502 bad gateway

[raffus]

Hi there, After installing this script, my NGINX is returning HTTP 502 BAD GATEWAY for all honey's URLs. Any idea? Thanks

[raffus]

After digging a while, I've noticed that the fastcgi_pass was pointing to another folder different than the one used on ubuntu 22.

Default value: fastcgi_pass unix:/run/fcgiwrap/fcgiwrap-nginx.sock;

Ubuntu22 value: fastcgi_pass unix:/run/fcgiwrap.socket;

Even after the adjustments, I'm still getting HTTP 502 error, but with some differences.

Before adjustments, the output was

<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>

After the adjustments, only the TEXT message (without HTTP syntax): 502 Bad Gateway

Any idea? Thanks

[raffus]

Also, according to the documentation here (https://github.com/dvershinin/nginx-honeypot/blob/main/honeypot/handler.conf), the handler calls for a CGI file which is not part of the project: fastcgi_param SCRIPT_FILENAME /usr/local/libexec/block-ip.cgi; This file does not exists. I've created one:

echo "Status: 410 Gone"
echo "Content-type: text/plain"
echo "Connection: close"
echo

echo "Bye bye, $REMOTE_ADDR!"
sudo /usr/local/sbin/block-ip.sh

exit 0

In my case I moved the SH script to /usr/local/sbin but this is not the issue.

Any tip?

[dvershinin]

@raffus Since you're trying it on Ubuntu, I am sure you will need to address a lot of different things. The article and this repository only assume the use of RPM-based distros like RHEL. I'll make notes of it in the README.

As to what you might have to address is that e.g.:

• systemctl start fcgiwrap@nginx.socket on RHEL and similar distros uses a parametrized fcgiwrap service that will run a unit with the nginx user, ensuring that NGINX web server user can communicate with the fcgiwrap instance. In Ubuntu you probably have NGINX running under www-data (at least that's what I remember), so you will try a fcgiwrap@www-data or similar (first, check what actual UNIX user your NGINX runs with, then run the appropriate fcgiwrap service
• you need to create IP sets beforehand, using ipset or a wrapper as in firewall-cmd in RHEL, but on Ubuntu

The 502 error in NGINX means that either the socket file is incorrect or NGINX can't communicate with it. Check the socket existence via file /path/to/socket and stat /path/to/socket should report that the socket file is owned by the same user as your NGINX is running with.

[raffus]

Hi there, I've got it working after adding header references to bash script on block-ip.cgi. So in my case, file was changed to this:

#!/bin/bash
echo "Content-type: text/plain"
echo "Status: 410 Gone"
echo "Connection: close"
echo

echo "Bye bye, $REMOTE_ADDR!"
sudo /usr/local/sbin/block-ip.sh

exit 0

After that, it worked!

Cheers.