by xxs 3032 days ago
>A reasonable reading of GDPR makes standard web server logs (which contain IP addresses) a punishable offense...

You need retention policies and if you use the web logs for (let's say) detecting malicious behavior or troubleshooting, you are in the clear.


Also, you can keep just a hash(seed + IP address) - enough to uniquely identify a user session (so you can debug possible problems) but not enough to pinpoint a specific user.

Of course in reality nothing is that simple, but it can be done, and it can be done automatically. I am sure there will be GDPR nginx plugins/configs available soon.

Unless you use IPv6, hashing IPv4 address space is way, way too narrow. Hash+seed is trivial to have the original IP recovered. So whoever advises that has got no idea how hashing (and collision of the latter) works.

(Brute force of a few billion hashes in the days of crypto currencies is a walk in the park)
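
Added example, not part of the thread: a retention-policy check of the hash(seed + IP address) scheme discussed above, run over a constructed /15 range. SHA-256, plain concatenation, the seed value and the sample address are assumptions; the thread specifies none of them. It shows that the pseudonym holds only while the seed is unavailable to whoever holds the logs.

```python
import hashlib
import ipaddress
import secrets


def pseudonymize(seed: bytes, ip: str) -> str:
    # hash(seed + IP address) as proposed in the thread; SHA-256 is an assumption.
    return hashlib.sha256(seed + ip.encode("ascii")).hexdigest()


def recover_ip(seed: bytes, digest: str, network: str):
    """Try every address in `network`; return (matching IP or None, hashes computed)."""
    tries = 0
    for addr in ipaddress.ip_network(network):
        tries += 1
        if pseudonymize(seed, str(addr)) == digest:
            return str(addr), tries
    return None, tries


# Constructed sample data: 198.18.0.0/15 is reserved for benchmarking.
SAMPLE_NET = "198.18.0.0/15"
SAMPLE_IP = "198.19.42.7"
SEED = b"constructed-seed-kept-next-to-the-logs"


def audit():
    logged = pseudonymize(SEED, SAMPLE_IP)
    # Case 1: the seed is stored where the log holder can read it.
    seed_known = recover_ip(SEED, logged, SAMPLE_NET)
    # Case 2: the seed was random and has been destroyed; any other seed fails.
    seed_gone = recover_ip(secrets.token_bytes(32), logged, SAMPLE_NET)
    return seed_known, seed_gone


if __name__ == "__main__":
    seed_known, seed_gone = audit()
    print("seed known:    ", seed_known)
    print("seed destroyed:", seed_gone)
    print("full IPv4 space:", 2 ** 32, "candidates")
```

The /15 range is 2^17 addresses; the whole IPv4 space is 2^32, the "few billion hashes" the last comment refers to.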