Imperva Cyber Community

Hi Guys!

We have an on-premises WAF (HA) deployed in KRP mode in our enviroment. On of our web applications use quite long (~10 mins) HTTP POSTs for some operations. 

Here is the connection layout:

Client -> Imperva WAF -> HAProxy LB -> Web Server

Problem is the request terminates around 5 minutes each and every time. HAProxy clearly states, that the client (in this case the WAF) unexpecdetly terminates the connection.

In case the traffic goes through HAProxy directly (avoiding the WAF) the request completes without any errors.

I went through alterts and violatoins multiple times but didn't find any cause for this, nothing blocked. In fact it happens as well when the Server Group runs in simulation mode.

Is there a default timeout for HTTP (or TCP?) sessions in Imperva WAF, what could be the problem? If so, how can I change it? Where should I look for errors?

Every idea or opinion is welcome!

Thanks




#On-PremisesWAF(formerlySecuresphere)

------------------------------
Attila Pozsonyi
Hungarian State Treasury
Budapest
------------------------------

There is a configuration called "reverse_proxy_inactivity_timeout" that is placed in /opt/SecureSphere/etc/hades.cfg.template file.
The default is 300 seconds , not sure its the same issue here as the connection should be closed only on inactivity (if its long upload than it shoudl not disconnect)
In any case a GW restart is required in order for the configuration to take place.
Other possibility that the connection is blocked by the LDR rule (inside of the http1 protocol policy)

------------------------------
Michael Sorin
------------------------------

Original Message:
Sent: 01-10-2021 08:49
From: Attila Pozsonyi
Subject: KRP HTTP timeout?

Hi Guys!

We have an on-premises WAF (HA) deployed in KRP mode in our enviroment. On of our web applications use quite long (~10 mins) HTTP POSTs for some operations. 

Here is the connection layout:

Client -> Imperva WAF -> HAProxy LB -> Web Server

Problem is the request terminates around 5 minutes each and every time. HAProxy clearly states, that the client (in this case the WAF) unexpecdetly terminates the connection.

In case the traffic goes through HAProxy directly (avoiding the WAF) the request completes without any errors.

I went through alterts and violatoins multiple times but didn't find any cause for this, nothing blocked. In fact it happens as well when the Server Group runs in simulation mode.

Is there a default timeout for HTTP (or TCP?) sessions in Imperva WAF, what could be the problem? If so, how can I change it? Where should I look for errors?

Every idea or opinion is welcome!

Thanks




#On-PremisesWAF(formerlySecuresphere)

------------------------------
Attila Pozsonyi
Hungarian State Treasury
Budapest
------------------------------

Hi Michiael!

Thank you for the tip, changeing the reverse_proxy_inactivity_timeout setting helped!

Context:

The long POST mentioned above is not an upload, it's used to post parameters for a (quite lage) report, generated on the server side. So basically the connection sits "idle" until the report is generated and once it's ready, it provides a download link to the client. Since the report generation took 6-8 minutes to complete, the WAF terminated the connection.

Another question. The "Connection Timeout" setting which is found in the GUI, under Service / Operation / Advanced HTTP Settings has nothing to do with idleness, it terminates the connection after the configured time, even if there is active data flowing in the connection, right?

Thank you very much, your answare was extremly helpful!



------------------------------
Attila Pozsonyi
Hungarian State Treasury
Budapest
------------------------------

Original Message:
Sent: 01-12-2021 07:16
From: Michael Sorin
Subject: KRP HTTP timeout?

There is a configuration called "reverse_proxy_inactivity_timeout" that is placed in /opt/SecureSphere/etc/hades.cfg.template file.
The default is 300 seconds , not sure its the same issue here as the connection should be closed only on inactivity (if its long upload than it shoudl not disconnect)
In any case a GW restart is required in order for the configuration to take place.
Other possibility that the connection is blocked by the LDR rule (inside of the http1 protocol policy)

------------------------------
Michael Sorin

Original Message:
Sent: 01-10-2021 08:49
From: Attila Pozsonyi
Subject: KRP HTTP timeout?

Hi Guys!

We have an on-premises WAF (HA) deployed in KRP mode in our enviroment. On of our web applications use quite long (~10 mins) HTTP POSTs for some operations. 

Here is the connection layout:

Client -> Imperva WAF -> HAProxy LB -> Web Server

Problem is the request terminates around 5 minutes each and every time. HAProxy clearly states, that the client (in this case the WAF) unexpecdetly terminates the connection.

In case the traffic goes through HAProxy directly (avoiding the WAF) the request completes without any errors.

I went through alterts and violatoins multiple times but didn't find any cause for this, nothing blocked. In fact it happens as well when the Server Group runs in simulation mode.

Is there a default timeout for HTTP (or TCP?) sessions in Imperva WAF, what could be the problem? If so, how can I change it? Where should I look for errors?

Every idea or opinion is welcome!

Thanks




#On-PremisesWAF(formerlySecuresphere)

------------------------------
Attila Pozsonyi
Hungarian State Treasury
Budapest
------------------------------