Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enforcer nmap v5 crashes on startup with no active waf policy configured #6251

Open
anderius opened this issue Aug 20, 2024 · 4 comments
Open

Enforcer nmap v5 crashes on startup with no active waf policy configured #6251

anderius opened this issue Aug 20, 2024 · 4 comments

Comments

@anderius
Copy link

Describe the bug
Enforcer container fails to start without sites configured. NginxIC container also fails to start, waiting for the enforcer container.

To Reproduce
Deploy the Helm chart with Nginx App Protect V5 enabled, but no resources that uses the WAF. That is, no VirtualServer with apBundle.

Expected behavior
We expect the nginx ic and the enforcer container to start without errors, even when no virtualserver with WAF is deployed.

Your environment

  • Version of the Ingress Controller - 3.6.0, with Helm chart 1.3.0
  • Version of Kubernetes: 1.29.9
  • Kubernetes platform: AKS
  • Using NGINX Plus

Additional context
Log from the enforcer container:

│ setting memory control callbacks for XML                                                                                                                                           │
│ BD_MISC|CRIT  |Aug 13 13:16:22.079|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0198|failed to get manifest last modification time, err: No such fil │
│ Timeout detected while waiting for configuration. time since last config: 40 BD aborting                                                                                           │
│ BD_MISC|WARN  |Aug 13 13:16:22.080|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0199|Timeout detected while waiting for configuration. time since la │
│                                                                                                                                                                                    │
│ BD_MISC|ERR   |Aug 13 13:16:22.081|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0114|failed opening manifest out file. path=/opt/app_protect/bd_conf │
│ 2024/08/13 13:16:22 Execution failed: exit status 1
@github-actions GitHub Actions
Copy link

Hi @anderius thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

@janibashamd
Copy link

I'm also facing similar issue.

@AlexFenlon
Copy link
Contributor

Hi Folks, we are currently looking into this.

@shaun-nx
Copy link
Contributor

Hi folks @anderius @janibashamd
We've been in contact with the team that owns the development of this component of AppProtect v5. They are working on ensure the waf-enforcer wont crash in this scenario.

As soon as we have more info, we'll share it in this thread.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
NGINX Ingress Controller
Status: Todo ☑
Milestone
No milestone
Development

No branches or pull requests
4 participants
@anderius @janibashamd @AlexFenlon @shaun-nx