[BUG] CF_TUNNEL_PASSWORD exposed in log while using docker secrets #568

@salvq

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Docker log exposes CF_TUNNEL_PASSWORD even when using docker secrets

swaghome | - hostname: "url.url.url"
swaghome | service: https://url.url.url/
swaghome | originRequest:
swaghome | access:
swaghome | required: true
swaghome | teamName: 3243
swaghome | audTag:
swaghome | - 123124346556757586976886
swaghome | - service: http_status:404 CF_TUNNEL_NAME:asdsdaad CF_TUNNEL_PASSWORD:34566578667867978978658678
swaghome | FILE__CF_TUNNEL_CONFIG:/config/tunnelconfig.yml FILE__CF_TUNNEL_PASSWORD:/run/secrets/CF_TUNNEL_PASSWORD]
swaghome | 2025-05-29T19:04:23Z INF Generated Connector ID: 3453445533654645654645
swaghome | 2025-05-29T19:04:23Z INF Initial protocol quic
swaghome | 2025-05-29T19:04:23Z INF ICMP proxy will use 172.18.5.210 as source for IPv4
swaghome | 2025-05-29T19:04:23Z INF ICMP proxy will use ::1 in zone lo as source for IPv6
swaghome | 2025-05-29T19:04:23Z INF ICMP proxy will use 172.18.5.210 as source for IPv4
swaghome | 2025-05-29T19:04:23Z INF ICMP proxy will use ::1 in zone lo as source for IPv6
swaghome | 2025-05-29T19:04:23Z INF Starting metrics server on 127.0.0.1:20241/metrics
swaghome | 2025-05-29T19:04:23Z INF Tunnel connection curve preferences: [CurveID(4588) CurveID(25497) CurveP256] connIndex=0 event=0 ip=1231231

Expected Behavior

No sensitive information visible in logs, i.e. when using the FILE__ prefix on a variable, the data should not have been listed in the log

Steps To Reproduce

Use the value as a docker secret, FILE__CF_TUNNEL_PASSWORD
The value will be visible in the docker logs

swaghome | - service: http_status:404 CF_TUNNEL_NAME:asdsdaad CF_TUNNEL_PASSWORD:34566578667867978978658678
swaghome | FILE__CF_TUNNEL_CONFIG:/config/tunnelconfig.yml FILE__CF_TUNNEL_PASSWORD:/run/secrets/CF_TUNNEL_PASSWORD]

Environment

- OS: QNAP TS-264D, x86 platform
- How docker service was installed: using docker-compose.yaml and Container station

CPU architecture

x86-64

Docker creation

version: "2.1"
services:
  swag:
    image: lscr.io/linuxserver/swag:3.3.0-ls373
    container_name: swaghome
    cap_add:
      - NET_ADMIN
    privileged: true
    environment:
      - PUID=1000
      - PGID=100
      - TZ=Europe/Prague
      - URL=url.url
      - VALIDATION=dns
      - SUBDOMAINS=wildcard
      - DNSPLUGIN=cloudflare
      - DOCKER_MODS=linuxserver/mods:universal-cloudflared-2025.5.0|linuxserver/mods:swag-cloudflare-real-ip
      - CF_TUNNEL_NAME=name
      - FILE__CF_TUNNEL_PASSWORD=/run/secrets/CF_TUNNEL_PASSWORD
      - FILE__CF_TUNNEL_CONFIG=/config/tunnelconfig.yml
      - FILE__CF_ZONE_ID=/run/secrets/CF_ZONE_ID
      - FILE__CF_ACCOUNT_ID=/run/secrets/CF_ACCOUNT_ID
      - FILE__CF_API_TOKEN=/run/secrets/CF_API_TOKEN
    extra_hosts:
      - url.url.url:127.0.0.1
      - acme-v02.api.letsencrypt.org:172.65.32.248
      - api.cloudflare.com:104.19.192.29
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /share/Container/swaghome:/config
    restart: unless-stopped
    secrets:
      - CF_TUNNEL_PASSWORD
      - CF_ZONE_ID
      - CF_ACCOUNT_ID
      - CF_API_TOKEN
    networks:
      ha_net:
         ipv4_address: 172.18.5.210
secrets:
  CF_TUNNEL_PASSWORD:
    file: /share/Container/secrets/swag/CF_TUNNEL_PASSWORD
  CF_ZONE_ID:
    file: /share/Container/secrets/swag/CF_ZONE_ID
  CF_ACCOUNT_ID:
    file: /share/Container/secrets/swag/CF_ACCOUNT_ID
  CF_API_TOKEN:
    file: /share/Container/secrets/swag/CF_API_TOKEN
networks:
  ha_net:
    external: true

Container logs

> swaghome | - hostname: "url.url.url"
> swaghome | service: https://url.url.url/
> swaghome | originRequest:
> swaghome | access:
> swaghome | required: true
> swaghome | teamName: 3243
> swaghome | audTag:
> swaghome | - 123124346556757586976886
> swaghome | - service: http_status:404 CF_TUNNEL_NAME:asdsdaad CF_TUNNEL_PASSWORD:34566578667867978978658678
> swaghome | FILE__CF_TUNNEL_CONFIG:/config/tunnelconfig.yml FILE__CF_TUNNEL_PASSWORD:/run/secrets/CF_TUNNEL_PASSWORD]
> swaghome | 2025-05-29T19:04:23Z INF Generated Connector ID: 2354534554345
> swaghome | 2025-05-29T19:04:23Z INF Initial protocol quic
> swaghome | 2025-05-29T19:04:23Z INF ICMP proxy will use 172.18.5.210 as source for IPv4
> swaghome | 2025-05-29T19:04:23Z INF ICMP proxy will use ::1 in zone lo as source for IPv6
> swaghome | 2025-05-29T19:04:23Z INF ICMP proxy will use 172.18.5.210 as source for IPv4
> swaghome | 2025-05-29T19:04:23Z INF ICMP proxy will use ::1 in zone lo as source for IPv6
> swaghome | 2025-05-29T19:04:23Z INF Starting metrics server on 127.0.0.1:20241/metrics
> swaghome | 2025-05-29T19:04:23Z INF Tunnel connection curve preferences: [CurveID(4588) CurveID(25497) CurveP256] connIndex=0 event=0 ip=1231231
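
A check for the exposure reported above, as an added example that is not part of the original issue or the project's code: it compares the contents of a directory of secret files against a captured container log, reports which secret names leaked, and redacts their values. The function names `leaked_secret_names` and `redact_log` and all sample values are constructed for illustration.

```shell
# Added example, not project code. Secret names and values are constructed.
# Assumes one single-line value per secret file, as under /run/secrets.

# Print the NAME (never the value) of each secret found verbatim in the log.
leaked_secret_names() {   # usage: leaked_secret_names SECRETS_DIR LOG_FILE
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        value=$(head -n 1 "$f")            # first line, newline stripped
        [ "${#value}" -ge 8 ] || continue  # very short values match too much
        grep -qF -- "$value" "$2" && basename "$f"
    done
    return 0
}

# Copy stdin to stdout with each secret value replaced by [REDACTED:NAME].
redact_log() {            # usage: redact_log SECRETS_DIR < log
    awk '
        BEGIN {
            for (i = 1; i < ARGC; i++) {
                if ((getline v < ARGV[i]) > 0 && length(v) >= 8) {
                    n++; val[n] = v; name[n] = ARGV[i]
                    sub(/.*\//, "", name[n])   # keep only the file name
                }
                ARGV[i] = ""                   # leave only stdin as input
            }
        }
        {
            for (k = 1; k <= n; k++) {
                rest = $0; out = ""
                while ((p = index(rest, val[k])) > 0) {  # literal match, no regex
                    out = out substr(rest, 1, p - 1) "[REDACTED:" name[k] "]"
                    rest = substr(rest, p + length(val[k]))
                }
                $0 = out rest
            }
            print
        }
    ' "$1"/*
}

# Constructed sample: one secret that appears in the log, one that does not.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir "$demo_dir/secrets"
printf '%s\n' 'example-tunnel-password-0001' > "$demo_dir/secrets/CF_TUNNEL_PASSWORD"
printf '%s\n' 'example-api-token-0002' > "$demo_dir/secrets/CF_API_TOKEN"
printf '%s\n' 'swaghome | CF_TUNNEL_NAME:name CF_TUNNEL_PASSWORD:example-tunnel-password-0001' \
    'swaghome | INF Initial protocol quic' > "$demo_dir/container.log"
leaked_secret_names "$demo_dir/secrets" "$demo_dir/container.log"
redact_log "$demo_dir/secrets" < "$demo_dir/container.log"
```

For the setup in the issue, the log would be the output of `docker logs swaghome 2>&1` and the secrets directory the host path that the compose file's `secrets:` entries point to.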
