Invalid Host header on Ubuntu 18.04 running Apache2 - linux

This is driving me insane!!
I'm running a web server on Ubuntu 18.04, and using plain ol Apache2. I've done countless searches and it all points to servers running other platforms, never the basic Apache2 system.
I have been trying to get the websites on my server going (virtual hosts) and have been having nothing but trouble getting each one to show when typing the url.
Anyway, I've been doing some tweaking here and there going by other suggestions here, and unfortunately, haven't kept track of what I have done. My memory is horrible due to some old man conditions I have, so I just can't remember where it all went wrong.
Here's what's happening:
All of my sites had been going to the same page on my server. But now, every site just brings up a blank page with
Invalid Host header
at the top left of the page.
That's it! I have gone through every error log on my system to no avail. All of the logs are showing the basics.
Here's the last line or two of each:
access.log: 192.168.86.1 - - [07/Jan/2022:08:39:33 -0700] "GET / HTTP/1.1" 200 447 "http://jonezhost.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"
error.log:
[Sat Jan 15 07:28:57.253840 2022] [mpm_prefork:info] [pid 23104] AH00164: Server built: 2022-01-05T14:50:41
[Sat Jan 15 07:28:57.253847 2022] [core:notice] [pid 23104] AH00094: Command line: '/usr/sbin/apache2'
[Sat Jan 15 07:51:10.359888 2022] [core:info] [pid 23104] AH00096: removed PID file /var/run/apache2/apache2.pid (pid=23104)
[Sat Jan 15 07:51:10.359916 2022] [mpm_prefork:notice] [pid 23104] AH00169: caught SIGTERM, shutting down
[Sat Jan 15 07:52:22.983318 2022] [mpm_prefork:notice] [pid 1458] AH00163: Apache/2.4.29 (Ubuntu) configured -- resuming normal operations
other_vhosts_access.log:
jonez.co:80 192.168.86.1 - - [13/Jan/2022:16:26:40 -0700] "GET /icons/folder.gif HTTP/1.1" 200 491 "http://24.51.60.170/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"
jonez.co:80 192.168.86.1 - - [13/Jan/2022:16:26:58 -0700] "GET /html/ HTTP/1.1" 200 447 "http://24.51.60.170/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"
jonez.co:80 87.251.64.141 - - [13/Jan/2022:16:38:03 -0700] "\x03" 400 497 "-" "-"
That's...it! The system logs aren't showing anything Apache based.
The only thing I can figure out that's remotely close is it's trying to run in SSL, and I don't have SSL set up yet.
So I'm clueless! And ANY help would be HUGELY appreciated!!! I'm disabled and unable to leave home most of the time, so this is all I got to keep me busy. It's just a hobby, but an important one to me.
Thanks!!!

FIXED IT!!! lol
Turns out the problem wasn't with my server at all. It was my router's port forwarding!
I use Google Home stuff and Google Wi-Fi points. I don't recall their names atm, but they're Google. (Probably a red flag right there! lol)
Anyway, I have two IP Addresses on my server (I'm not doing any mail or dns stuff, so really just need one). I had them both pointing towards different websites. And herein lies the issue.
My main IP for the server was 192.XXX.XXX.200, and the second was 192.XXX.XXX.202. But I wasn't pointing them correctly. They both needed to point to port 80. I had .200 pointing to 80 and .202 pointing to 8080. So there was some confusion when setting up my virtual hosts. Something happened, I don't remember what, that made me decide to use .202 as the primary IP for vHosts. Then in my /etc/hosts file, I used both IPs going to the same location - let's say example.com.
So, all I can think of is that the sites weren't seeing the .202 and using the .200 since it was first on the list. And the "Invalid Host Header" was showing up due to the IP address confusion.
So, I just removed the .200 from all the settings, removed the port forwarding for it and set .202 to use ports 80 and 8080, 10000 for Webmin (cool little script if you want to monitor things away from home), 25, yadda. The sites came right up!
I still have some cleaning up to do with everything that I have tried, but at least THAT issue is done and gone! And I also know that "Invalid Host Header" will come up for many reasons depending on the platform you are using. So this is just one thing for people to check when frantically trying to get their websites back up!
Thanks for all the responses with great help!

Related

Tomcat images broken on Windows

I have a Tomcat server running on Linux. When viewing a png on Chrome in Windows, this image looks like this
http://imgur.com/x08QkUD in contrast the image on any Unix system: http://imgur.com/OIk84Cb
As you can see it is totally corrupted. Viewing the image in any Unix system it looks just fine (Without all those yellow weird lines).
If I look at this in Firefox (Windows), the browser responds with "Cannot display this image because it contains errors"
Here is my request and response headers for this image (this is the same Response, Request as on a Unix system)
Request Method:GET
Status Code:200 OK
Response Headers
Accept-Ranges:bytes
Content-Length:15432
Content-Type:image/png
Date:Tue, 01 Sep 2015 17:21:23 GMT
ETag:W/"15432-1441113486000"
Last-Modified:Tue, 01 Sep 2015 13:18:06 GMT
Server:Apache-Coyote/1.1
Request Headers
Accept:image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Cache-Control:no-cache
Connection:keep-alive
Host:148.251.217.3
Pragma:no-cache
Referer:http://148.251.217.3/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135
Is there anything that I can change in Tomcat to change this weird behavior?
I am thinking of mimetype, compression, ...
I basically have the default configuration of Ubuntu 15.04 just now

hack attempts from IP 127.0.0.1 - is there an exploit to be aware of?

I have noticed numerous entries in Tomcat's local_access_log for various resources coming from IP address 127.0.0.1. These are clearly attempts to hack in. For example, here is a request to get access to the "manager" app:
127.0.0.1 - - [30/Apr/2015:13:35:13 +0000] "GET /manager/html HTTP/1.1" 401 2474
here is another one:
127.0.0.1 - - [30/Apr/2015:21:23:37 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 1016
When decoded, the URL is this:
127.0.0.1 - - [30/Apr/2015:21:23:37 0000] "POST /cgi-bin/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env="yes" -d cgi.fix_pathinfo=1 -d auto_prepend_file=php://input -n HTTP/1.1" 404 1016
There are lots of such entries, all from IP address 127.0.0.1. Obviously, since this is the address of localhost, I can't block it. Moreover, I am not sure if there is something that I can do about it. Is there possibly an exploit that should be patched up? For instance, is there a version of Tomcat that has a related vulnerability? I am running Tomcat 8.
Much thanks for any advice!
UPDATE: thanks for the suggestion about a proxy. Turned out that httpd was indeed installed and not surprisingly, there are suspicious requests. For example:
[Sat Mar 30 17:26:49 2013] [error] [client 5.34.247.59] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[Sat Mar 30 17:26:49 2013] [error] [client 5.34.247.59] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.0
[Sat Mar 30 17:26:49 2013] [error] [client 5.34.247.59] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.0
This is not a Windows system, so cmd.exe has no place on it...
If you have a proxy server running on your computer, that will often receive requests and then call the primary server using the localhost (127.0.0.1) interface.
This could explain why you're logging these requests.
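
The decoding step and the proxy explanation above can be turned into a small log triage. This is an added example, not code from the original posts: it percent-decodes each request target, tags the probe shapes quoted in the question, and marks entries whose client is loopback, meaning a local proxy relayed them. The rule names, the `triage` and `suspicious` helpers and the sample lines are assumptions made for illustration.

```javascript
// Added example (not from the original posts): triage of access-log lines.
// Assumes common log format: host ident user [time] "request" status bytes.
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+/;

// Indicators taken from the requests quoted on this page, matched after decoding.
const RULES = [
  { tag: 'php-cgi-option-injection', re: /\?-d\s+[\w.]+=/ },
  { tag: 'tomcat-manager-probe', re: /^\/manager\/(html|text|status)\b/ },
  { tag: 'path-traversal', re: /(^|\/)\.\.(\/|$)/ },
  { tag: 'windows-shell-probe', re: /cmd\.exe/i },
];

function decodeTarget(raw) {
  // '+' is a space in a query string; a malformed %-escape must not abort the scan.
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (err) {
    return raw;
  }
}

function triage(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // not an access-log line in the assumed format
  const [, client, request, status] = m;
  const parts = request.split(' ');
  // A well-formed request line is "METHOD target HTTP/x.y"; anything else is flagged.
  const wellFormed = parts.length === 3 && /^HTTP\/\d\.\d$/.test(parts[2]);
  const target = decodeTarget(wellFormed ? parts[1] : request);
  const tags = RULES.filter((r) => r.re.test(target)).map((r) => r.tag);
  if (!wellFormed) tags.push('malformed-request');
  // Loopback client: a local proxy relayed this; the real origin is in the proxy's log.
  const viaLoopback = client === '127.0.0.1' || client === '::1';
  return { client, status: Number(status), target, tags, viaLoopback };
}

// Constructed sample lines, shortened from the entries quoted in the question.
const SAMPLE = [
  '127.0.0.1 - - [30/Apr/2015:13:35:13 +0000] "GET /manager/html HTTP/1.1" 401 2474',
  '127.0.0.1 - - [30/Apr/2015:21:23:37 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E HTTP/1.1" 404 1016',
  '127.0.0.1 - - [30/Apr/2015:21:24:02 +0000] "GET /_mem_bin/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1016',
  '127.0.0.1 - - [30/Apr/2015:21:25:10 +0000] "GET /docs/a%zz HTTP/1.1" 404 1016',
  '127.0.0.1 - - [30/Apr/2015:21:26:00 +0000] "GET /index.jsp HTTP/1.1" 200 512',
];

function suspicious(lines) {
  return lines.map(triage).filter((r) => r && r.tags.length > 0);
}
console.log(suspicious(SAMPLE));
```

Every flagged entry here has `viaLoopback` set, so the address to act on has to come from the front proxy's own log, as the update to the question found.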

AngularJS tutorial can't open in Chrome Mac

Started official tutorial of AngularJS. It works fine in firefox, but can't open example and run tests on Chrome.
Chrome Version 34.0.1847.116
node --version v0.10.26
Mac OS X Version 10.9.2
Tried wget some json resource, it works.
wget http://localhost:8000/app/phones/phones.json
--2014-04-20 01:14:37-- http://localhost:8000/app/phones/phones.json
Resolving localhost (localhost)... ::1, 127.0.0.1, fe80::1
Connecting to localhost (localhost)|::1|:8000... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6845 (6.7K) [application/json]
Saving to: 'phones.json'
100%[======================================>] 6,845 --.-K/s in 0s
2014-04-20 01:14:37 (466 MB/s) - 'phones.json' saved [6845/6845]
HTTP logs:
Starting up http-server, serving ./ on port: 8000
Hit CTRL-C to stop the server
[Sat, 19 Apr 2014 22:14:37 GMT] "GET /app/phones/phones.json" "Wget/1.15 (darwin13.0.0)"
[Sat, 19 Apr 2014 22:16:06 GMT] "GET /app/phones/phones.json" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Firefox/24.0"
Same resource on Chrome:
Oops! Google Chrome could not connect to localhost:8000
Empty in Chrome Console and in Network:
Found solution for my case.
Firstly started looking for proxies. After sniffing around loopback interface with wireshark, found that localhost is linked to ::1. "::1" is 127.0.0.1 for IPv6.
Firefox somehow resolves the problem, but Chrome does not.
Simply add the line below to hosts file.
127.0.0.1 localhost
It fixes the problem.

How can I squelch Node JS's console logs for requests?

I don't want to see a log for every request the server receives when I'm testing (it makes reading the results much harder). Is there a simple way to start up Node so that it doesn't do that?
I'm referring to the lines that look like this just to be perfectly clear:
127.0.0.1 - - [Mon, 07 Jan 2013 15:59:52 GMT] "GET / HTTP/1.1" 200 1039 "-" "Mozilla/5.0 Chrome/10.0.613.0 Safari/534.15 Zombie.js/1.4.1"
NodeJS does not do this automatically.
Assuming you are using express, you need to remove the logger middleware. Remove this line:
app.use(express.logger());

403 / Forbidden on favicon with NodeJS / Express

I'm currently testing LocomotiveJS and have a very simple "hello world" app up
I thought I'd set up the connect favicon middleware, but when I visit any route ('/' for example) I get the following in the console:
127.0.0.1 - - [Tue, 17 Jul 2012 21:41:25 GMT] "GET / HTTP/1.1" 200 1491 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11"
Error: Forbidden
at SendStream.error (/Users/alex/Desktop/LocoTest/node_modules/express/node_modules/send/lib/send.js:142:16)
at SendStream.pipe (/Users/alex/Desktop/LocoTest/node_modules/express/node_modules/send/lib/send.js:307:52)
at Object.static (/Users/alex/Desktop/LocoTest/node_modules/express/node_modules/connect/lib/middleware/static.js:78:8)
at next (/usr/local/lib/node_modules/locomotive/node_modules/express/node_modules/connect/lib/http.js:204:15)
at pass (/usr/local/lib/node_modules/locomotive/node_modules/express/lib/router/index.js:219:24)
at Router._dispatch (/usr/local/lib/node_modules/locomotive/node_modules/express/lib/router/index.js:280:5)
at Object.middleware [as handle] (/usr/local/lib/node_modules/locomotive/node_modules/express/lib/router/index.js:45:10)
at next (/usr/local/lib/node_modules/locomotive/node_modules/express/node_modules/connect/lib/http.js:204:15)
at multipart (/Users/alex/Desktop/LocoTest/node_modules/express/node_modules/connect/lib/middleware/multipart.js:52:61)
at module.exports (/Users/alex/Desktop/LocoTest/node_modules/express/node_modules/connect/lib/middleware/bodyParser.js:57:9)
127.0.0.1 - - [Tue, 17 Jul 2012 21:41:25 GMT] "GET /favicon.ico HTTP/1.1" 403 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11"
Any idea what's causing this?
It looks like the send middleware is considering this request malicious because it's not the root and contains "..". I'm not sure why /favicon.ico would cause isMalicious to return true though. I'd suggest debugging into isMalicious and examining this._root and this.path. Could either be some bug in send or favicon middleware or perhaps your code isn't configuring them. Can't help with that unless you post some code.
What version of Express and Connect were pulled in as dependencies? I encountered a bug with express#3.0.0beta6, which I think has been fixed in beta7 (though I haven't confirmed that myself). I'm running on express#3.0.0beta4, which I know works, and you can revert to that by doing:
$ npm uninstall express
$ npm install express#3.0.0beta4
The master branch of Locomotive is using the Express 3.x betas, which have generally been pretty solid. I'm looking forward to that being stable, and pushing out new releases.
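
The first answer in this thread points at a check for ".." in the path being served. As an added example (not the send module's code and not from the posts), the code below compares a substring check with a decode, normalize and compare-to-root check; the substring form refuses a harmless /favicon.ico when the configured root itself contains "..", while letting a percent-encoded ".." through. The root paths, file names and function names are assumptions made for illustration.

```javascript
// Added example (not the send module's code): two ways to reject path traversal.
// Request paths are '/'-separated, so segments are normalized by hand (no imports).
function normalize(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); // cannot climb above '/'
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Substring check: refuse anything whose joined path contains "..".
function naiveAllowed(root, reqPath) {
  return !(root + reqPath).includes('..');
}

// Containment check: decode, normalize, then require the result to stay under the root.
function containedAllowed(root, reqPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(reqPath);
  } catch (err) {
    return false; // malformed escape: refuse rather than guess
  }
  if (decoded.includes('\0')) return false;
  const base = normalize(root);
  const full = normalize(root + '/' + decoded);
  // The trailing '/' keeps a sibling such as /srv/app/public-old from matching.
  return full === base || full.startsWith(base === '/' ? '/' : base + '/');
}

// Constructed cases; ROOT and the file names are hypothetical.
const ROOT = '/srv/app/public';
const CASES = [
  [ROOT, '/favicon.ico'],
  ['/srv/app/lib/../public', '/favicon.ico'], // root configured with ".."
  [ROOT, '/../secrets/db.conf'],
  [ROOT, '/%2e%2e/secrets/db.conf'], // ".." hidden by percent-encoding
  [ROOT, '/../public-old/x.css'],
  [ROOT, '/img/logo..v2.png'], // dots inside a file name
];

function compare(root, reqPath) {
  return { naive: naiveAllowed(root, reqPath), contained: containedAllowed(root, reqPath) };
}

for (const [root, p] of CASES) console.log(root, p, compare(root, p));
```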
