Chris Buechler wrote on Sat, Jan 16 2016 at 2:23 am:
> The fact you're hitting at least one lighttpd crash makes me think
> there's some other issue there, though no one else has seen any issues
> in 2.2.6, the issue in 2.2.5 wasn't replicable in most cases either.
> There's a reason nginx is now the web server in 2.3.
>
> That could be an issue in the Suricata package, given the web server
> only crashed once it appears. Since you end up in a situation where
> you're stuck until restarting php-fpm, that points to the issue being
> in PHP, though an issue in lighttpd could impact PHP.

If I step back and look at the big picture it kind of got worse over time. It started off that restarting webConfigurator seemed to fix it, at least letting me log in to the web GUI and syncing for a while afterwards. Then restarting webConfigurator had no effect and restarting PHP-FPM would immediately yield an HTTP error (usually 500). And then Friday night it seemed like I had to restart the entire router to get to the web GUI. Is it conceivable that a temporary problem would survive restarting webConfigurator and PHP-FPM? I don't understand how. I'd guess Suricata was left running but the log says "Restarting/Starting all packages" at every firewall sync.

I'd ask if someone with a couple of routers/VMs could install Suricata, enable some rule sets, disable all the rules in emerging-web_specific_apps.rules and try to duplicate it, but un-disabling them didn't fix the problem. Although I probably had not yet restarted our router2 at that point either, come to think of it.

It's even weirder that a "successful" sync can be 1-4 seconds or 3 minutes. It does make me think the issue is with Suricata, but ideally whatever the issue is shouldn't block access to the web GUI. Luckily I can get to the router's console.

Is there a way to get lighttpd to log errors? I was poking around while logged into the console but its log was blank (as I recall now).

> Not sure offhand whether Suricata is even usable in 2.3, but that
> might be worth a shot.

Hmmm, we don't have a long history with packages. I was kind of assuming it would just work with new versions. :) Will have to test it out first. Usually I don't hurry to upgrade without a reason but I've never had a problem upgrading 2.x versions. That said I read the changelog-in-progress for 2.3 and it looks like a big overhaul.

--
Steve Yates
ITS, Inc.