I have Apache version 2.22 and see these strange log entries with IPs from Japan, Taiwan, ...
218.52.178.3 - - [10/Feb/2015:13:48:48 +0100] "\xa6Q\xb0\xce\xf5\b\x15\x05\xd3\xaf\xbe\x1d\xac\xbf\x99lx\xbf\xb0\x16w{\xb3\xf4\xa5%\xd6\x16\xd0\x15\xd5\xfa\xcbqo\xae9\xc2\x13\xf5&\x91\xb7\x90\xa1\xe5W\xe3" 200 62
98.119.71.85 - - [10/Feb/2015:15:48:47 +0100] "\x86}\x12%\xe8<\xc9\xb8\xed\xb9\x9d4j+0-\x19\xb9\xd3\xafA\xa9#7\x04q\x17\xe3\xa4\x87\xd3\t\x04\x92\x8493X\xd3H?\xf1\xb8\x96\x11\xbf\xc9\xddQ" 400 226
Does anyone know what they mean?
This is some kind of crawler, checking for vulnerabilities. You can block them by IP. However, they change the IP constantly.
Create a .htaccess file in your document root and insert this into it:
Order Deny,Allow
Deny from 218.52.178.3
Deny from 98.119.71.85
If you have access to your firewall you can block them from there. Each firewall has a different way to block IPs.
These are requests made in Eastern languages using UTF encoding: hieroglyphs. Apache converts them to English letters. They can be decoded to the original using some online services.
In the Apache access log, I found that HTTPS returns a bigger size than HTTP
210.10.0.156 - - [29/Apr/2019:12:22:46 +0800] "GET /robots.txt HTTP/1.1" 200 5837 "-" "curl/7.52.1"
As you can see, it is 5837 bytes, whereas for HTTP it is less than 1000 bytes.
My robots.txt content is only:
User-agent: *
Disallow: /
Is this a normal thing?
When I tried the same thing on another server with cPanel installed, the size was much lower. I'm not sure what configuration I missed; any advice?
Yes, this is perfectly normal.
Your website may not be configured for HTTP, which will redirect people to HTTPS with a 301 or 302 rule, meaning all they see when they access your site through HTTP is a redirect page, which is usually smaller than the regular webpage which they were expecting.
You can go to your website with http:// or https:// at the start of the URL and see if it looks any different.
What is Apache's other_vhosts_access.log file used for?
I cannot find any documentation on this file on Google.
On the local system, which runs both Apache and Nginx, a lot of entries are displayed in other_vhosts_access.log, like:
kr.b19cms.dk:80 127.0.0.1 - - [19/Jun/2018:08:46:30 +0200] "POST /CHANGELOG.txt HTTP/1.0" 200 108893 "-" "drupalgeddon2" 246.189.151.79, 127.0.0.1
However, I cannot seem to make much out of it.
Usually one of the vhosts is marked as default - so if the Host: HTTP header does not match any of the other vhosts then the default vhost will be used to handle the request.
However, if no vhost is marked as default - then it goes into this log.
For various reasons I want to shut down my server after a certain period of idle time. I am running Tomcat 8.5.29 and Apache2 (not sure of the version) on Debian 4.9.88. I wrote a script to look at the last time Tomcat had an access. I only have one app on the server and it is at "http://hostname/source/". My problem is that there are a number of webserver vulnerabilities out there and I am getting a constant flow of requests to:
"GET / HTTP/1.1"
"POST /GponForm/diag_Form?images/ HTTP/1.1"
"GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Aservice%3DMainDeployer HTTP/1.1"
"POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1"
What I would like to do is stop anything that doesn't begin with "/source" from even getting to tomcat. I presume that a rewrite or something in Apache can do it, but I am not sure how the requests get to Tomcat in the first place.
Any ideas?
There are two possible ways for requests to reach Tomcat:
The probes send requests directly to the Tomcat port (typically port 8080). You can fix this by restricting Tomcat's listening address to the loopback address, by adding the attribute address="127.0.0.1" to the corresponding Connector element in conf/server.xml. Or you can just block port 8080 in your firewall.
The requests are forwarded from Apache to Tomcat via a reverse proxy configuration in Apache. This means there is a line such as the following in one of the Apache configuration files:
ProxyPass / http://127.0.0.1:8080/
If you add an explicit path prefix to both arguments, you can restrict which requests are passed to Tomcat:
ProxyPass /source http://127.0.0.1:8080/source
This ensures that only requests that begin with "/source" are forwarded to Tomcat.
Some Apache configurations use the AJP protocol instead of HTTP for proxying, but the same reasoning applies.
I tried it, but when I set my domain A record to bypass, the h2 protocol is working.
All correct in browser and apache logs.
When I turn on Cloudflare on the domain, the browser is working fine (I know CF uses the HTTP/2 protocol with clients).
But I saw these in the apache logs:
"GET / HTTP/1.1" 302 5067
"GET /en/ HTTP/1.1" 200 5068
"POST /en/ajax/user HTTP/1.1" 200 77
It's using HTTP/1.1, but I don't know why.
I tried to force the HTTP/2 protocol, but no difference.
Any idea?
Thank you!
Cloudflare plans to use HTTP 1.1 to the origin for the foreseeable future.
https://support.cloudflare.com/hc/en-us/articles/214534978-Are-the-HTTP-2-or-SPDY-protocols-supported-between-Cloudflare-and-the-origin-server-
You can use HTTP/2 to origin as of June 14th, 2022:
1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account.
2. Choose the domain that will use HTTP/2 to Origin.
3. Click **Network**.
4. Under **HTTP/2 to Origin** set the toggle to On.
Refs are:
https://github.com/cloudflare/cloudflare-docs/blob/production/content/cache/how-to/enable-http2-to-origin.md
https://developers.cloudflare.com/cache/how-to/enable-http2-to-origin/
I found the following requests in my Apache web server. Are these hack attempts? Will they be harmful to the server?
My server is crashing frequently, and I don't know the reason for it:
GET /muieblackcat HTTP/1.1" 302 214
GET //index.php HTTP/1.1" 302 214
GET //admin/index.php HTTP/1.1" 302 214
GET //admin/pma/index.php HTTP/1.1" 302 214
GET //admin/phpmyadmin/index.php HTTP/1.1" 302 214
/user/soapCaller.bs HTTP/1.1" 302 214
GET /robots.txt HTTP/1.0" 302 214.
We see a lot of requests for non-existent setup.php files:
GET /phpmyadmin/scripts/setup.php HTTP/1.1" 302 214
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 302 214
GET /MyAdmin/scripts/setup.php HTTP/1.1" 302 214
GET /myadmin/scripts/setup.php HTTP/1.1" 302 214
GET //typo3/phpmyadmin/index.php HTTP/1.1" 302 214
GET /pma/scripts/setup.php HTTP/1.1" 302 214
GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 302 214
The request below is also made to the server. What request is this?
95.211.124.232 - - [16/Aug/2012:18:14:52 +0800] "CONNECT yandex.ru:80 HTTP/1.1" 302 214
How should this server crash issue be understood?
Yes, these are probably attempts to hack your server. The hacker makes calls to URLs with known weaknesses. However, you are safe as long as these files don't exist on your server.
You should be concerned if you actually have a file with a known weakness.
One temporary solution would be to block the IP address that these calls are made from. You should also check if any calls from that particular IP address actually found an existing page.
The only permanent solution is to upgrade all of your software so that you are not vulnerable to known security weaknesses.
These HTTP calls can not explain why your server crashes.
PS: The /robots.txt is not a hacking attempt. This is a file that search engines like Google look for to get instructions about how to index your site. That is perfectly OK.
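As an added example (not code from any of the posters), a small Python triage script that parses Apache access-log lines like those quoted in this question and in the first one above, flags request lines Apache had to \xNN-escape, CONNECT proxy probes and the setup.php/phpMyAdmin-style paths listed in the question, and then applies the check from the answer: did any flagged IP also receive a 2xx? The sample log is constructed (two shortened copies of the first question's lines plus RFC 5737 documentation addresses); the path fragments come from the requests quoted in the question.

```python
import re
from collections import defaultdict

# Apache common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+')
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")
# Path fragments from the probes quoted in the question; none belongs to an app on this host.
PROBE_PATHS = ("/muieblackcat", "/scripts/setup.php", "phpmyadmin", "/pma/", "/myadmin/")

# Constructed sample: two shortened copies of the question's binary lines, then RFC 5737 IPs.
SAMPLE_LOG = r"""
218.52.178.3 - - [10/Feb/2015:13:48:48 +0100] "\xa6Q\xb0\xce\xf5\b\x15\x05\xd3" 200 62
98.119.71.85 - - [10/Feb/2015:15:48:47 +0100] "\x86}\x12%\xe8<\xc9\xb8" 400 226
203.0.113.7 - - [16/Aug/2012:18:14:52 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 302 214
203.0.113.7 - - [16/Aug/2012:18:14:53 +0800] "GET //admin/pma/index.php HTTP/1.1" 302 214
203.0.113.7 - - [16/Aug/2012:18:14:54 +0800] "CONNECT yandex.ru:80 HTTP/1.1" 302 214
198.51.100.9 - - [16/Aug/2012:18:20:01 +0800] "GET /robots.txt HTTP/1.0" 200 28
""".strip().splitlines()

def classify(line):
    """Return {'ip', 'status', 'reasons'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req, reasons = m.group("request"), []
    rm = REQUEST_RE.match(req)
    # Apache writes non-printable request bytes as \xNN; a request line that is not
    # "METHOD target HTTP/x.y" or carries such escapes was never a valid HTTP request.
    if rm is None or re.search(r"\\x[0-9a-fA-F]{2}", req):
        reasons.append("malformed request line")
    else:
        if rm.group("method") == "CONNECT":
            reasons.append("open-proxy probe")  # asks this server to tunnel to another host
        if any(p in rm.group("target").lower() for p in PROBE_PATHS):
            reasons.append("known-app probe")
    return {"ip": m.group("ip"), "status": int(m.group("status")), "reasons": reasons}

def triage(lines):
    """Per IP that sent a flagged request: counts, and whether ANY of its requests got a 2xx."""
    per_ip = defaultdict(lambda: {"total": 0, "flagged": 0, "hit_2xx": False})
    for rec in filter(None, map(classify, lines)):
        e = per_ip[rec["ip"]]
        e["total"] += 1
        e["flagged"] += 1 if rec["reasons"] else 0
        e["hit_2xx"] = e["hit_2xx"] or 200 <= rec["status"] < 300
    return {ip: e for ip, e in per_ip.items() if e["flagged"]}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An IP whose probes drew only 302/404 responses hit nothing; one that also collected a 200, like the first sample line, is the one whose other requests deserve a closer look.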
I'd like to ask if you are using PHP at all. Most webspaces do support a lot of features. If you don't use PHP, CGI, SSI, etc., you could turn them off.
Also it might be an idea to watch your messages (Linux? - tail -f /var/log/messages). There you can see live actions.
Another idea would be to move well-known ports of SSH and other daemons except HTTP to upper, unusual ports above 1024 - or, if you have your own public IP address from which you access the Internet, you could set your firewall to only accept connections on those ports from your own IP address.
A good solution would be, if you are running Apache/WHM, to install mod_security and CSFirewall. mod_security will watch for malicious activity and kick IP addresses to the firewall if they trigger the same security rule too often.
Another solution, which is pretty extreme, would be to block all IP traffic in the firewall based on country code. For instance, if you notice that most of your attacks are coming from Ukraine and 99% of your user base is in the USA, then block the entire offending country. As I said... it's extreme.
Also note that running mod_security and CSF can slow down the server, since it has to check the firewall database for all incoming traffic.