I ment that those probably not a real requests being failed for some reason though we can't confirm that.
I will try your suggestion, even though this will just prevent it from being logged and not actually solve the problem (if any). Another thing is that if I'm not mistaking, when I dumped some traffic using tcpdump and open it with wireshark it looked like tgat those request are actually empty (though maybe wirshark think that a NULL byte request is an empty one) - I will doing it again just to make sure. As we couldnt find anyone wich having the same issue we kind of worried we are doing something wrong and we are not serving about 10% from our requests. The thing is we have two frontends on this machine which get different amount of traffic and they both have the same precentage of such invalid requests - what we think indicates that those are not port scanning or anything similar. On Thursday, December 6, 2012, Willy Tarreau wrote: > On Thu, Dec 06, 2012 at 01:24:59AM +0200, SBD wrote: > > Hi Willy, > > > > Thank you for your reply. And thank you guys for a great product. > > > > The requests are not coming from a single or even a few IP addresses and > > that what make us worry a bit though we have not got any complains from > our > > users about errors or anything similar. > > Since these are invalid requests, they're blocked so your users will not > see > them. > > > I also tried to filter out those requests with ACL checking for only 1 > byte > > in the request but with no success. > > Even if you block them, they'll still be logged unfortunately. We've said > for a long time that we need some "disable-log if ..." directives at a few > places (tcp-request, http-request, http-response at least). But we don't > have them yet. > > > Did you ever occur such a requests? (NULL byte) > > No, really. I think that either someone is having fun of you or believes > he's harming you, or that you may be checked by a buggy service. > > Hmmm I have an idea that you could use on 1.5-dev only (not sure whether > it will fit your needs). Just pass through a filtering layer which does > not log : > > listen www > bind :80 > mode tcp > tcp-request inspect-delay 5s > tcp-request content accept if HTTP > tcp-request content reject > server local 127.0.0.1:1 send-proxy > > frontend local > bind 127.0.0.1:1 accept-proxy > mode http > log global > ... > > In 1.4 you can also do it without the send-proxy/accept-proxy directives, > which implies you'll lose the client's IP address. I'm sure it's important > to you otherwise you would have disabled logging. > > Still that's something you might want to experiment with. > > Cheers, > Willy > >
