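I am getting sporadic 403 responses from a server running Passenger in Apache. The problem seems to start at random and end at random. From the logs, it looks like Apache is trying to run the URL as a script: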
[Fri Oct 11 17:23:51.509902 2019] [core:trace4] [pid 7309:tid 139735209076480] util_script.c(571): [client 132.72.41.107:38416] Headers from script '':
[Fri Oct 11 17:23:51.509934 2019] [core:trace4] [pid 7309:tid 139735209076480] util_script.c(572): [client 132.72.41.107:38416] Status: 403 Forbidden
[Fri Oct 11 17:23:51.509942 2019] [core:trace1] [pid 7309:tid 139735209076480] util_script.c(653): [client 132.72.41.107:38416] Status line from script '': 403 Forbidden
[Fri Oct 11 17:23:51.509948 2019] [core:trace4] [pid 7309:tid 139735209076480] util_script.c(572): [client 132.72.41.107:38416] Cache-Control: no-cache
[Fri Oct 11 17:23:51.509954 2019] [core:trace4] [pid 7309:tid 139735209076480] util_script.c(572): [client 132.72.41.107:38416] Vary: Origin
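The Passenger log file does not contain anything relevant, and neither does the application (Rails) log. Static files not served by Passenger are served as usual.
Apache configuration: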
PassengerLogFile ${APACHE_LOG_DIR}/passenger.log
PassengerLogLevel 8
<VirtualHost *:80>
ServerName math.bgu.ac.il
ServerAlias www.math.bgu.ac.il
ServerSignature off
AllowEncodedSlashes NoDecode
ProxyPreserveHost on
PassengerAppEnv production
PassengerFriendlyErrorPages on
PassengerLoadShellEnvvars off
PassengerMaxRequestQueueSize 300
PassengerUser wwwmath
PassengerGroup www-data
PassengerInstanceRegistryDir /var/run/passenger
DocumentRoot /var/www/math/current/public
DirectoryCheckHandler on
<IfModule mod_proxy.c>
ProxyPassMatch "^/~(.*)$" "http://user-web1.cs.bgu.ac.il/~$1"
</IfModule>
Include /etc/apache2/sites-available/redirects.include
<Directory /var/www/math/current/public>
Allow from all
Options -MultiViews
Require all granted
</Directory>
<IfModule mod_proxy.c>
<Location /git>
PassengerEnabled off
Require all granted
Header always set X-Frame-Options SAMEORIGIN
ProxyPassReverse http://127.0.0.1:8181
ProxyPassReverse http://www.math.bgu.ac.il/
</Location>
RewriteEngine on
#Don't escape encoded characters in api requests
RewriteCond %{REQUEST_URI} ^/api/v4/.*
RewriteRule ^/git(.*) http://127.0.0.1:8181/git/$1 [P,QSA,NE]
#Forward all requests to gitlab-workhorse except existing files like error documents
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteRule ^/git(.*) http://127.0.0.1:8181/git/$1 [P,QSA,NE]
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteRule ^/mattermost(.*) http://127.0.0.1:8065/$1 [P,QSA,NE]
</IfModule>
# add trailing slash to dirs
RewriteEngine On
RewriteCond "%{DOCUMENT_ROOT}/%{REQUEST_URI}" -d
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ $1/ [L]
LogLevel trace4 rewrite:info
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log vhost_combined
</VirtualHost>
Output of passenger-status:
Version : 6.0.4
Date : 2019-10-11 17:35:19 +0300
Instance: 6TJeLpUK (Apache/2.4.29 (Ubuntu) Phusion_Passenger/6.0.4)
----------- General information -----------
Max pool size : 6
App groups : 1
Processes : 2
Requests in top-level queue : 0
----------- Application groups -----------
/var/www/math/current (production):
App root: /var/www/math/current
Requests in queue: 0
* PID: 7569 Sessions: 0 Processed: 62 Uptime: 11m 28s
CPU: 0% Memory : 165M Last used: 34s ago
* PID: 14050 Sessions: 0 Processed: 0 Uptime: 1m 17s
CPU: 0% Memory : 46M Last used: 1m 17s ago
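Happy to provide more information, but I am not sure what is relevant.
Answer 1
I found the problem: I was using "rack-attack" to prevent brute-force attacks, but the requests were forwarded from a proxy, so all requests carried the proxy's IP. Unfortunately, I have forgotten how I fixed it...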
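One way to key rack-attack on the real client address instead of the proxy's, shown as an added example that is not part of the original answer. The trusted proxy list, the throttle name and limits, and the helper names `parse_ip`, `trusted_proxy?` and `client_ip` are assumptions:

```ruby
require "ipaddr"

# Assumption: only these addresses are reverse proxies allowed to set
# X-Forwarded-For. Replace with the real proxy addresses of the deployment.
TRUSTED_PROXIES = %w[127.0.0.0/8 ::1].map { |cidr| IPAddr.new(cidr) }.freeze

# Parse a string into an IPAddr; nil for anything that is not an address.
def parse_ip(text)
  text = text.to_s.strip
  return nil if text.empty?
  IPAddr.new(text)
rescue IPAddr::Error
  nil
end

def trusted_proxy?(addr)
  !addr.nil? && TRUSTED_PROXIES.any? { |net| net.include?(addr) }
end

# Rate-limit key: the nearest hop that is not one of our own proxies.
def client_ip(env)
  remote = env["REMOTE_ADDR"].to_s
  # A direct (untrusted) peer controls the header, so ignore it entirely.
  return remote unless trusted_proxy?(parse_ip(remote))

  # Walk right to left: the rightmost entries were appended by our proxies,
  # anything further left was supplied by the client and is not trusted.
  env["HTTP_X_FORWARDED_FOR"].to_s.split(",").reverse_each do |hop|
    addr = parse_ip(hop)
    return remote if addr.nil?                  # malformed entry: use the peer
    return addr.to_s unless trusted_proxy?(addr)
  end
  remote
end

# Only runs when the rack-attack gem is loaded; limit and period are
# constructed sample values.
if defined?(Rack::Attack)
  Rack::Attack.throttle("req/ip", limit: 300, period: 300) do |req|
    client_ip(req.env)
  end
end
```

With a key taken from `REMOTE_ADDR` alone, every request arriving through the proxy shares one counter, so one client's traffic can trip the limit for all of them.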