NGINX Reverse-Proxy – Server Protocol HTTP/1.0 and blank User Agent


  • #18250
    JB
    Participant

    Hi,

    Every 30 minutes I find these two entries in the Security Log.
    I know why it happens, but I don't know how to fix it. Our provider/hoster is monitoring our site every 30 minutes.
    That’s the reason …

    I tried the “additional whitelist” under “Firewall-Plugin” with the server names and IPs in the text below – but nothing has changed.

    BPS PRO SECURITY LOG
    =====================
    =====================
    [403 GET / HEAD Request: 3. Oktober 2014 - 00:22]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 80.237.136.5
    Host Name: server02.monitor.xxx.de
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 80.xxx.xxx.x
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT:
    
    [403 GET / HEAD Request: 3. Oktober 2014 - 00:22]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 80.237.136.5
    Host Name: server02.monitor.xxx.de
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 80.xxx.xxx.x
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT:
    

    Here is the error code I get by mail from my hoster:

    HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 02 Oct
    2014 22:22:04 GMT Content-Type: text/html Content-Length:
    1060 Connection: close Set-Cookie:
    PHPSESSID=2a3m56e1ua6hg0cc3ccdrje6f5; path=/ Expires: Thu,
    19 Nov 1981 08:52:00 GMT Cache-Cont
    
    and
    
    HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 02 Oct
    2014 22:22:14 GMT Content-Type: text/html Content-Length:
    1060 Connection: close Set-Cookie:
    PHPSESSID=au01bp2forj7mtqcnbcu13p8g3; path=/ Expires: Thu,
    19 Nov 1981 08:52:00 GMT Cache-Cont
    

    I hope you can tell me how to solve this problem?
    nukleuz
    EDIT: NGINX is installed as a Reverse-Proxy!
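
Added example, not part of the original posts and not BPS Pro code: a small triage script for Security Log entries in the layout posted above. It groups blocked requests by source and by the two properties discussed in this thread (HTTP/1.0 and a blank User Agent). The field layout is assumed from the posted entries; the second timestamp and the third entry are constructed.

```python
from collections import Counter

# Constructed sample: entries 1-2 reuse fields posted above; entry 3 is made up.
SAMPLE_LOG = """\
[403 GET / HEAD Request: 3. Oktober 2014 - 00:22]
REMOTE_ADDR: 80.237.136.5
Host Name: server02.monitor.xxx.de
SERVER_PROTOCOL: HTTP/1.0
HTTP_USER_AGENT:
[403 GET / HEAD Request: 3. Oktober 2014 - 00:52]
REMOTE_ADDR: 80.237.136.5
Host Name: server02.monitor.xxx.de
SERVER_PROTOCOL: HTTP/1.0
HTTP_USER_AGENT:
[403 GET / HEAD Request: 3. Oktober 2014 - 01:07]
REMOTE_ADDR: 203.0.113.7
Host Name: client.example
SERVER_PROTOCOL: HTTP/1.1
HTTP_USER_AGENT: ExampleBrowser/1.0
"""

def parse_entries(text):
    """One dict per '[...]' entry; 'KEY: value' lines become fields."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = {"header": line[1:-1]}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def traits(entry):
    """Properties the replies in this thread single out as possible block causes."""
    found = []
    if entry.get("SERVER_PROTOCOL") == "HTTP/1.0":
        found.append("HTTP/1.0")
    if not entry.get("HTTP_USER_AGENT"):  # empty or missing field
        found.append("blank User-Agent")
    return tuple(found)

def summarize(entries):
    """Count blocked requests per (source IP, host name, traits)."""
    keys = ((e.get("REMOTE_ADDR", "?"), e.get("Host Name", "?"), traits(e)) for e in entries)
    return Counter(keys)

if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE_LOG)).most_common())
```

A source that recurs with identical traits, like the monitoring host here, is the entry to compare against the whitelist settings.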

    #18253
    AITpro Admin
    Keymaster

    You have 2 primary problems.  The Nginx Reverse Proxy is using Server Protocol HTTP/1.0 and needs to be changed to Server Protocol HTTP/1.1 and the User Agent is blank.  It is ironic that the error message your Host is sending you is using HTTP/1.1.  You can find the solution for changing the Server Protocol to HTTP/1.1 on the Nginx website.  I guess ask your Host to add a User Agent for whatever monitoring method they are using and also ask them if this is a HEAD Request.  Let me know what your host says about the Request method.

    #18256
    AITpro Admin
    Keymaster

    Actually I should rephrase this in another way.  I assume the only thing that is being blocked is the Request Method itself as long as you are not using HTTP/1.0 Brute Force Login protection Bonus Custom Code and are not using any additional personal custom htaccess code that filters by empty/blank User Agents.  Most likely all that needs to happen for the Host Monitor check to not be blocked is to remove HEAD from the Request Methods filter.  So you do not “need” to do anything about the Server Protocol or the blank User Agent, but ask your Host if the Request is a HEAD Request.  If it is then you would do this whitelist method in the link below.

    http://forum.ait-pro.com/forums/topic/split-uptimerobot-whitelist-uptimerobot-bot/page/2/#post-8003

    #18257
    JB
    Participant

    Hi Admin,
    thanks for your fast reply.
    I will try and give an answer.
    nukleuz

    #18387
    JB
    Participant

    The request is a HEAD request, so I followed this link and removed the HEAD:
    http://forum.ait-pro.com/forums/topic/split-uptimerobot-whitelist-uptimerobot-bot/page/2/#post-8003

    But I still get the error.
    Any ideas?

    #18389
    AITpro Admin
    Keymaster

    Use Web-Sniffer:  http://web-sniffer.net/ and test making a GET Request with Server Protocol HTTP/1.0 with a User Agent and then test making a GET Request with no User Agent (none) with Server Protocol HTTP/1.1.  Also make a HEAD Request with Server Protocol HTTP/1.1 just to make sure HEAD Requests are allowed/whitelisted. Check your BPS Security Log after doing these tests and post any Security Log entries.

    #18394
    AITpro Admin
    Keymaster

    I cross referenced your forum user account settings with your BPS Pro account and found this domain (obfuscated):  bxxx-markxxxxxxxxxx.de.  I ran Web-Sniffer tests and all of them passed with 200 OK Responses so I don’t think any of the original things I thought were the problem are actually a problem (with the exception of allowing HEAD Requests).

    I believe this is going to be a Plugin Firewall issue/problem and probably you will need to whitelist the Proxy IP address using the Plugin Firewall additional whitelist tools.

    Deactivate the Plugin Firewall for testing and manually test running the Host Monitor check if that is possible.  If that is not possible then wait 30 minutes for the next automated Host Monitor check to see if the Monitor check is blocked or allowed.

    http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    #18399
    JB
    Participant

    Hi,

    thanks for your help.

    I think the reason was the HTTP protocol 1.1. I have changed the command string in the monitoring tool from version 1.1 to 1.0 and all is fine. But I also removed the HEAD request with .htaccess custom code at the same time. So I had to prove which setting it was.

    The IPs of the monitoring tools are in the whitelist, too. Now everything is fine – the log doesn’t show the 403 error anymore.

    THX, nukleuz

    Or do you think I have to change some of the settings I made?

    #18401
    AITpro Admin
    Keymaster

    There are a lot of known issues/problems in general with using the old Server Protocol HTTP/1.0 – Server Protocol HTTP/1.0 was phased out in 1999 and the new Server Protocol is now HTTP/1.1 starting in 1999.  There are also known issues/problems with using Server Protocol HTTP/1.0 with an Nginx Reverse Proxy.  My point is simply that everything nowadays should be using the new Server Protocol HTTP/1.1 to avoid any possible issues or problems.  Hackers and Spammers use the old Server Protocol HTTP/1.0 because it allows them to do some shady/nasty things that they cannot do with the new Server Protocol HTTP/1.1.

    Anyway sounds like my original hunch was correct and besides to avoid a lot of other common problems you want to be using the current new standard Server Protocol so that other strange/odd problems do not occur.  You have solved the issue/problem so no you do not need to do anything else.

    Great Job!
