You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Ori Liel <ol...@redhat.com> on 2019/07/29 11:56:51 UTC

[users@httpd] Re: Using server variables in CustomLog Directives

On Mon, Jul 29, 2019 at 2:55 PM Ori Liel <ol...@redhat.com> wrote:

> I have a server application, and for security reasons I'm trying to
> prevent requests, which provide 'username' and 'password' as query
> parameters, from being logged (providing these parameters as query
> parameters is a user mistake, but still...)
>
>
> I've tried this way:
>
>
>
>
> *   SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
>  CustomLog logs/my_log common env=!dontlog*
>
> Just clarifying that the above was written in /etc/httpd/conf.d/ssl.conf

But the unwanted requests were still being printed to the log. I wanted to
> verify that *QUERY_STRING *contains what I expected it to, so I tried to
> print it out:
>
> *   CustomLog logs/my_log "%{QUERY_STRING}e"*
>
> But no matter what request was made, only '-' was printed to the log. I've
> done the same for other server variables, e.g: REQUEST_URI, THE_REQUEST,
> etc - and all were empty (or rather only contained the '-' character.
>
> What am I missing?
>
> Thanks!
>
>
>
>