Apache :: Seemingly Legit Requests Generating 400 Bad Request Errors
Feb 8, 2015
So I've got a problem where a small percentage of incoming requests are resulting in "400 bad request" errors and I could really use some input. At first I thought they were just caused by malicious spiders, scrapers, etc. but they seem to be legitimate requests.
I'm running Apache 2.2.15 and mod_perl2.
The first thing I did was turn on mod_logio and interestingly enough, for every request where this happens the request headers are between 8000-9000 bytes, whereas with most requests it's under 1000. Hmm.
There are a lot of cookies being set, and it's happening across all browsers and operating systems, so I assumed it had to be related to bad or "corrupted" cookies somehow - but it's not.
I added "%{Cookie}i" to my LogFormat directive hoping that would provide some clues, but as it turns out half the time the 400 error is returned the client doesn't even have a cookie. Darn.
Next I fired up mod_log_forensic hoping to be able to see ALL the request headers, but as luck would have it nothing is logged when it happens. I guess Apache is returning the 400 error before the forensic module gets to do its logging?
By the way, when this happens I see this in the error log:
request failed: error reading the headers
To me this says Apache doesn't like something about the raw incoming request, rather than a problem with our rewriting, etc. Or am I misunderstanding the error?
I'm at a loss where to go from here. Is there some other way that I can easily see all the request headers? I feel like that's the only thing that will possibly provide a clue as to what's going on.
View 1 Replies
ADVERTISEMENT
Aug 22, 2013
We're running Apache 2.4.3 on Slackware 14:
LCMlinux ~> uname -a
Linux LCMlinux 3.2.29-smp #2 SMP Mon Sep 17 13:16:43 CDT 2012 i686
LCMlinux ~> httpd -v
Server version: Apache/2.4.3 (Unix)
Server built: Aug 23 2012 11:07:26
LCMlinux ~>
We are using this both for the Trac issue-tracking application and for a small, simple internal mirror web site. Trac is working perfectly; the web site works if exact URLs are provided (as in <a href=...>
View 7 Replies
View Related
Jun 28, 2008
Recently I use suphp with fcgi on my cPanel Server. When I apply RLimitCPU for each vhost, I see that some scripts that potentially overloading the server is killed. I think this is a good way to control load on server.
But each time a php process killed, apache create a coredump files under users's directory that is large enough to fill user's space limit.
How to disable apache from creating core dump files?
I have try:
- set "ulimit -c 0" on users and root
- set "/proc/sys/fs/suid_dumpable" to 0
- set /etc/security/limits.conf with 0 limit for core parameter
- set CoreDumpDirectory to specific directory ...
View 12 Replies
View Related
Feb 8, 2007
I have a dedicated box with softlayer and I have noticed at varying times the past few months that with sites we host, sometimes the connection times out (I'll try to access like 5 or 6 sites within 30 seconds or so and they all drop, then a minute later they load fine).
I opened a support ticket and they said it usually has to do with the # of requests Apache can handle, and that this can be modified. They stated they could: "tweak the apache configuration file in this server that can make it possible to handle more requests."
So my question is what should the # of requests be set to? (I'm not sure what it is now, but I assume whatever the default # is).
View 6 Replies
View Related
Mar 31, 2008
I have been experiencing a lot of Keepalive requests for a particular image on a particular domain. please see the lines below.
0-11233931/63/63K 0.15100.40.030.03 195.68.185.13mydomain.comGET http://mydomain.com//images/logo.jpg HTTP/1.1
1-11233941/77/77K 0.18100.40.050.05 122.164.58.63mydomain.comGET http://mydomain.com//images/logo.jpg HTTP/1.1
2-11233951/42/42K 0.76000.40.170.17 89.139.214.74mydomain.comGET http://mydomain.com//images/logo.jpg HTTP/1.1
3-11233971/57/57K 0.04000.40.020.02 82.199.98.229mydomain.comGET http://mydomain.com//images/logo.jpg HTTP/1.1
4-11233981/46/46K 0.27000.40.040.04 217.150.55.41mydomain.comGET http://mydomain.com//images/logo.jpg HTTP/1.1
These are just a few lines from the top.
