Posted to users@httpd.apache.org by Prem Masarani <pr...@highq.com> on 2015/08/18 16:32:13 UTC

[users@httpd] apache - mod_security Issue

Hi,

We have two applications on different tomcats and both the applications
interact through apache.
Apache is configured with mod_security rules.

In this setup I have faced two scenarios:

Scenario 1:
---------------
The first application is requesting a resource from the second (e.g. any document).
In this case apache is taking more time in sending the request to the second
application's tomcat.
As we have noticed, sometimes it is taking around 30 sec to send the request to
the second application's tomcat.
Due to this, the response time is exceeding the Read time out time set for
the request.

And on removing mod_security from apache we haven't faced this type of
issue.

Scenario 2:
---------------
When scenario 1 occurs we have multiple requests that are waiting long for
their response.
On checking apache's server-status we found most of the worker threads in
"W" Sending Reply state.
And the number of worker threads in "W" state keeps on increasing.
This leads to a situation where the no. of requests exceeds the number of
worker threads in the server process since multiple threads are in their
waiting state.

Please find the attached screenshot of apache server-status,
where all of apache's working threads are in "W" Sending Reply state.

And the strange thing is that even after stopping both applications'
tomcats there still exist threads in "W" Sending Reply state in apache's
server-status.
They are released only after restarting apache.

We are facing this issue after updating from 2.4.10 to apache 2.4.12 or
2.4.16.
We haven't faced this scenario up to apache 2.4.10.

And on removing mod_security from apache we haven't faced this type of
scenario as well.

For now, we have given a solution by just removing mod_security when both
applications interact with each other.
But this doesn't seem a feasible solution as it's working fine in apache
2.4.10.

Please suggest a fix for this odd behaviour of apache 2.4.12 or 2.4.16 with
mod_security, or the reason for it.
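
The "W" build-up described in Scenario 2 can be tracked from the machine-readable status page (server-status?auto) rather than from screenshots. The following is an added example, not part of the original post: the snapshots are constructed, the function names are hypothetical, and the 0.8 threshold is an assumed value. A slot that is "W" in every poll is only a hint that the worker is stuck, since it may have served different requests between polls.

```python
# Added example: heuristics over mod_status scoreboards (constructed samples).
# Scoreboard keys per mod_status: "W" = Sending Reply, "_" = Waiting for
# Connection, "K" = Keepalive, "R" = Reading Request, "." = open slot.

# Constructed `server-status?auto` excerpts, taken at three poll times.
SNAPSHOTS = [
    "BusyWorkers: 7\nIdleWorkers: 3\nScoreboard: WW_WK_W_WW..\n",
    "BusyWorkers: 8\nIdleWorkers: 2\nScoreboard: WWWW_RW_WW..\n",
    "BusyWorkers: 9\nIdleWorkers: 1\nScoreboard: WWWWWWW_WW..\n",
]


def parse_scoreboard(text):
    """Return the scoreboard string from one ?auto response."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Scoreboard":
            return value.strip()
    raise ValueError("no Scoreboard line found")


def w_ratio(scoreboard):
    """Share of live worker slots in 'W'; open slots ('.') are not counted."""
    live = [c for c in scoreboard if c != "."]
    return live.count("W") / len(live) if live else 0.0


def persistent_w_slots(boards):
    """Slot indexes that are 'W' in every scoreboard (heuristic for 'stuck')."""
    width = min(len(b) for b in boards)
    return [i for i in range(width) if all(b[i] == "W" for b in boards)]


def assess(snapshots, threshold=0.8):  # threshold is an assumed value
    boards = [parse_scoreboard(s) for s in snapshots]
    ratios = [w_ratio(b) for b in boards]
    return {
        "ratios": ratios,
        "rising": all(a < b for a, b in zip(ratios, ratios[1:])),
        "saturated": ratios[-1] >= threshold,
        "persistent_w": persistent_w_slots(boards),
    }


if __name__ == "__main__":
    print(assess(SNAPSHOTS))
```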