httpd-users mailing list archives

From Carlo Traversa <traversa.ca...@gmail.com>
Subject Re: [users@httpd] Can somebody help me to understand the strange GET requests logged in access.log and error.log ?
Date Mon, 13 Aug 2012 16:07:20 GMT
Hi Mark.
Thank you very much for your precious suggestion. You're completely 
right. I read the information at 
https://wiki.apache.org/httpd/ProxyAbuse (the link you provided me) and 
the problem described is exactly the same as the one I'm going to have. According 
to what is explained in the above link, I'm sure now my server is properly 
configured not to proxy requests to foreign domains. But I still would 
like to deny all those requests for random hostnames.
I put in place what is described in the section "I don't like the idea of 
my server responding to requests for random hostnames, even if it serves 
local content. How can I deny these requests?" of the article, but I 
still see GET requests in the access.log.
So is there something I did wrong or didn't understand?
Many Thanks in advance.



P.S. If needed here is my server configuration

I use Apache Name-based Virtual Hosts with Tomcat 6.x webapps, and my
server configuration is the following:

Server details:
- Ubuntu 10.04 64 bit
- Apache/2.2.14
- Tomcat 6.x

modules enabled:
mod_proxy, mod_proxy_http, mod_proxy_ajp

Configuration details:
/etc/apache2/apache2.conf
Standard configuration ......... plus at the end the log file for virtual hosts
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined

/etc/apache2/proxy.conf
<IfModule mod_proxy.c>
     ProxyRequests Off
     <Proxy *>
         AddDefaultCharset off
         Order deny,allow
         Deny from all
     </Proxy>
     ProxyVia Block
</IfModule>

/etc/apache2/sites-enabled/000-default -> ../sites-available/default
<VirtualHost *:80>
         ServerAdmin webmaster@localhost
         DocumentRoot /var/www/default
         DirectoryIndex index.jsp index.html index.iface
         <Directory />
                 Options FollowSymLinks
                 AllowOverride None
         </Directory>
         <Directory /var/www/default>
                 Options Indexes FollowSymLinks MultiViews
                 AllowOverride None
                 Order allow,deny
                 Deny from all
         </Directory>
         ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
         <Directory "/usr/lib/cgi-bin">
                 AllowOverride None
                 Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                 Order allow,deny
                 Deny from all
         </Directory>
         ErrorLog /var/log/apache2/error.log
         LogLevel warn
         CustomLog /var/log/apache2/access.log combined
     Alias /doc/ "/usr/share/doc/"
     <Directory "/usr/share/doc/">
         Options Indexes MultiViews FollowSymLinks
         AllowOverride None
         Order deny,allow
         Deny from all
         Allow from 127.0.0.0/255.0.0.0 ::1/128
     </Directory>
</VirtualHost>

/etc/apache2/sites-enabled/mysite1
<VirtualHost *:80>
     ServerName mysite1.tld
     ServerAlias www.mysite1.tld
     DocumentRoot /var/www/mysite1/
     DirectoryIndex index.html index.jsp
     <Proxy *>
         Order Allow,Deny
         Allow from all
     </Proxy>
     ProxyPass /mysite1 ajp://ip_address_tomcat1:8009/mysite1
     ProxyPassReverse /mysite1 ajp://ip_address_tomcat1:8009/mysite1
</VirtualHost>

/etc/apache2/sites-enabled/mysite2
<VirtualHost *:80>
     ServerName mysite2.tld
     ServerAlias www.mysite2.tld
     DocumentRoot /var/www/mysite2/
     DirectoryIndex index.html index.jsp
     <Proxy *>
         Order Allow,Deny
         Allow from all
     </Proxy>
     ProxyPass /mysite2 ajp://ip_address_tomcat2:8009/mysite2
     ProxyPassReverse /mysite2 ajp://ip_address_tomcat2:8009/mysite2
</VirtualHost>

/var/www/mysite1/index.html
<html>
<head>
<SCRIPT LANGUAGE="JavaScript">
<!--
window.location="http://www.mysite1.tld/mysite1/";
// -->
</script>
</head>
<body>
         <div style="visibility:hidden;">
                 <a href="http://www.mysite1.tld/mysite1/"  />
         </div>
</body>

/var/www/mysite2/index.html
<html>
<head>
<SCRIPT LANGUAGE="JavaScript">
<!--
window.location="http://www.mysite2.tld/mysite2/";
// -->
</script>
</head>
<body>
         <div style="visibility:hidden;">
                 <a href="http://www.mysite2.tld/mysite2/"  />
         </div>
</body>


On 11/08/2012 15:34, Mark Montague wrote:
> On August 11, 2012 6:33 , Carlo Traversa <traversa.carlo@gmail.com> 
> wrote:
>> As in the subject If I check the access.log and error.log I see a huge
>> number of CONNECT, GET, POST requests that make no sense to me (please
>> see *.log files in logs.zip).
>
> Please make it easy for people to help you.  We are all volunteers.  
> Asking us to download an attachment, unzip it, and then sort through 
> hundreds of lines of logs makes it harder for us to help, resulting in 
> many of us just ignoring your message.
>
> Instead of attaching zip'ed log files, just paste a few representative 
> log lines into the body of the email message.
>
>
>> None of those requests are related to
>> any of my hosted sites. They aren't dangerous for apache server (or I
>> hope so) because the reverse proxying is disabled (is it right?) but
>> they are band consuming. Is there any way to avoid to receive those
>> requests working on apache configuration? Or maybe there is something
>> wrong in my configuration files?
>
> I have not looked at the log files you attached, but it sounds like 
> you are describing "proxy abuse" requests.  These are very common.  
> With proxy abuse requests, you will see requests in your log files 
> that are for sites you are not running.  The solution is to first make 
> sure that your proxy is properly configured to not pass the attacker's 
> requests, and then, if you want, to set up a default virtual host to 
> capture and deny such requests.
>
> A lot more information is available at 
> https://wiki.apache.org/httpd/ProxyAbuse
>
> If you look at the page above and determine that what you are seeing 
> in your logs is not what the page above is talking about, please send 
> the mailing list just a couple representative log lines so we can see 
> what you're describing.
>
> -- 
>   Mark Montague
> mark@catseye.org
>



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
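
Added example (not part of the original message or of the Apache wiki page): a denied request is still written to access.log, so the status field, not the presence of the line, shows how the server answered. The script below classifies proxy-abuse style lines (CONNECT, or an absolute URL for a host the server does not serve) by that status. It assumes the stock `combined` / `vhost_combined` layouts; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hostnames this server really hosts (from the ServerName/ServerAlias lines above).
LOCAL_HOSTS = {"mysite1.tld", "www.mysite1.tld", "mysite2.tld", "www.mysite2.tld"}

# "combined" format, with the optional "vhost:port " prefix of "vhost_combined".
LINE_RE = re.compile(
    r'^(?:(?P<vhost>\S+:\d+) )?(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) ')

def classify(line):
    """Return (kind, outcome) for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    parts = m.group("request").split()
    method = parts[0].upper() if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    try:
        url = urlsplit(target)
        host = (url.hostname or "").lower()
    except ValueError:               # malformed authority such as "http://[x/"
        url, host = None, ""
    if method == "CONNECT":
        kind = "connect"
    elif url is None or (url.scheme and url.netloc):
        kind = "local-absolute" if host in LOCAL_HOSTS else "foreign-absolute"
    else:
        kind = "normal"
    if kind in ("normal", "local-absolute"):
        return kind, "n/a"
    # 4xx/5xx: refused. Anything else needs a look: it may be local content
    # served for a foreign hostname, or a response that was really proxied.
    return kind, "refused" if int(m.group("status")) >= 400 else "review"

def summarize(lines):
    """Count (kind, outcome) pairs over all parsable lines."""
    return Counter(r for r in map(classify, lines) if r is not None)

# Constructed sample lines (documentation addresses and example.* hostnames).
SAMPLE = [
    '198.51.100.7 - - [13/Aug/2012:16:00:01 +0000] "GET http://www.example.com/ HTTP/1.1" 403 291 "-" "-"',
    '198.51.100.7 - - [13/Aug/2012:16:00:02 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 405 310 "-" "-"',
    '198.51.100.9 - - [13/Aug/2012:16:00:03 +0000] "GET http://www.example.org/ad.php HTTP/1.1" 200 177 "-" "-"',
    '192.0.2.10 - - [13/Aug/2012:16:00:04 +0000] "GET /mysite1/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'mysite1.tld:80 192.0.2.10 - - [13/Aug/2012:16:00:05 +0000] "GET http://www.mysite1.tld/mysite1/ HTTP/1.1" 200 5120 "-" "-"',
]
```

Lines reported as `review` are the ones to compare against the proxy configuration; `refused` lines only cost the bandwidth of the error response.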

