I would like to ask for help with an Elastic Beanstalk error:
Environment health has transitioned from Ok to Severe. 81.8% of the requests are erroring with HTTP 4xx.
I read some articles here and followed the WAF solution, so I created an ACL assigned to our CloudFront distribution and then created a rule that blocks every request whose HTTP method contains the word HEAD. When I try sending a HEAD request from Postman it works as I want (I get a 403 error), but unfortunately the error is still there, and every day I see lots of HEAD requests in the Apache log.
List of requests:
```
[01/Aug/2017:07:42:09 +0000] "HEAD /mysql/dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:11 +0000] "HEAD /mysql/mysqlmanager/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:11 +0000] "HEAD /phpMyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:11 +0000] "HEAD /phpmyAdmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:12 +0000] "HEAD /phpmyadmin3/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:13 +0000] "HEAD /2phpmyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:13 +0000] "HEAD /phppma/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:14 +0000] "HEAD /shopdb/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:15 +0000] "HEAD /program/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:15 +0000] "HEAD /dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:16 +0000] "HEAD /db/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:16 +0000] "HEAD /mysql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:17 +0000] "HEAD /db/phpmyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:17 +0000] "HEAD /sqlmanager/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:18 +0000] "HEAD /php-myadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:19 +0000] "HEAD /mysqladmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:19 +0000] "HEAD /admin/phpmyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:20 +0000] "HEAD /admin/sysadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:20 +0000] "HEAD /admin/db/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:21 +0000] "HEAD /admin/pMA/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:22 +0000] "HEAD /mysql/db/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:23 +0000] "HEAD /mysql/pMA/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:24 +0000] "HEAD /sql/php-myadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:24 +0000] "HEAD /sql/sql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:25 +0000] "HEAD /sql/webadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:26 +0000] "HEAD /sql/websql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:30 +0000] "HEAD /sql/sqladmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:30 +0000] "HEAD /sql/phpmyadmin2/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:31 +0000] "HEAD /sql/phpMyAdmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:38 +0000] "HEAD /db/webadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:43 +0000] "HEAD /db/websql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:49 +0000] "HEAD /db/dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:49 +0000] "HEAD /db/phpmyadmin3/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:51 +0000] "HEAD /db/phpMyAdmin-3/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:52 +0000] "HEAD /administrator/phpMyAdmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:52 +0000] "HEAD /administrator/web/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:54 +0000] "HEAD /administrator/PMA/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:54 +0000] "HEAD /phpMyAdmin2/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:55 +0000] "HEAD /phpMyAdmin4/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:55 +0000] "HEAD /php-my-admin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:56 +0000] "HEAD /PMA2012/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:56 +0000] "HEAD /PMA2014/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:57 +0000] "HEAD /PMA2016/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:57 +0000] "HEAD /PMA2018/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:58 +0000] "HEAD /pma2012/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:59 +0000] "HEAD /pma2014/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:00 +0000] "HEAD /pma2016/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:01 +0000] "HEAD /pma2018/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:01 +0000] "HEAD /phpmyadmin2012/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:02 +0000] "HEAD /phpmyadmin2014/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:02 +0000] "HEAD /phpmyadmin2016/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:04 +0000] "HEAD /phpmyadmin2018/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
```
Thanks for your help.
Answer 0: (score: 1)
I contacted AWS Support directly, and this is the solution they gave me:
I looked at the logs you posted and found that the agent is Jorgee, which is a common malware agent. I came across a blog post about this agent [1]; although it is not official, it gave me some insight into it.
On an Elastic Beanstalk environment instance, a daemon named "healthd" monitors health by watching a special log file. If the agent finds many 4xx entries in this file, the environment goes into the Severe state.
```
$ sudo tail /var/log/nginx/healthd/application.log.2017-08-21-07
1503299631.249"/asdf"404"0.075"0.075"-
1503299631.379"/asdf"404"0.002"0.002"-
```
I see that you launched the environment with the solution stack "64bit Amazon Linux 2017.03 v2.7.2 running Docker 17.03.1-ce", so I would like to offer a workaround for this issue for that solution stack.
In the solution stack "64bit Amazon Linux 2017.03 v2.7.2 running Docker 17.03.1-ce", the log format above is defined in "/etc/nginx/nginx.conf" and enabled in "/etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf".
So you can configure nginx in your environment to ignore requests whose HTTP status is 404 or 403. Please try adding the following configuration file under the .ebextensions directory of your application source bundle.
.ebextensions/healthd_ignore_4xx.config
```yaml
files:
  "/etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      # modification No.1
      map $status $logflag {
        404 0;
        403 0;
        default 1;
      }

      map $http_upgrade $connection_upgrade {
        default "upgrade";
        "" "";
      }

      server {
        listen 80;

        gzip on;
        gzip_comp_level 4;
        gzip_types text/html text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
          set $year $1;
          set $month $2;
          set $day $3;
          set $hour $4;
        }

        # modification No.2
        # access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
        access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd if=$logflag;
        access_log /var/log/nginx/access.log;

        location / {
          proxy_pass http://docker;
          proxy_http_version 1.1;
          proxy_set_header Connection $connection_upgrade;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
      }
```
This configuration replaces the default /etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf file with the content you define. The modifications I made are:
- No.1: Added a map directive that maps $status to $logflag. When the request status is 404 or 403, $logflag is set to 0; for any other status it is set to 1.
- No.2: Added if=$logflag to the access_log [2] directive, so the health monitoring log is written only when the HTTP status is not 404 or 403.
After you deploy a new application version with the ebextensions configuration above, your environment status will no longer be affected by invalid 404 or 403 requests.
References:
[1]: http://www.skepticism.us/2015/05/new-malware-user-agent-value-jorgee/
[2]: http://nginx.org/en/docs/stream/ngx_stream_log_module.html#access_log
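As an added example (not part of the question or of AWS Support's answer), the Python below triages the kind of Apache log the question shows and mirrors the effect of the answer's nginx map: it parses combined-log lines, reports the 4xx share as healthd would count it, lists the user agents behind the 4xx, and recomputes the share once 404/403 are dropped the way `if=$logflag` drops them. The log lines are constructed to resemble the question's traffic and are not real data.

```python
import re
from collections import Counter

# Constructed sample in Apache combined-log format, modelled on the question's Jorgee HEAD scan.
SAMPLE_LOG = """\
[01/Aug/2017:07:42:09 +0000] "HEAD /mysql/dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:11 +0000] "HEAD /phpMyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:12 +0000] "GET /api/items HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
[01/Aug/2017:07:42:13 +0000] "HEAD /admin/pMA/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:14 +0000] "GET /secret HTTP/1.1" 403 199 "-" "curl/7.54.0"
[01/Aug/2017:07:42:15 +0000] "GET /api/items/7 HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64)"
[01/Aug/2017:07:42:16 +0000] "GET /broken HTTP/1.1" 500 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse(log_text):
    """Parse combined-log lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            row = m.groupdict()
            row["status"] = int(row["status"])
            rows.append(row)
    return rows

def healthd_visible(rows, ignore_statuses=(404, 403)):
    """Apply the answer's nginx 'map $status $logflag' rule: 404/403 never reach healthd."""
    return [r for r in rows if r["status"] not in ignore_statuses]

def error_share(rows, status_class=4):
    """Percentage of requests in a status class (4 -> 4xx), rounded to one decimal."""
    if not rows:
        return 0.0
    hits = sum(1 for r in rows if r["status"] // 100 == status_class)
    return round(100.0 * hits / len(rows), 1)

def top_agents(rows, status_class=4):
    """User agents producing the error class, to spot scanners such as Jorgee."""
    return Counter(r["ua"] for r in rows if r["status"] // 100 == status_class).most_common()

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(f"4xx share healthd sees today: {error_share(rows)}%")        # 57.1%
    print("4xx by user agent:", top_agents(rows))
    print(f"4xx share with 404/403 excluded: {error_share(healthd_visible(rows))}%")  # 0.0%
    print(f"5xx share still reported: {error_share(healthd_visible(rows), 5)}%")      # 33.3%
```

Real 5xx errors still count after the filter, which is the point of excluding only 404/403 rather than all errors.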
Answer 1: (score: 0)
To solve this problem,
I changed the Elastic Beanstalk load balancer to the Application-level one and enabled the WAF integration.
In WAF, I defined the following rules to block the malware requests.
URI contains: "/pma" after converting to lowercase.
URI contains: "/sql" after converting to lowercase.
URI contains: "/admin" after converting to lowercase.
URI ends with: "php" after converting to lowercase.
URI contains: "/mysql" after converting to lowercase.
URI contains: "/db" after converting to lowercase.
URI contains: "/2phpmyadmin/ " after converting to lowercase.
URI contains: "/shopdb/ " after converting to lowercase.
URI contains: "/php" after converting to lowercase.
Answer 2: (score: 0)
For me, there was no response for root (/), so simply adding a dummy page in spring-boot made my ELB problem go away.
```java
// Dummy handler for "/" so the load balancer health check gets a 200 instead of a 404
@GetMapping("/")
@ResponseBody
public String sayHello() {
    return "hello";
}
```