Lighttpd Crash
Added by InfraPrime_User over 11 years ago
Hello!
We've been using pfSense as a captive portal, especially for user authentication.
Then, due to a lighttpd vulnerability, which was exploited by someone to knock our Captive Portal down, we decided to upgrade pfSense to the latest version: 2.1.
After that upgrade, pfSense started working fine, and the earlier exploitation stopped.
But afterwards another problem appeared: the Captive Portal stops, and its logs show that the issue concerns lighttpd.
The logs are like this:
lighttpd[26290]: (mod_fastcgi.c.3370) got a FDEVENT_OUT and didn't know why: 5
kernel: pid 26290 (lighttpd), uid 0: exited on signal 6 (core dumped)
More information about our environment follows:
- OS: FreeBSD 8.3-RELEASE-p11 (a VM on VMware ESXi 5)
- Lighttpd Version: 1.4.32
- Can we reproduce the error? No, unfortunately
- Lighttpd configuration:
################################################################################################
server.event-handler = "freebsd-kqueue"
server.network-backend = "writev"
#server.use-ipv6 = "enable"
server.modules = ( "mod_access", "mod_expire", "mod_compress", "mod_redirect", ,"mod_rewrite","mod_evasive", "mod_fastcgi" )
server.max-keep-alive-requests = 15
server.max-keep-alive-idle = 30
server.document-root = "/usr/local/captiveportal"
url.rewrite-once = (
  "(.*captiveportal.*)" => "$1",
  "(.*)" => "/index.php?zone=eniac&redirurl=$1"
)
server.max-write-idle = 999
server.indexfiles = ( "index.php", "index.html", "index.htm", "default.htm" )
mimetype.assign = (
  ".pdf" => "application/pdf",
  ".sig" => "application/pgp-signature",
  ".spl" => "application/futuresplash",
  ".class" => "application/octet-stream",
  ".ps" => "application/postscript",
  ".torrent" => "application/x-bittorrent",
  ".dvi" => "application/x-dvi",
  ".gz" => "application/x-gzip",
  ".pac" => "application/x-ns-proxy-autoconfig",
  ".swf" => "application/x-shockwave-flash",
  ".tar.gz" => "application/x-tgz",
  ".tgz" => "application/x-tgz",
  ".tar" => "application/x-tar",
  ".zip" => "application/zip",
  ".mp3" => "audio/mpeg",
  ".m3u" => "audio/x-mpegurl",
  ".wma" => "audio/x-ms-wma",
  ".wax" => "audio/x-ms-wax",
  ".ogg" => "audio/x-wav",
  ".wav" => "audio/x-wav",
  ".gif" => "image/gif",
  ".jpg" => "image/jpeg",
  ".jpeg" => "image/jpeg",
  ".png" => "image/png",
  ".xbm" => "image/x-xbitmap",
  ".xpm" => "image/x-xpixmap",
  ".xwd" => "image/x-xwindowdump",
  ".css" => "text/css",
  ".html" => "text/html",
  ".htm" => "text/html",
  ".js" => "text/javascript",
  ".asc" => "text/plain",
  ".c" => "text/plain",
  ".conf" => "text/plain",
  ".text" => "text/plain",
  ".txt" => "text/plain",
  ".dtd" => "text/xml",
  ".xml" => "text/xml",
  ".mpeg" => "video/mpeg",
  ".mpg" => "video/mpeg",
  ".mov" => "video/quicktime",
  ".qt" => "video/quicktime",
  ".avi" => "video/x-msvideo",
  ".asf" => "video/x-ms-asf",
  ".asx" => "video/x-ms-asf",
  ".wmv" => "video/x-ms-wmv",
  ".bz2" => "application/x-bzip",
  ".tbz" => "application/x-bzip-compressed-tar",
  ".tar.bz2" => "application/x-bzip-compressed-tar"
)
#mimetypes.use-xattr = "enable"
url.access-deny = ( "~", ".inc" )
server.bind = "0.0.0.0"
server.port = 8001
$SERVER["socket"] == "0.0.0.0:8001" { }
$SERVER["socket"] == "[::]:8001" {
  ssl.engine = "enable"
  ssl.pemfile = "/var/etc/cert-eniac-portal.pem"
  ssl.ca-file = "/var/etc/ca-eniac-portal.pem"
}
#server.error-handler-404 = "/error-handler.html"
#server.error-handler-404 = "/error-handler.php"
server.pid-file = "/var/run/lighty-eniac-CaptivePortal-SSL.pid"
server.dir-listing = "disable"
debug.log-request-header = "disable"
debug.log-response-header = "disable"
debug.log-request-handling = "disable"
debug.log-file-not-found = "disable"
compress.cache-dir = "/tmp/lighttpdcompress/"
compress.filetype = ("text/plain","text/css", "text/xml", "text/javascript" )
server.upload-dirs = ( "/tmp/captiveportal/" )
server.max-request-size = 384
fastcgi.server = ( ".php" =>
  ( "localhost" =>
    (
      "socket" => "/tmp/php-fastcgi-eniac.socket",
      "max-procs" => 6,
      "bin-environment" => (
        "PHP_FCGI_CHILDREN" => "3",
        "PHP_FCGI_MAX_REQUESTS" => "500"
      ),
      "bin-path" => "/usr/local/bin/php"
    )
  )
)
evasive.max-conns-per-ip = 16
expire.url = ( "" => "access 50 hours", )
ssl.engine = "enable"
ssl.pemfile = "/var/etc/cert-eniac-portal.pem"
ssl.use-sslv2 = "disable"
ssl.cipher-list = "DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!3DES:@STRENGTH"
ssl.ca-file = "/var/etc/ca-eniac-portal.pem"
################################################################################################
Is there something we can do about it?
Can you, please, help us?
Thanks in advance.
Cezar dos Santos
Replies (4)
RE: Lighttpd Crash - Added by stbuehler over 11 years ago
The first log message means that there is something wrong with the (internal) event handling (could also be triggered by buggy/unexpected kernel behaviour).
The second message means that lighttpd was terminated due to a SIGABRT, which usually is triggered by failed assert()s; without knowing which assert() failed it is pretty hard to solve it.
But you should start by not running lighttpd as root; use the server.username option.
RE: Lighttpd Crash - Added by InfraPrime_User over 11 years ago
Thank you for your feedback, Mr. Stbuehler!
By the way, do you know how I can get such 'assert()'? Is such information in some log or coredump file?
Thanks in advance!
RE: Lighttpd Crash - Added by stbuehler over 11 years ago
I would have hoped that such assert() prints out a message before killing itself with SIGABRT. But it probably ends on stderr (instead of the log file); you could configure server.breakagelog which lighttpd should open as stderr, or run lighttpd in foreground (no daemonize).
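Added example, not part of the original thread: a lighttpd configuration fragment that applies the two suggestions from the replies above (server.username and server.breakagelog) to the posted setup. The account name, group name and breakage log path are assumptions, not values from the thread.

```conf
# Added example. Values marked "assumed" do not come from the thread.

# As posted, the configuration sets no server.username, which matches the
# kernel line "pid 26290 (lighttpd), uid 0": the daemon runs as root.

# Suggestion 1: run as an unprivileged account. lighttpd must still be
# started as root and switches to this user and group during start-up.
server.username  = "www"    # assumed account name
server.groupname = "www"    # assumed group name

# Suggestion 2: file that lighttpd opens as its stderr, so output that does
# not go through the normal error log (such as the message of a failed
# assert() before SIGABRT) is kept instead of being lost.
server.breakagelog = "/var/log/lighttpd-breakage.log"   # assumed path

# Run-time paths from the posted configuration. Check that the unprivileged
# account can use them once the daemon no longer runs as root:
#   compress.cache-dir = "/tmp/lighttpdcompress/"
#   server.upload-dirs = ( "/tmp/captiveportal/" )
#   fastcgi socket     = "/tmp/php-fastcgi-eniac.socket"
# The same applies to the breakage log file above.

# Alternative to the breakage log while debugging: start lighttpd in the
# foreground so stderr stays on the terminal:
#   lighttpd -D -f <path to this configuration file>
```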
RE: Lighttpd Crash - Added by InfraPrime_User over 11 years ago
Again, thank you very much for your attention and information!
We will configure such parameter ('server.breakagelog') and wait for the outcomes.
My best regards!