Posted to dev@httpd.apache.org by Ewald Dieterich <ew...@t-online.de> on 2013/12/12 10:16:51 UTC
Reverse proxy, mod_security, segmentation fault
I already asked on the mod_security developer mailing list for help, but
didn't get a response. So I'm trying my luck here.

On a Debian unstable installation (Apache 2.4.6, apr 1.4.8, apr-util
1.5.3, mod_security 2.7.5) I enabled mpm_worker and configured a simple
reverse proxy. When I enable mod_security and then send large amounts of
POST requests to a misconfigured backend server that just drops the
requests, I get segmentation faults.

For mod_security I only set "SecRequestBodyAccess On", I didn't enable
any rules. Here is the configuration for the location:

<Location />
SecRuleEngine On
SecRequestBodyAccess On

ProxyPass http://backend:8080/
ProxyPassReverse http://backend:8080/
</Location>

On the backend I run faucet to simulate the request-dropping backend
server:

faucet 8080 --out echo ""

If a client sends a request, the reverse proxy sends a "502 Bad Gateway"
response and logs the following errors:

[...] (104)Connection reset by peer: [client 10.128.128.81:49143]
AH01102: error reading status line from remote server backend:8080
[...] AH00898: Error reading from remote server returned by /

So everything works as expected.

Now I send POST requests in parallel by starting this loop on multiple
shells, the more the better (data_file is 25k):

while true ; do curl -d @data_file http://frontend/ ; done

Every once in a while I get a segmentation fault. If I enable
mpm_prefork (or disable mod_security) I don't get any segmentation faults.

This seems to be a multithreading race condition, so I'm not sure if
backtraces are of any help, but I attached two files with the output of
"thread apply all bt" from gdb for two segmentation faults.

Is this a bug or am I doing something wrong? Thanks for your help!
Re: Reverse proxy, mod_security, segmentation fault
Posted by Micha Lenk <mi...@lenk.info>.
Hi Ewald,
On 12.12.2013 10:16, Ewald Dieterich wrote:
> [...] Is this a bug or am I doing something wrong?
I would consider the segmentation faults to be bugs. The question is
whether they are bugs in httpd or in mod_security...
Looking at the backtraces I noticed that most threads are busy in a
syscall (i.e. poll(), read() and the like) or waiting on a thread mutex
(i.e. pthread_cond_wait() etc.). Those threads are blocked and most
likely do not actively contribute to a segfault. In both segfaults you
can find a thread that is currently running a signal handler (i.e.
kill()). If I remember correctly, it is quite error-prone to handle
signals in multi-threaded applications. I would assume your segfaults
are related to these typical signal handling issues with multithreading.
Hope that helps...
Regards,
Micha
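
Added example, not part of the original thread: a small Python triage of gdb's "thread apply all bt" output along the lines described above, separating threads parked in a syscall or mutex wait from a thread inside a signal handler and naming the frame below gdb's `<signal handler called>` marker. The sample backtrace is constructed; its addresses, paths and `*_fn` names are hypothetical.

```python
import re

# Innermost frames that mean "parked in a syscall or waiting on a mutex/condvar".
BLOCKING = {"poll", "read", "epoll_wait", "accept4", "select",
            "pthread_cond_wait", "pthread_cond_timedwait", "__lll_lock_wait"}
THREAD_RE = re.compile(r"^Thread (\d+) \(")
FRAME_RE = re.compile(r"^#\d+\s+(?:0x[0-9a-f]+ in )?(<signal handler called>|[^\s(]+)")

def parse_threads(text):
    """Return {thread_id: [function names, innermost first]}."""
    threads, current = {}, None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = threads.setdefault(int(m.group(1)), [])
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append(m.group(1).split("@")[0])  # strip @@GLIBC_x.y suffixes
    return threads

def triage(text):
    """Classify each thread; for signal-handler threads name the interrupted frame."""
    report = {}
    for tid, frames in parse_threads(text).items():
        if "<signal handler called>" in frames:
            # Frames below gdb's marker were running when the signal arrived.
            i = frames.index("<signal handler called>")
            report[tid] = ("signal", frames[i + 1] if i + 1 < len(frames) else None)
        elif frames and frames[0] in BLOCKING:
            report[tid] = ("blocked", frames[0])
        else:
            report[tid] = ("running", frames[0] if frames else None)
    return report

# Constructed sample in "thread apply all bt" format; all names are made up.
SAMPLE = """\
Thread 3 (Thread 0x7f0000000003 (LWP 103)):
#0  0x00007f00aaaa0001 in poll () from /lib/libc.so.6

Thread 2 (Thread 0x7f0000000002 (LWP 102)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at pthread_cond_wait.S:185

Thread 1 (Thread 0x7f0000000001 (LWP 101)):
#0  0x00007f00aaaa0004 in kill () from /lib/libc.so.6
#1  0x00007f00aaaa0005 in handler_fn () from /usr/lib/example.so
#2  <signal handler called>
#3  0x00007f00aaaa0006 in interrupted_fn () from /usr/lib/example.so
"""
```

Calling `triage()` on a saved backtrace file's contents returns one `(state, function)` pair per thread, so the handful of threads that are not simply blocked stand out.
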
Re: Reverse proxy, mod_security, segmentation fault
Posted by Rainer Jung <ra...@kippdata.de>.
On 12.12.2013 16:16, Ewald Dieterich wrote:
> On 12/12/2013 11:53 AM, Rainer Jung wrote:
>> On 12.12.2013 10:16, Ewald Dieterich wrote:
>>> On a Debian unstable installation (Apache 2.4.6, apr 1.4.8, apr-util
>>> 1.5.3, mod_security 2.7.5) I enabled mpm_worker and configured a simple
>>> reverse proxy. When I enable mod_security and then send large amounts of
>>> POST requests to a misconfigured backend server that just drops the
>>> requests, I get segmentation faults.
>>
>> Could it be
>>
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=50335
>>
>> See the patch discussion starting at comment #28.
>>
>> The currently committed trunk patches are
>>
>> http://svn.apache.org/viewvc?view=revision&revision=1534321
>>
>> and
>>
>> http://svn.apache.org/viewvc?view=revision&revision=1550061
>>
>> Those fixes might not yet be a complete solution to the problem, but
>> might be easy to backport to 2.4 to check whether they fix your problem.
>
> The patches fix my problem, no more segmentation faults.
Thanks for letting us know and updating the ticket.
Rainer
Re: Reverse proxy, mod_security, segmentation fault
Posted by Jim Jagielski <ji...@jaguNET.com>.
I've proposed for backport...
On Dec 12, 2013, at 10:16 AM, Ewald Dieterich <ew...@t-online.de> wrote:
> On 12/12/2013 11:53 AM, Rainer Jung wrote:
>> On 12.12.2013 10:16, Ewald Dieterich wrote:
>>> On a Debian unstable installation (Apache 2.4.6, apr 1.4.8, apr-util
>>> 1.5.3, mod_security 2.7.5) I enabled mpm_worker and configured a simple
>>> reverse proxy. When I enable mod_security and then send large amounts of
>>> POST requests to a misconfigured backend server that just drops the
>>> requests, I get segmentation faults.
>>
>> Could it be
>>
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=50335
>>
>> See the patch discussion starting at comment #28.
>>
>> The currently committed trunk patches are
>>
>> http://svn.apache.org/viewvc?view=revision&revision=1534321
>>
>> and
>>
>> http://svn.apache.org/viewvc?view=revision&revision=1550061
>>
>> Those fixes might not yet be a complete solution to the problem, but
>> might be easy to backport to 2.4 to check whether they fix your problem.
>
> The patches fix my problem, no more segmentation faults.
>
Re: Reverse proxy, mod_security, segmentation fault
Posted by Ewald Dieterich <ew...@t-online.de>.
On 12/12/2013 11:53 AM, Rainer Jung wrote:
> On 12.12.2013 10:16, Ewald Dieterich wrote:
>> On a Debian unstable installation (Apache 2.4.6, apr 1.4.8, apr-util
>> 1.5.3, mod_security 2.7.5) I enabled mpm_worker and configured a simple
>> reverse proxy. When I enable mod_security and then send large amounts of
>> POST requests to a misconfigured backend server that just drops the
>> requests, I get segmentation faults.
>
> Could it be
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=50335
>
> See the patch discussion starting at comment #28.
>
> The currently committed trunk patches are
>
> http://svn.apache.org/viewvc?view=revision&revision=1534321
>
> and
>
> http://svn.apache.org/viewvc?view=revision&revision=1550061
>
> Those fixes might not yet be a complete solution to the problem, but
> might be easy to backport to 2.4 to check whether they fix your problem.
The patches fix my problem, no more segmentation faults.
Re: Reverse proxy, mod_security, segmentation fault
Posted by Rainer Jung <ra...@kippdata.de>.
On 12.12.2013 10:16, Ewald Dieterich wrote:
> I already asked on the mod_security developer mailing list for help, but
> didn't get a response. So I'm trying my luck here.
>
> On a Debian unstable installation (Apache 2.4.6, apr 1.4.8, apr-util
> 1.5.3, mod_security 2.7.5) I enabled mpm_worker and configured a simple
> reverse proxy. When I enable mod_security and then send large amounts of
> POST requests to a misconfigured backend server that just drops the
> requests, I get segmentation faults.
>
> For mod_security I only set "SecRequestBodyAccess On", I didn't enable
> any rules. Here is the configuration for the location:
>
> <Location />
> SecRuleEngine On
> SecRequestBodyAccess On
>
> ProxyPass http://backend:8080/
> ProxyPassReverse http://backend:8080/
> </Location>
>
> On the backend I run faucet to simulate the request-dropping backend
> server:
>
> faucet 8080 --out echo ""
>
> If a client sends a request, the reverse proxy sends a "502 Bad Gateway"
> response and logs the following errors:
>
> [...] (104)Connection reset by peer: [client 10.128.128.81:49143]
> AH01102: error reading status line from remote server backend:8080
> [...] AH00898: Error reading from remote server returned by /
>
> So everything works as expected.
>
> Now I send POST requests in parallel by starting this loop on multiple
> shells, the more the better (data_file is 25k):
>
> while true ; do curl -d @data_file http://frontend/ ; done
>
> Every once in a while I get a segmentation fault. If I enable
> mpm_prefork (or disable mod_security) I don't get any segmentation faults.
>
> This seems to be a multithreading race condition, so I'm not sure if
> backtraces are of any help, but I attached two files with the output of
> "thread apply all bt" from gdb for two segmentation faults.
>
> Is this a bug or am I doing something wrong? Thanks for your help!

Could it be

https://issues.apache.org/bugzilla/show_bug.cgi?id=50335

See the patch discussion starting at comment #28.

The currently committed trunk patches are

http://svn.apache.org/viewvc?view=revision&revision=1534321

and

http://svn.apache.org/viewvc?view=revision&revision=1550061

Those fixes might not yet be a complete solution to the problem, but
might be easy to backport to 2.4 to check whether they fix your problem.

Please add your finding to the above bugzilla.

Regards,

Rainer