How to add geoIP in http logs of zeek? - zeek

I have used geoIP in zeek for resolving IPs in conn.log but I am unable to do the same for http and dns logs. Can anyone guide how to do so?

Related

Configure Nginx as a reverse-proxy which forward all requests

I got a task to use Nginx as a reverse proxy for all requests, so if someone is going through the proxy and the SNI is www.google.com, Nginx will access www.google.com, fetch the data and provide it to the user, but I need it for all domains and not just some.
Is it something Nginx can do?
Tnx,
Omer

Forced to use wss:// when behind proxy from https to http

I have setup a nginx proxy to pass https url to internal http neo4j web. I can reach the neo4j login page without any issue, but I am forced to use the neo4j+s/bolt+s interface.
Just wondering how I can configure nginx to remove any ssl related info via proxypass module, in order to login in neo4j with ws, no wss?
Thanks,
Chance
I managed to get rid of wss by adding another nginx proxy to set the https url as upstream server in location.proxy_pass. It won't show wss/neo4j+s/bolt+s any more once you visit the web by the http url. Hopefully it will help anyone who has a similar issue.

Should I use nginx as a proxy for WAMP?

guys!
I build a chat application based on WebSocket. As backend I use PHP and nginx as a proxy for WebSocket connection.
Searching about PHP libs for WS gave me Ratchet. This tools support WAMP protocol. Something about it: http://wamp-proto.org/why/
Well, I've decided to use this protocol - it seems useful. I tuned nginx for proxy WebSocket connections in standard way. And for common using WebSocket at frontend/backend - all is ok.
But, if I start use WAMP at backend and try to use autobahn.js for WAMP at frontend, I catch 426 No Sec-WebSocket-Protocols requested supported as response every time. At PHP I see that connection from nginx is not receiving. So, as I understood, nginx doesn't process connection with WAMP subprotocol in right way.
So, I don't understand, should I use nginx as a proxy for WAMP? WAMP is just a subprotocol for WebSocket, but doesn't work for me.
Does anybody know where the problem is?
Seems like Nginx isn't forwarding the WebSocket subprotocol announced by the client to the backend WAMP router.
Try adding this to your Nginx conf:
proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol;
See: https://stackoverflow.com/a/36506746/884770

nginx DNS redirect: how does it work

I'm trying to do some DNS redirect: if a user accesses h##p://subdomain.mydomain.com, he/she will be redirected to h##p://www.mydomain.com/some/url.
I think it can be done with a URL record in the DNS server. But like mentioned [here] it can be done with HTTP server configuration as well. And ... that confused me.
AFAIK, a request starts with a DNS resolve, which gives us the IP address of the server. From there on, HTTP traffic is IP based. So how does nginx/apache know the server name?
There is no DNS URL record. If you refer to DNSimple product, it's actually a combination of CNAME (or A) record and simple HTTP server.
HTTP clients (browsers) send server's name in a header as a part of HTTP request.

How to deny ip address automatically by parsing nginx log file

I have 4 webservers behind cloudflare and a loadbalancer, nginx is the webserver, php-fpm manages the php pages. I don't know how to block a simple dos attack ...
I'm able to detect this attack by using the http_limit_req module from nginx
http://wiki.nginx.org/HttpLimitReqModule
but this is not blocking the attack at all, yes this can mitigate but webservers are hit and hit again, and php-fpm goes to 80% and in a minute the website is unreachable.
I'm trying to find a way to block this kind of request.
I know how to block certain ip address or certain useragent with nginx but i want to do it automatically. I think that I cannot block the ip with iptables because the request come from the loadbalancer :( but i'm still able to detect the correct ip address with the set_real_ip_from and real_ip_header X-Forwarded-For with nginx.
I have the log file (error.log) filled with the correct ip address as you can see:
2012/03/27 18:34:02 [error] 31234#0: *1283 limiting connections by zone "staging", client: XX.XX.XX.XXX, server: www.xxxxxxx.com, request: "HEAD /it HTTP/1.1", host: "www.xxxxxxx.com"
Does someone have an idea and can teach me how to automatically block this IP?
use fail2ban for this. It's a log-file parser for many different services which can detect failed logins, etc. and then block an IP-address.
http://www.fail2ban.org
Regards
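The log-parsing approach from the answer above, as an added example (not part of the original thread and not fail2ban's own code): it reads rate-limit entries from the nginx error.log and writes `deny` lines for nginx, since the question notes iptables only sees the load balancer and the real address is restored with set_real_ip_from / real_ip_header. The function names, thresholds and sample log lines are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime

# limit_req / limit_conn entries in nginx error.log. The non-greedy match stops
# at the FIRST "client:" field, which nginx writes before the request and host
# fields, so text an attacker puts in the request line cannot spoof the address.
LIMIT_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: \*\d+ '
    r'limiting (?:connections|requests).*?, client: (?P<ip>[0-9A-Fa-f.:]+),')

def offenders(lines, max_hits=3, window_s=60):
    """Sorted client IPs with >= max_hits limit events inside window_s seconds."""
    recent, banned = defaultdict(list), set()
    for line in lines:
        m = LIMIT_RE.match(line)
        if not m:
            continue  # not a rate-limit entry
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        # Sliding window: drop events older than window_s relative to this one.
        hits[:] = [t for t in hits if (ts - t).total_seconds() <= window_s]
        if len(hits) >= max_hits:
            banned.add(m["ip"])
    return sorted(banned)

def deny_conf(ips):
    """Render an nginx include file (one deny per address). The block is done in
    nginx because the TCP peer seen by iptables is the load balancer."""
    return "".join(f"deny {ip};\n" for ip in ips)

# Constructed sample log (documentation addresses), same format as the question's line.
P = '[error] 31234#0: *1 limiting connections by zone "staging", client: '
S = ', server: www.example.com, request: "HEAD /it HTTP/1.1", host: "www.example.com"'
SAMPLE_LOG = [
    "2012/03/27 18:34:02 " + P + "203.0.113.7" + S,
    "2012/03/27 18:34:03 " + P + "203.0.113.7" + S,
    '2012/03/27 18:34:05 [error] 31234#0: *9 limiting requests, excess: 1.500 '
    'by zone "staging", client: 203.0.113.7' + S,
    # Request line tries to inject a second client field; it must be ignored.
    "2012/03/27 18:34:06 " + P + '198.51.100.9, server: www.example.com, '
    'request: "GET /?x=, client: 203.0.113.99, HTTP/1.1"',
    "2012/03/27 18:40:00 " + P + "198.51.100.9" + S,
    "2012/03/27 18:40:01 [notice] 31234#0: signal process started",
]

if __name__ == "__main__":
    print(deny_conf(offenders(SAMPLE_LOG)), end="")
```

The output is meant to be written to a file that the server block pulls in with `include`, followed by an nginx reload.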
