Still 400 response code, but so weird this time

In access_log file, huge numbers of log entries like this:

115.85.238.34 1764839163 - 0.242 [01/Aug/2013:11:02:01 +0800]
foo.bar.com
“-” 400 0 “-” “-” “-”

log_format defined in http conf block:

‘$remote_addr $connection $remote_user $request_time [$time_local]
“$hostname” “$request” $status $body_bytes_sent “$http_referer”
“$http_cookie” “$http_user_agent”’

Points I realized:

  1. Cannot catch $request, which is full original request line according
    to
    Nginx documentation. So can it tell at which phrase the connection was
    dropped?
  2. $body_bytes_sent is zero. So no HTTP response body was generated.
  3. $http_refer, $http_cookie and $http_user_agent cannot be caught. So
    does
    this indicate any issue?

p.s. this might be caused by HTTPS/SSL connections from mobile client,
but
I’m not sure.

Could anyone give any words?

Thank you in advance!

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241435,241435#msg-241435

addtions:

no corresponding logs in error_log.

Nginx version: 1.2.4

OpenSSL version: OpenSSL 1.0.1e

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241435,241439#msg-241439

more additions:

some SSL related config in Nginx config file

    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers RC4:AES128-SHA:3DES:!EXP:!aNULL:!kEDH:!ECDH;

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241435,241441#msg-241441

Hello!

On Thu, Aug 01, 2013 at 03:10:30AM -0400, microwish wrote:

“$http_cookie” “$http_user_agent”’

p.s. this might be caused by HTTPS/SSL connections from mobile client, but
I’m not sure.

Such lines in access log are caused by opening and closing a
connection without sending any data in it. Usually this happens
due to browser optimizations (e.g., Chrome opens an additional
connection “just in case”), but might appear due to various other
reasons as well (e.g. if browser rejects your SSL cert).

As of nginx 1.3.15+ such connections are no longer logged to
access log, see http://nginx.org/en/CHANGES.


Maxim D.
http://nginx.org/en/donation.html

Hello!

On Thu, Aug 01, 2013 at 06:13:00AM -0400, microwish wrote:

Thanks, Maxim.

By “Such lines in access log are caused by opening and closing a connection
without sending any data in it”, you are meaning that a client opens a
connection and then closes the connection actively without sending any data,
or that a Nginx worker process accepts a connection and then closes it
actively without sending any data to the client?

A client opens a connection, and then closes the connection.

In any case, is the TCP handshake completed?

Yes.

I guess that SSL handshakes are already in process, because CPU resource is
consumed much.

Just as you said, if the browser rejected my SSL cert, what could I do to
solve this issue?

First of all, you should check if it’s the case. If it is, you
should investigate further why the browser rejects the cert -
there are plenty of possible reasons.


Maxim D.
http://nginx.org/en/donation.html

Hi Maxim,

Now I’m sure that the 400-related logs in access log file are caused by
bad
SSL connections, which either finish SSH handshakes and then sending no
data, or don’t finish SSH handshake at at.

I’ll be diving into it for more insights.

Thank you.

Maxim D. Wrote:

http://nginx.org/en/donation.html


nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241435,241584#msg-241584

Thanks, Maxim.

By “Such lines in access log are caused by opening and closing a
connection
without sending any data in it”, you are meaning that a client opens a
connection and then closes the connection actively without sending any
data,
or that a Nginx worker process accepts a connection and then closes it
actively without sending any data to the client?

In any case, is the TCP handshake completed?

I guess that SSL handshakes are already in process, because CPU resource
is
consumed much.

Just as you said, if the browser rejected my SSL cert, what could I do
to
solve this issue?

Thanks again.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241435,241456#msg-241456