Still about Nginx's 400 response code. So weird.

microwish · 2013-08-01T15:16:26+00:00

Hello! On Wed, Jul 31, 2013 at 12:25 AM, Andrey Oktyabrskiy wrote: > I have strange problem with ngx.location.capture(): > > location /usr_info { &...

Still about Nginx's 400 response code. So weird.

microwish

In access_log file, huge numbers of log entries like this:

115.85.238.34 1764839163 - 0.242 [01/Aug/2013:11:02:01 +0800] "foo.bar.com" "-" 400 0 "-" "-" "-"

log_format defined in http conf block:

'$remote_addr $connection $remote_user $request_time [$time_local] "$hostname" "$request" $status $body_bytes_sent "$http_referer" "$http_cookie" "$http_user_agent"'

Points I realized:
1) Cannot catch $request, which is full original request line according to Nginx documentation. So can it tell at which phrase the connection was dropped?
2) $body_bytes_sent is zero. So no HTTP response body was generated.
3) $http_refer, $http_cookie and $http_user_agent cannot be caught. So does this indicate any issue?

p.s. this might be caused by HTTPS/SSL connections from mobile client, but I'm not sure.

Could anyone give any words?

Thank you in advance!

agentzh

Hello!

On Thu, Aug 1, 2013 at 12:16 AM, microwish wrote:
> In access_log file, huge numbers of log entries like this:
>
> 115.85.238.34 1764839163 - 0.242 [01/Aug/2013:11:02:01 +0800] "foo.bar.com"
> "-" 400 0 "-" "-" "-"
>

A lot of 400 errors are caused by modern web browsers which often open
multiple connections and shut down some of them without sending out
requests. And some load-balancers or health checkers may also do
something like this.

To further confirm the actual reasons, you'd better write a tool based
on sysemtap or dtrace to trace your live nginx worker processes. You
can take a look at my Nginx Systemtap Toolkit:

    https://github.com/agentzh/nginx-systemtap-toolkit

Regards,
-agentzh

microwish

Now I'm sure that "400" entries in access log are caused by SSL connections, which either finish SSL handshakes without sending any more data, or even do not finish SSL handshakes.

Because most SSL processing includeing SSL handshakes consume much CPU resource, I want to kick those rubbish SSL connections away.

Any suggestions? It seems like an impossible mission.

On Friday, August 2, 2013 3:00:18 AM UTC+8, agentzh wrote:

Hello!

On Thu, Aug 1, 2013 at 12:16 AM, microwish wrote:
> In access_log file, huge numbers of log entries like this:
>
> 115.85.238.34 1764839163 - 0.242 [01/Aug/2013:11:02:01 +0800] "foo.bar.com"
> "-" 400 0 "-" "-" "-"
>

A lot of 400 errors are caused by modern web browsers which often open
multiple connections and shut down some of them without sending out
requests. And some load-balancers or health checkers may also do
something like this.

To further confirm the actual reasons, you'd better write a tool based
on sysemtap or dtrace to trace your live nginx worker processes. You
can take a look at my Nginx Systemtap Toolkit:

https://github.com/agentzh/nginx-systemtap-toolkit

Regards,
-agentzh

agentzh

Hello!

On Mon, Aug 5, 2013 at 5:19 AM, microwish wrote:
> Now I'm sure that "400" entries in access log are caused by SSL connections,
> which either finish SSL handshakes without sending any more data, or even do
> not finish SSL handshakes.
> Because most SSL processing includeing SSL handshakes consume much CPU
> resource, I want to kick those rubbish SSL connections away.
>
> Any suggestions? It seems like an impossible mission.
>

One common thing is SYN flooding attacks (or other DoS attacks).

Regards,
-agentzh

microwish

Yichun, thanks a lot for your reminding!

The most common cause for my case is that many mobile clients including mobile browers reject SSL cerf or fail to negotiate for some ciphers.

On Tuesday, August 6, 2013 2:41:27 AM UTC+8, agentzh wrote:

Hello!

On Mon, Aug 5, 2013 at 5:19 AM, microwish wrote:
> Now I'm sure that "400" entries in access log are caused by SSL connections,
> which either finish SSL handshakes without sending any more data, or even do
> not finish SSL handshakes.
> Because most SSL processing includeing SSL handshakes consume much CPU
> resource, I want to kick those rubbish SSL connections away.
>
> Any suggestions? It seems like an impossible mission.
>

One common thing is SYN flooding attacks (or other DoS attacks).

Regards,
-agentzh