This repository has been archived by the owner on Nov 8, 2023. It is now read-only.

Nginx with naxsi enabled does not finish standard request processing under some configs #628

Closed
cuper6 opened this issue Apr 2, 2023 · 7 comments

Comments

@cuper6

cuper6 commented Apr 2, 2023

Nginx does not finish the standard processing cycle for some requests under some configs with naxsi enabled.
At least:

  1. The response is not sent to the client.
  2. The request is not logged in the access.log.
  3. The nginx stub status module's (ngx_http_stub_status_module) "writing" counter is not decremented.

How to reproduce:

  1. Use the sample config (below) with needed changes to the directives such as server_name, root, listen, access_log, etc.
  2. Send 2 simultaneous GET requests: http://some_site.net:888/1/index.html?v<<<<>>>>

These requests will be processed by naxsi and trigger a denied action.
The key factor here is "limit_req" in the /403.html location.
The second request is paused by the rate limit.
After processing resumes, the second request is not finished by nginx as normal.
access.log has only one request logged.

We can send 2 simultaneous GET requests to the second location (without naxsi): http://some_site.net:888/2/index.html?v<<<<>>>>
to confirm that similar requests are finished when naxsi is not used.

This was tested on a clean nginx 1.22.1 with the naxsi 1.3 module linked statically.

Sample nginx.conf

user www-data;
worker_processes  auto;

error_log  /var/log/nginx-test/error.log debug;
pid        /var/run/nginx-test.pid;

events {
    worker_connections  4096;
}

http {
    include naxsi_core.rules; # naxsi core rules

    index index.php index.html;
    resolver 8.8.8.8 ipv6=off;

    limit_req_zone $binary_remote_addr zone=test:1m rate=1r/s;

    log_format main '[$host] $remote_addr $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    include mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx-test/access.log main;

    server {
        root /home/some_site/www;
        server_name some_site.net;

        listen *:888;

        error_page 403 /403.html;
        location = /403.html {
            limit_req zone=test burst=1;
            internal;
            etag off;
        }

        # special location for naxsi
        location /RequestDenied {
            internal;
            return 403;
        }

        location /1 {
            SecRulesEnabled;

            ## check rules
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$UPLOAD >= 8" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
        }

        location /2 {
            return 403;
        }
    }
}
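A small reproduction harness for the steps above, added here as an example; it is not part of cuper6's report or of the naxsi project. It assumes nginx is running the sample config and is reachable on 127.0.0.1:888, that a `location = /nginx_status { stub_status; }` block has been added to the server (the sample config has none), and that access.log uses the config's `main` log_format. The log lines and stub_status text embedded in it are constructed for offline checks, not captured from a real server.

```python
"""Reproduction harness for the symptom in this issue (added example, not the
reporter's or naxsi's code).

Assumed, not taken from the report:
  * nginx runs the sample config and is reachable on HOST:PORT;
  * a `location = /nginx_status { stub_status; }` block was added to the
    server (the sample config has none), so the "writing" counter is readable;
  * access.log uses the sample config's `main` log_format.
"""
import http.client
import re
import socket
import threading

HOST, PORT = "127.0.0.1", 888        # assumed listen address
SERVER_NAME = "some_site.net"        # server_name from the sample config
TARGET = "/1/index.html?v<<<<>>>>"   # the request from the report, which naxsi denies
STATUS_PATH = "/nginx_status"        # assumed stub_status location
TIMEOUT = 5.0                        # well beyond limit_req's 1 s delay


def fetch(path, timeout=TIMEOUT):
    """GET `path` once; return (status, body), or (None, "") if nginx never answers."""
    conn = http.client.HTTPConnection(HOST, PORT, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": SERVER_NAME})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    except (socket.timeout, http.client.HTTPException, OSError):
        return None, ""
    finally:
        conn.close()


def concurrent_fetch(path, n=2):
    """Fire n GETs at the same moment (the report's 'two simultaneous requests')."""
    results = [None] * n

    def worker(i):
        results[i] = fetch(path)[0]

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


# One access.log line in the sample config's `main` format:
# [$host] $remote_addr $remote_user [$time_local] "$request" $status ...
LOG_RE = re.compile(r'^\[[^\]]*\] \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')


def count_logged(log_text, path):
    """Number of access.log entries whose request line is a GET for `path`."""
    wanted = "GET " + path + " "
    n = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("request").startswith(wanted):
            n += 1
    return n


STUB_RE = re.compile(r"Active connections: (\d+).*?Reading: (\d+) Writing: (\d+) Waiting: (\d+)", re.S)


def parse_stub_status(text):
    """Parse ngx_http_stub_status_module output into its four counters."""
    m = STUB_RE.search(text)
    if not m:
        raise ValueError("not stub_status output")
    return dict(zip(("active", "reading", "writing", "waiting"), map(int, m.groups())))


def diagnose(statuses, logged, writing_before, writing_after):
    """List which of the report's three symptoms were observed; empty means every request finished."""
    sent, answered = len(statuses), sum(s is not None for s in statuses)
    symptoms = []
    if answered < sent:
        symptoms.append(f"{sent - answered} of {sent} requests got no response")
    if logged < sent:
        symptoms.append(f"only {logged} of {sent} requests appear in access.log")
    if writing_after > writing_before:
        symptoms.append(f"stub_status 'writing' went {writing_before} -> {writing_after} and stayed there")
    return symptoms


# Constructed sample data for offline checks (not captured from a real server).
SAMPLE_LOG = (
    '[some_site.net] 203.0.113.7 - [02/Apr/2023:12:00:00 +0000] '
    '"GET /1/index.html?v<<<<>>>> HTTP/1.1" 403 153 "-" "curl/7.88.1" "-"\n'
    '[some_site.net] 203.0.113.7 - [02/Apr/2023:12:00:01 +0000] '
    '"GET /2/index.html?v<<<<>>>> HTTP/1.1" 403 153 "-" "curl/7.88.1" "-"\n'
)
SAMPLE_STATUS = "Active connections: 2 \nserver accepts handled requests\n 11 11 14 \nReading: 0 Writing: 2 Waiting: 0 \n"

if __name__ == "__main__":
    import sys
    import time
    before = parse_stub_status(fetch(STATUS_PATH)[1])["writing"]
    statuses = concurrent_fetch(TARGET)      # blocks until both answer or time out
    time.sleep(1)                            # let any late close reach stub_status
    after = parse_stub_status(fetch(STATUS_PATH)[1])["writing"]
    logged = count_logged(open(sys.argv[1]).read(), TARGET) if len(sys.argv) > 1 else 0
    print("statuses:", statuses)
    print("\n".join(diagnose(statuses, logged, before, after)) or "no symptoms observed")
```

Run it as `python3 repro.py /var/log/nginx-test/access.log` against a freshly truncated access.log (it counts every matching line in the file, so old runs would inflate the count). Both stub_status reads are taken while the status request itself is being written, so the baseline "writing" value is normally 1 and a value that stays higher after the run is the stuck counter the report describes.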
@wargio
Contributor

wargio commented Apr 2, 2023

Sounds like the ngx_http_limit_req_module module is doing something weird, not naxsi.
I do not see any reason to rate limit /403.html.

@cuper6
Author

cuper6 commented Apr 2, 2023

> ngx_http_limit_req_module module is doing something weird

It just delays the processing of the request.

> I do not see any reason to rate limit /403.html

This is a minimal config to illustrate the problem.
In a real environment the rate limit may be set at an upper level.

@wargio
Contributor

wargio commented Apr 3, 2023

@cuper6 could you please try with the latest version of naxsi? https://github.com/wargio/naxsi/releases/tag/1.4 (yes different repo because this is now abandonware)

@cuper6
Author

cuper6 commented Apr 3, 2023

> try with the latest version of naxsi?

I tried with: https://github.com/wargio/naxsi/archive/refs/tags/1.4.zip

There are missing-file errors during configure and make:

...
configuring additional modules
adding module in /usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src
cp: cannot stat '/usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src/libinjection/src/*.h': No such file or directory
cat: /usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src/libinjection/src/libinjection_html5.c: No such file or directory
cat: /usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src/libinjection/src/libinjection_sqli.c: No such file or directory
cat: /usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src/libinjection/src/libinjection_xss.c: No such file or directory
 + naxsi was configured
...
        /usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src/naxsi_config.c
In file included from /usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src/naxsi_config.c:6:0:
/usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src/naxsi.h:19:48: fatal error: libinjection/src/libinjection_sqli.h: No such file or directory
 #include "libinjection/src/libinjection_sqli.h"
                                                ^

@wargio
Contributor

wargio commented Apr 3, 2023

There are not. You haven't followed the building instructions.
If you are using the tarball/zip files that GH has created, please instead download the one named naxsi-1.4-src-with-deps.zip

@cuper6
Author

cuper6 commented Apr 3, 2023

> please instead download the one named

ok, I did it with 1.4.
Got the same results as with 1.3:

For the second (delayed by limit_req) request:
    The response is not sent to the client.
    The request is not logged in the access.log.
    The nginx stub status module's (ngx_http_stub_status_module) "writing" counter is not decremented.

@wargio
Contributor

wargio commented Apr 3, 2023

I have no clue what is wrong. I have to check that other module.

@mremande mremande closed this as completed Nov 8, 2023