How can i prevent this from happening.. it seems as a SYN Flood, or maybe a DDoS.
View 3 Replies
View Related
Sep 16, 2014
We have an Apache acting as a reverse-proxy and listening on the Internet ("Our URL" on port 443).
We would have two ways of accessing this reverse-proxy:
-From a mobile app (authentication would be based on a corporate certificate)
-From any browser (authentication would be a login form)
The question is: can Apache forward requests to either server 1 or server 2, depending on whether a certificate is sent by the client?
View 10 Replies
View Related
Sep 29, 2013
I have Apache 2.4.2, OpenSSL/1.0.1c, on Windows Web Server 2008 R2 (64 bits)
After 12 hours of heavier load, the SSL requests stopped working/being answered. However if you requested the same page via http instead of https, it worked fine. Restarting the Apache server fixes this, for a while. Again after a few hours of traffic, the https requests stopped working again. I checked the logs, and nothing notable, the mod_ssl entries just...
The site is called only by client developed with Delphi 2007 (CodeGear user-agent). Delphi client use THTTPRIO for sending HTTPS request to SOAP.
View 9 Replies
View Related
Dec 13, 2012
So I just upgraded Apache 2.2.22 to Apache 2.4.3 and made sure to go through all the options that had changed and update the conf file accordingly. This included adding the cache module for SSL and changing the SSLMutex option over to Mutex default ssl-cache. We also turned off SSLCompression due to the CRIME attack vulnerability.
We use apache strictly as a loadbalancer to 2 tomcat servers via mod_jk. Apache serves no static content at this time.
After being deployed, everything worked fine until later in the day. After 3 hours of heavier load (our site only takes significant traffic during business hours), the SSL requests stopped working/being answered. However if you requested the same page via http instead of https, it worked fine.
Restarting the Apache server fixes this, for a while. Again after a few hours of traffic, the https requests stopped working again. This time I turned the loglevel up to debug and restarted the Apache server.
As traffic slowed down it took another 6 or 7 hours before SSL requests stopped working again. I checked the logs, and nothing notable, the mod_ssl entries just... stopped. (I don't know for sure its ammount of traffic related, it just seems that way)
I have tried reproducing this in a lab, but have not been able to get it to happen on the lab server.
OS: Windows Server 2008 R2
Apache: 2.4.3 vc9 build with OpenSSL 0.9.8 downloaded from apachelounge.org
Mod_JK Version 1.2.37 vc9 also downloaded from apachelounge.
View 10 Replies
View Related
Apr 12, 2014
I've spent the last several months working on a huge upgrade of a couple dozen websites. The upgrades include modifying Apache so that visitors who arrive at links pointing to mysite/World/New_York are redirected to mysite/world/new-york. In other words, all my links now default to lower case, and underscores are replaced with dashes.
Unfortunately, publishing it has been an endless series of disasters. My websites are now all crashed, and the server is unbelievably slow. It takes pages forever to load (if they load at all), and I can scarcely publish files online.So the following notice sent to me by my webhost got my attention.
IT appears your own server IP is making GET requests to Apache, causing excessive loading and causing service failures. On today's date, your IP made almost 6,000 connections to Apache:<br><br>
[root@host ~]# grep 64.91.229.106 /usr/local/apache/domlogs/mysite.org | wc -l 5924 [root@host ~]#<br><br>
These were all the same request:<br><br>
64.91.229.106 - - [12/Apr/2014:08:10:10 -0400] "GET /404.php HTTP/1.0" 200 14294 "-" "-"<br><br>
And that made up the total of requests:<br><br>
[root@host ~]# grep 64.91.229.106 /usr/local/apache/domlogs/mysite.org | grep "GET /404.php HTTP/1.0" | wc -l 5924 [root@host ~]#<br><br>
View 1 Replies
View Related
May 25, 2015
I have a little problem (on my Raspberry) with the maximum concurrent connections.When I open multiple tabs of a webpage which keeps persistent connections, apache is unable to serve more requests.Here is the (shortened) mod_info output (which also takes some time till there is a process kind enough to serve the request):
Code:
Server Version: Apache/2.4.10 (Raspbian) OpenSSL/1.0.1k
Server MPM: prefork
5 requests currently being processed, 9 idle workers
.___W____WWW_..W_...............................................
