NPMPlus not running anymore #1345

NazgulCoder · 2025-01-06T13:33:09Z

NazgulCoder
Jan 6, 2025

Hello,

I tried to setup your NPMplus, everything worked fine, I then tried to enable the LOGROTATE, and the other steps to bind it with Crowdsec but my UI won't work anymore.

All I did, I just setup 1 host only, and even if the NPMplus UI doesn't work, the reverse proxy works.

If I type nginx -t everything is fine.

Please find below the logs

'/usr/local/nginx/conf/conf.d/include/coreruleset/plugins/README.md' -> '/data/etc/modsecurity/crs-plugins/README.md'

'/usr/local/nginx/conf/conf.d/include/coreruleset/plugins/empty-after.conf' -> '/data/etc/modsecurity/crs-plugins/empty-after.conf'

'/usr/local/nginx/conf/conf.d/include/coreruleset/plugins/empty-before.conf' -> '/data/etc/modsecurity/crs-plugins/empty-before.conf'

'/usr/local/nginx/conf/conf.d/include/coreruleset/plugins/empty-config.conf' -> '/data/etc/modsecurity/crs-plugins/empty-config.conf'

no DEFAULT_CERT_ID set, using dummycerts.

Working on file: /data/nginx/default.conf

Working on file: /data/nginx/proxy_host/1.conf

Success.

-------------------------------------

 _ _  ___  __ __       _

| \ || . \|  \  \ ___ | | _ _  ___

|   ||  _/|     || . \| || | |[_-[

|_\_||_|  |_|_|_||  _/|_| \__|/__/

                 |_|

-------------------------------------

Version:  2.12.1+b091ad0

Date:     Mon Jan  6 14:25:35 CET 2025

User:     root

PUID:     0

User ID:  0

PGID:     0

Group ID: 0

-------------------------------------

reading config file /etc/logrotate

acquired lock on state file /data/etc/logrotate.stateReading state from file: /data/etc/logrotate.state

Allocating hash table for state file, size 64 entries

Creating new state

Creating new state

Handling 1 logs

rotating pattern: /data/nginx/*.log  after 1 days (3 rotations)

empty log files are not rotated, old logs are removed

considering log /data/nginx/access.log

  Now: 2025-01-06 14:25

  Last rotated at 2025-01-06 13:00

  log does not need rotating (log has been rotated at 2025-01-06 13:00, which is less than a day ago)

considering log /data/nginx/stream.log

  Now: 2025-01-06 14:25

  Last rotated at 2025-01-06 13:00

  log does not need rotating (log has been rotated at 2025-01-06 13:00, which is less than a day ago)

not running prerotate script, since no logs will be rotated

not running postrotate script, since no logs were rotated

[Global   ] › ℹ  info      Using Sqlite: /data/etc/npm/database.sqlite

[Migrate  ] › ℹ  info      Current database version: none

[IP Ranges] › ℹ  info      Fetching IP Ranges from online services...

[IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4

[IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6

[Global   ] › ⬤  debug     CMD: certbot-ocsp-fetcher.sh -c /data/tls/certbot -o /data/tls/certbot/live --no-reload-webserver --quiet

[SSL      ] › ℹ  info      Certbot Renewal Timer initialized

[IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized

[Global   ] › ℹ  info      Backend PID 601 listening on port 48693 ...

[Global   ] › ⬤  debug     CMD: nginx -tq

[Nginx    ] › ℹ  info      Starting Nginx

2025/01/06 14:25:39 [notice] 665#665: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/812/0)

Also, I tried to reverse all the changes and still no luck

Answered by NazgulCoder

Jan 6, 2025

did you replaced the api key in the crowdsec config file in npmplus? (and restarted npmplus?)

I know what happened, I'm an idiot. When you told me to recreate the crowdsec I mistakenly copied part of the container hostname 🤦‍♂️

I just tried now some common XSS and SQL Injection patterns, they get blocked (and logged correctly) by ModSecurity. After a few attempts CrowdSec correctly kicks in. Otherwise everything is smooth (even with double reverse proxy, but it will be removed soon).

time="2025-01-06T23:12:20+01:00" level=info msg="(localhost/crowdsec) LePresidente/http-generic-403-bf by ip 173.208.219.106 (US/32097) : 4h ban on Ip 173.208.219.106"

Sick! (IP is not mine ofc)

