We wanted to know how ModSecurity impacts server performance, so we tested ModSecurity implementations on HTTP/2 from LiteSpeed, nginx, and Apache, to see how they would compare under a variety of conditions, and using either Comodo or OWASP rulesets.
In order to conduct these tests in all fairness, we set up each web server with the most curent, popular and sensible setup available on the market. See "Test Environment" below for more information. We followed the methodology laid out on http2benchmark.org, which means our results are verifiable and repeatable. For the full details of our ModSecurity testing, including our goals and testing strategy, please see ModSecurity Performance Comparison: Apache, nginx, LiteSpeed on our blog.
Dynamic PHP File Benchmark
Overview
When loading a Dynamic PHP file with ModSecurity enabled, LiteSpeed Enterprise beats nginx by up to 13X, while Apache loses to LiteSpeed Enterprise by nearly 6X!
Summary
h2load -n 1000 -c 10 -t 1 -T 5 -m 10 -H 'Accept-Encoding: gzip,deflate' https://benchmark.com/hello.php
| Server | No WAF | WAF with OWASP | WAF with Comodo |
|---|---|---|---|
| Litespeed Enterprise v5.4.2 | 11685 | 5824 | 4698 |
| OpenLitespeed v1.6.4 | 8997 | 806 | 403 |
| Nginx v1.17.6 | 8941 | 439 | 351 |
| Apache v2.4.41 | 2618 | 1021 | 968 |
LiteSpeed Enterprise performs 13X faster than nginx and 6X faster than Apache with ModSecurity enabled when loading Dynamic PHP files.
Static HTML File Benchmark
Overview
When loading a Static HTML file with ModSecurity enabled, LiteSpeed Enterprise beats nginx by a remarkable 179X with Comodo rules! Apache loses to LiteSpeed Enterprise by over 33X.
Summary
h2load -n 1000 -c 10 -t 1 -T 5 -m 10 -H 'Accept-Encoding: gzip,deflate' https://benchmark.com/1kstatic.html
| Server | No WAF | WAF with OWASP | WAF with Comodo |
|---|---|---|---|
| Litespeed Enterprise v5.4.2 | 66321 | 61511 | 66573 |
| OpenLitespeed v1.6.4 | 52562 | 46694 | 40753 |
| Nginx v1.17.6 | 24263 | 497 | 371 |
| Apache v2.4.41 | 5200 | 1259 | 1967 |
LiteSpeed Enterprise performs more than 123X faster than nginx and more than 33X faster than Apache with ModSecurity enabled when loading Static HTML.
Cached WordPress Front Page File Benchmark
Overview
For caching purposes, Apache was paired with W3Total Cache, nginx with FastCGI, and both LiteSpeed servers with LSCache.
When loading a Cached WordPress Front Page with ModSecurity enabled, LiteSpeed Enterprise beats nginx by an exceptional 220X with Comodo rules! Apache loses to LiteSpeed Enterprise by over 74X.
Summary
h2load -n 1000 -c 10 -t 1 -T 5 -m 10 -H 'Accept-Encoding: gzip,deflate' https://wordpress.benchmark.com/
| Server | No WAF | WAF with OWASP | WAF with Comodo |
|---|---|---|---|
| Litespeed Enterprise v5.4.2 | 37929 | 38248 | 41020 |
| OpenLitespeed v1.6.4 | 14980 | 15030 | 15649 |
| Nginx v1.17.6 | 5410 | 267 | 186 |
| Apache v2.4.41 | 808 | 515 | 521 |
LiteSpeed Enterprise performs over 143X faster than nginx and 74X faster than Apache with ModSecurity enabled when loading Cached WordPress.
Test Environment
-
Server Tested:
- LiteSpeed Enterprise v5.4.2
- OpenLiteSpeed v1.6.4
- Nginx v1.17.6 + Nginx ModSecurity connector v1.0.1
- Apache v2.4.41
-
ModSecurity Rulesets Tested:
- OWASP ModSecurity Core Rule Set
- Comodo
-
Server/Client Machine:
- Memory Size: 1GB
- CPU number: 1
- CPU Threads: 1
- CPU Model: 3.8Ghz 6th Generation
- Disk: NVMe SSD
-
ModSecurity Setup:
- LiteSpeed Enterprise: LiteSpeed Enterprise + Internal ModeSecurity Engine
- OpenLiteSpeed: OpenLiteSpeed + ModSecurity engine v3.0.4
- Nginx: Nginx + Nginx ModSecurity connector + ModSecurity engine v3.0.3
- Apache: Apache + ModSecurity engine v2.9.2
-
Cloud VM:
- Vultr High Frequency Compute 1GB VM
-
Network:
- Traffic: 10 Gbits/sec