Opened 10 years ago

Last modified 4 years ago

#606 new enhancement

lower log level of ngx_http_access_module forbidden access

Reported by: Jérémy Lal Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.6.x
Keywords: Cc:
uname -a: Linux myhost.host.tld 3.14-2-amd64 #1 SMP Debian 3.14.15-2 (2014-08-09) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.6.1
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-z,relro --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/nginx-naOmgm/nginx-1.6.1/debian/modules/nginx-auth-pam --add-module=/build/nginx-naOmgm/nginx-1.6.1/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-naOmgm/nginx-1.6.1/debian/modules/nginx-echo --add-module=/build/nginx-naOmgm/nginx-1.6.1/debian/modules/nginx-upstream-fair --add-module=/build/nginx-naOmgm/nginx-1.6.1/debian/modules/ngx_http_substitutions_filter_module

Description

When using the deny/allow ip directives of the ngx_http_access_module,
nginx logs the denied accesses with level "error".
If there are many unauthorized clients, it fills the error log with useless messages,
and changing the log level is not acceptable since it hides legitimate errors.

I propose to set the log_level for "access forbidden by rule" messages to info, notice, or warn
instead of error.

Change History (1)

comment:1 by Maxim Dounin, 4 years ago

See also #2149.

Note: See TracTickets for help on using tickets.