In the nex…

View full answer

NazgulCoder · 2025-01-06T13:50:53Z

NazgulCoder
Jan 6, 2025
Author

Just tried to redeploy it brand new... No luck, what is going on? xD

Date:     Mon Jan  6 14:48:29 CET 2025

User:     root

PUID:     0

User ID:  0

PGID:     0

Group ID: 0

-------------------------------------

Saving debug log to /tmp/certbot-log/letsencrypt.log

Account registered.

reading config file /etc/logrotate

Creating stub state file: /data/etc/logrotate.state

acquired lock on state file /data/etc/logrotate.stateReading state from file: /data/etc/logrotate.state

Allocating hash table for state file, size 64 entries

Handling 1 logs

rotating pattern: /data/nginx/*.log  after 1 days (3 rotations)

empty log files are not rotated, old logs are removed

considering log /data/nginx/access.log

Creating new state

  Now: 2025-01-06 14:48

  Last rotated at 2025-01-06 14:00

  log does not need rotating (log has already been rotated)

considering log /data/nginx/stream.log

Creating new state

  Now: 2025-01-06 14:48

  Last rotated at 2025-01-06 14:00

  log does not need rotating (log has already been rotated)

not running prerotate script, since no logs will be rotated

not running postrotate script, since no logs were rotated

[Global   ] › ℹ  info      Using Sqlite: /data/etc/npm/database.sqlite

[Global   ] › ℹ  info      Creating a new JWT key pair...

[Global   ] › ℹ  info      Wrote JWT key pair to config file: /data/etc/npm/keys.json

[Migrate  ] › ℹ  info      Current database version: none

[Migrate  ] › ℹ  info      [initial-schema] Migrating Up...

[Migrate  ] › ℹ  info      [initial-schema] auth Table created

[Migrate  ] › ℹ  info      [initial-schema] user Table created

[Migrate  ] › ℹ  info      [initial-schema] user_permission Table created

[Migrate  ] › ℹ  info      [initial-schema] proxy_host Table created

[Migrate  ] › ℹ  info      [initial-schema] redirection_host Table created

[Migrate  ] › ℹ  info      [initial-schema] dead_host Table created

[Migrate  ] › ℹ  info      [initial-schema] stream Table created

[Migrate  ] › ℹ  info      [initial-schema] access_list Table created

[Migrate  ] › ℹ  info      [initial-schema] certificate Table created

[Migrate  ] › ℹ  info      [initial-schema] access_list_auth Table created

[Migrate  ] › ℹ  info      [initial-schema] audit_log Table created

[Migrate  ] › ℹ  info      [websockets] Migrating Up...

[Migrate  ] › ℹ  info      [websockets] proxy_host Table altered

[Migrate  ] › ℹ  info      [forward_host] Migrating Up...

[Migrate  ] › ℹ  info      [forward_host] proxy_host Table altered

[Migrate  ] › ℹ  info      [http2_support] Migrating Up...

[Migrate  ] › ℹ  info      [http2_support] proxy_host Table altered

[Migrate  ] › ℹ  info      [http2_support] redirection_host Table altered

[Migrate  ] › ℹ  info      [http2_support] dead_host Table altered

[Migrate  ] › ℹ  info      [forward_scheme] Migrating Up...

[Migrate  ] › ℹ  info      [forward_scheme] proxy_host Table altered

[Migrate  ] › ℹ  info      [disabled] Migrating Up...

[Migrate  ] › ℹ  info      [disabled] proxy_host Table altered

[Migrate  ] › ℹ  info      [disabled] redirection_host Table altered

[Migrate  ] › ℹ  info      [disabled] dead_host Table altered

[Migrate  ] › ℹ  info      [disabled] stream Table altered

[Migrate  ] › ℹ  info      [custom_locations] Migrating Up...

[Migrate  ] › ℹ  info      [custom_locations] proxy_host Table altered

[Migrate  ] › ℹ  info      [hsts] Migrating Up...

[Migrate  ] › ℹ  info      [hsts] proxy_host Table altered

[Migrate  ] › ℹ  info      [hsts] redirection_host Table altered

[Migrate  ] › ℹ  info      [hsts] dead_host Table altered

[Migrate  ] › ℹ  info      [settings] Migrating Up...

[Migrate  ] › ℹ  info      [settings] setting Table created

[Migrate  ] › ℹ  info      [access_list_client] Migrating Up...

