$ /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.9.9
built by gcc 4.7.2 (Debian 4.7.2-5)
built with OpenSSL 1.0.1e 11 Feb 2013
TLS SNI support enabled
configure arguments: --user=www-data --group=www-data --with-pcre-jit
–with-ipv6 --with-http_ssl_module
–add-module=…/modsecurity-2.9.0/nginx/modsecurity
–conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid
–error-log-path=/var/log/nginx/error.log
–http-log-path=/var/log/nginx/access.log
$ tail error.log
2016/01/10 13:13:34 [notice] 10256#0: ModSecurity: LIBXML compiled
version=“2.8.0”
2016/01/10 13:13:34 [notice] 10256#0: ModSecurity: Status engine is
currently disabled, enable it by set SecStatusEngine to On.
2016/01/10 13:13:35 [notice] 10260#0: ModSecurity for nginx
(STABLE)/2.9.0 (http://www.modsecurity.org/) configured.
2016/01/10 13:13:35 [notice] 10260#0: ModSecurity: APR compiled
version=“1.4.6”; loaded version=“1.4.6”
2016/01/10 13:13:35 [notice] 10260#0: ModSecurity: PCRE compiled
version="8.30 "; loaded version=“8.30 2012-02-04”
2016/01/10 13:13:35 [notice] 10260#0: ModSecurity: LIBXML compiled
version=“2.8.0”
2016/01/10 13:13:35 [notice] 10260#0: ModSecurity: Status engine is
currently disabled, enable it by set SecStatusEngine to On.
2016/01/10 13:13:38 [alert] 10261#0: worker process 10267 exited on
signal 11
2016/01/10 13:13:38 [alert] 10261#0: worker process 10264 exited on
signal 11
2016/01/10 13:13:38 [alert] 10261#0: worker process 10265 exited on
signal 11
$ dmesg
[605432.202671] nginx[10267]: segfault at 70 ip 08093ba1 sp bfc9a7c0
error 4 in nginx[8048000+123000]
[605432.385414] nginx[10264]: segfault at 70 ip 08093ba1 sp bfc9a7c0
error 4 in nginx[8048000+123000]
[605432.409089] nginx[10265]: segfault at 70 ip 08093ba1 sp bfc9a7c0
error 4 in nginx[8048000+123000]
SecAudit* and even started modsecurity without rules – it continued
crashing.
Thank you for any hint on solving this issue.
Please find next information related to my setup including some logs.
By chance, I tried to get this to work just yesterday and also got only
SIGSEGV from it.
(nginx 1.8, FreeBSD 10.1-amd64, ap22-mod_security-2.9.0, all from my own
repository)
What worries me a “little bit” is that nginx started crashing with an
Out-of-Memory Exception when ModSecurity 2.9.0 with OWASP/CRS was
activated.
Have others experienced similar problems?
Isn’t there at least a run-time control in nginx that kills
subprocesses like ModSecurity as soon as they start overconsuming
resources/execution time?
ModSecurity isn’t a sub-process, it’s compiled into the nginx binary and
runs as part of the worker process(es). Nginx doesn’t have a concept of
spawning children in the manner you’re referencing, so there’s nothing to
be monitored wrt. resource consumption. Any resource monitoring would be
done by the kernel, and the target would be nginx itself.
Thanks for clarifying.
If you’re running into an OOM condition with the nginx worker process, it
sounds like a leak within one of the modules (possible, but not definitely,
ModSecurity, if it only happens when you load the OWASP CRS).
I have not had the time to test different variants yet. The
proxy-setup, however, works perfectly fine with “ModSecurityEnabled
off;” but crashes otherwise.
ModSecurity isn’t a sub-process, it’s compiled into the nginx binary and
runs as part of the worker process(es). Nginx doesn’t have a concept of
spawning children in the manner you’re referencing, so there’s nothing
to
be monitored wrt. resource consumption. Any resource monitoring would be
done by the kernel, and the target would be nginx itself.
If you’re running into an OOM condition with the nginx worker process,
it
sounds like a leak within one of the modules (possible, but not
definitely,
ModSecurity, if it only happens when you load the OWASP CRS).
Fascinated by nginx, I attempted to integrate it with modsecurity.
Unfortunately, ever when modsecurity is enabled, nginx reports a
sefault in sysmessages.
I tried debugging the issue a bit further (from a user perspective)
with common web-page and CalDAV with the following results:
nginx with modsecurity switched off works perfectly as a proxy nginx
nginx with modsecurity switched on with one owasp rule-set
(modsecurity_crs_20_protocol_violations.conf) works for common
web-pages with multi-media content (quick test without any errors
reported)
nginx with modsecurity switched on with one owasp rule-set
(modsecurity_crs_20_protocol_violations.conf) does not work for
CalDAV.
error.log: 2016/01/23 01:19:07 [emerg] 4844#0: *7 posix_memalign(16,
4096) failed (12: Cannot allocate memory) while logging request
nginx with modsecurity switched on without any ruleset
does not work for CalDAV – same error
nginx with modsecurity switched off without any ruleset
does work for CalDAV perfectly.
With modsecurity switched on, an Out-of-Memory exception took place
always reporting:
The modsec devel team is working hard on the new libmodsecurity. You may
just be better off waiting for them to put the finishing touches on that
project. Nginx + modsec 2.9 likely will get no dev attention moving
forward, given that the whole system is being revamped now.
Sent from my iPhone
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.