-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use v3/dev/performance of ModSecurity because of performance #1996
Conversation
Hey @aledbf - any chance of merging this? |
In fact, do NOT merge this. Just found it doesn't work :'(
ModSecurity is turning out to be a bloody nightmare. |
@Stono I need to test manually because the tests do not cover the nginx docker image. At the end of the day, I will test this and the brotli rollback publishing an image in quay repo for testing. |
@Stono merging this does not update the image the nginx ingress controller will use. |
@aledbf yeah that's me testing locally, and rebuilding the nginx base image - as you can see it doesn't work :'( so i wouldn't bother with this PR for now. Sorry. |
@aledbf I cracked it! I have a fully enabled WAF now which isn't user impacting! I'd really suggest testing and merging this quickly as the current build of modsecurity is crippling. |
modsecurity-crs to deal with performance problems
/assign @aledbf |
If mod_security |
@pieterlange i see your point however modsecurity with ingress-nginx in its current state is unusable. I would event suggest you rolling back to a main release <= 3.0.0 of modsecurity than stay where you are. And also as it stood each build of the image was just pulling in the latest master anyway |
@Stono please test |
sure, can do. What changes have you made in that build (so i know what i'm looking for?) |
@aledbf no problem, leave it with me and i'll get back to you shortly. |
Hi dude,
|
Update:
And this is me running
|
@Stono sorry about that. Use |
@aledbf that worked a treat, i can confirm modsec is working beautifully without any performance degradation :-) |
@Stono lets wait for the feedback on the brotli issue until the end of the day, if there's no feedback I will just merge this PR |
Sure thing, and no problem. We're going to be making very heavy use of this ingress controller so you'll be hearing a lot more from me! |
@Stono this is the diff: diff --git a/Makefile b/Makefile
index fa895736..617b4f13 100644
--- a/Makefile
+++ b/Makefile
@@ -50,7 +50,7 @@ IMAGE = $(REGISTRY)/$(IMGNAME)
MULTI_ARCH_IMG = $(IMAGE)-$(ARCH)
# Set default base image dynamically for each arch
-BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):0.32
+BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):0.33
ifeq ($(ARCH),arm)
QEMUARCH=arm
diff --git a/images/nginx/Makefile b/images/nginx/Makefile
index e6f2f2f8..15c39ddf 100644
--- a/images/nginx/Makefile
+++ b/images/nginx/Makefile
@@ -13,7 +13,7 @@
# limitations under the License.
# 0.0.0 shouldn't clobber any released builds
-TAG ?= 0.32
+TAG ?= 0.33
REGISTRY ?= quay.io/kubernetes-ingress-controller
ARCH ?= $(shell go env GOARCH)
DOCKER ?= gcloud docker --
diff --git a/images/nginx/build.sh b/images/nginx/build.sh
index f4d44c06..4669079e 100755
--- a/images/nginx/build.sh
+++ b/images/nginx/build.sh
@@ -181,8 +181,8 @@ make install
# Get Brotli source and deps
cd "$BUILD_PATH"
-git clone --depth=1 https://github.com/eustas/ngx_brotli.git
-cd ngx_brotli
+git clone --depth=1 https://github.com/google/ngx_brotli.git
+cd ngx_brotli
git submodule init
git submodule update |
@aledbf just pushed, sorry for the delay! |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aledbf, Stono The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
@Stono thanks! |
Merging this broke building for me because as it bumped the TAG to a version that hasn't been uploaded yet for arm: NVM, I think this PR will actually fix the problem if someone pushes the image. #2019 is what broke it for me actually. |
@kinghrothgar I am checking why the image is not published |
Fixes: #1995
fixes #1958