CloudPanel Dependency Issue: Lua Module for CrowdSec Nginx remediation component Installation
Hi everyone,
I'm encountering a dependency issue while trying to install CrowdSec with its Nginx Lua remediation component. When I run:
sudo apt install nginx lua5.1 libnginx-mod-http-lua luarocks gettext-base lua-cjson
I get the following error:
libnginx-mod-http-lua : Depends: nginx-abi-1.24.0-1
E: Unable to correct problems, you have held broken packages.
It appears that the installed Nginx version (1.26.3-2+clp-noble) doesn't match the required nginx ABI (nginx-abi-1.24.0-1) for the Lua module. I've tried checking for held packages and reviewing my repositories, but I haven't found a clear solution yet.
Has anyone experienced this issue or have suggestions on how to resolve this dependency conflict? Any help is appreciated!
Thanks in advance!
45 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
Your cloudplanel version
And your os version?
The answer depends on this
CloudPanel: v2.5.1
OS: Ubuntu 24.04.2 LTS
Thank you!
it will not work with ubuntu 24.04
pagespeed plugin causes issues
You can use Crowdsec with 24.04 and Cloudpanel without the nginx bouncer
Thanks for your response!
I have already installed CrowdSec Security engine and I'm using iptables as the remediation component. My goal now is to install the AppSec (WAF) component following this guide:
🔗 https://doc.crowdsec.net/docs/next/appsec/quickstart/nginxopenresty
Would there be any alternatives or solutions to get it installed on my setup? Any advice would be greatly appreciated!
Nginx / OpenResty | CrowdSec
Objectives
You will have to use 22.04 os with cloudplanel
It works perfectly
I followed the advice and installed CrowdSec Nginx Bouncer on Ubuntu 22.04 instead of 24.04. The installation completed successfully, but I am now facing a new issue:
The crowdsec-nginx-bouncer service does not start.
I have followed this documentation: https://doc.crowdsec.net/u/bouncers/nginx
the output of cscli metrics
the nginx bouncer is not a service, but simply a configuration file for nginx placed in
/etc/nginx/conf.d/
so as long as the nginx configuration is informed to load this directory it should load. The bouncer configuration itself is within /etc/crowdsec/bouncers/Ok, thank you. I checked the configuration file in /etc/nginx/conf.d/, and it seems fine.
Could the issue be in the main Nginx configuration file? How can I check?
It depends on cloudpanel loads the configuration, if i remember there 2 nginx process that runs one for clp and another for admin dashboard.
You will have to find which one is for client sites and ensure the configuration is set to load them.
/etc/nginx is for the client
so i moved the conf file inside sites-enabled folder
But after restarting the nginx service i get this error:
not inside site folder
in
nginx.conf file towards the bottom you'll see a line that says include sites-enabled. Add a similar line but separately for the crowdsec file. before adding the file you need to restart the nginx.
its not arm right?yes it's arm...
is it not supported?
nope. i am sorry
i couldn't figure out why.
your road ends here
but in the documentation it says that arm is supported
or i miss something?
anyway thanks for the support.
so the crowdsec-nginx-bouncer is not supported on arm, right?
crowdsec-firewall-bouncer-iptables is working
its cloudpanel the problem
not crowdsec
its dependencies clash with lua.
i have spent too many nights to get it solved
and cloudpanel is closed source to i can't do much.
x86_64 works for sure on 22.04 clp
can you maybe try to install
luajit then restart nginx ?
(be careful, I don't know what impact this can have if you have other things depending on lua).dosent work
Got it. Thank you so much for your help and for sharing your experience! I really appreciate it.
it only works on 22.04 x86_64.
i hope developer looks into it. clp has more than 12k users on cord
I've already tried installing it with apt install luajit, but it still doesn't work.
telling you not worth spending more time. straight 2 weeks i tried with all permutation combinations.
