Troubleshooting NGINX App Protect DoS
This document describes how to troubleshoot problems when using NGINX Ingress Controller and the App Protect DoS module.
To troubleshoot other parts of NGINX Ingress Controller, check the troubleshooting section of the documentation.
Potential problems
The table below outlines potential problems with NGINX Ingress Controller when the App Protect DoS module is enabled. It suggests how to troubleshoot those problems with methods explained in the next section.
Problem area | Symptom | Troubleshooting method | Common cause |
---|---|---|---|
Start | NGINX Ingress Controller fails to start. | Check the NGINX Ingress Controller logs. | Misconfigured DosProtectedResource, APDosLogConf or APDosPolicy. |
DosProtectedResource, APDosLogConf, APDosPolicy or Ingress Resource. | The configuration is not applied. | Check the events of the DosProtectedResource, APDosLogConf, APDosPolicy and Ingress Resource, check the Ingress Controller logs. | DosProtectedResource, APDosLogConf or APDosPolicy is invalid. |
Troubleshooting ethods
Checking NGINX Ingress Controller and App Protect DoS logs
App Protect DoS logs are part of the NGINX Ingress Controller logs when the module is enabled. To check the Ingress Controller logs, follow the steps of Checking the Ingress Controller Logs of the Troubleshooting guide.
For App Protect DoS specific logs, look for messages starting with APP_PROTECT_DOS
, such as:
2021/06/14 08:17:50 [notice] 242#242: APP_PROTECT_DOS { "event": "shared_memory_connected", "worker_pid": 242, "mode": "operational", "mode_changed": true }
Checking Ingress Resource Events
Follow the steps of Troubleshooting Ingress Resources.
Checking VirtualServer Resource Events
Follow the steps of Troubleshooting VirtualServer Resources.
Checking for DoSProtectedResource Events
After you create or update an DosProtectedResource, you can immediately check if the NGINX configuration was successfully applied by NGINX:
kubectl describe dosprotectedresource dos-protected
Name: dos-protected
Namespace: default
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal AddedOrUpdated 2s nginx-ingress-controller Configuration for default/dos-protected was added or updated
Note that in the events section, we have a Normal
event with the AddedOrUpdated
reason, which informs us that the configuration was successfully applied.
If the DosProtectedResource refers to a missing resource, you should see a message like the following:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning Rejected 8s nginx-ingress-controller dos protected refers (default/dospolicy) to an invalid DosPolicy: DosPolicy default/dospolicy not found
This can be fixed by adding the missing resource.
Checking for APDosLogConf Events
After you create or update an APDosLogConf, you can immediately check if the NGINX configuration was successfully applied by NGINX:
kubectl describe apdoslogconf logconf
Name: logconf
Namespace: default
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal AddedOrUpdated 11s nginx-ingress-controller AppProtectDosLogConfig default/logconf was added or updated
Note that in the events section, we have a Normal
event with the AddedOrUpdated
reason, which informs us that the configuration was successfully applied.
Check events of APDosPolicy
After you create or update an APDosPolicy, you can immediately check if the NGINX configuration was successfully applied by NGINX:
kubectl describe apdospolicy dospolicy
Name: dospolicy
Namespace: default
. . .
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal AddedOrUpdated 2m25s nginx-ingress-controller AppProtectDosPolicy default/dospolicy was added or updated
The events section has a Normal event with the AddedOrUpdated reason, indicating the policy was successfully accepted.
Run App Protect DoS in Debug log Mode
When you set the Ingress Controller to use debug log mode, the setting also applies to the App Protect DoS module. See Running NGINX in the Debug Mode for instructions.
You can enable debug log mode to App Protect DoS module only by setting the app-protect-dos-debug
configmap.