ISPConfig GDPR

To make ISPConfig GDPR compliant, we think that the default log file retention time for websites should be reduced and the statistics should be turned off. ISPConfig itself has no problems with the GDPR, because you can delete customers at any time and all data stored for that customer will be removed from your server.

With the next ISPConfig release, 3.1.12, a storage time of 10 days will be the default for new websites. However, changing existing websites does not make sense, as the software is also used outside of the EU.

Problem: Statistics

The programs for creating web server statistics AWStats and Webalizer, which can be used with ISPConfig, also output the complete IP addresses of website visitors, if no corresponding adjustments have been made to the code.

We consider this to be incompatible with the GDPR and have therefore deactivated the statistics on all our web servers (our own and fully managed). To avoid doing this manually for each site, you will find a short bash snippet at the end, which you can simply run as root on your server. If you don’t have a --defaults-file, you can use -p instead and then enter your root password for MySQL. Of course, you can also enter the commands in phpMyAdmin.

Problem: Log Files

The default setting for the log files of all websites is 30 days. We think that a significantly lower value is sufficient. Here we take 10 days as an example. However, you should certainly ask yourself whether you really need to store the data for that long. The complete IP address is certainly needed in the log files to secure the server or to detect problems. But if you haven’t noticed an attack after 10 days, even a longer storage time won’t help much…

Solution

Don’t forget to make the changes on all servers if you have a multi-server setup.

And this is how it works with a single SQL call:

mysql --defaults-file=/etc/mysql/debian.cnf --database=dbispconfig -e "
ALTER TABLE web_domain CHANGE stats_type stats_type varchar(255) DEFAULT ''; 
ALTER TABLE web_domain CHANGE log_retention log_retention INT(11) NOT NULL DEFAULT '10'; 
UPDATE web_domain SET log_retention = '10' WHERE log_retention > 10;
UPDATE web_domain SET stats_type = '';
"
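
To confirm on each server that the change took effect, the following check lists every website that still has a retention above 10 days or still has statistics enabled. It is an added example, not part of the original article or of ISPConfig; the "domain" column name, the function names and the sample rows are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: post-change audit of the web_domain table.
# Assumptions: the "domain" column name and all function names below.

MAX_DAYS=10   # retention limit used in the article

# Reads rows "domain<TAB>log_retention<TAB>stats_type" on stdin, as produced
# by mysql --batch --skip-column-names, and prints one line per violation.
# Returns 1 if any website is still out of policy, 0 otherwise.
check_rows() {
    awk -F '\t' -v max="$MAX_DAYS" '
        $2 + 0 > max { printf "%s: log_retention=%s\n", $1, $2; bad = 1 }
        $3 != ""     { printf "%s: stats_type=%s\n", $1, $3; bad = 1 }
        END          { exit bad + 0 }
    '
}

# Queries the live table with the same credentials file and database as the
# article. Returns 2 if the query itself fails, so that an unreachable
# database is never mistaken for a clean result.
audit_server() {
    rows=$(mysql --defaults-file=/etc/mysql/debian.cnf --database=dbispconfig \
                 --batch --skip-column-names \
                 -e "SELECT domain, log_retention, IFNULL(stats_type, '')
                     FROM web_domain") || return 2
    printf '%s\n' "$rows" | check_rows
}

# Constructed sample rows for trying the check without a database.
sample_rows() {
    printf 'example.com\t10\t\n'
    printf 'old.example.org\t30\tawstats\n'
    printf 'shop.example.net\t10\twebalizer\n'
}

# Run against the local server only when asked to, e.g. sh audit.sh --live
# (audit.sh is a hypothetical file name for this script).
if [ "${1:-}" = "--live" ]; then
    audit_server
fi
```

In a multi-server setup, run it with --live on every server; a non-zero exit status means that server still needs the SQL above.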