Discussion:
"unknown" IP address in access log
Janine Sisk
2007-11-14 23:49:24 UTC
Does anyone know what causes the IP address to be reported as
"unknown" for a handful of accesses each day?
unknown - - [13/Nov/2007:12:32:06 -0800] "GET / HTTP/1.0" 200 17880
"" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.9)
Gecko/20071025 Firefox/2.0.0.9" "
janine
Juan José del Río [Simple Option]
2007-11-15 00:18:01 UTC
That's very weird, Janine. Maybe someone else knows what's going on.

In my case, I have a weird behaviour too...

213.99.4.203, 212.170.235.17 - - [14/nov/2007:19:32:31 +0100] "GET /
HTTP/1.0" 200 3295 "" "Mozilla/5.0 (Windows; U; Windows
NT 5.0; es-ES; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.4" 0.077743

What about this? I don't know what's going on with the *TWO* IPs

Regards,

Juan José


-
Juan José del Río | Comercio online / e-commerce
+34 616 512 340 | ***@simpleoption.com


Simple Option S.L.
Tel: +34 951 930 122
Fax: +34 952 792 455
http://www.simpleoption.com
--
AOLserver - http://www.aolserver.com/
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
Tom Jackson
2007-11-15 01:25:01 UTC
This looks like a reverse lookup, but very strange.

Janine's case is also weird. The access log is a small chunk of code, so it
might be easy to figure it out.

Which versions of AOLserver are being used here?

tom jackson
Juan José del Río [Simple Option]
2007-11-15 01:44:24 UTC
In my case,

$ ./nsd -V
AOLserver/4.5.0 (aolserver4_5)
CVS Tag: $Name: $
Built: Sep 9 2007 at 20:01:03
Tcl version: 8.5
Platform: freebsd


Version (as you can see) was built from CVS HEAD at Sept 9th.

Around 1% of the entries in my access logs have that double IP
issue. That happened with older versions too, and even with TCL 8.4.

The set-up I have working is lighttpd as a frontend proxying requests,
and AOLserver replying to them. I got the same behaviour with Apache as
frontend too, so I guess it's AOLserver's thing.

Thank you very much for your help on this,

Juan José



Janine Sisk
2007-11-15 06:07:46 UTC
I am using 4.0.10.

thanks,

janine
Janine Sisk
2007-11-29 20:32:40 UTC
I'm looking at nslog.c and I think this is probably the bit that's
responsible for my "unknown"s:

    /*
     * Append the peer address and auth user (if any).
     * Watch for users coming from proxy servers.
     */

    if (conn->headers && (p = Ns_SetIGet(conn->headers, "X-Forwarded-For"))) {
        Ns_DStringAppend(&ds, p);
    } else {
        Ns_DStringAppend(&ds, Ns_ConnPeer(conn));
    }

I've even found one today that has both my problem and the one Juan
reported:

66.102.186.10, unknown - - [29/Nov/2007:00:09:57 -0800] ...

What I don't know is, is there anything I can do to get a valid IP
address? I don't know how Ns_ConnPeer(conn) gets set - if the
X-Forwarded-For header is present but set to "unknown" (which is my
guess as to what's happening), can I revert to using Ns_ConnPeer(conn)
instead? Or am I just outta luck? It seems like there ought to be a
valid IP address somewhere, as the request isn't supposed to be able
to be delivered to the server without one.

The reason I care about this is that we've implemented IP-based site
subscriptions, and the folks coming in with "unknown" aren't able to
access the site. In this particular instance it's better to get the
IP of the proxy server than have it unavailable entirely.

janine
Carsten Clasohm
2007-11-15 07:50:14 UTC
Post by Juan José del Río [Simple Option]
213.99.4.203, 212.170.235.17 - - [14/nov/2007:19:32:31 +0100] "GET /
HTTP/1.0" 200 3295 "" "Mozilla/5.0 (Windows; U; Windows
NT 5.0; es-ES; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.4" 0.077743
What about this? I don't know what's going on with the *TWO* IPs

You get two IP addresses in the access log if the client sent the
request via an HTTP proxy. The first address is the client's address,
the second one is the proxy's address. You can also have multiple proxy
addresses, if the request passed through more than one proxy, or if you
have set up a reverse proxy on your server.


Carsten
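
The fallback Janine asks about and the address list Carsten describes, as an added example (not code from nslog.c or the AOLserver project): a stand-alone C function that uses the socket peer by default and takes an address from X-Forwarded-For only when the request arrived through the site's own front end and the value is a well-formed IP. `effective_addr` and its `front_end` parameter are hypothetical names, and the code assumes the front end appends the address that connected to it as the last list element.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* 1 if s is a literal IPv4/IPv6 address; 0 for "unknown", "" and the like. */
static int is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/*
 * Choose the address to log or to match against an IP-based subscription.
 *   xff       X-Forwarded-For value, NULL if the header is absent
 *   peer      socket peer address (what Ns_ConnPeer(conn) supplies in nslog.c)
 *   front_end address of our own reverse proxy, NULL if there is none
 *             (hypothetical parameter, not an AOLserver setting)
 * The result is written to out and returned.
 */
const char *effective_addr(const char *xff, const char *peer,
                           const char *front_end, char *out, size_t outlen)
{
    char tok[INET6_ADDRSTRLEN];
    const char *start, *end;
    size_t len;

    /* Default to the socket peer: it is always a real address. */
    snprintf(out, outlen, "%s", peer);
    /* Honour the header only when the request came through our own proxy. */
    if (xff == NULL || front_end == NULL || strcmp(peer, front_end) != 0)
        return out;
    /* The last list element is the address that connected to that proxy. */
    start = strrchr(xff, ',');
    start = start ? start + 1 : xff;
    while (*start == ' ' || *start == '\t')
        start++;
    end = start + strlen(start);
    while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
        end--;
    len = (size_t)(end - start);
    /* Replace the default only with a well-formed address. */
    if (len > 0 && len < sizeof(tok)) {
        memcpy(tok, start, len);
        tok[len] = '\0';
        if (is_ip_literal(tok))
            snprintf(out, outlen, "%s", tok);
    }
    return out;
}
```

With no front end configured, a header of `unknown` resolves to the connecting proxy's socket address; with a front end at a constructed address such as 127.0.0.1, the two-address entry from the log above resolves to 212.170.235.17.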