我遇到了这个问题,当我启动 nginx 时,它开始以每秒 1 个请求的速率从 nginx 端口发送/接收流量,GET但我无法追踪导致这种情况的原因。关于如何追踪导致此流量的进程,您有什么想法吗?80/ping
日志样本: /tmp/nginx.error.log
2011/03/31 21:30:33 [error] 6587#0: *7213 connect() to unix:/home/deploy/apps/dashboard/current/tmp/sockets/unicorn.sock failed (111: Connection refused) while connecting to upstream, client: 10.252.27.111, server: myhost.com, request: "GET /ping HTTP/1.1", upstream: "http://unix:/home/deploy/apps/dashboard/current/tmp/sockets/unicorn.sock:/ping", host: "newcaprica11"
2011/03/31 21:30:33 [error] 6587#0: *7215 connect() to unix:/home/deploy/apps/dashboard/current/tmp/sockets/unicorn.sock failed (111: Connection refused) while connecting to upstream, client: 10.204.203.236, server: myhost.com, request: "GET /ping HTTP/1.1", upstream: "http://unix:/home/deploy/apps/dashboard/current/tmp/sockets/unicorn.sock:/ping", host: "newcaprica11"
2011/03/31 21:30:34 [error] 6587#0: *7217 connect() to unix:/home/deploy/apps/dashboard/current/tmp/sockets/unicorn.sock failed (111: Connection refused) while connecting to upstream, client: 10.252.27.111, server: myhost.com, request: "GET /ping HTTP/1.1", upstream: "http://unix:/home/deploy/apps/dashboard/current/tmp/sockets/unicorn.sock:/ping", host: "newcaprica11"
2011/03/31 21:30:34 [error] 6587#0: *7219 connect() to unix:/home/deploy/apps/dashboard/current/tmp/sockets/unicorn.sock failed (111: Connection refused) while connecting to upstream, client: 10.204.203.236, server: myhost.com, request: "GET /ping HTTP/1.1", upstream: "http://unix:/home/deploy/apps/dashboard/current/tmp/sockets/unicorn.sock:/ping", host: "newcaprica11"
Nginx 访问日志:nginx.vhost.访问日志
10.252.27.111 - - [31/Mar/2011:21:33:23 +0000] "GET /ping HTTP/1.1" 502 728 "-" "-"
10.204.203.236 - - [31/Mar/2011:21:33:23 +0000] "GET /ping HTTP/1.1" 502 728 "-" "-"
10.252.27.111 - - [31/Mar/2011:21:33:24 +0000] "GET /ping HTTP/1.1" 502 728 "-" "-"
10.204.203.236 - - [31/Mar/2011:21:33:24 +0000] "GET /ping HTTP/1.1" 502 728 "-" "-"
10.252.27.111 - - [31/Mar/2011:21:33:25 +0000] "GET /ping HTTP/1.1" 502 728 "-" "-"
我用 myhost.com 替换了我们的真实主机名,但奇怪的是,在 error.log 中有该主机主持人:“newcaprica11”
更多细节:
nmap -P0 10.204.203.236
Starting Nmap 5.21 ( http://nmap.org ) at 2011-03-31 21:38 UTC
Nmap scan report for ip-10-204-203-236.ec2.internal (10.204.203.236)
Host is up (0.00042s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE
80/tcp open http
6667/tcp closed irc
8001/tcp closed unknown
8080/tcp closed http-proxy
9000/tcp closed cslistener
9090/tcp closed zeus-admin
所以他们在运行某种网络服务80
另外,telnet 显示:
telnet 10.204.203.236 80
Trying 10.204.203.236...
Connected to 10.204.203.236.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.1 302 Found
Server: Apache/2.2.9 (Debian) Phusion_Passenger/2.2.15
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 310
Cache-Control: no-cache
Location: http://newcaprica9/neighborhoods
Status: 302
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 98
Date: Thu, 31 Mar 2011 21:39:16 GMT
X-Varnish: 2154834965
Age: 0
Via: 1.1 varnish
Connection: close
<html><body>You are being <a href="http://newcaprica9/neighborhoods">redirected</a>.</body></html>Connection closed by foreign host.
所以很明显,这是一些 Rails 或 Rack 应用程序在运行一些糟糕的事情。
答案1
从日志文件来看,它看起来很像服务器10.252.27.111,并且10.204.203.236正在请求/ping资源。Nginx 发出抱怨,因为/pingNginx 内部配置为连接到本地套接字并从那里提取数据以满足请求。它从套接字unicorn.sock获取,因此抛出了 502 错误。connection refused
在这种情况下,我相信上游是 nginx 为了获得请求的响应而连接的后端。
我不确定您是否已匿名化这些 IP 地址,或者它们是否真的是 RFC1918 地址。无论如何,他们都是发出请求的人。
我认为。