f5devcentral / f5-waf-policy-editor

Apache License 2.0

Unable to add IP Address to allow list - Whitelist IPs section #42

Closed shubhammishra9 closed 2 years ago

shubhammishra9 commented 3 years ago

Observed the error message "ipMask is not compatible with ipAddress" while adding an IP address and IP mask in the Whitelist IPs section.

Applied policy

viol1

Error Message:

Oct 07 13:33:32 ip-172-31-28-230.ap-south-1.compute.internal nginx[2884]: {
Oct 07 13:33:32 ip-172-31-28-230.ap-south-1.compute.internal nginx[2884]: "completed_successfully" : false,
Oct 07 13:33:32 ip-172-31-28-230.ap-south-1.compute.internal nginx[2884]: "error_message" : "Failed to import Policy 'myPolicy' from '/etc/app_protect/conf/waf-1633516938513.json': Could not add the Allowlist IP Address '192.168.0.1/24'. ipMask is not compatible with ipAddress",
Oct 07 13:33:32 ip-172-31-28-230.ap-south-1.compute.internal nginx[2884]: "error_line_number" : 24
Oct 07 13:33:32 ip-172-31-28-230.ap-south-1.compute.internal nginx[2884]: }
Oct 07 13:33:32 ip-172-31-28-230.ap-south-1.compute.internal nginx[2884]: nginx: [error] APP_PROTECT { "event": "configuration_load_failure", "software_version": "3.639.0", "error_message":"Failed to import Policy 'myPolicy' from '/etc/app_protect/conf/waf-1633516938513.json': Could not add the Allowlist IP Address '192.168.0.1/24'. ipMask is not compatible with ipAddress","completed_success
Oct 07 13:33:32 ip-172-31-28-230.ap-south-1.compute.internal systemd[1]: nginx.service: control process exited, code=exited status=1
Oct 07 13:33:32 ip-172-31-28-230.ap-south-1.compute.internal systemd[1]: Failed to start NGINX Plus - high performance web server.

yoctoserge commented 3 years ago

Yes, this is confusing, but the schema specifies that mask should also be in IpV4 format. Like: 255.255.255.0.

shubhammishra9 commented 3 years ago

@yoctoserge, tried the way you suggested, but even then still unable to bring up the nginx service. Error message: "ipAddress and ipMask combination is not valid"

Applied Policy: m5

Error Message:

Oct 13 06:23:13 ip-172-31-28-230.ap-south-1.compute.internal nginx[5516]: "completed_successfully" : false,
Oct 13 06:23:13 ip-172-31-28-230.ap-south-1.compute.internal nginx[5516]: "error_message" : "Failed to import Policy 'policy_name' from '/etc/app_protect/conf/waf-1633516938513.json': Could not add the Allowlist IP Address '192.168.1.1/255.255.255.0'. ipAddress and ipMask combination is not valid",
Oct 13 06:23:13 ip-172-31-28-230.ap-south-1.compute.internal nginx[5516]: "error_line_number" : 24
Oct 13 06:23:13 ip-172-31-28-230.ap-south-1.compute.internal nginx[5516]: }
Oct 13 06:23:13 ip-172-31-28-230.ap-south-1.compute.internal nginx[5516]: nginx: [error] APP_PROTECT { "event": "configuration_load_failure", "software_version": "3.639.0", "error_message":"Failed to import Policy 'policy_name' from '/etc/app_protect/conf/waf-1633516938513.json': Could not add the Allowlist IP Address '192.168.1.1/255.255.255.0'. ipAddress and ipMask combination is not valid","completed_successfully":false,"error_line_number":24}
Oct 13 06:23:13 ip-172-31-28-230.ap-south-1.compute.internal systemd[1]: nginx.service: control process exited, code=exited status=1
Oct 13 06:23:13 ip-172-31-28-230.ap-south-1.compute.internal systemd[1]: Failed to start NGINX Plus - high performance web server.

yoctoserge commented 3 years ago

Samples from the doc (https://docs.nginx.com/nginx-app-protect/configuration/): [image]

shubhammishra9 commented 3 years ago

@yoctoserge, observed that if any of the contiguous octets has a value > 0 it needs to be masked, or the entire IP itself needs to be masked; only then does the nginx service become active without an error message.

Valid examples for whitelist-ip:
- ip - 172.16.0.0, mask - 255.255.0.0
- ip - 172.16.23.233, mask - 255.255.255.255

Invalid examples for whitelist-ip:
- ip - 172.16.0.1, mask - 255.255.0.0
- ip - 10.10.10.10, mask - 255.0.0.0

Need your inputs on the above observations.

464d41 commented 3 years ago

@shubhammishra9 In this case the network address should be used.
- ip - 172.16.0.0, mask - 255.255.0.0: valid network address containing 2^16 IPs
- ip - 172.16.23.233, mask - 255.255.255.255: valid network address containing 1 IP
- ip - 172.16.0.1, mask - 255.255.0.0: it is an IP address out of the 172.16.0.0/255.255.255.0 network. In order to block a single IP, mask 255.255.255.255 should be used. See above.
- ip - 10.10.10.10, mask - 255.0.0.0: same as above.
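The two rejections in this thread come from the same pair of rules: ipMask has to be a dotted-decimal netmask rather than a CIDR prefix length, and the ipAddress/ipMask pair has to name a network (host bits zero) or a single host with mask 255.255.255.255. The checker below is an added example, not code from f5-waf-policy-editor or from any participant in the thread; it reproduces both checks ahead of reloading NGINX and derives a valid pair from CIDR notation. It assumes the policy JSON keeps allowlist entries under policy["whitelist-ips"] with the keys "ipAddress" and "ipMask", the names that appear in the error messages above.

```python
# Added example (not code from f5-waf-policy-editor or from the thread): a checker
# for NGINX App Protect allowlist entries that reproduces the two rejections seen
# above and shows how to derive a valid ipAddress/ipMask pair from CIDR notation.
# Assumption: policy JSON carries entries under policy["whitelist-ips"] with the
# keys "ipAddress" and "ipMask" (the names used in the error messages above).
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class AllowlistEntry:
    ip_address: str
    ip_mask: str


def _dotted_to_int(text: str) -> int:
    """Parse strict dotted-decimal IPv4 ("a.b.c.d"); anything else (e.g. "24") is rejected."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r} is not dotted-decimal IPv4")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"{text!r} has an octet outside 0..255")
        value = (value << 8) | int(part)
    return value


def _int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def check_entry(ip_address: str, ip_mask: str) -> list[str]:
    """Return the problems with one ipAddress/ipMask pair; an empty list means the pair is valid."""
    try:
        addr = _dotted_to_int(ip_address)
    except ValueError as exc:
        return [f"ipAddress: {exc}"]
    try:
        mask = _dotted_to_int(ip_mask)
    except ValueError as exc:
        # A CIDR prefix length ("24") in ipMask is what triggers
        # "ipMask is not compatible with ipAddress" in the first log above.
        return [f"ipMask is not compatible with ipAddress: {exc}"]
    # A netmask must be a run of 1-bits followed by 0-bits (255.0.255.0 is not a netmask).
    if ((mask | (mask - 1)) & ALL_ONES) != ALL_ONES:
        return [f"ipMask {ip_mask} is not a contiguous netmask"]
    # Host bits must be zero: the pair has to name a network, not a host inside it.
    if addr & ~mask & ALL_ONES:
        return [
            "ipAddress and ipMask combination is not valid: host bits set; "
            f"use ipAddress {_int_to_dotted(addr & mask)} for the whole network "
            "or ipMask 255.255.255.255 for this single host"
        ]
    return []


def entry_from_cidr(cidr: str) -> AllowlistEntry:
    """Convert "192.168.0.1/24" into the (network address, dotted mask) pair the policy expects.

    strict=False zeroes the host bits, so "192.168.0.1/24" becomes 192.168.0.0/255.255.255.0;
    a single host must be written with /32 to keep its host bits.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    return AllowlistEntry(str(net.network_address), str(net.netmask))


def check_policy(policy: dict) -> dict[str, list[str]]:
    """Check every allowlist entry of a policy document; returns {"addr/mask": [problems]}."""
    findings: dict[str, list[str]] = {}
    for entry in policy.get("policy", {}).get("whitelist-ips", []):
        ip_address = str(entry.get("ipAddress", ""))
        ip_mask = str(entry.get("ipMask", ""))
        problems = check_entry(ip_address, ip_mask)
        if problems:
            findings[f"{ip_address}/{ip_mask}"] = problems
    return findings


if __name__ == "__main__":
    # Constructed sample policy mirroring the pairs discussed in the thread.
    sample_policy = {
        "policy": {
            "name": "myPolicy",
            "whitelist-ips": [
                {"ipAddress": "172.16.0.0", "ipMask": "255.255.0.0"},        # valid network
                {"ipAddress": "172.16.23.233", "ipMask": "255.255.255.255"},  # valid single host
                {"ipAddress": "172.16.0.1", "ipMask": "255.255.0.0"},        # host bits set
                {"ipAddress": "10.10.10.10", "ipMask": "255.0.0.0"},         # host bits set
                {"ipAddress": "192.168.0.1", "ipMask": "24"},                # CIDR length, not a mask
            ],
        }
    }
    for key, problems in check_policy(sample_policy).items():
        print(key, "->", "; ".join(problems))
    print(entry_from_cidr("192.168.0.1/24"))
```

Running the checker over a policy before `nginx -t` or a service restart turns the opaque "combination is not valid" failure into a message that names the network address to use; note that silently zeroing host bits (what entry_from_cidr does with strict=False) widens an allowlist entry from one host to a whole network, so an operator who meant a single host should be told to write /32 rather than have the tool pick for them.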