................................................................
......................
Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
[Code] ....
When I understood it correctly, apache should spawn new processes (up to MaxRequestWorkers=150)
But there are idle???? processes, so it wont add new ones?
I dont think it has to do with mod_proxy (used for the webpage) since the mod_info output is affected as well...
View 1 Replies
View Related
Jan 26, 2008
A weird thing happents once on few days on my server, and it's not a regular thing or on exact time.
When I have this problem no page can be loaded in the browser, but WHM is working, i think because it's accessed by IP .
In apache status page I can see lots of ..reading.. requests which are there even for 10 - 20 seconds sometimes.
Usualy the server has 10 - 20 requests/s :
CPU Usage: u35146 s2297.05 cu2.74 cs4.5 - 6.97% CPU load
11.2 requests/sec - 83.0 kB/second - 7.4 kB/request
10 requests currently being processed, 8 idle servers
But when the ..reading.. requests appear it goes much higher like 100 to 200
11.5 requests/sec - 85.3 kB/second - 7.5 kB/request
200 requests currently being processed, 0 idle servers
after 3 minutes :
160 requests currently being processed, 30 idle servers
When I logged on to SSH I saw that there are ~150 conection from a single IP .
View 14 Replies
View Related
Feb 20, 2013
I have an Apache Server (2.4.3) and a Tomcat Server (7.0.36) and have some Java Applications deployed.Everything works fine, but when we start a quite long Ajax process, I see in my Java Application, that a Ajax request is received and starts processing - everything fine. But during processing of the first request, I see a second request starts after 5 minutes.
View 1 Replies
View Related
Jan 19, 2008
I currently have a web VPS hosted with FDCServers.net and after 5 days of switching to it i am getting massive HTTP requests. When i login to WHM and hit apache status i have many requests per second by multiple IP's that are going to pages that simple don't exist. Currently my hostname for the server is set at web-01.optical-hosting.com which is what the requests are being sent to. I am also having a DNS issue because when i put http://web-01.optical-hosting.com in the web browser it displays the first account's site under "list accounts" in cpanel. Can someone please help me fix both of these issue's? i will post an apache log in a second post as it is long. Also, these are from overseas. please someone help me with this i have Aim and Msn.
View 4 Replies
View Related
Apr 10, 2013
I'm looking to pass the entries to a web form, via Apache, to an external process (listening on a port say 4321) running on the same host as Apache.Is there a way to "coerce" Apache into doing this?
View 1 Replies
View Related
Nov 15, 2013
Server Version: Apache/2.2.22 (Unix)
On our production service, we've been getting numerous malformed POST requests to some of our CGI scripts that are showing up as 500 errors in our logs. They are malformed in the sense that the actual content length doesn't match the Content-Length specified in the request.
Here's the most trivial example I can come up with that reproduces the problem for us:
POST /some_valid_alias HTTP/1.1
Host: example.org
User-Agent: Arbitrary/1.0
Content-Type: multipart/form-data; boundary=---------------------------41184676334
Content-Length: 769
-----------------------------41184676334
In addition to the 500 error in the access log, we see the corresponding error in the error log:
(70014)End of file found: Error reading request entity data
Based on the nature of the POST request and the error response, it does appear that Apache is doing the right thing here.
The POST never actually makes it as far as the script being targeted (/some_valid_alias in the above example); in other words, Apache returns 500 to the client, writes the error to the error log and never executes the script.
Is there a way to capture/avoid internal Apache errors like 70014, and return some other HTTP status besides 500 (like 403)? It's particularly annoying in our case, because our server sends us an email for all 500 errors.
So far, our best "defense" against these 500 errors is to disallow POST for these aliases, which normally just ignore the POST data anyway (when the request is not malformed):
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteRule ^/(some_valid_alias)(.*)$ $1$2 [R]
But this won't work for all our scripts, because in some cases we do want to permit POST.
View 2 Replies
View Related
Jun 4, 2009
My Linux Server's Http Daemon (Apache) would stop serving websites ever so often, as soon as apache is restarted the error fixes iteself only to resurface within few hours.
