is_ngx_cp_attachment_disabled@ngx_http_cp_attachment_module.c:253 | Reconfiguring the local NGINX attachment state - repeatedly logged (NPMplus)

[sym0nd0]

Hi all,
I am running NPMplus, an enhanced fork of Nginx Proxy Manager that includes openappsec as a module. Functionally everything appears to be working as expected, however the logs are being continuously flooded with the following message:
is_ngx_cp_attachment_disabled@ngx_http_cp_attachment_module.c:253 [uid a82c4c3a0fee_4 | pid 846] | Reconfiguring the local NGINX attachment state

This line is logged repeatedly, anywhere from every few seconds to every few minutes. In some entries the PID and UID change, while in others they remain the same.

I previously discussed this briefly with the NPMplus developer in this thread:
ZoeyVid/NPMplus#2451

They suggested that I raise the issue here to help identify the cause and a possible resolution.

Below is a representative log excerpt:

|2025-12-30T15:17:32.669: reset_attachment_config@ngx_cp_utils.c:1043 [uid a82c4c3a0fee_2 | pid 840] <session id 11> | Resetting attachment configuration
|2025-12-30T15:17:32.670: init_general_config@ngx_cp_utils.c:1034 [uid a82c4c3a0fee_2 | pid 840] <session id 11> | Successfully loaded configuration. inspection mode: 0, debug level: 2, failure mode: fail-open, fail mode timeout: 50 msec, failure wait mode: fail-open, fail mode wait timeout: 150 msec, sessions per minute limit verdict: Accpet, max sessions per minute: 0, req max processing time: 3000 msec, res max processing time: 3000 msec, registration thread timeout: 100 msec, req header thread timeout: 100 msec, req body thread timeout: 150 msec, res header thread timeout: 100 msec, res body thread timeout: 150 msec, wait thread timeout: 150 msec, static resources path: /dev/shm/static_resources, num of nginx ipc elements: 200, keep alive interval msec: 150000 msecmin retries for verdict: 3max retries for verdict: 15num retries for hold verdict: 3polling time for hold verdict: 1body size trigger for request: 200000
|2025-12-30T15:17:39.122: is_ngx_cp_attachment_disabled@ngx_http_cp_attachment_module.c:253 [uid a82c4c3a0fee_7 | pid 977] | Reconfiguring the local NGINX attachment state
|2025-12-30T15:17:44.429: is_ngx_cp_attachment_disabled@ngx_http_cp_attachment_module.c:253 [uid a82c4c3a0fee_3 | pid 841] | Reconfiguring the local NGINX attachment state
|2025-12-30T15:17:49.121: is_ngx_cp_attachment_disabled@ngx_http_cp_attachment_module.c:253 [uid a82c4c3a0fee_8 | pid 1046] | Reconfiguring the local NGINX attachment state
|2025-12-30T15:17:59.289: is_ngx_cp_attachment_disabled@ngx_http_cp_attachment_module.c:253 [uid a82c4c3a0fee_2 | pid 840] | Reconfiguring the local NGINX attachment state
|2025-12-30T15:18:00.349: is_ngx_cp_attachment_disabled@ngx_http_cp_attachment_module.c:253 [uid a82c4c3a0fee_1 | pid 839] | Reconfiguring the local NGINX attachment state
|2025-12-30T15:18:01.350: is_ngx_cp_attachment_disabled@ngx_http_cp_attachment_module.c:253 [uid a82c4c3a0fee_4 | pid 846] | Reconfiguring the local NGINX attachment state

After this point, the same line continues to be logged indefinitely.

For reference, this is the openappsec section of my compose.yml:

# This can be used to run openappsec, you must also set NGINX_LOAD_OPENAPPSEC_ATTACHMENT_MODULE to true and set ipc for NPMplus
  openappsec-agent:
    container_name: openappsec-agent
    image: ghcr.io/openappsec/agent:latest
    restart: unless-stopped
    ipc: host
    volumes:
      - "shm-volume:/dev/shm/check-point"
      - "/opt/openappsec/conf:/etc/cp/conf"
      - "/opt/openappsec/data:/etc/cp/data"
      - "/opt/openappsec/logs:/var/log/nano_agent"
      - "/opt/openappsec/localconf:/ext/appsec" # if you don't set AGENT_TOKEN, then please put a local_policy.yaml in the /opt/openappsec/localconf folder before deploying
      - "/opt/openappsec/open-appsec-advanced-model.tgz:/advanced-model/open-appsec-advanced-model.tgz" # optional, if you want to use a different model
    environment:
      - "TZ=Europe/London" # needs to be changed
      - "autoPolicyLoad=true"
      - "registered_server=NPMplus"
      - "user_email=<redacted>" # optional, from their docs: "This allows the open-appsec team to provide you easy assistance in case of any issues you might have with your specific deployment in the future and also to provide you information proactively regarding open-appsec in general or regarding your specific deployment. [...] If we send automatic emails there will also be an opt-out option included for receiving similar communication in the future."
      - "AGENT_TOKEN=<redacted>" # optional, you can specify an openappsec deployment profile token for connecting to their central webinterface  at https://my.openappsec.io, if you leave this commented, make sure to uncomment all other openappsec containers below, see: https://docs.openappsec.io/getting-started/using-the-web-ui-saas/create-a-profile
  #      - "SHARED_STORAGE_HOST=openappsec-shared-storage" # uncomment if you don't set AGENT_TOKEN
  #      - "LEARNING_HOST=openappsec-smartsync" # uncomment if you don't set AGENT_TOKEN
  #      - "TUNING_HOST=openappsec-tuning-svc" # uncomment if you don't set AGENT_TOKEN
    command: /cp-nano-agent

