Skip to content

Comments

Support for building with nginx configured with PCRE2#260

Merged
martinhsv merged 1 commit intoowasp-modsecurity:masterfrom
defanator:pcre2
Apr 13, 2022
Merged

Support for building with nginx configured with PCRE2#260
martinhsv merged 1 commit intoowasp-modsecurity:masterfrom
defanator:pcre2

Conversation

@defanator
Copy link
Collaborator

@defanator defanator commented Dec 27, 2021

Related changes in upstream:
nginx/nginx@c6fec0b
nginx/nginx@931acbf

This is going to be a part of upcoming nginx/1.21.5 release scheduled for December 28, 2021.

@defanator
Copy link
Collaborator Author

defanator commented Dec 28, 2021
edited
Loading

Unfortunately, it doesn't work well when the connector module is built with PCRE2, nginx is built with PCRE2, and libmodsecurity is built with PCRE1:

start:      SUMMARY: AddressSanitizer: 59014 byte(s) leaked in 2698 allocation(s).
1st reload: SUMMARY: AddressSanitizer: 18741824 byte(s) leaked in 291932 allocation(s).
2nd reload: SUMMARY: AddressSanitizer: 37483648 byte(s) leaked in 583864 allocation(s).
3rd reload: SUMMARY: AddressSanitizer: 56225472 byte(s) leaked in 875796 allocation(s).
stop:       SUMMARY: AddressSanitizer: 74967296 byte(s) leaked in 1167728 allocation(s).

Full error log here: https://gist.github.com/defanator/de14eacd93eeb44a82c608d624702b85

Perhaps better option for now would be to continue building ModSecurity-nginx with PCRE1. It won't work in long-term however as PCRE1 is basically not supported anymore and eventually everything (including libmodsecurity) hopefully will migrate to PCRE2.

I'll leave this one open just in case if anyone would suggest other options.

@defanator
Copy link
Collaborator Author

defanator commented Dec 28, 2021
edited
Loading

Surprisingly, there are memory leaks when connector is built with PCRE1 and nginx is built with PCRE2:

start:      SUMMARY: AddressSanitizer: 59014 byte(s) leaked in 2698 allocation(s).
1st reload: SUMMARY: AddressSanitizer: 18014174 byte(s) leaked in 288592 allocation(s).
2nd reload: SUMMARY: AddressSanitizer: 36028348 byte(s) leaked in 577184 allocation(s).
3rd reload: SUMMARY: AddressSanitizer: 54042522 byte(s) leaked in 865776 allocation(s).
stop:       SUMMARY: AddressSanitizer: 72056696 byte(s) leaked in 1154368 allocation(s).

Full error log: https://gist.github.com/defanator/274356c4f0594331e9d128af898182ae

JFTR, here are the versions of all involved components:

ModSecurity-nginx: 2497e6a
ModSecurity: owasp-modsecurity/ModSecurity@52958fa
nginx: nginx/nginx@1f01183

The environment was built from https://github.com/defanator/modsecurity-performance (Ubuntu 20.04 "focal", vagrant box generic/ubuntu2004, version 3.6.2).

UPDATE: finally, leaks are still there with module built with PCRE1 and nginx built with PCRE1, so something bad is definitely happening in connector + libmodsec combo. Also, the above numbers were gathered without any external load between nginx reloads. If e.g. nikto scanning tool is running in a cycle (while [ :: ]; do nikto -host localhost -root /modsec-full/ ; done), worker's memory consumption wents crazy with every next nginx reload, especially in case when connector is using PCRE2.

This was referenced Dec 28, 2021
Closed
Closed
Closed
Closed
@martinhsv martinhsv mentioned this pull request Jan 5, 2022
Closed
@defanator defanator mentioned this pull request Jan 12, 2022
Closed
@martinhsv martinhsv merged commit 58e1ce2 into owasp-modsecurity:master Apr 13, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@defanator @martinhsv