I require access logs enabled, but for compliance reasons, cannot log a sensitive GET request parameter's data in the access logs. While I know, I could parse the logs (after-the-fact) and sanitize them, this is not an acceptable solution -- because for compliance reasons logs can't be tampered with.

http://www.example.com/resource?param1=123&sensitive_param=sensitive_data

How can I prevent the "sensitive_data" parameter value from being written to the logs? Here were some ideas:

• Send in POST request -- is not an option with JSONP.
• Use a new location rule for "resource" and set an access log to use a log_format the uses a different format (ie does not use $remote_addr). See this for reference: http://nginx.org/en/docs/http/ngx_http_log_module.html
• Log a $sanitized_remote_addr, and set it (somehow parse the $remote_addr or something else?) before it makes it to the log. We're not sure if this is easy to accomplish.

How should this be done?

Previous answer will not work since log_format module can only be used at http level config.

For fix of this, we can remove the log_format configuration from location directive and keep it as it in http level config.

http {

    log_format filter '$remote_addr - $remote_user [$time_local] '
        '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

    # Other Configs
}

log_format directive can have variables defined later in our location directive block.

So final config will look like:

http {

    log_format filter '$remote_addr - $remote_user [$time_local] '
        '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

    # Other Configs

    server {
        #Server Configs
        location / {
            set $temp $request;
            if ($temp ~ (.*)password=[^&]*(.*)) { 
                set $temp $1password=****$2;
            }

            access_log /opt/current/log/nginx_access.log filter;
        }
    }
}

The solution I found so far is here. In short:

location /any_sensitive... {
    # Strip password in access.log
    set $temp $request;
    if ($temp ~ (.*)password=[^&]*(.*)) {
        set $temp $1password=****$2;
    }

    log_format filter '$remote_addr - $remote_user [$time_local] '
        '"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

    access_log logs/access.log filter;
}

Maybe this used to work at some point, now it says:

nginx: [emerg] unknown "temp" variable

or

nginx: [warn] the "log_format" directive may be used only on "http" level in ...