Coraza/HAProxy returning 500(Internal Server Error) during stress test #167

Open
keilonX opened this issue Jan 17, 2025 · 1 comment

keilonX commented Jan 17, 2025

I'm building a WAF to sit in front of my project, hosting HAProxy and Coraza on Azure as container apps. During a stress test, where I send 50 concurrent requests to download a file (max 300KB file size) from the site, I get 500 errors returning after the first couple of OK responses. In the HAProxy logs, it shows "coraza-spoa - 1", but Coraza does not log any errors to the console. After increasing the vCPU and memory on Azure for each container to the max, the 500 errors go away.

Here are my directives from coraza-spoa.yaml

applications:
  #name is used as key to identify the directives
  - name: sample_app
    # Some example rules.
    # The built-in OWASP CRS rules are available in @owasp_crs/
    directives: |
      Include @coraza.conf-recommended
      Include @crs-setup.conf.example
      Include @owasp_crs/*.conf
      SecRuleEngine On
      SecDebugLog var/log/debug.log
      SecDebugLogLevel 3
    # HAProxy configured to send requests only, that means no cache required
    response_check: false
    # The transaction cache lifetime in milliseconds (60000ms = 60s)
    transaction_ttl_ms: 60000

These are my defaults:

log global
option httplog
option dontlognull
timeout client 1m
timeout server 1m
timeout connect 10s

And this is the 500 condition in my frontend https from haproxy.cfg

    # Deny in case of an error, when processing with the Coraza SPOA
    http-request deny deny_status 500 if { var(txn.coraza.error) -m int gt 0 }
    http-response deny deny_status 500 if { var(txn.coraza.error) -m int gt 0 }

I'm not getting an error message from the Coraza console logs, but HAProxy is showing that coraza-spoa has an error and is throwing the 500 response. Am I missing something in my config?

Contributor

fionera commented Jan 26, 2025

This happens because of memory limits. It has to buffer the whole request to analyze it. Check your memory usage while these errors appear.
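
One way to check memory while the errors appear, as an added example that is not part of the issue thread or of the coraza-spoa project: sample the container's cgroup v2 memory counters once a second during the stress test and report when the limit is being hit. It assumes cgroup v2 mounted at /sys/fs/cgroup and a Python interpreter inside the coraza-spoa container; the function names are hypothetical.

```python
"""Sample cgroup v2 memory counters of a container while a load test runs."""
import time
from pathlib import Path

CGROUP = Path("/sys/fs/cgroup")  # assumption: cgroup v2 at its usual mount point


def read_memory(cgroup=CGROUP):
    """Return current usage, the limit and the limit-related event counters."""
    cgroup = Path(cgroup)
    raw_max = (cgroup / "memory.max").read_text().strip()
    events = {}
    for line in (cgroup / "memory.events").read_text().splitlines():
        key, _, value = line.partition(" ")
        events[key] = int(value)
    return {
        "current": int((cgroup / "memory.current").read_text()),
        "limit": None if raw_max == "max" else int(raw_max),  # "max" = no limit
        "max": events.get("max", 0),            # times usage ran into the limit
        "oom": events.get("oom", 0),            # times the cgroup went out of memory
        "oom_kill": events.get("oom_kill", 0),  # processes killed by the OOM killer
    }


def pressure(before, after, threshold=0.9):
    """Compare two samples and list the signs that the memory limit was reached."""
    signs = []
    for counter in ("max", "oom", "oom_kill"):
        delta = after[counter] - before[counter]
        if delta > 0:
            signs.append(f"memory.events {counter} +{delta}")
    limit = after["limit"]
    if limit and after["current"] / limit >= threshold:
        signs.append(f"usage at {after['current'] / limit:.0%} of limit")
    return signs


if __name__ == "__main__":
    previous = read_memory()
    while True:  # run alongside the stress test, stop with Ctrl-C
        time.sleep(1)
        sample = read_memory()
        for sign in pressure(previous, sample):
            print(time.strftime("%H:%M:%S"), sign)
        previous = sample
```

Lines printed at the same timestamps as the 500 responses in the HAProxy log point to the container memory limit as the cause.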
