Docs: update security documentation and hardening notes

architecture.yml:
- Update header_handling: document built-in sensitive headers blacklist
- Expand security section with hardening measures
- Add socket permissions, path recommendations, environment variable

README.md:
- Add new 'Built-in Sensitive Headers Blacklist' section
- Document all blocked headers (Authorization, Cookie, X-Api-Key, etc.)
- Update socket security: permissions 0o660, /var/run path, group membership
- Add hardening features: path validation, JSON size limit, NULL checks, mutex
- Fix JSON example (remove extra closing brace)
- Update socket consumer example with secure permissions (0o660)
- Add MOD_REQIN_LOG_SOCKET environment variable to example
- Update Fields table: header_<Name> flat structure description
- Add note about automatic sensitive header exclusion

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Jacquin Antoine
2026-02-26 23:41:51 +01:00
parent e44059865b
commit b5d093f8cb
2 changed files with 51 additions and 14 deletions

@ -198,11 +198,12 @@ configuration:
- JsonSockLogEnabled must be On.
- JsonSockLogSocket must be set to a non-empty path.
header_handling:
- No built-in blacklist; admin is fully responsible for excluding
sensitive headers (Authorization, Cookie, etc.).
- Built-in blacklist prevents logging of sensitive headers by default.
- Blacklisted headers: Authorization, Cookie, Set-Cookie, X-Api-Key,
X-Auth-Token, Proxy-Authorization, WWW-Authenticate.
- Blacklisted headers are silently skipped (logged at DEBUG level only).
- If a configured header is absent in a request, the corresponding
JSON key may be omitted or set to null (implementation choice, but
must be consistent).
JSON key is omitted from the log entry.
- Header values are truncated to JsonSockLogMaxHeaderValueLen characters.
io:
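Review bot: The new header_handling entries list the seven blacklisted names but do not say how they are compared with the configured header names. HTTP field names are case-insensitive, so the text should state that matching ignores case (a configured "authorization" or "COOKIE" must be skipped too) and whether the list is fixed or can be extended by the administrator. Because skipped headers are reported at DEBUG level only, it is also worth stating that an administrator who configures a blacklisted header sees no message at normal log levels.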
@ -274,9 +275,19 @@ constraints:
- Avoid reconnect attempts on every request via time-based backoff.
security:
notes:
- Module does not anonymize IPs nor scrub headers; it is intentionally
transparent. Data protection and header choices are delegated to configuration.
- Module includes built-in blacklist of sensitive headers to prevent
accidental credential leakage (Authorization, Cookie, X-Api-Key, etc.).
- Socket permissions default to 0o660 (owner+group only) for security.
- Recommended socket path: /var/run/mod_reqin_log.sock (not /tmp).
- Use environment variable MOD_REQIN_LOG_SOCKET to configure socket path.
- Module does not anonymize IPs; data protection is delegated to configuration.
- No requests are rejected due to logging failures.
hardening:
- Socket path length validated against system limit (108 bytes).
- JSON log line size limited to 64KB to prevent memory exhaustion DoS.
- NULL pointer checks on all connection/request fields.
- Thread-safe socket FD access via mutex (worker/event MPMs).
- Error logging reduced to prevent information disclosure.
robustness:
requirements:
- Logging failures must not crash Apache worker processes.
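Review bot: In security.notes, the MOD_REQIN_LOG_SOCKET line does not say how the environment variable relates to the JsonSockLogSocket directive, which the configuration section still requires to be a non-empty path; document which component reads the variable and which setting takes precedence. In hardening, the path limit is given as a fixed 108 bytes, which is the Linux size of sockaddr_un.sun_path and differs on some other systems, so describe it as the size of sun_path with 108 as the Linux figure. "Socket permissions default to 0o660" should also name who creates the socket and applies that mode, since the constraints above describe the module as the side that reconnects.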