I've found these requests in my nginx access.log:

X.X.X.X - - [03/Apr/2017:20:52:31 +0200] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 301 184 "-" "-"
X.X.X.X - - [03/Apr/2017:20:52:31 +0200] "GET //myadmin/scripts/setup.php HTTP/1.1" 301 184 "-" "-"
X.X.X.X - - [03/Apr/2017:20:52:31 +0200] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 301 184 "-" "-"
X.X.X.X - - [03/Apr/2017:20:52:31 +0200] "GET //MyAdmin/scripts/setup.php HTTP/1.1" 301 184 "-" "-"
X.X.X.X - - [03/Apr/2017:20:52:31 +0200] "GET //pma/scripts/setup.php HTTP/1.1" 301 184 "-" "-"
X.X.X.X - - [03/Apr/2017:20:52:31 +0200] "GET /muieblackcat HTTP/1.1" 301 184 "-" "-"

I know these requests are made to look for vulnerabilities on my server. We can see that those requests were permanently redirected (301). But nginx/GeoIP should have blocked them with 403 (Forbidden). Why were those requests redirected, and where to?

This is my nginx configuration (used as a reverse proxy):

server {
    listen 80;
    server_name example.com;

    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    # nginx variable names may only contain letters, digits and "_",
    # so the variable is written $lan_ip (the post had $lan-ip)
    if ($lan_ip = yes) {
        set $allowed_country yes;
    }

    if ($allowed_country = no) {
        return 403;
    }

    # SSL Configuration
    # .
    # .
    # .

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    root /var/www/html;

    index index.html;

    location /app {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_pass target not shown in the original post
    }
}

This is the GeoIP blocking part in nginx.conf:

geoip_country /usr/share/GeoIP/GeoIP.dat;

map $geoip_country_code $allowed_country {
    default no;
    DE yes;
}

# variable renamed from $lan-ip: nginx does not allow "-" in variable names
geo $lan_ip {
    default no;
    # <LAN address range> yes;   (the range itself is elided in the original post)
}
  • Is this the complete configuration? – Tero Kilkanen Apr 06 '17 at 17:40
  • I'm sure these are requests to `http://`, so they are processed by the first server block. And these bots don't bother to follow redirects, so there is no corresponding 403 in the error log. – Alexey Ten Apr 06 '17 at 17:41
  • @AlexeyTen this makes absolute sense. Should I also add the block for blocking foreign IPs in the http virtual server? – PatrickMA Apr 06 '17 at 17:44
  • @TeroKilkanen I've added the reverse proxy config part – PatrickMA Apr 06 '17 at 17:44
  • It practically makes no difference if you return 403 or 301. 301 causes one more request, which makes bandwidth usage slightly bigger and CPU usage slightly bigger. – Tero Kilkanen Apr 06 '17 at 19:22
  • To work out where they got redirected to, use "curl -i" on that URL and look at the response. – Tim Apr 06 '17 at 19:31
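The diagnosis in the comments is that the GeoIP/LAN check lives only in the 443 server block, so anything arriving on port 80 is redirected before it is ever evaluated. The configuration below is an added illustration (not the asker's config) of applying one shared gate in both server blocks; it assumes the GeoIP.dat path, the DE allow rule and example.com from the question, and uses 192.168.0.0/16 as a placeholder for the LAN range the post elides.

```nginx
# http{} context: define the decision once, reuse it in every server block.
geoip_country /usr/share/GeoIP/GeoIP.dat;

map $geoip_country_code $allowed_country {
    default no;
    DE      yes;
}

# nginx variable names allow letters, digits and "_" only ($lan-ip is invalid).
geo $lan_ip {
    default        no;
    192.168.0.0/16 yes;   # placeholder LAN range, not from the original post
}

# Combine both sources: deny (1) unless the LAN list or the country map says yes.
map "$lan_ip:$allowed_country" $deny_request {
    default  1;
    "~^yes:" 0;   # request comes from the LAN
    "~:yes$" 0;   # request comes from an allowed country
}

server {
    listen 80;
    server_name example.com;

    # Same gate as on 443: a scanner that ignores redirects now produces a 403
    # entry in access.log instead of a 301 it silently drops.
    if ($deny_request) {
        return 403;
    }

    # enforce https (reached only for allowed clients)
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    if ($deny_request) {
        return 403;
    }

    # SSL settings, add_header lines and the /app proxy block as in the question
}
```

Verify the gate with the comment's own suggestion, "curl -i" against the http:// URL from a non-allowed address: the expected first response is now 403 rather than 301.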

0 Answers