• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved WAF / NGINX ONLY

O

othmaqsa

Regular Pleskian
Server operating system version
Ubuntu 20.04.5 LTS
Plesk version and microupdate number
18.0.49
Hello,

I use nginx only (reverse proxy unchecked).

How can I use a WAF in this case ?
 
Hi @othmaqsa, you can run WAF basically the same like with the Nginx/Apache combination, however on the "settings" page of your WAF configuration, please select the appropriate web server. Please see the documentation for details:
docs.plesk.com

Web Application Firewall (ModSecurity)

In this topic, you will learn how to protect your web applications (such as WordPress, Joomla!, or Drupal) from attacks using ModSecurity, an Open Source web application firewall.
docs.plesk.com docs.plesk.com
 

Nginx and ModSecurity Notes (Linux)​

On Linux, ModSecurity is a module for Apache. Thus, it can check only HTTP requests that reach Apache. Apache can be supplemented with another web server - nginx. If you turn on the Process PHP by nginx option of the nginx web server for dynamic content of your website (in Apache & nginx settings for a website), the web application firewall will not be able to check HTTP requests because they will never reach Apache. For static content, if the Serve static files directly by nginx option is on, then HTTP requests will not reach Apache, so ModSecurity will not check them.

So there is no way to run a WAF in NGINX server ?
 
I've seen the "Notes" yesterday, too, and immediately asked staff about it. We believe that is a leftover of the times when only Apache was supported. These notes will be removed in a future update of the documentation.
 
Peter Debik said:
I've seen the "Notes" yesterday, too, and immediately asked staff about it. We believe that is a leftover of the times when only Apache was supported. These notes will be removed in a future update of the documentation.
Click to expand...
Hello @Peter Debik ,

Is is it safe to keep Modsec + Comodo even if Comodo have not updated the rulesets since 2020-11-19 22:32:48 ?

If not, what is the best alternative ?
 
Some users recommend to stop using Comodo. I am not using that on my servers either. Instead I am back to Atomic, but this is probably a matter of taste.
 
Hello,
I'm using Ubuntu 20.04.5 LTS, Atomic is not available unfortunately.

Just Comodo and OWASP are available.
 
You must log in or register to reply here.

Similar threads

X-HTTG
Resolved Apache + Nginx As Reverse Proxy Imunify360 Question
Replies
5
Views
2K
Peter Debik
P
U
Question Text/event streaming: Outputs chat answers streamed.
Replies
0
Views
109
Ultaschall4D
U
B
Question Disable WAF (ModSecurity) if using Immunify360?
Replies
1
Views
844
Kaspar
K
L
Resolved ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/"
Replies
7
Views
537
loman
L
X-HTTG
Question Apache With Nginx Reverse Proxy Question
Replies
0
Views
1K
X-HTTG
X-HTTG
Back
Top