Re: performance hit in using too many if's

Robert Paprocki
September 26, 2016 01:18PM
On Mon, Sep 26, 2016 at 4:28 AM, Anoop Alias <anoopalias01@gmail.com> wrote:

> Ok .. reiterating my original question.
>
> Is the usage of if / map in nginx config more efficient than say naxsi (
> or libmodsecurity ) for something like blocking SQL injection ?
>

Strictly speaking, and barring performance costs of the regexes themselves,
using only if/map directives in place of a full-featured WAF would likely
be less expensive, because any decent WAF will do more than just a
single regular expression. That doesn't make this a better solution, though.


> For example, https://github.com/nbs-system/naxsi/blob/master/nax
> si_config/naxsi_core.rules
> rules 1000-1099 - blocks sql injection attempt
>
> So ..do (to a limited extent )
>
> ## Block SQL injections
> set $block_sql_injections 0;
> if ($query_string ~ "union.*select.*\(") {
> set $block_sql_injections 1;
> ............
>

Using multiple .* patterns like this is pretty bad form. It doesn't lead to
_catastrophic_ backtracking, but there are certainly much smarter and
cheaper ways to accomplish this, particularly with larger input sets.

Beyond this, checking like this doesn't allow you to examine request body
data or arbitrary headers, which seems like a very poor approach.

.....................
> if ($block_file_injections = 1) {
> return 403;
> }
>
>
Using a simple return 403 here, without any logging or debug/audit
information, could make it very very difficult to track down false
positives and issues with your user base.



> From the point of application performance which one is better .. ?
> Performance for a shared hosting server with around 500 vhosts.
>

This smells very much like premature optimization. If you are truly
concerned with securing this many sites, adopting a more full-featured solution
should be the goal. If you are truly this focused on squeezing out every
bit of performance possible, using such a large hammer with generic
regexes and hundreds of if/map blocks seems like the wrong road to take.

There is a reason that there is no good community solution for a WAF
replacement in vanilla Nginx config syntax. It's simply not a good idea.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
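The points raised above (chained `.*` in the pattern, `return 403` with no audit trail) can be shown side by side in config. The following is an added example written for this archive, not config from the thread or from naxsi: it restates the quoted `if` check as a `map` with one tighter pattern and logs every block with a rule id. The variable names, the rule id string, the log path and the upstream address are assumptions chosen for illustration.

```nginx
# Added example, not part of the original post. Names, paths and the
# rule id below are illustrative assumptions.

http {
    # One regex, evaluated once per request the first time $sqli_rule is
    # read. "\bunion\s+(all\s+)?select\b" has no chained ".*" (each ".*"
    # is an independent backtracking point) and is also more specific:
    # it requires the whitespace that actually separates the keywords.
    map $query_string $sqli_rule {
        default                                  "";
        "~*\bunion\s+(all\s+)?select\b"          "sqli-union-select";
    }

    # Dedicated audit format so blocked requests can be reviewed for
    # false positives without grepping the main access log.
    log_format waf_audit '$remote_addr [$time_local] "$request" '
                         'rule=$sqli_rule ua="$http_user_agent"';

    server {
        listen 80;
        server_name example.test;   # assumed hostname

        # The quoted approach, kept here only for comparison: one regex
        # per if, an intermediate flag, a bare 403 and no record of why.
        #
        #   set $block_sql_injections 0;
        #   if ($query_string ~ "union.*select.*\(") {
        #       set $block_sql_injections 1;
        #   }
        #   if ($block_sql_injections = 1) {
        #       return 403;
        #   }

        location / {
            # "return" is one of the few directives that is safe inside
            # "if" in location context. The map result doubles as the
            # condition and as the rule id written to the audit log.
            if ($sqli_rule != "") {
                return 403;
            }

            # The "if=" parameter (nginx 1.7.0+) writes an entry only when
            # $sqli_rule is non-empty, i.e. only for blocked requests.
            access_log /var/log/nginx/waf_audit.log waf_audit if=$sqli_rule;

            proxy_pass http://127.0.0.1:8080;   # assumed upstream
        }
    }
}
```

Two caveats worth checking before relying on something like this: `$query_string` is the raw, still URL-encoded query, so `union%20select` does not match `\s+` and a real WAF's normalisation step is doing work this config does not; and the check still sees nothing of the request body or of arbitrary headers, which is the limitation the reply above points out.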