I’m not sure whether CPE would be willing to disable web server logs entirely.
Oh, I’d understood the change proposal as involving no IP addresses being stored by anything anywhere at all, not just them not being stored in the metrics database. Looking at the text again, it is probably the “which notably means IP addresses must not be stored” that led me to believe the proposal involved no storing of IP addresses at all. Anyway, um, it does seem of course much better to disable the web server logs?
Is there anything specific you’d like to see here? Other than “apply software updates regularly,” which is a pretty basic expectation?
- Having the machine that receives the initial requests be used solely for this proxying purpose, minimizing the software that runs on it.
- Automatic updates for nginx and the system.
- Generally considering it a sensitive system and restricting remote access methods and permissions accordingly.
And, sure, maybe some of these are pretty basic expectations. But, basic things are easy to forget and often there’s nobody who notices. It’s surprising the things that can just not get noticed or the degree to which there can be nobody with the time or willingness to fix them. Okay, for (an otherwise unrelated) example, the GNOME 3.38 runtime on Flathub never actually got EOLed because the pipeline that was supposed to do that failed. That was probably noticed by many people, but one way or another, it ends up still not being flagged as EOL today, two years after the last update. It’s just the way software is: everything is frequently broken, the breakage doesn’t get noticed for years, and even if it did nobody has the time to fix it anyway.
I suppose we could encrypt the data with a public key encryption scheme, and split up the server such that nginx and azafea-metrics-proxy run on different servers, and the server running nginx does not have the private key to decrypt the data.
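The split described above, as an added example in Go using only the standard library (not code from this thread or from azafea-metrics-proxy): the client seals each metrics payload to the proxy host’s X25519 public key, the nginx host forwards the opaque record, and only the host holding the private key can open it. The record layout, the SHA-256 key derivation and the function names are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Record layout (assumed): ephemeral X25519 public key (32 bytes) || AES-GCM ciphertext+tag.
// nginx only forwards these bytes; only the azafea-metrics-proxy host holds the private key.
const pubLen = 32
// aead derives an AES-256-GCM key from the shared secret and both public keys (demo KDF).
func aead(shared, ephPub, recipPub []byte) (cipher.AEAD, []byte) {
	key := sha256.Sum256(append(append(append([]byte{}, shared...), ephPub...), recipPub...))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: neither constructor can fail here
	gcm, _ := cipher.NewGCM(block)
	return gcm, make([]byte, gcm.NonceSize()) // zero nonce is safe: the key is fresh per message
}
// Seal needs only the recipient's public key, so it can run on the client or any untrusted hop.
func Seal(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	gcm, nonce := aead(shared, eph.PublicKey().Bytes(), recipient.Bytes())
	return gcm.Seal(eph.PublicKey().Bytes(), nonce, plaintext, nil), nil // ephPub || ct || tag
}
// Open runs only where the private key lives; any other key yields an auth error, not plaintext.
func Open(priv *ecdh.PrivateKey, record []byte) ([]byte, error) {
	if len(record) < pubLen {
		return nil, errors.New("record too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(record[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, nonce := aead(shared, record[:pubLen], priv.PublicKey().Bytes())
	return gcm.Open(nil, nonce, record[pubLen:], nil) // GCM itself rejects a short ciphertext
}
```

A compromised front host that only ever sees sealed records has nothing to correlate with the request's IP address beyond the record's length and timing.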
Yes, exactly this, this would be great.
It seems a little paranoid to me, but I guess we could do it if this is really considered important.
Not paranoid at all, it hugely helps reduce the risk of IP addresses and app usage data (or any other information that will be collected, but app usage data is the most sensitive I’ve seen mentioned yet) being collected together with any of the multiple ways that could otherwise happen. That’s one of the biggest risks, the encryption helps reduce it pretty significantly, and it’s way less complicated to do than the sort of thing that would be needed to hide the IP addresses.
I think it’s the single improvement with the best cost-benefit ratio.