test(coraza): add middleware performance benchmarks #2007

Open
gofurry wants to merge 3 commits into gofiber:main from gofurry:pr/coraza-performance-baseline

gofurry (Contributor) commented Jun 11, 2026

This PR adds reproducible benchmarks for the Coraza middleware hot path.

Benchmarks added

  • Plain Fiber GET baseline
  • Coraza middleware without external rules
  • Simple query rule allow/block cases
  • Request body rule allow/block cases
  • 64KB request body case
  • Many-headers case
  • Fiber-to-net/http adapter benchmarks
  • processRequest benchmarks from *http.Request
  • Direct Coraza transaction lower-bound benchmarks
  • Default metrics collector serial/parallel benchmarks

Sample local results

Environment:

  • OS: Windows
  • Arch: amd64
  • CPU: AMD Ryzen 7 5800H with Radeon Graphics
  • Command:
```
go test -run '^$' -bench 'Benchmark(Fiber|Coraza|Convert|Process|DefaultMetrics)' -benchmem -count 1
```

| Benchmark | ns/op | B/op | allocs/op |
|---|---|---|---|
| BenchmarkFiberBaseline_GET | 12,293 | 6,149 | 26 |
| BenchmarkCoraza_NoRules_GET | 58,995 | 45,052 | 110 |
| BenchmarkCoraza_QueryRule_GET_Allow | 58,406 | 45,190 | 114 |
| BenchmarkCoraza_QueryRule_GET_Block | 60,093 | 47,666 | 155 |
| BenchmarkCoraza_BodyRule_POST_1KB_Allow | 86,675 | 103,892 | 328 |
| BenchmarkCoraza_BodyRule_POST_1KB_Block | 93,310 | 106,381 | 365 |
| BenchmarkCoraza_BodyRule_POST_64KB_Allow | 939,931 | 1,378,918 | 10,342 |
| BenchmarkCoraza_ManyHeaders_GET | 108,897 | 73,302 | 455 |
| BenchmarkConvertFiberToStdRequest_GET | 1,032 | 976 | 11 |
| BenchmarkConvertFiberToStdRequest_POST_1KB | 1,072 | 992 | 12 |
| BenchmarkProcessRequest_FromStdRequest_GET | 6,234 | 3,297 | 58 |
| BenchmarkProcessRequest_FromStdRequest_POST_1KB | 45,436 | 87,200 | 258 |
| BenchmarkCorazaTransaction_Direct_GET | 7,025 | 3,370 | 63 |
| BenchmarkCorazaTransaction_Direct_POST_1KB | 9,295 | 6,990 | 73 |
| BenchmarkDefaultMetricsCollector_ObserveRequest | 6.302 | 0 | 0 |
| BenchmarkDefaultMetricsCollector_ObserveRequestParallel | 66.82 | 0 | 0 |

These numbers are included as a local sample only.

Initial observations

  • The no-rules middleware path adds roughly 46.7 us/op, 38 KB/op, and 84 allocs/op over the plain Fiber baseline in this local run.
  • Simple query allow/block cases are close to the no-rules middleware baseline, so fixed middleware/transaction overhead is visible in low-rule scenarios.
  • Request body inspection dominates cost growth, especially in the 64KB body case.
  • Many headers significantly increase allocations, which gives us a useful benchmark for future adapter/header-path work.
  • The default metrics collector is 0 allocs/op and does not appear to be a meaningful bottleneck.

Summary by CodeRabbit

  • Tests
    • Added comprehensive benchmark suite to measure WAF performance across various scenarios, including different request types, body sizes, header counts, and integration layers.
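
The WAF-over-baseline overhead quoted in the observations above can be recomputed from raw `go test -bench -benchmem` output. This is an added example, not code from the PR or from gofiber/contrib; `parseBench`, `overhead` and `Result` are hypothetical names, and the sample lines are constructed (values from the table above, `-16` suffix and iteration counts made up).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Result holds the -benchmem columns for one benchmark.
type Result struct{ NsOp, BytesOp, AllocsOp float64 }

// sample is constructed: value columns from the PR's table; "-16" and iteration counts are made up.
const sample = `goos: windows
BenchmarkFiberBaseline_GET-16                 97000   12293 ns/op     6149 B/op     26 allocs/op
BenchmarkCoraza_NoRules_GET-16                20000   58995 ns/op    45052 B/op    110 allocs/op
BenchmarkCoraza_BodyRule_POST_64KB_Allow-16    1200  939931 ns/op  1378918 B/op  10342 allocs/op`

// parseBench maps each benchmark name (GOMAXPROCS suffix stripped) to its Result.
func parseBench(out string) map[string]Result {
	res := map[string]Result{}
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || !strings.HasPrefix(f[0], "Benchmark") {
			continue // goos/pkg/PASS lines
		}
		name, i := f[0], strings.LastIndex(f[0], "-")
		if _, err := strconv.Atoi(name[i+1:]); i > 0 && err == nil {
			name = name[:i]
		}
		vals := map[string]float64{} // unit -> value, from "<value> <unit>" pairs
		for j := 2; j+1 < len(f); j += 2 {
			if v, err := strconv.ParseFloat(f[j], 64); err == nil {
				vals[f[j+1]] = v
			}
		}
		res[name] = Result{vals["ns/op"], vals["B/op"], vals["allocs/op"]}
	}
	return res
}

// overhead is what benchmark name costs per op on top of base.
func overhead(res map[string]Result, base, name string) Result {
	b, n := res[base], res[name]
	return Result{n.NsOp - b.NsOp, n.BytesOp - b.BytesOp, n.AllocsOp - b.AllocsOp}
}

func main() {
	o := overhead(parseBench(sample), "BenchmarkFiberBaseline_GET", "BenchmarkCoraza_NoRules_GET")
	fmt.Printf("no-rules WAF path: +%.1f us/op, +%.0f B/op, +%.0f allocs/op\n", o.NsOp/1000, o.BytesOp, o.AllocsOp)
}
```

Feeding it the output of two runs on the same machine gives a quick check on whether a change moved the fixed per-request WAF cost or only the body-inspection cost.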

gofurry requested a review from a team as a code owner June 11, 2026 15:58
gofurry requested review from ReneWerner87, efectn, gaby and sixcolors and removed request for a team June 11, 2026 15:58

coderabbitai (Bot, Contributor) commented Jun 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1952086f-1dcb-463c-be53-78aa7182cb27

📥 Commits

Reviewing files that changed from the base of the PR and between 8b3c63d and 4bccdf2.

📒 Files selected for processing (1)
  • v3/coraza/coraza_bench_test.go
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Tests (1.26.x)
🔇 Additional comments (8)
v3/coraza/coraza_bench_test.go (8)

1-18: LGTM!


20-35: LGTM!


37-121: LGTM!


123-188: LGTM!


190-240: LGTM!


242-331: LGTM!


333-406: LGTM!


13-17: Confirm dependency safety for Coraza/Fiber/fasthttp in the benchmarks

govulncheck ./... for v3/coraza reports no vulnerabilities found in the current Go vulnerability database for the module’s dependencies (including coraza v3.7.0, fiber v3.3.0, and fasthttp v1.71.0).


Walkthrough

This PR introduces a complete benchmark suite for the Coraza WAF middleware, comparing performance across different rule configurations, request sizes, and processing layers. The benchmarks measure baseline Fiber request handling, WAF processing with varying rules and payloads, request conversion to standard HTTP, and metrics collection both sequentially and in parallel.

Changes

Coraza Benchmarks

| Layer / File(s) | Summary |
|---|---|
| Imports and benchmark constants: v3/coraza/coraza_bench_test.go (lines 1–36) | Package imports, benchmark directive rule strings for query and body filtering, precomputed request bodies for consistent payloads, and a latency constant used across the suite. |
| Benchmark entry points and execution: v3/coraza/coraza_bench_test.go (lines 37–241) | Sixteen benchmark functions covering: Fiber baseline GET, Coraza with no rules, query allow/block rules, POST with 1KB and 64KB body allow/block rules, many-header GET, Fiber-to-net/http conversion, net/http request processing, direct Coraza transaction execution, and default metrics collection (sequential and parallel). |
| Test infrastructure and utility functions: v3/coraza/coraza_bench_test.go (lines 242–406) | Helper constructors for benchmark WAF engines and rule-backed WAF instances with temp-file directive writing, Fiber app builders with optional middleware integration, request body and context builders with form data and synthetic headers, direct transaction request processing with conditional body handling, and resource cleanup helpers for response bodies, request bodies, and transactions. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • gofiber/contrib#1759: Introduces the Coraza v3 middleware, request processing, and default metrics collector functionality that this benchmark suite exercises.

Suggested labels

✏️ Feature

Suggested reviewers

  • gaby
  • sixcolors
  • efectn
  • ReneWerner87

Poem

🐰 A rabbit's ode to benchmarks bright,
Where Coraza rules stand day and night,
From fiber threads to headers tall,
These benchmarks test them all!
With metrics flowing, parallel fast,
The WAF performance shall forever last! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'test(coraza): add middleware performance benchmarks' directly and accurately summarizes the main change: adding a benchmark suite to the coraza middleware. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

