Home / server / Questions / 1010681
Accepted
gelonida
Asked: 2020-04-03 17:33:10 +0800 CST

nginx. How to log ssl errors without blowing up the server logs

  • 772

I have a web site, that is visited by many different mobile devices and embedded devices.

Quite often I encounter the issue, that some devices cannot connect.

The reasons can be:

  • the device doesn't recognize an certain CA
  • the device is too old and would require an older protocol TLS1.1
  • the device requires an outdated crypto algorithm or just a crypto algorithm, that I didn't make available with me server conf.

As the devices are in remote locations, don't have easily accessible logs I would like to be able to analyze such issues with nginx logs.

I can do this by increasing the error-log log level to debug.

error_log  /var/log/nginx/errors_with_debug.log debug;

However this logs contain loads of things which I am not interested in.

Is there any way to log detailed information only if an ssl connection was refused but have a normal error log level for all other cases?

So far I enable debug logging, ask remote users who have issues with their devices to connect and record the the traces, disable debug level, reload nginx and analyze then the obtained traces.

In fact I would already be helped if I could just log the date and the ip address of any client that failed to connect due to SSL issues.

Ideally I'd also like to log the reason, but alerady knowing, that a connection was attempted but failed due to SSL would be very helpful.

logging ssl nginx debugging

2 Answers

  1. A:

    1. enable "debug"
    2. create pipe instead of logfile (ensure it won't be hurt by logrotation)
    3. create listener in background (cat awk, grep, sed, whatever, etc)
    4. restart nginx

    B:

    error_log syslog:server=unix:/var/log/nginx.sock debug;

    • 3
  2. Best Answer

    All the SSL handshake errors you mention are logged by nginx at an info level, so you don't need to enable debugging.

    You don't mention which distribution you are using, but most systems nowadays come with SystemD so redirecting your logs to standard error:

    error_log stderr info;

    or syslog:

    error_log syslog:server=/dev/log info;

    will allow systemd-journald to capture all Nginx logs and administer their size. A simple:

    journalctl -u nginx.service -a -p info

    will allow you to list all debug messages above info level (assuming you use syslog).

    If you need more data for certain clients, you can use Nginx's debug_connection:

    events {
    debug_connection 192.0.50.1;
    ...
}

    As you mention in your question, setting a log level of debug for all clients will certainly produce a lot of output. If you need to enable debugging you might do it on a per subsystem level. Although it is not documented in the documentation of error_log, this directive accepts also a finer subdivision of the debug level (cf. source code): debug_core, debug_alloc, debug_mutex, debug_event, debug_http, debug_mail, debug_stream. You are interested in the debug_event level, but you can add several in the error_log directive, e.g.:

    error_log syslog:server=/dev/log debug_http debug_event;
    • 3