In access_log file, huge numbers of log entries like this:
115.85.238.34 1764839163 - 0.242 [01/Aug/2013:11:02:01 +0800]
“foo.bar.com”
“-” 400 0 “-” “-” “-”
log_format defined in http conf block:
‘$remote_addr $connection $remote_user $request_time [$time_local]
“$hostname” “$request” $status $body_bytes_sent “$http_referer”
“$http_cookie” “$http_user_agent”’
Points I realized:
- Cannot catch $request, which is full original request line according
to
Nginx documentation. So can it tell at which phrase the connection was
dropped?
- $body_bytes_sent is zero. So no HTTP response body was generated.
- $http_refer, $http_cookie and $http_user_agent cannot be caught. So
does
this indicate any issue?
p.s. this might be caused by HTTPS/SSL connections from mobile client,
but
I’m not sure.
Could anyone give any words?
Thank you in advance!
Posted at Nginx Forum:
addtions:
no corresponding logs in error_log.
Nginx version: 1.2.4
OpenSSL version: OpenSSL 1.0.1e
Posted at Nginx Forum:
more additions:
some SSL related config in Nginx config file
ssl_protocols SSLv3 TLSv1;
ssl_ciphers RC4:AES128-SHA:3DES:!EXP:!aNULL:!kEDH:!ECDH;
Posted at Nginx Forum:
Hello!
On Thu, Aug 01, 2013 at 03:10:30AM -0400, microwish wrote:
“$http_cookie” “$http_user_agent”’
p.s. this might be caused by HTTPS/SSL connections from mobile client, but
I’m not sure.
Such lines in access log are caused by opening and closing a
connection without sending any data in it. Usually this happens
due to browser optimizations (e.g., Chrome opens an additional
connection “just in case”), but might appear due to various other
reasons as well (e.g. if browser rejects your SSL cert).
As of nginx 1.3.15+ such connections are no longer logged to
access log, see http://nginx.org/en/CHANGES.
–
Maxim D.
http://nginx.org/en/donation.html
Hello!
On Thu, Aug 01, 2013 at 06:13:00AM -0400, microwish wrote:
Thanks, Maxim.
By “Such lines in access log are caused by opening and closing a connection
without sending any data in it”, you are meaning that a client opens a
connection and then closes the connection actively without sending any data,
or that a Nginx worker process accepts a connection and then closes it
actively without sending any data to the client?
A client opens a connection, and then closes the connection.
In any case, is the TCP handshake completed?
Yes.
I guess that SSL handshakes are already in process, because CPU resource is
consumed much.
Just as you said, if the browser rejected my SSL cert, what could I do to
solve this issue?
First of all, you should check if it’s the case. If it is, you
should investigate further why the browser rejects the cert -
there are plenty of possible reasons.
–
Maxim D.
http://nginx.org/en/donation.html
Hi Maxim,
Now I’m sure that the 400-related logs in access log file are caused by
bad
SSL connections, which either finish SSH handshakes and then sending no
data, or don’t finish SSH handshake at at.
I’ll be diving into it for more insights.
Thank you.
Maxim D. Wrote:
nginx: donation
nginx mailing list
[email protected]
nginx Info Page
Posted at Nginx Forum:
Thanks, Maxim.
By “Such lines in access log are caused by opening and closing a
connection
without sending any data in it”, you are meaning that a client opens a
connection and then closes the connection actively without sending any
data,
or that a Nginx worker process accepts a connection and then closes it
actively without sending any data to the client?
In any case, is the TCP handshake completed?
I guess that SSL handshakes are already in process, because CPU resource
is
consumed much.
Just as you said, if the browser rejected my SSL cert, what could I do
to
solve this issue?
Thanks again.
Posted at Nginx Forum: