|
From: Jens S. <Jen...@t-...> - 2018-09-24 11:00:34
|
Hi Christian, > Hello highclass99, > > There are a lot of nginxes that could be removed from your setup but that's > not the question you are asking. > > I do not know anybody who runs ModSec on prefork Apache, the event MPM is > clearly the standard these days. For e.g. openSUSE seems to use per default the prefork MPM https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.apache2.html#sec.apache2.modules.mpm.prefork and shipped also mod_security as external module. And by the way, in a special case using a CGI bash script (I know that's not the best idea) I'm also using prefork Apache with ModSecurity v2 (since the ModSecurity v3 Apache connector is still beta). > With that being said, I do not have the > perf numbers. If you do compare them, please be sure to share. > > As for ModSec3 on NGINX: I think it's a lot less buggy than it used to be. > Performance and a few isolated missing features are an issue though. > > You may want to keep an eye on this meta issue: > https://github.com/SpiderLabs/ModSecurity/issues/1734 > > Good luck, > > Christian Regards Jens > On Mon, Sep 24, 2018 at 04:35:35PM +0900, highclass99 wrote: >> Hello, >> >> I run a >> nginx <-> static files >> nginx <-> apache modsecurity proxy <-> nginx <-> dynamic files(fastcgi) >> >> configuration. >> >> So, apache is only 100% for WAF. >> In this case my theory was that since apache modsecurity is probably not io >> bound but cpu bound, I set the apache MPM as prefork. >> This apache instance handles thousands of requests/sec. >> >> I could not find any good information on whether this is optimal >> performance wise. >> >> Performance wise is this a better choice than worker or event MPM, when >> considering the apache is 100% only modsecurity requests? >> >> Also, I used the above model because nginx modsecurity was too buggy in the >> past, I am considering using modsecurity 3 with nginx. In that case would >> it be optimal to increase nginx worker instances since modsecurity would >> probably be cpu bound? > > >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ > > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
