apache graceful restart + Apache connector + rules = memory leak #82

Open
drmuey opened this issue May 18, 2021 · 3 comments

drmuey commented May 18, 2021

1. Set up memory test script
   - create this script at the end of this post
   - Make sure `/etc/systemd/system.conf` has these settings:
     - `DefaultMemoryAccounting=yes`
     - `DefaultStartLimitInterval=1s`
     - `systemctl daemon-reexec` if you had to edit those (and hard restart apache for good measure, `systemctl status httpd | grep Memory` should not have output).
2. install and configure apache connector (but do not configure any rules)
3. run memory test script ➜ no leak

```
# ~/check_httpd_memory_usage.sh
Memory usage before 200 restarts:
   Memory: 67.4M
...
Memory usage after 200 restarts:
   Memory: 67.3M
#
```

4. install and configure OWASP CRS
5. run memory test script ➜ leak

```
# ~/check_httpd_memory_usage.sh
Memory usage before 200 restarts:
   Memory: 67.4M
...
Memory usage after 200 restarts:
   Memory: 1.3G
# ~/check_httpd_memory_usage.sh
```

6. change script to do a hard restart (e.g. `systemctl restart httpd`) and the leak goes away

```bash
#!/bin/bash

set -e

# Number of graceful restarts to perform
NREQUESTS=200

# for good measure: start from a freshly started httpd
systemctl stop httpd
systemctl start httpd

echo "Memory usage before $NREQUESTS restarts:"
systemctl status httpd | grep Memory

# Graceful restarts are the case that leaks; a hard restart does not
for ((i = 0 ; i < NREQUESTS ; i++)); do
    echo -n "$i … "
    /usr/sbin/apachectl graceful
    sleep 2
done

echo
echo "Memory usage after $NREQUESTS restarts:"
systemctl status httpd | grep Memory
```

drmuey changed the title from "apache graceful restart + ea-modsec30-connector-apache24 + rules = memory leak" to "apache graceful restart + Apache connector + rules = memory leak" on Jun 3, 2021
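
To put a number on the leak in the report above, this added example (not part of the original issue or the project's code) converts the `Memory:` lines that `systemctl status httpd` prints into bytes and computes the average growth per graceful restart. The function names are hypothetical, the 1024 KiB threshold is an arbitrary choice, and it assumes systemd's base-1024 unit suffixes.

```bash
#!/bin/bash
# Added example, not part of the original issue.

# Convert a systemd size token ("67.4M", "1.3G") to bytes.
# Assumption: systemctl prints base-1024 units (B, K, M, G, T).
to_bytes() {
    awk -v v="$1" 'BEGIN {
        n = v + 0                     # leading numeric part
        u = substr(v, length(v), 1)   # trailing unit letter
        m = 1
        if (u == "K") m = 1024
        else if (u == "M") m = 1024 ^ 2
        else if (u == "G") m = 1024 ^ 3
        else if (u == "T") m = 1024 ^ 4
        printf "%.0f\n", n * m
    }'
}

# Extract the size token from a "   Memory: 67.4M" status line.
mem_field() {
    printf '%s\n' "$1" | awk '$1 == "Memory:" { print $2; exit }'
}

# Average growth per restart, in KiB: (after - before) / restarts / 1024.
growth_per_restart_kib() {
    awk -v b="$(to_bytes "$(mem_field "$1")")" \
        -v a="$(to_bytes "$(mem_field "$2")")" \
        -v n="$3" 'BEGIN { printf "%.0f\n", (a - b) / n / 1024 }'
}

# Print "leak" when average growth exceeds the threshold (default 1024 KiB).
verdict() {
    g=$(growth_per_restart_kib "$1" "$2" "$3")
    if [ "$g" -gt "${4:-1024}" ]; then echo leak; else echo ok; fi
}

# Before/after lines copied from the two runs reported in the issue.
echo "no rules: $(verdict '   Memory: 67.4M' '   Memory: 67.3M' 200)"
echo "with CRS: $(verdict '   Memory: 67.4M' '   Memory: 1.3G' 200)" \
     "($(growth_per_restart_kib '   Memory: 67.4M' '   Memory: 1.3G' 200) KiB/restart)"
```

On the figures reported in the issue this works out to roughly 6.3 MiB retained per graceful restart once the CRS rules are loaded.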

XJOJIX commented Aug 19, 2021

apache 2.4.48 mpm_event

I'm also having a problem with modsecurity-apache and a memory leak issue.

Even without apachectl graceful, the memory usage keeps on growing until crash.

martinhsv (Contributor) commented

As mentioned in other issues, the ModSecurity-apache connector for use with ModSecurity v3 is not ready for production use.

With Apache, the recommendation is to use ModSecurity v2.9.


XJOJIX commented Aug 20, 2021

Thought of using nginx instead of Apache as a reverse proxy, but modsecurity-nginx seems to have the same issue:
owasp-modsecurity/ModSecurity-nginx#236
And even the same issue on modsecurity3 itself:
owasp-modsecurity/ModSecurity#2552

Hope it'll be fixed soon, and also for modsecurity-apache to stage to production.
