Welcome! Log In Create A New Profile

Advanced

Re: gmer3.itd.sterling.com/home.htm in the access log

Thomas Ward
June 03, 2021 05:24PM
You're most welcome!  (Your reply to me did not go to the list)

Sometimes, it helps to see the actual HTTP request or an example request
and understand the headers, etc.  You're right, this is likely being
added by your poster.exe program which precedes your existence or
involvement in the project, and is likely doing something with the
headers.  If you ever want to *test* you can put the error.log into
`debug` mode by doing `error_log /path/to/error.log debug;`  and get a
TON of extra stuff during request processing (DO NOT do this long term!)
but it'll also show you the request and the headers - it won't show you
the data in a POST but it'll show you the request and received headers
and the reply.  Sometimes, this helps you to dissect the request and
understand what's going on behind the scenes.


Thomas


On 6/3/21 4:56 PM, Benn Boulton wrote:
>
> Thomas,
>
> Thank you for that explanation.
>
> It must be the poster.exe program adding that as a default header.
>
> I did not create the poster.exe application, it precedes my employment.
>
> Again Thank you for the information and thank you to this list .
>
> -Benn
>
> *From:* Thomas Ward <teward@thomas-ward.net>
> *Sent:* Thursday, June 3, 2021 4:02 PM
> *To:* nginx@nginx.org; Benn Boulton <bboulton@skippingstone.com>
> *Subject:* Re: gmer3.itd.sterling.com/home.htm in the access log
>
> Let's dissect an HTTP request that is sent to your NGINX server.
>
> Assume for a moment it's '/cr-bin/mp.exe' that's the request but
> there's extra headers.  The full HTTP request looks like this (CURL
> format output, but also what NGINX spits in debug mode):
>
> POST /cr-bin/mp.exe
> referer: example.com/foobar.html
> content-type: text/json
> content-length: 2345
>
> The actual URL request in this case would have been
> http://your-nginx-server/cr-bin/mp.exe
> https://url.emailprotection.link/?bwkn8DTjVOXhBFZ6R5Yx3rK971vdc14vuUILU7hnSjBYY5r57OSPXR8dCG1HSujSJCegPBsRcpH9pSQS6uuFgMwMGpt9YeOZDPqz1IAZXA-71zWnFiVr_LB7dufsQGKx_
> with a POST to there, and that is passed through to your system per
> your proxy_pass rules, etc.
>
> Where your logs are getting "gmer3.itd.sterling.com/home.htm" is from
> that *referer* header.  I.E. you would see "example.com/foobar.html"
> if the referer header in the request was the example above.
>
> This has **nothing** to do with your configuration.  Whatever 'poster'
> is doing to post the items to your system is passing a referer header
> in the POST with the contents "gmer3.itd.sterling.com/home.htm".  If
> this is some other site/system you'll see any number of potential
> referer items. It's also entirely possible that this is your hostname,
> or something specific to your Poster program itself setting the
> referer header in the POST that it sends to your server.
>
> This, again, has nothing to do with your NGINX configuration and
> everything with how Poster is structuring the POST request (including
> any headers it's sending in the request).
>
> Thomas
>
> On 6/3/21 2:52 PM, Benn Boulton wrote:
>
> Hi,
>
> Currently… The posts are coming from the  same computer that is
> hosting NGINX  that passes the requests to an external server.
>
> Eventually…  NGINX will be run on the same computer with Apache
> and will also function as a load balancer for multiple servers.
> One being the same as NGINX and other external  servers.
>
> The posts are from a custom poster process that is an .EXE run
> from the windows command prompt or a process that calls the POSTER
> executable.
>
> C:\POSTER> Poster h:http://localhost/cr-bin/mp.exe
> https://url.emailprotection.link/?bvfyNuLOUSKoCAN95VRolCtTnlZv_GE8qno8EEJXYck_6XfRmaMZL-PPvEsyKjLRVrgBjSH2q3pVAMxl8wUV6Aw~~
> f:test.txt
>
> h: is the host to send to
>
> f: is the file with the payload to be sent to the final
