nginx log when specific referrer is present

Question

Because someone steals content from our website, I need to create additional log file, that logs only if http_referrer contains specific domain.

Currently I have this:

   if ($http_referer ~* (bad-domain.com)){
           return  500;
   }

But instead of return 500, i need to return normal response, but to log the request.

Since 1.7.0 nginx's `access_log` has `if` parameter. See docs — Alexey Ten, Apr 23 '15 at 08:52
Why do that at all instead of just greping the log for bad referers? — AD7six, Apr 23 '15 at 08:53

score 3 · Answer 1 · answered Apr 23 '15 at 06:13

The access_log directive is valid inside if, so you can simply add one there.

However, its presence overrides any ones that appear above it in the hierarchy, so if you simply add one entry the request will not be logged to whatever access log you normally log for that server.

To get around that, you can use two access_log directives inside the if, one which repeats the regular access log, and one for your special access log (which can also use a different log_format if you wish).

score 1 · Answer 2 · edited Apr 13 '17 at 12:14

1

Just putting access_log inside if, does not work

However access_log only inside if inside location and from this thread we can see the workaround:

Separate Nginx access log file for certain requests only

if ($http_referer ~* (bad-domain.com)){
  set $bad_domain 'yes';
}

location / {
  if ($bad_domain = 'yes') {
    access_log logs/bad_domain.log;
    return 200;
    }

    ...
}

edited Apr 13 '17 at 12:14

Community

1

answered Apr 23 '15 at 08:44

Nick

786
2
12
37

score 0 · Answer 3 · answered Jan 28 '18 at 20:50

0

Use map directive like this

map $http_referer $loggable_referer {
    default           0;
    ~*bad-domain.com  1;
}
access_log /var/log/nginx/bad_domain.log combined if=$loggable_referer;

answered Jan 28 '18 at 20:50

DidThis

111
1

nginx log when specific referrer is present

3 Answers3