在Node.js Express日志文件中找到奇怪的http请求 [英] Weird http request found in the Node.js Express log file

问题描述

我的第一个基于Node.js的公共网站(带有Express)几周前就进入了公共网站.我定期检查服务器日志，有时会有一些奇怪的记录. 以下是一些示例:

my first public Node.js based web site (with Express) went to public couple weeks ago. I routinely checked the server log and sometimes there are some weird records. Here are some examples:

- - - [Sat, 19 Oct 2013 08:44:38 GMT] "GET http://www.google.com/ HTTP/1.0" 200 3539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
222.205.7.245 - - [Sat, 19 Oct 2013 19:54:57 GMT] "GET http://www.wikipedia.org/ HTTP/1.1" 200 3539 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
223.94.178.192 - - [Sun, 20 Oct 2013 06:04:23 GMT] "GET http://www.sciencedirect.com/ HTTP/1.1" 200 3539 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"

这些是由express.logger生成的(记录器: http://www.senchalabs.org /connect/logger.html )的默认格式:

Those are generated by the express.logger (logger: http://www.senchalabs.org/connect/logger.html) in the default format:

default ':remote-addr - - [:date] ":method :url HTTP/:http-version" :status :res[content-length] ":referrer" ":user-agent"'

仅使用express.urlencoded()，并且在我的项目中未启用express.cookieParser和express.session.

Only express.urlencoded() is used and express.cookieParser and express.session are not enable in my project.

这是我的问题:

1. 为什么在日志中缺少remote-addr?在node.js + express上获得此信息会非常困难吗?
2. 似乎有人试图使用我的网站作为代理.他/她如何发送GET http://www.google.com之类的http请求?我应该如何阻止此类请求?
3. 基于服务器日志中的那些记录，我的Web服务器安全性是否足够?我应该在项目中使用头盔(github.com/evilpacket/helmet)还是CSRF(www.senchalabs.org/connect/csrf.html)?

1. Why remote-addr are missing in the log? Would it be extreme difficult to get this info on node.js + express?
2. It seems like someone tried to use my website as a proxy. How did he/she send a http request like GET http://www.google.com? And how should I block these kind of requests?
3. Based on those records in the server log, is my web server security enough? Should I use helmet (github.com/evilpacket/helmet) or CSRF (www.senchalabs.org/connect/csrf.html) in my project?

非常感谢.

推荐答案

您的服务器正在为这些请求发送回200条响应，因此它们似乎由您应用中的 some 路由处理(也许是包罗万象的路由；它总是返回3539字节，因此似乎是同一处理程序).不知道您的服务器为什么接受这些请求，很难说它是否安全.

Your server is sending back 200 responses for those requests, so they seem to be handled by some route in your app (perhaps a catch-all route; it's always returning 3539 bytes so it seems to be the same handler). Without knowing why your server is accepting those requests, it's difficult to say if it's secure or not.

您可以轻松地使用curl生成这样的请求:

You can easily use curl to generate requests like that:

curl --proxy YOURSERVER:THEPORT http://www.google.com

对于远程地址为空:抱歉，不知道:((也许是IPv6吗?否，通过IPv6传递的请求似乎被记录的很好)

As for the remote address being empty: sorry, don't know :( (perhaps IPv6? nope, requests passed over IPv6 seem to get logged just fine)

这篇关于在Node.js Express日志文件中找到奇怪的http请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！