traversa.carlo at gmail
Aug 13, 2012, 9:07 AM
Post #3 of 5
(299 views)
Permalink
|
|
Re: Can somebody help me to understand the strange GET requests logged in access.log and error.log ?
[In reply to]
|
|
Hi Mark.
Thank you very much for your precious suggestion. You're completely
right. I read the information at
https://wiki.apache.org/httpd/ProxyAbuse (the link you provided me) and
the problem described is exactly the same I'm going to have. According
to what explained in the above link I'm sure now my server is properly
configured not to proxy requests to foreign domains. But I still would
like to deny all those requests for random hostnames.
I put in place what described in the section "I don't like the idea of
my server responding to requests for random hostnames, even if it serves
local content. How can I deny these requests?" of the article but I
still see GET requests in the access.log
So is there something I did wrong or I didn't understand?
Many Thanks in advance.
P.S. If needed here is my server configuration
I use Apache Named-based Virtual Host with Tomcat 6.x webapps and my
server configuration is the following:
Server details:
- Ubuntu 10.04 64 bit
- Apache/2.2.14
- Tomcat 6.x
modules enabled:
mod_proxy, mod_proxy_http, mod_proxy_ajp
Configuration details:
/etc/apache2/apache2.conf
Standard configuration ......... plus at the end the log file for virtual hosts
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined
/etc/apache2/proxy.conf
<IfModule mod_proxy.c>
ProxyRequests Off
<Proxy *>
AddDefaultCharset off
Order deny,allow
Deny from all
</Proxy>
ProxyVia Block
</IfModule>
/etc/apache2/sites-enabled/000-default -> ../sites-available/default
<VirtualHost *:80>
ServerAdmin webmaster [at] localhos
DocumentRoot /var/www/default
DirectoryIndex index.jsp index.html index.iface
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/default>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Deny from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Deny from all
</Directory>
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
/etc/apache2/sites-enabled/mysite1
<VirtualHost *:80>
ServerName mysite1.tld
ServerAliaswww.mysite1.tld
DocumentRoot /var/www/mysite1/
DirectoryIndex index.html index.jsp
<Proxy *>
Order Allow,Deny
Allow from all
</Proxy>
ProxyPass /mysite1 ajp://ip_address_tomcat1:8009/mysite1
ProxyPassReverse /mysite1 ajp://ip_address_tomcat1:8009/mysite1
</VirtualHost>
/etc/apache2/sites-enabled/mysite2
<VirtualHost *:80>
ServerName mysite2.tld
ServerAliaswww.mysite2.tld
DocumentRoot /var/www/mysite2/
DirectoryIndex index.html index.jsp
<Proxy *>
Order Allow,Deny
Allow from all
</Proxy>
ProxyPass /mysite2 ajp://ip_address_tomcat2:8009/mysite2
ProxyPassReverse /mysite2 ajp://ip_address_tomcat2:8009/mysite2
</VirtualHost>
/var/www/mysite1/index.html
<html>
<head>
<SCRIPT LANGUAGE="JavaScript">
<!--
window.location="http://www.mysite1.tld/mysite1/";
// -->
</script>
</head>
<body>
<div style="visibility:hidden;">
<a href="http://www.mysite1.tld/mysite1/" />
</div>
</body>
/var/www/mysite2/index.html
<html>
<head>
<SCRIPT LANGUAGE="JavaScript">
<!--
window.location="http://www.mysite2.tld/mysite2/";
// -->
</script>
</head>
<body>
<div style="visibility:hidden;">
<a href="http://www.mysite2.tld/mysite2/" />
</div>
</body>
Il 11/08/2012 15.34, Mark Montague ha scritto:
> On August 11, 2012 6:33 , Carlo Traversa <traversa.carlo [at] gmail>
> wrote:
>> As in the subject If I check the access.log and error.log I see a huge
>> number of CONNECT, GET, POST requests that make no sense to me (please
>> see *.log files in logs.zip).
>
> Please make it easy for people to help you. We are all volunteers.
> Asking us to download an attachment, unzip it, and then sort through
> hundreds of lines of logs makes it harder for us to help, resulting in
> many of us just ignoring your message.
>
> Instead of attaching zip'ed log files, just paste a few representative
> log lines into the body of the email message.
>
>
>> No one of those requests are related to
>> any of my hosted sistes. They aren't dangerous for apache server (or I
>> hope so) because the reverse proxying is disabled (is it right?) but
>> they are band consuming. Is there any way to avoid to receive those
>> requests working on apache configuration? Or maybe there is something
>> wrong in my configuration files?
>
> I have not looked at the log files you attached, but it sounds like
> you are describing "proxy abuse" requests. These are very common.
> With proxy abuse requests, you will see requests in your log files
> that are for sites you are not running. The solution is to first make
> sure that your proxy is properly configured to not pass the attacker's
> requests, and then, if you want, to set up a default virtual host to
> capture and deny such requests.
>
> A lot more information is available at
> https://wiki.apache.org/httpd/ProxyAbuse
>
> If you look at the page above and determine that what you are seeing
> in your logs is not what the page above is talking about, please send
> the mailing list just a couple representative log lines so we can see
> what you're describing.
>
> --
> Mark Montague
> mark [at] catseye
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd
|
logs.zip
