Anonymized IPs in nginx Access Log

If you want to reduce your nginx logs to non-personalized resp. anonymized client addresses, you may apply the following method, running a slightly changed log format after setting a new variable $remote_addr_anon.

The changes boil down to the following three steps.

Include for $remote_addr_anon

Prepare a configuration snippet remote_addr_anon for use in include statements in server definitions just before access_log is defined:

# Anonymize IP address.
set $remote_addr_anon '-anon-';

# IPv4: Flush lower 16 bits, leaving upper 16 bits.
if ($remote_addr ~ ^(\d+)\.(\d+)\.) {
	set $remote_addr_anon $1.$2.0.1;
# IPv6: Flush lower 80 bits, leaving upper 48 bits.
if ($remote_addr ~ ^(\w+):(\w+):(\w+):) {
	set $remote_addr_anon $1:$2:$3:1::1;

In my Debian-based nginx installation I placed this file at /etc/nginx/remote_addr_anon, so I can reference it later without path prefix. I recommend a standard location to keep the reference in step 3 simple.

Configure log_format

In the global http section introduce a new log format derived from the pre-defined combined one:

log_format combined_anon
        '$remote_addr_anon - $remote_user [$time_local] '
        '"$request" $status $body_bytes_sent '
        '"$http_referer" "$http_user_agent"';

If you compare this to the standard definition of combined you will see, that only $remote_addr was changed to $remote_addr_anon.

In my Debian-based nginx installation I put this into a separate /etc/nginx/conf.d/log_anon.conf.

Set Variable and activate Format in server

Change your server setups to include the remote_addr_anon file and switch to the new format combined_anon:

server {
	include remote_addr_anon;
	access_log /var/log/nginx/access.log combined_anon;
	error_log /var/log/nginx/error.log;

In my case the include statements are able to reference the file just by name, because it’s in the standard location.

With relative or absolute path prefixes you can fix problems in different setups.

The log file locations are provided as example, you can adopt existing definitions, just add the new log format combined_anon to your access_log and keep the file locations.

You are know read to check the new configuration with nginx -t before reloading with nginx -s reload in case there is no error.