You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Ori Liel <ol...@redhat.com> on 2019/07/29 11:55:45 UTC

[users@httpd] Using server variables in CustomLog Directives

I have a server application, and for security reasons I'm trying to prevent
requests, which provide 'username' and 'password' as query parameters, from
being logged (providing these parameters as query parameters is a user
mistake, but still...)


I've tried this way:




*   SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
 CustomLog logs/my_log common env=!dontlog*

But the unwanted requests were still being printed to the log. I wanted to
verify that *QUERY_STRING *contains what I expected it to, so I tried to
print it out:

*   CustomLog logs/my_log "%{QUERY_STRING}e"*

But no matter what request was made, only '-' was printed to the log. I've
done the same for other server variables, e.g: REQUEST_URI, THE_REQUEST,
etc - and all were empty (or rather only contained the '-' character.

What am I missing?

Thanks!

[users@httpd] Re: Using server variables in CustomLog Directives

Posted by Ori Liel <ol...@redhat.com>.

On Mon, Jul 29, 2019 at 2:55 PM Ori Liel <ol...@redhat.com> wrote:

> I have a server application, and for security reasons I'm trying to
> prevent requests, which provide 'username' and 'password' as query
> parameters, from being logged (providing these parameters as query
> parameters is a user mistake, but still...)
>
>
> I've tried this way:
>
>
>
>
> *   SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
>  CustomLog logs/my_log common env=!dontlog*
>
> Just clarifying that the above was written in /etc/httpd/conf.d/ssl.conf

But the unwanted requests were still being printed to the log. I wanted to
> verify that *QUERY_STRING *contains what I expected it to, so I tried to
> print it out:
>
> *   CustomLog logs/my_log "%{QUERY_STRING}e"*
>
> But no matter what request was made, only '-' was printed to the log. I've
> done the same for other server variables, e.g: REQUEST_URI, THE_REQUEST,
> etc - and all were empty (or rather only contained the '-' character.
>
> What am I missing?
>
> Thanks!
>
>
>
>

Re: [users@httpd] Using server variables in CustomLog Directives

Posted by Ori Liel <ol...@redhat.com>.

I've solved the problem by doing it a different way:

   CustomLog logs/my_log common "expr=%{QUERY_STRING} !~
/username.*password|password.*username/

On Thu, Aug 1, 2019 at 9:47 AM Ori Liel <ol...@redhat.com> wrote:

>
>
> On Mon, Jul 29, 2019 at 3:13 PM Eric Covener <co...@gmail.com> wrote:
>
>> On Mon, Jul 29, 2019 at 7:56 AM Ori Liel <ol...@redhat.com> wrote:
>> >
>> > I have a server application, and for security reasons I'm trying to
>> prevent requests, which provide 'username' and 'password' as query
>> parameters, from being logged (providing these parameters as query
>> parameters is a user mistake, but still...)
>> >
>> >
>> > I've tried this way:
>> >
>> >
>> >    SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
>> >    CustomLog logs/my_log common env=!dontlog
>> >
>> > But the unwanted requests were still being printed to the log. I wanted
>> to verify that QUERY_STRING contains what I expected it to, so I tried to
>> print it out:
>> >
>> >    CustomLog logs/my_log "%{QUERY_STRING}e"
>> >
>> > But no matter what request was made, only '-' was printed to the log.
>> I've done the same for other server variables, e.g: REQUEST_URI,
>> THE_REQUEST, etc - and all were empty (or rather only contained the '-'
>> character.
>> >
>>
>> I think the problem is that the "variables" some modules use in their
>> configuration are not always/necessarily the per-request environment
>> variables the %{foo}e syntax retrieves.
>> Same neighborhood: Some of them use the same name as actual
>> per-request environment variables that are only set for CGI-like
>> responses.
>>
>> If SetEnvIf or the expr.html or mod_rewrite says you can read it, you
>> can read it, but you may not be able to plug it in anywhere else (like
>> in a logformat) as an environment variable.
>>
>> Thanks. If I understood you correctly, '-' printed to the log does not
> mean that
> the server variable is empty, because it may not be possible to use
> %{QUERY_STRING}e
> in the definition of the CustomLog.
>
> So I am left with the original question, which is why SetEnvIf isn't
> working as expected.
>
> Even when if simplify the predicate to check for any string at all:
>
>      SetEnvIf QUERY_STRING "." dontlog
>      CustomLog logs/my_log common env=!dontlog
>
> The query:
>
>      GET https://.../api?some_var=some_value
>
> Is logged, while it seems that it shouldn't be. Any ideas how I can tackle
> this?
>
> Thanks again!
>
>
> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>

