Disabling IP address logging in Apache

Much thanks to Micah Lee for speaking at HOPE Number 9 – Privacy Tricks for Activist Web Developers

This post covers, in slightly more detail, the actions described between 15:50m and 17:01m of the following video:

I’d really like to flesh out additional SOPs in order to work toward an open privacy specification.

Standard Operating Procedure for disabling IP logging of visitors to an Apache 2.2 vhost on Ubuntu 12.04. I performed the following steps on this WordPress blog, anon.is. If you maintain your own WordPress blog, you would need SSH and root/sudo access to your web server.

Confirm Apache version:
# apache2 -v
Server version: Apache/2.2.22 (Ubuntu)

Edit Apache’s config file:
# sudo vim /etc/apache2/apache2.conf

Locate the directives for defining log customization and add:
LogFormat "%l %u %t \"%r\" %>s %O" noip

Edit your virtual host config file:
# sudo vim /etc/apache2/sites-available/site

The default vhost config will have the following line:
CustomLog ${APACHE_LOG_DIR}/access.log combined

Replace the word ‘combined’ with ‘noip’ at the end of the line:
CustomLog ${APACHE_LOG_DIR}/access.log noip

Delete, via shred, your old access.log files:
# sudo shred -f -v -z -u /var/log/apache2/access.log*

Save your change and reload Apache:
# sudo service apache2 reload

Before this change, my visit to my blog looked like:
- - [29/Jul/2012:18:40:51 -0700] "GET / HTTP/1.1" 200 19663 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11"

After this change, my log entry looks like:
- - [29/Jul/2012:18:45:49 -0700] "GET / HTTP/1.1" 200 19664

is CloudFlare — Micah discusses this issue in his talk. Since I’m using the CloudFlare CDN as a middleman between my blog and my blog’s readers, CloudFlare does record all visitors. As far as I know, I have no control over CloudFlare IP logging. If I were not using a third-party service, I would have seen my actual originating IP.

It would be really awesome if I could find a way to log partial IP addresses, like the first two octets of an IPv4 address, possibly using Apache’s SetEnvIf directive. I also need to find out how to leverage this privacy-maintaining tactic when using an Intrusion Detection System in front of a web server, since it definitely stores all IP addresses with timestamps that can be compared to the reduced log file.
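
An added example, not from the original post: one way to get the partial-IP logging wished for above is Apache's piped-log support rather than SetEnvIf. The filter below keeps the first two octets of an IPv4 address (and the first 32 bits of an IPv6 address); the script path, the CustomLog line in its docstring and the sample log lines are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Piped-log filter: truncate the client address in each access-log line.

Hypothetical vhost line (script name and path are assumptions):
    CustomLog "|/usr/local/bin/maskip.py /var/log/apache2/access.log" combined
"""
import ipaddress
import sys


def mask_ip(token):
    """Keep the first two octets of IPv4 (/16) or the first 32 bits of IPv6."""
    try:
        addr = ipaddress.ip_address(token)
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped  # ::ffff:a.b.c.d is really an IPv4 client
        prefix = 16 if addr.version == 4 else 32
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    except ValueError:
        return "-"  # hostname or junk in the %h field: drop it entirely
    return str(net.network_address)


def mask_line(line):
    """Replace the leading %h field of a log line; leave the rest untouched."""
    host, sep, rest = line.partition(" ")
    if not sep:
        return line  # blank or malformed line with no fields to split
    return mask_ip(host) + sep + rest


def main(argv):
    # Apache writes log lines to our stdin; append the masked form to argv[1].
    with open(argv[1], "a", buffering=1) as out:
        for line in sys.stdin:
            out.write(mask_line(line))


# Constructed sample lines (documentation address ranges, not real visitors).
SAMPLES = [
    '203.0.113.57 - - [29/Jul/2012:18:40:51 -0700] "GET / HTTP/1.1" 200 19663\n',
    '2001:db8:85a3::8a2e:370:7334 - - [29/Jul/2012:18:41:02 -0700] "GET / HTTP/1.1" 200 19663\n',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv)
    else:
        sys.stdout.writelines(mask_line(s) for s in SAMPLES)
```

Because the full address never reaches disk, there is no unmasked access.log to shred later; run without arguments, the script prints the masked sample lines.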

