nginx bouncer: attempt to concatenate local 'ip_type' (a nil value)
I just noticed that my NGINX Bouncer has stopped contacting my LAPI for decisions and has stopped bouncing, I re-created the API token for the bouncer just in case it was a weird bug but that didn't fix it. I haven't changed my config in a while so that shouldn't be the issue.
I can see in NGINX's logs the Bouncer quits on startup and then never runs again.
Server Setup
Ubuntu 24.04
NGINX: 1.24.0
Bouncer Version: v1.1.3
34 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
Do you have any remeditions that dont follow types like "ip" or "range"
this where it returns nil which yeah we dont check for that value, which we should
https://github.com/crowdsecurity/lua-cs-bouncer/blob/7754a5aadfadc7e76940ff6f83f3c95fcb86052d/lib/plugins/crowdsec/utils.lua#L70-L73
GitHub
lua-cs-bouncer/lib/plugins/crowdsec/utils.lua at 7754a5aadfadc7e769...
Contribute to crowdsecurity/lua-cs-bouncer development by creating an account on GitHub.
Okay I see more now, it happens when the value is not an IP or maybe the ip function is somehow not handling it correctly
I'm importing some custom blocklists so it could be that, but all my decisions are either: ban, captcha, none
I mean the scope of the decisions we have
ip and range that are "first class" supported, but it can technically be any typealso I've been noticing a trend where the lua bouncers are very brittle
I do import some blocklists as an IP range, but other than that nothing special
Only way this can happen that I can think of is a decision with the scope
ip or range which does not contain a valid IP or range
but this should be prevented by crowdsec during import
would you mind dumping the full output of cscli decisions list --all ?well it's interesting that all my other bouncers work fine with this hypothetical issue
The lua is JIT but its never perfect cause there edge cases where in this case nil is returned but is not handled because lua doesnt have any typing system. We are improving the lua by using returned types but this case was missed.
Like with golang will warn us in the code editor that a nil type may be returned when lua doesnt care and wont inform us.
dm'd both of you
I get you, it's just frustrating dealing with issue after issue with bad logging
weird
I extracted the decisions and ran them through the lua parsing code, no errors
we merged well a "fix" as we couldnt replicate, but it at least will log some information and not crash
we are going to be testing, and then merge upstream into nginx / openresty bumps
is it this pr? https://github.com/crowdsecurity/lua-cs-bouncer/pull/127
GitHub
fix(stream): improve error handling in duration parsing by sabban ...
fix crowdsecurity/cs-nginx-bouncer#93
I applied this PR, but now I'm getting a different issue:
GitHub
Fix nil handling in utils.item_to_string calls by LaurenceJJones ·...
fix #128
Add nil checks and proper error handling for utils.item_to_string calls
Prevent runtime errors when item_to_string returns nil values
Add warning logs when parsing fails to help with debu...
should've checked the creation date lol
same error with this PR:
We dont even have a method called that anymore
stream_query
wait
let me go check the upper repos
looks like there is
yeah but the method isnt called just "stream_query"
maybe it's from this:
ahhh
we merged a mTLS pr
so you need to update your crowdsec.lua
GitHub
lua-cs-bouncer/lib/crowdsec.lua at 8bd0821f41cbea4b8e51dce332895817...
Contribute to crowdsecurity/lua-cs-bouncer development by creating an account on GitHub.
but... your on latest remediation
ohh
GitHub
Release v1.1.4 · crowdsecurity/cs-nginx-bouncer
What's Changed
update lua-cs-bouncer to 1.0.11 by @blotus in #95
Full Changelog: v1.1.3...v1.1.4
Finally working now
you might find this interesting
perfect!
so thats the issue its a range with scope Ip, so lets find why
testing in prod moment?
I thought 1.1.4 was what you was on
didnt realize it wasnt out
this list is imported as IP, but the bouncer is only complaining about the v6 addresses and not the v4 ones:
https://raw.githubusercontent.com/Xorlent/Internet-Scanners/refs/heads/main/_ALL.txt
but this address is scope Ip in your decisions
so crowdsec should really say "nope not correct scope"
I know, but
cscli decisions import didn't complain about it and the nginx bouncer is only complaining about the v6 addresses and not the v4 addressesinteresting