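#!/bin/bash
# =============================================================================
# nginx access_log redaction script (run on the production server)
# =============================================================================
# Purpose:  replace the default access_log format with a custom log_format so
#           that sensitive request data is not written to the log.
# Usage:    bash nginx-access-log-redact.sh
# Rollback: bash nginx-access-log-redact.sh --rollback
#
# What the format actually changes: it logs "$request_method $uri
# $server_protocol" instead of $request, so the query string (where tokens and
# session ids often travel) is no longer recorded. It references no
# Authorization or Cookie variable.
#
# NOTE(review): $http_referer is still logged and can itself carry a query
# string from the referring page; drop it if that matters for this service.
# NOTE(review): nginx.conf and the server blocks are not visible from this
# script. access_log directives on the same level are additive and a
# server/location-level access_log replaces the inherited one, so any other
# access_log directive keeps logging in its own format. The script lists the
# effective directives at the end so the operator can confirm.
# =============================================================================
set -euo pipefail

CONTAINER="wecom_it_nginx" # note: underscores, not hyphens
CONF_PATH="/etc/nginx/conf.d/log-format.conf"
BACKUP_PATH="/etc/nginx/conf.d/log-format.conf.bak"
# Snapshot of the config as it was before this run; used only to undo a failed
# apply. Like the .bak file it is assumed not to match the conf.d include glob.
PREV_PATH="${CONF_PATH}.prev"

if [[ "${1:-}" == "--rollback" ]]; then
  echo "[ROLLBACK] 恢复默认 access_log..."
  # Paths are passed as positional arguments rather than spliced into the
  # command string, so they are never re-parsed by the inner shell.
  docker exec "$CONTAINER" bash -c '
    conf=$1 backup=$2
    if [[ -f "$backup" ]]; then
      mv "$backup" "$conf"
    else
      echo "access_log /var/log/nginx/access.log;" > "$conf"
    fi
  ' _ "$CONF_PATH" "$BACKUP_PATH"
  docker exec "$CONTAINER" nginx -t
  docker exec "$CONTAINER" nginx -s reload
  echo "[OK] 已回滚到默认 access_log"
  exit 0
fi

# Put back whatever was in place before this run (or remove the new file when
# nothing was there), so a rejected config is not left for the next restart.
restore_previous() {
  docker exec "$CONTAINER" bash -c '
    conf=$1 prev=$2
    if [[ -f "$prev" ]]; then
      mv "$prev" "$conf"
    else
      rm -f "$conf"
    fi
  ' _ "$CONF_PATH" "$PREV_PATH"
}

on_apply_failure() {
  trap - ERR
  echo "[ERROR] 应用失败,正在恢复写入前的配置..." >&2
  restore_previous || echo "[ERROR] 恢复失败,请手动检查 $CONF_PATH" >&2
}

echo "[1/5] 备份现有 log-format.conf(如有)..."
# The rollback backup is taken only once and never from a file that already
# holds the redacted format: on a re-run the live file is this script's own
# output, and copying it over the backup would make --rollback restore the
# redacted config instead of the original.
docker exec "$CONTAINER" bash -c '
  conf=$1 backup=$2 prev=$3
  rm -f "$prev"
  if [[ -f "$conf" ]]; then
    cp -p "$conf" "$prev"
    if [[ ! -e "$backup" ]] && ! grep -q "log_format secure" "$conf"; then
      cp -p "$conf" "$backup"
    fi
  fi
' _ "$CONF_PATH" "$BACKUP_PATH" "$PREV_PATH"

# From here until nginx -t passes, any failure restores the previous state.
trap on_apply_failure ERR

echo "[2/5] 写入脱敏 log_format 配置..."
# The config is streamed over stdin from a quoted here-document, so nginx
# variables need no escaping. The format is given as quoted strings: nginx
# concatenates the arguments of log_format, so unquoted tokens would be joined
# without the separating spaces and quotes.
docker exec -i "$CONTAINER" bash -c 'cat > "$1"' _ "$CONF_PATH" <<'EOF'
# 自定义 access_log 格式 — 删除 Authorization/Cookie 等敏感 header
# 仅保留请求方法 + URI + 状态码 + 字节数 + UA + Referer
log_format secure '$remote_addr - $remote_user [$time_local] '
                  '"$request_method $uri $server_protocol" '
                  '$status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent"';

# 应用:覆盖默认 access_log
access_log /var/log/nginx/access.log secure;
EOF

echo "[3/5] 验证配置文件..."
docker exec "$CONTAINER" cat "$CONF_PATH"

echo ""
echo "[4/5] nginx -t 验证语法..."
docker exec "$CONTAINER" nginx -t

# The new config is valid: stop auto-restoring and drop the snapshot.
trap - ERR
docker exec "$CONTAINER" rm -f "$PREV_PATH"

echo ""
echo "[5/5] reload nginx(不中断连接)..."
docker exec "$CONTAINER" nginx -s reload

echo ""
echo "========================================"
echo "[OK] nginx access_log 脱敏已生效"
echo "========================================"
echo ""
echo "验证:tail 一下 access.log 看新格式"
echo " docker exec $CONTAINER tail -5 /var/log/nginx/access.log"
echo ""
# Best-effort listing of every access_log directive in the effective config;
# a directive other than the one written above still logs in its own format.
echo "当前生效配置中的 access_log 指令(确认没有其它指令仍按旧格式记录):"
docker exec "$CONTAINER" nginx -T 2>/dev/null | grep -n 'access_log' || true
echo ""
echo "回滚:bash nginx-access-log-redact.sh --rollback"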