Caddy log filter

Caddy is a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go.

It can be used as a reverse proxy server, for example:

:10001 {
    respond /healthz "OK" 200
    reverse_proxy /* http://localhost:8000 {
        header_up x-account "user"
        header_up x-secret-key "secret"
    }
    log
}

The above Caddyfile starts an HTTP server listening on port 10001 that forwards requests to localhost:8000, adding two upstream headers that carry sensitive values. When debug mode is turned on, Caddy's internal logger records the requests the reverse proxy sends to the localhost server, including those headers, so the sensitive values end up in the logs.

The log directive, combined with the filter format, can be used to remove specific headers from logged requests, including the ones the reverse proxy itself sends upstream. To do so, add a log override to the global options block:

{
    log {
        format filter {
            wrap console
            fields {
                request>headers>X-Secret-Key delete
            }
        }
    }
}

Note that we do not need to explicitly remove the Authorization header, because:

Since Caddy v2.5, by default, headers with potentially sensitive information (Cookie, Set-Cookie, Authorization and Proxy-Authorization) will be logged with empty values. This behaviour can be disabled with the log_credentials global server option.
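A practical way to confirm that a filter like the one above actually took effect is to audit the emitted access log rather than trust the configuration. The script below is an added example, not part of the original post or of the Caddy project: it parses lines in the JSON shape of Caddy's `http.log.access` entries (sample lines are constructed here), resolves the same `request>headers>...` field-path notation the filter uses, and reports any sensitive header that still carries a non-empty value. The set of headers Caddy blanks by default is taken from the note above; `X-Secret-Key` is the custom header from this page's Caddyfile, and the expectation that it appears with an empty list of values rather than being absent is an assumption used only for the constructed samples.

```python
import json

# Headers Caddy >= 2.5 logs with empty values by default (per the note above).
DEFAULT_REDACTED = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# The custom upstream header from the Caddyfile on this page (assumed name).
CUSTOM_SENSITIVE = {"x-secret-key"}

# Constructed sample lines in the shape of Caddy's JSON access log (not real logs).
# Line 1 leaks X-Secret-Key; line 3 shows what an unfiltered Cookie would look like.
SAMPLE_LOG = """
{"level":"info","logger":"http.log.access","msg":"handled request","request":{"method":"GET","uri":"/api","headers":{"User-Agent":["curl/8.0"],"X-Secret-Key":["secret"],"Authorization":[""]}},"status":200}
{"level":"info","logger":"http.log.access","msg":"handled request","request":{"method":"GET","uri":"/healthz","headers":{"User-Agent":["curl/8.0"]}},"status":200}
{"level":"info","logger":"http.log.access","msg":"handled request","request":{"method":"POST","uri":"/login","headers":{"Cookie":["session=abc"],"X-Account":["user"]}},"status":302}
"""


def lookup(entry, path):
    """Resolve a Caddy-style 'a>b>c' field path against a parsed log entry.

    Returns None when any segment of the path is missing, mirroring how the
    filter encoder simply does nothing for fields that are not present.
    """
    node = entry
    for key in path.split(">"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def leaked_headers(entry, sensitive=frozenset(DEFAULT_REDACTED | CUSTOM_SENSITIVE)):
    """Return the sensitive header names in one entry that still have a value.

    Caddy logs headers as a map of canonical name -> list of values, so a
    header that was blanked shows up as [""] and is not reported; a header
    that was deleted is absent and is likewise not reported.
    """
    headers = lookup(entry, "request>headers") or {}
    leaked = []
    for name, values in headers.items():
        if name.lower() in sensitive and any(v for v in values):
            leaked.append(name)
    return sorted(leaked)


def audit(log_text):
    """Scan a block of log lines; return [(line_no, [leaked header names]), ...].

    Non-JSON lines (e.g. console-format output) and non-access-log entries are
    skipped so the script can be pointed at a mixed log file.
    """
    findings = []
    for line_no, line in enumerate(log_text.strip().splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("logger") != "http.log.access":
            continue
        bad = leaked_headers(entry)
        if bad:
            findings.append((line_no, bad))
    return findings


if __name__ == "__main__":
    for line_no, names in audit(SAMPLE_LOG):
        print(f"line {line_no}: sensitive header(s) logged with values: {', '.join(names)}")
```

Run it against a real access log with `audit(open("access.log").read())` after applying the filter; an empty result means every header in the sensitive set was either deleted by the filter or blanked by Caddy's default credential handling, while a finding for `Cookie` or `Authorization` usually indicates that `log_credentials` has been enabled.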