NGINX / Server Setup

Nginx: Disable logging of Magento security probes

by ,

We have by far the largest RPM repository with dynamic stable NGINX modules and VMODs for Varnish 4.1 and 6.0 LTS. If you want to install NGINX, Varnish, and lots of useful modules for them, this is your one-stop repository to get all performance-related software.
You have to maintain an active subscription in order to be able to use the repository!

Constantly monitoring error logs is a good idea. It helps to find misconfiguration in your server setup. However, going through logs can be troubled in case your logs are poisoned with unnecessary entries.

Here is one type of unnecessary log entries commonly found with nginx error.log for Magento 1.x websites:

2017/07/16 11:28:05 [error] 22465#22465: *443659 access forbidden by rule, client:, server:, request: “POST /app/etc/local.xml HTTP/1.1”, host: “”

To fix this, you will need to use nginx map directive and conditional logging.

In your nginx.conf put the following inside http { ... } block:

map "$request_method:$request_uri:$remote_addr" $loggable {
    "POST:/app/etc/local.xml:" 0;
    default 1;    

In the directive above, make sure to use your server’s IP address only. We only want to skip logging for Magento internal security check. We’re still interested in logging same type of requests by external IP addresses.

Find your access_log directive and add the if condition to it like so:

access_log /path/to/access.log combined if=$loggable;

What this whole thing does, is logs requests conditionally: a POST request to /app/etc/local.xml made by server itself, will not be logged. Everything else is logged as usual.

Pro tip: if you’re using Varnish, you may also want to disable logging of Varnish backend probes by combing the map directives into one.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: