hacker bypassing reverse proxy nginx+apache ?

Saahib Host Rep, Veteran

Hi,

I have nginx configured as a reverse proxy for Apache. Everything is cool; however, from time to time I find sites going slow, sometimes with a 502 Bad Gateway error, but there is no load on the server at all and no spike in traffic.

What I observed in the nginx error log is this:

2016/08/31 12:32:42 [error] 1273#1273: *429809 connect() failed (110: Connection timed out) while connecting to upstream, client: 37.190.37.40, server: localhost, request: "GET http://chek.zennolab.com/proxy.php HTTP/1.1", upstream: "http://91.121.57.68:8111/proxy.php", host: "chek.zennolab.com", referrer: "RefererString"
2016/08/31 12:32:43 [error] 1273#1273: *429824 connect() failed (110: Connection timed out) while connecting to upstream, client: 37.190.37.40, server: localhost, request: "GET http://chekfast.zennolab.com/proxy.php HTTP/1.1", upstream: "http://95.213.195.219:8111/proxy.php", host: "chekfast.zennolab.com", referrer: "RefererString"

That's interesting, because the upstream should be my Apache server but it's something else. Essentially they are trying to check if my server has an open proxy on port 8111. And randomly there are tons of these requests and thus slow sites; if I change to some random port, things are good for a while, then I again see similar requests.

But in the firewall I have disabled IN/OUT external access to port 8111, so what exactly is going on and how do I solve it?
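As an added example (not from this thread), here is a small Python checker that parses nginx error_log lines like the ones above and flags entries where nginx relayed a request somewhere other than the local Apache backend: an absolute-URI request line, a Host header for a site you do not serve, or an upstream address that is not your backend. The allowed upstream `127.0.0.1:8111` and the served hostname `example.com` are assumptions; the second sample line is constructed.

```python
import re

# Sample log: the first line is the one quoted in the post, the second is a
# constructed benign entry (a real upstream failure on our own backend).
SAMPLE_LOG = """\
2016/08/31 12:32:42 [error] 1273#1273: *429809 connect() failed (110: Connection timed out) while connecting to upstream, client: 37.190.37.40, server: localhost, request: "GET http://chek.zennolab.com/proxy.php HTTP/1.1", upstream: "http://91.121.57.68:8111/proxy.php", host: "chek.zennolab.com", referrer: "RefererString"
2016/08/31 12:33:10 [error] 1273#1273: *429900 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.7, server: example.com, request: "GET /index.php HTTP/1.1", upstream: "http://127.0.0.1:8111/index.php", host: "example.com"
"""

# Fields of an nginx "connect() failed ... while connecting to upstream" line.
LOG_RE = re.compile(
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*", '
    r'upstream: "(?P<upstream>[^"]*)", host: "(?P<host>[^"]*)"'
)
UPSTREAM_RE = re.compile(r'^https?://(?P<addr>[^/]+)')


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    um = UPSTREAM_RE.match(rec["upstream"])
    rec["upstream_addr"] = um.group("addr") if um else ""
    return rec


def is_proxy_probe(rec, allowed_upstreams, served_hosts):
    """True when nginx relayed a request that was never meant for this site."""
    absolute_uri = rec["target"].lower().startswith(("http://", "https://"))
    foreign_host = rec["host"] not in served_hosts
    foreign_upstream = rec["upstream_addr"] not in allowed_upstreams
    return absolute_uri or foreign_host or foreign_upstream


def find_probes(log_text, allowed_upstreams, served_hosts):
    """Parse every line and return the records that look like open-proxy probes."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_proxy_probe(rec, allowed_upstreams, served_hosts):
            probes.append(rec)
    return probes


if __name__ == "__main__":
    for p in find_probes(SAMPLE_LOG, {"127.0.0.1:8111"}, {"example.com"}):
        print(p["client"], p["target"], "->", p["upstream_addr"])
```

Point it at your real error_log and your own backend address and server_names; any hit means nginx forwarded a request based on a client-supplied Host or absolute URI rather than serving your own site.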

Comments

  • AnthonySmith Member, Patron Provider

    It's probably just some banner scanner looking for open proxies.

  • ATHK Member
    edited September 2016

    @AnthonySmith said:
    It's probably just some banner scanner looking for open proxies.

    I get these too; they'll move on once they figure out it's not an open proxy.

  • You could always change Nginx to listen only locally and not even bind to the external IP.

  • In your NGINX config file, add a default server block that drops requests. I would also block CONNECT/TRACE HTTP requests in NGINX.

        # Catch-all block: any request whose Host header matches no configured
        # server_name lands here and is rejected instead of being proxied.
        # (listen on whatever port nginx serves; port 80 assumed here)
        server {
            listen 80 default_server;
            server_tokens off;
            client_max_body_size 512;
            return 404;
        }
        server {
            listen 80;
            server_name yourservername;
            # Refuse unusual methods (CONNECT, TRACE, ...) by closing the connection.
            if ($request_method !~ ^(GET|HEAD|PUT|POST|OPTIONS)$) {
                return 444;
            }

            # Other rules here.
        }


    BTW, run any upstream servers on loopback instead of a public-facing IP if you can. NGINX alone should run on the external IP.
