From: David Christensen <toastedpenguinbrew@gmail.com>
Reply-To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Date: Thursday, September 12, 2013 3:51 PM
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: [mod-security-users] Using recommended conf with nginx causes system to swap and CPU load to increase

I am new to Modsecurity, trying to use 2.7.5 with nginx 1.4.1 on CentOS 6.4 and i am using the recommended modecurity.conf that was part of the source files.

nginx is setup as a reverse caching proxy to tomcat 7.0.42 and it is setup for SSL using openssl 1.0.1e.

When I enable modsecurity and make a single request for the site nginx is the proxy for, everything seems ok, but when I access the sign in page for the site and enter an incorrect login and password and submit it the system immediately starts to to swap and the CPU load increases.  The site never responds to the request and eventually times out.

When I do the same thing without modsecurity enabled the site immediately returns a failed login attempt.

Any idea why modesecurity would cause something like this?

Thanks,
David

David,
Based on what you are describing, perhaps there is something in the response that is triggering an outbound inspection rule.  Are there any messages in the error log file or in the ModSecurity audit log file?

Does it work fine if the authentication is successful?  

If you set the SecResponseBodyAccess Off, does the problem go away?

-Ryan



This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.