The apache process would still be running i.e. apache does not die but no websites hosted on my server would be accessible from browser. And when this happens the apache logs do not log any http requests.
Instead when this happens all http requests to my server would be redirected to some weird Trojan website and my Norton Antivirus would show an Alert/Warning, for example;
"Browser exploit at www.xxx.xxx was blocked"
Risk Name: MSIE WebViewFolderIcon ActiveX Control BO
or another error like;
"Auto-Protect has detected Trojan.Fakeavalert".
At first i thought the problem could be with my Laptop/ISP so i logged on to the server via SSH and opened try to open a website using command line "lynx mywebsite.com" and it shows following error;
"Alert!: HTTP/1.0 503 Service Unavailable".
Now if i assume my laptop were to be infected, then as soon as i restart my apache and visit mywebsite.com eveything returns to normal with no such warnings. Why do i see those norton error messages only when apache is down with 503, and when apache is down with 503 how come the http requests always get redirected to some suspicious websites and nothing gets logged in apache error log?
I think my server is being attacked causing http to get unresponsive and thereafter http requests to my server are redirected to some malicious website, is this correct?
Also, i suspect this is a php script exploit as some customers have reported that google have blocked their website due to security reasons, i found <iframe> tage inserted in some php pages which i fixed.
Also, another thinh i noticed;
when apache responds with the 503 it is referencing PHP 5.1.4 in the header response:
[root@]# curl -I xxx.xxx.xxx.xxx (my server ip)
HTTP/1.0 503 Service Unavailable
Server: Apache
X-Powered-By: PHP/5.1.4
Retry-After: 20
I am running PHP 4.3.9m why does apache responds with PHP 5.1.4 when this 503 error surfaces?
Also, since my apache was dowan with 503 error a customer mailed in today saying;
"It seems that my site www.xxxx.com is regularly down, and the winlogon virus is involved."
I suspect this is again due to the fact that http requests start getting redirected?
View 3 Replies
View Related
Jan 21, 2014
I have been trying to solve a big problem for the last 2 weeks with one of our servers.
The client using our system (web based w/ apache and php) is a contact center firm. They have about 120 operators, all connect to our websever with the same IP.
We have been suffering DoS attacks from some of these operators. This are simple, browser attacks , namely 5 or 10 operators will just hold F5 key and bombard the server with requests when they shouldnt.
We did manage to produce a php protection which will recognize the multiple requests and blacklist the user, but its "too late" because the request have already been sent and processed by the webserver.
We use the user ID in the system to control who should be blacklisted, so this is all dependent on our own authentication.
Ideally, we need something EXACTLY like mod_evasive, but for rejecting single requests instead of blocking the IP. Exemplifying : if a user calls the same url, 5 times, in a 3 second spawn, we will reject every next request for 30 seconds, but only the requests by that user.
If the webserver can make any use of it, the user id is stored in a cookie.
View 4 Replies
View Related
Mar 27, 2013
I'm running Apache 2.4.4 on Windows Server 2008 R2. It's already happened many times that Apache stopped responding to requests. The last entry in the error.log:
[Wed Mar 27 06:22:07.043600 2013] [mpm_winnt:notice] [pid 1736:tid 256] AH00354: Child: Starting 64 worker threads.
[Wed Mar 27 06:52:34.521200 2013] [mpm_winnt:error] [pid 1736:tid 1656] AH00326: Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting
View 1 Replies
View Related
Apr 10, 2015
I'm trying to prevent unnecessary GET requests from being processed by my CMS that originate from mutating IP address locations. This is sucking up server resources when the request is processed by the app, and so if possible, I'd like to block them with HTACCESS so that the request is stopped before anything is intensively-processed.
What happens is that an IP address will make a GET request for, say, "blah/test" or "blah/test2" but nothing else (no site assets like images or CSS/JavaScript files or even other pages). After this request, another IP address will then make an equivalent kind of request, and so on, and so on... All of them have similar if not identical user agent strings but they're always worthless requests that do nothing but waste CPU and RAM. I'm assuming it's just some idiotic SPAM bot because of this.
