2

My servers have been crashing recently. I am running two nginx servers on one shared server using Ruby Version Manager to tackle gem dependencies. Everything was going fairly smooth after I setup an .rvmrc to toggle calls made from the application. But once every couple days it will crash.

I think the reason may be that I'm pulling code, or restarting the other box. Not entirely sure. I went into the logs and found this, and found a really really strange link as the "referrer". No idea was a "referrer" is, and it definately has nothing to do with my site www.truejersey.com. I have no idea what these logs mean so just a simple explanation will suffice for an answer. Thanks so much!

2011/03/04 10:11:38 [info] 25504#0: *20008271 client closed prematurely connection, so upstream connection is closed too (104: Connection reset by peer) while sending request to upstream, client: 194.65.234.120, server: true.shadyfront.webfactional.com, request: "GET /pages/aboutjersey/photos/thumbs/nj-gazette.jpg HTTP/1.1", upstream: "http://127.0.0.1:11363/pages/aboutjersey/photos/thumbs/nj-gazette.jpg", host: "www.truejersey.com", referrer: "http://www.portalentretextos.com.br/colunas/recontando-estorias-do-dominio-publico/e-o-demonio-de-nova-jersey-o-decimo-terceiro-filho-de-deborah-leeds,236,4485.html"
2011/03/04 10:22:02 [info] 25503#0: *20018714 client 207.46.204.197 closed keepalive connection (104: Connection reset by peer)
2011/03/04 10:22:40 [info] 25503#0: *20019126 client 207.46.204.197 closed keepalive connection (104: Connection reset by peer)
2011/03/04 10:26:09 [info] 25503#0: *20022733 client 65.52.110.26 closed keepalive connection (104: Connection reset by peer)
2011/03/04 10:38:46 [error] 25503#0: *20034686 connect() failed (111: Connection refused) while connecting to upstream, client: 2.80.170.148, server: true.shadyfront.webfactional.com, request: "GET /pages/aboutjersey/photos/thumbs/nj-gazette.jpg HTTP/1.1", upstream: "http://127.0.0.1:11363/pages/aboutjersey/photos/thumbs/nj-gazette.jpg", host: "www.truejersey.com", referrer: "http://www.portalentretextos.com.br/colunas/recontando-estorias-do-dominio-publico/e-o-demonio-de-nova-jersey-o-decimo-terceiro-filho-de-deborah-leeds,236,4485.html"
2011/03/04 10:39:48 [error] 25503#0: *20035361 connect() failed (111: Connection refused) while connecting to upstream, client: 68.204.64.69, server: true.shadyfront.webfactional.com, request: "GET /pages/aboutjersey/photos/thumbs/tat6.jpg HTTP/1.1", upstream: "http://127.0.0.1:11363/pages/aboutjersey/photos/thumbs/tat6.jpg", host: "www.truejersey.com", referrer: "http://matthewraphaelmelvin.blogspot.com/2011/02/jersey-tattoos.html"
2011/03/04 10:39:48 [error] 25503#0: *20035371 connect() failed (111: Connection refused) while connecting to upstream, client: 68.204.64.69, server: true.shadyfront.webfactional.com, request: "GET /pages/aboutjersey/photos/thumbs/tat8.jpg HTTP/1.1", upstream: "http://127.0.0.1:11363/pages/aboutjersey/photos/thumbs/tat8.jpg", host: "www.truejersey.com", referrer: "http://matthewraphaelmelvin.blogspot.com/2011/02/jersey-tattoos.html"
2011/03/04 10:40:00 [error] 25503#0: *20035641 connect() failed (111: Connection refused) while connecting to upstream, client: 2.80.170.148, server: true.shadyfront.webfactional.com, request: "GET /pages/aboutjersey/photos/thumbs/nj-gazette.jpg HTTP/1.1", upstream: http://127.0.0.1:11363/pages/aboutjersey/photos/thumbs/nj-gazette.jpg", host: "www.truejersey.com", referrer: "http://www.portalentretextos.com.br/colunas/recontando-estorias-do-dominio-publico/e-o-demonio-de-nova-jersey-o-decimo-terceiro-filho-de-deborah-leeds,236,4485.html"
JeffG
  • 1,194
  • 6
  • 18
Trip
  • 205
  • 4
  • 9

2 Answers2

4

HTTP access logs are full of weird things; often, it's script kiddies or bots just spamming weird user agent strings or referrer URLs to see if yours is a web server that's got a known buffer overflow-type vulnerability. Unless you can consistently tie those weird log entries to a fault event in your system, they're typically not worth following up; most often, a genuine application or system crash will be accompanied by helpful (or at least expository) information in syslog. That's where I'd start looking.

Jeff Albert
  • 1,987
  • 9
  • 14
4

referrer is voluntarily sent in HTTP headers from the client/browser to the server, so the server logs can be used to determine things like how people are finding your site, etc. The problem is that since it is sent by the client, it cannot be trusted. A malicious client (or script kiddie) can forge this information.

JeffG
  • 1,194
  • 6
  • 18