On Mon, Jul 29, 2019 at 7:56 AM Ori Liel <oliel@xxxxxxxxxx> wrote:
>
> I have a server application, and for security reasons I'm trying to prevent requests, which provide 'username' and 'password' as query parameters, from being logged (providing these parameters as query parameters is a user mistake, but still...)
>
>
> I've tried this way:
>
>
> SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
> CustomLog logs/my_log common env=!dontlog
>
> But the unwanted requests were still being printed to the log. I wanted to verify that QUERY_STRING contains what I expected it to, so I tried to print it out:
>
> CustomLog logs/my_log "%{QUERY_STRING}e"
>
> But no matter what request was made, only '-' was printed to the log. I've done the same for other server variables, e.g: REQUEST_URI, THE_REQUEST, etc - and all were empty (or rather only contained the '-' character.
>
I think the problem is that the "variables" some modules use in their
configuration are not always/necessarily the per-request environment
variables the %{foo}e syntax retrieves.
Same neighborhood: Some of them use the same name as actual
per-request environment variables that are only set for CGI-like
responses.
If SetEnvIf or the expr.html or mod_rewrite says you can read it, you
can read it, but you may not be able to plug it in anywhere else (like
in a logformat) as an environment variable.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|