Description
Looks like if an SPOP request to modsecurity exceeds the timeout processing, the request will be allowed to proceed. Is there some way of configuring HAProxy to "fail closed" when it encounters a timeout?
Here's an example of the behavior. I sent 300 requests, 100 at a time to an haproxy server. This server is using spoa-modsecurity with timeout processing 1s set:
$ hey -n 300 -c 100 -T "text/html" 'https://<myhost>?p=/etc/passwd'
Summary:
Total: 1.2475 secs
Slowest: 1.0317 secs
Fastest: 0.0204 secs
Average: 0.1325 secs
Requests/sec: 240.4834
Total data: 26319 bytes
Size/request: 87 bytes
Response time histogram:
0.020 [1] |
0.122 [212] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
0.223 [70] |■■■■■■■■■■■■■
0.324 [0] |
0.425 [0] |
0.526 [0] |
0.627 [0] |
0.728 [0] |
0.829 [0] |
0.931 [0] |
1.032 [17] |■■■ <---------- NOTE
Latency distribution:
10% in 0.0310 secs
25% in 0.0442 secs
50% in 0.0670 secs
75% in 0.1245 secs
90% in 0.1611 secs
95% in 1.0182 secs
99% in 1.0309 secs
Details (average, fastest, slowest):
DNS+dialup: 0.0245 secs, 0.0204 secs, 1.0317 secs
DNS-lookup: 0.0012 secs, 0.0000 secs, 0.0046 secs
req write: 0.0000 secs, 0.0000 secs, 0.0007 secs
resp wait: 0.1061 secs, 0.0203 secs, 1.0315 secs
resp read: 0.0000 secs, 0.0000 secs, 0.0002 secs
Status code distribution:
[200] 17 responses <---------- NOTE
[403] 283 responses
Note how 17 requests took slightly longer than 1 second to process, but instead of being denied (403) by modsecurity for trying to access /etc/passwd, the requests went through (200).
This might be a separate issue, but the request distribution also looks suspicious. I'd expect to have a long tail of requests between 0.2 and 1.0 seconds, but instead it's a sharp cliff. Maybe there's some other limit being hit here which causes modsecurity to lock up? I'm running modsecurity with "-n 16" worker threads on a VM with 4 CPUs, for context.