
NOTE: WAF Changes will cause Apache to restart

I just learned that changes to WAF will cause Apache to restart, which is likely to cause users to experience a broken pipe error.   Therefore, we should be cautious about making changes during periods of peak usage.

When this occurs, you will see entries like this in the log file

Restarting gracefully

2018:05:05-11:07:34 defense httpd[25978]: [Sat May 05 11:07:34.590905 2018] [core:warn] [pid 25980] AH00111: Config variable ${URLHardening_HTTP_Hostname} is not defined

2018:05:05-11:07:34 defense httpd[25978]: AH00112: Warning: DocumentRoot [/var/www/REF_<someting>] does not exist

The DocumentRoot warning seems to appear at least once for each WAF site.   

The config variable error will also repeat multiple times, but I don't have a grasp on what parameter determines the number of entries to expect.

I have been blithely making WAF changes assuming that they would be transparent to any active users, as long as a specific site was not enabled or disabled.   Now I know better.

 



  • In which scenario did you see a broken pipe error on the client?

    WAF restarts after configuration changes on UTM are "graceful". Running connections are not terminated immediately, they are allowed to finish. So there shouldn't be any impact on clients.

    (Note that this is different on XG. Here running connections are in fact terminated immediately after applying a configuration change.)

    The log messages you posted are annoying but don't have any operational impact.

  • Interesting.

    My first question with support was about those log entries. First technician gave the standard response, "just let me poke around in your system for a while." Never worked out timing for a web session.

    Second technician conferred with someone else before reporting what you said, that they could be ignored.

    So then the question was, "Why no restarts on some days and multiple restarts at random times on other days?" That led to the insight that my changes caused them.

    The Sophos technician said I might see broken pipes.  It seems odd that it could restart without losing track of active sessions.

    Thanks for a definitive answer.

  • The "broken pipes" the technician was referring to are probably messages like this in reverseproxy.log:

    [...] (32)Broken pipe: [client 10.10.10.10:40410] AH00646: Error writing to |/bin/logger -p local1.info -t httpd

    But that's nothing client-related, it's purely internal. It's a consequence of the graceful restart I mentioned. WAF keeps worker threads around to allow the clients to finish any running requests. But the logger processes are already restarted. So the old, still running worker processes lose the connection to the logger. And that's the broken pipe.

    Too technical? Just don't worry about it. Your clients will be fine.
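
Added example, not part of the thread and not Sophos code: a small log triage script that groups the three messages quoted above (AH00111, AH00112, AH00646) under the graceful restart that precedes them, so restart times can be lined up against WAF configuration changes. The sample lines are constructed; the timestamp prefix on the "Restarting gracefully" and broken-pipe lines and the 120-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Message IDs quoted in the thread as side effects of a graceful restart.
NOISE = ("AH00111", "AH00112", "AH00646")
TS = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) ")
AH = re.compile(r"\b(AH\d{5}):")

# Constructed sample lines (PIDs, times and the REF_ placeholder are made up).
SAMPLE = [
    "2018:05:05-11:07:34 defense httpd[25978]: Restarting gracefully",
    "2018:05:05-11:07:34 defense httpd[25978]: [Sat May 05 11:07:34.590905 2018] [core:warn] [pid 25980] AH00111: Config variable ${URLHardening_HTTP_Hostname} is not defined",
    "2018:05:05-11:07:34 defense httpd[25978]: AH00112: Warning: DocumentRoot [/var/www/REF_<placeholder>] does not exist",
    "2018:05:05-11:07:41 defense httpd[25811]: (32)Broken pipe: [client 10.10.10.10:40410] AH00646: Error writing to |/bin/logger -p local1.info -t httpd",
    "2018:05:05-15:30:02 defense httpd[25980]: (32)Broken pipe: [client 10.10.10.10:40522] AH00646: Error writing to |/bin/logger -p local1.info -t httpd",
]

def summarize_restarts(lines, window=timedelta(seconds=120)):
    """Attach restart noise to the graceful restart that precedes it.

    Returns (restarts, stray). Each restart is a dict with its time and a
    per-message-ID count. stray holds noise lines with no restart within
    `window` before them, i.e. lines a restart does not account for.
    """
    restarts, stray = [], []
    for line in lines:
        m = TS.match(line)
        if not m:
            continue  # lines without a timestamp cannot be correlated
        when = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
        if "Restarting gracefully" in line:
            restarts.append({"time": when, "counts": dict.fromkeys(NOISE, 0)})
            continue
        code = AH.search(line)
        if not code or code.group(1) not in NOISE:
            continue  # not one of the messages discussed in the thread
        if restarts and when - restarts[-1]["time"] <= window:
            restarts[-1]["counts"][code.group(1)] += 1
        else:
            stray.append(line)
    return restarts, stray

if __name__ == "__main__":
    found, leftover = summarize_restarts(SAMPLE)
    for r in found:
        print(r["time"].isoformat(), r["counts"])
    print("not explained by a restart:", len(leftover))
```

Comparing the restart times it reports with the times of WAF configuration changes shows which changes triggered a restart.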