Hello Andrei,
On Wed, Apr 04, 2018 at 02:14:12PM +0300, Andrei Belov wrote:
> Well, ideally it would be awesome to have the following combos in [perf] tests:
>
> a) Apache + ModSec 2.x + CRS 2.x
> b) Apache + ModSec 3.x + CRS 3.x
> c) nginx + ModSec 2.x + CRS 2.x
> d) nginx + ModSec 3.x + CRS 3.x
>
> (obviously, CRS component could be optional when one is going to measure
> "generic overhead")
I think CRS3 can serve as a general baseline to get a standard rule base.
As a CRS project lead, I hope people abandon CRS2 and move to CRS3, not
least because the performance is better due to the smaller rule set in the
default installation. The ModSecurity Handbook has the numbers on Apache /
ModSec 2.9.x.
Personally, I would not test CRS2 anymore.
> However, I have limited knowledge on the following:
> - has ModSec 3.x ever been targeted to support CRS < 3,
See above.
> - is there a working Apache connector for ModSec 3.x.
According to Felipe it is not ready for production.
> Also I'm not sure whether ModSec 2.x has its own benchmarks (not related to any connector).
> If it does, then perhaps it would be good to compare "generic" ModSec 2.x
> vs "generic" ModSec 3.x as well.
Yes, that would be cool. But from what I understand, ModSec 2.9.x is deeply
integrated into the webserver.
But I read from your proposal above that the real base to gauge
ModSec 2.9.x vs 3.0 would be to test on NGINX.
> BTW, for those who are familiar with tools like gdb / perf / systemtap etc,
> there's the "debugenv" state in vagrant env:
>
> https://github.com/defanator/modsecurity-performance/blob/master/states/debugenv.sls
Thanks.
Ahoj,
Christian
--
Money is always to be found when men are to be sent to the frontiers to be
destroyed: when the object is to preserve them, it is no longer so.
-- Voltaire