Version: 3.14.x.x LTS

Troubleshooting

This chapter describes some known issues and how to solve them.

RedHat 7.2 issue

The following error may occur if you leave the shell where you start nevisproxy: "Invalid argument: apr_proc_mutex_lock failed. Attempting to shutdown process gracefully." This is due to a bug in RedHat 7.2. RedHat proposes the following workaround:

  • Edit /etc/systemd/logind.conf to add:
      RemoveIPC=no
  • Restart the application (nevisproxy) so that the changes take effect.

The following workaround works as well:

  • Use the option '-t' if you log in with ssh on the host where you start nevisproxy.

Performance optimization notice

  • To keep regular expression matching fast, remove irrelevant wildcard patterns with ".". For example, instead of ".someValue.**", you can directly use "someValue*".
  • Enable "keep-alive" between the proxy and the application.

Authentication with a client certificate and OpenSSL 1.1.1

As of release 3.14.3.0, authentication with a client certificate may no longer work as expected. This is due to the upgrade of nevisProxy to OpenSSL version 1.1.1. The problems may occur if you have set the parameter ClientCert of the IdentityCreationFilter to "optional" or "optional_no_ca".

There are two possible workarounds to fix this problem:

Via the IdentityCreationFilter

If you want to fix this problem via the IdentityCreationFilter, set the filter parameter StoreClientCert to "true".

This fix works without any performance loss, but it is less secure: a user with a smart card is not logged out automatically when removing the smart card from the slot. To avoid this, use the crypto API of the browsers to notify the application of card removal events, and make the application act accordingly.

Via the ApacheConfigFilter

If you want to fix this problem via the ApacheConfigFilter, configure the filter as follows:

 <filter>
   <filter-name>ClientCertApacheConfigFilter</filter-name>
   <filter-class>ch::nevis::navajo::apglue::httpd_${HTTPD_LIB_VERSION}_x::servlet::ApacheConfigFilter</filter-class>
   <filter-lib>/opt/nevisproxy/webapp/WEB-INF/lib/libApache${HTTPD_LIB_VERSION}_Servlet.so.1</filter-lib>
   <init-param>
     <param-name>LocationConfig</param-name>
     <param-value>
       SSLVerifyClient optional_no_ca
       SSLVerifyDepth 2
     </param-value>
   </init-param>
 </filter>

Pay attention to the following points:

  • Set the value of the parameter SSLVerifyClient to "optional" if the parameter ClientCert of the IdentityCreationFilter is also set to "optional" (<SSLVerifyClient> field).
  • Give the parameter SSLVerifyDepth the same value as the parameter ClientCert of the IdentityCreationFilter (<SSLVerifyDepth> field).
  • Map the filter to the same URL as the one set in the IdentityCreationFilter.

This is the most secure workaround, but it can slow down performance, especially if you use a smart card. To optimize performance, increase the value of the attribute MaxKeepAliveRequests and/or KeepAliveTimeout in the navajo.xml configuration file.

Depending on the smart card used, the user may be forced to enter their password after the keep-alive timeout expires.
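
The first and third points listed above for the ApacheConfigFilter workaround (matching SSLVerifyClient to ClientCert, and mapping both filters to the same URL) can be checked mechanically. The following Python script is an added example, not part of nevisProxy or its documentation; it assumes both filters and their filter-mapping/url-pattern elements sit in one XML file, and the filter name "Icf", the URL patterns and the sample file are constructed. It applies the same equality rule to "optional_no_ca", which goes beyond the single "optional" case stated above.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment. Filter name "Icf" and both URL patterns are assumptions.
SAMPLE = """<web-app>
<filter><filter-name>Icf</filter-name>
  <init-param><param-name>ClientCert</param-name><param-value>optional</param-value></init-param></filter>
<filter><filter-name>ClientCertApacheConfigFilter</filter-name>
  <init-param><param-name>LocationConfig</param-name><param-value>
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 2
  </param-value></init-param></filter>
<filter-mapping><filter-name>Icf</filter-name><url-pattern>/app/*</url-pattern></filter-mapping>
<filter-mapping><filter-name>ClientCertApacheConfigFilter</filter-name><url-pattern>/login/*</url-pattern></filter-mapping>
</web-app>"""

def _text(node, tag):
    return (node.findtext(tag) or "").strip()

def _params(root, name):
    """init-params of the <filter> named `name` as a dict."""
    for f in root.iter("filter"):
        if _text(f, "filter-name") == name:
            return {_text(p, "param-name"): _text(p, "param-value") for p in f.iter("init-param")}
    raise KeyError(f"no <filter> named {name!r}")

def _urls(root, name):
    return {_text(m, "url-pattern") for m in root.iter("filter-mapping") if _text(m, "filter-name") == name}

def _directive(location_config, key):  # Apache directive names are case-insensitive
    for line in location_config.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == key.lower():
            return parts[1]
    return None

def check_client_cert_config(xml_text, icf_name, acf_name):
    """Return a list of findings; an empty list means both checks pass."""
    root = ET.fromstring(xml_text)
    client_cert = _params(root, icf_name).get("ClientCert")
    verify = _directive(_params(root, acf_name).get("LocationConfig", ""), "SSLVerifyClient")
    findings = []
    if client_cert in ("optional", "optional_no_ca") and verify != client_cert:
        findings.append(f"SSLVerifyClient is {verify!r} but ClientCert is {client_cert!r}")
    if _urls(root, icf_name) != _urls(root, acf_name):
        findings.append(f"{acf_name} and {icf_name} are mapped to different URLs")
    return findings

if __name__ == "__main__":
    print(check_client_cert_config(SAMPLE, "Icf", "ClientCertApacheConfigFilter"))
```

On the constructed sample the script reports both a value mismatch and a mapping mismatch; a file in which the two filters agree returns an empty list.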

Lost POST request body in LuaFilter in case of chunked transfer-encoding

The LuaFilter sometimes omits the body of a chunked POST request. This may happen if the LuaFilter comes before the IdentityCreationFilter in the filter chain.

To solve this problem, add the modifier flag RESET_BUFFERED_BODY to the configuration of the respective LuaFilter:

 <init-param>
   <param-name>ModifierFlags</param-name>
   <param-value>+RESET_BUFFERED_BODY</param-value>
 </init-param>