This repository contains the source code for the ngx_http_datadog_module, an NGINX module
that integrates Datadog APM and Application Security Management into NGINX.
- Download a gzipped tarball from a [recent release][12], extract it to
wherever nginx looks for modules (e.g.
/usr/lib/nginx/modules/). - Add the following line to the top of the main nginx configuration (e.g.
/etc/nginx/nginx.conf):
load_module modules/ngx_http_datadog_module.so;Tracing is automatically added to all endpoints by default. For more information, see the API documentation.
Important
We provide support for NGINX versions up to their End Of Life, extended by one year. Aligned with the NGINX release cycle, this entails support for the four most recent NGINX versions.
If you plan to add tracing features to an older NGINX version using our module, please check out the build section for guidance.
There are two tarballs (the actual executable module and, separately, the debug
symbols) per each combination of: 1) nginx version, 2) architecture, 3) whether
AppSec is built in or not. The main tarball contains a single file,
ngx_http_datadog_module.so, which is the Datadog nginx module.
The naming convention is:
ngx_http_datadog_module-<arch>-<version>.so.tgzfor builds without appsec support andngx_http_datadog_module-appsec-<arch>-<version>.so.tgzfor builds with appsec support.
Important
The AppSec variants require nginx to have been built with --threads (thread
support).
Supported architectures (<arch>) are amd64 and arm64.
While it may be possible to build the extension against an older version, this is not guaranteed; in particular, AppSec builds require a feature introduced in version 1.21.4.
Unless otherwise configured, ngx_http_datadog_module adds the following
default behavior to NGINX:
- Connect to the Datadog agent at
http://localhost:8126. - Create one span per request:
- Service name is "nginx".
- Operation name is "nginx.request".
- Resource name is
"$request_method $uri", e.g. "GET /api/book/0-345-24223-8/title". - Includes multiple
http.*tags.
Custom configuration can be specified via the datadog_* family of directives in nginx's configuration file, or via environment variables.
To enable AppSec, besides using the correct binary (the relase artifact with "-appsec") in the name, it's necessary to edit the nginx configuration:
- Set
datadog_appsec_enabled on;. - Define one (or more thread pools).
- Choose which thread pool AppSec will use, either on a global or a per-location basis.
For more information, see the documentation.
If the version of NGINX you’re using is no longer supported by this repository, you can build the module by following the steps below.
This repository uses git submodules for some of its dependencies. To ensure all dependencies are available or updated before building, run the following command:
git submodule update --init --recursiveBefore building the module, ensure your environment meets the following requirements:
- Recent C and C++ toolchain (
clangorgcc/g++) (must support at least some C++20 features). - make.
- CMake
v3.24or newer. - Architecture is either
x86_64orarm64.
We recommend using Docker which greatly simplify the build process for various environments. Below are specific commands and options for different build targets.
Important
Be sure to match the version of NGINX, OpenResty, or ingress-nginx with the version you are using in your environment to avoid compatibility issues.
Note
The build-musl target builds against musl to guarantee portability.
WAF=ON ARCH=amd64 NGINX_VERSION=1.27.1 make build-muslOptions:
WAF=<ON|OFF>: Enable (ON) or disable (OFF) AppSec.ARCH=<amd64|aarch64>: Specify the CPU architecture.NGINX_VERSION=<version>: Specify the NGINX version to build.
The NGINX module will be generated at .musl-build\ngx_http_datadog_module.so.
Note
The build-openresty target builds against musl to guarantee portability.
To build the module for OpenResty:
WAF=ON ARCH=amd64 RESTY_VERSION=1.27.1.1 make build-openrestyOptions:
WAF=<ON|OFF>: Enable (ON) or disable (OFF) AppSec.ARCH=<amd64|aarch64>: Specify the CPU architecture.RESTY_VERSION=<version>: Specify the OpenResty version to build.
Note
The build-ingress-nginx target builds against musl to guarantee portability.
To build the module for ingress-nginx:
WAF=ON ARCH=amd64 INGRESS_NGINX_VERSION=1.11.2 make build-ingress-nginxOptions:
WAF=<ON|OFF>: Enable (ON) or disable (OFF) AppSec.ARCH=<amd64|aarch64>: Specify the CPU architecture.INGRESS_NGINX_VERSION=<version>: Specify the version ingress-nginx to build.
This project is based largely on previous work. See CREDITS.md.
