• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Mod Security for apache or Nginx?

fliegerhermi

Regular Pleskian
Server operating system version
Ubuntu 18.04.6 LTS
Plesk version and microupdate number
18.0.49 Update #1
Hi! I wanted to activate mod security, but I noticed, that I have to choose between nginx oder apache.
Some websites don't support nginx so we are using php through apache and nginx.

Is my understanding right that one of the webservers is always unprotected by the web application firewall in this configuration?
 
As far as I know, ModSecurity is supported by all 3 supported web server that Plesk uses (Nginix, Apache, and IIS) according to this article:

So it should be protected either way as long as you have it configured and turned on.
 
I think the underlying question is whether Nginx will honor ModSecurity for all requested resources when it is configured as front-end proxy. It will clearly work when Nginx-only hosting is done with the ModSecurity 3.0 selection and its ruleset. It will also clearly work for Nginx+Apache combination when ModSecurity 2.0 is selected with the matching ruleset. But in the case described above, @fliegerhermi has some websites running as nginx-only and others as Nginx frontend. I admit that I personally have never tested the mix. I am not sure whether ModSecurity 3.0 is applied to all incoming requests when Nginx is proxying requests. I'd think it is not, but it will need to be tested. There is no mix configuration available. The user needs to go with either setup, 2.0 or 3.0.
 
Hi! Thank you for the replies.
When I am speaking of mixed configuration I am talking about some websites serving PHP as FPM (Apache) and others as FPM (NGinx).
Nginx is working in Proxy-Mode for Apache for some reasons. I have to look up my documentation why this is configured like this. I guess it is for compactability reasons.
So in my case I guess I have to take the Apache 2.9 Ruleset right?
 
is this option excluding the other?
or includes both?

My server has:
some sites only apache
some both
some sites only nginx

I want ModSecurity to be used on both: nginx and apache

how to make that happen?
 
General question?

How good is mod-security 2.9 for Apache VS 3.0 for nginx?

IMO:
a wordpress site is faster using nginx.

maybe I choose modsecurity 3.0 for nginx and just make sure sites are using nginx?

BUT wondering what others say about "modsecurity 3.0 for nginx"
 
Back
Top