AWS EB + nginx: Update access.log format to obfuscate sensitive get request parameters


Question

I am having the same issue as outlined in this question: How to not log a get request parameter in the nginx access logs?

However, since nginx is configured through AWS, I am not sure how to modify this when I deploy. It is not clear to me where these configurations go. AWS support is not able to help, as it is an issue with nginx rather than AWS.

Any information to point me in the right direction would be appreciated.

So far all I have is that I can modify ./ebextensions/nginx.config in my repository that I deploy to EB, but what needs to be set within that is not clear.

================================

OK, so some fun updates. Basically, AWS EB environments are set up with default nginx.configs for their instances. Within those configs, it includes all *.config files at a certain path, including one auto generated file which contains the server directive. It injects all of these into the http directive of the nginx.config.

You do have the option of completely overriding the nginx config. But, being someone who is damn near clueless on what all is going on in there and the potential dangers of doing so, I figured that it'd be best to not modify default behavior as much as possible. Therefore, I've resolved to find a way to modify this auto generated .config file and restart nginx.

So far what I've got is this for my ./ebextensions/01_proxy.config:

files:
  "/etc/nginx/conf.d/injectObfuscation.sh":
    # Executable bit so the container command below can run the script directly
    mode: "000755"
    owner: root
    group: root
    content: |
      #!/bin/bash
      # This script expects a file as input with an nginx server directive to be injected into the http directive of an nginx.config file.
      # It will make two modifications:
      # - It will create a log_format to be used when filtering the password parameter
      # - It will find the server directive and inject a location directive for the sensitive endpoint
      #   - This directive will replace the sensitive parameter with *s and use the filter log_format instead of the main log_format
      # TODO: Figure out how to do the above ^^

container_commands:
  01_update_server_directive:
    # Absolute path: container commands run from the application staging directory, so "./etc/..." would not resolve
    command: "/etc/nginx/conf.d/injectObfuscation.sh /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf"
  02_reload_nginx:
    command: "sudo service nginx reload"

The files: line declares that I'm creating some files to add to the EC2 instance. Here, my goal is to create a bash script to accomplish my task. My tasks, as outlined in the comments, are to first add a line with the log_format. Then, find the line with server{, and below it I need to inject the locations /my/sensitive/endpoint directive in its entirety.

Any help on writing this bash script, which I'm completely unfamiliar with, would be awesomely appreciated.

Recommended answer

My attempt was foolish.

I needed to overwrite the default nginx.conf and 00_elastic_beanstalk_proxy.conf like in the Node.js specific documentation: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/nodejs-platform-proxy.html

Other platforms on EB allow you to add a .ebextensions/nginx/nginx.conf to overwrite the existing nginx.conf, but Node's startup process seems to be different and ignores this file. However, you can use an .ebextension config to create a file at /etc/nginx/nginx.conf to replace it.

For my purposes, I did this and changed $request to $temp in the main log_format.

For Node environments, the server directive exists inside the 00_elastic_beanstalk_proxy.conf file auto generated by the instance during launch. Using the example in the documentation above, I overrode this and added the logic to obfuscate the parameter I needed to. Optionally, this could have been placed inside a location directive within this overwritten file. And I could have defined a separate log format. But for my purposes, I wanted this parameter to not be logged no matter the path.

AWS notes that the default nginx.conf and 00_elastic_beanstalk_proxy.conf may change depending on the version of the Node environment you're using, so always pull the one from the specific version.

One attempt I made was to only override the nginx.conf. However, the set directive can only be used inside location, server, and one other directive I can't remember off the top of my head. It is not valid to set a variable within the http directive itself.
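
The approach described in the answer, sketched as an nginx fragment. This is an added example, not the poster's actual files: the `password` parameter name comes from the comments in the question, while the listen port, log path and upstream address are placeholders to be replaced with the values from the nginx.conf and 00_elastic_beanstalk_proxy.conf of your platform version.

```nginx
# --- nginx.conf, http context ---------------------------------------------
# Same fields as nginx's stock "main" format, with $request swapped for $temp.
log_format main '$remote_addr - $remote_user [$time_local] "$temp" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';

# --- overriding proxy conf, server context --------------------------------
server {
    listen 8080;                                 # placeholder port

    # "set" is not valid at http level, so $temp is built here. Placed at
    # server level it applies to every location, i.e. to every path.
    set $temp $request;

    # $request is the full request line, for example
    #   GET /login?user=a&password=secret HTTP/1.1
    # The value class excludes the space as well as "&", so a trailing
    # parameter does not swallow the " HTTP/1.1" suffix.
    # The leading group is greedy: only the LAST password= occurrence in
    # the line is masked. Use a distinct parameter name per request, or
    # repeat the block if a parameter can legitimately appear twice.
    if ($temp ~ "^(.*[?&]password=)[^& ]*(.*)$") {
        set $temp "$1****$2";
    }

    access_log /var/log/nginx/access.log main;   # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8081;        # placeholder upstream
    }
}
```

The `$http_referer` field of the same log format and nginx's error.log (which records the request line on errors) can still carry the unmasked query string, so check those after deploying.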
