Re: Using server variables in CustomLog Directives


 



I've solved the problem by doing it a different way: 

   CustomLog logs/my_log common "expr=%{QUERY_STRING} !~ /username.*password|password.*username/"

On Thu, Aug 1, 2019 at 9:47 AM Ori Liel <oliel@xxxxxxxxxx> wrote:


On Mon, Jul 29, 2019 at 3:13 PM Eric Covener <covener@xxxxxxxxx> wrote:
On Mon, Jul 29, 2019 at 7:56 AM Ori Liel <oliel@xxxxxxxxxx> wrote:
>
> I have a server application, and for security reasons I'm trying to prevent requests, which provide 'username' and 'password' as query parameters, from being logged (providing these parameters as query parameters is a user mistake, but still...)
>
>
> I've tried this way:
>
>
>    SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
>    CustomLog logs/my_log common env=!dontlog
>
> But the unwanted requests were still being printed to the log. I wanted to verify that QUERY_STRING contains what I expected it to, so I tried to print it out:
>
>    CustomLog logs/my_log "%{QUERY_STRING}e"
>
> But no matter what request was made, only '-' was printed to the log. I've done the same for other server variables, e.g. REQUEST_URI, THE_REQUEST, etc. - and all were empty (or rather only contained the '-' character).
>

I think the problem is that the "variables" some modules use in their
configuration are not always/necessarily the per-request environment
variables the %{foo}e syntax retrieves.
Same neighborhood: Some of them use the same name as actual
per-request environment variables that are only set for CGI-like
responses.

If SetEnvIf or the expr.html or mod_rewrite says you can read it, you
can read it, but you may not be able to plug it in anywhere else (like
in a logformat) as an environment variable.

Thanks. If I understood you correctly, '-' printed to the log does not mean that
the server variable is empty, because it may not be possible to use %{QUERY_STRING}e
in the definition of the CustomLog. 

So I am left with the original question, which is why SetEnvIf isn't working as expected.

Even when I simplify the predicate to check for any string at all:

     SetEnvIf QUERY_STRING "." dontlog
     CustomLog logs/my_log common env=!dontlog

The query: 

     GET https://.../api?some_var=some_value

Is logged, while it seems that it shouldn't be. Any ideas how I can tackle this? 

Thanks again!
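
Added example, not part of the original thread: a Python check that applies the same pattern as the `expr=` condition above to access-log entries in Common Log Format, both to confirm which requests the condition suppresses and to find entries written before the filter was in place. The sample lines, function names and the `CLF` regex are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The pattern from the CustomLog expr= condition in the message above.
CRED_PAIR = re.compile(r"username.*password|password.*username")

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

def query_string(request_line):
    """Return the raw query string of a 'METHOD target PROTOCOL' request line."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ""
    return urlsplit(parts[1]).query

def would_be_logged(request_line):
    """Mirror the condition: log only when the query string does NOT match."""
    return CRED_PAIR.search(query_string(request_line)) is None

def audit(log_lines):
    """Return (line_number, host, path) for entries that carry both parameters.
    Parameter values are deliberately not returned, so the report stays clean."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = CLF.match(line.rstrip("\n"))
        if m and not would_be_logged(m.group(5)):
            target = m.group(5).split(" ")[1]
            hits.append((n, m.group(1), urlsplit(target).path))
    return hits

# Constructed sample entries (not from the thread).
SAMPLE = [
    '192.0.2.10 - - [01/Aug/2019:09:40:01 +0000] "GET /api?some_var=some_value HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Aug/2019:09:41:17 +0000] "GET /api?username=alice&password=EXAMPLE HTTP/1.1" 200 87',
    '192.0.2.12 - - [01/Aug/2019:09:42:30 +0000] "GET /api?password=EXAMPLE&x=1&username=bob HTTP/1.1" 401 0',
    '192.0.2.13 - - [01/Aug/2019:09:43:02 +0000] "POST /login HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print("credentials in query string: line %d, client %s, path %s" % hit)
```

Entries reported by `audit` still hold the submitted values on disk, so the affected log files need redaction or rotation and the accounts involved need a password change.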

