The new GUI doesn't work on one of my several servers.

Started by Paweł, July 27, 2024, 06:48:17 PM

After loading the page, everything is fine for about 30 seconds. Then all the widgets stop working one by one. They don't refresh the information or show the error: "Failed to load widget".

In the www graphical interface log, the following entry appears: "(/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/h2.c.612) h2: xx.xx.xx.xx sent too many RST_STREAM too quickly".

Can this be tuned somehow?

The new widgets are problematic because the web server has a limit on the number of concurrent connections; this has been reported before.

There is a patch for this that can be applied with "opnsense-patch 724f8494d6".
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

FYI: "opnsense-patch 724f8494d6" gets you this workaround to the issue:
https://github.com/opnsense/core/commit/724f8494d64074e0384b9f593e699daf2d84d604

"(/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/h2.c.612) h2: xx.xx.xx.xx sent too many RST_STREAM too quickly"
That error is emitted after triggering the detection of activity which looks like the HTTP/2 rapid reset attack (CVE-2023-44487).

Maybe the client side of the GUI should manage widget requests through a queue to better limit the number of concurrent requests?

Quote from: gstrauss on July 28, 2024, 10:02:00 AM
> Maybe the client side of the GUI should manage widget requests through a queue to better limit the number of concurrent requests?

Think about that! It leaves the attack-prevention logic that protects the server to the client (= attacker)... so: No! ;D
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

> "(/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/h2.c.612) h2: xx.xx.xx.xx sent too many RST_STREAM too quickly"
> That error is emitted after triggering the detection of activity which looks like the HTTP/2 rapid reset attack (CVE-2023-44487).

I am the lighttpd developer who wrote this code. lighttpd closes the connection if the request pattern looks like an HTTP/2 rapid reset attack (CVE-2023-44487).

My comment about adjusting the client is for the benefit of valid clients.  If the behavior of a valid client looks like an attack on the server, then the client should be modified to avoid attacking the server, or appearing to attack the server.
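
The client-side queue suggested in the thread above, as an added example; it is not code from OPNsense or lighttpd. The class name, the limit of 4 and the widget keys are assumptions. It caps concurrent widget requests, coalesces repeated refreshes of one widget, and only drops requests that were never sent, since cancelling a started HTTP/2 request is what makes a client send RST_STREAM.

```javascript
// Added example: cap concurrent widget requests and never cancel one that has
// started, so a valid client does not produce bursts of RST_STREAM frames.
class WidgetRequestQueue {
  constructor(maxConcurrent = 4) {
    this.maxConcurrent = maxConcurrent; // assumed value, tune per deployment
    this.active = 0;
    this.waiting = [];        // not yet sent: { key, task, resolve, reject }
    this.pending = new Map(); // key -> promise of a queued or in-flight request
    this.peak = 0;            // highest concurrency observed (for verification)
  }

  // key identifies the widget; task is a function returning a promise,
  // e.g. () => fetch(url).then((r) => r.json()).
  request(key, task) {
    // Coalesce: a refresh tick for a widget that is still waiting or in
    // flight reuses that request instead of opening another stream.
    if (this.pending.has(key)) return this.pending.get(key);
    const p = new Promise((resolve, reject) => {
      this.waiting.push({ key, task, resolve, reject });
    });
    this.pending.set(key, p);
    this._drain();
    return p;
  }

  // Drop requests that were never sent (e.g. widget removed from dashboard).
  // In-flight requests are left to finish instead of being aborted.
  cancelQueued(key) {
    const before = this.waiting.length;
    this.waiting = this.waiting.filter((e) => {
      if (e.key !== key) return true;
      this.pending.delete(key);
      e.reject(new Error("cancelled before send"));
      return false;
    });
    return before - this.waiting.length;
  }

  _drain() {
    while (this.active < this.maxConcurrent && this.waiting.length > 0) {
      const e = this.waiting.shift();
      this.active += 1;
      this.peak = Math.max(this.peak, this.active);
      Promise.resolve().then(e.task).then(e.resolve, e.reject).finally(() => {
        this.active -= 1;
        this.pending.delete(e.key);
        this._drain();
      });
    }
  }
}
```
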