Re: Apache child processes not dying/timing out
Posted: Wed Dec 01, 2010 6:12 am
by premierhosting
Same problem posted here:
http://atomicorp.com/forums/viewtopic.php?f=1&t=4582
Anyone else notice that mod_security as implemented by ASL adds about 100MB of RSS to each httpd process? My load averages have been on the hot side since installing ASL and I think this is the prime culprit. Any thoughts?
Some of the 2006 vintage suggestions don't seem to apply directly to the current modsecurity rulesets.
Re: Apache child processes not dying/timing out
Posted: Wed Dec 01, 2010 6:37 am
by premierhosting
I was able to get between 10 and 40 MB taken off each httpd process by removing various files from /etc/httpd/modsecurity.d
The 10_asl_antimalware.conf was the biggest one.
Re: Apache child processes not dying/timing out
Posted: Wed Dec 01, 2010 6:16 pm
by mikeshinn
https://atomicorp.com/forums/viewtopic.php?f=3&t=4574
It's not a bug, it's a byproduct of how parallel searches are done. The malware domain list is around 10K entries long; if we did a normal search of that list the process would slow down the webserver (that's how it used to be done back in the modsec 1.x days) but wouldn't use much memory. Now we do parallel searches which are lightning fast, and require more memory. So it's a trade off, speed for memory, or memory for speed. So, if you don't have enough memory then you probably shouldn't use the antimalware rules.
Given the night and day performance enhancement parallel searches give us, it's the only way to do lookups in milliseconds on large lists. Any other method would kill the server. Most people don't have any issues with this ruleset, memory being pretty cheap these days. So if memory is an issue for you, then you won't be able to use the antimalware blocklist.
A box with 1.5 GB of memory will do just fine.
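To make the speed-for-memory trade-off concrete, here is an added example (not from this thread, and not Atomicorp's or ModSecurity's code). It compares a sequential "is any blocklisted domain in this request?" scan against a single-pass multi-pattern automaton (Aho-Corasick, which is what ModSecurity's parallel-match operators are generally understood to use; treat that as an assumption about its internals). The 10K-entry domain list and the sample request line are constructed; the `ParallelMatcher` class, `linear_search` and `compare` functions are hypothetical names.

```python
import sys
import time
from collections import deque


class ParallelMatcher:
    """Aho-Corasick automaton: one pass over the input finds every pattern.

    Memory grows with the total number of trie nodes (one per distinct
    pattern prefix), not just with the number of entries; that is the
    extra RSS the thread is discussing.
    """

    def __init__(self, patterns):
        self.goto = [{}]        # node -> {char: next node}
        self.output = [set()]   # node -> indexes of patterns ending here
        self.fail = [0]         # node -> fallback node on mismatch
        for idx, pattern in enumerate(patterns):
            node = 0
            for ch in pattern:
                nxt = self.goto[node].get(ch)
                if nxt is None:
                    nxt = len(self.goto)
                    self.goto.append({})
                    self.output.append(set())
                    self.fail.append(0)
                    self.goto[node][ch] = nxt
                node = nxt
            self.output[node].add(idx)
        # Breadth-first pass builds failure links and merges outputs.
        queue = deque(self.goto[0].values())
        while queue:
            cur = queue.popleft()
            for ch, nxt in self.goto[cur].items():
                queue.append(nxt)
                f = self.fail[cur]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                self.output[nxt] |= self.output[self.fail[nxt]]

    def search(self, text):
        """Return the set of pattern indexes occurring anywhere in text."""
        node, hits = 0, set()
        for ch in text:
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            hits |= self.output[node]
        return hits

    def approx_bytes(self):
        # Rough footprint of the automaton's containers (Python objects).
        return (sum(sys.getsizeof(d) for d in self.goto)
                + sum(sys.getsizeof(s) for s in self.output)
                + sys.getsizeof(self.fail))


def linear_search(patterns, text):
    """The 'normal search': test every entry against the request in turn."""
    return {i for i, p in enumerate(patterns) if p in text}


def build_blocklist(n):
    # Constructed stand-in for a malware domain list with n entries.
    return [f"bad{i}.example" for i in range(n)]


def compare(n=10_000, probes=200):
    """Time both strategies on the same request and report memory proxies."""
    patterns = build_blocklist(n)
    # Constructed request line containing exactly one listed domain.
    request = "GET /?u=http://bad4242.example/x HTTP/1.1 Host: www.example"
    matcher = ParallelMatcher(patterns)

    t0 = time.perf_counter()
    for _ in range(probes):
        linear_hits = linear_search(patterns, request)
    linear_s = time.perf_counter() - t0

    t0 = time.perf_counter()
    for _ in range(probes):
        parallel_hits = matcher.search(request)
    parallel_s = time.perf_counter() - t0

    return {
        "linear_hits": linear_hits,
        "parallel_hits": parallel_hits,
        "linear_seconds": linear_s,
        "parallel_seconds": parallel_s,
        "list_bytes": sum(sys.getsizeof(p) for p in patterns),
        "automaton_bytes": matcher.approx_bytes(),
        "automaton_nodes": len(matcher.goto),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

The automaton's node count is several times the entry count and its byte footprint is an order of magnitude above the bare list, while the per-request cost no longer depends on how many entries the list has. Multiply that footprint by the number of prefork children and you get the per-process RSS growth described above; the knobs are therefore the list size and the number of child processes, not the rule itself.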
Re: Apache child processes not dying/timing out
Posted: Wed Dec 01, 2010 6:24 pm
by premierhosting
Running 2 GB of RAM on a VPS on top of a Xen hypervisor.
Re: Apache child processes not dying/timing out
Posted: Wed Dec 01, 2010 8:11 pm
by mikeshinn
You'll be fine then.
Re: Apache child processes not dying/timing out
Posted: Wed Dec 01, 2010 8:17 pm
by premierhosting
My loads have been pretty high. Seems that the 140-150 MB httpd is part of that issue.
Re: Apache child processes not dying/timing out
Posted: Wed Dec 01, 2010 8:45 pm
by mikeshinn
So with load, it's not the memory usage that will increase load on Linux (unless you are thrashing and don't have enough; that will increase load as you run into I/O bottlenecks). You should see your box doing more work; after all, you just added a WAF to the box itself and it's inspecting all that traffic for malicious activity and that is somewhat CPU intensive.
When you say your load went up, what was your CPU utilization before and after turning on the WAF?
Re: Apache child processes not dying/timing out
Posted: Wed Dec 01, 2010 9:27 pm
by premierhosting
Good question, I'll have to check into that.