Nginx - Log Headers

Page content

How to enable Logging with Headers for Nginx

Assuming you have a running setup and you want to enable logging with headers for debug and learning purposes ?

Add Lua

doas pkg_add nginx-lua--

and you get …

doas pkg_info -L nginx-lua--
Information for inst:nginx-lua-1.20.1p0

Files:
/var/www/modules/ndk_http_module.so
/var/www/modules/ngx_http_lua_module.so

Enable Modules in /etc/nginx/nginx.conf

add two lines on Top

load_module "modules/ndk_http_module.so";
load_module "modules/ngx_http_lua_module.so";

Enhance Logging

add the following to the “http” Section

log_format log_req_resp   '$remote_addr - $remote_user [$time_local] '
                          '"$request" $status $body_bytes_sent '
                          '"$http_referer" "$http_user_agent" '
                          '$request_time req_header:"$req_header" '
                          'resp_header:"$resp_header"';

Enable Logging

add the following lines to your virtual Host Section


server {

    ... snip ...

    access_log    /var/log/nginx/your-web-server.ch-req-resp.log log_req_resp;

    ... snip ...

    lua_need_request_body on;

    set $resp_body "";
    body_filter_by_lua '
      local resp_body = string.sub(ngx.arg[1], 1, 1000)
      ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
      if ngx.arg[2] then
        ngx.var.resp_body = ngx.ctx.buffered
      end
    ';

    set $req_header "";
    set $resp_header "";
    header_filter_by_lua '
      local h = ngx.req.get_headers()
      for k, v in pairs(h) do
        ngx.var.req_header = ngx.var.req_header .. k.."="..v.." "
      end
    local rh = ngx.resp.get_headers()
      for k, v in pairs(rh) do
        ngx.var.resp_header = ngx.var.resp_header .. k.."="..v.." "
      end
    ';

Check Config and Restart Nginx

doas nginx -t && doas rcctl restart nginx

Check Logs

tail -1 /var/log/nginx/your-web-server-req-resp.log 
2a0b:xxxxxxxxxxxxxxxx - - [26/Feb/2022:10:55:13 +0100] "GET /extractedData=%22/%22eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxJ9.eyJpXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXhexwKE/%22%22 HTTP/1.1" 404 548 "https://db934XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.idocker.vuln.land/" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Mobile Safari/537.36" 0.000 req_header:"connection=keep-alive sec-fetch-site=cross-site origin=https://dbXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.idocker.vuln.land sec-fetch-dest=empty host=XXXXXXXXXXXXX.ch sec-fetch-mode=cors pragma=no-cache referer=https://dbXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.idocker.vuln.land/ sec-ch-ua=\x22 Not A;Brand\x22;v=\x2299\x22, \x22Chromium\x22;v=\x2298\x22, \x22Google Chrome\x22;v=\x2298\x22 sec-ch-ua-mobile=?1 cache-control=no-cache accept-encoding=gzip, deflate, br accept-language=de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6,fr;q=0.5 user-agent=Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Mobile Safari/537.36 accept=*/* sec-ch-ua-platform=\x22Android\x22 dnt=1 " resp_header:"content-length=548 content-type=text/html connection=keep-alive "

or nicely formated ...

req_header:"
accept=*/*
accept-encoding=gzip, deflate, br
accept-language=de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6,fr;q=0.5
cache-control=no-cache
connection=keep-alive
dnt=1
host=XXXXXXXXXXXXX.ch
origin=https://dbXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.idocker.vuln.land
pragma=no-cache
referer=https://dbXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.idocker.vuln.land/
sec-ch-ua=\x22 Not A;Brand\x22;v=\x2299\x22, \x22Chromium\x22;v=\x2298\x22, \x22Google Chrome\x22;v=\x2298\x22
sec-ch-ua-mobile=?1
sec-ch-ua-platform=\x22Android\x22
sec-fetch-dest=empty
sec-fetch-mode=cors
sec-fetch-site=cross-site
user-agent=Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Mobile Safari/537.36
"

resp_header:"
content-length=548
content-type=text/html
connection=keep-alive
"

sha256: 548e6f23bc4500d1a765967d3b6f03dfb0873ed75d0feccb1b00bedf4ed9a03d