Opened 4 weeks ago

Closed 4 weeks ago

#2149 closed defect (duplicate)

disable access forbidden by rule in error_log

Reported by: peter.volkov@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.18.x
Keywords: Cc: peter.volkov@…
uname -a: Linux m9-vss1-dvr1 5.4.80-gentoo-r1 #2 SMP Tue Dec 1 13:39:43 -00 2020 x86_64 Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz GenuineIntel GNU/Linux
nginx -V: nginx version: nginx/1.18.0
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --with-cc-opt=-I/usr/include --with-ld-opt=-L/usr/lib64 --http-log-path=/var/log/nginx/access_log --http-client-body-temp-path=/var/lib/nginx/tmp/client --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --with-compat --with-http_v2_module --with-pcre --without-http_grpc_module --without-http_ssi_module --without-http_upstream_hash_module --without-http_upstream_zone_module --with-http_flv_module --with-http_geoip_module --with-http_mp4_module --with-http_realip_module --with-http_secure_link_module --with-http_stub_status_module --with-http_realip_module --add-module=external_module/nginx_upstream_check_module-9aecf15ec379fe98f62355c57b60c0bc83296f04 --add-module=external_module/nginx-push-stream-module-0.5.4 --add-module=external_module/ngx_http_geoip2_module-3.3 --with-http_ssl_module --without-stream_access_module --without-stream_geo_module --without-stream_limit_conn_module --without-stream_map_module --without-stream_return_module --without-stream_split_clients_module --without-stream_upstream_hash_module --without-stream_upstream_least_conn_module --without-stream_upstream_zone_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --user=nginx --group=nginx

Description

There are lot's of cases (see below) when we do not want to log errors cause by deny rule in nginx:

2021/03/11 00:12:44 [error] 45842#0: *7562867097 access forbidden by rule, ...

For example our current use-case, we've used deny to disable DOS attack on our service and as a result, we have a huge error_log. To disable this message we have to set the level of logging to critical. This is bad since we'll lose useful errors. We need a configuration option (maybe similar to log_not_found) to disable this logging.

Look there was a lot of request on mailing list:

http://mailman.nginx.org/pipermail/nginx/2010-October/023273.html
http://mailman.nginx.org/pipermail/nginx/2017-July/054346.html
http://mailman.nginx.org/pipermail/nginx-ru/2015-July/056294.html
http://mailman.nginx.org/pipermail/nginx-ru/2016-January/057388.html
(and more!)

serverfault:
https://serverfault.com/questions/782321/nginx-deny-ip-access-forbidden-by-rule-in-error-log
https://serverfault.com/questions/743337/disable-nginx-logging-for-forbidden-by-rule
(and more!)

stackoverflow easily searchable lots of posts on this subject as well. Lots of people need some kind of solution here.

Change History (1)

comment:1 by Maxim Dounin, 4 weeks ago

Resolution: duplicate
Status: newclosed

Duplicate of #606.

Look there was a lot of request on mailing list:
http://mailman.nginx.org/pipermail/nginx/2010-October/023273.html
http://mailman.nginx.org/pipermail/nginx/2017-July/054346.html
http://mailman.nginx.org/pipermail/nginx-ru/2015-July/056294.html
http://mailman.nginx.org/pipermail/nginx-ru/2016-January/057388.html
(and more!)

Note that two of these links (2017 and 2015) point out to messages where the error in question was actually a useful diagnostic of a configuration problem, not something to avoid.

Note well that for manual DoS mitigation a readily available solution would be to use a geo block with IP addresses and appropriate if to reject requests, like if ($blocked) { return 444; }. Apart from being less chatty as you need it, this approach also more effective in terms of IP addresses lookup for large IP sets, and also makes it simple to do things like closing connection, as it usually make sense when mitigating DoS attacks.

Note: See TracTickets for help on using tickets.