Nginx access log shows authenticated user "admin"

bearcat asked:

I came across a line in my Nginx access log:

218.201.121.99 - admin [12/Dec/2012:18:33:18 +0800] "GET /manager/html HTTP/1.1" 444 0 "-" "-"

Let me stress that there is only 1 record with this IP.

Notice the authenticated user admin.

After some googling, I was able to find out only that this is the authenticated user (http://wiki.nginx.org/HttpCoreModule#.24remote_user), which was authenticated by the Auth Basic Module (http://wiki.nginx.org/HttpAuthBasicModule).

However, nowhere in my site (configuration) do I use HTTP basic authentication.

What is going on? How did it get there? Was the user authenticated?

My answer:


The fact that a username was given in the log means only that the client passed a username (and presumably a password). It does not necessarily mean that it authenticated successfully. In fact, we can see from your log entry that it did not; nginx returned a 444, an internal error which means nginx dropped the connection without sending anything.
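The distinction drawn in the answer, shown as an added example that is not part of the original question or answer: the logged user name is whatever the client put in its `Authorization: Basic` header, and the status code tells you what nginx did with the request. It assumes nginx's default `combined` log format; the function names are hypothetical, and every sample line except the first (taken from the question) is constructed.

```python
import base64
import re

# nginx "combined" format: $remote_addr - $remote_user [$time_local]
# "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def user_from_basic_header(value):
    """User name a client claims in an Authorization: Basic header, or None."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def classify(line):
    """Parse one access-log line; report the claimed user and what the status implies."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    user, status = m["user"], int(m["status"])
    if user == "-":
        verdict = "no credentials sent"
    elif status == 444:
        verdict = "credentials sent; connection closed with no response"
    elif status == 401:
        verdict = "credentials sent; rejected"
    else:
        verdict = "credentials sent; check whether this location uses auth_basic"
    return {"addr": m["addr"], "user": user, "status": status, "verdict": verdict}

# First line is from the question; the other two are constructed samples.
SAMPLE = [
    '218.201.121.99 - admin [12/Dec/2012:18:33:18 +0800] "GET /manager/html HTTP/1.1" 444 0 "-" "-"',
    '192.0.2.10 - - [12/Dec/2012:18:40:02 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - root [12/Dec/2012:18:41:10 +0800] "GET /private/ HTTP/1.1" 401 194 "-" "curl/7.27.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```

A non-empty user field on a request that was served normally is not proof of authentication either; confirm against the configuration whether that location enforces `auth_basic` at all.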


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.