ModSecurity (WAF) – File upload is extremely slow

Published on Author gryzliLeave a comment

Is your file upload extremely slow after activating ModSecurity or some rule ?

If you happen to experience extremely slow file uploads after activating some ModSecurity rules, there is one thing you should definetely check.

 

Recently I was trying to use the following directive:

SecStreamInBodyInspection On

 

in order to give me access to STREAM_INPUT_BODY, variable which is suggested by ModSecurity documentation as a faster option for matching upon request_body or request_headers.

Suddenly I started to receive complaints about POST file upload being extremely slow. After an hour of debugging it seemed that exactly this directive “SecStreamInBodyInspection On” was causing the slow down.

After ┬ásome tests I’ve made by myself it showed more then 20x times slower uploads combined with 100% CPU usage by the Apache worker, which was handling the upload.

I’m not sure if this is a bug or a planed behavior, but whatever it is, IT IS BAD !

Conclusion

If you happen to experience extreme upload slowdown after recently activating some mod_security rule or the module itself, then go and revise all of your ModSecurity configuration files, and search for one of these:

SecStreamInBodyInspection On

OR

ctl:SecStreamInBodyInspection=On placed inside a SecRule section

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Captcha * Time limit is exhausted. Please reload CAPTCHA.