IE10 slow on file download due to MS Office Protocol Discovery OPTIONS requests. Any workaround? - internet-explorer-10

We are facing an issue with Internet Explorer 10/11. At some moment during file download IE hangs for a while (up to 1 minute) and then opens the file as expected (this is relevant only for MS Office file types). Other browsers work without any issues (including IE7, IE8, Firefox, Chrome, etc.). This is somehow related to Microsoft Office Protocol Discovery, so our server returns 405 for such requests to tell IE that there is no support for this protocol. Microsoft actually has an article about similar issues:
The WebClient service also assumes that if the target host does not support PROPFIND that it will return an error status like 405 Method Not Allowed
Here is the relevant portion of httpd.conf:
# Returning 405 for HEAD requests is not a great idea, we use it here just for testing
RewriteCond %{REQUEST_METHOD} ^(OPTIONS|PROPFIND|HEAD)$ [NC]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft\ Office\ Protocol\ Discovery [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft\ Office\ Existence\ Discovery [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft\-WebDAV\-MiniRedir.*$
RewriteRule .* - [R=405,L]
Using "attachment" in Content-disposition header is not an option (we want MS Office plugin for IE to open files in a browser window without a lot of additional dialogue boxes, etc).
The delay during file download is clearly visible in Wireshark:
No. Time Source Destination Protocol Length Info
4 0.012920000 172.17.0.9 172.17.0.182 HTTP 348 GET /service/download/094444448003f6ae HTTP/1.1
57 4.652657000 172.17.0.182 172.17.0.9 HTTP 1371 HTTP/1.1 200 OK (application/msword)
62 11.291203000 172.17.0.9 172.17.0.182 HTTP 208 OPTIONS /service/download/ HTTP/1.1
64 11.292579000 172.17.0.182 172.17.0.9 HTTP 580 HTTP/1.1 405 Method Not Allowed (text/html)
72 11.295662000 172.17.0.9 172.17.0.182 HTTP 208 OPTIONS /service/download/ HTTP/1.1
74 11.297493000 172.17.0.182 172.17.0.9 HTTP 580 HTTP/1.1 405 Method Not Allowed (text/html)
82 11.310690000 172.17.0.9 172.17.0.182 HTTP 208 OPTIONS /service/download/ HTTP/1.1
84 11.312993000 172.17.0.182 172.17.0.9 HTTP 580 HTTP/1.1 405 Method Not Allowed (text/html)
94 32.345213000 172.17.0.9 172.17.0.182 HTTP 203 HEAD /service/download/094444448003f6ae HTTP/1.1
98 32.346555000 172.17.0.182 172.17.0.9 HTTP 60 HTTP/1.1 405 Method Not Allowed
104 53.357503000 172.17.0.9 172.17.0.182 HTTP 202 OPTIONS /service/download HTTP/1.1
106 53.358397000 172.17.0.182 172.17.0.9 HTTP 579 HTTP/1.1 405 Method Not Allowed (text/html)
114 53.380199000 172.17.0.9 172.17.0.182 HTTP 222 HEAD /service/download/094444448003f6ae HTTP/1.1
117 53.381414000 172.17.0.182 172.17.0.9 HTTP 60 HTTP/1.1 405 Method Not Allowed
The back-end is a Spring application deployed to Tomcat. Relevant headers look like this:
response.setContentType(mimeType + ";charset=UTF-8");
response.setHeader("Content-Transfer-Encoding", "binary");
response.addHeader("Content-disposition", "inline;filename=sample_document.doc");
What is IE waiting for between OPTIONS requests? Is it possible to debug somehow?
Note: This was confirmed for multiple workstations in our network running Windows 7, Office 2010 and IE10/11. Some machines show significantly better performance in this task than others.

We had something which sounds similar a year and a bit ago. We added the following stanza to the Apache config for the sub-site to "fix" things ...
# IM163264 18/02/2013 - disallow OPTIONS/PROPFIND to stop Windows/IE treating
# this as a webdav store and being slow.
<LimitExcept GET HEAD POST>
deny from all
</LimitExcept>
My theory was that IE was trying to act as a WebDAV client. Blocking anything but GET/HEAD/POST felt like a sledgehammer, but it made things work for the customers.

Related

Unknown behavior in Apache HTTPD

Yesterday we faced a strange behavior when reading the access log of Apache httpd. An example is below:
207.46.13.135 - - [25/Sep/2022:15:28:28 +0700] "GET / HTTP/1.1" 302 287 (core.c/0/translate_name) - 140
This is a normal access entry: x.x.x.x - - [26/Sep/2022:14:16:57 +0700] "GET /corp/L003/consumer/theme/vn.ssc.css HTTP/1.1" 200 1043 (core.c/0/handler) - 830
We have directives to proxy and redirect the requests going to the system. But why does this not redirect? (The return code 302 is understandable in debug mode, but why don't we get it in the production log?) We suspected that these IPs used some kind of engine to flood the web server that fetches only the response status but not the content.

Can I use HTTP/2 between origin and Cloudflare servers? (Apache)

I tried to, and when I point my domain's A record to bypass Cloudflare, the h2 protocol is working.
Everything is correct in the browser and in the Apache logs.
When I turn on Cloudflare for the domain, the browser is working fine (I know CF is using the HTTP/2 protocol with the clients).
But I saw these in the Apache logs:
"GET / HTTP/1.1" 302 5067
"GET /en/ HTTP/1.1" 200 5068
"POST /en/ajax/user HTTP/1.1" 200 77
It's using HTTP/1.1, but I don't know why.
I tried to force the HTTP/2 protocol, but there was no difference.
Any idea?
Thank you!
Cloudflare plans to use HTTP 1.1 to the origin for the foreseeable future.
https://support.cloudflare.com/hc/en-us/articles/214534978-Are-the-HTTP-2-or-SPDY-protocols-supported-between-Cloudflare-and-the-origin-server-
You can use HTTP/2 to origin as of June 14th, 2022:
1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account.
2. Choose the domain that will use HTTP/2 to Origin.
3. Click **Network**.
4. Under **HTTP/2 to Origin** set the toggle to On.
References:
https://github.com/cloudflare/cloudflare-docs/blob/production/content/cache/how-to/enable-http2-to-origin.md
https://developers.cloudflare.com/cache/how-to/enable-http2-to-origin/

Why does Apache return 403

Why can't I see why Apache returns 403?!
If I look in the access log the only information I get is
193.162.142.166 - - [29/Jan/2014:18:34:26 +0100] "POST /api_test/callback.php HTTP/1.1" 403 2293
How can I get more information about why the request is forbidden/rejected?
The call is made from a payment gateway...
If the callback URL is an HTTP URL there are no problems and it returns 200 OK.
If the callback URL is HTTPS, my server returns 403. I need to know why.
The server has SSL and OpenSSL installed and it works!
I have tried to do the HTTPS request from http://web-sniffer.net/ and then there are no problems.
I don't get it. There must be something in the request headers from the payment gateway which results in 403.
update
error log
[Wed Jan 29 20:45:55 2014] [error] No hostname was provided via SNI for a name based virtual host
solution
OK, it looks like the client doesn't support SNI:
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
Use the LogLevel directive to adjust how verbose the error logs are and increase until you can see what you want.
httpd 2.4 has better messages in a lot of respects and a more extensive list of LogLevel settings than 2.2. So if you're using 2.2 it may be a bit harder to figure this out.

Disabled Unnecessary HTTP Methods

I'm building a web-based application, and what I did was disable some HTTP methods that are not necessary for the website, specifically OPTIONS, HEAD and TRACE.
I put this in the httpd.conf of my XAMPP to test whether it works:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST|PUT)
RewriteRule .* - [R=405,L]
Now my problem is: how would I know if it is really deactivated, or whether this particular setting is working properly? Are there tools that could facilitate this? I'm just new to server-side administration.
Please someone help me.
You could just use telnet/netcat to verify this. Assuming that you're not using HTTPS, something like below should work perfectly to test:
$ telnet www.google.com 80
Trying 74.125.239.49...
Connected to www.google.com.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host:
HTTP/1.1 405 Method Not Allowed
Content-Type: text/html; charset=UTF-8
Content-Length: 962
Date: Tue, 17 Dec 2013 20:18:22 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic
Rinse and repeat for any other method that you have disabled, and that will tell you for sure whether the configuration works or not.
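The telnet check above automated, as an added example (not code from either question or answer): a constructed stand-in server applies the same policy as the RewriteRule in this question (only GET/POST/PUT allowed, everything else 405) plus the user-agent rules from the IE/Office question at the top of the page, and probe() reports the status each method gets, which is what you want to confirm before trusting the config. The server, port and the probe user-agent string are assumptions for offline testing; point probe() at your real host to check a live deployment.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Policy from the question: only these methods are allowed, all others get 405
# (mirrors: RewriteCond %{REQUEST_METHOD} !^(GET|POST|PUT)).
ALLOWED_METHODS = {"GET", "POST", "PUT"}
# User agents IE/Office send for WebDAV discovery (the RewriteConds in the first question).
DISCOVERY_AGENTS = ("Microsoft Office Protocol Discovery",
                    "Microsoft Office Existence Discovery",
                    "Microsoft-WebDAV-MiniRedir")

class PolicyHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the Apache rewrite policy so the probe runs offline."""

    def _respond(self):
        ua = self.headers.get("User-Agent", "")
        if self.command not in ALLOWED_METHODS or ua.startswith(DISCOVERY_AGENTS):
            self.send_response(405)
            self.send_header("Allow", ", ".join(sorted(ALLOWED_METHODS)))
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

# http.server dispatches on do_<METHOD>; route every method we probe to _respond.
for _m in ("GET", "HEAD", "POST", "PUT", "OPTIONS", "TRACE", "PROPFIND"):
    setattr(PolicyHandler, "do_" + _m, PolicyHandler._respond)

def probe(host, port, methods, user_agent="method-probe/1.0", path="/"):
    """Send each method once and return {method: status}: the telnet check, automated."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path, headers={"User-Agent": user_agent})
        results[method] = conn.getresponse().status
        conn.close()
    return results

def start_test_server():
    srv = HTTPServer(("127.0.0.1", 0), PolicyHandler)  # free loopback port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_test_server()
    print(probe("127.0.0.1", srv.server_port, ["GET", "HEAD", "OPTIONS", "TRACE", "PROPFIND"]))
    srv.shutdown()
```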

Suspicious requests in Apache web server log file

I found the following requests in my Apache web server log. Are these hack attempts? Will they be harmful to the server?
My server is crashing frequently, and I don't know the reason for it:
GET /muieblackcat HTTP/1.1" 302 214
GET //index.php HTTP/1.1" 302 214
GET //admin/index.php HTTP/1.1" 302 214
GET //admin/pma/index.php HTTP/1.1" 302 214
GET //admin/phpmyadmin/index.php HTTP/1.1" 302 214
/user/soapCaller.bs HTTP/1.1" 302 214
GET /robots.txt HTTP/1.0" 302 214
We see a lot of requests for non-existent setup.php files:
GET /phpmyadmin/scripts/setup.php HTTP/1.1" 302 214
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 302 214
GET /MyAdmin/scripts/setup.php HTTP/1.1" 302 214
GET /myadmin/scripts/setup.php HTTP/1.1" 302 214
GET //typo3/phpmyadmin/index.php HTTP/1.1" 302 214
GET /pma/scripts/setup.php HTTP/1.1" 302 214
GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 302 214
The request below was also made to the server. What request is this?
95.211.124.232 - - [16/Aug/2012:18:14:52 +0800] "CONNECT yandex.ru:80 HTTP/1.1" 302 214
How should this server crash issue be understood?
Yes, these are probably attempts to hack your server. The hacker makes calls to URLs with known weaknesses. However, you are safe as long as these files don't exist on your server.
You should be concerned if you actually have a file with a known weakness.
One temporary solution would be to block the IP address that these calls are made from. You should also check if any calls from that particular IP address actually found an existing page.
The only permanent solution is to upgrade all of your software so that you are not vulnerable to known security weaknesses.
These HTTP calls cannot explain why your server crashes.
PS: The /robots.txt request is not a hacking attempt. This is a file that search engines like Google look for to get instructions about how to index your site. That is perfectly OK.
I'd like to ask if you are using PHP at all. Most webspaces do support a lot of features. If you don't use PHP, CGI, SSI, etc., you could turn them off.
Also, it might be an idea to watch your messages (Linux? tail -f /var/log/messages). There you can see live actions.
Another idea would be to move the well-known ports of SSH and other daemons except HTTP to weird upper ports above 1024, or, if you have your own public IP address from which you access the Internet, you could set your firewall to only accept connections on those ports from your own IP address.
A good solution would be, if you are running Apache/WHM, to install mod_security and CSFirewall. mod_security will watch for malicious activity and kick IP addresses to the firewall if they trigger the same security rule too often.
Another solution, which is pretty extreme, would be to block all IP traffic in the firewall based on country code. For instance, if you notice that most of your attacks are coming from Ukraine and 99% of your user base is in the USA, then block the entire offending country. As I said, it's extreme.
Also note that running mod_security and CSF can slow down the server, since it has to check the firewall database for all incoming traffic.
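A small detector for the traffic discussed in this question, as an added example (not code from any of the posts): it parses Apache access-log lines, flags the scanner paths and the CONNECT proxy probe seen above, and, as the first answer suggests, reports per source IP whether any probed path actually answered 200, which is the case that needs attention. The log lines are constructed sample input; 203.0.113.7 and 198.51.100.20 are placeholder addresses.

```python
import re
from collections import defaultdict

# Apache common-log-format line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Fingerprints of the probes shown in the question; extend as new scanners show up.
PROBE_PATTERNS = [
    re.compile(r"/muieblackcat$"),
    re.compile(r"/(phpmyadmin|myadmin|pma)[^/]*/scripts/setup\.php$", re.I),
    re.compile(r"^//(admin|typo3)/"),
    re.compile(r"/soapCaller\.bs$"),
]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Label scanner traffic, or return None for ordinary requests (robots.txt included)."""
    if entry["method"] == "CONNECT":          # open-proxy check, not aimed at your content
        return "proxy-probe"
    if any(p.search(entry["path"]) for p in PROBE_PATTERNS):
        return "known-vuln-scan"
    return None

def scan(lines):
    """Per source IP: how many probes it sent and which probed paths answered 200."""
    report = defaultdict(lambda: {"probes": 0, "hits": []})
    for line in lines:
        entry = parse_line(line)
        if entry is None or classify(entry) is None:
            continue
        per_ip = report[entry["ip"]]
        per_ip["probes"] += 1
        if entry["status"] == "200":          # the scanner found something real
            per_ip["hits"].append(entry["path"])
    return dict(report)

# Constructed sample log (203.0.113.7 and 198.51.100.20 are documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Aug/2012:18:14:50 +0800] "GET /muieblackcat HTTP/1.1" 302 214
203.0.113.7 - - [16/Aug/2012:18:14:51 +0800] "GET //admin/pma/index.php HTTP/1.1" 302 214
203.0.113.7 - - [16/Aug/2012:18:14:52 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 1043
203.0.113.7 - - [16/Aug/2012:18:14:53 +0800] "GET /robots.txt HTTP/1.0" 302 214
95.211.124.232 - - [16/Aug/2012:18:14:52 +0800] "CONNECT yandex.ru:80 HTTP/1.1" 302 214
198.51.100.20 - - [16/Aug/2012:18:15:00 +0800] "GET /index.html HTTP/1.1" 200 5120
""".splitlines()
```

Run scan(SAMPLE_LOG) to get the per-IP report; an IP with a non-empty "hits" list is one where a probe reached a real file and deserves a closer look.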