• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Question Mod Security for apache or Nginx?

F

fliegerhermi

Regular Pleskian
Server operating system version
Ubuntu 18.04.6 LTS
Plesk version and microupdate number
18.0.49 Update #1
Hi! I wanted to activate mod security, but I noticed, that I have to choose between nginx oder apache.
Some websites don't support nginx so we are using php through apache and nginx.

Is my understanding right that one of the webservers is always unprotected by the web application firewall in this configuration?
 
As far as I know, ModSecurity is supported by all 3 supported web server that Plesk uses (Nginix, Apache, and IIS) according to this article:
docs.plesk.com

Web Application Firewall (ModSecurity)

In this topic, you will learn how to protect your web applications (such as WordPress, Joomla!, or Drupal) from attacks using ModSecurity, an Open Source web application firewall.
docs.plesk.com docs.plesk.com

So it should be protected either way as long as you have it configured and turned on.
 
I think the underlying question is whether Nginx will honor ModSecurity for all requested resources when it is configured as front-end proxy. It will clearly work when Nginx-only hosting is done with the ModSecurity 3.0 selection and its ruleset. It will also clearly work for Nginx+Apache combination when ModSecurity 2.0 is selected with the matching ruleset. But in the case described above, @fliegerhermi has some websites running as nginx-only and others as Nginx frontend. I admit that I personally have never tested the mix. I am not sure whether ModSecurity 3.0 is applied to all incoming requests when Nginx is proxying requests. I'd think it is not, but it will need to be tested. There is no mix configuration available. The user needs to go with either setup, 2.0 or 3.0.
 
Hi! Thank you for the replies.
When I am speaking of mixed configuration I am talking about some websites serving PHP as FPM (Apache) and others as FPM (NGinx).
Nginx is working in Proxy-Mode for Apache for some reasons. I have to look up my documentation why this is configured like this. I guess it is for compactability reasons.
So in my case I guess I have to take the Apache 2.9 Ruleset right?
 
is this option excluding the other?
or includes both?

My server has:
some sites only apache
some both
some sites only nginx

I want ModSecurity to be used on both: nginx and apache

how to make that happen?
 
General question?

How good is mod-security 2.9 for Apache VS 3.0 for nginx?

IMO:
a wordpress site is faster using nginx.

maybe I choose modsecurity 3.0 for nginx and just make sure sites are using nginx?

BUT wondering what others say about "modsecurity 3.0 for nginx"
 
You must log in or register to reply here.

Similar threads

X-HTTG
Resolved Apache + Nginx As Reverse Proxy Imunify360 Question
Replies
5
Views
962
Peter Debik
P
J
Question PHP-FPM Apache / Nginx
Replies
6
Views
2K
damiankozlowski
damiankozlowski
2
Issue index.php prepended to Drupal 10.1.x admin paths when running PHP as FPM Application served via Apache
Replies
3
Views
585
2dareis2do
2
R
Issue Problem with web application firewall - file extension is restricted by policy
Replies
3
Views
494
Linulex
Linulex
WhiteTiger
Question "Your server is neither Nginx nor Apache"
Replies
2
Views
978
WhiteTiger
WhiteTiger
Back
Top