How to not log a get request parameter in the nginx access logs?

Question

I require access logs enabled, but for compliance reasons, cannot log a sensitive GET request parameter's data in the access logs. While I know, I could parse the logs (after-the-fact) and sanitize them, this is not an acceptable solution -- because for compliance reasons logs can't be tampered with.

http://www.example.com/resource?param1=123&sensitive_param=sensitive_data

How can I prevent the "sensitive_data" parameter value from being written to the logs? Here were some ideas:

• Send in POST request -- is not an option with JSONP.
• Use a new location rule for "resource" and set an access log to use a log_format the uses a different format (ie does not use $remote_addr). See this for reference: http://nginx.org/en/docs/http/ngx_http_log_module.html
• Log a $sanitized_remote_addr, and set it (somehow parse the $remote_addr or something else?) before it makes it to the log. We're not sure if this is easy to accomplish.

How should this be done?

Answer 1

Previous answer will not work since log_format module can only be used at http level config.

For fix of this, we can remove the log_format configuration from location directive and keep it as it in http level config.

http {

    log_format filter '$remote_addr - $remote_user [$time_local] '
        '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

    # Other Configs
}

log_format directive can have variables defined later in our location directive block.

So final config will look like:

http {

    log_format filter '$remote_addr - $remote_user [$time_local] '
        '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

    # Other Configs

    server {
        #Server Configs
        location / {
            set $temp $request;
            if ($temp ~ (.*)password=[^&]*(.*)) { 
                set $temp $1password=****$2;
            }

            access_log /opt/current/log/nginx_access.log filter;
        }
    }
}

Answer 2

The solution I found so far is here. In short:

location /any_sensitive... {
    # Strip password in access.log
    set $temp $request;
    if ($temp ~ (.*)password=[^&]*(.*)) {
        set $temp $1password=****$2;
    }

    log_format filter '$remote_addr - $remote_user [$time_local] '
        '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

    access_log logs/access.log filter;
}

Maybe this used to work at some point, now it says:

nginx: [emerg] unknown "temp" variable

or

nginx: [warn] the "log_format" directive may be used only on "http" level in ...