From f9683e1077ad3cc9c2fa1c0618208602a7742982 Mon Sep 17 00:00:00 2001
From: Marcus Noble
Date: Mon, 2 Sep 2024 08:18:48 +0100
Subject: [PATCH] Include a masked remote addr in nginx logs

Signed-off-by: Marcus Noble
---
 manifests/nginx-lb/nginx-lb.yaml | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/manifests/nginx-lb/nginx-lb.yaml b/manifests/nginx-lb/nginx-lb.yaml
index a05f1cf..f540024 100644
--- a/manifests/nginx-lb/nginx-lb.yaml
+++ b/manifests/nginx-lb/nginx-lb.yaml
@@ -337,10 +337,31 @@ apiVersion: v1
 data:
 allow-snippet-annotations: "true"
 use-proxy-protocol: "true"
- log-format-upstream: '{"time": "$time_iso8601", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "host": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time,"method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "redirect_location": "$redirect_location" }'
+ log-format-upstream: '{"time": "$time_iso8601", "request_id": "$req_id", "remote_user": "$remote_user", "remote_addr_masked": "$remote_addr_masked", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "host": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time,"method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "redirect_location": "$redirect_location" }'
 plugins: "redirect_location"
 location-snippet: |
 set $redirect_location '';
+ server-snippet: |
+ set_by_lua_block $remote_addr_masked {
+ local bit = require("bit")
+
+ local hval = 2166136261
+ local rem_addr = ngx.var.remote_addr
+
+ for w in rem_addr:gmatch(".") do
+ hval = bit.bxor(hval,string.byte(w))
+ hval = hval + bit.lshift(hval,1) + bit.lshift(hval,4) + bit.lshift(hval,7) + bit.lshift(hval,8) + bit.lshift(hval,24)
+ end
+ if hval < 0 then
+ hval = bit.bnot(hval)
+ end
+ local octet1 = bit.band(bit.rshift(hval,24), 255)
+ local octet2 = bit.band(bit.rshift(hval,16), 255)
+ local octet3 = bit.band(bit.rshift(hval,8), 255)
+ local octet4 = bit.band(hval, 255)
+ local op = octet1 .. "." .. octet2 .. "." .. octet3 .. "." .. octet4
+ return op
+ }
 kind: ConfigMap
 metadata:
 labels:
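Review bot: The `remote_addr_masked` value built in the added `server-snippet` is an unkeyed 32-bit FNV-1a hash of `ngx.var.remote_addr`, so it pseudonymises rather than anonymises: the IPv4 space is only 2^32 values, and the masked field can be mapped back to candidate addresses by anyone who holds the logs and this manifest. If the field is meant to make the logs safe to retain or share, key the digest with a rotated secret that is not stored in the manifest, e.g. `local digest = ngx.hmac_sha1(mask_key, rem_addr)` (`mask_key` is a placeholder for a value loaded from a Secret), and derive the four octets from the first bytes of `digest`. Separately, `if hval < 0 then hval = bit.bnot(hval) end` inverts every bit rather than normalising the sign; `bit.rshift` and `bit.band` already treat the value as 32 bits, and the inversion can make a hash and its complement print the same, so I would drop those three lines. A comment above `set_by_lua_block` saying that the output is a dotted-quad-shaped hash (for IPv6 clients as well) and not a real address would help whoever queries these logs.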