Skip to content

Instantly share code, notes, and snippets.

@krushik
Last active December 15, 2021 07:20
Show Gist options
  • Save krushik/85fa30b410ca569a7132b18768743c1c to your computer and use it in GitHub Desktop.
Save krushik/85fa30b410ca569a7132b18768743c1c to your computer and use it in GitHub Desktop.
mask passwords in apache access logs with mod_lua
-- apache's %r log field (request line) is read only, we can't fix data in there,
-- so you need to change your LogFormat with '%m %U%q %H' instead of '%r' to get this masking effect
function log_mask_password(r)
-- manually parse request line, needed to overwrite r.uri to mimick apache's %r percent-encoding in %U for non-latin chars
local url = r.the_request:match"^%S+%s(.+)%sHTTP/[%d.]+$" -- ex.: GET /foo?bar=1 HTTP/1.1
-- in case of malformed http request, use apache's uri variant
if not url then
url = r.uri
end
-- remove query string from the extracted url and overwrite r.uri
r.uri = string.gsub(url, "%?.*", "")
-- mask password= param values in query string
if r.args then
r.args = r.args:gsub("([pP][aA][sS][sS][wW][oO][rR][dD])=[^&=]*(&?)", "%1=XXX%2")
end
return apache2.OK
end
@krushik
Copy link
Author

krushik commented Dec 5, 2018

  1. put log_mask.lua to /etc/apache2/
  2. enable mod_lua in apache with a2enmod lua
  3. set up lua log hook somewhere in your config
<IfModule lua_module>
    LuaHookLog /etc/apache2/log_mask.lua log_mask_password
</IfModule>
  1. fix your LogFormat to use %m %U%q %H instead of %r. e.g.:
    LogFormat "%a %l %u %t \"%m %U%q %H\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

Don't forget to fix all your other log formats too, if you have them!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment