[SWAG - Crowdsec Docker mod] 500 Internal Server Error with recaptcha #772
Comments
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions. |
Wonder why this is closed as this is still an ongoing issue. |
I can confirm the issue and this must be related to http2 support. |
I've got the same error. I'm using turnstile.
Anything I could do? |
It seems they have added a check to see if the http2 request has a content length, and then accept the request: https://github.com/openresty/lua-nginx-module/pull/2237/files I don't know which lua version swag is compiled with, but if it becomes latest it should become supported for valid http requests with content length headers |
These are the version details for the latest SWAG container:
|
I was about to answer but you were faster @alleyu2 Latest NGINX version is 1.25.3 and contains many fixes for HTTP/2 and HTTP/3: https://nginx.org/en/CHANGES |
We install from the alpine repo |
I am still getting the error on latest SWAG:
|
Yes, alpine edge and 3.19 have not been updated to latest, and linuxserver uses 3.18 as base, so one library has been updated; we still need to wait for the base image to be updated, which I know is planned |
We won't get nginx 1.25 until at least Alpine 3.20, but we should be able to get the lua mod for 1.24 backported to 3.19 once edge is updated. |
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions. |
Hi @thespad. Based on this "https://pkgs.alpinelinux.org/package/edge/main/x86_64/nginx-mod-http-lua", is lua updated to version v0.10.26 in alpine edge? If yes, can we backport it for SWAG? |
Issue not closed |
I contacted the maintainer, and he said he will backport |
You can track the commits here https://git.alpinelinux.org/aports/log/main/nginx?h=3.19-stable This is the commit for Edge that bumped it to 0.10.26 a couple of weeks ago https://git.alpinelinux.org/aports/commit/main/nginx?id=239a9ba729dc42dbe264e33816f880d89cdd5398
-_add_module "http-lua" "v0.10.25" "https://github.com/openresty/lua-nginx-module" "" "$_has_luajit"
+_add_module "http-lua" "v0.10.26" "https://github.com/openresty/lua-nginx-module" "" "$_has_luajit" |
Watching this closely as http2 is still broken in latest SWAG + Crowdsec |
This is a broad statement; I believe only captcha is broken in crowdsec. Suggest reading the OP, which explains it quite well. To be clear, this is not something we can or will fix. Once alpine backports the lua module, things will just work. |
I think it's Captcha and Appsec since both have dependency on lua module. |
Commented as I read the OP and have the exact same issue ;) . Wouldn't have commented except this clearly broke with an update to SWAG, as my configs have not changed, assuming a dependency bump caused it. Surprised this isn't a broader issue, but maybe not many people use SWAG with CS. Edit: Removing swag-crowdsec will fix this until it's officially resolved; you don't need to remove anything else. |
ignoring captcha, you can also set |
Awesome! Yes can confirm this works. |
Just to add an FYI: if you are NOT using captcha remediation anymore, please remove the configuration for it via the bouncer config. By design, because the CrowdSec lua acts as a MITM, we have to check all requests if captcha is configured, and this may inadvertently cause this stack trace from version |
Is there a way we can see when this plugin updates? Just trying to keep tabs on when I can remove |
You can monitor here https://pkgs.alpinelinux.org/packages?name=nginx-mod-http-lua&branch=v3.19&repo=&arch=&maintainer= I'm sure alpine also has changelogs... but this MOD itself won't show anything different. You have to track alpine. |
I don't know if it has been updated yet, but SWAG was based on alpine 3.18 so the packages need to be backported that far I believe |
Yeah, we bumped to 3.19 at the end of January https://github.com/linuxserver/docker-swag?tab=readme-ov-file#versions |
FYI, it seems the http2 content header fix broke a lot of things, so they have reverted it back to the original: it is not supported -> openresty/lua-nginx-module@e0d19f7 I think they are reaching the limitations of what lua can provide to Nginx, so I don't know what to suggest, as if the dependency can't do it then neither can we. So moving forward the official line from CrowdSec is: if you want to use Captcha or AppSec component within Nginx then your webserver must not use http2 or higher. Simply put... it's out of our hands, we have no control over it. |
I'll look at adding something to that effect to the mod readme. |
I can close this ticket as it has reached a dead-end. Is there any alternative solution to get appsec or recaptcha working with nginx, or do we move on to another webserver to get these functionalities working in crowdsec? |
If you are expecting an up-to-date reverse proxy to use http/1, I don't think you'll find it. However, this is nginx, just remove all the http2 refs... nothing magical here. Honestly, I couldn't tell what your plan was anyway; it's never been our issue, never will be our issue, we were never going to do anything about it... and you closed/reopened this like 7 times anyway :p |
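The "remove all the http2 refs" workaround, as an added example that is not code from this thread, from SWAG or from the crowdsec bouncer. It works on a constructed server block written in the style of a SWAG proxy-conf (the paths and names in it are illustrative assumptions, not SWAG's real files) and handles both ways nginx can enable HTTP/2: the legacy `listen ... http2;` parameter and the `http2 on;` directive added in nginx 1.25.1.

```python
"""Find and strip HTTP/2 from nginx server blocks.

Added example, not code from the issue thread, SWAG or the crowdsec bouncer.
The sample config is constructed in the style of a SWAG proxy-conf; its paths
and names are assumptions. Both HTTP/2 forms are shown in one block only so
that both rewrites can be demonstrated; a real config uses one or the other.
"""
import re

# Constructed sample config; not copied from SWAG.
SAMPLE_CONF = """\
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    http2 on;
    server_name app.*;
    include /config/nginx/ssl.conf;

    location / {
        include /config/nginx/proxy.conf;
        set $upstream_app app;
        set $upstream_port 8080;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
"""

# 'listen <params> http2 <more params>;' -> drop just the http2 token,
# keeping every other listen parameter (ssl, default_server, ...) in place.
LISTEN_HTTP2 = re.compile(r'^([ \t]*listen\b[^;]*?)[ \t]+http2\b([^;]*;)', re.MULTILINE)
# Whole-line 'http2 on;' directive (nginx >= 1.25.1). Removing the line rather
# than rewriting it to 'http2 off;' is also safe on nginx 1.24, where the
# directive does not exist and would fail 'nginx -t'.
HTTP2_DIRECTIVE = re.compile(r'^[ \t]*http2[ \t]+on[ \t]*;[ \t]*\n?', re.MULTILINE)


def find_http2_refs(conf):
    """Return (line_number, stripped_line) for every line that enables HTTP/2."""
    refs = []
    for n, line in enumerate(conf.splitlines(), 1):
        if LISTEN_HTTP2.match(line) or HTTP2_DIRECTIVE.match(line):
            refs.append((n, line.strip()))
    return refs


def disable_http2(conf):
    """Return conf with HTTP/2 disabled; all other text is left intact."""
    conf = LISTEN_HTTP2.sub(r'\1\2', conf)
    return HTTP2_DIRECTIVE.sub('', conf)


if __name__ == "__main__":
    for n, line in find_http2_refs(SAMPLE_CONF):
        print(f"line {n}: {line}")
    print(disable_http2(SAMPLE_CONF))
```

Run `find_http2_refs` over every file in the proxy-confs and site-confs directories before and after the rewrite, then `nginx -t` inside the container; the check after the rewrite should return an empty list for every file, otherwise the bouncer's `read_body` path can still be reached over HTTP/2.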
Just a further investigation: it seems they have now removed the restriction completely, meaning in theory if you are using the master (or soon to be released version) it will now start working again. However, it's important to read the note they added: "Note: This method will block while waiting for client request body to be fully received. Block time depends on the client_body_timeout directive and maximum body size specified by the client_max_body_size directive. If read timeout occurs or client body size exceeds the defined limit, this function will not return and" So if you are using http2/3 and the client does send a body without a content-length, then you may start getting the above status codes as a response to our middleware |
Blocking for 60 seconds per request seems like a great way to create a denial of service. |
Exactly, that's why I said it's important to read the note 😆 |
I am using the crowdsec docker mod and it works perfectly with the "ban" remediation. However, when using "captcha" remediation, I get an error "500 Internal Server Error". When I use incognito mode, the captcha works but when the captcha is successfully solved, I get the error "500 Internal Server Error". Here are my configs:
crowdsec-nginx-bouncer.conf:
profiles.yaml:
Nginx Error Log:
2023/10/11 13:49:37 [alert] 553#553: *10002 [lua] crowdsec.lua:542: Allow(): [Crowdsec] denied 'XXX' with 'captcha', client: XXX, server: request.*, request: "POST / HTTP/2.0", host: "XXX.duckdns.org", referrer: "https://XXX.duckdns.org/"
2023/10/11 13:49:40 [error] 553#553: *10002 lua entry thread aborted: runtime error: /usr/local/lua/crowdsec/crowdsec.lua:485: http2 requests are not supported yet
stack traceback:
coroutine 0:
    [C]: in function 'read_body'
    /usr/local/lua/crowdsec/crowdsec.lua:485: in function 'Allow'
    access_by_lua(http.d/crowdsec_nginx.conf:14):3: in main chunk, client: XXX, server: request.*, request: "GET /favicon.ico HTTP/2.0", host: "XXX.org", referrer: "https://XXX.duckdns.org/"
2023/10/11 13:49:43 [error] 553#553: *10002 lua entry thread aborted: runtime error: /usr/local/lua/crowdsec/crowdsec.lua:485: http2 requests are not supported yet
stack traceback:
coroutine 0:
    [C]: in function 'read_body'
    /usr/local/lua/crowdsec/crowdsec.lua:485: in function 'Allow'
    access_by_lua(http.d/crowdsec_nginx.conf:14):3: in main chunk, client: XXX, server: request.*, request: "POST / HTTP/2.0", host: "XXX.duckdns.org", referrer: "https://XXX.duckdns.org/"
2023/10/11 13:49:43 [error] 553#553: *10002 lua entry thread aborted: runtime error: /usr/local/lua/crowdsec/crowdsec.lua:485: http2 requests are not supported yet
stack traceback:
coroutine 0:
    [C]: in function 'read_body'
    /usr/local/lua/crowdsec/crowdsec.lua:485: in function 'Allow'
    access_by_lua(http.d/crowdsec_nginx.conf:14):3: in main chunk, client: XXX, server: request.*, request: "GET /favicon.ico HTTP/2.0", host: "XXX.duckdns.org", referrer: "https://XXX.duckdns.org/"
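A triage script for the error-log pattern above, as an added example that is not part of the original post, of SWAG or of the crowdsec bouncer. nginx writes a lua traceback as continuation lines without a timestamp, so the parser first regroups lines into entries, then pulls out the connection id, request line and HTTP version, and reports which connections hit the `http2 requests are not supported yet` abort after a `captcha` decision. The sample log is constructed from the format of the post's log; the client IPs, hosts and the extra HTTP/1.1 `ban` entry are placeholders I added for contrast.

```python
"""Triage nginx error-log entries for the CrowdSec lua HTTP/2 body-read abort.

Added example; not code from the issue thread, SWAG or the crowdsec bouncer.
SAMPLE_LOG is constructed after the format of the original post's log; the
addresses, hostnames and the trailing HTTP/1.1 entry are placeholders.
"""
import re
from collections import Counter

# Constructed sample log (placeholders, not real traffic).
SAMPLE_LOG = """\
2023/10/11 13:49:37 [alert] 553#553: *10002 [lua] crowdsec.lua:542: Allow(): [Crowdsec] denied '203.0.113.5' with 'captcha', client: 203.0.113.5, server: request.*, request: "POST / HTTP/2.0", host: "app.example.duckdns.org", referrer: "https://app.example.duckdns.org/"
2023/10/11 13:49:40 [error] 553#553: *10002 lua entry thread aborted: runtime error: /usr/local/lua/crowdsec/crowdsec.lua:485: http2 requests are not supported yet
stack traceback:
coroutine 0:
\t[C]: in function 'read_body'
\t/usr/local/lua/crowdsec/crowdsec.lua:485: in function 'Allow'
\taccess_by_lua(http.d/crowdsec_nginx.conf:14):3: in main chunk, client: 203.0.113.5, server: request.*, request: "GET /favicon.ico HTTP/2.0", host: "app.example.duckdns.org", referrer: "https://app.example.duckdns.org/"
2023/10/11 13:49:43 [error] 553#553: *10002 lua entry thread aborted: runtime error: /usr/local/lua/crowdsec/crowdsec.lua:485: http2 requests are not supported yet
stack traceback:
coroutine 0:
\t[C]: in function 'read_body'
\t/usr/local/lua/crowdsec/crowdsec.lua:485: in function 'Allow'
\taccess_by_lua(http.d/crowdsec_nginx.conf:14):3: in main chunk, client: 203.0.113.5, server: request.*, request: "POST / HTTP/2.0", host: "app.example.duckdns.org", referrer: "https://app.example.duckdns.org/"
2023/10/11 13:50:01 [alert] 553#553: *10010 [lua] crowdsec.lua:542: Allow(): [Crowdsec] denied '198.51.100.7' with 'ban', client: 198.51.100.7, server: request.*, request: "GET / HTTP/1.1", host: "app.example.duckdns.org"
"""

# "<date> <time> [level] <pid>#<tid>: *<conn> <message>"; the *conn part is optional
# because not every nginx error entry belongs to a connection.
ENTRY_START = re.compile(
    r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] \d+#\d+:(?: \*(\d+))? (.*)$')
REQUEST = re.compile(r'request: "(\S+) (\S+) (HTTP/[\d.]+)"')
DENIED = re.compile(r"\[Crowdsec\] denied '([^']+)' with '(\w+)'")
HTTP2_ABORT = "http2 requests are not supported yet"


def parse_entries(text):
    """Group lines into entries; a line without a timestamp continues the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append({"time": m.group(1), "level": m.group(2),
                            "conn": int(m.group(3)) if m.group(3) else None,
                            "body": m.group(4)})
        elif entries:
            entries[-1]["body"] += "\n" + line  # traceback continuation line
    for e in entries:
        req = REQUEST.search(e["body"])
        e["method"], e["path"], e["proto"] = req.groups() if req else (None, None, None)
        den = DENIED.search(e["body"])
        e["remediation"] = den.group(2) if den else None
        e["http2_abort"] = HTTP2_ABORT in e["body"]
    return entries


def triage(text):
    """Aborts per HTTP version, plus connections where a captcha decision preceded an abort."""
    entries = parse_entries(text)
    aborts_by_proto = Counter(e["proto"] for e in entries if e["http2_abort"])
    seen_captcha, affected = set(), []
    for e in entries:
        if e["remediation"] == "captcha":
            seen_captcha.add(e["conn"])
        elif e["http2_abort"] and e["conn"] in seen_captcha and e["conn"] not in affected:
            affected.append(e["conn"])
    return {"entries": len(entries),
            "aborts_by_proto": dict(aborts_by_proto),
            "captcha_then_abort": affected}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Feed it the container's real error log (`/config/log/nginx/error.log` in SWAG, an assumption about the default path) instead of `SAMPLE_LOG`. If every abort is on `HTTP/2.0` and the affected connections all carry a prior `captcha` decision, the 500s are this issue and not a broken bouncer config; aborts on `HTTP/1.1` would point somewhere else.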