Anonymizing IPs Using HAProxy

At work, I had to come up with an easy way to anonymize the last octet of a logged IP address in order to comply with German data protection laws. If you’re using HAProxy (1.5+), you can do this in one line.

If you want to forward the source IP address to a backend server, you would usually use option forwardfor. Sadly you can’t set or change the forwarded IP using that option, so instead you have to set the X-Forwarded-For header manually.

http-request set-header X-Forwarded-For %[src,ipmask(24)]

This will set the last octet of the source IP address to zero.

The HAProxy documentation has more information on the various things I used in this post:

Comments