OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: Paweł on July 27, 2024, 06:48:17 PM

Title: The new GUI doesn't work on one of my several servers.
Post by: Paweł on July 27, 2024, 06:48:17 PM
After loading the page, everything is fine for about 30 seconds. Then all the widgets stop working one by one. They don't refresh the information or show the error: "Failed to load widget".

In the www graphical interface log, the following entry appears: "(/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/h2.c.612) h2: xx.xx.xx.xx sent too many RST_STREAM too quickly".

Can this be tuned somehow?
Title: Re: The new GUI doesn't work on one of my several servers.
Post by: meyergru on July 27, 2024, 07:38:00 PM
The new widgets are problematic because the web server has a limit on the number of concurrent connections; this has been reported before.

There is a patch for this that can be applied with "opnsense-patch 724f8494d6".
Title: Re: The new GUI doesn't work on one of my several servers.
Post by: gstrauss on July 28, 2024, 10:02:00 AM
FYI: "opnsense-patch 724f8494d6" gets you this workaround to the issue:
https://github.com/opnsense/core/commit/724f8494d64074e0384b9f593e699daf2d84d604

> "(/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/h2.c.612) h2: xx.xx.xx.xx sent too many RST_STREAM too quickly"
That error is emitted after triggering the detection of activity which looks like the HTTP/2 rapid reset attack (CVE-2023-44487).

Maybe the client side of the GUI should manage widget requests through a queue to better limit the number of concurrent requests?
Title: Re: The new GUI doesn't work on one of my several servers.
Post by: meyergru on July 28, 2024, 11:03:40 AM
Quote from: gstrauss on July 28, 2024, 10:02:00 AM
Maybe the client side of the GUI should manage widget requests through a queue to better limit the number of concurrent requests?

Think about that! It leaves the attack-prevention logic that protects the server to the client (= attacker)... so: No! ;D
Title: Re: The new GUI doesn't work on one of my several servers.
Post by: gstrauss on December 01, 2024, 12:02:58 PM
> "(/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/h2.c.612) h2: xx.xx.xx.xx sent too many RST_STREAM too quickly"
> That error is emitted after triggering the detection of activity which looks like the HTTP/2 rapid reset attack (CVE-2023-44487).

I am the lighttpd developer who wrote this code. lighttpd closes the connection if the request pattern looks like an HTTP/2 rapid reset attack (CVE-2023-44487).

My comment about adjusting the client is for the benefit of valid clients. If the behavior of a valid client looks like an attack on the server, then the client should be modified to avoid attacking the server, or appearing to attack the server.
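Added example, not code from this thread, OPNsense or lighttpd: a client-side request queue of the kind gstrauss suggests, which caps how many widget requests are in flight at once so a dashboard full of widgets does not open a burst of HTTP/2 streams. The class and function names, widget names and delays are constructed for illustration.

```javascript
// Added example (not OPNsense or lighttpd code): cap the number of widget
// requests in flight so the client never looks like a rapid-reset source.
class WidgetRequestQueue {
  constructor(maxConcurrent) {
    this.maxConcurrent = maxConcurrent;
    this.inFlight = 0;
    this.pending = [];          // tasks waiting for a free slot
    this.peakInFlight = 0;      // observed maximum, useful for tests/metrics
  }

  // task: a function returning a promise (e.g. () => fetch(url)).
  // Returns a promise that settles with the task's own result.
  enqueue(task) {
    return new Promise((resolve, reject) => {
      this.pending.push({ task, resolve, reject });
      this.drain();
    });
  }

  // Start queued tasks while a slot is free; called again as tasks finish.
  drain() {
    while (this.inFlight < this.maxConcurrent && this.pending.length > 0) {
      const { task, resolve, reject } = this.pending.shift();
      this.inFlight++;
      this.peakInFlight = Math.max(this.peakInFlight, this.inFlight);
      Promise.resolve()
        .then(task)
        .then(resolve, reject)
        .finally(() => { this.inFlight--; this.drain(); });
    }
  }
}

// Simulated widget loads (constructed input, no network): each "request"
// resolves after a short delay, like a widget's API call would.
function simulatedWidgetLoad(name, delayMs) {
  return () => new Promise((res) => setTimeout(() => res(`${name}: ok`), delayMs));
}

// Load `count` widgets through a queue with the given concurrency cap and
// report the peak number of simultaneous requests plus the results.
async function loadDashboard(count, maxConcurrent) {
  const queue = new WidgetRequestQueue(maxConcurrent);
  const results = await Promise.all(
    Array.from({ length: count }, (_, i) =>
      queue.enqueue(simulatedWidgetLoad(`widget${i}`, 5 + (i % 3) * 5))),
  );
  return { peakInFlight: queue.peakInFlight, results };
}
```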