-
Notifications
You must be signed in to change notification settings - Fork 3
Home
Andrei Belov edited this page Mar 5, 2017
·
29 revisions
- nginx: 1.11.10
- ModSecurity: v3/dev/parser (8b8fd84)
- ModSecurity-nginx: v3/dev/parser (9f6d3a7)
- environment: 2-core VirtualBox VM on MBP A1502 (early 2015, 2-core i5 2.9GHz)
Summary for /modsec-off, RPS (count):
N Min Max Median Avg Stddev
x 10 39445.56 46228.25 44283.87 43476.616 2184.7312
latency (ms)
x 10 1.1 1.37 1.21 1.222 0.091627264
Summary for /modsec-light, RPS (count):
N Min Max Median Avg Stddev
x 10 8071.25 11953.68 10634.85 10374.126 1200.2281
latency (ms)
x 10 4.23 7.82 5 5.358 1.2109941
Summary for /modsec-full, RPS (count):
N Min Max Median Avg Stddev
x 10 238.8 259.02 246.88 247.418 5.9640549
latency (ms)
x 10 208.11 230.52 217.76 218.968 6.9131273
- nginx: 1.11.10
- ModSecurity: v3/master (3a41308)
- ModSecurity-nginx: master (134bd36)
- environment: 2-core VirtualBox VM on MBP A1502 (early 2015, 2-core i5 2.9GHz)
Summary for /modsec-off, RPS (count):
N Min Max Median Avg Stddev
x 10 38136.4 47561.79 44300.42 43351.954 2743.1755
latency (ms)
x 10 1.07 1.4 1.19 1.206 0.099911072
Summary for /modsec-light, RPS (count):
N Min Max Median Avg Stddev
x 10 10120.76 12979.9 12727.41 12290.594 891.67524
latency (ms)
x 10 3.88 5.02 3.98 4.128 0.34726871
Summary for /modsec-full, RPS (count):
N Min Max Median Avg Stddev
x 10 334.64 370.86 363.77 356.733 13.667706
latency (ms)
x 10 142.49 158.27 147.04 148.176 5.8598297
- nginx: 1.11.10
- ModSecurity: v3/dev/parser (8b8fd84)
- ModSecurity-nginx: v3/dev/parser (9f6d3a7)
- environment: 12-core KVM/libvirt VM on bare-metal server (Intel Xeon E5645 2.4GHz, 24 cores total)
- configuration details:
- nginx:
worker_processes 6; worker_cpu_affinity 111111000000;
- wrk:
taskset -c 0-5 wrk -t6 -c600 -d30s
(10 iterations)
Summary for /modsec-off, RPS (count):
N Min Max Median Avg Stddev
x 10 87538.41 97062.44 93506.49 92832.83 2717.0839
latency (ms)
x 10 6.22 6.88 6.49 6.508 0.21054427
Summary for /modsec-light, RPS (count):
N Min Max Median Avg Stddev
x 10 27984.07 31588.76 31013.95 30484.634 1151.9494
latency (ms)
x 10 18.98 21.57 20.06 20.01 0.81266366
Summary for /modsec-full, RPS (count):
N Min Max Median Avg Stddev
x 10 164.5 251.93 181.79 191.226 28.760167
latency (ms)
x 10 197.41 429.26 330.67 308.639 73.228166
The numbers for /modsec-off
and /modsec-light
with multi-worker nginx setup are significantly better than in single-worker mode, but /modsec-full
does not show any difference. In the process of investigation it turned out that disabling audit log (by setting SecAuditEngine Off
) greatly improves overall performance with OWASP CRS v3.0.0 loaded:
Summary for /modsec-full, RPS (count):
N Min Max Median Avg Stddev
x 10 577.99 864.63 854.69 823.902 87.17359
latency (ms)
x 10 633.42 730.81 646.95 654.834 28.487218
Further investigation showed that in case of SecAuditEngine RelevantOnly
only one CPU core (among the set of cores nginx is using according to worker_cpu_affinity
) is 100% busy:
With SecAuditEngine Off
, all cores that are being used by nginx are constantly busy: