3

I installed ModSecurity on a web server running IIS 8.5, and noticed the response time has increased 15 times (0.15 ms/request vs. 2.2 ms/request), even with SecEngine set to off. It seems that IIS is running in single-threaded mode when ModSecurity is installed, because the IIS Worker Process only uses around 15% of CPU with ModSecurity, but it can use up to 95% of CPU without it.

I'm using the conf file from the CSR installed by ModSecurity. Am I missing some configurations?

Jim

1 Answer

2

I've managed to confirm your observations (and mine) by looking into the code of the ModSecurity IIS module, on GitHub.

I found that the code inside CMyHttpModule::OnSendResponse, CMyHttpModule::OnPostEndRequest and CMyHttpModule::OnBeginRequest is wrapped inside

EnterCriticalSection(&m_csLock); 
...
LeaveCriticalSection(&m_csLock);

That, coupled with the singleton approach of CMyHttpModuleFactory::GetHttpModule() and the fact that m_csLock is a variable of CMyHttpModule only initialized in its constructor (called only once, because it uses the same instance for all requests), means that all the requests which arrive on different threads are put on hold and executed one by one.

I've also created a ticket for this issue on the ModSecurity project page, on GitHub.

Mihai Caracostea
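The serialization described in the answer above can be reproduced with a small portable model. This is an added example, not code from the ModSecurity project or from the answer's author: `std::mutex` stands in for the Win32 `CRITICAL_SECTION` (`m_csLock`), and `SharedModule`, `run_requests` and the 20 ms of simulated work are assumptions made for illustration.

```cpp
// Added illustration: one shared module instance whose handler holds a single lock.
// std::mutex models m_csLock; all class and function names here are hypothetical.
#include <atomic>
#include <chrono>
#include <cstdio>
#include <mutex>
#include <thread>
#include <vector>

class SharedModule {                      // same instance serves every request
public:
    explicit SharedModule(bool global_lock) : global_lock_(global_lock) {}
    void OnBeginRequest() {
        std::unique_lock<std::mutex> guard(lock_, std::defer_lock);
        if (global_lock_) guard.lock();   // models EnterCriticalSection(&m_csLock)
        int now = ++in_flight_;           // requests currently inside the handler
        int seen = peak_.load();
        while (now > seen && !peak_.compare_exchange_weak(seen, now)) {}
        std::this_thread::sleep_for(std::chrono::milliseconds(20)); // simulated work
        --in_flight_;
    }                                     // guard releases: LeaveCriticalSection
    int peak() const { return peak_.load(); }
private:
    bool global_lock_;
    std::mutex lock_;
    std::atomic<int> in_flight_{0};
    std::atomic<int> peak_{0};
};

struct Result { int peak; long long ms; };

// Send `workers` concurrent requests through one module; report the highest number
// of requests seen inside the handler at once and the total wall-clock time.
Result run_requests(bool global_lock, int workers) {
    SharedModule module(global_lock);
    auto start = std::chrono::steady_clock::now();
    std::vector<std::thread> pool;
    for (int i = 0; i < workers; ++i)
        pool.emplace_back([&module] { module.OnBeginRequest(); });
    for (auto& t : pool) t.join();
    auto took = std::chrono::steady_clock::now() - start;
    return { module.peak(),
             std::chrono::duration_cast<std::chrono::milliseconds>(took).count() };
}

int main() {
    Result locked = run_requests(true, 8), unlocked = run_requests(false, 8);
    std::printf("shared lock: peak=%d, %lld ms\n", locked.peak, locked.ms);
    std::printf("no lock:     peak=%d, %lld ms\n", unlocked.peak, unlocked.ms);
}
```

With the shared lock, wall-clock time grows linearly with the number of concurrent requests while only one thread does work, which matches the low CPU utilization reported in the question.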