Caddy log filter
Caddy is a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go.
It can be used as a reverse proxy server, for example:
:10001 {
	respond /healthz "OK" 200
	reverse_proxy /* http://localhost:8000 {
		header_up x-account "user"
		header_up x-secret-key "secret"
	}
	log
}
The above Caddyfile launches an HTTP server listening on port 10001, proxies requests to localhost:8000, and adds two headers to the upstream request that carry sensitive information. When debug mode is turned on, Caddy's reverse proxy logs each request it sends to the upstream server, headers included, so the secret ends up in the log.
The log global option, combined with the filter log encoder, can be used to strip specific headers from every logged request, both in the site's access log and in the reverse proxy's own debug log. To do so, add a log override to the global options block. Note that the header name in the filter path must be written the way Caddy logs it, in canonical form (X-Secret-Key), even though header_up above used lowercase: Go canonicalizes header names when they are set, and the filter matches the logged key exactly.
{
	log {
		format filter {
			wrap console
			fields {
				request>headers>X-Secret-Key delete
			}
		}
	}
}
Note that we don't need to explicitly remove the Authorization header, because the Caddy documentation states:
Since Caddy v2.5, by default, headers with potentially sensitive information (Cookie, Set-Cookie, Authorization and Proxy-Authorization) will be logged with empty values. This behaviour can be disabled with the log_credentials global server option.
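To check that the filter above actually closes the leak, and to see what the `request>headers>X-Secret-Key delete` path means, here is an added example that is not part of the original page or of the Caddy project. It parses constructed JSON log lines shaped like Caddy's access log and the reverse proxy's "upstream roundtrip" debug line (the field layout is an assumption, not captured output), applies the same `>`-separated delete path the filter encoder uses, and reports which sensitive request headers still carry a value. It also shows the canonical-name caveat: a lowercase path silently matches nothing, and the Authorization header is already logged empty thanks to the log_credentials default.

```python
"""Audit Caddy JSON log lines for leaked header values and mirror what the
filter encoder's `request>headers>X-Secret-Key delete` rule removes.

Added example; not code from the Caddy project or from the original page.
The log lines below are constructed to resemble Caddy's JSON access log and
the reverse_proxy debug log; their exact layout is an assumption."""
import json

# Constructed sample lines. Assumed layout: the "request" object carries a
# "headers" map of canonical header name -> list of values. Authorization is
# shown as an empty list because Caddy (since v2.5) blanks credential headers
# unless log_credentials is enabled.
SAMPLE_LOG = "\n".join([
    json.dumps({"level": "info", "logger": "http.log.access",
                "msg": "handled request",
                "request": {"method": "GET", "uri": "/",
                            "headers": {"User-Agent": ["curl/8.0"],
                                        "Authorization": []}}}),
    json.dumps({"level": "debug", "logger": "http.handlers.reverse_proxy",
                "msg": "upstream roundtrip", "upstream": "localhost:8000",
                "request": {"method": "GET", "uri": "/",
                            "headers": {"X-Account": ["user"],
                                        "X-Secret-Key": ["secret"],
                                        "Authorization": []}}}),
])

# Headers that must never appear in logs with a real value.
SENSITIVE = {"X-Secret-Key", "Authorization", "Proxy-Authorization",
             "Cookie", "Set-Cookie"}


def delete_field(entry: dict, path: str) -> dict:
    """Remove the field addressed by a `>`-separated path, the same notation
    Caddy's filter encoder uses in `fields { <path> delete }`.
    Keys are matched exactly, so the header name must be in the canonical
    form Go uses (X-Secret-Key, not x-secret-key)."""
    parts = path.split(">")
    node = entry
    for key in parts[:-1]:
        node = node.get(key)
        if not isinstance(node, dict):
            return entry  # path absent: nothing to delete
    node.pop(parts[-1], None)
    return entry


def leaked_headers(entry: dict) -> list[str]:
    """Names of sensitive request headers that still carry a non-empty value."""
    headers = entry.get("request", {}).get("headers", {})
    return sorted(name for name, values in headers.items()
                  if name in SENSITIVE and any(v for v in values))


def audit(log_text: str, delete_paths: tuple[str, ...] = ()) -> dict[str, list[str]]:
    """Parse JSON log lines, apply the given delete paths to each entry, and
    return the leaked header names keyed by logger name."""
    report: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        for path in delete_paths:
            delete_field(entry, path)
        leaks = leaked_headers(entry)
        if leaks:
            report[entry.get("logger", "?")] = leaks
    return report


if __name__ == "__main__":
    print("unfiltered:", audit(SAMPLE_LOG))
    print("filtered:  ", audit(SAMPLE_LOG, ("request>headers>X-Secret-Key",)))
    print("wrong case:", audit(SAMPLE_LOG, ("request>headers>x-secret-key",)))
```

Run against a real Caddy log by piping the JSON output into `audit` instead of `SAMPLE_LOG`; an empty report after the filter is in place is the result you want, and a non-empty one for the lowercase path is the reminder to use the canonical header name in the Caddyfile.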