Feature #3032

closed

Add a privacy option to allow IP Anonymization when creating logfiles.

Added by dinoex over 3 years ago. Updated 4 months ago.

Status:
Wontfix
Priority:
Low
Category:
core
Target version:
-
ASK QUESTIONS IN Forums:
No

Description

With IPv4:
IP anonymization clears the last 8 bits of an IP address.

With IPv6:
IP anonymization clears the last 64 bits of an IP address.

Activated by adding to the config file:
server.privacy = "enable"

tested on FreeBSD amd64
I release this patch as Public Domain.

Feel free to rename / optimize this feature.


Files

lighttpd-private.diff (3.57 KB) dinoex, 2020-11-10 21:18
#1

Updated by gstrauss over 3 years ago

  • Status changed from New to Need Feedback
  • Priority changed from Normal to Low
  • Target version deleted (1.4.56)

Why?

See mod_accesslog docs. You can already
1. define a log format which omits the IP or uses some other identifier (e.g. a cookie value)
or
2. send all logs through a piped logger and in the piped logger you can rewrite the field, truncate the field, encrypt the field, or do whatever you want.

Why would you name it something non-descript and generic like server.privacy when it is very, very specific to IP addresses?
Why should the very limited and very specific feature of your patch be a config option in lighttpd?
What problem are you trying to solve? And how well does your patch solve said problem?
Why did you not include answers to the above with your patch?

Since you can send both access logs and error logs through a piped logger, and the piped logger can scrub IP and other information as appropriate, the patch you have proposed is unnecessary.

#2

Updated by dinoex over 3 years ago

I am aware of option 1, but I do not want to omit the IP in full.

I have not yet found a piped logger that rewrites the IPs;
cronolog does not mention how to truncate fields.
Pointers welcome.

As a non-native English speaker, my names might not be optimal.
I have not come up with a better name yet.

The goal is to have an easy way to comply with the law in Europe.
Logging of full IP addresses is in many cases a violation of the GDPR:
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

With IP anonymization it is believed to comply with the GDPR.

https://support.google.com/analytics/answer/2763052?hl=en
https://tools.ietf.org/html/draft-andersdotter-intarea-update-to-rfc6302-00

Examples:
https://github.com/FibreFoX/apache2-anonymizer-module

#3

Updated by gstrauss over 3 years ago

  • Status changed from Need Feedback to Wontfix

FYI: You got the response you got because you failed to include basic information about requirements (GDPR) with your patch dump and you failed to include links to specifications that your patch implemented to comply with such specifications. (Hint: do not dump patches without communicating the problem you are trying to solve and how the patch solves the problem)

2 1/2 years ago, someone asked the same question. You spent time writing a patch before using that little search box in the upper-right of this page to search for "GDPR":
https://redmine.lighttpd.net/boards/2/topics/8097

> I have not yet found a piped logger that rewrites the IPs;
> cronolog does not mention how to truncate fields.
> Pointers welcome.

If you need to anonymize IPs, you parse each line to identify and anonymize IPs. How should IP addresses be anonymized? What about port numbers? What about ... ? If you need to comply with GDPR, then you need to comply with GDPR.

Your partial patch does something very specific, and there is no specification to which you linked for which your patch meets the requirements. Of note, https://tools.ietf.org/html/draft-andersdotter-intarea-update-to-rfc6302-00 (which is a draft) suggests:

> SHOULD keep only the first two octets (of an IPv4 address) or the
> first three octets (of an IPv6 address) with remaining octets set
> to zero, when logging.

Your patch does something different. The draft makes other suggestions as well, also not implemented by your patch.

If you need to comply with GDPR, then there is more than IP anonymization that must be handled.

Options to comply with GDPR specifically regarding web server logging:
  • disable logging
    • send lighttpd stderr to /dev/null
    • disable access log
  • modify logging (insufficient)
    • modify access log to not include IP (insufficient if query string contains IP)
    • error log must still be handled separately, or directed to /dev/null
  • piped loggers
    • use piped loggers with your own custom logic to comply as best you can with GDPR.

lighttpd can make no guarantees of compliance with GDPR since GDPR may include many different operational requirements for log handling and log rotation, some of which are likely outside the scope of lighttpd.

> I have not yet found a piped logger that rewrites the IPs,

Please try again with search terms: "piped logger anonymize IP"
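The piped-logger approach described in the thread, worked out as an added example (this is not the patch attached to the issue and not lighttpd code): a filter that reads log lines on stdin, masks every token that parses as an IP address to a configurable prefix length, and writes the line back out. It provides both truncation schemes mentioned above, the patch's "clear the last 8 bits of IPv4 / last 64 bits of IPv6" and the draft's "keep the first two IPv4 octets / first three IPv6 octets", and it scans the whole line rather than one field, which is what catches an address leaked in a query string. The sample log lines are constructed for the example, and the script name used in the usage note is hypothetical.

```python
"""Piped-logger filter that masks client IP addresses in lighttpd access log lines.

Added example for this thread, not code from the issue's patch or from lighttpd.
It implements the "piped logger with your own custom logic" approach: every
token on a line that parses as an IP address is truncated to a configurable
prefix length, so an address inside a query string is caught as well as the
client-address field.  Two prefix schemes discussed in the thread are provided.
"""
import ipaddress
import re
import sys

# Scheme of the proposed patch: clear the last 8 bits of IPv4 (/24) and
# the last 64 bits of IPv6 (/64).
PATCH_SCHEME = (24, 64)
# Scheme quoted from draft-andersdotter-intarea-update-to-rfc6302-00:
# keep the first two IPv4 octets (/16) and the first three IPv6 octets (/24).
DRAFT_SCHEME = (16, 24)

# Candidate tokens: a dotted quad, or two or more colon-separated hex groups
# (IPv6, optionally bracketed as in "[2001:db8::1]:443").  Validation is left
# to ipaddress, so look-alikes such as "2020:21:18:00" inside a timestamp are
# matched here and then skipped unchanged.
_IP_TOKEN = re.compile(
    r"(?<![\w.:])\[?"
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3}|(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4})"
    r"\]?(?![\w.])"
)


def mask_ip(text, v4_prefix=24, v6_prefix=64):
    """Return `text` (an IPv4 or IPv6 address) with all bits beyond the prefix zeroed.

    Raises ValueError if `text` is not an IP address or the prefix is out of range.
    """
    ip = ipaddress.ip_address(text)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    if not 0 <= prefix <= ip.max_prefixlen:
        raise ValueError("prefix length %d out of range for IPv%d" % (prefix, ip.version))
    mask = ((1 << prefix) - 1) << (ip.max_prefixlen - prefix)
    # type(ip) keeps the address family: a /64-masked "::1" must stay an IPv6Address.
    return str(type(ip)(int(ip) & mask))


def anonymize_line(line, v4_prefix=24, v6_prefix=64):
    """Mask every IP address found anywhere on one log line."""
    def _sub(m):
        try:
            masked = mask_ip(m.group("ip"), v4_prefix, v6_prefix)
        except ValueError:
            return m.group(0)  # looked like an address but is not; leave it alone
        return m.group(0).replace(m.group("ip"), masked, 1)  # keep any [ ] around it
    return _IP_TOKEN.sub(_sub, line)


def anonymize_lines(lines, scheme=PATCH_SCHEME):
    """Apply one (v4_prefix, v6_prefix) scheme to a list of lines."""
    v4_prefix, v6_prefix = scheme
    return [anonymize_line(line, v4_prefix, v6_prefix) for line in lines]


# Constructed sample lines in a lighttpd-style access log format (not from a real server).
SAMPLE_LINES = [
    '203.0.113.45 example.org - [10/Nov/2020:21:18:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # IPv6 client, and the query string leaks a second address that a field-level mask would miss
    '2001:db8:85a3::8a2e:370:7334 example.org - [10/Nov/2020:21:18:01 +0100] "GET /search?from=198.51.100.7 HTTP/1.1" 200 88 "-" "curl/7.64.0"',
    # bracketed address with a port: the port is not part of the address and survives the mask
    '[2001:db8::1]:51234 example.org - [10/Nov/2020:21:18:02 +0100] "GET / HTTP/1.1" 304 0 "-" "-"',
]


def main(argv=None):
    """Read log lines on stdin, write masked lines to stdout (the piped-logger contract)."""
    argv = sys.argv[1:] if argv is None else argv
    scheme = (int(argv[0]), int(argv[1])) if len(argv) == 2 else PATCH_SCHEME
    for line in sys.stdin:
        sys.stdout.write(anonymize_line(line, *scheme))
        sys.stdout.flush()  # do not let lines sit in a buffer behind the request that produced them


if __name__ == "__main__":
    main()
```

To use it as lighttpd's access log sink, point `accesslog.filename` at the script with a leading pipe, e.g. `accesslog.filename = "|/usr/local/bin/anonymize-log.py"` (hypothetical path); lighttpd spawns the command and feeds it the formatted lines. Passing two prefix lengths as arguments selects the draft's scheme (`16 24`) instead of the patch's default. As gstrauss notes above, the error log has to be handled separately; the same filter can be put in front of it, but nothing about the access log configuration covers it. Note also what the filter does not decide for you: ports stay in the line, and any dotted quad anywhere on the line is masked, including one that happens to be a version string, which is the conservative side to err on.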

#4

Updated by gstrauss 4 months ago

lighttpd 1.4.70 includes a mechanism to mask IPs in mod_accesslog with %{mask}a in the accesslog format.
Note: the error log must still be post-processed for GDPR compliance.

[mod_accesslog] %{mask}a to mask/anonymize IP
commit 0ccf30c01eac6560591c536d8eaa31589a935def

Enable partial masking of IP addresses in access logs
https://github.com/lighttpd/lighttpd1.4/pull/124

IP masking in Universal Analytics
https://support.google.com/analytics/answer/2763052
