Difference between revisions of "Atomicorp WAF Rules Troubleshooting"
(Created page with ''''Site loads slowly when the rules are loaded''' There can be a number of reasons for this. Below is a list of the more common issues: 1. RBL rules are activated, but there iā¦') |
m |
||
| Line 5: | Line 5: | ||
1. RBL rules are activated, but there is no local DNS server on the system | 1. RBL rules are activated, but there is no local DNS server on the system | ||
| ā | Check to see if you have the RBL rules loaded. These rules use Real Time Blacklists distributed via DNS. This means that for every connection to your system, a DNS lookup is done against the blacklist to see if the source IP is listed. If you do not have a local DNS server, this can take a very long time depending on how busy the DNS server is that you are communicating with, and because the request is not cached your system is asking the DNS server the same question several times in a row. This is because of the way HTTP works. A typical user request may need to open 100 or more connections to your site, and each time a DNS request is made to the RBL. | + | Check to see if you have the RBL rules loaded. These are the "00_asl_rbl.conf" rule files. |
| + | |||
| + | These rules use Real Time Blacklists distributed via DNS. This means that for every connection to your system, a DNS lookup is done against the blacklist to see if the source IP is listed. If you do not have a local DNS server, this can take a very long time depending on how busy the DNS server is that you are communicating with, and because the request is not cached your system is asking the DNS server the same question several times in a row. This is because of the way HTTP works. A typical user request may need to open 100 or more connections to your site, and each time a DNS request is made to the RBL. | ||
The simple fast solution is to make sure you are running a local DNS server on your system and that it caches requestys. That way your RBL lookups are only to your local system, and if it already has the answer it will not have to ask the RBLs DNS server across the Internet. The difference in performance is night and day with a local DNS server, so we highly recommend you use on if you are going to use any RBL with any product. | The simple fast solution is to make sure you are running a local DNS server on your system and that it caches requestys. That way your RBL lookups are only to your local system, and if it already has the answer it will not have to ask the RBLs DNS server across the Internet. The difference in performance is night and day with a local DNS server, so we highly recommend you use on if you are going to use any RBL with any product. | ||
| Line 16: | Line 18: | ||
If you are using custom rules, try disabling them. If a rule is written in an inefficient manner it can kill performance on the system. | If you are using custom rules, try disabling them. If a rule is written in an inefficient manner it can kill performance on the system. | ||
| + | |||
| + | 4. Rules are loaded twice | ||
| + | |||
| + | If you have setup modsecurity yourself, check to make sure you arent loading the rules more than once. One several cpanel installations we've seen cases where users inadvertently setup modsecurity to load the same rules twice, and in one case a user set them up to load three times. Apache is a literal animal, if you load the same rule twice it will process that same rule twice, doubling the work on the system! And because our rules use advanced branching logic, if you load them multiple times that can have a very adverse effect on performance as the branching tree logic won't work correctly and you lose our on all the performance benefits a modern ruleset provides. | ||
Revision as of 19:16, 16 October 2011
Site loads slowly when the rules are loaded
There can be a number of reasons for this. Below is a list of the more common issues:
1. RBL rules are activated, but there is no local DNS server on the system
Check to see if you have the RBL rules loaded. These are the "00_asl_rbl.conf" rule files.
These rules use Real Time Blacklists distributed via DNS. This means that for every connection to your system, a DNS lookup is done against the blacklist to see if the source IP is listed. If you do not have a local DNS server, this can take a very long time depending on how busy the DNS server is that you are communicating with, and because the request is not cached your system is asking the DNS server the same question several times in a row. This is because of the way HTTP works. A typical user request may need to open 100 or more connections to your site, and each time a DNS request is made to the RBL.
The simple fast solution is to make sure you are running a local DNS server on your system and that it caches requestys. That way your RBL lookups are only to your local system, and if it already has the answer it will not have to ask the RBLs DNS server across the Internet. The difference in performance is night and day with a local DNS server, so we highly recommend you use on if you are going to use any RBL with any product.
2. The system is low on resources
As with any piece of software, the WAF will consume some resources on the system. If the system is short on resources the WAF has to compete with other parts of the system for those resources. Check to make sure you do not have any process that is using up RAM or cycles on the system.
3. Custom rules may be inefficient
If you are using custom rules, try disabling them. If a rule is written in an inefficient manner it can kill performance on the system.
4. Rules are loaded twice
If you have setup modsecurity yourself, check to make sure you arent loading the rules more than once. One several cpanel installations we've seen cases where users inadvertently setup modsecurity to load the same rules twice, and in one case a user set them up to load three times. Apache is a literal animal, if you load the same rule twice it will process that same rule twice, doubling the work on the system! And because our rules use advanced branching logic, if you load them multiple times that can have a very adverse effect on performance as the branching tree logic won't work correctly and you lose our on all the performance benefits a modern ruleset provides.
