nginx -t failing for higher number of domains about modsecurity-nginx HOT 7 CLOSED

modsecurity_rules_file is valid in the server context too (but the doc says to put it in location context).
I had put it in 2 locations per server. Now i removed it and put it outside location block (only once per server in this case )

Even now nginx -t is consuming a lot of time to finish. I guess it needs to loop through all the crs file for each server?.

Following is the time taken for 36 domains in a 2 GB KVM vps

# time nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

real	0m23.287s
user	0m22.147s
sys	0m0.863s

I am sure this will be almost on a very big scale for servers hosting 500+ domains.

from modsecurity-nginx.

Hi @AnoopAlias,

any reason why not to use the configuration in the global (http) section ?

from modsecurity-nginx.

@zimmerle - Ok putting this in the http context works. I was just following the docs which mention about putting the rules file in location context.

So I guess the best way to do this put

modsecurity on;
modsecurity_rules_file /etc/nginx/conf.d/zz_modsecurity.conf;

in the http context and for vhost's that dont need mod_sec put

modsecurity off;
in the server section
?

from modsecurity-nginx.

That would be a good idea :)

Tell me if you face any problems.

from modsecurity-nginx.

@zimmerle I have the same problem here. Stopped the groups, increased sh.min and sh.memmax in /etc/sysctl.conf but nginx does not start again. I use mosecurity on in the server { block, but not in http because I don't want modsec to be turned for all customers, every customer has a user.conf.

from modsecurity-nginx.

@intelbg - if you set modsecurity off; in the server {} context it dosnt work for the vhost ,so is fine.

from modsecurity-nginx.

@AnoopAlias the problem exists even if mod security directive is not present on the vhosts. I created another post for that - even when modsec does not work work for the vhosts , only compiled in the nginx binary it has memory allocation problems and servers loads on 150+ immediately after nginx configtest or restart. Without modsec there isn't a problems.

from modsecurity-nginx.