I recently got a VPS. Now it seems that there is a domain not owned by me that has DNS records pointing to my IP. Because of this my Apache (2.4) logs are flooded with some kind of Git request. The format is always: GET /?p=foo.git;...random stuff....

I tried blocking it with iptables and in Apache configuration, but nothing seems to work because it starts with a question mark. My whole site is on SSL.

Is it possible to keep it out of my logs and how? Any help would be appreciated.

Matthieu

2 Answers

Given that the requests follow a specific format, you can try the following trick: put HAProxy in front of Apache (this requires a bit of work) and create an ACL in HAProxy that matches said requests (based on host/header/request criteria) and ensure that they never hit Apache.

thanasisk

There are a few ways that you can stop this:

  • mod_rewrite can match on query string
  • mod_security can block this, and a number of other attempts to abuse your server
  • if the clients use SNI, you can set up a separate virtual host for the other domain and block everything to it, and log to a separate file (or to /dev/null)
  • let the requests through, but don't log them

For mod_rewrite, there's a canonical question with lots of information. A basic ruleset for this could be

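RewriteEngine On
# %{QUERY_STRING} does not include the leading "?", and a regex cannot start with "?"
RewriteCond %{QUERY_STRING} ^p=foo\.git
# "-" means no substitution; [F] returns 403 Forbidden
RewriteRule .* - [F]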

This will return 403 Forbidden to the client.

For mod_security, see the documentation at modsecurity.org.

For virtual hosts, see the documentation at the Apache documentation site. Note that there may be a problem with clients who don't use SNI, as per the question Understand ssl setup.

For changing the logging, you can use a combination of mod_rewrite, environment variables and custom log format. Here's an example:

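RewriteEngine On
# %{QUERY_STRING} does not include the leading "?", and a regex cannot start with "?"
RewriteCond %{QUERY_STRING} ^p=foo\.git
# Return 403 and set the "nolog" environment variable for matching requests
RewriteRule .* - [F,E=nolog:1]
# Only log requests that do not have "nolog" set
CustomLog /path/to/your/access.log common env=!nolog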
Jenny D
  • virtual hosts worked partly, mainly to requests robots.txt. When using mod_rewrite I get an error when I restart apache. I installed mod_security, but their website was not a big help with setting up the right rule. – Matthieu Sep 16 '14 at 12:31
  • If you'd like more help, you could either amend the question with the specific configuration you're having problems with, or post a separate question with that information. – Jenny D Sep 16 '14 at 12:45
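
An added example (not part of either answer, and not the posters' own configuration) that puts the virtual-host and no-logging options from the second answer together for Apache 2.4, swapping mod_rewrite for `<If>` and `SetEnvIfExpr`. `foreign.example`, `www.example.org` and all file paths are placeholders.

```apache
# Added example; host names and file paths are placeholders (assumptions).
# Assumes Apache 2.4 with mod_ssl, mod_setenvif and mod_authz_core loaded.

# 1) The real site. Listed first so it stays the default vhost for
#    clients that send no SNI name or an unknown one.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site.pem
    SSLCertificateKeyFile /etc/ssl/private/site.key

    # QUERY_STRING never includes the leading "?", so anchor on "p=".
    SetEnvIfExpr "%{QUERY_STRING} =~ /^p=foo\.git/" nolog

    # Refuse the same requests with 403 Forbidden.
    <If "%{QUERY_STRING} =~ /^p=foo\.git/">
        Require all denied
    </If>

    # Requests tagged "nolog" are left out of the access log.
    CustomLog /var/log/apache2/access.log common env=!nolog
</VirtualHost>

# 2) Dedicated vhost for the foreign domain that resolves to this IP.
#    Clients sending that name via SNI/Host land here and are refused.
<VirtualHost *:443>
    ServerName foreign.example
    SSLEngine on
    # Any certificate will do; it cannot match the foreign name anyway.
    SSLCertificateFile    /etc/ssl/certs/placeholder.pem
    SSLCertificateKeyFile /etc/ssl/private/placeholder.key

    <Location "/">
        Require all denied
    </Location>

    # Logs set inside a vhost are used instead of the main ones, so this
    # traffic and its error entries stay out of the site's own logs.
    CustomLog /var/log/apache2/foreign_access.log common
    ErrorLog  /var/log/apache2/foreign_error.log
</VirtualHost>
```

The `env=!nolog` condition only affects the access log; each denied request in the first vhost still produces an entry in that vhost's error log.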