Re: [mod-security-users] Trying out "early blocking"
From: Andrew H. <and...@ow...> - 2025-06-19 13:48:17
Hi CM,

Early blocking mode can, in some scenarios, possibly save some CPU time and memory. (Was this your use case for early blocking? Or were you trying to achieve something else?)

Take an environment that is request body heavy (maybe an API service that is expecting lots of large JSON payloads or similar). If you can filter out and block a large number of requests early, in phase 1 (e.g. by inspecting the request headers), you may be able to avoid unnecessary body processing for requests that have *already* reached the inbound score threshold *before* the body processing stage. Better (maybe) to skip body parsing and processing entirely, as it is usually the heaviest part of request processing when body data is involved.

The documentation for early blocking mode contains this warning:

"Warning: If early blocking is not enabled, there’s a chance that the web server will interfere with the handling of a request between phases 1 and 2. Take the example where the Apache web server issues a redirect to a new location. With a request that violates CRS rules in phase 1, this may mean that the request has a higher anomaly score than the defined threshold but it gets redirected away before blocking evaluation happens."

That sounds like some of the behaviour you've described. (NB: I haven't had time right now to examine your audit log data so I cannot comment on that, sorry.)

Thanks,
Andrew
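The phase ordering described in the message above, as an added example that is not part of the original post and is not CRS or ModSecurity code: a simplified Python model of where blocking evaluation happens with and without early blocking. The header checks, scores, threshold and sample requests are constructed assumptions.

```python
import json

THRESHOLD = 5  # constructed inbound anomaly threshold for this model


def phase1_score(headers):
    """Header-only checks: constructed stand-ins for phase 1 rules."""
    score = 0
    if not headers.get("host"):
        score += 3
    if not headers.get("content-length", "0").isdigit():
        score += 5
    return score


def phase2_score(body, stats):
    """Body inspection: the expensive step that early blocking can skip."""
    stats["body_parsed"] = True
    doc = json.loads(body)
    return 5 if "<script" in json.dumps(doc).lower() else 0


def handle(headers, body, early_blocking, server_redirects=False):
    """Return (outcome, stats) for one request passing through the model."""
    stats = {"body_parsed": False}
    score = phase1_score(headers)
    # With early blocking, the score is evaluated at the end of phase 1.
    if early_blocking and score >= THRESHOLD:
        return "blocked in phase 1", stats
    # The web server may act between phases 1 and 2 (e.g. issue a redirect),
    # so the phase 2 blocking evaluation is never reached.
    if server_redirects:
        return "redirected, never evaluated", stats
    score += phase2_score(body, stats)
    if score >= THRESHOLD:
        return "blocked in phase 2", stats
    return "passed", stats


# Constructed sample requests.
BAD_HEADERS = {"host": "", "content-length": "abc"}  # phase 1 score 8
GOOD_HEADERS = {"host": "api.example.test", "content-length": "17"}
BODY = '{"note": "hello"}'

if __name__ == "__main__":
    for early in (True, False):
        for redirect in (False, True):
            print(early, redirect, handle(BAD_HEADERS, BODY, early, redirect))
```

In the model, the request that already exceeds the threshold on its headers is blocked without body parsing only when early blocking is on, and it is redirected away unevaluated only when early blocking is off.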