diff options
-rw-r--r-- | doc/guix.texi | 71 | ||||
-rw-r--r-- | gnu/services/web.scm | 110 |
2 files changed, 179 insertions, 2 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index 9d9cb3dc07..b97ee9fa64 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -30,7 +30,7 @@ Copyright @copyright{} 2015, 2016 Mathieu Lirzin@* Copyright @copyright{} 2014 Pierre-Antoine Rault@* Copyright @copyright{} 2015 Taylan Ulrich Bayırlı/Kammer@* Copyright @copyright{} 2015, 2016, 2017, 2019, 2020, 2021 Leo Famulari@* -Copyright @copyright{} 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ricardo Wurmus@* +Copyright @copyright{} 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 Ricardo Wurmus@* Copyright @copyright{} 2016 Ben Woodcroft@* Copyright @copyright{} 2016, 2017, 2018, 2021 Chris Marusich@* Copyright @copyright{} 2016, 2017, 2018, 2019, 2020, 2021, 2022 Efraim Flashner@* @@ -18706,6 +18706,75 @@ String or gexp denoting the corresponding mcron job schedule @end table @end deftp +@cindex logging, anonymization +@subheading Anonip Service + +Anonip is a privacy filter that removes IP address from web server logs. +This service creates a FIFO and filters any written lines with anonip +before writing the filtered log to a target file. + +The following example sets up the FIFO +@file{/var/run/anonip/https.access.log} and writes the filtered log file +@file{/var/log/anonip/https.access.log}. + +@lisp +(service anonip-service-type + (anonip-configuration + (input "/var/run/anonip/https.access.log") + (output "/var/log/anonip/https.access.log"))) +@end lisp + +Configure your web server to write its logs to the FIFO at +@file{/var/run/anonip/https.access.log} and collect the anonymized log +file at @file{/var/web-logs/https.access.log}. + +@deftp {Data Type} anonip-configuration +This data type represents the configuration of anonip. +It has the following parameters: + +@table @asis +@item @code{anonip} (default: @code{anonip}) +The anonip package to use. + +@item @code{input} +The file name of the input log file to process. The service creates a +FIFO of this name. The web server should write its logs to this FIFO. + +@item @code{output} +The file name of the processed log file. +@end table + +The following optional settings may be provided: + +@table @asis +@item @code{skip-private?} +When @code{#true} do not mask addresses in private ranges. + +@item @code{column} +A 1-based indexed column number. Assume IP address is in the specified +column (default is 1). + +@item @code{replacement} +Replacement string in case address parsing fails, e.g. @code{"0.0.0.0"}. + +@item @code{ipv4mask} +Number of bits to mask in IPv4 addresses. + +@item @code{ipv6mask} +Number of bits to mask in IPv6 addresses. + +@item @code{increment} +Increment the IP address by the given number. By default this is zero. + +@item @code{delimiter} +Log delimiter string. + +@item @code{regex} +Regular expression for detecting IP addresses. Use this instead of @code{column}. +@end table +@end deftp + + @node Networking Setup @subsection Networking Setup diff --git a/gnu/services/web.scm b/gnu/services/web.scm index 4434fecf02..f0c7e90cbf 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -9,7 +9,7 @@ ;;; Copyright © 2018 Pierre-Antoine Rouby <pierre-antoine.rouby@inria.fr> ;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2019, 2020 Florian Pelz <pelzflorian@pelzflorian.de> -;;; Copyright © 2020 Ricardo Wurmus <rekado@elephly.net> +;;; Copyright © 2020, 2022 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2020 Arun Isaac <arunisaac@systemreboot.net> ;;; Copyright © 2020 Oleg Pykhalov <go.wigust@gmail.com> @@ -205,6 +205,21 @@ tailon-service-type + anonip-configuration + anonip-configuration? + anonip-configuration-anonip + anonip-configuration-input + anonip-configuration-output + anonip-configuration-skip-private? + anonip-configuration-column + anonip-configuration-replacement + anonip-configuration-ipv4mask + anonip-configuration-ipv6mask + anonip-configuration-increment + anonip-configuration-delimiter + anonip-configuration-regex + anonip-service-type + varnish-configuration varnish-configuration? varnish-configuration-package @@ -1355,6 +1370,99 @@ files.") files)))))))) (default-value (tailon-configuration)))) + + +;;; +;;; Log anonymization +;;; + +(define-record-type* <anonip-configuration> + anonip-configuration make-anonip-configuration + anonip-configuration? + (anonip anonip-configuration-anonip ;file-like + (default anonip)) + (input anonip-configuration-input) ;string + (output anonip-configuration-output) ;string + (skip-private? anonip-configuration-skip-private? ;boolean + (default #f)) + (column anonip-configuration-column ;number + (default #f)) + (replacement anonip-configuration-replacement ;string + (default #f)) + (ipv4mask anonip-configuration-ipv4mask ;number + (default #f)) + (ipv6mask anonip-configuration-ipv6mask ;number + (default #f)) + (increment anonip-configuration-increment ;number + (default #f)) + (delimiter anonip-configuration-delimiter ;string + (default #f)) + (regex anonip-configuration-regex ;string + (default #f))) + +(define (anonip-activation config) + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (for-each + (lambda (directory) + (mkdir-p directory) + (chmod directory #o755)) + (list (dirname #$(anonip-configuration-input config)) + (dirname #$(anonip-configuration-output config))))))) + +(define (anonip-shepherd-service config) + (let ((input (anonip-configuration-input config)) + (output (anonip-configuration-output config)) + (optional + (lambda (accessor option) + (or (and=> (accessor config) + (lambda (value) + (list + (format #false "~a=~a" + option value)))) + (list))))) + (list (shepherd-service + (provision (list (symbol-append 'anonip- (string->symbol output)))) + (requirement '(user-processes)) + (documentation "Anonimyze the given log file location with anonip.") + (start #~(lambda _ + (unless (file-exists? #$input) + (mknod #$input 'fifo #o600 0)) + (let ((pid (fork+exec-command + (append + (list #$(file-append (anonip-configuration-anonip config) + "/bin/anonip") + (string-append "--input=" #$input) + (string-append "--output=" #$output)) + (if #$(anonip-configuration-skip-private? config) + '("--skip-private") (list)) + '#$(optional anonip-configuration-column "--column") + '#$(optional anonip-configuration-ipv4mask "--ipv4mask") + '#$(optional anonip-configuration-ipv6mask "--ipv6mask") + '#$(optional anonip-configuration-increment "--increment") + '#$(optional anonip-configuration-replacement "--replacement") + '#$(optional anonip-configuration-delimiter "--delimiter") + '#$(optional anonip-configuration-regex "--regex")) + ;; Run in a UTF-8 locale + #:environment-variables + (list (string-append "GUIX_LOCPATH=" #$glibc-utf8-locales + "/lib/locale") + "LC_ALL=en_US.utf8")))) + pid))) + (stop #~(make-kill-destructor)))))) + +(define anonip-service-type + (service-type + (name 'anonip) + (extensions + (list (service-extension shepherd-root-service-type + anonip-shepherd-service) + (service-extension activation-service-type + anonip-activation))) + (description + "Provide web server log anonymization with @command{anonip}."))) + ;;; ;;; Varnish |