[mod-security-users] The Apache reverse proxy server with mod security hang
From: Ruiyuan J. <Rui...@li...> - 2010-03-25 19:25:46
Hi, all

I have two Apache reverse proxy servers that have the same hardware: SunFire V210, 2 GB RAM, 2 SPARC CPUs and Solaris 10 with the same patch bundle installed. One of them has Apache 2.2.14 (pre-compiled by an internet user) and mod_security 2.5.11 (disabled) installed. The other has Apache 2.2.15 (compiled by me for now) and mod_security 2.5.12 with CRS 2.0.6.

The server with Apache 2.2.14 runs fine, no problem. The server with Apache 2.2.15 and mod security 2.5.12 runs out of swap space frequently. The Apache error log shows it can't fork out a new process. Since one has no problem and one has a problem, I would think mod security caused the problem. Does mod security use a lot of resources?

Yesterday morning I rebooted the server because the swap space was low and my ssh session to the server was very slow. After rebooting the server, I watched swap space during the day and it showed over 2 GB of swap space available. I stopped and started Apache during the evening and two hours later, I could not ssh to the server and could not get in to the console. The box is kind of hung.

Also I have another question. The backend server of the reverse proxy servers is another server that has Apache with Tomcat installed. The reverse proxy servers and the server communicate through http. In the Apache log on the reverse proxy server that has mod security, I see a lot of messages:

ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] [hostname "www.xxx.com"] [url "/xxx/xxx/xxx.png"] [unique_id "xxxx"]

I changed the notification score from 10 to 5, otherwise access to the site was blocked. This happens to every web site that is proxied through and every page of a web site. Is this normal, or how should I configure mod security better?

Thanks in advance.
Ryan
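A triage step for the warning quoted in the message above, as an added example that is not part of the original post or of ModSecurity: it parses the bracketed fields of such error-log lines and counts which triggering message sits behind the correlation alerts, and on how many distinct URLs. The sample lines are constructed, and accepting `uri` as an alternative to the `url` field is an assumption.

```python
import re
from collections import Counter

# Bracketed metadata as it appears in the quoted log line: [name "value"]
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Correlation msg: total score, then the message of the rule that contributed.
SCORE_RE = re.compile(r'Total Inbound Score: (\d+)[^)]*\): (.*)')

def parse_line(line):
    """Return the metadata fields of one ModSecurity log line, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    m = SCORE_RE.search(fields.get("msg", ""))
    if m:
        fields["score"] = int(m.group(1))
        fields["trigger"] = m.group(2)
    return fields

def summarize(lines):
    """List (trigger message, alert count, distinct URL count), most frequent first."""
    counts, urls = Counter(), {}
    for line in lines:
        f = parse_line(line)
        if not f or "trigger" not in f:
            continue
        counts[f["trigger"]] += 1
        # "uri" fallback is an assumption; the quoted line uses "url".
        urls.setdefault(f["trigger"], set()).add(f.get("url") or f.get("uri", "?"))
    return [(msg, n, len(urls[msg])) for msg, n in counts.most_common()]

def make_line(score, trigger, url):
    """Build a constructed log line in the shape of the one quoted in the post."""
    return ('ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, '
            '[file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] '
            f'[msg "Inbound Anomaly Score (Total Inbound Score: {score}, SQLi=, XSS=): {trigger}"] '
            f'[hostname "www.xxx.com"] [url "{url}"] [unique_id "xxxx"]')

# Constructed sample input, not taken from a real server.
SAMPLE = [
    make_line(5, "HTTP header is restricted by policy", "/xxx/a.png"),
    make_line(5, "HTTP header is restricted by policy", "/xxx/b.css"),
    "[notice] constructed non-ModSecurity line, skipped by the parser",
    make_line(5, "HTTP header is restricted by policy", "/xxx/a.png"),
    make_line(10, "constructed other rule message", "/xxx/login"),
]

if __name__ == "__main__":
    for msg, n, n_urls in summarize(SAMPLE):
        print(f"{n:4d} alerts on {n_urls} URL(s): {msg}")
```

A single trigger message that dominates the counts across all URLs points at one rule to review, rather than at the score threshold.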