nginx vs apache with rules only

Customer support forums for the modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the real time modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
taenzerme
Forum User
Forum User
Posts: 5
Joined: Sat Oct 10, 2015 10:00 am
Location: Germany

nginx vs apache with rules only

Unread post by taenzerme »

Hello all,

I'm setting up a reverse proxy in front of some of our websites (mostly WP). I have both Apache2.4 and ngingx running with the rules and additionally Varnish4 in front for caching. Initial tests showed some great difference in regards to filtering the bad stuff and reducing server loads (which I guess is because of caching primarly, too).

Basic question:

Is anyone using latest nginx + mod_security_dev in production? I did some benchmarks and testing and as expected nginx + mod_security still outperforms Apache under higher load. Has anyone run into problems with the nginx combination? With the latest mod_sec builds from github we don't get any Segfaults (using consecutive logging).

Are there any other "downsides" in regards to the ruleset compares to Apache?
Are the experimential rules really only the stable rules without the Apache2 directives like LocationMatch?

Any feedback is highly appreciated! Thanks!

Best,
Sebastian
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8330
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: nginx vs apache with rules only

Unread post by scott »

We dont recommend using mod_security in nginx yet. The code there isnt ready just yet, right now upstream is going through a rewrite of the module (it's referred to as the refactoring branch). You can see the current open issues for nginx here:

https://github.com/SpiderLabs/ModSecurity/issues
taenzerme
Forum User
Forum User
Posts: 5
Joined: Sat Oct 10, 2015 10:00 am
Location: Germany

Re: nginx vs apache with rules only

Unread post by taenzerme »

scott, thanks for the feedback. I understand that this is the official "recommendation", yet I'm curious if still anyone is using nginx with modsec in production at the moment. We've been working with the self compiled nginx-refactored branch for now and did not run into any problems (no memory leaks, no crashes) - but have only been testing with automated tools, to maybe that does not mean anything.

Are there any recommendations for Apache2 in regards to performance tuning as a reverse proxy?

We thought about going for ASL as a "out of the box solution", yet can't justify to spend the 1000$/month just for putting it in front of our customers websites (without compensation by them).

Are you using Apache2 in ASL as reverse proxy, too and is it performing well with a lot of hits?
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: nginx vs apache with rules only

Unread post by prupert »

taenzerme wrote:[...] I did some benchmarks and testing and as expected nginx + mod_security still outperforms Apache under higher load.
That depends on your setup. I have seen incredibly good results with Apache 2.4 and mpm_event.
Lemonbit Internet Dedicated Server Management
taenzerme
Forum User
Forum User
Posts: 5
Joined: Sat Oct 10, 2015 10:00 am
Location: Germany

Re: nginx vs apache with rules only

Unread post by taenzerme »

prupert wrote:That depends on your setup. I have seen incredibly good results with Apache 2.4 and mpm_event.
Thanks for the recommendation. After some tweaking mpm_event does the job really well.
Post Reply