[guardian-dev] Privacy preserving anonymized nginx log config

micah micah at riseup.net
Tue Jan 30 12:42:29 EST 2018


Tim Schwartz <tim at timschwartz.org> writes:

> This is super helpful btw. Thanks. 
>
> What do people generally use as a rule of thumb on timing for log
> rotations on web servers that are privacy focused?

Depends on your threat model, but possibilities are:

1. no logs at all, no rotation needed (when you have a ton of data, this
is actually a lot easier)

2. logs only in memory (vulnerable to vampire tap, or preservation
orders)

3. rotate stored logs in as short of a time as possible so that you can
balance usefulness against being an arbitrarily deputized state agent.

when it comes to logging people generally want it for one of these
things:

1. surveillance capitalism - monetize visitors behaviors, sell to data
brokers, track you across the web, advertising

2. ego vanity - it feels good to know that 500 more people visited your
site this month, compared to last month

3. debugging

If you can get over the first two (requires a bit of transcendence above
the earthly trappings of being human), the third one is really the only
reason to have any logs at all. Fortunately, you can actually get by
without keeping any logs, and just turn them on *when you need to debug
something* and then *turn them off immediately afterwards*. In this
scenario, you are only giving up the possibility of debugging past
problems that you cannot reproduce. A worthy sacrifice.


More information about the guardian-dev mailing list