Nginx – Disable Nginx Logging for “forbidden by rule”

loggingnginx

In my Nginx config I have some IP blocks in place, to fight off spammers & bots.

This is very effective, but as a result, my error logs get filled up super fast with error messages like these:

2015/12/16 00:56:28 [error] 27748#0: *120462 access forbidden by rule,
client: 167.114.xxx.xxx, server: bla bla ….

Now I don't want to fully disable error logging, as I want to find out what is going wrong when something goes wrong. I just want to disable logging of these "forbidden by rule" messages.

Any idea how to do this?

Best Answer

As mentioned here, use conditional logging (access_log directive):

Enabling Conditional Logging

Conditional logging allows excluding trivial or non-important log entries from the access log. In NGINX, conditional logging is enabled by the if parameter of the access_log directive.

For example, it makes possible to exclude requests with HTTP status codes 2XX (Success) and 3XX (Redirection):
map $status $loggable {
    ~^[23]  0;
    default 1; }

access_log /path/to/access.log combined if=$loggable;

EDIT: as @zsero described in comment, conditional logging is only supported with the access_log - not with the error_log directive.

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Nginx – How to disable Nginx logging for localhost or certain ip

Your config is correct, but NginX tends to be a little... crazy? with Ifs. Take a look on it's If is Evil wiki page.

Aside from that, instead of trying to disable the log on that condition, try to redirect it to another log, like /var/log/nginx/access_localhost.log and see if it helps (link it to /dev/null if it works, or just truncate each day).

Also remember that access_log diretives (and other directives in NginX) will not be inherited. This is a quote from the NginX mail list (linked from NginX's wiki) about the subject:

There is no "global" logs in nginx, only "local" ones, either explicitly defined or inhereted from previous level.

The access_log directive, as all array-type directives in nginx config, will ignore inherited values if defined at certain level. I.e. in configuration

http { access_log log1;
server {
    server_name  server1;
}

server {
    server_name  server2;
    access_log   log2;
    ...
} }
only server1 will have logging set to log1, while server2 will have logging set to log2. If you want server2 to write log into both log1 and log2 you should say this explicitly, i.e.
server {
    server_name  server2;
    access_log   log1;
    access_log   log2;
    ...
}

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Nginx – How to disable Nginx logging for localhost or certain ip

Related Topic