Last Updated: February 25, 2016
·
914
· informatiq

sanitize Nginx logs

I needed to remove some sensitive information coming in the GET params while not removing all the GET params
I first created a log format

log_format combined_plus '$host $remote_addr - $remote_user [$time_local] '
  '"$sanitized_request" $status $body_bytes_sent '
  '"$sanitized_http_referer" "$http_user_agent" '
  '$msec $request_time '
  '"$ssl_client_s_dn"';

then in my server config i did the following

server {
    listen 443;
    server_name example.com;
    location / {
        set $sanitized_request $request;
        set $sanitized_http_referer $http_referer
        if  ($request ~* (.*)secret=\w\{6\}(.*)) {
            set $sanitized_request $secret=******$2;
        }
        if ($http_referer ~* (.*)secret=\w\{6\}(.*)) {
            set $sanitized_http_referer $1secret=******$2;
        }
    }
}

note that i did the regex twice once for the request and once for the referrer as the same url will show as the referrer for other related requests such as getting static images or similar