Skip to content

Commit d226398

Browse files
galetgalet
committed
Obfuscate access_token and private_token in nginx access log
Authentication tokens are allowed to be part of URI and therefore they are printed in the access log. This can be a security concern especially when system and application logs are being send to an external logging system (syslog, wazuh, splunk, etc.).
1 parent 36e6bac commit d226398

File tree

2 files changed

+21
-3
lines changed

2 files changed

+21
-3
lines changed

assets/runtime/config/nginx/gitlab

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,15 @@ map $http_upgrade $connection_upgrade_gitlab {
2525
'' close;
2626
}
2727

28+
## Obfuscate access_token and private_token in access log
29+
map $request_uri $obfuscated_request_uri {
30+
~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
31+
default $request_uri;
32+
}
33+
log_format main '$remote_addr - $remote_user [$time_local] '
34+
'"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
35+
'"$http_referer" "$http_user_agent"';
36+
2837
## Normal HTTP host
2938
server {
3039
## Either remove "default_server" from the listen line below,
@@ -49,7 +58,7 @@ server {
4958
add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";
5059

5160
## Individual nginx logs for this GitLab vhost
52-
access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
61+
access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
5362
error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
5463

5564
location / {

assets/runtime/config/nginx/gitlab-ssl

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,15 @@ map $http_upgrade $connection_upgrade_gitlab_ssl {
2929
'' close;
3030
}
3131

32+
## Obfuscate access_token and private_token in access log
33+
map $request_uri $obfuscated_request_uri {
34+
~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
35+
default $request_uri;
36+
}
37+
log_format main '$remote_addr - $remote_user [$time_local] '
38+
'"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
39+
'"$http_referer" "$http_user_agent"';
40+
3241
## Redirects all HTTP traffic to the HTTPS host
3342
server {
3443
## Either remove "default_server" from the listen line below,
@@ -40,7 +49,7 @@ server {
4049
server_name _; ## Replace this with something like gitlab.example.com
4150
server_tokens off; ## Don't show the nginx version number, a security best practice
4251
return 301 https://$host:{{GITLAB_PORT}}$request_uri;
43-
access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
52+
access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
4453
error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
4554
}
4655

@@ -94,7 +103,7 @@ server {
94103
ssl_dhparam {{SSL_DHPARAM_PATH}};
95104

96105
## Individual nginx logs for this GitLab vhost
97-
access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
106+
access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
98107
error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
99108

100109
location / {

0 commit comments

Comments
 (0)