
How do we configure nginx to prevent proxy abuse?

(Note that I have nginx set up as an onion server, which is the reason the loopback IP is present in the logs.) I found a few GET requests for content that I do not host nor have anything to do with, that returned a 200 status. The GET requests in question, from the log, are as follows, and none of the URLs are mine:

127.0.0.1 - - [03/Dec/2015:02:19:41 -0600] "GET / HTTP/1.1" 200 1159 "http://j4ko5c2kacr3pu6x.onion/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36"

127.0.0.1 - - [03/Dec/2015:02:32:28 -0600] "GET / HTTP/1.1" 200 1159 "-" "Scrapy/1.0.3 (+http://scrapy.org)"

127.0.0.1 - - [03/Dec/2015:03:05:43 -0600] "GET / HTTP/1.1" 200 1159 "-" "Daniels Online-Test http://tt3j2x4k5ycaa5zt.onion/test.php"

  • What behaviour do you actually want? To allow the proxy to serve only content from sites you have whitelisted? Or to only accept clients from IP ranges that you trust? – joeytwiddle Dec 05 '15 at 05:49
  • The thing is that all I'm doing is serving static html. I am NOT set up as a proxy, yet I am seeing what appears to me to be proxy-like behavior in the logs, unless I'm misreading it. – Scott Fulkerson Dec 05 '15 at 06:46
  • To further clarify, I'm talking about the same issue presented here: http://serverfault.com/questions/253236/strange-get-requests-in-logs, though this deals with Apache, not nginx. – Scott Fulkerson Dec 05 '15 at 07:15
  • What do you mean by "content that I do not host"? All of these requests were for your homepage! – Michael Hampton Dec 05 '15 at 10:46
  • How do you figure? The log normally has something like this: GET hosturl/index.html /HTTP 1.1... Here, all I see is GET /HTTP 1.1. And then yet we have these other URLs in the request. I'm a bit confused, though it seems to make sense, given the fact that I was able to replicate this sort of thing. But yet I am still interested in a more robust config file, so as to take precautions against the more common attacks. – Scott Fulkerson Dec 05 '15 at 21:03
  • Michael is correct, all of the requests are for `/` - your home page! Some of the URLs you see are the referrer page. Some of the others are part of the User Agent String (perhaps from a bot showing you how to find out more about him). – joeytwiddle Dec 06 '15 at 14:29
  • If you have an HTTP server listening on port 80, you will have to get used to random clients asking to view your content. Sometimes they are useful, for example when Google's crawler is indexing your site, or the various different types of user. You first need to decide what your server should provide to who, and after that you can start thinking about policies to enforce that. But in fact it looks like all these requests originated from 127.0.0.1, which is your local machine, so I guess they are coming from you or your software, and not from outside. – joeytwiddle Dec 06 '15 at 14:30
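The comments above come down to reading the nginx combined log format correctly: the request target is the second word inside the quoted `$request` field, while the referrer and user-agent strings are separate quoted fields that just happen to contain URLs. The script below is an added example (not code from the thread or from nginx) that parses the three log lines from the question and shows that every one of them targets `/`. It also goes one step further than the thread: a genuine proxy-style request would carry an absolute URI as its target (`GET http://other-site/ HTTP/1.1`) instead of a path, so the script flags those. The fourth sample line is constructed for this purpose and is not from the question's logs; `example.com` and the `curl` user agent in it are placeholders.

```python
import re
from typing import Dict, List, Optional

# nginx "combined" log format (the default access_log format):
#   $remote_addr - $remote_user [$time_local] "$request" $status
#   $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: the three lines from the question, plus a fourth
# line (made up for this example, not from the asker's logs) showing what
# a proxy-style request looks like: its target is an absolute URI, not a path.
SAMPLE_LOG = [
    '127.0.0.1 - - [03/Dec/2015:02:19:41 -0600] "GET / HTTP/1.1" 200 1159 '
    '"http://j4ko5c2kacr3pu6x.onion/" "Mozilla/5.0 (Windows NT 6.1; WOW64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36"',
    '127.0.0.1 - - [03/Dec/2015:02:32:28 -0600] "GET / HTTP/1.1" 200 1159 '
    '"-" "Scrapy/1.0.3 (+http://scrapy.org)"',
    '127.0.0.1 - - [03/Dec/2015:03:05:43 -0600] "GET / HTTP/1.1" 200 1159 '
    '"-" "Daniels Online-Test http://tt3j2x4k5ycaa5zt.onion/test.php"',
    '127.0.0.1 - - [03/Dec/2015:04:00:00 -0600] "GET http://example.com/ HTTP/1.1" '
    '200 1159 "-" "curl/7.47.0"',  # constructed proxy-style request
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields; None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "$request" is "METHOD TARGET PROTOCOL". The referrer and user agent
    # are separate fields and are never part of the request target.
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if len(parts) > 0 else ""
    rec["target"] = parts[1] if len(parts) > 1 else ""
    rec["protocol"] = parts[2] if len(parts) > 2 else ""
    return rec


ABSOLUTE_URI_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*://')


def is_proxy_style(target: str) -> bool:
    """True when the target is an absolute URI, the form a client sends to a forward proxy."""
    return bool(ABSOLUTE_URI_RE.match(target))


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count ordinary origin requests vs. proxy-style ones and collect flagged targets."""
    origin, proxy, unparsed = 0, 0, 0
    flagged: List[str] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if is_proxy_style(rec["target"]):
            proxy += 1
            flagged.append(rec["target"])
        else:
            origin += 1
    return {"origin": origin, "proxy_style": proxy,
            "flagged": flagged, "unparsed": unparsed}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        if rec is not None:
            print(f'target={rec["target"]!r:24} referer={rec["referer"]!r} '
                  f'agent={rec["agent"][:32]!r}')
    print(summarize(SAMPLE_LOG))
```

Run against the question's three lines, the target column reads `/` every time and the .onion URLs land in the referer and agent columns, which is exactly what the commenters say. Only the constructed fourth line is counted as proxy-style, so it is the absolute-URI target, not a URL anywhere else on the line, that would indicate someone treating the server as a proxy.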
