“400 Bad Request” in response to a (seemingly) correct HTTP request

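Problem description

I have a device, a Geiger counter, which is programmed to issue an HTTP request on my local network to an Apache server on the same network. The server always answers with “400 Bad request”. In line with this, the Apache error log shows: “AH00566: request failed: malformed request line”.

Now I copy this “malformed” line from the Wireshark output and enter it into a browser (both Firefox and Chrome were used): the server gives a 200 response, and of course no error. So it looks like the HTTP request is correct. Why not when it comes from the Geiger counter?

Shouldn't Wireshark give the answer? I have reached the limits of my ability to interpret Wireshark and am hoping for help.

I have attached the two Wireshark lines, request and response, fully expanded, in the hope that they contain what I need to look at.

Edit: I have now added the mod_log_forensic module to my Apache server. This should give me all the header information before and after they are processed. Sadly, it gives me all the header information when the request succeeds, but nothing at all when it fails, as with my “malformed request”. I don't see any options to set for this module :-((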


HTTP request of device at 10.0.0.42 to server at 10.0.0.20:
====================================================================================================
Frame 67003: 165 bytes on wire (1320 bits), 165 bytes captured (1320 bits) on interface 0
    Interface id: 0 (enp3s0)
        Interface name: enp3s0
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep  4, 2021 10:28:38.486223543 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1630744118.486223543 seconds
    [Time delta from previous captured frame: 0.317684532 seconds]
    [Time delta from previous displayed frame: 63.093693181 seconds]
    [Time since reference or first frame: 3654.295052488 seconds]
    Frame Number: 67003
    Frame Length: 165 bytes (1320 bits)
    Capture Length: 165 bytes (1320 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:http]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80 || http2]
Ethernet II, Src: Espressi_36:ac:ba (a0:20:a6:36:ac:ba), Dst: AsustekC_c3:68:12 (ac:22:0b:c3:68:12)
    Destination: AsustekC_c3:68:12 (ac:22:0b:c3:68:12)
        Address: AsustekC_c3:68:12 (ac:22:0b:c3:68:12)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Espressi_36:ac:ba (a0:20:a6:36:ac:ba)
        Address: Espressi_36:ac:ba (a0:20:a6:36:ac:ba)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.0.42, Dst: 10.0.0.20
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 151
    Identification: 0x0006 (6)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 127
    Protocol: TCP (6)
    Header checksum: 0x271e [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.0.0.42
    Destination: 10.0.0.20
Transmission Control Protocol, Src Port: 17062, Dst Port: 80, Seq: 1, Ack: 1, Len: 111
    Source Port: 17062
    Destination Port: 80
    [Stream index: 347]
    [TCP Segment Len: 111]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 112    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 2920
    [Calculated window size: 2920]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0xf631 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [iRTT: 0.004491340 seconds]
        [Bytes in flight: 111]
        [Bytes sent since last PSH flag: 111]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.322175872 seconds]
        [Time since previous frame in this TCP stream: 0.317684532 seconds]
    TCP payload (111 bytes)
Hypertext Transfer Protocol
    GET /?AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14 HTTP/1.1\n
        [Expert Info (Chat/Sequence): GET /?AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14 HTTP/1.1\n]
            [GET /?AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14 HTTP/1.1\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /?AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14
            Request URI Path: /
            Request URI Query: AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14
                Request URI Query Parameter: AID=0123
                Request URI Query Parameter: GID=4567
                Request URI Query Parameter: CPM=22
                Request URI Query Parameter: ACPM=20.39
                Request URI Query Parameter: uSV=0.14
        Request Version: HTTP/1.1
    Host: 10.0.0.20\r\n
    Connection: close\r\n
    Accept: */*\r\n
    \r\n
    [Full request URI: http://10.0.0.20/?AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14]
    [HTTP request 1/1]
    [Response in frame: 67005]

====================================================================================================
====================================================================================================


HTTP response of server at 10.0.0.20 to device at 10.0.0.42 :
====================================================================================================
Frame 67005: 538 bytes on wire (4304 bits), 538 bytes captured (4304 bits) on interface 0
    Interface id: 0 (enp3s0)
        Interface name: enp3s0
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep  4, 2021 10:28:38.486469123 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1630744118.486469123 seconds
    [Time delta from previous captured frame: 0.000198404 seconds]
    [Time delta from previous displayed frame: 0.000245580 seconds]
    [Time since reference or first frame: 3654.295298068 seconds]
    Frame Number: 67005
    Frame Length: 538 bytes (4304 bits)
    Capture Length: 538 bytes (4304 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:http:data-text-lines]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80 || http2]
Ethernet II, Src: AsustekC_c3:68:12 (ac:22:0b:c3:68:12), Dst: Espressi_36:ac:ba (a0:20:a6:36:ac:ba)
    Destination: Espressi_36:ac:ba (a0:20:a6:36:ac:ba)
        Address: Espressi_36:ac:ba (a0:20:a6:36:ac:ba)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: AsustekC_c3:68:12 (ac:22:0b:c3:68:12)
        Address: AsustekC_c3:68:12 (ac:22:0b:c3:68:12)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.0.20, Dst: 10.0.0.42
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 524
    Identification: 0x8870 (34928)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x9c3e [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.0.0.20
    Destination: 10.0.0.42
Transmission Control Protocol, Src Port: 80, Dst Port: 17062, Seq: 1, Ack: 112, Len: 484
    Source Port: 80
    Destination Port: 17062
    [Stream index: 347]
    [TCP Segment Len: 484]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 485    (relative sequence number)]
    Acknowledgment number: 112    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 64129
    [Calculated window size: 64129]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x25ca [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [iRTT: 0.004491340 seconds]
        [Bytes in flight: 484]
        [Bytes sent since last PSH flag: 484]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.322421452 seconds]
        [Time since previous frame in this TCP stream: 0.000198404 seconds]
    TCP payload (484 bytes)
Hypertext Transfer Protocol
    HTTP/1.1 400 Bad Request\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 400 Bad Request\r\n]
            [HTTP/1.1 400 Bad Request\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Response Version: HTTP/1.1
        Status Code: 400
        [Status Code Description: Bad Request]
        Response Phrase: Bad Request
    Date: Sat, 04 Sep 2021 08:28:38 GMT\r\n
    Server: Apache/2.4.18 (Ubuntu)\r\n
    Content-Length: 302\r\n
        [Content length: 302]
    Connection: close\r\n
    Content-Type: text/html; charset=iso-8859-1\r\n
    \r\n
    [HTTP response 1/1]
    [Time since request: 0.000245580 seconds]
    [Request in frame: 67003]
    [Request URI: http://10.0.0.20/?AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14]
    File Data: 302 bytes
Line-based text data: text/html (10 lines)
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n
    <html><head>\n
    <title>400 Bad Request</title>\n
    </head><body>\n
    <h1>Bad Request</h1>\n
    <p>Your browser sent a request that this server could not understand.<br />\n
    </p>\n
    <hr>\n
    <address>Apache/2.4.18 (Ubuntu) Server at meinserver Port 80</address>\n
    </body></html>\n

Tags: httpheader

Solution


This question found its answer at Wireshark: https://ask.wireshark.org/question/24316/where-do-i-even-look-to-find-the-reason-for-a-400-bad-request/?answer=24330#post-id-24330

The problem is that the Geiger counter forms an HTTP request that does not fully comply with the HTTP rules: https://datatracker.ietf.org/doc/html/rfc7230#section-3.5

Namely, it terminates the HTTP request with LF only, while it should have sent CRLF.

Microsoft ASP servers accept this, while the Apache server rejects it as a security issue (https://httpd.apache.org/security/vulnerabilities_24.html, scroll to: “important: Apache HTTP Request Parsing Whitespace Defects (CVE-2016-8743)”).

This can be worked around by inserting HttpProtocolOptions Unsafe into apache2.conf. Tested on my local Apache server, it works!

I wonder how admins will feel about inserting the word “Unsafe” into their config files...
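
Added example (not part of the original question or answer): a Python check that rebuilds the 111-byte request from the capture above and reports every header-section line that is not terminated by CRLF. The function names and the simplified request-line pattern are assumptions for illustration, not Apache's parser.

```python
import re

# Request bytes rebuilt from the Wireshark dissection above (TCP payload: 111 bytes).
DEVICE_REQUEST = (
    b"GET /?AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14 HTTP/1.1\n"  # bare LF
    b"Host: 10.0.0.20\r\n"
    b"Connection: close\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)
# Constructed for comparison: the same request with the request line ending in CRLF.
FIXED_REQUEST = DEVICE_REQUEST.replace(b"HTTP/1.1\n", b"HTTP/1.1\r\n", 1)

# Simplified request-line grammar (method SP target SP version); an assumption
# for illustration, not Apache's parser.
REQUEST_LINE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+ [^ \t\r\n]+ HTTP/\d\.\d")


def find_line_ending_defects(raw: bytes) -> list[tuple[int, str]]:
    """Return (line number, problem) for each header-section line not ending in CRLF."""
    defects = []
    for number, line in enumerate(raw.splitlines(keepends=True), start=1):
        if line.endswith(b"\r\n"):
            content = line[:-2]
        elif line.endswith(b"\n"):
            defects.append((number, "bare LF"))
            content = line[:-1]
        elif line.endswith(b"\r"):
            defects.append((number, "bare CR"))
            content = line[:-1]
        else:
            defects.append((number, "no line terminator"))
            content = line
        if not content:  # the empty line ends the header section; the body is not checked
            break
    return defects


def strict_server_accepts(raw: bytes) -> bool:
    """True when the request line matches the grammar and every line ends in CRLF."""
    lines = raw.splitlines()
    return bool(lines) and bool(REQUEST_LINE.fullmatch(lines[0])) \
        and not find_line_ending_defects(raw)


if __name__ == "__main__":
    for name, raw in (("device", DEVICE_REQUEST), ("fixed", FIXED_REQUEST)):
        print(name, len(raw), find_line_ending_defects(raw), strict_server_accepts(raw))
```

Correcting the terminator on the device side lets the server keep its strict request parsing, so HttpProtocolOptions Unsafe is not needed.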

