如何屏蔽nginx日志中POST正文的敏感信息? [英] How to mask sensitive information of POST body in nginx log?

问题描述

为了便于分析，我们在访问日志中保存了$request_body 字段.但是，帖子正文中有一些敏感信息，例如密码或信用卡号，会暴露在日志中.我们如何掩盖这些信息?

For the convenience of analyzing we save the $request_body field in access log. However, there are some sensitive information inside the post body, such as password or credit card number, exposed in the logs. How can we mask these information?

password=1234asdf  ->  password=****

如果我写了一个nginx模块来屏蔽数据，我应该写一个新的日志模块还是应该在调用原始日志模块之前操作请求体?
或者我应该使用 nginx-lua 来实现这个目标吗?
或者还有其他方法吗?

If I write a nginx module to mask the data, should I write a new log module or should I manipulate the request body before the original log module called?
Or should I use nginx-lua to achieve this goal?
Or is there any other methods?

推荐答案

使用 'echo_read_request_body' 命令获取 HTTP POST 数据，然后使用 'map' 和 regex 过滤密码

Use 'echo_read_request_body' command to get the HTTP POST data and then filter the password using 'map' and regex

map $request_body $req_body_start {
    "~(?<nopwd>.*)\&password=[^\&]*.+"  $nopwd;
    default        $request_body;
}

map $request_body $req_body_end {
    "~.*\&password=[^\&]*(?<nopwd1>.+)"  $nopwd1;
    default        '';
}

 map $request_body $req_body_pwd {
    "~.*\&password=[^\&]*.+"  '&password=****';
    default        '';
}

然后定义 log_format 并在服务器/位置级别使用它:

Then define log_format and use it on a server/location level:

log_format  logreqbody  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" "$req_body_start$req_body_pwd$req_body_end"';

这里有更多信息:https://www.rstcloud.net/blog/30-how-to-hide-sensitive-post-data-in-nginx-log

这篇关于如何屏蔽nginx日志中POST正文的敏感信息?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！