
I'm having problems with an Apache server (CentOS VPS at Amazon). When Apache starts, it starts to receive hundreds of requests. This is an example from the log:

```
173.208.216.165 - - [25/Jan/2015:18:23:11 +0000] "GET http://go.padstm.com/resources/img/iebt.png HTTP/1.0" 200 36023 "http://go.padstm.com/?id=173374&t=iframe&var=33110" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"
```

The path /resources/img/iebt.png is on my server, but not go.padstm.com. The strangest thing is that Apache is accepting all the requests. Another example: in this case, the entire resource is NOT on my server, but Apache returns 200:

```
198.204.239.250 - - [25/Jan/2015:19:04:39 +0000] "GET http://fstads.com/show.php?z=26&pl=494&j=1&code=1422237874120 HTTP/1.0" 200 10819 "http://financezhen.com/?p=186#respond" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.2a1pre) Gecko/20110324 Firefox/4.2a1pre"
```

I don't know why these requests go to my server, or why it returns 200...

Also, when Apache starts and the prefork module is enabled, it launches multiple httpd processes. If the worker module is enabled, it launches multiple threads. OK, but in both cases Apache ends up consuming all the CPU and memory of the server, and there is no traffic directed to my server.

More info: ProxyRequests is Off. Also: I'm using ip-based vhosts:

```apache
NameVirtualHost xxx.xxx.xxx.xxx:80

<VirtualHost xxx.xxx.xxx.xxx:80>
    ServerName mydomain.com
    ServerAlias www.mydomain.com
    DocumentRoot /var/www/html/w3prod
    ServerAdmin admin@localhost
    UseCanonicalName Off
    CustomLog /var/log/httpd/w3prod.mydomain.com combined
    ErrorLog /var/log/httpd/w3prod_error.mydomain.com
</VirtualHost>
<VirtualHost xxx.xxx.xxx.xxx:80>
    ServerName picfarm.mydomain.com
    ServerAlias www.picfarm.mydomain.com
    DocumentRoot /var/www/html/picfarm
    ServerAdmin admin@localhost
    UseCanonicalName Off
    CustomLog /var/log/httpd/picfarm.mydomain.com combined
    ErrorLog /var/log/httpd/picfarm_error.mydomain.com
</VirtualHost>
<VirtualHost xxx.xxx.xxx.xxx:80>
    ServerName test.mydomain.com
    ServerAlias www.test.mydomain.com
    DocumentRoot /var/www/html/engine-test
    ServerAdmin admin@localhost
    UseCanonicalName Off
    CustomLog /var/log/httpd/test.mydomain.com combined
    ErrorLog  /var/log/httpd/test_error.mydomain.com
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
            Order deny,allow
            Allow from all
    </Proxy>
    ProxyPass /bosh http://xxx.xxx.xxx.xxx:7070/http-bind/
    ProxyPassReverse /bosh http://xxx.xxx.xxx.xxx:7070/http-bind/
    ProxyPass / http://xxx.xxx.xxx.xxx:8080/
    ProxyPassReverse / http://xxx.xxx.xxx.xxx:8080/
</VirtualHost>
```

Any help would be appreciated. Thanks!

Rlagom
  • 11
  • 3
  • 1
    possible duplicate of [Why does apache log requests to GET http://www.google.com with code 200?](http://serverfault.com/questions/115827/why-does-apache-log-requests-to-get-http-www-google-com-with-code-200) – kasperd Jan 25 '15 at 19:44
  • 1
    I think your config is right, but just to make sure, could you try doing a test to check if you have an open proxy? You could either do a `telnet mydomain.com 80` and then `GET http://fstads.com/show.php?z=26&pl=494&j=1&code=1422237874120 HTTP/1.0` and check whether the results are from your domain (i.e. your homepage) or from the external host. The other way is to change your browser's configuration to use "mydomain.com" as a proxy and check if you can surf to those sites. – NuTTyX Jan 25 '15 at 20:08
  • Hello, thanks! I'm receiving content from my own site, so I guess it is properly configured. I'm going to make some of the changes recommended in the ProxyAbuse link. – Rlagom Jan 25 '15 at 20:37
  • This is frustrating. There is no way to solve this problem. Whatever I do, the problem persists. Even if I use the default configuration file, same thing happens. How can I receive so many requests? At the current log entry generation rate, the server will end up dying for lack of disk space. – Rlagom Jan 26 '15 at 09:29
  • @kasperd While the question is a duplicate, the answer talks about open proxies which isn't the actual issue. – Jenny D Jan 26 '15 at 09:42
  • @JennyD The part about apache in a typical configuration returning 200 on probes for open proxies without actually proxying the request is duplicated. It is quite understandable that this confuses many people looking at the logs. That has been asked over and over again. The other part to the problem might be that the page actually being served to those probes needs too many resources during rendering. That may be a real issue, which needs addressing. – kasperd Jan 26 '15 at 09:56
  • @kasperd I tried finding a previous answer on that for apache, but I only found a few for nginx. As you say, it does need addressing so we can have a better answer to point duplicates to. – Jenny D Jan 26 '15 at 10:01
  • @JennyD That part probably has been asked before. But I am not sure exactly what to search for in order to find it. I have retracted my close vote. – kasperd Jan 26 '15 at 10:04
  • Welcome to the Internet. Everyone who operates a server on the Internet has to have a strategy for dealing with the "baseline noise" that pretty much all Internet servers see. – David Schwartz Jan 26 '15 at 10:07
  • 1
    @DavidSchwartz I used to be an email server sysadmin at an ISP. I know very well what you mean... Still, it'd be nice to have a good answer to point new sysadmins at. – Jenny D Jan 26 '15 at 10:09

1 Answer

3

The problem here is that somebody has set up a DNS record of their own domain, and pointed it to your IP instead of their own server's IP. There is no possible way to stop somebody from doing this.

What you can do to solve the basis of the problem is:

  • You can contact the owners of the domain padstm.com and tell them about the error. If it actually is a mistake, they'll probably fix it. But if it's a spammer, they will happily go on abusing you...

  • You can request a new IP address from your hosting company. You'll need to change your own DNS records to point to the new IP, and give them time to fade from caches, before you switch off the old IP.

You can also make Apache not serve any content that contains a request for a hostname that doesn't belong to you. The way it works is, if you send a request to Apache with a hostname that is listed in one of the VirtualHosts, that VirtualHost will be used. But if the hostname isn't listed anywhere, then the first VirtualHost will be used by default. (I wrote a longer description of how this works in this answer, if you're interested.) So what you do is simply to set up a default VirtualHost that doesn't serve content. Here's a sample configuration:

```apache
<VirtualHost xxx.xxx.xxx.xxx:80>
    ServerName default
    RewriteEngine On
    RewriteRule .* - [G]
</VirtualHost>
```

This means that every URL requested will be rewritten to return 410 Gone for any request to any hostname that is not listed as a ServerName or ServerAlias in one of the other VirtualHosts in your config. This return code means that the resource does not exist and never will exist again and the client should stop attempting to access it.

If you're interested in seeing what gets thrown at your server, set up suitable CustomLog and ErrorLog directives to keep track of it. If not, send the logs to the bitbucket by adding the following lines:

```apache
CustomLog /dev/null common
ErrorLog  /dev/null
```

to the VirtualHost config.

Jenny D
  • 27,358
  • 21
  • 74
  • 110
  • Thanks. I have added a default virtual host. I also added 'CustomLog /dev/null common' and 'ErrorLog /dev/null' entries to that vhost. Is this a good idea? The problem now is the network usage, but that is beyond the scope of this question. – Rlagom Jan 26 '15 at 10:42
  • It was a very good idea; I should have thought of it and will update my response. – Jenny D Jan 26 '15 at 10:56
  • Is "RewriteMatch" correct? It didn't work for me. I changed it to "RewriteRule" and it worked. – ericbae May 15 '15 at 13:51
  • @ericbae You're quite right, I can't imagine how I missed that. Fixing it. – Jenny D May 15 '15 at 14:57
  • Rather than the [`F`](https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_f) flag I would consider using the [`G`](https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_g) flag and trigger a **410 Gone** as that *"Indicates that the resource requested is no longer available and will not be available again. This should be used when a resource has been intentionally removed and the resource should be purged. Upon receiving a 410 status code, the client should not request the resource in the future. Clients such as search engines should remove the resource from their indices"* – HBruijn Jul 23 '18 at 08:31
  • Good point @HBruijn. Updated. – Jenny D Jul 23 '18 at 14:50
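
To measure how much of an access log consists of the proxy-style requests shown in the question, the following added example (not part of the original posts) parses combined-format lines and reports requests whose request line names a host the server does not own; it also covers `CONNECT` probes, which the question's log does not show. `OWN_HOSTS` is taken from the question's vhosts, the first two sample lines are adapted from the question's log with referer and agent shortened, and the remaining lines and all function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hostnames this server really serves (assumption: copied from the question's vhosts).
OWN_HOSTS = {"mydomain.com", "www.mydomain.com", "picfarm.mydomain.com",
             "www.picfarm.mydomain.com", "test.mydomain.com", "www.test.mydomain.com"}
# Combined log format: ip ident user [time] "METHOD target proto" status bytes ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def classify(line, own_hosts=OWN_HOSTS):
    """Return (ip, host, status, bytes) if the request line names a foreign host, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m["target"]
    if m["method"] == "CONNECT":            # authority-form: host:port
        host = target.rsplit(":", 1)[0]
    elif "://" in target:                   # absolute-form: scheme://host/path
        try:
            host = urlsplit(target).hostname or ""
        except ValueError:                  # malformed authority in a hostile request
            host = ""
    else:                                   # origin-form "/path": no host in the request line
        return None
    if host.lower() in own_hosts:
        return None
    return m["ip"], host.lower(), int(m["status"]), 0 if m["size"] == "-" else int(m["size"])

def summarize(lines, own_hosts=OWN_HOSTS):
    """Count probes per client IP and per requested host, plus bytes sent with status 200."""
    by_ip, by_host, bytes_200 = Counter(), Counter(), 0
    for line in lines:
        hit = classify(line, own_hosts)
        if hit:
            ip, host, status, size = hit
            by_ip[ip] += 1
            by_host[host] += 1
            bytes_200 += size if status == 200 else 0
    return by_ip, by_host, bytes_200

SAMPLE = [  # lines 1-2 adapted from the question's log; lines 3-5 constructed
    '173.208.216.165 - - [25/Jan/2015:18:23:11 +0000] "GET http://go.padstm.com/resources/img/iebt.png HTTP/1.0" 200 36023 "-" "Mozilla/5.0"',
    '198.204.239.250 - - [25/Jan/2015:19:04:39 +0000] "GET http://fstads.com/show.php?z=26&pl=494&j=1&code=1422237874120 HTTP/1.0" 200 10819 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Jan/2015:19:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Jan/2015:19:05:02 +0000] "GET http://www.mydomain.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [25/Jan/2015:19:05:03 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 405 231 "-" "-"',
]
```

Requests in origin form (`GET /path`) carry the hostname only in the `Host` header, which the combined format does not record; adding `%{Host}i` to a `LogFormat` makes those visible as well.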