Reduce information in logfiles in 3scale API Management
Issue
- Unexpected log messages are seen and should be suppressed when sending the app_id and app_key in the header, as in the following example request:
curl "https://3scale.api-mgmt.example.com:443/test-" -H'app_id: a1b2d3' -H'app_key: abcdefg123456'
- Red Hat 3scale API manager APICast will generate the following INFO log entries:
[info] 29#29: *149565 [lua] proxy.lua:82: output_debug_headers(): usage: usage%5Btest%5D=1 credentials: app_key=abcdefg123456&app_id=a1b2d3, client: 10.10.10.10, server: _, request: "GET /test HTTP/1.1", host: "3scale.api-mgmt.example.com"
[info] 29#29: *149565 [lua] backend_client.lua:133: call_backend_transaction(): backend client uri: https://3scale.api-mgmt.example.com/transactions/authrep.xml?service_id=4&service_token=abcdefg&usage%5Btest%5D=1&app_key=abcdefghi1234567&app_id=0123abcd ok: true status: 200 body: error: nil, client: 10.10.10.10, server: _, request: "GET /test HTTP/1.1", host: "3scale.api-mgmt.example.com"
- Parameters like access keys should never be sent in query parameters. This is considered insecure because they will be logged in access logs and in other logs as well.
- But if the parameters are sent in the header for security reasons, they should not be logged (they are not logged at the default WARN level, but may be seen logged at INFO level).
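As an added example (not part of the original article and not Red Hat's code): a small Python filter that finds and masks the credential parameters shown in the INFO entries above, for scrubbing logs that were already collected at INFO level before they are stored or shared. The parameter names come from the log lines on this page; the function names and the sample lines are constructed for the example.

```python
import re

# Parameter names taken from the log lines on this page; extend as needed.
SENSITIVE = ("app_key", "app_id", "service_token")

# name=value, where the value ends at '&', whitespace, a comma or a quote.
_PARAM = re.compile(r"\b(" + "|".join(SENSITIVE) + r")=([^&\s,\"']*)")


def redact_line(line, mask="[REDACTED]"):
    """Return (scrubbed_line, names_of_parameters_that_were_masked)."""
    found = []

    def _sub(m):
        if m.group(2):  # an empty value leaks nothing, leave it alone
            found.append(m.group(1))
            return m.group(1) + "=" + mask
        return m.group(0)

    return _PARAM.sub(_sub, line), found


def scan(lines):
    """Scrub every line; return (scrubbed_lines, {line_number: [names]})."""
    out, hits = [], {}
    for n, line in enumerate(lines, 1):
        clean, found = redact_line(line)
        out.append(clean)
        if found:
            hits[n] = found
    return out, hits


# Constructed sample input modelled on the two INFO entries quoted above.
SAMPLE = [
    '[info] 29#29: *1 [lua] proxy.lua:82: output_debug_headers(): usage: '
    'usage%5Btest%5D=1 credentials: app_key=abcdefg123456&app_id=a1b2d3, '
    'client: 10.10.10.10, server: _, request: "GET /test HTTP/1.1"',
    '[info] 29#29: *1 [lua] backend_client.lua:133: call_backend_transaction(): '
    'backend client uri: https://3scale.api-mgmt.example.com/transactions/'
    'authrep.xml?service_id=4&service_token=abcdefg&usage%5Btest%5D=1'
    '&app_key=abcdefg123456&app_id=a1b2d3 ok: true status: 200',
    '[warn] 29#29: *2 upstream timed out, client: 10.10.10.10',
]

if __name__ == "__main__":
    cleaned, hits = scan(SAMPLE)
    print("\n".join(cleaned))
    print("lines with credentials:", hits)
```

The `hits` mapping doubles as a check: any non-empty result for a log file means credentials reached that file and the keys involved should be treated as exposed.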
Environment
- Red Hat 3scale API Management
- 2.11.0 On-Premise