Re: [mod-security-users] Apache hang on https protocol violation
From: Nicola B. <bia...@gm...> - 2008-06-27 09:32:05
Hi Brian,
I greatly appreciate your interest in my problem, thank you.
Tomorrow I've recompiled apache and modsecurity for the external apr/apr-util version.
I've followed these steps:

export AMBIENTE=prod
export XML_VERSIONE=2.6.32
export PCRE_VERSIONE=7.7
export LUA_VERSIONE=5.1.3
export APACHE_VERSIONE=2.2.9
export MODSEC_VERSIONE=2.5.5
export CORERULES_VERSIONE=2.5-1.6.1
export APR_VERSIONE=1.3.2
export APR_UTIL_VERSIONE=1.3.2

cd /tmp
tar xzfv apr-${APR_VERSIONE}.tar.gz
cd apr-${APR_VERSIONE}
./configure --prefix=/opt/waf/bin/apr-${APR_VERSIONE}
make && make test
make install
cd /opt/waf/bin/
rm apr_${AMBIENTE}
ln -s apr-1.3.2 apr_${AMBIENTE}

cd /tmp
tar xzvf apr-util-${APR_UTIL_VERSIONE}.tar.gz
cd apr-util-${APR_UTIL_VERSIONE}
./configure --prefix=/opt/waf/bin/apr-util-${APR_UTIL_VERSIONE} --with-apr=/opt/waf/bin/apr-${APR_VERSIONE}
make && make test
make install
cd /opt/waf/bin
rm apr-util_${AMBIENTE}
ln -s apr-util-${APR_UTIL_VERSIONE} apr-util_${AMBIENTE}

cd /tmp
tar xvfz httpd-${APACHE_VERSIONE}.tar.gz
cd httpd-${APACHE_VERSIONE}/
./configure \
--prefix=/opt/waf/bin/httpd-${APACHE_VERSIONE} \
--with-mpm=worker --enable-so \
--enable-unique-id \
--enable-proxy --enable-proxy-http --enable-proxy-balancer \
--enable-rewrite --enable-headers \
--enable-logio \
--enable-expires \
--enable-ssl \
--enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \
--disable-autoindex --disable-asis --disable-cgi --disable-cgid \
--disable-negotiation --disable-userdir \
--with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \
--with-apr=/opt/waf/bin/apr-${APR_VERSIONE} \
--with-apr-util=/opt/waf/bin/apr-util-${APR_VERSIONE}
make
make install
rm /opt/waf/bin/apache_${AMBIENTE}
ln -s httpd-${APACHE_VERSIONE} /opt/waf/bin/apache_${AMBIENTE}

cd /tmp
tar xvfz modsecurity-apache_${MODSEC_VERSIONE}.tar.gz
cd modsecurity-apache_${MODSEC_VERSIONE}/apache2/
./configure \
--prefix=/opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE} \
--with-apxs=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin/apxs \
--with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \
--with-libxml=/opt/waf/bin/libxml2-${XML_VERSIONE} \
--with-lua=/opt/waf/bin/lua-${LUA_VERSIONE} \
--with-apr=/opt/waf/bin/apr-${APR_VERSIONE} \
--with-apu=/opt/waf/bin/apr-util-${APR_VERSIONE} \
--enable-strict-compile
make && make test
# All tests passed (518).
mkdir -p /opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE}
rm /opt/waf/bin/modsecurity-apache_${AMBIENTE}
ln -s modsecurity-apache_${MODSEC_VERSIONE} /opt/waf/bin/modsecurity-apache_${AMBIENTE}
cp .libs/mod_security2.so /opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE}/
cd mlogc-src/
make
chown -R root:root mlogc
chmod -R go= mlogc
rm -f /opt/waf/mod_security/${AMBIENTE}/bin/mlogc
cp -p mlogc /opt/waf/mod_security/${AMBIENTE}/bin/

##### check
ldd /opt/waf/mod_security/${AMBIENTE}/bin/mlogc
        linux-gate.so.1 =>  (0xffffe000)
        libapr-1.so.0 => /opt/waf/bin/apr-1.3.2/lib/libapr-1.so.0 (0xb7ef3000)
        libcurl.so.3 => /usr/lib/libcurl.so.3 (0xb7ebf000)
        libidn.so.11 => /usr/lib/libidn.so.11 (0xb7e8f000)
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7e52000)
        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7d29000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7d25000)
        libz.so.1 => /lib/libz.so.1 (0xb7d13000)
        libpcre.so.0 => /usr/lib/libpcre.so.0 (0xb7ce7000)
        libpthread.so.0 => /lib/libpthread.so.0 (0xb7cd1000)
        libc.so.6 => /lib/libc.so.6 (0xb7ba5000)
        librt.so.1 => /lib/librt.so.1 (0xb7b9b000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7b68000)
        /lib/ld-linux.so.2 (0xb7f21000)

/opt/waf/bin/apache_${AMBIENTE}/bin/httpd -V
Server version: Apache/2.2.9 (Unix)
Server built:   Jun 27 2008 10:08:36
Server's Module Magic Number: 20051115:15
Server loaded:  APR 1.3.2, APR-Util 1.3.2
Compiled using: APR 1.3.2, APR-Util 1.3.2
Architecture:   32-bit
Server MPM:     Worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/opt/waf/bin/httpd-2.2.9-apr"
 -D SUEXEC_BIN="/opt/waf/bin/httpd-2.2.9-apr/bin/suexec"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
#### end of check

I've started apache without error:

/etc/init.d/apachectl_${AMBIENTE} start

tail -10 /opt/waf/mod_security/${AMBIENTE}/logs/error_log
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] RSA server certificate enables Server Gated Cryptography (SGC)
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] Configuring server for SSL protocol
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] RSA server certificate enables Server Gated Cryptography (SGC)
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] Configuring server for SSL protocol
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] RSA server certificate enables Server Gated Cryptography (SGC)
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] Configuring server for SSL protocol
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] RSA server certificate enables Server Gated Cryptography (SGC)
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] mod_ssl/2.2.9 compiled against Server: Apache/2.2.9, Library: OpenSSL/0.9.8a
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [notice] Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8a Server X configured -- resuming normal operations
Jun 27 11:02:40 ulxbwaf2 httpd[29961]: [info] Server built: Jun 27 2008 10:08:36

tail -10 /opt/waf/mod_security/prod/logs/mlogc-error.log
[Fri Jun 27 10:38:42 2008] [3] [27039/0] ModSecurity Audit Log Collector 1.4.4 started.
[Fri Jun 27 10:38:43 2008] [3] [27048/0] ModSecurity Audit Log Collector 1.4.4 delaying startup for 1000ms
[Fri Jun 27 10:38:43 2008] [3] [27044/0] ModSecurity Audit Log Collector 1.4.4 started.
[Fri Jun 27 10:38:43 2008] [3] [27052/0] ModSecurity Audit Log Collector 1.4.4 delaying startup for 1000ms
[Fri Jun 27 10:38:44 2008] [3] [27048/0] ModSecurity Audit Log Collector 1.4.4 started.
[Fri Jun 27 10:38:44 2008] [3] [27052/0] ModSecurity Audit Log Collector 1.4.4 started.
[Fri Jun 27 11:02:38 2008] [3] [29959/0] ModSecurity Audit Log Collector 1.4.4 delaying startup for 1000ms
[Fri Jun 27 11:02:39 2008] [3] [29962/0] ModSecurity Audit Log Collector 1.4.4 delaying startup for 1000ms
[Fri Jun 27 11:02:39 2008] [3] [29959/0] ModSecurity Audit Log Collector 1.4.4 started.
[Fri Jun 27 11:02:40 2008] [3] [29962/0] ModSecurity Audit Log Collector 1.4.4 started.

ps -ef | grep apache_${AMBIENTE}
root     29961     1  0 11:02 ?        00:00:00 /opt/waf/bin/apache_prod/bin/httpd -f /opt/waf/mod_security/prod/conf/httpd.conf -k start
wwwrun   29964 29961  0 11:02 ?        00:00:00 /opt/waf/bin/apache_prod/bin/httpd -f /opt/waf/mod_security/prod/conf/httpd.conf -k start
wwwrun   29965 29961  0 11:02 ?        00:00:00 /opt/waf/bin/apache_prod/bin/httpd -f /opt/waf/mod_security/prod/conf/httpd.conf -k start

ps -ef | grep mlogc
root     29959     1  0 11:02 pts/2    00:00:00 /opt/jail/opt/waf/mod_security/prod/bin/mlogc /opt/jail/opt/waf/mod_security/prod/bin/mlogc.conf
root     29962 29961  0 11:02 ?        00:00:00 /opt/jail/opt/waf/mod_security/prod/bin/mlogc /opt/jail/opt/waf/mod_security/prod/bin/mlogc.conf
##### always the strange parent shell ....

but apache still hangs !!! Same problem :( ... no log to the console and so on ..
maybe after a weekend of relax I'll be more lucky... ;)

byebye
Nick

PS: no jail ... only a nice to have

On Thu, Jun 26, 2008 at 7:05 PM, Brian Rectanus <Bri...@br...> wrote:

> I still cannot duplicate - sorry. Try recompiling with APR/APU 1.3.2
> and see if that makes a difference for you. Results below...
>
> Nicola Bianchi wrote:
> > Brian,
> > have you tried with httpS request? Without S I don't have hang
> > problems...
>
> $ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
> This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> Licensed to The Apache Software Foundation, http://www.apache.org/
>
> Benchmarking 127.0.1.1 (be patient)
> Completed 1000 requests
> Completed 2000 requests
> Completed 3000 requests
> Completed 4000 requests
> Completed 5000 requests
> Completed 6000 requests
> Completed 7000 requests
> Completed 8000 requests
> Completed 9000 requests
> Completed 10000 requests
> Finished 10000 requests
>
>
> Server Software:        FooBar/1.2.3
> Server Hostname:        127.0.1.1
> Server Port:            8100
> SSL/TLS Protocol:       TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
>
> Document Path:          /cgi-bin/dump
> Document Length:        226 bytes
>
> Concurrency Level:      1000
> Time taken for tests:   121.536 seconds
> Complete requests:      10000
> Failed requests:        0
> Write errors:           0
> Non-2xx responses:      10303
> Keep-Alive requests:    0
> Total transferred:      4072344 bytes
> HTML transferred:       2300228 bytes
> Requests per second:    82.28 [#/sec] (mean)
> Time per request:       12153.563 [ms] (mean)
> Time per request:       12.154 [ms] (mean, across all concurrent requests)
> Transfer rate:          32.72 [Kbytes/sec] received
>
> Connection Times (ms)
>               min  mean[+/-sd] median   max
> Connect:      115 7139 10962.6   4574   98384
> Processing:     4 4075  1088.8   4217    6623
> Waiting:        3 1254   652.5   1270    3484
> Total:        174 11214 11049.4  9159  102880
>
> Percentage of the requests served within a certain time (ms)
>   50%   9159
>   66%   9953
>   75%  10954
>   80%  11610
>   90%  17395
>   95%  19417
>   98%  30490
>   99%  99874
>  100%  102880 (longest request)
>
>
> > My compiling configurations:
> >
> > ################################################################
> > tar xvfz httpd-${APACHE_VERSIONE}.tar.gz
> > cd httpd-${APACHE_VERSIONE}/
> > ./configure \
> > --prefix=/opt/waf/bin/httpd-${APACHE_VERSIONE} \
> > --with-mpm=worker --enable-so \
> > --enable-unique-id \
> > --enable-proxy --enable-proxy-http --enable-proxy-balancer \
> > --enable-rewrite --enable-headers \
> > --enable-logio \
> > --enable-expires \
> > --enable-ssl \
> > --enable-deflate --enable-cache --enable-disk-cache --enable-mem-cache \
> > --disable-autoindex --disable-asis --disable-cgi --disable-cgid \
> > --disable-negotiation --disable-userdir \
> > --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE}
> > ################################################################
> >
> > ################################################################
> > cd modsecurity-apache_${MODSEC_VERSIONE}/apache2/
> > ./configure \
> > --prefix=/opt/waf/bin/modsecurity-apache_${MODSEC_VERSIONE} \
> > --with-apxs=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin/apxs \
> > --with-apr=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
> > --with-apu=/opt/waf/bin/httpd-${APACHE_VERSIONE}/bin \
> > --with-pcre=/opt/waf/bin/pcre-${PCRE_VERSIONE} \
> > --with-libxml=/opt/waf/bin/libxml2-${XML_VERSIONE} \
> > --with-lua=/opt/waf/bin/lua-${LUA_VERSIONE} \
> > --enable-strict-compile
> > ################################################################
>
> And compiled your way (mostly - I am still 64 bit):
>
> Mine is faster, BTW - kidding ;)
>
> $ httpd -V
> Server version: Apache/2.2.9 (Unix)
> Server built:   Jun 26 2008 09:56:07
> Server's Module Magic Number: 20051115:15
> Server loaded:  APR 1.3.0, APR-Util 1.3.0
> Compiled using: APR 1.3.0, APR-Util 1.3.0
> Architecture:   64-bit
> Server MPM:     Worker
>   threaded:     yes (fixed thread count)
>     forked:     yes (variable process count)
> Server compiled with....
>  -D APACHE_MPM_DIR="server/mpm/worker"
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_SYSVSEM_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D DYNAMIC_MODULE_LIMIT=128
>  -D HTTPD_ROOT="/apps/httpd-2.2.9-nicola"
>  -D SUEXEC_BIN="/apps/httpd-2.2.9-nicola/bin/suexec"
>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>  -D DEFAULT_ERRORLOG="logs/error_log"
>  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
>
> $ httpd -l
> Compiled in modules:
>   core.c
>   mod_authn_file.c
>   mod_authn_default.c
>   mod_authz_host.c
>   mod_authz_groupfile.c
>   mod_authz_user.c
>   mod_authz_default.c
>   mod_auth_basic.c
>   mod_cache.c
>   mod_disk_cache.c
>   mod_mem_cache.c
>   mod_include.c
>   mod_filter.c
>   mod_deflate.c
>   mod_log_config.c
>   mod_logio.c
>   mod_env.c
>   mod_expires.c
>   mod_headers.c
>   mod_unique_id.c
>   mod_setenvif.c
>   mod_proxy.c
>   mod_proxy_connect.c
>   mod_proxy_ftp.c
>   mod_proxy_http.c
>   mod_proxy_ajp.c
>   mod_proxy_balancer.c
>   mod_ssl.c
>   worker.c
>   http_core.c
>   mod_mime.c
>   mod_status.c
>   mod_dir.c
>   mod_actions.c
>   mod_alias.c
>   mod_rewrite.c
>   mod_so.c
>
> $ ab -k -c 1000 -n 10000 https://127.0.1.1:8100/cgi-bin/dump
> This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> Licensed to The Apache Software Foundation, http://www.apache.org/
>
> Benchmarking 127.0.1.1 (be patient)
> Completed 1000 requests
> Completed 2000 requests
> Completed 3000 requests
> Completed 4000 requests
> Completed 5000 requests
> Completed 6000 requests
> Completed 7000 requests
> Completed 8000 requests
> Completed 9000 requests
> Completed 10000 requests
> Finished 10000 requests
>
>
> Server Software:
> Server Hostname:        127.0.1.1
> Server Port:            8100
> SSL/TLS Protocol:       TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256
>
> Document Path:          /cgi-bin/dump
> Document Length:        226 bytes
>
> Concurrency Level:      1000
> Time taken for tests:   123.303 seconds
> Complete requests:      10000
> Failed requests:        0
> Write errors:           0
> Non-2xx responses:      10313
> Keep-Alive requests:    0
> Total transferred:      3854410 bytes
> HTML transferred:       2307460 bytes
> Requests per second:    81.10 [#/sec] (mean)
> Time per request:       12330.260 [ms] (mean)
> Time per request:       12.330 [ms] (mean, across all concurrent requests)
> Transfer rate:          30.53 [Kbytes/sec] received
>
> Connection Times (ms)
>               min  mean[+/-sd] median   max
> Connect:      203 7297  8204.7   5242   99241
> Processing:    26 4395  1357.0   4492    7688
> Waiting:        7 1384   728.3   1404    4157
> Total:        846 11692  8415.4  10091  103464
>
> Percentage of the requests served within a certain time (ms)
>   50%  10091
>   66%  11590
>   75%  12576
>   80%  13366
>   90%  17806
>   95%  19963
>   98%  30589
>   99%  56842
>  100%  103464 (longest request)
>
>
> > On Thu, Jun 26, 2008 at 1:38 AM, Brian Rectanus
> > <Bri...@br...> wrote:
> >
> > Nick,
> >
> > I was not able to duplicate this. Below I have 2.2.9 apache running as
> > a reverse proxy with modsecurity 2.5.5 and core rules 1.6.1 and mlogc
> > running to a console. Each request produced an alert about the IP in
> > the host header. Additionally, I up'ed the ab test considerably. I
> > also tried mis-configuring mlogc in various ways, but these yielded
> > similar results.
> >
> > There are some differences in our setups. I have most modules as
> > modules vs compiled in as you have them. I am also running 64bit. But
> > I do not think these should make that much difference.
> >
> > If you would send me the exact configure options you used with your
> > 2.2.9 apache I will compile one here and test if you want.
> >
> >
> > $ httpd -V
> > Server version: Apache/2.2.9 (Unix)
> > Server built:   Jun 25 2008 16:25:03
> > Server's Module Magic Number: 20051115:15
> > Server loaded:  APR 1.3.0, APR-Util 1.3.0
> > Compiled using: APR 1.3.0, APR-Util 1.3.0
> > Architecture:   64-bit
> > Server MPM:     Worker
> >   threaded:     yes (fixed thread count)
> >     forked:     yes (variable process count)
> > Server compiled with....
> >  -D APACHE_MPM_DIR="server/mpm/worker"
> >  -D APR_HAS_SENDFILE
> >  -D APR_HAS_MMAP
> >  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> >  -D APR_USE_SYSVSEM_SERIALIZE
> >  -D APR_USE_PTHREAD_SERIALIZE
> >  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> >  -D APR_HAS_OTHER_CHILD
> >  -D AP_HAVE_RELIABLE_PIPED_LOGS
> >  -D DYNAMIC_MODULE_LIMIT=128
> >  -D HTTPD_ROOT="/apps/httpd-2.2.9"
> >  -D SUEXEC_BIN="/apps/httpd-2.2.9/bin/suexec"
> >  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> >  -D DEFAULT_ERRORLOG="logs/error_log"
> >  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> >  -D SERVER_CONFIG_FILE="conf/httpd.conf"
> >
> > $ httpd -l
> > Compiled in modules:
> >   core.c
> >   worker.c
> >   http_core.c
> >   mod_so.c
> >
> > $ ab -k -c 1000 -n 10000 http://127.0.1.1:8100/cgi-bin/dump
> > This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> > Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> > Licensed to The Apache Software Foundation, http://www.apache.org/
> >
> > Benchmarking 127.0.1.1 (be patient)
> > Completed 1000 requests
> > Completed 2000 requests
> > Completed 3000 requests
> > Completed 4000 requests
> > Completed 5000 requests
> > Completed 6000 requests
> > Completed 7000 requests
> > Completed 8000 requests
> > Completed 9000 requests
> > Completed 10000 requests
> > Finished 10000 requests
> >
> >
> > Server Software:        FooBar/1.2.3
> > Server Hostname:        127.0.1.1
> > Server Port:            8100
> >
> > Document Path:          /cgi-bin/dump
> > Document Length:        226 bytes
> >
> > Concurrency Level:      1000
> > Time taken for tests:   44.678 seconds
> > Complete requests:      10000
> > Failed requests:        0
> > Write errors:           0
> > Non-2xx responses:      10000
> > Keep-Alive requests:    0
> > Total transferred:      3980000 bytes
> > HTML transferred:       2260000 bytes
> > Requests per second:    223.82 [#/sec] (mean)
> > Time per request:       4467.792 [ms] (mean)
> > Time per request:       4.468 [ms] (mean, across all concurrent requests)
> > Transfer rate:          86.99 [Kbytes/sec] received
> >
> > Connection Times (ms)
> >               min  mean[+/-sd] median   max
> > Connect:        0  469  1819.0      0   20999
> > Processing:     3 3814  4000.3   2614   27551
> > Waiting:        3 3258  3543.1   2191   26116
> > Total:          3 4283  4748.7   3025   36558
> >
> > Percentage of the requests served within a certain time (ms)
> >   50%   3025
> >   66%   4818
> >   75%   6226
> >   80%   7324
> >   90%  10264
> >   95%  13155
> >   98%  18743
> >   99%  23293
> >  100%  36558 (longest request)
> >
> >
> > Nicola Bianchi wrote:
> > > Hi Brian,
> > > here the information that you require!
> > > If you need additional info just tell me...
> > >
> > > Thank you a lot for the help ;)
> > > Regards.
> > > Nick
> > >
> > > ##### grep -v "^#" modsecurity_crs_10_config.conf | grep ..
> > > SecRuleEngine On
> > > SecRequestBodyAccess On
> > > SecResponseBodyAccess On
> > > SecResponseBodyMimeType (null) text/html text/plain text/xml
> > > SecResponseBodyLimit 524288
> > > SecServerSignature "Apache/2.2.0 (Fedora)"
> > > SecComponentSignature "core ruleset/1.6.1"
> > > SecUploadDir /tmp
> > > SecUploadKeepFiles Off
> > > SecAuditEngine RelevantOnly
> > > SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> > > SecAuditLogType Serial
> > > SecAuditLog logs/modsec_audit.log
> > > SecAuditLogParts "ABIFHKZ"
> > > SecArgumentSeparator "&"
> > > SecCookieFormat 0
> > > SecRequestBodyInMemoryLimit 131072
> > > SecDebugLog logs/modsec_debug.log
> > > SecDebugLogLevel 1
> > > SecDataDir /tmp
> > > SecTmpDir /tmp
> > >
> > >
> > > ##### grep -v "^#" modsecurity_crs_15_cb_config.conf | grep ..
> > > SecRuleEngine On
> > > SecRequestBodyAccess On
> > > SecResponseBodyAccess On
> > > SecResponseBodyMimeType (null) text/html text/plain text/xml
> > > SecDefaultAction "phase:2,log,auditlog,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
> > > SecServerSignature "Server X"
> > > SecUploadDir /opt/jail/tmp
> > > SecAuditLogType Concurrent
> > > SecAuditLog "|bin/mlogc /opt/waf/mod_security/prod/bin/mlogc.conf"
> > > SecAuditLogStorageDir logs/modsec_audit/
> > > SecDebugLogLevel 0
> > > SecDataDir /opt/jail/tmp
> > > SecTmpDir /opt/jail/tmp
> > >
> > >
> > > ##### /opt/waf/bin/apache_prod/bin/httpd -V
> > > Server version: Apache/2.2.9 (Unix)
> > > Server built:   Jun 18 2008 11:18:47
> > > Server's Module Magic Number: 20051115:15
> > > Server loaded:  APR 1.3.0, APR-Util 1.3.0
> > > Compiled using: APR 1.3.0, APR-Util 1.3.0
> > > Architecture:   32-bit
> > > Server MPM:     Worker
> > >   threaded:     yes (fixed thread count)
> > >     forked:     yes (variable process count)
> > > Server compiled with....
> > >  -D APACHE_MPM_DIR="server/mpm/worker"
> > >  -D APR_HAS_SENDFILE
> > >  -D APR_HAS_MMAP
> > >  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> > >  -D APR_USE_SYSVSEM_SERIALIZE
> > >  -D APR_USE_PTHREAD_SERIALIZE
> > >  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> > >  -D APR_HAS_OTHER_CHILD
> > >  -D AP_HAVE_RELIABLE_PIPED_LOGS
> > >  -D DYNAMIC_MODULE_LIMIT=128
> > >  -D HTTPD_ROOT="/opt/waf/bin/httpd-2.2.9"
> > >  -D SUEXEC_BIN="/opt/waf/bin/httpd-2.2.9/bin/suexec"
> > >  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> > >  -D DEFAULT_ERRORLOG="logs/error_log"
> > >  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> > >  -D SERVER_CONFIG_FILE="conf/httpd.conf"
> > >
> > >
> > > ##### /opt/waf/bin/apache_prod/bin/httpd -l
> > > Compiled in modules:
> > >   core.c
> > >   mod_authn_file.c
> > >   mod_authn_default.c
> > >   mod_authz_host.c
> > >   mod_authz_groupfile.c
> > >   mod_authz_user.c
> > >   mod_authz_default.c
> > >   mod_auth_basic.c
> > >   mod_cache.c
> > >   mod_disk_cache.c
> > >   mod_mem_cache.c
> > >   mod_include.c
> > >   mod_filter.c
> > >   mod_deflate.c
> > >   mod_log_config.c
> > >   mod_logio.c
> > >   mod_env.c
> > >   mod_expires.c
> > >   mod_headers.c
> > >   mod_unique_id.c
> > >   mod_setenvif.c
> > >   mod_proxy.c
> > >   mod_proxy_connect.c
> > >   mod_proxy_ftp.c
> > >   mod_proxy_http.c
> > >   mod_proxy_ajp.c
> > >   mod_proxy_balancer.c
> > >   mod_ssl.c
> > >   worker.c
> > >   http_core.c
> > >   mod_mime.c
> > >   mod_status.c
> > >   mod_dir.c
> > >   mod_actions.c
> > >   mod_alias.c
> > >   mod_rewrite.c
> > >   mod_so.c
> > >
> > >
> > > ##### grep -v "^#" httpd-mpm.conf | grep ..
> > > <IfModule !mpm_netware_module>
> > >     PidFile "logs/httpd.pid"
> > > </IfModule>
> > > <IfModule !mpm_winnt_module>
> > > <IfModule !mpm_netware_module>
> > >     LockFile "logs/accept.lock"
> > > </IfModule>
> > > </IfModule>
> > > <IfModule mpm_worker_module>
> > >     StartServers         5
> > >     MaxClients         400
> > >     MinSpareThreads     25
> > >     MaxSpareThreads     75
> > >     ThreadsPerChild     25
> > >     MaxRequestsPerChild 1000
> > > </IfModule>
> > >
> > >
> > > #### grep KeepAlive httpd-default.conf | grep -v "^#"
> > > KeepAlive On
> > > MaxKeepAliveRequests 100
> > > KeepAliveTimeout 5
> > >
> > >
> > > #### cat vhosts.d/www.mysite.com.conf
> > >
> > > <VirtualHost 192.168.168.100:80>
> > >     ServerName www.mysite.com
> > >     ServerAlias mysite.com
> > >
> > >     # Log files
> > >     # ErrorLog logs/www.mysite.com-error_log
> > >     # CustomLog logs/www.mysite.com-access_log combined
> > >
> > >     # Add ClientIP to the Request Headers
> > >     RewriteEngine On
> > >     RewriteCond %{REMOTE_ADDR} (.*)
> > >     RewriteRule .* - [E=R_A:%1]
> > >     RequestHeader add ClientIP %{R_A}e
> > >
> > >     # Send all pages except the manut one to the internal web server
> > >     ProxyPreserveHost On
> > >     ProxyPass /manut.html !
> > >     ProxyPass / http://www.mysite.com/
> > >     ProxyPassReverse / http://www.mysite.com/
> > >
> > >     # ModSecurity specific rules (no additional rules enabled for the moment)
> > >     Include conf/rules.d/www.mysite.com.rules
> > > </VirtualHost>
> > >
> > > <VirtualHost 192.168.168.100:443>
> > >     ServerName www.mysite.com
> > >     ServerAlias mysite.com
> > >
> > >     # Log files
> > >     # ErrorLog logs/www.mysite.com-error_log
> > >     # CustomLog logs/www.mysite.com-access_log combined
> > >
> > >     # SSL config
> > >     SSLEngine on
> > >     SSLProtocol All -SSLv2
> > >     SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
> > >     SSLCertificateFile conf/cert/www.mysite.com.crt
> > >     SSLCertificateKeyFile conf/cert/www.mysite.com.key
> > >     SSLCertificateChainFile conf/cert/Verisign04.crt
> > >
> > >     # Add ClientIP to the Request Headers
> > >     RewriteEngine On
> > >     RewriteCond %{REMOTE_ADDR} (.*)
> > >     RewriteRule .* - [E=R_A:%1]
> > >     RequestHeader add ClientIP %{R_A}e
> > >
> > >     # Send all pages except the manut one to the internal web server
> > >     ProxyPreserveHost On
> > >     ProxyPass /manut.html !
> > >     ProxyPass / http://www.mysite.com/
> > >     ProxyPassReverse / http://www.mysite.com/
> > >
> > >     # ModSecurity specific rules (no additional rules enabled for the moment)
> > >     Include conf/rules.d/www.mysite.com.rules
> > > </VirtualHost>
> > >
> > >
> > > In attach the error_log of a test with:
> > > #### ./ab -k -c 200 -n 2000 https://192.168.168.100/
> > > Hang after 272 request... (restart of apache needed!)
> > >
> > >
> > > #### top -d 1 (snapshot in the half of test)
> > > Tasks: 240 total,   1 running, 237 sleeping,   0 stopped,   2 zombie
> > > Cpu(s):  9.5%us,  0.5%sy,  0.0%ni, 75.4%id, 14.4%wa,  0.0%hi,  0.2%si,  0.0%st
> > > Mem:   5185028k total,  1462924k used,  3722104k free,     2832k buffers
> > > Swap:  4194296k total,        0k used,  4194296k free,  1130024k cached
> > >
> > >   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> > >  9302 wwwrun    18   0  233m  11m 2332 S    6  0.2   0:00.44 httpd
> > >  9388 wwwrun    16   0  233m  10m 2232 S    5  0.2   0:00.27 httpd
> > >  9332 wwwrun    16   0  234m  10m 2312 S    4  0.2   0:00.32 httpd
> > >  9532 wwwrun    16   0  231m 9144 2240 S    4  0.2   0:00.11 httpd
> > >  9392 wwwrun    16   0  234m  10m 2232 S    3  0.2   0:00.29 httpd
> > >  9498 wwwrun    17   0  231m 9856 2296 S    3  0.2   0:00.13 httpd
> > >  9499 wwwrun    17   0  230m 9100 2264 S    3  0.2   0:00.08 httpd
> > >  9600 wwwrun    21   0  230m 9140 2272 S    3  0.2   0:00.08 httpd
> > >  9386 wwwrun    15   0  232m  10m 2284 S    2  0.2   0:00.20 httpd
> > >  9390 wwwrun    16   0  234m  10m 2220 S    2  0.2   0:00.23 httpd
> > >  9530 wwwrun    16   0  230m 9056 2264 S    2  0.2   0:00.09 httpd
> > >  1024 root      10  -5     0    0    0 S    1  0.0   0:02.81 xfsdatad/0
> > >  9330 wwwrun    16   0  234m  10m 2288 S    1  0.2   0:00.30 httpd
> > >  9505 wwwrun    16   0  230m 9124 2224 S    1  0.2   0:00.09 httpd
> > >     1 root      16   0   732  284  244 S    0  0.0   0:02.00 init
> > >     2 root      RT   0     0    0    0 S    0  0.0   0:00.74 migration/0
> > >     3 root      34  19     0    0    0 S    0  0.0   0:00.05 ksoftirqd/0
> > >
> > >
> > > On Tue, Jun 24, 2008 at 7:18 PM, Brian Rectanus
> > > <Bri...@br...> wrote:
> > >
> > > Nicola,
> > >
> > > I need to be able to duplicate this problem. Would you please send your
> > > settings for Apache and modsecurity?
> > >
> > > For ModSecurity, I need your config settings (usually in
> > > modsecurity_crs_10_config.conf) and which other files you are including.
> > >
> > > For Apache I at least need these:
> > >
> > > 1. Output from "httpd -V" and "httpd -l"
> > >
> > > 2. Values for the following directives:
> > >
> > >    ServerLimit
> > >    StartServers
> > >    MaxClients
> > >    MinSpareThreads
> > >    MaxSpareThreads
> > >    ThreadsPerChild
> > >    MaxRequestsPerChild
> > >    MaxRequestsPerThread
> > >    KeepAlive
> > >    KeepAliveTimeout
> > >
> > > 3. As well as your config for proxying (Balancer, ProxyPass, etc)?
> > >
> > > 4. Additionally, your entire error_log at at least level "info" (cleared
> > > before the test), the server-status output during (or near) the hang and
> > > CPU/Mem usage stats during the test would be nice as well.
> > >
> > > thanks,
> > > -B
> > >
> > >
> > > Ivan Ristic wrote:
> > > > Hi Nicola,
> > > >
> > > > We'll have to try to reproduce your problem somehow, as it doesn't
> > > > happen in my tests. I've been using ab constantly over the years for
> > > > testing, and I don't recall any problems either.
> > > >
> > > > Are you using mlogc or any other mechanism to transmit alerts elsewhere?
> > > >
> > > >
> > > > On Mon, Jun 23, 2008 at 2:51 PM, Nicola Bianchi <bia...@gm...> wrote:
> > > >> Hi people,
> > > >> I'm a new modsecurity user and I've a problem which maybe some of you can
> > > >> resolve ;).
> > > >>
> > > >> My configuration is: reverse proxy (http/https) with apache 2.2.9 and
> > > >> modsecurity 2.5.5 (core rules 2.5-1.6.1) on Linux SUSE SLES10.
> > > >> Hardware: 2CPU dual core Intel(R) Xeon(R) @ 2.33GHz, 4GB of RAM
> > > >>
> > > >> If I try this benchmark all works fine, without problem:
> > > >> ab -k -c 200 -n 8000 http://www.mysite.com/
> > > >> ab -k -c 200 -n 8000 https://www.mysite.com/
> > > >>
> > > >> ... no lost requests, no particular delay.
> > > >>
> > > >> The problem comes out if I try to do a "DOS attack" pointing directly to the
> > > >> ip address of mysite in https
> > > >> After a few requests (~200) apache hangs and stops responding ...
> > > >>
> > > >> ab -k -c 200 -n 8000 https://192.168.168.100/).
> > > >>
> > > >> #############################################################################
> > > >> # This is ApacheBench, Version 2.3 <$Revision: 655654 $>
> > > >> # Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> > > >> # Licensed to The Apache Software Foundation, http://www.apache.org/
> > > >> #
> > > >> # Benchmarking 192.168.168.100 (be patient)
> > > >> # Completed 200 requests
> > > >> # apr_poll: The timeout specified has expired (70007)
> > > >> # Total of 272 requests completed
> > > >> #############################################################################
> > > >>
> > > >> Here an extract from the logs:
> > > >>
> > > >> #############################################################################
> > > >> Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168]
> > > >> ModSecurity: Access denied with code 400 (phase 2). Pattern match
> > > >> "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file
> > > >> "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"]
> > > >> [line "60"] [id "960017"] [msg "Host header is a numeric IP address"]
> > > >> [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname
> > > >> "192.168.168.100"] [uri "/"] [unique_id "SF@XssIL0NIAAB@ncMAAAACI"]
> > > >> #############################################################################
> > > >>
> > > >> If I turn off modsecurity (SecRuleEngine Off) and I repeat the test I don't
> > > >> have the problem!
> > > >> If I disable the specific rule (SecRuleRemoveById "960017") all works fine!
> > > >>
> > > >> So, have you some idea about this issue?
> > > >> How can I prevent this kind of "DOS attack"?
> > > >>
> > > >> Thanks a lot! Regards
> > > >> Nick
> > > >>
> > > >> PS: sorry for my ridiculous english ;)
> > > >>
> > > >> -------------------------------------------------------------------------
> > > >> Check out the new SourceForge.net Marketplace.
> > > >> It's the best place to buy or sell services for
> > > >> just about anything Open Source.
> > > >> http://sourceforge.net/services/buy/index.php
> > > >> _______________________________________________
> > > >> mod-security-users mailing list
> > > >> mod...@li...
> > > >> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > >>
> > > >
> > > >
> > > >
> > > > --
> > > > Ivan Ristic
> > >
> > >
> > > --
> > > Brian Rectanus
> > > Breach Security
> >
> >
> > --
> > Brian Rectanus
> > Breach Security
>
>
> --
> Brian Rectanus
> Breach Security
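The alert line Nick quotes is the one piece of hard evidence in the thread, and under a load test like his there will be hundreds of them, so it helps to have a parser that turns the error_log format ModSecurity 2.x writes into structured records and aggregates them by rule id and client. The script below is an added example, not code from the thread, from ModSecurity or from the Core Rule Set. The first sample line reproduces the 960017 alert exactly as quoted; the other sample lines are constructed variants (client addresses, PIDs, timestamps, the `[id "1"]` rule in `www.mysite.com.rules`, and the unique_ids are made up). `host_header_matches_960017` applies the pattern exactly as it appears in the quoted alert; the rule file itself is not on the page, so no claim is made about what the real rule contains beyond that pattern.

```python
"""Parse ModSecurity 2.x alert lines out of an Apache error_log and summarise
which rules fired, for which clients, and whether the request was blocked.

Added example, not code from the thread, ModSecurity or the Core Rule Set.
"""
import re
from collections import Counter

# Constructed sample log. Line 1 reproduces the alert quoted in the thread;
# lines 2, 3 and 5 are assumed variants of it, line 4 is a non-ModSecurity line.
SAMPLE_LOG = [
    r'Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168] '
    r'ModSecurity: Access denied with code 400 (phase 2). Pattern match '
    r'"^[\\d\\.]+$" at REQUEST_HEADERS:Host. '
    r'[file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] '
    r'[line "60"] [id "960017"] [msg "Host header is a numeric IP address"] '
    r'[severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] '
    r'[hostname "192.168.168.100"] [uri "/"] [unique_id "SF@XssIL0NIAAB@ncMAAAACI"]',
    # constructed: same rule, second client
    r'Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.169] '
    r'ModSecurity: Access denied with code 400 (phase 2). Pattern match '
    r'"^[\\d\\.]+$" at REQUEST_HEADERS:Host. '
    r'[file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] '
    r'[line "60"] [id "960017"] [msg "Host header is a numeric IP address"] '
    r'[severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] '
    r'[hostname "192.168.168.100"] [uri "/"] [unique_id "AAAAAAAAAAAAAAAAAAAAAA"]',
    # constructed: a non-blocking (Warning) hit from a hypothetical local rule
    r'Jun 23 14:31:48 ulxbwaf httpd[8104]: [error] [client 192.168.168.170] '
    r'ModSecurity: Warning. Pattern match "manut" at REQUEST_URI. '
    r'[file "/opt/waf/mod_security/prod/conf/rules.d/www.mysite.com.rules"] '
    r'[line "1"] [id "1"] [msg "constructed test rule"] '
    r'[hostname "www.mysite.com"] [uri "/manut.html"] [unique_id "BBBBBBBBBBBBBBBBBBBBBB"]',
    # not a ModSecurity alert at all
    r'Jun 23 14:31:48 ulxbwaf httpd[8103]: [info] Configuring server for SSL protocol',
    # constructed: first client again
    r'Jun 23 14:31:49 ulxbwaf httpd[8103]: [error] [client 192.168.168.168] '
    r'ModSecurity: Access denied with code 400 (phase 2). Pattern match '
    r'"^[\\d\\.]+$" at REQUEST_HEADERS:Host. '
    r'[file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] '
    r'[line "60"] [id "960017"] [msg "Host header is a numeric IP address"] '
    r'[severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] '
    r'[hostname "192.168.168.100"] [uri "/"] [unique_id "CCCCCCCCCCCCCCCCCCCCCC"]',
]

# syslog-style prefix as in the thread: "Mon DD HH:MM:SS host httpd[pid]: [level] [client ip] ModSecurity: ..."
HEADER_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'httpd\[(?P<pid>\d+)\]: \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<body>.*)$'
)
DENY_RE = re.compile(r'^Access denied with code (?P<status>\d+)')
PHASE_RE = re.compile(r'\(phase (?P<phase>\d)\)')
# the trailing [key "value"] fields; the quoted match pattern is not in this shape
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')

# The pattern exactly as quoted in the alert (error_log doubles backslashes).
# Note that, as quoted, the class has no ':' so a Host value with an explicit
# port would not match it.
RULE_960017_RE = re.compile(r'^[\d\.]+$')


def host_header_matches_960017(value):
    """True if a Host header value matches the pattern quoted in the alert."""
    return RULE_960017_RE.match(value) is not None


def parse_alert(line):
    """Return a dict for a ModSecurity alert line, or None for any other line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ('ts', 'host', 'pid', 'level', 'client')}
    body = m.group('body')
    deny = DENY_RE.match(body)
    phase = PHASE_RE.search(body)
    rec['blocked'] = deny is not None
    rec['status'] = int(deny.group('status')) if deny else None
    rec['phase'] = int(phase.group('phase')) if phase else None
    rec['tags'] = []
    for key, val in FIELD_RE.findall(body):
        if key == 'tag':          # a rule may carry several tags
            rec['tags'].append(val)
        else:
            rec[key] = val
    return rec


def summarise(lines):
    """Hits per rule id, blocking hits per client, and the Host values that
    tripped rule 960017."""
    by_rule, blocked_by_client, numeric_hosts = Counter(), Counter(), set()
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        by_rule[rec.get('id', '?')] += 1
        if rec['blocked']:
            blocked_by_client[rec['client']] += 1
        if rec.get('id') == '960017':
            numeric_hosts.add(rec.get('hostname'))
    return by_rule, blocked_by_client, numeric_hosts


if __name__ == '__main__':
    rules, clients, hosts = summarise(SAMPLE_LOG)
    print('hits per rule:', dict(rules))
    print('blocked per client:', dict(clients))
    print('Host values caught by 960017:', sorted(hosts))
```

Run it against a real error_log with `summarise(open(path))`; the per-client counter is what you want when deciding whether the traffic that trips 960017 is a single source worth dropping upstream of Apache rather than handing every one of its connections to mod_ssl and ModSecurity first.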