The modsec devel team is working hard on the new libmodsecurity. You may just be better off waiting for them to put the finishing touches on that project. Nginx + modsec 2.9 likely will get no dev attention moving forward, given that the whole system is being revamped now.
Sent from my iPhone
> On Jan 22, 2016, at 16:44, Lukas <l@ymx.ch> wrote:
>
> Dear all
>
>> Lukas <l@ymx.ch> [2016-01-10 14:39]:
>>
>> Fascinated by nginx, I attempted to integrate it with modsecurity.
>>
>> Unfortunately, ever when modsecurity is enabled, nginx reports a
>> sefault in sysmessages.
>
> I tried debugging the issue a bit further (from a user perspective)
> with common web-page and CalDAV with the following results:
>
> * nginx with modsecurity switched off works perfectly as a proxy nginx
> * nginx with modsecurity switched on with one owasp rule-set
> (modsecurity_crs_20_protocol_violations.conf) works for common
> web-pages with multi-media content (quick test without any errors
> reported)
> * nginx with modsecurity switched on with one owasp rule-set
> (modsecurity_crs_20_protocol_violations.conf) does not work for
> CalDAV.
> error.log: 2016/01/23 01:19:07 [emerg] 4844#0: *7 posix_memalign(16,
> 4096) failed (12: Cannot allocate memory) while logging request
> * nginx with modsecurity switched on without any ruleset
> does not work for CalDAV -- same error
> * nginx with modsecurity switched off without any ruleset
> does work for CalDAV perfectly.
>
> With modsecurity switched on, an Out-of-Memory exception took place
> always reporting:
>
> [876715.533926] nginx invoked oom-killer: gfp_mask=0x280da, order=0, oom_score_adj=0
> [876715.533930] nginx cpuset=/ mems_allowed=0
> [876715.533936] CPU: 0 PID: 4844 Comm: nginx Not tainted 4.3.3-consecom-ag #1
> [876715.533937] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS debian/1.7.5-1-0-g506b58d-dirty-20140812_231322-gandalf 04/01/2014
> [876715.533939] f5a53ed0 d52542a6 f5a6b7c0 d5110792 d55a6db0 f5a6bab4 000280da 00000000
> [876715.533943] 00000000 ffffffff 0d3f1361 00031d5e f4929cb8 00200282 f4929cb8 f4929cb0
> [876715.533946] d50babb7 00200206 d525956e 00000002 00000002 f5020840 f5020bc4 d55a5702
> [876715.533949] Call Trace:
> [876715.533955] [<d52542a6>] ? dump_stack+0x3e/0x58
> [876715.533959] [<d5110792>] ? dump_header.isra.8+0x65/0x1be
> [876715.533963] [<d50babb7>] ? delayacct_end+0x47/0xa0
> [876715.533967] [<d525956e>] ? ___ratelimit+0x7e/0xe0
> [876715.533970] [<d50d0fa9>] ? oom_kill_process+0x1d9/0x380
> [876715.533973] [<d51e9d3a>] ? security_capable_noaudit+0x3a/0x60
> [876715.533977] [<d5047b0b>] ? has_ns_capability_noaudit+0xb/0x20
> [876715.533979] [<d50d0b76>] ? oom_badness+0x96/0x100
> [876715.533981] [<d50d1402>] ? out_of_memory+0x252/0x320
> [876715.533984] [<d50d4f5e>] ? __alloc_pages_nodemask+0x77e/0x7a0
> [876715.533989] [<d50efd24>] ? handle_mm_fault+0xd54/0xf50
> [876715.533990] [<d50f2cef>] ? vma_merge+0x1bf/0x280
> [876715.533992] [<d50f414a>] ? do_brk+0x1ca/0x2b0
> [876715.533995] [<d5037657>] ? __do_page_fault+0x137/0x3a0
> [876715.533998] [<d50379f0>] ? vmalloc_sync_all+0x130/0x130
> [876715.534001] [<d54d3566>] ? error_code+0x5a/0x60
> [876715.534003] [<d50379f0>] ? vmalloc_sync_all+0x130/0x130
> [876715.534004] Mem-Info:
> [876715.534008] active_anon:543864 inactive_anon:208884 isolated_anon:0
> [876715.534008] active_file:54 inactive_file:77 isolated_file:0
> [876715.534008] unevictable:0 dirty:1 writeback:0 unstable:0
> [876715.534008] slab_reclaimable:326 slab_unreclaimable:997
> [876715.534008] mapped:88 shmem:4 pagetables:957 bounce:0
> [876715.534008] free:21502 free_pcp:289 free_cma:0
> [876715.534014] DMA free:12152kB min:64kB low:80kB high:96kB active_anon:1676kB inactive_anon:1928kB active_file:8kB inactive_file:4kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15992kB managed:15916kB mlocked:0kB dirty:0kB writeback:0kB mapped:8kB shmem:0kB slab_reclaimable:16kB slab_unreclaimable:76kB kernel_stack:8kB pagetables:20kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:120 all_unreclaimable? yes
> [876715.534016] lowmem_reserve[]: 0 839 3023 3023
> [876715.534021] Normal free:73380kB min:3528kB low:4408kB high:5292kB active_anon:386788kB inactive_anon:386844kB active_file:208kB inactive_file:276kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:892920kB managed:859928kB mlocked:0kB dirty:4kB writeback:0kB mapped:324kB shmem:0kB slab_reclaimable:1288kB slab_unreclaimable:3912kB kernel_stack:672kB pagetables:3808kB unstable:0kB bounce:0kB free_pcp:564kB local_pcp:564kB free_cma:0kB writeback_tmp:0kB pages_scanned:115004 all_unreclaimable? yes
> [876715.534022] lowmem_reserve[]: 0 0 17471 17471
> [876715.534027] HighMem free:476kB min:512kB low:2808kB high:5104kB active_anon:1786992kB inactive_anon:446764kB active_file:0kB inactive_file:28kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:2236296kB managed:2236296kB mlocked:0kB dirty:0kB writeback:0kB mapped:20kB shmem:16kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB free_pcp:592kB local_pcp:592kB free_cma:0kB writeback_tmp:0kB pages_scanned:7836 all_unreclaimable? yes
> [876715.534028] lowmem_reserve[]: 0 0 0 0
> [876715.534030] DMA: 4*4kB (E) 7*8kB (UE) 5*16kB (UEM) 3*32kB (U) 2*64kB (EM) 2*128kB (EM) 3*256kB (UEM) 1*512kB (E) 2*1024kB (UE) 2*2048kB (UE) 1*4096kB (M) = 12152kB
> [876715.534039] Normal: 149*4kB (UEM) 108*8kB (UEM) 63*16kB (UE) 32*32kB (UEM) 10*64kB (UE) 11*128kB (UEM) 5*256kB (UE) 2*512kB (EM) 2*1024kB (UM) 3*2048kB (UEM) 14*4096kB (M) = 73380kB
> [876715.534047] HighMem: 1*4kB (U) 1*8kB (U) 1*16kB (M) 2*32kB (UM) 0*64kB 1*128kB (M) 1*256kB (M) 0*512kB 0*1024kB 0*2048kB 0*4096kB = 476kB
> [876715.534054] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=4096kB
>
> Thanks for any hints
>
> Lukas
>
>
> --
> Lukas Ruf http://www.lpr.ch | Ad Personam
> Consecom http://www.consecom.com | Ad Laborem
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
