I recently updated the settings on a public facing NGINX instance to add support for http2. While looking at the logs afterwards to get a feel for how often it was being used I saw a rapid rise in new log entries not related to the site hosted.
First were a bunch of entries making CONNECT requests; these are all failing with 400 errors because the NGINX instance is not configured as a forward proxy. I've set up fail2ban rules to drop traffic from the many source IP addresses. I'm not particularly worried about this (please add a comment if I should be).
The next set of entries are GET requests, but rather than having paths they have full URLs as the target, e.g.
222.223.121.231 - - [16/Jul/2020:12:57:37 +0100] "GET http://api.gxout.com/proxy/check.aspx HTTP/1.1" 404 199 "http://api.gxout.com/proxy/check.aspx" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Most of these are getting 404 responses again as expected and I've added another fail2ban rule to drop packets from the source IP addresses (again not really bothered about these).
There are some more similar ones that are getting 200 responses, and these are the ones I'm worried about, e.g.
35.236.60.202 - - [16/Jul/2020:11:52:28 +0100] "GET http://www.nike.com/ HTTP/1.1" 200 396 "-" "python-requests/2.20.0"
I have the following questions:
- Why would NGINX return a 200 for this request?
- Suggestions for how to debug this?
All the incoming traffic should be https (required for http2) and I'm pinned at TLS 1.2 or 1.3, so I don't think capturing the traffic with tcpdump is going to help (I'm assuming I can't feed the private key into Wireshark and decode the packets?).
The only other option I can think of is adding some custom logging (Is it possible to log the response data in nginx access log?) to NGINX to log the whole request/response. I've done this in the past to debug OAuth 2.0 token exchange issues, but only on a system where I had full control over all the incoming traffic.
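As an added example (not code from the question or from NGINX), a small Python classifier for combined-format access-log lines like the ones quoted above: it tags CONNECT and absolute-URI request targets, which only a forward proxy should normally receive, and lists the ones the server answered with 2xx, i.e. the entries the question is worried about. The two entries from the question are reused as input; the CONNECT and plain-path lines, and the 203.0.113.5 and 198.51.100.7 addresses, are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# NGINX "combined" log format: $remote_addr - $remote_user [$time_local]
# "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
# RFC 7230 absolute-form target (scheme://host/...). An origin server expects
# origin-form (/path); absolute-form is what clients send to a forward proxy.
ABSOLUTE_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

@dataclass
class Finding:
    ip: str
    method: str
    target: str
    status: int
    kind: str  # "connect", "absolute-uri" or "normal"

def classify(line: str) -> Optional[Finding]:
    """Parse one access-log line and tag proxy-style request targets."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not in combined format (or a malformed request line)
    method, target = m["method"], m["target"]
    if method == "CONNECT":
        kind = "connect"
    elif ABSOLUTE_RE.match(target):
        kind = "absolute-uri"
    else:
        kind = "normal"
    return Finding(m["ip"], method, target, int(m["status"]), kind)

def accepted_proxy_requests(lines: list) -> list:
    """Proxy-style requests answered with 2xx: the ones that need investigating."""
    return [f for f in map(classify, lines)
            if f and f.kind != "normal" and 200 <= f.status < 300]

# Sample input: the two entries quoted in the question plus two constructed lines.
SAMPLE = [
    '222.223.121.231 - - [16/Jul/2020:12:57:37 +0100] "GET http://api.gxout.com/proxy/check.aspx HTTP/1.1" 404 199 "http://api.gxout.com/proxy/check.aspx" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '35.236.60.202 - - [16/Jul/2020:11:52:28 +0100] "GET http://www.nike.com/ HTTP/1.1" 200 396 "-" "python-requests/2.20.0"',
    '203.0.113.5 - - [16/Jul/2020:13:01:02 +0100] "CONNECT example.net:443 HTTP/1.1" 400 157 "-" "-"',
    '198.51.100.7 - - [16/Jul/2020:13:05:10 +0100] "GET /index.html HTTP/2.0" 200 1024 "-" "curl/7.68.0"',
]
```

Running `accepted_proxy_requests(SAMPLE)` leaves only the nike.com entry, so a fail2ban filter or alert built on the same two conditions (absolute-form or CONNECT target, 2xx status) separates the accepted requests from the 400/404 noise already being dropped.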