diff --git a/jellyfin.conf b/jellyfin.conf
index 3a8d155..72f89d9 100644
--- a/jellyfin.conf
+++ b/jellyfin.conf
@@ -1,4 +1,4 @@
-# /etc/nginx/sites-available/jellyfin
+# /etc/nginx/sites-available/nik4nao.home.arpa
 
 # WebSocket upgrade helper (for Jellyfin)
 map $http_upgrade $connection_upgrade {
@@ -10,6 +10,9 @@ server {
     listen 80;
     server_name nik4nao.home.arpa;
 
+    access_log off;
+    error_log  /var/log/nginx/jellyfin_error.log warn;
+
     # ---- Convenience redirects ----
     location = /         { return 302 /admin/; }   # land on Pi-hole admin by default
     location = /pihole   { return 302 /admin/; }   # /pihole -> /admin/
diff --git a/nginx.conf b/nginx.conf
index 6e21f02..d469ee8 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -28,6 +28,20 @@ http {
     ssl_protocols TLSv1.2 TLSv1.3;          # drop TLSv1.0/1.1
     ssl_prefer_server_ciphers on;
 
+    ##
+    # External vs internal detector
+    ##
+    geo $is_external {
+    default 1;                    # assume external unless matched below
+    10.0.0.0/8       0;
+    172.16.0.0/12    0;
+    192.168.0.0/16   0;
+    127.0.0.0/8      0;
+    ::1/128          0;
+    fc00::/7         0;           # Unique local (ULA)
+    fe80::/10        0;           # Link-local
+    }
+
     ##
     # Logging (JSON)
     ##
@@ -38,7 +52,7 @@ http {
       '"request_time":$request_time, "upstream_time":"$upstream_response_time", '
       '"host":"$host", "uri":"$uri" }';
 
-    access_log /var/log/nginx/access.json json;
+    access_log /var/log/nginx/access.json json if=$is_external;
 
     ##
     # Gzip (safe defaults)
diff --git a/watch-party.conf b/watch-party.conf
index 291b60f..7ccef11 100644
--- a/watch-party.conf
+++ b/watch-party.conf
@@ -1,4 +1,4 @@
-# /etc/nginx/sites-available/watch-party
+# /etc/nginx/sites-available/nik4nao.xyz
 
 # WebSocket upgrade helper
 map $http_upgrade $connection_upgrade {
@@ -18,6 +18,7 @@ server {
         root /var/www/html;
         default_type "text/plain";
         allow all;
+        access_log off;
     }
 
     # Serve /robots.txt from disk on HTTP
@@ -39,6 +40,9 @@ server {
     listen 443 ssl http2;
     server_name nik4nao.xyz;
 
+    access_log /var/log/nginx/nik4naoxyz_access.json json if=$is_external;
+    error_log  /var/log/nginx/nik4naoxyz_error.log warn;
+
     # --- Certbot-managed TLS files ---
     ssl_certificate     /etc/letsencrypt/live/nik4nao.xyz/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/nik4nao.xyz/privkey.pem;