4

I would like some help with an Elastic Beanstalk error:

Environment health has transitioned from Ok to Severe. 81.8% of the requests are erroring with HTTP 4xx.

I read some articles here and followed the WAF solution, so I created an ACL assigned to CloudFront and then created a rule that blocks every request whose HTTP method contains the word HEAD. When I send a HEAD request from Postman it works the way I want (I get a 403 error), but unfortunately the error persists and I see lots of HEAD requests in the Apache log every day.

List of requests:

    [01/Aug/2017:07:42:09 +0000] "HEAD /mysql/dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:11 +0000] "HEAD /mysql/mysqlmanager/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:11 +0000] "HEAD /phpMyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:11 +0000] "HEAD /phpmyAdmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:12 +0000] "HEAD /phpmyadmin3/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:13 +0000] "HEAD /2phpmyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:13 +0000] "HEAD /phppma/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:14 +0000] "HEAD /shopdb/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:15 +0000] "HEAD /program/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:15 +0000] "HEAD /dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:16 +0000] "HEAD /db/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:16 +0000] "HEAD /mysql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:17 +0000] "HEAD /db/phpmyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:17 +0000] "HEAD /sqlmanager/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:18 +0000] "HEAD /php-myadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:19 +0000] "HEAD /mysqladmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:19 +0000] "HEAD /admin/phpmyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:20 +0000] "HEAD /admin/sysadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:20 +0000] "HEAD /admin/db/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:21 +0000] "HEAD /admin/pMA/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:22 +0000] "HEAD /mysql/db/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:23 +0000] "HEAD /mysql/pMA/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:24 +0000] "HEAD /sql/php-myadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:24 +0000] "HEAD /sql/sql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:25 +0000] "HEAD /sql/webadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:26 +0000] "HEAD /sql/websql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:30 +0000] "HEAD /sql/sqladmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:30 +0000] "HEAD /sql/phpmyadmin2/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:31 +0000] "HEAD /sql/phpMyAdmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:38 +0000] "HEAD /db/webadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:43 +0000] "HEAD /db/websql/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:49 +0000] "HEAD /db/dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:49 +0000] "HEAD /db/phpmyadmin3/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:51 +0000] "HEAD /db/phpMyAdmin-3/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:52 +0000] "HEAD /administrator/phpMyAdmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:52 +0000] "HEAD /administrator/web/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:54 +0000] "HEAD /administrator/PMA/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:54 +0000] "HEAD /phpMyAdmin2/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:55 +0000] "HEAD /phpMyAdmin4/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:55 +0000] "HEAD /php-my-admin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:56 +0000] "HEAD /PMA2012/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:56 +0000] "HEAD /PMA2014/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:57 +0000] "HEAD /PMA2016/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:57 +0000] "HEAD /PMA2018/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:58 +0000] "HEAD /pma2012/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:42:59 +0000] "HEAD /pma2014/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:43:00 +0000] "HEAD /pma2016/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:43:01 +0000] "HEAD /pma2018/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:43:01 +0000] "HEAD /phpmyadmin2012/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:43:02 +0000] "HEAD /phpmyadmin2014/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:43:02 +0000] "HEAD /phpmyadmin2016/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
    [01/Aug/2017:07:43:04 +0000] "HEAD /phpmyadmin2018/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"

Thanks for your help.

4
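The 81.8% figure in the question is something you can reproduce from the access log itself, and doing so also shows who is generating the errors. The Python below is an added example, not code from the question or from AWS: it parses Apache-style access-log lines, computes the 4xx share that the environment health reports, and attributes the errors to user agent and method. The sample lines are constructed from the entries quoted above plus two invented legitimate requests; the scanner fingerprints are simply the Jorgee user agent and the database-admin paths visible in that log, not a maintained signature list.

```python
import re
from collections import Counter

# Constructed sample input (not lifted verbatim from the page): nine of the Jorgee
# probes quoted in the question, rewritten in standard Apache combined-log syntax,
# plus two invented legitimate requests so that the 4xx share is not 100%.
SAMPLE_LOG = """\
[01/Aug/2017:07:42:09 +0000] "HEAD /mysql/dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:11 +0000] "HEAD /mysql/mysqlmanager/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:11 +0000] "HEAD /phpMyadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:12 +0000] "HEAD /phpmyadmin3/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:13 +0000] "HEAD /phppma/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:14 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (constructed legitimate client)"
[01/Aug/2017:07:42:15 +0000] "HEAD /dbadmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:16 +0000] "HEAD /db/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:17 +0000] "GET /api/items HTTP/1.1" 200 842 "-" "Mozilla/5.0 (constructed legitimate client)"
[01/Aug/2017:07:42:18 +0000] "HEAD /sqlmanager/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
[01/Aug/2017:07:42:19 +0000] "HEAD /mysqladmin/ HTTP/1.1" 404 260 "-" "Mozilla/5.0 Jorgee"
"""

# Apache '[time] "request" status bytes "referer" "user-agent"', as shown in the question.
LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Scanner fingerprints taken from the question's log: the Jorgee user agent and the
# database-admin paths it probes (matched on the lower-cased path).
SCANNER_UA_TOKENS = ("jorgee",)
PROBE_PATH_TOKENS = ("phpmyadmin", "pma", "mysql", "dbadmin", "sqlmanager", "/db/")


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r is not None]


def is_scanner(rec):
    ua, path = rec["ua"].lower(), rec["path"].lower()
    return any(t in ua for t in SCANNER_UA_TOKENS) or any(t in path for t in PROBE_PATH_TOKENS)


def summarize(records):
    """4xx share (the figure the health dashboard reports) and who is responsible for it."""
    total = len(records)
    errors = [r for r in records if 400 <= r["status"] < 500]
    scanner_errors = [r for r in errors if is_scanner(r)]
    return {
        "total": total,
        "errors_4xx": len(errors),
        "pct_4xx": 100.0 * len(errors) / total if total else 0.0,
        "pct_4xx_from_scanners": 100.0 * len(scanner_errors) / len(errors) if errors else 0.0,
        "top_4xx_agents": Counter(r["ua"] for r in errors).most_common(3),
        "top_4xx_methods": Counter(r["method"] for r in errors).most_common(3),
    }


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(f"{s['errors_4xx']}/{s['total']} requests were 4xx ({s['pct_4xx']:.1f}%)")
    print(f"{s['pct_4xx_from_scanners']:.0f}% of those 4xx look like admin-panel scanning")
    print("agents:", s["top_4xx_agents"], "methods:", s["top_4xx_methods"])
```

On the constructed sample, 9 of 11 requests are 4xx (81.8%, the same share the question reports) and all of them carry the Jorgee user agent, which is a much more specific key to block on than the HEAD method. Two practical points follow from the question's own observation: a WebACL attached to a CloudFront distribution only evaluates requests that arrive through that distribution, so probes that reach the load balancer or instance hostname directly never meet the rule, which is consistent with the HEAD requests still appearing in Apache; and because the health calculation is done from the instance's own log, no edge-side block changes it unless the requests stop reaching the instance.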

3 Answers

3

I contacted AWS Support directly, and this is the solution they gave me:

I looked at the logs you posted just in case, and I found that the agent is Jorgee, which is a common malware agent. I saw a blog about this agent [1]; although it is not official, it gives some insight into it.

A daemon named "healthd" on the Elastic Beanstalk environment instances monitors health by watching a special log file. If the agent finds a large number of 4xx in this file, the environment goes into the Severe state.

    $ sudo tail /var/log/nginx/healthd/application.log.2017-08-21-07
    1503299631.249"/asdf"404"0.075"0.075"-
    1503299631.379"/asdf"404"0.002"0.002"-

I see that you launched the environment with the solution stack "64bit Amazon Linux 2017.03 v2.7.2 running Docker 17.03.1-ce", so I would like to provide a workaround for this issue for that solution stack.

In the solution stack "64bit Amazon Linux 2017.03 v2.7.2 running Docker 17.03.1-ce", the log format above is defined in "/etc/nginx/nginx.conf" and enabled in "/etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf".

So you can configure nginx in your environment to ignore requests whose HTTP status is 404 or 403. Please try adding the following configuration file under the .ebextensions directory of your application source bundle.

.ebextensions/healthd_ignore_4xx.config

    files:
      "/etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf":
        mode: "000644"
        owner: root
        group: root
        content: |
          # modification No.1
          map $status $logflag {
              404 0;
              403 0;
              default 1;
          }

          map $http_upgrade $connection_upgrade {
              default        "upgrade";
              ""             "";
          }

          server {
              listen 80;

              gzip on;
              gzip_comp_level 4;
              gzip_types text/html text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

              if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
                  set $year $1;
                  set $month $2;
                  set $day $3;
                  set $hour $4;
              }

              # modification No.2
              # access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
              access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd if=$logflag;

              access_log    /var/log/nginx/access.log;

              location / {
                  proxy_pass            http://docker;
                  proxy_http_version    1.1;

                  proxy_set_header    Connection            $connection_upgrade;
                  proxy_set_header    Upgrade               $http_upgrade;
                  proxy_set_header    Host                  $host;
                  proxy_set_header    X-Real-IP             $remote_addr;
                  proxy_set_header    X-Forwarded-For       $proxy_add_x_forwarded_for;
              }
          }

This configuration replaces the default /etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf file with the content you define. The modifications I made are:

  • No.1: Added a map directive from $status to $logflag. When the request is a 404 or 403, $logflag is set to 0; for any other status it is set to 1.
  • No.2: Added if=$logflag to the access_log [2] directive. The healthd monitoring log is written only when the HTTP status is not 404 or 403.

After you deploy a new application version with the above ebextensions configuration, your environment's health will no longer be affected by bogus 404 or 403 requests.

References: [1]: http://www.skepticism.us/2015/05/new-malware-user-agent-value-jorgee/ [2]: http://nginx.org/en/docs/stream/ngx_stream_log_module.html#access_log

answered 2017-08-22T18:31:58.770
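What the support engineer's map/if= change does to the log that healthd reads can be checked offline. The Python below is an added example, not AWS's code or the answerer's: it renders healthd-format lines for constructed traffic, applies the same 404/403 to 0 mapping that the `map $status $logflag` block defines, and computes the 4xx share with and without the `if=$logflag` clause. The healthd field order used here (msec, URI, status, request time, upstream time, X-Forwarded-For) is inferred from the two lines quoted in the answer and is an assumption; the traffic is made up.

```python
from dataclasses import dataclass


@dataclass
class Request:
    msec: float
    uri: str
    status: int
    request_time: float
    upstream_time: float
    xff: str = "-"


# Mirror of the "map $status $logflag" block in the nginx config above:
# 404 and 403 map to 0, everything else falls through to the default of 1.
LOGFLAG_MAP = {404: 0, 403: 0}


def logflag(status):
    return LOGFLAG_MAP.get(status, 1)


def healthd_line(r):
    # Assumed field order, inferred from the two lines AWS Support quoted:
    # msec"uri"status"request_time"upstream_time"x_forwarded_for
    return f'{r.msec:.3f}"{r.uri}"{r.status}"{r.request_time:.3f}"{r.upstream_time:.3f}"{r.xff}'


def render_healthd_log(requests, use_logflag):
    """Lines nginx would append: every request, or (with if=$logflag) only those whose flag is 1."""
    return [healthd_line(r) for r in requests if not use_logflag or logflag(r.status) == 1]


def parse_healthd_line(line):
    msec, uri, status, req_t, up_t, xff = line.split('"')
    return Request(float(msec), uri, int(status), float(req_t), float(up_t), xff)


def status_shares(lines):
    """What a healthd-style reader would compute from the log file it is given."""
    recs = [parse_healthd_line(line) for line in lines]
    n = len(recs)

    def share(lo, hi):
        return round(100.0 * sum(lo <= r.status < hi for r in recs) / n, 1) if n else 0.0

    return {"requests": n, "pct_4xx": share(400, 500), "pct_5xx": share(500, 600)}


# Constructed traffic: nine Jorgee-style probes (paths from the question), two normal
# hits, one genuine server error and one malformed client request.
PROBED_PATHS = ["/mysql/dbadmin/", "/phpMyadmin/", "/phpmyadmin3/", "/phppma/", "/dbadmin/",
                "/db/", "/sqlmanager/", "/mysqladmin/", "/PMA2018/"]
SAMPLE = (
    [Request(1503299631.0 + i, p, 404, 0.002, 0.002) for i, p in enumerate(PROBED_PATHS)]
    + [Request(1503299640.0, "/", 200, 0.031, 0.030),
       Request(1503299641.0, "/api/items", 200, 0.055, 0.054),
       Request(1503299642.0, "/api/items", 500, 0.120, 0.119),
       Request(1503299643.0, "/api/items", 400, 0.001, 0.001)]
)


if __name__ == "__main__":
    print("unfiltered  :", status_shares(render_healthd_log(SAMPLE, use_logflag=False)))
    print("if=$logflag :", status_shares(render_healthd_log(SAMPLE, use_logflag=True)))
```

Unfiltered, 10 of 13 lines are 4xx (76.9%); with the `if=$logflag` clause only 4 lines remain and the 4xx share drops to 25%. Note what survives the filter: the 500 and the 400 are still written, so real failures and client errors outside the two mapped statuses continue to move the health state. The flip side is that the filter also hides 404s your own application produces (broken links, missing assets), so those now have to be watched in /var/log/nginx/access.log instead of on the health dashboard.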
2

In my case, I had no response for the root (/), so I just added a dummy page in spring-boot and my ELB problem went away.

    @Controller
    public class RootController {
        // Dummy root page so the ELB health check on "/" gets a 200 instead of a 404.
        // Class name is arbitrary; annotations come from org.springframework.stereotype
        // and org.springframework.web.bind.annotation.
        @GetMapping("/")
        @ResponseBody
        public String sayHello() {
            return "hello";
        }
    }
answered 2021-05-27T00:26:50.490
0

To solve the problem,

I changed the Elastic Beanstalk load balancer to application level 1 and enabled WAF integration.

In WAF, I defined the following rules to block the malware requests.

    URI contains: "/pma" after converting to lowercase.
    URI contains: "/sql" after converting to lowercase.
    URI contains: "/admin" after converting to lowercase.
    URI ends with: "php" after converting to lowercase.
    URI contains: "/mysql" after converting to lowercase.
    URI contains: "/db" after converting to lowercase.
    URI contains: "/2phpmyadmin/ " after converting to lowercase.
    URI contains: "/shopdb/ " after converting to lowercase.
    URI contains: "/php" after converting to lowercase.
answered 2019-01-22T13:24:54.310
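Before deploying a rule set like the one above it is worth running it against both the scanner's paths and your own application's paths. The Python below is an added example, not the answerer's configuration: it approximates AWS WAF string-match conditions with the lowercase transformation, using the nine needles exactly as written in the answer (including the two with a trailing space), and evaluates them over a dozen paths copied from the question's Jorgee log plus six invented legitimate paths.

```python
# The nine string-match conditions from the answer above, as (match type, needle) pairs.
# AWS WAF lower-cases the URI before comparing; two needles keep the trailing space
# exactly as the answer wrote them.
WAF_RULES = [
    ("contains", "/pma"),
    ("contains", "/sql"),
    ("contains", "/admin"),
    ("ends_with", "php"),
    ("contains", "/mysql"),
    ("contains", "/db"),
    ("contains", "/2phpmyadmin/ "),
    ("contains", "/shopdb/ "),
    ("contains", "/php"),
]


def matching_rules(uri):
    """Rules that fire for a URI after the lowercase transformation; an empty list means allowed."""
    u = uri.lower()
    hits = []
    for kind, needle in WAF_RULES:
        if (kind == "contains" and needle in u) or (kind == "ends_with" and u.endswith(needle)):
            hits.append((kind, needle))
    return hits


def is_blocked(uri):
    return bool(matching_rules(uri))


def dead_rules(uris):
    """Rules that fire on none of the given URIs."""
    fired = {rule for u in uris for rule in matching_rules(u)}
    return [rule for rule in WAF_RULES if rule not in fired]


def evaluate(scanner_uris, legit_uris):
    return {
        "scanner_missed": [u for u in scanner_uris if not is_blocked(u)],
        "false_positives": [u for u in legit_uris if is_blocked(u)],
        "dead_rules": dead_rules(scanner_uris + legit_uris),
    }


# Constructed inputs: a dozen paths copied from the question's Jorgee log, and six
# invented paths a real application might legitimately serve.
SCANNER_URIS = ["/mysql/dbadmin/", "/phpMyadmin/", "/phppma/", "/shopdb/", "/program/",
                "/dbadmin/", "/db/", "/sqlmanager/", "/administrator/web/", "/PMA2018/",
                "/php-my-admin/", "/2phpmyadmin/"]
LEGIT_URIS = ["/", "/api/items", "/admin/dashboard", "/dbx-export",
              "/blog/why-we-love-php", "/docs/sql-tips"]


if __name__ == "__main__":
    result = evaluate(SCANNER_URIS, LEGIT_URIS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Two things fall out of the run. The rules for "/2phpmyadmin/ " and "/shopdb/ " contain a trailing space, so they can never match a URI and "/2phpmyadmin/" and "/shopdb/" (and "/program/") from the question's log pass straight through; no other needle covers them. Conversely, the broad "contains" needles block four of the six invented legitimate paths, including anything under the application's own /admin and any page whose path ends in "php". Matching on the Jorgee user agent, or anchoring needles to whole path segments, is considerably safer than substring rules on the URI.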