Mask sensitive data in logs

I’m trying to hide sensitive data from the logs.

Example: www.example.com/api?token=sensitive&order_by=id
I want to mask/hide “sensitive” (e.g. /api?token=****&order_by=id)

regsub() doesn’t work due to the parser limitation (] and ) are not allowed), so I can’t use regsub(token=[^&]+,token=****,gi)

# In this example regsub removes everything after token, but I want to mask only token and keep the rest
log-format "%[capture.req.uri,regsub(token=.+,token=****,g)]" #  => /api?token=****

I’d assume your token contains alphanumeric characters only, so why not use \w+?

log-format "%[capture.req.uri,regsub(token=\w+,token=****,g)]" #  => /api?token=****

It can contain -

No easy way as far as I can see, a feature request for a simpler solution has been posted here:

Here’s a Lua workaround:

/etc/haproxy/anonymizeToken.lua:

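-- Converter: mask the value of the "token" query parameter before logging.
local function anonymizeToken(url)
    if url == nil then
        return
    end
    -- [^&]+ stops at the next "&", so the parameters after token are kept.
    url = url:gsub("token=[^&]+", "token=******")
    return url
end

core.register_converters("anonymizeToken", anonymizeToken)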

Config:

global
    lua-load /etc/haproxy/anonymizeToken.lua

frontend blabla
    log-format "%[capture.req.uri,lua.anonymizeToken]"
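A generalization of the converter above, as an added example that is not part of the original thread: it masks several query parameters, matches them only as whole parameter names, and leaves the rest of the URI untouched. The converter name maskParams, the parameter list and the sample URIs are assumptions made for illustration.

```lua
-- Added example, not code from the thread.
-- Assumption: the parameter names below are the ones considered sensitive.
local SENSITIVE = { token = true, api_key = true, password = true }

local function mask_params(uri)
    if uri == nil then
        return nil
    end
    -- Split path and query string; without "?" there is nothing to mask.
    local path, query = uri:match("^([^?]*)%?(.*)$")
    if not query then
        return uri
    end
    -- Visit every name=value pair. The value runs up to the next "&",
    -- so tokens containing "-", "." or "=" are covered in full.
    local masked = query:gsub("([^&=]+)=([^&]*)", function(name, value)
        if SENSITIVE[name:lower()] and value ~= "" then
            return name .. "=****"
        end
        return nil -- nil keeps the original pair unchanged
    end)
    return path .. "?" .. masked
end

if core then
    -- Running inside HAProxy: expose the function as lua.maskParams
    -- (hypothetical converter name).
    core.register_converters("maskParams", mask_params)
else
    -- Stand-alone run with constructed sample URIs.
    local samples = {
        "/api?token=abc-123.def&order_by=id",
        "/api?order_by=id&Token=a=b&page=2",
        "/login?user=bob&password=hunter2",
        "/api?tokenizer=fast&order_by=id",
        "/static/app.js",
    }
    for _, uri in ipairs(samples) do
        print(mask_params(uri))
    end
end
```

Load it with lua-load and reference it in log-format the same way as the converter above. Names are compared as they appear in the URI, so a percent-encoded parameter name is not recognized and would be logged unmasked.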