GDPR and IP addresses
For a new project I had to identify the source network of visitors to an HTTP site served via Apache. I did not need their individual IP addresses. This is something you’ll encounter when dealing with logs in light of the GDPR and having to store only the minimum amount of personal data necessary.
In essence it meant I needed a way to store the log requests and remove the last octet of the IP address. Keeping only the first three octets groups clients per /24, so this will not work properly for networks smaller than /24, but this wasn’t an issue for this project.
The first approach was to do this when processing the logs with Logstash. But this still meant the real IP address was stored somewhere in the web logs before Logstash got to it. There had to be a better way.
Apache – Log-ipmask
Enter the Apache web module apache2-mod-log-ipmask.
The mod_log_ipmask module is designed to work with version 2.4 of the Apache HTTP Server. It extends the mod_log_config module by overriding the %a and %h format strings in order to limit the number of IP address bits that are included in log files. This is intended for applications where partial logging of IP addresses is desired, but full IP addresses may not be logged due to privacy concerns.
This sounds exactly like what I needed. Unfortunately there’s no Ubuntu 18.04 package available, so I had to build it from source.
For this to work you need git to download the repository, the packages needed to build your own Debian packages, and the Apache headers.
apt-get install git
apt-get install devscripts debsign
apt-get install fakeroot build-essential
apt-get install dh-apache2
Fetch the source code and start building.
git clone https://github.com/aquenos/apache2-mod-log-ipmask.git
cd apache2-mod-log-ipmask
dpkg-buildpackage -uc -us
This will then give you the Debian package, which you can install with
dpkg -i ../libapache2-mod-log-ipmask_1.0.0_amd64.deb
As a last step you need to enable the module (although normally it will already be enabled after installation).
The configuration of the package is straightforward. You only need to set two directives in /etc/apache2/mods-enabled/log_ipmask.conf:
<IfModule log_ipmask_module>
    # Restrict logging of IPv4 addresses to the first 24 bits.
    LogDefaultIPv4Mask 24
    # Restrict logging of IPv6 addresses to the first 56 bits.
    LogDefaultIPv6Mask 56
</IfModule>
Because I only needed the last octet removed, I had to keep the first three octets, which is 24 bits. The module also has support for IPv6, where the mask is given in bits as well.
After enabling the module and restarting Apache you’ll see that the logged addresses no longer contain the last, identifying part: the masked bits are replaced with 0, so 203.0.113.45 is written as 203.0.113.0.
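The same masking is useful outside Apache, for example to strip the host part from log files that were written before the module was in place, or to check that the module’s output matches what you expect. The script below is an added example and is not part of the original post or of the mod_log_ipmask project; it reimplements the "keep the first N bits, zero the rest" rule with Python’s standard ipaddress module, using the same 24-bit IPv4 and 56-bit IPv6 widths as the configuration above, and applies it to the leading client-address field of combined-format log lines. The log lines and addresses are constructed sample data.

```python
import ipaddress

# Mask widths matching LogDefaultIPv4Mask 24 / LogDefaultIPv6Mask 56 above.
IPV4_BITS = 24
IPV6_BITS = 56


def mask_ip(addr: str, v4_bits: int = IPV4_BITS, v6_bits: int = IPV6_BITS) -> str:
    """Keep the first N bits of an IPv4/IPv6 address and zero the remaining host bits.

    Raises ValueError when addr is not an IP literal.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        # An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) really identifies an IPv4
        # client, so apply the IPv4 width to the embedded address.
        masked_v4 = mask_ip(str(ip.ipv4_mapped), v4_bits, v6_bits)
        return "::ffff:" + masked_v4
    bits = v4_bits if ip.version == 4 else v6_bits
    # ip_network with strict=False zeroes every bit beyond the prefix length.
    network = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
    return str(network.network_address)


def mask_log_line(line: str) -> str:
    """Rewrite the leading %h field of a combined-format access log line.

    Lines whose first field is not an IP literal (for example when
    HostnameLookups is on) are returned unchanged.
    """
    host, sep, rest = line.partition(" ")
    try:
        return mask_ip(host) + sep + rest
    except ValueError:
        return line


def mask_log(lines):
    """Mask every line of an access log given as an iterable of strings."""
    return [mask_log_line(line) for line in lines]


# Constructed sample log lines in Apache's combined format (documentation
# address ranges only; these are not real visitors).
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Oct/2019:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '2001:db8:1234:5678::1 - - [10/Oct/2019:13:55:37 +0200] "GET /about HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    'example.invalid - - [10/Oct/2019:13:55:38 +0200] "GET / HTTP/1.1" 200 100 "-" "-"',
]

if __name__ == "__main__":
    # Usage: python mask_log.py < access.log > access.masked.log
    # (here it just prints the constructed sample).
    for masked in mask_log(SAMPLE_LOG):
        print(masked)
```

The caveat from the start of the post applies here too: with a 24-bit mask every client in the same /24 becomes indistinguishable, which is the point for privacy but also means sites that need to tell apart networks smaller than /24 would have to choose a wider mask.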