Welcome! Log In Create A New Profile

Advanced

[error] access forbidden by rule

Gena Makhomed
July 12, 2022 09:48AM
On 10.07.2022 11:41, Maxim Dounin wrote:

> Вы чуть раньше в этом треде писали Илье, "client sent plain HTTP
> request to HTTPS port". Как и другие ошибки в клиентских
> запросах, эти ошибки логгируются на уровне info.

nginx/1.23.0 из официального репозитория nginx.org

В error.log есть такая запись:

2022/07/12 16:00:00 [error] 16594#16594: *21415 access forbidden by
rule, client: 62.46.205.111, server: gitlab.example.com, request: "GET
/api/v4/user HTTP/2.0", host: "gitlab.example.com"

То, что какому-то клиенту возвращается 403 статус - разве это ошибка,
которую необходимо писать в error.log на уровне [error] а не [info] ?

Кстати, директивы limit_conn_log_level и limit_req_log_level
зачем-то по умолчанию стоят на уровне error, как будто это есть
ошибка на стороне сервера, если какому-то клиенту будет запрещен
доступ.

Директива deny_log_level в nginx вообще отсутствует.

Может быть имеет смысл сделать директиву deny_log_level
и для всех трех директив: limit_conn_log_level,
limit_req_log_level и deny_log_level сделать значением
по умолчанию info ?

Это было бы логично и соответствовало бы общему правилу,
что все ошибки в клиентских запросах логгируются на уровне info.

P.S.

Конфиг /etc/nginx/conf.d/gitlab.example.com.conf:

server {

listen 443 ssl http2;

server_name gitlab.example.com;

ssl_certificate
/etc/letsencrypt/live/gitlab.example.com/fullchain.pem;
ssl_certificate_key
/etc/letsencrypt/live/gitlab.example.com/privkey.pem;

location / {
allow 111.222.33.144;
allow 172.17.113.100;
allow 172.17.113.101;
allow 172.17.113.102;
allow 172.17.113.103;
deny all;
proxy_pass http://172.17.113.100:9000;
}

location /users/auth/google_oauth2/callback {
proxy_pass http://172.17.113.100:9000;
}

location /-/google_api/auth/callback {
proxy_pass http://172.17.113.100:9000;
}
}

server {

listen 80;

server_name gitlab.example.com;

location / {
return 301 https://gitlab.example.com$request_uri;
}

location /.well-known/acme-challenge { default_type text/plain;
root /opt/letsencrypt; }
}

Конфиг /etc/gitlab/gitlab.rb на сервере 172.17.113.100:

nginx['listen_port'] = 9000

nginx['listen_https'] = false

--
Best regards,
Gena
_______________________________________________
nginx-ru mailing list -- nginx-ru@nginx.org
To unsubscribe send an email to nginx-ru-leave@nginx.org
Subject Author Posted

400 Bad Request The plain HTTP request was sent to HTTPS port

milov July 05, 2022 05:49AM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

Илья Шипицин July 05, 2022 06:34AM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

milov July 05, 2022 06:57AM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

Илья Шипицин July 05, 2022 07:16AM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

milov July 05, 2022 02:12PM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

Maxim Dounin July 05, 2022 08:56AM

certbot

Gena Makhomed July 05, 2022 03:10PM

Re: certbot

Maxim Dounin July 05, 2022 05:54PM

Re: certbot

Gena Makhomed July 06, 2022 02:02AM

Re: certbot

Maxim Dounin July 06, 2022 03:02PM

Re: certbot

Gena Makhomed July 06, 2022 04:40PM

Re: certbot

Maxim Dounin July 06, 2022 06:20PM

Re: certbot

Evgeniy Berdnikov July 07, 2022 05:20AM

Re: certbot

Илья Шипицин July 07, 2022 05:42AM

Re: certbot

Evgeniy Berdnikov July 07, 2022 06:16AM

Re: certbot

Илья Шипицин July 07, 2022 06:40AM

Re: certbot

Dmitry Morozovsky July 20, 2022 01:00PM

Re: certbot

Maxim Dounin July 20, 2022 04:02PM

Re: certbot

Илья Шипицин July 21, 2022 06:44AM

Re: certbot

Илья Шипицин July 21, 2022 06:48AM

OCSP Must Staple

Gena Makhomed July 21, 2022 07:06AM

Re: OCSP Must Staple

Илья Шипицин July 21, 2022 07:14AM

Re: OCSP Must Staple

Maxim Dounin July 21, 2022 09:30PM

Re: certbot

raven_kg@megaline.kg July 06, 2022 02:10AM

Re: certbot

milov July 06, 2022 04:49AM

Re: certbot

Илья Шипицин July 06, 2022 07:46AM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

milov July 05, 2022 03:40PM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

Maxim Dounin July 05, 2022 07:06PM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

milov July 05, 2022 07:20PM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

Maxim Dounin July 05, 2022 09:54PM

long deprecated directives

Gena Makhomed July 06, 2022 01:18AM

Re: long deprecated directives

Maxim Konovalov July 06, 2022 02:30AM

Re: long deprecated directives

Maxim Dounin July 06, 2022 03:16PM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

milov July 06, 2022 04:44AM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

Maxim Dounin July 06, 2022 03:22PM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

milov July 07, 2022 04:34AM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

Антон Горлов via nginx-ru July 07, 2022 04:46AM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

milov July 07, 2022 04:57AM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

Maxim Dounin July 07, 2022 03:16PM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

milov July 09, 2022 04:46AM

Re: 400 Bad Request The plain HTTP request was sent to HTTPS port

Maxim Dounin July 10, 2022 04:42AM

SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking

Gena Makhomed July 11, 2022 02:08PM

Re: SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking

Maxim Dounin July 11, 2022 09:26PM

Re: SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking

Sergey Kandaurov July 12, 2022 07:54AM

Re: SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking

Maxim Dounin July 12, 2022 10:00AM

[error] access forbidden by rule

Gena Makhomed July 12, 2022 09:48AM

Re: [error] access forbidden by rule

Илья Шипицин July 12, 2022 10:42AM

Re: [error] access forbidden by rule

Maxim Dounin July 12, 2022 10:52AM

Re: [error] access forbidden by rule

Gena Makhomed July 12, 2022 12:56PM

Re: [error] access forbidden by rule

Илья Шипицин July 12, 2022 01:14PM

[warn] a client request body is buffered to a temporary file

Gena Makhomed July 12, 2022 03:16PM

Re: [warn] a client request body is buffered to a temporary file

Илья Шипицин July 12, 2022 03:28PM

Re: [warn] a client request body is buffered to a temporary file

Gena Makhomed July 12, 2022 05:02PM

Re: [warn] a client request body is buffered to a temporary file

Илья Шипицин July 12, 2022 11:44PM

Re: [error] access forbidden by rule

Илья Шипицин July 12, 2022 01:18PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 113
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready