> On 04 Apr 2018, at 11:58, Christian Folini <chr...@ne...> wrote:
>
> Hello Andrei,
>
> On Wed, Apr 04, 2018 at 11:29:18AM +0300, Andrei Belov wrote:
>> I think that environment could be [relatively easily] extended to support
>> Apache + ModSec 2.x, in addition to nginx + ModSec 3.x, in order to simplify
>> "direct" comparison and provide reproducible, statistically significant results.
>
> Very cool. Thank you for sharing - and thanks for your contributions to
> ModSecurity, namely 3.0.1.
>
> The conceptual problem I see is that it's more than one variable here.
> Apache/ModSec2 vs. NGINX/ModSec3. I'm an Apache person, but when I stripped
> the two of ModSec and let the bare minimum installations serve static
> files, NGINX blew me away.
>
> So I kind of think that one would have to slow down NGINX to reach an Apache
> level and then in a 2nd step add ModSec again to be able to measure ModSec2 vs
> ModSec3.
>
> What is your take on this?

Well, ideally it would be awesome to have the following combos in [perf] tests:

a) Apache + ModSec 2.x + CRS 2.x
b) Apache + ModSec 3.x + CRS 3.x
c) nginx + ModSec 2.x + CRS 2.x
d) nginx + ModSec 3.x + CRS 3.x

(obviously, the CRS component could be optional when one is going to measure
"generic overhead")

However, I have limited knowledge on the following:

- has ModSec 3.x ever been targeted to support CRS < 3,
- is there a working Apache connector for ModSec 3.x.

Also, I'm not sure whether ModSec 2.x has its own benchmarks (not related to any connector).
If it does, then perhaps it would be good to compare "generic" ModSec 2.x
vs "generic" ModSec 3.x as well.

BTW, for those who are familiar with tools like gdb / perf / systemtap etc.,
there's the "debugenv" state in the vagrant env:

https://github.com/defanator/modsecurity-performance/blob/master/states/debugenv.sls

It could be useful for some deeper investigations.