Default site configured for 444 returns 404

Jeffrey Walton noloader at gmail.com
Sun Aug 25 10:28:31 UTC 2024


On Sun, Aug 25, 2024 at 6:18 AM Steinar Bang <sb at dod.no> wrote:
>
> >>>>> Steinar Bang <sb at dod.no>:
>
> One piece of weirdness in the access.log.
>
> These two IP address requests for "/" returns 200.
>
> > 162.216.149.127 - - [23/Aug/2024:00:51:03 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 200 467 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multipleer day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo at paloaltonetworks.com"
> ...
> > 185.242.226.70 - - [23/Aug/2024:01:55:09 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 200 467 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrom324.190 Safari/537.36"
>
> While this one gets the expected 444:
>
> > 199.45.154.128 - - [23/Aug/2024:02:18:44 +0000] "<server's IPv4 address>" "GET / HTTP/1.1" 444 0 "-" "-"
>
> What's the difference between these two I wonder?
>
> Do I have more than one default config? (I think reloading the config
> would have failed then?
>
> The one that returns 444 has nothing in the server column, is that significant?

The first two which succeed have a user agent string ("Expanse..." and
"Mozilla/5.0..."). The third one which fails lacks the user agent
string ("-").

I'm not sure if that makes the difference in the behavior you are observing.

You may be able to test it with cURL or Wget. Here's how to fiddle
with the user agent with cURL:
<https://everything.curl.dev/http/modify/user-agent.html>; and Wget:
<https://www.gnu.org/software/wget/manual/wget.html#user_agent>.

Jeff


More information about the nginx mailing list