• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Question Mod Security for apache or Nginx?

F

fliegerhermi

Regular Pleskian
Server operating system version
Ubuntu 18.04.6 LTS
Plesk version and microupdate number
18.0.49 Update #1
Hi! I wanted to activate mod security, but I noticed, that I have to choose between nginx oder apache.
Some websites don't support nginx so we are using php through apache and nginx.

Is my understanding right that one of the webservers is always unprotected by the web application firewall in this configuration?
 
As far as I know, ModSecurity is supported by all 3 supported web server that Plesk uses (Nginix, Apache, and IIS) according to this article:
docs.plesk.com

Web Application Firewall (ModSecurity)

In this topic, you will learn how to protect your web applications (such as WordPress, Joomla!, or Drupal) from attacks using ModSecurity, an Open Source web application firewall.
docs.plesk.com docs.plesk.com

So it should be protected either way as long as you have it configured and turned on.
 
I think the underlying question is whether Nginx will honor ModSecurity for all requested resources when it is configured as front-end proxy. It will clearly work when Nginx-only hosting is done with the ModSecurity 3.0 selection and its ruleset. It will also clearly work for Nginx+Apache combination when ModSecurity 2.0 is selected with the matching ruleset. But in the case described above, @fliegerhermi has some websites running as nginx-only and others as Nginx frontend. I admit that I personally have never tested the mix. I am not sure whether ModSecurity 3.0 is applied to all incoming requests when Nginx is proxying requests. I'd think it is not, but it will need to be tested. There is no mix configuration available. The user needs to go with either setup, 2.0 or 3.0.
 
Hi! Thank you for the replies.
When I am speaking of mixed configuration I am talking about some websites serving PHP as FPM (Apache) and others as FPM (NGinx).
Nginx is working in Proxy-Mode for Apache for some reasons. I have to look up my documentation why this is configured like this. I guess it is for compactability reasons.
So in my case I guess I have to take the Apache 2.9 Ruleset right?
 
is this option excluding the other?
or includes both?

My server has:
some sites only apache
some both
some sites only nginx

I want ModSecurity to be used on both: nginx and apache

how to make that happen?
 
General question?

How good is mod-security 2.9 for Apache VS 3.0 for nginx?

IMO:
a wordpress site is faster using nginx.

maybe I choose modsecurity 3.0 for nginx and just make sure sites are using nginx?

BUT wondering what others say about "modsecurity 3.0 for nginx"
 
You must log in or register to reply here.

Similar threads

K
Resolved Web Application Firewall: Security rule IDs broken/reset
Replies
8
Views
1K
pleskpanel
P
brother4
Question Optimizing PHP FPM Handler Settings for Apache and Nginx in Plesk
Replies
0
Views
1K
brother4
brother4
P
Resolved Disable output buffering
Replies
4
Views
384
Patashoow
P
majdi draouil
Question How to Block Direct IP Access and Ensure All Traffic Routes Through Cloudflare
Replies
1
Views
597
Raul A.
R
H
Resolved Unable to Disable Node.js Application in Plesk – App Remains Accessible
Replies
1
Views
850
HawkSky
H
Back
Top