Seeing odd response to /HNAP1/ POST

Curious about a response in the logs I’m seeing.

Surprise, surprise, surprise (NOT) I’m seeing my endpoint hit with a ton of bogus URLs probing various known endpoints (solr admin, wp admin, etc.).

My (very simple) Go Gin API service responds with 404s across the board, except for this:

2021-05-14T07:53:46.006Z app[b15f517f] iad [info] [GIN] 2021/05/14 - 07:53:46 | 404 | 1.402µs | | POST "/HNAP1/"
2021-05-14T07:53:51.394Z proxy[b15f517f] fra [error] error.code=1 error.message="Undocumented" request.method="POST" request.url="/HNAP1/""01F5MXVSFVD4PX5NJK94CXT9NX" response.status=502

The /HNAP1/ thing is trying to hack some brands of internet router.

Important note: the /HNAP1/ endpoint is not handled by my app, and so should just give a 404 like everything else.

I’m using Caddy in my container to be a reverse proxy, but if I run the container on my local machine, I just get a 404. So I’m guessing the proxy line here is, perhaps, something that is doing?

Thanks for any clues!

Yes this is a log from our proxy. We’ve recently added logging for any http responses coming from us (not from your app).

Most of them are currently “undocumented” because we’re slowly working through documenting each error case.

I looked up your request ID and the error is related to the request body:

error from user's HttpBody stream: error reading a body from connection: end of file before message length reached

Looks like some random bot sending jank requests :frowning:

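The mismatch between the app's 404 and the proxy's 502 can be reproduced offline. This is an added example, not code from the thread or from the proxy: a component that routes on headers alone sees a normal POST, while one that consumes the body hits an unexpected EOF. The raw request is constructed, and that the bot's request had this shape is an assumption based on the quoted error message.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed sample (not a capture): declares 64 body bytes but the
// connection ends after 9.
const truncatedProbe = "POST /HNAP1/ HTTP/1.1\r\n" +
	"Host: example.invalid\r\n" +
	"Content-Length: 64\r\n" +
	"\r\n" +
	"<partial>"

// Result records what is visible from the headers and what happens
// when the body is actually read to the declared length.
type Result struct {
	Path     string // enough for a router to answer 404
	Declared int64  // Content-Length header value
	Received int    // body bytes that really arrived
	BodyErr  error  // io.ErrUnexpectedEOF when the body is short
}

// inspect parses the headers, then drains the body the way a streaming
// proxy would have to before forwarding the full request.
func inspect(raw string) (Result, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return Result{}, err
	}
	body, bodyErr := io.ReadAll(req.Body)
	return Result{req.URL.Path, req.ContentLength, len(body), bodyErr}, nil
}

func main() {
	r, err := inspect(truncatedProbe)
	if err != nil {
		panic(err)
	}
	fmt.Printf("path=%s declared=%d received=%d truncated=%v\n",
		r.Path, r.Declared, r.Received, errors.Is(r.BodyErr, io.ErrUnexpectedEOF))
}
```

A handler that answers from the route alone never touches `req.Body`, which is consistent with Gin logging a 404 while the proxy reported the short body separately.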

Thanks Jerome! Really appreciate the update. Yeah, definitely a hack attempt… I really need to batten down the hatches (er, figuratively speaking :slight_smile: ) on my code.

We should stop these someday. They’re an unintended side effect of giving apps dedicated IPs. :slight_smile: