[RndTbl] weird web hit 80 & 443?

dndyck6 at gmail.com dndyck6 at gmail.com
Wed Apr 17 12:03:44 CDT 2024


You can achieve this by making an HTTP request to the HTTPS server on 443. I was pretty sure, but I just tested it (using your LogFormat string):

[Wed, 17.Apr, 2024 - 11:59] david at dagmar:/etc/apache2/sites-enabled$ curl http://localhost:443
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
 Instead use the HTTPS scheme to access this URL, please.<br />
</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at www.ddyck.ca Port 80</address>
</body></html>
[Wed, 17.Apr, 2024 - 11:59] david at dagmar:/etc/apache2/sites-enabled$ sudo tail -1 /var/log/apache2/access.log
127.0.0.1 - - [17/Apr/2024:11:59:34 -0500] "GET / HTTP/1.0" 400 440 "-" "-" www.ddyck.ca 127.0.0.1 80 443 HTTP/1.0 - - 156


Also - Your log format is way better than mine was so I might just have to keep it 😉 

David


-----Original Message-----
From: Roundtable <roundtable-bounces at muug.ca> On Behalf Of Trevor Cordes
Sent: Wednesday, April 17, 2024 1:22 AM
To: MUUG RndTbl <roundtable at muug.ca>
Subject: [RndTbl] weird web hit 80 & 443?

5.6.7.8 - - [17/Apr/2024:00:17:59 -0500] "GET / HTTP/1.0" 400 362 "-" "-" sampledomainfoobar.com 1.2.3.4 80 443 HTTP/1.0 - - 56

Apache 2.4.

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %v %A %p %{local}p %H %f %L %D" teccombinedwithpath

How can I get a hit where %p is 80 and %{local}p is 443?

https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats

%p		The canonical port of the server serving the request.

%{format}p	The canonical port of the server serving the request, or
the server's actual port, or the client's actual port. Valid formats are canonical, local, or remote.

One vhost is listening on 80, the other 443.  Pretty standard setup.  80 does a redir to 443.  HTTP2 is present, but the hit shows HTTP1.

And apache gets confused and throws a 400.

Looking at the very few hits like this it seems like some sort of probe:
other probes occurring at the same time.

Just wondering what they are doing to achieve this hit.
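
One way to pull these hits out of an access log written with the LogFormat quoted above: flag 400 responses where the local port (%{local}p) is 443 but the canonical port (%p) is something else, which is the signature reproduced with curl in the reply. This is an added example, not part of the original thread; the function names, the `tls_ports` parameter and the last two sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches the thread's LogFormat:
# %h %l %u %t "%r" %>s %b "Referer" "User-Agent" %v %A %p %{local}p %H %f %L %D
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<agent>(?:[^"\\]|\\.)*)" '
    r'(?P<vhost>\S+) (?P<local_ip>\S+) (?P<canon_port>\d+) (?P<local_port>\d+) '
    r'(?P<proto>\S+) (?P<filename>.*) \S+ \d+$'
)

# The first two lines are the ones quoted in the thread; the last two are
# constructed here to show ordinary traffic that must not be flagged.
SAMPLE = [
    '5.6.7.8 - - [17/Apr/2024:00:17:59 -0500] "GET / HTTP/1.0" 400 362 "-" "-" '
    'sampledomainfoobar.com 1.2.3.4 80 443 HTTP/1.0 - - 56',
    '127.0.0.1 - - [17/Apr/2024:11:59:34 -0500] "GET / HTTP/1.0" 400 440 "-" "-" '
    'www.ddyck.ca 127.0.0.1 80 443 HTTP/1.0 - - 156',
    '203.0.113.9 - - [17/Apr/2024:00:18:02 -0500] "GET /index.html HTTP/2.0" 200 5120 '
    '"-" "Mozilla/5.0" sampledomainfoobar.com 1.2.3.4 443 443 HTTP/2.0 '
    '/var/www/html/index.html - 812',
    '203.0.113.9 - - [17/Apr/2024:00:18:05 -0500] "GET / HTTP/1.1" 301 229 "-" '
    '"curl/8.5.0" sampledomainfoobar.com 1.2.3.4 80 80 HTTP/1.1 - - 95',
]

def plain_http_on_tls_port(lines, tls_ports=(443,)):
    """Yield hits answered 400 on a TLS port whose canonical port (%p) differs."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not in this LogFormat; skip rather than guess
        canon, local = int(m["canon_port"]), int(m["local_port"])
        if m["status"] == "400" and local in tls_ports and canon != local:
            yield m.groupdict()

def clients(lines):
    """Count flagged hits per client address (%h)."""
    return Counter(hit["host"] for hit in plain_http_on_tls_port(lines))

if __name__ == "__main__":
    for hit in plain_http_on_tls_port(SAMPLE):
        print(hit["time"], hit["host"], hit["vhost"],
              hit["canon_port"], hit["local_port"])
```

Grouping the flagged hits by client address makes it easier to line them up with other probes from the same source at the same time.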