diff --git a/assets/runtime/config/nginx/gitlab b/assets/runtime/config/nginx/gitlab
index 6372aad9..b08c8bff 100644
--- a/assets/runtime/config/nginx/gitlab
+++ b/assets/runtime/config/nginx/gitlab
@@ -25,6 +25,15 @@ map $http_upgrade $connection_upgrade_gitlab {
     ''      close;
 }
 
+## Obfuscate access_token and private_token in access log
+map $request_uri $obfuscated_request_uri {
+    ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
+    default $request_uri;
+}
+log_format main '$remote_addr - $remote_user [$time_local] '
+                  '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
+                  '"$http_referer" "$http_user_agent"';
+
 ## Normal HTTP host
 server {
   ## Either remove "default_server" from the listen line below,
@@ -49,7 +58,7 @@ server {
   add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";
 
   ## Individual nginx logs for this GitLab vhost
-  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
+  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
   error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
 
   location / {
diff --git a/assets/runtime/config/nginx/gitlab-ssl b/assets/runtime/config/nginx/gitlab-ssl
index 24acfe17..8d8d5c3a 100644
--- a/assets/runtime/config/nginx/gitlab-ssl
+++ b/assets/runtime/config/nginx/gitlab-ssl
@@ -29,6 +29,15 @@ map $http_upgrade $connection_upgrade_gitlab_ssl {
     ''      close;
 }
 
+## Obfuscate access_token and private_token in access log
+map $request_uri $obfuscated_request_uri {
+    ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
+    default $request_uri;
+}
+log_format main '$remote_addr - $remote_user [$time_local] '
+                  '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
+                  '"$http_referer" "$http_user_agent"';
+
 ## Redirects all HTTP traffic to the HTTPS host
 server {
   ## Either remove "default_server" from the listen line below,
@@ -40,7 +49,7 @@ server {
   server_name _; ## Replace this with something like gitlab.example.com
   server_tokens off; ## Don't show the nginx version number, a security best practice
   return 301 https://$host:{{GITLAB_PORT}}$request_uri;
-  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
+  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
   error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
 }
 
@@ -94,7 +103,7 @@ server {
   ssl_dhparam {{SSL_DHPARAM_PATH}};
 
   ## Individual nginx logs for this GitLab vhost
-  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
+  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log main;
   error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
 
   location / {