403 Forbidden with Apache and Passenger

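I am getting sporadic 403 responses from a server running Passenger in Apache. The problem seems to start at random and also to end at random. From the logs, it looks as if Apache is trying to run the URL as a script: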

[Fri Oct 11 17:23:51.509902 2019] [core:trace4] [pid 7309:tid 139735209076480] util_script.c(571): [client 132.72.41.107:38416] Headers from script '':
[Fri Oct 11 17:23:51.509934 2019] [core:trace4] [pid 7309:tid 139735209076480] util_script.c(572): [client 132.72.41.107:38416]   Status: 403 Forbidden
[Fri Oct 11 17:23:51.509942 2019] [core:trace1] [pid 7309:tid 139735209076480] util_script.c(653): [client 132.72.41.107:38416] Status line from script '': 403 Forbidden
[Fri Oct 11 17:23:51.509948 2019] [core:trace4] [pid 7309:tid 139735209076480] util_script.c(572): [client 132.72.41.107:38416]   Cache-Control: no-cache
[Fri Oct 11 17:23:51.509954 2019] [core:trace4] [pid 7309:tid 139735209076480] util_script.c(572): [client 132.72.41.107:38416]   Vary: Origin

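The Passenger log file contains nothing relevant, and neither does the application (rails) log. Static files, which are not served by Passenger, are served as usual.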

Apache configuration:

PassengerLogFile ${APACHE_LOG_DIR}/passenger.log
PassengerLogLevel 8

<VirtualHost *:80>
ServerName math.bgu.ac.il
ServerAlias www.math.bgu.ac.il
ServerSignature off
AllowEncodedSlashes NoDecode
ProxyPreserveHost on

PassengerAppEnv production
PassengerFriendlyErrorPages on
PassengerLoadShellEnvvars off
PassengerMaxRequestQueueSize 300
PassengerUser wwwmath
PassengerGroup www-data
PassengerInstanceRegistryDir /var/run/passenger
DocumentRoot /var/www/math/current/public
DirectoryCheckHandler on

<IfModule mod_proxy.c>                                                         
ProxyPassMatch "^/~(.*)$" "http://user-web1.cs.bgu.ac.il/~$1"                                                                                                 
</IfModule>                                                                    

Include /etc/apache2/sites-available/redirects.include                         

<Directory /var/www/math/current/public>                                       
Allow from all                                                                 
Options -MultiViews                                                            
Require all granted                                                            
</Directory>                                                                   

<IfModule mod_proxy.c>                                                         
<Location /git>                                                                
  PassengerEnabled off                                                         
  Require all granted                                                                                                                  
  Header always set X-Frame-Options SAMEORIGIN                                 
  ProxyPassReverse http://127.0.0.1:8181                                       
  ProxyPassReverse http://www.math.bgu.ac.il/                                  
</Location>                                                                    

  RewriteEngine on                                                             
  #Don't escape encoded characters in api requests                             
  RewriteCond %{REQUEST_URI} ^/api/v4/.*                                       
  RewriteRule ^/git(.*) http://127.0.0.1:8181/git/$1 [P,QSA,NE]                
  #Forward all requests to gitlab-workhorse except existing files like error documents                                                                         
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]                    
  RewriteCond %{REQUEST_URI} ^/uploads/.*                                      
  RewriteRule ^/git(.*) http://127.0.0.1:8181/git/$1 [P,QSA,NE]                

  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]                    
  RewriteCond %{REQUEST_URI} ^/uploads/.*                                      
  RewriteRule ^/mattermost(.*) http://127.0.0.1:8065/$1 [P,QSA,NE]             
</IfModule>                                                                    

# add trailing slash to dirs                                                   
RewriteEngine On                                                               
RewriteCond "%{DOCUMENT_ROOT}/%{REQUEST_URI}" -d                               
RewriteCond %{REQUEST_URI} !(.*)/$                                             
RewriteRule ^(.*)$ $1/ [L]                                                     

        LogLevel trace4 rewrite:info                                           

        ErrorLog ${APACHE_LOG_DIR}/error.log                                   
        CustomLog ${APACHE_LOG_DIR}/access.log vhost_combined                  

</VirtualHost>                                                                 

Output of passenger-status:

Version : 6.0.4                                                                
Date    : 2019-10-11 17:35:19 +0300                                            
Instance: 6TJeLpUK (Apache/2.4.29 (Ubuntu) Phusion_Passenger/6.0.4)

----------- General information -----------
Max pool size : 6
App groups    : 1
Processes     : 2
Requests in top-level queue : 0

----------- Application groups -----------
/var/www/math/current (production):
  App root: /var/www/math/current
  Requests in queue: 0
  * PID: 7569    Sessions: 0       Processed: 62      Uptime: 11m 28s
    CPU: 0%      Memory  : 165M    Last used: 34s ago
  * PID: 14050   Sessions: 0       Processed: 0       Uptime: 1m 17s
    CPU: 0%      Memory  : 46M     Last used: 1m 17s ago

Happy to provide more information, but I am not sure what is relevant.

Answer 1

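I found the problem: I am using "rack-attack" to prevent brute-force attacks, but the requests are forwarded from a proxy, so all requests carry the proxy's IP. Unfortunately, I have forgotten how to fix it...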
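
The failure this answer describes, as an added example that is not part of the original post and not rack-attack's own code: a limit keyed on the TCP peer address puts every client behind the proxy into one bucket, while a key resolved from X-Forwarded-For through a list of trusted proxies does not. The addresses, the limit of 2 and the helper names (`client_ip`, `replay`, `via_proxy`) are all constructed for illustration.

```ruby
require "ipaddr"

# Constructed setup: 10.0.0.5 stands in for the proxy that forwards requests.
TRUSTED_PROXIES = [IPAddr.new("10.0.0.5/32"), IPAddr.new("127.0.0.0/8")].freeze

def parse_ip(text)
  text.to_s.empty? ? nil : IPAddr.new(text)
rescue IPAddr::Error
  nil
end

def trusted?(text)
  ip = parse_ip(text)
  !ip.nil? && TRUSTED_PROXIES.any? { |net| net.include?(ip) }
end

# Address to key rate limits on. X-Forwarded-For is honoured only when the TCP
# peer is a trusted proxy, and is read right to left so that values a client
# put in the header itself are never reached.
def client_ip(env)
  peer = env["REMOTE_ADDR"].to_s
  return peer unless trusted?(peer)
  hops = env["HTTP_X_FORWARDED_FOR"].to_s.split(",").map(&:strip).reject(&:empty?)
  hop = hops.reverse.find { |h| !trusted?(h) }
  hop && parse_ip(hop) ? hop : peer # unparsable hop: fall back to the peer
end

# Counts requests per key and returns the status each request would get.
# 403 mirrors the status in the question's log; the limit is constructed.
def replay(requests, limit:)
  counts = Hash.new(0)
  requests.map do |env|
    key = yield(env)
    (counts[key] += 1) > limit ? 403 : 200
  end
end

# The proxy appends the real peer address after whatever the client sent.
def via_proxy(client, sent_by_client: nil)
  { "REMOTE_ADDR" => "10.0.0.5",
    "HTTP_X_FORWARDED_FOR" => [sent_by_client, client].compact.join(", ") }
end

# Constructed traffic: one busy client, one normal client, one forged header.
A = "192.0.2.10"; B = "198.51.100.20"; C = "203.0.113.30"
REQUESTS = [via_proxy(A), via_proxy(B), via_proxy(A), via_proxy(B),
            via_proxy(C, sent_by_client: A), via_proxy(A)].freeze

puts replay(REQUESTS, limit: 2) { |env| env["REMOTE_ADDR"] }.inspect
puts replay(REQUESTS, limit: 2) { |env| client_ip(env) }.inspect
```

Keyed on the peer address, every request after the second is refused regardless of who sent it, which matches the sporadic, app-wide 403s in the question; keyed on the resolved address, only the busy client's third request is refused.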