[Migrate  ] › ℹ  info      [access_list_client] access_list_client Table created

[Migrate  ] › ℹ  info      [access_list_client] access_list Table altered

[Migrate  ] › ℹ  info      [access_list_client_fix] Migrating Up...

[Migrate  ] › ℹ  info      [access_list_client_fix] access_list Table altered

[Migrate  ] › ℹ  info      [pass_auth] Migrating Up...

[Migrate  ] › ℹ  info      [pass_auth] access_list Table altered

[Migrate  ] › ℹ  info      [redirection_scheme] Migrating Up...

[Migrate  ] › ℹ  info      [redirection_scheme] redirection_host Table altered

[Migrate  ] › ℹ  info      [redirection_status_code] Migrating Up...

[Migrate  ] › ℹ  info      [redirection_status_code] redirection_host Table altered

[Migrate  ] › ℹ  info      [stream_domain] Migrating Up...

[Migrate  ] › ℹ  info      [stream_domain] stream Table altered

[Migrate  ] › ℹ  info      [stream_domain] Migrating Up...

[Migrate  ] › ℹ  info      [change_incoming_port_to_string] Migrating Up...

[Migrate  ] › ℹ  info      [change_incoming_port_to_string] stream Table altered

[Migrate  ] › ℹ  info      [regenerate_default_host] Migrating Up...

[Setup    ] › ℹ  info      Creating a new user: [email protected] with password: iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi

[Setup    ] › ℹ  info      Initial admin setup completed

[Setup    ] › ℹ  info      Default settings added

[IP Ranges] › ℹ  info      Fetching IP Ranges from online services...

[IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4

[IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6

[Global   ] › ⬤  debug     CMD: certbot-ocsp-fetcher.sh -c /data/tls/certbot -o /data/tls/certbot/live --no-reload-webserver --quiet

[SSL      ] › ℹ  info      Certbot Renewal Timer initialized

[IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized

[Global   ] › ℹ  info      Backend PID 508 listening on port 48693 ...

[Global   ] › ⬤  debug     CMD: nginx -tq

[Nginx    ] › ℹ  info      Starting Nginx

2025/01/06 14:48:53 [notice] 537#537: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/7/0)

0 replies

Zoey2936 · 2025-01-06T15:15:56Z

Zoey2936
Jan 6, 2025
Maintainer

what does not work anymore?

24 replies

Zoey2936 Jan 6, 2025
Maintainer

Should it output something?

no, it is fine

acquis.d/npmplus.yaml and acquis.yaml should do the same, did you recreated the api key after recretaing the crowdsec container and does curl now output something? Is something written in npmplus logs?

Do you mean that it doesn't matter whether I have directly modified the acquis.yaml, right?

yes

Yes I recreated the API Key for crowdsec

ok, but is something written in npmplus logs?

