Hi Jakub,

> We have nginx+modsecurity on AWS ECS with 1 vCPU and 2 GB RAM, and we are experiencing long processing times with a JSON payload of 10 000 keys. My first guess is that the HW is not enough. What are you running on?

For a moment, let's ignore the problem with the massive JSON payloads...
Is this a dev/testing WAF machine? If it is then fine, you can stop
reading here :)
Otherwise, regardless of the JSON question, those specs are
fundamentally insufficient for real-world use as a WAF (unless you
have many small 1 vCPU machines clustered together, which is certainly
an option.)
If this machine is, or is going to be, a standalone production WAF
then you should seriously bump up those specifications. I work for a
ModSecurity + CRS integrator and we advise our customers, to have
a reliable WAF box in a busy production environment, to use a VM with
4 vCPUs and 16 GB of RAM. You could probably halve those numbers,
though, as long as you keep an eye on CPU and memory load.
Also, is the box handling TLS termination or are you handling HTTP
traffic only? If your machine is stripping the TLS then that will
further increase the load and you'll need to take that into account.
I hope that's useful.
Thanks,
Andrew
--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 /
+44 (0)330 380 1064