aarch64

diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf
@@ -1,9 +1,6 @@
-load_module "/usr/lib/nginx/modules/ngx_stream_module.so";
-
 worker_processes 1;
-
-error_log  stderr  notice;
-pid        /var/run/nginx.pid;
+error_log stderr notice;
+pid /var/run/nginx.pid;
 
 events {
     worker_connections 1024;
@@ -13,6 +10,20 @@ http {
     map_hash_bucket_size 128;
     map_hash_max_size 4096;
 
+    client_body_temp_path /var/run/nginx-client-body;
+    proxy_temp_path /var/run/nginx-proxy;
+    fastcgi_temp_path /var/run/nginx-fastcgi;
+    uwsgi_temp_path /var/run/nginx-uwsgi;
+    scgi_temp_path /var/run/nginx-scgi;
+
+    lua_shared_dict metrics 10M;
+
+    init_by_lua_block {
+        ngx.shared.metrics:set("http_requests_total", 0)
+        ngx.shared.metrics:set("healthz_requests_total", 0)
+        ngx.shared.metrics:set("metrics_requests_total", 0)
+    }
+
     log_format main '$remote_addr - $remote_user [$time_local] '
                              '"$request" $status $body_bytes_sent '
                              '"$http_referer" "$http_user_agent"';
@@ -24,11 +35,81 @@ http {
 
         location / {
             return 404;
+
+            log_by_lua_block {
+                local metrics = ngx.shared.metrics
+                local total = metrics:get("http_requests_total") or 0
+                metrics:set("http_requests_total", total + 1)
+            }
         }
 
         location /healthz {
             default_type text/plain;
             return 200 "OK\n";
+
+            log_by_lua_block {
+                local metrics = ngx.shared.metrics
+
+                local healthz = metrics:get("healthz_requests_total") or 0
+                metrics:set("healthz_requests_total", healthz + 1)
+
+                local total = metrics:get("http_requests_total") or 0
+                metrics:set("http_requests_total", total + 1)
+            }
+        }
+
+        location /metrics {
+            default_type text/plain;
+            content_by_lua_block {
+                local metrics = ngx.shared.metrics
+                local stream_metrics = ngx.shared.stream_metrics
+                local output = {}
+
+                table.insert(output, "# HELP nginx_up Nginx is running")
+                table.insert(output, "# TYPE nginx_up gauge")
+                table.insert(output, "nginx_up 1")
+                table.insert(output, "")
+
+                table.insert(output, "# HELP nginx_http_requests_total Total HTTP requests")
+                table.insert(output, "# TYPE nginx_http_requests_total counter")
+                table.insert(output, "nginx_http_requests_total " .. (metrics:get("http_requests_total") or 0))
+                table.insert(output, "")
+
+                table.insert(output, "# HELP nginx_healthz_requests_total Total healthz requests")
+                table.insert(output, "# TYPE nginx_healthz_requests_total counter")
+                table.insert(output, "nginx_healthz_requests_total " .. (metrics:get("healthz_requests_total") or 0))
+                table.insert(output, "")
+
+                if stream_metrics then
+                    table.insert(output, "# HELP nginx_stream_connections_total Total stream connections")
+                    table.insert(output, "# TYPE nginx_stream_connections_total counter")
+                    table.insert(output, "nginx_stream_connections_total " .. (stream_metrics:get("stream_connections_total") or 0))
+                    table.insert(output, "")
+
+                    local sum = stream_metrics:get("upstream_connect_time_sum") or 0
+                    local count = stream_metrics:get("upstream_connect_time_count") or 0
+                    local avg = count > 0 and (sum / count) or 0
+
+                    table.insert(output, "# HELP nginx_stream_upstream_connect_time_seconds Average upstream connect time")
+                    table.insert(output, "# TYPE nginx_stream_upstream_connect_time_seconds gauge")
+                    table.insert(output, "nginx_stream_upstream_connect_time_seconds " .. string.format("%.6f", avg))
+                    table.insert(output, "")
+
+                    table.insert(output, "# HELP nginx_stream_upstream_connect_time_sum_seconds Total upstream connect time")
+                    table.insert(output, "# TYPE nginx_stream_upstream_connect_time_sum_seconds counter")
+                    table.insert(output, "nginx_stream_upstream_connect_time_sum_seconds " .. string.format("%.6f", sum))
+                    table.insert(output, "")
+
+                    table.insert(output, "# HELP nginx_stream_upstream_connect_time_count_total Total upstream connections")
+                    table.insert(output, "# TYPE nginx_stream_upstream_connect_time_count_total counter")
+                    table.insert(output, "nginx_stream_upstream_connect_time_count_total " .. count)
+                end
+
+                ngx.say(table.concat(output, "\n"))
+
+                local metrics_count = metrics:get("metrics_requests_total") or 0
+                metrics:set("metrics_requests_total", metrics_count + 1)
+            }
         }
     }
 }
@@ -37,13 +118,20 @@ stream {
     map_hash_bucket_size 128;
     map_hash_max_size 4096;
 
