Uploaded image for project: 'JBoss Web Server'
  1. JBoss Web Server
  2. JWS-489

It appears that the ModSecurity module sometimes fails to increment an integer in persistent storage when many concurrent transactions are sent to the Apache web server.

XMLWordPrintable

    • Release Notes
    • This is verified and is a part of JBoss Core Services
    • Hide
      1. Create setup using configuration in this issue Description.
      2. Run load test using this script:
        #!/bin/bash
        for i in `seq 1 1000`;do
            curl -b "SESSIONID=testid" localhost/index.html &>/dev/null &
        done
        
      3. You can either check the SecDebugLog or use the modsec-sdbm-util (https://github.com/SpiderLabs/modsec-sdbm-util/) to check the final count.
        • grep 'collection_store: Wrote variable: name "my_counter"' | tail -n1
        • OR
        • modsec-sdbm-util -du /dev/shm/modsec/default_SESSION
        • modsec-sdbm-util -du /dev/shm/modsec/global
        • If you have reproduced the issue, the final count will not be equal to the number of requests received by httpd.

      In my local testing, I would occasionally overload the httpd server and it was not able to receive all of the requests I sent. So, make sure you are not simply comparing the number of requests you sent to the final counter value. Make sure you check the number of request actually received into httpd against the final counter value.

      Show
      Create setup using configuration in this issue Description. Run load test using this script: #!/bin/bash for i in `seq 1 1000`; do curl -b "SESSIONID=testid" localhost/index.html &>/dev/ null & done You can either check the SecDebugLog or use the modsec-sdbm-util ( https://github.com/SpiderLabs/modsec-sdbm-util/ ) to check the final count. grep 'collection_store: Wrote variable: name "my_counter"' | tail -n1 OR modsec-sdbm-util -du /dev/shm/modsec/default_SESSION modsec-sdbm-util -du /dev/shm/modsec/global If you have reproduced the issue, the final count will not be equal to the number of requests received by httpd. In my local testing, I would occasionally overload the httpd server and it was not able to receive all of the requests I sent. So, make sure you are not simply comparing the number of requests you sent to the final counter value. Make sure you check the number of request actually received into httpd against the final counter value.

      This is the configuration that is breaking when hammered with many (~1000) concurrent requests:

          LoadModule security2_module ${MODULE_HOME}/modules/mod_security2-jws3.so
          <IfModule security2_module>
              SecRuleEngine On
              SecCollectionTimeout 15
              SecDataDir /dev/shm/modsec
              SecDebugLog /jws-3.0/httpd/logs/modsec-debug-GLOBAL-initcol.log
              SecDebugLogLevel 9
      
              SecRule REQUEST_COOKIES:SESSIONID !^$  phase:1,id:110,nolog,pass,setsid:%{REQUEST_COOKIES.SESSIONID}
              SecAction phase:1,id:111,nolog,pass,setvar:SESSION.my_counter=+1
      
              SecAction phase:1,id:112,nolog,pass,initcol:global=counter
              SecAction phase:1,id:113,nolog,pass,setvar:global.counter=+1
          </IfModule>
      

      The global "counter" and session "my_counter" should be equal. They should also be equal to the number of requests received by httpd in the 15 SecCollectionTimeout window.

        1. JWS-489.patch
          3 kB
          Mladen Turk

              gzaronik@redhat.com George Zaronikas
              rhn-support-rbost Robert Bost
              Jan Onderka Jan Onderka
              David Michael David Michael (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

                Created:
                Updated:
                Resolved: