
Cloud Armor doesn't show custom header values in logs

Hi everyone,

I have enabled a Cloud Armor security policy with a throttle rule based on a custom Authorization HTTP header. This rule is functioning as expected, and requests are being throttled as required. Now, I want to inspect this token in the header within the logs. Therefore, I have enabled logs with:

gcloud compute security-policies update ca-policy-1 \
    --log-level=VERBOSE

But it doesn't show in the logs; instead it shows part of the JWT token:

keys: [
  0: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciO"
]

Is there anything I have missed here, and how can I configure Cloud Armor to display custom headers in logs?

3 REPLIES

Hi @SamSamsLah ,

I believe the logs shown are intentional, to prevent sensitive information from being exposed in the logs. As stated in the documentation, when you use verbose logging, Cloud Armor logs snippets of the elements from the incoming requests that triggered a particular preconfigured WAF rule. These snippets might contain pieces of request headers, request parameters, or elements of the POST body.

If you need to inspect the details of the custom headers in the logs, use the Logging query language. Create a filter to extract the contents of your Auth header. Below is an example:

jsonPayload.httpRequest.headers.authorization

Let me know if this helps. 

Hi @Marvin_Lucero 
Thanks for the reply. Is it possible to fully see the contents of the Auth header using a filter? I couldn't get it; can you please help with that?

Per this SO thread https://stackoverflow.com/questions/45077509/how-to-log-x-forwarded-for-in-google-cloud-http-loadbal... and the docs, LB (and CA as a part of LB) doesn't dump custom headers into the logs, unfortunately.
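An added example (not part of the thread and not Google's code) that decodes the snippet from the question and shows why it cannot tell two callers apart: what was logged is only the start of the JWT header segment. The fixed-length prefix in `logged_view` is an assumption taken from the length of the snippet above, and the sample tokens are constructed and unsigned.

```python
import base64
import json

# Snippet exactly as shown in the question above.
PAGE_SNIPPET = "Bearer eyJ0eXAiOiJKV1QiLCJhbGciO"


def b64url(obj: dict) -> str:
    """Compact JSON, base64url-encoded without padding (JWT segment form)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_header_value(subject: str) -> str:
    """Constructed, unsigned sample token; the signature is a dummy string."""
    header = b64url({"typ": "JWT", "alg": "HS256"})
    payload = b64url({"sub": subject})
    return f"Bearer {header}.{payload}.constructed-signature"


def logged_view(header_value: str, limit: int = len(PAGE_SNIPPET)) -> str:
    """Assumption: the log keeps only a fixed-length prefix of the key value."""
    return header_value.encode()[:limit].decode("ascii")


def decode_snippet(snippet: str) -> dict:
    """Decode whatever part of the JWT survives in a logged snippet."""
    _scheme, _, token = snippet.partition(" ")
    segments = token.split(".")
    first = segments[0]
    if len(segments) > 1:   # header segment is complete: restore padding
        first += "=" * (-len(first) % 4)
    else:                   # truncated: drop the dangling partial group
        first = first[: len(first) - len(first) % 4]
    return {
        "decoded": base64.urlsafe_b64decode(first).decode(),
        "header_complete": len(segments) > 1,
        "payload_present": len(segments) > 1 and bool(segments[1]),
    }


if __name__ == "__main__":
    print(decode_snippet(PAGE_SNIPPET))
    for sub in ("alice", "bob"):
        print(sub, "->", logged_view(make_header_value(sub)))
```

Both constructed tokens produce the same logged value as the snippet in the question, because the claims that identify a caller sit in the payload segment, which never reaches the log.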