Chris Buechler wrote on Sat, Jan 16 2016 at 2:23 am:
> The fact you're hitting at least one lighttpd crash makes me think
> there's some other issue there, though no one else has seen any issues
> in 2.2.6, the issue in 2.2.5 wasn't replicable in most cases either.
> There's a reason nginx is now the web server in 2.3.
>
> That could be an issue in the Suricata package, given the web server
> only crashed once it appears. Since you end up in a situation where
> you're stuck until restarting php-fpm, that points to the issue being
> in PHP, though an issue in lighttpd could impact PHP.

If I step back and look at the big picture it kind of got worse over
time. It started off that restarting webConfigurator seemed to fix it, at
least letting me log in to the web GUI and syncing for a while afterwards.
Then restarting webConfigurator had no effect and restarting PHP-FPM would
immediately yield an HTTP error (usually 500). And then Friday night it seemed
like I had to restart the entire router to get to the web GUI.

Is it conceivable that a temporary problem would survive restarting
webConfigurator and PHP-FPM? I don't understand how. I'd guess Suricata was
left running but the log says "Restarting/Starting all packages" at every
firewall sync.

I'd ask if someone with a couple of routers/VMs could install Suricata,
enable some rule sets, disable all the rules in
emerging-web_specific_apps.rules and try to duplicate it, but un-disabling them
didn't fix the problem. Although I probably had not yet restarted our router2
at that point either, come to think of it.

It's even weirder that a "successful" sync can be 1-4 seconds or 3
minutes. It does make me think the issue is with Suricata, but ideally
whatever the issue is shouldn't block access to the web GUI. Luckily I can get
to the router's console.

Is there a way to get lighttpd to log errors? I was poking around
while logged into the console but its log was blank (as I recall now).

> Not sure offhand whether Suricata is even usable in 2.3, but that
> might be worth a shot.

Hmmm, we don't have a long history with packages. I was kind of
assuming it would just work with new versions. :) Will have to test it out
first. Usually I don't hurry to upgrade without a reason but I've never had a
problem upgrading 2.x versions. That said I read the changelog-in-progress for
2.3 and it looks like a big overhaul.
--
Steve Yates
ITS, Inc.