[Mod-security-developers] nginx 1.7.8 and 1.7.7 reverse proxy segfaults when backend returns 400, 5

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi All,

I've just started playing with nginx + modsec, so I thought I'd test
2.9.0-RC2 but it seems unusable in reverse proxy mode for nginx >= 1.7.7,
so I'm not sure the problem is with mod_sec or nginx. I will keep doing
some more tests with 1.7.6.

Affected mod_sec versions: 2.8.0, 2.9.0-RC1, 2.9.0-RC2 ( not tested earlier
versions)
Affected nginx versions: 1.7.7, 1.7.8.
Not affected nginx: 1.7.6 , 1.7.5, 1.7.4, 1.6.2 (not tested earlier
versions)

nginx compile options:

 CFLAGS="-g -O0" ./configure --with-debug
--add-module=../modsecurity-2.8.0/nginx/modsecurity/ --with-http_ssl_module
 --with-cc-opt="-I /usr/local/pcre/include"  --with-ld-opt="-L
/usr/local/pcre/lib"

mod_sec compile options:

./configure --enable-pcre-match-limit=100000
--enable-pcre-match-limit-recursion=100000 --with-apxs=/usr/bin/apxs
--with-apr=/usr/bin/apr-1-config --with-apu=/usr/bin/apu-1-config
--enable-pcre-study --enable-lua-cache --enable-standalone-module
--enable-pcre-jit --with-pcre=/usr/local/pcre

The setup is simple: client - > nginx + mod_sec -> apache backend (with
mod_security so I can force different error codes)

nginx vhost config:

server {

        listen   80;
        listen   443 ssl;
        server_name testing;
        root /var/www/nginx/testing;
        index index.html index.htm;

        ssl_certificate /usr/local/nginx/ssl/testing.crt;
        ssl_certificate_key /usr/local/nginx/ssl/testing.key;

        location / {
           ModSecurityEnabled on;
           ModSecurityConfig modsecurity.conf;

           proxy_set_header Host $host;
           proxy_pass http://172.16.0.10:80;
           proxy_read_timeout 20s;

        }
}

To replicate the issue, I configure the apache backend to thrown different
error codes with this rule:

SecRule REMOTE_ADDR "@ipMatch 1.1.1.1"
"phase:2,deny,status:500,t:none,id:'1',msg:'Testing'"

A simple curl request to http://testing then makes nginx segfault:

curl -k -v  -o /dev/null 'http://testing'
* Rebuilt URL to: http://testing/
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time
 Current
                                 Dload  Upload   Total   Spent    Left
 Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--
  0*   Trying 10.9.0.89...
* Connected to testing (10.9.0.89) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: testing
> Accept: */*
>
* Empty reply from server
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--
  0
* Connection #0 to host testing left intact
curl: (52) Empty reply from server

2014/12/16 15:21:47 [debug] 11082#0: *1 http copy filter: "/?"
2014/12/16 15:21:47 [debug] 11082#0: *1 modSecurity: body filter
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers in:
"User-Agent: curl/7.35.0"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers in:
"Host: testing"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers in:
"Accept: */*"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers in done
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"Last-Modified: Wed, 08 Oct 2014 11:52:10 GMT"
2014/12/16 15:21:47 [debug] 11082#0: *1 posix_memalign:
000000000238C4F0:4096 @16
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"ETag: "2b49-504e7f224ae80""
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"Accept-Ranges: bytes"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"Vary: Accept-Encoding"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"Content-Type: text/html"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"Content-Length: 11081"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"Last-Modified: Wed, 08 Oct 2014 11:52:10 GMT"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"Connection: keep-alive"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out done
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: status 0
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: save headers in:
"User-Agent: curl/7.35.0"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: save headers in:
"Host: testing"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: save headers in:
"Accept: */*"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: save headers in done
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: save headers out:
"Last-Modified: Wed, 08 Oct 2014 11:52:10 GMT"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: save headers out:
"ETag: "2b49-504e7f224ae80""
Segmentation fault

Let me know if you need any more information

-- 
- Bruno

[Mod-security-developers] nginx 1.7.8 and 1.7.7 reverse proxy segfaults when backend returns 400, 5

[Mod-security-developers] nginx 1.7.8 and 1.7.7 reverse proxy segfaults when backend returns 400, 500, 501 and 503