apache graceful restart + Apache connector + rules = memory leak #82

Open
drmuey opened this issue May 18, 2021 · 3 comments

drmuey commented May 18, 2021

  1. Set up memory test script
    • create this script at the end of this post
    • Make sure /etc/systemd/system.conf has these settings:
      • DefaultMemoryAccounting=yes
      • DefaultStartLimitInterval=1s
      • systemctl daemon-reexec if you had to edit those (and hard restart apache for good measure, systemctl status httpd | grep Memory should not have output).
    1. install and configure apache connector (but do not configure any rules)
  2. run memory test script ➜ no leak
# ~/check_httpd_memory_usage.sh
Memory usage before 200 restarts:
   Memory: 67.4M
...
Memory usage after 200 restarts:
   Memory: 67.3M
#
  1. install and configure OWASP CRS
  2. run memory test script ➜ leak
# ~/check_httpd_memory_usage.sh
Memory usage before 200 restarts:
   Memory: 67.4M
...
Memory usage after 200 restarts:
   Memory: 1.3G
# ~/check_httpd_memory_usage.sh
  1. change script to do a hard restart (e.g. systemctl restart httpd) and the leak goes away

#!/bin/bash

# Abort on the first failing command
set -e

# Number of graceful restarts to perform
NREQUESTS=200

# for good measure
systemctl stop httpd
systemctl start httpd

echo "Memory usage before $NREQUESTS restarts:"
systemctl status httpd | grep Memory

# Gracefully restart Apache NREQUESTS times, pausing between restarts
for ((i = 0 ; i < $NREQUESTS ; i++)); do
    echo -n "$i … "
    /usr/sbin/apachectl graceful
    sleep 2
done

echo
echo "Memory usage after $NREQUESTS restarts:"
systemctl status httpd | grep Memory

drmuey changed the title from "apache graceful restart + ea-modsec30-connector-apache24 + rules = memory leak" to "apache graceful restart + Apache connector + rules = memory leak" on Jun 3, 2021
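
The before/after comparison from the report above can be turned into a pass/fail check. This is an added example, not part of the issue or of the project's code; the function names, the default 1.5x growth factor and the assumption that systemd's size suffixes are powers of 1024 are all illustrative.

```shell
#!/bin/sh
# Added example: compare the "Memory:" lines printed by `systemctl status httpd`
# before and after the restart loop and flag growth beyond a chosen factor.

# memory_value LINE -> prints the size token, e.g. "67.4M" from "   Memory: 67.4M".
# Anything after the first token (such as a trailing "(peak: ...)") is ignored.
memory_value() {
    printf '%s\n' "$1" | sed -n 's/^ *Memory: *\([^ ]*\).*/\1/p'
}

# to_bytes VALUE -> prints whole bytes for values such as 67.4M or 1.3G.
# Assumption: suffixes B, K, M, G, T are powers of 1024.
# Exits non-zero when VALUE is empty or not in that form.
to_bytes() {
    printf '%s\n' "$1" | awk '
        {
            if (!match($0, /^[0-9]+(\.[0-9]+)?[BKMGT]?$/)) exit 1
            unit = substr($0, length($0))
            num = $0
            if (unit ~ /[BKMGT]/) num = substr($0, 1, length($0) - 1)
            else unit = "B"
            mult["B"] = 1; mult["K"] = 1024; mult["M"] = 1024 * 1024
            mult["G"] = 1024 * 1024 * 1024
            mult["T"] = 1024 * 1024 * 1024 * 1024
            printf "%.0f\n", num * mult[unit]
        }'
}

# memory_grew BEFORE_LINE AFTER_LINE [FACTOR]
# Exit 0: "after" exceeds FACTOR x "before" (leak suspected).
# Exit 1: no such growth. Exit 2: a line could not be parsed.
memory_grew() {
    before=$(to_bytes "$(memory_value "$1")") || return 2
    after=$(to_bytes "$(memory_value "$2")") || return 2
    awk -v b="$before" -v a="$after" -v f="${3:-1.5}" \
        'BEGIN { exit !(a > b * f) }'
}

# The figures reported in the issue for the run with OWASP CRS installed.
if memory_grew "   Memory: 67.4M" "   Memory: 1.3G"; then
    echo "leak suspected: memory grew across graceful restarts"
fi
```
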

XJOJIX commented Aug 19, 2021

apache 2.4.48 mpm_event

I'm also having a problem with modsecurity-apache and a memory leak issue.

Even without apachectl graceful, the memory usage keeps on growing until crash.

martinhsv (Contributor) commented

As mentioned in other issues, the ModSecurity-apache connector for use with ModSecurity v3 is not ready for production use.

With Apache, the recommendation is to use ModSecurity v2.9.


XJOJIX commented Aug 20, 2021

Thought of using nginx instead of apache as reverse proxy, but modsecurity-nginx seems to have the same issue.
owasp-modsecurity/ModSecurity-nginx#236
And even the same issue on modsecurity3 itself.
owasp-modsecurity/ModSecurity#2552

Hope it'll be fixed soon, and also modsecurity-apache to stage to production.
