Troubleshooting the Web server with forward proxy logs

Source: Internet
Author: User

Tags: exception forward proxy log

0x00 Event Background

One day an application administrator reported that a large number of strange entries had appeared in the server's access log: requests for Taobao, Qzone, 163 and various other external sites, which raised the suspicion that the server had been compromised and trojaned. The following investigation and analysis were carried out on this.


0x01 Forward proxy and log comparison for normal access

An environment was set up with Apache as the Web server, and the packet captures and server logs were compared with and without a proxy configured in the browser. 192.12.53.101 is the client and 192.12.53.55 is the Web server.


    • Browser without a proxy configured

      In this case everything is normal; it serves as the baseline for comparison.

    • Browser proxy configured, forward proxy enabled on the server

The packet capture shows that when the browser has a proxy configured, the request line no longer carries a simple path but the full HTTP URL. With the forward proxy enabled, the Web server acts as a proxy for that URL: it requests the page from the remote host instead of returning its own resources.

Checking the logs on the server shows entries consistent with the packet capture.

If, however, the host name or IP in the requested URL is the server's own, the Web server returns its own resource, but it does so by issuing a second HTTP request to itself through the proxy.

The server log shows two entries for this request: one forward proxy log entry and one normal entry. netstat shows two established connections: one from the client, and one from the server to itself.

This confirms that when the request targets the proxy server's own HTTP resource, the server proxies the request to itself in order to fetch and return that resource.

    • Browser proxy configured, but forward proxy not enabled on the server

      In this case the server receives a forward-proxy-style request but ignores the host name in the GET request line, takes only the path, and returns the Web server's own resource at that path.

0x02 Why forward proxy logs appear

Troubleshooting showed that the server producing the forward proxy logs did not have the forward proxy feature enabled, and the phenomenon has since stopped. After consulting an experienced colleague, the following are possible reasons why proxy-style requests show up in the access log:

    • The server's IP previously belonged to a proxy; the IP has since been reassigned and the proxy no longer works, but someone is still trying to use it (this situation is not confirmed).

    • The server was compromised and its IP and port were used as a proxy (this can be checked by reviewing the server's past security events).

    • A DNS problem on the client side resolved a proxy name to this IP by mistake (this is hard to confirm, since the DNS servers used by the clients cannot be identified).

    • A proxy scanning tool is imperfect and mistakenly added the server's IP to its proxy address list (this is also hard to confirm).

    • The server was compromised, and before the troubleshooting someone restored the proxy configuration so it could be re-enabled only when needed (this can be checked by reviewing all access logs: a forward proxy log entry whose path is not one of the Web server's own paths, but whose response code is 20X, means the proxy was actually serving that request).
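The last check above can be automated over an Apache combined-format access log. The script below is an added example, not part of the original post: it separates ordinary requests from proxy-style requests (absolute URL in the request line), treats a 2xx answer for a foreign host as proof of an active forward proxy only when the requested path is not one the server really serves, and flags the rest as ambiguous. The sample log lines, `OWN_HOSTS` and `OWN_PATHS` are constructed/assumed values.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access log lines in Apache combined format (not from the original post).
SAMPLE_LOG = """\
192.12.53.101 - - [10/Nov/2016:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.12.53.101 - - [10/Nov/2016:10:01:05 +0800] "GET http://www.taobao.com/ HTTP/1.1" 200 58213 "-" "Mozilla/5.0"
192.12.53.101 - - [10/Nov/2016:10:01:09 +0800] "GET http://192.12.53.55/index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.12.53.101 - - [10/Nov/2016:10:02:11 +0800] "GET http://www.163.com/news/list.html HTTP/1.1" 200 7710 "-" "Mozilla/5.0"
192.12.53.101 - - [10/Nov/2016:10:02:40 +0800] "GET http://qzone.qq.com/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Assumed values for the server under investigation: its own names/addresses and the
# paths it really serves. Replace with the real host list and a listing of the docroot.
OWN_HOSTS = {"192.12.53.55", "web.example.test"}
OWN_PATHS = {"/", "/index.html", "/favicon.ico"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) ')

def classify(line):
    """Label one log line: normal, self-proxy, proxied, ambiguous or proxy-rejected."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target, status = m.group("target"), int(m.group("status"))
    if target.startswith("/") or target == "*":
        return ("normal", None, status)           # ordinary origin-style request
    u = urlsplit(target)
    host, path = u.hostname, (u.path or "/")
    if host in OWN_HOSTS:
        return ("self-proxy", host, status)       # proxy request for the server's own resource
    if status // 100 != 2:
        return ("proxy-rejected", host, status)   # foreign host, request not served
    if path in OWN_PATHS:
        return ("ambiguous", host, status)        # 2xx may just be the own resource at that path
    return ("proxied", host, status)              # foreign path served 2xx: proxy was active

def proxied_hosts(log_text):
    """Foreign hosts for which the server demonstrably acted as a forward proxy."""
    return sorted({r[1] for r in map(classify, log_text.splitlines())
                   if r and r[0] == "proxied"})
```

Lines labelled "ambiguous" (a foreign host but a path the server does serve, such as "/") are exactly the case in 0x01 where a server with the proxy disabled answers 200 with its own resource, so they must be checked against the response size rather than the status code alone.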
