crowdsecurity / cs-nginx-bouncer

CrowdSec bouncer for Nginx
MIT License

APT installation broken when using Nginx's APT repository. #30

Open justSem opened 2 years ago

justSem commented 2 years ago

When using nginx's APT repos, the standard apt installation for the bouncer breaks due to a dependency issue.

Mainly because package names differ between the repos and the standard nginx-lua module is not included as a separate package in the nginx repo. When apt attempts to install this, this results in a dependency conflict as shown below:

sudo apt-get install crowdsec-nginx-bouncer
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 nginx : Conflicts: nginx-common but 1.18.0-6.1 is to be installed
E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages

Suggested resolution

Update the debian/control file so that having only nginx installed, instead of both nginx and libnginx-mod-http-lua, is sufficient.

franciscopaniskaseker commented 2 years ago

Same problem here, using Ubuntu 20.04, updated.

root@host:~# sudo apt install lua5.1 libnginx-mod-http-lua luarocks gettext-base
Reading package lists... Done
Building dependency tree
Reading state information... Done
gettext-base is already the newest version (0.19.8.1-10build1).
gettext-base set to manually installed.
The following additional packages will be installed:
  autoconf automake autotools-dev file libdpkg-perl libfile-fcntllock-perl libltdl-dev liblua5.1-0 liblua5.1-0-dev libluajit-5.1-2
  libluajit-5.1-common libncurses-dev libnginx-mod-http-ndk libreadline-dev libtool libtool-bin lua-any lua-sec lua-socket nginx-common
  pkg-config
Suggested packages:
  autoconf-archive gnu-standards autoconf-doc gettext debian-keyring bzr libtool-doc ncurses-doc readline-doc gfortran | fortran95-compiler
  gcj-jdk fcgiwrap nginx-doc dpkg-dev
The following packages will be REMOVED:
  nginx
The following NEW packages will be installed:
  autoconf automake autotools-dev file libdpkg-perl libfile-fcntllock-perl libltdl-dev liblua5.1-0 liblua5.1-0-dev libluajit-5.1-2
  libluajit-5.1-common libncurses-dev libnginx-mod-http-lua libnginx-mod-http-ndk libreadline-dev libtool libtool-bin lua-any lua-sec
  lua-socket lua5.1 luarocks nginx-common pkg-config
0 upgraded, 24 newly installed, 1 to remove and 103 not upgraded.
Need to get 3,092 kB of archives.
After this operation, 13.6 MB of additional disk space will be used.
Do you want to continue? [Y/n]
root@host:~# sudo apt install nginx lua5.1 libnginx-mod-http-lua luarocks gettext-base
Reading package lists... Done
Building dependency tree
Reading state information... Done
gettext-base is already the newest version (0.19.8.1-10build1).
gettext-base set to manually installed.
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libnginx-mod-http-lua : Depends: libnginx-mod-http-ndk (= 1.18.0-0ubuntu1.2) but it is not going to be installed
                         Depends: nginx-common (= 1.18.0-0ubuntu1.2) but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
root@host:~#

There is no problem running nginx 1.22 with crowdsec, as far as I know.

Basically it wants to remove my nginx 1.21 and set up nginx-common 1.18.

blotus commented 2 years ago

Hello,

When using the nginx provided by ubuntu/debian, we need the dependency on libnginx-mod-http-lua because the bouncer needs LUA to work, so removing the dependency would likely break the installation for the majority of the users.

AFAIK, the nginx repository does not provide the LUA module (please correct me if this is wrong) so the bouncer won't work with it anyway.

We are currently exploring how to support the official nginx repositories, but for now the only way for you to use the bouncer would probably be to manually build the LUA module and install the bouncer using the install script in this repo or switch to openresty (should work pretty much out of the box with your nginx config, but that's likely a big change) and use the openresty bouncer.

franciscopaniskaseker commented 2 years ago

> We are currently exploring how to support the official nginx repositories, but for now the only way for you to use the bouncer would probably be to manually build the LUA module and install the bouncer using the install script in this repo or switch to openresty (should work pretty much out of the box with your nginx config, but that's likely a big change) and use the openresty bouncer.

Of course we need to support nginx, at least from the Linux repo, but as an extra comment: most Linux sysadmins use the nginx bouncer because you cannot see the real IP using iptables when you have a proxy between you and the user. Maybe I am missing Windows servers or customized nginx configs, I do not know. So maybe the simplest and most efficient solution is to provide a middleware between ports 80/443 and nginx, using iptables, like bitninja does. Using iptables rules, it will forward the traffic to the middleware and filter. And this middleware can be a simple nginx that works out of the box.

I do not want to make it more complex, I am just saying that maybe in most cases this is the problem with nginx use. A very popular open-source panel called hestiacp uses nginx from the official repo.

So maybe a simple docker solution or a custom nginx instance that reads 80/443 traffic just to block some IPs will not just fix the most common nginx use, but will also expand the crowdsec solution to another 3 very popular web server panels.

luizvaz commented 2 weeks ago

The solution to this issue is the ppa/ondrej repositories.

The steps below work on Ubuntu 20.04 and 22.04:

sudo add-apt-repository ppa:ondrej/nginx
sudo apt install nginx lua5.1 libnginx-mod-http-lua luarocks gettext-base lua-cjson
sudo apt install crowdsec-nginx-bouncer
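
A pre-flight check for the conflict reported in this issue, as an added example that is not part of the thread or of the cs-nginx-bouncer repository: it reads `apt-cache policy` and simulated `apt-get -s install` output and reports whether the installed nginx comes from nginx.org or whether apt plans to remove it. The function names and the sample text are constructed for illustration.

```shell
# Added example; function names are illustrative, sample text is constructed.

# Sources of the *installed* version: the lines under the "***" entry
# of `apt-cache policy <pkg>` output (read from stdin).
installed_sources() {
    awk '
        /^ \*\*\* /  { cur = 1; next }   # installed version entry
        /^     [^ ]/ { cur = 0; next }   # any other version entry
        cur && /^      / && $2 != "/var/lib/dpkg/status" { print $2 }
    '
}

# Packages listed under "The following packages will be REMOVED:" (stdin).
planned_removals() {
    awk '
        /^The following packages will be REMOVED:/ { rm = 1; next }
        rm && /^  / { for (i = 1; i <= NF; i++) print $i; next }
        { rm = 0 }
    '
}

# $1 = `apt-cache policy nginx` text
# $2 = `apt-get -s install libnginx-mod-http-lua` text (-s only simulates)
bouncer_preflight() {
    if printf '%s\n' "$1" | installed_sources | grep -q 'nginx\.org/packages'; then
        echo "nginx-org-repo"       # the case reported in this issue
    elif printf '%s\n' "$2" | planned_removals | grep -qx 'nginx'; then
        echo "would-remove-nginx"   # apt would replace the running nginx
    else
        echo "ok"
    fi
}

# Constructed sample: nginx installed from the nginx.org repository.
SAMPLE_POLICY='nginx:
  Installed: 1.22.1-1~focal
  Candidate: 1.22.1-1~focal
  Version table:
 *** 1.22.1-1~focal 500
        500 http://nginx.org/packages/ubuntu focal/nginx amd64 Packages
        100 /var/lib/dpkg/status
     1.18.0-0ubuntu1.2 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages'
SAMPLE_APT='The following packages will be REMOVED:
  nginx
The following NEW packages will be installed:
  lua5.1 luarocks nginx-common'

bouncer_preflight "$SAMPLE_POLICY" "$SAMPLE_APT"
```

On a real host, pass `"$(apt-cache policy nginx)"` and `"$(apt-get -s install libnginx-mod-http-lua)"` as the two arguments.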