From 2774cc7f7a1d302389e5d45d7a73b38b9be92c54 Mon Sep 17 00:00:00 2001
From: Till Brehm
Date: Wed, 23 May 2018 19:08:38 +0200
Subject: [PATCH] Add access and error log controls for nginx servers. Add description text for logging options.
---
 install/dist/lib/fedora.lib.php | 11 ++++++++++
 install/dist/lib/opensuse.lib.php | 10 ++++++++++
 install/lib/installer_base.lib.php | 11 ++++++++++
 install/tpl/nginx_anonlog.master | 20 +++++++++++++++++++
 .../web/admin/lib/lang/en_server_config.lng | 2 +-
 .../templates/server_config_web_edit.htm | 2 +-
 server/conf/nginx_vhost.conf.master | 6 ++++++
 server/plugins-available/nginx_plugin.inc.php | 3 +++
 8 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 install/tpl/nginx_anonlog.master
diff --git a/install/dist/lib/fedora.lib.php b/install/dist/lib/fedora.lib.php
index 9ceae29ca..f1d57f9c8 100644
--- a/install/dist/lib/fedora.lib.php
+++ b/install/dist/lib/fedora.lib.php
@@ -812,6 +812,17 @@ class installer_dist extends installer_base {
 //* add a sshusers group
 $command = 'groupadd sshusers';
 if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
+ // add anonymized log option to nginxx.conf file
+ $nginx_conf_file = $conf['nginx']['config_dir'].'/nginx.conf';
+ if(is_file($nginx_conf_file)) {
+ $tmp = file_get_contents($nginx_conf_file);
+ if(!stristr($tmp, 'log_format anonymized')) {
+ copy($nginx_conf_file,$nginx_conf_file.'~');
+ replaceLine($nginx_conf_file, 'http {', "http {\n\n".file_get_contents('tpl/nginx_anonlog.master'), 0, 0);
+ }
+ }
+
 }
 public function configure_bastille_firewall()
diff --git a/install/dist/lib/opensuse.lib.php b/install/dist/lib/opensuse.lib.php
index 277a9dc22..b83b24dcf 100644
--- a/install/dist/lib/opensuse.lib.php
+++ b/install/dist/lib/opensuse.lib.php
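Review bot: The result of `file_get_contents('tpl/nginx_anonlog.master')` is used unchecked in the added block, and the path is relative to whatever directory the installer runs from, so a failed read leaves `nginx.conf` rewritten without the `log_format anonymized` definition and nothing is reported. The vhost template changed later in this patch references that format by name, and nginx rejects an `access_log` that names an undefined format, so a silent miss here can surface later as a web server that will not reload. I would read the template first and skip with a log message when it is unavailable, `$anonlog = file_get_contents('tpl/nginx_anonlog.master');` followed by `if($anonlog !== false && !stristr($tmp, 'log_format anonymized')) {`, and check the return value of `copy()` before the original file is touched. The same block is repeated in the opensuse.lib.php and installer_base.lib.php hunks (the comment reads `nginxx.conf` in all three), and the enclosing method begins outside each hunk.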
@@ -823,6 +823,16 @@ class installer_dist extends installer_base {
 //* add a sshusers group
 $command = 'groupadd sshusers';
 if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
+ // add anonymized log option to nginxx.conf file
+ $nginx_conf_file = $conf['nginx']['config_dir'].'/nginx.conf';
+ if(is_file($nginx_conf_file)) {
+ $tmp = file_get_contents($nginx_conf_file);
+ if(!stristr($tmp, 'log_format anonymized')) {
+ copy($nginx_conf_file,$nginx_conf_file.'~');
+ replaceLine($nginx_conf_file, 'http {', "http {\n\n".file_get_contents('tpl/nginx_anonlog.master'), 0, 0);
+ }
+ }
 }
 public function configure_bastille_firewall()
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 7d3092372..8a1dcd465 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -1843,6 +1843,17 @@ class installer_base {
 //* add a sshusers group
 $command = 'groupadd sshusers';
 if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
+ // add anonymized log option to nginxx.conf file
+ $nginx_conf_file = $conf['nginx']['config_dir'].'/nginx.conf';
+ if(is_file($nginx_conf_file)) {
+ $tmp = file_get_contents($nginx_conf_file);
+ if(!stristr($tmp, 'log_format anonymized')) {
+ copy($nginx_conf_file,$nginx_conf_file.'~');
+ replaceLine($nginx_conf_file, 'http {', "http {\n\n".file_get_contents('tpl/nginx_anonlog.master'), 0, 0);
+ }
+ }
+
 }
 public function configure_fail2ban() {
diff --git a/install/tpl/nginx_anonlog.master b/install/tpl/nginx_anonlog.master
new file mode 100644
index 000000000..77b1dbbcc
--- /dev/null
+++ b/install/tpl/nginx_anonlog.master
@@ -0,0 +1,20 @@
+map $remote_addr $ip_anonym1 {
+default 0.0.0;
+"~(?P(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
+"~(?P[^:]+:[^:]+):" $ip;
+}
+
+map $remote_addr $ip_anonym2 {
+default .0;
+"~(?P(\d+)\.(\d+)\.(\d+))\.\d+" .0;
+"~(?P[^:]+:[^:]+):" ::;
+}
+
+map $ip_anonym1$ip_anonym2 $ip_anonymized {
+default 0.0.0.0;
+"~(?P.*)" $ip;
+}
+
+log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent"';
diff --git a/interface/web/admin/lib/lang/en_server_config.lng b/interface/web/admin/lib/lang/en_server_config.lng
index 4393a5255..5d087356e 100644
--- a/interface/web/admin/lib/lang/en_server_config.lng
+++ b/interface/web/admin/lib/lang/en_server_config.lng
@@ -289,7 +289,7 @@ $wb['skip_le_check_txt'] = 'Skip Lets Encrypt Check';
 $wb['migration_mode_txt'] = 'Server Migration Mode';
 $wb['nginx_enable_pagespeed_txt'] = 'Makes Pagespeed available';
 $wb['logging_txt'] = 'Store website access and error logs';
-$wb['logging_desc_txt'] = 'Use Tools > Resync to apply changes to existing sites.';
+$wb['logging_desc_txt'] = 'Use Tools > Resync to apply changes to existing sites. For Apache, access and error log can be anonymized. For nginx, only the access log is anonymized, the error log will contain IP addresses.';
 $wb['log_retention_txt'] = 'Log retention (days)';
 $wb['log_retention_error_ispositive'] = 'Log retention must be a number > 0';
 ?>
diff --git a/interface/web/admin/templates/server_config_web_edit.htm b/interface/web/admin/templates/server_config_web_edit.htm
index 5a28ffc58..c1bae44c0 100644
--- a/interface/web/admin/templates/server_config_web_edit.htm
+++ b/interface/web/admin/templates/server_config_web_edit.htm
@@ -110,7 +110,7 @@
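Review bot: The new template carries no comment saying how much of the client address survives, which is what an operator or auditor needs to know before relying on the `anonymized` format. Reading the three maps, IPv4 addresses keep their first three octets with `.0` appended, IPv6 addresses keep their first two groups followed by `::`, and anything matching neither pattern is written as `0.0.0.0`; a header comment such as `# IPv4: last octet zeroed; IPv6: first two groups kept; no match: 0.0.0.0` would record that. The comment should also state that `$remote_user`, `$request` (query string included) and `$http_referer` are logged unchanged, so the file can still hold personal data. The named capture in the regexes appears truncated on this page (`(?P(`), presumably an extraction artefact rather than the committed text.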
+ {tmpl_var name='logging_desc_txt'}
diff --git a/server/conf/nginx_vhost.conf.master b/server/conf/nginx_vhost.conf.master
index 596662d8a..1fd98a589 100644
--- a/server/conf/nginx_vhost.conf.master
+++ b/server/conf/nginx_vhost.conf.master
@@ -110,8 +110,14 @@ server { } + error_log /var/log/ispconfig/httpd//error.log; access_log /var/log/ispconfig/httpd//access.log combined; + + + error_log /var/log/ispconfig/httpd//error.log; + access_log /var/log/ispconfig/httpd//access.log anonymized; + ## Disable .htaccess and other hidden files location ~ /\. {
diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
index c09e226d0..20ba4e96f 100644
--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -1524,6 +1524,9 @@ class nginx_plugin {
 }
 unset($tmp_output, $tmp_retval);
 }
+
+ // set logging variable
+ $vhost_data['logging'] = $web_config['logging'];
 $tpl->setVar($vhost_data);
-- GitLab
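Review bot: Both log blocks in this hunk emit an `error_log`/`access_log` pair, and nothing visible covers a site whose logging is switched off; the conditional markup around the blocks is not shown on this page, so this is inferred from the second pair differing only in the log format. When a `server` block contains no `access_log` or `error_log` directive, nginx inherits the ones from the `http` context, so requests for such a site would still be recorded in the server-wide log with full client addresses. If a disabled setting exists, give it its own branch containing `access_log off;` so the choice is explicit per vhost, and note in the template that the error log cannot be anonymized this way.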
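Review bot: `$web_config['logging']` is copied into the template data without checking that the key exists, so a server whose web configuration predates this option would pass an empty value and raise an undefined-index notice. The vhost template would then presumably match neither logging block, and existing sites could stop writing per-site logs after an upgrade until the server config is saved again. A fallback keeps the previous behaviour, for example `$vhost_data['logging'] = isset($web_config['logging']) ? $web_config['logging'] : '<default-mode-placeholder>';` where the placeholder stands for the value that means plain logging. The enclosing method starts and ends outside the hunk.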