Much thanks to Micah Lee for speaking at HOPE Number 9 – Privacy Tricks for Activist Web Developers
This post covers, in slightly more detail, the steps described between 15:50m and 17:01m of the following video:
I’d really like to flesh out additional SOPs in order to work toward an open privacy specification.
Standard Operating Procedure for disabling IP logging of visitors to an Apache 2.2 vhost on Ubuntu 12.04. I performed the following steps on this WordPress blog, anon.is. If you maintain your own WordPress blog, you would need SSH and root/sudo access to your web server.
Confirm Apache version:
# apache2 -v
Server version: Apache/2.2.22 (Ubuntu)
Edit Apache’s config file:
# sudo vim /etc/apache2/apache2.conf
Locate the directives for defining log customization and add:
LogFormat "%l %u %t \"%r\" %>s %O" noip
Edit your virtual host config file:
# sudo vim /etc/apache2/sites-available/site
The default vhost config will have the following line:
CustomLog ${APACHE_LOG_DIR}/access.log combined
Replace the word ‘combined’ with ‘noip’ at the end of the line:
CustomLog ${APACHE_LOG_DIR}/access.log noip
Delete, via shred, your old access.log files:
# sudo shred -f -v -z -u /var/log/apache2/access.log*
Save your change and reload Apache:
# sudo service apache2 reload
Before this change, my visit to my blog looked like:
108.162.246.105 - - [29/Jul/2012:18:40:51 -0700] "GET / HTTP/1.1" 200 19663 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11"
After this change, my log entry looks like:
- - [29/Jul/2012:18:45:49 -0700] "GET / HTTP/1.1" 200 19664
108.162.246.105 is CloudFlare — Micah discusses this issue in his talk. Since I’m using the CloudFlare CDN as a middleman between my blog and my blog’s readers, CloudFlare does record all visitors. As far as I know, I have no control over CloudFlare IP logging. If I were not using a third-party service, I would have seen my actual originating IP.
It would be really awesome if I could find a way to log partial IP addresses, like the first two octets of an IPv4 address, possibly using Apache’s SetEnvIf directive. I also need to find out how to leverage this privacy-maintaining tactic when using an Intrusion Detection System in front of a web server, since it definitely stores all IP addresses with timestamps that can be compared to the reduced log file.
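One way to get the partial-address logging wished for above, as an added example that is not part of the original post: instead of SetEnvIf it uses Apache's piped logging (CustomLog "|program" format), so the full address is reduced before anything reaches disk. The script path, the function names and the /32 cut for IPv6 are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Piped-log filter that keeps only the network part of the client address.

Assumed wiring in the vhost (script path is hypothetical):
  CustomLog "|/usr/local/bin/truncate_ip.py /var/log/apache2/access.log" combined
"""
import ipaddress
import sys

V4_PREFIX = 16  # first two octets of an IPv4 address, as the post suggests
V6_PREFIX = 32  # assumption: a comparably coarse cut for IPv6


def truncate_ip(text):
    """Return the address with its host bits zeroed, or None if text is not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    host_bits = addr.max_prefixlen - prefix
    # Shift the host bits out and back in, staying in the same address family.
    return str(type(addr)((int(addr) >> host_bits) << host_bits))


def scrub_line(line):
    """Rewrite the first field (%h) of a common/combined format log line."""
    host, sep, rest = line.partition(" ")
    reduced = truncate_ip(host)
    if reduced is None:
        # A resolved hostname or an unexpected field: log nothing rather than leak it.
        return "-" + sep + rest
    return reduced + sep + rest


def main(out_path):
    # Line-buffered append so entries land on disk as Apache emits them.
    with open(out_path, "a", buffering=1) as out:
        for line in sys.stdin:
            out.write(scrub_line(line))


if __name__ == "__main__":
    main(sys.argv[1])
```

Apache starts piped-log programs from its parent process, so the script runs with the privileges Apache was started with; keep it owned by root and not writable by anyone else.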