ip address masking
Robert Paprocki
rpaprocki at fearnothingproductions.net
Thu Feb 15 17:30:42 UTC 2018
Hi,
On Tue, Feb 13, 2018 at 5:46 PM, Tom <tom at keepschtum.win> wrote:
> Hi,
>
> I'm wondering if anyone has successfully masked ip addresses in nginx
> before they are written to a log file.
>
> I understand there are reasons why you would and would not do this.
>
> Anyway, my config so far, which I believe works for ipv4 addresses, but
> probably on only a few formats of ipv6 addresses. I've used secondary map
> directives to append text to the short ip address as I couldn't work out
> how to concatenate the variable with text, so concatenated two variables
> instead. (Hope that makes sense).
>
>
> log_format ipmask '$remote_addr $ip_anon';
>
> map $remote_addr $ip_anon {
> default $remote_addr;
> "~^(?P<ipv4>[0-9]{1,3}\.[0-9]{1,3}.)(?P<junkv4>.*)" $ipv4$ipv4suffix;
> "~^(?P<ipv6>[^:]+:[^:]+)(?P<junkv6>.*$)" '$ipv6 $junkv6';
> }
>
> map - $ipv4suffix{
> default 0.0;
> }
> map - $ipv6suffix{
> default XX;
> }
> server {
> listen 8080;
> listen [::]:8080;
> server_name _;
> access_log /tmp/ngn-ip.log ipmask;
> allow all;
> }
>
>
> Anyone got any thoughts on this?
> Thanks
>
I suspect it might be a bit more efficient to do this with a simple module
than trying to play around with more variables, maps, and regular
expressions. I hacked together a quick module to do this:
https://github.com/p0pr0ck5/ngx_http_ip_mask_module. You could also do the
same thing with a little bit of Lua scripting (simply AND-ing off the
unwanted bits). I'd guess extending out the same logic for IPv6 wouldn't be
too hard, but that's left as an exercise for the reader :p
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20180215/9e1caf6e/attachment.html>
More information about the nginx
mailing list