5.6.7.8 - - [17/Apr/2024:00:17:59 -0500] "GET / HTTP/1.0" 400 362 "-" "-" sampledomainfoobar.com 1.2.3.4 80 443 HTTP/1.0 - - 56
Apache 2.4.
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %v %A %p %{local}p %H %f %L %D" teccombinedwithpath
How can I get a hit where %p is 80 and %{local}p is 443?
https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
%p The canonical port of the server serving the request.
%{format}p The canonical port of the server serving the request, or the server's actual port, or the client's actual port. Valid formats are canonical, local, or remote.
One vhost is listening on 80, the other 443. Pretty standard setup. 80 does a redir to 443. HTTP2 is present, but the hit shows HTTP1.
And apache gets confused and throws a 400.
Looking at the very few hits like this it seems like some sort of probe: other probes occurring at the same time.
Just wondering that they are doing to achieve this hit.
You can achieve this by making an HTTP request to the HTTPS server on 443. I was pretty sure, but I just tested it (Using your logformat string):
[Wed, 17.Apr, 2024 - 11:59] david@dagmar:/etc/apache2/sites-enabled$ curl http://localhost:443 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.<br /> Reason: You're speaking plain HTTP to an SSL-enabled server port.<br /> Instead use the HTTPS scheme to access this URL, please.<br /> </p> <hr> <address>Apache/2.4.52 (Ubuntu) Server at www.ddyck.ca Port 80</address> </body></html> [Wed, 17.Apr, 2024 - 11:59] david@dagmar:/etc/apache2/sites-enabled$ sudo tail -1 /var/log/apache2/access.log 127.0.0.1 - - [17/Apr/2024:11:59:34 -0500] "GET / HTTP/1.0" 400 440 "-" "-" www.ddyck.ca 127.0.0.1 80 443 HTTP/1.0 - - 156
Also - Your log format is way better than mine was so I might just have to keep it 😉
David
-----Original Message----- From: Roundtable roundtable-bounces@muug.ca On Behalf Of Trevor Cordes Sent: Wednesday, April 17, 2024 1:22 AM To: MUUG RndTbl roundtable@muug.ca Subject: [RndTbl] weird web hit 80 & 443?
5.6.7.8 - - [17/Apr/2024:00:17:59 -0500] "GET / HTTP/1.0" 400 362 "-" "-" sampledomainfoobar.com 1.2.3.4 80 443 HTTP/1.0 - - 56
Apache 2.4.
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %v %A %p %{local}p %H %f %L %D" teccombinedwithpath
How can I get a hit where %p is 80 and %{local}p is 443?
https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
%p The canonical port of the server serving the request.
%{format}p The canonical port of the server serving the request, or the server's actual port, or the client's actual port. Valid formats are canonical, local, or remote.
One vhost is listening on 80, the other 443. Pretty standard setup. 80 does a redir to 443. HTTP2 is present, but the hit shows HTTP1.
And apache gets confused and throws a 400.
Looking at the very few hits like this it seems like some sort of probe: other probes occurring at the same time.
Just wondering that they are doing to achieve this hit. _______________________________________________ Roundtable mailing list Roundtable@muug.ca https://muug.ca/mailman/listinfo/roundtable
On 2024-04-17 dndyck6@gmail.com wrote:
You can achieve this by making an HTTP request to the HTTPS server on 443. I was pretty sure, but I just tested it (Using your logformat string):
[Wed, 17.Apr, 2024 - 11:59] david@dagmar:/etc/apache2/sites-enabled$ curl http://localhost:443 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
That's messed up right there!
You are indeed correct, thanks for solving it!
Also - Your log format is way better than mine was so I might just have to keep it 😉
You're welcome! Years of debugging web hits & probes & problems have built that logformat... every time I think "argh, why don't I have X information" I put another % in it.