Put the ModSecurity interception logic onto separated threads

src/ngx_http_modsecurity_body_filter.c

@@ -50,7 +50,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
 
     ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
 
-    dd("body filter, recovering ctx: %p", ctx);
+    ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "body filter, recovering ctx: %p", ctx);
 
     if (ctx == NULL) {
         return ngx_http_next_body_filter(r, in);
@@ -155,11 +155,11 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
         is_request_processed = chain->buf->last_buf;
 
         if (is_request_processed) {
-            ngx_pool_t *old_pool;
+            // ngx_pool_t *old_pool;
 
-            old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
+            // old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
             msc_process_response_body(ctx->modsec_transaction);
-            ngx_http_modsecurity_pcre_malloc_done(old_pool);
+            // ngx_http_modsecurity_pcre_malloc_done(old_pool);
 
 /* XXX: I don't get how body from modsec being transferred to nginx's buffer.  If so - after adjusting of nginx's
    XXX: body we can proceed to adjust body size (content-length).  see xslt_body_filter() for example */
@@ -176,7 +176,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
     }
     if (!is_request_processed)
     {
-        dd("buffer was not fully loaded! ctx: %p", ctx);
+        ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "buffer was not fully loaded! ctx: %p", ctx);
     }
 
 /* XXX: xflt_filter() -- return NGX_OK here */

src/ngx_http_modsecurity_common.h

@@ -21,6 +21,7 @@
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_http.h>
+#include <ngx_thread_pool.h>
 
 #include <modsecurity/modsecurity.h>
 #include <modsecurity/transaction.h>
@@ -117,6 +118,9 @@ typedef struct {
     void                      *rules_set;
 
     ngx_flag_t                 enable;
+
+    ngx_str_t                  thread_pool_name;
+    ngx_thread_pool_t          *thread_pool;
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
     ngx_flag_t                 sanity_checks_enabled;
 #endif

src/ngx_http_modsecurity_header_filter.c

@@ -415,18 +415,18 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
     int ret = 0;
     ngx_uint_t status;
     char *http_response_ver;
-    ngx_pool_t *old_pool;
+    // ngx_pool_t *old_pool;
 
 
 /* XXX: if NOT_MODIFIED, do we need to process it at all?  see xslt_header_filter() */
 
     ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
 
-    dd("header filter, recovering ctx: %p", ctx);
+    ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "header filter, recovering ctx: %p", ctx);
 
     if (ctx == NULL)
     {
-        dd("something really bad happened or ModSecurity is disabled. going to the next filter.");
+        ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "something really bad happened or ModSecurity is disabled. going to the next filter.");
         return ngx_http_next_header_filter(r);
     }
 
@@ -442,7 +442,7 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
         /*
          * FIXME: verify if this request is already processed.
          */
-        dd("Already processed... going to the next header...");
+        ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "Already processed... going to the next header...");
         return ngx_http_next_header_filter(r);
     }
 
@@ -469,13 +469,13 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
      */
     for (i = 0; ngx_http_modsecurity_headers_out[i].name.len; i++)
     {
-        dd(" Sending header to ModSecurity - header: `%.*s'.",
-            (int) ngx_http_modsecurity_headers_out[i].name.len,
-            ngx_http_modsecurity_headers_out[i].name.data);
+        ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, " Sending header to ModSecurity - header: `%.*s'.",
+                      (int)ngx_http_modsecurity_headers_out[i].name.len,
+                      ngx_http_modsecurity_headers_out[i].name.data);
 
-                ngx_http_modsecurity_headers_out[i].resolver(r,
-                    ngx_http_modsecurity_headers_out[i].name,
-                    ngx_http_modsecurity_headers_out[i].offset);
+        ngx_http_modsecurity_headers_out[i].resolver(r,
+                                                     ngx_http_modsecurity_headers_out[i].name,
+                                                     ngx_http_modsecurity_headers_out[i].offset);
     }
 
     for (i = 0 ;; i++)
@@ -523,9 +523,9 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
     }
 #endif
 
-    old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
+    // old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
     msc_process_response_headers(ctx->modsec_transaction, status, http_response_ver);
-    ngx_http_modsecurity_pcre_malloc_done(old_pool);
+    // ngx_http_modsecurity_pcre_malloc_done(old_pool);
     ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);
     if (r->error_page) {
         return ngx_http_next_header_filter(r);

src/ngx_http_modsecurity_log.c

@@ -41,13 +41,13 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
     ngx_http_modsecurity_ctx_t   *ctx;
     ngx_http_modsecurity_conf_t  *mcf;
 
-    dd("catching a new _log_ phase handler");
+    ngx_log_error(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "catching a new _log_ phase handler");
 
     mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
     if (mcf == NULL || mcf->enable != 1)
     {
-        dd("ModSecurity not enabled... returning");
-        return NGX_OK;
+        ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "ModSecurity not enabled... returning");
+        return NGX_DECLINED;
     }
 
     /*
@@ -63,19 +63,19 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
     dd("recovering ctx: %p", ctx);
 
     if (ctx == NULL) {
-        dd("something really bad happened here. returning NGX_ERROR");
+        ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "something really bad happened here. returning NGX_ERROR");
         return NGX_ERROR;
     }
 
     if (ctx->logged) {
-        dd("already logged earlier");
-        return NGX_OK;
+        ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "already logged earlier");
+        return NGX_DECLINED;
     }
 
     dd("calling msc_process_logging for %p", ctx);
     old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
     msc_process_logging(ctx->modsec_transaction);
     ngx_http_modsecurity_pcre_malloc_done(old_pool);
 
-    return NGX_OK;
+    return NGX_DECLINED;
 }