Re: [mod-security-users] modsecurity Performance ?

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

> Has anyone applied modsecurity and observed performance ?

   I am using mod_security on many servers with no "visible"
   performance impact. Audit and debug logging are big bottlenecks,
   you have to be careful with them (there is no reason to use
   a debug log on a production server).

   I measured performance impact a while ago and it came to
   under 10%. In real-life, if you configure mod_security not to
   pay attention to static resources (images) the performance
   difference becomes very small as on a typical web site you
   get many accesses for static resources and only one access
   for a dynamic web page (which is where mod_security kicks in).

   I plan to do a comprehensive speed measurement again in the
   near future.

   There is another "problem", though. In order to be able to
   protect applications properly mod_security introduces full
   request buffering, keeping the whole request body in memory.
   This increases memory consumption, but there is no other way
   to do it. Increased memory consumption is only a problem for
   file upload. With Apache 1 you should turn mod_security off
   for pages where files are uploaded. Starting with 1.8 (soon),
   Apache 2 will not suffer from this problem; it will use a
   temporary file (after a certain memory limit) and will not
   use memory to store files in (it will still store complete
   request bodies for other types of requests).

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]