> destination which is the mp.exe on the server listed in the
> proxy_pass parameter.
>
> Everything looks to work as it should.  But the
> ‘gmer3.itd.sterling.com/home.htm’ Log entries are just not what I
> expect to see.
>
> I  am installing NGINX to rate limit a customer that is sending
> multiple posts so fast that we occasionally miss one, and hope
> this will resolve that.
>
> Again, the proxy redirect is working, just the log entries is what
> prompted my asking.
>
> Thanks,
>
> - Benn
>
> *From:* nginx <nginx-bounces@nginx.org>
> <mailto:nginx-bounces@nginx.org> *On Behalf Of *Moshe Katz
> *Sent:* Thursday, June 3, 2021 1:29 PM
> *To:* nginx@nginx.org <mailto:nginx@nginx.org>
> *Subject:* Re: gmer3.itd.sterling.com/home.htm in the access log
>
> Benn,
>
> I guess my explanation wasn't clear enough, so I'll try again.
>
> That value is not coming from anywhere in your server's
> configuration - it has nothing to do with proxy_pass or anything
> else. It is the value of the "Referer" header that is in the
> incoming request.
>
> First, are these log lines from requests that you are making to
> the server yourself, or are they coming from someone else?
>
> If it is your own traffic, where are you making your requests
> from? Is it a page in a web browser, or is it some other tool?
>
> If it is a web browser, that is usually the URL of the web page
> that is open in the browser. For example, if I have a website at
> `example.com/page.html`
> https://url.emailprotection.link/?bDBb9TVOKiqDPh_SUvfalWM90G6wcWScPnK_EVq6xVxizKwZf0qkcUED1FUainDmbSHVgkakCmLVmIY23vWJ1bQ~~
> with a form on it that submits to your server, the value in that
> place in the logs will be `https://example.com/page.html`
> https://url.emailprotection.link/?bMe1AJs-bSscT1yazCR9XS0kzX52Qa1-DwoIBV-QK8xxhHB1slVsgthl_uC3ltg7VPOfB-FhvldHP0mGGnWmK1Q~~
> so that your server can see where the request came from.
>
> Moshe
>
> On Thu, Jun 3, 2021 at 1:18 PM Benn Boulton
> <bboulton@skippingstone.com <mailto:bboulton@skippingstone.com>>
> wrote:
>
> Hello Moshe,
>
> Thanks for the reply.  I guess I was not clear enough in my
> post.  I know the /cr-bin/mp.exe is part of the POST request.
>
>  What I do not understand is where the
> gmer3.itd.sterling.com/home.htm
> https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDRBkXtPp653bQj78257vLDzTtdkxNExo4pny7K5hfiSUsrBYzsu0MyJJTFCwqaYuV
> is coming from. It is not my proxy_pass value.
>
> It is not part of the POST request or part of the nginx
> proxy_pass or any thing I can find in my configuration.
>
> Is my post being sent to both my proxy_pass value and this
> site in the log? Do I have a hacked nginx?
>
> -Benn
>
> *From:* nginx <nginx-bounces@nginx.org
> <mailto:nginx-bounces@nginx.org>> *On Behalf Of *Moshe Katz
> *Sent:* Thursday, June 3, 2021 12:14 PM
> *To:* nginx@nginx.org <mailto:nginx@nginx.org>
> *Subject:* Re: gmer3.itd.sterling.com/home.htm
> https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDRBkXtPp653bQj78257vLDzTtdkxNExo4pny7K5hfiSUsrBYzsu0MyJJTFCwqaYuV
> in the access log
>
> Benn,
>
> That part of the log is not the request URL, it is the
> referrer header. The path that was requested on your server is
> before that - a POST request to "/cr-bin/mp.exe". The
> referrer (which the HTTP standard actually misspells as
> "referer") is the web page that is making this request to your
> server.
>
> Moshe
>
> On Thu, Jun 3, 2021 at 12:08 PM Benn Boulton
> <bboulton@skippingstone.com
> <mailto:bboulton@skippingstone.com>> wrote:
>
> Hello,
>
> I have just installed the NGINX service to help rate limit
> connections to my Apache server on Windows.
>
> NGNIX 1.19.10 on Windows 10 64 bit
>
> Everything seems to be working fine but I am getting
> access log entries that I do not understand for the pages
> I am redirecting.
>
> I am running a process that posts to the server. NGNIX is
> processing the request and passing it to the destination
