I need to replace one log field, from nginx.conf, with its SHA-512 hash, for security reasons. I'd prefer to do this with njs, but would consider Lua.
I'm finding a chicken-and-the-egg problem when I try to do this with njs. More specifically, the only way I know of to modify a log field is js_set, but js_set wants synchronous code, while njs' crypto.subtle.digest("SHA-512", msgUint8) is asynchronous - and the two combine like oil and water.
Is there an alternative to js_set that can accept an asynchronous function, that can be used in the http block of an nginx.conf?
I've already been down the road of trying to get a SHA-512 hash synchronously using crypto.subtle.digest("SHA-512", message), and am largely giving up on that. JavaScript developers don't like to discuss this much, and commonly say things like "It's a good thing that you can't".
I suspect I could use a 3rd party SHA-512 module, but we'd prefer to avoid that if possible. It'd mean more code to maintain, and a license review.
Here's a summarized version of what I have right now:

nginx.conf, in the http section:

    js_import obfuscate.js;
    js_set $obfuscated_token obfuscate.get_obfuscated_token_test;
    log_format main escape=json '{'
        '"http_authorization":"$obfuscated_token",'
        '}';

And a little test code in obfuscate.js:

    async function get_obfuscated_token_test(r) {
        return "abc";
    }

This replaces the http_authorization field with:

    "http_authorization":"[object Promise]"

...which is not what I want. Instead of [object Promise], I want a SHA-512 hash in hexadecimal, or at least just "abc" :). I'll remind you, if I try to return an output from crypto.subtle.digest(), the get_obfuscated_token_test() needs to be async.
Thanks!
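
The mismatch described above, as an added example that is not part of the original post. `render_js_set` and `sample` are hypothetical stand-ins for nginx's variable evaluation and the njs request object, and the synchronous handler assumes njs's built-in `crypto` module, whose documented digests are md5, sha1 and sha256, so it uses SHA-256 rather than the SHA-512 asked for.

```javascript
// Added example, not from the original post. Runs under Node.js as-is; under
// njs, also add `export default { get_obfuscated_token };` so js_set can see it.
// Assumption: njs's built-in 'crypto' module, which is synchronous. Its
// documented digests are md5, sha1 and sha256, hence SHA-256 below.
const cr = require('crypto');

// Synchronous handler: the caller gets a hex string back, not a Promise.
function get_obfuscated_token(r) {
    const value = r.headersIn['Authorization'];
    if (!value) {
        return '';  // no header on the request: log an empty field
    }
    return cr.createHash('sha256').update(value).digest('hex');
}

// The handler from the post, kept async to reproduce the logged value.
async function get_obfuscated_token_test(r) {
    return 'abc';
}

// Hypothetical stand-in for js_set: call the handler once and convert
// whatever comes back to a string, without awaiting it.
function render_js_set(handler, r) {
    return String(handler(r));
}

// Constructed request object (njs passes the real one as `r`).
const sample = { headersIn: { Authorization: 'abc' } };

console.log(render_js_set(get_obfuscated_token_test, sample));
console.log(render_js_set(get_obfuscated_token, sample));
```

The raw header value never reaches the log line in the synchronous version, because the handler returns only the hex digest.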