Opened 3 years ago

Closed 3 years ago

#2149 closed defect (duplicate)

disable access forbidden by rule in error_log

Reported by: peter.volkov@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.18.x
Keywords: Cc: peter.volkov@…
uname -a: Linux m9-vss1-dvr1 5.4.80-gentoo-r1 #2 SMP Tue Dec 1 13:39:43 -00 2020 x86_64 Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz GenuineIntel GNU/Linux
nginx -V: nginx version: nginx/1.18.0
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --with-cc-opt=-I/usr/include --with-ld-opt=-L/usr/lib64 --http-log-path=/var/log/nginx/access_log --http-client-body-temp-path=/var/lib/nginx/tmp/client --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --with-compat --with-http_v2_module --with-pcre --without-http_grpc_module --without-http_ssi_module --without-http_upstream_hash_module --without-http_upstream_zone_module --with-http_flv_module --with-http_geoip_module --with-http_mp4_module --with-http_realip_module --with-http_secure_link_module --with-http_stub_status_module --with-http_realip_module --add-module=external_module/nginx_upstream_check_module-9aecf15ec379fe98f62355c57b60c0bc83296f04 --add-module=external_module/nginx-push-stream-module-0.5.4 --add-module=external_module/ngx_http_geoip2_module-3.3 --with-http_ssl_module --without-stream_access_module --without-stream_geo_module --without-stream_limit_conn_module --without-stream_map_module --without-stream_return_module --without-stream_split_clients_module --without-stream_upstream_hash_module --without-stream_upstream_least_conn_module --without-stream_upstream_zone_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --user=nginx --group=nginx

Description

There are lots of cases (see below) when we do not want to log errors caused by a deny rule in nginx:

2021/03/11 00:12:44 [error] 45842#0: *7562867097 access forbidden by rule, ...

For example, in our current use case we've used deny to disable a DoS attack on our service and, as a result, we have a huge error_log. To disable this message we have to set the level of logging to critical. This is bad since we'll lose useful errors. We need a configuration option (maybe similar to log_not_found) to disable this logging.

Look, there were a lot of requests on the mailing list:

http://mailman.nginx.org/pipermail/nginx/2010-October/023273.html
http://mailman.nginx.org/pipermail/nginx/2017-July/054346.html
http://mailman.nginx.org/pipermail/nginx-ru/2015-July/056294.html
http://mailman.nginx.org/pipermail/nginx-ru/2016-January/057388.html
(and more!)

serverfault:
https://serverfault.com/questions/782321/nginx-deny-ip-access-forbidden-by-rule-in-error-log
https://serverfault.com/questions/743337/disable-nginx-logging-for-forbidden-by-rule
(and more!)

Stack Overflow has lots of easily searchable posts on this subject as well. Lots of people need some kind of solution here.

Change History (1)

comment:1 by Maxim Dounin, 3 years ago

Resolution: duplicate
Status: new → closed

Duplicate of #606.

Look, there were a lot of requests on the mailing list:
http://mailman.nginx.org/pipermail/nginx/2010-October/023273.html
http://mailman.nginx.org/pipermail/nginx/2017-July/054346.html
http://mailman.nginx.org/pipermail/nginx-ru/2015-July/056294.html
http://mailman.nginx.org/pipermail/nginx-ru/2016-January/057388.html
(and more!)

Note that two of these links (2017 and 2015) point to messages where the error in question was actually a useful diagnostic of a configuration problem, not something to avoid.

Note well that for manual DoS mitigation a readily available solution would be to use a geo block with IP addresses and an appropriate if to reject requests, like if ($blocked) { return 444; }. Apart from being less chatty, as you need it, this approach is also more effective in terms of IP address lookup for large IP sets, and also makes it simple to do things like closing the connection, as it usually makes sense when mitigating DoS attacks.
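
The geo-based approach described in the comment above, written out as a configuration fragment next to the deny rules it replaces. This is an added example, not part of the ticket or of the nginx documentation; the addresses (documentation ranges), server_name, root path and include path are constructed placeholders.

```nginx
# http {} context. geo matches against $remote_addr by default, so with the
# realip module in use it sees the address realip has already rewritten.
geo $blocked {
    default          0;

    # Constructed sample entries (RFC 5737 / RFC 3849 documentation ranges).
    192.0.2.0/24     1;
    198.51.100.17    1;
    2001:db8::/32    1;

    # A large, frequently updated set can live in its own file.
    # include /etc/nginx/blocked_addrs.conf;   # hypothetical path
}

server {
    listen 80;
    server_name example.com;            # placeholder

    # Before: every rejected request gets a 403 and an
    # "access forbidden by rule" line in error_log at the error level.
    # deny 192.0.2.0/24;
    # deny 198.51.100.17;
    # deny 2001:db8::/32;

    # After: "if" treats "0" and the empty string as false, so only
    # addresses listed in the geo block take this branch. 444 is the
    # nginx-specific code that closes the connection without sending a
    # response, and no error_log line is written for it.
    if ($blocked) {
        return 444;
    }

    # error_log stays at the error level, so other diagnostics are kept.
    error_log /var/log/nginx/error_log error;

    location / {
        root /var/www/html;             # placeholder
    }
}
```

Rejected requests still appear in access_log with status 444, which keeps a record of the blocked traffic for later review.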
