From af56fd8dcd6dd273b7eb580f80a8d068ff0ed028 Mon Sep 17 00:00:00 2001 From: Markus Hauschild Date: Tue, 20 Oct 2020 15:59:08 +0200 Subject: [PATCH] nginx: support ip anonymization --- roles/nginx/tasks/main.yml | 2 +- .../nginx.conf => templates/nginx.conf.j2} | 25 +++++++++++++++++++ roles/web_svc/meta/main.yml | 2 +- 3 files changed, 27 insertions(+), 2 deletions(-) rename roles/nginx/{files/nginx.conf => templates/nginx.conf.j2} (71%) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 91a6425..187f943 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -30,7 +30,7 @@ - /etc/nginx/dhparam.pem - name: Configure nginx - copy: src=nginx.conf dest=/etc/nginx/nginx.conf + template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf notify: Restart nginx - name: Configure default vhost diff --git a/roles/nginx/files/nginx.conf b/roles/nginx/templates/nginx.conf.j2 similarity index 71% rename from roles/nginx/files/nginx.conf rename to roles/nginx/templates/nginx.conf.j2 index 5892b8a..2e1953c 100644 --- a/roles/nginx/files/nginx.conf +++ b/roles/nginx/templates/nginx.conf.j2 @@ -47,7 +47,32 @@ http { # Logging Settings ## +{% if nginx_anonymize %} + map $remote_addr $ip_anonym1 { + default 0.0.0; + "~(?P(\d+)\.(\d+)\.(\d+))\.\d+" $ip; + "~(?P[^:]+:[^:]+):" $ip; + } + + map $remote_addr $ip_anonym2 { + default .0; + "~(?P(\d+)\.(\d+)\.(\d+))\.\d+" .0; + "~(?P[^:]+:[^:]+):" ::; + } + + map $ip_anonym1$ip_anonym2 $ip_anonymized { + default 0.0.0.0; + "~(?P.*)" $ip; + } + + log_format anonymized '$ip_anonymized - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + + access_log /var/log/nginx/access.log anonymized; +{% else %} access_log /var/log/nginx/access.log; +{% endif %} error_log /var/log/nginx/error.log; ## diff --git a/roles/web_svc/meta/main.yml b/roles/web_svc/meta/main.yml index 8fcf724..35ce32b 100644 --- a/roles/web_svc/meta/main.yml 
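Review bot: The anonymized format in the roles/nginx/templates/nginx.conf.j2 hunk only covers the http-level access log; the unchanged `error_log /var/log/nginx/error.log;` line right after `{% endif %}` still writes the full client address into its entries, because error_log takes no log_format. A server or location block that declares its own `access_log` replaces the inherited one, so any vhost template doing that would have to name the format itself, e.g. `access_log <vhost-log-path> anonymized;` (placeholder path). No default for `nginx_anonymize` is added in the files shown, so unless one is defined elsewhere, a play that uses the nginx role without setting it would presumably fail when the template is rendered; `{% if nginx_anonymize | default(false) %}` keeps the previous behaviour for those callers. I would also add a comment above the maps such as `# keeps the first three IPv4 octets / first two IPv6 groups, zeroes the rest`. The http block starts and ends outside the hunk.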
+++ b/roles/web_svc/meta/main.yml @@ -2,4 +2,4 @@ dependencies: - { role: acertmgr } -- { role: nginx, nginx_ssl: True } +- { role: nginx, nginx_anonymize: True, nginx_ssl: True }