From 177e55df12f243c9c2f3865488576d27b3875936 Mon Sep 17 00:00:00 2001 From: Christoph Niehoff Date: Fri, 14 Jan 2022 16:57:49 +0100 Subject: [PATCH] anonymize remote IPs in nginx logs --- docker/client.dockerfile | 1 + docker/files/etc/nginx/nginx.conf | 54 +++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 docker/files/etc/nginx/nginx.conf diff --git a/docker/client.dockerfile b/docker/client.dockerfile index fbf67f6..51d309c 100644 --- a/docker/client.dockerfile +++ b/docker/client.dockerfile @@ -9,6 +9,7 @@ RUN npm ci RUN npm run build FROM nginxinc/nginx-unprivileged:1.20.1-alpine +COPY docker/files/etc/nginx/nginx.conf /etc/nginx/nginx.conf COPY docker/files/etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf COPY --from=builder /usr/src/app/build /usr/share/nginx/html/ EXPOSE 8080 diff --git a/docker/files/etc/nginx/nginx.conf b/docker/files/etc/nginx/nginx.conf new file mode 100644 index 0000000..b4b4ba0 --- /dev/null +++ b/docker/files/etc/nginx/nginx.conf 
@@ -0,0 +1,54 @@
+
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /tmp/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ proxy_temp_path /tmp/proxy_temp;
+ client_body_temp_path /tmp/client_temp;
+ fastcgi_temp_path /tmp/fastcgi_temp;
+ uwsgi_temp_path /tmp/uwsgi_temp;
+ scgi_temp_path /tmp/scgi_temp;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ map $remote_addr $ip_first_3_octets {
+ default 0.0.0;
+ "~(?P(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
+ "~(?P[^:]+:[^:]+):" $ip;
+ }
+
+ map $remote_addr $ip_anonym_last_octet {
+ default .0;
+ "~(?P(\d+)\.(\d+)\.(\d+))\.\d+" .0;
+ "~(?P[^:]+:[^:]+):" ::;
+ }
+
+ map $ip_first_3_octets$ip_anonym_last_octet $ip_anonymized {
+ default 0.0.0.0;
+ "~(?P.*)" $ip;
+ }
+
+ log_format main '$ip_anonymized - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+}
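Review bot: The last line of the `main` log_format still writes `"$http_x_forwarded_for"` unmasked, so if this container runs behind a proxy or load balancer the full client address is logged even though `$remote_addr` now goes through the map chain. Drop the field, e.g. end the format with `'"$http_user_agent"';`, or mask it with maps like the ones added here. The `error_log /var/log/nginx/error.log notice;` line is not governed by `log_format`, and nginx error entries include the client address, so error.log needs its own handling if no full IPs may reach disk. The map regexes also deserve a short comment stating what is kept (first three IPv4 octets, first two IPv6 groups) so the retained precision can be checked against the privacy requirement.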