Sanitize IP addresses from server log output

Added a scrubber that takes all logging output to the standard logger and passes through a series of regular expressions to replace IP addresses with safe strings (e.g., X.X.X.X:443). Ensure server logs to stdout are also scrubbed
2025-10-13 20:11:19 -04:00 · 2019-03-20 15:50:55 -04:00 · 2019-03-20 15:50:55 -04:00 · f586a4bab8
commit f586a4bab8
parent 88f282c733
2 changed files with 51 additions and 2 deletions
--- a/server/server.go
+++ b/server/server.go
@ -15,6 +15,7 @@ import (
 	"os"
 	"os/signal"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"sync"
 	"syscall"
@ -54,6 +55,22 @@ additional HTTP listener on port 80 to work with ACME.
 	flag.PrintDefaults()
 }

+// An io.Writer that can be used as the output for a logger that first
+// sanitizes logs and then writes to the provided io.Writer
+type logScrubber struct {
+	output io.Writer
+}
+
+func (ls *logScrubber) Write(b []byte) (n int, err error) {
+	//First scrub the input of IP addresses
+	reIPv4 := regexp.MustCompile(`\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b`)
+	reIPv6 := regexp.MustCompile(`(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))`)
+	scrubbedBytes := reIPv4.ReplaceAll(b, []byte("X.X.X.X"))
+	scrubbedBytes = reIPv6.ReplaceAll(scrubbedBytes,
+		[]byte("X:X:X:X:X:X:X:X"))
+	return ls.output.Write(scrubbedBytes)
+}
+
 // An abstraction that makes an underlying WebSocket connection look like an
 // io.ReadWriteCloser.
 type webSocketConn struct {
@ -280,8 +297,15 @@ func main() {
 			log.Fatalf("can't open log file: %s", err)
 		}
 		defer f.Close()
-		log.SetOutput(f)
-	}
+		//We want to send the log output through our scrubber first
+		scrubber := &logScrubber{f}
+		log.SetOutput(scrubber)
+	} else {
+            // we still want to send log output through our scrubber, even
+            // if no log file was specified
+            scrubber := &logScrubber{os.Stdout}
+            log.SetOutput(scrubber)
+        }

 	if !disableTLS && acmeHostnamesCommas == "" {
 		log.Fatal("the --acme-hostnames option is required")
--- a/server/server_test.go
+++ b/server/server_test.go
@ -1,6 +1,8 @@
 package main

 import (
+	"bytes"
+	"log"
 	"net"
 	"strconv"
 	"testing"
@ -47,3 +49,26 @@ func TestClientAddr(t *testing.T) {
 		}
 	}
 }
+
+func TestLogScrubber(t *testing.T) {
+
+	var buff bytes.Buffer
+	scrubber := &logScrubber{&buff}
+	log.SetFlags(0) //remove all extra log output for test comparisons
+	log.SetOutput(scrubber)
+
+	log.Printf("%s", "http: TLS handshake error from 129.97.208.23:38310:")
+
+	if bytes.Compare(buff.Bytes(), []byte("http: TLS handshake error from X.X.X.X:38310:\n")) != 0 {
+		t.Errorf("log scrubber didn't scrub IPv4 address. Output: %s", string(buff.Bytes()))
+	}
+	buff.Reset()
+
+	log.Printf("%s", "http2: panic serving [2620:101:f000:780:9097:75b1:519f:dbb8]:58344: interface conversion: *http2.responseWriter is not http.Hijacker: missing method Hijack")
+
+	if bytes.Compare(buff.Bytes(), []byte("http2: panic serving [X:X:X:X:X:X:X:X]:58344: interface conversion: *http2.responseWriter is not http.Hijacker: missing method Hijack\n")) != 0 {
+		t.Errorf("log scrubber didn't scrub IPv6 address. Output: %s", string(buff.Bytes()))
+	}
+	buff.Reset()
+
+}