Hide sensitive GET parameters within nginx access logs thanks to the Lua module
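
    http {
        # log_format is declared once at http level; $_request is set per location below
        log_format filt '$remote_addr - $remote_user [$time_local] "$_request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

        server {
            location /login {
                # `set` is provided by the Rewrite module
                set $filter "password|secret";

                # `set_by_lua` is provided by the Lua module; it masks the value of
                # every parameter named in $filter before the request line is logged
                set_by_lua $_request '
                    local filt = ngx.arg[1]
                    local req = ngx.arg[2]
                    return ngx.re.gsub(req, "((" .. filt .. ")=)[^&]+", "$1-FILTERED-")
                ' $filter $request;

                access_log logs/access.log filt;

                # ...
            }
        }
    }
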

ghost commented May 15, 2013

    location /xxx {
        #Strip password in access.log
        set $temp $request;
        if ($temp ~ (.*)password=[^&]*(.*)) {
            set $temp $1password=****$2;
        }
        log_format filter '$remote_addr - $remote_user [$time_local]  '
                            '"$temp" $status $body_bytes_sent '
                            '"$http_referer" "$http_user_agent"';
        access_log  logs/access.log filter;
    }


deltheil commented Nov 20, 2013

Thanks for this alternative!


ricardograca commented Mar 5, 2018

The above alternative from @Rockes won't work because you can't have log_format directives inside location blocks. It can only exist inside http blocks.
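
Added example, not part of the gist or its comments: an offline Python check of the two masking patterns on this page against sample `$request` values, reporting which secret values would still reach the access log. Python's `re` stands in for nginx's PCRE here; the function names, request lines and secret values are constructed for illustration.

```python
import re

# Pattern the gist's Lua snippet builds from $filter = "password|secret".
FILTER = "password|secret"
GIST_RE = re.compile(r"((" + FILTER + r")=)[^&]+")
# Pattern from the rewrite-module alternative in the comments.
ALT_RE = re.compile(r"(.*)password=[^&]*(.*)")


def mask_gist(request):
    """Stand-in for ngx.re.gsub(req, pattern, "$1-FILTERED-")."""
    return GIST_RE.sub(r"\1-FILTERED-", request)


def mask_alt(request):
    """Stand-in for: if ($temp ~ ...) { set $temp $1password=****$2; }"""
    m = ALT_RE.search(request)
    return f"{m.group(1)}password=****{m.group(2)}" if m else request


def leaks(logged, secrets):
    """Return the secret values still visible in the logged string."""
    return [s for s in secrets if s in logged]


# Constructed sample $request values and the secrets each one carries.
SAMPLES = [
    ("GET /login?user=bob&password=hunter2&x=1 HTTP/1.1", ["hunter2"]),
    # Secret is the last parameter: [^&] also consumes " HTTP/1.1".
    ("GET /login?user=bob&password=hunter2 HTTP/1.1", ["hunter2"]),
    # Repeated parameter: the greedy (.*) masks only the last occurrence.
    ("GET /login?password=old1&password=new2 HTTP/1.1", ["old1", "new2"]),
    # Parameter named "secret": only the gist's pattern covers it.
    ("GET /login?secret=tok123&user=bob HTTP/1.1", ["tok123"]),
]

if __name__ == "__main__":
    for request, secrets in SAMPLES:
        for name, fn in (("gist", mask_gist), ("alt", mask_alt)):
            logged = fn(request)
            print(f"{name:4} {logged!r} leaks={leaks(logged, secrets)}")
```

Both log formats on this page also write `$http_referer`, which neither pattern touches, so a referring URL that carries the same parameters is logged unmasked.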
