(draft) Privacy by design - offer more convenient way to anonymize IPs in access log by default

Wed Sep 16 19:20:24 UTC 2020

Replying to myself for now ;)

One thing I can imagine being desirable would be to make the number of bits (v4/v6) that are masked configurable.

The current choice of 8 bits for IPv4 and 64-bit on IPv6 is based on our tradition that was considered a reasonable practice with respect to GDPR by courts in Germany. Unfortunately I can’t find a reliable source at the moment, but would take the time to dig one up if needed for the discussion.

Cheers,
Christian

> On 16. Sep 2020, at 17:28, Christian Theune <ct at flyingcircus.io> wrote:
> 
> Signed PGP part
> Hi!
> 
> first time posting here. I started working on a builtin-way for nginx to provide GDPR conformaing access logs reliably by default:
> 
> https://github.com/nginx/nginx/compare/branches/stable-1.18...flyingcircusio:ctheune-anonymize-by-default
> 
> This isn’t ready to be merged at this point as it suffers at least from two things:
> 
> a) I’m not a C programmer by nature and might be making stupid mistakes. This is “monkey see monkey do code”.
> 
> b) You likely do not want to have this on by default for everyone, so I’m expecting that this requires a config option (runtime or compile, with a slight preference to runtime from me).
>   The new built-in variable remote_addr_anon should be available by default in any case, though.
> 
> Some background: we tried implementing this purely by using a mapping approach, but this doesn’t make it a proper default as everybody defining an access log has to mention the proper format or accidentally IPs will leak. This happens over and over and we’d prefer a “privacy by design” approach very much.
> 
> There is a trac ticket (https://trac.nginx.org/nginx/ticket/868) that already discusses this, however the .1 is IMHO not a good approach to recommend as it suggests a real IP whereas our impression is that nulling the last byte in IPv4 and nulling the last 8 bytes in IPv6 is the proper approach and it’s directly visible that this is an anonymized IP.
> 
> Let me know what you think about this and - if you’d like to see this in the mainstream code - I’d appreciate if you give me the necessary hints to bring this code to the level of quality that is proper for nginx.
> 
> Kind regards,
> Christian
> 
> --
> Christian Theune · ct at flyingcircus.io · +49 345 219401 0
> Flying Circus Internet Operations GmbH · http://flyingcircus.io
> Leipziger Str. 70/71 · 06108 Halle (Saale) · Deutschland
> HR Stendal HRB 21169 · Geschäftsführer: Christian Theune, Christian Zagrodnick

--
Christian Theune · ct at flyingcircus.io · +49 345 219401 0
Flying Circus Internet Operations GmbH · http://flyingcircus.io
Leipziger Str. 70/71 · 06108 Halle (Saale) · Deutschland
HR Stendal HRB 21169 · Geschäftsführer: Christian Theune, Christian Zagrodnick

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: Message signed with OpenPGP
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20200916/1fb5fbd5/attachment.bin>