diff --git a/README.md b/README.md
index 356f4a4d45b46e7a0b4c6166361262c61cfa088a..0b5558c702744f245d90970d44377fac16ed8430 100644
--- a/README.md
+++ b/README.md
@@ -81,6 +81,7 @@ Configuration is divided into different sections: `server`, `auth`, `ssh`, and `
 - `tls_cert` : string. Path to the TLS cert.
 - `port` : int. Port to listen on.
 - `cookie_secret`: string. Authentication key for the session cookie.
+- `http_logfile`: string. Path to the HTTP request log. Logs are written in the [Common Log Format](https://en.wikipedia.org/wiki/Common_Log_Format). If not set logs are written to stderr.
 
 ### auth
 - `provider` : string. Name of the oauth provider. At present the only valid value is "google".
diff --git a/cmd/cashierd/main.go b/cmd/cashierd/main.go
index b91f005005f8fe326521d72e87e177ac158b7c8c..8f081222bbdf158eaa355374abd882a01fa6805e 100644
--- a/cmd/cashierd/main.go
+++ b/cmd/cashierd/main.go
@@ -256,7 +256,14 @@ func main() {
 	r.Handle("/auth/login", appHandler{ctx, loginHandler})
 	r.Handle("/auth/callback", appHandler{ctx, callbackHandler})
 	r.Handle("/sign", appHandler{ctx, signHandler})
-	h := handlers.LoggingHandler(os.Stdout, r)
+	logfile := os.Stderr
+	if config.Server.HTTPLogFile != "" {
+		logfile, err = os.OpenFile(config.Server.HTTPLogFile, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0660)
+		if err != nil {
+			log.Fatal(err)
+		}
+	}
+	h := handlers.LoggingHandler(logfile, r)
 
 	fmt.Println("Starting server...")
 	l := fmt.Sprintf(":%d", config.Server.Port)
diff --git a/example-server.conf b/example-server.conf
index d112faf0edc066d562802eca6f2207cbd67ad139..6d0bb0587222fd5d16989fab0a0d2e0b35e97c14 100644
--- a/example-server.conf
+++ b/example-server.conf
@@ -5,6 +5,7 @@ server {
   tls_cert = "server.crt"  # Path to TLS certificate
   port = 443  # Port to listen on
   cookie_secret = "supersecret"  # Authentication key for the client cookie
+  http_logfile = "http.log"  # Logfile for HTTP requests
 }
 
 # Oauth2 configuration
diff --git a/server/config/config.go b/server/config/config.go
index 0ae1e60a0f3f4d502fe89e7066879c45211d0816..0ef417f8d4115e322af779277c5c713ee0d9c781 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -10,10 +10,10 @@ import (
 
 // Config holds the server configuration.
 type Config struct {
-	Server `mapstructure:"server"`
-	Auth   `mapstructure:"auth"`
-	SSH    `mapstructure:"ssh"`
-	AWS    `mapstructure:"aws"`
+	Server Server `mapstructure:"server"`
+	Auth   Auth   `mapstructure:"auth"`
+	SSH    SSH    `mapstructure:"ssh"`
+	AWS    AWS    `mapstructure:"aws"`
 }
 
 // unmarshalled holds the raw config.
@@ -31,6 +31,7 @@ type Server struct {
 	TLSCert      string `mapstructure:"tls_cert"`
 	Port         int    `mapstructure:"port"`
 	CookieSecret string `mapstructure:"cookie_secret"`
+	HTTPLogFile  string `mapstructure:"http_logfile"`
 }
 
 // Auth holds the configuration specific to the OAuth provider.