Opened 9 years ago

Last modified 7 years ago

#868 new enhancement

new variable: $remote_addr_anon

Reported by: eike.inter.net@… Owned by:
Priority: critical Milestone:
Component: nginx-core Version: 1.9.x
Keywords: Cc:
uname -a: Linux www.rockers.de 2.6.18-028stab119.3 #1 SMP Tue Sep 15 16:18:30 MSD 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.9.2
built with OpenSSL 1.0.1e 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --conf-path=/srv/nginx/conf/nginx.conf --with-http_ssl_module --with-http_gzip_static_module --with-cc-opt=-Wno-error --add-module=/usr/local/lib/ruby/gems/*/gems/passenger-5.0.11/ext/nginx --with-http_ssl_module --with-http_spdy_module --add-module=../ngx-fancyindex --add-module=../headers-more-nginx-module-0.25

Description

I'd like to suggest a new feature:

There should be a new variable:

(I suggest the name: $remote_addr_anon)

That variable should be a anonymized version of the $remote_adrr variable.

In case of ipv4, the last octet should be replaced by '1':
aka when $remote_address is 123.45.67.89
then $remote_addr_anon should be 123.45.67.1

I'm not sure how to achieve the same thing for ipv6,
but maybe replacing the last octet there would be good enough for a start.

I'm from Germany, we are not allowed to place full ip addresses in any log files,
this is deemed violation of privacy and is actually forbidden by law.

some solutions have been suggested:
see: http://stackoverflow.com/questions/6477239/anonymize-ip-logging-in-nginx

We still want to retain some part of the ip address,
so that we can still apply geoip.

To my believe that would be ok than with german law,
as long as we drop the last octet (aka default it to 1)

This would really help all of us using nginx in Germany,
and it might also be a welcome privacy enhancement around the world.

Let me put that another way (so why this is a critical enhancement):
Anyone who does write any log files using the standard log facility is breaking german law.

I believe that the $remote_addr is set really deep in the core,
I'd like to suggest that the $remote_addr_anon should be set at the same place, deep in there.

This would really, really be a very welcome feature.

Change History (4)

comment:1 by privacyisright@…, 8 years ago

Instead of adding new variable, just add a switch;

ip_hide_last_octet 1;

comment:2 by Iruwen@…, 8 years ago

The issue with the solution mentioned at stackoverflow specifically is that it doesn't work for the error log. The only workaround as of now seems to be to log to syslog.
From what I see, this isn't just an issue in Germany but in the whole EU (GDPR / Regulation 2016/679). While it isn't completely illegal to log IP addresses, a general solution would be very welcome.
I also prefer the ip_hide_last_octet approach, and this should be configurable down to the server or even better location level.

Version 0, edited 8 years ago by Iruwen@… (next)

in reply to:  description comment:3 by David stickly, 7 years ago

Replying to eike.inter.net@…:

I'd like to suggest a new feature:

There should be a new variable:

(I suggest the name: $remote_addr_anon)

That variable should be a anonymized version of the $remote_adrr variable.

In case of ipv4, the last octet should be replaced by '1':
aka when $remote_address is 123.45.67.89
then $remote_addr_anon should be 123.45.67.1

I'm not sure how to achieve the same thing for ipv6,
but maybe replacing the last octet there would be good enough for a start.

I'm from Germany, we are not allowed to place full ip addresses in any log files,
this is deemed violation of privacy and is actually forbidden by law.

some solutions have been suggested:
see: http://stackoverflow.com/questions/6477239/anonymize-ip-logging-in-nginx

We still want to retain some part of the ip address,
so that we can still apply geoip.

To my believe that would be ok than with german law,
as long as we drop the last octet (aka default it to 1)

This would really help all of us using nginx in Germany,
and it might also be a welcome privacy enhancement around the world.

Let me put that another way (so why this is a critical enhancement):
Anyone who does write any log files using the standard log facility is breaking german law.

I believe that the $remote_addr is set really deep in the core,
I'd like to suggest that the $remote_addr_anon should be set at the same place, deep in there.

This would really, really be a very welcome feature.

comment:4 by masonicboom@…, 7 years ago

I just released a module that does this: https://github.com/masonicboom/ipscrub. It generates a hash of the IP address as $remote_addr_ipscrub. The hash salt cycles every so often (configurable), so you can link requests without logging user IP addresses.

Note: See TracTickets for help on using tickets.