0

Quite often i can see following request in nginx access log with 400 response code:

23.124.177.223 - - [26/May/2018:19:19:59 +0200] "\x97\x00\x00\x00G\xA0\x0B\xC9\xD2\x9C5\x95\xBF\x14\x8F\xEBj\xC8\x0EOqP\x09\xDB.\x8B\x1F\x8F3\x1C'\xA1pg\x22\xB9J\x19IFd\xFD\xC9L\x18z\xA3\xEE\x9AQ\x04\xD6\x22\x13]\xD4\xFD\xF03\x88'\xCC\xDB\x0F+\xC3{Ulds\x00\xA6\x10o\xD9\xFFMO\xA0\x08XL\xE1\xDE\xCA\xDB\x98\xAF\xB9\xE5\xAEU\xFB\x1B\xFD\x8F\x07\x0Bne\x03@\x16b4{\x958\xA8\x19\xD0&\x0E\x7F\x97SJ\x9E\x9F7\x7F\x8D\xC7\xCE\xD4+\xAA\x86%\x8F#\xEEB\x98G\x08\x13\x12\x06\xFDc/8\xC6\x8Dw\xFB\xBB\xBC\x97\xB9\xB9\xB3\xE2" 400 173 "-" "-"

Im aware it's automated vulnerability scanner, but im not sure what type of requests is and why nginx response with 400.

I already have following condition:

if ( $request_method !~ ^(GET|POST|HEAD)$ ) {
return 444; }

Is it a HEAD, any solution avoiding regex and yet blocking it (returning 444) ?

nginx -v 1.10.3

alex_rs
  • 1
  • 1
  • You should avoid using IF in Nginx - Google "Nginx if is evil" for details. For a better way see [this answer](https://serverfault.com/questions/637908/how-to-deny-post-to-a-url-in-nginx) – Tim May 27 '18 at 01:13
  • Agree, but this condition is used outside `location` directive. – alex_rs May 27 '18 at 23:14
  • If you have high scale, and it doesn't perform as well as you expect, you may want to review your config for things like this. – Tim May 28 '18 at 01:28

1 Answers1

0

That's not a request type at all. The 400 Bad Request is correct response for malformed request syntax. This error happens before your condition gets tested, being the reason you'd never see the (Nginx expanded error code) 444 No Response from your if directive.

Esa Jokinen
  • 46,944
  • 3
  • 83
  • 129