CLOSE_WAIT not released

Question

CLOSE_WAIT not released

mrbaiwei opened this issue a year ago · comments

After enabling the naxsi module, in certain cases, the communication IP remains in CLOSE_WAIT state without being released. This issue occurs in the new version of nginx, and it is suspected to be a compatibility problem.

netstat -tunp|grep nginx|grep CLOSE_WAIT|wc -l
40108

Giovanni · Answer 1 · Mon Jun 19 2023 12:11:08 GMT+0800 (China Standard Time)

interesting. how i can reproduce this?

mrbaiwei · Answer 2 · Mon Jun 19 2023 13:45:41 GMT+0800 (China Standard Time)

I found the reason for the problem, and the reason is the matching order of the 403 error page.

    location ~* ^/(.*)\.html$) {
        proxy_pass http://127.0.0.1:80;
    }

    location /RequestDenied {
        return 403;
    }
    error_page 403 /x403.html;

    location ~ ^/x403.html$ {
        root /etc/nginx/error;
    }

solve with the following configuration

    location ~ ^/x403.html$ {
        root /etc/nginx/error;
    }

    location ~* ^/(.*)\.html$) {
        proxy_pass http://127.0.0.1:80;
    }

    location /RequestDenied {
        return 403;
    }
    error_page 403 /x403.html;

Giovanni · Answer 3 · Mon Jun 19 2023 13:47:44 GMT+0800 (China Standard Time)

interesting. so is not a naxsi issue per se, but a configuration issue with nginx.

Giovanni · Answer 4 · Mon Jun 19 2023 13:48:20 GMT+0800 (China Standard Time)

also i suggest to mark /RequestDenied as internal

mrbaiwei · Answer 5 · Mon Jun 19 2023 13:52:33 GMT+0800 (China Standard Time)

also i suggest to mark /RequestDenied as internal

Ok, thank you. This issue has troubled me for a long time, to the point where I have had to restart nginx regularly.

Giovanni · Answer 6 · Mon Jun 19 2023 16:19:45 GMT+0800 (China Standard Time)

sorry to hear that.