From e8c7091c3fb6bb630c76c6b72e7023ce40c1b84e Mon Sep 17 00:00:00 2001
From: Aine
Date: Wed, 30 Jul 2025 12:59:42 +0100
Subject: [PATCH] update nginx configs for cinny, hydrogen, and synapse reverse proxy companion with ip anonymization
---
 .../matrix-client-cinny/templates/nginx.conf.j2 | 12 +++++++++---
 .../matrix-client-hydrogen/templates/nginx.conf.j2 | 12 +++++++++---
 .../templates/nginx/nginx.conf.j2 | 12 +++++++++---
 3 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/roles/custom/matrix-client-cinny/templates/nginx.conf.j2 b/roles/custom/matrix-client-cinny/templates/nginx.conf.j2
index de9268842..774cdd998 100644
--- a/roles/custom/matrix-client-cinny/templates/nginx.conf.j2
+++ b/roles/custom/matrix-client-cinny/templates/nginx.conf.j2
@@ -31,9 +31,15 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
+ map $remote_addr $remote_addr_anon {
+ ~(?P\d+\.\d+\.\d+)\. $ip.0;
+ ~(?P[^:]+:[^:]+): $ip::;
+ default 0.0.0.0;
+ }
+
+ log_format main '$remote_addr_anon - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
 access_log /var/log/nginx/access.log main;
diff --git a/roles/custom/matrix-client-hydrogen/templates/nginx.conf.j2 b/roles/custom/matrix-client-hydrogen/templates/nginx.conf.j2
index e951f3670..41f5f0fc3 100644
--- a/roles/custom/matrix-client-hydrogen/templates/nginx.conf.j2
+++ b/roles/custom/matrix-client-hydrogen/templates/nginx.conf.j2
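Review bot: The new `log_format main` still ends with `"$http_x_forwarded_for"`, so the full client address is written to the access log whenever a fronting proxy sets that header, and only `$remote_addr` is truncated; the same applies to the hydrogen and synapse-reverse-proxy-companion hunks. If these containers are reached through a reverse proxy (likely, though not visible here), `$remote_addr` is the proxy's own address and the forwarded header is the only field that identifies the user. Either drop the field, ending the format with `'"$http_user_agent"';`, or log an anonymized variable derived from the header by a second `map`. Also, the capture group is printed here as `(?P\d+` without a name, probably lost in rendering; `$ip` needs `(?P<ip>...)`, and anchoring both patterns with `^` would keep them from matching mid-string. The `http {` block starts and ends outside the hunk.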
@@ -31,9 +31,15 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
+ map $remote_addr $remote_addr_anon {
+ ~(?P\d+\.\d+\.\d+)\. $ip.0;
+ ~(?P[^:]+:[^:]+): $ip::;
+ default 0.0.0.0;
+ }
+
+ log_format main '$remote_addr_anon - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
 access_log /var/log/nginx/access.log main;
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2
index 98af2ab29..8df94b6f4 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2
@@ -33,9 +33,15 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
+ map $remote_addr $remote_addr_anon {
+ ~(?P\d+\.\d+\.\d+)\. $ip.0;
+ ~(?P[^:]+:[^:]+): $ip::;
+ default 0.0.0.0;
+ }
+
+ log_format main '$remote_addr_anon - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
 {% if matrix_synapse_reverse_proxy_companion_access_log_enabled %}
 access_log /var/log/nginx/access.log main;