Atomic Secure Linux
 Post subject: Disable mod_security filter by Location for performance
Unread postPosted: Thu Mar 22, 2012 1:13 pm 
New Forum User

Joined: Tue Nov 15, 2011 10:57 am
Posts: 3
Location: Columbus, OH
I'm load testing our ASL config prior to going into production with it. Our IIS server that sits behind the ASL reverse proxy can serve about 3500 images a sec using jMeter. With ASL in front, that dropped to about 700/sec. I removed a few apache filters that we weren't using (no php, etc.) and enabled mod_cache. With mod_cache doing its thing, the ASL instance can max out my 3 jMeter clients at 7000/sec total without breaking a sweat. However, when I add a bunch of headers (cookies, etc.) to the jMeter requests, mod_security takes up a ton of resources and I'm back to the ~700/sec figure with ASL using 90% cpu.

So, while I really want/need mod_security for the dynamic parts of the proxied website, I'd like to disable mod_security by <Location> or <LocationMatch>. I was playing around with those directives and just couldn't seem to get the throughput up. So, I tried just doing "SecRuleEngine off" in /etc/httpd/modsecurity.d/tortix_waf.conf and using SecDebugLogLevel 4 just to watch and see whether mod_security was still doing stuff (just for clarification, I'm not running SecDebugLogLevel 4 for these benchmarks cited here, just when doing request-by-request experiments).

Sure enough, the mod_security module still seems to be interacting with requests (the requests are logged in SecDebugLog), although the rules aren't being processed. The only way that I've been able to get around that is by taking the 00_modsecurity.conf file out of /etc/httpd/conf.d/ entirely (in which case I'm back up to ~2000/sec with a single jMeter client).

I can use a rule like this:

SecRule REQUEST_URI "\.(jpg|gif|png|css)$" "nolog,phase:1,pass,ctl:ruleEngine=off"

to stop the rule engine, but the audit logs still show mod_security running to inspect headers, etc., and the performance overhead remains (although it's a little less at 1200 req/sec). I know the rule engine is, in fact, disabled because I can make requests that are normally denied by mod_security and they're allowed through with the rule in place.

I'm guessing that I'm missing something here - can you please tell me the proper way (if there is a way) to disable the rules engine at a low level so that mod_security doesn't get involved *at all* with certain requests/locations? I know one way to tackle this would be to set up another proxy in front of ASL that would cache/proxy static content and pass the dynamic requests through ASL. Still, this adds complexity and I'd like to avoid it.

Thanks!
Phil

PS. What would be really, really nice would be to disable the mod_security filter for anything being served directly from mod_proxy cache.
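The two scoping approaches discussed in the post above, written out as an added example (this is not the poster's configuration and not the rule set that ASL ships). The vhost name, the backend address, the /static/ path and the rule id are assumptions.

```apache
# Added example, not from the original post or from ASL's own config files.
# Goal: keep the full rule set on the dynamic parts of the proxied site,
# while requests for static content skip rule processing.
# ServerName, the backend address, /static/ and the rule id are assumed.

<VirtualHost *:80>
    ServerName www.example.com            # assumed
    ProxyPass        / http://10.0.0.5/   # assumed IIS backend
    ProxyPassReverse / http://10.0.0.5/

    # Rule engine stays on for everything by default.
    SecRuleEngine On

    # Option 1: a phase-1 ctl rule, as in the post. Matching on
    # REQUEST_FILENAME (the path without the query string) rather than
    # REQUEST_URI keeps a cache-buster such as /logo.png?v=3 from defeating
    # the "$" anchor. The id is a constructed placeholder.
    SecRule REQUEST_FILENAME "\.(?:jpg|gif|png|css|js)$" \
        "id:900100,phase:1,pass,nolog,ctl:ruleEngine=Off"

    # Option 2: a per-path container. SecRuleEngine is accepted in
    # location context, so requests under /static/ are never evaluated
    # against the rules at all.
    <Location /static/>
        SecRuleEngine Off
    </Location>
</VirtualHost>
```

Both forms only stop rule evaluation: as the post observes, the module's filters still attach to the request and the debug/audit logs still record it, so throughput does not return to the no-module figure. Whichever path or extension pattern is excluded is served unfiltered, so keep the pattern narrow and make sure the backend cannot execute anything that lands under it (an upload directory, for instance); note also the staff reply's caveat that LocationMatch is not supported by mod_proxy, which is why Option 2 uses a plain Location container.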


 Post subject: Re: Disable mod_security filter by Location for performance
Unread postPosted: Thu Mar 22, 2012 2:20 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA
Proxying to other servers is not supported with ASL licenses:

https://www.atomicorp.com/wiki/index.ph ... e_Proxying

If you want to set up a proxy please contact us for a proxy license.

With that said, if you want to do this yourself, please know that you have to do a number of other things to make proxying work correctly; for example, LocationMatch is not supported by Apache's mod_proxy. You have to account for the application on the back end, and set up additional rules for possible impedance mismatches; phases are different and you have to account for that with some of the rule families, etc.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

