From d2263980ea645a4aac3be1d27afea2df71a382ad Mon Sep 17 00:00:00 2001
From: Michal Galet
Date: Wed, 24 Jun 2020 13:33:04 +0200
Subject: [PATCH] Obfuscate access_token and private_token in nginx access log

Authentication tokens are allowed to be part of URI and therefore they are printed in the access log. This can be a security concern especially when system and application logs are being send to an external logging system (syslog, wazuh, splunk, etc.).
---
 assets/runtime/config/nginx/gitlab | 11 ++++++++++-
 assets/runtime/config/nginx/gitlab-ssl | 13 +++++++++++--
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/assets/runtime/config/nginx/gitlab b/assets/runtime/config/nginx/gitlab
index 6372aad9..b08c8bff 100644
--- a/assets/runtime/config/nginx/gitlab
+++ b/assets/runtime/config/nginx/gitlab
@@ -25,6 +25,15 @@ map $http_upgrade $connection_upgrade_gitlab {
 '' close;
 }
 
+## Obfuscate access_token and private_token in access log
+map $request_uri $obfuscated_request_uri {
+ ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
+ default $request_uri;
+}
+log_format main '$remote_addr - $remote_user [$time_local] '
+ '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
 ## Normal HTTP host
 server {
 ## Either remove "default_server" from the listen line below,
@@ -49,7 +58,7 @@ server {
 add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";
 ## Individual nginx logs for this GitLab vhost
- access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
+ access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
 error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
 location / {
diff --git a/assets/runtime/config/nginx/gitlab-ssl b/assets/runtime/config/nginx/gitlab-ssl
index 24acfe17..8d8d5c3a 100644
--- a/assets/runtime/config/nginx/gitlab-ssl
+++ b/assets/runtime/config/nginx/gitlab-ssl
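Review bot: The regex on the first added `map` line masks only one parameter per request: `(.*&)?` is greedy, so for `?access_token=a&private_token=b` the match lands on the last parameter and `access_token=a` is still written in clear, and a repeated parameter name is likewise masked only once. An nginx `map` applies its regex a single time and has no global substitution, so the dependable shape is one map per parameter name, chained through an intermediate variable as below; the same map is added to gitlab-ssl in the hunk at `@@ -29,6 +29,15 @@` and needs the same treatment. Separately, `main` is the name other bundled nginx configurations commonly give their `log_format`, and nginx refuses to start on a duplicate `log_format` name, so a project-specific name such as `gitlab_obfuscated` (used in the three `access_log` lines as well) would avoid a config-load failure should another definition ever be included into the same `http` block.
```nginx
## Obfuscate access_token and private_token in access log.
## A map applies its regex once, so mask each parameter in its own map and
## chain them; a URI carrying both names is then fully masked.
map $request_uri $request_uri_masked_private_token {
    ~(.+\?)(.*&)?(private_token=)[^&]*(&.*|$) $1$2$3****$4;
    default $request_uri;
}
map $request_uri_masked_private_token $obfuscated_request_uri {
    ~(.+\?)(.*&)?(access_token=)[^&]*(&.*|$) $1$2$3****$4;
    default $request_uri_masked_private_token;
}
# … unchanged: log_format main …
```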
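Review bot: The `error_log` directive on the context line right after the changed `access_log` line still records the raw request line: nginx appends `request: "GET /path?... "` to many request-related error messages (upstream failures are the common case), and the `map` only rewrites the variable consumed by `log_format`, so a token in the query string can still reach `gitlab_error.log` after this change. Worth a comment on that line so the limitation is not mistaken for full coverage, `## error_log is not covered by $obfuscated_request_uri; request-related errors log the raw request line`; the same applies to the `error_log` lines in the two gitlab-ssl hunks at `@@ -40,7 +49,7 @@` and `@@ -94,7 +103,7 @@`. The enclosing `server` block starts and ends outside the hunk.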
@@ -29,6 +29,15 @@ map $http_upgrade $connection_upgrade_gitlab_ssl {
 '' close;
 }
 
+## Obfuscate access_token and private_token in access log
+map $request_uri $obfuscated_request_uri {
+ ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
+ default $request_uri;
+}
+log_format main '$remote_addr - $remote_user [$time_local] '
+ '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
 ## Redirects all HTTP traffic to the HTTPS host
 server {
 ## Either remove "default_server" from the listen line below,
@@ -40,7 +49,7 @@ server {
 server_name _; ## Replace this with something like gitlab.example.com
 server_tokens off; ## Don't show the nginx version number, a security best practice
 return 301 https://$host:{{GITLAB_PORT}}$request_uri;
- access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
+ access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
 error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
 }
@@ -94,7 +103,7 @@ server {
 ssl_dhparam {{SSL_DHPARAM_PATH}};
 ## Individual nginx logs for this GitLab vhost
- access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
+ access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
 error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
 location / {