Description
Looks like if an SPOP request to modsecurity exceeds the timeout processing
, the request will be allowed to proceed. Is there some way of configuring HAProxy to "fail closed" when it encounters a timeout?
Here's an example of the behavior. I sent 300 requests, 100 at a time to an haproxy server. This server is using spoa-modsecurity with timeout processing 1s
set:
$ hey -n 300 -c 100 -T "text/html" 'https://<myhost>?p=/etc/passwd'
Summary:
Total: 1.2475 secs
Slowest: 1.0317 secs
Fastest: 0.0204 secs
Average: 0.1325 secs
Requests/sec: 240.4834
Total data: 26319 bytes
Size/request: 87 bytes
Response time histogram:
0.020 [1] |
0.122 [212] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
0.223 [70] |■■■■■■■■■■■■■
0.324 [0] |
0.425 [0] |
0.526 [0] |
0.627 [0] |
0.728 [0] |
0.829 [0] |
0.931 [0] |
1.032 [17] |■■■ <---------- NOTE
Latency distribution:
10% in 0.0310 secs
25% in 0.0442 secs
50% in 0.0670 secs
75% in 0.1245 secs
90% in 0.1611 secs
95% in 1.0182 secs
99% in 1.0309 secs
Details (average, fastest, slowest):
DNS+dialup: 0.0245 secs, 0.0204 secs, 1.0317 secs
DNS-lookup: 0.0012 secs, 0.0000 secs, 0.0046 secs
req write: 0.0000 secs, 0.0000 secs, 0.0007 secs
resp wait: 0.1061 secs, 0.0203 secs, 1.0315 secs
resp read: 0.0000 secs, 0.0000 secs, 0.0002 secs
Status code distribution:
[200] 17 responses <---------- NOTE
[403] 283 responses
Note how 17 requests took slightly longer than 1 second to process, but instead of being denied (403) by modsecurity for trying to access /etc/passwd
, the requests went through (200).
This might be a separate issue, but the request distribution also looks suspicious. I'd expect to have a long tail of requests between 0.2 and 1.0 seconds, but instead it's a sharp cliff. Maybe there's some other limit being hit here which causes modsecurity to lock up? I'm running modsecurity with "-n 16" worker threads on a VM with 4 CPUs, for context.