owasp-modsecurity / ModSecurity-apache

ModSecurity v3 Apache Connector
Apache License 2.0

apache graceful restart + Apache connector + rules = memory leak #82

Open drmuey opened 3 years ago

drmuey commented 3 years ago
  1. Set up memory test script
     • create this script at the end of this post
     • Make sure /etc/systemd/system.conf has these settings:
       • DefaultMemoryAccounting=yes
       • DefaultStartLimitInterval=1s
     • systemctl daemon-reexec if you had to edit those (and hard restart apache for good measure; systemctl status httpd | grep Memory should not have output).
  2. install and configure apache connector (but do not configure any rules)
  3. run memory test script ➜ no leak
     # ~/check_httpd_memory_usage.sh
     Memory usage before 200 restarts:
     Memory: 67.4M
     ...
     Memory usage after 200 restarts:
     Memory: 67.3M
     #
  4. install and configure OWASP CRS
  5. run memory test script ➜ leak
     # ~/check_httpd_memory_usage.sh
     Memory usage before 200 restarts:
     Memory: 67.4M
     ...
     Memory usage after 200 restarts:
     Memory: 1.3G
     # ~/check_httpd_memory_usage.sh
  6. change script to do a hard restart (e.g. systemctl restart httpd) and the leak goes away

#!/bin/bash

set -e

NREQUESTS=200

# for good measure: start from a freshly (hard) restarted httpd
systemctl stop httpd
systemctl start httpd

echo "Memory usage before $NREQUESTS restarts:"
systemctl status httpd | grep Memory   # needs DefaultMemoryAccounting=yes

for ((i = 0 ; i < $NREQUESTS ; i++)); do
    echo -n "$i … "
    /usr/sbin/apachectl graceful       # graceful restart only; hard restart hides the leak
    sleep 2
done

echo
echo "Memory usage after $NREQUESTS restarts:"
systemctl status httpd | grep Memory

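An automated version of the graceful-restart leak test described in the post above, added here as an example and not the reporter's script or the project's own code. It parses the systemd "Memory:" line, converts the K/M/G value to bytes, and fails when growth across the restarts exceeds a percentage threshold, so the check can run unattended (e.g. in CI after a rule-set change). It assumes the unit is named httpd, that apachectl is at /usr/sbin/apachectl, and that systemd's Memory value uses binary K/M/G suffixes; the sample status line used in the comments is constructed.

```shell
#!/bin/bash
# Added example: automated leak check for the graceful-restart procedure above.
# Assumptions (not from the issue): unit is "httpd", apachectl lives at
# /usr/sbin/apachectl, and systemd's "Memory:" value uses binary K/M/G suffixes.
set -e

UNIT="${UNIT:-httpd}"
APACHECTL="${APACHECTL:-/usr/sbin/apachectl}"
NRESTARTS="${NRESTARTS:-200}"
THRESHOLD_PCT="${THRESHOLD_PCT:-20}"   # growth at or above this is reported as a leak

# Pull the value out of a constructed status line such as
# "   Memory: 67.4M (peak: 70.1M)" -> "67.4M".
parse_memory_line() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*Memory:/ { print $2; exit }'
}

# Convert "67.4M" / "1.3G" / "512K" / "4096" to an integer byte count.
mem_to_bytes() {
    printf '%s\n' "$1" | awk '
        /K$/      { v = substr($0, 1, length($0) - 1) * 1024 }
        /M$/      { v = substr($0, 1, length($0) - 1) * 1024 * 1024 }
        /G$/      { v = substr($0, 1, length($0) - 1) * 1024 * 1024 * 1024 }
        /[0-9]$/  { v = $0 }
        END       { printf "%d\n", v }'
}

# Integer percentage growth from $1 bytes to $2 bytes (0 if the baseline is 0).
growth_pct() {
    awk -v b="$1" -v a="$2" 'BEGIN { printf "%d\n", (b > 0) ? (a - b) * 100 / b : 0 }'
}

# Succeed (exit 0) when memory grew by at least the threshold percentage.
#   $1 = before (e.g. 67.4M), $2 = after, $3 = threshold percent (optional)
leak_detected() {
    local before after pct
    before=$(mem_to_bytes "$1")
    after=$(mem_to_bytes "$2")
    pct=$(growth_pct "$before" "$after")
    [ "$pct" -ge "${3:-$THRESHOLD_PCT}" ]
}

# Current memory of the unit as reported by systemd (needs DefaultMemoryAccounting=yes).
current_memory() {
    parse_memory_line "$(systemctl status "$UNIT" | grep -m1 Memory)"
}

# Same procedure as the issue: hard restart, measure, N graceful restarts, measure.
run_leak_check() {
    local before after i
    systemctl stop "$UNIT"
    systemctl start "$UNIT"
    before=$(current_memory)
    echo "Memory before $NRESTARTS graceful restarts: $before"
    i=0
    while [ "$i" -lt "$NRESTARTS" ]; do
        "$APACHECTL" graceful
        sleep 2
        i=$((i + 1))
    done
    after=$(current_memory)
    echo "Memory after $NRESTARTS graceful restarts: $after"
    if leak_detected "$before" "$after"; then
        echo "LEAK: grew $(growth_pct "$(mem_to_bytes "$before")" "$(mem_to_bytes "$after")")% (threshold ${THRESHOLD_PCT}%)" >&2
        return 1
    fi
    echo "OK: growth under ${THRESHOLD_PCT}%"
}

# Only touch the live service when explicitly asked to.
if [ "${CHECK_HTTPD_LEAK:-}" = "run" ]; then
    run_leak_check
fi
```

Run it as `CHECK_HTTPD_LEAK=run ./check_httpd_leak.sh` on a host where memory accounting is enabled; a non-zero exit means the reported growth crossed the threshold. With the numbers from the post, 67.4M to 1.3G is roughly 1875% growth, while 67.4M to 67.3M is reported as 0% and passes.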
XJOJIX commented 3 years ago

apache 2.4.48 mpm_event

I'm also having a memory leak problem with modsecurity-apache.

Even without apachectl graceful, the memory usage keeps growing until it crashes.

martinhsv commented 3 years ago

As mentioned in other issues, the ModSecurity-apache connector for use with ModSecurity v3 is not ready for production use.

With Apache, the recommendation is to use ModSecurity v2.9.

XJOJIX commented 3 years ago

I thought of using nginx instead of apache as a reverse proxy, but modsecurity-nginx seems to have the same issue: https://github.com/SpiderLabs/ModSecurity-nginx/issues/236, and even the same issue on modsecurity3 itself: https://github.com/SpiderLabs/ModSecurity/issues/2552

I hope it'll be fixed soon, and also that modsecurity-apache gets to the production stage.