Status 400: Bad request method:

Discussion in 'General' started by jack, Jun 15, 2011.

  1. jack

    jack New Member

    Hi there,

    Since I upgraded to 4.1, legit client IPs are being temporarily blocked.

    After a few "Status 400: Bad request method:" errors, the offending IP gets blocked: "too many bad requests, block."

    I wasn't able to extract more information on the specifics of the requests causing these "Status 400..." messages, but they are present in older logs too (previous to LS 4.1), so it looks like the server just wasn't acting on them at the time.

    With DEBUG logging in HIGH level, I get this:

    Code:
    2011-06-15 12:07:18.252 [DEBUG] [x.x.x.x:443] New connection from 86.53.106.65:26258.
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] HttpIOLink::handleEvents() events=1!
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] HttpConnection::onReadEx(), state: 0!
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] readToHeaderBuf().   
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] Read from client: 120
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] read 120 bytes to header buffer
    2011-06-15 12:07:18.252 [INFO] [86.53.106.65:26258-0] Status 400: Bad request method: ^V^C^A
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] processHeader() return 21, header state: 0.
    2011-06-15 12:07:18.252 [NOTICE] [86.53.106.65:26258-0] too many bad requests, block.
    2011-06-15 12:07:18.252 [NOTICE] [86.53.106.65] bot detected, close connection!  
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] readToHeaderBuf() return 21.
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] HttpConnection::sendHttpError(),code=400 Bad Request
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] HttpConnection::flush()!  
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] Written to client: 574  
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] HttpConnection::nextRequest()!
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] Non-KeepAlive, CLOSING!   
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] Shutting down out-bound socket ...
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] Available Connections: 1960
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] Close socket ...
    2011-06-15 12:07:18.252 [DEBUG] [x.x.x.x:443] 1 connections accepted! 
    From here, and also checking on the other server logs, I noticed it's only happening for HTTPS requests.

    Can someone please shed some light on this? At the very least I need to disable this auto blocking feature, if there's no other better way.

    Thanks in advance.

    Jack
  2. jack

    jack New Member

    I found out what issued those "Bad requests". It happens when a client visits a website with https when there's no configured SSL virtual host.

    How can I disable this auto-blocking feature?

    or

    How can I configure Litespeed not to consider a "Bad request" when someone requests an HTTPS url that does not exist?

    Jack
  3. mistwang

    mistwang LiteSpeed Staff

    Please do a force reinstall of 4.1.1, should be addressed.
  4. XN-Matt

    XN-Matt Member

    Customer is running brand new install of 4.1.2 and this is still happening.

    Please advise.
  5. mistwang

    mistwang LiteSpeed Staff

    Please provide error log related like Jack did.
  6. XN-Matt

    XN-Matt Member

    2011-06-15 12:07:18.252 [INFO] [86.53.106.65:26258-0] Status 400: Bad request method: ^V^C^A
    2011-06-15 12:07:18.252 [DEBUG] [86.53.106.65:26258-0] processHeader() return 21, header state: 0.
    2011-06-15 12:07:18.252 [NOTICE] [86.53.106.65:26258-0] too many bad requests, block.
    2011-06-15 12:07:18.252 [NOTICE] [86.53.106.65] bot detected, close connection!

    Exactly that, plus the resolution is the same. Install SSL on a vhost that should have it, it stops the issue.

Share This Page