Menu
I require access logs enabled, but for compliance reasons, cannot log a sensitive GET request parameter's data in the access logs. While I know, I could parse the logs (after-the-fact) and sanitize them, this is not an acceptable solution -- because for compliance reasons logs can't be tampered with.
http://www.example.com/resource?param1=123&sensitive_param=sensitive_data
How can I prevent the "sensitive_data" parameter value from being written to the logs? Here were some ideas:
How should this be done?
815
If you wish to turn off the Nginx error logs completely, you need to change the line to : error_log /dev/null crit; This will completely turn off the Nginx error logs on your server.
You can remove access. log as root user, or using sudo.
http { log_format upstream_time '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent"' 'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'; server { access_log /spool/logs/nginx-access.
By default, the access log is located at /var/log/nginx/access. log , and the information is written to the log in the predefined combined format. You can override the default settings and change the format of logged messages by editing the NGINX configuration file ( /etc/nginx/nginx. conf by default).
Previous answer will not work since log_format module can only be used at http level config.
For fix of this, we can remove the log_format configuration from location directive and keep it as it in http level config.
http {
log_format filter '$remote_addr - $remote_user [$time_local] '
'"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
# Other Configs
}
log_format directive can have variables defined later in our location directive block.
So final config will look like:
http {
log_format filter '$remote_addr - $remote_user [$time_local] '
'"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
# Other Configs
server {
#Server Configs
location / {
set $temp $request;
if ($temp ~ (.*)password=[^&]*(.*)) {
set $temp $1password=****$2;
}
access_log /opt/current/log/nginx_access.log filter;
}
}
}
The solution I found so far is here. In short:
location /any_sensitive... {
# Strip password in access.log
set $temp $request;
if ($temp ~ (.*)password=[^&]*(.*)) {
set $temp $1password=****$2;
}
log_format filter '$remote_addr - $remote_user [$time_local] '
'"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
access_log logs/access.log filter;
}
Maybe this used to work at some point, now it says:
nginx: [emerg] unknown "temp" variable
or
nginx: [warn] the "log_format" directive may be used only on "http" level in ...
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
