Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Performance #262

Open
inssein opened this issue Mar 20, 2024 · 8 comments
Open

Performance #262

inssein opened this issue Mar 20, 2024 · 8 comments

Comments

@inssein
Copy link

inssein commented Mar 20, 2024

I am trialling this project out to see if its feasible for us, and so far I am running into some fairly large performance related challenges and I want to make sure I am not doing something silly.

When I have a very simple, single rule, I see a negligible performance impact:

SecRuleEngine On
SecRule REQUEST_HEADERS:User-Agent "@contains Fuzz" "id:100,phase:1,deny"

However, when I turn the default core rulesets on, I get almost a 5x hit on performance for our simple routes.

SecRuleEngine On
Include @crs-setup-conf
Include @owasp_crs/*.conf

I noticed I forgot to include either the demo or the recommended settings file first, which I will do next, but starting this thread anyways incase its something else.

@inssein
Copy link
Author

inssein commented Mar 21, 2024

To add a little bit more detail, the request looks like:

curl https://redacted-host/anything/performance-test \
  -H "Content-type: application/json" \
  -d '{"type": "MasterCard", "number": "2222630000001125", "name": "Name", "cvv": "118", "ccn": "10/23"}'

The config looks like this:

SecRuleEngine On
Include @demo-conf
Include @crs-setup-conf
Include @owasp_crs/*.conf

When running without the WAF, 50 requests over 5 connections look like:

Percentage of the requests served within a certain time (ms)
  50%    197
  66%    227
  75%    395
  80%    414
  90%    428
  95%    447
  98%    475
  99%    475
 100%    475 (longest request)

When running with the WAF, it looks like:

Percentage of the requests served within a certain time (ms)
  50%   1156
  66%   1158
  75%   1162
  80%   1174
  90%   1197
  95%   1438
  98%   1457
  99%   1457
 100%   1457 (longest request)

@jcchavezs
Copy link
Member

Hi @inssein , thanks for coming by.

There are a few things you can try out and see more acurate results.

  1. You can include the coraza recommended conf which sets limits.
  2. You can disable rules with the tag paranoia-level/2, paranoia-level/3 and paranoia-level/4.
  3. Evaluate if request/response body should be inspected.
  4. Tweak the content type you want to inspect for request/response body.

After that you can evaluate the performance hit and we can see what can we improve :).

@inssein
Copy link
Author

inssein commented Mar 21, 2024

@jcchavezs thanks for the pointers, will test out a few more things today. What's clear from this mornings testing is that requests with a POST body (json payload) are way slower.

@jcchavezs
Copy link
Member

Yes so inspecting a body is expensive so you better do that when needed.

@inssein
Copy link
Author

inssein commented Mar 21, 2024

Alright, so my config now looks like:

Include @recommended-conf
Include @crs-setup-conf
Include @owasp_crs/*.conf

SecRequestBodyLimitAction ProcessPartial
SecResponseBodyAccess Off
SecDebugLogLevel 2

SecRuleRemoveByTag paranoia-level/2
SecRuleRemoveByTag paranoia-level/3
SecRuleRemoveByTag paranoia-level/4

The performance is still over 5x worse, just from inspecting a small json request body.

@jcchavezs I hope that is the correct way of disabling rules by tag (SecRuleRemoveByTag), if you meant something else, let me know.

@inssein
Copy link
Author

inssein commented Mar 21, 2024

Also, do you know if we have benchmarked this project specifically? I can see that benchmarks exist for Coraza, but I am not sure if we are running up to issues with the wasm layer.

@guilinden
Copy link

@inssein Hello, I'm facing the same issues. Did you manage to figure out a way to optimize the performance of Coraza running as a WASM plugin? Or did you use something else as a WAF?

@inssein
Copy link
Author

inssein commented Sep 20, 2024

I couldn't get the performance we expected out of it, it's still running but for a very small subset of our requests.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants