Rigid Regex in /usr/sbin/gl-ngx-session causes infinite crash loop on GL-BE9300 (v5 Firmware)

heldvonwelt · December 31, 2025, 4:13pm

Description

On the GL-BE9300 (Flint 3) running Firmware v5 , the service eco (managed via /usr/sbin/gl-ngx-session) enters an infinite crash loop with the error daemon.err eco: get nginx port fail. This failure blocks the GL.iNet Mobile App from loading data, often resulting in "Password changed" or "Error 500" messages.

Root Cause

The Lua script /usr/sbin/gl-ngx-session uses a rigid regular expression to determine the Nginx port from /etc/nginx/conf.d/gl.conf. The specific code is: local port = conf:match('listen (%d+);')

If a user modifies the listen directive to bind Nginx to a specific IP—such as the LAN IP 192.168.31.1:80—the regex fails to capture the port number and returns nil. This lack of a valid return value causes the script to crash repeatedly.

The Necessity of IP-Binding (Use Case)

Binding the router's Nginx explicitly to the LAN IP (192.168.31.1) is a required configuration for users hosting their own Nginx Proxy Manager (NPM) or similar reverse proxies on internal servers (e.g., Unraid).

Default Behavior: By default, Nginx listens on all interfaces (0.0.0.0).

Conflict: When a user in the LAN tries to access their own public domain (e.g., assistances.de), the router's Nginx captures the packet on port 443/80 before the firewall can apply Port Forwarding rules.
Solution: Binding the router-Nginx to the LAN IP only keeps the WAN interface ports "free". This allows Hairpin-NAT (NAT Loopback) to function correctly, directing traffic to the internal proxy server (e.g., .228) instead of the router's own administration page.

Steps to Reproduce

Modify /etc/nginx/conf.d/gl.conf to use an IP-bound listener: listen 192.168.31.1:80; instead of the default listen 80;.
Restart Nginx and gl-ngx-session.
Observe logread -f | grep eco showing constant get nginx port fail errors.

Workaround Found

Inserting a commented-out standard listener line—e.g., # listen 80;—at the top of gl.conf allows the regex to find a match, stopping the crash loop while keeping the actual active IP-binding intact.

Requested Fix

Update the regex in /usr/sbin/gl-ngx-session to properly handle IP-bound addresses and optional spaces. A more robust matching pattern would be: conf:match('listen%s+[%d%.%:]*:(%d+);') This would allow the service to remain stable even when Nginx is configured for advanced routing and local server isolation.

will.qiu · January 4, 2026, 6:52am

Hi

Thank you for your feedback.
We have reported this to our development team for further investigation and a possible fix in a future release.