How to not log a get request parameter in the nginx access logs?

Domino picture Domino · Oct 9, 2013 · Viewed 8.9k times · Source

I require access logs enabled, but for compliance reasons, cannot log a sensitive GET request parameter's data in the access logs. While I know, I could parse the logs (after-the-fact) and sanitize them, this is not an acceptable solution -- because for compliance reasons logs can't be tampered with.

http://www.example.com/resource?param1=123&sensitive_param=sensitive_data

How can I prevent the "sensitive_data" parameter value from being written to the logs? Here were some ideas:

  • Send in POST request -- is not an option with JSONP.
  • Use a new location rule for "resource" and set an access log to use a log_format the uses a different format (ie does not use $remote_addr). See this for reference: http://nginx.org/en/docs/http/ngx_http_log_module.html
  • Log a $sanitized_remote_addr, and set it (somehow parse the $remote_addr or something else?) before it makes it to the log. We're not sure if this is easy to accomplish.

How should this be done?

Answer

Shashank Agrawal picture Shashank Agrawal · Apr 28, 2014

Previous answer will not work since log_format module can only be used at http level config.

For fix of this, we can remove the log_format configuration from location directive and keep it as it in http level config.

http {

    log_format filter '$remote_addr - $remote_user [$time_local] '
        '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

    # Other Configs
}

log_format directive can have variables defined later in our location directive block.

So final config will look like:

http {

    log_format filter '$remote_addr - $remote_user [$time_local] '
        '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

    # Other Configs

    server {
        #Server Configs
        location / {
            set $temp $request;
            if ($temp ~ (.*)password=[^&]*(.*)) { 
                set $temp $1password=****$2;
            }

            access_log /opt/current/log/nginx_access.log filter;
        }
    }
}