Osada Lakmal asked:
I have created a ghost VPS on DigitalOcean which has nginx running as a reverse proxy fronting ghost installation. While tailing access logs I saw numerous CONNECT commands and GET/POST as well to some websites (some spammy, fake and some legit ones – nandos.co.uk). So my questions are
- Is nginx acting on these commands?
- If so how can I prevent this?
- Are they DOSing people? Inflating traffic? or some other shenanigan?
Note: I don’t have the nginx conf since I rebuilt the VPS almost immediately afterwards.
Welcome to the Internet. This is just one small part of malicious traffic that blindly attempts to hit every IPv4 address with a wide variety of attacks.
In this case, they are trying to abuse misconfigured web servers in order to load other web pages through your server, disguising the origin of the traffic, using the HTTP CONNECT method.
This doesn’t work at all, because nginx is not designed to be a forward proxy, and does not support the CONNECT method.
You can safely ignore this traffic.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.