My server crashes every time an annoying pentester tries to find security holes in my application.
I see this in the error log:
17:48:48 +0200] "\x16\x03\x01\x00M\x01\x00\x00I\x03\x03\xDBJA\xC5\xB17\xF6\xDA \xD4\xEEEg0\xE0\xF2\xF2\xC9S\xE4\xF9v}\x1E\x00\xC8\xC3d\x80h;= \x1F\xD2\xAF?\x88\x8A\xA2\xCF\x16G\x99\x1D\x91" 400 173 "-" "-"
The server is configured like a normal nginx + php-fpm server. Port 80 is redirected to 443 and SSL is configured correctly.
I also added this line:
if ($request_method !~ ^(GET|HEAD|POST|OPTIONS|DELETE|PUT|PATCH)$) { return 405; }
(in both server configurations)
This is also the only "pentesting" request that results in a 400. All other requests result in 301 or 404.
I found a similar issue where the ssl section of nginx is not configured correctly. I checked my configuration but it looks alright.
I have the same issue on another server that has a similar configuration and on a server that has an nginx -> apache_mpm_prefork_fpm config.
Any ideas what this is and how to protect the server from crashing?
How can I reproduce such a pentesting request? (I tried it in Postman but I got a different result.)
Thanks a lot.
EDIT
I figured out how to reproduce that log:
https://servername:80.
But I can't figure out how to block this kind of request.
I tried it with $scheme but the request is encrypted. I tried to add ssl to the config but nothing changed.
There must be a reason why those pentesting/exploit sites try to send an HTTPS request to port 80.
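
The logged request starts with `\x16\x03\x01`, the header of a TLS handshake record, which fits the reproduction with an https:// URL on port 80 described in the edit. The following is an added example, not part of the original post: it decodes nginx's `\xHH` log escapes and flags request fields that are a TLS ClientHello sent to a plaintext listener. The function names are illustrative, and all sample fields except the first are constructed.

```python
import re

# Request fields as nginx logs them (non-printable bytes escaped as \xHH).
SAMPLES = [
    # First bytes of the request field in the log line quoted in the post.
    r'\x16\x03\x01\x00M\x01\x00\x00I\x03\x03\xDBJA\xC5\xB17\xF6\xDA',
    r'GET /index.php HTTP/1.1',   # constructed: ordinary HTTP request
    r'\x16\x03\x01',              # constructed: too short to classify
]

_ESC = re.compile(r'\\x([0-9A-Fa-f]{2})')
_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
             0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def unescape(field: str) -> bytes:
    """Turn the \\xHH escapes of an nginx log field back into raw bytes."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(field):
        out += field[pos:m.start()].encode("latin-1", "replace")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += field[pos:].encode("latin-1", "replace")
    return bytes(out)


def classify(field: str):
    """Return details of a TLS ClientHello, or None if the field is not one."""
    raw = unescape(field)
    # TLS record header: type 0x16 (handshake), version (2 bytes), length (2 bytes),
    # followed by the handshake message type, 0x01 for ClientHello.
    if len(raw) < 6 or raw[0] != 0x16 or raw[1] != 0x03 or raw[5] != 0x01:
        return None
    info = {
        "record_version": _VERSIONS.get(int.from_bytes(raw[1:3], "big"), "unknown"),
        "record_length": int.from_bytes(raw[3:5], "big"),
    }
    if len(raw) >= 11:
        # Bytes 6-8 are the handshake length, 9-10 the client version
        # (TLS 1.3 clients also send 0x0303 here).
        info["client_version"] = _VERSIONS.get(int.from_bytes(raw[9:11], "big"), "unknown")
    return info


if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s) or "not a TLS ClientHello", "<-", s[:24])
```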