Uploaded image for project: 'JBoss Core Services'
  1. JBoss Core Services
  2. JBCS-156

It appears that the ModSecurity module sometimes fails to increment an integer in persistent storage when many concurrent transactions are sent to the Apache web server.

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • httpd 2.4.23 CR1
    • httpd 2.4.6 GA
    • httpd

    • JBoss Web Server 3.0.2
      Oracle Enterprise Linux 6.7

    • CR1
    • Hide
      1. Create setup using configuration in this issue Description.
      2. Run load test using this script: 
        #!/bin/bash
for i in `seq 1 1000`;do
    curl -b "SESSIONID=testid" localhost/index.html &>/dev/null &
done
      3. You can either check the SecDebugLog or use the modsec-sdbm-util (https://github.com/SpiderLabs/modsec-sdbm-util/) to check the final count.
        • grep 'collection_store: Wrote variable: name "my_counter"' | tail -n1
        • OR
        • modsec-sdbm-util -du /dev/shm/modsec/default_SESSION
        • modsec-sdbm-util -du /dev/shm/modsec/global
        • If you have reproduced the issue, the final count will not be equal to the number of requests received by httpd.

      In my local testing, I would occasionally overload the httpd server and it was not able to receive all of the requests I sent. So, make sure you are not simply comparing the number of requests you sent to the final counter value. Make sure you check the number of request actually received into httpd against the final counter value.

      Show
      Create setup using configuration in this issue Description. Run load test using this script: #!/bin/bash for i in `seq 1 1000`; do curl -b "SESSIONID=testid" localhost/index.html &>/dev/ null & done You can either check the SecDebugLog or use the modsec-sdbm-util ( https://github.com/SpiderLabs/modsec-sdbm-util/ ) to check the final count. grep 'collection_store: Wrote variable: name "my_counter"' | tail -n1 OR modsec-sdbm-util -du /dev/shm/modsec/default_SESSION modsec-sdbm-util -du /dev/shm/modsec/global If you have reproduced the issue, the final count will not be equal to the number of requests received by httpd. In my local testing, I would occasionally overload the httpd server and it was not able to receive all of the requests I sent. So, make sure you are not simply comparing the number of requests you sent to the final counter value. Make sure you check the number of request actually received into httpd against the final counter value.

      This is the configuration that is breaking when hammered with many (~1000) concurrent requests:

          LoadModule security2_module ${MODULE_HOME}/modules/mod_security2.so
    <IfModule security2_module>
        SecRuleEngine On
        SecCollectionTimeout 15
        SecDataDir /dev/shm/modsec
        SecDebugLog /jws-3.0/httpd/logs/modsec-debug-GLOBAL-initcol.log
        SecDebugLogLevel 9

        SecRule REQUEST_COOKIES:SESSIONID !^$  phase:1,id:110,nolog,pass,setsid:%{REQUEST_COOKIES.SESSIONID}
        SecAction phase:1,id:111,nolog,pass,setvar:SESSION.my_counter=+1

        SecAction phase:1,id:112,nolog,pass,initcol:global=counter
        SecAction phase:1,id:113,nolog,pass,setvar:global.counter=+1
    </IfModule>

      The global "counter" and session "my_counter" should be equal. They should also be equal to the number of requests received by httpd in the 15 SecCollectionTimeout window.

              gzaronik@redhat.com George Zaronikas
              rhn-support-rbost Robert Bost
              Jan Onderka Jan Onderka
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: