问题描述
我需要启用访问日志,但是出于合规性原因,无法在访问日志中记录敏感的GET请求参数的数据.据我所知,我可以解析日志(事后)并清理日志,但这不是一个可以接受的解决方案-因为出于合规性原因,日志不能被篡改.
I require access logs enabled, but for compliance reasons, cannot log a sensitive GET request parameter's data in the access logs. While I know, I could parse the logs (after-the-fact) and sanitize them, this is not an acceptable solution -- because for compliance reasons logs can't be tampered with.
http://www.example.com/resource?param1=123& sensitive_param = sensitive_data
如何防止将"sensitive_data"参数值写入日志?这里有一些想法:
How can I prevent the "sensitive_data" parameter value from being written to the logs? Here were some ideas:
- 发送POST请求-JSONP不能选择此选项.
- 对资源"使用新的位置规则,并设置访问日志以使用log_format或使用其他格式(即不使用$ remote_addr).请参阅以下内容以供参考: http://nginx.org/zh-CN/docs/http/ngx_http_log_module. html
- 记录一个$ sanitized_remote_addr,并在将其写入日志之前进行设置(以某种方式解析$ remote_addr或其他内容?).我们不确定这是否容易实现.
这应该怎么做?
推荐答案
由于log_format模块只能在http级别的配置中使用,因此先前的答案将无效.
Previous answer will not work since log_format module can only be used at http level config.
要解决此问题,我们可以从location指令中删除log_format配置,并将其保留在http级配置中.
For fix of this, we can remove the log_format configuration from location directive and keep it as it in http level config.
http {
log_format filter '$remote_addr - $remote_user [$time_local] '
'"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
# Other Configs
}
log_format指令可以在稍后的location指令块中定义变量.
log_format directive can have variables defined later in our location directive block.
因此最终配置如下:
http {
log_format filter '$remote_addr - $remote_user [$time_local] '
'"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
# Other Configs
server {
#Server Configs
location / {
set $temp $request;
if ($temp ~ (.*)password=[^&]*(.*)) {
set $temp $1password=****$2;
}
access_log /opt/current/log/nginx_access.log filter;
}
}
}
这篇关于如何不将获取请求参数记录在Nginx访问日志中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!