How to mask sensitive information in the POST body in nginx logs?

Problem description:


For the convenience of analysis we save the $request_body field in the access log. However, there is some sensitive information inside the POST body, such as passwords or credit card numbers, that is exposed in the logs. How can we mask this information?

password=1234asdf  ->  password=****


If I write an nginx module to mask the data, should I write a new log module, or should I manipulate the request body before the original log module is called?
Or should I use nginx-lua to achieve this goal?
Or are there any other methods?


Use the 'echo_read_request_body' command to read the HTTP POST data, then filter the password using 'map' and a regex:

# Everything before the password field; if there is no password field, the whole body.
map $request_body $req_body_start {
    "~^(?<nopwd>.*)\&password=[^\&]*.*$"  $nopwd;
    default        $request_body;
}

# Everything after the password value (empty when the password is the last field).
# '.*' rather than '.+' here: with '.+' the capture must consume at least one
# character, so when password is the last field the final character of the
# password value is handed to $nopwd1 and written to the log.
map $request_body $req_body_end {
    "~^.*\&password=[^\&]*(?<nopwd1>.*)$"  $nopwd1;
    default        '';
}

# The masked field itself, emitted only when a password field was present.
map $request_body $req_body_pwd {
    "~^.*\&password=[^\&]*.*$"  '&password=****';
    default        '';
}


Then define log_format and use it on a server/location level:

log_format  logreqbody  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" "$req_body_start$req_body_pwd$req_body_end"';

More information here: https://www.rstcloud.net/blog/30-how-to-hide-sensitive-post-data-in-nginx-log
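The three-map construction above is easy to get subtly wrong, so here is an added worked example (not part of the answer or of the linked blog post) that reproduces the same `$req_body_start$req_body_pwd$req_body_end` assembly in Python so the regexes can be exercised offline. The patterns are anchored and use `.*` rather than `.+` so that a password that is the last field is fully masked. It also shows the limitation of the `&password=` prefix (a password field that is first in the body is not matched) and a generalised `mask_fields` function that masks any listed key wherever it appears. Sample bodies and the field names `card_number` and `user` are constructed for the example. Note that `$request_body` is only populated when nginx has actually read the body into memory (e.g. a `proxy_pass` location or the `echo_read_request_body` directive), so the maps evaluate to their `default` branch otherwise.

```python
import re

# Python mirrors of the answer's three nginx `map` regexes (PCRE named captures
# become (?P<name>...) here). Anchored, with `.*` instead of `.+`.
START_RE = re.compile(r"^(?P<nopwd>.*)&password=[^&]*.*$", re.S)
END_RE = re.compile(r"^.*&password=[^&]*(?P<nopwd1>.*)$", re.S)
PWD_RE = re.compile(r"^.*&password=[^&]*.*$", re.S)


def nginx_style_mask(body: str) -> str:
    """Return what the log_format would print for
    "$req_body_start$req_body_pwd$req_body_end", following each map's default."""
    m = START_RE.match(body)
    start = m.group("nopwd") if m else body      # default $request_body
    m = END_RE.match(body)
    end = m.group("nopwd1") if m else ""         # default ''
    pwd = "&password=****" if PWD_RE.match(body) else ""  # default ''
    return start + pwd + end


def mask_fields(body: str, fields=("password", "card_number")) -> str:
    """General form: mask the value of every listed key, whether the key is the
    first field (no leading '&') or any later one. Keys are regex-escaped."""
    for name in fields:
        pattern = r"(?P<key>(?:^|&)" + re.escape(name) + r"=)[^&]*"
        body = re.sub(pattern, r"\g<key>****", body)
    return body


if __name__ == "__main__":
    # Constructed sample bodies (application/x-www-form-urlencoded).
    samples = [
        "user=bob&password=1234asdf&remember=1",   # password in the middle
        "user=bob&password=1234asdf",              # password last
        "password=1234asdf&user=bob",              # password first: maps miss it
        "user=bob&password=1234asdf&card_number=4111111111111111",
    ]
    for body in samples:
        print(f"{body!r}")
        print(f"  nginx maps : {nginx_style_mask(body)!r}")
        print(f"  mask_fields: {mask_fields(body)!r}")
```

Running the script prints each sample body next to the two masked forms; the third sample shows that the `&password=` anchored maps leave a leading password field untouched, which is why a production scrubber should match the key at the start of the body as well (as `mask_fields` does) and cover every sensitive key, not only `password`.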