Re: internal dummy connection again

2007-03-17 Thread Karl Chen
 On 2007-03-05 13:24 PST, Joe Orton writes:

Joe On Mon, Mar 05, 2007 at 09:33:56PM +0100, Ruediger Pluem wrote:
 On 03/03/2007 05:47 AM, Karl Chen wrote: present.  Also
 other issues like noise in the log file.  I've also seen
 people complaining that GET / might incur the cost of
 dynamic content generation for /.
 
 Hm. Just thinking out loud. Can we avoid this if we replace GET
 / with OPTIONS /?

Joe Doing OPTIONS * as Bill notes is probably the best
Joe option available for the dummy connection, though it will
Joe still be confusing for users (possibly more confusing,
Joe since that request is rarely if ever seen in the wild).

Thanks for the input everyone and pointers to the bugzilla issues.
OPTIONS * is a definite improvement over GET / for
performance.

What about the NOOP idea?  If the connection could be reliably
detected to be coming from [EMAIL PROTECTED], would there still be
a risk of an attack going unnoticed?

It seems reasonable to elide those messages by default, or at
least write them to a different log file.  I'd say the risk of a
real attack getting drowned in noise is currently higher than a
kernel that allows spoofing TCP connections from localhost.
Apache could also look at the srcport to check that it's coming
from the httpd process+user.  And it could create a nonce at
startup and only elide messages with the proper nonce.  Lots of
ways to authenticate yourself to yourself :)

-- 
Karl 2007-03-16 19:18



Re: internal dummy connection again

2007-03-17 Thread Karl Chen
 On 2007-03-17 11:19 PDT, William A Jr Rowe writes:

William Karl - you can pretty easily toggle requests with
William mod_log_custom and either mod_setenvif or mod_rewrite
William to not appear in the log, I'll leave that as an
William exercise to the reader (or efficient google user).

Good point, thank you.  I hope this thread wasn't an annoyance.
Once I figured out the issue it was resolved for me.  I merely
hoped I could help improve the state of affairs so it doesn't
bother other users in the future.

-- 
Karl 2007-03-17 17:13
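The mod_setenvif + CustomLog approach William refers to, written out as an added example (it is not configuration from the thread or from the httpd project). It assumes mod_setenvif and mod_log_config are loaded, that the dummy connections arrive from a loopback address as in Karl's log line, and that the log file paths are placeholders for the server's own. The variable names internal_dummy and loopback_root are chosen here, not httpd identifiers.

```apache
# Added example: keep httpd's own wake-up requests out of the main
# access log, or divert them to their own file, with mod_setenvif.

# Case 1: the request carries the documented "(internal dummy
# connection)" user agent, so a substring match on User-Agent is enough.
SetEnvIf User-Agent "internal dummy connection" internal_dummy

# Case 2 (Karl's situation): a plaintext GET / on the SSL port from ::1
# is logged as a 400 with no user agent.  SetEnvIf runs before the
# response exists, so the status code cannot be matched; instead match
# "request for / AND source is a loopback address".  The second
# directive unsets the flag whenever Remote_Addr is anything other than
# ::1 or 127.0.0.1 (PCRE negative lookahead), so a remote client asking
# for / is always logged.
SetEnvIf Request_URI "^/$" internal_dummy
SetEnvIf Remote_Addr "^(?!::1$|127\.0\.0\.1$)" !internal_dummy

# Main log: everything except the flagged requests.
CustomLog logs/access_log combined env=!internal_dummy

# Optional: keep the flagged requests in a separate file rather than
# discarding them, so they can still be inspected if something odd
# starts connecting from loopback.
CustomLog logs/internal_dummy_log combined env=internal_dummy
```

Order matters: SetEnvIf directives are evaluated top to bottom, so the flag is set first and then withdrawn for non-loopback sources. What this rule cannot distinguish is the server's own dummy request from any other loopback client requesting /, which is the same residual risk Karl's earlier message accepts (a host that allows spoofed localhost connections); the second CustomLog line keeps those entries available instead of dropping them.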



internal dummy connection again

2007-03-05 Thread Karl Chen

Hi, I just spent 1-2 hours tracking down what turned out to be
internal dummy connection.  In my log files I get a ton of:

::1 - - [02/Mar/2007:19:31:22 -0800] GET / 400 705 - -

For others, at least the log line would say Apache/... (internal
dummy connection), for easy Googling; for me, unfortunately not.
I thought this was something from a broken cron job, CGI script,
etc.  Only through using wireshark did I eventually track this
down.

The reason it's a 400 and doesn't show the user agent string is
that httpd is connecting to itself on an SSL port, and issuing a
regular non-SSL GET request [mpm_common.c dummy_connection()].  I
guess even though this is an invalid request this accomplishes the
goal of connecting to itself and closing the connection, but
leaves a mess in the log file.  I understand that I can grep these
lines away before running a log file analyzer, but it still causes
a ton of confusion especially when it doesn't even have the
internal dummy connection string, and from what I found from
Googling, creates unnecessary confusion even when that string is
present.  Also other issues like noise in the log file.  I've also
seen people complaining that GET / might incur the cost of
dynamic content generation for /.

Would it be possible to connect to a non-SSL port, if possible, so
at least the string internal dummy connection shows up?

Even better would be to not show that string at all.  When I
connect to httpd and close the connection without sending
anything, I don't get any log entries.  Would that work for
dummy_connection() also?  If that won't work, would it be possible
to arrange something like: a receipt of NOOP\r\n on
(ip6-)?localhost:* is ignored without logging (unless configured
otherwise).

-- 
Karl 2007-03-02 20:28