I came across a line in my Nginx access log:
126.96.36.199 - admin [12/Dec/2012:18:33:18 +0800] "GET /manager/html HTTP/1.1" 444 0 "-" "-"
Let me stress that there is only 1 record with this IP.
Notice the authenticated user admin.
After some googling, I was able to find out only that this is authenticated user (http://wiki.nginx.org/HttpCoreModule#.24remote_user), which was authenticated by the Auth Basic Module (http://wiki.nginx.org/HttpAuthBasicModule).
However, nowhere in my site (configuration) do I use HTTP basic authentication.
What is going on? How did it get there? Was the user authenticated?
The fact that a username was given in the log means only that the client passed a username (and presumably a password). It does not necessarily mean that it authenticated successfully. In fact, we can see from your log entry that it did not; nginx returned a 444, an internal error which means nginx dropped the connection without sending anything.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.