如何不将获取请求参数记录在Nginx访问日志中

如何不将获取请求参数记录在Nginx访问日志中

本文介绍了如何不将获取请求参数记录在Nginx访问日志中?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我需要启用访问日志,但是出于合规性原因,无法在访问日志中记录敏感的GET请求参数的数据.据我所知,我可以解析日志(事后)并清理日志,但这不是一个可以接受的解决方案-因为出于合规性原因,日志不能被篡改.

I require access logs enabled, but for compliance reasons, cannot log a sensitive GET request parameter's data in the access logs. While I know, I could parse the logs (after-the-fact) and sanitize them, this is not an acceptable solution -- because for compliance reasons logs can't be tampered with.

http://www.example.com/resource?param1=123& sensitive_param = sensitive_data

如何防止将"sensitive_data"参数值写入日志?这里有一些想法:

How can I prevent the "sensitive_data" parameter value from being written to the logs? Here were some ideas:

  • 发送POST请求-JSONP不能选择此选项.
  • 对资源"使用新的位置规则,并设置访问日志以使用log_format或使用其他格式(即不使用$ remote_addr).请参阅以下内容以供参考: http://nginx.org/zh-CN/docs/http/ngx_http_log_module. html
  • 记录一个$ sanitized_remote_addr,并在将其写入日志之前进行设置(以某种方式解析$ remote_addr或其他内容?).我们不确定这是否容易实现.

这应该怎么做?

推荐答案

由于log_format模块只能在http级别的配置中使用,因此先前的答案将无效.

Previous answer will not work since log_format module can only be used at http level config.

要解决此问题,我们可以从location指令中删除log_format配置,并将其保留在http级配置中.

For fix of this, we can remove the log_format configuration from location directive and keep it as it in http level config.

http {

    log_format filter '$remote_addr - $remote_user [$time_local] '
        '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

    # Other Configs
}

log_format指令可以在稍后的location指令块中定义变量.

log_format directive can have variables defined later in our location directive block.

因此最终配置如下:

http {

    log_format filter '$remote_addr - $remote_user [$time_local] '
        '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

    # Other Configs

    server {
        #Server Configs
        location / {
            set $temp $request;
            if ($temp ~ (.*)password=[^&]*(.*)) {
                set $temp $1password=****$2;
            }

            access_log /opt/current/log/nginx_access.log filter;
        }
    }
}

这篇关于如何不将获取请求参数记录在Nginx访问日志中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-07 08:16