ModSecurity Performance Benchmark
2019-12-03 19:13:23

ModSecurity has an impact on server performance, but to what extent? We tested ModSecurity performance in Apache, nginx, and LiteSpeed using both Comodo and OWASP WAF rules. See the benchmark tests for static and dynamic content, and WordPress.

ModSecurity Engine Benchmark Comparison

With static content, dynamic PHP, or cached WordPress, LiteSpeed dramatically outperforms nginx and Apache across the board when ModSecurity is enabled.

We wanted to know how ModSecurity impacts server performance, so we tested ModSecurity implementations on HTTP/2 from LiteSpeed, nginx, and Apache, to see how they would compare under a variety of conditions, and using either Comodo or OWASP rulesets.

To keep these tests fair, we set up each web server with the most current, popular and sensible setup available on the market. See "Test Environment" below for more information. We followed the methodology laid out on http2benchmark.org, which means our results are verifiable and repeatable. For the full details of our ModSecurity testing, including our goals and testing strategy, please see ModSecurity Performance Comparison: Apache, nginx, LiteSpeed on our blog.

Dynamic PHP File Benchmark

Overview

When loading a Dynamic PHP file with ModSecurity enabled, LiteSpeed Enterprise beats nginx by up to 13X, while Apache loses to LiteSpeed Enterprise by nearly 6X!

Summary

HTTP/2 Test Results
h2load -n 1000 -c 10 -t 1 -T 5 -m 10 -H 'Accept-Encoding: gzip,deflate' https://benchmark.com/hello.php
| Server | No WAF | WAF with OWASP | WAF with Comodo |
|---|---|---|---|
| LiteSpeed Enterprise v5.4.2 | 11685 | 5824 | 4698 |
| OpenLiteSpeed v1.6.4 | 8997 | 806 | 403 |
| Nginx v1.17.6 | 8941 | 439 | 351 |
| Apache v2.4.41 | 2618 | 1021 | 968 |

LiteSpeed Enterprise performs 13X faster than nginx and 6X faster than Apache with ModSecurity enabled when loading Dynamic PHP files.


Static HTML File Benchmark

Overview

When loading a Static HTML file with ModSecurity enabled, LiteSpeed Enterprise beats nginx by a remarkable 179X with Comodo rules! Apache loses to LiteSpeed Enterprise by over 33X.

Summary

HTTP/2 Test Results
h2load -n 1000 -c 10 -t 1 -T 5 -m 10 -H 'Accept-Encoding: gzip,deflate' https://benchmark.com/1kstatic.html
| Server | No WAF | WAF with OWASP | WAF with Comodo |
|---|---|---|---|
| LiteSpeed Enterprise v5.4.2 | 66321 | 61511 | 66573 |
| OpenLiteSpeed v1.6.4 | 52562 | 46694 | 40753 |
| Nginx v1.17.6 | 24263 | 497 | 371 |
| Apache v2.4.41 | 5200 | 1259 | 1967 |

LiteSpeed Enterprise performs more than 123X faster than nginx and more than 33X faster than Apache with ModSecurity enabled when loading Static HTML.


Cached WordPress Front Page File Benchmark

Overview

For caching purposes, Apache was paired with W3 Total Cache, nginx with FastCGI, and both LiteSpeed servers with LSCache.

When loading a Cached WordPress Front Page with ModSecurity enabled, LiteSpeed Enterprise beats nginx by an exceptional 220X with Comodo rules! Apache loses to LiteSpeed Enterprise by over 74X.

Summary

HTTP/2 Test Results
h2load -n 1000 -c 10 -t 1 -T 5 -m 10 -H 'Accept-Encoding: gzip,deflate' https://wordpress.benchmark.com/
| Server | No WAF | WAF with OWASP | WAF with Comodo |
|---|---|---|---|
| LiteSpeed Enterprise v5.4.2 | 37929 | 38248 | 41020 |
| OpenLiteSpeed v1.6.4 | 14980 | 15030 | 15649 |
| Nginx v1.17.6 | 5410 | 267 | 186 |
| Apache v2.4.41 | 808 | 515 | 521 |

LiteSpeed Enterprise performs over 143X faster than nginx and 74X faster than Apache with ModSecurity enabled when loading Cached WordPress.


Test Environment

  • Servers Tested:

    • LiteSpeed Enterprise v5.4.2
    • OpenLiteSpeed v1.6.4
    • Nginx v1.17.6 + Nginx ModSecurity connector v1.0.1
    • Apache v2.4.41
  • ModSecurity Rulesets Tested:

    • OWASP ModSecurity Core Rule Set
    • Comodo
  • Server/Client Machine:

    • Memory Size: 1GB
    • CPU number: 1
    • CPU Threads: 1
    • CPU Model: 3.8GHz 6th Generation
    • Disk: NVMe SSD
  • ModSecurity Setup:

    • LiteSpeed Enterprise: LiteSpeed Enterprise + Internal ModSecurity Engine
    • OpenLiteSpeed: OpenLiteSpeed + ModSecurity engine v3.0.4
    • Nginx: Nginx + Nginx ModSecurity connector + ModSecurity engine v3.0.3
    • Apache: Apache + ModSecurity engine v2.9.2
  • Cloud VM:

    • Vultr High Frequency Compute 1GB VM
  • Network:

    • Traffic: 10 Gbits/sec