nginx, php-fpm and T_WAF in Plesk 12
I've been playing with nginx in Plesk 12 for the first time, and I could do with some pointers please.
nginx general
It appears that if you allow nginx to be installed at all, it is ALWAYS active in one way or another, listening on port 80 with Apache running on port 7080. You can set nginx to serve only unmodified pages/files and nothing else, but this is the minimum - it is basically there all the time. Is this really the case? How many of you have it installed?
php-fpm and T-WAF
In Plesk 12.1 (not sure about earlier), php-fpm is supported out of the box and can be enabled on a per-domain basis, but only when PHP files are processed directly by nginx rather than Apache (at least this is the case for CentOS 6 and Apache 2.2). Obviously, in this configuration, mod_sec is now out of the equation as Apache is not involved.
However, by enabling the T-WAF on port 80, we can bring mod_sec back into play, and this is how it should be done according to the Wiki.
But....on a Plesk server with lots of domains on a shared IP, if you have the T-WAF enabled on port 80, for all domains where nginx does not process php, which is going to be the majority, you'll end up with mod_sec on the T-WAF and mod_sec within apache itself. Does this result in mod_sec processing everything twice, or is there a mechanism that prevents this from happening?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: nginx, php-fpm and T_WAF in Plesk 12
> But....on a Plesk server with lots of domains on a shared IP, if you have the T-WAF enabled on port 80, for all domains where nginx does not process php, which is going to be the majority, you'll end up with mod_sec on the T-WAF and mod_sec within apache itself. Does this result in mod_sec processing everything twice, or is there a mechanism that prevents this from happening?
They process them independently, so yes they both do it. You'd want to disable the embedded WAF in Apache if you don't want to use it, which you really don't need if the T-WAF is processing all traffic to port 80. The embedded modsecurity module in Apache isn't needed in that case.
Michael Shinn
Atomicorp - Security For Everyone
Re: nginx, php-fpm and T_WAF in Plesk 12
Gosh. OK.
Is doing this common? What I mean is what do people most often do when they are running Plesk?
(I'm expecting the answer to be "not run nginx at all")
Re: nginx, php-fpm and T_WAF in Plesk 12
Why place a bulky Apache WAF in front of your lean Nginx setup?
Lemonbit Internet Dedicated Server Management
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: nginx, php-fpm and T_WAF in Plesk 12
Because the nginx mod_security isn't really there yet.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: nginx, php-fpm and T_WAF in Plesk 12
Correct. The nginx mod_security port is not production quality at this time, so you shouldn't rely on it to protect you or even operate correctly.
Michael Shinn
Atomicorp - Security For Everyone
Re: nginx, php-fpm and T_WAF in Plesk 12
mikeshinn wrote:
> Correct. The nginx mod_security port is not production quality at this time, so you shouldn't rely on it to protect you or even operate correctly.
With your permission, I would like to get an official (Atomicorp) update on the actual status of the nginx mod_security port: does it fulfill the production quality now?
Thank you!
Re: nginx, php-fpm and T_WAF in Plesk 12
If you run Apache 2.4 with MPM Event, you really don't need Nginx, and you can still use an advanced mod_security setup.
Lemonbit Internet Dedicated Server Management
Re: nginx, php-fpm and T_WAF in Plesk 12
@prupert: Thank you!
-
- Forum User
- Posts: 86
- Joined: Wed Oct 03, 2012 2:51 pm
- Location: Algiers
Re: nginx, php-fpm and T_WAF in Plesk 12
prupert wrote:
> If you run Apache 2.4 with MPM Event, you really don't need Nginx, and you can still use an advanced mod_security setup.
I'm interested in using MPM Events. Can you please give me more details on advanced mod_security setup (I use cPanel, not Plesk)?
Re: nginx, php-fpm and T_WAF in Plesk 12
Event is just one of the three Multi-Processing Modules ("MPM") available in Apache httpd 2.4. Event is much more efficient than Prefork, which is probably what you are using now.
A major difference between Event and Prefork is that one httpd process in Event runs with multiple threads that can handle multiple requests, whereas in Prefork one httpd process can only handle one thread with one request at a time. This also means that all code that is executed by Apache under the Event MPM needs to be thread-safe: it needs to guarantee safe execution by multiple threads at the same time.
Some commonly used PHP modules are well known for not being thread-safe. Thus, if you want to use Apache with the Event MPM, you need to stop using the Apache PHP module (mod_php) - if you haven't already switched to PHP-FPM.
Lemonbit Internet Dedicated Server Management
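Added example, not part of the post above or of any Atomicorp or Plesk tooling: a shell check that reads an Apache module list in the format printed by `apachectl -M` and flags mod_php loaded under a threaded MPM, the combination the post says to avoid. It goes slightly beyond the post by treating Worker like Event (Worker is threaded too) and by reporting whether the embedded ModSecurity module is loaded; the function names and the two sample module lists are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify an Apache module list, in the
# format printed by `apachectl -M`, for the MPM / mod_php combination.

# Reads a module list on stdin and prints one summary line.
check_mpm_php() {
    mpm=unknown; php=no; waf=no
    while read -r name _rest; do
        case "$name" in
            mpm_prefork_module) mpm=prefork ;;
            mpm_worker_module)  mpm=worker ;;
            mpm_event_module)   mpm=event ;;
            php*_module)        php=yes ;;   # php5_module, php7_module, php_module
            security2_module)   waf=yes ;;   # ModSecurity 2.x embedded in Apache
        esac
    done
    case "$mpm:$php" in
        unknown:*)            verdict=UNKNOWN ;;  # no MPM line in the input
        event:yes|worker:yes) verdict=WARN ;;     # threaded MPM with mod_php loaded
        *)                    verdict=OK ;;
    esac
    printf 'mpm=%s mod_php=%s mod_security=%s verdict=%s\n' \
        "$mpm" "$php" "$waf" "$verdict"
}

# Constructed sample: Event MPM with mod_php still loaded.
sample_event_modphp() {
    cat <<'EOF'
Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 security2_module (shared)
 php5_module (shared)
EOF
}

# Constructed sample: Event MPM, PHP handed to PHP-FPM through proxy_fcgi.
sample_event_fpm() {
    cat <<'EOF'
Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 proxy_fcgi_module (shared)
 security2_module (shared)
EOF
}

sample_event_modphp | check_mpm_php
sample_event_fpm | check_mpm_php
```

On a live host the same function can be fed the real list with `apachectl -M 2>/dev/null | check_mpm_php`.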
-
- Forum User
- Posts: 86
- Joined: Wed Oct 03, 2012 2:51 pm
- Location: Algiers
Re: nginx, php-fpm and T_WAF in Plesk 12
@prupert, many thanks for the explanation.
On the server, I use mod_fcgid in prefork.
I liked to use PHP-FPM but it is incompatible with the PHP Selector (http://docs.cloudlinux.com/index.html?c ... atrix.html).
Out of curiosity, I tested (on a test vps), the following configuration: Apache 2.4, MPM Event, Opcache, apcu, php 5.6.
This configuration is best for performance, but ASL gives errors of the type: Access denied with code 400. Too many threads [32000] of 8096 allowed in READ...
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: nginx, php-fpm and T_WAF in Plesk 12
> This configuration is best for performance, but ASL gives errors of the type: Access denied with code 400. Too many threads [32000] of 8096 allowed in READ...
http://wiki.atomicorp.com/wiki/index.php/HIDS_31102
Just increase this setting:
http://wiki.atomicorp.com/wiki/index.ph ... STATELIMIT
Michael Shinn
Atomicorp - Security For Everyone