nGinx shoots 100% CPU with modsecurity 2.8.0 and JSON request and response (YAJL compiled) #707

Closed
ghost opened this issue Apr 19, 2014 · 3 comments

Comments


ghost commented Apr 19, 2014

Hi,
So the request passes through to the backend and when the response comes back to nGinx, it shoots the CPU up to 100% and memory increases by 3 MB every 2 seconds and does not stop.

Backtrace:
#0 0x000000000046b4a9 in ngx_http_write_filter (r=0x192bbd0, in=0x1930100) at src/http/ngx_http_write_filter_module.c:135
#1 0x000000000047b77d in ngx_http_chunked_body_filter (r=0x192bbd0, in=) at src/http/modules/ngx_http_chunked_filter_module.c:111
#2 0x000000000048058c in ngx_http_gzip_body_filter (r=0x192bbd0, in=0x1930100) at src/http/modules/ngx_http_gzip_filter_module.c:325
#3 0x000000000048132d in ngx_http_postpone_filter (r=0x192bbd0, in=) at src/http/ngx_http_postpone_filter_module.c:83
#4 0x000000000048194c in ngx_http_ssi_body_filter (r=0x192bbd0, in=) at src/http/modules/ngx_http_ssi_filter_module.c:396
#5 0x0000000000485a6f in ngx_http_charset_body_filter (r=0x192bbd0, in=) at src/http/modules/ngx_http_charset_filter_module.c:553
#6 0x00000000004a0109 in ngx_http_modsecurity_body_filter (r=0x192cac8, in=) at /ngs/app/shieldt/nginx/plugins/modsecurity-2.8.0/nginx/modsecurity/ngx_http_modsecurity.c:1209
#7 0x000000000043c332 in ngx_output_chain (ctx=0x19301c0, in=0x7fff5ad66760) at src/core/ngx_output_chain.c:66
#8 0x000000000046bb34 in ngx_http_copy_filter (r=0x192bbd0, in=0x7fff5ad66760) at src/http/ngx_http_copy_filter_module.c:143
#9 0x000000000047bacd in ngx_http_range_body_filter (r=0x192bbd0, in=) at src/http/modules/ngx_http_range_filter_module.c:587
#10 0x000000000045dc4b in ngx_http_output_filter (r=, in=) at src/http/ngx_http_core_module.c:1956
#11 0x00000000004650b7 in ngx_http_send_special (r=0x192bbd0, flags=1) at src/http/ngx_http_request.c:3229
#12 0x0000000000475276 in ngx_http_upstream_finalize_request (r=0x192bbd0, u=0x192f928, rc=) at src/http/ngx_http_upstream.c:3414
#13 0x0000000000475af4 in ngx_http_upstream_process_request (r=0x192bbd0) at src/http/ngx_http_upstream.c:3041
#14 0x0000000000475bb0 in ngx_http_upstream_process_upstream (r=0x192bbd0, u=0x192f928) at src/http/ngx_http_upstream.c:2975
#15 0x00000000004791d6 in ngx_http_upstream_send_response (r=0x192bbd0, u=0x192f928) at src/http/ngx_http_upstream.c:2392
#16 ngx_http_upstream_process_header (r=0x192bbd0, u=0x192f928) at src/http/ngx_http_upstream.c:1683
#17 0x0000000000475ca2 in ngx_http_upstream_handler (ev=) at src/http/ngx_http_upstream.c:969
#18 0x00000000004554ea in ngx_epoll_process_events (cycle=, timer=, flags=) at src/event/modules/ngx_epoll_module.c:683
#19 0x000000000044dde3 in ngx_process_events_and_timers (cycle=0x1925010) at src/event/ngx_event.c:249
#20 0x0000000000453a33 in ngx_worker_process_cycle (cycle=0x1925010, data=) at src/os/unix/ngx_process_cycle.c:807
#21 0x0000000000452384 in ngx_spawn_process (cycle=0x1925010, proc=0x453960 <ngx_worker_process_cycle>, data=0x0, name=0x6167c6 "worker process", respawn=-3) at src/os/unix/ngx_process.c:198
#22 0x0000000000452faa in ngx_start_worker_processes (cycle=0x1925010, n=1, type=-3) at src/os/unix/ngx_process_cycle.c:362
#23 0x0000000000453f54 in ngx_master_process_cycle (cycle=0x1925010) at src/os/unix/ngx_process_cycle.c:136
#24 0x0000000000439a2e in main (argc=, argv=) at src/core/nginx.c:412

Steps to reproduce the problem:

Get nGinx 1.4.7 and modsecurity 2-8.0 and compile it with yajl (Note the modsecurity yajl's build script find_yajl.m4 does not work correctly to find yajl, so I changed it to supply the LD FLAGS, INCLUDE, etc appropriately and compiled modsecurity with YAJL). Then install the OWASP CRS latest according to the below:

"You will need to modify the @backend definition to point to your correct back-end web application that Nginx is proxying to. The ModSecurityConfig modsecurity.conf directive lists the configuration file that contains all of your configurations and rules. Important - as opposed to the Apache version where you can dynamically specify multiple ModSecurity config/rule files using Includes, the current Nginx version requires you to put all data into a single file. This is easily accomplished by concatenating the following files into the modsecurity.conf file:

ModSecurity modsecurity.conf-recommended file which specifies the recommended default configurations
OWASP ModSecurity CRS modsecurity_crs_10_setup.conf file which specifies the main configurations for the CRS
OWASP ModSecurity CRS base_rules conf files

After you have concatenated these files into the modsecurity.conf file, you should also copy the OWASP ModSecurity base_rules/*.data files into the same directory so that any @pmFromFile operators can use them."

Once all this is done, create a VIP and post JSON requests to it. Any JSON will do. Make sure that the request goes to the upstream (Disable the request blocking rules one by one). After no rules are blocking the request, you will see this issue.

ModSecurity 2.8.0,YAJL, OWASP top 10 does not work for nGinx.
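
The single-file configuration described in the quoted setup instructions above, as an added example that is not part of the original issue or of the ModSecurity project: it concatenates the three inputs in order, copies the `*.data` files beside the result, and lists any `@pmFromFile` target that is still missing. The function names and the directory arguments are assumptions about a local CRS 2.x checkout.

```shell
#!/bin/sh
# Added example (not from the issue or the ModSecurity project).
# Paths passed as arguments are assumptions about a CRS 2.x checkout.

build_modsec_conf() {
    # $1 = modsecurity.conf-recommended, $2 = CRS directory, $3 = output directory
    recommended=$1; crs=$2; out=$3
    mkdir -p "$out" || return 2
    # Order: engine defaults, then CRS setup, then the base rules.
    cat "$recommended" \
        "$crs/modsecurity_crs_10_setup.conf" \
        "$crs"/base_rules/*.conf > "$out/modsecurity.conf" || return 2
    # @pmFromFile data files must sit beside the merged config.
    for d in "$crs"/base_rules/*.data; do
        if [ -f "$d" ]; then cp "$d" "$out/" || return 2; fi
    done
    return 0
}

missing_pm_files() {
    # Print every @pmFromFile target in $1/modsecurity.conf that cannot be found.
    dir=$1
    grep -o '@pmFromFile [^"]*' "$dir/modsecurity.conf" |
        cut -d' ' -f2- | tr ' ' '\n' | sort -u |
        while read -r f; do
            case $f in
                '') continue ;;
                /*) p=$f ;;
                *)  p=$dir/$f ;;
            esac
            if [ ! -f "$p" ]; then echo "$f"; fi
        done
}

# Stand-alone use: sh build.sh <recommended.conf> <crs-dir> <out-dir>
if [ "$#" -eq 3 ]; then
    build_modsec_conf "$1" "$2" "$3" && missing_pm_files "$3"
fi
```

An empty result from `missing_pm_files` means every phrase-match data file referenced by the merged rules is present in the output directory.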

Contributor

zimmerle commented Jun 4, 2014

Hi @ashwanthfernando, this is related to #142. We are working at the branch: https://github.com/SpiderLabs/ModSecurity/tree/nginx_refactoring

@zimmerle zimmerle self-assigned this Oct 21, 2016
Contributor

zimmerle commented May 9, 2017

Marking as won't fix in 2.x. It is already Ok in libModSecurity: https://github.com/SpiderLabs/ModSecurity/tree/v3/master

@zimmerle zimmerle closed this as completed May 9, 2017
@rvmvsjvm

we are using
Nginx version 1.12.2
openssl-1.1.0g
Nginx- Modsecurity 3.0
owasp-modsecurity-crs-3.0-master (Core Rule Set)

we are using nginx and the load average is shooting up more than 1 with 2 cores for 50 domains
