I have a XAMPP installation on Windows 2008 R2 that I have to support. The facts are these:
The computer has 3 IP addresses (25, 59 and 130, each 192.168.43.)
Apache and IIS need to run side by side (IIS is used for application pools)
The apache is configured to listen only on IP 25
Accessing any of the other IP addresses yields a message from the apache
The following configuration files have been adapted to the IP address listen/bind change (from the default installation):
httpd.conf lists "Listen 192.168.43.25:80"
httpd.conf lists "ServerName 192.168.43.25:80"
extra/httpd-ssl.conf lists "Listen 192.168.43.25:443"
I have no explanation for this behaviour. Whenever I access one of the other IP addresses, I get the following lines in the "access.log":
192.168.43.130 - - [25/Apr/2012:11:41:47 +0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.0; rv:11.0) Gecko/20100101 Firefox/11.0"
192.168.43.130 - - [25/Apr/2012:11:41:47 +0200] "GET /xampp/ HTTP/1.1" 403 1371 "-" "Mozilla/5.0 (Windows NT 6.0; rv:11.0) Gecko/20100101 Firefox/11.0"
I'm not sure what to make of this. I'm pretty sure that this is my fault, that I somehow do not get the configuration, yet it seems straight forward correct.
Please help me. Thank you. I'll try to answer any questions in a matter of minutes.
Related
We never had any problem and we didn't deploy anything, but one particular customer on his ipv6 addr is now getting 403 error from our Apache and I just can't figure out why.
I'm not sure what to provide but I double check every a2 config file.
I can see the customer access in the access.log (with the 403 code status), but nothing in the error.log.
access.log :
2a02:2788(...):102f - - [17/May/2021:12:54:12 +0200] "GET /page_url HTTP/1.0" 403 368 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.75"
2a02:2788(...):102f - - [17/May/2021:12:54:15 +0200] "GET /page_url HTTP/1.0" 403 368 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.75"
It's not on the application level too, we don"t have anything that return a 403 error.
Any idea on what Apache can do to trigger 403 error specificly on IP ?
Why/how is the customer seemingly making an HTTP/1.0 request? This alone could be sufficient reason for the server to reject the request since normal users using normal browsers don't send HTTP 1.0 requests. (HTTP/1.1 is expected.)
Generally, only certain bots make HTTP 1.0 requests.
An Apache module like mod_security could potentially have a rule that would block such requests. (Or any other rule using mod_rewrite, for instance, could also block such requests - but this is certainly not a default.)
Edg/89.0.774.75
It would seem this may have been a bug with Microsoft Edge, as the following Microsoft community post (from around the same time as this question) would seem to suggest:
https://answers.microsoft.com/en-us/microsoftedge/forum/all/internet-explorer-and-ms-edge-sends-ssl-requests/22708bcd-f196-45fb-84c9-6d8c34e7e08f
And as also noted in the above article, this would seem to have been "fixed" in later versions. So, your customer may also now be "fixed". (?)
We are seeing random letters appear in access logs. The requests 404 since the content does not exist. The requests are made by a variety of users and other requests from the same ip usually look genuine. There is no way to request these from the site. Some of these requests even appear from internal traffic on our network.
Example:
157.203.177.191 - - [04/Feb/2018:23:51:20 +0000] "GET /VLTRP/content/dam/example/dotcom/images/ABtest/existing-customer-thumb.jpg HTTP/1.1" 404 60294 39082 "http://www.example.com/shop.html" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" 2
Without the /VLTRP this is a genuine request. Has anyone seen something similar before?
For info we are running Apache/2.2.15 (Unix) with ModSec enabled. We do see similar behaviour on another site where we do not have ModSec configured. We see similar requests for internal, external and bot traffic.
I am hosting a small test website in ec2 and there should be only 2-3 test users with valid login to my server. However, I am seeing a lot of junk logs in my apache access_log(
/var/log/httpd/access_log):
198.2.208.231 - - [13/Dec/2013:21:11:07 +0000] "GET http://ib.adnxs.com/ttj?id=1995383&position=above HTTP/1.0" 302 - "http://www.minbusiness.net/?p=611" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0 Safari/533.16"
173.234.32.69 - - [13/Dec/2013:21:11:07 +0000] "GET http://ads.creafi-online-media.com/st?ad_type=iframe&ad_size=728x90,468x60§ion=5172215&pub_url=${PUB_URL} HTTP/1.0" 302 - "http://lookfashionstyle.com/index.php?option=com_content&view=category&layout=blog&id=42&Itemid=98&limitstart=24" "Mozilla/4.0 (compatible; MSIE 6.0; WINDOWS; .NET CLR 1.1.4322)"
198.136.31.98 - - [13/Dec/2013:21:11:07 +0000] "GET http://ad.tagjunction.com/st?ad_type=ad&ad_size=468x60§ion=4914662&pub_url=${PUB_URL} HTTP/1.0" 302 - "http://www.benzec.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
....
Not exactly sure what's going on... Am I being attacked?
thanks!
One possibility is that your server is configured as an open proxy and some ad scams are proxying traffic through it to hide their real origin.
There is alot of bots around the web attempting all kinds of exploits,
I spawned my web server just yesterday and already received lots of spamming/exploit attempts. Like the ones in the thread I've just created ( and not only, quite a few others.. Cloudflare is helping but it doesn't catch it all, at least not in the free version, which is what I am using to get some protection):
Exploit Attempts in nginx access log, Some logs without IP, what to do about it?
i want log in my accesslog the full urls not just this.
127.0.0.1 - - [07/May/2011:20:19:48 +0200] "GET /test/index1.php HTTP/1.1" 200 31333 "-" "Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0"
i want log for example:
/test/index.php?page=10 or I use also mod rewrite than it would be /test/Page/100
is this possible?
On my server is running Apache / PHP 5
Thank you for your help.
Use the LogFormat directive to specify the exact format that you want. The parameter for the query string is %q
When I restart my apache2 and reload a page, the log file shows
boogie.tontut.fi - - [28/Oct/2008:03:27:49 +0200] "GET /test HTTP/1.1" 404 457 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
...as supposed to, as it's 03:27:49 now. However, when I click the refresh button again, the new log entry is:
boogie.tontut.fi - - [27/Oct/2008:21:27:52 -0400] "GET /test HTTP/1.1" 404 457 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
Offset has changed from +0200 to -0400 and I have no clue where this comes from.
How can I start troubleshooting this problem?
sudo vim /etc/php5/apache2/php.ini
Add time zone
date.timezone="Europe/London"
restart apache2
/etc/init.d/apache2 restart
Try and set your timezone explicitly in the httpd.conf:
SetEnv TZ GMT+2
Maybe looking at the system call would help; on Unix its gettimeofday and on Windows its GetSystemTime.
Isn't it possible that something that runs in apache is changing locale settings in its environment?
Something like:
First reload: log message GMT+2
Apache runs /weird_script.php that calls some kind of setlocale()
Second reload, new enviroment setting in effect, results in log message GMT-4