Nginx mod_security leaks file descriptors

Alan Silva alan.silva at gmail.com
Thu Aug 22 15:16:53 UTC 2013


Hi Kiril,

I think the better place to ask this question is on the modsecurity users list, because apparently it's a problem in the modsecurity module and not in NGINX.

Regards,

Alan


On Aug 22, 2013, at 8:26 AM, Kiril Kalchev <kirilk at cloudxcel.com> wrote:

> Hi,
> 
> I have a problem with nginx and mod_security module. After reloading nginx configuration (kill -HUP <master-nginx-pid>) all files opened by mod_security are opened once again without closing the old ones. That means at some point we hit the limit of open file descriptors; in my real-life scenario I leak over 300 files on each reload.
> 
> Here are my sample configs just to illustrate the problem:
> ============================================================
> nginx.conf
> user www-data www-data;
> worker_processes 6;
> worker_rlimit_nofile 200000;
> 
> error_log /var/log/nginx/error.log debug;
> 
> events {
>        worker_connections  16384;
>        multi_accept on;
>        use epoll;
> }
> 
> http {
>        server {
>                listen 80;
>                location / {
>                        ModSecurityEnabled on;
>                        ModSecurityConfig modsecurity.conf;
>                        return 555;
>                }
>        }
> }
> 
> ============================================================
> modsecurity.conf:
> 
> # Debug log
> SecDebugLog /var/log/waf/events.log
> ============================================================
> 
> In this situation after each configuration reload I am leaking open files:
> 
> www-data at dev03 ~ # lsof | grep nginx | wc -l; kill -HUP `ps aux | grep 'nginx: master process' | grep -v grep | awk '{print $2}'`; sleep 2; lsof | grep nginx |  wc -l
> 361
> 368
> 
> I am using Ubuntu 12.04 LTS and nginx _openresty 1.4.2.1
> 
> (DEPLOY)www-data at dev03:~# nginx -V
> nginx version: ngx_openresty/1.4.2.1
> built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
> TLS SNI support enabled
> 
> Does someone else have the same problem?
> 
> I will be happy to provide other information if necessary.
> 
> Regards,
> Kiril
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
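
An added example, not part of the original thread: `lsof | grep nginx | wc -l` counts every lsof row that mentions nginx (memory maps, cwd, every worker), so this sketch instead counts the master's entries under /proc/<pid>/fd around a reload and lists the file paths that are open more than once. The function names and the `--pid` argument are hypothetical; it assumes Linux and enough privilege to read the master's /proc entry.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): measure descriptor growth across a reload
# by reading /proc/<pid>/fd of the nginx master. Run as root.

# count_fds DIR: number of open descriptors in a /proc/<pid>/fd-style directory.
count_fds() {
    find "$1" -mindepth 1 -maxdepth 1 -type l | wc -l | tr -d '[:space:]'
}

# dup_targets DIR: print "COUNT PATH" for each file path open more than once,
# most duplicated first. Sockets, pipes and anonymous inodes are skipped.
dup_targets() {
    local fd
    for fd in "$1"/*; do
        if [ -L "$fd" ]; then readlink "$fd"; fi
    done | grep '^/' | sort | uniq -c |
        awk '$1 > 1 { n = $1; sub(/^ *[0-9]+ /, ""); print n, $0 }' | sort -rn
}

# fd_growth BEFORE AFTER: descriptors gained between two counts (never negative).
fd_growth() {
    local d=$(( $2 - $1 ))
    if [ "$d" -lt 0 ]; then d=0; fi
    echo "$d"
}

# Usage (hypothetical script name): fdleak.sh --pid <master-nginx-pid>
if [ "${1:-}" = "--pid" ] && [ -n "${2:-}" ]; then
    dir="/proc/$2/fd"
    before=$(count_fds "$dir")
    kill -HUP "$2"          # same reload signal as in the report above
    sleep 2
    after=$(count_fds "$dir")
    echo "master fds: before=$before after=$after leaked=$(fd_growth "$before" "$after")"
    echo "paths open more than once in the master:"
    dup_targets "$dir"
fi
```

A path such as the SecDebugLog file whose count rises by one on every reload is the descriptor that is being reopened without the old one being closed.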


