[Bug 59765] provide a way to obfuscate/hash IP addresses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59765 Szőgyényi Gáborchanged: What|Removed |Added CC||szg0...@freemail.hu -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 59765] provide a way to obfuscate/hash IP addresses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59765 --- Comment #14 from Luca Toscano--- After a chat with Humbedooh there might be a better way to do this using mod-lua. I am going to update this task and the documentation when the lua code will be published. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 59765] provide a way to obfuscate/hash IP addresses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59765 --- Comment #13 from Luca Toscano--- The patch attached creates a new directive called "PrivacyStatus" that is directory context aware (previous patch was only server level). I think that this would be good for admins that need to publish an external public facing server-status while being able to consult a private one showing IPs. Still not worked on Jim's comment about replacing the IPs with x.x.x.x and not with a blank line. 1) Would we need to distinguish between IPv4/6? So something like x.x.x.x vs [x:x:x:x] or similar? I guess that probably this info falls under the "privacy" shield that we want to offer, but at the same time it might confuse users. 2) Is there an XML output option for mod_status? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 59765] provide a way to obfuscate/hash IP addresses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59765 --- Comment #12 from Luca Toscano--- Created attachment 34479 --> https://bz.apache.org/bugzilla/attachment.cgi?id=34479=edit Mod status PrivacyMode directive (directory context aware version) -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 59765] provide a way to obfuscate/hash IP addresses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59765 Jim Jagielskichanged: What|Removed |Added CC||j...@apache.org -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 59765] provide a way to obfuscate/hash IP addresses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59765 --- Comment #11 from Jim Jagielski--- I'd prefer that if instead of printing out "" it printed out something like "x.x.x.x" or "255.255.255.255" or something like that for those systems which may try to screen scrape (or use the XML output option). -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 59765] provide a way to obfuscate/hash IP addresses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59765 --- Comment #10 from Luca Toscano--- Re-added a very simple patch in: http://home.apache.org/~elukey/httpd-trunk-mod_status-privacy_mode.patch This one is only adds a new Server Directive, IIRC on IRC this was the first one suggested. I'd also see the value of having a new Directive working also with Location blocks, in order to allow request from localhost to display client IPs. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 59765] provide a way to obfuscate/hash IP addresses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59765 --- Comment #7 from Luca Toscano--- (In reply to Eric Covener from comment #6) > looks like progress, but I would suggest factoring out just the bit that > retrieves the client ip, even if it means a dummy column. New diff: http://apaste.info/0le If this is ok, the last step would be to add the possibility to specify a server config other than a per directory one. Never done it but it doesn't seem to be difficult. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 59765] provide a way to obfuscate/hash IP addresses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59765 --- Comment #6 from Eric Covener--- (In reply to Luca Toscano from comment #5) > Example of what I meant: http://apaste.info/SyZ > > This is only a proof of concept and works only with Directory/Location > context. The idea is to remove completely the Client IP column and add the > sentence "Client IP removed due to privacy mode set." on top of the table. looks like progress, but I would suggest factoring out just the bit that retrieves the client ip, even if it means a dummy column. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 59765] provide a way to obfuscate/hash IP addresses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59765 --- Comment #5 from Luca Toscano--- Example of what I meant: http://apaste.info/SyZ This is only a proof of concept and works only with Directory/Location context. The idea is to remove completely the Client IP column and add the sentence "Client IP removed due to privacy mode set." on top of the table. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 59765] provide a way to obfuscate/hash IP addresses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59765 --- Comment #4 from Luca Toscano--- (In reply to Eric Covener from comment #3) > > I thought this too, and maybe it's fine for a first pass, but you probably > would want to know how many clients were the same at any given time. Maybe > blank out the middle? I would still prefer complete anonymity, not sure if we can avoid completely fingerprinting. If the goal is to offer to the admin a way to know clients connected, we could offer multiple views of mod-status, the privacy one available for everybody (removing the IPs completely) and the more complete one restricted for example to localhost. Maybe this is possible simply with the new directive? Something like: SetHandler server-status Require host 127.0.0.1 SetHandler server-status Require all granted ServerStatusPrivacyMode on -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 59765] provide a way to obfuscate/hash IP addresses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59765 --- Comment #3 from Eric Covener--- (In reply to Luca Toscano from comment #2) > The implementation seems not super difficult, but I have a couple of > questions: > > 1) How would it be better to set the "obfuscate" mode to on? Something like > ExtendedStatus in core or by other means? mod_status directive would be best. > > 2) hashing every single IP address with a reasonable function could be good > for a lot of reasons (no need for a shared state to assign the same value to > the same IP over multiple requests, variety in the hashing functions, etc..) > but it could also lead to resources waste while doing hash calculations on > busy servers. Would it be reasonable just to remove the "Client" column from > status and extended status? This concern might be not relevant with modern > CPU, but it is good in my opinion to discuss it. I thought this too, and maybe it's fine for a first pass, but you probably would want to know how many clients were the same at any given time. Maybe blank out the middle? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 59765] provide a way to obfuscate/hash IP addresses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59765 --- Comment #2 from Luca Toscano--- The implementation seems not super difficult, but I have a couple of questions: 1) How would it be better to set the "obfuscate" mode to on? Something like ExtendedStatus in core or by other means? 2) hashing every single IP address with a reasonable function could be good for a lot of reasons (no need for a shared state to assign the same value to the same IP over multiple requests, variety in the hashing functions, etc..) but it could also lead to resources waste while doing hash calculations on busy servers. Would it be reasonable just to remove the "Client" column from status and extended status? This concern might be not relevant with modern CPU, but it is good in my opinion to discuss it. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 59765] provide a way to obfuscate/hash IP addresses
https://bz.apache.org/bugzilla/show_bug.cgi?id=59765 Eric Covenerchanged: What|Removed |Added Summary|provide a way to|provide a way to |obfuscate/hash email|obfuscate/hash IP addresses |addresses | --- Comment #1 from Eric Covener --- er, IP addresses :( -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org