unit icon indicating copy to clipboard operation
unit copied to clipboard

Published 20 hours ago verified publisher icon nginx

Access log masking

Open jalaziz opened this issue 2 years ago • 3 comments

In some scenarios, sensitive information must be passed via query strings. It would be great if Unit had support for applying masking rules when writing access logs. A simple version of this would be a regex match and replace.

This is currently possible in nginx using a combination of map and log_format.

jalaziz avatar May 22 '22 04:05 jalaziz

Hi, There is a patch of custom log format in the internal review, it also supports variables.

hongzhidao avatar May 22 '22 05:05 hongzhidao

There is a patch of custom log format in the internal review, it also supports variables.

Great! Does it include support for modifying/masking variables or just including/excluding them? In the masking use case we have, we'd like to include the query string in most cases, but only mask out the sensitive data.

jalaziz avatar May 22 '22 09:05 jalaziz

Yes, users can modify built-in variables like uri and create custom variables by regex named captures. For example:

{
       "match": {"uri": "~(?<uri>.*)/salt"},
}

hongzhidao avatar May 22 '22 09:05 hongzhidao