Re: [users@httpd] Using server variables in CustomLog Directives

Posted by Ori Liel <ol...@redhat.com>.

On Mon, Jul 29, 2019 at 3:13 PM Eric Covener <co...@gmail.com> wrote:

> On Mon, Jul 29, 2019 at 7:56 AM Ori Liel <ol...@redhat.com> wrote:
> >
> > I have a server application, and for security reasons I'm trying to
> prevent requests, which provide 'username' and 'password' as query
> parameters, from being logged (providing these parameters as query
> parameters is a user mistake, but still...)
> >
> >
> > I've tried this way:
> >
> >
> >    SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
> >    CustomLog logs/my_log common env=!dontlog
> >
> > But the unwanted requests were still being printed to the log. I wanted
> to verify that QUERY_STRING contains what I expected it to, so I tried to
> print it out:
> >
> >    CustomLog logs/my_log "%{QUERY_STRING}e"
> >
> > But no matter what request was made, only '-' was printed to the log.
> I've done the same for other server variables, e.g: REQUEST_URI,
> THE_REQUEST, etc - and all were empty (or rather only contained the '-'
> character.
> >
>
> I think the problem is that the "variables" some modules use in their
> configuration are not always/necessarily the per-request environment
> variables the %{foo}e syntax retrieves.
> Same neighborhood: Some of them use the same name as actual
> per-request environment variables that are only set for CGI-like
> responses.
>
> If SetEnvIf or the expr.html or mod_rewrite says you can read it, you
> can read it, but you may not be able to plug it in anywhere else (like
> in a logformat) as an environment variable.
>
> Thanks. If I understood you correctly, '-' printed to the log does not
mean that
the server variable is empty, because it may not be possible to use
%{QUERY_STRING}e
in the definition of the CustomLog.

So I am left with the original question, which is why SetEnvIf isn't
working as expected.

Even when if simplify the predicate to check for any string at all:

     SetEnvIf QUERY_STRING "." dontlog
     CustomLog logs/my_log common env=!dontlog

The query:

     GET https://.../api?some_var=some_value

Is logged, while it seems that it shouldn't be. Any ideas how I can tackle
this?

Thanks again!


---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Re: [users@httpd] Using server variables in CustomLog Directives

Posted by Eric Covener <co...@gmail.com>.

On Mon, Jul 29, 2019 at 7:56 AM Ori Liel <ol...@redhat.com> wrote:
>
> I have a server application, and for security reasons I'm trying to prevent requests, which provide 'username' and 'password' as query parameters, from being logged (providing these parameters as query parameters is a user mistake, but still...)
>
>
> I've tried this way:
>
>
>    SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
>    CustomLog logs/my_log common env=!dontlog
>
> But the unwanted requests were still being printed to the log. I wanted to verify that QUERY_STRING contains what I expected it to, so I tried to print it out:
>
>    CustomLog logs/my_log "%{QUERY_STRING}e"
>
> But no matter what request was made, only '-' was printed to the log. I've done the same for other server variables, e.g: REQUEST_URI, THE_REQUEST, etc - and all were empty (or rather only contained the '-' character.
>

I think the problem is that the "variables" some modules use in their
configuration are not always/necessarily the per-request environment
variables the %{foo}e syntax retrieves.
Same neighborhood: Some of them use the same name as actual
per-request environment variables that are only set for CGI-like
responses.

If SetEnvIf or the expr.html or mod_rewrite says you can read it, you
can read it, but you may not be able to plug it in anywhere else (like
in a logformat) as an environment variable.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org