Hi all
I'm just looking to tidy up/tighten my fail2ban logging with my traefik access.log, and I've noticed some entries that are not showing HTTP response codes or a matched router:
89.248.171.97 - - [01/Dec/2020:19:27:10 +0000] "GET / HTTP/1.1" - - "-" "-" 274990 "-" "-" 27ms
2.57.122.186 - - [02/Dec/2020:09:52:30 +0000] "GET /config/getuser?index=0 HTTP/1.1" - - "-" "-" 307452 "-" "-" 0ms
104.131.162.95 - - [02/Dec/2020:10:38:25 +0000] "GET / HTTP/1.0" - - "-" "-" 938 "-" "-" 0ms
181.215.223.57 - - [02/Dec/2020:15:51:32 +0000] "GET / HTTP/2.0" 403 9 "-" "-" 19952 "nohost@file" "-" 31ms
171.25.193.77 - - [03/Dec/2020:07:33:41 +0000] "GET / HTTP/1.1" - - "-" "-" 57563 "-" "-" 37ms
60.251.123.1 - - [03/Dec/2020:08:52:22 +0000] "GET /manager/html HTTP/1.1" - - "-" "-" 61536 "-" "-" 0ms
165.22.35.84 - - [03/Dec/2020:10:43:05 +0000] "GET / HTTP/1.0" 403 9 "-" "-" 65471 "nohost@file" "-" 0ms
As you can see above, lines 4 & 7 responded with a 403 and the "nohost@file" router - presumably as they hit my DNS name directly (which has a match), but the other lines didn't seem to get a response OR router?
My traefik.toml contains the following:
  [entryPoints.web]
    address = ":80"
  [entryPoints.web.http.redirections.entryPoint]
    to = "websecure"
    scheme = "https"
  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.forwardedHeaders]
      insecure=true
[accessLog]
  filePath = "/var/log/traefik/access.log"
  [accessLog.filters]
    statusCodes = [ "302","400-499" ]
I've then got the following included in my dynamic config, which is intended to catch "stuff" with no hostname etc.:
[http.routers]
  [http.routers.nohost]
    rule = "HostHeader(`myhost.mydomain.com`)"
    entrypoints = [ "websecure" ]
    service = "nohost"
    middlewares = [ "blockexternal" ]
    [http.routers.nohost.tls]
      certResolver = "myresolver"
      # Define the domain to use, as it's one higher than the others
      [[http.routers.nohost.tls.domains]]
        main = "myhost.mydomain.com"
        sans = [ "myhost.mydomain.com" ]
  [http.routers.catcher]
    rule = "PathPrefix(`/`)"
    entrypoints = [ "websecure" ]
    priority = 1
    middlewares = [ "bouncer" ]
    service = "nohost"
    [http.routers.catcher.tls]
      certResolver = "myresolver"
      [[http.routers.catcher.tls.domains]]
        main = "myhost.mydomain.com"
[http.middlewares]
  [http.middlewares.internal-only-ip]
    [http.middlewares.internal-only-ip.ipWhitelist]
      sourceRange = [ "192.168.1.0/24","172.17.0.0/16" ]
  [http.middlewares.blockexternal]
    [http.middlewares.blockexternal.chain]
      # I have this as a chain so I can add/remove other items easily
      middlewares = [ "internal-only-ip" ]
  [http.middlewares.bouncer]
    [http.middlewares.bouncer.redirectRegex]
      regex = ".*"
      replacement = "https://www.somehost.com"
Is the problem that if someone points to the IP, or fudges a host to IP their end, that the SAN doesn't match, so no rule fires?
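Added example, not part of the original post: a Python parser for the access.log lines quoted above (Traefik's common log format) that separates entries logged with a `-` status from those with a 4xx status, so a fail2ban filter matching only numeric status codes can be checked against both kinds. The function names `classify` and `offenders` are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Traefik common log format: the fields after the user agent are the request
# counter, router name, server URL and duration.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}|-) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<count>\d+) '
    r'"(?P<router>[^"]*)" "(?P<server>[^"]*)" (?P<ms>\d+)ms$'
)

# Sample input: the seven access.log lines quoted in the post above.
SAMPLE = '''\
89.248.171.97 - - [01/Dec/2020:19:27:10 +0000] "GET / HTTP/1.1" - - "-" "-" 274990 "-" "-" 27ms
2.57.122.186 - - [02/Dec/2020:09:52:30 +0000] "GET /config/getuser?index=0 HTTP/1.1" - - "-" "-" 307452 "-" "-" 0ms
104.131.162.95 - - [02/Dec/2020:10:38:25 +0000] "GET / HTTP/1.0" - - "-" "-" 938 "-" "-" 0ms
181.215.223.57 - - [02/Dec/2020:15:51:32 +0000] "GET / HTTP/2.0" 403 9 "-" "-" 19952 "nohost@file" "-" 31ms
171.25.193.77 - - [03/Dec/2020:07:33:41 +0000] "GET / HTTP/1.1" - - "-" "-" 57563 "-" "-" 37ms
60.251.123.1 - - [03/Dec/2020:08:52:22 +0000] "GET /manager/html HTTP/1.1" - - "-" "-" 61536 "-" "-" 0ms
165.22.35.84 - - [03/Dec/2020:10:43:05 +0000] "GET / HTTP/1.0" 403 9 "-" "-" 65471 "nohost@file" "-" 0ms
'''


def classify(line):
    """Parse one line; return a dict with a 'kind' key, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    if rec["status"] == "-":
        rec["kind"] = "no-status"      # no response code was logged
    elif 400 <= int(rec["status"]) <= 499:
        rec["kind"] = "client-error"   # e.g. the 403 from nohost@file
    else:
        rec["kind"] = "other"
    return rec


def offenders(text):
    """Map source IP -> list of (kind, path, router) for lines a filter should count."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = classify(line)
        if rec and rec["kind"] != "other":
            hits[rec["ip"]].append((rec["kind"], rec["path"], rec["router"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in offenders(SAMPLE).items():
        print(ip, events)
```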
