Clarify access_token in proxy access logs: https://github.com/dani-garcia/vaultwarden/discussions/4631

rwjack 2024-06-09 12:15:43 +02:00
parent 4930e8e7c2
commit 6fb2f61792
1 changed files with 14 additions and 0 deletions

@ -29,6 +29,20 @@ For example, Rocket TLS doesn't support [strict SNI](#Strict-SNI) or ECC certs (
See [[Proxy example|Proxy-examples]] for some sample reverse proxy configurations.
### Access logs contain `access_token` parameter
A WSS connection is established for notifications by invoking a GET request with a JWT key.
Example GET request:
```
/notifications/hub?access_token=[this part is always the same].eyJuYmYi[redacted]sImV4cCI6MTcxNzc1NzQ1OCwiaXN[redacted]M6Ly92YXVsdC5zZWMuYXJwYXxsb2dpbiIsInN1YiI6ImY5YmVhN[redacted]tNGJjNS05MDY2LTQ3NjFlZmY4ND[redacted]sInByZW1pdW0iOnRydWU[redacted]JjaXBoZXIiLCJlbWFpbCI6ImNpc[redacted]ljdSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJzc3RhbXAiOiJlZjM3[redacted]MjctODE2OS1hZTQ3NmFjNDc4MGQiLCJkZX[redacted]02ZTk3LTQ2N2M[redacted]jM3NmEiLCJzY29wZSI6WyJhcG[redacted]5lX2FjY2VzcyJdLCJhbXIiOlsiQXBwbGljY[redacted]hGDeCNdjTs1cOL2fV_OR96Sey-gA5eRa8OCGNgCrDeyYAPyk[redacted]BkQGwjEhD7fcWILxRYqQ7W6rkC2o[redacted]LB_nztpAgeRUbsPgsd3RNTWJDKdlH8aMf1[redacted]vB_doENJPeyaeMuEG85KqpAN2A[redacted]GeeCztxmQIe21PMtBG-SAgGeI[redacted]X_9mmyv0nISHBuHjhQ_km[redacted]VCLoFneb-MEzN[redacted]T8VcXSKhGXpwJUx8j1[redacted]k_nH27vrD2Dg
```
If your reverse proxy is configured to save access logs, or the access logs are shipped to an external service such as Prometheus + Promtail, it is recommended to redact the value of the `access_token` parameter on the external log store, or directly on your reverse proxy of choice, if supported.
No other data is ever send via GET request, encrypted or unencrypted.
# Docker configuration
The subsections below cover hardening related to Docker.
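Review bot: the recommendation sentence in the new "Access logs contain `access_token` parameter" section puts redaction "on the external log store" first and the reverse proxy second; the order should be reversed, because a token written to the proxy's local access log is already exposed on disk (and in whatever backups or shipping pipeline read that file) before any downstream filter sees it, so the guidance should say to strip or mask the query string at the proxy where supported, and treat log-store redaction as a fallback. It would also help readers to state plainly why this matters: the value is the same bearer JWT the client uses for the API, so anyone who can read the log can use it until it expires. Two smaller points: "Prometheus + Promtail" is not a log pipeline (Promtail ships logs to Loki; Prometheus stores metrics), so "Loki + Promtail" or simply "a log aggregator" would be accurate; and "No other data is ever send via GET request" should read "sent".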