Checklist
Describe the bug
Intermittent and reproducible instability in open-appsec (NGINX attachment + nano service) where requests fail with:
Reached timeout during attempt to signal nano service
This occurs even under very low traffic (~5 RPS) and becomes more frequent under higher load.
The system does not appear CPU or memory constrained, suggesting an internal communication/IPC issue rather than resource exhaustion.
To Reproduce
Steps to reproduce the behavior:
- Deploy open-appsec with NGINX (cloud-managed mode)
- Place it behind HAProxy (reverse proxy → WAF → internal HAProxy/backend)
- Send traffic through WAF path
Observed behavior:
• Works fine initially or under very light manual traffic
• Under sustained or slightly increased traffic:
• intermittent request failures
• increasing nano service timeouts
• Same issue reproducible even with ~5 RPS on a low-traffic site
Expected behavior
• Stable request processing through NGINX attachment
• No timeouts communicating with nano service
• WAF should handle low traffic without degradation
• Fail-open should not result in backend instability or connection failures
Screenshots or Logs
ngx_http_cp_wait_for_service: Reached timeout during attempt to signal nano service
Environment (please complete the following information):
- open-appsec version: 1.1.33-open-source
- Deployment type (Docker, Kubernetes, etc.): Linux
- OS: Ubuntu 24.04 LTS
Additional context
• Issue does not appear to be load-related, since it reproduces at very low traffic
• Behavior suggests instability in:
• NGINX attachment ↔ nano service communication
When the open-appsec NGINX attachment module is disabled (module removed from nginx.conf), traffic flows normally without any timeouts or instability.
Same configuration:
Client → HAProxy → NGINX (without open-appsec) → backend
Results:
- No timeouts
- No upstream errors
- Stable behavior even under higher load
Re-enabling open-appsec reintroduces:
- nano service timeouts
- intermittent request failures
Checklist
Describe the bug
Intermittent and reproducible instability in open-appsec (NGINX attachment + nano service) where requests fail with:
Reached timeout during attempt to signal nano serviceThis occurs even under very low traffic (~5 RPS) and becomes more frequent under higher load.
The system does not appear CPU or memory constrained, suggesting an internal communication/IPC issue rather than resource exhaustion.
To Reproduce
Steps to reproduce the behavior:
Observed behavior:
• Works fine initially or under very light manual traffic
• Under sustained or slightly increased traffic:
• intermittent request failures
• increasing nano service timeouts
• Same issue reproducible even with ~5 RPS on a low-traffic site
Expected behavior
• Stable request processing through NGINX attachment
• No timeouts communicating with nano service
• WAF should handle low traffic without degradation
• Fail-open should not result in backend instability or connection failures
Screenshots or Logs
ngx_http_cp_wait_for_service: Reached timeout during attempt to signal nano serviceEnvironment (please complete the following information):
Additional context
• Issue does not appear to be load-related, since it reproduces at very low traffic
• Behavior suggests instability in:
• NGINX attachment ↔ nano service communication
When the open-appsec NGINX attachment module is disabled (module removed from nginx.conf), traffic flows normally without any timeouts or instability.
Same configuration:
Client → HAProxy → NGINX (without open-appsec) → backend
Results:
Re-enabling open-appsec reintroduces: