Hi Alvaro,

On Mon, Jun 24, 2019 at 04:59:29PM +0200, Álvaro Cano Blanco wrote:
> 
> Recently, we (the Zevenet Team) integrated libmodsecurity 3.0.3 in Pound.
> So, if it is useful for anybody or somebody wants to try it, it is
> available in the GitHub Zevenet Pound repository:
> 
> https://github.com/zevenet/pound.


First, thanks for your great work. I reviewed your repository;
please let me make a quick summary.
 
> I regret I cannot add a patch only with the WAF code, but the Zevenet Pound
> code has diverged a lot from its original point. Other community patches
> have been applied and other developments too.
> 
> As brief information:
> * The ruleset directives are global for all HTTP/S listeners in a Pound
> process.

I think this is a big disadvantage compared to nginx and Apache
(yes, the Apache module is not production-ready yet).

libmodsecurity3's (aka ModSecurity3) great feature is that the
admin can remove or add extra rule(s) for each virtual host.

> * The "WafRule" directive is a file with the ModSecurity directives to
> execute. Several WafRule directives can be added to a pound config file.
> * The "WafBodySize" directive sets a limit for the body buffer. If the
> request body or response body is bigger than this value, the body will not
> be inspected. The 0 value does not set any limit.

I don't see the point; why did you choose these directives? Now
nginx and Apache support these directives:

modsecurity - enable or disable the engine
modsecurity_rules - inline ModSecurity rule(s)
modsecurity_rules_file - the ModSecurity3 configuration file,
    which can include many other files
modsecurity_rules_remote - most customers use external/remote
    rulesets (maybe the commercial rules)

It would be good to make Pound more compatible with other HTTP
servers, which also support libmodsecurity3.

I am also wondering about the WafBodySize keyword - ModSecurity has
its own directive, which controls this size:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secrequestbodylimit

There are so many warnings during the compilation. It would be
good to fix them.

The documentation is a bit poor - I played for about 20 minutes
until I found the correct syntax. Okay, I used Pound several
years ago :). The right syntax:

WafRule "/path/to/modsecurity_includes.conf"

About your measurement: I also made a comparison with the same
config for Pound and nginx. wrk didn't work for me, so I
checked with ab, with this command:

ab -c 20 -n 20 -t 10 "http://localhost/?a=pay%3D1+OR+2%2B";

Note that this query triggers a CRS rule from the collection I used.

Here is the Pound result:

Document Path:          /?a=pay%3D1+OR+2%2B
Document Length:        10701 bytes

Concurrency Level:      20
Time taken for tests:   10.257 seconds
Complete requests:      202
Failed requests:        0
Total transferred:      2219980 bytes
HTML transferred:       2161602 bytes
Requests per second:    19.69 [#/sec] (mean)
Time per request:       1015.525 [ms] (mean)
Time per request:       50.776 [ms] (mean, across all concurrent requests)
Transfer rate:          211.37 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    0   0.6      0       4
Processing:    94  945  78.2    959    1032
Waiting:       89  945  78.5    959    1032
Total:         94  946  78.0    959    1032

Percentage of the requests served within a certain time (ms)
  50%    959
  66%    969
  75%    975
  80%    981
  90%    993
  95%   1004
  98%   1014
  99%   1018
 100%   1032 (longest request)


and here is nginx:

Document Path:          /?a=pay%3D1+OR+2%2B
Document Length:        10701 bytes

Concurrency Level:      20
Time taken for tests:   8.772 seconds
Complete requests:      50000
Failed requests:        0
Total transferred:      547550000 bytes
HTML transferred:       535050000 bytes
Requests per second:    5700.28 [#/sec] (mean)
Time per request:       3.509 [ms] (mean)
Time per request:       0.175 [ms] (mean, across all concurrent requests)
Transfer rate:          60960.69 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    0   0.2      0       4
Processing:     1    3   2.5      3      38
Waiting:        0    3   2.5      3      38
Total:          1    3   2.5      3      38

Percentage of the requests served within a certain time (ms)
  50%      3
  66%      3
  75%      3
  80%      4
  90%      6
  95%      9
  98%     13
  99%     15
 100%     38 (longest request)


As you can see, nginx was much faster than Pound (but as I
see, Pound doesn't have its own logger; it sends the logs through
syslog, while nginx sends messages to its own log).

But it's true that Pound worked as a PROXY, while nginx is a
native HTTP daemon... I should reconfigure my environment for
a correct result... But if you have any ideas related to my
remarks above, please let me know!

And thanks again for your work!



a.
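To illustrate the per-virtual-host tuning the reply refers to, here is an added nginx configuration fragment. It is not part of the thread and not code from either the Pound or the ModSecurity-nginx project; it only uses the four connector directives listed above plus the ModSecurity directives SecRequestBodyLimit and SecRuleRemoveById. The file paths, host names, upstream address and the rule ID are assumed placeholders.

```nginx
# Added example: per-virtual-host ModSecurity3 tuning with the nginx connector.
# Paths, host names, the upstream and the rule ID are placeholders, not values
# taken from the thread.
http {
    # Global baseline: engine on, one shared rule set for every server block.
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;   # placeholder path

    # Alternative to a local file: fetch the rule set from a remote source.
    # modsecurity_rules_remote my-server-key https://rules.example.com/main.conf;

    server {
        listen 80;
        server_name shop.example.com;                      # placeholder

        # This vhost keeps the global rules and adds an inline directive,
        # the ModSecurity equivalent of a per-listener body-size limit.
        modsecurity_rules '
            SecRequestBodyLimit 1048576
        ';

        location /legacy-api/ {
            # Only in this location: drop a single noisy rule by ID
            # (placeholder ID) without touching the global rule file.
            modsecurity_rules '
                SecRuleRemoveById 999999
            ';
            proxy_pass http://127.0.0.1:8080;              # placeholder upstream
        }
    }

    server {
        listen 80;
        server_name static.example.com;                    # placeholder

        # Static content only: no request inspection on this vhost.
        modsecurity off;
        root /var/www/static;
    }
}
```

The three directives `modsecurity`, `modsecurity_rules` and `modsecurity_rules_file` are accepted in the http, server and location contexts, which is what makes the per-vhost and per-location overrides above possible; a Pound process with one global rule set has no equivalent scoping.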