FYI, i just tested the bouncer on ubuntu 24.04 on ARM, and I had no issue at all
I've never used cloudpanel, does it ship by default with LUA ?
no no, its not the crowdsec at all
i have successfully deployed on most of the os.
its how cloudpanel have packaged nginx and its dep
does it ship by default with LUA? nohence my question
does cloudpanel ship the lua nginx module ?
We know the bouncer works on a "clean" 24.04, and if cloudpanel does not ship lua (and assuming it's not a custom nginx version), in theory it should be easy to make it work
does cloudpanel ship the lua nginx module ? no
and there are various issues. so on 22.04 it comes with 1.25/24
so pagespeed module doesn't interfere somehow.
but on arm it dosent work
when it come to 24.04 it up to 1.26 and pagespeed module causes issues
all this on which clp versions remains the same.
https://forum.hhf.technology/t/comprehensive-guide-compiling-lua-nginx-module-with-nginx-1-26-2-cloudpanel-ubuntu-24-04/
i have tried with extracting deb packages also
with no luck
and developer is not keen in implementing any major changes
so i gave it up
my full-time mission is to integrate crowdsec to opensource and protect homelabs and developers. this one was very imp because a lot of small-time developers are using this platform
any ways.I'll try to setup a cloudpanel at some point, it really seems weird
especially if it works on x86
on 22.04 only
it dosent work on 24.04 on any
so 22.04 x86 is ok, but not ARM ? or does it work for any arch on 22.04 ?
so 22.04 x86 is ok, but not ARM ? correct
does it work for any arch on 22.04 ? not supported only arm and x86 are supported for clpthat doesn't make a lot of sense :/
the only native dep we have for the nginx bouncer is the lua ffi module, which AFAIK is part of the lua package itself
i know. let me know the results
Getting Started | CloudPanel | Documentation
Choose a favorite cloud platform or dedicated server and run CloudPanel in a few clicks.
https://d17k9fuiwb52nc.cloudfront.net deb packages if you want to extract and have a look
Sorry to ping you. Did you have a chance to look at this. 🙏
Hey @blotus , just following up on this — no rush at all, but I was curious if you had a chance to look into it when you get a moment 🙏
Appreciate any insight you might have!
if you have a working iptables remediation I see no point in additionally trying to install nginx component.
IPtables will drop the packets on the kernel level so it won't reach the application layer (in that case nginx).
So adding additional remediation on the app level in nginx is not really needed. Especially if it gets super complicated as you shown in previous posts 🙂
Hi, thanks a lot for your feedback!
I agree that iptables remediation is great for blocking bad traffic at the network layer, but it doesn’t replace what a Web Application Firewall (WAF) does. The nginx/appsec component of CrowdSec provides application-level protection, which is especially useful for blocking attacks like SQL injection, XSS, and other threats that can’t be stopped by iptables alone.
As the official documentation says, the AppSec Component offers:
-Low-effort virtual patching capabilities.
-Support for legacy ModSecurity rules.
-The ability to combine classic WAF benefits with advanced CrowdSec features for advanced behavior detection.
-Full integration with the CrowdSec software stack, including the console and other remediation components.
That’s why I’m interested in running the nginx/appsec module in addition to iptables, so I can benefit from both network-level and application-level security.
Of course, if I’m getting anything wrong or there’s something I’m missing, let me know!
The issue is when you using a "panel" that bundles custom builds of Nginx it hard for to us to just "bolt on" as it is up to maintainer of the panel to bundle the dependancies that we need. (even though lua package is widely used everywhere and they should include it by default)
I spoke to the cloudpanel dev ages ago which crowdsec was on the roadmap but I dont think much time has been invested as far as I can see from the ticket.
So the only thing would be checking their nginx bundled dependancies and then building a custom nginx binary on top that includes the lua packages.
or put an nginx server with a crowdsec as a proxy before the cloudpanel
I use traefik in front of clp. Much better
Hi! I'm curious about your setup — could you share a bit more about how you're using Traefik in front of CloudPanel?