• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Mod Security for apache or Nginx?

F

fliegerhermi

Regular Pleskian
Server operating system version
Ubuntu 18.04.6 LTS
Plesk version and microupdate number
18.0.49 Update #1
Hi! I wanted to activate mod security, but I noticed, that I have to choose between nginx oder apache.
Some websites don't support nginx so we are using php through apache and nginx.

Is my understanding right that one of the webservers is always unprotected by the web application firewall in this configuration?
 
As far as I know, ModSecurity is supported by all 3 supported web server that Plesk uses (Nginix, Apache, and IIS) according to this article:
docs.plesk.com

Web Application Firewall (ModSecurity)

In this topic, you will learn how to protect your web applications (such as WordPress, Joomla!, or Drupal) from attacks using ModSecurity, an Open Source web application firewall.
docs.plesk.com docs.plesk.com

So it should be protected either way as long as you have it configured and turned on.
 
I think the underlying question is whether Nginx will honor ModSecurity for all requested resources when it is configured as front-end proxy. It will clearly work when Nginx-only hosting is done with the ModSecurity 3.0 selection and its ruleset. It will also clearly work for Nginx+Apache combination when ModSecurity 2.0 is selected with the matching ruleset. But in the case described above, @fliegerhermi has some websites running as nginx-only and others as Nginx frontend. I admit that I personally have never tested the mix. I am not sure whether ModSecurity 3.0 is applied to all incoming requests when Nginx is proxying requests. I'd think it is not, but it will need to be tested. There is no mix configuration available. The user needs to go with either setup, 2.0 or 3.0.
 
Hi! Thank you for the replies.
When I am speaking of mixed configuration I am talking about some websites serving PHP as FPM (Apache) and others as FPM (NGinx).
Nginx is working in Proxy-Mode for Apache for some reasons. I have to look up my documentation why this is configured like this. I guess it is for compactability reasons.
So in my case I guess I have to take the Apache 2.9 Ruleset right?
 
is this option excluding the other?
or includes both?

My server has:
some sites only apache
some both
some sites only nginx

I want ModSecurity to be used on both: nginx and apache

how to make that happen?
 
General question?

How good is mod-security 2.9 for Apache VS 3.0 for nginx?

IMO:
a wordpress site is faster using nginx.

maybe I choose modsecurity 3.0 for nginx and just make sure sites are using nginx?

BUT wondering what others say about "modsecurity 3.0 for nginx"
 
You must log in or register to reply here.

Similar threads

brother4
Question Optimizing PHP FPM Handler Settings for Apache and Nginx in Plesk
Replies
0
Views
221
brother4
brother4
X-HTTG
Resolved Apache + Nginx As Reverse Proxy Imunify360 Question
Replies
5
Views
2K
Peter Debik
P
F
Resolved HTTP 3 is not used despite NGINX Only hosting
2
Replies
23
Views
2K
MartinT
M
brother4
Question Best way to block direct PHP file access and ensure .htaccess rules are always applied with Nginx as a reverse proxy?
Replies
1
Views
373
brother4
brother4
D
Question Service Unavailable port 8443 Plesk Not Working
Replies
1
Views
426
Kaspar@Plesk
Kaspar@Plesk
Back
Top