Anonymize IP logging in nginx?


Problem description

To respect the privacy of my users I'm trying to anonymize their ip addresses in nginx log files.

One way to do this would be defining a custom log format, like so:

log_format noip '127.0.0.1 - [$time_local]  '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent" $request_time';

This method has two downsides: I can't distinguish between two users and can't use geo location tools.

The best thing would be to 'shorten' the ip address (87.12.23.55 would become 87.12.23.1).

Is there a possibility to achieve this using nginx config scripting?

Thanks.

Recommended answer

Even if there is already an accepted answer, the solution seems not to be valid.

nginx has the log_format directive, which has a context of http. This means, the log_format can only be (valid) set within the http {} section of the config file, NOT within the server sections!

On the other hand we have an if directive, which has a context of server and location.

So we can NOT use "if" and "log_format" within a server section (which is done within the accepted solution)

So the if is not helpful here, also if is evil ( http://wiki.nginx.org/IfIsEvil )! We need something which is working at http context because only there the log_format can be defined in a valid way, and this is the only place outside of the server context, where our virtual hosts are defined…

Luckily there is a map feature within nginx! map is remapping some values into new values (accessible within variables which can be used in a log_format directive). And the good message: This also works with regular expressions.

So let’s map our IPv4 and IPv6 addresses into anonymized addresses. This has to be done in 3 steps, since map can not accumulate returned values, it can only return strings or variables, not a combination of both.

So, at first we grab the part of IP we want to have in the logfiles, the second map returns the part which symbolizes the anonymized part, and the 3rd map rule maps them together again.

Here are the rules which go into the http {} context:

map $remote_addr $ip_anonym1 {
 default 0.0.0;
 "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
 "~(?P<ip>[^:]+:[^:]+):" $ip;
}

map $remote_addr $ip_anonym2 {
 default .0;
 "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
 "~(?P<ip>[^:]+:[^:]+):" ::;
}

map $ip_anonym1$ip_anonym2 $ip_anonymized {
 default 0.0.0.0;
 "~(?P<ip>.*)" $ip;
}

log_format anonymized '$ip_anonymized - $remote_user [$time_local] ' 
   '"$request" $status $body_bytes_sent ' 
   '"$http_referer" "$http_user_agent"';

access_log /var/log/nginx/access.log anonymized;

After adding this to your nginx.conf config file, remember to reload your nginx. Your log files should now contain anonymized IP addresses, if you are using the "anonymized" log format (this is the format parameter of access_log directive).
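To check what the three map blocks above will write before deploying them, the following added example (not part of the original answer) emulates them in Python with the same regular expressions. It assumes nginx's documented map behaviour of testing regexes in order of appearance with an unanchored match; the sample addresses are constructed.

```python
import re

# Each map: regexes in config order with their result, plus the default.
# "$ip" stands for "value of the named capture group ip", as in the config.
IPV4 = r"(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+"
IPV6 = r"(?P<ip>[^:]+:[^:]+):"
MAP1 = ([(IPV4, "$ip"), (IPV6, "$ip")], "0.0.0")   # $ip_anonym1
MAP2 = ([(IPV4, ".0"), (IPV6, "::")], ".0")        # $ip_anonym2
MAP3 = ([(r"(?P<ip>.*)", "$ip")], "0.0.0.0")       # $ip_anonymized


def nginx_map(value, rules):
    """Emulate one map block: the first regex that matches anywhere wins."""
    patterns, default = rules
    for pattern, result in patterns:
        match = re.search(pattern, value, re.ASCII)
        if match:
            return match.group("ip") if result == "$ip" else result
    return default


def anonymize(remote_addr):
    """Chain the three maps the way the log_format variable is built."""
    part1 = nginx_map(remote_addr, MAP1)
    part2 = nginx_map(remote_addr, MAP2)
    return nginx_map(part1 + part2, MAP3)


# Constructed sample values for $remote_addr.
SAMPLES = [
    "87.12.23.55",                    # plain IPv4: last octet dropped
    "2001:db8:85a3::8a2e:370:7334",   # IPv6: only the first two groups kept
    "::ffff:87.12.23.55",             # IPv4-mapped form hits the IPv4 rule
    "::1",                            # no rule matches: both defaults apply
    "fe80::1",                        # "::" after the first group: defaults
]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(f"{addr:32} -> {anonymize(addr)}")
```

IPv6 addresses whose second group is compressed away (such as `fe80::1`) match neither regex and are logged as `0.0.0.0`, so they become indistinguishable from each other in the log.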
