We've been sticking to Apache 1.3 because of time and budget constraints
(It's a pretty long story, it's actually more a political issue than a
technological one).
But this performance issue just might be the occasion to push for a
migration to 2.0. I'll compile with Apache 2.0 and do a few tests. If I have
enough time I'll add a few counters in the code to try to locate the
bottleneck (if there is one).
We're using roughly 250 rules; that doesn't sound to me as too much? However
the validations are system wide, that just might be the problem. Thanks for
the suggestion, I'll try to make mod_sec only monitor the requests that are
aimed to our app server and our perl pages.
I'll post my findings on the thread! Thanks Ivan.
Francois
On 11/8/05, Ivan Ristic <iv...@we... > wrote:
>
> Francois Boulanger wrote:
> > Hello list!
> >
> > I'm using mod_sec with Apache 1.3.33 and mod_security is a great
> > product, but here the performance tradeoff is pretty bad.
> > Our Apache server is a Sun Enterprise 450 equipped with 2 SPARC-II 400
> > MHz processors, with 1 GB RAM and a few SCSI 10000 rpm drives (no RAID
> > setup on the disk Apache is using). We're running Solaris 9.
> >
> > With mod_security disabled (in the httpd.conf file) the server is very
> > responsive and CPU usage averages 21% with peaks up to 50%.
> >
> > With mod_security enabled, during peak hours the CPU is floored at 100%
> > and our website is very slow to display, whether or not we are in the
> > peak hours.
> >
> > System is not out of RAM, is not swapping or disk thrashing. Debug is
> > disabled on mod_security.
> >
> > Our config file uses roughly a third of gotroot's rules for Apache 1.3...
>
> And how many rules is that? Personally I don't believe ModSecurity
> should be used with very large rule sets.
>
> I have only used x86 architectures myself and Apache 2.x. ModSecurity
> usually spends around 10 microseconds on a signature. Most of my
> rule sets execute under 1 millisecond.
>
> ModSecurity relies on the regular expression engine built into
> Apache. There is very little overhead on top of that. I have heard
> rumours the regular expression engine of Apache 1.3.x is slow (or
> at least slower than PCRE from Apache 2.x).
>
> Out of curiosity - why aren't you moving to Apache 2.x?
>
>
> > Does anybody else have similar hardware, or similar performance issues? Any
> > pointers to what I could look for?
>
> If you have the time it would be nice if you could add some
> bits of code to ModSecurity to benchmark it (using gettimeofday,
> which returns values in microseconds).
>
> >
> > If someone thinks it might be a config file issue, I'll gladly sanitize
> > my config file and post it here.
> >
> > Any input is greatly appreciated! Thanks!
>
> Have you tried configuring ModSecurity not to work on static
> resources, focusing on dynamic ones only?
>
> --
> Ivan Ristic
> Apache Security (O'Reilly) - http://www.apachesecurity.net
> Open source web application firewall - http://www.modsecurity.org
>
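Ivan's suggestion above is to wrap the rule-matching phase in gettimeofday() calls and report the cost per signature in microseconds. The program below is an added example illustrating that measurement technique; it is not code from this thread and not ModSecurity's own code. It uses POSIX `<regex.h>` in place of Apache's regex API, and the five patterns in `sample_rules` are constructed stand-ins for a real rule set (they are not gotroot's rules), so the numbers it prints show the method, not the module's actual overhead. The function and field names (`bench_rules`, `now_usec`, `struct bench_result`) are this example's own.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>

/* Constructed sample patterns standing in for a rule set (hypothetical,
   chosen only so that the benchmark has something to match against). */
static const char *sample_rules[] = {
    "\\.\\./",                 /* directory traversal */
    "union[[:space:]]+select", /* SQL keyword sequence */
    "<script",                 /* HTML script tag */
    "/etc/passwd",             /* well-known sensitive path */
    "%00"                      /* encoded NUL byte */
};
#define NRULES (sizeof(sample_rules) / sizeof(sample_rules[0]))

struct bench_result {
    int matches;          /* rules that matched the request (one pass) */
    long long total_usec; /* wall-clock time for all iterations, in microseconds */
    double usec_per_rule; /* average cost of one regexec() call */
};

/* Microsecond wall-clock timestamp via gettimeofday(), the call suggested
   in the thread; tv_usec is already in microseconds. */
static long long now_usec(void)
{
    struct timeval tv;
    gettimeofday(&tv, NULL);
    return (long long)tv.tv_sec * 1000000LL + (long long)tv.tv_usec;
}

/* Compile the rules once (the module does this at configuration time),
   then time only the per-request matching phase, repeated `iterations`
   times so that the elapsed time is large enough to be meaningful.
   Returns 0 on success, -1 if a pattern fails to compile. */
int bench_rules(const char *request, int iterations, struct bench_result *out)
{
    regex_t compiled[NRULES];
    size_t i;
    int iter, matches = 0;
    long long start, stop;

    if (iterations < 1)
        iterations = 1;

    for (i = 0; i < NRULES; i++) {
        if (regcomp(&compiled[i], sample_rules[i],
                    REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0) {
            while (i > 0)
                regfree(&compiled[--i]);
            return -1;
        }
    }

    start = now_usec();
    for (iter = 0; iter < iterations; iter++) {
        matches = 0;
        for (i = 0; i < NRULES; i++)
            if (regexec(&compiled[i], request, 0, NULL, 0) == 0)
                matches++;
    }
    stop = now_usec();

    for (i = 0; i < NRULES; i++)
        regfree(&compiled[i]);

    out->matches = matches;
    out->total_usec = stop - start;
    out->usec_per_rule = (double)(stop - start) / ((double)iterations * NRULES);
    return 0;
}

int main(void)
{
    /* Constructed request lines: one benign, one that trips two of the rules. */
    const char *requests[] = {
        "GET /index.html HTTP/1.0",
        "GET /cgi-bin/x?f=../../etc/passwd HTTP/1.0"
    };
    struct bench_result r;
    size_t k;

    for (k = 0; k < sizeof(requests) / sizeof(requests[0]); k++) {
        if (bench_rules(requests[k], 10000, &r) != 0) {
            fprintf(stderr, "pattern failed to compile\n");
            return EXIT_FAILURE;
        }
        printf("%-45s matches=%d total=%lld us  %.3f us/rule\n",
               requests[k], r.matches, r.total_usec, r.usec_per_rule);
    }
    return EXIT_SUCCESS;
}
```

Inside a module the same two timestamps would bracket the loop over the configured rules for one request, with the difference accumulated per rule to find the expensive signatures; the figure to compare against Ivan's 10 microseconds per signature is `usec_per_rule`.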