id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1900	Nginx starting more worker processes when modsec rules are enabled	marferiky@…		"Hi there, we run Nginx in a Docker container as a sidecar in a pod in a Kubernetes cluster.

We have the ModSec module (version 3.0.3) enabled for Nginx. 

In our Nginx configuration, we set the number of worker processes to be 16 (we have 16 CPU cores on our machines):

{{{
    worker_processes 16;
    events {
      worker_connections 1024;
    }
}}}

Without modsec enabled, it all works fine, we can see in the access logs that requests are processed fine, there are 16 worker processes running and the memory usage is not higher than 200-300MB.

However, when modsec is enabled, the initial number of worker processes in nginx is 16, but over a period of 12 hours, the number of worker processes increases whenever a given modsec rule is matched by an HTTP request (in our case it is ruleID: 920350).

The number of worker processes increases until the memory limit (2GB, set at a Kubernetes level) is met (at that point, nginx started up to 500 worker processes!).

When it hits the memory limit, nginx stops handling requests (according to the access log, we cannot see any requests being handled anymore). Furthermore, the issue is causing the entire machine where the nginx container is running to crash. 

I am wondering why nginx is starting more worker processes than the configured number?"	defect	closed	major		nginx-core	1.15.x	invalid	modsec, worker processes	marferiky@…	4.19.25-1.el7.centos.x86_64 #1 SMP Mon Feb 25 14:23:42 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.15.4
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled"
