Re: [guardian-dev] Privacy preserving anonymized nginx log config

2018-01-30 Thread Hans-Christoph Steiner

I'll bet Greenhost is amenable to privacy focused logging configs.

.hc

Tim Schwartz:
> Thanks Micah,
> 
> Yeah I really only think server logs are valuable as debugging, if $$$ is the 
> core concept behind data analytics, then better to do it with a different 
> system than straight server logs anyway. I really like this idea…
> 
>> Fortunately, you can actually get by
>> without keeping any logs, and just turn them on *when you need to debug
>> something* and then *turn them off immediately afterwards*. In this
>> scenario, you are only giving up the possibility of debugging past
>> problems that you cannot reproduce. A worthy sacrifice.
> 
> Though once you are scaling to a few servers or a higher level production 
> environment, turning on / off logs might not be such an easy feat. 
> 
> Is anyone aware of managed hosting systems that have opted for privacy 
> focused logging options? Might be an interesting space to investigate in 
> general.  
> 
> Cheers,
> Tim
> 
> 
>> On Jan 30, 2018, at 9:42 AM, micah wrote:
>>
>> Tim Schwartz writes:
>>
>>> This is super helpful btw. Thanks. 
>>>
>>> What do people generally use as a rule of thumb on timing for log
>>> rotations on web servers that are privacy focused?
>>
>> Depends on your threat model, but possibilities are:
>>
>> 1. no logs at all, no rotation needed (when you have a ton of data, this
>> is actually a lot easier)
>>
>> 2. logs only in memory (vulnerable to vampire tap, or preservation
>> orders)
>>
>> 3. rotate stored logs in as short of a time as possible so that you can
>> balance usefulness against being an arbitrarily deputized state agent.
>>
>> when it comes to logging people generally want it for one of these
>> things:
>>
>> 1. surveillance capitalism - monetize visitors behaviors, sell to data
>> brokers, track you across the web, advertising
>>
>> 2. ego vanity - it feels good to know that 500 more people visited your
>> site this month, compared to last month
>>
>> 3. debugging
>>
>> If you can get over the first two (requires a bit of transcendence above
>> the earthly trappings of being human), the third one is really the only
>> reason to have any logs at all. Fortunately, you can actually get by
>> without keeping any logs, and just turn them on *when you need to debug
>> something* and then *turn them off immediately afterwards*. In this
>> scenario, you are only giving up the possibility of debugging past
>> problems that you cannot reproduce. A worthy sacrifice.
> 
> ___
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org
> 

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex=0xE9E28DEA00AA5556


Re: [guardian-dev] Privacy preserving anonymized nginx log config

2018-01-30 Thread micah

Tim Schwartz writes:

> This is super helpful btw. Thanks. 
>
> What do people generally use as a rule of thumb on timing for log
> rotations on web servers that are privacy focused?

Depends on your threat model, but possibilities are:

1. no logs at all, no rotation needed (when you have a ton of data, this
is actually a lot easier)

2. logs only in memory (vulnerable to vampire tap, or preservation
orders)

3. rotate stored logs in as short of a time as possible so that you can
balance usefulness against being an arbitrarily deputized state agent.

when it comes to logging people generally want it for one of these
things:

1. surveillance capitalism - monetize visitors behaviors, sell to data
brokers, track you across the web, advertising

2. ego vanity - it feels good to know that 500 more people visited your
site this month, compared to last month

3. debugging

If you can get over the first two (requires a bit of transcendence above
the earthly trappings of being human), the third one is really the only
reason to have any logs at all. Fortunately, you can actually get by
without keeping any logs, and just turn them on *when you need to debug
something* and then *turn them off immediately afterwards*. In this
scenario, you are only giving up the possibility of debugging past
problems that you cannot reproduce. A worthy sacrifice.


Re: [guardian-dev] Privacy preserving anonymized nginx log config

2018-01-30 Thread Tim Schwartz

This is super helpful btw. Thanks.

What do people generally use as a rule of thumb on timing for log rotations on 
web servers that are privacy focused?

Thx,
Tim


> On Jan 30, 2018, at 9:11 AM, micah wrote:
> 
> Abel Luck writes:
> 
>> Does anyone know of a configuration solution for nginx to meet any or
>> all of these bullet points?
>> 
>> * log only the date, not the time or time zone
>> * referer, ip, user-agent are never logged
>> * country is logged by looking up the ip in a geoip database
>> 
>> Ideally this would apply to both the standard access log and error log.
> 
> Drop the following in conf.d/noip:
> 
> log_format  noip  '0.0.0.0 - $remote_user [$time_local] '
>                   '"$request" $status $body_bytes_sent '
>                   '"$http_referer" "$http_user_agent"';
> 
> and then reference it in your log lines, like this:
> 
> access_log  /var/log/nginx/gitlab_access.log noip;
> 
> ... it doesn't satisfy your third point, but I don't really feel like
> geoip lookup of IP fits the 'privacy preserving' frame.


Re: [guardian-dev] Privacy preserving anonymized nginx log config

2018-01-30 Thread micah

Abel Luck writes:

> Does anyone know of a configuration solution for nginx to meet any or
> all of these bullet points?
>
> * log only the date, not the time or time zone
> * referer, ip, user-agent are never logged
> * country is logged by looking up the ip in a geoip database
>
> Ideally this would apply to both the standard access log and error log.

Drop the following in conf.d/noip:

log_format  noip  '0.0.0.0 - $remote_user [$time_local] '
  '"$request" $status $body_bytes_sent '
  '"$http_referer" "$http_user_agent"';

and then reference it in your log lines, like this:

access_log  /var/log/nginx/gitlab_access.log noip;

... it doesn't satisfy your third point, but I don't really feel like
geoip lookup of IP fits the 'privacy preserving' frame.
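
[Added example, not part of the original post or written by anyone in the thread.] A configuration that addresses the three bullet points from the question: date-only timestamps, no IP, referer or user-agent, and an optional country code. It assumes an nginx build that includes ngx_http_geoip_module; the names $log_date and "dateonly", the server name and all file paths are placeholders.

```nginx
# Added example. Place in the http {} context, e.g. a file under conf.d/.
# $log_date, "dateonly", example.org and the paths are placeholders.

# Bullet 1: keep only YYYY-MM-DD from $time_iso8601
# (e.g. 2018-01-30T09:11:00+00:00), dropping time of day and time zone.
map $time_iso8601 $log_date {
    default                          "-";
    "~^(?<ymd>\d{4}-\d{2}-\d{2})"    $ymd;
}

# Bullet 3 (optional): the lookup happens inside nginx and only the
# two-letter country code reaches the log. Requires ngx_http_geoip_module
# and a country database at the given (placeholder) path. Remove this
# directive and $geoip_country_code below if country is not wanted.
geoip_country /usr/share/GeoIP/GeoIP.dat;

# Bullet 2: the format names no variable that carries the client address,
# referer, user agent or authenticated user ($remote_addr, $http_referer,
# $http_user_agent, $http_x_forwarded_for, $remote_user).
log_format dateonly '[$log_date] $geoip_country_code '
                    '"$request" $status $body_bytes_sent';

server {
    listen 80;
    server_name example.org;

    access_log /var/log/nginx/access.log dateonly;

    # error_log has no format directive, and its entries include the
    # client address and full timestamps. The only controls are the
    # severity threshold and the destination.
    error_log /var/log/nginx/error.log crit;

    # To discard error output entirely, send it to /dev/null instead.
    # ("error_log off;" does not disable it; it logs to a file named "off".)
    # error_log /dev/null crit;
}
```

Other log_format definitions in the same configuration still apply wherever an access_log line references them, so each access_log directive needs to name the stripped format explicitly.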


[guardian-dev] Privacy preserving anonymized nginx log config

2018-01-30 Thread Abel Luck

Does anyone know of a configuration solution for nginx to meet any or
all of these bullet points?

* log only the date, not the time or time zone
* referer, ip, user-agent are never logged
* country is logged by looking up the ip in a geoip database

Ideally this would apply to both the standard access log and error log.

~abel