identify error origin in apache http server log - apache

I have an Apache HTTP 2.2 server load balancing to several Tomcat application servers running Java servlets. Sometimes there are error responses coming back;
in the HTTP log it shows:
212.xx.xx.x - - [09/Aug/2012:05:07:32 -0700] "GET /myservlet/myService?inputParam=xxx HTTP/1.1" 500 627
Is there a way for me to log the Tomcat IP or some kind of ID so that I can identify which Tomcat server is producing the error?
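An added example, not from the original question, of what a practitioner would do here: mod_proxy_balancer exports the member it picked for each request as the environment variables BALANCER_WORKER_NAME (the member URL) and BALANCER_WORKER_ROUTE, and %{VAR}e in a LogFormat writes them into the access log. The balancer name, member addresses, route names and log path below are assumptions.

```apache
# Added example; balancer name "tomcats", the member addresses, the route
# names and the log path are assumed, not taken from the question.
<Proxy balancer://tomcats>
    BalancerMember http://10.0.0.11:8080 route=tc1
    BalancerMember http://10.0.0.12:8080 route=tc2
</Proxy>
ProxyPass        /myservlet balancer://tomcats/myservlet
ProxyPassReverse /myservlet balancer://tomcats/myservlet

# mod_proxy_balancer sets these for every request it dispatches:
#   BALANCER_WORKER_NAME  - URL of the member used, e.g. http://10.0.0.12:8080
#   BALANCER_WORKER_ROUTE - that member's route= value, e.g. tc2
# %{VAR}e logs an environment variable; mod_log_config writes "-" when it is
# unset, which is what requests not handled by the balancer will show.
LogFormat "%h %l %u %t \"%r\" %>s %b worker=%{BALANCER_WORKER_NAME}e route=%{BALANCER_WORKER_ROUTE}e" balanced
CustomLog logs/access_log balanced
```

With this in place the line from the question would end in something like `worker=http://10.0.0.12:8080 route=tc2` (a constructed value), which names the Tomcat whose catalina.out or access log to read for that timestamp. A 502 or 503 rather than a 500 usually means Apache itself could not connect to or read from the member; mod_proxy then writes the failing member's address to error_log.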

Related

Apache access log is reporting thousands of GET requests

Some weeks ago I was being overwhelmed with a DDoS attack.
After some research I fixed the proxy misconfiguration and activated mod_evasive for Apache, and the slowness was gone.
I'm still receiving some types of requests like this one:
51.159.210.176 - - [01/Dec/2022:20:51:26 +0000] "GET http://chongzhi.jusunpay.com:8122/pay HTTP/1.1" 302 217
Are they harmless to my server? Also, is there a way to disable this specific log? Because the access_log file is getting close to 50 GB.

Why is this Apache log showing a private IP as the client IP?

I just want to ask what this Apache log means. Although I know some of the meaning, I did not really understand this log line:
10.xx.x.xx - - [08/Dec/2021:08:06:12 +0000] "POST /endpoint HTTP/1.1" 200 511 "-" "PHP Curl/1.9 (+https://github.com/php-mod/curl)" "157.xxx.xx.xxx, 172.70.xxx.xxx"
My Server A (157.xxx.xx.xxx) is calling an HTTP POST method on another server B. So in this case I'm not sure what kind of server config is causing the client IP at the front of the log to show as 10.xx.x.xx (looks like a private IP?), while my Server A IP is shown behind the user agent, and there is another IP shown after my Server A IP (172.70.xxx.xxx)?
I suspect that the IP 10.xx.x.xx may be some kind of proxy or gateway IP? Maybe a load balancer, nginx, Cloudflare or something similar?
Can anyone help to explain this? Thanks guys.

How to filter requests so that Apache handles them and not Tomcat?

For various reasons I want to shut down my server after a certain period of idle time. I am running Tomcat 8.5.29 and Apache2 (not sure of the version) on Debian 4.9.88. I wrote a script to look at the last time Tomcat had an access. I only have one app on the server and it is at "http://hostname/source/". My problem is that there are a number of webserver vulnerabilities out there and I am getting a constant flow of requests to:
"GET / HTTP/1.1"
"POST /GponForm/diag_Form?images/ HTTP/1.1"
"GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Aservice%3DMainDeployer HTTP/1.1"
"POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1"
What I would like to do is stop anything that doesn't begin with "/source" from even getting to Tomcat. I presume that a rewrite or something in Apache can do it, but I am not sure how the requests get to Tomcat in the first place.
Any ideas?
There are two possible ways for requests to reach Tomcat:
The probes send requests directly to the Tomcat port (typically port 8080). You can fix this by restricting Tomcat's listening address to the loopback address, by adding the attribute address="127.0.0.1" to the corresponding Connector element in conf/server.xml. Or you can just block port 8080 in your firewall.
The requests are forwarded from Apache to Tomcat via a reverse proxy configuration in Apache. This means there is a line such as the following in one of the Apache configuration files:
ProxyPass / http://127.0.0.1:8080/
If you add an explicit path prefix to both arguments, you can restrict which requests are passed to Tomcat:
ProxyPass /source http://127.0.0.1:8080/source
This ensures that only requests that begin with "/source" are forwarded to Tomcat.
Some Apache configurations use the AJP protocol instead of HTTP for proxying, but the same reasoning applies.
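As an added example, not part of the answer above, here is the proxy side written out with the pieces a practitioner would add: the explicit prefix on both ProxyPass arguments, the matching ProxyPassReverse so redirects from Tomcat are rewritten, and an exclusion (ProxyPass ... !) to show that more specific rules must precede the general one. The /source/static path, the AJP port 8009 and the ProxyPreserveHost choice are assumptions; the Tomcat Connector change from the first option is made in conf/server.xml exactly as the answer describes and is not repeated here.

```apache
# Added example; /source/static and AJP port 8009 are assumed.
ProxyRequests Off                 # reverse proxy only, never an open forward proxy
ProxyPreserveHost On              # Tomcat sees the client's Host header

# Order matters: a "!" exclusion or a longer prefix must come BEFORE the
# rule that would otherwise swallow it.
ProxyPass        /source/static !
ProxyPass        /source http://127.0.0.1:8080/source
ProxyPassReverse /source http://127.0.0.1:8080/source

# The same restriction over AJP (mod_proxy_ajp) would read:
#   ProxyPass        /source ajp://127.0.0.1:8009/source
#   ProxyPassReverse /source ajp://127.0.0.1:8009/source

# Nothing else is proxied. "GET /", "/GponForm/..." and the rest now fall
# through to DocumentRoot and get Apache's own 404 (or whatever is served
# there); they never reach Tomcat.
```

ProxyPass matches by string prefix, so "/sourcefoo" would still be forwarded by the rule above; if that matters, use "/source/" on both sides and add a Redirect from "/source" to "/source/" so the bare path still works.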

Why does Apache return 403

Why can't I see why Apache returns 403?!
If I look in the access log the only information I get is
193.162.142.166 - - [29/Jan/2014:18:34:26 +0100] "POST /api_test/callback.php HTTP/1.1" 403 2293
How can I get more information about why the request is forbidden/rejected?
The call is made from a payment gateway...
If the callback URL is an http request there are no problems and it returns 200 OK.
If the callback URL is https my server returns 403. I need to know why.
The server has SSL and OpenSSL installed and it works!
I have tried to do the https request from http://web-sniffer.net/ and then there are no problems.
I don't get it. There must be something in the request headers from the payment gateway which results in a 403.
update
error log
[Wed Jan 29 20:45:55 2014] [error] No hostname was provided via SNI for a name based virtual host
solution
OK, it looks like the client doesn't support SNI:
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
Use the LogLevel directive to adjust how verbose the error logs are and increase it until you can see what you want.
httpd 2.4 has better messages in a lot of respects and an extensive list of LogLevel settings compared to 2.2. So if you're using 2.2 it may be a bit harder to figure this out.
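An added example, not from either post, showing the two configuration points behind the thread: how to raise LogLevel on 2.2 versus per-module on 2.4, and the vhost layout that decides what a client without SNI gets. In mod_ssl the 403 with "No hostname was provided via SNI for a name based virtual host" is produced only by the check that SSLStrictSNIVHostCheck turns on; with it off (the default) a non-SNI client is served by the first vhost configured for that address and port. The host names, certificate paths and document roots are assumptions.

```apache
# Added example; hostnames, certificate paths and DocumentRoots are assumed.
# 2.2: LogLevel is global, so raising it raises every module.
# 2.4: keep the global level and raise one module instead, e.g.
#      LogLevel warn ssl:info      (ssl:debug or ssl:trace2 for handshakes)
LogLevel info

NameVirtualHost *:443             # 2.2 only; 2.4 ignores it with a warning

# On: clients that send no SNI to a name-based SSL vhost get 403 and the
#     "No hostname was provided via SNI ..." error_log line.
# Off (default): such clients are served by the FIRST *:443 vhost below.
SSLStrictSNIVHostCheck off

# The first vhost on *:443 is the default for non-SNI clients, so the site
# that a legacy client (here: the payment gateway) must reach goes first.
<VirtualHost *:443>
    ServerName api.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/api.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/api.example.com.key
    DocumentRoot /var/www/api
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    DocumentRoot /var/www/www
</VirtualHost>
```

The trade-off is that a non-SNI client also receives the first vhost's certificate, so that certificate must be valid for the name the gateway connects to; if it is not, the handshake succeeds on the server side but the gateway will reject it. Strict checking stays the safer default for hosts that serve only modern clients.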

Apache with Kerberos (mod_auth_kerb) - dealing with unauthorized access & 401 log clutter

I have set up an Apache server to use mod_auth_kerb. It authenticates users via Kerberos and the Negotiate protocol, allowing them entry to the site if they hold a valid Kerberos ticket. It works in that it properly authenticates users. There is a problem however: HTTP 401 response codes clutter the Apache log file. They're from the same IP address each time, so I know that a client attempts to access the page, receives a 401, then tries again and gets an HTTP 200 OK back on the second try. It looks like the user is unidentified in the first attempt, but identified properly in the second attempt.
1.2.3.4 - - [07/Jan/2014:12:29:16 -0500] "GET /my_url/ HTTP/1.1" 401 1005
1.2.3.4 - user#REALM.EXAMPLE.COM [07/Jan/2014:12:29:16 -0500] "GET /my_url/ HTTP/1.1" 200 1724
How can I find out what is causing these 401 unauthorized responses? I can't record it over Wireshark because the connection is encrypted with HTTPS and TLS. Chrome's Developer Tools are only showing HTTP 200 OK responses, but I know that 401s are being generated from the Apache server logs. Any thoughts?
This is how HTTP Authentication works.
There is nothing you can do about it.