[mod-security-users] Performance woes - larger JSON payloads with CRS
From: Henri C. <he...@pr...> - 2021-04-25 20:15:55
Hi all,
I'm in a situation where the only solution seems to be to drop modsec/CRS
and look at something like Cloudflare's WAF (and change our security model
out of necessity). I'm hoping the esteemed membership of this list might
have some thoughts.
I've got about 1MB of JSON; payloads in our app might run to 20 or even
30MB ultimately.
This 1MB of somewhat nested JSON (7 or 8 levels deep) can take 40 seconds
to process in mod sec 3.0.4 with CRS 3.2.0.
It takes 1 second to process in our API, so the WAF element is a 39x slowdown.
I appreciate there'll be some delays in a WAF. Cloudflare's WAF takes 5
seconds to scan this payload, and that's my target.
Has anyone got any idea how to improve performance? Reading blog posts
about the development of Cloudflare's WAF, I see that memoization of common
function calls was one of their absolute best performance improvements over
their modsec implementation (e.g. strlen(response_body) so it's only
calculated once instead of once per rule, or contains('somestring',
response_body)... you get the drift). Do we have anything like this in
modsec today? Is that already in place, and my 39 seconds is after that?
I appreciate that mod sec is fast on its own and adding complex rules can
be said to slow it down. With CRS being by far the most common use case for
mod sec (based on my googling), I'm surprised it's this slow. Do you think
I've missed something?
To note: I'm only scanning JSON payloads, typically much less than 0.5MB,
but new, irregular ones that we need scanned in ideally <10 seconds can
range from 1MB-30MB.
Best regards,
Henri Cook
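As an added illustration, not from the post and not ModSecurity's or CRS's own code, of why a large nested JSON body multiplies rule work and what the per-rule memoization Henri describes would save: a toy model that flattens JSON into ARGS-style entries and counts transformation calls across simulated rules with and without a per-value cache. The sample payload, the array naming, the rule count and the single transformation chain are constructed assumptions.

```python
import json
from urllib.parse import unquote

# Constructed sample standing in for the 1MB, 7-8 level payload in the post.
SAMPLE_JSON = json.dumps({
    "order": {"id": 42,
              "items": [{"sku": "a%20b", "qty": 2}, {"sku": "C", "qty": 1}],
              "ship": {"addr": {"city": "Oslo",
                                "geo": {"lat": "59.9", "lon": "10.7"}}}}
})

def flatten_json_args(obj, prefix="json"):
    """Expand parsed JSON into ARGS-style (name, value) pairs, roughly as a
    JSON body processor exposes them to rules under dotted 'json.' names.
    Arrays reuse the parent name here; that is a simplifying assumption."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten_json_args(v, f"{prefix}.{k}")
    elif isinstance(obj, list):
        for v in obj:
            yield from flatten_json_args(v, prefix)
    else:
        yield prefix, str(obj)

def sample_args():
    return list(flatten_json_args(json.loads(SAMPLE_JSON)))

# Stand-in for a CRS-style chain such as t:urlDecodeUni,t:lowercase.
TRANSFORM_CALLS = {"count": 0}

def transform(value):
    TRANSFORM_CALLS["count"] += 1
    return unquote(value).lower()

def run_rules(args, rule_count, memoize):
    """Simulate rule_count rules that each inspect every ARGS entry after the
    same transformation chain. Without memoization every rule re-transforms
    every value; with it each (name, value) is transformed exactly once.
    Returns (operator hits, transformation calls)."""
    TRANSFORM_CALLS["count"] = 0
    cache, hits = {}, 0
    for _ in range(rule_count):
        for name, value in args:
            if memoize:
                if (name, value) not in cache:
                    cache[(name, value)] = transform(value)
                t = cache[(name, value)]
            else:
                t = transform(value)
            if "a b" in t:  # stand-in for a rule's @rx / @pm operator
                hits += 1
    return hits, TRANSFORM_CALLS["count"]
```

With 200 rules over the 8 flattened entries, the uncached run performs 1600 transformations against 8 for the cached one; the operator still runs rules x args times either way, which is why body size and nesting depth dominate.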