Remove sensitive params from the NGINX access logs
The request query string has sensitive parameters filtered out, while the referer has the query string removed completely.
This commit is contained in:
parent
be5c8be5ca
commit
6983fe5953
|
@ -104,11 +104,12 @@ Jun 26 06:33:46 ubuntu1204-test gitlab_access.log: 172.16.228.1 - - [26/Jun/2014
|
|||
|
||||
### Using a custom NGINX log format
|
||||
|
||||
By default the NGINX access logs will use the 'combined' NGINX
|
||||
format, see
|
||||
http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format .
|
||||
By default the NGINX access logs will use a version of the 'combined' NGINX
|
||||
format, designed to hide potentially sensitive information embedded in query strings.
|
||||
If you want to use a custom log format string you can specify it
|
||||
in `/etc/gitlab/gitlab.rb`.
|
||||
in `/etc/gitlab/gitlab.rb` - see
|
||||
[the NGINX documentation](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format)
|
||||
for format details.
|
||||
|
||||
```
|
||||
nginx['log_format'] = 'my format string $foo $bar'
|
||||
|
|
|
@ -539,7 +539,7 @@ default['gitlab']['nginx']['dir'] = "/var/opt/gitlab/nginx"
|
|||
default['gitlab']['nginx']['log_directory'] = "/var/log/gitlab/nginx"
|
||||
default['gitlab']['nginx']['worker_processes'] = node['cpu']['total'].to_i
|
||||
default['gitlab']['nginx']['worker_connections'] = 10240
|
||||
default['gitlab']['nginx']['log_format'] = '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"' # NGINX 'combined' format
|
||||
default['gitlab']['nginx']['log_format'] = '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent"' # NGINX 'combined' format without query strings
|
||||
default['gitlab']['nginx']['sendfile'] = 'on'
|
||||
default['gitlab']['nginx']['tcp_nopush'] = 'on'
|
||||
default['gitlab']['nginx']['tcp_nodelay'] = 'on'
|
||||
|
|
|
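Review bot: The trailing comment on the new default, `# NGINX 'combined' format without query strings`, overstates what the format does: the request line keeps its full query string with only the specific token parameters replaced, and only the referer has its query string dropped. A more accurate comment would be `# NGINX 'combined' format using $filtered_request_uri (known token params replaced with [FILTERED]) and $filtered_http_referer (query string dropped)`. The two `$filtered_*` variables are only defined by the `map` blocks in the nginx template, so an operator who overrides `nginx['log_format']` with a string using `$request` or `$http_referer` reinstates unfiltered logging; the attribute comment could say so, since the docs in this commit present the override as a free choice.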
@ -41,6 +41,36 @@ http {
|
|||
'' close;
|
||||
}
|
||||
|
||||
# Remove private_token from the request URI
|
||||
# In: /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&...
|
||||
# Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
|
||||
map $request_uri $temp_request_uri_1 {
|
||||
default $request_uri;
|
||||
~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
|
||||
}
|
||||
|
||||
# Remove authenticity_token from the request URI
|
||||
# In: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
|
||||
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
|
||||
map $temp_request_uri_1 $temp_request_uri_2 {
|
||||
default $temp_request_uri_1;
|
||||
~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
|
||||
}
|
||||
|
||||
# Remove rss_token from the request URI
|
||||
# In: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
|
||||
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&...
|
||||
map $temp_request_uri_2 $filtered_request_uri {
|
||||
default $temp_request_uri_2;
|
||||
~(?i)^(?<start>.*)(?<temp>[\?&]rss[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
|
||||
}
|
||||
|
||||
# A version of the referer without the query string
|
||||
map $http_referer $filtered_http_referer {
|
||||
default $http_referer;
|
||||
~^(?<temp>.*)\? $temp;
|
||||
}
|
||||
|
||||
<% if @gitlab_http_config %>
|
||||
include <%= @gitlab_http_config %>;
|
||||
<% end %>
|
||||
|
|
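Review bot: The referer map `~^(?<temp>.*)\? $temp;` uses a greedy `.*` before `\?`, so a referer whose query string itself contains a `?` (e.g. `/search?q=a?b`, constructed example) is cut at the last `?` and `?q=a` still reaches the access log; anchoring on the first `?` with `~^(?<temp>[^?]*)\? $temp;` drops the whole query string as the comment promises. The three token maps have a related limit: an nginx `map` performs a single match, and the greedy `(?<start>.*)` selects the last occurrence of the parameter, so a request that repeats `private_token=` (or the other two) leaves the earlier copies unfiltered; a comment such as `# Each map rewrites one (the last) occurrence; a repeated parameter is only partly filtered.` above the first map would make that visible to whoever extends the list. The enclosing `http` block starts before the hunk.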