[mod-security-users] Performance woes - larger JSON payloads with CRS
From: Henri C. <he...@pr...> - 2021-04-25 20:15:55
Hi all,

I'm in a situation where the only solution seems to be to drop modsec/CRS and look at something like Cloudflare's WAF (and change our security model out of necessity). I'm hoping the esteemed membership of this list might have some thoughts.

I've got about 1MB of JSON; payloads in our app might run to 20 or even 30MB ultimately. This 1MB of somewhat nested JSON (7 or 8 levels deep) can take 40 seconds to process in modsec 3.0.4 with CRS 3.2.0. It takes 1 second to process in our API, so the WAF element is a 39x slowdown. I appreciate there'll be some delays in a WAF. Cloudflare's WAF takes 5 seconds to scan this payload, and that's my target.

Has anyone got any idea how to improve performance? Reading blog posts about the development of Cloudflare's WAF, I see that memoization of common function calls was one of their absolute best performance improvements over their modsec implementation (e.g. strlen(response_body) so it's only calculated once instead of once per rule, or contains('somestring', response_body)... you get the drift). Do we have anything like this in modsec today? Is that already in place and my 39 seconds is after that?

I appreciate that modsec is fast on its own and adding complex rules can be said to slow it down. With CRS being by far the most common use case for modsec (based on my googling), I'm surprised it's this slow; do you think I've missed something?

To note: I'm only scanning JSON payloads, typically much less than 0.5MB, but new, irregular ones that we need scanned in ideally <10 seconds that can range from 1MB-30MB.

Best regards,
Henri Cook
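The memoization idea raised in the post can be made concrete with a toy model. The following is an added example, not code from Henri, ModSecurity or CRS: a hypothetical rule evaluator in which every rule runs a transformation chain (named after t:urlDecode, t:lowercase and t:compressWhitespace, but written here from scratch) over every JSON leaf and then a regex. Without a cache, transformation cost scales as rules x leaves x chain length; caching the result of each chain prefix per value removes the rule multiplier, which is the kind of saving the post describes for strlen(response_body). The payload and rule ids are constructed. Regex matching itself is still done once per rule per leaf, so the counter below deliberately measures only transformations. ModSecurity 2.x documented an experimental SecCacheTransformations directive for this; whether libmodsecurity 3.0.4 does anything equivalent is not something the post or this example settles.

```python
import re
from urllib.parse import unquote

# Constructed sample payload (not from the thread): nested JSON with a few
# values that resemble what CRS rules search for.
SAMPLE_PAYLOAD = {
    "user": {"name": "Alice", "bio": "Hello   World"},
    "items": [
        {"sku": "A-1", "note": "%3Cscript%3Ealert(1)%3C/script%3E"},
        {"sku": "B-2", "note": "plain text"},
    ],
    "meta": {"tags": ["x", "y"], "depth": {"a": {"b": "1 OR 1=1"}}},
}

# Hypothetical transformations, named after CRS's t:urlDecode, t:lowercase
# and t:compressWhitespace but implemented here, not taken from ModSecurity.
TRANSFORMS = {
    "urldecode": unquote,
    "lowercase": str.lower,
    "compresswhitespace": lambda s: re.sub(r"\s+", " ", s),
}

# Hypothetical rules (ids are made up, not CRS ids). Each is a transformation
# chain followed by a regex, in the spirit of SecRule ARGS "@rx ..." "t:...".
RULES = [
    {"id": 1001, "transforms": ("urldecode", "lowercase"), "pattern": r"<script"},
    {"id": 1002, "transforms": ("urldecode", "lowercase"), "pattern": r"javascript:"},
    {"id": 1003, "transforms": ("urldecode", "lowercase", "compresswhitespace"),
     "pattern": r"\bor\s+1=1"},
    {"id": 1004, "transforms": ("lowercase",), "pattern": r"alert\("},
    {"id": 1005, "transforms": ("urldecode", "lowercase"), "pattern": r"onerror="},
]


def flatten_json(obj, prefix="json"):
    """Yield (name, value) for every scalar leaf, mirroring how a JSON body
    processor exposes nested members as ARGS:json.a.b.0.c."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten_json(val, f"{prefix}.{key}")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from flatten_json(val, f"{prefix}.{idx}")
    else:
        yield prefix, str(obj)


class RuleEngine:
    """Toy evaluator: every rule is applied to every leaf. With memoize=True
    the output of each chain prefix on each value is cached, so a given
    (prefix, value) pair is transformed once across all rules."""

    def __init__(self, rules, memoize):
        self.rules = [dict(r, rx=re.compile(r["pattern"])) for r in rules]
        self.memoize = memoize
        self.transform_calls = 0  # cost counter: one per transformation executed
        self._cache = {}

    def transform(self, chain, value):
        out = value
        for i, name in enumerate(chain):
            key = (chain[: i + 1], value)  # cache by chain prefix and input value
            if self.memoize and key in self._cache:
                out = self._cache[key]
                continue
            self.transform_calls += 1
            out = TRANSFORMS[name](out)
            if self.memoize:
                self._cache[key] = out
        return out

    def scan(self, payload):
        leaves = list(flatten_json(payload))
        hits = []
        for rule in self.rules:
            for name, value in leaves:
                if rule["rx"].search(self.transform(rule["transforms"], value)):
                    hits.append((rule["id"], name))
        return hits


def compare(payload=SAMPLE_PAYLOAD, rules=RULES):
    """Run the same rule set with and without the cache; return the cost of
    each and the (identical) list of matches."""
    naive = RuleEngine(rules, memoize=False)
    cached = RuleEngine(rules, memoize=True)
    naive_hits = naive.scan(payload)
    cached_hits = cached.scan(payload)
    assert naive_hits == cached_hits, "caching must not change results"
    return {
        "naive_calls": naive.transform_calls,
        "cached_calls": cached.transform_calls,
        "hits": naive_hits,
    }


if __name__ == "__main__":
    print(compare())
```

With the five constructed rules and nine leaves the uncached engine performs 90 transformations, the cached one 36, and both report the same three matches. The ratio grows with the number of rules sharing a chain, which is why a full CRS paranoia level over a deeply nested body is so sensitive to whether the engine re-transforms each argument per rule.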