Open matsuev opened 1 week ago
Hello @matsuev
Thanks for the report, you are right: we need to strip out sensitive info before logging.
While it's not fixed, maybe consider using some reverse proxy between Centrifugo and your backend which adds basic auth.
Once the proxy endpoint is created, Centrifugo displays a connection string with the user credentials in the log output:
2024-09-09 01:59:21 [INF] RPC proxy enabled endpoint=https://user:password@localhost:8080/rpc
or (if logging in JSON format):
{"level":"info","endpoint":"https://user:password@localhost:8080/rpc","time":"2024-09-08T19:13:44Z","message":"RPC proxy enabled"}
This is a potential risk of leaking passwords for connecting to the application server.
Versions
Centrifugo version is 5.4.5
Steps to Reproduce
How can the bug be triggered? In the centrifugo config file:
{ ... "proxy_rpc_endpoint": "https://user:password@localhost:8080/rpc", ... }
A quick solution might be like this. In main.go, add a function
and replace any log code.
Then the log looks like this:
2024-09-09 03:39:13 [INF] RPC proxy enabled endpoint=https://user:xxxxx@localhost:8080/rpc
Patch to FIX log output: https://github.com/matsuev/centrifugo/tree/fix-log-proxy-credentials
Refactored code to use proxy.Config Endpoint field as *url.URL: https://github.com/matsuev/centrifugo/tree/refactor-proxy-config
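As an added illustration of the redaction step the report asks for (example code written here, not the reporter's patch and not Centrifugo's own code), the helper below masks the password of a proxy endpoint before it is logged, using the standard library's `(*url.URL).Redacted`, which yields the same `user:xxxxx@host` form shown in the fixed log line above. The function name `redactEndpoint` and the sample endpoints are assumptions for the example; an endpoint that does not parse at all is replaced by a placeholder rather than echoed back, so a malformed but secret value is never written to the log.

```go
package main

import (
	"fmt"
	"net/url"
)

// redactEndpoint returns a copy of the endpoint string that is safe to log.
// The password part of the URL userinfo is replaced with "xxxxx" by
// (*url.URL).Redacted (Go 1.15+); the user name, host, port and path are
// kept so the log line remains useful for debugging. If the value cannot be
// parsed as a URL, a fixed placeholder is returned instead of the raw string,
// because an unparseable value could still embed a credential.
func redactEndpoint(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable endpoint>"
	}
	return u.Redacted()
}

func main() {
	// Constructed sample values mirroring the issue's config; not real credentials.
	endpoints := []string{
		"https://user:password@localhost:8080/rpc", // password present: masked
		"https://user@localhost:8080/rpc",          // user only: unchanged
		"https://localhost:8080/rpc",               // no userinfo: unchanged
		"http://[::1]:namedport",                   // invalid port: placeholder
	}
	for _, ep := range endpoints {
		fmt.Printf("RPC proxy enabled endpoint=%s\n", redactEndpoint(ep))
	}
}
```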