Support

jack · #1 06-15-2011, 05:21 AM

Hi there,

Since I upgraded to 4.1, legit client IPs are being temporarily blocked.

After a few "Status 400: Bad request method:" errors, the offending IP gets blocked: "too many bad requests, block."

I wasn't able to extract more information on the specifics of the requests causing these "Status 400..." messages, but they are present in older logs too (previous to LS 4.1), so it looks like the server just wasn't acting on them at the time.

With DEBUG logging in HIGH level, I get this:

Code:

2011-06-15 12:07:18.252 [DEBUG] [x.x.x.x:443] New connection from 86.53.106.65:26258.
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] HttpIOLink::handleEvents() events=1!
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] HttpConnection::onReadEx(), state: 0!
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] readToHeaderBuf().   
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] Read from client: 120
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] read 120 bytes to header buffer
2011-06-15 12:07:18.252 [INFO] [86.53.106.65:26258-0] Status 400: Bad request method: ^V^C^A
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] processHeader() return 21, header state: 0.
2011-06-15 12:07:18.252 [NOTICE] [86.53.106.65:26258-0] too many bad requests, block.
2011-06-15 12:07:18.252 [NOTICE] [86.53.106.65] bot detected, close connection!  
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] readToHeaderBuf() return 21.
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] HttpConnection::sendHttpError(),code=400 Bad Request
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] HttpConnection::flush()!  
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] Written to client: 574  
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] HttpConnection::nextRequest()!
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] Non-KeepAlive, CLOSING!   
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] Shutting down out-bound socket ...
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] Available Connections: 1960
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] Close socket ...
2011-06-15 12:07:18.252 [DEBUG] [x.x.x.x:443] 1 connections accepted!

From here, and also checking on the other server logs, I noticed it's only happening for HTTPS requests.

Can someone please shed some light on this? At the very least I need to disable this auto blocking feature, if there's no other better way.

Thanks in advance.

Jack

jack · #2 06-15-2011, 07:31 AM

I found out what issued those "Bad requests". It happens when a client visits a website with https when there's no configured SSL virtual host.

How can I disable this auto-blocking feature?

or

How can I configure Litespeed not to consider a "Bad request" when someone requests an HTTPS url that does not exist?

Jack

mistwang · #3 06-15-2011, 09:30 AM

Please do a force reinstall of 4.1.1, should be addressed.

XN-Matt · #4 07-18-2011, 05:02 AM

Customer is running brand new install of 4.1.2 and this is still happening.

Please advise.

mistwang · #5 07-18-2011, 12:46 PM

Please provide error log related like Jack did.

XN-Matt · #6 07-18-2011, 12:48 PM

2011-06-15 12:07:18.252 [INFO] [86.53.106.65:26258-0] Status 400: Bad request method: ^V^C^A
2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] processHeader() return 21, header state: 0.
2011-06-15 12:07:18.252 [NOTICE] [86.53.106.65:26258-0] too many bad requests, block.
2011-06-15 12:07:18.252 [NOTICE] [86.53.106.65] bot detected, close connection!

Exactly that, plus the resolution is the same. Install SSL on a vhost that should have it, it stops the issue.