Stopped logging Docker healthcheck pings in dev #28981
no ref

- the ghost-dev container's healthcheck runs every 30s, producing ~120 access-log lines/hour that buried real HTTP traffic in dev
- gave the compose healthcheck a distinctive UA (GhostDockerHealthcheck/1.0) and filtered it in the request-log middleware
- node's global fetch defaults to 'User-Agent: node', too generic to filter on safely, so a custom UA was required
| Command | Status | Duration | Result |
|---|---|---|---|
| nx run ghost:test:ci:integration | ✅ Succeeded | 2m 38s | View ↗ |
| nx run ghost:test:integration | ✅ Succeeded | 2m 34s | View ↗ |
| nx run ghost:test:legacy | ✅ Succeeded | 2m 52s | View ↗ |
| nx run ghost:test:e2e | ✅ Succeeded | 2m 19s | View ↗ |
| nx run-many --target=build --projects=tag:publi... | ✅ Succeeded | 2s | View ↗ |
| nx run-many -t test:unit -p ghost | ✅ Succeeded | 23s | View ↗ |
| nx run-many -t lint -p ghost-monorepo,ghost | ✅ Succeeded | 27s | View ↗ |
| nx run @tryghost/admin:build | ✅ Succeeded | 5s | View ↗ |
| Additional runs (2) | ✅ Succeeded | ... | View ↗ |
☁️ Nx Cloud last updated this comment at 2026-06-29 23:43:25 UTC
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@ghost/core/core/server/web/parent/middleware/log-request.js`:
- Around line 3-4: The log bypass keyed off HEALTHCHECK_USER_AGENT in
log-request.js is currently global, so spoofed User-Agent values can suppress
logs outside development; update the middleware to only skip logging when the
environment is development (for example by checking the existing dev flag/config
in the same request path) and keep normal logging for all other environments.
Use the existing HEALTHCHECK_USER_AGENT constant and the log-request middleware
entrypoint to scope the bypass, and add a regression test that verifies the
non-development case still logs even when the healthcheck user agent is present.
📒 Files selected for processing (3)
- compose.dev.yaml
- ghost/core/core/server/web/parent/middleware/log-request.js
- ghost/core/test/unit/server/web/parent/middleware/log-request.test.js
| const HEALTHCHECK_USER_AGENT = 'GhostDockerHealthcheck/1.0'; | ||
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Scope the log bypass to development only.
This middleware runs outside Docker dev too, so a client can suppress access/error logs anywhere by spoofing User-Agent: GhostDockerHealthcheck/1.0. The compose change is dev-only, but this skip is global.
Suggested fix
module.exports = function logRequest(req, res, next) {
- if (req.headers['user-agent'] === HEALTHCHECK_USER_AGENT) {
+ if (process.env.NODE_ENV === 'development' && req.headers['user-agent'] === HEALTHCHECK_USER_AGENT) {
return next();
}
Please also add a regression test for the non-development case.
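Review bot: the `process.env.NODE_ENV === 'development'` guard on the added line still lets a client-supplied User-Agent decide whether a request is logged, so any instance started in development mode and reachable by other clients keeps the suppression path. Consider keying the bypass on a dedicated setting that only compose.dev.yaml turns on. Also, because `return next();` runs before the response exists, a healthcheck that begins failing is silenced as well; skipping only successful responses would keep those visible.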
Also applies to: 13-15

Summary

`pnpm dev` access logs only show real traffic.

- `compose.dev.yaml`: `ghost-dev` healthcheck now sends `User-Agent: GhostDockerHealthcheck/1.0` (Node's global `fetch` defaults to `User-Agent: node`, too generic to filter on safely).
- `ghost/core/core/server/web/parent/middleware/log-request.js`: when the UA matches that exact string, skip both response listeners and `next()` immediately.

Why

The `ghost-dev` container runs a healthcheck against `GET /` every 30s. In steady-state dev that's the dominant access-log line — ~120 `INFO "GET /" 200 ...` entries per hour that bury real HTTP traffic when you're trying to see what the admin / portal / a curl is actually doing.

Verification

- `test/unit/server/web/parent/middleware/log-request.test.js`) covers four paths via supertest: normal request logged, exact healthcheck UA skipped, near-miss UA (`GhostDockerHealthcheck/2.0`) still logged, generic `node` UA still logged. 4/4 passing.
- `ghost-dev` stack and I didn't want to clobber an active session. To verify manually after merge:
  - `pnpm dev:daemon` from a fresh shell, wait 90s.
  - `docker logs ghost-dev --since 90s | grep "GET /"` — should have no healthcheck lines.
  - `curl -A "GhostDockerHealthcheck/1.0" http://localhost:2368/` — should NOT appear in the log.
  - `curl http://localhost:2368/` — should appear in the log.

Test plan

- `pnpm dev:daemon`, wait 90s, confirm `docker logs ghost-dev | grep "GET /"` has no healthcheck lines.
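The environment-scoped bypass raised in the review, as an added example that is not code from the Ghost repository: `createLogRequest`, its `env` and `log` parameters, `fakeResponse` and `simulate` are hypothetical names, and the request/response objects are constructed stand-ins. It goes one step beyond the suggested fix by still logging a healthcheck whose response is an error.

```javascript
const HEALTHCHECK_USER_AGENT = 'GhostDockerHealthcheck/1.0';

// Hypothetical factory: the environment is fixed when the middleware is built,
// so a request header alone can never enable the bypass.
function createLogRequest({env, log}) {
    const allowBypass = env === 'development';

    return function logRequest(req, res, next) {
        const isHealthcheck = allowBypass &&
            req.headers['user-agent'] === HEALTHCHECK_USER_AGENT;

        res.once('finish', () => {
            // Stay quiet only for a healthy ping in development;
            // a failing healthcheck is still worth a log line.
            if (isHealthcheck && res.statusCode < 400) {
                return;
            }
            log(`"${req.method} ${req.url}" ${res.statusCode}`);
        });
        next();
    };
}

// Constructed stand-in for an HTTP response with a 'finish' event.
function fakeResponse(statusCode) {
    const handlers = [];
    return {
        statusCode,
        once: (event, fn) => handlers.push(fn),
        emit: () => handlers.splice(0).forEach(fn => fn())
    };
}

// Runs one constructed request through the middleware and returns
// the log lines it produced.
function simulate(env, userAgent, statusCode = 200) {
    const lines = [];
    const req = {method: 'GET', url: '/', headers: {'user-agent': userAgent}};
    const res = fakeResponse(statusCode);
    const logRequest = createLogRequest({env, log: line => lines.push(line)});
    logRequest(req, res, () => {});
    res.emit('finish');
    return lines;
}
```
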