Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Suppress query params in logs #274

Merged
merged 4 commits into from
Oct 13, 2020
Merged

Suppress query params in logs #274

merged 4 commits into from
Oct 13, 2020

Conversation

domdom82
Copy link
Contributor

  • A short explanation of the proposed change:
    As discussed in this routing-release issue I have provided logic to redact query parameters of GET requests from getting logged to the access log.

  • An explanation of the use cases your change solves
    There are three options:
    none (default) retains the current behavior: All parameters are logged
    all Removes all query parameters from the log
    hash performs a SHA1 over the query parameters and logs only the hash sum.

  • Instructions to functionally test the behavior change using operator interfaces (BOSH manifest, logs, curl, and metrics)

Default behavior:

  1. In gorouter BOSH job set property redact_query_parameters to none
  2. bosh -d cf deploy
  3. curl https://some-app.cf-app.com/?password=secret
  4. bosh -d cf ssh gorouter
  5. vi access_log
  6. The access_log should say some-app.cf-app.com - [timestamp] "GET /?password=secret HTTP/1.1"

Log no query parameters:

  1. In gorouter BOSH job set property redact_query_parameters to all
  2. bosh -d cf deploy
  3. curl https://some-app.cf-app.com/?password=secret
  4. bosh -d cf ssh gorouter
  5. vi access_log
  6. The access_log should say some-app.cf-app.com - [timestamp] "GET / HTTP/1.1"

Log only hash of query parameters:

  1. In gorouter BOSH job set property redact_query_parameters to hash
  2. bosh -d cf deploy
  3. curl https://some-app.cf-app.com/?password=secret
  4. bosh -d cf ssh gorouter
  5. vi access_log
  6. The access_log should say some-app.cf-app.com - [timestamp] "GET /?hash=878830dc19ac17a15b189cad83b7809975bc525e HTTP/1.1"

  • Expected result after the change
    GET query parameters are hidden or hashed if needed.

  • Current result before the change
    GET query parameters are logged.

  • Links to any other associated PRs
    tbd

  • I have viewed signed and have submitted the Contributor License Agreement

  • I have made this pull request to the main branch

  • I have run all the unit tests using scripts/run-unit-tests-in-docker from routing-release.

  • (Optional) I have run Routing Acceptance Tests and Routing Smoke Tests on bosh lite

  • (Optional) I have run CF Acceptance Tests on bosh lite

This was referenced Sep 30, 2020
Merged
Closed
@ryanhallware ryanhallware merged commit 1e28509 into cloudfoundry:main Oct 13, 2020
@ameowlia
Copy link
Member

Released! https://github.com/cloudfoundry/routing-release/releases/tag/0.209.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@domdom82 @ameowlia @ryanhallware