From trevor@tecnopolis.ca Wed Apr 17 01:22:10 2024
From: Trevor Cordes
To: roundtable@muug.ca
Subject: [RndTbl] weird web hit 80 & 443?
Date: Wed, 17 Apr 2024 01:21:58 -0500

5.6.7.8 - - [17/Apr/2024:00:17:59 -0500] "GET / HTTP/1.0" 400 362 "-" "-" sampledomainfoobar.com 1.2.3.4 80 443 HTTP/1.0 - - 56

Apache 2.4.

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %v %A %p %{local}p %H %f %L %D" teccombinedwithpath

How can I get a hit where %p is 80 and %{local}p is 443?

https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats

%p  The canonical port of the server serving the request.
%{format}p  The canonical port of the server serving the request, or the server's actual port, or the client's actual port. Valid formats are canonical, local, or remote.

One vhost is listening on 80, the other 443. Pretty standard setup. 80 does a redir to 443. HTTP2 is present, but the hit shows HTTP1.

And apache gets confused and throws a 400.

Looking at the very few hits like this it seems like some sort of probe: other probes occurring at the same time. Just wondering what they are doing to achieve this hit.

From dndyck6@gmail.com Wed Apr 17 12:03:52 2024
From: dndyck6@gmail.com
To: roundtable@muug.ca
Subject: Re: [RndTbl] weird web hit 80 & 443?
Date: Wed, 17 Apr 2024 12:03:44 -0500
Message-ID: <003201da90e9$356bae00$a0430a00$@gmail.com>

You can achieve this by making an HTTP request to the HTTPS server on 443. I was pretty sure, but I just tested it (Using your logformat string):

[Wed, 17.Apr, 2024 - 11:59] david@dagmar:/etc/apache2/sites-enabled$ curl http://localhost:443
400 Bad Request

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.


Apache/2.4.52 (Ubuntu) Server at www.ddyck.ca Port 80
[Wed, 17.Apr, 2024 - 11:59] david@dagmar:/etc/apache2/sites-enabled$ sudo tail -1 /var/log/apache2/access.log
127.0.0.1 - - [17/Apr/2024:11:59:34 -0500] "GET / HTTP/1.0" 400 440 "-" "-" www.ddyck.ca 127.0.0.1 80 443 HTTP/1.0 - - 156

Also - Your log format is way better than mine was so I might just have to keep it 😉

David

_______________________________________________
Roundtable mailing list
Roundtable@muug.ca
https://muug.ca/mailman/listinfo/roundtable

From trevor@tecnopolis.ca Fri Apr 19 00:38:22 2024
From: Trevor Cordes
To: roundtable@muug.ca
Subject: Re: [RndTbl] weird web hit 80 & 443?
Date: Fri, 19 Apr 2024 00:38:13 -0500
Message-ID: <20240419003813.0c559540@pog.tecnopolis.ca>
In-Reply-To: <003201da90e9$356bae00$a0430a00$@gmail.com>

On 2024-04-17 dndyck6@gmail.com wrote:
> You can achieve this by making an HTTP request to the HTTPS server on
> 443. I was pretty sure, but I just tested it (Using your logformat
> string):
>
> [Wed, 17.Apr, 2024 - 11:59] david@dagmar:/etc/apache2/sites-enabled$
> curl http://localhost:443

> Also - Your log format is way better than mine was so I might just
> have to keep it 😉

You're welcome! Years of debugging web hits & probes & problems have built that logformat... every time I think "argh, why don't I have X information" I put another % in it.
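
Added example (not part of the thread and not the posters' code): a Python filter over lines in the teccombinedwithpath format that picks out the signature reproduced above, a 400 accepted on 443 whose %p differs from %{local}p. The TLS_PORTS set, the function names and the last two sample lines are assumptions made for the example, and a match is a heuristic for plain HTTP sent to the TLS port.

```python
import re
from collections import Counter

# Field order follows the thread's LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %v %A %p %{local}p %H %f %L %D
QUOTED = r'"(?:[^"\\]|\\.)*"'   # Apache backslash-escapes quotes inside quoted fields
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] (?P<request>' + QUOTED + r') '
    r'(?P<status>\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r' '
    r'(?P<vhost>\S+) (?P<local_ip>\S+) (?P<canon_port>\d+) (?P<local_port>\d+) '
    r'(?P<proto>\S+) (?P<file>.*) (?P<log_id>\S+) (?P<usec>\d+)$'
)

TLS_PORTS = {"443"}   # assumption: ports on which this server terminates TLS

def parse(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_plain_http_on_tls(rec):
    """Heuristic from the thread: 400, accepted on a TLS port, canonical port differs."""
    return (rec["status"] == "400"
            and rec["local_port"] in TLS_PORTS
            and rec["canon_port"] != rec["local_port"])

def probes_by_client(lines):
    """Count matching hits per client address; unparseable lines are skipped."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec and is_plain_http_on_tls(rec):
            hits[rec["client"]] += 1
    return hits

# The first two lines are the ones quoted in the thread; the last two are constructed.
SAMPLE = [
    '5.6.7.8 - - [17/Apr/2024:00:17:59 -0500] "GET / HTTP/1.0" 400 362 "-" "-" '
    'sampledomainfoobar.com 1.2.3.4 80 443 HTTP/1.0 - - 56',
    '127.0.0.1 - - [17/Apr/2024:11:59:34 -0500] "GET / HTTP/1.0" 400 440 "-" "-" '
    'www.ddyck.ca 127.0.0.1 80 443 HTTP/1.0 - - 156',
    '192.0.2.10 - - [17/Apr/2024:00:18:05 -0500] "GET / HTTP/2.0" 200 5120 "-" "Mozilla/5.0" '
    'sampledomainfoobar.com 1.2.3.4 443 443 HTTP/2.0 /var/www/html/index.html - 812',
    '192.0.2.11 - - [17/Apr/2024:00:18:09 -0500] "GET / HTTP/1.1" 301 231 "-" "curl/8.0" '
    'sampledomainfoobar.com 1.2.3.4 80 80 HTTP/1.1 - - 120',
]

if __name__ == "__main__":
    print(dict(probes_by_client(SAMPLE)))
```

Grouping the matches by client address makes it easy to line them up against the other probes seen at the same time.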