summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--doc/guix.texi71
-rw-r--r--gnu/services/web.scm110
2 files changed, 179 insertions, 2 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 9d9cb3dc07..b97ee9fa64 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -30,7 +30,7 @@ Copyright @copyright{} 2015, 2016 Mathieu Lirzin@*
 Copyright @copyright{} 2014 Pierre-Antoine Rault@*
 Copyright @copyright{} 2015 Taylan Ulrich Bayırlı/Kammer@*
 Copyright @copyright{} 2015, 2016, 2017, 2019, 2020, 2021 Leo Famulari@*
-Copyright @copyright{} 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ricardo Wurmus@*
+Copyright @copyright{} 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 Ricardo Wurmus@*
 Copyright @copyright{} 2016 Ben Woodcroft@*
 Copyright @copyright{} 2016, 2017, 2018, 2021 Chris Marusich@*
 Copyright @copyright{} 2016, 2017, 2018, 2019, 2020, 2021, 2022 Efraim Flashner@*
@@ -18706,6 +18706,75 @@ String or gexp denoting the corresponding mcron job schedule
 @end table
 @end deftp
 
+@cindex logging, anonymization
+@subheading Anonip Service
+
+Anonip is a privacy filter that removes IP address from web server logs.
+This service creates a FIFO and filters any written lines with anonip
+before writing the filtered log to a target file.
+
+The following example sets up the FIFO
+@file{/var/run/anonip/https.access.log} and writes the filtered log file
+@file{/var/log/anonip/https.access.log}.
+
+@lisp
+(service anonip-service-type
+         (anonip-configuration
+           (input  "/var/run/anonip/https.access.log")
+           (output "/var/log/anonip/https.access.log")))
+@end lisp
+
+Configure your web server to write its logs to the FIFO at
+@file{/var/run/anonip/https.access.log} and collect the anonymized log
+file at @file{/var/web-logs/https.access.log}.
+
+@deftp {Data Type} anonip-configuration
+This data type represents the configuration of anonip.
+It has the following parameters:
+
+@table @asis
+@item @code{anonip} (default: @code{anonip})
+The anonip package to use.
+
+@item @code{input}
+The file name of the input log file to process.  The service creates a
+FIFO of this name.  The web server should write its logs to this FIFO.
+
+@item @code{output}
+The file name of the processed log file.
+@end table
+
+The following optional settings may be provided:
+
+@table @asis
+@item @code{skip-private?}
+When @code{#true} do not mask addresses in private ranges.
+
+@item @code{column}
+A 1-based indexed column number.  Assume IP address is in the specified
+column (default is 1).
+
+@item @code{replacement}
+Replacement string in case address parsing fails, e.g. @code{"0.0.0.0"}.
+
+@item @code{ipv4mask}
+Number of bits to mask in IPv4 addresses.
+
+@item @code{ipv6mask}
+Number of bits to mask in IPv6 addresses.
+
+@item @code{increment}
+Increment the IP address by the given number.  By default this is zero.
+
+@item @code{delimiter}
+Log delimiter string.
+
+@item @code{regex}
+Regular expression for detecting IP addresses.  Use this instead of @code{column}.
+@end table
+@end deftp
+
+
 @node Networking Setup
 @subsection Networking Setup
 
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 4434fecf02..f0c7e90cbf 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -9,7 +9,7 @@
 ;;; Copyright © 2018 Pierre-Antoine Rouby <pierre-antoine.rouby@inria.fr>
 ;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2019, 2020 Florian Pelz <pelzflorian@pelzflorian.de>
-;;; Copyright © 2020 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2020, 2022 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2020 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2020 Oleg Pykhalov <go.wigust@gmail.com>
@@ -205,6 +205,21 @@
 
             tailon-service-type
 
+            anonip-configuration
+            anonip-configuration?
+            anonip-configuration-anonip
+            anonip-configuration-input
+            anonip-configuration-output
+            anonip-configuration-skip-private?
+            anonip-configuration-column
+            anonip-configuration-replacement
+            anonip-configuration-ipv4mask
+            anonip-configuration-ipv6mask
+            anonip-configuration-increment
+            anonip-configuration-delimiter
+            anonip-configuration-regex
+            anonip-service-type
+
             varnish-configuration
             varnish-configuration?
             varnish-configuration-package
@@ -1355,6 +1370,99 @@ files.")
                                  files))))))))
    (default-value (tailon-configuration))))
 
+
+
+;;;
+;;; Log anonymization
+;;;
+
+(define-record-type* <anonip-configuration>
+  anonip-configuration make-anonip-configuration
+  anonip-configuration?
+  (anonip            anonip-configuration-anonip       ;file-like
+                     (default anonip))
+  (input             anonip-configuration-input)       ;string
+  (output            anonip-configuration-output)      ;string
+  (skip-private?     anonip-configuration-skip-private? ;boolean
+                     (default #f))
+  (column            anonip-configuration-column       ;number
+                     (default #f))
+  (replacement       anonip-configuration-replacement  ;string
+                     (default #f))
+  (ipv4mask          anonip-configuration-ipv4mask     ;number
+                     (default #f)) 
+  (ipv6mask          anonip-configuration-ipv6mask     ;number
+                     (default #f))
+  (increment         anonip-configuration-increment    ;number
+                     (default #f))
+  (delimiter         anonip-configuration-delimiter    ;string
+                     (default #f))
+  (regex             anonip-configuration-regex        ;string
+                     (default #f)))
+
+(define (anonip-activation config)
+  (with-imported-modules '((guix build utils))
+    #~(begin
+        (use-modules (guix build utils))
+        (for-each
+         (lambda (directory)
+           (mkdir-p directory)
+           (chmod directory #o755))
+         (list (dirname #$(anonip-configuration-input config))
+               (dirname #$(anonip-configuration-output config)))))))
+
+(define (anonip-shepherd-service config)
+  (let ((input (anonip-configuration-input config))
+        (output (anonip-configuration-output config))
+        (optional
+         (lambda (accessor option)
+           (or (and=> (accessor config)
+                      (lambda (value)
+                        (list
+                         (format #false "~a=~a"
+                                 option value))))
+               (list)))))
+    (list (shepherd-service
+           (provision (list (symbol-append 'anonip- (string->symbol output))))
+           (requirement '(user-processes))
+           (documentation "Anonimyze the given log file location with anonip.")
+           (start #~(lambda _
+                      (unless (file-exists? #$input)
+                          (mknod #$input 'fifo #o600 0))
+                      (let ((pid (fork+exec-command
+                                  (append
+                                      (list #$(file-append (anonip-configuration-anonip config)
+                                                           "/bin/anonip")
+                                            (string-append "--input=" #$input)
+                                            (string-append "--output=" #$output))
+                                      (if #$(anonip-configuration-skip-private? config)
+                                          '("--skip-private") (list))
+                                    '#$(optional anonip-configuration-column "--column")
+                                    '#$(optional anonip-configuration-ipv4mask "--ipv4mask")
+                                    '#$(optional anonip-configuration-ipv6mask "--ipv6mask")
+                                    '#$(optional anonip-configuration-increment "--increment")
+                                    '#$(optional anonip-configuration-replacement "--replacement")
+                                    '#$(optional anonip-configuration-delimiter "--delimiter")
+                                    '#$(optional anonip-configuration-regex "--regex"))
+                                  ;; Run in a UTF-8 locale
+                                  #:environment-variables
+                                  (list (string-append "GUIX_LOCPATH=" #$glibc-utf8-locales
+                                                       "/lib/locale")
+                                        "LC_ALL=en_US.utf8"))))
+                        pid)))
+           (stop #~(make-kill-destructor))))))
+
+(define anonip-service-type
+  (service-type
+   (name 'anonip)
+   (extensions
+    (list (service-extension shepherd-root-service-type
+                             anonip-shepherd-service)
+          (service-extension activation-service-type
+                             anonip-activation)))
+   (description
+    "Provide web server log anonymization with @command{anonip}.")))
+
 
 ;;;
 ;;; Varnish