Troubleshooting the Web server with forward proxy logs

0x00 Event Background

One day, the application administrator came to tell you something, and there were a lot of strange logs on the server. Have access to Taobao, Qzone, 163 and other various records, may be hung horse. A number of investigations and studies have been conducted on this matter.

0x01 forward Proxy and log comparison for normal access

Set up an environment that uses Apache as a Web server to begin viewing the browser settings agent with the packet and server logs that do not set the proxy. Where 192.12.53.101 as the client, 192.12.53.55 as a web Server.

• Do not set browser proxy

  In this case, everything is normal and used as a contrast.

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M01/8A/08/wKioL1gkfT2iyDtWAABWhOFoUYU390.png "title=" 111. PNG "alt=" Wkiol1gkft2iydtwaabwhofouyu390.png "/>

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M01/8A/0C/wKiom1gkfZPScdPyAAUiUc1Y4oM659.png "title=" 111. PNG "alt=" Wkiom1gkfzpscdpyaauiuc1y4om659.png "/>

• Set browser proxy, server open forward Proxy

Grab bag can see, when the browser set the proxy, get back is not a simple path, but the full HTTP URL. Therefore, the reverse proxy is turned on by the Web server to which it is acting, requesting the page, and not returning its own resources on the Web server.

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M00/8A/08/wKioL1gkfuKROaLgAABY81krhuE790.png "title=" 111. PNG "alt=" Wkiol1gkfukroalgaaby81krhue790.png "/>

Check the logs on the server, and the logs are consistent with the packet capture.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/8A/0C/wKiom1gkf3Tx6floAAHV8t4EbQ8694.png "title=" 222. PNG "alt=" Wkiom1gkf3tx6floaahv8t4ebq8694.png "/>

However, if the get domain name or IP is indeed the domain name or IP of the server, the Web server will return its own resources, but also through the server to self-request another HTTP request to complete.

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M01/8A/0C/wKiom1gkhHyQT0wrAAA8Ixf_HK0139.png "style=" float: none; "title=" 111.png "alt=" Wkiom1gkhhyqt0wraaa8ixf_hk0139.png "/>

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M01/8A/08/wKioL1gkhHyjaqFRAAA-ijH0qkE170.png "style=" float: none; "title=" 222.png "alt=" Wkiol1gkhhyjaqfraaa-ijh0qke170.png "/>

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/8A/0C/wKiom1gkhH2TUB8UAAA4uK6r9Cw345.png "style=" float: none; "title=" 333.png "alt=" Wkiom1gkhh2tub8uaaa4uk6r9cw345.png "/>

From the server log, the server records two logs, one is a forward proxy log, and the other is a normal log. From Netstat, two connections are established, one is from the client, and the other is the one that requests its own connection.

It is therefore possible to confirm that the request is being made to the Proxy server's own HTTP resource and that it needs to proxy itself to request and return the resource.

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/8A/08/wKioL1gkhH-Q8Xz3AADDoJpVqdQ858.png "style=" float: none; "title=" 444.png "alt=" Wkiol1gkhh-q8xz3aaddojpvqdq858.png "/>

• Set the browser proxy, but do not open the forward proxy for the server

  In this case, the server receives a forward proxy request, but ignores the domain name in the GET request, intercepts only the path in its own resource, and returns the Web server's own resources.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/8A/08/wKioL1gkhXvRQTObAADbLZLrljA383.png "style=" float: none; "title=" 111.png "alt=" Wkiol1gkhxvrqtobaadblzlrlja383.png "/>

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/8A/08/wKioL1gkhXzR6h6uAADbIc0my4I953.png "style=" float: none; "title=" 222.png "alt=" Wkiol1gkhxzr6h6uaadbic0my4i953.png "/>

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M01/8A/08/wKioL1gkheLCYYedAAAd4qM0OL0864.png "title=" 333. PNG "alt=" Wkiol1gkhelcyyedaaad4qm0ol0864.png "/>

0x02 reason for the presence of forward proxy logs

According to the troubleshooting, the server with the forward proxy log does not have the forward proxy feature turned on, and the phenomenon is no longer present. After consulting with a cow, the following are some reasons why the exception is being presented to the agent log.

• Server IP was a proxy, now IP for the use of people, can not be used, but still someone use this proxy (this situation is not confirmed)

• Server has been hacked, IP and port has been used as a proxy (this can be confirmed by troubleshooting server past security Events)

• Client DNS problem, error resolution to this IP (this situation is not good to confirm, unable to confirm the DNS server IP used by clients)

• Proxy Scan Tool is not perfect, mistakenly put the server IP into the proxy address library (This situation is not very good confirmation)
  

• The server is hacked, and before the troubleshooting, someone will be configured to restore the proxy, when necessary and open (can be resolved by troubleshooting all access logs, as long as there is no forward proxy log path is not part of the path of the Web server, but the corresponding response code is 20X)
  

Troubleshooting the Web server with forward proxy logs