Error connecting to upstream leaks apikey

I have configured kong with a custom log format and regex to mask apikeys in the logs and this works well. The one issue I have is that if there is an error in connecting to the upstream due to a transient error, kong writes out the requestline which can include an apikey.

Can this logging be masked?


I’m not sure but I don’t think so. I think that log line comes form Nginx core.

@datong.sun Any idea?

@martybell I think @hbagdi is right but just to confirm, would you mind posting what error message you saw in error.log specifically? So we can better understand the source of it.


@datong.sun @hbagdi

Here’s the error with any sensitive data masked out:

[error] 27#0: *74091557 connect() failed (111: Connection refused) while connecting to upstream, client: XX.XXX.XX.XX, server: kong, request: “GET /{{my-route}}?apikey=XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1”

We have followed these instructions to remove the key from successful requests that where originally being logged:

We now need to work out how to redact it from failed requests.


@martybell That error log came from the Nginx core request processing module (See: It can not be turned off easily and is not an issue specific to Kong.

However, note that it is generally advised to not put any sensitive data in the URI. If you can’t change this easily, the only option is to turn off error logging for Nginx completely (with obvious drawbacks).



Appreciate it’s coming from nginx core, but it is the kong keyauth plugin we are using to secure the api, so there is a kong dimension to this.

The instructions we followed to remove the key from normal request processing already requires a custom base nginx file and custom formatter, so we are already having to configure nginx.

Have you looked into this scenario at all given the guidance you already published for removing from successful requests?

Many Thanks