I'm seeing these errors in my Apache log...
proxy:error] [pid 13317] (110)Connection timed out: AH00957: HTTP: attempt to connect to 210.86.231.64:80 (*) failed
[proxy_http:error] [pid 13317] [client 5.39.116.17:56290] AH01114: HTTP: failed to make connection to backend: simsodep.com
This repeats endlessly. I'm proxying from Apache to JBoss.
In the :80 config...
SetEnvIfNoCase User-Agent "^ApacheBench/2.3" bad_bot
<Proxy https://exampledev.com/*>
Require all denied
Deny from env=bad_bot
Require ip 12.34.56.78
Require host exampledev.com
</Proxy>
Redirect permanent / https://exampledev.com
And in the :443 config...
<Proxy https://exampledev.com/*>
Require all denied
Deny from env=bad_bot
Require host exampledev.com
Require ip 12.34.56.78
</Proxy>
In my firewall, via ufw, I have...
To Action From
-- ------ ----
[ 1] 22 ALLOW IN Anywhere
[ 2] 443 ALLOW IN Anywhere
[ 3] 80 ALLOW IN Anywhere
[ 4] Anywhere DENY IN 210.86.231.64
[ 5] Anywhere DENY IN 5.39.116.17
[ 6] 22 (v6) ALLOW IN Anywhere (v6)
[ 7] 443 (v6) ALLOW IN Anywhere (v6)
[ 8] 80 (v6) ALLOW IN Anywhere (v6)
Why is my Apache 2.4 log file filling up with data from these proxy errors? What am I missing?
Answer 1
You need to fix the order of your firewall rules.
The order of firewall rules is very important, because they are processed/matched in sequence. So if an allow rule matches first, a later deny rule will not work as expected.
Change the rules so that the deny rules are at the top, i.e. matched before all the other accept rules. They should look like this:
To Action From
-- ------ ----
[ 1] Anywhere DENY IN 210.86.231.64
[ 2] Anywhere DENY IN 5.39.116.17
[ 3] 80 ALLOW IN Anywhere
[ 4] 22 ALLOW IN Anywhere
[ 5] 443 ALLOW IN Anywhere
[ 6] 22 (v6) ALLOW IN Anywhere (v6)
[ 7] 443 (v6) ALLOW IN Anywhere (v6)
[ 8] 80 (v6) ALLOW IN Anywhere (v6)
Of course, banning IPs one by one is not the best approach. Securing a web server is a much broader topic, and there is plenty of material about it online.
As for the firewall, you could try fail2ban:
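As an added illustration of the ordering problem the answer describes (this is not code from the question or the answer), the following Python parses `ufw status numbered` output and reports every DENY rule that is shadowed by an earlier, overlapping ALLOW; the two rule listings are constructed from the question's and the answer's tables, and the overlap test assumes "Anywhere" is the only wildcard in the listing.

```python
import re

# Constructed sample in the layout of `ufw status numbered`: the question's original order.
ORIGINAL = """\
[ 1] 22 ALLOW IN Anywhere
[ 2] 443 ALLOW IN Anywhere
[ 3] 80 ALLOW IN Anywhere
[ 4] Anywhere DENY IN 210.86.231.64
[ 5] Anywhere DENY IN 5.39.116.17
[ 6] 22 (v6) ALLOW IN Anywhere (v6)
"""

# The same rules with the DENY entries moved to the top, as the answer recommends.
FIXED = """\
[ 1] Anywhere DENY IN 210.86.231.64
[ 2] Anywhere DENY IN 5.39.116.17
[ 3] 80 ALLOW IN Anywhere
[ 4] 22 ALLOW IN Anywhere
[ 5] 443 ALLOW IN Anywhere
[ 6] 22 (v6) ALLOW IN Anywhere (v6)
"""

# [ n] <to> <action> <direction> <from>; <to> may contain a space, e.g. "22 (v6)".
RULE_RE = re.compile(r"\[\s*(\d+)\]\s+(.+?)\s+(ALLOW|DENY|REJECT|LIMIT)\s+(IN|OUT)\s+(.+)$")

def parse_rules(text):
    """Parse numbered ufw rows into dicts with keys num, to, action, dir, src."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, to, action, direction, src = m.groups()
            rules.append({"num": int(num), "to": to, "action": action, "dir": direction, "src": src})
    return rules

def _overlap(a, b):
    # Assumption: "Anywhere" is the wildcard for both port and source; anything else must match exactly.
    return a == b or a.startswith("Anywhere") or b.startswith("Anywhere")

def shadowed_denies(rules):
    """Return (deny_num, allow_num) pairs where an earlier ALLOW already matches traffic the
    DENY was meant to block. ufw applies the first matching rule, so such a DENY never fires."""
    hits = []
    for i, deny in enumerate(rules):
        if deny["action"] != "DENY":
            continue
        for allow in rules[:i]:
            same_family = ("(v6)" in allow["to"]) == ("(v6)" in deny["to"])
            if (allow["action"] == "ALLOW" and allow["dir"] == deny["dir"] and same_family
                    and _overlap(allow["to"], deny["to"]) and _overlap(allow["src"], deny["src"])):
                hits.append((deny["num"], allow["num"]))
    return hits
```

Running `shadowed_denies(parse_rules(ORIGINAL))` flags both DENY rules against each of the three IPv4 ALLOW rules, while the reordered listing yields no hits.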