HAProxy community

Mask sensitive data in logs

I’m trying to hide sensitive data from the logs.

Example: www.example.com/api?token=sensitive&order_by=id
I want to mask/hide “sensitive”, (eg /api?token=****&order_by=id)

regsub() doesn’t work due to the parser limitation (] and ) are not allowed), so I can’t use regsub(token=[^&]+,token=****,gi)

# In this example regsub removes everything after token, but I want to mask only token and keep the rest
log-format "%[capture.req.uri,regsub(token=.+,token=****,g)]" #  => /api?token=****

I’d assume your token contains alphanumeric characters only, so why not use \w+?

log-format "%[capture.req.uri,regsub(token=\w+,token=****,g)]" #  => /api?token=****

It can contain -

No easy way as far as I can see, a feature request for a simpler solution has been posted here:

Here’s a LUA workaround:

/etc/haproxy/anonymizeToken.lua:

local function anonymizeToken(url)
   if url == nil then
       return
   end
   url = url:gsub("token=[^&]+", "token=******")
   return url
 end

core.register_converters("anonymizeToken", anonymizeToken)

Config:

global
    lua-load /etc/haproxy/anonymizeToken.lua

frontend blabla
    log-format "%[capture.req.uri,lua.anonymizeToken]"
1 Like