My first public Node.js-based web site (with Express) went public a couple of weeks ago. I routinely check the server log, and sometimes there are some weird records. Here are some examples:
- - - [Sat, 19 Oct 2013 08:44:38 GMT] "GET http://www.google.com/ HTTP/1.0" 200 3539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
222.205.7.245 - - [Sat, 19 Oct 2013 19:54:57 GMT] "GET http://www.wikipedia.org/ HTTP/1.1" 200 3539 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
223.94.178.192 - - [Sun, 20 Oct 2013 06:04:23 GMT] "GET http://www.sciencedirect.com/ HTTP/1.1" 200 3539 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
Those are generated by the express.logger (logger: http://www.senchalabs.org/connect/logger.html) in the default format:
default ':remote-addr - - [:date] ":method :url HTTP/:http-version" :status :res[content-length] ":referrer" ":user-agent"'
Only express.urlencoded() is used; express.cookieParser and express.session are not enabled in my project.
Here are my questions:
- Why is remote-addr missing in the log? Would it be extremely difficult to get this info on Node.js + Express?
- It seems like someone tried to use my website as a proxy. How did he/she send an HTTP request like GET http://www.google.com? And how should I block these kinds of requests?
- Based on those records in the server log, is my web server secure enough? Should I use helmet (github.com/evilpacket/helmet) or CSRF (www.senchalabs.org/connect/csrf.html) in my project?
Many thanks.
Your server is sending back 200 responses for those requests, so they seem to be handled by some route in your app (perhaps a catch-all route; it's always returning 3539 bytes so it seems to be the same handler). Without knowing why your server is accepting those requests, it's difficult to say if it's secure or not.
You can easily use curl to generate requests like that:
As for the remote address being empty: sorry, don't know :( (perhaps IPv6? Nope, requests passed over IPv6 seem to get logged just fine.)