Hi All,
My VPN hosts a small selection of web sites. I have noticed a LOT of
attacks recently.
The errors in the log file are typically something like this:
2020/04/29 11:08:12 [error] 831#831: *99107 FastCGI sent in stderr: "PHP message: PHP Fatal error: Reseller record not found for  in /var/www/exampleone/htsecure/Classes/ApplicationFactory.php on line 86" while reading response header from upstream, client: 209.17.96.218, server: exampleone.co.uk, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "exampletwo"
This is very puzzling because exampletwo is any website I host (except exampleone), including a site that DNS points to my server but I don't host!
The PHP error is caused because the value in $_SERVER['HTTP_HOST'] is
not something expected. I think it may be "\n" or missing.
It would appear that I have something screwy in my configuration for php
requests to one site to be passed to another - but I can't see it.
The default configuration is:
# Statements for default virtual host
server {
    listen 80 default;
    # server name is catch all for unknown names
    server_name _;
    root /etc/nginx/html;
    index index.html;
    # access_log /var/www/access_log;
    try_files $uri =404;
}
This would be triggered when exampletwo is the domain pointed at my
server, that I don't (yet) host.
The only file in /etc/nginx/html is index.html and reports "the domain
you requested does not exist on this server". There are no php files.
The config for exampleone is (redacted for security).
# Statements for exampleone virtual host
# switched to letsencrypt cert 30/6/2019
server {
    listen 80;
    server_name exampleone.co.uk www.exampleone.co.uk;
    rewrite ^(.*) https://exampleone.co.uk$1 permanent;
}

server {
    listen 443 ssl http2;
    server_name exampleone.co.uk www.exampleone.co.uk;

    ## SSL Certs
    ssl_certificate /etc/letsencrypt/live/coachmaster.co.uk-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/coachmaster.co.uk-0001/privkey.pem;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
    ssl_session_timeout 10m;

    # Additional Security Headers
    # ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Sec…
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    add_header X-Frame-Options DENY always;
    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Op…
    add_header X-Content-Type-Options nosniff always;
    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
    add_header X-Xss-Protection "1; mode=block" always;

    # Enable OCSP stapling
    # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/exampleone.co.uk/fullchain.pem;

    root /var/www/exampleone/htsecure;
    access_log /var/log/nginx/exampleone.co.uk.access.log;
    error_log /var/log/nginx/error.log;
    index index.php;

    location = / {
        rewrite ^ /index.php last;
    }

    location /easyrtc {
        proxy_pass http://localhost:5006;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /socket.io {
        proxy_pass http://localhost:5006;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # serve php files via fastcgi if the file exists
    location ~ \.php$ {
        try_files $uri =404;
        include /etc/nginx/fastcgi.conf;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param CENTRAL_ROOT $document_root;
        fastcgi_param RESELLER_ROOT $document_root;
        fastcgi_param ENVIRONMENT production;
        fastcgi_param HTTPS ON;
    }

    # serve static files
    try_files $uri $uri/ /index.php;
    expires 30m;

    # now to configure the long polling
    location /publish {
        nchan_publisher;
        nchan_channel_id $arg_id;
        nchan_message_buffer_length 10;
        nchan_message_timeout 90s;
    }

    # public long-polling endpoint
    location /activity {
        nchan_subscriber;
        nchan_channel_id $arg_id;
    }
}
Sorry about the extra line breaks borking the layout. SNAFU. :)
Any idea why or how a request to a site that does not exist gets switched to exampleone, when a default is present?
I am running fail2ban, and that locks them out for an hour at the third attempt, so it does not matter much, except that my nightly report of errors is so full of this junk that I can't see any real problems. :(
Thanks for any insights.
Ian
--
Ian Hobson
Tel (+351) 910 418 473
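Added example, not part of the original post: the config above declares a default server only for `listen 80`, and nginx chooses its default server per listen port, so a TLS request whose SNI/Host matches no `server_name` on port 443 is handled by the first server block that listens on 443 (here exampleone), which is how a foreign `HTTP_HOST` can reach its index.php. The catch-all 443 block below is one way to close that gap; it assumes nginx 1.19.4 or newer for `ssl_reject_handshake`.

```nginx
# Catch-all servers for BOTH ports, so unknown names never fall
# through to a named vhost. Check with:  nginx -T | grep -n 'listen'
# (every listen port should show exactly one default_server).

server {
    listen 80 default_server;
    server_name _;
    # keep the existing static "domain does not exist" page here,
    # or simply drop the connection:
    return 444;
}

server {
    listen 443 ssl http2 default_server;
    server_name _;
    # nginx >= 1.19.4: abort the TLS handshake when the SNI name matches
    # no server_name; no certificate is needed in this block. On older
    # versions use a placeholder self-signed ssl_certificate/key pair
    # and keep the return 444 below so no vhost ever sees the request.
    ssl_reject_handshake on;
    return 444;
}
```

After reloading, the "Reseller record not found" errors for unknown hosts should stop appearing in exampleone's upstream error log, since those requests no longer reach PHP at all.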