Hi, Brian
Unfortunately I did not collect the web server stats. There are multiple virtual servers defined on the Apache. I can give you general information:
* How much traffic you get (bandwidth, connections/sec, requests/sec, etc.).
DS3 internet link
* What rules you have enabled in the CRS (and what CRS version).
I used all the rules in CRS 2.0.6.
Include modsecurity/*.conf
Include modsecurity/base_rules/*.conf
Include modsecurity/optional_rules/*.conf
* Speed of your CPUs.
2 x 1 GHz UltraSPARC III.
How do I turn off response inspection? When I did a functionality test with little traffic, it worked fine. For the traffic, I only have production web servers, and it causes me problems.
On the box without Mod Security, the available virtual space is about 1.8 GB. On the box with Mod Security, the available virtual space is about 2 GB when it worked fine.
Ryan
-----Original Message-----
From: Brian Rectanus [mailto:Bri...@br...]
Sent: Thursday, March 25, 2010 4:54 PM
To: Ruiyuan Jiang
Cc: mod...@li...
Subject: Re: [mod-security-users] The Apache reverse proxy server with mod security hang
Ruiyuan Jiang wrote:
> Hi, all
>
> I have two Apache reverse proxy servers that have the same hardware:
>
> SunFire V210, 2 GB RAM, 2 SPARC CPUs and Solaris 10 with the same patch bundle installed.
>
> One of them has Apache 2.2.14 (pre-compiled by an internet user) with mod_security 2.5.11 (disabled) installed. The other is Apache 2.2.15 (compiled by me for now) and mod_security 2.5.12 with CRS 2.0.6.
>
> The server with Apache 2.2.14 runs fine no problem.
> The server with Apache 2.2.15 and mod security 2.5.12 runs out of swap space frequently. The Apache error log shows it can't fork a new process.
>
> Since one has no problem and one has a problem, I would think mod security caused the problem. Does mod security use a lot of resources? Yesterday morning I rebooted the server because the swap space was low and my ssh session to the server was very slow. After I rebooted the server, I watched swap space during the day and it showed over 2 GB swap space available. I stopped and started Apache during the evening and two hours later, I could not ssh to the server and could not get in to the console. The box is kind of hung.
>
> Also I have another question, the backend server of the reverse proxy servers is another server that has apache with tomcat installed. The reverse proxy servers and the server communicate through http. From the apache log on the reverse proxy server that has mod security, I see a lot of messages:
>
> ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] [hostname "www.xxx.com"] [url "/xxx/xxx/xxx.png"] [unique_id "xxxx"]
>
> I changed the notification score from 10 to 5, otherwise access to the site was blocked. This happens to every web site that is proxied through and every page of a web site. Is this normal, or how should I configure mod security better? Thanks in advance.
>
Sounds like you have quite a bit of traffic and not enough RAM. I'd
first try turning off response inspection and do not enable any of the
optional CRS rules.
You did not mention...
* How much traffic you get (bandwidth, connections/sec, requests/sec, etc.).
* What rules you have enabled in the CRS (and what CRS version).
* Speed of your CPUs.
* Memory usage without ModSecurity and with normal traffic. If you are
tight on RAM already, ModSecurity + Full CRS may destroy you, heh.
-B
--
Brian Rectanus
Breach Security
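To tune a CRS anomaly-score deployment like the one discussed above, the first step is to find out which rule messages are driving the score on every page and host. The following is an added example, not code from the thread or from the ModSecurity project: it parses Apache error-log lines in the `[key "value"]` format quoted in the thread (the `TX:inbound_anormaly_score` spelling is kept as it appears there) and aggregates them by hostname and by contributing rule message. The sample log lines, hostnames, URLs and unique ids are constructed placeholders.

```python
"""Summarise ModSecurity 2.x / CRS 2.0 anomaly-score warnings from an Apache error log."""
import re
from collections import Counter

# [key "value"] pairs as ModSecurity 2.x writes them; values may contain \" escapes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# "Operator LT matched 20 at TX:inbound_anormaly_score" (variable spelling as in the quoted log)
OP_RE = re.compile(r'Operator (\w+) matched (\S+?) at (\S+?)[,.]')
SCORE_RE = re.compile(r'Total Inbound Score: (\d+)')

# Constructed sample lines (placeholder hosts, URLs and ids), plus one non-ModSecurity line.
SAMPLE_LOG = [
    'ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anormaly_score. '
    '[file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] '
    '[msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] '
    '[hostname "www.example.test"] [url "/app/img/logo.png"] [unique_id "id-0001"]',
    'ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anormaly_score. '
    '[file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] '
    '[msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): Request Missing an Accept Header"] '
    '[hostname "www.example.test"] [url "/app/index.jsp"] [unique_id "id-0002"]',
    'ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anormaly_score. '
    '[file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] '
    '[msg "Inbound Anomaly Score (Total Inbound Score: 10, SQLi=, XSS=): HTTP header is restricted by policy"] '
    '[hostname "intranet.example.test"] [url "/"] [unique_id "id-0003"]',
    '[Thu Mar 25 16:54:00 2010] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations',
]


def parse_event(line):
    """Return the structured fields of one ModSecurity warning, or None for other log lines."""
    if 'ModSecurity:' not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    m = OP_RE.search(line)
    if m:
        fields['operator'], fields['operand'], fields['variable'] = m.groups()
    msg = fields.get('msg', '')
    s = SCORE_RE.search(msg)
    fields['score'] = int(s.group(1)) if s else None
    # The text after "): " is the message of the rule that last raised the score.
    fields['reason'] = msg.rsplit('): ', 1)[-1] if '): ' in msg else msg
    return fields


def summarize(lines):
    """Count warnings per hostname and per contributing rule message; report the highest score seen."""
    events = [e for e in map(parse_event, lines) if e]
    return {
        'events': len(events),
        'by_host': Counter(e.get('hostname', '?') for e in events),
        'by_reason': Counter(e['reason'] for e in events),
        'max_score': max((e['score'] for e in events if e['score'] is not None), default=0),
    }


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Rule messages that appear for every host and every page (such as a restricted header sent by every client) point at a rule to tune or exclude rather than a real attack.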