Find the answer to your Linux question:
Results 1 to 5 of 5
I'm using apache2 on Debian and my logs are absolutely flooded with messages like these: 127.0.0.1 - - [08/Jul/2009:17:55:17 -0700] "GET /" 400 531 "-" "-" 127.0.0.1 - - [08/Jul/2009:17:55:18 ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Aug 2008
    Location
    Seattle, WA
    Posts
    46

    apache2 logs flooded by empty requests?


    I'm using apache2 on Debian and my logs are absolutely flooded with messages like these:

    127.0.0.1 - - [08/Jul/2009:17:55:17 -0700] "GET /" 400 531 "-" "-"
    127.0.0.1 - - [08/Jul/2009:17:55:18 -0700] "GET /" 400 531 "-" "-"
    127.0.0.1 - - [08/Jul/2009:17:55:19 -0700] "GET /" 400 531 "-" "-"

    I'm thinking its a vhost issue because I cant get requests to my vhosts dont appear to be logging anything to the main /var/log/apache2/access_log.

    any thoughts on causes or investigation techniques?

  2. #2
    Just Joined!
    Join Date
    Jul 2009
    Posts
    15
    400 means "malformed reqest", and it is coming from your local host - so are you running the browser on the same machine as your apache server?

    Do you have a default virtual host, one that you would expect to reply if you didn't specify a hostname?

    You could post its config which may provide clues...

    If you do
    Code:
    ps auwx | grep apache
    check to see if
    Code:
     -D DEFAULT_VHOST
    is present.

  3. #3
    Just Joined!
    Join Date
    Aug 2008
    Location
    Seattle, WA
    Posts
    46
    Quote Originally Posted by paulkoan View Post
    400 means "malformed reqest", and it is coming from your local host - so are you running the browser on the same machine as your apache server?
    on occasion, I will use w3m or lynx on the apache server to browse other pages. I'll also occasionally tunnel HTTP requests to other pages through SSH. very very very rarely will I be connecting to the apache server locally. the access messages appear about once a second, even if I'm not tunnelling. (that was my first thought.)

    Do you have a default virtual host, one that you would expect to reply if you didn't specify a hostname?
    yes, I do. I'm not opposed to turning it off if it would help.

    You could post its config which may provide clues...
    there's a variety of files floating around, but these should be a representative sample.
    Code:
    NameVirtualHost *:80
    NameVirtualHost *:443
    
    <VirtualHost *:80>
            ServerName thule.neoice.net
            ServerAdmin webmaster@localhost
    
            ErrorLog /var/log/apache2/error.log
            LogLevel warn
            CustomLog /var/log/apache2/access.log combined
            ServerSignature On
    
            DocumentRoot /var/www/
            <Directory />
                    Options FollowSymLinks
                    AllowOverride None
            </Directory>
    
            <Directory /var/www/>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride None
                    Order allow,deny
                    allow from all
            </Directory>
    </VirtualHost>
    
    <VirtualHost *:443>
            ServerName thule.neoice.net
            ServerAdmin webmaster@localhost
    
            DocumentRoot /var/www/
            <Directory />
                    Options FollowSymLinks
                    AllowOverride None
            </Directory>
    
            <Directory /var/www/>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride None
                    Order allow,deny
                    allow from all
            </Directory>
    </VirtualHost>
    
    <VirtualHost *:80>
    ServerName llama.neoice.net
    ServerAlias www.llama.neoice.net
    DocumentRoot /var/www/_domains/llama.neoice.net/public_html
    ErrorLog /var/log/virtualmin/llama.neoice.net_error_log
    CustomLog /var/log/virtualmin/llama.neoice.net_access_log combined
    ScriptAlias /cgi-bin/ /var/www/_domains/llama.neoice.net/cgi-bin/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <Directory /var/www/_domains/llama.neoice.net/public_html>
    Options -Indexes IncludesNOEXEC FollowSymLinks
    allow from all
    AllowOverride All 
    </Directory>
    <Directory /var/www/_domains/llama.neoice.net/cgi-bin>
    allow from all
    </Directory>
    </VirtualHost>
    If you do
    Code:
    ps auwx | grep apache
    check to see if
    Code:
     -D DEFAULT_VHOST
    is present.
    about a dozen '/usr/sbin/apache2 -k start' lines but nothing else.

  4. $spacer_open
    $spacer_close
  5. #4
    Just Joined!
    Join Date
    Aug 2008
    Location
    Seattle, WA
    Posts
    46
    just for fun, I tried this:

    iptables -A INPUT -s 127.0.0.1 -p tcp --dport 80 -j DROP

    it didnt work...

  6. #5
    Just Joined!
    Join Date
    Aug 2008
    Location
    Seattle, WA
    Posts
    46
    update: I re-enabled IPv6, so now all the logs use ipv6-localhost

    ::1 - - [11/Jul/2009:13:50:38 -0700] "GET /" 400 531 "-" "-"
    ::1 - - [11/Jul/2009:13:50:39 -0700] "GET /" 400 531 "-" "-"
    ::1 - - [11/Jul/2009:13:50:40 -0700] "GET /" 400 531 "-" "-"
    ::1 - - [11/Jul/2009:13:50:41 -0700] "GET /" 400 531 "-" "-"
    ::1 - - [11/Jul/2009:13:50:42 -0700] "GET /" 400 531 "-" "-"

    I've still had little luck in tracking down the source of the issue.

    [edit] ok, once I started looking on Google using ipv6-localhost, I found some people with similar problems related to SSL. comment out the 443 vhost, errors go away. uncomment it and they come back with a vengeance.

    [edit2] definitely ssl. switched 443 vhost to log to ssl_access.log and now the messages appear there instead of the regular access.log. still not a fix, but at least I'm moving towards something.

    [edit3] looks like we have a winner: InternalDummyConnection - Httpd Wiki

    [edit4] I'll leave the config here too in case others find this thread. I added the following to the 443 vhost.

    <code>SetEnvIf Remote_Addr "::1" dontlog
    CustomLog /var/log/apache2/access.log combined env=!dontlog</code>

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •