gmer3.itd.sterling.com/home.htm in the access log

Benn Boulton bboulton at skippingstone.com
Thu Jun 3 18:52:19 UTC 2021 

Hi,

Currently… The posts are coming from the  same computer that is hosting NGINX  that passes the requests to an external server.
Eventually…  NGINX will be run on the same computer with Apache and will also function as a load balancer for multiple servers. One being the same as NGINX and other external  servers.
The posts are from a custom poster process that is an .EXE run from the windows command prompt or a process that calls the POSTER executable.
C:\POSTER> Poster h:http://localhost/cr-bin/mp.exe f:test.txt
h: is the host to send to
f: is the file with the payload to be sent to the final destination which is the mp.exe on the server listed in the proxy_pass parameter.

Everything looks to work as it should.  But the ‘gmer3.itd.sterling.com/home.htm’ Log entries are just not what I expect to see.
I  am installing NGINX to rate limit a customer that is sending multiple posts so fast that we occasionally miss one, and hope this will resolve that.
Again, the proxy redirect is working, just the log entries is what prompted my asking.

Thanks,
- Benn
From: nginx <nginx-bounces at nginx.org> On Behalf Of Moshe Katz
Sent: Thursday, June 3, 2021 1:29 PM
To: nginx at nginx.org
Subject: Re: gmer3.itd.sterling.com/home.htm in the access log

Benn,

I guess my explanation wasn't clear enough, so I'll try again.

That value is not coming from anywhere in your server's configuration - it has nothing to do with proxy_pass or anything else. It is the value of the "Referer" header that is in the incoming request.

First, are these log lines from requests that you are making to the server yourself, or are they coming from someone else?

If it is your own traffic, where are you making your requests from? Is it a page in a web browser, or is it some other tool?

If it is a web browser, that is usually the URL of the web page that is open in the browser. For example, if I have a website at `example.com/page.html`<https://url.emailprotection.link/?bDBb9TVOKiqDPh_SUvfalWM90G6wcWScPnK_EVq6xVxh-Jq5ndDGgvfcC5U_tqxpluRe5jF35zSgN416HI1RIHw~~> with a form on it that submits to your server, the value in that place in the logs will be `https://example.com/page.html`<https://url.emailprotection.link/?bMe1AJs-bSscT1yazCR9XS0kzX52Qa1-DwoIBV-QK8xxhHB1slVsgthl_uC3ltg7Vu05wQoXQi9lo9go4OQWCbA~~> so that your server can see where the request came from.

Moshe

On Thu, Jun 3, 2021 at 1:18 PM Benn Boulton <bboulton at skippingstone.com<mailto:bboulton at skippingstone.com>> wrote:
Hello Moshe,

Thanks for the reply.  I guess I was not clear enough in my post.  I know the /cr-bin/mp.exe is part of the POST request.
 What I do not understand is where the  gmer3.itd.sterling.com/home.htm<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct> is coming from. It is not my proxy_pass value.
It is not part of the POST request or part of the nginx proxy_pass or any thing I can find in my configuration.

Is my post being sent to both my proxy_pass value and this site in the log? Do I have a hacked nginx?

-Benn

From: nginx <nginx-bounces at nginx.org<mailto:nginx-bounces at nginx.org>> On Behalf Of Moshe Katz
Sent: Thursday, June 3, 2021 12:14 PM
To: nginx at nginx.org<mailto:nginx at nginx.org>
Subject: Re: gmer3.itd.sterling.com/home.htm<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct> in the access log

Benn,

That part of the log is not the request URL, it is the referrer header. The path that was requested on your server is before that - a POST request to "/cr-bin/mp.exe". The referrer (which the HTTP standard actually misspells as "referer") is the web page that is making this request to your server.

Moshe

On Thu, Jun 3, 2021 at 12:08 PM Benn Boulton <bboulton at skippingstone.com<mailto:bboulton at skippingstone.com>> wrote:
Hello,
I have just installed the NGINX service to help rate limit connections to my Apache server on Windows.
NGNIX 1.19.10 on Windows 10 64 bit

Everything seems to be working fine but I am getting access log entries that I do not understand for the pages I am redirecting.
I am running a process that posts to the server. NGNIX is processing the request and passing it to the destination server but it is not gmer3.itd.sterling.com/home.htm<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct> as shown in the access log entries below.
Any Idea why
127.0.0.1 - t_skipstone [03/Jun/2021:10:30:07 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:31:07 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:33:35 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:37:42 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:55:03 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:56:34 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm<https://url.emailprotection.link/?bD5H3QzZ3V5r-EeQ1owgpRQF9oV5l2NRIm985JaimcuSK9Ouf7HkyYPBjb_5XEDTDFQOhTH2rYvU2h1CLfmBEfM8_cgt7-mqSW8-5oZbZzhsOjFEa1jMAMRarOyYb8wct>" "brow v1.0 CCI"

Thanks
Benn

_______________________________________________
nginx mailing list
nginx at nginx.org<mailto:nginx at nginx.org>
http://mailman.nginx.org/mailman/listinfo/nginx<https://url.emailprotection.link/?b0r-C9_AUw48-Ch5rHbhyfCAxCuaEcGez1jSw3TSmi_yMSerkqszEs29ZeJ-9XHhKXFPzhIWSbHbDCNUmj6Tzf9mgNn_Pt2ohe5UJSMuWw0QP3IvnnyCmFlsv4r_rtY2d>
_______________________________________________
nginx mailing list
nginx at nginx.org<mailto:nginx at nginx.org>
http://mailman.nginx.org/mailman/listinfo/nginx<https://url.emailprotection.link/?b0r-C9_AUw48-Ch5rHbhyfCAxCuaEcGez1jSw3TSmi_yMSerkqszEs29ZeJ-9XHhKXFPzhIWSbHbDCNUmj6Tzf9mgNn_Pt2ohe5UJSMuWw0QP3IvnnyCmFlsv4r_rtY2d>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20210603/31b3a86c/attachment-0001.htm>

More information about the nginx mailing list