Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Anonymize IP logging in nginx?

To respect the privacy of my users I'm trying to anonymize their IP addresses in nginx log files.

One way to do this would be defining a custom log format, like so:

log_format noip '127.0.0.1 - [$time_local]  '     '"$request" $status $body_bytes_sent '     '"$http_referer" "$http_user_agent" $request_time'; 

This method has two downsides: I can't distinguish between two users and can't use geo location tools.

The best thing would be to 'shorten' the IP address (87.12.23.55 would become 87.12.23.1).

Is there a possibility to achieve this using nginx config scripting?

like image 466
endzeit Avatar asked Jun 25 '11 10:06

endzeit


People also ask

Does nginx log ips?

The NGINX logs all client requests just after the request is processed in the access logs. In access logs, You will see the files are accessed, how NGINX responded to a request, which browser a client is using, client IP addresses, and more in this section.

How do I change the error log in nginx?

Syntax of error_log in Nginx: For configuring the error_log, you have to add the path of the log file and set the log level. If you do not set the second parameter, then the error_log will take “error” as its default log level: error_log /var/log/nginx/error.

What logging does nginx use?

By default, NGINX writes its events in two types of logs - the error log and the access log. In most of the popular Linux distro like Ubuntu, CentOS or Debian, both the access and error log can be found in /var/log/nginx , assuming you have already enabled the access and error logs in the core NGINX configuration file.

How do I disable nginx access log?

If you wish to turn off the Nginx error logs completely, you need to change the line to : error_log /dev/null crit; This will completely turn off the Nginx error logs on your server.


1 Answers

Even if there is already an accepted answer, the solution seems not to be valid.

nginx has the log_format directive, which has a context of http. This means, the log_format can only be (valid) set within the http {} section of the config file, NOT within the server sections!

On the other hand we have an if directive, which has a context of server and location.

So we can NOT use “if” and “log_format” within a server section (which is done within the accepted solution)

So the if is not helpful here, also if is evil ( http://wiki.nginx.org/IfIsEvil )! We need something which is working at http context because only there the log_format can be defined in a valid way, and this is the only place outside of the server context, where our virtual hosts are defined…

Luckily there is a map feature within nginx! map is remapping some values into new values (accessible within variables which can be used in a log_format directive). And the good message: This also works with regular expressions.

So let’s map our IPv4 and IPv6 addresses into anonymized addresses. This has to be done in 3 steps, since map can not accumulate returned values, it can only return strings or variables, not a combination of both.

So, at first we grab the part of IP we want to have in the logfiles, the second map returns the part which symbolizes the anonymized part, and the 3rd map rule maps them together again.

Here are the rules which go into the http {} context:

map $remote_addr $ip_anonym1 {  default 0.0.0;  "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;  "~(?P<ip>[^:]+:[^:]+):" $ip; }  map $remote_addr $ip_anonym2 {  default .0;  "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;  "~(?P<ip>[^:]+:[^:]+):" ::; }  map $ip_anonym1$ip_anonym2 $ip_anonymized {  default 0.0.0.0;  "~(?P<ip>.*)" $ip; }  log_format anonymized '$ip_anonymized - $remote_user [$time_local] '     '"$request" $status $body_bytes_sent '     '"$http_referer" "$http_user_agent"';  access_log /var/log/nginx/access.log anonymized; 

After adding this to your nginx.conf config file, remember to reload your nginx. Your log files should now contain anoymized IP addresses, if you are using the “anonymized” log format (this is the format parameter of access_log directive).

like image 171
Mike Bretz Avatar answered Sep 24 '22 13:09

Mike Bretz