I require access logs enabled, but for compliance reasons, cannot log a sensitive GET request parameter's data in the access logs. While I know, I could parse the logs (after-the-fact) and sanitize them, this is not an acceptable solution -- because for compliance reasons logs can't be tampered with.
http://www.example.com/resource?param1=123&sensitive_param=sensitive_data
How can I prevent the "sensitive_data" parameter value from being written to the logs? Here were some ideas:
How should this be done?
Previous answer will not work since log_format
module can only be used at http
level config.
For fix of this, we can remove the log_format
configuration from location
directive and keep it as it in http level config.
http {
log_format filter '$remote_addr - $remote_user [$time_local] '
'"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
# Other Configs
}
log_format
directive can have variables defined later in our location
directive block.
So final config will look like:
http {
log_format filter '$remote_addr - $remote_user [$time_local] '
'"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
# Other Configs
server {
#Server Configs
location / {
set $temp $request;
if ($temp ~ (.*)password=[^&]*(.*)) {
set $temp $1password=****$2;
}
access_log /opt/current/log/nginx_access.log filter;
}
}
}