0

I have found some solutions to anonymize IP in nginx log - like this Anonymize IP logging in nginx?

But this will strip IP to C-subnet. Thats too much. For my purposes and GDPR compilant is in my opinion enough if the last octet of IP will be divided by 2, floored and multiplied by 2 to again. So IP will not be exact.

Can be done this in nginx / map. I did not have any luck yet.

TylerH
  • 20,799
  • 66
  • 75
  • 101
Adam
  • 130
  • 1
  • 2
  • 12
  • Because I can't comment on Baptiste LARVOL-SIMON: The GDPR replaced 2002/58/EC. So you have to be compliant to the GDPR. – Tim A. Jun 03 '18 at 13:15

2 Answers2

1

Have a look to another law before doing this, if your website is hosted in the EU, the UE Directive 2002/58/EC requires you to store the real IP addresses between 6 month and 2 years, depending on your country within EU.

If you are hosting your website in the EU, what anonymising or pseudonimising IP adresses is only allowed after a time.

Baptiste LARVOL-SIMON
  • 220
  • 1
  • 8
  • Tim A. said in a comment-as-an-answer "The GDPR replaced 2002/58/EC. So you have to be compliant to the GDPR." – Stephen Kennedy Jun 03 '18 at 13:18
  • @Baptiste are you talking about the data retention directive? This is the only part of the mentioned document where I could find a similar requirement: https://en.wikipedia.org/wiki/Data_Retention_Directive However However, it has been declared invalid in 2014. Afaik this also never meant to target a person hosting a website, but the actual providers. Could you please add a link where one can find the requirements you are quoting? – st-h Aug 24 '18 at 13:28
  • @StephenKennedy it looks like the upcoming ePR will repeal 2002/58/EC https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communications_Directive_2002 So, it is actually not the GDPR which is replacing 2002/58/EC – st-h Aug 24 '18 at 13:31
0

So i have answer, not pure nginx, using compiled perl.

nginx.conf

load_module /usr/local/libexec/nginx/ngx_http_perl_module.so;

(depends on OS - this is on freebsd)

in httpd {

perl_set $remote_addr_anon 'sub {

    use POSIX;

    my $r = shift;
    my $str = $r->remote_addr;
    my @ex = split(/\./, $str);

    if ( scalar @ex == 4 ) {

            my $anon_ip = @ex[0] . "." . @ex[1] . "." . @ex[2] . "." . (floor(@ex[3]/2)*2) ;

            return $anon_ip;
    } else {

            return "IPv6"
    }
}'; 

log_format anonymized '$remote_addr_anon - $remote_user [$time_local] ' 
'"$request" $status $body_bytes_sent ' 
'"$http_referer" "$http_user_agent"';

And then use anonymized access log format in access_log.

I dont use IPv6 so dont care about it. If you purify this, you can, I'm not familiar with perl.

Adam
  • 130
  • 1
  • 2
  • 12