
Show HN: ipscrub, an IP address anonymizer for Nginx - masonicb00m
https://github.com/masonicboom/ipscrub
======
JeanMarcS
I’m sure laws differ between countries, but isn’t there a law in Europe that
forces you to log IPs for eventual police investigation?

It was true some years ago in France (a law from 2011 says you must keep 1
year of logs for users posting content on your website [1]), and it’s the big
question I have been asking myself for several months with GDPR coming.

Everyone I ask has their own way of seeing it and I’m confused.

[1]
[https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFT...](https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000023646013&categorieLien=id)
(in French, article 3)

Edit: found the law

~~~
badrabbit
In some countries in Europe (e.g. Germany) they are pretty strict against
maintaining logs that associate employee web traffic with the employee.
Plus, GDPR will introduce some concerns like you mentioned.

For that law you referenced, I am not sure it would apply to a network
provider as it would to a site owner (e.g. VPN or CDN provider vs a website).

------
social_quotient
This looks great for GDPR and a good way to get into compliance by pushing the
problem way upstream so as not to have to figure out delegations at the app
layers.

------
iknowstuff
This module makes it impossible to detect and handle IPv6 /64 subnets. Perhaps
the first and last 64 bits should be hashed separately.

~~~
masonicb00m
What do you mean when you say “detect and handle IPv6/64 subnets”?

I’m not too familiar with IPv6 but would love to improve support for it if the
project is deficient somehow.

~~~
mcpherrinm
With the original IP, addresses are fairly expensive. With IPv6, even home
users are assigned a /64 subnet at the smallest, so a malicious actor can
iterate through many addresses. Generally for things like per-IP ratelimiting,
you treat a whole IPv6 /64 subnet like you would treat a single IP address.

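The point made above about treating a whole /64 as one client, as an added example in Python. This is not code from ipscrub (an Nginx module written in C) and not its author’s scheme; it is a sketch of the alternative suggested in the thread: a keyed hash under a per-period secret, with the IPv6 /64 prefix and the 64-bit interface identifier hashed separately so the prefix half can serve as the rate-limiting key. The HMAC-SHA256 construction, the `prefix`/`iid` domain-separation labels, the `v4:`/`v6:` token format and the sample addresses are all assumptions of this sketch.

```python
import hashlib
import hmac
import ipaddress
import os
from collections import Counter


def new_salt() -> bytes:
    """Per-period secret. ipscrub rotates its salt on a timer; this sketch
    just draws a fresh one and leaves rotation to the caller (assumption)."""
    return os.urandom(16)


def _mac(salt: bytes, data: bytes) -> str:
    """Keyed hash truncated to 64 bits of hex: unkeyed hashes of IPs are
    reversible by brute force (2^32 IPv4 addresses), keyed ones are not
    without the salt."""
    return hmac.new(salt, data, hashlib.sha256).hexdigest()[:16]


def scrub(ip: str, salt: bytes) -> str:
    """Anonymize one address.

    IPv4 (and IPv4-mapped IPv6): one keyed hash of the whole address.
    IPv6: keyed hash of the /64 prefix, then a keyed hash of the interface
    identifier, so tokens from the same /64 share their first half.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:a.b.c.d is really an IPv4 client
    if addr.version == 4:
        return "v4:" + _mac(salt, b"v4" + addr.packed)
    prefix, iid = addr.packed[:8], addr.packed[8:]
    return "v6:" + _mac(salt, b"prefix" + prefix) + ":" + _mac(salt, b"iid" + iid)


def rate_limit_key(token: str) -> str:
    """Key for per-client limits: the whole token for IPv4, only the /64
    prefix half for IPv6, so one client cannot dodge limits by walking
    through the 2^64 addresses it was delegated."""
    if token.startswith("v6:"):
        return token.rsplit(":", 1)[0]
    return token


def count_by_client(tokens):
    """Requests per rate-limit key, as a limiter would count them."""
    return Counter(rate_limit_key(t) for t in tokens)


if __name__ == "__main__":
    salt = new_salt()
    # Constructed sample: 100 requests from one /64, one from a neighbouring /64.
    sample = [scrub("2001:db8::%x" % i, salt) for i in range(1, 101)]
    sample.append(scrub("2001:db8:0:1::1", salt))
    for key, n in count_by_client(sample).items():
        print(key, n)
```

Hashing the two halves separately costs one extra HMAC per IPv6 request and leaks one fact the single-hash design does not: which tokens come from the same /64. That is exactly the linkage a limiter needs, and it is still keyed, so a log reader cannot recover the prefix without the salt.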
------
NewsAware
Even using anonymization such as this, you should not keep logs for longer than
necessary to debug, and should delete them after a month or two.

------
wemdyjreichert
Why would you need to avoid logging IPs?

~~~
masonicb00m
I prefer to look at it the other way around. Why would you need to log IPs?
It’s like asking people for their social security number (USA) just to have a
unique identifier—this is more info than you need.

~~~
tscs37
It can be useful to find out who's been spamming requests at your server and
block connections on the firewall level.

~~~
kitotik
From the project summary:

“You can use this hash to link requests from the same source, without
identifying your users by IP address”

So perhaps it is/will be possible to take actions against bad IPs.

~~~
tscs37
With more difficulty. I can hardly use hashes to blacklist IP ranges in my
firewall; even if it could, the performance would suck due to the necessary
hashing.

