- 07-09-2009 #1 (Just Joined!, Join Date: Aug 2008, Location: Seattle, WA, Posts: 46)
apache2 logs flooded by empty requests?
I'm using apache2 on Debian and my logs are absolutely flooded with messages like these:
127.0.0.1 - - [08/Jul/2009:17:55:17 -0700] "GET /" 400 531 "-" "-"
127.0.0.1 - - [08/Jul/2009:17:55:18 -0700] "GET /" 400 531 "-" "-"
127.0.0.1 - - [08/Jul/2009:17:55:19 -0700] "GET /" 400 531 "-" "-"
I'm thinking it's a vhost issue because requests to my vhosts don't appear to be logging anything to the main /var/log/apache2/access_log.
any thoughts on causes or investigation techniques?
- 07-09-2009 #2 (Just Joined!, Join Date: Jul 2009, Posts: 15)
400 means "malformed request", and it is coming from your local host - so are you running the browser on the same machine as your apache server?
Do you have a default virtual host, one that you would expect to reply if you didn't specify a hostname?
You could post its config which may provide clues...
If you do
Code:
ps auwx | grep apache
check to see if
Code:
-D DEFAULT_VHOST
is present.
- 07-10-2009 #3 (Just Joined!, Join Date: Aug 2008, Location: Seattle, WA, Posts: 46)
on occasion, I will use w3m or lynx on the apache server to browse other pages. I'll also occasionally tunnel HTTP requests to other pages through SSH. very very very rarely will I be connecting to the apache server locally. the access messages appear about once a second, even if I'm not tunnelling. (that was my first thought.)
Quote: Do you have a default virtual host, one that you would expect to reply if you didn't specify a hostname?
yes, I do. I'm not opposed to turning it off if it would help.
Quote: You could post its config which may provide clues...
there's a variety of files floating around, but these should be a representative sample.
Code:
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    ServerName thule.neoice.net
    ServerAdmin webmaster@localhost
    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName thule.neoice.net
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName llama.neoice.net
    ServerAlias www.llama.neoice.net
    DocumentRoot /var/www/_domains/llama.neoice.net/public_html
    ErrorLog /var/log/virtualmin/llama.neoice.net_error_log
    CustomLog /var/log/virtualmin/llama.neoice.net_access_log combined
    ScriptAlias /cgi-bin/ /var/www/_domains/llama.neoice.net/cgi-bin/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <Directory /var/www/_domains/llama.neoice.net/public_html>
        Options -Indexes IncludesNOEXEC FollowSymLinks
        allow from all
        AllowOverride All
    </Directory>
    <Directory /var/www/_domains/llama.neoice.net/cgi-bin>
        allow from all
    </Directory>
</VirtualHost>
Quote: If you do ps auwx | grep apache check to see if -D DEFAULT_VHOST is present.
about a dozen '/usr/sbin/apache2 -k start' lines but nothing else.
- 07-10-2009 #4 (Just Joined!, Join Date: Aug 2008, Location: Seattle, WA, Posts: 46)
just for fun, I tried this:
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 80 -j DROP
it didn't work...
- 07-11-2009 #5 (Just Joined!, Join Date: Aug 2008, Location: Seattle, WA, Posts: 46)
update: I re-enabled IPv6, so now all the logs use ipv6-localhost
::1 - - [11/Jul/2009:13:50:38 -0700] "GET /" 400 531 "-" "-"
::1 - - [11/Jul/2009:13:50:39 -0700] "GET /" 400 531 "-" "-"
::1 - - [11/Jul/2009:13:50:40 -0700] "GET /" 400 531 "-" "-"
::1 - - [11/Jul/2009:13:50:41 -0700] "GET /" 400 531 "-" "-"
::1 - - [11/Jul/2009:13:50:42 -0700] "GET /" 400 531 "-" "-"
I've still had little luck in tracking down the source of the issue.
[edit] ok, once I started looking on Google using ipv6-localhost, I found some people with similar problems related to SSL. comment out the 443 vhost, errors go away. uncomment it and they come back with a vengeance.
[edit2] definitely ssl. switched 443 vhost to log to ssl_access.log and now the messages appear there instead of the regular access.log. still not a fix, but at least I'm moving towards something.
[edit3] looks like we have a winner: InternalDummyConnection - Httpd Wiki
[edit4] I'll leave the config here too in case others find this thread. I added the following to the 443 vhost.
<code>SetEnvIf Remote_Addr "::1" dontlog
CustomLog /var/log/apache2/access.log combined env=!dontlog</code>




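Added example, not part of the original thread: a small triage script that separates the once-a-second loopback entries quoted above from other loopback traffic in a combined-format access log, so you can see what an address-only filter like the one in post #5 would also stop logging. The function names and the two contrast entries (a local w3m request and a remote client) are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: entries in the shape quoted in the thread, plus two
# constructed lines (local w3m request, remote client) for contrast.
SAMPLE = """\
::1 - - [11/Jul/2009:13:50:38 -0700] "GET /" 400 531 "-" "-"
::1 - - [11/Jul/2009:13:50:39 -0700] "GET /" 400 531 "-" "-"
::1 - - [11/Jul/2009:13:50:40 -0700] "GET /" 400 531 "-" "-"
::1 - - [11/Jul/2009:13:50:40 -0700] "GET /index.html HTTP/1.0" 200 1024 "-" "w3m/0.5.2"
203.0.113.7 - - [11/Jul/2009:13:50:41 -0700] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
::1 - - [11/Jul/2009:13:50:41 -0700] "GET /" 400 531 "-" "-"
"""

def parse(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_dummy_like(rec):
    """Loopback source, status 400, no referer or agent, request line without an HTTP version."""
    return (rec["host"] in LOOPBACK and rec["status"] == "400"
            and rec["referer"] == "-" and rec["agent"] == "-"
            and "HTTP/" not in rec["request"])

def triage(text):
    """Count dummy-like entries, other loopback entries, and the gaps between dummy-like hits."""
    recs = [r for r in map(parse, text.splitlines()) if r]
    dummy = [r for r in recs if is_dummy_like(r)]
    other_loopback = [r for r in recs if r["host"] in LOOPBACK and not is_dummy_like(r)]
    gaps = Counter(int((b["time"] - a["time"]).total_seconds())
                   for a, b in zip(dummy, dummy[1:]))
    return {"dummy": len(dummy), "other_loopback": len(other_loopback),
            "total": len(recs), "gap_seconds": dict(gaps)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-zero `other_loopback` count means real requests (local browsing, SSH-tunnelled traffic) share the source address with the noise, so filtering on `Remote_Addr` alone would drop those from the log as well.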