Add access and error log controls for nginx servers.

Add description text for logging options.

Author: Till Brehm

install/dist/lib/fedora.lib.php

@@ -812,6 +812,17 @@ public function configure_nginx(){
 		//* add a sshusers group
 		$command = 'groupadd sshusers';
 		if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+	
+		// add anonymized log option to nginxx.conf file
+		$nginx_conf_file = $conf['nginx']['config_dir'].'/nginx.conf';
+		if(is_file($nginx_conf_file)) {
+			$tmp = file_get_contents($nginx_conf_file);
+			if(!stristr($tmp, 'log_format anonymized')) {
+				copy($nginx_conf_file,$nginx_conf_file.'~');
+				replaceLine($nginx_conf_file, 'http {', "http {\n\n".file_get_contents('tpl/nginx_anonlog.master'), 0, 0);
+			}
+		}
+	
 	}
 
 	public function configure_bastille_firewall()

install/dist/lib/opensuse.lib.php

@@ -823,6 +823,16 @@ public function configure_nginx(){
 		//* add a sshusers group
 		$command = 'groupadd sshusers';
 		if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+	
+		// add anonymized log option to nginxx.conf file
+		$nginx_conf_file = $conf['nginx']['config_dir'].'/nginx.conf';
+		if(is_file($nginx_conf_file)) {
+			$tmp = file_get_contents($nginx_conf_file);
+			if(!stristr($tmp, 'log_format anonymized')) {
+				copy($nginx_conf_file,$nginx_conf_file.'~');
+				replaceLine($nginx_conf_file, 'http {', "http {\n\n".file_get_contents('tpl/nginx_anonlog.master'), 0, 0);
+			}
+		}
 	}
 
 	public function configure_bastille_firewall()

install/lib/installer_base.lib.php

@@ -1843,6 +1843,17 @@ public function configure_nginx(){
 		//* add a sshusers group
 		$command = 'groupadd sshusers';
 		if(!is_group('sshusers')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+		
+		// add anonymized log option to nginxx.conf file
+		$nginx_conf_file = $conf['nginx']['config_dir'].'/nginx.conf';
+		if(is_file($nginx_conf_file)) {
+			$tmp = file_get_contents($nginx_conf_file);
+			if(!stristr($tmp, 'log_format anonymized')) {
+				copy($nginx_conf_file,$nginx_conf_file.'~');
+				replaceLine($nginx_conf_file, 'http {', "http {\n\n".file_get_contents('tpl/nginx_anonlog.master'), 0, 0);
+			}
+		}
+		
 	}
 
 	public function configure_fail2ban() {

install/tpl/nginx_anonlog.master

@@ -0,0 +1,20 @@
+map $remote_addr $ip_anonym1 {
+default 0.0.0;
+"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
+"~(?P<ip>[^:]+:[^:]+):" $ip;
+}
+
+map $remote_addr $ip_anonym2 {
+default .0;
+"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
+"~(?P<ip>[^:]+:[^:]+):" ::;
+}
+
+map $ip_anonym1$ip_anonym2 $ip_anonymized {
+default 0.0.0.0;
+"~(?P<ip>.*)" $ip;
+}
+
+log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent"';

interface/web/admin/lib/lang/en_server_config.lng

@@ -289,7 +289,7 @@ $wb['skip_le_check_txt'] = 'Skip Lets Encrypt Check';
 $wb['migration_mode_txt'] = 'Server Migration Mode';
 $wb['nginx_enable_pagespeed_txt'] = 'Makes Pagespeed available';
 $wb['logging_txt'] = 'Store website access and error logs';
-$wb['logging_desc_txt'] = 'Use Tools > Resync to apply changes to existing sites.';
+$wb['logging_desc_txt'] = 'Use Tools > Resync to apply changes to existing sites. For Apache, access and error log can be anonymized. For nginx, only the access log is anonymized, the error log will contain IP addresses.';
 $wb['log_retention_txt'] = 'Log retention (days)';
 $wb['log_retention_error_ispositive'] = 'Log retention must be a number > 0';
 ?>

interface/web/admin/templates/server_config_web_edit.htm

@@ -110,7 +110,7 @@ <h4 class="panel-title">
                 <div class="col-sm-9">
 					<select name="logging" id="logging" class="form-control">
                         {tmpl_var name='logging'}
-                    </select>
+                    </select> {tmpl_var name='logging_desc_txt'}
 				</div>
             </div>
             <div class="form-group">

server/conf/nginx_vhost.conf.master

@@ -110,8 +110,14 @@ server {
         }
 </tmpl_if>
 
+<tmpl_if name='logging' op='==' value='yes'>
         error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
         access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log combined;
+</tmpl_var>
+<tmpl_if name='logging' op='==' value='anon'>
+        error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
+        access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log anonymized;
+</tmpl_var>
 
         ## Disable .htaccess and other hidden files
 		location ~ /\. {

server/plugins-available/nginx_plugin.inc.php

@@ -1524,6 +1524,9 @@ function update($event_name, $data) {
 			}
 			unset($tmp_output, $tmp_retval);
 		}
+		
+		// set logging variable
+		$vhost_data['logging'] = $web_config['logging'];
 
 		$tpl->setVar($vhost_data);