
How to not log a get request parameter in the nginx access logs?

I require access logs to be enabled, but for compliance reasons I cannot log a sensitive GET request parameter's data in the access logs. While I know I could parse the logs (after the fact) and sanitize them, this is not an acceptable solution, because for compliance reasons logs can't be tampered with.

http://www.example.com/resource?param1=123&sensitive_param=sensitive_data

How can I prevent the "sensitive_data" parameter value from being written to the logs? Here were some ideas:

  • Send it in a POST request -- this is not an option with JSONP.
  • Use a new location rule for "resource" and set an access log that uses a log_format with a different format (i.e. one that does not use $remote_addr). See this for reference: http://nginx.org/en/docs/http/ngx_http_log_module.html
  • Log a $sanitized_remote_addr, and set it (somehow parse $remote_addr or something else?) before it makes it to the log. We're not sure if this is easy to accomplish.

How should this be done?

Domino asked Oct 09 '13 07:10



2 Answers

The previous answer will not work, since log_format can only be used at the http level of the config.

To fix this, we can remove the log_format configuration from the location block and keep it as it is in the http-level config.

http {

    log_format filter '$remote_addr - $remote_user [$time_local] '
        '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

    # Other Configs
}

The log_format directive can use variables that are defined later, in our location block.

So the final config will look like:

http {

    log_format filter '$remote_addr - $remote_user [$time_local] '
        '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

    # Other Configs

    server {
        # Server Configs
        location / {
            # Copy the request line; the regex below rewrites the copy, not $request
            set $temp $request;
            # Blank out the value of "password=" up to the next "&"
            if ($temp ~ (.*)password=[^&]*(.*)) {
                set $temp $1password=****$2;
            }

            # Log with the http-level "filter" format, which prints $temp instead of $request
            access_log /opt/current/log/nginx_access.log filter;
        }
    }
}
Shashank Agrawal answered Oct 09 '22 21:10


The solution I found so far is here. In short:

location /any_sensitive... {
    # Strip password in access.log
    set $temp $request;
    if ($temp ~ (.*)password=[^&]*(.*)) {
        set $temp $1password=****$2;
    }

    log_format filter '$remote_addr - $remote_user [$time_local] '
        '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

    access_log logs/access.log filter;
}

Maybe this used to work at some point, now it says:

nginx: [emerg] unknown "temp" variable

or

nginx: [warn] the "log_format" directive may be used only on "http" level in ...
Doncho Gunchev answered Oct 09 '22 21:10
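To check what the `(.*)password=[^&]*(.*)` rewrite used in both answers actually leaves in the log, here is an added Python emulation (not code from either answer or from nginx; Python's `re` stands in for nginx's PCRE, and the request lines are constructed). It applies the answers' pattern and a stricter per-parameter variant, and reports which secret values survive masking.

```python
import re

# Parameters whose values must never reach the access log. Constructed for
# this example from the names used on the page ("password", "sensitive_param").
SENSITIVE_PARAMS = ("password", "sensitive_param")

# The pattern from the answers above, as nginx applies it to a copy of $request:
#   if ($temp ~ (.*)password=[^&]*(.*)) { set $temp $1password=****$2; }
ANSWER_PATTERN = re.compile(r"(.*)password=[^&]*(.*)")


def mask_like_answer(request_line: str) -> str:
    """Emulate the single greedy substitution the answers perform."""
    m = ANSWER_PATTERN.match(request_line)
    if not m:
        return request_line
    return f"{m.group(1)}password=****{m.group(2)}"


def mask_all(request_line: str, params=SENSITIVE_PARAMS) -> str:
    """Mask every occurrence of each sensitive parameter.

    The name is anchored on '?' or '&' so only whole parameter names match,
    and the value stops at '&' or whitespace so the trailing "HTTP/1.x" of
    the request line is preserved.
    """
    for name in params:
        request_line = re.sub(rf"([?&]{re.escape(name)}=)[^&\s]*",
                              r"\1****", request_line)
    return request_line


def leaked_values(masked_line: str, secrets) -> list:
    """Return the secret values that still appear in a masked line."""
    return [s for s in secrets if s in masked_line]


if __name__ == "__main__":
    # Constructed request lines in the form nginx stores in $request.
    samples = [
        "GET /resource?param1=123&sensitive_param=sensitive_data HTTP/1.1",
        "GET /login?password=hunter2&next=/home HTTP/1.1",
        "GET /r?password=first&x=1&password=second HTTP/1.1",
    ]
    for line in samples:
        print("answer :", mask_like_answer(line))
        print("strict :", mask_all(line))
```

Running it shows that the greedy `(.*)` masks only the last `password=` in a request line and, when that parameter is last, also eats the trailing `HTTP/1.1`; the per-parameter variant masks every occurrence of each listed name.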