Let's dissect an HTTP request that is sent to your NGINX server.
Assume for a moment it's '/cr-bin/mp.exe' that's the request but there's
extra headers. The full HTTP request looks like this (CURL format
output, but also what NGINX spits in debug mode):
POST /cr-bin/mp.exe
referer: example.com/foobar.html
content-type: text/json
content-length: 2345
The actual URL request in this case would have been
http://your-nginx-server/cr-bin/mp.exe with a POST to there, and that is
passed through to your system per your proxy_pass rules, etc.
Where your logs are getting "gmer3.itd.sterling.com/home.htm" is from
that *referer* header. I.E. you would see "example.com/foobar.html" if
the referer header in the request was the example above.
This has **nothing** to do with your configuration. Whatever 'poster'
is doing to post the items to your system is passing a referer header in
the POST with the contents "gmer3.itd.sterling.com/home.htm". If this
is some other site/system you'll see any number of potential referer
items. It's also entirely possible that this is your hostname, or
something specific to your Poster program itself setting the referer
header in the POST that it sends to your server.
This, again, has nothing to do with your NGINX configuration and
everything with how Poster is structuring the POST request (including
any headers it's sending in the request).
Thomas
On 6/3/21 2:52 PM, Benn Boulton wrote:
Hi,
Currently… The posts are coming from the same computer that is
hosting NGINX that passes the requests to an external server.
Eventually… NGINX will be run on the same computer with Apache and
will also function as a load balancer for multiple servers. One being
the same as NGINX and other external servers.
The posts are from a custom poster process that is an .EXE run from
the windows command prompt or a process that calls the POSTER executable.
C:\POSTER> Poster h:http://localhost/cr-bin/mp.exe f:test.txt
h: is the host to send to
f: is the file with the payload to be sent to the final destination
which is the mp.exe on the server listed in the proxy_pass parameter.
Everything looks to work as it should. But the
‘gmer3.itd.sterling.com/home.htm’ Log entries are just not what I
expect to see.
I am installing NGINX to rate limit a customer that is sending
multiple posts so fast that we occasionally miss one, and hope this
will resolve that.
Again, the proxy redirect is working, just the log entries is what
prompted my asking.
Thanks,
- Benn
*From:* nginx <nginx-boun...@nginx.org> *On Behalf Of *Moshe Katz
*Sent:* Thursday, June 3, 2021 1:29 PM
*To:* nginx@nginx.org
*Subject:* Re: gmer3.itd.sterling.com/home.htm in the access log
Benn,
I guess my explanation wasn't clear enough, so I'll try again.
That value is not coming from anywhere in your server's configuration
- it has nothing to do with proxy_pass or anything else. It is the
value of the "Referer" header that is in the incoming request.
First, are these log lines from requests that you are making to the
server yourself, or are they coming from someone else?
If it is your own traffic, where are you making your requests from? Is
it a page in a web browser, or is it some other tool?
If it is a web browser, that is usually the URL of the web page that
is open in the browser. For example, if I have a website at
`example.com/page.html`
<https://url.emailprotection.link/?bDBb9TVOKiqDPh_SUvfalWM90G6wcWScPnK_EVq6xVxh-Jq5ndDGgvfcC5U_tqxpluRe5jF35zSgN416HI1RIHw~~>
with a form on it that submits to your server, the value in that place
in the logs will be `https://example.com/page.html`
<https://url.emailprotection.link/?bMe1AJs-bSscT1yazCR9XS0kzX52Qa1-DwoIBV-QK8xxhHB1slVsgthl_uC3ltg7Vu05wQoXQi9lo9go4OQWCbA~~>
so that your server can see where the request came from.
Moshe
On Thu, Jun 3, 2021 at 1:18 PM Benn Boulton
<bboul...@skippingstone.com <mailto:bboul...@skippingstone.com>> wrote:
Hello Moshe,
Thanks for the reply. I guess I was not clear enough in my post.