> server but it is not gmer3.itd.sterling.com/home.htm
> https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDRBkXtPp653bQj78257vLDzTtdkxNExo4pny7K5hfiSUsrBYzsu0MyJJTFCwqaYuV
> as shown in the access log entries below.
>
> Any Idea why
>
> 127.0.0.1 - t_skipstone [03/Jun/2021:10:30:07 -0400] "POST
> /cr-bin/mp.exe HTTP/1.1" 200 569
> "gmer3.itd.sterling.com/home.htm
> https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDRBkXtPp653bQj78257vLDzTtdkxNExo4pny7K5hfiSUsrBYzsu0MyJJTFCwqaYuV"
> "brow v1.0 CCI"
>
> 127.0.0.1 - t_skipstone [03/Jun/2021:10:31:07 -0400] "POST
> /cr-bin/mp.exe HTTP/1.1" 200 569
> "gmer3.itd.sterling.com/home.htm
> https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDRBkXtPp653bQj78257vLDzTtdkxNExo4pny7K5hfiSUsrBYzsu0MyJJTFCwqaYuV"
> "brow v1.0 CCI"
>
> 127.0.0.1 - t_skipstone [03/Jun/2021:10:33:35 -0400] "POST
> /cr-bin/mp.exe HTTP/1.1" 200 569
> "gmer3.itd.sterling.com/home.htm
> https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDRBkXtPp653bQj78257vLDzTtdkxNExo4pny7K5hfiSUsrBYzsu0MyJJTFCwqaYuV"
> "brow v1.0 CCI"
>
> 127.0.0.1 - t_skipstone [03/Jun/2021:10:37:42 -0400] "POST
> /cr-bin/mp.exe HTTP/1.1" 200 569
> "gmer3.itd.sterling.com/home.htm
> https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDRBkXtPp653bQj78257vLDzTtdkxNExo4pny7K5hfiSUsrBYzsu0MyJJTFCwqaYuV"
> "brow v1.0 CCI"
>
> 127.0.0.1 - t_skipstone [03/Jun/2021:10:55:03 -0400] "POST
> /cr-bin/mp.exe HTTP/1.1" 200 569
> "gmer3.itd.sterling.com/home.htm
> https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDRBkXtPp653bQj78257vLDzTtdkxNExo4pny7K5hfiSUsrBYzsu0MyJJTFCwqaYuV"
> "brow v1.0 CCI"
>
> 127.0.0.1 - t_skipstone [03/Jun/2021:10:56:34 -0400] "POST
> /cr-bin/mp.exe HTTP/1.1" 200 569
> "gmer3.itd.sterling.com/home.htm
> https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDRBkXtPp653bQj78257vLDzTtdkxNExo4pny7K5hfiSUsrBYzsu0MyJJTFCwqaYuV"
> "brow v1.0 CCI"
>
> Thanks
>
> *Benn *
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org <mailto:nginx@nginx.org>
> http://mailman.nginx.org/mailman/listinfo/nginx
> https://url.emailprotection.link/?bipAKDkmOuA1Dlq4E4Xw3DOT5SwVVI-j-YDWkPjfwdYs718S838b8BxtW6bEpCbU-yxksYDTn-S8lyamDVHEsX2iyY6j3TOXPYk0YFbsVRgLRpoN650FzSZqXuYvWaU16
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org <mailto:nginx@nginx.org>
> http://mailman.nginx.org/mailman/listinfo/nginx
> https://url.emailprotection.link/?bipAKDkmOuA1Dlq4E4Xw3DOT5SwVVI-j-YDWkPjfwdYs718S838b8BxtW6bEpCbU-yxksYDTn-S8lyamDVHEsX2iyY6j3TOXPYk0YFbsVRgLRpoN650FzSZqXuYvWaU16
>
>
>
> _______________________________________________
>
> nginx mailing list
>
> nginx@nginx.org <mailto:nginx@nginx.org>
>
> http://mailman.nginx.org/mailman/listinfo/nginx https://url.emailprotection.link/?bipAKDkmOuA1Dlq4E4Xw3DOT5SwVVI-j-YDWkPjfwdYs718S838b8BxtW6bEpCbU-yxksYDTn-S8lyamDVHEsX2iyY6j3TOXPYk0YFbsVRgLRpoN650FzSZqXuYvWaU16
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

gmer3.itd.sterling.com/home.htm in the access log

Benn Boulton June 03, 2021 12:10PM

Re: gmer3.itd.sterling.com/home.htm in the access log

Moshe Katz June 03, 2021 12:16PM

RE: gmer3.itd.sterling.com/home.htm in the access log

Benn Boulton June 03, 2021 01:20PM

Re: gmer3.itd.sterling.com/home.htm in the access log

Moshe Katz June 03, 2021 01:30PM

RE: gmer3.itd.sterling.com/home.htm in the access log

Benn Boulton June 03, 2021 02:54PM

Re: gmer3.itd.sterling.com/home.htm in the access log

Thomas Ward June 03, 2021 04:02PM

Re: gmer3.itd.sterling.com/home.htm in the access log

Fatma MAZARI June 03, 2021 05:08PM

Re: gmer3.itd.sterling.com/home.htm in the access log

Thomas Ward June 03, 2021 05:22PM

Re: gmer3.itd.sterling.com/home.htm in the access log

Thomas Ward June 03, 2021 05:24PM

RE: gmer3.itd.sterling.com/home.htm in the access log

Benn Boulton June 03, 2021 01:20PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 78
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready