Is it possible to log a single cookie value in Caddy?

Help
1

1. The problem I’m having:

I would like to continue redacting the Cookie & Set-Cookie headers, however I would like to pull out one specific cookie values in the logs.

I am able to enable logging Cookie/Set-Cookie with servers.log_credentials and then start redacting any known sensitive cookies, but I’d like to be able to assume all cookies are sensitive by default, and then whitelist a couple values to be output in the logs.

2. Error messages and/or full log output:

{"level":"info","ts":1744122799.5209837,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"172.18.0.1","remote_port":"57814","client_ip":"172.18.0.1","proto":"HTTP/1.1","method":"GET","host":"localhost:8080","uri":"/","headers":{"Cache-Control":["no-cache"],"Postman-Token":["60d68f72-b526-46c8-82fd-60aa5ede73c7"],"Accept-Encoding":["gzip, deflate, br"],"Connection":["keep-alive"],"Cookie":["myCookie=value;"],"User-Agent":["PostmanRuntime/7.43.3"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.013699417,"size":101,"status":200,"resp_headers":{"Server":["Caddy","Caddy"],"Content-Type":["text/plain; charset=utf-8"],"Date":["Tue, 08 Apr 2025 14:33:19 GMT"],"Content-Length":["101"],"Set-Cookie":[""]}}

3. Caddy version:

Docker image caddy:2.9

4. How I installed and ran Caddy:

I am using a Caddyfile and running caddy run through Docker.

a. System environment:

MacOS/Docker

b. Command:

`docker run` (`caddy run` under the hood)

c. Service/unit/compose file:

services:
  caddy-proxy:
    build:
      context: ./caddy-proxy
      dockerfile: Dockerfile
    container_name: caddy-proxy
    ports:
      - "8080:8080"

d. My complete Caddy config:

{
	debug
	servers {
		log_credentials
	}
}
:8080 {
	log {
		output stdout
		format json
		level INFO
	}
	handle /* {
		respond "OK" 200
	}
}

Edit: for formatting

5. Links to relevant resources:

2

I would suggest you to use the log_append directive (see log_append (Caddyfile directive) — Caddy Documentation) and specify the cookie to be logged using placeholders.

For example, if you want to log the value of the cookie “test_cookie”, you could:

	handle /* {
		log_append special_cookie {http.request.cookie.test_cookie}
		respond "OK" 200
	}

The name special_cookie will appear in the json logs and have the value of the cookie test_cookie or null if a request did not send the test_cookie at all.

3 Likes
3

You could try this:

{
	http_port 8080
	servers {
		log_credentials
	}
}

:8080 {
	header +Set-Cookie "cookie1=val1"
	header +Set-Cookie "cookie2=val2"
	header +Set-Cookie "cookie3=val3"
	respond "Alive"
	log {
		format filter {
			request>headers>Cookie regexp (?i).*?(?:^|;\s*)(cookie2=[^;]+).* ${1}
			resp_headers>Set-Cookie regexp (?i)(.*)=.* ${1}=REDACTED
		}
	}
}

$ curl http://localhost:8080 -H 'Cookie: cookie1=val1; cookie2=val2; cookie3=val3'

http.log.access.log0	handled request	{"request": {"remote_ip": "::1", "remote_port": "62790", "client_ip": "::1", "proto": "HTTP/1.1", "method": "GET", "host": "localhost:8080", "uri": "/", "headers": {"Accept": ["*/*"], "Cookie": ["cookie2=val2"], "User-Agent": ["curl/8.12.1"]}}, "bytes_read": 0, "user_id": "", "duration": 0.000032625, "size": 5, "status": 200, "resp_headers": {"Server": ["Caddy"], "Set-Cookie": ["cookie1=REDACTED", "cookie2=REDACTED", "cookie3=REDACTED"], "Content-Type": ["text/plain; charset=utf-8"]}}

While I can preserve cookie2 in the Cookie header and remove the other cookies, I can’t do the same with the Set-Cookie header :frowning: Not sure how to do the negative lookahead in RE2, sorry :confused:

One option would be what @stbu suggested, or you could also take a look at your log format and only log the information you need:

1 Like
4

Awesome, thank you for the reply! This seems to have done the trick for my access logs.

Any idea if there’s a way for that to make its way into the reverse proxy debug logs as well?