coreruleset / modsecurity-crs-docker

Official ModSecurity Docker + Core Rule Set (CRS) images
https://coreruleset.org
Apache License 2.0

Healthcheck fails on OpenResty #219

Closed erseldev closed 2 months ago

erseldev commented 3 months ago

I've been actively using version 3.5.5 for CrowdSec bouncers (firewall bouncer and Django bouncer for Django apps). However, I wasn't able to implement the nginx bouncer due to the lack of a lua package in version 3.5.5. So, I switched to 4.0.0-openresty-alpine-fat this weekend, however I couldn't get it running in a healthy state.

Healthcheck fails and the container stays in unhealthy condition. Please find below the Health log from inspect:

----------------------------------------
"Health": {
    "Status": "unhealthy",
    "FailingStreak": 4,
    "Log": [
        {
            "Start": "2024-03-17T21:37:51.899899623+03:00",
            "End": "2024-03-17T21:37:51.962438883+03:00",
            "ExitCode": 7,
            "Output": ""
        },
        {
            "Start": "2024-03-17T21:38:21.967048446+03:00",
            "End": "2024-03-17T21:38:22.016149571+03:00",
            "ExitCode": 7,
            "Output": ""
        },
        {
            "Start": "2024-03-17T21:38:52.019909614+03:00",
            "End": "2024-03-17T21:38:52.076661981+03:00",
            "ExitCode": 7,
            "Output": ""
        },
        {
            "Start": "2024-03-17T21:39:22.080164811+03:00",
            "End": "2024-03-17T21:39:22.130057679+03:00",
            "ExitCode": 7,
            "Output": ""
        }
    ]
}

------------------------------------

I have no clue what I'm doing wrong.

theseion commented 3 months ago

Thanks for reporting. We'll look into it, but it may take us a couple of days.

@TafkaMax, could you take a look?

TafkaMax commented 3 months ago

OK, will check once I have time. It seems the new version of CRS dropped. I have to test that out as well...

What does docker logs <openresty-modsec-crs-container-name> say about the container?

erseldev commented 3 months ago

Hi, the log is as follows:

-------------------
ted@ash1:~$ docker logs nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
20-envsubst-on-templates.sh: Running envsubst on /usr/local/openresty/nginx/templates/conf.d/default.conf.template to /usr/local/openresty/nginx/conf/conf.d/default.conf
20-envsubst-on-templates.sh: Running envsubst on /usr/local/openresty/nginx/templates/conf.d/logging.conf.template to /usr/local/openresty/nginx/conf/conf.d/logging.conf
20-envsubst-on-templates.sh: Running envsubst on /usr/local/openresty/nginx/templates/conf.d/modsecurity.conf.template to /usr/local/openresty/nginx/conf/conf.d/modsecurity.conf
20-envsubst-on-templates.sh: Running envsubst on /usr/local/openresty/nginx/templates/nginx.conf.template to /usr/local/openresty/nginx/conf/nginx.conf
20-envsubst-on-templates.sh: Running envsubst on /usr/local/openresty/nginx/templates/modsecurity.d/modsecurity-override.conf.template to /usr/local/openresty/nginx/conf/modsecurity.d/modsecurity-override.conf
20-envsubst-on-templates.sh: Running envsubst on /usr/local/openresty/nginx/templates/modsecurity.d/setup.conf.template to /usr/local/openresty/nginx/conf/modsecurity.d/setup.conf
20-envsubst-on-templates.sh: Running envsubst on /usr/local/openresty/nginx/templates/includes/proxy_backend_ssl.conf.template to /usr/local/openresty/nginx/conf/includes/proxy_backend_ssl.conf
20-envsubst-on-templates.sh: Running envsubst on /usr/local/openresty/nginx/templates/includes/proxy_backend.conf.template to /usr/local/openresty/nginx/conf/includes/proxy_backend.conf
20-envsubst-on-templates.sh: Running envsubst on /usr/local/openresty/nginx/templates/includes/location_common.conf.template to /usr/local/openresty/nginx/conf/includes/location_common.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/25-listen-on-ipv6-by-default.sh
25-listen-on-ipv6-by-default.sh: info: Getting the checksum of /usr/local/openresty/nginx/conf/conf.d/default.conf
25-listen-on-ipv6-by-default.sh: info: /usr/local/openresty/nginx/conf/conf.d/default.conf differs from the packaged version
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/90-copy-modsecurity-config.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/91-update-resolver.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/92-update-real_ip.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/94-activate-plugins.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/95-activate-rules.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2024/03/18 18:32:48 [notice] 1#1: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/797/0)
ted@ash1:~$

--------------------

This may not be so meaningful, so I'm also posting the terminal messages:

--------------------
nginx        | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
nginx        | /docker-entrypoint.sh: Launching /docker-entrypoint.d/90-copy-modsecurity-config.sh
nginx        | /docker-entrypoint.sh: Launching /docker-entrypoint.d/91-update-resolver.sh
nginx        | /docker-entrypoint.sh: Launching /docker-entrypoint.d/92-update-real_ip.sh
nginx        | /docker-entrypoint.sh: Launching /docker-entrypoint.d/94-activate-plugins.sh
nginx        | /docker-entrypoint.sh: Launching /docker-entrypoint.d/95-activate-rules.sh
nginx        | /docker-entrypoint.sh: Configuration complete; ready for start up
nginx        | 2024/03/18 18:32:48 [notice] 1#1: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/797/0)
Gracefully stopping... (press Ctrl+C again to force)
dependency failed to start: container nginx is unhealthy
ted@ash1:~/docker/proxy$
--------------------

I made a brief comparison between 3.5.5 and 4.0.0 and figured that the generate-certificate script is not listed in the "/usr/local/bin/" folder for 4.0.0 (the healthcheck script is there). Could this be the reason?

erseldev commented 3 months ago

Let me also add this:

ted@ash1:~/docker/proxy$ docker exec -it nginx curl http://localhost:80/healthz
<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>openresty</center>
</body>
</html>
ted@ash1:~/docker/proxy$

theseion commented 3 months ago

Thanks @erseldev. The missing certificates aren't good but shouldn't be the reason for the issue. However, it looks like there's no endpoint for the health check.
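For comparison, here is what a health endpoint that the proxy answers itself looks like, so that `curl http://localhost:80/healthz` reports on the nginx process rather than on whatever sits behind `proxy_pass`. This is an added illustration, not the image's own template; the server block layout and the `backend-placeholder` upstream are assumptions.

```nginx
# Added example, not the modsecurity-crs-docker template.
# A probe such as `curl -fsS http://localhost:80/healthz || exit 1` then
# exits non-zero only when the nginx worker itself cannot answer
# (curl exit 7 = could not connect) or returns a non-2xx status.
server {
    listen 80;
    server_name _;

    # Exact-match location answered locally: no proxy_pass, so a backend
    # that is down or unreachable cannot turn the probe into a 503.
    location = /healthz {
        access_log off;          # keep the 30-second probe out of the access log
        modsecurity off;         # static response with no request body to inspect
        default_type text/plain;
        return 200 "OK\n";
    }

    # Application traffic keeps going through the WAF to the upstream
    # (hypothetical upstream name used here).
    location / {
        proxy_pass http://backend-placeholder:8080;
    }
}
```

The `location = /healthz` block must come before any prefix location that would otherwise catch the probe; `modsecurity off` is the ModSecurity-nginx connector directive and applies only inside that location.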