nginx/1.9.9 with modsecurity/2.9.0 crashes with segfault and worker process exited on signal 11

Lukas l at ymx.ch
Tue Jan 19 23:27:27 UTC 2016


Hi Robert

> Robert Paprocki <rpaprocki at fearnothingproductions.net> [2016-01-20 00:14]:
>
> ModSecurity isn't a sub-process, it's compiled into the nginx binary and
> runs as part of the worker process(es). Nginx doesn't have a concept of
> spawning children in the manner you're referencing, so there's nothing to
> be monitored wrt. resource consumption. Any resource monitoring would be
> done by the kernel, and the target would be nginx itself.
>
Thanks for clarifying.

> If you're running into an OOM condition with the nginx worker process, it
> sounds like a leak within one of the modules (possibly, but not definitely,
> ModSecurity, if it only happens when you load the OWASP CRS).
>

I have not had the time to test different variants yet.  The
proxy-setup, however, works perfectly fine with "ModSecurityEnabled
off;" but crashes otherwise.

My current config:

  server {
    listen 443 ssl;
    listen [::]:443 ssl;

    root /var/www/html;

    index index.html index.htm index.nginx-debian.html;

    server_name foobar;

    ssl on;
    ssl_certificate     crt.stack.pem;
    ssl_certificate_key key.pem;

    ssl_session_timeout 5m;
    ssl_session_cache  builtin:1000  shared:SSL:10m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {

      ModSecurityEnabled off;
      ModSecurityConfig modsecurity/modsecurity_crs_10_setup.conf;

      proxy_force_ranges on;
      proxy_set_header Host                $host;
      proxy_set_header X-Real-IP           $remote_addr;
      proxy_set_header X-Forwarded-For     $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto   $scheme;

      proxy_pass      http://ip.ad.dr.ess:80;
      proxy_redirect  http://ip.ad.dr.ess:80 https://$host$request_uri;

      client_max_body_size       10m;
      client_body_buffer_size    128k;

      client_body_temp_path      /var/cache/nginx/client_body_temp;

      proxy_connect_timeout      90;
      proxy_send_timeout         90;
      proxy_read_timeout         90;

      proxy_buffer_size          4k;
      proxy_buffers              4 32k;
      proxy_busy_buffers_size    64k;
      proxy_temp_file_write_size 64k;

      proxy_temp_path            /var/cache/nginx/proxy_temp;

    }

    location ~ /\.ht {
      deny all;
    }

    access_log  /var/log/nginx/access.log upstreamlog;
    error_log   /var/log/nginx/error.log debug;
  }

Thanks.

wbr.
Lukas
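
Added example (not part of the original message and not nginx project code): a small triage script for the error_log configured above. It extracts nginx's "worker process N exited on signal S" alerts and groups them by signal, which separates a segfault (signal 11) from a kill by the kernel OOM killer (SIGKILL, signal 9). The log lines are constructed samples, and the function names and hint texts are chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in nginx error.log format (not taken from the post).
SAMPLE_LOG = """\
2016/01/19 23:10:01 [notice] 2711#0: start worker process 2714
2016/01/19 23:10:07 [alert] 2711#0: worker process 2714 exited on signal 11 (core dumped)
2016/01/19 23:10:07 [notice] 2711#0: start worker process 2720
2016/01/19 23:10:09 [alert] 2711#0: worker process 2720 exited on signal 11
2016/01/19 23:14:30 [alert] 2711#0: worker process 2731 exited on signal 9
2016/01/19 23:15:02 [error] 2740#0: *17 upstream timed out (110: Connection timed out)
"""

# The master process logs abnormal worker exits at [alert] level.
EXIT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)

# Reading hints written for this example.
HINTS = {
    11: "SIGSEGV: invalid memory access in the worker (nginx core or a compiled-in module)",
    9: "SIGKILL: sent from outside the process; the kernel OOM killer uses it, check dmesg",
}

def worker_exits(log_text):
    """Return one dict per 'exited on signal' line; all other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = EXIT_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "pid": int(m["pid"]),
                           "signal": int(m["sig"]), "core": m["core"] is not None})
    return events

def summarize(events):
    """Group exits by signal: count, first/last timestamp, whether a core was dumped."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None, "core": False})
    for e in events:
        s = out[e["signal"]]
        s["count"] += 1
        s["first"] = s["first"] or e["ts"]
        s["last"] = e["ts"]
        s["core"] = s["core"] or e["core"]
    return dict(out)

if __name__ == "__main__":
    for sig, s in sorted(summarize(worker_exits(SAMPLE_LOG)).items()):
        print(f"signal {sig}: {s['count']}x {s['first']} .. {s['last']} core={s['core']}")
        print("   ", HINTS.get(sig, "see signal(7)"))
```

A "(core dumped)" suffix means a core file exists for that worker, which is the input needed for a backtrace of the crashing module.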


