Nginx workers segfault with nginx 1.9.5, naxsi 0.54 if http2 is enabled #227
Comments
Backtrace:
|
Hi, From the full stacktrace, it seems that you are using HTTP/2, and naxsi has not been tested yet with it (we will start working on it soon). |
Seems that removing |
Maybe related to the "Bugfix: a segmentation fault might occur in a worker process when using HTTP/2." in the latest nginx version. I'll test tomorrow. |
I just tested it and unfortunately it is still not working. |
Same issue with nginx 1.9.7 EDIT : same with 1.9.8 & 1.9.9 |
@blotus : Hello, is there any news on this issue ? I really want to use naxsi with http2 :) |
Hi @rfnx :) We didn't start working on the http2 compat. |
@buixor Thanks for the answer ! |
@buixor: maybe you could insert some warning or even error if naxsi is used with HTTP/2? It would be a small and easy change. Now it may be a bit confusing for new users. |
This is so sad :( |
Hi, Sorry for delay :) I'll keep you posted ;) |
Hate to make this thread sound like a broken record, but do you have any news concerning http2 compatibility? |
Hi, Don't worry, your request is totally legit. |
+1 |
+1 |
Can you let me know the status of this now that nginx 1.10.0 stable is released? I believe the bug affects this version too? |
Yep, unlike 1.9.x, which was mainline version, 1.10 is stable version, like 1.8 was. Is there anything you guys are going to do with it? I would even pay money for it (if I could convince my bosses that it's good investment). |
Hello, This is indeed something we need to work on, but as you might understand, we'd better not take the topic lightly. I plan to work on it as soon as we are done with release 0.55 (we have a few open bugs to close first), but tbh we didn't start working on http2 yet. It will come, I know some of you would have hoped sooner, please a bit more patience. |
Hi, just started to do some basic tests with http2, and it seems to be working so far. |
I am using vers=0.55rc1 with nginx-1.10.0 and having http2 enabled in ssl vhost. So far I have not seen any crashes and a test was blocked by naxsi just fine
|
The initial comment clarified: "Problem appeared after couple of minutes of nginx working with production load, synthetic tests did not reproduce it." This would make debugging the issue difficult. |
@Promaethius : yes exactly, that's why I'm begging for some test cases. |
@selivan : any chance you have more indications on what caused the crash ? |
@buixor: was long time ago, all that I saved is in this ticket. And I can't test new build on production load now, but I'll see if I can use it for 5-10 minutes on one of backends some days later. |
@buixor Hello, thanks again for your work. I tried and naxsi still crashed. This is very easy to reproduce: for me, it happens every time I click the "connection" button on my wordpress site, to go to the admin connection page (default to /wp-admin). Configuration:
My system log after the crash :
|
Thanks :) Any chance you could provide a dump of the http request?
|
@buixor Do you want the headers ? |
I also have had a crash. I don't know how to reproduce it yet.
|
I have the same problem with nginx 1.10.3 + naxsi 0.55.3 when http2 is enabled. |
I actually had to remove all the $HEADERS_VAR:Cookie from all MainRules in the core.rules file. For some reason, having it with HTTP2 causes the segfaults. Removed them and no issues for 2 days. I know that removing it is not ideal but having HttpOnly; Secure in the headers kinda overcome most of the cookies attacks, so I'll leave it out for now. Does anyone have more insights on the risks and implications of leaving that out from the core rules? |
Hello, @danlsgiga / @Louvremaster : did this happen with the http2 branch ? Thanks ! ps: sorry for delay, I was kinda busy, http2 branch is going for merge in next major |
Hey @buixor, yeah, http2 branch and the latest nginx release. |
That is bad news :( I'm going to look at it when I come back from holidays, end of April |
Hello, |
@danlsgiga @ManuelRighi Did you guys try PR #309 on top of http2 branch? We've been running HTTP/2 + Naxsi for months with no errors. The segfaults were caused by Naxsi trying to modify the header part of the request, which lives in read-only memory. See previous posts on this thread. Unless these are new segfaults, #309 should solve them =) |
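Added example, not part of the thread and not naxsi or nginx code: the comment above attributes the segfaults to writing into request header memory that is read-only. The sketch below contrasts an in-place normaliser with one that decodes into a scratch buffer and only reads the source; the function names, the sample cookie value and the decode-and-lowercase rules are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample header value. Const static data is normally placed in a
   read-only segment, standing in for header memory a module must not write. */
const char SAMPLE_COOKIE[] = "SID=%41bC%zz";

/* Unsafe pattern, shown for contrast and never called here: writing through
   the pointer faults (SIGSEGV) when it refers to read-only memory. */
void lowercase_in_place(char *s) {
    for (; *s; s++) *s = (char)tolower((unsigned char)*s);
}

/* Value of one hex digit, or -1 if c is not a hex digit. */
int hexval(int c) {
    c = tolower((unsigned char)c);
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Safe pattern: decode %XX and lowercase into dst; src is only read.
   Malformed escapes are copied literally. Returns the number of bytes
   written (excluding the NUL), or -1 if dst is too small. */
long normalise_copy(const char *src, size_t len, char *dst, size_t cap) {
    size_t i = 0, o = 0;
    while (i < len) {
        unsigned char c = (unsigned char)src[i];
        int hi = -1, lo = -1;
        if (c == '%' && i + 2 < len) {
            hi = hexval(src[i + 1]);
            lo = hexval(src[i + 2]);
        }
        if (hi >= 0 && lo >= 0) { c = (unsigned char)(hi * 16 + lo); i += 3; }
        else i++;
        if (o + 1 >= cap) return -1;          /* keep room for the NUL */
        dst[o++] = (char)tolower(c);
    }
    if (cap == 0) return -1;
    dst[o] = '\0';
    return (long)o;
}

int main(void) {
    char out[64];
    long n = normalise_copy(SAMPLE_COOKIE, strlen(SAMPLE_COOKIE), out, sizeof out);
    return n == 10 ? 0 : 1;
}
```

Rule matching then runs against the scratch copy, so the same code path works whether or not the original header bytes are writable.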
Thanks @marcelomd ... I try http2 branch ;) |
Eh I guess I should really merge this one into http2 branch, @marcelomd : no update to do on this one ? |
@buixor Nothing new. Works beautifully for us as it is. Go ahead =) |
Hi @marcelomd, yeah, I was just using the http2 branch without the suggested PR #309. @buixor It would be nice to have that merged in http2 since I have a job that builds nginx automatically from that branch. |
merged into http2, which itself should make its way to master for 0.56 :) |
Beautiful! Thanks @buixor |
After recompiling nginx with the http2 branch with the merge of PR #309 I confirm that all issues and segfaults are gone. I've restored the original core.rules with all the $HEADERS_VAR:Cookie and everything is smooth again. |
Hello, What exactly are the commands to download the HTTP2 branch and merge PR #309? |
It would be: But meanwhile #309 is merged into http2 branch. -> you can just checkout the http2 branch. |
@gutweiler thanks ;) |
Hello, objs/addon/src/ngx_url_async_fetcher.o:/opt/ngx_pagespeed-1.12.34.2-stable/src/ngx_url_async_fetcher.cc:89: first defined here If I use branch master, no problem, but I have issue with http2 ..... I need to merge http2 on master ? Thanks |
@ManuelRighi |
@combro2k nginx + pagespeed without naxsi compile is ok |
@ManuelRighi Maybe this is related? apache/incubator-pagespeed-ngx#1194 Did you try to compile it against nginx mainline version? |
Hello, |
@ManuelRighi : can you provide extra info ? :D |
If I compile with this ./configure order --add-module=/opt/ngx_pagespeed-1.12.34.2-stable --add-module=/opt/naxsi-0.55.3/naxsi_src compile fails. If I reverse order, --add-module=/opt/naxsi-0.55.3/naxsi_src --add-module=/opt/ngx_pagespeed-1.12.34.2-stable compile works |
Hello, Thanks |
EDIT: Solved it myself, error was caused by compiling as dynamic module. When using naxsi as static module, the http2 version works with the latest nginx version again. The issue was fixed before by compiling nginx from the http2 branch. But with the nginx release Any ideas? |
UPD: Problem occurs only if http2 is enabled in listen directive.
Here are core dump files, apport crash report and manually built packages I used on Ubuntu 14.04: https://yadi.sk/d/6m32n8IFjRqrc
naxsi 0.54
Only module I used except naxsi is nginx-upstream-fair.
Problem appeared after couple of minutes of nginx working with production load, synthetic tests did not reproduce it.
nginx.conf:
naxsi_core.rules taken unchanged from source.
naxsi.rules:
Problem also appeared with naxsi 0.54rc3, which I accidentally built first.