I would like some help with an Elastic Beanstalk error:
Environment health has transitioned from Ok to Severe. 81.8 % of the requests are erroring with HTTP 4xx.
I read some posts here and followed the WAF solution, so I created an ACL assigned to our CloudFront distribution and then created a rule blocking all requests whose HTTP method contains the word HEAD. When I try sending a HEAD request from Postman it works the way I want (I get a 403 error), but unfortunately the error is still there and every day I see lots of HEAD requests in the apache log.
List of requests:
[01/Aug/2017:07:42:09 +0000] "HEAD /mysql/dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:11 +0000] "HEAD /mysql/mysqlmanager/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:11 +0000] "HEAD /phpMyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:11 +0000] "HEAD /phpmyAdmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:12 +0000] "HEAD /phpmyadmin3/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:13 +0000] "HEAD /2phpmyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:13 +0000] "HEAD /phppma/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:14 +0000] "HEAD /shopdb/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:15 +0000] "HEAD /program/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:15 +0000] "HEAD /dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:16 +0000] "HEAD /db/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:16 +0000] "HEAD /mysql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:17 +0000] "HEAD /db/phpmyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:17 +0000] "HEAD /sqlmanager/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:18 +0000] "HEAD /php-myadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:19 +0000] "HEAD /mysqladmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:19 +0000] "HEAD /admin/phpmyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:20 +0000] "HEAD /admin/sysadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:20 +0000] "HEAD /admin/db/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:21 +0000] "HEAD /admin/pMA/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:22 +0000] "HEAD /mysql/db/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:23 +0000] "HEAD /mysql/pMA/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:24 +0000] "HEAD /sql/php-myadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:24 +0000] "HEAD /sql/sql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:25 +0000] "HEAD /sql/webadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:26 +0000] "HEAD /sql/websql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:30 +0000] "HEAD /sql/sqladmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:30 +0000] "HEAD /sql/phpmyadmin2/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:31 +0000] "HEAD /sql/phpMyAdmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:38 +0000] "HEAD /db/webadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:43 +0000] "HEAD /db/websql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:49 +0000] "HEAD /db/dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:49 +0000] "HEAD /db/phpmyadmin3/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:51 +0000] "HEAD /db/phpMyAdmin-3/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:52 +0000] "HEAD /administrator/phpMyAdmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:52 +0000] "HEAD /administrator/web/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:54 +0000] "HEAD /administrator/PMA/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:54 +0000] "HEAD /phpMyAdmin2/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:55 +0000] "HEAD /phpMyAdmin4/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:55 +0000] "HEAD /php-my-admin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:56 +0000] "HEAD /PMA2012/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:56 +0000] "HEAD /PMA2014/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:57 +0000] "HEAD /PMA2016/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:57 +0000] "HEAD /PMA2018/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:58 +0000] "HEAD /PMA2012/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:59 +0000] "HEAD /PMA2014/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:00 +0000] "HEAD /pma2016/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:01 +0000] "HEAD /pma2018/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:01 +0000] "HEAD /phpmyadmin2012/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:02 +0000] "HEAD /phpmyadmin2014/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:02 +0000] "HEAD /phpmyadmin2016/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:04 +0000] "HEAD /phpmyadmin2018/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
Thanks for your help.
I contacted AWS Support directly, and this is the solution they gave me:
I looked at the logs you posted just in case, and I found that the agent is Jorgee, which is a common malware agent. I came across a blog about this agent [1]; although it is not official, I got some insight into it from there.
In an Elastic Beanstalk environment instance, a daemon called "healthd" monitors health by watching a special log file. If the daemon finds lots of 4xx in this file, the environment goes into the "Severe" state.
$ sudo tail /var/log/nginx/healthd/application.log.2017-08-21-07
1503299631.249"/asdf"404"0.075"0.075"-
1503299631.379"/asdf"404"0.002"0.002"-
I see that you launched the environment with the solution stack "64bit Amazon Linux 2017.03 v2.7.2 running Docker 17.03.1-ce", so I would like to provide a workaround for this issue for that solution stack.
In the solution stack "64bit Amazon Linux 2017.03 v2.7.2 running Docker 17.03.1-ce", the log format above is defined in "/etc/nginx/nginx.conf" and used in "/etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf".
So you can configure nginx in the environment to ignore requests whose HTTP status is 404 or 403. Please try adding the following configuration file under the .ebextensions directory of your application source bundle.
.ebextensions/healthd_ignore_4xx.config
files:
  "/etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      # modification No.1
      map $status $logflag {
        404 0;
        403 0;
        default 1;
      }

      map $http_upgrade $connection_upgrade {
        default "upgrade";
        "" "";
      }

      server {
        listen 80;

        gzip on;
        gzip_comp_level 4;
        gzip_types text/html text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        # the backslashes in \d are required; they are easily lost when the file is copied from a web page
        if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
          set $year $1;
          set $month $2;
          set $day $3;
          set $hour $4;
        }

        # modification No.2
        # access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
        access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd if=$logflag;
        access_log /var/log/nginx/access.log;

        location / {
          proxy_pass http://docker;
          proxy_http_version 1.1;

          proxy_set_header Connection $connection_upgrade;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
      }
This configuration replaces the default /etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf file with the content you define. The modifications I made are:
- No.1: Added a map directive that maps $status to $logflag. When the request is a 404 or 403, $logflag is set to 0.
- No.2: Added if=$logflag to the access_log directive [2]. The health monitoring log is written only when the HTTP status is not 404 or 403.
After deploying a new version of the application with the ebextensions configuration above, your environment status will not be affected by invalid 404 or 403 requests.
References:
[1]: http://www.skepticism.us/2015/05/new-malware-user-agent-value-jorgee/
[2]: http://nginx.org/en/docs/stream/ngx_stream_log_module.html#access_log
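To see what the map/if=$logflag change does to the figure healthd reacts to, here is an added example (my own, not part of the answer or of AWS's tooling) that parses lines in the application.log layout shown above and computes the 4xx share before and after dropping the 404/403 lines. The log lines are constructed, and the ratio is an approximation of the health calculation, not healthd's actual code.

```python
"""Approximate the 4xx share that healthd reads from application.log, with and
without the 404/403 filter that the `map`/`if=$logflag` change above introduces."""
import re

# Line layout seen in /var/log/nginx/healthd/application.log.* (see the tail output above):
#   <unix_ts>"<uri>"<status>"<request_time>"<upstream_time>"<extra>
HEALTHD_LINE = re.compile(r'^(?P<ts>\d+(?:\.\d+)?)"(?P<uri>[^"]*)"(?P<status>\d{3})"')

# Constructed sample: three ordinary requests plus a burst of scanner probes
SAMPLE_LOG = """\
1503299631.249"/"200"0.075"0.075"-
1503299631.379"/api/items"200"0.002"0.002"-
1503299632.001"/mysql/dbadmin/"404"0.001"0.001"-
1503299632.102"/phpMyAdmin/"404"0.001"0.001"-
1503299632.203"/admin/db/"404"0.001"0.001"-
1503299632.304"/sql/websql/"404"0.001"0.001"-
1503299632.405"/PMA2018/"403"0.001"0.001"-
1503299632.506"/login"401"0.003"0.003"-
"""

def parse(log_text):
    """Yield (uri, status) for every well-formed healthd line; junk lines are skipped."""
    for line in log_text.splitlines():
        m = HEALTHD_LINE.match(line)
        if m:
            yield m.group("uri"), int(m.group("status"))

def logflag(status):
    """Mirror of `map $status $logflag`: 404 and 403 map to 0 (not logged), else 1."""
    return 0 if status in (404, 403) else 1

def client_error_ratio(log_text, apply_map=False):
    """Fraction of logged requests with a 4xx status. With apply_map=True the
    lines nginx would no longer write (logflag == 0) are dropped first."""
    rows = [(u, s) for u, s in parse(log_text) if not apply_map or logflag(s)]
    if not rows:
        return 0.0
    return sum(1 for _, s in rows if 400 <= s < 500) / len(rows)

if __name__ == "__main__":
    print(f"4xx share before the change: {client_error_ratio(SAMPLE_LOG):.1%}")
    print(f"4xx share after the change:  {client_error_ratio(SAMPLE_LOG, apply_map=True):.1%}")
```

Note that the 401 on /login still counts after the change: the filter hides only 404 and 403, so genuine client errors produced by your own application continue to affect environment health.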
In my case I had no response on the root (/), so I just added a dummy page in spring-boot and my ELB issue went away.
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class RootController { // wrapping controller class added so the snippet compiles; the name is arbitrary
    @GetMapping("/")
    @ResponseBody
    public String sayHello() {
        return "hello";
    }
}
To fix this,
I changed the Elastic Beanstalk load balancer to an application-level one and enabled the WAF integration.
In WAF I defined the following rules to block the malware requests.
URI contains: "/pma" after converting to lowercase.
URI contains: "/sql" after converting to lowercase.
URI contains: "/admin" after converting to lowercase.
URI ends with: "php" after converting to lowercase.
URI contains: "/mysql" after converting to lowercase.
URI contains: "/db" after converting to lowercase.
URI contains: "/2phpmyadmin/ " after converting to lowercase.
URI contains: "/shopdb/ " after converting to lowercase.
URI contains: "/php" after converting to lowercase.
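The following is an added check, not part of the answer above, that applies the listed rules (lowercase first, then substring or suffix match, as the rule descriptions state, with the values copied exactly, including the two trailing spaces) to a constructed subset of the probes from the question's Apache log and reports which probes pass and which legitimate paths would be blocked as well.

```python
"""Evaluate the WAF string-match rules listed above against HEAD probes taken from
the question's Apache log, to see which scanner paths they block and which pass."""
import re

# Shape of the lines posted in the question: [time] "METHOD path HTTP/x" status bytes "referer" "ua"
ACCESS_LINE = re.compile(
    r'^\[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: six of the question's probes plus two ordinary requests
SAMPLE_LOG = """\
[01/Aug/2017:07:42:09 +0000] "HEAD /mysql/dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:11 +0000] "HEAD /phpMyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:14 +0000] "HEAD /shopdb/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:15 +0000] "HEAD /program/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:21 +0000] "HEAD /admin/pMA/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:56 +0000] "HEAD /PMA2012/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:43:10 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11)"
[01/Aug/2017:07:43:11 +0000] "GET /dashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11)"
"""

# The rule values exactly as listed, including the trailing space inside two of them
CONTAINS = ["/pma", "/sql", "/admin", "/mysql", "/db", "/2phpmyadmin/ ", "/shopdb/ ", "/php"]
ENDS_WITH = ["php"]

def waf_blocks(path):
    """'Convert to lowercase, then substring / suffix match', as the rules describe."""
    p = path.lower()
    return any(s in p for s in CONTAINS) or any(p.endswith(s) for s in ENDS_WITH)

def parse(log_text):
    """Dicts of the named groups for every line that matches the posted format."""
    return [m.groupdict() for m in map(ACCESS_LINE.match, log_text.splitlines()) if m]

def evaluate(log_text):
    """Split the log into scanner probes the rules block, probes that pass, and
    legitimate requests the rules would block as well (false positives)."""
    blocked, passed, false_pos = [], [], []
    for r in parse(log_text):
        hit = waf_blocks(r["path"])
        is_probe = r["method"] == "HEAD" and r["status"].startswith("4")
        if is_probe:
            (blocked if hit else passed).append(r["path"])
        elif hit:
            false_pos.append(r["path"])
    return blocked, passed, false_pos
```

With the values as listed, /shopdb/ and /program/ pass (the "/shopdb/ " value never matches because of its trailing space), and the "ends with php" rule would block every page of a PHP application, so adjust the list to your own site before enabling it.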