I know the /cr-bin/mp.exe is part of the POST request.
What I do not understand is where the
gmer3.itd.sterling.com/home.htm
<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>
is coming from. It is not my proxy_pass value.
It is not part of the POST request or part of the nginx proxy_pass
or any thing I can find in my configuration.
Is my post being sent to both my proxy_pass value and this site in
the log? Do I have a hacked nginx?
-Benn
*From:* nginx <nginx-boun...@nginx.org
<mailto:nginx-boun...@nginx.org>> *On Behalf Of *Moshe Katz
*Sent:* Thursday, June 3, 2021 12:14 PM
*To:* nginx@nginx.org <mailto:nginx@nginx.org>
*Subject:* Re: gmer3.itd.sterling.com/home.htm
<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>
in the access log
Benn,
That part of the log is not the request URL, it is the
referrer header. The path that was requested on your server is
before that - a POST request to "/cr-bin/mp.exe". The
referrer (which the HTTP standard actually misspells as
"referer") is the web page that is making this request to your server.
Moshe
On Thu, Jun 3, 2021 at 12:08 PM Benn Boulton
<bboul...@skippingstone.com <mailto:bboul...@skippingstone.com>>
wrote:
Hello,
I have just installed the NGINX service to help rate limit
connections to my Apache server on Windows.
NGNIX 1.19.10 on Windows 10 64 bit
Everything seems to be working fine but I am getting access
log entries that I do not understand for the pages I am
redirecting.
I am running a process that posts to the server. NGNIX is
processing the request and passing it to the destination
server but it is not gmer3.itd.sterling.com/home.htm
<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>
as shown in the access log entries below.
Any Idea why
127.0.0.1 - t_skipstone [03/Jun/2021:10:30:07 -0400] "POST
/cr-bin/mp.exe HTTP/1.1" 200 569
"gmer3.itd.sterling.com/home.htm
<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>"
"brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:31:07 -0400] "POST
/cr-bin/mp.exe HTTP/1.1" 200 569
"gmer3.itd.sterling.com/home.htm
<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>"
"brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:33:35 -0400] "POST
/cr-bin/mp.exe HTTP/1.1" 200 569
"gmer3.itd.sterling.com/home.htm
<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>"
"brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:37:42 -0400] "POST
/cr-bin/mp.exe HTTP/1.1" 200 569
"gmer3.itd.sterling.com/home.htm
<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>"
"brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:55:03 -0400] "POST
/cr-bin/mp.exe HTTP/1.1" 200 569
"gmer3.itd.sterling.com/home.htm
<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>"
"brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:56:34 -0400] "POST
/cr-bin/mp.exe HTTP/1.1" 200 569
"gmer3.itd.sterling.com/home.htm
<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>"
"brow v1.0 CCI"
Thanks
*Benn *
_______________________________________________
nginx mailing list
nginx@nginx.org <mailto:nginx@nginx.org>
http://mailman.nginx.org/mailman/listinfo/nginx
<https://url.emailprotection.link/?b0r-C9_AUw48-Ch5rHbhyfCAxCuaEcGez1jSw3TSmi_yMSerkqszEs29ZeJ-9XHhKXFPzhIWSbHbDCNUmj6Tzf9mgNn_Pt2ohe5UJSMuWw0QP3IvnnyCmFlsv4r_rtY2d>
_______________________________________________
nginx mailing list
nginx@nginx.org <mailto:nginx@nginx.org>
http://mailman.nginx.org/mailman/listinfo/nginx
<https://url.emailprotection.link/?b0r-C9_AUw48-Ch5rHbhyfCAxCuaEcGez1jSw3TSmi_yMSerkqszEs29ZeJ-9XHhKXFPzhIWSbHbDCNUmj6Tzf9mgNn_Pt2ohe5UJSMuWw0QP3IvnnyCmFlsv4r_rtY2d>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
