• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question How do i find outgoing website uid when using nginx?

Linulex

Silver Pleskian
Hello all,

I have a server that is blacklisted because a website makes connection with a bot. I want stop this offcourse, but i need to find wich website it is. It use to be as simple as login outgoing connections and the uid would show up in the log after a while.

iptables -I OUTPUT 1 -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 80 -j LOG --log-level 1 --log-uid

BUT ... when using nginx as proxy, the logs always show the uid of nginx, not of the system user of the website.
All i get now is

Apr 16 11:01:53 res5 kernel: IN= OUT=bond0 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=64667 DF PROTO=TCP SPT=80 DPT=51448 WINDOW=165 RES=0x00 ACK URGP=0 UID=497 GID=498

497 = nginx, it doesn't log the system user anymore that goes with the website.

Does anyone knows a way to log outgoing connections that will give me the system uid?
Maybe in nginx or apache.

regards
Jan
 
Apr 16 11:01:53 res5 kernel: IN= OUT=bond0 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=64667 DF PROTO=TCP SPT=80 DPT=51448 WINDOW=165 RES=0x00 ACK URGP=0 UID=497 GID=498

Hi, Jan!
> SPT=80 DPT=51448
It looks like you are catching outgoing packets in income session.

If I correctly understand, then you want to catch packets in outcome session?
If you make outcome session from server (e.g.
Code:
 wget http://google.com
), so in /var/log/messagesit it looks like ... SPT=43646 DPT=80 ...

Try to use variables $http_x_uuid $upstream_http_x_uuid in nginx logging, it may help to solve your situation:
NGINX Docs | Configuring Logging
nginx: Is it possible to capture response headers in access log when using nginx as a reverse proxy?
 
Back
Top