Nginx logs contains temporary passwords

lior.amir · July 4, 2024, 6:22am

Hello,

Our security auditor identified temporary passwords being logged by Nginx.
Is there a way to remove it? does it posses any risk?
Thank you,
Lior

[30/Jun/2024:10:36:13 +0300] “GET /pun/sys/dashboard/noVNC-1.3.0/app/sounds/bell.oga HTTP/1.1” 206 8495 “https://server.X.X./pun/sys/dashboard/noVNC-1.3.0/vnc.html?autoconnect=true&path=rnode%2Fserver.X.X%2F64083%2Fwebsockify&resize=remote&password=nkpDvxxq&compression=0&quality=9&commit=Launch+Desktop” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36” “X.X.X.X”

jeff.ohrstrom · July 5, 2024, 2:15pm

Hi and welcome.

Unfortunately - there’s no way to disable that. It is however, that is a 1 time use password. As soon as we generate and use it, we generate the next password. So even if someone were to capture it, it’s not valid anymore by that time.

system · January 1, 2025, 2:15pm

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Login issue with nginx pun Get Help	4	1054	May 26, 2022
Logrotate config for per-user nginx log files Feature Requests and Roadmap Discussion feature-request	5	1257	May 26, 2022
Copy of shareable link of Interactive desktop app Get Help	3	200	January 7, 2024
Authentication failed / Client temporarily blocked errors when connecting to a running session Get Help question	12	52	May 27, 2025
Keycloack, OOD 3.1.5 Get Help question	3	40	January 15, 2025

Nginx logs contains temporary passwords

Related topics