nginx as reverse proxy to apache. Security?

Community support for Plesk, CPanel, WebMin and others with insight from two of the founders of Plesk. Ask for help here! No question is too simple or complicated. :-)
srpurdy
Forum Regular
Forum Regular
Posts: 110
Joined: Sat Jan 21, 2012 6:37 pm
Location: Canada

nginx as reverse proxy to apache. Security?

Unread post by srpurdy »

I'm considering setting up nginx to serve static files like images, my only concern is security. I've brushed up on some nginx specific security issues, but it seems like I can't find any information anywhere about mod_security and is it needed in a case where your only serving images. Apache would handle php processing which seems to me is the majority of where the security would need to be. So I'm looking for maybe some information from someone that actually knows this, and what I should look out for for this kind of setup?

The whole nginx community seems rather focused on performance, and a majority of users unfamiliar with nginx seems to just go with it based on these performance reviews without actually thinking at all about security. Which is frustrating to me. While I'm not that familiar with nginx myself the first thing I think about is security. :)

Hopefully someone can help me decide as this server I'd like to deploy this on is a shared environment. So I'd like to know the do's and dont's that may apply. :)

And I'm sure others that are security consensus will be interested to know too. :)

Not sure where the right section would be for this. But I'm using cPanel. So my issue isn't so much the Control Panell just wither it can be secure. :)
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4133
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: nginx as reverse proxy to apache. Security?

Unread post by mikeshinn »

Thanks for the questions. So first, modsecurity is available for nginx. Hurray! The bad news is that its very very new, and there have been bugs with it. So I wouldnt count on it yet. Its not clear that everything works correctly, or that all the capabilities are there.

That issue asside, so heres my take from the security perspective on WAFs. You have a number of different security issues with web servers that boil down to:

1) Vulnerabilities in the web server itself
2) Vulnerabilities in web applications server by the server
3) Malicious code being served up by the server
4) Sensitive information being served up by the server
5) Availability attacks on the web server (DOS/DDOS)

Issue 1:

A WAF in front of a web server may be able to protect the web server from attacks on itself. An embedded WAF might be able to do this too, but it depends if the attack happens before the embedded WAF can see it and stop it. In general, these types of attacks are prevented by a WAF in front of the web server, and by server side protections like kernel level immunity to attack types (overflows for example), and very very rarely MAC and RBAC might be able to prevent expansion of the attack (but not stop it).

Issue 2:

If the server does not have the ability to service applications (which is different from them being installed), then this is not an issue.

If it does have the ability to service applications, but they are not installed, then your risk is if someone accidentally misconfigures the server and putts an app there - then it wont be protected. The most likely scenario is that a bad guy will put a malicious app there that the WAF would normally detect and stop, in this case it won't. We have seen this happen quite a bit with the scenario of using one web server for certain content, and another for web applications. If the web server can process the web application, and the bad guy can install it under the "static content" only web server you wont be able to stop the app from running.

So if you do setup a web server to only service static content, its vitally important that you confirm that it can not serve up dynamic content, like PHP, PERL, CGI, etc.

Issue 3:

You will be vulnerable to this without something to prevent the malicious app from running, if the web server can service it. If it cant, then this isnt an issue.

This is a bit different from issue 2, if you only serve up "static content", keep in mind that you may still be able to serve up malicious code for other people. For example RFI attacks, remotely hosted malicious javascript, etc. download the code form another server. So a static content server is actually ideal for this kind of malicious activity.

Just remember, static content can still be malicious, even "image" files may not actually be image files. It might not effect your server, but it might effect someone else. We see a lot of maliciously hosted malware that pretends to be a GIF, it will even have a GIF89 header - a VALID one - but contains HTML and PHP, which a remote server or client will load as HTML or PHP and will ignore the header.

Issue 4:

You'll be vulnerable to this. If somehow sensitive content gets served up by the "static content" server, then the bad guys will have it.

Issue 5:

You may be vulnerable to this as well. It depends on the DOS attack, this is related to Issue 1. If this kind of DOS attack could be stopped by the WAF, you'll be vulnerable to it.

I hope this helps.
srpurdy
Forum Regular
Forum Regular
Posts: 110
Joined: Sat Jan 21, 2012 6:37 pm
Location: Canada

Re: nginx as reverse proxy to apache. Security?

Unread post by srpurdy »

Hi Mike,

Woah nice post. :)

Yeah injected images is always a concern.
I guess this is really a concern on an already hacked system. I guess I'm looking to prevent that from happening lol. :)

Do you have any suggestions on how to test if say nginx can/can't be tricked into running php/cgi etc? I do have a server I can test this on. I've tried getting a php script to run from the browser it always went to apache. But I'm wondering if there is some tricky way to do this. I even tried the known issue of passing a php file then a jpg after it in the URI, but this failed. Which is good. :)

Really appreciate the informative response. :D
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4133
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: nginx as reverse proxy to apache. Security?

Unread post by mikeshinn »

I guess this is really a concern on an already hacked system. I guess I'm looking to prevent that from happening lol. :)
Yes indeed. Keep in mind that if you allow users to upload images, this is one of the easiest ways for this to occur. Several of the big file sharing sites get used all the time in this way, they only allow certain file extensions to be uploaded, but because a remote instance of PHP doesnt care what the file extension is - its just data - this method of controlling the uploaded files does not work. Equally, for the sites that check the header, that doesnt work either because of the afore mentioned trick of putting a valid GIF header on a PHP or HTML file. Works fine in the browser, and on the remote system as PHP or HTML and the GIF header just gets ignored.
Do you have any suggestions on how to test if say nginx can/can't be tricked into running php/cgi etc?
Well, nginx can be setup to serve PHP:

http://wiki.nginx.org/Configuration#PHP_via_FastCGI

So the first thing I would do is make sure its not, and then test a PHP app thats confirmed to work in Apache (a simple one, like hellow world) and make sure it doesnt work in nginx.
breun
Long Time Forum Regular
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: nginx as reverse proxy to apache. Security?

Unread post by breun »

Plesk 11 includes an optional nginx reverse proxy setup: http://download1.parallels.com/Plesk/PP ... /70837.htm Anyone tried this yet with ASL? How much less secure would this be compared to not using the nginx option in Plesk 11?
Lemonbit Internet Dedicated Server Management
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4133
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: nginx as reverse proxy to apache. Security?

Unread post by mikeshinn »

Same issues as before. Its a web server.
srpurdy
Forum Regular
Forum Regular
Posts: 110
Joined: Sat Jan 21, 2012 6:37 pm
Location: Canada

Re: nginx as reverse proxy to apache. Security?

Unread post by srpurdy »

Cool Thanks for the info. :)
Post Reply