<div dir="ltr">ModSecurity isn't a sub-process, it's compiled into the nginx binary and runs as part of the worker process(es). Nginx doesn't have a concept of spawning children in the manner you're referencing, so there's nothing to be monitored wrt. resource consumption. Any resource monitoring would be done by the kernel, and the target would be nginx itself.<div><br></div><div>If you're running into an OOM condition with the nginx worker process, it sounds like a leak within one of the modules (possibly, but not definitely, ModSecurity, if it only happens when you load the OWASP CRS).<br><div><br></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 19, 2016 at 3:10 PM, Lukas <span dir="ltr"><<a href="mailto:l@ymx.ch" target="_blank">l@ymx.ch</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Felipe<br>
<br>
> Felipe Zimmerle <<a href="mailto:felipe@zimmerle.org">felipe@zimmerle.org</a>> [2016-01-11 17:12]:<br>
<span class="">><br>
> On Sun, Jan 10, 2016 at 11:05 AM Lukas <<a href="mailto:l@ymx.ch">l@ymx.ch</a>> wrote:<br>
><br>
> > I found that recommendation.  Since I also read that it would not be<br>
> > fully compatible with OWASP/CRS I have not given it a try.<br>
> ><br>
> > What is the situation regarding OWASP/CRS?<br>
> ><br>
><br>
> Currently there are three different versions of ModSecurity for nginx:<br>
><br>
> - Version 2.9.0: That is the last released version, I think that is the one<br>
> that you are using.<br>
> - nginx_refactoring: That version contains some fixes on top of v2.9.0,<br>
> but those fixes may lead to instabilities depending on your configuration.<br>
> - ModSecurity-connector: That is something that is still under development and<br>
> we have some work to do, to be exact:<br>
><br>
> <a href="https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20documentation" rel="noreferrer" target="_blank">https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20documentation</a><br>
> <a href="https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20features" rel="noreferrer" target="_blank">https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20features</a><br>
> <a href="https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20operators" rel="noreferrer" target="_blank">https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20operators</a><br>
> <a href="https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20transformation" rel="noreferrer" target="_blank">https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20transformation</a><br>
> <a href="https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20variables" rel="noreferrer" target="_blank">https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20variables</a><br>
><br>
> Only use the ModSecurity-connector if you understand well the ModSecurity<br>
> rules and the consequences of the missing pieces.<br>
><br>
> Further information about libModSecurity can be found here:<br>
> <a href="http://blog.zimmerle.org/2016/01/an-overview-of-upcoming-libmodsecurity.html" rel="noreferrer" target="_blank">http://blog.zimmerle.org/2016/01/an-overview-of-upcoming-libmodsecurity.html</a><br>
> or:<br>
> <a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/An-Overview-of-the-Upcoming-libModSecurity/" rel="noreferrer" target="_blank">https://www.trustwave.com/Resources/SpiderLabs-Blog/An-Overview-of-the-Upcoming-libModSecurity/</a><br>
><br>
<br>
</span>Thanks for pointing this out.<br>
<br>
What worries me a "little bit" is that nginx started crashing with an<br>
Out-of-Memory Exception when ModSecurity 2.9.0 with OWASP/CRS was<br>
activated.<br>
<br>
Have others experienced similar problems?<br>
<br>
Isn't there at least a run-time control in nginx that kills<br>
subprocesses like ModSecurity as soon as they start overconsuming<br>
resources/execution time?<br>
<br>
Thanks.<br>
<div class="HOEnZb"><div class="h5"><br>
wbr<br>
Lukas<br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</div></div></blockquote></div><br></div>
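Added example, not part of the thread or of nginx/ModSecurity: since any module leak shows up as growth of the nginx worker process itself, this sketch picks out the nginx workers from Linux `/proc/<pid>/status` data and flags those whose resident memory keeps rising across samples. The function names, the threshold and the sample data are assumptions made for illustration.

```python
import os

def parse_status(text):
    """Extract Name, PPid and VmRSS (kB) from /proc/<pid>/status content."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    rss = fields.get("VmRSS", "0 kB").split()[0]  # kernel threads have no VmRSS
    return fields.get("Name", ""), int(fields.get("PPid", "0")), int(rss)

def worker_rss(statuses):
    """Map pid -> RSS kB for nginx processes whose parent is also nginx
    (the workers, plus cache helper processes if any are configured)."""
    parsed = {pid: parse_status(text) for pid, text in statuses.items()}
    nginx = {pid for pid, (name, _, _) in parsed.items() if name == "nginx"}
    return {pid: rss for pid, (_, ppid, rss) in parsed.items()
            if pid in nginx and ppid in nginx}

def read_proc():
    """Read the status file of every live process (Linux only)."""
    out = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/status") as fh:
                    out[int(entry)] = fh.read()
            except OSError:  # process exited between listdir and open
                pass
    return out

def leak_suspects(snapshots, min_growth_kb):
    """Return pids present in every snapshot whose RSS rose each time
    and grew by at least min_growth_kb overall."""
    suspects = []
    for pid in snapshots[-1]:
        series = [s[pid] for s in snapshots if pid in s]
        rising = all(b > a for a, b in zip(series, series[1:]))
        if (len(series) == len(snapshots) and len(series) > 1 and rising
                and series[-1] - series[0] >= min_growth_kb):
            suspects.append(pid)
    return sorted(suspects)

# Constructed sample: master 100, workers 101 and 102, unrelated sshd 200.
SAMPLE = {
    100: "Name:\tnginx\nPPid:\t1\nVmRSS:\t  4000 kB\n",
    101: "Name:\tnginx\nPPid:\t100\nVmRSS:\t 52000 kB\n",
    102: "Name:\tnginx\nPPid:\t100\nVmRSS:\t 30000 kB\n",
    200: "Name:\tsshd\nPPid:\t1\nVmRSS:\t  6000 kB\n",
}
```

On a live host, call `worker_rss(read_proc())` at intervals, once with the OWASP CRS loaded and once without, and pass the collected snapshots to `leak_suspects` to see whether the growth follows the rule set.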