Skip to content

Incomplete instructions for stripping nginx's logs of api keys. #1638

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 16, 2025
Merged

Incomplete instructions for stripping nginx's logs of api keys. #1638

merged 2 commits into from
Nov 16, 2025

Conversation

@wnhre2ur8cxx8
Copy link
Contributor

@wnhre2ur8cxx8 wnhre2ur8cxx8 commented Oct 27, 2025

Changes

This adds the more up to date ApiKey URL parameter to the instructions on how to set up stripping sensitive informatione from nginx's logs. I found two more possible apikey parameters in the code, but I am unsure if they need to be added as well. Maybe someone with a bit more insight can help here.

Copyediting

To avoid "nitpicky" reviews, please ensure all of the following have been done for any non-trivial changes.

While you're waiting for someone to look at your pull request, How about looking at another one? You do not have to do this, but it will help ensure your PR is reviewed quickly in turn.

Issues

closes #1637

@BotBlake
Copy link
Member

BotBlake commented Oct 28, 2025

At the moment, there should only be two ways of providing API keys to Jellyfin.

Either through the Authorization-Header, or through the ApiKey url parameter.
api_key, X-Emby-Token, X-MediaBrowser-Token and X-Emby-Authorization are deprecated and should not be used.

I would suggest removing the api_key filter as well. What is your oppinion on that?

We are currently working on a developer documentation, so that information like that is more easily available.
At the moment you can check that here

Kind regards!

@wnhre2ur8cxx8
Copy link
Contributor Author

wnhre2ur8cxx8 commented Oct 29, 2025

That documentation is very helpful, thank you a lot!

Note: Not all official Jellyfin clients are currently compatible with legacy authorization disabled.

Looking through my logs there are indeed still some api_key calls. It looks like all /socket requests use this type of authorization still. This happens on the latest "Jellyfin Media Player" by the way. So no niche client at all.

I would suggest keeping both filters for now.

@jellyfin-bot
Copy link

jellyfin-bot commented Oct 30, 2025

Cloudflare Pages deployment

Latest commit 9733352c261979b357e2985116b0625feb6902cd
Status ✅ Deployed!
Preview URL https://6428c7a1.jellyfin-org.pages.dev
Type 🔀 Preview

@BotBlake BotBlake merged commit ff77086 into jellyfin:master Nov 16, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@BotBlake BotBlake BotBlake approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

nginx's "Censor sensitive information in logs" instruction is incomplete

3 participants

@wnhre2ur8cxx8 @BotBlake @jellyfin-bot