If the modsec backend fails the whole middleware goes down

[david-garcia-garcia]

I already experienced this in production, if the modsec instance is unable to keep up with the load, it will fail some requests, resulting in 502 errors under high load.

Or if for whatever reason the modsec service is down or temporarily unavailable, the whole middleware goes down. Too risky for something that is part of the critical path.

In this PR I'm proposing a new configuration setting UnhealthyWafBackOffPeriodSecs that will backoff from using the modsec ir a request fails to reach the modsec.

#19

Of course one can think that with this setting you can evade the WAF with some DDoS, and you can indeed. But I'd rather have that than the whole ingress down. And even in those situations there are other protection layers. Plus, it's Opt-in, default behaviour is what it was before (502 when waf is down).

[troyxmccall]

hey @david-garcia-garcia, thanks for this issue and PR, this is certainly something we want to address

do you have a rough idea of the traffic/load numbers that lead to modsec 502ing alongside the specs of your server? I'd like to do some of my own benchmarking.

additionally, have you also tried using replicas for that container, ie:

  owasp:
    deploy:
      replicas: 2 # Number of instances
    #container_name: "owasp"
    restart: always
    # apache image has a better tolerance for our apps than nginx
    image: owasp/modsecurity-crs:4.10.0-apache-alpine-202501270601
    labels:
      # TRAEFIK NEEDS TO BE ABLE TO ROUTE TO THE WAF YA DUMDUM
      - "traefik.enable=true"
    environment:
        #######################################################
        # PROXY
        #######################################################

        # owasp forwards to a blackhole, our middleware hijacks the request in traffic and passes it to the appropiate container if it passes modsecurity
        - BACKEND=http://blackhole
        #use our laravel error pages
        - PROXY_ERROR_OVERRIDE=off

        #############################################
        # CRS Variables
        #############################################
        # Paranoia Level
        - PARANOIA=1
        # Replaces PARANOIA as of CRS 4
        - BLOCKING_PARANOIA=1
        # Inbound and Outbound Anomaly Score Threshold
        - ANOMALY_INBOUND=5
        - ANOMALY_OUTBOUND=5
        # Executing Paranoia Level
        # - EXECUTING_PARANOIA=2
        #
        # Replaces EXECUTING_PARANOIA as of CRS 4
        # - DETECTION_PARANOIA=2
        #
        # New in CRS 4
        - REPORTING_LEVEL=2

        #######################################################
        # Various CRS Variables - commented out are default values
        #######################################################
        #- ENFORCE_BODYPROC_URLENCODED=1
        #- ALLOWED_METHODS=GET HEAD POST OPTIONS
        #- ALLOWED_REQUEST_CONTENT_TYPE=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain
        #- ALLOWED_REQUEST_CONTENT_TYPE_CHARSET=utf-8|iso-8859-1|iso-8859-15|windows-1252
        #- ALLOWED_HTTP_VERSIONS=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
        #- RESTRICTED_EXTENSIONS=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
        #- RESTRICTED_HEADERS=/proxy/ /lock-token/ /content-range/ /if/
        #- STATIC_EXTENSIONS=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/

        #######################################################
        # CRS Variables with Default Value unlimited
        #######################################################
        #- MAX_NUM_ARGS=255
        #- ARG_NAME_LENGTH=100
        #- ARG_LENGTH=400
        #- TOTAL_ARG_LENGTH=64000
        #- MAX_FILE_SIZE=1048576
        #- COMBINED_FILE_SIZES=1048576


        #######################################################
        # ModSecurity ENV Variables
        #######################################################

        - MODSEC_AUDIT_LOG_FORMAT=JSON
        - MODSEC_RULE_ENGINE=On

    networks:
      - traefik-public

[david-garcia-garcia]

@troyxmccall it should not be difficult to reproduce if you set TimeoutMillis to a very low limit, the lower you set it, the greater chance additional load that delays modsec responses will eventually reach the timeout. You can also push down the modsecurity pod CPU capacity with an arbitrarily low CPU limit (i.e. 10m) so that the pod gets throttled.

additionally, have you also tried using replicas for that container, ie:

I am doing load testing with only one replica and CPU limit set to 1000m and timeoutMillis at 500ms to stress the component.

Once this goes production it will autoscale with Keda/VPA/HPA and have replicas and HA, but scaling reaction times in K8S are pretty slow and the chance of a temporary modsecurity degradation/unavailability are there.

What I don't like about the implementation in the PR is the fact that a single failure will trigger the backoff.

[troyxmccall]

noting that I am still looking into this, it's been a crazy month

[david-garcia-garcia]

@troyxmccall any chance to get a review on this? Thanks!