Help obfuscating access.log GET request parameters on AWS Elastic Beanstalk

Posted by guru-j 
Help obfuscating access.log GET request parameters on AWS Elastic Beanstalk
August 14, 2018 06:40PM
I am trying to obfuscate a sensitive parameter that appears on some GET requests. These requests are encrypted, but are appearing in the access.log files in plain text.

I found this Stack Overflow question, which solves my issue... except that I don't configure nginx myself.
https://stackoverflow.com/questions/19265766/how-to-not-log-a-get-request-parameter-in-the-nginx-access-logs

I use AWS Elastic Beanstalk, which creates an EC2 instance running nginx. I have done literally 0 configuration of nginx myself, it uses default settings, including the default log_format.

I know that I have a file, `./ebextensions/nginx.config`, but currently its contents are just this, to change the max body size of a request so that it's large enough to accept full res images from mobile devices:

```
files:
  /etc/nginx/conf.d/proxy.conf:
    content: |
      client_max_body_size 5M;
```

I think I would be able to SSH into my instance to update this, but that would be overwritten with each deployment, and any new instance that gets spun up would still be using the defaults, so I think I need to figure out how to modify this from the file I posted above. However, I can hardly find any information on how to utilize this file.

Any help would be greatly appreciated!



Edited 2 time(s). Last edit at 08/14/2018 06:41PM by guru-j.
Re: Help obfuscating access.log GET request parameters on AWS Elastic Beanstalk
August 14, 2018 08:37PM
Here's where I'm at so far.

EB extensions allow you to add files, similar to what I did above. The default nginx.config looks like this:

```
# Elastic Beanstalk Managed

# Elastic Beanstalk managed configuration file
# Some configuration of nginx can be by placing files in /etc/nginx/conf.d
# using Configuration Files.
# http://docs.amazonwebservices.com/elasticbeanstalk/latest/dg/customize-containers.html
#
# Modifications of nginx.conf can be performed using container_commands to modify the staged version
# located in /tmp/deployment/config/etc#nginx#nginx.conf

# Elastic_Beanstalk
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log;

pid /var/run/nginx.pid;


events {
worker_connections 1024;
}

http {

port_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;

keepalive_timeout 65;
# Elastic Beanstalk Modification(EB_INCLUDE)

log_format healthd '$msec"$uri"'
'$status"$request_time"$upstream_response_time"'
'$http_x_forwarded_for';

include /etc/nginx/conf.d/*.conf;
# End Modification

}
```

Note at the end, `include /etc/nginx/conf.d/*.conf;`, which will include other .conf files, like the one I posted in my question that just sets the max body size.

AWS EB also has a default file that gets included, autogenerated by EB: etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf

```
# Elastic Beanstalk Managed

# Elastic Beanstalk managed configuration file
# Some configuration of nginx can be by placing files in /etc/nginx/conf.d
# using Configuration Files.
# http://docs.amazonwebservices.com/elasticbeanstalk/latest/dg/customize-containers.html
#
# Modifications of nginx.conf can be performed using container_commands to modify the staged version
# located in /tmp/deployment/config/etc#nginx#nginx.conf


upstream nodejs {
server 127.0.0.1:8081;
keepalive 256;
}

server {
listen 8080;


if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
set $year $1;
set $month $2;
set $day $3;
set $hour $4;
}
access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
access_log /var/log/nginx/access.log main;


location / {
proxy_pass http://nodejs;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

gzip on;
gzip_comp_level 4;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;


}
```

Of note is the sloppy indenting, that's literally copied from AWS' own file...

Anyway, it seems that this file is where I would have to do what the Stack Overflow answer I posted suggests, since it's where the Server { } configuration is.

The comments at the top of each file mention you can modify nginx.config through container commands, but I do not believe that will help me, since nginx.config doesn't contain the Server call. However, I've got to imagine these container commands could also be used to update this file, no? Here is a link discussing container commands: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-ec2.html#linux-container-commands

So now it looks like what I need is a command that will copy the existing `00_elastic_beanstalk_proxy.conf` and inject the following:
```
# http context (conf.d files are included inside http { })
log_format filter '$remote_addr - $remote_user [$time_local] '
                  '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
#....

# inside server block
location /my/sensitive/route {
    set $temp $request;
    # mask the value of the password parameter in the logged request line
    if ($temp ~ (.*)password=[^&]*(.*)) {
        set $temp $1password=*****$2;
    }

    access_log /var/log/nginx/access.log filter;
}
```


So at this point, I'm thinking I literally need to include a bash script with my source code that takes an input file, adds a new line at the beginning of the file `log_format filter '$remote_addr - $remote_user [$time_local] ''"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';`, since this file is all encapsulated within the http directive, then find the line with `server{` || `server {`, and add the location block below it....

Can anybody tell me that I'm completely wrong before I go ahead and do this?
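
The script the second post proposes, as an added example that is not part of the original posts and not AWS code: it prints a patched copy of a conf file with the `log_format` prepended and the location block placed after the first `server {` line. The `proxy_pass` line, the function names and the sample input are assumptions added here.

```shell
# Added example, not AWS or forum code. Prints a patched copy of an nginx
# conf.d file: masking log_format first, location block after "server {".

log_format_block() {  # conf.d files load inside http {}, so this can lead the file
cat <<'EOF'
log_format filter '$remote_addr - $remote_user [$time_local] '
                  '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
EOF
}

location_block() {  # route and parameter name are the thread's placeholders
cat <<'EOF'
    location /my/sensitive/route {
        set $temp $request;
        if ($temp ~ (.*)password=[^&]*(.*)) {
            set $temp $1password=*****$2;
        }
        # Assumption: the route must still be proxied to the app upstream.
        proxy_pass http://nodejs;
        # An access_log here replaces the server-level ones for this route.
        access_log /var/log/nginx/access.log filter;
    }
EOF
}

sample_conf() {  # constructed input, trimmed from the file quoted in the thread
cat <<'EOF'
upstream nodejs {
server 127.0.0.1:8081;
}
server {
listen 8080;
}
EOF
}

inject_log_filter() {
    src=$1
    # Idempotent: redeploying over an already patched file changes nothing.
    if grep -q '^log_format filter ' "$src"; then cat "$src"; return 0; fi
    # Match "server {" or "server{", not "server 127.0.0.1:8081;" in upstream.
    n=$(grep -En '^[[:space:]]*server[[:space:]]*\{' "$src" | head -n 1 | cut -d: -f1)
    [ -n "$n" ] || return 1  # layout changed: fail rather than emit a partial file
    log_format_block
    head -n "$n" "$src"
    location_block
    tail -n +"$((n + 1))" "$src"
}
```

Because a location-level `access_log` replaces the inherited ones, requests to this route stop appearing in the `healthd` log unless that `access_log` line is repeated inside the block.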