Another option would be to store the log file as a hidden file (dot file), then use a php script that reads the file and confirms that the user is logged in before displaying the file. This has the added advantage of working with most default nginx installs.
We are seeing it as well. We have a rule to disable access to the debug log server wide.
I tried to use the for form on their website but it was not loading.
