apache2 + piwik + varnish - log malformed - apache2

I have configured apache2 behind varnish and am trying to add stats by log reading (piwik).
However, piwik complains that the log is "malformed"... and it's correct:
89.79.******, 89.79.****** - - [31/Mar/2014:12:50:05 +0200] "GET / HTTP/1.1" 200 16310 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
As you can see, it logs the same IP twice as host...
In the varnish .vcl I have:
remove req.http.X-Forwarded-For;
set req.http.X-Forwarded-For = client.ip;
and in the apache2 vhost:
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" varnishcombined
CustomLog ${APACHE_LOG_DIR}/e***o-access.log varnishcombined
However, it still logs the IP twice...
What can I do to prevent that?

I ended up using mod_cloudflare:
https://support.cloudflare.com/hc/en-us/articles/200170796-How-do-I-install-mod-cloudflare-on-Apache-
and setting the trusted proxy to 127.0.0.1 + log combined.
If anyone has a better solution....
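The step mod_cloudflare performed for the poster, resolving the real client from a forwarded-for chain by trusting only known proxy hops and then emitting a single host field that a combined-format parser such as Piwik's accepts, as an added Python example that is not from the post or from Piwik, Varnish or Apache. It assumes Varnish connects from 127.0.0.1 (the trusted proxy the poster set), an assumed extra internal range 10.0.0.0/8, and constructed log lines in the poster's varnishcombined format.

```python
import ipaddress
import re
from typing import Optional

# Hops removed from the right end of the X-Forwarded-For chain. 127.0.0.1 is the
# trusted proxy the poster configured; 10.0.0.0/8 is an assumed extra internal range.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/8")]

# varnishcombined puts %{X-Forwarded-For}i where combined has %h, so the first
# field may hold several comma-separated addresses.
XFF_LINE = re.compile(r'^(?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<rest>.*)$')

# Constructed sample mirroring the poster's doubled entry (addresses are made up).
SAMPLE_LINE = ('89.79.1.2, 89.79.1.2 - - [31/Mar/2014:12:50:05 +0200] '
               '"GET / HTTP/1.1" 200 16310 "-" "Mozilla/5.0"')


def is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # "unknown" or junk is never a trusted hop
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(xff: str, remote_addr: str) -> str:
    """Walk the chain right to left, dropping trusted hops; the first untrusted
    address is the client. Anything a client wrote into the header left of a
    real untrusted hop is ignored, the same rule mod_remoteip applies."""
    chain = [h.strip() for h in xff.split(",") if h.strip()] + [remote_addr]
    while len(chain) > 1 and is_trusted(chain[-1]):
        chain.pop()
    return chain[-1]


def normalize_line(line: str, remote_addr: str = "127.0.0.1") -> Optional[str]:
    """Rewrite a varnishcombined line to a plain combined line with one host IP.
    remote_addr is the peer Apache saw (Varnish on localhost for the poster)."""
    m = XFF_LINE.match(line)
    if not m:
        return None
    client = resolve_client_ip(m.group("xff"), remote_addr)
    try:
        ipaddress.ip_address(client)
    except ValueError:
        client = remote_addr  # never emit an unparseable forwarded value as %h
    return f'{client} {m.group("ident")} {m.group("user")} [{m.group("rest")}'
```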

Related

HIGH_RISK_COUNTRY_CODES ignored for HTTP/2 requests in CRS 3.3.0

I am using mod_security with CRS 3.3.0 on top of Apache 2.4. During a recent L7 DDoS attack, I recognized that certain attacks using HTTP/1.* were correctly blocked with HTTP 403 based on geolookup and having the country code listed in tx.high_risk_country_codes of the CRS config. However, a request from the identical IP was not blocked when using HTTP/2 as protocol. Any idea of a configuration setting specific for REQUEST-910-IP-REPUTATION.conf only enabled for protocols HTTP/1.* in the default rule set? For the time being, I restricted the allowed protocols to HTTP 1.1 for the affected site to make mod_security work.
Some examples from access log:
<HOST>:443 XXX.XXX.XXX.XXX - - [03/Aug/2022:00:37:49 +0200] "GET /?s HTTP/1.1" 403 5636 "https://<HOST>/?s" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36"
<HOST>:443 XXX.XXX.XXX.XXX - - [03/Aug/2022:00:43:12 +0200] "GET /?s HTTP/2.0" 301 392 "https:///?s" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36"
Thanks in advance!
SCHAPPY
CRS dev-on-duty here. There is no configuration setting specific for REQUEST-910-IP-REPUTATION.conf that is only enabled for protocols HTTP/1.*.
I have no idea why the rule 910100 does not work for HTTP/2.
But do you have the possibility to enable debug logs (better not in production) with SecDebugLog and SecDebugLogLevel? Maybe you'll get more insights this way?
If you can't see and solve the problem with the modsec_debug.log, you can open an issue in the Core Rule Set GitHub project. We're happy to help!
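Before turning on SecDebugLog, it helps to know how many addresses show the same gap, so here is an added Python check (not CRS or ModSecurity code) that scans vhost_combined access-log lines and lists client IPs that received 403 under one protocol but were served under another. The sample lines are constructed from the poster's two entries, with example.com and 203.0.113.10 standing in for the masked host and address.

```python
import re
from collections import defaultdict

# Apache "vhost_combined" format, which the poster's lines use:
# %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
VHOST_COMBINED = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3}) ')

# Constructed sample: the poster's two lines with the masked values replaced,
# one unrelated client that was never blocked, and one line in plain combined format.
SAMPLE_LOG = [
    'example.com:443 203.0.113.10 - - [03/Aug/2022:00:37:49 +0200] "GET /?s HTTP/1.1" 403 5636 '
    '"https://example.com/?s" "Mozilla/5.0"',
    'example.com:443 203.0.113.10 - - [03/Aug/2022:00:43:12 +0200] "GET /?s HTTP/2.0" 301 392 '
    '"https:///?s" "Mozilla/5.0"',
    'example.com:443 198.51.100.4 - - [03/Aug/2022:00:44:00 +0200] "GET / HTTP/2.0" 200 1024 '
    '"-" "Mozilla/5.0"',
    '198.51.100.4 - - [03/Aug/2022:00:44:01 +0200] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def parse_vhost_combined(line):
    """Return the fields of one vhost_combined line, or None if it does not match."""
    m = VHOST_COMBINED.match(line)
    return m.groupdict() if m else None


def protocol_gaps(lines, blocked_status="403"):
    """Map each client IP to the protocols under which it was blocked and the
    protocols under which it was served; keep only IPs that show both."""
    seen = defaultdict(lambda: defaultdict(set))  # ip -> proto -> statuses
    for line in lines:
        rec = parse_vhost_combined(line)
        if rec is None:
            continue  # lines without the vhost prefix do not match and are skipped
        seen[rec["ip"]][rec["proto"]].add(rec["status"])
    gaps = {}
    for ip, protos in seen.items():
        blocked = sorted(p for p, s in protos.items() if blocked_status in s)
        passed = sorted(p for p, s in protos.items() if blocked_status not in s)
        if blocked and passed:
            gaps[ip] = {"blocked": blocked, "passed": passed}
    return gaps
```

Feed it the real log with something like `protocol_gaps(open(path))` and every IP it lists is a candidate for the HTTP/2 bypass the question describes.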

React Nginx Proxy Pass every file loading index.html

I've been scouring trying to find a solution, but when I go to my domain, all my static files are just returning index.html, giving me an
Uncaught SyntaxError: Unexpected token '<' error
My setup is this:
A server that runs nginx for multiple domains, with the one site in question having the following config file
server {
listen 80;
listen [::]:80;
server_name domain.com www.domain.com;
return 302 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/domain/cert.pem;
ssl_certificate_key /etc/ssl/domain/key.pem;
server_name domain.com www.domain.com;
location / {
proxy_pass http://10.0.0.41:80;
}
location /api {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://10.0.0.41:3000;
}
}
where 10.0.0.41 is another server which is hosting 2 docker containers, one for my React app/nginx and one for my Express backend app.
The reverse proxy to the Express app works perfectly, but when I try to visit domain.com, my JS files are returned as index.html and don't load, giving me the error above.
When I visit 10.0.0.41 in my browser, everything loads as it should and works correctly, just not when coming from the domain.
This is the nginx config file for the second server:
server {
listen 80;
listen [::]:80;
root /usr/share/nginx/html;
location / {
try_files $uri /index.html;
}
location ~ .(static)/(js|css|media)/(.+)$ {
try_files $uri $uri/ /$1/$2/$3;
}
}
I've tried everything I can find, adding that last line in the 2nd nginx config, removing, adding, changing homepage in package.json.
I am using React router, with <Route exact path="/"
This has been driving me crazy and any help would be greatly appreciated, and if I left out any important information let me know.
Difference in requests:
10.0.0.41:80
10.0.0.142 - - [02/Aug/2022:13:42:53 +0000] "GET / HTTP/1.1" 200 644 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" "-"
10.0.0.142 - - [02/Aug/2022:13:42:53 +0000] "GET /static/css/main.69847ccd.css HTTP/1.1" 200 2261 "http://10.0.0.41/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" "-"
10.0.0.142 - - [02/Aug/2022:13:42:53 +0000] "GET /static/js/main.10f72de5.js HTTP/1.1" 200 514201 "http://10.0.0.41/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" "-"
10.0.0.142 - - [02/Aug/2022:13:42:53 +0000] "GET /static/js/423.0a0d8ebb.chunk.js HTTP/1.1" 200 3280 "http://10.0.0.41/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" "-"
10.0.0.142 - - [02/Aug/2022:13:42:53 +0000] "GET /favicon.ico HTTP/1.1" 200 3150 "http://10.0.0.41/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" "-"
www.domain.com
10.0.0.101 - - [02/Aug/2022:13:44:37 +0000] "GET / HTTP/1.1" 200 644 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" "my_ip, cloudflare_ip"
10.0.0.101 - - [02/Aug/2022:13:44:37 +0000] "GET /manifest.json HTTP/1.1" 304 0 "https://www.my_domain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" "my_ip, cloudflare_ip"
10.0.0.142 is the machine I'm testing with; 10.0.0.101 is the first nginx server.

Why can't I access my website on my apache2 server?

On an apache2 server, I recently cloned an app 'MyApp' from GitHub. But I'm not able to access it through the URL 133.29.22.57/MyApp/ (the IP address is a dummy). I have tried setting permissions for the /var/www/ folder to 777, I also created a new file myapp.conf in /etc/apache2/sites-available/, then I used a2ensite to make it live, then restarted the server, but I still can't access the site. Please help.
Here are the contents of my myapp.conf file:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/MyApp/
<Directory /var/www/MyApp/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Some (possibly) relevant info from apache2.conf:
Mutex file:${APACHE_LOCK_DIR} default
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
AccessFileName .htaccess
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
UPDATE
Some of the content that you may find relevant, which I found under /var/log/apache2/access.log...
169.149.128.75 - - [20/Mar/2017:12:30:49 +0000] "GET /MyApp HTTP/1.1" 404 497 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
169.149.128.75 - - [20/Mar/2017:12:31:01 +0000] "GET /MyApp/index.php HTTP/1.1" 404 507 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
169.149.128.75 - - [20/Mar/2017:12:31:05 +0000] "GET /MyApp/index.php HTTP/1.1" 404 506 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
169.149.128.75 - - [20/Mar/2017:12:31:40 +0000] "GET /MyApp/index.php HTTP/1.1" 404 507 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
::1 - - [20/Mar/2017:12:36:02 +0000] "OPTIONS * HTTP/1.0" 200 125 "-" "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.21 (internal dummy connection)"
Moreover, I tried running the command /usr/sbin/apache2 -V | grep SERVER_CONFIG_FILE
which says that the following variables are not defined:
${APACHE_LOCK_DIR} ${APACHE_PID_FILE} ${APACHE_RUN_GROUP} ${APACHE_LOG_DIR}
Setting permissions for the /var/www/ folder to 777 is a very bad habit.
Give the directory (recursively) to the web server user, usually www-data, like "chown -R www-data:www-data /var/www".
Then use separate logs, something like "mywebsite.error.log" and "mywebsite.access.log", so you'll be able to see quickly what's going on.
ErrorLog ${APACHE_LOG_DIR}/mywebsite.error.log
CustomLog ${APACHE_LOG_DIR}/mywebsite.access.log combined
Then tell us more precisely what's going on and I'll update my answer.
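A small audit of the answer's first point, as an added Python example that is not from the thread: it flags world-writable entries and wrong ownership under a web root, applies the recursive chown together with tighter modes, and re-checks. It runs against a constructed temporary stand-in for /var/www/MyApp owned by the current user, since handing a real tree to www-data needs root.

```python
import os
import stat
import tempfile


def _entries(root):
    """Yield (path, lstat result) for root and everything below it; symlinks skipped."""
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode):
                yield path, st


def audit_webroot(root, expected_uid):
    """Sorted (relative path, issue) pairs: wrong owner, or writable by everyone."""
    findings = []
    for path, st in _entries(root):
        rel = os.path.relpath(path, root)
        if st.st_uid != expected_uid:
            findings.append((rel, "owner"))
        if st.st_mode & stat.S_IWOTH:  # what a recursive chmod 777 leaves behind
            findings.append((rel, "world-writable"))
    return sorted(findings)


def harden_webroot(root, uid, gid, dir_mode=0o750, file_mode=0o640):
    """The answer's chown -R plus modes readable by the server, writable by owner only."""
    changed = []
    for path, st in _entries(root):
        want = dir_mode if stat.S_ISDIR(st.st_mode) else file_mode
        if (st.st_uid, st.st_gid) != (uid, gid) or stat.S_IMODE(st.st_mode) != want:
            os.chown(path, uid, gid)
            os.chmod(path, want)
            changed.append(os.path.relpath(path, root))
    return changed


def demo():
    """Constructed stand-in for /var/www/MyApp after chmod -R 777 (current user as owner)."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "MyApp")
    os.mkdir(app)
    index = os.path.join(app, "index.php")
    open(index, "w").close()
    os.chmod(app, 0o777)
    os.chmod(index, 0o777)
    uid, gid = os.getuid(), os.getgid()
    before = audit_webroot(root, uid)
    changed = harden_webroot(root, uid, gid)
    return before, changed, audit_webroot(root, uid)
```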

Apache Forbidden on Virtual Directory

I have been trying to configure my Apache to list the log files that are stored in /var/log/squid/ so that I can download them from the server to my local PC if required. I have configured the Alias as follows:
Alias /squid/ "/var/log/squid/"
<Directory "/var/log/squid/">
Options None
AllowOverride All
Order allow,deny
Allow from all
</Directory>
But I keep getting the 403 Forbidden error message when I try to browse to the directory.
Apache2 Log Files (CentOS)
172.16.200.132 - - [10/May/2014:14:34:01 +0100] "GET /squid/ HTTP/1.1" 403 288 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"
172.16.200.132 - - [10/May/2014:14:34:01 +0100] "GET /squid/ HTTP/1.1" 403 288 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"
172.16.200.132 - - [10/May/2014:14:34:01 +0100] "GET /squid/ HTTP/1.1" 403 288 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"
172.16.200.132 - - [10/May/2014:14:34:01 +0100] "GET /squid/ HTTP/1.1" 403 288 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"
172.16.200.132 - - [10/May/2014:14:34:01 +0100] "GET /squid/ HTTP/1.1" 403 288 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"
172.16.200.132 - - [10/May/2014:14:34:01 +0100] "GET /squid/ HTTP/1.1" 403 288 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"
172.16.200.132 - - [10/May/2014:14:34:01 +0100] "GET /squid/ HTTP/1.1" 403 288 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"
Does anyone have any suggestions? I have tried changing the user Apache runs under to admin, which is a user that has full access to the /var/log/squid/ directory but doesn't have access to any system services in /etc/init.d/ or the ability to run commands such as halt or service.
Any suggestion please.
Error Log from Apache
[Mon May 12 17:53:11 2014] [error] [client 172.16.200.132] (13)Permission denied: Can't open directory for index: /var/log/squid/
From the log OP posted, the interesting part is "(13)Permission denied: Can't open directory for index:".
To solve this, change the line "Options None" to "Options +Indexes".
References: official documentation

Error 404 on uploading blob to production server on google app engine

I'm building a system where the users will upload articles to my app and I need to store them. I've read the tutorial about blob handlers in Google's documentation and it worked, but only locally.
When I test the app on development server, everything is fine, but on production server, I get Error 404 and the following logs:
2014-02-17 08:59:28.490 /http://ciro-app-id.appspot.com/_ah/upload/AMmfu6ah2vpKNsIDSzlpYPqAgnQ_zznnUwDweG571CgMMnGlluXc1GJS0i42UYYOKVZNQMBhzyY3grQFeCgD4hf4usx_YeMwy4n_93qM-QFegsMIFHDkNovRcJ9Rnl9li91bo4bdClfV/ALBNUaYAAAAAUwJCQ_kw2ANG1Tnvs9OIU6cAyOUDscqL/ 404 19ms 0kb Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36 module=default version=1
186.226.15.242 - - [17/Feb/2014:08:59:28 -0800] "POST /http://ciro-app-id.appspot.com/_ah/upload/AMmfu6ah2vpKNsIDSzlpYPqAgnQ_zznnUwDweG571CgMMnGlluXc1GJS0i42UYYOKVZNQMBhzyY3grQFeCgD4hf4usx_YeMwy4n_93qM-QFegsMIFHDkNovRcJ9Rnl9li91bo4bdClfV/ALBNUaYAAAAAUwJCQ_kw2ANG1Tnvs9OIU6cAyOUDscqL/ HTTP/1.1" 404 188 "http://ciro-app-id.appspot.com/enviar" "Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36" "ciro-app-id.appspot.com" ms=20 cpu_ms=0 cpm_usd=0.000021 app_engine_release=1.9.0 instance=00c61b117c6c9b0c25f5b86e2eadac83e2908691
Here is my code: https://drive.google.com/file/d/0B1-lpPH97tV2dzN6aURYVENCMzQ/edit?usp=sharing
Here is my app: ciro-app-id.appspot.com
Try it yourself.
Login credentials:
Email: ciromoraismedeiros#gmail.com
Password: 123
Access ciro-app-id.appspot.com/enviar, fill in the form and submit it.
Obs.: I'm Brazilian, so everything is in Portuguese.
Notice the leading "/" in your request log? In /templates/enviar_artigo.html, change
<form action='/{{upload_url}}' ...>
to
<form action='{{upload_url}}' ...>
