Opened 5 years ago
Closed 5 years ago
#1900 closed defect (invalid)
Nginx starting more worker processes when modsec rules are enabled
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-core | Version: | 1.15.x |
| Keywords: | modsec, worker processes | Cc: | marferiky@… |
| uname -a: | 4.19.25-1.el7.centos.x86_64 #1 SMP Mon Feb 25 14:23:42 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux | | |

nginx -V:

```
nginx version: nginx/1.15.4
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
```
Description
Hi there, we run Nginx in a Docker container as a sidecar in a pod in a Kubernetes cluster.
We have the ModSec module (version 3.0.3) enabled for Nginx.
In our Nginx configuration, we set the number of worker processes to 16 (we have 16 CPU cores on our machines):

```nginx
worker_processes 16;
events {
    worker_connections 1024;
}
```

Without modsec enabled, it all works fine: we can see in the access logs that requests are processed fine, there are 16 worker processes running, and the memory usage is not higher than 200-300MB.
However, when modsec is enabled, the initial number of worker processes in nginx is 16, but over a period of 12 hours the number of worker processes increases whenever a given modsec rule is matched by an HTTP request (in our case it is rule ID 920350).
The number of worker processes increases until the memory limit (2GB, set at the Kubernetes level) is reached (at that point, nginx had started up to 500 worker processes!).
When it hits the memory limit, nginx stops handling requests (according to the access log, we cannot see any requests being handled anymore). Furthermore, the issue is causing the entire machine where the nginx container is running to crash.
I am wondering why nginx is starting more worker processes than the configured number?
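As a first check for the symptom described in this report (an added example, not code from the ticket, nginx or ModSecurity): a POSIX shell function that compares the `worker_processes` value in an nginx.conf against the number of live `nginx: worker process` entries in `ps` output (e.g. `ps -eo args`). The config text and `ps` lines below are constructed samples.

```shell
# Added example (not from the ticket): flag an nginx instance that is running
# more worker processes than its configuration asks for.

# Print the configured worker_processes value from config text given as $1.
configured_workers() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*worker_processes[[:space:]]*\([^;]*\);.*/\1/p' |
        head -n 1
}

# Count "nginx: worker process" entries in ps-style output given as $1.
# grep -c prints 0 on no match but exits 1, hence the "|| true".
running_workers() {
    printf '%s\n' "$1" | grep -c 'nginx: worker process' || true
}

# Return 0 when the running count is within the configured value, 1 when it
# exceeds it. "auto" (or a missing directive) cannot be compared and passes.
check_workers() {
    conf=$(configured_workers "$1")
    run=$(running_workers "$2")
    case "$conf" in
        auto|'') echo "configured=${conf:-unset} running=$run (not compared)"; return 0 ;;
    esac
    if [ "$run" -gt "$conf" ]; then
        echo "ALERT: $run worker processes running, $conf configured"
        return 1
    fi
    echo "ok: $run worker processes running, $conf configured"
    return 0
}

# Constructed sample input: the ticket's config, and ps output with 18 workers
# (two more than configured), mimicking the growth the reporter observed.
SAMPLE_CONF='worker_processes 16;
events { worker_connections 1024; }'
SAMPLE_PS=$(
    echo 'root 1 nginx: master process nginx -g daemon off;'
    i=0
    while [ "$i" -lt 18 ]; do
        echo "nginx $((10 + i)) nginx: worker process"
        i=$((i + 1))
    done
)

check_workers "$SAMPLE_CONF" "$SAMPLE_PS" || echo "exit status $?"
```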
Attachments (1)
Change History (6)
comment:1 by , 5 years ago
Hi,
can you check whether nginx demonstrates the same behaviour with modsecurity disabled?
I see nothing in OWASP rule ID 920350 here https://github.com/SpiderLabs/owasp-modsecurity-crs/ that can trigger such behaviour unless there is some subtle bug in the modsecurity module.
Thanks,
Maxim
comment:2 by , 5 years ago
Hi Maxim, thanks for getting back!
When modsecurity is disabled, it all works fine: the number of worker processes in nginx is 16 as configured and the whole container memory usage is below 300MB.
The behavior only happens when modsecurity is enabled and that rule matches HTTP requests.
comment:3 by , 5 years ago
I would update both nginx and, more importantly, libmodsecurity and the nginx modsecurity module to the most recent snapshot from their v3/master branch and try to reproduce this issue again.
So far it sounds like a bug in modsecurity and should be reported to the modsecurity developers: https://github.com/SpiderLabs/ModSecurity
Thanks,
Maxim
comment:5 by , 5 years ago

| Resolution: | → invalid |
|---|---|
| Status: | new → closed |

Feedback timeout. Likely a bug in modsecurity.