NGINX App Protect WAF Troubleshooting Guide
Overview
This Troubleshooting Guide is intended to provide guidance to customers in the detection and correction of programming issues in F5 NGINX App Protect. It may also be useful to IT in resolving any installation or configuration problems.
Refer to the tables below for known NGINX App Protect WAF installation and configuration problems.
Resolving Known Problems
Installation
Problem | Solution |
---|---|
Starting with version 3.12, the installation steps and Docker deployment examples in the Admin Guide changed. You may encounter a yum or apt installation error when the app-protect-security-updates repository is missing. | Enable the app-protect-security-updates repository. |
Configuration
Problem | Solution |
---|---|
NGINX is not running (ps -aux), or reloading NGINX fails | Check the error log at /var/log/nginx/error.log. Fix the problem and re-run NGINX. |
NGINX App Protect WAF functionality is not as expected | NGINX App Protect WAF has several logs which can be used for troubleshooting. Usually, it is best to look for any warning or error messages within the logs. Refer to Logs Overview. |
Too many open files error message | Increase the number of file descriptors. For example: worker_rlimit_nofile 65535; in the main context of the nginx.conf file. Refer to the worker_rlimit_nofile directive. |
setrlimit ... failed (Permission denied) error message | Increase the limit using the following command as the root user: setsebool -P httpd_setrlimit 1 (refer to Issue 4: Too many files are open Error). |
unknown directive app_protect_xxx error message | The App Protect module is not loaded. Add this line to the main (global) context of nginx.conf: load_module "/etc/nginx/modules/ngx_http_app_protect_module.so"; |
ELK issues
ELK issues are addressed directly in GitHub: post the issue to the Kibana dashboards for F5 App Protect WAF GitHub repo.
SELinux
App Protect files and processes are labeled with the following two contexts:
- nap-compiler_t
- nap-engine_t
NGINX Plus is labeled with the httpd_t context.
If you run into a situation where SELinux denies access to something, start the troubleshooting by searching for audit denials related to one of the above contexts.
For example:
    ausearch --start recent -m avc --raw -se nap-engine_t
Here, --start recent means to start the search from 10 minutes ago.
For more information about how to use NGINX Plus with SELinux, check our blog.
Opening a Support Ticket
In order to open a support ticket, collect the troubleshooting information in a tarball and send it to your customer support engineer.
- Tarball preparation to collect data for troubleshooting:
  - Get all versions via:
        cat /opt/app_protect/VERSION /opt/app_protect/RELEASE > package_versions.txt
    For CentOS:
        rpm -qa 'nginx-plus*' 'app-protect*' >> package_versions.txt
    For Debian:
        apt list --installed | grep -E 'nginx-plus|app-protect' >> package_versions.txt
  - Get OS via:
        cat /etc/os-release > system_version.txt && uname -r >> system_version.txt && cat /proc/version >> system_version.txt
- Create a list of files for the tarball in a file called logs.txt:
      package_versions.txt
      system_version.txt
      /var/log/app_protect/* (all app protect files)
      /var/log/nginx/* (all NGINX files)
- Add all policies and log file configuration.
- Add all nginx configuration including all references such as /etc/nginx/nginx.conf.
- Create the tarball:
      tar cvfz logs.tgz `cat logs.txt`
- Attach logs.tgz to the support ticket.
- On the support ticket, in the NGINX App Protect WAF, set the release version according to the /opt/app_protect/RELEASE file.
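The collection steps above can be run as one script. This is an added example, not part of the NGINX documentation: the function name, the ROOT variable and the extra-path arguments are assumptions, since the page does not say where policies and log configuration files are stored.

```sh
#!/bin/sh
# Added example: gathers the support bundle from the steps above into logs.tgz.
# Usage: collect_bundle OUTDIR [EXTRA_PATH...]
#   EXTRA_PATH: absolute paths of policies, log configuration files and files
#   referenced from nginx.conf (their locations are site-specific).
#   ROOT (assumed helper variable): prefix of a copied filesystem tree; empty on a live host.
collect_bundle() (
    out=${1:-.}
    [ $# -gt 0 ] && shift
    root=${ROOT:-}
    mkdir -p "$out" && cd "$out" || exit 1

    # Product versions, then package versions from whichever package manager is present
    cat "$root/opt/app_protect/VERSION" "$root/opt/app_protect/RELEASE" \
        > package_versions.txt 2>/dev/null || true
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa 'nginx-plus*' 'app-protect*' >> package_versions.txt 2>/dev/null || true
    fi
    if command -v apt >/dev/null 2>&1; then
        { apt list --installed 2>/dev/null | grep -E 'nginx-plus|app-protect'; } \
            >> package_versions.txt || true
    fi

    # OS release, running kernel and kernel build string
    { cat "$root/etc/os-release"; uname -r; cat /proc/version; } \
        > system_version.txt 2>/dev/null || true

    # Expand the globs here and list only paths that exist, one per line
    for f in package_versions.txt system_version.txt \
             "$root"/var/log/app_protect/* "$root"/var/log/nginx/* \
             "$root/etc/nginx/nginx.conf" "$@"; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done > logs.txt

    # -T reads the list from the file, so names containing spaces stay intact
    tar czf logs.tgz -T logs.txt
)
```

On a live host, call it as root with ROOT unset, for example `collect_bundle /tmp/nap-support` followed by the absolute paths of your policy and log configuration files.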