NazgulCoder Jan 6, 2025
Author

2025/01/06 22:53:52 [error] 704#704: *64 [lua] crowdsec.lua:636: Allow(): [Crowdsec] bouncer error: Http error 403 while talking to LAPI (http://172.29.100.12:8080/v1/decisions?ip=172.29.100.2), client: 172.29.100.2, server: _, request: "GET /nginx/proxy HTTP/2.0", host: "172.29.100.11:81"
2025/01/06 22:53:52 [error] 704#704: *64 [lua] crowdsec.lua:597: AppSecCheck(): Unauthenticated request to APPSEC, client: 172.29.100.2, server: _, request: "GET /nginx/proxy HTTP/2.0", host: "172.29.100.11:81"
2025/01/06 22:53:52 [alert] 704#704: *64 [lua] crowdsec.lua:718: Allow(): [Crowdsec] denied '172.29.100.2' with 'ban' (by appsec), client: 172.29.100.2, server: _, request: "GET /nginx/proxy HTTP/2.0", host: "172.29.100.11:81"
2025/01/06 22:53:52 [error] 704#704: *64 [lua] crowdsec.lua:636: Allow(): [Crowdsec] bouncer error: Http error 403 while talking to LAPI (http://172.29.100.12:8080/v1/decisions?ip=172.29.100.2), client: 172.29.100.2, server: _, request: "GET /favicon.ico HTTP/2.0", host: "172.29.100.11:81", referrer: "https://172.29.100.11:81/nginx/proxy"
2025/01/06 22:53:52 [error] 704#704: *64 [lua] crowdsec.lua:597: AppSecCheck(): Unauthenticated request to APPSEC, client: 172.29.100.2, server: _, request: "GET /favicon.ico HTTP/2.0", host: "172.29.100.11:81", referrer: "https://172.29.100.11:81/nginx/proxy"
2025/01/06 22:53:52 [alert] 704#704: *64 [lua] crowdsec.lua:718: Allow(): [Crowdsec] denied '172.29.100.2' with 'ban' (by appsec), client: 172.29.100.2, server: _, request: "GET /favicon.ico HTTP/2.0", host: "172.29.100.11:81", referrer: "https://172.29.100.11:81/nginx/proxy"
2025/01/06 22:53:56 [error] 771#771: *68 [lua] crowdsec.lua:636: Allow(): [Crowdsec] bouncer error: Http error 403 while talking to LAPI (http://172.29.100.12:8080/v1/decisions?ip=PUBLIC MY IP REDACTED), client: PUBLIC MY IP REDACTED, server: PUBLIC FQDN REDACTED.com, request: "GET / HTTP/1.1", host: "PUBLIC FQDN REDACTED.com"
2025/01/06 22:53:56 [error] 771#771: *68 [lua] crowdsec.lua:597: AppSecCheck(): Unauthenticated request to APPSEC, client: PUBLIC MY IP REDACTED, server: PUBLIC FQDN REDACTED.com, request: "GET / HTTP/1.1", host: "PUBLIC FQDN REDACTED.com"
2025/01/06 22:53:56 [alert] 771#771: *68 [lua] crowdsec.lua:718: Allow(): [Crowdsec] denied 'PUBLIC MY IP REDACTED' with 'ban' (by appsec), client: PUBLIC MY IP REDACTED, server: PUBLIC FQDN REDACTED.com, request: "GET / HTTP/1.1", host: "PUBLIC FQDN REDACTED.com"

here you go.

Zoey2936 Jan 6, 2025
Maintainer

did you replaced the api key in the crowdsec config file in npmplus? (and restarted npmplus?)

NazgulCoder Jan 6, 2025
Author

did you replaced the api key in the crowdsec config file in npmplus? (and restarted npmplus?)

I know what happened, I'm an idiot. When you told me to recreate the crowdsec I mistakenly copied part of the container hostname 🤦‍♂️

I just tried now some common XSS and SQL Injection patterns, they get blocked (and logged correctly) by ModSecurity. After a few attempts CrowdSec correctly kicks in. Otherwise everything is smooth (even with double reverse proxy, but it will be removed soon).

time="2025-01-06T23:12:20+01:00" level=info msg="(localhost/crowdsec) LePresidente/http-generic-403-bf by ip 173.208.219.106 (US/32097) : 4h ban on Ip 173.208.219.106"

Sick! (IP is not mine ofc)

In the next days I will write down here if you want my whole config (I honestly found few parts confusing, I'll be honest I'm a rookie at linux, it's 1 year circa I deal with it as a hobbyist).

Eventually other people will benefit from this.

Answer selected by Zoey2936

Zoey2936 Jan 6, 2025
Maintainer

So it works now?

NazgulCoder Jan 6, 2025
Author

So it works now?

Seems so 😋

Thank you very much for your patience

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

NPMPlus not running anymore #1345

{{title}}

Replies: 2 comments 24 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

NPMPlus not running anymore #1345

NazgulCoder Jan 6, 2025

Replies: 2 comments · 24 replies

NazgulCoder Jan 6, 2025 Author

Zoey2936 Jan 6, 2025 Maintainer

Zoey2936 Jan 6, 2025 Maintainer

NazgulCoder Jan 6, 2025 Author

Zoey2936 Jan 6, 2025 Maintainer

NazgulCoder Jan 6, 2025 Author

Zoey2936 Jan 6, 2025 Maintainer

NazgulCoder Jan 6, 2025 Author

NazgulCoder
Jan 6, 2025

Replies: 2 comments 24 replies

NazgulCoder
Jan 6, 2025
Author

Zoey2936
Jan 6, 2025
Maintainer

Zoey2936 Jan 6, 2025
Maintainer

NazgulCoder Jan 6, 2025
Author

Zoey2936 Jan 6, 2025
Maintainer

NazgulCoder Jan 6, 2025
Author

Zoey2936 Jan 6, 2025
Maintainer

NazgulCoder Jan 6, 2025
Author