From: Ralf Jung Date: Tue, 1 May 2018 16:25:51 +0000 (+0200) Subject: deploy apache log anonymizer X-Git-Url: https://git.ralfj.de/ansible.git/commitdiff_plain/dfc066052e57635234c8afed9010c38f55e5cc78 deploy apache log anonymizer --- diff --git a/roles/apache/files/log-anon b/roles/apache/files/log-anon new file mode 100644 index 0000000..51775a0 --- /dev/null +++ b/roles/apache/files/log-anon @@ -0,0 +1,39 @@ +#!/usr/bin/python +import sys, re +from netaddr import IPAddress + +if len(sys.argv) != 2: + print >>sys.stderr, "Usage: %s filename" % sys.argv[0] + sys.exit(1) + +log = open(sys.argv[1], "a") + +# group 1 must be the prefix, group 2 the IP, group 3 the suffix +ipmatch = r"([0-9a-f.:]+)" +accesslog = re.compile(r"^(\S+ )"+ipmatch+r"( .*)$") +errorlog = re.compile(r"^(.* \[client )"+ipmatch+r"(\] .*)$") + +while True: + line = sys.stdin.readline() + if not line: break + # process this line + match = accesslog.search(line) + if match is None: + match = errorlog.search(line) + # check what we got + if match is None: + # unknown line + log.write(line) + else: + prefix = match.group(1) + ip = match.group(2) + suffix = match.group(3) + try: + ip = IPAddress(ip) # parse the addres + ip = ip & (IPAddress('255.255.255.0') if ip.version == 4 else IPAddress('ffff:ffff:ffff::')) # mask out a bunch of bits + # now we have a parsed representation of the IP address we want to print + log.write(prefix+str(ip)+suffix+"\n") + except (ValueError, netaddr.core.AddrFormatError): + # not actually an IP address... + log.write(line) + log.flush() diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml index 12f9580..a4d1b24 100644 --- a/roles/apache/tasks/main.yml +++ b/roles/apache/tasks/main.yml @@ -1,5 +1,5 @@ - name: install apache - apt: name=apache2 state=latest + apt: name=apache2,python-netaddr state=latest - name: enable apache service: name=apache2 enabled=yes # config @@ -19,6 +19,11 @@ loop: - access_compat notify: apache +- name: install log anonymization script + copy: + dest: /etc/apache2/log-anon + src: files/log-anon + mode: +x - name: install shared config files copy: dest: /etc/apache2/conf-available/{{ item }}