Posted to users@httpd.apache.org by Ori Liel <ol...@redhat.com> on 2019/07/29 11:55:45 UTC
[users@httpd] Using server variables in CustomLog Directives
I have a server application, and for security reasons I'm trying to prevent
requests, which provide 'username' and 'password' as query parameters, from
being logged (providing these parameters as query parameters is a user
mistake, but still...)
I've tried this way:
SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
CustomLog logs/my_log common env=!dontlog
But the unwanted requests were still being printed to the log. I wanted to
verify that QUERY_STRING contains what I expected it to, so I tried to
print it out:
CustomLog logs/my_log "%{QUERY_STRING}e"
But no matter what request was made, only '-' was printed to the log. I've
done the same for other server variables, e.g. REQUEST_URI, THE_REQUEST,
etc. - and all were empty (or rather only contained the '-' character).
What am I missing?
Thanks!
[users@httpd] Re: Using server variables in CustomLog Directives
Posted by Ori Liel <ol...@redhat.com>.
On Mon, Jul 29, 2019 at 2:55 PM Ori Liel <ol...@redhat.com> wrote:
> I have a server application, and for security reasons I'm trying to
> prevent requests, which provide 'username' and 'password' as query
> parameters, from being logged (providing these parameters as query
> parameters is a user mistake, but still...)
>
>
> I've tried this way:
>
>
>
>
> SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
> CustomLog logs/my_log common env=!dontlog
>
Just clarifying that the above was written in /etc/httpd/conf.d/ssl.conf
> But the unwanted requests were still being printed to the log. I wanted to
> verify that QUERY_STRING contains what I expected it to, so I tried to
> print it out:
>
> CustomLog logs/my_log "%{QUERY_STRING}e"
>
> But no matter what request was made, only '-' was printed to the log. I've
> done the same for other server variables, e.g. REQUEST_URI, THE_REQUEST,
> etc. - and all were empty (or rather only contained the '-' character).
>
> What am I missing?
>
> Thanks!
>
>
>
>
Re: [users@httpd] Using server variables in CustomLog Directives
Posted by Ori Liel <ol...@redhat.com>.
I've solved the problem by doing it a different way:
CustomLog logs/my_log common "expr=%{QUERY_STRING} !~ /username.*password|password.*username/"
On Thu, Aug 1, 2019 at 9:47 AM Ori Liel <ol...@redhat.com> wrote:
>
>
> On Mon, Jul 29, 2019 at 3:13 PM Eric Covener <co...@gmail.com> wrote:
>
>> On Mon, Jul 29, 2019 at 7:56 AM Ori Liel <ol...@redhat.com> wrote:
>> >
>> > I have a server application, and for security reasons I'm trying to
>> prevent requests, which provide 'username' and 'password' as query
>> parameters, from being logged (providing these parameters as query
>> parameters is a user mistake, but still...)
>> >
>> >
>> > I've tried this way:
>> >
>> >
>> > SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
>> > CustomLog logs/my_log common env=!dontlog
>> >
>> > But the unwanted requests were still being printed to the log. I wanted
>> to verify that QUERY_STRING contains what I expected it to, so I tried to
>> print it out:
>> >
>> > CustomLog logs/my_log "%{QUERY_STRING}e"
>> >
>> > But no matter what request was made, only '-' was printed to the log.
>> I've done the same for other server variables, e.g: REQUEST_URI,
>> THE_REQUEST, etc - and all were empty (or rather only contained the '-'
>> character).
>> >
>>
>> I think the problem is that the "variables" some modules use in their
>> configuration are not always/necessarily the per-request environment
>> variables the %{foo}e syntax retrieves.
>> Same neighborhood: Some of them use the same name as actual
>> per-request environment variables that are only set for CGI-like
>> responses.
>>
>> If SetEnvIf or the expr.html or mod_rewrite says you can read it, you
>> can read it, but you may not be able to plug it in anywhere else (like
>> in a logformat) as an environment variable.
>>
> Thanks. If I understood you correctly, '-' printed to the log does not
> mean that the server variable is empty, because it may not be possible to
> use %{QUERY_STRING}e in the definition of the CustomLog.
>
> So I am left with the original question, which is why SetEnvIf isn't
> working as expected.
>
> Even when I simplify the predicate to check for any string at all:
>
> SetEnvIf QUERY_STRING "." dontlog
> CustomLog logs/my_log common env=!dontlog
>
> The query:
>
> GET https://.../api?some_var=some_value
>
> Is logged, while it seems that it shouldn't be. Any ideas how I can tackle
> this?
>
> Thanks again!
>
>
> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
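The condition in the working CustomLog line above, `expr=%{QUERY_STRING} !~ /username.*password|password.*username/`, suppresses the log line only when the raw query string matches the regex. The following Python is an added example, not httpd code and not from anyone in this thread: it re-implements that predicate over constructed sample requests so you can see which requests the pattern drops and which it still logs, and, as an assumption of this example rather than anything the thread proposes, a stricter `should_log_key_rule` that drops the line whenever any percent-decoded query key (compared case-insensitively) is `username` or `password`.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The regex from the thread's final CustomLog condition:
#   CustomLog logs/my_log common "expr=%{QUERY_STRING} !~ /username.*password|password.*username/"
THREAD_PATTERN = re.compile(r"username.*password|password.*username")

# Hypothetical stricter rule (an assumption of this example, not from the thread):
# drop the log line if ANY query parameter is named username or password,
# compared case-insensitively after percent-decoding.
SENSITIVE_KEYS = {"username", "password"}


def query_of(request_target):
    """Return the query-string part of a request target such as '/api?a=1'."""
    return urlsplit(request_target).query


def should_log_thread_rule(request_target):
    """Mirror `expr=%{QUERY_STRING} !~ /.../`: the line is written only when
    the raw, undecoded query string does NOT match the pattern."""
    return THREAD_PATTERN.search(query_of(request_target)) is None


def should_log_key_rule(request_target):
    """Stricter variant: drop the line when any decoded query key is sensitive."""
    keys = parse_qs(query_of(request_target), keep_blank_values=True)
    return not any(k.lower() in SENSITIVE_KEYS for k in keys)


def filter_log(request_targets, rule=should_log_thread_rule):
    """Apply a rule to a batch of request targets and keep the loggable ones."""
    return [t for t in request_targets if rule(t)]


# Constructed sample request targets (not taken from any real access log).
SAMPLE_REQUESTS = [
    "/api?some_var=some_value",                # harmless: logged by both rules
    "/api?username=alice&password=hunter2",    # both names present: dropped by both rules
    "/api?password=hunter2&username=alice",    # reversed order: dropped by both rules
    "/api?password=hunter2",                   # only one name: the thread regex still logs it
    "/api?Username=alice&Password=hunter2",    # different case: the thread regex is case-sensitive
    "/api?user%6Eame=alice&password=hunter2",  # percent-encoded key: only the key rule decodes it
    "/api",                                    # no query string at all: logged by both rules
]

if __name__ == "__main__":
    for name, rule in (("thread rule", should_log_thread_rule),
                       ("key rule", should_log_key_rule)):
        print(name, filter_log(SAMPLE_REQUESTS, rule))
```

Running it shows the practical caveat of the thread's pattern: a request carrying only `password=`, a differently cased `Password=`, or a percent-encoded parameter name is still written to the log, because the alternation needs both literal names in the raw query string. Whether that matters depends on what your application accepts; the key-based rule is one way to close those gaps, and it would need to be expressed in ap_expr terms if ported back into httpd.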
Re: [users@httpd] Using server variables in CustomLog Directives
Posted by Ori Liel <ol...@redhat.com>.
On Mon, Jul 29, 2019 at 3:13 PM Eric Covener <co...@gmail.com> wrote:
> On Mon, Jul 29, 2019 at 7:56 AM Ori Liel <ol...@redhat.com> wrote:
> >
> > I have a server application, and for security reasons I'm trying to
> prevent requests, which provide 'username' and 'password' as query
> parameters, from being logged (providing these parameters as query
> parameters is a user mistake, but still...)
> >
> >
> > I've tried this way:
> >
> >
> > SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
> > CustomLog logs/my_log common env=!dontlog
> >
> > But the unwanted requests were still being printed to the log. I wanted
> to verify that QUERY_STRING contains what I expected it to, so I tried to
> print it out:
> >
> > CustomLog logs/my_log "%{QUERY_STRING}e"
> >
> > But no matter what request was made, only '-' was printed to the log.
> I've done the same for other server variables, e.g: REQUEST_URI,
> THE_REQUEST, etc - and all were empty (or rather only contained the '-'
> character).
> >
>
> I think the problem is that the "variables" some modules use in their
> configuration are not always/necessarily the per-request environment
> variables the %{foo}e syntax retrieves.
> Same neighborhood: Some of them use the same name as actual
> per-request environment variables that are only set for CGI-like
> responses.
>
> If SetEnvIf or the expr.html or mod_rewrite says you can read it, you
> can read it, but you may not be able to plug it in anywhere else (like
> in a logformat) as an environment variable.
>
Thanks. If I understood you correctly, '-' printed to the log does not mean
that the server variable is empty, because it may not be possible to use
%{QUERY_STRING}e in the definition of the CustomLog.
So I am left with the original question, which is why SetEnvIf isn't
working as expected.
Even when I simplify the predicate to check for any string at all:
SetEnvIf QUERY_STRING "." dontlog
CustomLog logs/my_log common env=!dontlog
The query:
GET https://.../api?some_var=some_value
Is logged, while it seems that it shouldn't be. Any ideas how I can tackle
this?
Thanks again!
Re: [users@httpd] Using server variables in CustomLog Directives
Posted by Eric Covener <co...@gmail.com>.
On Mon, Jul 29, 2019 at 7:56 AM Ori Liel <ol...@redhat.com> wrote:
>
> I have a server application, and for security reasons I'm trying to prevent requests, which provide 'username' and 'password' as query parameters, from being logged (providing these parameters as query parameters is a user mistake, but still...)
>
>
> I've tried this way:
>
>
> SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
> CustomLog logs/my_log common env=!dontlog
>
> But the unwanted requests were still being printed to the log. I wanted to verify that QUERY_STRING contains what I expected it to, so I tried to print it out:
>
> CustomLog logs/my_log "%{QUERY_STRING}e"
>
> But no matter what request was made, only '-' was printed to the log. I've done the same for other server variables, e.g. REQUEST_URI, THE_REQUEST, etc. - and all were empty (or rather only contained the '-' character).
>
I think the problem is that the "variables" some modules use in their
configuration are not always/necessarily the per-request environment
variables the %{foo}e syntax retrieves.
Same neighborhood: Some of them use the same name as actual
per-request environment variables that are only set for CGI-like
responses.
If SetEnvIf or the expr.html or mod_rewrite says you can read it, you
can read it, but you may not be able to plug it in anywhere else (like
in a logformat) as an environment variable.