[guardian-dev] Privacy preserving anonymized nginx log config

micah micah at riseup.net
Tue Feb 13 16:56:15 EST 2018


Abel Luck <abel at guardianproject.info> writes:

> Thanks Micah, very useful indeed.
>
> But it only works for nginx' access log, not the error log.

Yep, I forgot to mention that!

> AFAICT from reading the nginx docs [0], it is only possible to configure
> the error log path and the log level.

Yeah :(

> Having access to error logs is useful, arguably more so than the normal
> logs, in order to troubleshoot misconfigurations and identify 404s that
> should or shouldn't be happening.
>
> Best to disable error logs it seems, and only enable them when debugging.

Agreed.

Its hard to minimize logging, pesky little ips showing up everywhere! In
fact a lot of webapps can take the IPs that are available in the HTTP
headers and store them in their own internal databases for whatever
purposes. Even if you have the access log zeroed out. This is why we use
the apache mod_remove_ip module that will remove them internally before
they get to any application.

micah


More information about the guardian-dev mailing list