passenger_pre_start fails when empty user agent strings are blocked #1534

Closed
svoop opened this issue Jun 11, 2015 · 6 comments

svoop commented Jun 11, 2015

In order to get rid of the most malicious user agents, I'm filtering a few of them:

# Block empty user agents
if ($http_user_agent ~ ^\s*$) { return 400; }

# Block evil bots
if ($http_user_agent ~* ^(Java|Jakarta)) { return 400; }
if ($http_user_agent ~* user-agent|morfeus) { return 400; }
if ($http_user_agent = Mozilla) { return 400; }

The first one will return 400 if no user agent string is present in the request at all. However, this causes the passenger_pre_start to fail, because apparently it does not pass a user agent string. Here's a pre-start request from our logs:

127.0.0.1 - - [11/Jun/2015:16:19:04 +0200] "HEAD / HTTP/1.1" 200 779 "-" "-" "-

Would it be possible to modify the pre-start code in order to have it set a user agent to something like "passenger_pre_start"?

For now, I'll change the filter rule to apply only to requests from localhost, but since Nginx doesn't support multiple if conditions nor nested ifs, it will be an ugly workaround.

svoop commented Jun 11, 2015

This is somewhat related to #1392 because the new sudoless restart won't work unless at least one instance of the app is running – passenger_pre_start to the rescue!

svoop commented Jun 11, 2015

Just in case someone else is having the same problem, here's the workaround:

# Block empty user agents but from localhost (passenger_pre_start)
if ($http_user_agent ~ ^\s*$) { set $matches A; }
if ($remote_addr != 127.0.0.1) { set $matches "${matches}B"; }
if ($matches = AB) { return 400; }
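
The same policy written with `geo` and `map` instead of chained `if` blocks, as an added example that is not part of the original thread or of Passenger's own code. The variable names `$ua_local` and `$ua_block`, the listen port and the server name are assumptions.

```nginx
# Added example (not from the thread). geo and map belong in the http {} context.

# 1 when the client is loopback; the pre-start HEAD request in the log
# above arrives from 127.0.0.1.
geo $ua_local {
    default    0;
    127.0.0.1  1;
    ::1        1;
}

# The key is "<loopback flag>:<user agent>". Regexes are tested in the
# order they appear and the first match wins.
map "$ua_local:$http_user_agent" $ua_block {
    default                             0;

    # Empty or whitespace-only user agent, rejected only for non-loopback clients.
    "~^0:\s*$"                          1;

    # The remaining rules from the first comment apply to every client.
    "~*^[01]:(Java|Jakarta)"            1;
    "~*^[01]:.*(user-agent|morfeus)"    1;
    "~^[01]:Mozilla$"                   1;
}

server {
    listen 80;                  # assumed
    server_name example.test;   # placeholder

    # A single test replaces the $matches concatenation workaround.
    if ($ua_block) { return 400; }
}
```

Because the exemption keys on `$remote_addr`, it also covers anything else that reaches Nginx from loopback, such as a local reverse proxy or health checker.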

svoop commented Oct 28, 2019

While struggling with #2230 I came across this old issue which hasn't received much love in the past 4 years.

Any chance you might give it a shot and set a user agent for the pre start HEAD request? This would come in handy to identify the source of these HEAD requests in access logs.

Shouldn't be hard to implement, yet really useful in some situations (see above). Thanks a lot!

/ping @FooBarWidget

svoop commented Nov 7, 2019

Awesome, thanks a bunch, @CamJN !

svoop commented Feb 14, 2020

@CamJN Would be cool to see this feature released at some point, it's already 5 months since the last patch release of Passenger. Thanks a bunch!!

svoop commented May 31, 2020

@CamJN Thanks for the release!
