Thread: Strange access log entry repeating




Strange access log entry repeating
2007-10-15 13:00:51
Hello,

I already posted this into apache-users, but it probably is too much httpd-internal, I haven't received an answer yet.

I have an ssl host for the domain test.com, configured with these lines in httpd.conf:

Listen 1.2.3.4:80
NameVirtualHost 1.2.3.4:80

<VirtualHost 1.2.3.4:80>
         ServerName test.com
</VirtualHost>

Listen 1.2.3.4:443

<VirtualHost 1.2.3.4:443>
         ServerName test.com
         SSLEngine On
         SSLCertificateKeyFile /etc/httpd/certs/test.com.key
         SSLCertificateFile /etc/httpd/certs/test.com.crt
</VirtualHost>


Everything worked fine before I enabled ssl. After that, these lines occur every now and then, but always about once per second:

test.com 1.2.3.4 - - [11/Oct/2007:19:11:25 +0200] "GET /" 400 478 "-" "-"

It definitely started in the moment I stopped and restarted apache after I made the URL configuration. It is a multi homed environment and these entries appear for no other host (there is no other ssl host on this server). Any ideas?

I have checked everything, there is nothing externally calling this URL. It seems that apache is calling the URL on its own (maybe it is trying to resolve something?). I'm not that much into the apache details to have a clue.

I'm using httpd-2.2.4. If you don't have an idea, I can maybe track it down a bit further. But so far the simplest thing I can explain is: With a pretty standard httpd.conf there is no log entry unless someone actually calls a URL. But once I include the configuration lines above and restart apache, strange log lines appear. Note: There is always an error 400. And the URL called is always "GET /", not even "GET / HTTP/1.0" or so.

Kind regards
Marten

Re: Strange access log entry repeating
2007-10-15 13:07:26
On 10/15/07, Marten Lehmann <lehmanncnm.de> wrote:

> I'm using httpd-2.2.4. If you don't have an idea, I can maybe track it
> down a bit further. But so far the simplest thing I can explain is:
> With a pretty standard httpd.conf there is no log entry unless someone
> actually calls a URL. But once I include the configuration lines above
> and restart apache, strange log lines appear. Note: There is always an
> error 400. And the URL called is always "GET /", not even "GET /
> HTTP/1.0" or so.

See:

http://wiki.apache.org/httpd/InternalDummyConnection

When the default vhost is SSL, you get the 400 because apache doesn't bother doing ssl negotiation -- it just sends an ordinary http request. But this doesn't matter since the request only needs to wake up the process, nothing else.

Joshua.

Re: Strange access log entry repeating
2007-10-17 06:08:01
Hello,

> See:
>
> http://wiki.apache.org/httpd/InternalDummyConnection
>
> When the default vhost is SSL, you get the 400 because apache doesn't
> bother doing ssl negotiation -- it just sends an ordinary http
> request. But this doesn't matter since the request only needs to wake
> up the process, nothing else.

well, but it clutters up the logfiles so web statistic software gives wrong data about web access, because it counts the internal calls as well.

The Wiki page says that all calls originate from the loopback device, but that's not true. In my logfiles, all calls are originated by the ip address of the ssl host(s), so I don't know how to effectively exclude these calls.

We have a central, small httpd.conf which includes config files for each virtual host. While the CustomLog settings are defined in the httpd.conf, the individual listen and virtual host configuration is done in the single files. That way, we can easily add and remove files and simply restart apache without having to touch httpd.conf.

Is there a variable which contains the complete request ("GET /") and the status code ("400")? This would be the only way to detect such internal requests independent of servernames and ip addresses. What could a SetEnvIf directive look like that would set a "skip" variable which I could use at the CustomLog setting?

Regards
Marten

Re: Strange access log entry repeating
2007-10-17 07:38:18
Later versions of 2.2 (starting with 2.2.7) will have Apache send 'OPTIONS *' instead of the 'GET /' which will make it easier for you to exclude those.

On Oct 17, 2007, at 7:08 AM, Marten Lehmann wrote:

> Hello,
>
>> See:
>> http://wiki.apache.org/httpd/InternalDummyConnection
>> When the default vhost is SSL, you get the 400 because apache doesn't
>> bother doing ssl negotiation -- it just sends an ordinary http
>> request. But this doesn't matter since the request only needs to wake
>> up the process, nothing else.
>
> well, but it clutters up the logfiles so web statistic software
> gives wrong data about web access, because it counts the internal
> calls as well.
>
> The Wiki page says that all calls originate from the loopback
> device, but that's not true. In my logfiles, all calls are
> originated by the ip address of the ssl host(s), so I don't know
> how to effectively exclude these calls.
>
> We have a central, small httpd.conf which includes config files for
> each virtual host. While the CustomLog settings are defined in the
> httpd.conf, the individual listen and virtual host configuration is
> done in the single files. That way, we can easily add and remove
> files and simply restart apache without having to touch httpd.conf.
>
> Is there a variable which contains the complete request ("GET /")
> and the status code ("400")? This would be the only way to detect
> such internal requests independent of servernames and ip addresses.
> What could a SetEnvIf directive look like that would set a "skip"
> variable which I could use at the CustomLog setting?
>
> Regards
> Marten
>
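
An added example, not part of the thread and not httpd's own code: a post-filter that separates the wake-up requests discussed above from visitor traffic before a log is handed to statistics software. It matches on the request shape together with the server's own addresses, so a remote client that produces the same bare "GET /" 400 line stays in the log. The function names, the own_addrs parameter and every sample line except the first are assumptions made for illustration.

```python
import re

# Vhost-prefixed combined format, as in the log line quoted in the thread:
#   vhost client ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"\s*$'
)

def is_internal_wakeup(line, own_addrs):
    """True if the line looks like httpd's own wake-up request, not a visitor."""
    m = LINE_RE.match(line)
    if m is None:
        return False                  # unparseable: keep it for a human to see
    if m["client"] not in own_addrs:
        return False                  # not one of our listen addresses: real traffic
    method, _, rest = m["request"].partition(" ")
    target, _, proto = rest.partition(" ")
    # Shape reported in the thread (2.2.4): bare "GET /", no protocol, 400, no headers.
    if (method, target, proto) == ("GET", "/", ""):
        return m["status"] == "400" and m["referer"] == "-" and m["agent"] == "-"
    # 2.2.7 and later, per the last reply: OPTIONS * (a protocol token may follow).
    return method == "OPTIONS" and target == "*"

def split_log(lines, own_addrs):
    """Return (kept, dropped): lines for statistics and lines judged internal."""
    own = frozenset(own_addrs)
    kept, dropped = [], []
    for line in lines:
        (dropped if is_internal_wakeup(line, own) else kept).append(line)
    return kept, dropped

# Constructed sample: the first line is the one from the thread, the rest are made up.
SAMPLE = [
    'test.com 1.2.3.4 - - [11/Oct/2007:19:11:25 +0200] "GET /" 400 478 "-" "-"',
    'test.com 203.0.113.9 - - [11/Oct/2007:19:11:26 +0200] "GET /" 400 478 "-" "-"',
    'test.com 203.0.113.9 - - [11/Oct/2007:19:11:27 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'test.com 1.2.3.4 - - [11/Oct/2007:19:11:28 +0200] "OPTIONS * HTTP/1.0" 200 - "-" "-"',
    'test.com 1.2.3.4 - - [11/Oct/2007:19:11:29 +0200] "GET /status HTTP/1.0" 200 90 "-" "check/1.0"',
]

if __name__ == "__main__":
    kept, dropped = split_log(SAMPLE, {"1.2.3.4"})
    print(f"kept {len(kept)} lines for statistics, dropped {len(dropped)} internal")
```

Writing the dropped lines to a separate file rather than discarding them keeps a record that can be checked if the once-per-second rate ever changes.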

