CrowdSec NGINX Bouncer internal server error
After upgrading from 1.0.9 to 1.1.0 I started getting intermittent http 500 errors. The bouncer worked fine for a few hours until I started to get intermittent notification that some of my services were down (with an http 500 error code).
I've downgraded to 1.0.8 in the meantime
23 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
Hey,
Could you maybe try to run nginx with debug enabled for the error log ?
It will log how many timers are existing before creating new one.
If you cannot run in debug mode, you can also try to edit
/usr/lib/crowdsec/lua/crowdsec.lua and replace the ngx.DEBUG by ngx.INFO line 298 (this will log every UPDATE_FREQUENCY seconds)That will take a while for me to do and really clutter up my logs. Just FYI I'm using stream mode with
UPDATE_FREQUENCY set to 2
I'll report back once I reproduced and have the logsok, no worries, I'll try to see if I can reproduce
how many workers do you run ?
in theory, the max number of timer active at any time should be
2 * workers countmine is set to auto, the VM has 4 CPU cores assigned to it.
ok so 4 workers
by default, the lua module allows up to 1024 pending timers
and 256 running
if you look at
/var/log/crowdsec_api.log, do you see requests to /decisions/stream that take more than 2 seconds ?No, but I've noticed that the requests are around 200ms for each request for both versions
and how many requests per second does nginx receive ?
(on average, and burst if you know)
not a whole lot, its a very low traffic site. sometimes the only visitors are bots.
ok
nothing weird happened before the error occurred ?
No error in the logs or something ?
nope everything was working fine
just to be sure, is
lua_max_pending_timers set anywhere in your nginx config ?no
I've upgraded back to 1.1.0 and I've noticed the pending timers are slowly ticking up (It's been about 20 or so minutes)
pending timers: 15Not sure if this is an issue, but I'll keep my eye on it.
I saw them rising on my test machine as well, but it was going up and down
It has been running for a few days, and I'm at 6 currently
mine is at 892 now 100% my issue
Which nginx version are you running / which lua module version ?
OS: Ubuntu 24.04
Nginx Version: 1.24.0
Nginx Modules:
* libModSecurity3 3.0.14
* Brotli
* Lua > 1:0.10.26-2
* NDK > 1:0.3.3-1build1
* http-headers-more-filter > 1:0.37-2build1
fyi I downgraded to 1.0.8 since it's obvious stuff's about to break. I can go back to 1.1.0 if you need me to test something.
We have a PR (https://github.com/crowdsecurity/lua-cs-bouncer/pull/105 and https://github.com/crowdsecurity/cs-nginx-bouncer/pull/76) that will change the way the timer are creating, simplifying the code and avoiding trying to do it each time we receive a request, so in theory it should fix the number of timers to 2*worker count
(I haven't tested it yet, and the tests seem broken, but I will let you know once we managed to test it in depth/released a new version)
GitHub
feat: call SetupStream and SetupMetrics from nginx configuration by...
call SetupStream and SetupMetrics from nginx configuration
Hey @GNU Plus Windows User
We have released a new RC of the bouncer that will start the timers during nginx startup, which should hopefully fix your issue.
If you want to try it, go ahead and let us know if it seems to be better
Are all the files in the
t directory tests? I can't find them in my local installyes
Just upgraded to the release candidate, nothing's caught on fire so far.
I think the issue is fixed now
I'll report back if something breaks
great, thanks for the feedback