
apache graceful restart + Apache connector + rules = memory leak

Open drmuey opened this issue 3 years ago • 3 comments

  1. Set up memory test script
    • create this script at the end of this post
    • Make sure /etc/systemd/system.conf has these settings:
      • DefaultMemoryAccounting=yes
      • DefaultStartLimitInterval=1s
      • systemctl daemon-reexec if you had to edit those (and hard restart Apache for good measure; systemctl status httpd | grep Memory should not have output).
  2. install and configure apache connector (but do not configure any rules)
  3. run memory test script ➜ no leak
# ~/check_httpd_memory_usage.sh
Memory usage before 200 restarts:
   Memory: 67.4M
...
Memory usage after 200 restarts:
   Memory: 67.3M
#
  4. install and configure OWASP CRS
  5. run memory test script ➜ leak
# ~/check_httpd_memory_usage.sh
Memory usage before 200 restarts:
   Memory: 67.4M
...
Memory usage after 200 restarts:
   Memory: 1.3G
# ~/check_httpd_memory_usage.sh
  6. change script to do a hard restart (e.g. systemctl restart httpd) and the leak goes away

#!/bin/bash
# Graceful-restart the httpd unit NREQUESTS times and compare the cgroup
# memory figure that systemd reports before and after. The "Memory:" line
# only appears when memory accounting is on (DefaultMemoryAccounting=yes).

set -e

NREQUESTS=200

# for good measure: start from a freshly (hard) restarted service
systemctl stop httpd
systemctl start httpd

echo "Memory usage before $NREQUESTS restarts:"
systemctl status httpd | grep Memory

for ((i = 0 ; i < NREQUESTS ; i++)); do
    echo -n "$i … "
    /usr/sbin/apachectl graceful
    sleep 2
done

echo
echo "Memory usage after $NREQUESTS restarts:"
systemctl status httpd | grep Memory

drmuey avatar May 18 '21 22:05 drmuey
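The report above compares the two "Memory:" figures by eye. Below is an added example, not part of the issue or of the ModSecurity project, that parses the `systemctl status` memory line, normalizes the K/M/G/T suffixes to bytes, and turns a before/after pair from the restart loop into a leak verdict, so the same check can run unattended after a connector or rule-set upgrade. The per-restart growth threshold (256 KiB) and the assumption that systemd prints at most one decimal with a one-letter binary suffix are mine; the sample reports are constructed from the numbers in the post.

```python
#!/usr/bin/env python3
"""Added example (not the issue's or the project's code): parse the 'Memory:'
line from `systemctl status <unit>` and decide whether a graceful-restart loop
leaked memory. Assumes systemd's "67.4M" / "1.3G" size formatting."""
import re
import subprocess
from typing import Optional

_UNIT_BYTES = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}
# Matches "   Memory: 67.4M" and also newer "   Memory: 1.3G (peak: 1.5G)" lines.
_MEMORY_RE = re.compile(r"^\s*Memory:\s*([0-9]+(?:\.[0-9]+)?)([KMGT]?)\b", re.MULTILINE)


def _to_bytes(value: str, unit: str) -> int:
    return int(float(value) * _UNIT_BYTES[unit])


def parse_memory_bytes(status_output: str) -> Optional[int]:
    """Memory usage in bytes from one `systemctl status` output, or None when
    systemd prints no Memory line (memory accounting disabled)."""
    m = _MEMORY_RE.search(status_output)
    return _to_bytes(*m.groups()) if m else None


def read_unit_memory(unit: str = "httpd") -> Optional[int]:
    """Live reading; only meaningful on a systemd host that has the unit."""
    out = subprocess.run(["systemctl", "status", unit],
                         capture_output=True, text=True, check=False).stdout
    return parse_memory_bytes(out)


def leak_verdict(before: int, after: int, restarts: int,
                 max_growth_per_restart: int = 256 * 1024) -> dict:
    """Compare two readings taken `restarts` graceful restarts apart.
    The threshold is an assumption chosen for this example: steady growth
    above it per restart is reported as a leak."""
    growth = after - before
    per_restart = growth / restarts
    return {"growth_bytes": growth,
            "per_restart_bytes": per_restart,
            "leaked": per_restart > max_growth_per_restart}


def analyze_report(report: str, restarts: int, **kw) -> dict:
    """Feed the whole output of the before/after script (two Memory lines,
    in order) and get the verdict. Raises when the lines are missing, which
    is what you see when DefaultMemoryAccounting is off."""
    readings = [_to_bytes(v, u) for v, u in _MEMORY_RE.findall(report)]
    if len(readings) < 2:
        raise ValueError("need a before and an after 'Memory:' line; "
                         "is DefaultMemoryAccounting=yes?")
    return leak_verdict(readings[0], readings[-1], restarts, **kw)


# Constructed sample reports, using the figures quoted in the issue.
NO_LEAK_REPORT = """Memory usage before 200 restarts:
   Memory: 67.4M
Memory usage after 200 restarts:
   Memory: 67.3M
"""
LEAK_REPORT = """Memory usage before 200 restarts:
   Memory: 67.4M
Memory usage after 200 restarts:
   Memory: 1.3G
"""

if __name__ == "__main__":
    for name, rep in (("connector only", NO_LEAK_REPORT), ("connector + CRS", LEAK_REPORT)):
        v = analyze_report(rep, 200)
        print(f"{name}: {v['per_restart_bytes'] / 1024:.0f} KiB per restart "
              f"-> {'LEAK' if v['leaked'] else 'ok'}")
```

Run it after the restart loop on a host where memory accounting is enabled, or pipe the script's saved output into `analyze_report`; the `ValueError` path is the same symptom the post warns about when the `Memory:` line is absent.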

apache 2.4.48 mpm_event

I'm also having a problem with modsecurity-apache and a memory leak issue.

Even without apachectl graceful, the memory usage keeps growing until it crashes.

XJOJIX avatar Aug 19 '21 17:08 XJOJIX

As mentioned in other issues, the ModSecurity-apache connector for use with ModSecurity v3 is not ready for production use.

With Apache, the recommendation is to use ModSecurity v2.9.

martinhsv avatar Aug 19 '21 17:08 martinhsv

I thought of using nginx instead of apache as a reverse proxy, but modsecurity-nginx seems to have the same issue: https://github.com/SpiderLabs/ModSecurity-nginx/issues/236, and even the same issue on modsecurity3 itself: https://github.com/SpiderLabs/ModSecurity/issues/2552

Hope it'll be fixed soon, and also that modsecurity-apache gets staged to production.

XJOJIX avatar Aug 20 '21 06:08 XJOJIX