Imperva Cyber Community


Upstream timed out while reading response header from KRP

  • 1.  Upstream timed out while reading response header from KRP

    Posted 24 days ago
    Hello!

    I have an on-prem WAF in KRP mode. The deployment scheme looks like this: Client -> Nginx -> WAF -> Web Application.
    In some cases clients get a 504 status reply from the first nginx. The error.log contains the standard upstream timeout error. It looks as if the KRP port is closed and nginx cannot establish a connection to the WAF. But manual tests are OK: the port is up and replies with a 200 status.

    The WAF protects a complicated and highly loaded web application with many objects and parameters in the profile. Maybe there are some limits for TCP or HTTP connections that need to be raised? Or maybe there is something else I need to check?

    Note: I didn't see such behavior on v13.1 version v2500. The first case was after the update to 13.6 on v2500. I hoped that this problem would be resolved after migrating to x4510 v 13.6, but this didn't happen.
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Anton Kazantsev
    Head of Cybersecurity Department
    JSC Tochka
    Moscow
    ------------------------------


  • 2.  RE: Upstream timed out while reading response header from KRP

    Posted 24 days ago
    I did some research and found this:

    In the nginx config we use the keepalive directive in the upstream context. If we disable this directive, the 504 errors disappear. In my opinion, the WAF and nginx have different timeouts for keepalive connections, and nginx sends a request on a connection that has already been closed by the WAF because of a timeout.

    How can I synchronise timeouts between the WAF and nginx for keepalive connections? Maybe some parameters in hades.cfg?

    ------------------------------
    Anton Kazantsev
    Head of Cybersecurity Department
    JSC Tochka
    Moscow
    ------------------------------
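
An added example, not part of the thread and not Imperva's or the poster's configuration: one way to keep upstream keepalive enabled on the front nginx while making nginx, rather than the backend, the side that retires idle connections. The addresses, names and every timeout value are assumptions; in particular the WAF's idle timeout is not stated in the thread and is taken as 60s here.

```nginx
# Constructed example. WAF_IDLE = idle timeout the WAF applies to keepalive
# connections from nginx. The thread does not give it; 60s is assumed.

upstream waf_krp {
    server 192.0.2.10:8080;      # placeholder address of the KRP listener

    # Before: only "keepalive 32;" was set, so nginx kept idle upstream
    # connections for its default of 60s. If the backend closes them at or
    # before that point, nginx can pick a connection the backend has
    # already given up on.
    keepalive 32;                # idle connections cached per worker process

    # After: nginx closes idle upstream connections first.
    # Upstream-context directive, nginx >= 1.15.3. Keep it below WAF_IDLE.
    keepalive_timeout 30s;

    # Also recycle a connection after a fixed number of requests, so a
    # busy connection does not live indefinitely.
    keepalive_requests 1000;
}

server {
    listen 80;
    server_name app.example.test;        # placeholder

    location / {
        proxy_pass http://waf_krp;

        # Both lines are required for upstream keepalive to be used at all.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;

        # proxy_read_timeout is the timer behind the
        # "upstream timed out ... while reading response header" log line
        # and the resulting 504.
        proxy_connect_timeout 5s;
        proxy_read_timeout 60s;
    }
}
```

After a reload, the `$upstream_connect_time` and `$upstream_header_time` log variables show per request whether the delay is in connecting to the WAF or in waiting for its response header.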