
access.log of Nginx filling up space (Ubuntu 22 Server)


Recently I deployed my website using a Node.js server with Nginx as a reverse proxy; Nginx also handles SSL and forwards HTTPS to the HTTP server of Node.js running on a specific port. I am using the UFW firewall and have only allowed OpenSSH and Nginx Full. Within a few hours, my access.log fills up with requests like the ones given below. After a day, access.log is around 7 to 8 GB, which is too big for my 10 GB Ubuntu Server.

  • Please tell me what I have done wrong, or whether there is any configuration I have to do to not allow certain requests.

For deployment, I downloaded Node.js from the node source repository and then installed the necessary node modules, enabled the UFW firewall, enabled SSL on my website and changed

  • nginx/conf.d/www.websitname.com.conf

to proxy request to

  • localhost:someport.

Also, I have created a websitename.conf file in the sites-available folder and enabled it via a symbolic link; websitename.conf proxies the IP address of my website to IP-ADDRESS:PORT.
Overall, the website is up and running fine.
But access.log fills up my Ubuntu Server very fast, and within a few hours the server runs out of space.

For now, I am manually truncating the content of access.log, but I doubt that access.log should fill that quickly with so many requests even though there is not much traffic on my website.

This is a snapshot of tail access.log:

51.15.188.226 - - [30/May/2023:07:16:50 +0000] "GET http://www.168mu.cn/ HTTP/1.1" 404 134 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko"
51.15.188.226 - - [30/May/2023:07:16:50 +0000] "GET http://www.168mu.cn/ HTTP/1.1" 404 197 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3599.0 Safari/537.36"
51.15.188.226 - - [30/May/2023:07:16:50 +0000] "GET http://www.168mu.cn/ HTTP/1.1" 404 134 "-" "Mozilla/5.0 (Linux; Android 5.0; SM-G920A) AppleWebKit (KHTML, like Gecko) Chrome Mobile Safari (compatible; AdsBot-Google-Mobile; +http://www.google.com/mobile/adsbot.html)"
51.15.188.226 - - [30/May/2023:07:16:50 +0000] "GET http://www.168mu.cn/ HTTP/1.1" 404 134 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko"
120.244.220.48 - - [30/May/2023:07:16:51 +0000] "HEAD http://www.baidu.com/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
185.214.10.142 - - [30/May/2023:07:16:52 +0000] "GET http://azenv.net/ HTTP/1.1" 404 134 "-" "Go-http-client/1.1"
185.227.153.226 - - [30/May/2023:07:16:55 +0000] "CONNECT 182.22.25.124:443 HTTP/1.1" 400 166 "-" "-"
119.52.119.195 - - [30/May/2023:07:16:55 +0000] "CONNECT al.autohome.com.cn:443 HTTP/1.1" 400 166 "-" "-"
43.134.213.189 - - [30/May/2023:07:16:56 +0000] "CONNECT lumtest.com:443 HTTP/1.1" 400 166 "-" "-"
47.107.101.106 - - [30/May/2023:07:17:01 +0000] "CONNECT waiting.flypeach.com:443 HTTP/1.1" 400 166 "-" "-"

Please tell me what the solution is and what I have done wrong to be receiving so many access requests. Also, please tell me whether these are genuine requests that every server receives, or whether it is just me, due to a configuration or deployment issue.

Do you need the access log? If no, turn it off.
Albert Einstein avatar
@GeraldSchneider Even if I don't need the access.log, the issue is that it fills up so quickly with such requests. Is this normal for a website with no or minimal traffic?
I wouldn't call it typical, but not surprising either. If you got an IP address assigned that used to host a high traffic site, or many other DNS addresses are pointing to it for some reason (don't bother trying to find out, you can't), that would be perfectly normal, yes. Welcome to the Internet.
Implementing fail2ban and similar tools should reduce the amount of requests.
HBruijn avatar
The logs indicate abuse attempts on your web server: attempts to use your server as a proxy. Regular abuse attempts are considered the normal internet background noise, but such enormous numbers are not quite typical. Maybe you or the previous user of your IP had misconfigured their server as an open proxy in the past, for example, and your IP is still attracting higher than normal abuse attempts.
Albert Einstein avatar
@HBruijn What do you mean by open proxy? I have enabled the ufw firewall and am also proxying my domain only to localhost.
HBruijn avatar
The attempts don't look successful based on the 404 and 400 response codes in the logs, but in general GET and/or CONNECT requests to some random domain are indicative of trying to use your web server as a proxy.
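
The check described in the comments above (a GET/HEAD for some other domain, or a CONNECT, with the status code showing whether it succeeded), as an added Python example that is not part of the original thread. The sample lines are constructed, and `own_hosts` is an assumed parameter holding the site's own hostnames.

```python
import re
from collections import Counter

# Combined log format, as in the question's tail output.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges and example domains).
SAMPLE = [
    '203.0.113.10 - - [30/May/2023:07:16:50 +0000] "GET http://other.example.net/ HTTP/1.1" 404 134 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [30/May/2023:07:16:51 +0000] "HEAD http://other.example.net/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/May/2023:07:16:55 +0000] "CONNECT other.example.net:443 HTTP/1.1" 400 166 "-" "-"',
    '192.0.2.44 - - [30/May/2023:07:17:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [30/May/2023:07:17:03 +0000] "GET http://www.example.com/about HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def is_proxy_probe(request, own_hosts):
    """True if the request line asks the server to act as a forward proxy."""
    parts = request.split()
    if len(parts) < 2:
        return False
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":  # tunnel request, e.g. CONNECT host:443
        return True
    m = re.match(r"(?i)^https?://([^/:?#]+)", target)  # absolute-form target
    return bool(m) and m.group(1).lower() not in own_hosts

def summarize(lines, own_hosts=frozenset()):
    """Count probe lines per client IP; collect probes answered with 2xx/3xx."""
    probes, total, answered = Counter(), 0, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format, skip
        total += 1
        if is_proxy_probe(m["request"], own_hosts):
            probes[m["ip"]] += 1
            if m["status"][0] in "23":  # anything but 4xx/5xx deserves a look
                answered.append(line)
    return {"total": total, "probes": sum(probes.values()),
            "by_ip": probes, "answered": answered}

if __name__ == "__main__":
    print(summarize(SAMPLE, own_hosts={"www.example.com"}))
```

An empty `answered` list matches what the 404 and 400 codes in the question's log show: the probes were refused. Any entry there is a request for a foreign host that the server actually served.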