post(caddy): remove PII from error log

- "log" global option
- https://caddyserver.com/docs/caddyfile/options#log
- available in Caddy v2.4.0+
This commit is contained in:
Ming Di Leom 2021-07-16 09:16:10 +00:00
parent 82de82cca2
commit ff0dd91b8d
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 64 additions and 11 deletions

View File

@ -2,7 +2,7 @@
title: "Setup Caddy as a reverse proxy on NixOS (Part 3: Caddy)" title: "Setup Caddy as a reverse proxy on NixOS (Part 3: Caddy)"
excerpt: "Part 3: Configure Caddy" excerpt: "Part 3: Configure Caddy"
date: 2020-03-14 date: 2020-03-14
updated: 2020-11-09 updated: 2021-07-16
tags: tags:
- server - server
- linux - linux
@ -292,7 +292,7 @@ To make sure Caddy sends the correct `Host:` header to the upstream/backend loca
To prevent any unnecessary request headers from being sent to the upstreams, I use `header_up`. I use it to remove cookie, referer and [other headers](https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-) added by Cloudflare. Since there are many headers to remove, I group them as a global variable. I apply it to all `reverse_proxy` directives. To prevent any unnecessary request headers from being sent to the upstreams, I use `header_up`. I use it to remove cookie, referer and [other headers](https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-) added by Cloudflare. Since there are many headers to remove, I group them as a global variable. I apply it to all `reverse_proxy` directives.
{% codeblock mark:25,34,40 %} ``` Caddyfile
(removeHeaders) { (removeHeaders) {
header_up -cdn-loop header_up -cdn-loop
header_up -cf-cache-status header_up -cf-cache-status
@ -301,10 +301,18 @@ To prevent any unnecessary request headers from being sent to the upstreams, I u
header_up -cf-ray header_up -cf-ray
header_up -cf-request-id header_up -cf-request-id
header_up -cf-visitor header_up -cf-visitor
header_up -cf-worker
header_up -cookie header_up -cookie
header_up -referer header_up -referer
header_up -sec-ch-ua # https://user-agent-client-hints.glitch.me/
header_up -sec-ch-ua-mobile header_up -sec-ch-ua-arch
header_up -sec-ch-ua-bitness
header_up -sec-ch-ua-full-version
header_up -sec-ch-ua-ua
header_up -sec-ch-ua-ua-mobile
header_up -sec-ch-ua-ua-model
header_up -sec-ch-ua-ua-platform
header_up -sec-ch-ua-ua-platform-version
header_up -true-client-ip header_up -true-client-ip
header_up -via header_up -via
header_up -x-forwarded-for header_up -x-forwarded-for
@ -334,7 +342,7 @@ mdleom.com {
header_up Host curben.netlify.app header_up Host curben.netlify.app
} }
} }
{% endcodeblock %} ```
The upstream locations insert some information into the response headers that are irrelevant to the site visitors. I use `header` directive to filter them out. It also applies to all `reverse_proxy` directives. The upstream locations insert some information into the response headers that are irrelevant to the site visitors. I use `header` directive to filter them out. It also applies to all `reverse_proxy` directives.
@ -401,10 +409,47 @@ Since I also set up reverse proxy for {% post_link tor-hidden-onion-nixos 'Tor O
``` plain common.conf ``` plain common.conf
## Optional: disable admin endpoint and http->https redirect ## Optional: disable admin endpoint and http->https redirect
#{ {
# admin off ## disable admin endpoint
# auto_https disable_redirects # admin off
#} ## http->https redirect
# auto_https disable_redirects
## Remove PII from error log
log {
level ERROR
format filter {
wrap json {
time_format iso8601
}
fields {
request>remote_addr delete
request>headers>CDN-Loop delete
request>headers>CF-Cache-Status delete
request>headers>CF-Connecting-IP delete
request>headers>CF-IPCountry delete
request>headers>CF-RAY delete
request>headers>CF-Request-ID delete
request>headers>CF-Visitor delete
request>headers>CF-Worker delete
request>headers>Cookie delete
request>headers>Referer delete
request>headers>Sec-CH-UA-Arch delete
request>headers>Sec-CH-UA-Bitness delete
request>headers>Sec-CH-UA-Full-Version delete
request>headers>Sec-CH-UA-UA delete
request>headers>Sec-CH-UA-UA-Mobile delete
request>headers>Sec-CH-UA-UA-Model delete
request>headers>Sec-CH-UA-UA-Platform delete
request>headers>Sec-CH-UA-UA-Platform-Version delete
request>headers>True-Client-IP delete
request>headers>User-Agent delete
request>headers>Via delete
request>headers>X-Forwarded-For delete
request>headers>X-Forwarded-Proto delete
}
}
}
}
(setHeaders) { (setHeaders) {
-access-control-allow-origin -access-control-allow-origin
@ -461,10 +506,18 @@ Since I also set up reverse proxy for {% post_link tor-hidden-onion-nixos 'Tor O
header_up -cf-ray header_up -cf-ray
header_up -cf-request-id header_up -cf-request-id
header_up -cf-visitor header_up -cf-visitor
header_up -cf-worker
header_up -cookie header_up -cookie
header_up -referer header_up -referer
header_up -sec-ch-ua # https://user-agent-client-hints.glitch.me/
header_up -sec-ch-ua-mobile header_up -sec-ch-ua-arch
header_up -sec-ch-ua-bitness
header_up -sec-ch-ua-full-version
header_up -sec-ch-ua-ua
header_up -sec-ch-ua-ua-mobile
header_up -sec-ch-ua-ua-model
header_up -sec-ch-ua-ua-platform
header_up -sec-ch-ua-ua-platform-version
header_up -true-client-ip header_up -true-client-ip
header_up -via header_up -via
header_up -x-forwarded-for header_up -x-forwarded-for