Add performance audit document for ModSecurity v3#41
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
This reverts commit 4f7b7c61a40ea4d4ecdc6bdf938fd0dd8d69819e.
|
@Easton97-Jens Thanks for your thorough analysis! Would you mind elaborating your findings on the regex overhead? In particular, I would be interested in your methodology, i.e. how you came up with the 45–70% CPU share in the worst case? Would you mind sharing the traces/ruleset that you used? I tried to reproduce your results but found that the regex engine scales fairly well and only makes up around 15% of the run time, even for pathological cases. Your help would be very much appreciated :) Cheers, |
|
Thanks for checking this and trying to reproduce it. You are right to ask for the methodology here. The 45–70% figure was generated as a code-focused/heuristic worst-case estimate rather than from a reproducible benchmark run with attached traces. I do not currently have perf traces or a concrete ruleset/payload matrix that supports that exact range. |
|
@Easton97-Jens Thanks for the quick reply! I think if we want to be super thorough we could adapt |
|
Thanks, Laurin — that makes sense. I agree that adapting "test/benchmark/benchmark.cc" to support varying input messages would be a better way to validate this properly. Your observation is also important: if overall performance drops under PL=2 / large match-limit scenarios while regex still scales reasonably, then the audit should not assume regex is the main culprit. I’ll update the benchmark direction accordingly and treat the actual bottleneck as an open measurement question. I’ll also make sure the audit wording reflects that regex is only one candidate area to validate, not a proven dominant overhead. |
|
Brilliant, I keep you posted if I find anything out :) |
Motivation
Description
doc/performance_audit_modsecurity_2026-04-03.mdwhich contains a technical analysis of the request lifecycle, rule-evaluation hot paths (RulesSet::evaluate,RuleWithOperator::evaluate), parsing (URL-encoded/JSON/XML/multipart), regex/operator costs, collection locking behavior and a prioritized list of optimization opportunities; this change only adds documentation and does not modify runtime code.Testing
git status --short,git rev-parse --short HEAD, andgit show --stat --oneline -1.Codex Task