I have a server application, and for security reasons I'm trying to prevent requests, which provide 'username' and 'password' as query parameters, from being logged (providing these parameters as query parameters is a user mistake, but still...)
I've tried this way:
SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
CustomLog logs/my_log common env=!dontlog
But the unwanted requests were still being printed to the log. I wanted to verify that QUERY_STRING contains what I expected it to, so I tried to print it out:
CustomLog logs/my_log "%{QUERY_STRING}e"
But no matter what request was made, only '-' was printed to the log. I've done the same for other server variables, e.g: REQUEST_URI, THE_REQUEST, etc - and all were empty (or rather only contained the '-' character.
What am I missing?
Thanks!
