Ryan,

I enabled debug logging in nginx, but I don't see anything in the log files when a request occurs during this failure condition. Other than the standard startup messages related to modsecurity after nginx starts, there is nothing else in the nginx logs pertaining to modsecurity, and the modsec_audit.log is empty. Is there a way to make modsecurity logging more verbose?

I tested both with a successful log in and with a failed log in; it caused the same issue.

Do I set the SecResponseBodyAccess Off in any particular place in the nginx conf file?

David


On Thu, Sep 12, 2013 at 3:06 PM, Ryan Barnett <RBarnett@trustwave.com> wrote:

From: David Christensen <toastedpenguinbrew@gmail.com>
Reply-To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Date: Thursday, September 12, 2013 3:51 PM
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: [mod-security-users] Using recommended conf with nginx causes system to swap and CPU load to increase

I am new to ModSecurity, trying to use 2.7.5 with nginx 1.4.1 on CentOS 6.4, and I am using the recommended modsecurity.conf that was part of the source files.

nginx is set up as a reverse caching proxy to tomcat 7.0.42 and it is set up for SSL using openssl 1.0.1e.

When I enable modsecurity and make a single request for the site nginx is the proxy for, everything seems ok, but when I access the sign in page for the site and enter an incorrect login and password and submit it, the system immediately starts to swap and the CPU load increases. The site never responds to the request and eventually times out.

When I do the same thing without modsecurity enabled the site immediately returns a failed login attempt.

Any idea why modsecurity would cause something like this?

Thanks,
David

David,
Based on what you are describing, perhaps there is something in the response that is triggering an outbound inspection rule.  Are there any messages in the error log file or in the ModSecurity audit log file?

Does it work fine if the authentication is successful?  

If you set the SecResponseBodyAccess Off, does the problem go away?

-Ryan
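
The two settings asked about in this thread, shown as an added example that is not part of the original messages. In the ModSecurity 2.7.x nginx module the `Sec*` directives go in the ModSecurity configuration file that nginx.conf references through `ModSecurityConfig`, not in nginx.conf itself; the log paths below are assumptions.

```apache
# modsecurity.conf, the file nginx.conf points to with:
#   ModSecurityEnabled on;
#   ModSecurityConfig modsecurity.conf;
# Added example; file paths are assumptions, adjust to the local layout.

# Stop buffering and inspecting response bodies, to test whether
# outbound (response) inspection is what drives the memory and CPU use.
SecResponseBodyAccess Off

# Verbose per-transaction debug log. Level 9 logs everything and is
# very slow, so enable it only while reproducing the problem and set
# it back to 0 afterwards.
SecDebugLog /var/log/modsec_debug.log
SecDebugLogLevel 9

# Audit every transaction while testing, so that modsec_audit.log gets
# an entry even when no rule matches. The recommended file ships with
# RelevantOnly, which records only transactions that triggered a rule
# or returned a matching status code.
SecAuditEngine On
SecAuditLog /var/log/modsec_audit.log
```

The nginx worker user needs write permission on both log files, and nginx has to be reloaded for the changes to take effect.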


