GDPR and Apache logs, remove last octet of an IP address

GDPR and IP addresses

For a new project I had to identify the source network of visitors of an http site, served via Apache. I did not need their individual IP address. This is something you’ll encounter when dealing with logs in light of the GDPR and having to store only the minimum amount of personal data necessary.

In essence it meant I needed a way to store the log requests and remove the last octet of the IP address. This will not work properly for networks smaller than /24 but this wasn’t an issue for this project.

The first approach was to do this when processing the logs with Logstash. But this still meant the real IP address was stored somewhere in the web logs. There must be a better way.

Apache – Log-ipmask

Enter the Apache web module apache2-mod-log-ipmask.

The mod_log_ipmask module is designed to work with version 2.4 of the Apache HTTP Server. It extends the mod_log_config module by overriding the %a and %h format strings in order to limit the number of IP address bits that are included in log files. This is intended for applications where partial logging of IP addresses is desired, but full IP addresses may not be logged due to privacy concerns.

This sounds like exactly what I needed. Unfortunately there’s no Ubuntu 18.04 package available so I had to build it from source.

Ubuntu

For this to work you need git to download the repository, the packages needed to build your own Debian packages and the Apache headers.

apt-get install git
apt-get install devscripts
apt-get install fakeroot build-essential
apt-get install dh-apache2

Fetch the source code and start building.

git clone https://github.com/aquenos/apache2-mod-log-ipmask.git
cd apache2-mod-log-ipmask
dpkg-buildpackage -uc -us

This will then give you the Debian package that you can install with

dpkg -i ../libapache2-mod-log-ipmask_1.0.0_amd64.deb

As a last step you need to enable the module (although normally it will already be enabled after installation).

a2enmod log_ipmask

Configuration

The configuration of the package is straightforward. You only need to change two lines in /etc/apache2/mods-enabled/log_ipmask.conf

<IfModule log_ipmask_module>
        # Restrict logging of IPv4 addresses to the first 24 bits.
        LogDefaultIPv4Mask 24
        # Restrict logging of IPv6 addresses to the first 56 bits.
        LogDefaultIPv6Mask 56
</IfModule>

Because I only needed the last octet removed, I had to keep the first three octets, resulting in 24 bits. The module also has support for IPv6.

Logs

After enabling the module and restarting Apache, you’ll see that the logged addresses no longer contain the last, identifying part. It has been replaced with a 0.
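To confirm that no full addresses still reach the log, and to scrub log files written before the module was enabled, the same 24-bit and 56-bit masks can be applied offline. This is an added example, not code from the post or from mod_log_ipmask; it assumes the client address is the first space-separated field of each line (as in the common and combined log formats), and the sample lines are constructed.

```python
import ipaddress

# Prefix lengths taken from the log_ipmask.conf shown above.
IPV4_MASK_BITS = 24
IPV6_MASK_BITS = 56

def mask_address(text):
    """Return the address with its host bits zeroed, or None if text is not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None  # e.g. a hostname, or "-"
    bits = IPV4_MASK_BITS if addr.version == 4 else IPV6_MASK_BITS
    keep = ((1 << bits) - 1) << (addr.max_prefixlen - bits)
    return str(type(addr)(int(addr) & keep))

def scrub_line(line):
    """Mask the first field of an access-log line (assumed to be the client address)."""
    client, sep, rest = line.partition(" ")
    masked = mask_address(client)
    return line if masked is None else masked + sep + rest

def unmasked_lines(lines):
    """Return (line_number, client) for entries whose address still has host bits set."""
    found = []
    for number, line in enumerate(lines, start=1):
        client = line.split(" ", 1)[0]
        masked = mask_address(client)
        # Compare canonical forms so "2001:DB8::" and "2001:db8::" are equal.
        if masked is not None and masked != str(ipaddress.ip_address(client)):
            found.append((number, client))
    return found

# Constructed sample: lines 1 and 3 are already masked, lines 2 and 4 are not.
SAMPLE_LOG = [
    '192.0.2.0 - - [10/Oct/2018:13:55:36 +0200] "GET / HTTP/1.1" 200 2326',
    '198.51.100.77 - - [10/Oct/2018:13:55:40 +0200] "GET /a HTTP/1.1" 200 512',
    '2001:db8:1234:5600:: - - [10/Oct/2018:13:56:01 +0200] "GET / HTTP/1.1" 200 2326',
    '2001:db8:1234:56ab:1::9 - - [10/Oct/2018:13:56:07 +0200] "GET /b HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for number, client in unmasked_lines(SAMPLE_LOG):
        print(f"line {number}: full address still logged: {client}")
    for line in SAMPLE_LOG:
        print(scrub_line(line))
```

The check only proves that host bits are zero; it cannot tell a masked entry from a visitor whose real address happens to end in 0.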