# uncomment if you don't set AGENT_TOKEN
#  openappsec-smartsync:
#    container_name: openappsec-smartsync
#    image: ghcr.io/openappsec/smartsync:latest
#    restart: always
#    environment:
#      - "TZ=your-timezone" # needs to be changed
#      - "SHARED_STORAGE_HOST=openappsec-shared-storage"
#    depends_on:
#      - openappsec-shared-storage
#  openappsec-shared-storage:
#    container_name: openappsec-shared-storage
#    image: ghcr.io/openappsec/smartsync-shared-files:latest
#    restart: always
#    ipc: service:openappsec-agent
#    user: root # if you do not want to run this container as "root" user you can comment it out and instead run the following command after the deployment: docker exec -u root openappsec-shared-storage chown -R appuser:appuser /db
#    environment:
#      - "TZ=your-timezone" # needs to be changed
#    volumes:
#      - "/opt/openappsec/storage:/db"
#  openappsec-tuning-svc:
#    container_name: openappsec-tuning-svc
#    image: ghcr.io/openappsec/smartsync-tuning:latest
#    restart: always
#    environment:
#      - "TZ=your-timezone" # needs to be changed
#      - "SHARED_STORAGE_HOST=openappsec-shared-storage"
#      - "QUERY_DB_HOST=openappsec-db"
#      - "QUERY_DB_PASSWORD=password" # replace with something secure, should match POSTGRES_PASSWORD from openappsec-db container
#      - "QUERY_DB_USER=appsec"
#    volumes:
#      - "/opt/openappsec/conf:/etc/cp/conf"
#    depends_on:
#      - openappsec-shared-storage
#      - openappsec-db
#  openappsec-db:
#    container_name: openappsec-db
#    image: postgres:17-alpine
#    restart: always
#    environment:
#      - "TZ=your-timezone" # needs to be changed
#      - "POSTGRES_PASSWORD=password" # replace with something secure, should match QUERY_DB_PASSWORD from openappsec-tuning-svc container
#      - "POSTGRES_USER=appsec"
#    volumes:
#      - "/opt/openappsec/pgdb:/var/lib/postgresql/data"

volumes:
  shm-volume:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs

Is this behaviour expected or does it indicate a configuration or attachment issue between NPMplus and openappsec? Any guidance on where to start troubleshooting or how to reduce or eliminate this log spam would be appreciated.

Thanks.

[tttestttesting]

I'm experiencing the same issue with NPMplus + openappsec, but with an additional critical problem: traffic on port 443 (HTTPS) is not being intercepted at all.

My Setup:

• NPMplus (zoeyvid/npmplus:latest) with openappsec attachment
• openappsec-agent connected to my.openappsec.io (SaaS)
• Multiple proxy hosts configured

The Problem:

• Traffic arriving on port 80 (via Cloudflare Tunnel) → correctly intercepted and logged ✓
• Traffic arriving on port 443 (direct HTTPS) → NOT intercepted, no logs ✗

Evidence:

1. SQL injection test on port 80 domains (e.g., ofood.noruletech.com) → detected and logged
2. SQL injection test on port 443 domain (webhook.noruletech.com) → never appears in logs
3. Policy is correctly configured with EqualListeningPort(443) for the HTTPS asset
4. The same "Reconfiguring the local NGINX attachment state" message appears repeatedly in logs

Logs showing the issue:

is_ngx_cp_attachment_disabled@ngx_http_cp_attachment_module.c:249 | Reconfiguring the local NGINX attachment state

This repeated reconfiguration might be causing the attachment to miss traffic on certain ports (specifically 443/SSL).

Questions:

1. Is this a known limitation with SSL-terminated traffic on port 443?
2. Could the repeated "Reconfiguring attachment state" cause traffic to be missed?
3. Is there a workaround to ensure HTTPS traffic is intercepted?

Thanks!