Bug 456992 - www-apache/mod_security-2.7.1 renders apache very slow to respond
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Library
Hardware: All Linux
Importance: Normal normal
Assignee: Diego Elio Pettenò (RETIRED)
URL: https://www.modsecurity.org/tracker/b...
Reported: 2013-02-12 20:43 UTC by Tobias Sager
Modified: 2013-02-18 22:15 UTC

Description Tobias Sager 2013-02-12 20:43:57 UTC
Upgrading mod_security to 2.7.1 (from 2.7.0) renders apache (2.2.23) not responding to any request. Disabling mod_security or downgrading without any configuration changes makes it work again.

Port is listening, but server is not delivering any response.

Reproducible: Always

Steps to Reproduce:
1. emerge apache-2.2.23 mod_security-2.7.0 modsecurity-crs
2. Test OK
3. upgrade mod_security to 2.7.1
Actual Results:  
No response from apache server on any port (http/https) and any vhost

Expected Results:  
As with mod_security 2.7.0

 emerge --info mod_security
Portage 2.1.11.50 (default/linux/x86/13.0, gcc-4.6.3, glibc-2.15-r3, 2.6.32-062.2-openvz-intel i686)
=================================================================
                        System Settings
=================================================================
System uname: Linux-2.6.32-062.2-openvz-intel-i686-Intel-R-_Xeon-R-_CPU_E5530_@_2.40GHz-with-gentoo-2.1
KiB Mem:     1048576 total,    647264 free
KiB Swap:    1536000 total,   1524684 free
Timestamp of tree: Tue, 12 Feb 2013 01:45:01 +0000
ld GNU ld (GNU Binutils) 2.22
ccache version 3.1.8 [enabled]
app-shells/bash:          4.2_p37
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.6.5-r3, 2.7.3-r2, 3.1.5, 3.2.3
dev-util/ccache:          3.1.8
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.4_p6::<unknown repository>, 1.5::<unknown repository>, 1.6.3::<unknown repository>, 1.7.9-r1::<unknown repository>, 1.8.5-r3::<unknown repository>, 1.9.6-r2::<unknown repository>, 1.10.2, 1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.4.5, 4.5.4, 4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA Oracle-BCLA-JavaSE"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=opteron -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/www/localhost/cgi-bin /var/www/localhost/htdocs /var/www/toe.ch/htdocs"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=opteron -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -march=i686 -pipe"
FEATURES="assume-digests binpkg-logs ccache collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv"
FFLAGS="-O2 -march=i686 -pipe"
GENTOO_MIRRORS="ftp://ftp.ussg.iu.edu/pub/linux/gentoo ftp://ftp.ndlug.nd.edu/pub/gentoo/ ftp://distro.ibiblio.org/pub/linux/distributions/gentoo/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="acpi adns apache2 avi bash-completion berkdb bzip2 crypt cups cxx directfb fbcon gd gdbm geoip gif gpm imagemagick imap ipv6 java jpeg libwww maildir mbox mmx mpeg mysql ncurses nls nptl nptlonly pam pdflib pear perl php png python readline samba sasl slang socks5 sse ssl tiff usb vhosts x86 xml xml2 zlib" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_alias authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias cgi" CURL_SSL="openssl" ELIBC="glibc" KERNEL="linux" LINGUAS="de en" PYTHON_TARGETS="python2_7" USERLAND="GNU"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

www-apache/mod_security-2.7.0 was built with the following:
USE="geoip -curl -jit -lua"

/etc/init.d/apache2 modules
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_alias_module (shared)
 authn_anon_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_default_module (shared)
 authn_file_module (shared)
 authz_dbm_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 dbd_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 ext_filter_module (shared)
 filter_module (shared)
 headers_module (shared)
 ident_module (shared)
 imagemap_module (shared)
 include_module (shared)
 log_config_module (shared)
 logio_module (shared)
 mime_module (shared)
 mime_magic_module (shared)
 negotiation_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 speling_module (shared)
 ssl_module (shared)
 unique_id_module (shared)
 userdir_module (shared)
 usertrack_module (shared)
 vhost_alias_module (shared)
 dav_svn_module (shared)
 authz_svn_module (shared)
 php5_module (shared)
 security2_module (shared)
Syntax OK


WORKING
[Tue Feb 12 21:28:05 2013] [notice] ModSecurity for Apache/2.7.0 (http://www.modsecurity.org/) configured.
[Tue Feb 12 21:28:05 2013] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
[Tue Feb 12 21:28:05 2013] [notice] ModSecurity: PCRE compiled version="8.30 "; loaded version="8.30 2012-02-04"
[Tue Feb 12 21:28:05 2013] [notice] ModSecurity: LIBXML compiled version="2.8.0"
[Tue Feb 12 21:28:05 2013] [notice] Digest: generating secret for digest authentication ...
[Tue Feb 12 21:28:06 2013] [notice] Digest: done
[Tue Feb 12 21:28:07 2013] [notice] Apache/2.2.23 (Unix) DAV/2 mod_ssl/2.2.23 OpenSSL/1.0.1c SVN/1.7.7 PHP/5.4.8--pl0-gentoo configured -- resuming normal operations

BROKEN
[Tue Feb 12 21:37:02 2013] [notice] ModSecurity for Apache/2.7.1 (http://www.modsecurity.org/) configured.
[Tue Feb 12 21:37:02 2013] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
[Tue Feb 12 21:37:02 2013] [notice] ModSecurity: PCRE compiled version="8.30 "; loaded version="8.30 2012-02-04"
[Tue Feb 12 21:37:02 2013] [notice] ModSecurity: LIBXML compiled version="2.8.0"
[Tue Feb 12 21:37:02 2013] [notice] Digest: generating secret for digest authentication ...
[Tue Feb 12 21:37:02 2013] [notice] Digest: done
[Tue Feb 12 21:37:03 2013] [notice] Apache/2.2.23 (Unix) DAV/2 mod_ssl/2.2.23 OpenSSL/1.0.1c SVN/1.7.7 PHP/5.4.8--pl0-gentoo configured -- resuming normal operations
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2013-02-13 20:21:56 UTC
Hrm, can you contact upstream please? And maybe try 2.7.2 in ~arch? Because I can't reproduce here..
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2013-02-16 17:50:47 UTC
Do you use @ipMatchFromFile (or the alias @ipMatchF) in any configuration?
Comment 3 Tobias Sager 2013-02-16 21:09:43 UTC
(In reply to comment #1)
> Hrm, can you contact upstream please? And maybe try 2.7.2 in ~arch? Because
> I can't reproduce here..

This is my upstream report: https://www.modsecurity.org/tracker/browse/MODSEC-384
And 2.7.2 does also break.

(In reply to comment #2)
> Do you use @ipMatchFromFile (or the alias @ipMatchF) in any configuration?

No use of both.
Comment 4 Tobias Sager 2013-02-18 22:15:28 UTC
Worked it out with upstream.

mod_security-2.7.1 changes from a prng to apr_generate_random_bytes. As my apr was compiled without USE=urandom, it was using /dev/random to generate these bytes. That device is typically slow under virtual machines and finally led to a very slow apache because mod_security was reading from it for each request.

Re-compiling apr with USE=urandom did make the problem disappear, all works fine now with mod_security-2.7.2.

Thanks for listening.. ;-)
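
A diagnostic for the root cause described in comment 4, added here as an example and not part of the original bug report or of the apr/mod_security projects: it reports whether a given libapr build reads from the blocking /dev/random or from /dev/urandom. It assumes the device path chosen at build time is embedded in the library as a plain string; the function names and the stand-in files are constructed for illustration.

```shell
#!/bin/sh
# Added example: which random device was a libapr build configured to read?
# Assumption: the device path is embedded in the library as a string literal.

# apr_random_device FILE -> prints "urandom", "random" or "unknown"
apr_random_device() {
    lib=$1
    [ -r "$lib" ] || { echo "unknown"; return 0; }
    # -a: treat the binary as text; -o: print only the matched device path
    found=$(LC_ALL=C grep -a -o -E '/dev/u?random' "$lib" | sort -u)
    case "$found" in
        /dev/urandom) echo "urandom" ;;
        /dev/random)  echo "random" ;;
        *)            echo "unknown" ;;   # neither path, or both present
    esac
}

# check_apr FILE [ENTROPY_FILE]
# Returns 0 for /dev/urandom, 1 for the blocking /dev/random, 2 if unknown.
check_apr() {
    dev=$(apr_random_device "$1")
    avail=$(cat "${2:-/proc/sys/kernel/random/entropy_avail}" 2>/dev/null || echo "?")
    echo "$1: random device=$dev, kernel entropy_avail=$avail"
    case "$dev" in
        urandom) return 0 ;;
        random)  echo "  blocking pool: every random read can stall a request"
                 return 1 ;;
        *)       return 2 ;;
    esac
}

# Constructed stand-ins for two libapr builds (not real libraries).
demo=$(mktemp -d)
printf 'ELF\000open\000/dev/random\000apr\000'  > "$demo/apr-no-urandom.so"
printf 'ELF\000open\000/dev/urandom\000apr\000' > "$demo/apr-urandom.so"
for f in "$demo"/*.so; do
    check_apr "$f" || true
done
```

On a real host, pass the installed libapr shared object to check_apr instead of the stand-in files. On Gentoo, the USE flags an installed apr was built with are also recorded under /var/db/pkg/dev-libs/apr-*/USE.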