nginx/1.9.9 with modsecurity/2.9.0 crashes with segfault and worker process exited on signal 11

Robert Paprocki rpaprocki at fearnothingproductions.net
Tue Jan 19 23:14:14 UTC 2016


ModSecurity isn't a sub-process, it's compiled into the nginx binary and
runs as part of the worker process(es). Nginx doesn't have a concept of
spawning children in the manner you're referencing, so there's nothing to
be monitored wrt. resource consumption. Any resource monitoring would be
done by the kernel, and the target would be nginx itself.

If you're running into an OOM condition with the nginx worker process, it
sounds like a leak within one of the modules (possible, but not definitely,
ModSecurity, if it only happens when you load the OWASP CRS).



On Tue, Jan 19, 2016 at 3:10 PM, Lukas <l at ymx.ch> wrote:

> Hi Felipe
>
> > Felipe Zimmerle <felipe at zimmerle.org> [2016-01-11 17:12]:
> >
> > On Sun, Jan 10, 2016 at 11:05 AM Lukas <l at ymx.ch> wrote:
> >
> > > I found that recommendation.  Since I also read that it would not be
> > > fully compatible with OWASP/CRS I have not given it a try.
> > >
> > > What is the situation regrading OWASP/CRS?
> > >
> >
> > Currently there are three different versions of ModSecurity for nginx:
> >
> > - Version 2.9.0: That is the last released version, I think that is the
> one
> > that you are using.
> > - nginx_refactoring: That version contains some fixes on the top of
> v2.9.0,
> > but those fixes may lead to instabilities depending on your
> configuration.
> > - ModSecurity-connector: That is something that still under development
> and
> > we have some work to do, to be exactly:
> >
> >
> https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20documentation
> >
> https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20features
> >
> https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20operators
> >
> https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20transformation
> >
> https://github.com/SpiderLabs/ModSecurity/labels/libmodsec%20-%20missing%20variables
> >
> > Only use the ModSecurity-connector if you understands well the
> ModSecurity
> > rules and the consequences of the missing pieces.
> >
> > Further information about libModSecurity can be found here:
> >
> http://blog.zimmerle.org/2016/01/an-overview-of-upcoming-libmodsecurity.html
> > or:
> >
> https://www.trustwave.com/Resources/SpiderLabs-Blog/An-Overview-of-the-Upcoming-libModSecurity/
> >
>
> Thanks for pointing this out.
>
> What worries me a "little bit" is that nginx started crashing with an
> Out-of-Memory Exception when ModSecurity 2.9.0 with OWASP/CRS was
> activated.
>
> Have others experienced similar problems?
>
> Isn't there at least a run-time control in nginx that kills
> subprocesses like ModSecurity as soon as they start overconsuming
> resources/execution time?
>
> Thanks.
>
> wbr
> Lukas
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20160119/8979ceea/attachment.html>


More information about the nginx mailing list