+    lua_shared_dict stream_metrics 10M;
+
+    init_by_lua_block {
+        ngx.shared.stream_metrics:set("stream_connections_total", 0)
+        ngx.shared.stream_metrics:set("upstream_connect_time_sum", 0)
+        ngx.shared.stream_metrics:set("upstream_connect_time_count", 0)
+    }
+
     log_format main '$proxy_protocol_addr - $remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                       '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
 
     access_log /dev/stdout main;
-
     resolver kube-dns.kube-system.svc.cluster.local valid=30s;
     resolver_timeout 5s;
 
@@ -52,5 +140,21 @@ stream {
         ssl_preread on;
         proxy_pass $ssl_preread_server_name:443;
         proxy_protocol off;
+
+        log_by_lua_block {
+            local metrics = ngx.shared.stream_metrics
+            local connect_time = tonumber(ngx.var.upstream_connect_time) or 0
+            local upstream = ngx.var.upstream_addr or "unknown"
+
+            local connections = metrics:get("stream_connections_total") or 0
+            metrics:set("stream_connections_total", connections + 1)
+
+            if connect_time > 0 then
+                local sum = metrics:get("upstream_connect_time_sum") or 0
+                local count = metrics:get("upstream_connect_time_count") or 0
+                metrics:set("upstream_connect_time_sum", sum + connect_time)
+                metrics:set("upstream_connect_time_count", count + 1)
+            end
+        }
     }
-}
+}
diff --git a/helm/ggbridge/README.md b/helm/ggbridge/README.md
@@ -88,13 +88,16 @@ A Helm chart for installing ggbridge
 | proxy.config.upstream.maxFails | int | `2` | Maximum number of unsuccessful attempts to communicate with the server |
 | proxy.labels | object | `{}` | Set proxy labels |
 | proxy.logLevel | string | `"notice"` | Set nginx sidecar container and proxy pod log level (default: notice) |
+| proxy.metrics.enabled | bool | `true` |  |
+| proxy.metrics.service.annotations | object | `{}` |  |
 | proxy.networkPolicy.allowExternal | bool | `true` | When true, server will accept connections from any source |
 | proxy.networkPolicy.enabled | bool | `true` | Specifies whether a NetworkPolicy should be created |
 | proxy.networkPolicy.extraEgress | list | `[]` | Add extra egress rules to the NetworkPolicy |
 | proxy.networkPolicy.extraIngress | list | `[]` | Add extra ingress rules to the NetworkPolicy |
 | proxy.networkPolicy.ingressNSMatchLabels | object | `{}` | Labels to match to allow traffic to the proxy server from other namespaces |
 | proxy.networkPolicy.ingressNSPodMatchLabels | object | `{}` | Pod labels to match to allow traffic to the proxy server from other namespaces |
 | proxy.nodeSelector | object | `{}` | Node labels for pod assignment |
+| proxy.openresty | object | `{"enabled":true}` | OpenResty config |
 | proxy.readinessProbe.enabled | bool | `true` | Whether to enable readiness probe for proxy |
 | proxy.readinessProbe.exec.command[0] | string | `"ggbridge"` |  |
 | proxy.readinessProbe.exec.command[1] | string | `"healthcheck"` |  |