Welcome! Log In Create A New Profile


Can Njs (or Lua?) be used to replace a log field with the SHA-512 hash of that log field?

Posted by dstromberg 
I need to replace one log field, from nginx.conf, with its SHA-512 hash, for security reasons. I'd prefer to do this with njs, but would consider Lua.

I'm finding a chicken-and-the-egg problem when I try to do this with njs. More specifically, the only way I know of to modify a log field is js_set, but js_set wants synchronous code, while njs' crypto.subtle.digest("SHA-512", msgUint8) is asynchronous - and the two combine like oil and water.

Is there an alternative to js_set that can accept an asynchronous function, that can be used in the http block of an nginx.conf?

I've already been down the road of trying to get a SHA-512 hash synchronously using crypto.subtle.digest("SHA-512", message), and am largely giving up on that. Javascript developers don't like to discuss this much, and commonly say things like "It's a good thing that you can't".

I suspect I could use a 3rd party SHA-512 module, but we'd prefer to avoid that if possible. It'd mean more code to maintain, and a license review.

Here's a summarized version of what I have right now: nginx.conf, in the http section:

js_import obfuscate.js;
js_set $obfuscated_token obfuscate.get_obfuscated_token_test;
log_format main escape=json '{'

And a little test code in obfuscate.js:

async function get_obfuscated_token_test(r) {
return "abc";
This replaces the http_authorization field with:

"http_authorization":"[object Promise]"
...which is not what I want. Instead of [object Promise], I want a SHA-512 hash in hexadecimal, or at least just "abc" :). I'll remind you, if I try to return an output from crypto.subtle.digest(), the get_obfuscated_token_test() needs to be async.

I tried https://github.com/emn178/js-sha512 and https://github.com/indutny/hash.js and found that neither one was tremendously compatible with njs.

And the Cryptocoin implementation is deprecated.

Edited 1 time(s). Last edit at 07/09/2024 05:30PM by dstromberg.
With the js-sha512 implementation I get:
root@tact_manager_nginx:/tmp# cat t
#!/usr/bin/env njs

const { sha512, sha384, sha512_256, sha512_224 } = require('js-sha512');

root@tact_manager_nginx:/tmp# ./t
SyntaxError: Token "sha512" not supported in this version in ./t:2

Is njs not compatible enough?
nodejs likes my test script, but njs does not:

root@tact_manager_nginx:/tmp# NODE_PATH=$(pwd) nodejs ./t
root@tact_manager_nginx:/tmp# njs ./t
SyntaxError: Token "sha512" not supported in this version in ./t:2
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 205
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready