Mark, Jason,
On 1/4/23 09:07, Mark Thomas wrote:
On 04/01/2023 04:09, Jason Wee wrote:
Hi,
Happy new year everyone.
Background of my production setup: using Tomcat 10 in a Linux
environment, with the following access log valve pattern:
%a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i'
'%{User-Agent}i' %D %S
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:27:36 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - -
[20/Dec/2022:01:30:42 +0100] '-' 400 - '-' '-' 0 -
I often see the above registered in the access log and have the following
questions:
1. How/where to find more information about such requests? For example, how
to reproduce such a request, how to enable debug to give more details
about such a request, etc.?
Enable debug logging for
org.apache.coyote.http11.Http11Processor
2. how to block such requests (at tomcat or at firewall or any other
way)?
Tomcat has already blocked them. The requests were invalid. Processing
stopped as soon as the request was found to be invalid. A 400 response
was returned and the connection closed. There is little else Tomcat can do.
Options for blocking earlier depend on why the requests are invalid.
That said, Tomcat appears to be behind a reverse proxy. In most (all?)
cases, I'd expect the proxy to reject the request before it gets to Tomcat.
Those requests look like they actually came from the reverse proxy
(X-Forwarded-For and %h values are the same). They look a *lot* like
"are you alive" requests that reverse proxies will often send to
back-end servers to see whether or not real traffic should be sent to
those back-end servers.
-chris
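
The following Python script is an added example, not code from any poster in this thread or from the Tomcat project. It parses lines written with the valve pattern quoted above and groups the 400 entries that have no request line by the `%a` address, recording whether an X-Forwarded-For header was logged and how the entries cluster in time. The handling of the `.txt:` file prefix and the final sample line are assumptions constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Mirrors the valve pattern quoted in the thread:
# %a %{X-Forwarded-For}i %h %l %u %t '%r' %s %b '%{Referer}i' '%{User-Agent}i' %D %S
# The optional "<file>.txt:" prefix is the grep-style prefix seen in the sample (assumption).
LINE_RE = re.compile(
    r"^(?:(?P<file>[^\s:]+\.txt):)?"
    r"(?P<a>\S+) (?P<xff>.+?) (?P<h>\S+) (?P<l>\S+) (?P<u>\S+) "
    r"\[(?P<t>[^\]]+)\] '(?P<r>.*?)' (?P<s>\d{3}) (?P<b>\S+) "
    r"'(?P<referer>.*?)' '(?P<ua>.*?)' (?P<D>\d+) (?P<S>\S+)$"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return the valve fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Group 400 entries that have no request line ('-') by the %a address."""
    out = {}
    for line in lines:
        e = parse(line)
        if e is None or e["r"] != "-" or e["s"] != "400":
            continue
        rec = out.setdefault(e["a"], {"count": 0, "with_xff": 0, "bursts": Counter()})
        rec["count"] += 1
        rec["with_xff"] += e["xff"] != "-"  # was an X-Forwarded-For header logged?
        rec["bursts"][datetime.strptime(e["t"], TS_FMT)] += 1  # entries per second
    return out

# Entries from the thread, re-joined onto one line each.
BAD = ("api.access_log.2022-12-20.txt:94.102.61.23 - 94.102.61.23 - - "
       "[20/Dec/2022:{} +0100] '-' 400 - '-' '-' 0 -")
SAMPLE = [BAD.format("01:27:36")] * 3 + [BAD.format("01:30:42")] * 4 + [
    # Constructed, for contrast: a normal proxied request (documentation addresses).
    "192.0.2.10 198.51.100.7 192.0.2.10 - - [20/Dec/2022:01:31:00 +0100] "
    "'GET /api/status HTTP/1.1' 200 2 '-' 'curl/8.0' 12 -",
]

if __name__ == "__main__":
    for addr, rec in summarize(SAMPLE).items():
        print(addr, rec["count"], "with XFF:", rec["with_xff"])
        for ts, n in sorted(rec["bursts"].items()):
            print("  ", ts.isoformat(), n)
```

Comparing the addresses this reports against the known addresses of the proxy or load balancer in front of Tomcat shows whether the entries originate from that tier or from somewhere else.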