(draft) Privacy by design - offer more convenient way to anonymize IPs in access log by default

Christian Theune ct at flyingcircus.io
Tue Sep 22 06:55:59 UTC 2020


Thanks for that input!

> On 22. Sep 2020, at 08:42, Hung Nguyen <hungnv at opensource.com.vn> wrote:
> Hi Christian,
> In my opinion your use case (GDPR) is not widely used, since Nginx offers developer number of ways to change nginx behaviour and add more feature other than default, you should consider to write your own module to archive what you want

Interesting. Technically one can currently make a single nginx config that is GDPR compliant WRT IP logging. However, it’s AFAICT impossible to set up nginx in a way so that delegating virtual host configuration to another party doesn’t automatically lead to accidents (we weren’t able to avoid accidents even without delegation).

I was surprised that there is no way to change the default logging format reliably - and this could be an alternative path more relevant to the core with two options that I see:

1. allow redefining the ‘combined’ log format, or
2. allow explicitly setting another format as default (might be easier when I look at the current structure)

Having the anonymized IP as a separate value (remote_addr_anon) could easily be extracted into a separate module but maybe its so lightweight that adding it to the core makes sense as well. We originally did it purely using maps, my gut feeling tells me that that’s much slower but we don’t have any evidence of it making a significant impact at our traffic levels.

I would have thought that GDPR would be more relevant as nginx is so widely spread and privacy compliance has been such a big topic in Europe over the last years … Googling for “nginx gdpr” gives “only” 833k results. Not nothing but I kind of expected a larger result set.


Christian Theune · ct at flyingcircus.io · +49 345 219401 0
Flying Circus Internet Operations GmbH · http://flyingcircus.io
Leipziger Str. 70/71 · 06108 Halle (Saale) · Deutschland
HR Stendal HRB 21169 · Geschäftsführer: Christian Theune, Christian Zagrodnick

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: Message signed with OpenPGP
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20200922/225a14e9/attachment.bin>

More information about the nginx-devel mailing list