
List:       mod-security-users
Subject:    [mod-security-users] Reply:  Reply: I have a question:nginx1.9
From:       "Junjie, DONG(MIE BJ R&D CPD-BJ-TCT)" <junjie.dong () tcl ! com>
Date:       2015-07-29 2:51:59
Message-ID: 9A178CA37CB24F49AF250EE1208807E70D7111 () CNSZEXMB02

The pcre version is 8.38-RC1.
Has anyone used nginx with mod-sec in reverse proxy-mode before?

-----Original Message-----
From: Reindl Harald [mailto:h.reindl@thelounge.net]
Sent: July 28, 2015 18:18
To: mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] Reply: I have a question:nginx1.9.2 with \
modsecurity2.9 in reverse proxy-mode

check your pcre version and if modsec is compiled with pcre-jit
https://bugzilla.redhat.com/show_bug.cgi?id=1215701

-------- Forwarded Message --------
Subject: Re: [mod-security-users] --enable-pcre-jit: segfaults Fedora 21 and \
                roundcube 1.0.5
Date: Mon, 27 Apr 2015 15:12:14 +0200
From: Reindl Harald <h.reindl@thelounge.net>
Reply-To: mod-security-users@lists.sourceforge.net
Organization: the lounge interactive design
To: mod-security-users@lists.sourceforge.net


BTW: it doesn't need roundcube, just call
http://somesite-behind-modsec-with-jit/plugins/jqueryui/js/i18n/jquery.ui.datepicker-de.jssg
 and the httpd preforker child crashes

and holy shit without the dots no crash
http://somesite-behind-modsec-with-jit/plugins/jqueryui/js/i18n/jqdueryhuihdatepicker-de.jssg
 on F21

On 27.04.2015 at 14:44, Reindl Harald wrote:
 > on Fedora 21 x86_64 mod_security 2.9.0 built with --enable-pcre-jit
 > crashes every time /plugins/jqueryui/js/i18n/jquery.ui.datepicker-de.js
 > from roundcube 1.0.5 is loaded
 > __________________________________
 >
 > not sure if it's GCC 4.9 or pcre which are newer than on Fedora 20 but
 > after seeking the reason for random crashes over hours at PHP/Apache side
 > it turned out that it practically happens only with that file and
 > without mod_security or with pcre-jit disabled all is fine
 > __________________________________
 >
 > [Mon Apr 27 11:09:23.113259 2015] [core:notice] [pid 118704] AH00052:
 > child pid 118706 exit signal Segmentation fault (11)
 >
 > open("/dev/urandom", O_RDONLY)          = 13
 > read(13, "\200\376%\23\240\236\n9\373\210\243%i\223\367J\210\271\177\26\207\331\177\r\372RB\342\2223\352="..., 64) = 64
 > close(13)                               = 0
 > mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
 > = 0x7fcf70b39000
 > mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
 > = 0x7fcf70b37000
 > munmap(0x7fcf70b37000, 8192)            = 0
 > --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} ---
 > chdir("/etc/httpd")                     = 0
 > rt_sigaction(SIGSEGV, {SIG_DFL, [], SA_RESTORER|SA_INTERRUPT,
 > 0x7fcf754c70d0}, {SIG_DFL, [], SA_RESTORER|SA_RESETHAND,
 > 0x7fcf754c70d0}, 8) = 0
 > kill(118706, SIGSEGV)                   = 0
 > rt_sigreturn({mask=[]})                 = 32
 > --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_USER, si_pid=118706,
 > si_uid=48} ---
 > +++ killed by SIGSEGV +++

On 28.07.2015 at 12:13, Junjie, DONG(MIE BJ R&D CPD-BJ-TCT) wrote:
> Hi Felipe,
> 
> I have tried the method that you sent to me. But the problem
> still happens. It does not seem to be the same problem. The attachment
> enclosed is my Nginx debug logs:
> 
> 106.39.108.46 is my client IP. I try to request a file called
> "jquery-1.11.1.min.js" on my Web App.
> 
> The problem may happen in phase 4.
> 
> Thanks.
> 
> *From:* Felipe Costa [mailto:FCosta@trustwave.com]
> *Sent:* July 27, 2015 20:13
> *To:* mod-security-users@lists.sourceforge.net
> *Subject:* Re: [mod-security-users] I have a question:nginx1.9.2 with
> modsecurity2.9 in reverse proxy-mode
> 
> Hi Junjie,
> 
> Please look at issue #142
> (https://github.com/SpiderLabs/ModSecurity/issues/142) and give a try on
> branch nginx_refactoring -
> 
> https://github.com/SpiderLabs/ModSecurity/tree/nginx_refactoring
> 
> Br,
> 
> Felipe "Zimmerle" Costa
> 
> Security Researcher, SpiderLabs
> 
> Trustwave | SMART SECURITY ON DEMAND
> 
> www.trustwave.com
> 
> *From:* "Junjie, DONG (MIE BJ R&D CPD-BJ-TCT)" <junjie.dong@tcl.com>
> *Reply-To:* mod-security-users@lists.sourceforge.net
> *Date:* Monday, July 27, 2015 at 5:20 AM
> *To:* mod-security-users@lists.sourceforge.net
> *Subject:* [mod-security-users] I have a question:nginx1.9.2 with
> modsecurity2.9 in reverse proxy-mode
> 
> Hi!
> 
> I am trying to use nginx1.9.2 with modsecurity2.9 in reverse proxy-mode to
> protect my Web App. The .js/.css/.png files in my Web App can't be
> sent in response to the client. But the .html files are OK. There are a lot
> of errors in the log like these:
> 
> 2015/07/27 15:52:06 [notice] 17130#0: start worker process 17284
> 2015/07/27 15:52:06 [notice] 17130#0: signal 29 (SIGIO) received
> 2015/07/27 15:52:06 [notice] 17130#0: signal 17 (SIGCHLD) received
> 2015/07/27 15:52:06 [alert] 17130#0: worker process 17281 exited on signal 11 (core dumped)
> 2015/07/27 15:52:06 [notice] 17130#0: start worker process 17286
> 2015/07/27 15:52:06 [notice] 17130#0: signal 29 (SIGIO) received
> 2015/07/27 15:52:06 [notice] 17130#0: signal 17 (SIGCHLD) received
> 2015/07/27 15:52:06 [alert] 17130#0: worker process 17276 exited on signal 11 (core dumped)
> 2015/07/27 15:52:06 [notice] 17130#0: start worker process 17288
> 2015/07/27 15:52:06 [notice] 17130#0: signal 29 (SIGIO) received
> 
> When I delete the configurations of modsecurity in nginx.conf, the Web
> App can work normally.
> 
> Thanks for your help!

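Added example (not part of the original messages and not ModSecurity project code): a small triage script for the two things this thread points at, counting nginx workers killed by signal 11 and comparing the PCRE version ModSecurity was compiled against with the one loaded at run time, as reported in the ModSecurity 2.x startup banner. The log text is a constructed sample modelled on the lines quoted above; the banner line's prefix and both PCRE versions are assumptions.

```python
import re
from collections import Counter

# Constructed sample. The worker lines follow the nginx error log quoted in the
# thread; the ModSecurity PCRE banner line and its versions are made up.
SAMPLE_LOG = '''\
2015/07/27 15:52:05 [notice] 17130#0: ModSecurity: PCRE compiled version="8.32 "; loaded version="8.36 2014-09-26"
2015/07/27 15:52:06 [notice] 17130#0: start worker process 17284
2015/07/27 15:52:06 [notice] 17130#0: signal 17 (SIGCHLD) received
2015/07/27 15:52:06 [alert] 17130#0: worker process 17281 exited on signal 11 (core dumped)
2015/07/27 15:52:06 [notice] 17130#0: start worker process 17286
2015/07/27 15:52:06 [alert] 17130#0: worker process 17276 exited on signal 11 (core dumped)
2015/07/27 15:52:07 [notice] 17130#0: worker process 17290 exited with code 0
'''

CRASH = re.compile(r'^(\S+ \S+) \[alert\] \d+#\d+: worker process (\d+) '
                   r'exited on signal (\d+)( \(core dumped\))?')
PCRE = re.compile(r'PCRE compiled version="([^"]*)"; loaded version="([^"]*)"')

def worker_crashes(log):
    """Return (timestamp, pid, signal, core_dumped) for each killed worker."""
    out = []
    for line in log.splitlines():
        m = CRASH.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3)), bool(m.group(4))))
    return out

def crash_loops(log, threshold=2):
    """Seconds in which at least `threshold` workers died from SIGSEGV (11)."""
    per_second = Counter(ts for ts, _, sig, _ in worker_crashes(log) if sig == 11)
    return {ts: n for ts, n in per_second.items() if n >= threshold}

def pcre_versions(log):
    """Return (compiled, loaded, mismatch) from the PCRE banner, or None."""
    m = PCRE.search(log)
    if not m:
        return None
    # Each field is "<version> <release date>"; compare the version token only.
    compiled, loaded = (f.split()[0] if f.split() else "" for f in m.groups())
    return compiled, loaded, compiled != loaded

if __name__ == "__main__":
    print(worker_crashes(SAMPLE_LOG))
    print(crash_loops(SAMPLE_LOG))
    print(pcre_versions(SAMPLE_LOG))
```

A mismatch between compiled and loaded PCRE, or repeated signal 11 exits within the same second, is the cue to rebuild against the installed PCRE or test again with JIT disabled, as suggested in the thread.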

