The config file is unchanged from the official recommended file (modsecurity.conf-recommended shipped with ModSecurity):

 

# cat /usr/local/nginx/conf/modsecurity.conf

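# modsecurity.conf -- based on the modsecurity.conf-recommended file that ships
# with ModSecurity 2.7.x. Read by the ModSecurity module loaded into nginx
# (ngx_http_modsecurity). Comments use "#"; long rules continue with "\".

# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
# NOTE(review): in DetectionOnly mode nothing is ever blocked -- every "deny"
# action in this file is only logged. Switch to "On" once the audit log shows
# an acceptable false-positive rate; until then the WAF provides visibility,
# not protection.
#
SecRuleEngine DetectionOnly


# -- Request body handling ---------------------------------------------------

# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On


# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type.
#
# The operator is an implicit @rx. The pattern shipped in the 2.7.x file was
# the bare string "text/xml", which does not match "application/xml" or
# "application/soap+xml"; such bodies were handled by the default
# (URL-encoded) processor and therefore not inspected as XML. The anchored
# pattern below covers all three. t:lowercase runs before the match, so the
# header value's case does not matter.
#
SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"


# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
# Units are bytes: 13107200 = 12.5 MB, 131072 = 128 KB.
#
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# Store up to 128 KB of request body data in memory. When the multipart
# parser reaches this limit, it will start using your hard disk for
# storage (see SecTmpDir below). That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072

# What to do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
# NOTE(review): because SecRuleEngine is DetectionOnly above, the effective
# value here is ProcessPartial: an over-limit body is inspected only up to the
# limit and the remainder passes through uninspected. "Reject" only takes
# effect once the engine is switched to On.
#
SecRequestBodyLimitAction Reject

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001',phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
# The 2.7.x recommended file carried "status:44" here. 44 is not a valid HTTP
# status code, so what the client actually receives is server-dependent;
# later upstream versions of this file use 403, which is what is set below.
# The msg lists every strict-validation flag so the audit log shows which
# check failed (PE = processor error, BQ = boundary quoted, ... FL = file
# limit exceeded).
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:403, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# Did we see anything that might be a boundary?
# No explicit status, so deny falls back to the engine default (403).
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
# NOTE(review): when a regex hits these limits the match is aborted and
# TX:MSC_PCRE_LIMITS_EXCEEDED is set, which rule 200004 below turns into a
# deny. If the audit log shows 200004 firing on legitimate traffic, the rule
# set's regexes are exceeding the limit; raise these values rather than
# removing the rule, since an aborted match is an uninspected request.
#
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_".  The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
        "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"


# -- Response body handling --------------------------------------------------

# Allow ModSecurity to access response bodies.
# You should have this directive enabled in order to identify errors
# and data leakage issues.
#
# Do keep in mind that enabling this directive increases both
# memory consumption and response latency: every response whose MIME type
# is listed in SecResponseBodyMimeType is buffered inside the worker (up to
# SecResponseBodyLimit) before it can be sent. In the nginx port this work
# happens in ngx_http_modsecurity_body_filter, on the output filter chain.
# If worker memory/CPU is the concern, this is the first directive to try
# setting to Off, at the cost of losing the outbound (leakage) rules.
#
SecResponseBodyAccess On

# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml

# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288

# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial


# -- Filesystem configuration ------------------------------------------------

# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
#
# This default setting is chosen because all systems have /tmp available;
# however, this is less than ideal. It is recommended that you specify a
# location that's private.
#
# NOTE(review): /tmp is shared with every local account. Spooled request
# bodies can contain credentials and uploaded files, so before switching
# SecRuleEngine to On, point this at a directory owned by the nginx worker
# user with mode 0700 (for example /var/lib/modsecurity/tmp) and do the same
# for SecDataDir below. The directory must exist before nginx starts.
#
SecTmpDir /tmp/

# The location where ModSecurity will keep its persistent data.  This default
# setting is chosen because all systems have /tmp available; however, it
# too should be updated to a place that other users can't access.
#
# Persistent collections (the IP/session/user state used by rate-limiting
# and tracking rules) are stored here. A local user who can write to this
# directory could tamper with that state, so the same ownership and
# permission advice as for SecTmpDir applies.
#
SecDataDir /tmp/


# -- File uploads handling configuration -------------------------------------

# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir /opt/modsecurity/var/upload/

# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly

# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600


# -- Debug log configuration -------------------------------------------------

# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
# Debug levels above 3 are extremely verbose and themselves cost CPU and
# disk; enable them only while diagnosing a specific problem.
#
#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3


# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
#
# Part I is the request body and part E the response body, so logged
# transactions will include credentials, session cookies and any other
# sensitive data they carried. Keep the audit log readable only by root
# and the nginx user, and rotate it.
#
SecAuditLogParts ABIJDEFHZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only occasionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log

# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/


# -- Miscellaneous -----------------------------------------------------------

# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &

# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0

# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
#SecUnicodeCodePage 20127
#SecUnicodeMapFile unicode.mapping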

 

 

 

发件人: 刘伟 [mailto:liuwei@nq.com]
发送时间: 2013114 21:56
收件人: 'mod-security-users@lists.sourceforge.net'
主题: Nginx+Mod security eats up Memory and CPU

 

Hi, All,

I'm new to ModSecurity. Today, when I integrated nginx with mod_security, I found that our memory is being eaten up,

Sometimes CPU load is 90%+.

If we comment out the ModSecurity settings, it runs fine.

 

Could you give me some clues on how to fix this problem?

 

Below is our setup:

# /usr/local/nginx/sbin/nginx -V

nginx version: nginx/1.2.6

built by gcc 4.4.6 20110731 (Red Hat 4.4.6-3) (GCC)

TLS SNI support enabled

configure arguments: --user=nginx --group=nginx --with-http_secure_link_module --with-http_random_index_module --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-ipv6 --add-module=../modsecurity-apache_2.7.5/nginx/modsecurity/ --add-module=../nginx_tcp_proxy_module-0.26/ --add-module=../ngx_cache_purge-1.5/

 

I attached gdb to the nginx worker process several times; below are the backtrace (bt) results:

#0  0x0000000000446df0 in ngx_http_write_filter ()

#1  0x00000000004557c1 in ngx_http_chunked_body_filter ()

#2  0x000000000045a323 in ngx_http_gzip_body_filter ()

#3  0x000000000045b0bd in ngx_http_postpone_filter ()

#4  0x000000000045b6d6 in ngx_http_ssi_body_filter ()

#5  0x000000000045f7df in ngx_http_charset_body_filter ()

#6  0x000000000046118c in ngx_http_xslt_body_filter ()

#7  0x0000000000462dc8 in ngx_http_image_body_filter ()

#8  0x000000000046379e in ngx_http_sub_body_filter ()

#9  0x000000000046414b in ngx_http_addition_body_filter ()

#10 0x000000000048f935 in ngx_http_modsecurity_body_filter ()

#11 0x000000000041a992 in ngx_output_chain ()

#12 0x0000000000447303 in ngx_http_copy_filter ()

#13 0x0000000000455b0d in ngx_http_range_body_filter ()

#14 0x000000000043a086 in ngx_http_output_filter ()

#15 0x00000000004410d2 in ngx_http_send_special ()

#16 0x000000000044f95c in ngx_http_upstream_finalize_request ()

#17 0x0000000000450419 in ngx_http_upstream_process_request ()

#18 0x00000000004504d5 in ngx_http_upstream_process_upstream ()

#19 0x00000000004531ce in ngx_http_upstream_process_header ()

#20 0x000000000045090a in ngx_http_upstream_handler ()

#21 0x000000000042cd8a in ngx_event_process_posted ()

#22 0x000000000042cc5a in ngx_process_events_and_timers ()

#23 0x0000000000432863 in ngx_worker_process_cycle ()

#24 0x00000000004311a4 in ngx_spawn_process ()

#25 0x0000000000432fff in ngx_master_process_cycle ()

#26 0x000000000041809a in main ()

 

#0  0x0000000000446d30 in ngx_http_write_filter ()

#1  0x00000000004557c1 in ngx_http_chunked_body_filter ()

#2  0x000000000045a323 in ngx_http_gzip_body_filter ()

#3  0x000000000045b0bd in ngx_http_postpone_filter ()

#4  0x000000000045b6d6 in ngx_http_ssi_body_filter ()

#5  0x000000000045f7df in ngx_http_charset_body_filter ()

#6  0x000000000046118c in ngx_http_xslt_body_filter ()

#7  0x0000000000462dc8 in ngx_http_image_body_filter ()

#8  0x000000000046379e in ngx_http_sub_body_filter ()

#9  0x000000000046414b in ngx_http_addition_body_filter ()

#10 0x000000000048f935 in ngx_http_modsecurity_body_filter ()

#11 0x000000000041a992 in ngx_output_chain ()

#12 0x0000000000447303 in ngx_http_copy_filter ()

#13 0x0000000000455b0d in ngx_http_range_body_filter ()

#14 0x000000000043a086 in ngx_http_output_filter ()

#15 0x00000000004410d2 in ngx_http_send_special ()

#16 0x000000000044f95c in ngx_http_upstream_finalize_request ()

#17 0x0000000000450419 in ngx_http_upstream_process_request ()

#18 0x00000000004504d5 in ngx_http_upstream_process_upstream ()

#19 0x00000000004531ce in ngx_http_upstream_process_header ()

#20 0x000000000045090a in ngx_http_upstream_handler ()

#21 0x000000000042cd8a in ngx_event_process_posted ()

#22 0x000000000042cc5a in ngx_process_events_and_timers ()

#23 0x0000000000432863 in ngx_worker_process_cycle ()

#24 0x00000000004311a4 in ngx_spawn_process ()

#25 0x0000000000431dda in ngx_start_worker_processes ()

#26 0x0000000000432d84 in ngx_master_process_cycle ()

#27 0x000000000041809a in main ()

 

(gdb) bt

#0  0x00002aebc10739e4 in _int_malloc () from /lib64/libc.so.6

#1  0x00002aebc107448d in malloc () from /lib64/libc.so.6

#2  0x00002aebc1075169 in posix_memalign () from /lib64/libc.so.6

#3  0x000000000042eff8 in ngx_memalign ()

#4  0x0000000000418bcd in ngx_palloc_block ()

#5  0x0000000000418dd6 in ngx_palloc ()

#6  0x000000000041a4e1 in ngx_alloc_chain_link ()

#7  0x0000000000446cff in ngx_http_write_filter ()

#8  0x00000000004557c1 in ngx_http_chunked_body_filter ()

#9  0x000000000045a323 in ngx_http_gzip_body_filter ()

#10 0x000000000045b0bd in ngx_http_postpone_filter ()

#11 0x000000000045b6d6 in ngx_http_ssi_body_filter ()

#12 0x000000000045f7df in ngx_http_charset_body_filter ()

#13 0x000000000046118c in ngx_http_xslt_body_filter ()

#14 0x0000000000462dc8 in ngx_http_image_body_filter ()

#15 0x000000000046379e in ngx_http_sub_body_filter ()

#16 0x000000000046414b in ngx_http_addition_body_filter ()

#17 0x000000000048f935 in ngx_http_modsecurity_body_filter ()

#18 0x000000000041a992 in ngx_output_chain ()

#19 0x0000000000447303 in ngx_http_copy_filter ()

#20 0x0000000000455b0d in ngx_http_range_body_filter ()

#21 0x000000000043a086 in ngx_http_output_filter ()

#22 0x00000000004410d2 in ngx_http_send_special ()

#23 0x000000000044f95c in ngx_http_upstream_finalize_request ()

#24 0x0000000000450419 in ngx_http_upstream_process_request ()

#25 0x00000000004504d5 in ngx_http_upstream_process_upstream ()

#26 0x00000000004531ce in ngx_http_upstream_process_header ()

#27 0x000000000045090a in ngx_http_upstream_handler ()

#28 0x000000000042cd8a in ngx_event_process_posted ()

#29 0x000000000042cc5a in ngx_process_events_and_timers ()

#30 0x0000000000432863 in ngx_worker_process_cycle ()

#31 0x00000000004311a4 in ngx_spawn_process ()

#32 0x0000000000431dda in ngx_start_worker_processes ()

#33 0x0000000000432d84 in ngx_master_process_cycle ()

#34 0x000000000041809a in main ()