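This article covers concurrency benchmarks, run on CentOS, of Nginx built with ModSecurity 2.9.3 and with ModSecurity 3.0.4, to observe the performance overhead the WAF introduces.
Conclusion: if you want to run ModSecurity on Nginx, I personally recommend version 2.9.3.
Updated conclusion (20220114): do not use ModSecurity V2 with Nginx. V2 has compatibility problems with Nginx, and the official team has stated clearly that it will not fix them.
Test environment:
1. Two virtual machines with identical specs: 2 CPU cores, 1 GB RAM, 20 GB disk;
2. The VM at 192.168.142.134 runs Nginx + ModSecurity 2.9.3, and the VM at 192.168.142.136 runs Nginx + ModSecurity 3.0.4;
3. Nginx is a minimal, plain installation with no performance tuning, and the test requests a static HTML page directly. Installation followed exactly the tutorials "Nginx + ModSecurity (2.9.3) on CentOS: installation tutorial and WAF rule file configuration" and "Nginx + ModSecurity (3.0.x) on CentOS: installation tutorial and WAF rule file configuration";
4. Three scenarios were tested: WAF disabled, WAF enabled with all rules configured, and WAF enabled with non-essential rules removed;
5. Each test used a concurrency of 100 and 10000 total requests (ab -c 100 -n 10000 URL); each scenario was run 10 times and the best result was taken.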
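The measurement procedure above as a script, added here as an example and not taken from the original post: it repeats the ab run, keeps the best "Requests per second" value, and computes the throughput lost against the no-WAF baseline. The function names and the sample report are constructed for illustration. A run is rejected if ab reports failed or non-2xx responses, since a WAF that blocks the benchmark requests would otherwise be measured on its block path.

```shell
#!/bin/sh
# best_rps: read one or more concatenated ab reports on stdin and print the
# highest mean "Requests per second". Fails (prints nothing) if no report
# was seen, or if any run had failed requests or non-2xx responses.
best_rps() {
    awk '
        /^Failed requests:/     { if ($3 + 0 > 0) bad = 1 }
        /^Non-2xx responses:/   { if ($3 + 0 > 0) bad = 1 }
        /^Requests per second:/ { seen = 1; if ($4 + 0 > best) best = $4 + 0 }
        END {
            if (!seen || bad) exit 1
            printf "%.2f\n", best
        }'
}

# overhead_pct BASELINE_QPS WAF_QPS: percentage of throughput lost with the WAF on.
overhead_pct() {
    awk -v base="$1" -v waf="$2" 'BEGIN {
        if (base + 0 <= 0) exit 1
        printf "%.1f\n", (base - waf) / base * 100
    }'
}

# run_bench URL [RUNS]: the procedure from the list above (default 10 runs).
# Usage: run_bench http://192.168.142.134/
run_bench() {
    url=$1; runs=${2:-10}; i=0
    while [ "$i" -lt "$runs" ]; do
        ab -c 100 -n 10000 "$url" || break
        i=$((i + 1))
    done | best_rps
}

# Constructed, abbreviated ab reports (three runs) for trying best_rps offline.
sample_reports() {
    cat <<'EOF'
Failed requests:        0
Requests per second:    1011.30 [#/sec] (mean)
Failed requests:        0
Requests per second:    1092.41 [#/sec] (mean)
Failed requests:        0
Requests per second:    998.76 [#/sec] (mean)
EOF
}
```

Applied to the best results reported below, overhead_pct gives a throughput loss of 73.9% for ModSecurity 2.9.3 (4190.11 to 1092.41 QPS) and 89.6% for ModSecurity 3.0.4 (4024.15 to 419.95 QPS) with all rules enabled.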
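Test results with the WAF disabled
With the WAF disabled, the 192.168.142.134 VM peaked at 4190.11 QPS and the 192.168.142.136 VM peaked at 4024.15 QPS, so the two are roughly on par.
Detailed test data for the 192.168.142.134 VM: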
Server Software:        nginx/1.16.1
Server Hostname:        192.168.142.134
Server Port:            80
Document Path:          /
Document Length:        612 bytes
Concurrency Level:      100
Time taken for tests:   2.387 seconds
Complete requests:      10000
Failed requests:        0
Write errors:           0
Total transferred:      8450000 bytes
HTML transferred:       6120000 bytes
Requests per second:    4190.11 [#/sec] (mean)
Time per request:       23.866 [ms] (mean)
Time per request:       0.239 [ms] (mean, across all concurrent requests)
Transfer rate:          3457.66 [Kbytes/sec] received
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    0   0.4      0       3
Processing:     1   23   3.7     24      36
Waiting:        1   16   5.0     16      34
Total:          1   24   3.7     24      36
Percentage of the requests served within a certain time (ms)
  50%     24
  66%     26
  75%     27
  80%     27
  90%     27
  95%     29
  98%     31
  99%     33
 100%     36 (longest request)
Detailed test data for the 192.168.142.136 VM:
Server Software:        nginx/1.16.1
Server Hostname:        192.168.142.136
Server Port:            80
Document Path:          /
Document Length:        612 bytes
Concurrency Level:      100
Time taken for tests:   2.485 seconds
Complete requests:      10000
Failed requests:        0
Write errors:           0
Total transferred:      8450000 bytes
HTML transferred:       6120000 bytes
Requests per second:    4024.15 [#/sec] (mean)
Time per request:       24.850 [ms] (mean)
Time per request:       0.248 [ms] (mean, across all concurrent requests)
Transfer rate:          3320.71 [Kbytes/sec] received
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    0   0.5      0       3
Processing:     1   24   4.7     24      39
Waiting:        0   17   6.1     17      36
Total:          1   25   4.7     24      39
Percentage of the requests served within a certain time (ms)
  50%     24
  66%     26
  75%     28
  80%     29
  90%     31
  95%     33
  98%     35
  99%     36
 100%     39 (longest request)
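Test results with the WAF enabled and all rules configured
With the WAF enabled and all rules configured, the 192.168.142.134 VM (Nginx + ModSecurity 2.9.3) peaked at 1092.41 QPS and the 192.168.142.136 VM (Nginx + ModSecurity 3.0.4) peaked at 419.95 QPS, a clear difference.
Detailed test data for the 192.168.142.134 VM (Nginx + ModSecurity 2.9.3):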
Server Software:        nginx/1.16.1
Server Hostname:        192.168.142.134
Server Port:            80
Document Path:          /
Document Length:        612 bytes
Concurrency Level:      100
Time taken for tests:   9.154 seconds
Complete requests:      10000
Failed requests:        0
Write errors:           0
Total transferred:      8450000 bytes
HTML transferred:       6120000 bytes
Requests per second:    1092.41 [#/sec] (mean)
Time per request:       91.541 [ms] (mean)
Time per request:       0.915 [ms] (mean, across all concurrent requests)
Transfer rate:          901.45 [Kbytes/sec] received
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    1   1.0      1      17
Processing:    15   90  15.6     88     176
Waiting:        1   62  26.3     64     155
Total:         16   91  15.6     89     176
Percentage of the requests served within a certain time (ms)
  50%     89
  66%     93
  75%     97
  80%     99
  90%    110
  95%    118
  98%    137
  99%    140
 100%    176 (longest request)
Detailed test data for the 192.168.142.136 VM (Nginx + ModSecurity 3.0.4):
Server Software:        nginx/1.16.1
Server Hostname:        192.168.142.136
Server Port:            80
Document Path:          /
Document Length:        612 bytes
Concurrency Level:      100
Time taken for tests:   23.812 seconds
Complete requests:      10000
Failed requests:        0
Write errors:           0
Total transferred:      8450000 bytes
HTML transferred:       6120000 bytes
Requests per second:    419.95 [#/sec] (mean)
Time per request:       238.123 [ms] (mean)
Time per request:       2.381 [ms] (mean, across all concurrent requests)
Transfer rate:          346.54 [Kbytes/sec] received
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    1   1.5      1      17
Processing:   130  235  15.0    237     287
Waiting:       23  233  19.3    237     287
Total:        131  236  14.9    239     289
Percentage of the requests served within a certain time (ms)
  50%    239
  66%    241
  75%    242
  80%    243
  90%    246
  95%    249
  98%    257
  99%    261
 100%    289 (longest request)
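Test results with the WAF enabled and non-essential rules removed
After deleting rule files 903.*, 934, 944, 952 and 954, the 192.168.142.134 VM (Nginx + ModSecurity 2.9.3) peaked at 1264.68 QPS, slightly higher than with all rules enabled; the 192.168.142.136 VM (Nginx + ModSecurity 3.0.4) peaked at 418.37 QPS, with no improvement at all.
Detailed test data for the 192.168.142.134 VM (Nginx + ModSecurity 2.9.3):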
Server Software:        nginx/1.16.1
Server Hostname:        192.168.142.134
Server Port:            80
Document Path:          /
Document Length:        612 bytes
Concurrency Level:      100
Time taken for tests:   7.907 seconds
Complete requests:      10000
Failed requests:        0
Write errors:           0
Total transferred:      8450000 bytes
HTML transferred:       6120000 bytes
Requests per second:    1264.68 [#/sec] (mean)
Time per request:       79.071 [ms] (mean)
Time per request:       0.791 [ms] (mean, across all concurrent requests)
Transfer rate:          1043.61 [Kbytes/sec] received
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    1   0.9      1      19
Processing:    28   78  15.8     76     140
Waiting:        2   57  22.2     60     134
Total:         28   78  15.9     77     141
Percentage of the requests served within a certain time (ms)
  50%     77
  66%     81
  75%     84
  80%     87
  90%     99
  95%    108
  98%    121
  99%    131
 100%    141 (longest request)
Detailed test data for the 192.168.142.136 VM (Nginx + ModSecurity 3.0.4):
Server Software:        nginx/1.16.1
Server Hostname:        192.168.142.136
Server Port:            80
Document Path:          /
Document Length:        612 bytes
Concurrency Level:      100
Time taken for tests:   23.902 seconds
Complete requests:      10000
Failed requests:        0
Write errors:           0
Total transferred:      8450000 bytes
HTML transferred:       6120000 bytes
Requests per second:    418.37 [#/sec] (mean)
Time per request:       239.022 [ms] (mean)
Time per request:       2.390 [ms] (mean, across all concurrent requests)
Transfer rate:          345.24 [Kbytes/sec] received
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    1   1.3      1      17
Processing:   138  235  24.1    233     406
Waiting:        2  229  38.1    232     405
Total:        139  237  24.0    234     407
Percentage of the requests served within a certain time (ms)
  50%    234
  66%    237
  75%    239
  80%    241
  90%    247
  95%    266
  98%    312
  99%    342
 100%    407 (longest request)