I'm getting hundreds of entries in my access log with invalid requests like this ...
217.23.114.224|-|15/Dec/2010:08:17:19 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:19 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:20 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:20 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:20 +0000|-|-|-|400|0|-|-
217.23.114.224|-|15/Dec/2010:08:17:20 +0000|-|-|-|400|0|-|-
My log file format is
'$remote_addr|$cookie__ourcookie|$time_local|$request|$content_length|$content_type|$status|$body_bytes_sent|$upstream_addr|$upstream_response_time';
The IP address varies and some of them are valid user IP addresses (not sure about the others). They often appear in the middle of a valid set of requests and then stop.
Anyone got an idea why I'd be getting floods of seemingly invalid requests coming in?
I don't think this can be explained just by saying that it's a hack attempt (though some of it could be) - is there any additional debug setting for NGINX?
Thanks
Chris
This is part of running a server that's open to anonymous requests from the Internet. It looks like some client is attempting a connection, then immediately dropping it. I expect that it's a drone attempting to see what web server you're running... and to exploit you, if possible. Good thing you're running nginx ;)
Your problem may be that your Nginx large_client_header_buffers need to be increased per this discussion.
Alternatively, your problem may simply be web browsers opening an HTTP connection and then closing it without using it, or using Keep-Alive and reaching the timeout. In this case it's not a problem that the users are ever seeing, but just Nginx reporting an error.
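An added example, not part of the original thread: a small parser for the pipe-delimited log_format quoted in the question that counts, per client address, the empty 400 entries against real requests, which helps tell the two explanations in the answers apart (a client that only ever opens and drops connections versus a normal browser that also leaves some connections unused). The sample lines, field names in the returned dict and the two labels are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample lines in the question's log_format
# (addresses are from documentation ranges, not real clients).
SAMPLE = """\
192.0.2.10|abc123|15/Dec/2010:08:17:18 +0000|GET /index.html HTTP/1.1|-|-|200|5120|10.0.0.5:8080|0.012
192.0.2.10|-|15/Dec/2010:08:17:19 +0000|-|-|-|400|0|-|-
192.0.2.10|abc123|15/Dec/2010:08:17:21 +0000|GET /search?q=a|b HTTP/1.1|-|-|200|880|10.0.0.5:8080|0.020
198.51.100.7|-|15/Dec/2010:08:17:19 +0000|-|-|-|400|0|-|-
198.51.100.7|-|15/Dec/2010:08:17:20 +0000|-|-|-|400|0|-|-
this line is truncated|-
"""

def parse_line(line):
    """Split one line into the fields of the question's log_format."""
    head = line.rstrip("\n").split("|", 3)   # addr, cookie, time, rest
    if len(head) != 4:
        return None
    tail = head[3].rsplit("|", 6)            # $request itself may contain '|'
    if len(tail) != 7:
        return None
    request, _clen, _ctype, status, sent, _upstream, _uptime = tail
    return {"addr": head[0], "time": head[2], "request": request,
            "status": status, "sent": sent}

def summarize(lines):
    """Per client address: count empty 400 entries and real requests."""
    stats = defaultdict(lambda: {"empty_400": 0, "real": 0})
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1                     # malformed or truncated line
            continue
        empty = (rec["request"], rec["status"], rec["sent"]) == ("-", "400", "0")
        stats[rec["addr"]]["empty_400" if empty else "real"] += 1
    return dict(stats), skipped

def classify(stats):
    """Heuristic label for every address that produced empty 400 entries."""
    return {addr: "mixed_with_real_traffic" if c["real"] else "empty_only"
            for addr, c in stats.items() if c["empty_400"]}

if __name__ == "__main__":
    stats, skipped = summarize(SAMPLE.splitlines())
    for addr, label in sorted(classify(stats).items()):
        print(addr, stats[addr], label)
    print("unparseable lines:", skipped)
```

The labels are only a triage aid: "mixed_with_real_traffic" matches the pattern the question describes (empty entries in the middle of a valid set of requests), while "empty_only" addresses are the ones worth comparing against the nginx error log.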