nginx. How to log ssl errors without blowing up the server logs

Solution 1:

All the SSL handshake errors you mention are logged by nginx at an info level, so you don't need to enable debugging.

You don't mention which distribution you are using, but most systems nowadays come with SystemD so redirecting your logs to standard error:

error_log stderr info;

or syslog:

error_log syslog:server=/dev/log info;

will allow systemd-journald to capture all Nginx logs and administer their size. A simple:

journalctl -u nginx.service -a -p info

will allow you to list all debug messages above info level (assuming you use syslog).

If you need more data for certain clients, you can use Nginx's debug_connection:

events {
    debug_connection 192.0.50.1;
    ...
}

As you mention in your question, setting a log level of debug for all clients will certainly produce a lot of output. If you need to enable debugging you might do it on a per subsystem level. Although it is not documented in the documentation of error_log, this directive accepts also a finer subdivision of the debug level (cf. source code): debug_core, debug_alloc, debug_mutex, debug_event, debug_http, debug_mail, debug_stream. You are interested in the debug_event level, but you can add several in the error_log directive, e.g.:

error_log syslog:server=/dev/log debug_http debug_event;

Solution 2:

A:

  1. enable "debug"
  2. create pipe instead of logfile (ensure it won't be hurt by logrotation)
  3. create listener in background (cat awk, grep, sed, whatever, etc)
  4. restart nginx

B:

error_log syslog:server=unix:/var/log/nginx.sock debug;