Weird http request found in the Node.js Express log file –
my first public Node.js based web site (with Express) went to public couple weeks ago. I routinely checked the server log and sometimes there are some weird records.
Here are some examples:
- - - [Sat, 19 Oct 2013 08:44:38 GMT] "GET http://www.google.com/ HTTP/1.0" 200 3539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 220.127.116.11 - - [Sat, 19 Oct 2013 19:54:57 GMT] "GET http://www.wikipedia.org/ HTTP/1.1" 200 3539 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)" 18.104.22.168 - - [Sun, 20 Oct 2013 06:04:23 GMT] "GET http://www.sciencedirect.com/ HTTP/1.1" 200 3539 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
Those are generated by the
express.logger (logger: http://www.senchalabs.org/connect/logger.html) in the default format:
default ':remote-addr - - [:date] ":method :url HTTP/:http-version" :status :res[content-length] ":referrer" ":user-agent"'
express.urlencoded() is used and
express.session are not enable in my project.
Here are my questions:
remote-addrare missing in the log? Would it be extreme difficult to get this info on node.js + express?
- It seems like someone tried to use my website as a proxy. How did he/she send a http request like
GET http://www.google.com? And how should I block these kind of requests?
- Based on those records in the server log, is my web server security enough? Should I use helmet (github.com/evilpacket/helmet) or CSRF (www.senchalabs.org/connect/csrf.html) in my project?
Your server is sending back 200 responses for those requests, so they seem to be handled by some route in your app (perhaps a catch-all route; it’s always returning 3539 bytes so it seems to be the same handler). Without knowing why your server is accepting those requests, it’s difficult to say if it’s secure or not.
You can easily use curl to generate requests like that:
curl --proxy YOURSERVER:THEPORT http://www.google.com
As for the remote address being empty: sorry, don’t know 🙁 (
perhaps IPv6? nope, requests passed over IPv6 seem to get logged just fine)