Francois Boulanger wrote:
> Hello list!
>
> I'm using mod_sec with Apache 1.3.33 and mod_security is a great
> product, but here the performance tradeoff is pretty bad.
> Our Apache server is a Sun Enterprise 450 equipped with 2 SPARC-II 400
> MHz processors, with 1 GB RAM and a few SCSI 10000 rpm drives (no RAID
> setup on the disk Apache is using). We're running Solaris 9.
>
> With mod_security disabled (in the httpd.conf file) the server is very
> responsive and CPU usage averages 21% with peaks up to 50%.
>
> With mod_security enabled, during peak hours the CPU is floored at 100%
> and our website is very slow to display, whether or not we are in the
> peak hours.
>
> System is not out of RAM, is not swapping or disk thrashing. Debug is
> disabled on mod_security.
>
> Our config file uses roughly a third of gotroot's rules for Apache 1.3...
And how many rules is that? Personally I don't believe ModSecurity
should be used with very large rule sets.
I have only used x86 architectures myself and Apache 2.x. ModSecurity
usually spends around 10 microseconds on a signature. Most of my
rule sets execute under 1 millisecond.
ModSecurity relies on the regular expression engine built into
Apache. There is very little overhead on top of that. I have heard
rumours the regular expression engine of Apache 1.3.x is slow (or
at least slower than PCRE from Apache 2.x).
Out of curiosity - why aren't you moving to Apache 2.x?
> Does anybody else have similar hardware, or similar performance issues? Any
> pointers to what I could look for?
If you have the time it would be nice if you could add some
bits of code to ModSecurity to benchmark it (using gettimeofday,
which returns values in microseconds).
>
> If someone thinks it might be a config file issue, I'll gladly sanitize
> my config file and post it here.
>
> Any input is greatly appreciated! Thanks!
Have you tried configuring ModSecurity not to work on static
resources, focusing on dynamic ones only?
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
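The gettimeofday() benchmarking Ivan suggests above, as an added stand-alone example (not code from this thread or from the ModSecurity project): it compiles a small set of constructed rule-style patterns with the POSIX regex API, which stands in here for the engine built into Apache 1.3, runs them against constructed request lines and reports the average microseconds spent per signature evaluation. Compilation is done once, outside the timed region, since a WAF compiles its rules at startup; the per-signature figure is what to compare against the ~10 microseconds mentioned in the reply.

```c
/* Added example: per-signature regex cost measured with gettimeofday().
 * Patterns and request lines are constructed for illustration only. */
#include <regex.h>
#include <stdio.h>
#include <sys/time.h>

/* Constructed rule-style patterns, standing in for a WAF signature set. */
static const char *signatures[] = {
    "union[[:space:]]+select",   /* SQL keyword pair */
    "<script",                   /* inline script tag */
    "\\.\\./",                   /* directory traversal sequence */
    "/etc/passwd"                /* sensitive file reference */
};
#define NSIG (sizeof(signatures) / sizeof(signatures[0]))

/* Wall-clock time in microseconds, the resolution gettimeofday() offers. */
static long long now_usec(void)
{
    struct timeval tv;
    gettimeofday(&tv, NULL);
    return (long long)tv.tv_sec * 1000000LL + tv.tv_usec;
}

/*
 * Runs every signature against `request` for `iterations` passes.
 * Returns the number of signatures that matched in one pass, or -1 if a
 * pattern failed to compile or iterations is not positive, and stores the
 * average microseconds spent per signature evaluation in *usec_per_sig.
 */
int bench_signatures(const char *request, int iterations, double *usec_per_sig)
{
    regex_t re[NSIG];
    size_t i;
    int iter;
    long long total_matches = 0;
    long long start, elapsed;

    if (iterations <= 0)
        return -1;

    /* Compile once; rule compilation happens at startup, so it is excluded. */
    for (i = 0; i < NSIG; i++) {
        if (regcomp(&re[i], signatures[i], REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0) {
            while (i > 0)
                regfree(&re[--i]);
            return -1;
        }
    }

    start = now_usec();
    for (iter = 0; iter < iterations; iter++)
        for (i = 0; i < NSIG; i++)
            if (regexec(&re[i], request, 0, NULL, 0) == 0)
                total_matches++;
    elapsed = now_usec() - start;

    for (i = 0; i < NSIG; i++)
        regfree(&re[i]);

    *usec_per_sig = (double)elapsed / ((double)iterations * (double)NSIG);
    /* Every pass matches the same signatures, so this is the per-pass count. */
    return (int)(total_matches / iterations);
}

int main(void)
{
    /* Constructed request lines: a plain static request, one that trips the
     * SQL pattern, and one that trips both traversal and file patterns. */
    const char *samples[] = {
        "GET /index.html HTTP/1.0",
        "GET /cgi-bin/search?q=1 union select 1 HTTP/1.0",
        "GET /../../etc/passwd HTTP/1.0"
    };
    size_t n;

    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        double us;
        int hits = bench_signatures(samples[n], 10000, &us);
        printf("%-50s hits=%d  %.3f us/signature\n", samples[n], hits, us);
    }
    return 0;
}
```

Multiplying the measured per-signature figure by the number of rules in the loaded set gives the per-request overhead to expect on the box in question; running the same harness with a pattern taken from a real rule file shows whether the slowdown comes from the engine or from a few expensive expressions.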