Thanks for the comment.
Of note, I am doing over 600 million pageviews (reference data: Google
Analytics, so probably more considering bots and ad blockers blocking
analytics) using the
"nginx <-> static files
nginx <-> apache modsecurity proxy <-> nginx <-> dynamic files (fastcgi)"
setup.
Regarding your comment "There are a lot of nginxes that could be removed
from your setup",
actually it is a single nginx instance.
What I figured works well is to receive the initial traffic at nginx, then
nginx sends only the dynamic traffic to the apache modsecurity proxy (which is
prefork at this time), and then apache connects to the same nginx again
to get the dynamic files.
It's a weird setup, but it has never caused problems yet.
I got the idea for the setup while reading that Cloudflare in the past
also used modsecurity with apache for their WAF before they patched nginx
with a modsecurity-compatible, lua-based nginx.
The reason I selected prefork is because I think modsecurity is CPU bound
in my setup, not IO bound like common static or proxying requests.
Therefore my theory was that it would actually be harmful if I used event
models.
On Mon, Sep 24, 2018 at 5:26 PM Christian Folini <
chr...@ne...> wrote:
> Hello highclass99,
>
> There are a lot of nginxes that could be removed from your setup but that's
> not the question you are asking.
>
> I do not know anybody who runs ModSec on prefork Apache, the event MPM is
> clearly the standard these days. With that being said, I do not have the
> perf numbers. If you do compare them, please be sure to share.
>
> As for ModSec3 on NGINX: I think it's a lot less buggy than it used to be.
> Performance and a few isolated missing features are an issue though.
>
> You may want to keep an eye on this meta issue:
> https://github.com/SpiderLabs/ModSecurity/issues/1734
>
> Good luck,
>
> Christian
>
>
> On Mon, Sep 24, 2018 at 04:35:35PM +0900, highclass99 wrote:
> > Hello,
> >
> > I run a
> > nginx <-> static files
> > nginx <-> apache modsecurity proxy <-> nginx <-> dynamic files(fastcgi)
> >
> > configuration.
> >
> > So, apache is only 100% for WAF.
> > In this case my theory was that since apache modsecurity is probably not io
> > bound but cpu bound, I set the apache MPM as prefork.
> > This apache instance handles thousands of requests/sec.
> >
> > I could not find any good information on whether this is optimal
> > performance wise.
> >
> > Performance wise is this a better choice than worker or event MPM, when
> > considering the apache is 100% only modsecurity requests?
> >
> > Also, I used the above model because nginx modsecurity was too buggy in the
> > past, I am considering using modsecurity 3 with nginx. In that case would
> > it be optimal to increase nginx worker instances since modsecurity would
> > probably be cpu bound?
>
>
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
>
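The loop described in this thread (one nginx instance acting as both the public front end and the FastCGI back end, with Apache + ModSecurity in between) can be sketched as follows. This is an added example, not the poster's configuration: the host name, ports, paths, static-file extension list and FastCGI socket are all assumptions.

```nginx
# Constructed sketch; every port, path and socket below is an assumption.
# Both server blocks live in the same nginx instance (http { } context).

# Hop 1: public listener. Static files are served directly; everything
# else goes to the Apache + ModSecurity proxy (assumed on 127.0.0.1:8080).
server {
    listen 80;
    server_name example.com;
    root /var/www/example;

    location ~* \.(?:css|js|png|jpg|gif|ico|svg|woff2)$ {
        try_files $uri =404;
    }

    location / {
        proxy_set_header Host $host;
        # Overwrite any client-supplied value so later hops can trust it.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://127.0.0.1:8080;
    }
}

# Hop 2 (not nginx): Apache with ModSecurity, reverse-proxying inspected
# requests to 127.0.0.1:8081. mod_proxy appends its own peer address
# (127.0.0.1) to X-Forwarded-For.

# Hop 3: internal listener. Bound to loopback only, so a request cannot
# reach the FastCGI application without passing through the WAF hop.
server {
    listen 127.0.0.1:8081;
    server_name example.com;
    root /var/www/example;

    # Needs ngx_http_realip_module. Restores the original client address
    # for logs and rate limits, skipping the trusted loopback hop.
    set_real_ip_from 127.0.0.1;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    location / {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/app-fastcgi.sock;
    }
}
```

Checking that nothing outside the host can connect to port 8081, and that Apache on 8080 is likewise loopback-only, confirms that the WAF hop cannot be bypassed.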