Access Module Question

Jim Ohlstein jim at ohlste.in
Fri Dec 25 21:41:48 MSK 2009


I recently had a spike in requests and saw many lines like this in the 
access log:

67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET 
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0 
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET 
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET 
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0 
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET 
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET 
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0 
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET 
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET 
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0 
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET 
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET 
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0 
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET 
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET 
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0 
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET 
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 
3.5.30729)"

So I added:

deny	67.249.108.42;

into nginx.conf in the "http" section where there are a few other banned 
IPs.

I ran

# nginx -s reload

I expected that this IP would be blocked but it kept showing up in the 
log. I reloaded a couple more times with no change. I restarted nginx 
and then that IP was indeed blocked and requests went down to normal. Is 
this expected behavior? Error log does show that the "reload" signal was 
received.

# tail -10000 /var/log/nginx-error* | grep signal | more
2009/12/25 13:16:53 [notice] 22620#0: signal process started
2009/12/25 13:18:40 [notice] 22673#0: signal process started
2009/12/25 13:19:58 [notice] 22693#0: signal process started
2009/12/25 13:25:22 [notice] 23629#0: signal process started

I'm running nginx 0.8.31 on FreeBSD 8.0.

-- 
Jim Ohlstein
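
Added example (not part of the original post): one way to confirm whether a "deny" rule is being enforced after a reload is to scan the access log for responses to the denied address, logged after the reload time, that are anything other than 403 (the status nginx returns for a request rejected by the access module). The sample log lines, the function names and the assumption that the error-log time is in the same -0500 zone as the access log are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, timestamp, status) for one access-log line, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def deny_leaks(lines, denied_ip, reload_time):
    """Count, per status code, responses to denied_ip after reload_time that were not 403."""
    leaks = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the combined format
        ip, ts, status = parsed
        if ip == denied_ip and ts > reload_time and status != 403:
            leaks[status] += 1
    return leaks

# Constructed sample, modelled on the log lines in the post (user agent shortened).
REQ = '"GET /forums/forumdisplay.php?s=&forumid=2 HTTP/1.1"'
SAMPLE_LOG = [
    f'67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] {REQ} 301 185 "-" "Mozilla/4.0"',
    f'67.249.108.42 - - [25/Dec/2009:13:17:10 -0500] {REQ} 301 185 "-" "Mozilla/4.0"',
    f'67.249.108.42 - - [25/Dec/2009:13:17:11 -0500] {REQ} 301 185 "-" "Mozilla/4.0"',
    f'192.0.2.10 - - [25/Dec/2009:13:17:12 -0500] {REQ} 200 5120 "-" "Mozilla/4.0"',
    f'67.249.108.42 - - [25/Dec/2009:13:26:05 -0500] {REQ} 403 169 "-" "Mozilla/4.0"',
    'truncated line without the expected fields',
]

# First "signal process started" entry from the error log; zone assumed to be -0500.
RELOAD_TIME = datetime.strptime("2009/12/25 13:16:53 -0500", "%Y/%m/%d %H:%M:%S %z")

if __name__ == "__main__":
    for status, count in sorted(deny_leaks(SAMPLE_LOG, "67.249.108.42", RELOAD_TIME).items()):
        print(f"{count} response(s) with status {status} after the reload")
```

An empty result means every request from the address logged after the reload was answered with 403.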


