
Access log is logging Authorization headers #3531

Closed
elsbrock opened this issue Jun 29, 2020 · 2 comments
Labels
question ❔ Help is being requested

Comments

@elsbrock

elsbrock commented Jun 29, 2020

Hi,

given this config snippet:

    :8080 {
      log {
        format console
      }
      reverse_proxy https://example.com:443 {
        header_up Host example.com
      }
    }

I noticed that by default Caddy seems to log Authorization headers:

    prometheus-proxy 1.5934604916540647e+09    info    http.log.access.log0    handled request    {"request": {"method": "GET", "uri": "/foobar", "proto": "HTTP/1.1", "remote_addr": "redacted", "host": "redacted", "headers": {"User-Agent": ["Prometheus/2.12.0"], "Accept": ["application/openmetrics-text; version=0.0.1,text/plain;version=0.0.4;q=0.5,*/*;q=0.1"], "Accept-Encoding": ["gzip"], "Authorization": ["Basic $SHOULD_NOT_BE_WRITTEN_TO_LOG"]}}, "common_log": "10.16.1.11 - - [29/Jun/2020:19:54:51 +0000] \"GET /foobar HTTP/1.1\" 200 21520", "duration": 0.138742971, "size": 21520, "status": 200, "resp_headers": {"Content-Encoding": ["gzip"], "Server": ["Caddy", "cloudflare"], "Strict-Transport-Security": ["max-age=31536000; includeSubDomains; preload"], "Date": ["Mon, 29 Jun 2020 19:54:51 GMT"], "Content-Type": ["text/plain; version=0.0.4; charset=utf-8"]}}

Note the "Authorization": ["Basic $SHOULD_NOT_BE_WRITTEN_TO_LOG"]. Is that intended? If so, how do I turn it off? And: shouldn't that rather be a safe default?

Caddy version: v2.1.0-beta.1 h1:nG+Y2NuoqGvJEnHlVO5PXtTxuc2yHsjr2nU+dJ5yETk= (waiting for the Docker release 😉 )

Thanks!

@mholt
Member

mholt commented Jun 29, 2020

You can read how Caddy logs work in the docs: https://caddyserver.com/docs/logging

Using the filter encoder, you can delete or mask any fields you want to: https://caddyserver.com/docs/json/logging/logs/encoder/filter/

@mholt mholt closed this as completed Jun 29, 2020
@mholt mholt added the question ❔ Help is being requested label Jun 29, 2020
@francislavoie
Member

To be clear, the filter formatter isn't supported in the Caddyfile yet, unfortunately, because it's a little bit trickier than the rest to parse its config, since it wraps other formatters.

I'll try to get Caddyfile support added for it for the 2.2 release (but no promises).

For now, you can adapt your config to JSON with the caddy adapt command and update your config with the filters you need. You'll also need to change the command your Caddy container runs with so it loads your JSON config instead of the Caddyfile.
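An added example (not from this thread or from the Caddy project) of the filter encoder mholt links to, written as the JSON config the thread suggests adapting to: it wraps the console encoder from the original Caddyfile and deletes the Authorization header before each access-log entry is written. It assumes `caddy adapt` named the access log `log0` (matching the `http.log.access.log0` logger in the quoted output) and that this `logging` block replaces the adapted one; the Proxy-Authorization and Cookie entries go beyond the issue to show the `delete` and `replace` filters applied to other credential-bearing headers.

```json
{
  "logging": {
    "logs": {
      "log0": {
        "include": ["http.log.access.log0"],
        "encoder": {
          "format": "filter",
          "wrap": {
            "format": "console"
          },
          "fields": {
            "request>headers>Authorization": {
              "filter": "delete"
            },
            "request>headers>Proxy-Authorization": {
              "filter": "delete"
            },
            "request>headers>Cookie": {
              "filter": "replace",
              "value": "REDACTED"
            }
          }
        }
      }
    }
  }
}
```

Filters are applied per log, so any other log whose `include` covers the access namespace needs the same `fields` entries, otherwise the unfiltered entry is still written there.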
