Nginx mod_security leaks file descriptors
Kiril Kalchev
kirilk at cloudxcel.com
Thu Aug 22 11:26:03 UTC 2013
Hi,
I have a problem with nginx and mod_security module. After reloading nginx configuration (kill -HUP <master-nginx-pid>) all files opened by mod_security are opened once again without closing the old ones. That means at some point we hit the limit of open file descriptors, in my real life scenario I leak over 300 files on each reload.
Here are my sample configs just to illustrate the problem:
============================================================
nginx.conf
user www-data www-data;
worker_processes 6;
worker_rlimit_nofile 200000;
error_log /var/log/nginx/error.log debug;
events {
worker_connections 16384;
multi_accept on;
use epoll;
}
http {
server {
listen 80;
location / {
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
return 555;
}
}
}
============================================================
modsecurity.conf:
# Debug log
SecDebugLog /var/log/waf/events.log
============================================================
In this situation after each configuration reload I am leaking open files:
www-data at dev03 ~ # lsof | grep nginx | wc -l; kill -HUP `ps aux | grep 'nginx: master process' | grep -v grep | awk '{print $2}'`; sleep 2; lsof | grep nginx | wc -l
361
368
I am using Ubuntu 12.04 LTS and nginx _openresty 1.4.2.1
(DEPLOY)www-data at dev03:~# nginx -V
nginx version: ngx_openresty/1.4.2.1
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
TLS SNI support enabled
Does someone else have the same problem?
I will be happy to provide other information if necessary.
Regards,
Kiril
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3565 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20130822/a64b103f/attachment.bin>
More information about the nginx
mailing list