Aral Balkan

Mastodon icon RSS feed icon

Are You Logging IPs Without Even Knowing?

A screenshot of a terminal session to my server for this blog in the /var/log/nginx folder showing an ls command with no output.

Log off.

My blog is served both over the centralised web via HTTPS by nginx and over the peer web via DAT.

nginx has an access log that is enabled by default that logs IP addresses. Needless to say, I don’t want this information.

Thankfully, turning it off is easy:

server {
  access_log off;

That’s it!

(You might still be logging IP addresses in the error log so it’s a good idea to clear those out also on a regular basis.)

Remember that clearing out existing logs in nginx is as easy as:

rm /var/log/nginx/*

If you want to keep logs (e.g., to calculate unique views, etc.), you can still do that in a privacy-respecting manner by storing a hash of the IP address in your logs instead of the IP address itself. There’s an nginx module called ipscrub you can use for that purpose.

I do wish that servers like nginx came with privacy-respecting (and secure) settings by default.