On Mon, Jul 29, 2019 at 3:13 PM Eric Covener <[email protected]> wrote:
> On Mon, Jul 29, 2019 at 7:56 AM Ori Liel <[email protected]> wrote:
> >
> > I have a server application, and for security reasons I'm trying to
> > prevent requests, which provide 'username' and 'password' as query
> > parameters, from being logged (providing these parameters as query
> > parameters is a user mistake, but still...)
> >
> > I've tried this way:
> >
> > SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
> > CustomLog logs/my_log common env=!dontlog
> >
> > But the unwanted requests were still being printed to the log. I wanted
> > to verify that QUERY_STRING contains what I expected it to, so I tried to
> > print it out:
> >
> > CustomLog logs/my_log "%{QUERY_STRING}e"
> >
> > But no matter what request was made, only '-' was printed to the log.
> > I've done the same for other server variables, e.g: REQUEST_URI,
> > THE_REQUEST, etc - and all were empty (or rather only contained the '-'
> > character).
> >
>
> I think the problem is that the "variables" some modules use in their
> configuration are not always/necessarily the per-request environment
> variables the %{foo}e syntax retrieves.
> Same neighborhood: Some of them use the same name as actual
> per-request environment variables that are only set for CGI-like
> responses.
>
> If SetEnvIf or the expr.html or mod_rewrite says you can read it, you
> can read it, but you may not be able to plug it in anywhere else (like
> in a logformat) as an environment variable.
>

Thanks. If I understood you correctly, '-' printed to the log does not mean
that the server variable is empty, because it may not be possible to use
%{QUERY_STRING}e in the definition of the CustomLog.

So I am left with the original question, which is why SetEnvIf isn't working
as expected. Even when I simplify the predicate to check for any string at
all:

SetEnvIf QUERY_STRING "." dontlog
CustomLog logs/my_log common env=!dontlog

The query:

GET https://.../api?some_var=some_value

is logged, while it seems that it shouldn't be. Any ideas how I can tackle
this?

Thanks again!
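
An added example, not part of the thread and not the httpd project's own configuration: one way to express the same condition in Apache httpd 2.4 is SetEnvIfExpr, which evaluates the expression syntax (expr.html) mentioned in the reply, where %{QUERY_STRING} is a documented variable. It assumes mod_setenvif and mod_log_config are loaded and reuses the thread's log path, regex and dontlog name; the format nickname common_noquery and the file logs/my_log_noquery are hypothetical.

```apache
# Added example (not from the thread). Assumes httpd 2.4 with
# mod_setenvif and mod_log_config loaded.

# Flag requests whose query string carries both parameter names.
# The regex is the one from the thread, moved into an ap_expr
# expression so that %{QUERY_STRING} is resolved by the expression
# parser rather than looked up as a header or environment variable.
SetEnvIfExpr "%{QUERY_STRING} =~ /username.*password|password.*username/" dontlog

# Normal access log: skipped whenever dontlog is set.
CustomLog logs/my_log common env=!dontlog

# Optional (hypothetical names): keep an audit trail of the flagged
# requests without the credentials. %U is the URL path without the
# query string, so "%m %U %H" stands in for the full request line
# (%r) of the common format.
LogFormat "%h %l %u %t \"%m %U %H\" %>s %b" common_noquery
CustomLog logs/my_log_noquery common_noquery env=dontlog

# Each CustomLog or TransferLog directive that applies to a request
# writes its own entry, so any other access log covering this URL
# needs the same env=!dontlog condition.
```

After reloading, a request such as `/api?username=a&password=b` should be absent from logs/my_log and appear in logs/my_log_noquery as `/api` only, while requests without both parameters are logged as before.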
