mirror of
https://github.com/binwiederhier/ntfy.git
synced 2026-05-09 08:26:00 +02:00
[GH-ISSUE #577] The nginx configuration (and the one used by ntfy.sh) leaks topic name/auth query in logs #437
Originally created by @MaeIsBad on GitHub (Jan 8, 2023).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/577
In github.com/binwiederhier/ntfy-ansible@eaa9b7c7ee/roles/nginx/files/nginx.conf (L48), log_format includes $request, which contains the request path, which in turn leaks topic names. This is mitigated with the use of HTTP basic auth, but in the case of authentication via a query parameter the credentials are also logged.
It's not a huge issue, but potentially could end up quite bad if someone is able to see the log (via LFI? An admin accidentally forgetting they were screensharing? Idk), so maybe it's worth fixing?
The docs for setting up a reverse proxy in front of ntfy (https://docs.ntfy.sh/config/?h=nginx#nginxapache2caddy) don't explicitly set the log format themselves, but the default configuration used by most Linux distributions will include the $request param.
@binwiederhier commented on GitHub (Mar 26, 2023):
I understand that this seems like a security concern to you, but the fact of the matter is that for debugging purposes I need to be able to group by topic to diagnose issues. The ntfy log is even more detailed when debug/trace is enabled. I will not ever betray people's trust and share the topic names or message content. If people are uncomfortable with that (which I totally understand), they can always set up their own server.
That said, I think I'd be absolutely fine with somehow censoring the auth param somehow. I'm happy to accept PRs or suggestions.
@MaeIsBad commented on GitHub (Mar 27, 2023):
As mentioned I don't think this is a huge problem, just something I thought was worth documenting even as an issue.
I'll look into redacting auth params in nginx logs in my spare time
Thanks for ntfy 😃
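One way to do the redaction discussed in this thread, as an added example that is not taken from the ntfy or ntfy-ansible repositories: an nginx map that masks the value of the auth query parameter before it reaches the access log, while keeping the topic path the maintainer needs for debugging. The variable name request_uri_redacted, the format name ntfy_redacted and the log path are assumptions chosen for illustration.

```nginx
# Added example (not project code). Place in the http {} context.
# Assumes the credential arrives as ?auth=<value> in the query string.

# Weak: nginx's predefined "combined" format logs $request, the full request
# line including the query string, so the auth value is written to the log:
#
#   log_format combined '$remote_addr - $remote_user [$time_local] '
#                       '"$request" $status $body_bytes_sent '
#                       '"$http_referer" "$http_user_agent"';

# Hardened: build a copy of the request URI with the auth value masked.
map $request_uri $request_uri_redacted {
    # No auth parameter present: log the URI unchanged.
    default $request_uri;

    # pre  = path, "?", and any parameters that precede auth=
    # post = everything after the auth value (may be empty)
    # Only the first auth= parameter is masked.
    "~^(?<pre>[^?]*[?](?:[^&]*&)*?auth=)[^&]*(?<post>.*)$" "${pre}REDACTED${post}";
}

# Same fields as "combined", with the request line rebuilt from its parts
# so the masked URI replaces the raw one. Topic names in the path stay.
log_format ntfy_redacted '$remote_addr - $remote_user [$time_local] '
                         '"$request_method $request_uri_redacted $server_protocol" '
                         '$status $body_bytes_sent '
                         '"$http_referer" "$http_user_agent"';

# Hypothetical log path; use the one your distribution already writes to.
access_log /var/log/nginx/access.log ntfy_redacted;
```

This only covers the access log: nginx error_log entries include the raw request line, so that file still needs restricted permissions. Log lines written before the change also keep the credential until they are rotated out or scrubbed.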