id: 1900
summary: Nginx starting more worker processes when modsec rules are enabled
reporter: marferiky@…
owner:
type: defect
status: closed
priority: major
milestone:
component: nginx-core
version: 1.15.x
resolution: invalid
keywords: modsec, worker processes
cc: marferiky@…
uname: 4.19.25-1.el7.centos.x86_64 #1 SMP Mon Feb 25 14:23:42 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
nginx_version:
  nginx version: nginx/1.15.4
  built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
  built with OpenSSL 1.0.2k-fips 26 Jan 2017
  TLS SNI support enabled

description:

Hi there,

we run Nginx in a Docker container as a sidecar in a pod in a Kubernetes cluster. We have the ModSec module (version 3.0.3) enabled for Nginx. In our Nginx configuration, we set the number of worker processes to be 16 (we have 16 CPU cores on our machines):

{{{
worker_processes 16;
events {
    worker_connections 1024;
}
}}}

Without modsec enabled, it all works fine: we can see in the access logs that requests are processed fine, there are 16 worker processes running and the memory usage is not higher than 200-300MB.

However, when modsec is enabled, the initial number of worker processes in nginx is 16, but over a period of 12 hours, the number of worker processes increases whenever a given modsec rule is matched by an HTTP request (in our case it is ruleID: 920350). The number of worker processes increases until the memory limit (2GB, set at a Kubernetes level) is met (at that point, nginx started up to 500 worker processes!). When it hits the memory limit, nginx stops handling requests (according to the access log, we cannot see any requests being handled anymore). Furthermore, the issue is causing the entire machine where the nginx container is running to crash.

I am wondering why nginx is starting more worker processes than the configured number?