[guardian-dev] Privacy preserving anonymized nginx log config

micah micah at riseup.net
Tue Jan 30 12:11:59 EST 2018

Abel Luck <abel at guardianproject.info> writes:

> Does anyone know of a configuration solution for nginx to meet any or
> all of these bullet points?
> * log only the date, not the time or time zone
> * referer, ip, user-agent are never logged
> * country is logged by looking up the ip in a geoip database
> Ideally this would apply to both the standard access log and error log.

Drop the following in conf.d/noip:

        log_format  noip  ' - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';

and then reference it in your log lines, like this:

        access_log  /var/log/nginx/gitlab_access.log noip;

... it doesn't satisfy your third point, but I don't really feel like
geoip lookup of IP fits the 'privacy preserving' frame.
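
An added example, not part of the original message: one way to cover the first two bullet points of the question (date only; no referer, IP or user-agent) in the access log. The names `$log_date`, `ymd` and `private`, the server name and the log paths are assumptions chosen for illustration; the `map` and `log_format` lines belong in the `http` context, for instance in a file under conf.d/.

```nginx
# Added example. Hypothetical names: $log_date, ymd, "private".

# $time_iso8601 looks like 2018-01-30T12:11:59-05:00. Keep only the
# leading YYYY-MM-DD, which drops the time of day and the UTC offset.
map $time_iso8601 $log_date {
    default "-";
    "~^(?<ymd>\d{4}-\d{2}-\d{2})" $ymd;
}

# No $remote_addr, $http_referer or $http_user_agent; $remote_user is
# also left out here. "$request_method $uri $server_protocol" replaces
# $request so that the query string is not written to the log.
log_format private '[$log_date] "$request_method $uri $server_protocol" '
                   '$status $body_bytes_sent';

server {
    listen 80;
    server_name example.org;    # placeholder

    access_log /var/log/nginx/access.log private;

    # log_format does not apply to error_log. Error entries tied to a
    # request carry the client address, and raising the level to crit
    # only reduces how often such entries are written.
    error_log /var/log/nginx/error.log crit;
}
```

`nginx -t` checks the syntax before a reload.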

