NGINX App Protect WAF Troubleshooting Guide

Overview

This Troubleshooting Guide is intended to provide guidance to customers in the detection and correction of programming issues in F5 NGINX App Protect WAF. It may also be useful to IT in resolving any installation or configuration problems.

Refer to the below table for any NGINX App Protect WAF installation or configuration known problems.

Resolving Known Problems

Configuration

Problem	Solution
NGINX is not running (ps -aux) Reloading NGINX fails	Check the error log at `/var/log/nginx/error.log` Fix the problem and re-run NGINX.
NGINX App Protect WAF functionality is not as expected	NGINX App Protect WAF has several logs which can be used for troubleshooting. Usually, it is best to look for any warning or error messages within the logs. Refer to Logs Overview
`Too many open files` error message	Increase number of file descriptors. For example: `worker_rlimit_nofile 65535;` in the main context of `nginx.conf` file. Refer to worker_rlimit_nofile directive
`setrlimit ... failed (Permission denied)` error message	Increase the limit using the following command as the root user: `setsebool -P httpd_setrlimit 1;` Refer to Issue 4: Too many files are open Error
unknown directive `app_protect_xxx` error message	App Protect module is not loaded. Add this line to the main (global) context of nginx.conf: `load_module "/etc/nginx/modules/ngx_http_app_protect_module.so";`
Compiler error message: Expected declarative policy	Make sure your policy conforms to proper WAF policy standards. The proper structure is: `{ "policy": { ... } }`
Error messages: Policy Bundles version is older than the local version and Policy Bundles version is newer than the local version	Recompile all of your bundles from scratch. Bundles must always be recompiled whenever you install security updates.
Error messages: Found mixed content of compiled and raw configuration and Compiler is required, but not installed: Missing /opt/app_protect/bin/config_set_compiler	Only pre-compiled bundles can be used in the nginx.conf – don’t use JSON policies. Make sure the JSON policies are compiled to bundles first.
Error messages: Policy Bundles have differing global states and Policy Bundles have differing cookie seeds	Recompile all of your bundles from scratch with your custom compiler. Bundles must always be compiled using the same compiler image/version. Default and custom policy bundles can’t be mixed.
Error message: Duplicate policy name found	Don’t compile multiple policies with the same name, and don’t compile one policy to multiple bundles. Each policy can only be compiled once but the bundle can be reused many times.
Error message: Duplicate logging profile name found	Don’t compile the same logging profile to multiple bundles. Each logging profile can only be compiled once but the bundle can be reused many times.
Error message: Timeout waiting for enforcer	Likely an internal issue. Please contact support and provide the policies used in the bundles.

SELinux

In some operating systems, security mechanisms like SELinux or AppArmor are enabled by default, potentially blocking necessary file access for the nginx process and waf-config-mgr and waf-enforcer containers. To ensure NGINX App Protect WAF operates smoothly without compromising security, consider setting up a custom SELinux policy or AppArmor profile. For short-term troubleshooting, you may use permissive (SELinux) or complain (AppArmor) mode to avoid these restrictions, but keep in mind that this lowers security and isn’t advised for prolonged use.

For more information about how to use NGINX Plus with SELinux - check our blog.

Opening a Support Ticket

In order to open a support ticket, collect the troubleshooting information in one directory, create a tarball and send it to your customer support engineer:

For Docker compose deployment, run the following command to collect logs:
```
sudo docker compose logs > docker_compose_logs.txt
```
Alternatively, if a centralized logging system like the ELK stack is utilized, retrieve the logs in CSV format, docker_compose_logs.csv.

For Kubernetes deployment:

Replace default in code snippets below with the name of your namespace.

Locate the deployment and list all pods:

kubectl get pods -n default

Use the following script to collect logs from all pods:

#!/bin/bash

set -x

# Define the namespace variable
NAMESPACE="default"

# Define a directory to store log files
log_dir="k8s_logs_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$log_dir"

# Loop through all pods and containers, saving logs to the defined directory
for pod in $(kubectl get pods -n $NAMESPACE -o=name | sed 's|pod/||g'); do
    for container in $(kubectl get pod/$pod -n $NAMESPACE -o=jsonpath='{.spec.containers[*].name}'); do
        kubectl logs $pod -c $container -n $NAMESPACE > "${log_dir}/${pod}_${container}_logs.txt"
    done
done

echo "Logs collected and archived in ${log_dir}.tar.gz"

This script iterates over each pod in your namespace, identifies each container within those pods, and then saves the logs of each container into separate files. These files are named after the respective pod and container and are stored in a directory named k8s_logs_<timestamp>.

If NGINX is directly installed on the host machine:

For CentOS / RHEL / Amazon Linux / Oracle Linux:

rpm -qa nginx* app-protect* > package_versions.txt

For Debian / Ubuntu:

apt list --installed | grep -E 'nginx|app-protect' > package_versions.txt

For Alpine Linux:

apk info -vv | grep -E 'nginx|app-protect' > package_versions.txt

Get OS information via:

cat /etc/os-release > system_version.txt && uname -r >> system_version.txt && cat /proc/version >> system_version.txt

Add nginx logs from /var/log/nginx/

Add all policies and log file configuration (JSON and bundle files).
Add all nginx configuration including all references such as /etc/nginx/nginx.conf
At the same direcotory, run the following command to create the tarball file:
```
tar cvfz logs.tgz .
```
Attach logs.tgz to support ticket.

Last modified August 22, 2024