Hide sensitive GET parameters within nginx access logs thanks to the Lua module

    http {
        # $_request is the request line with sensitive values masked (set below)
        log_format filt '$remote_addr - $remote_user [$time_local] "$_request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        server {
            location /login {
                # `set` is provided by the Rewrite module
                set $filter "password|secret";
                # Replace the value of every parameter named in $filter
                set_by_lua $_request '
                    local filt = ngx.arg[1]
                    local req = ngx.arg[2]
                    return ngx.re.gsub(req, "((" .. filt .. ")=)[^&]+", "$1-FILTERED-")
                ' $filter $request;
                access_log logs/access.log filt;
                # ...
            }
        }
    }

ghost commented May 15, 2013

    location /xxx {
        #Strip password in access.log
        set $temp $request;
        if ($temp ~ (.*)password=[^&]*(.*)) { 
            set $temp $1password=****$2;
        }
        log_format filter '$remote_addr - $remote_user [$time_local]  '
                            '"$temp" $status $body_bytes_sent '
                            '"$http_referer" "$http_user_agent"';
        access_log  logs/access.log filter;
    }
deltheil (Owner, Author) commented Nov 20, 2013

Thanks for this alternative!

ricardograca commented Mar 5, 2018

The above alternative from @Rockes won't work because you can't have log_format directives inside location blocks. They can only exist inside http blocks.
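
Added example, not part of the gist or its comments: a Python model of the gist's substitution, run over constructed `$request` values, to check what the pattern masks before relying on it in production logs. `HARDENED` (value also stops at whitespace, keys matched in any case), `audit` and the sample lines are assumptions introduced here, and Python's `re` stands in for the PCRE engine behind `ngx.re.gsub`.

```python
import re

FILTER = "password|secret"  # value of $filter in the gist
MASK = "-FILTERED-"

# Pattern the gist's Lua code builds from $filter (case-sensitive; value runs to the next '&').
GIST = re.compile("((" + FILTER + ")=)[^&]+")
# Assumed hardening, not from the gist: value also stops at whitespace, keys match in any case.
HARDENED = re.compile("((" + FILTER + ")=)[^&\\s]+", re.IGNORECASE)


def redact(pattern, request_line):
    """Mirror ngx.re.gsub(req, pattern, "$1-FILTERED-"): mask every matching value."""
    return pattern.sub(lambda m: m.group(1) + MASK, request_line)


def audit(pattern, samples):
    """Return (redacted_line, leaked, protocol_kept) for each (line, secret) sample."""
    report = []
    for line, secret in samples:
        out = redact(pattern, line)
        report.append((out, secret in out, out.endswith(" HTTP/1.1")))
    return report


# Constructed $request values (method, URI, protocol) paired with the secret they carry.
SAMPLES = [
    ("GET /login?user=alice&password=hunter2&next=/home HTTP/1.1", "hunter2"),
    ("GET /login?user=alice&password=hunter2 HTTP/1.1", "hunter2"),
    ("GET /login?secret=s3cr3t&password=hunter2 HTTP/1.1", "s3cr3t"),
    ("GET /login?Password=hunter2 HTTP/1.1", "hunter2"),
]

if __name__ == "__main__":
    for name, pattern in (("gist", GIST), ("hardened", HARDENED)):
        print(name)
        for out, leaked, proto in audit(pattern, SAMPLES):
            print(f"  leaked={leaked!s:5} protocol_kept={proto!s:5} {out}")
```

With the gist's pattern, a filtered parameter in last position also swallows the trailing ` HTTP/1.1`, and a key spelled `Password` is logged unmasked; the hardened pattern keeps the protocol and masks both.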
