
Enforcer nmap v5 crashes on startup with no active waf policy configured

Open anderius opened this issue 1 year ago • 4 comments

Describe the bug

Enforcer container fails to start without sites configured. NginxIC container also fails to start, waiting for the enforcer container.

To Reproduce

Deploy the Helm chart with Nginx App Protect V5 enabled, but no resources that use the WAF. That is, no VirtualServer with apBundle.

Expected behavior

We expect the nginx ic and the enforcer container to start without errors, even when no virtualserver with WAF is deployed.

Your environment

  • Version of the Ingress Controller - 3.6.0, with Helm chart 1.3.0
  • Version of Kubernetes: 1.29.9
  • Kubernetes platform: AKS
  • Using NGINX Plus

Additional context

Log from the enforcer container:

setting memory control callbacks for XML
BD_MISC|CRIT  |Aug 13 13:16:22.079|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0198|failed to get manifest last modification time, err: No such fil
Timeout detected while waiting for configuration. time since last config: 40 BD aborting
BD_MISC|WARN  |Aug 13 13:16:22.080|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0199|Timeout detected while waiting for configuration. time since la
BD_MISC|ERR   |Aug 13 13:16:22.081|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0114|failed opening manifest out file. path=/opt/app_protect/bd_conf
2024/08/13 13:16:22 Execution failed: exit status 1

anderius avatar Aug 20 '24 12:08 anderius
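
An added triage example (not part of the original issue and not NGINX project code): it parses the pipe-delimited BD records from the enforcer log above and flags the startup failure this report describes, so a crash-looping enforcer can be told apart from an unrelated fault. The field layout is inferred from the log lines on this page, and the function names are hypothetical.

```python
import re

# Layout inferred from this page's log (assumption):
# module|severity|timestamp|numeric field|source file:line|message
BD_LINE = re.compile(
    r"^(?P<module>[A-Z_]+)\|(?P<severity>[A-Z]+)\s*\|(?P<ts>[^|]+)\|(?P<num>\d+)\|"
    r"(?P<src>[^|:]+):(?P<line>\d+)\|(?P<msg>.*)$"
)

def parse_bd_line(raw):
    """Return a dict for one BD record, or None for any other line."""
    # Terminal captures may carry box-drawing borders and padding; strip them.
    m = BD_LINE.match(raw.strip(" │\t\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = rec["src"].rsplit("/", 1)[-1]  # keep only the file name
    rec["line"] = int(rec["line"])
    return rec

def is_missing_config_crash(log_text):
    """True when manifest_listener.cpp reports both a configuration timeout
    and a CRIT/ERR manifest failure, and the process then exits non-zero."""
    records = [r for r in map(parse_bd_line, log_text.splitlines()) if r]
    listener = [r for r in records if r["src"] == "manifest_listener.cpp"]
    timed_out = any(
        "Timeout detected while waiting for configuration" in r["msg"]
        for r in listener
    )
    manifest_error = any(
        r["severity"] in ("CRIT", "ERR") and "manifest" in r["msg"]
        for r in listener
    )
    return timed_out and manifest_error and "Execution failed: exit status" in log_text

# Copied from the log on this page, truncated exactly as it was captured.
PAGE_LOG = """setting memory control callbacks for XML
BD_MISC|CRIT  |Aug 13 13:16:22.079|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0198|failed to get manifest last modification time, err: No such fil
BD_MISC|WARN  |Aug 13 13:16:22.080|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0199|Timeout detected while waiting for configuration. time since la
BD_MISC|ERR   |Aug 13 13:16:22.081|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0114|failed opening manifest out file. path=/opt/app_protect/bd_conf
2024/08/13 13:16:22 Execution failed: exit status 1"""

# Constructed sample: an unrelated failure that must not be flagged.
CONSTRUCTED_OTHER = """BD_MISC|ERR   |Aug 13 13:20:00.000|0013|/constructed/path/other_module.cpp:0042|constructed unrelated error
2024/08/13 13:20:00 Execution failed: exit status 1"""

if __name__ == "__main__":
    print("known missing-config crash:", is_missing_config_crash(PAGE_LOG))
```
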

Hi @anderius thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this :slightly_smiling_face:

Cheers!

github-actions[bot] avatar Aug 20 '24 12:08 github-actions[bot]

I'm also facing a similar issue.

janibashamd avatar Aug 21 '24 14:08 janibashamd

Hi Folks, we are currently looking into this.

AlexFenlon avatar Aug 26 '24 15:08 AlexFenlon

Hi folks @anderius @janibashamd We've been in contact with the team that owns the development of this component of AppProtect v5. They are working on ensuring the waf-enforcer won't crash in this scenario.

As soon as we have more info, we'll share it in this thread.

shaun-nx avatar Aug 29 '24 11:08 shaun-nx

@shaun-nx Is there any news about this? Currently we have to deploy failing dummy-applications (with ap-policies) to be able to roll out App Protect at all.

anderius avatar Nov 04 '24 08:11 anderius

Hi @anderius This fix for the waf-enforcer will be made available in our next release, v4.0.0. That version of the NGINX Ingress Controller will use v5.4.0 of the waf-enforcer, which will no longer fail if a policy is not deployed.

shaun-nx avatar Dec 03 '24 16:12 shaun-nx

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.

github-actions[bot] avatar Mar 04 '25 02:03 github-actions[bot]

This issue was closed because it has been stalled for 10 days with no activity.

github-actions[bot] avatar Mar 14 '25 02:03 github-actions[bot]