The European General Data Protection Regulation Law (GDPR) aims to protect end users privacy. Among many other consequences, system administrators are therefore obliged to configure their systems in a way that they do not store IP addresses for unnecessary long periods of time, not without consent, et cetera. This is because IP addresses are considered personal data.
Nevertheless, there are good reasons – in accordance with the GDRP – for not anonymizing IP addresses right from the very beginning. For example, one needs means to protect a system from attacks (e.g. in order to protect the personal data of many users in the database). For example, if your system currently is under attack, and this attack originates from one particular IP address, you need to be able to block this IP (probably only temporarily). You also may want to be able to check, when the attack started, i.e. when those bad requests from this IP started. Moreover, you often want to keep your log files for a longer period of time so that you can analyze them (which is perfectly okay, if they don't contain personal data).
So these are competing interests. One simple compromise is to store the original IP addresses in the log files for only a short period of time, anonymize the IP addresses in the older log files, and – of course – inform your users/visitors about these facts (in your web sites privacy notice).
How can I configure NGINX for such a GDPR compliant setup, which does not anonymize all IP addresses right from the beginning? There are discussions and solutions for instantly/directly anonymizing IPs (e.g. here); but how can I setup anonymization for older log files only?
Caveat: IANAL