Obfuscate access_token and private_token in nginx access log

Authentication tokens are allowed to be part of URI and therefore they are printed
in the access log. This can be a security concern especially when system and
application logs are being sent to an external logging system (syslog, Wazuh,
splunk, etc.).
This commit is contained in:
Michal Galet 2020-06-24 13:33:04 +02:00
parent 36e6bacce6
commit d2263980ea
2 changed files with 21 additions and 3 deletions


@ -25,6 +25,15 @@ map $http_upgrade $connection_upgrade_gitlab {
'' close;
}
## Obfuscate access_token and private_token in access log
map $request_uri $obfuscated_request_uri {
~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
default $request_uri;
}
log_format main '$remote_addr - $remote_user [$time_local] '
'"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
## Normal HTTP host
server {
## Either remove "default_server" from the listen line below,
@ -49,7 +58,7 @@ server {
add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";
## Individual nginx logs for this GitLab vhost
access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
location / {
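Review bot: The map regex on the `~(.+\?)(.*&)?(private_token=|access_token=)...` line masks only the last token occurrence in a query string, because `(.*&)?` is greedy and an nginx regex map has no global replace; a request like `?private_token=a&access_token=b` is logged as `private_token=a&access_token=****`, so the first token still reaches the log. Chaining one map per parameter name guarantees that each key is masked at least once, which covers the mixed-key case (a key repeated twice in one query is still masked only at its last occurrence, which the comment should say). Consider `~*` if the parameter names can arrive in other casings, and extend the alternation if GitLab accepts further token-bearing query parameters (I cannot confirm the full list from this diff). The `server` block of the second hunk continues outside the hunk.
```nginx
## Obfuscate access_token and private_token in access log.
## nginx regex maps cannot replace globally, so mask one parameter per map and
## chain them; a parameter repeated within one query string is only masked at
## its last occurrence.
map $request_uri $obfuscated_request_uri_private {
    ~(.+\?)(.*&)?(private_token=)[^&]*(&.*|$) $1$2$3****$4;
    default $request_uri;
}
map $obfuscated_request_uri_private $obfuscated_request_uri {
    ~(.+\?)(.*&)?(access_token=)[^&]*(&.*|$) $1$2$3****$4;
    default $obfuscated_request_uri_private;
}
# … unchanged: log_format main …
```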


@ -29,6 +29,15 @@ map $http_upgrade $connection_upgrade_gitlab_ssl {
'' close;
}
## Obfuscate access_token and private_token in access log
map $request_uri $obfuscated_request_uri {
~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
default $request_uri;
}
log_format main '$remote_addr - $remote_user [$time_local] '
'"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
## Redirects all HTTP traffic to the HTTPS host
server {
## Either remove "default_server" from the listen line below,
@ -40,7 +49,7 @@ server {
server_name _; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
return 301 https://$host:{{GITLAB_PORT}}$request_uri;
access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
}
@ -94,7 +103,7 @@ server {
ssl_dhparam {{SSL_DHPARAM_PATH}};
## Individual nginx logs for this GitLab vhost
access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
location / {
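Review bot: The new `log_format main` still writes `"$http_referer"` verbatim, so a token that travels in the Referer header — a browser following a link whose URL carried `private_token=` or `access_token=` — lands in the same access log unmasked. The same map pattern can be applied to `$http_referer` and the masked value logged instead, with the same one-occurrence-per-key limitation as the request-URI map; note that an absent Referer may then print as an empty string rather than `-`, since the value now comes through a map. Separately, the `error_log` directives left unchanged in all three hunks still receive the raw request line in nginx's upstream/proxy error entries, so tokens can still appear in `gitlab_error.log`; if that is an accepted residual it deserves a comment next to `error_log`, e.g. `## NOTE: error_log entries include the raw request line; tokens are not masked there`. The `server` blocks of the second and third hunks continue outside their hunks.
```nginx
# … unchanged: map $request_uri $obfuscated_request_uri …
## Apply the same masking to the Referer header, which can carry a token-bearing URL
map $http_referer $obfuscated_http_referer {
    ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
    default $http_referer;
}
log_format main '$remote_addr - $remote_user [$time_local] '
                '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
                '"$obfuscated_http_referer" "$http_user_agent"';
```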