AWS EB + nginx: Update access.log format to obfuscate sensitive get request parameters

余生颓废 提交于 2019-12-08 06:24:28

问题


I am having the same issue as outlined in this question: How to not log a get request parameter in the nginx access logs?

However, since nginx is configured through AWS, I am not sure how to modify this when I deploy. It is not clear to me where these configurations go. AWS support is not able to help, as it is an issue with nginx rather than AWS.

Any information to point me in the right direction would be appreciated.

So far all I have is that I can modify ./ebextensions/nginx.config in my repository that I deploy to EB, but what needs to be set within that is not clear.

=================================

OK, so some fun updates. Basically, AWS EB environments are set up with default nginx.configs for their instances. Within those configs, it includes all *.config files at a certain path, including one auto generated file which contains the server directive. It injects all of these into the http directive of the nginx.config.

You do have the option of completely overriding the nginx config. But, being someone who is damn near clueless on what all is going on in there and the potential dangers of doing so, I figured that it'd be best to not modify default behavior as much as possible. Therefore, I've resolved to find a way to modify this auto generated .config file and restart nginx.

So far what I've got is this for my ./ebextensions/01_proxy.config:

files:
  "/etc/nginx/conf.d/injectObfuscation.sh":
    content: |
      # This script expects a file as input with an nginx server directive to be injected into the http directive of an nginx.config file.
      # It will make two modifications:
      # - It will create a log_format to be used when filtering the password parameter
      # - It will find the server directive and inject a location directive for the sensitive endpoint
      #   - This directive will replace the sensitive parameter with *s and use the filter log_format instead of the main log_format
      # TODO: Figure out how to do the above ^^

container_commands:
  01_update_server_directive:
    command: "./etc/nginx/conf.d/injectObfuscation.sh /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf"
  02_reload_nginx:
    command: "sudo service nginx reload"

The files: line declares that I'm creating some files to add to the EC2 instance. Here, my goal is to create a bash script to accomplish my task. My tasks, as outlined in the comments, are to first add a line with the log_format. Then, find the line with server{, and below it I need to inject the locations /my/sensitive/endpoint directive in its entirety.

Any help on writing this bash script, which I'm completely unfamiliar with, would be awesomely appreciated.


回答1:


My attempt was silly.

I needed to overwrite the default nginx.conf and 00_elastic_beanstalk_proxy.conf like in the Node.js specific documentation: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/nodejs-platform-proxy.html

Other platforms on EB allow you to add a .ebextensions/nginx/nginx.conf to overwrite the existing nginx.conf, but Node's startup process seems to be different and ignores this file. However, you can use an .ebextension config to create a file at /etc/nginx/nginx.conf to replace it.

For my purposes, I did this and changed $request to $temp in the main log_format.

For Node environments, the server directive exists inside the 00_elastic_beanstalk_proxy.conf file auto generated by the instance during launch. Using the example in the documentation above, I overrode this and added the logic to obfuscate the parameter I needed to. Optionally, this could have been placed inside a location directive within this overwritten file. And I could have defined a separate log format. But for my purposes, I wanted this parameter to not be logged no matter the path.

AWS Notes that the default nginx.conf and 00_elastic_beanstalk_proxy.conf may change depending on the version of the node environment you're using, so to always pull the one from the specific version.

One attempt I made was to only override the nginx.conf. However, the set directive can only be used inside location, server, and one other directive I can't remember off the top of my head. It is not valid to set a variable within the http directive itself.



来源:https://stackoverflow.com/questions/51850461/aws-eb-nginx-update-access-log-format-to-obfuscate-sensitive-get-request-para

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!