Mask sensitive data in API request/response in log browser

deepthi.ar · June 6, 2023, 12:46pm

When detailed logging is enabled on an API, the log browser on the tyk dashboard captures and displays the complete details of both the incoming requests and the outgoing responses. I need to mask certain headers in the request.
I would like to know how I can achieve this.

PS: I’m using Tyk self managed version 4.3.3

Olu · June 6, 2023, 3:29pm

Hello @deepthi.ar and welcome to the community.

Have you had a look at our analytics plugin.

deepthi.ar · June 8, 2023, 7:29am

I have a couple of questions here -
In the analytics plugins documentation the following is mentioned -
{
“analytics_plugin”: {
“enable”: true,
“func_name”: “”,
“plugin_path”: “/analytics_plugin.so”
}
}

In the plugin_path - what path is to be used?
How do we generate a .so file from .go file to build the plugin. Im using windows machine, I tried using wsl and MinGW-W64, I was not able to successfully do it.

Olu · June 8, 2023, 10:12am

The path mapped to your middleware directory (/opt/tyk-gateway/middleware/)

You can use docker run command along with tyk-plugin-compiler to build golang plugins. We have a getting started with Golang plugins on our documentation page that could prove helpful.

Additionally, you could install make using winget install make command and use our quick start guide to rapidly get and and running. We have a video tutorial that can guide you using the repo for convenience.

deepthi.ar · June 12, 2023, 9:31am

Thank you for pointing out the resources. Unfortunately its not working for me. The below are the details of what I have tried -

PluginCode -
func MyAnalyticsPluginMaskHeader(record *analytics.AnalyticsRecord) {
str, err := base64.StdEncoding.DecodeString(record.RawRequest)
if err != nil {
return
}

var b = &bytes.Buffer{}
b.Write(str)

r := bufio.NewReader(b)
var req http.Request
req, err = http.ReadRequest(r)
if err != nil {
return
}
req.Header.Add(“Foo”, “Bar”)
req.Header.Set(“Foo”, strings.Repeat("", len(req.Header.Get(“Foo”))))

var bNew bytes.Buffer
_ = req.Write(&bNew)
record.RawRequest = base64.StdEncoding.EncodeToString(bNew.Bytes())
}
API definition: added the following code -
“analytics_plugin”: {
“enable”: true,
“plugin_path”: “/opt/tyk-gateway/middleware/CustomGoPlugin.so”,
“func_name”: “MyAnalyticsPluginMaskHeader”
}

The log browser doesnt reflect the changes made -
PFA the image of the logs -

Olu · June 13, 2023, 4:53pm

Could you check the gateway logs for any possible errors in running the plugin?

You can enable debug logs log_level=debug for more verbose logs

Also, I see that your plugin name is slightly different that what it should have been. Did you build with v4.3.3 and rename it?

From version v4 and above, the gateway version, OS and architecture are appended to the name. You might want to check you are indeed using the right version.

deepthi.ar · June 14, 2023, 7:37am

After renaming the plugin name to include the version, it worked well.

Thank you so much for your response.