Nginx is an open source high performance web server, reverse proxy and load balancer originally developed by Igor Sysoev and now maintained by F5 Networks. It is one of the most widely deployed pieces of internet infrastructure, powering over 30% of websites globally. From a privacy perspective, Nginx is server side software: it does not set any client side cookie by itself, but it writes access logs containing IP addresses, URLs, user agents and referer headers, which qualify as personal data under the GDPR.
Nginx is a high performance open source web server, reverse proxy, load balancer, mail proxy and HTTP cache. It was originally written by Igor Sysoev in 2004 to solve the C10K problem (handling ten thousand simultaneous connections on a single server) and is now maintained by Nginx Inc., a subsidiary of F5 Networks. Nginx powers over 30% of websites on the public web and is also widely used inside containers (the Nginx Ingress Controller is one of the most popular Kubernetes ingress options). Crucially, Nginx is server side software: it runs on the operator's own infrastructure and does not send any data to Nginx Inc. or F5 by default.
Nginx does not set any client side cookie by itself. The cookies a visitor sees in their browser come from application backends (Express, Django, Rails, PHP) running behind Nginx, or from third party tags loaded by the HTML. What Nginx does generate is access logs: by default, the combined log format records the client IP address, the timestamp, the HTTP method and URI, the status code, the bytes sent, the referer header and the user agent. These logs qualify as personal data under the GDPR because the IP address is linked to a natural person in most contexts. Error logs add request lines that may contain query string parameters or POST data depending on configuration, which can include personal data.
Because Nginx does not store information on or retrieve information from the visitor's terminal equipment, Art. 5(3) of the ePrivacy Directive (the cookie consent rule) does not apply to Nginx itself. The server logs are governed by the GDPR and rest on legitimate interest under Art. 6(1)(f): operating a website includes the right to log access for security, fraud prevention, troubleshooting and traffic management. CNIL guidance on server logs accepts retention periods of 6 to 12 months for security investigation purposes, with shorter retention preferred and longer retention requiring documented justification. Where the operator is bound by a sectoral law requiring longer retention (telecoms, finance, anti money laundering), legal obligation under Art. 6(1)(c) applies in addition.
Configure Nginx to anonymise IP addresses where the use case allows. A common pattern is to define a custom log_format that masks the last octet of IPv4 addresses or the last 80 bits of IPv6 addresses, then use that format for the access_log directive on visitor facing servers, while keeping full IPs only for backend admin endpoints. Set log_format to omit query strings on routes that may carry tokens or personal data. Use access_log off; for static assets that do not need to be audited. Pipe logs through a rotation tool (logrotate) with retention aligned to the documented policy. If logs are shipped to an external SIEM, ensure that SIEM is in your record of processing and that the data transfer mechanism is documented.
Nginx itself does not transfer data to third countries. Where the operator's infrastructure sits determines the applicable transfer regime. EU based hosting (OVH, Scaleway, Hetzner, Ionos, etc.) keeps Nginx logs in the EU. AWS, Google Cloud and Azure offer EU regions, but operators should also consider the US CLOUD Act exposure when the cloud provider is US headquartered. F5 Networks (Nginx Plus, commercial Nginx support) has its own privacy notice with US transfer mechanisms (SCCs, EU US Data Privacy Framework), but this only matters if the operator buys commercial Nginx services.
Mention that you operate a web server (Nginx) that logs access data for security and operations, the categories of data logged (IP address, request URL, user agent, referer), the legal basis (legitimate interest, possibly legal obligation), the retention period, and the recipients (your hosting provider, any SIEM, security partners). You generally do not need to name Nginx specifically, but you must document the underlying data processing. Nginx itself does not need to appear on the cookie consent banner because it does not set cookies.
DPIA considerations
Nginx itself does not require a DPIA because it is server side infrastructure software. However, the access logs it writes do require attention: (1) the default combined log format contains the full IP address, which is personal data under the GDPR; (2) retention should be limited to what is needed for security and operations (typical guidance: 30 to 90 days for security investigations, longer only with documented justification); (3) IP anonymisation can be configured at the Nginx level (set $remote_addr in a custom log_format with the last octet zeroed) where security requirements allow; (4) logs may be processed by downstream tools (Splunk, Elastic, Datadog) that have their own privacy implications; (5) if Nginx is used as a reverse proxy in front of cookie generating backends, the cookies must be assessed in their own right, not as Nginx cookies. A DPIA is generally only needed for the broader logging and security architecture, not for Nginx specifically.
Sample consent text
We operate Nginx as a web server and reverse proxy on our own infrastructure. Nginx does not set cookies on your device. Like any web server, it writes access logs containing your IP address, the page you requested, your browser type and the referring page. These logs are used to operate the site, investigate security incidents and meet legal retention obligations. The logs are retained for [XX] days then deleted or anonymised, and you have a right of access to your logged data on request.
No. Nginx itself does not set or read cookies on the visitor's device. The cookies you see in the browser come from application backends running behind Nginx, or from third party tags loaded by the HTML. If the operator configures Nginx to add cookies (for example via the proxy_set_header or add_header directives), those cookies must be assessed on their own merits.
No. Because Nginx does not store information on or retrieve information from the visitor's terminal equipment, the ePrivacy Directive cookie consent rule does not apply to Nginx. The server logs are governed by the GDPR and rest on legitimate interest for security and operations.
Legitimate interest under GDPR Art. 6(1)(f), justified by security, fraud prevention, troubleshooting and traffic management. Where a sectoral law requires retention (telecommunications, finance, anti money laundering), legal obligation under Art. 6(1)(c) applies in addition. The retention period should be limited to what is necessary, typically 30 to 90 days for security purposes.
Not by itself. Nginx is open source software that runs wherever the operator hosts it. If the operator uses a US cloud provider, the underlying hosting transfer applies (assessed for the cloud provider, not for Nginx). F5 Networks owns commercial Nginx; if the operator buys Nginx Plus or commercial support, F5's privacy notice and SCCs apply to that relationship.
A DPIA is generally not required for Nginx alone, since it is server infrastructure. A DPIA may be needed for the broader logging and security architecture if logs are processed for fraud detection, behavioural analysis or high risk profiling, or if logs are shipped to non EU systems. Document Nginx as part of your record of processing, with the log categories, retention and downstream recipients.
Use a custom log_format that anonymises IP addresses where the use case allows (mask the last octet of IPv4 or the last 80 bits of IPv6). Omit query strings from log lines on routes that may carry tokens. Set access_log off for static assets. Rotate logs aggressively with logrotate. Avoid logging request bodies by default. Tighten error log levels in production. Forward logs only to SIEMs that are in the record of processing.
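The anonymising log_format pattern described in the configuration advice earlier on this page and in this answer, written out as an added example (not configuration from the page or from the Nginx project). It assumes a stock nginx.conf with an http block, a backend on 127.0.0.1:8080 and the placeholder host example.com; the map, format and file names are arbitrary.

```nginx
http {
    # Mask the client address before it reaches any log file:
    # IPv4 keeps three octets (last octet zeroed); IPv6 keeps the first
    # three 16-bit groups (48 bits), zeroing the remaining 80 bits.
    # The IPv4 rule is unanchored on purpose so IPv4-mapped IPv6 addresses
    # (::ffff:192.0.2.1) are masked as IPv4. Anything else becomes 0.0.0.0.
    map $remote_addr $remote_addr_anon {
        ~(?P<ip>\d+\.\d+\.\d+)\.\d+        $ip.0;     # 192.0.2.57      -> 192.0.2.0
        ~^(?P<ip>[^:]+:[^:]+:[^:]+):       $ip::;     # 2001:db8:1:2::9 -> 2001:db8:1::
        ~^(?P<ip>[^:]+:[^:]+)::            $ip::;     # 2001:db8::9     -> 2001:db8::
        ~^(?P<ip>[^:]+)::                  $ip::;     # fe80::1         -> fe80::
        ~^::                               ::;        # ::1             -> ::
        default                            0.0.0.0;
    }

    # Same fields as the built-in "combined" format, except the masked
    # address and "$request_method $uri" in place of $request, which would
    # carry the query string (and any token in it) into the log.
    log_format anonymised '$remote_addr_anon - $remote_user [$time_local] '
                          '"$request_method $uri $server_protocol" $status '
                          '$body_bytes_sent "$http_referer" "$http_user_agent"';

    error_log /var/log/nginx/error.log warn;   # no debug/info noise in production

    server {
        listen 80;
        server_name example.com;   # placeholder

        # Visitor-facing traffic: masked address, no query string.
        access_log /var/log/nginx/access.log anonymised;

        # Static assets carry no audit value: do not log them at all.
        location ~* \.(css|js|png|jpg|svg|woff2)$ {
            access_log off;
            root /var/www/example;
        }

        # Backend admin endpoint: full IP kept for security investigation, in
        # its own file so logrotate can give it a separate retention period.
        location /admin/ {
            access_log /var/log/nginx/admin-access.log combined;
            proxy_pass http://127.0.0.1:8080;
        }

        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Pair the two log files with logrotate rules whose rotate count implements the retention period documented in the record of processing, and run `nginx -t` after editing to confirm the map and format parse cleanly.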
Other open source web servers and reverse proxies include Apache HTTP Server, Caddy (automatic HTTPS, EU friendly), HAProxy (load balancer), Traefik (cloud native, EU origin), and Envoy (modern proxy). All of them generate similar access logs and have the same GDPR considerations. The hosting and log architecture matter more than the specific server software for privacy.
Nginx does not belong on the cookie banner because it does not set cookies. In the privacy policy, mention that the website is served by a web server (Nginx) which logs access data for security and operations, list the categories of data, the legal basis, the retention period and the recipients. Do not name Nginx specifically unless the operator wants to be transparent about the technology stack.