By default, the AppDynamics PHP Agent sends transaction data to the Controller that your organization may classify as privileged information. This data is useful for diagnosis and troubleshooting, but security considerations may require you to keep certain sensitive information from being displayed on the Controller. You can use the following filters for this purpose:

  • URL filters to exclude sensitive information from a URL in snapshot details.

  • Data filters to exclude sensitive HTTP cookies.

Add a URL Filter

  1. Edit the PHP configuration file, php.ini or appdynamics_agent.ini depending on your environment.

  2. In the PHP configuration file, configure the following settings. If the value of any of these settings contains non-alphanumeric characters, it must be enclosed within double quotes (") as per the PHP guidelines.

    • Config Delimiter: Specify the character that you want to use as the configuration delimiter for the sensitive data filter for redaction. Choose a character that does not occur in any of the redaction config strings. This value is REQUIRED.

For example:

agent.sensitive_data_filter.configDelimiter = "|"

    • URL Delimiter: Specify the character that marks the URL segment endpoints. The agent splits the URL at each instance of the delimiter to create the segments. For HTTP, use the forward-slash character "/". With a forward slash, the agent does not split on the slashes immediately following the protocol; for example, "https://myapp.example.com/" constitutes a single segment. The default delimiter is "/", but this value is REQUIRED for successful redaction.

For example:

agent.sensitive_data_filter.delimiter = "/"

'#' and ';' cannot be used as the delimiter or the configDelimiter because the ini file treats them as the start of a comment.

    • Segment: Specify a comma-separated list of the segments that you want the agent to filter. Segment numbering starts from 1; if you provide 0 or a negative value, the segments are not redacted and an error message is written to the agent logs. The segment numbers must be in ascending order. This value is REQUIRED.

For example:

agent.sensitive_data_filter.segment = "2,3"

    • Matchfilter: Specify the type of filter used to match the URL, one of NOT_EMPTY|EQUALS|STARTSWITH|ENDSWITH|CONTAINS|REGEX. The Perl standard must be followed if REGEX is used. This value is REQUIRED.

To use this setting correctly, note that query parameters are not considered for match-filtering. Take the call "https://myapp.example.com/sensitive/data?first_name=abc&last_name=xyz" as an example. With the match-filter STARTSWITH, the specified string is matched from the start of the URL, beginning with the hostname, "https://myapp.example.com" in this example. If the URL contains the port in the hostname, the port must be present in the config string. Similarly, ENDSWITH corresponds to the last segment without the query parameters, "data" in this case, as query parameters are never reported in the snapshots.

For example:

agent.sensitive_data_filter.matchFilter = "CONTAINS"

    • MatchPattern: Specify the string that you want the match-filter to match against. This value is REQUIRED.

For example:

agent.sensitive_data_filter.matchPattern = "myapp"

    • ParamPattern: Specify the regular expression matching the query parameters to filter. The regular expression should follow the Perl standard. This value is OPTIONAL.

For example:

agent.sensitive_data_filter.paramMatcher = "[a-z]+_name"

For example, the following configuration splits the URL on the "/" character and masks the second segment and the ParamPattern in the third segment of the URL. Here, the segmentation and obfuscation apply only to URLs containing "myapp".

agent.sensitive_data_filter.configDelimiter = "|" 
agent.sensitive_data_filter.delimiter = "/" 
agent.sensitive_data_filter.segment = "2" 
agent.sensitive_data_filter.matchFilter = "CONTAINS"
agent.sensitive_data_filter.matchPattern = "myapp" 
agent.sensitive_data_filter.paramMatcher = "[a-z]+_name"

The exit call to "https://myapp.example.com/sensitive/data?first_name=abc&last_name=xyz" breaks down into three segments: "https://myapp.example.com", "sensitive", and "data?first_name=abc&last_name=xyz". In the snapshot details, the Controller shows the URL with the configured segment and the parameters matching the param-pattern masked: "https://myapp.example.com/*****/data?first_name=***&last_name=***".

If you do not use any values for the query parameters, the Controller does not mask any query parameters in the URL.

Redaction of Multiple URLs

Due to the limitations of the PHP configuration, if you want to redact multiple URLs separately, write the arguments of each setting separated by the config delimiter, as shown below:

agent.sensitive_data_filter.configDelimiter = "|" 
agent.sensitive_data_filter.delimiter = "/|/" 
agent.sensitive_data_filter.segment = "1,2,3|1,4" 
agent.sensitive_data_filter.matchFilter = "CONTAINS|ENDSWITH" 
agent.sensitive_data_filter.matchPattern = "One|.php" 
agent.sensitive_data_filter.paramMatcher = "[a-z]+_name|[a-z]+_name"

Each '|'-separated value corresponds to an additional URL filter. For 'n' separate URL filters, you need 'n' different '|'-separated configurations correspondingly. These filters work independently on the URLs and redact based on the configuration specified for each filter. The first matching configuration is used for the redaction.

For a successful redaction, ensure that each configuration contains the same number of configuration segments.
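The single-filter example and the multi-filter rules above can be previewed offline with a small model. This is an added example, not AppDynamics code: `load_filters`, `redact`, the fixed masks and the whole-name matching of paramMatcher are assumptions chosen to reproduce the page's example output.

```python
import re

SEGMENT_MASK, VALUE_MASK = "*****", "***"  # assumed fixed masks, copied from the page's example

MATCHERS = {  # matchFilter values from the page; each sees the URL without its query string
    "NOT_EMPTY":  lambda url, pat: bool(url),
    "EQUALS":     lambda url, pat: url == pat,
    "STARTSWITH": lambda url, pat: url.startswith(pat),
    "ENDSWITH":   lambda url, pat: url.endswith(pat),
    "CONTAINS":   lambda url, pat: pat in url,
    "REGEX":      lambda url, pat: re.search(pat, url) is not None,
}

# The page's single-filter example; keys are the part after "agent.sensitive_data_filter."
PAGE_EXAMPLE = {"configDelimiter": "|", "delimiter": "/", "segment": "2",
                "matchFilter": "CONTAINS", "matchPattern": "myapp",
                "paramMatcher": "[a-z]+_name"}

def load_filters(ini):
    """Split each directive on configDelimiter into one dict per URL filter."""
    cols = {k: v.split(ini["configDelimiter"]) for k, v in ini.items() if k != "configDelimiter"}
    if len({len(v) for v in cols.values()}) != 1:
        raise ValueError("every directive needs the same number of values")
    return [dict(zip(cols, vals)) for vals in zip(*cols.values())]

def redact(url, filters):
    """Apply the first filter whose matchFilter accepts the URL; return the redacted URL."""
    base, _, query = url.partition("?")
    for f in filters:
        if not MATCHERS[f["matchFilter"]](base, f["matchPattern"]):
            continue
        # Keep "scheme://" attached to segment 1, as the page describes for "/".
        scheme, rest = re.match(r"(?s)(\w+://)?(.*)", base).groups(default="")
        parts = rest.split(f["delimiter"])
        parts[0] = scheme + parts[0]
        for n in map(int, f["segment"].split(",")):
            if 1 <= n <= len(parts) and parts[n - 1]:  # skip invalid or empty segments
                parts[n - 1] = SEGMENT_MASK
        out = f["delimiter"].join(parts)
        if query and f.get("paramMatcher"):
            name = re.compile(f["paramMatcher"])
            pairs = [p.partition("=") for p in query.split("&")]
            query = "&".join(k + eq + (VALUE_MASK if eq and name.fullmatch(k) else v)
                             for k, eq, v in pairs)
        return out + ("?" + query if query else "")
    return url  # no filter matched, so the URL is reported as-is
```

A URL that no filter matches comes back unchanged, which is the case to look for when testing a new pattern against real endpoints.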

Data Filter for Cookies

You can use Cookie filters to configure the agent to obfuscate sensitive information from the URLs in transaction snapshot details.

  1. Edit the PHP configuration file, php.ini or appdynamics_agent.ini depending on your environment.

  2. Add the sensitive cookie filter elements as directives:

    • AppDynamicsCookieMatchPattern: Specify a regular expression identifying cookies that must be redacted.

For example:

agent.sensitive_data_filter.cookieMatcher = "cookieKey"    

    • To mask the values of multiple cookies simultaneously, provide the names of all those cookies as a single string, separated by the config delimiter, as follows:

agent.sensitive_data_filter.cookieMatcher = "PHPSESSID|X-CSRF-TOKEN|cookiekey" 
  
If the config delimiter occurs in a cookie name itself, change the delimiter to a character that does not occur in the cookie matcher strings.
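A filter that breaks one of the rules on this page does not redact, so the directives are worth checking before they are deployed. The following added example is not part of the agent: `lint` and its messages are hypothetical, it checks an ini fragment against the constraints stated above, and it uses Python's `re` as an approximation of the Perl regex syntax.

```python
import re

PREFIX = "agent.sensitive_data_filter."
REQUIRED = ("configDelimiter", "delimiter", "segment", "matchFilter", "matchPattern")
MATCH_FILTERS = {"NOT_EMPTY", "EQUALS", "STARTSWITH", "ENDSWITH", "CONTAINS", "REGEX"}
# Constructed sample with two mistakes: ';' as URL delimiter and descending segments.
SAMPLE = "\n".join(PREFIX + s for s in (
    'configDelimiter = "|"', 'delimiter = ";"', 'segment = "3,2"',
    'matchFilter = "CONTAINS"', 'matchPattern = "myapp"'))

def bad_regex(pattern):
    """True if Python's re rejects the pattern (an approximation of the Perl syntax)."""
    try:
        return re.compile(pattern) is None
    except re.error:
        return True

def lint(ini_text):
    """Return the rule violations found in the sensitive_data_filter directives."""
    cfg = {}
    for line in ini_text.splitlines():
        key, eq, value = line.partition("=")
        if eq and key.strip().startswith(PREFIX):
            cfg[key.strip()[len(PREFIX):]] = value.strip().strip('"')
    problems = [f"{k} is required" for k in REQUIRED if not cfg.get(k)]
    if problems:
        return problems
    sep = cfg["configDelimiter"]
    for name in ("configDelimiter", "delimiter"):
        if set(cfg[name]) & set("#;"):
            problems.append(f"{name}: '#' and ';' start a comment in the ini file")
    cols = {k: v.split(sep) for k, v in cfg.items() if k not in ("configDelimiter", "cookieMatcher")}
    if len({len(v) for v in cols.values()}) > 1:
        problems.append("directives do not carry the same number of filters")
    for i, seg in enumerate(cols["segment"], 1):
        nums = [int(s) if re.fullmatch(r"\s*\d+\s*", s) else 0 for s in seg.split(",")]
        if min(nums) < 1:
            problems.append(f"filter {i}: segment numbers start at 1")
        elif nums != sorted(nums):
            problems.append(f"filter {i}: segment numbers are not ascending")
    for i, (kind, pat) in enumerate(zip(cols["matchFilter"], cols["matchPattern"]), 1):
        if kind not in MATCH_FILTERS:
            problems.append(f"filter {i}: unknown matchFilter {kind!r}")
        elif kind == "REGEX" and bad_regex(pat):
            problems.append(f"filter {i}: matchPattern is not a valid regex")
    regexes = cols.get("paramMatcher", []) + cfg.get("cookieMatcher", "").split(sep)
    return problems + [f"invalid regex {r!r}" for r in regexes if r and bad_regex(r)]
```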