Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Zenarmor (Sensei)
»
Elastic server being flooded by thousands of connections from Zenarmor
« previous
next »
Print
Pages: [
1
]
Author
Topic: Elastic server being flooded by thousands of connections from Zenarmor (Read 1970 times)
BillyJoePiano
Newbie
Posts: 16
Karma: 0
Elastic server being flooded by thousands of connections from Zenarmor
«
on:
December 30, 2022, 08:07:50 pm »
I recently installed Zenarmor on my home OPNsense router. I also installed Elasticsearch in my DMZ server which is running FreeBSD. Elasticsearch and Kibana are in their own jail, served on the loopback interface only, and they are proxied behind an NGINX server that handles the TLS/SSL.
I have no issue connecting to either of these proxied services (elasticsearch and kibana) from my desktop computer. However, it seems that the router is flooding the server with TCP requests on the elasticsearch port, to the order of
thousands
of open TCP sockets at a time:
Code:
[Select]
sockstat | grep <router ip> | wc -l
...inside the NGINX jail is currently showing 1786 connections. This is crippling NGINX's ability to serve the normal websites it serves to the public internet.
I have tried reconfiguring NGINX to eliminate "keepalive", in case that was the problem, but it seems to have no impact.
It is not clear what is causing this, because Zenarmor is not indicating any sort of error condition or connection issues. But maybe it is having these and is not indicating it in the GUI?
«
Last Edit: December 30, 2022, 08:14:29 pm by BillyJoePiano
»
Logged
mb
Hero Member
Posts: 941
Karma: 99
Re: Elastic server being flooded by thousands of connections from Zenarmor
«
Reply #1 on:
December 30, 2022, 08:15:11 pm »
Hi @BillyJoePiano,
This is not expected. In my home firewall, I see around 15-30 active connections.
Are they all in ESTABLISHED state?
Logged
BillyJoePiano
Newbie
Posts: 16
Karma: 0
Re: Elastic server being flooded by thousands of connections from Zenarmor
«
Reply #2 on:
December 30, 2022, 08:23:31 pm »
Thanks for asking. I checked netstat in the NGINX jail, and it looks like very few are in ESTABLISHED state. Most are CLOSE_WAIT or TIME_WAIT.
Also, I guess that ZenArmor is indicating a (possibly related) error condition. The reports page shows all errors ("An error occurred while report is being loaded), with the error message "Query timeout expired!"
I am starting to suspect there may be an issue with how the router is accessing the elastic server, relating to DNS of the elastic domain, and port forwarding... I am going to try reconfiguring that and see if it solves the problem.
Logged
mb
Hero Member
Posts: 941
Karma: 99
Re: Elastic server being flooded by thousands of connections from Zenarmor
«
Reply #3 on:
December 30, 2022, 08:32:51 pm »
Got it. It's ok to have some sockets lingering in TIME_WAIT / CLOSE_WAIT. They do not consume resources and will be purged by the OS network stack after their timeouts.
This might be the culprit. If there's a network problem between the router & ES server, connections might be stuck in a stale state.
Logged
BillyJoePiano
Newbie
Posts: 16
Karma: 0
Re: Elastic server being flooded by thousands of connections from Zenarmor
«
Reply #4 on:
December 30, 2022, 09:27:22 pm »
The problem is that there are ~5-10 new connections being created per second. So even if the old ones time out after a while, these build up pretty quickly into the thousands.
After further investigating, I don't think it is a network issue between the router and the ES server. Everything seems to be getting there and back fine. When I look at some TCP streams in Wireshark, there is definitely back-and-forth between the router and the server, so it wouldn't seem to be an issue on OSI layers 1-4. I'm starting to suspect the a problem is in the application layer... but I'm not getting much info from the Elasticsearch logs
Logged
BillyJoePiano
Newbie
Posts: 16
Karma: 0
Re: Elastic server being flooded by thousands of connections from Zenarmor
«
Reply #5 on:
December 30, 2022, 11:07:10 pm »
I think I've identified at least part of the problem.
ModSecurity is enabled by default on all of my NGINX server blocks, and this was generating 400 HTTP status codes for nearly all of the POST requests, so they weren't even being forwarded to the loopback listener. I disabled ModSecurity for the Elastic reverse proxy, and the traffic seems to flowing more normally now, when watching Wireshark on the Loopback interface (where I can see everything in plaintext)
I'm still getting error messages in the Zenarmour dashboard, though I can now see a few stats there. I'm not sure what would be causing this still. I may need to examine the NGINX logs more closely, in case there are other issues with the proxying.
«
Last Edit: December 30, 2022, 11:11:15 pm by BillyJoePiano
»
Logged
BillyJoePiano
Newbie
Posts: 16
Karma: 0
Re: Elastic server being flooded by thousands of connections from Zenarmor
«
Reply #6 on:
December 30, 2022, 11:43:07 pm »
Small update:
After solving the above issue, it revealed that there was an additional issue with my custom-made configuration of the NGINX jail, having to do with read-write permissions. That was relatively easy to fix, and based on the NGINX logs it would seem everything is running smoothly now (only 200 status codes)
However, the Zenarmor dashboard is still showing the same error messages screenshotted above
Logged
BillyJoePiano
Newbie
Posts: 16
Karma: 0
Re: Elastic server being flooded by thousands of connections from Zenarmor
«
Reply #7 on:
December 31, 2022, 01:46:48 am »
Solved the dashboard report errors... was another thing related to read/write permissions in the NGINX jail... temporary files NGINX needed to create for proxying and posting, needed to make those directories writable
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Zenarmor (Sensei)
»
Elastic server being flooded by thousands of connections from Zenarmor