crowdsecurity / cs-openresty-bouncer

CrowdSec bouncer for OpenResty
MIT License

lua tcp socket read times out - MODE: stream #29

Closed baudneo closed 2 years ago

baudneo commented 2 years ago

I am running the latest commit build with the SSL_CERTS_PATH PR. After more debugging it seems that 'live' mode works while 'stream' mode does not.

Running nginx proxy manager and integrating the bouncer into the docker image. Everything seems to be installed correctly. On the lua/openresty end the logs have this ->

  2022/04/10 03:35:32 [error] 449#449: *447 lua tcp socket read timed out, context: ngx.timer, client: x.x.x.x, server: 0.0.0.0:443
  2022/04/10 03:35:32 [error] 449#449: *447 lua entry thread aborted: runtime error: /etc/nginx/lualib/crowdsec.lua:188: request failed: timeout
  stack traceback:
  coroutine 0:
      [C]: in function 'error'
      /etc/nginx/lualib/crowdsec.lua:188: in function </etc/nginx/lualib/crowdsec.lua:173>, context: ngx.timer, client: x.x.x.x, server: 0.0.0.0:443

On the crowdsec LAPI end the logs have broken pipe errors ->


==> /var/log/crowdsec.log <==
time="10-04-2022 03:38:12" level=warning msg="client 172.18.0.4 disconnected : write tcp 10.0.0.61:8080->172.18.0.4:36316: write: broken pipe"

==> /var/log/crowdsec_api.log <==
time="10-04-2022 03:38:12" level=info msg="172.18.0.4 - [Sun, 10 Apr 2022 03:38:12 MDT] \"GET /v1/decisions/stream?startup=true HTTP/1.1 200 465.955202ms \"crowdsec-openresty-bouncer/v0.1.10\" \""

So the bouncer is sending the startup request to LAPI but the connection is broken. Is it something to do with the ngx.timer? I don't know Lua but I tried to do some debugging. I added some debugging lines just to make sure the IP is correct and so is the request to LAPI. All seems well; it's just that this TCP connection seems to break as soon as the request is sent off?

cscli bouncers list shows that the openresty bouncer is 'updating' every X seconds but it never gets past sending the first startup=true query. How can I help debug this further?

The cs instance initializes, the config file parses and it makes a request to the LAPI, so I am assuming it's installed correctly.

baudneo commented 2 years ago

I will add some additional info.

Inside the container

/etc/nginx/conf.d/crowdsec_openresty.conf

# Search path for `require`; ";;" appends OpenResty's default path
lua_package_path '/etc/nginx/lualib/plugins/crowdsec/?.lua;;';
# Shared memory zone used as the decision cache
lua_shared_dict crowdsec_cache 50m;
# CA bundle used to verify TLS peers from Lua cosockets
lua_ssl_trusted_certificate /etc/ssl/certs/GTS_Root_R1.pem;

# Runs once when the master process starts: load the bouncer config
init_by_lua_block {
        cs = require "crowdsec"
        local ok, err = cs.init("/data/crowdsec/crowdsec-openresty-bouncer.conf", "crowdsec-openresty-bouncer/v0.1.10")
        if ok == nil then
                ngx.log(ngx.ERR, "[Crowdsec] " .. err)
                error()
        end
        if ok == "Disabled" then
                ngx.log(ngx.ALERT, "[Crowdsec] Bouncer Disabled")
        else
                ngx.log(ngx.ALERT, "[Crowdsec] Initialisation done")
        end
}

# Runs on every request: check the client IP against the decisions
access_by_lua_block {
        local cs = require "crowdsec"
        cs.Allow(ngx.var.remote_addr)
}

Things tried to resolve

I have not been able to track down what the issue is. When I turn debug level logging on for crowdsec.log the parsers drown it out. I will keep grepping and searching the logs for clues. Since crowdsec is reporting the broken pipe I am assuming it is the openresty/lua bouncer that is closing the request? It never gets past sending startup=true while in STREAM mode.

baudneo commented 2 years ago

I had installed the lua-resty-http plugin as well, which caused all the errors I found. Everything is working as it should be now that that plugin is removed.
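The resolution above came down to a second copy of a Lua module sitting on the search path. The script below is an added diagnostic, not part of this thread or of the bouncer project: it expands an nginx `lua_package_path` value the way `require` does (including the `;;` default-path marker) and lists every file a module name could resolve to, so a duplicate or shadowing module shows up before it causes this kind of conflict. The directory layout it builds is constructed for the demonstration; the module name `resty.http` and the path entries are assumptions and do not describe how the bouncer itself loads its HTTP client.

```shell
#!/bin/sh
# Added example (not the bouncer's code): detect Lua modules that resolve
# to more than one file on an nginx lua_package_path.

# expand_path TEMPLATE DEFAULT_PATH
# Prints the ';'-separated template one entry per line, replacing ";;"
# with DEFAULT_PATH (the role OpenResty's built-in default path plays).
expand_path() {
    printf '%s\n' "$1" | sed "s|;;|;$2;|g" | tr ';' '\n' | sed '/^$/d'
}

# resolve_module MODULE TEMPLATE DEFAULT_PATH
# Prints every existing file that `require "MODULE"` could match, in
# search order. Lua itself stops at the first hit; later ones are shadowed.
resolve_module() {
    mod=$(printf '%s' "$1" | tr '.' '/')
    expand_path "$2" "$3" | while IFS= read -r entry; do
        file=$(printf '%s' "$entry" | sed "s|?|$mod|g")
        if [ -f "$file" ]; then
            printf '%s\n' "$file"
        fi
    done
}

# count_matches MODULE TEMPLATE DEFAULT_PATH
# Number of matching files; anything above 1 means a duplicate module.
count_matches() {
    resolve_module "$1" "$2" "$3" | wc -l | tr -d ' '
}

# make_demo_tree DIR
# Constructed layout: the same module name present in two search-path
# directories, mimicking a bundled copy plus a separately installed one.
make_demo_tree() {
    mkdir -p "$1/a/resty" "$1/b/resty"
    echo 'return { copy = "a" }' > "$1/a/resty/http.lua"
    echo 'return { copy = "b" }' > "$1/b/resty/http.lua"
}

# report: build the demo tree, run the check, print the verdict
report() {
    root=$(mktemp -d)
    make_demo_tree "$root"
    template="$root/a/?.lua;;"
    default="$root/b/?.lua"
    n=$(count_matches resty.http "$template" "$default")
    echo "resty.http resolves to $n file(s):"
    resolve_module resty.http "$template" "$default"
    if [ "$n" -gt 1 ]; then
        echo "WARNING: duplicate module; only the first copy is loaded"
    fi
    rm -rf "$root"
}

report
```

Run it against a real container by replacing the demo template with the `lua_package_path` value from the nginx config and the default path with the lualib directories of the OpenResty build; any module reported more than once is a candidate for the kind of conflict seen in this issue.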