Solved

Vhosts and log mystery

Posted on 2007-12-03
Last Modified: 2010-04-21
I am running Apache 2.0 on Fedora Core 4. I have set up several vhosts and all is working fine. My understanding is that when vhosts are used the original web directory (/var/www/html) is disabled. In fact I have put a simple index.html there and I cannot see it from a browser at all. If I try to access my IP address directly, I get the first vhost defined in my httpd.conf file as I would expect. However I am getting occasional entries in my log file at /var/log/httpd/access_log. They tend to look like this -

66.6.223.34 - - [26/Nov/2007:18:39:24 -0700] "GET //drupal/xmlrpc.php HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.6.223.34 - - [26/Nov/2007:18:39:24 -0700] "GET //community/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.6.223.34 - - [26/Nov/2007:18:39:24 -0700] "GET //blogs/xmlrpc.php HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.6.223.34 - - [26/Nov/2007:18:39:24 -0700] "GET //blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

As though someone was looking for vulnerabilities. But how can any entry show up in this log when all of my vhosts each have their log in their vhost directory?
Thanks
Question by:modoor9

Expert Comment

by:giltjr
ID: 20400087
That I am aware of, /var/www/html is never "disabled".

The first thing I see that seems unusual to me (until I do some testing) is that the GETs have double forward slashes.  

Author Comment

by:modoor9
ID: 20408269
Here is an excerpt from the Apache 2.0 documentation-
-------------------
Main host goes away

If you are adding virtual hosts to an existing web server, you must also create a <VirtualHost> block for the existing host. The ServerName and DocumentRoot included in this virtual host should be the same as the global ServerName and DocumentRoot. List this virtual host first in the configuration file so that it will act as the default host.
-------------------

Since it should not be possible to access the web page at /var/www/html (I have not been able to), it is certainly puzzling that there are log entries for it.

Thanks.

Expert Comment

by:giltjr
ID: 20408653
Are you set up for SSL?

What are your logging options?  I just noticed that you are getting 404 errors and in my setup when I get page not found errors these go to my error log.

Author Comment

by:modoor9
ID: 20414444
Thank you for your help.

I am not using SSL.
Here are the corresponding entries found in /var/log/httpd/error_log -

[Mon Nov 26 18:39:24 2007] [error] [client 66.6.223.34] File does not exist: /var/www/html/drupal
[Mon Nov 26 18:39:24 2007] [error] [client 66.6.223.34] File does not exist: /var/www/html/community
[Mon Nov 26 18:39:24 2007] [error] [client 66.6.223.34] File does not exist: /var/www/html/blogs
[Mon Nov 26 18:39:24 2007] [error] [client 66.6.223.34] File does not exist: /var/www/html/blogtest


Here is where the vhosts are set up in httpd.conf -
------------------
NameVirtualHost 64.79.xxx.xxx:80

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain1.com
DocumentRoot /var/vhosts/domain1.com/html
ServerAlias "www.domain1.com"
CustomLog "/var/vhosts/domain1.com/access_log" "combined"
ErrorLog "/var/vhosts/domain1.com/error_log"
</VirtualHost>

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain12.com
DocumentRoot /var/vhosts/domain2.com/html
ServerAlias "www.domain2.com"
ScriptAlias /cgi-bin/ "/var/vhosts/domain2.com/cgi-bin/"
CustomLog "/var/vhosts/domain2.com/access_log" "combined"
ErrorLog "/var/vhosts/domain2.com/error_log"
</VirtualHost>

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain3.net
DocumentRoot /var/vhosts/domain3.net/html
ServerAlias "www.domain3.net"
CustomLog "/var/vhosts/domain3.net/access_log" "combined"
ErrorLog "/var/vhosts/domain3.net/error_log"
</VirtualHost>
---------------

All the logs are defined to exist under the vhost directory, so I don't know what activity could cause an entry to be written to the logs at /var/log/httpd/.
Anything that I don't understand makes me nervous about security.

Thanks.

Expert Comment

by:giltjr
ID: 20414557
What do you have for "Listen"?
How many IP addresses does this box have?

Expert Comment

by:giltjr
ID: 20414633
What I think is happening, I have to test, is that you have "Listen 80" and you have more than one IP address on this box.

With

     NameVirtualHost 64.79.xxx.xxx:80

and all your virtual servers set up with 64.79.xxx.xxx:80, only that IP address is being used for your named servers.

If you have a second (or more) IP address on that box, it will use the "defaults".  So say you have a second IP address of 10.1.1.1, and you do http://10.1.1.1, you will use the default non-virtual settings.

If I am correct you will need to change "Listen 80" to "Listen 64.79.xxx.xxx:80" or change all instances of "64.79.xxx.xxx:80" to "*:80".

If you read the NameVirtualHost directive it does imply this:

Note, that the "main server" and any _default_ servers will never be served for a request to a NameVirtualHost IP address (unless for some reason you specify NameVirtualHost but then don't define any VirtualHosts for that address).

In your case, 64.79.xxx.xxx port 80 is the NameVirtualHost IP address.  If Apache is listening on an IP address other than that, the above implies that the non-VirtualHost stuff will be used.

Accepted Solution

by:
giltjr earned 250 total points
ID: 20414716
O.K. I just did a test and I had:

Listen 80
NameVirtualHost 10.1.1.1:80
<VirtualHost 10.1.1.1:80>
ServerName dummy
DocumentRoot /www/dummy
CustomLog "/var/log/dummy_access"
ErrorLog "/var/log/dummy_error"
</VirtualHost>

and the normal "default" for non-virtual hosts.  The computer had two IP addresses, 10.1.1.1 and 10.1.1.2.  When I did http://dummy, I got the virtual host stuff, when I did http://10.1.1.2 I got the default apache stuff.

So, I am going to assume, for right now, that you have "Listen 80" and that this PC has more than one IP address and somebody is accessing it using the "other" IP address.
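
The mismatch described in this answer can be checked mechanically. The following is an added example, not code from the thread or from Apache: it lists every address and port that Apache listens on but that no <VirtualHost> covers, which are the sockets the main server and the global logs under /var/log/httpd/ answer. The 192.0.2.x addresses, the sample config and the function names are constructed for illustration, and only IPv4 is handled.

```python
import re

# Constructed httpd.conf excerpt modelled on the thread. 192.0.2.x are
# documentation addresses standing in for the masked 64.79.xxx.xxx.
SAMPLE_CONF = """\
Listen 80
NameVirtualHost 192.0.2.10:80
<VirtualHost 192.0.2.10:80>
ServerName domain1.com
CustomLog "/var/vhosts/domain1.com/access_log" "combined"
</VirtualHost>
"""
# Assumed: the three addresses bound to the VPS (the poster says it has 3).
LOCAL_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]


def parse_endpoint(token):
    """Split 'port', 'addr' or 'addr:port' (IPv4 only) into (addr, port)."""
    token = token.strip('"')
    if token.isdigit():                 # "Listen 80": every address
        return ("*", token)
    addr, sep, port = token.rpartition(":")
    return (addr, port) if sep else (token, "*")   # no port: any port


def fallthrough_endpoints(conf_text, local_ips):
    """Return the (ip, port) pairs Apache listens on that no <VirtualHost>
    covers; the main server and its global logs answer those."""
    listens, vhosts = [], set()
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#"):        # skip comment lines
            continue
        m = re.match(r"listen\s+(\S+)", line, re.I)
        if m:
            listens.append(parse_endpoint(m.group(1)))
        m = re.match(r"<virtualhost\s+([^>]+)>", line, re.I)
        if m:
            vhosts.update(parse_endpoint(t) for t in m.group(1).split())
    uncovered = set()
    for addr, port in listens:
        for ip in (local_ips if addr == "*" else [addr]):
            if not any(va in (ip, "*", "_default_") and vp in (port, "*")
                       for va, vp in vhosts):
                uncovered.add((ip, port))
    return sorted(uncovered)


if __name__ == "__main__":
    for ip, port in fallthrough_endpoints(SAMPLE_CONF, LOCAL_IPS):
        print(f"{ip}:{port} is served by the main server, not a vhost")
```

Narrowing Listen to the vhost address, or adding a catch-all vhost for the remaining addresses, makes the function return an empty list.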

Author Closing Comment

by:modoor9
ID: 31412420
You are absolutely correct. This is a Virtual Private Server that has 3 IP addresses. I never use the other two so I forgot all about them.
Thanks