On 04/01/2023 04:09, Jason Wee wrote:
Hi,Happy new year everyone. Background of my production setup. Using tomcat 10 and in linux environment, using the following accesslog valve %a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i' '%{User-Agent}i' %D %S api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 - api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - [20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 - I often see the above registered in accesslog and have the following questions 1. how/where to find more information about such requests? example how to reproduce of such request, how to enable debug to give more details about such request, etc?
Enable debug logging for org.apache.coyote.http11.Http11Processor
2. how to block such requests (at tomcat or at firewall or any other way)?
Tomcat has already blocked them. The requests were invalid. Processing stopped as soon as the request was found to be invalid. A 400 response was returned and the connection closed. There is little else Tomcat can do.
Options for blocking earlier depend on why the requests are invalid. That said, Tomcat appears to be behind a reverse proxy. In most (all?) cases, I'd expect the proxy to reject the request before it gets to Tomcat.
3. what impact it has to tomcat (or service) if these requests come in huge amounts and in a short time.
Minimal. Less impact than if valid requests were made since processing stops as soon as the request is found to be invalid. You might want to look at rate limiting abusive clients but in terms of a DoS, a valid request will cause more harm than one of these.
Mark
Thank you and happy to hear any other comments/opinions too. Kind regards, Jason --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
