Nginx: Do not save IP address in log files

If you want to store as little data as possible for data protection reasons (GDPR, known in German as DSGVO, is the keyword), you can define a suitable log file format. In this way, both IPv4 and IPv6 addresses are anonymized.

Unfortunately, it is not possible to define a new format for the error logs. With a sufficiently short retention period, however, one can assume a legitimate interest in smooth operation. Setting up the anonymized log files is simple: insert the following code into the central nginx.conf. For IPv4 addresses it replaces the last three digits with "0", and for IPv6 addresses the last two blocks are also deleted.

# First part: the first three IPv4 blocks or the first two IPv6 blocks
map $remote_addr $ip_anonym1 {
    default 0.0.0;
    "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
    "~(?P<ip>[^:]+:[^:]+):" $ip;
}

# Second part: the fixed suffix that replaces the rest of the address
map $remote_addr $ip_anonym2 {
    default .0;
    "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
    "~(?P<ip>[^:]+:[^:]+):" ::;
}

# Join both parts into the value that is written to the log
map $ip_anonym1$ip_anonym2 $ip_anonymized {
    default 0.0.0.0;
    "~(?P<ip>.*)" $ip;
}

log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';

access_log /var/log/nginx/access.log anonymized;

Now add the entry "anonymized" to the access log line of each virtual host. Afterwards, all old log files must be deleted once. After the next server restart the reduced log files will be saved; otherwise everything will work as usual. In terms of data protection, this brings us a little closer to a "clean solution" that is fully in line with the data minimization principle of the EU GDPR (DSGVO). This solution is also used on this server.
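To check what the maps above actually leave in the log for a given client address, the following Python sketch mirrors their matching order and defaults. It is an added example, not part of the original post or of nginx; the function name and the sample addresses (documentation and special-purpose ranges) are constructed for illustration.

```python
import re

# Regexes copied from the first two map blocks. nginx tests map regexes in
# the order listed, unanchored, and uses the map's default if none match.
V4 = re.compile(r"(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+", re.ASCII)
V6 = re.compile(r"(?P<ip>[^:]+:[^:]+):")


def anonymize(remote_addr: str) -> str:
    """Return the value $ip_anonymized would take for this $remote_addr."""
    m = V4.search(remote_addr)
    if m:                                   # IPv4 rule: keep three blocks
        part1, part2 = m.group("ip"), ".0"
    else:
        m = V6.search(remote_addr)
        if m:                               # IPv6 rule: keep two groups
            part1, part2 = m.group("ip"), "::"
        else:                               # defaults of maps 1 and 2
            part1, part2 = "0.0.0", ".0"
    # Third map: "~(?P<ip>.*)" matches any string, so the concatenation
    # passes through unchanged and its 0.0.0.0 default is never reached.
    return part1 + part2


# Constructed sample addresses, not real clients.
SAMPLES = [
    "203.0.113.57",                  # plain IPv4
    "2001:db8:85a3::8a2e:370:7334",  # plain IPv6
    "::ffff:192.0.2.44",             # IPv4-mapped IPv6: the IPv4 rule wins
    "::1",                           # starts with "::": no rule matches
    "fe80::1",                       # "::" right after the first group
]


def report(addresses):
    """Map each input address to the string that would be logged."""
    return {addr: anonymize(addr) for addr in addresses}


if __name__ == "__main__":
    for addr, logged in report(SAMPLES).items():
        print(f"{addr:32} -> {logged}")
```

The IPv6 rule keeps only the first two groups of the address. Addresses that begin with `::` or have `::` directly after the first group match neither rule and are logged as `0.0.0.0`.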
