Filter sensitive query string parameters from NGINX access logs
This commit is contained in:
Nick Thomas
parent
4c7ada21c0
commit
603b68186a
2 changed files with 71 additions and 3 deletions
|
|
@ -25,6 +25,39 @@ map $http_upgrade $connection_upgrade_gitlab {
|
|||
'' close;
|
||||
}
|
||||
|
||||
## NGINX 'combined' log format with filtered query strings
|
||||
log_format gitlab_access $remote_addr - $remote_user [$time_local] "$request_method $gitlab_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_filtered_http_referer" "$http_user_agent";
|
||||
|
||||
## Remove private_token from the request URI
|
||||
# In: /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&...
|
||||
# Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
|
||||
map $request_uri $gitlab_temp_request_uri_1 {
|
||||
default $request_uri;
|
||||
~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
|
||||
}
|
||||
|
||||
## Remove authenticity_token from the request URI
|
||||
# In: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
|
||||
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
|
||||
map $gitlab_temp_request_uri_1 $gitlab_temp_request_uri_2 {
|
||||
default $gitlab_temp_request_uri_1;
|
||||
~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
|
||||
}
|
||||
|
||||
## Remove rss_token from the request URI
|
||||
# In: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
|
||||
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&...
|
||||
map $gitlab_temp_request_uri_2 $gitlab_filtered_request_uri {
|
||||
default $gitlab_temp_request_uri_2;
|
||||
~(?i)^(?<start>.*)(?<temp>[\?&]rss[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
|
||||
}
|
||||
|
||||
## A version of the referer without the query string
|
||||
map $http_referer $gitlab_filtered_http_referer {
|
||||
default $http_referer;
|
||||
~^(?<temp>.*)\? $temp;
|
||||
}
|
||||
|
||||
## Normal HTTP host
|
||||
server {
|
||||
## Either remove "default_server" from the listen line below,
|
||||
|
|
@ -46,7 +79,7 @@ server {
|
|||
# set_real_ip_from YOUR_TRUSTED_ADDRESS; ## Replace this with something like 192.168.1.0/24
|
||||
|
||||
## Individual nginx logs for this GitLab vhost
|
||||
access_log /var/log/nginx/gitlab_access.log;
|
||||
access_log /var/log/nginx/gitlab_access.log gitlab_access;
|
||||
error_log /var/log/nginx/gitlab_error.log;
|
||||
|
||||
location / {
|
||||
|
|
|
|||
|
|
@ -29,6 +29,41 @@ map $http_upgrade $connection_upgrade_gitlab_ssl {
|
|||
'' close;
|
||||
}
|
||||
|
||||
|
||||
## NGINX 'combined' log format with filtered query strings
|
||||
log_format gitlab_ssl_access $remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent";
|
||||
|
||||
## Remove private_token from the request URI
|
||||
# In: /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&...
|
||||
# Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
|
||||
map $request_uri $gitlab_ssl_temp_request_uri_1 {
|
||||
default $request_uri;
|
||||
~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
|
||||
}
|
||||
|
||||
## Remove authenticity_token from the request URI
|
||||
# In: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
|
||||
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
|
||||
map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
|
||||
default $gitlab_ssl_temp_request_uri_1;
|
||||
~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
|
||||
}
|
||||
|
||||
## Remove rss_token from the request URI
|
||||
# In: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
|
||||
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&...
|
||||
map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
|
||||
default $gitlab_ssl_temp_request_uri_2;
|
||||
~(?i)^(?<start>.*)(?<temp>[\?&]rss[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
|
||||
}
|
||||
|
||||
## A version of the referer without the query string
|
||||
map $http_referer $gitlab_ssl_filtered_http_referer {
|
||||
default $http_referer;
|
||||
~^(?<temp>.*)\? $temp;
|
||||
}
|
||||
|
||||
|
||||
## Redirects all HTTP traffic to the HTTPS host
|
||||
server {
|
||||
## Either remove "default_server" from the listen line below,
|
||||
|
|
@ -40,7 +75,7 @@ server {
|
|||
server_name YOUR_SERVER_FQDN; ## Replace this with something like gitlab.example.com
|
||||
server_tokens off; ## Don't show the nginx version number, a security best practice
|
||||
return 301 https://$http_host$request_uri;
|
||||
access_log /var/log/nginx/gitlab_access.log;
|
||||
access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
|
||||
error_log /var/log/nginx/gitlab_error.log;
|
||||
}
|
||||
|
||||
|
|
@ -93,7 +128,7 @@ server {
|
|||
# set_real_ip_from YOUR_TRUSTED_ADDRESS; ## Replace this with something like 192.168.1.0/24
|
||||
|
||||
## Individual nginx logs for this GitLab vhost
|
||||
access_log /var/log/nginx/gitlab_access.log;
|
||||
access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
|
||||
error_log /var/log/nginx/gitlab_error.log;
|
||||
|
||||
location / {
|
||||
|
|
|
|||
Loading…
Reference in a new issue