
My Apache web server logged following messages to access.log:

46.22.173.131 - - [23/Dec/2014:15:34:54 +0100] "GET http://pl.wikipedia.org/wiki/Special:Search?search=&go=Go HTTP/1.1" 302 482 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
182.254.156.77 - - [23/Dec/2014:16:53:22 +0100] "GET http://www.ly.com/ HTTP/1.1" 302 433 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
182.254.208.62 - - [23/Dec/2014:17:57:49 +0100] "GET http://www.ly.com/ HTTP/1.1" 302 433 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"

I have two Virtualhosts defined - one for port 80 which just redirects to 443 ... and the Virtualhost for port 443 which logs into ssl_access.log.

I do not understand what these logs mean. Was someone trying to get to these URLs through my web server?

Please help me understand those logs.

Merry Christmas everyone!

Craig Watson
Matthias
  • See: http://www.linuxquestions.org/questions/linux-security-4/url-not-uri-in-apache-access-log-793642/ – Craig Watson Dec 24 '14 at 10:18
  • possible duplicate of [Access log of nginx: why are foreign URLs logged?](http://serverfault.com/questions/586619/access-log-of-nginx-why-are-foreign-urls-logged) – alexia Dec 24 '14 at 13:14

3 Answers


http://wiki.apache.org/httpd/ProxyAbuse:

Why do I see requests for foreign sites appearing in my log files?

An access_log entry showing this situation could look like this:

63.251.56.142 - - [25/Jul/2002:12:48:04 -0700] "GET http://www.yahoo.com/ HTTP/1.0" 200 1456

For this log line, the 200 code (second to last field in this example) indicates that the request was successful – but see below for an explanation of what “success” means in this situation.

This is usually the result of malicious clients trying to exploit open proxy servers to access a website without revealing their true location. They could be doing this to manipulate pay-per-click ad systems, to add comment or link-spam to someone else's site, or just to do something nasty without being detected.

It is important to prevent your server from being used as an open proxy to abuse other sites.

faker
  • Okay. This explains what is going on there. Next question would be how to prevent this. – Matthias Dec 24 '14 at 11:03
  • Prevent people from requesting it? You can't. You can create a default VirtualHost which only throws 404s for such requests and logs to another log file. But in the end there will always be scanners trying to exploit your server like this. It's the background noise of the internet. – faker Dec 24 '14 at 11:07
  • I understand. Is there an example configuration for such a `VirtualHost` configuration somewhere? – Matthias Dec 24 '14 at 11:11
  • Check out: http://serverfault.com/questions/231438/how-do-i-configure-the-default-virtual-host-return-a-404-header-in-apache – faker Dec 24 '14 at 11:14
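To tell these proxy probes apart from ordinary traffic in bulk (and to spot the one case that actually matters, a 2xx for a foreign URL, which would mean the server really did proxy it), here is a small log filter. It is an added example, not code from the question, the answer or the Apache wiki; the log lines are constructed from the three in the question plus two ordinary relative-path requests, and the combined-log regex assumes the stock Apache `combined` format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the three lines from the question plus two normal
# relative-path requests, so the filter has both kinds to classify.
SAMPLE_LOG = """\
46.22.173.131 - - [23/Dec/2014:15:34:54 +0100] "GET http://pl.wikipedia.org/wiki/Special:Search?search=&go=Go HTTP/1.1" 302 482 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
182.254.156.77 - - [23/Dec/2014:16:53:22 +0100] "GET http://www.ly.com/ HTTP/1.1" 302 433 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
182.254.208.62 - - [23/Dec/2014:17:57:49 +0100] "GET http://www.ly.com/ HTTP/1.1" 302 433 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
198.51.100.7 - - [23/Dec/2014:18:01:02 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Dec/2014:18:01:03 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one access_log line into its fields; None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["target"] = parts[1] if len(parts) > 1 else ""
    return rec


def is_proxy_style(method, target):
    """A request-target with a scheme (absolute-form, e.g. http://www.ly.com/) or a
    CONNECT tunnel request is how a client asks a server to act as a proxy."""
    return method.upper() == "CONNECT" or bool(re.match(r"(?i)^https?://", target))


def find_proxy_probes(log_text):
    """Return the parsed records whose request line is proxy-style."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_proxy_style(rec["method"], rec["target"]):
            rec["foreign_host"] = urlsplit(rec["target"]).hostname or rec["target"]
            probes.append(rec)
    return probes


def proxied_successfully(rec):
    """A 2xx answer to an absolute-URI request is the sign the Apache wiki warns
    about: the server may really have fetched the foreign site for the client."""
    return rec["status"].startswith("2")


def summarize(probes):
    """Counts per client IP and per foreign host, plus how many got a 2xx."""
    return {
        "by_ip": Counter(p["ip"] for p in probes),
        "by_host": Counter(p["foreign_host"] for p in probes),
        "served": sum(proxied_successfully(p) for p in probes),
    }


if __name__ == "__main__":
    report = summarize(find_proxy_probes(SAMPLE_LOG))
    print("proxy-style requests by client:", dict(report["by_ip"]))
    print("foreign hosts requested:", dict(report["by_host"]))
    print("answered with 2xx (worth investigating):", report["served"])
```

Run it against a real log with `find_proxy_probes(open("access.log").read())`; for the question's lines every probe was answered with a 302 (the HTTPS redirect), so `served` is 0 and nothing was proxied.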

In addition to the great answer from faker, the 302 response code is because of the HTTPS redirect you have configured.

To verify if you are vulnerable to the same exploit via HTTPS, run these commands [source]:

openssl s_client -connect yourdomain.com:443
[wait for the connection to initialise]
GET http://www.yahoo.com/ HTTP/1.1
Host: www.yahoo.com

Or with curl:

curl -x https://domain.name.here:443 http://www.google.de

As per the Apache documentation, you should not receive content from yahoo.com and should either display a 404 or 403 response. If this happens, these logs are nothing to worry about and are more than likely automated scanning done by bots.
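The same check as the openssl session above, scripted so it can be repeated after every config change. This is an added example, not part of the answer: it sends exactly the absolute-form request plus `Host` header shown above to your own HTTPS vhost and classifies the status line the way the answer describes (403/404 or a local redirect means closed, a 2xx needs a look at the body). `server`, `foreign_host` and the `verify` flag are this example's own parameters.

```python
import socket
import ssl


def build_probe_request(foreign_host, path="/"):
    """The request typed by hand in the openssl s_client session: absolute-form
    target plus a Host header naming the foreign site."""
    return (
        f"GET http://{foreign_host}{path} HTTP/1.1\r\n"
        f"Host: {foreign_host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status_line(raw):
    """Return the numeric status from a raw HTTP response, or None if the bytes
    do not start with an HTTP status line."""
    first = raw.split(b"\r\n", 1)[0]
    parts = first.split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def interpret(status):
    """Map the status to the verdict the answer describes."""
    if status is None:
        return "no HTTP response"
    if status in (400, 403, 404):
        return "closed: proxy-style request refused"
    if 300 <= status < 400:
        return "closed: redirected (the HTTPS/port-80 redirect case in the question)"
    if 200 <= status < 300:
        return "2xx: inspect the body, foreign content here would mean an open proxy"
    return f"unexpected status {status}"


def probe(server, port=443, foreign_host="www.example.com", verify=True, timeout=5):
    """Connect to your own server over TLS, send the probe, return (status, verdict).
    verify=False mirrors openssl s_client, which does not check the certificate;
    use it only for a self-signed test host."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((server, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server) as tls:
            tls.sendall(build_probe_request(foreign_host))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    status = parse_status_line(b"".join(chunks))
    return status, interpret(status)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com"  # placeholder host
    print(probe(host))
```

A closed server answers the probe with 403/404 (or the redirect you configured); the wiki's warning case is a 2xx whose body is the foreign site's page rather than your own, which the script flags for manual inspection rather than guessing.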

Matthias
Craig Watson

As @faker notes, it is important to configure your web server so that it can't be used as a public proxy. That should be the default behavior (i.e., proxying disabled) unless you've explicitly enabled one or more of the proxy modules (look at your httpd.conf for LoadModule statements that refer to proxy modules) and have added the relevant Proxy directives. Nonetheless, if you want such requests to be explicitly blocked and logged as such, then you can do what I did and add lines like these to your httpd.conf or .htaccess file:

# There is some seriously broken malware that attempts to proxy via our web
# server to www.baidu.com, planeta.ru, etc. The proxy attempt per se isn't
# broken (although we don't allow proxying via this web server). It's that
# only the first request makes any sense. Subsequent requests mangle both the
# HTTP_HOST and REQUEST_URI into nonsensical strings. Eventually the request
# is so mangled Apache responds with a 403 status.
#
# So check the request line to see if it looks like an attempt to proxy via
# our web server. Since we don't allow proxying nip the insanity in the bud.
RewriteCond %{THE_REQUEST} ^GET\s+https?:// [NC]
RewriteRule ^ blocked.php [NC,END,E=REASON:proxy-probe]

I have a "blocked.php" script that provides a custom response page including the REASON env var but you could just as well replace that rule with

RewriteRule ^ - [NC,L,R=403]

Kurtis Rader