Nginx Error - Module 'resty.string' not found #54

Closed
pixel1138 opened this issue Mar 3, 2024 · 5 comments · Fixed by #55

@pixel1138

What happened?

After installing using apt install crowdsec-nginx-bouncer, nginx will not start due to this error:

2024/03/02 19:19:32 [error] 31516#31516: init_by_lua error: /usr/local/share/lua/5.1/resty/http_connect.lua:8: module 'resty.string' not found:
	no field package.preload['resty.string']
	no file '/usr/lib/crowdsec/lua/resty/string.lua'
	no file '/usr/share/lua/5.1/resty/string.lua'
	no file './resty/string.lua'
	no file '/usr/share/luajit-2.1.0-beta3/resty/string.lua'
	no file '/usr/local/share/lua/5.1/resty/string.lua'
	no file '/usr/local/share/lua/5.1/resty/string/init.lua'
	no file '/usr/share/lua/5.1/resty/string.lua'
	no file '/usr/share/lua/5.1/resty/string/init.lua'
	no file './resty/string.lua'
	no file './resty/string.so'
	no file '/usr/local/lib/lua/5.1/resty/string.so'
	no file '/usr/lib/x86_64-linux-gnu/lua/5.1/resty/string.so'
	no file '/usr/local/lib/lua/5.1/loadall.so'
	no file './resty.so'
	no file '/usr/local/lib/lua/5.1/resty.so'
	no file '/usr/lib/x86_64-linux-gnu/lua/5.1/resty.so'
	no file '/usr/local/lib/lua/5.1/loadall.so'
stack traceback:
	[C]: in function 'require'
	/usr/local/share/lua/5.1/resty/http_connect.lua:8: in main chunk
	[C]: in function 'require'
	/usr/local/share/lua/5.1/resty/http.lua:166: in main chunk
	[C]: in function 'require'
	/usr/lib/crowdsec/lua/crowdsec.lua:5: in main chunk
	[C]: in function 'require'
	init_by_lua(conf.d/crowdsec_nginx.conf:4):2: in main chunk

What did you expect to happen?

Nginx to start successfully and the bouncer to function.

How can we reproduce it (as minimally and precisely as possible)?

apt install crowdsec-nginx-bouncer on Debian 12

Anything else we need to know?

nginx/stable,now 1.22.1-9 amd64 [installed,automatic]

Crowdsec version

2024/03/02 19:37:30 version: v1.6.0-debian-pragmatic-amd64-4b8e6cd7
2024/03/02 19:37:30 Codename: alphaga
2024/03/02 19:37:30 BuildDate: 2024-01-24_11:01:12
2024/03/02 19:37:30 GoVersion: 1.21.3
2024/03/02 19:37:30 Platform: linux
2024/03/02 19:37:30 libre2: C++
2024/03/02 19:37:30 Constraint_parser: >= 1.0, <= 3.0
2024/03/02 19:37:30 Constraint_scenario: >= 1.0, <= 3.0
2024/03/02 19:37:30 Constraint_api: v1
2024/03/02 19:37:30 Constraint_acquis: >= 1.0, < 2.0

OS version

PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Linux meet 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux

Enabled collections and parsers

name,status,version,description,type
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.2,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/nginx-logs,enabled,1.5,Parse nginx access and error logs,parsers
crowdsecurity/sshd-logs,enabled,2.3,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.5,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.2,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.2,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.2,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.3,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.2,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.3,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.5,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.1,Detect usage of bad User Agent,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.2,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.2,cve-2021-42013,scenarios
crowdsecurity/http-generic-bf,enabled,0.6,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.3,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.3,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.3,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.3,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-xss-probing,enabled,0.3,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.2,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/netgear_rce,enabled,0.3,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.3,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.3,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.4,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.2,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.2,detect w00tw00t,scenarios
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/http_base,enabled,0.2,,contexts
crowdsecurity/base-http-scenarios,enabled,0.8,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,2.6,Detect CVE exploitation in http logs,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
crowdsecurity/sshd,enabled,0.3,sshd support : parser and brute-force detection,collections

Acquisition config

#Generated acquisition file - wizard.sh (service: nginx) / files : /var/log/nginx/error.log /var/log/nginx/access.log
filenames:
  - /var/log/nginx/error.log
  - /var/log/nginx/access.log
labels:
  type: nginx
---
#Generated acquisition file - wizard.sh (service: ssh) / files : /var/log/auth.log
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog /var/log/kern.log
filenames:
  - /var/log/syslog
  - /var/log/kern.log
labels:
  type: syslog
---

Config show

Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
  - Acquisition Folder      : /etc/crowdsec/acquis.d
cscli:
  - Output                  : human
  - Hub Branch              :
API Client:
  - URL                     : http://10.33.0.2:8080/
  - Login                   : <redacted>
  - Credentials File        : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL              : 127.0.0.1:8080
  - Profile File            : /etc/crowdsec/profiles.yaml

  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000

Prometheus metrics

Acquisition Metrics:
╭───────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│            Source             │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├───────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ file:/var/log/auth.log        │ 236        │ 133          │ 103            │ 395                    │
│ file:/var/log/kern.log        │ 307        │ -            │ 307            │ -                      │
│ file:/var/log/nginx/error.log │ 56         │ -            │ 56             │ -                      │
│ file:/var/log/syslog          │ 2.64k      │ -            │ 2.64k          │ -                      │
╰───────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Bucket Metrics:
╭─────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────╮
│               Bucket                │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├─────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ crowdsecurity/ssh-bf                │ -             │ -         │ 74           │ 132    │ 74      │
│ crowdsecurity/ssh-bf_user-enum      │ -             │ -         │ 74           │ 74     │ 74      │
│ crowdsecurity/ssh-slow-bf           │ 3             │ 1         │ 6            │ 132    │ 2       │
│ crowdsecurity/ssh-slow-bf_user-enum │ 3             │ -         │ 11           │ 57     │ 8       │
╰─────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯

Parser Metrics:
╭─────────────────────────────────┬───────┬────────┬──────────╮
│             Parsers             │ Hits  │ Parsed │ Unparsed │
├─────────────────────────────────┼───────┼────────┼──────────┤
│ child-crowdsecurity/nginx-logs  │ 336   │ -      │ 336      │
│ child-crowdsecurity/sshd-logs   │ 1.39k │ 133    │ 1.26k    │
│ child-crowdsecurity/syslog-logs │ 3.18k │ 3.18k  │ -        │
│ crowdsecurity/dateparse-enrich  │ 133   │ 133    │ -        │
│ crowdsecurity/geoip-enrich      │ 133   │ 133    │ -        │
│ crowdsecurity/nginx-logs        │ 112   │ -      │ 112      │
│ crowdsecurity/non-syslog        │ 56    │ 56     │ -        │
│ crowdsecurity/sshd-logs         │ 212   │ 133    │ 79       │
│ crowdsecurity/syslog-logs       │ 3.18k │ 3.18k  │ -        │
│ crowdsecurity/whitelists        │ 133   │ 133    │ -        │
╰─────────────────────────────────┴───────┴────────┴──────────╯

Local API Decisions:
╭───────────────────────────┬──────────┬────────┬───────╮
│          Reason           │  Origin  │ Action │ Count │
├───────────────────────────┼──────────┼────────┼───────┤
│ crowdsecurity/ssh-slow-bf │ crowdsec │ ban    │ 1     │
╰───────────────────────────┴──────────┴────────┴───────╯

Local API Alerts:
╭───────────────────────────┬───────╮
│          Reason           │ Count │
├───────────────────────────┼───────┤
│ crowdsecurity/ssh-slow-bf │ 1     │
╰───────────────────────────┴───────╯

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.


The local parsers and bouncers are communicating with a remote security engine (LAPI).

@blotus
Member

blotus commented Mar 3, 2024

Hello,

The issue is because we do not specify a specific version for our lua dependencies, and it looks like lua-resty-http got updated 2 days ago, and now requires lua-resty-string.

I've opened a PR to use the previous version while we check how to update to the latest version.

In the meantime, you should be able to fix your installation by running luarocks install lua-resty-http 0.17.1-0 and restarting nginx.
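
The root cause described in the comment above is an install step that fetches lua-resty-http without a version. As an added example (not part of the thread or the project's own code), this shell function scans an install script for `luarocks install` commands that have no version argument; the sample script and the rock name `example-rock` are constructed, and options are assumed to be written as `--opt` or `--opt=value`.

```shell
#!/bin/sh
# Added example: list `luarocks install` commands that do not pin a version.
# Assumption: options are written as --opt or --opt=value (no separate value).

# Reads a shell script on stdin; prints "LINE:ROCK" for each unpinned install.
find_unpinned_rocks() {
    awk '{
        line = $0
        sub(/#.*/, "", line)                     # drop comments
        n = split(line, cmds, /&&|;|[|][|]/)     # several commands per line
        for (c = 1; c <= n; c++) {
            m = split(cmds[c], tok, /[ \t]+/)
            seen = 0; rock = ""; version = ""
            for (i = 1; i <= m; i++) {
                if (tok[i] == "" || tok[i] ~ /^-/) continue   # blanks, options
                if (seen == 0) {                 # look for the luarocks binary
                    base = tok[i]; sub(/.*\//, "", base)
                    if (base == "luarocks") seen = 1
                } else if (seen == 1) {          # subcommand must be "install"
                    seen = (tok[i] == "install") ? 2 : 0
                } else if (rock == "") {
                    rock = tok[i]                # first positional: rock name
                } else if (version == "") {
                    version = tok[i]             # second positional: version
                }
            }
            if (seen == 2 && rock != "" && version == "") print NR ":" rock
        }
    }'
}

# Constructed sample input; "example-rock" is a hypothetical rock name.
sample_script() {
    cat <<'EOF'
#!/bin/sh
luarocks install lua-resty-http
luarocks install lua-resty-http 0.17.1-0
sudo luarocks --tree=/usr/local install example-rock && luarocks install lua-resty-string
luarocks list
EOF
}

sample_script | find_unpinned_rocks
```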

@pixel1138
Author

@blotus Thank you for the quick response! Yes, that worked, I appreciate it!

Do you want me to close this?

@blotus
Member

blotus commented Mar 3, 2024

It will close automatically once I merge the PR.

@pixel1138
Author

Understood. Thank you again!

@Be-Mann

Be-Mann commented Jun 5, 2024

The same problem exists with https://github.com/linuxserver/docker-mods/tree/swag-crowdsec; the operating system of the Docker SWAG is Alpine Linux 3.20.