View 8 Replies
View Related
Dec 6, 2008
when i check apache status, i see one domain send many request to server, for example:
domain.com 10.20.30.40
domain.com 10.20.30.40
domain.com 10.20.30.40
domain.com 10.20.30.40
domain.com 10.20.30.40
-
-
-
how can i prevent this problem?
this problem tease me and my server, because induce apache to work unremitting.
Ram Usage is: 65%!
View 5 Replies
View Related
May 12, 2015
I am working with XAMPP 5.6.8 (Apache 2.4.4, MySQL 5.5.32 and PHP 5.6.8 ) on a 64 bits Windows 7 Ultimate (Service Pack 1) Operating System.
I am working with an Arduino UNO and a WIFI Shield connected to the Apache server.
I am sure Arduino is connected to the WiFi network and to the server, and it also sends the GET request to the server.
Apparently, everything is OK because I can see the 200 OK message from the server in the Arduino serial monitor, but I find no trace of that request in the server log although all the requests made from the browser (by typewriting the server address in the browser address bar and pressing enter) appear in the server log.
View 6 Replies
View Related
Oct 21, 2007
New VPS, CentOS 4.5, Apache 2.0.52, Plesk 8.2.
Every request is getting processed 3 times. In other words, if I point my browser to the URL of an image hosted on this server, it generates 3 lines in the access log each time I refresh the page.
If I point it to a script which logs something to a file, it logs it 3 times, showing it's run all 3 times.
I haven't touched the httpd.conf or any other configuration. Any idea what could cause this?
View 4 Replies
View Related
Jan 17, 2007
Is there any tool out there (I prefer command line) that is especially for analysis of apache error log files ? I need something that can summarize information from log and give them back to me.
View 0 Replies
View Related
May 22, 2015
My site is hosted in shared hosting.
Whenever I try to upload text using form It is showing me '413 - request entity too large'
I have uploaded the screenshot of the problem so that you can view the problem i details.
View 1 Replies
View Related
Nov 13, 2013
In my web site I have several index pages in different languages in the following format
[URL] ....
Two days ago I noticed increased, many times. Google bot activity on my site and when I checked my log file I found that all pages crawled were wrong web addresses: to the above index were added existing files from my site like
/folder1/folder2/file.html
So, the strings looked like
[URL] ....
And surprisingly all they returned code "200".
My question is: is there any way to rewrite such requests to the first ".html" found in the string.
View 2 Replies
View Related
Feb 3, 2014
I have question for apache in centos. I loaded the apache and I want to know that which MPM used by default two MPM defined in apache but which MPM apache actually used for request server.
<IfModule prefork.c>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
[Code] ....
View 6 Replies
View Related
May 31, 2015
I have following components configured.
LoadBalancer, Apache and SSL enabled JBoss.
Lodbalancer URL ....
Apache URL ...
Jboss URL (SSL) ...
When the request comes to Loadbalancer, it is forwarding the request fine to apache.
But from apache I am not able to forward the request to Jboss(SSL)
I am using below settings on httpd.conf file of apache but url is getting changed to [URL] .... from [URL] ...
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://servername:8443/EPC [R,L]
I still want the generic name (emsprod.com) to be displayed on url instead of server name.
How I can successfully forward the request to Jboss when I access LB url.
View 3 Replies
View Related
Nov 18, 2014
I would like to rewrite mysite.com to www.mysite.com.
However, if the request is a subdomain (i.e. blabla.mysite.com), then it should not rewrite.
I believe this gets me close, but it will not differentiate the subdomains (i.e., blabla.mysite.com).
View 5 Replies
View Related
Nov 1, 2014
I've just joined the group and new to Apache/php. I have just assembled a website in Joomla/vertumart and called petslovezone.com.au. I want to redirect all the request such as
1. http://xyz.com to https://xyz.com
2. http://www.xyz.com to https://xyz.com
3. xyz.com. to https://xyz.com
4. www.xyz.com to https://xyz.com
now know I have to change .htaccess "RewriteEngine On" section. What would be the best code to do all the above.
Apache Version2.4.10
PHP Version5.4.32
View 2 Replies
View Related
