mod-security-users

[mod-security-users] ModSecurity cost in Nginx

[Wang X. <xia...@in...>]

Hi all,

I am testing ModSecurity with Nginx.

I downloaded open source rule-set owasp-modsecurity-crs at Github and fed a captured real http traffic into Nginx to see the overhead of ModSecurity within Nginx. But a total of less than 1% CPU cycles are spent on ModSecurity. Do you have any insights of the percentage of time spent on ModSecurity within Nginx based on your experience?

Thanks,
Xiang

Re: [mod-security-users] ModSecurity cost in Nginx

[Christian F. <chr...@ne...>]

Hello Xiang,

Little amounts of traffic won't get nginx to sweat, but the higher you go, the
larger percentage of CPU will be spent on ModSecurity. Nginx is a very lean
reverse proxy, but with ModSecurity on top, it gains significant overhead.

The best is probably to run a real stress test with locust or some other tool
and see how the server behaves. There are a lot of factors that play into
this.

I have come to see that ModSecurity 2.9 on Apache 2.4 is substantially faster
than ModSecurity 3 on Nginx.

Good luck!

Christian



On Tue, Sep 24, 2019 at 10:34:03PM -0400, Wang Xiang wrote:
> Hi all,
> 
> I am testing ModSecurity with Nginx.
> 
> I downloaded open source rule-set owasp-modsecurity-crs at Github and fed a captured real http traffic into Nginx to see the overhead of ModSecurity within Nginx. But a total of less than 1% CPU cycles are spent on ModSecurity. Do you have any insights of the percentage of time spent on ModSecurity within Nginx based on your experience?
> 
> Thanks,
> Xiang
> 
> 
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/