Question How do I find outgoing website uid when using nginx?

Linulex

Hello all,

I have a server that is blacklisted because a website makes a connection with a bot. I want to stop this of course, but I need to find which website it is. It used to be as simple as logging outgoing connections, and the uid would show up in the log after a while.

iptables -I OUTPUT 1 -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 80 -j LOG --log-level 1 --log-uid

BUT ... when using nginx as a proxy, the logs always show the uid of nginx, not of the system user of the website.
All I get now is

Apr 16 11:01:53 res5 kernel: IN= OUT=bond0 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=64667 DF PROTO=TCP SPT=80 DPT=51448 WINDOW=165 RES=0x00 ACK URGP=0 UID=497 GID=498

497 = nginx, it doesn't log the system user anymore that goes with the website.

Does anyone know a way to log outgoing connections that will give me the system uid?
Maybe in nginx or apache.

regards
Jan
 
Apr 16 11:01:53 res5 kernel: IN= OUT=bond0 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=64667 DF PROTO=TCP SPT=80 DPT=51448 WINDOW=165 RES=0x00 ACK URGP=0 UID=497 GID=498

Hi, Jan!
> SPT=80 DPT=51448
It looks like you are catching outgoing packets in an incoming session.

If I understand correctly, you want to catch packets in an outgoing session?
If you make an outgoing session from the server (e.g. wget http://google.com), then in /var/log/messages it looks like ... SPT=43646 DPT=80 ...

Try to use variables $http_x_uuid $upstream_http_x_uuid in nginx logging, it may help to solve your situation:
NGINX Docs | Configuring Logging
nginx: Is it possible to capture response headers in access log when using nginx as a reverse proxy?
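
The distinction drawn in the reply above (SPT=80 is the server answering a visitor, DPT=80 is a connection the server opened itself) can be applied to a whole log file. The following is an added example, not part of either post: the sample lines, the UID 10003, the addresses and the `SERVICE_PORTS` set are constructed assumptions.

```python
from collections import Counter

# Constructed sample lines in the kernel LOG format quoted in the thread.
# Addresses are documentation ranges; UID 10003 is a made-up site user.
PFX = "Apr 16 11:02:10 res5 kernel: IN= OUT=bond0 SRC=192.0.2.10 "
SAMPLE_LOG = "\n".join([
    PFX + "DST=198.51.100.7 LEN=52 PROTO=TCP SPT=80 DPT=51448 ACK URGP=0 UID=497 GID=498",
    PFX + "DST=203.0.113.5 LEN=60 PROTO=TCP SPT=43646 DPT=80 SYN URGP=0 UID=10003 GID=1004",
    PFX + "DST=203.0.113.5 LEN=60 PROTO=TCP SPT=43650 DPT=80 SYN URGP=0 UID=10003 GID=1004",
    PFX + "DST=203.0.113.5 LEN=40 PROTO=TCP SPT=43650 DPT=80 RST URGP=0",
])

SERVICE_PORTS = {80, 443}  # assumption: the ports this host serves websites on


def parse(line):
    """Return the KEY=value fields of one LOG line; bare flags (SYN, ACK) are skipped."""
    fields = {}
    for token in line.split("kernel:", 1)[1].split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify(line):
    """Return (kind, dst, dpt, uid); uid is None when the line carries no UID= field."""
    fields = parse(line)
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    # Source port is our web port and the peer uses an ephemeral port: this is
    # the server answering a visitor, so the UID is the web server's own.
    if spt in SERVICE_PORTS and dpt not in SERVICE_PORTS:
        kind = "reply"
    else:
        kind = "outbound"
    return kind, fields["DST"], dpt, fields.get("UID")


def outbound_by_uid(log_text):
    """Count packets of connections the server opened, grouped by (uid, dst, dpt)."""
    tally = Counter()
    for line in log_text.splitlines():
        if "kernel:" in line and "SPT=" in line:
            kind, dst, dpt, uid = classify(line)
            if kind == "outbound":
                tally[(uid, dst, dpt)] += 1
    return tally


if __name__ == "__main__":
    for key, count in outbound_by_uid(SAMPLE_LOG).most_common():
        print(count, key)
```

Lines classified as "reply" are the ones that will always carry the nginx UID; only the "outbound" entries say anything about which local user opened a connection.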
 