Atomic Secure Linux
 Post subject: nginx, php-fpm and T_WAF in Plesk 12
Posted: Sat Apr 11, 2015 4:10 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
I've been playing with nginx in Plesk 12 for the first time, and I could do with some pointers please.

nginx general
It appears that if you allow nginx to be installed at all, it is ALWAYS active in one way or another, listening on port 80 with Apache running on port 7080. You can set nginx to serve only unmodified pages/files and nothing else, but this is the minimum - it is basically there all the time. Is this really the case? How many of you have it installed?

php-fpm and T-WAF
In Plesk 12.1 (not sure about earlier), php-fpm is supported out of the box and can be enabled on a per-domain basis, but only when PHP files are processed directly by nginx rather than Apache (at least this is the case for CentOS 6 and Apache 2.2). Obviously, in this configuration, mod_sec is now out of the equation as Apache is not involved.

However, by enabling the T-WAF on port 80, we can bring mod_sec back into play and this is how it should be done according to the Wiki.

But....on a Plesk server with lots of domains on a shared IP, if you have the T-WAF enabled on port 80, for all domains where nginx does not process php, which is going to be the majority, you'll end up with mod_sec on the T-WAF and mod_sec within apache itself. Does this result in mod_sec processing everything twice, or is there a mechanism that prevents this from happening?

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 Post subject: Re: nginx, php-fpm and T_WAF in Plesk 12
Posted: Wed Apr 15, 2015 10:21 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4086
Location: Chantilly, VA
Quote:
But....on a Plesk server with lots of domains on a shared IP, if you have the T-WAF enabled on port 80, for all domains where nginx does not process php, which is going to be the majority, you'll end up with mod_sec on the T-WAF and mod_sec within apache itself. Does this result in mod_sec processing everything twice, or is there a mechanism that prevents this from happening?


They process them independently, so yes, they both do it. You'd want to disable the embedded WAF in Apache if you don't want to use it, which you really don't need if the T-WAF is processing all traffic to port 80. The embedded modsecurity module in Apache isn't needed in that case.

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: nginx, php-fpm and T_WAF in Plesk 12
Posted: Wed Apr 15, 2015 11:40 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Gosh. OK.

Is doing this common? What I mean is what do people most often do when they are running Plesk?
(I'm expecting the answer to be "not run nginx at all")

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 Post subject: Re: nginx, php-fpm and T_WAF in Plesk 12
Posted: Thu Apr 16, 2015 5:51 am
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 573
Location: Netherlands
Why place a bulky Apache WAF in front of your lean Nginx setup?

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: nginx, php-fpm and T_WAF in Plesk 12
Posted: Thu Apr 16, 2015 8:37 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
Because the nginx mod_security isn't really there yet.


 Post subject: Re: nginx, php-fpm and T_WAF in Plesk 12
Posted: Fri Apr 17, 2015 5:52 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4086
Location: Chantilly, VA
Correct. The nginx mod_security port is not production quality at this time, so you shouldn't rely on it to protect you or even operate correctly.

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: nginx, php-fpm and T_WAF in Plesk 12
Posted: Thu Apr 14, 2016 3:58 am
Forum User

Joined: Tue Jan 22, 2013 5:27 am
Posts: 9
Location: Bucharest
mikeshinn wrote:
Correct. The nginx mod_security port is not production quality at this time, so you shouldn't rely on it to protect you or even operate correctly.


With your permission, I would like to get an official (atomicorp) update upon the actual status of nginx mod_security port: does it fulfill the production quality now?

Thank you!


 Post subject: Re: nginx, php-fpm and T_WAF in Plesk 12
Posted: Thu Apr 14, 2016 4:27 am
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 573
Location: Netherlands
If you run Apache 2.4 with MPM Event, you really don't need Nginx, and you can still use an advanced mod_security setup.

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: nginx, php-fpm and T_WAF in Plesk 12
Posted: Thu Apr 14, 2016 10:32 am
Forum User

Joined: Tue Jan 22, 2013 5:27 am
Posts: 9
Location: Bucharest
@prupert: Thank you!


 Post subject: Re: nginx, php-fpm and T_WAF in Plesk 12
Posted: Sun Oct 02, 2016 8:28 am
Forum User

Joined: Wed Oct 03, 2012 2:51 pm
Posts: 86
Location: Algiers
prupert wrote:
If you run Apache 2.4 with MPM Event, you really don't need Nginx, and you can still use an advanced mod_security setup.


I'm interested in using MPM Event. Can you please give me more details on an advanced mod_security setup (I use cPanel, not Plesk)?


 Post subject: Re: nginx, php-fpm and T_WAF in Plesk 12
Posted: Mon Oct 03, 2016 10:54 am
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 573
Location: Netherlands
Event is just one of the three Multi-Processing Modules ("MPM") available in Apache httpd 2.4. Event is much more efficient than Prefork, which is probably what you are using now.

A major difference between Event and Prefork is that one httpd process in Event runs with multiple threads that can handle multiple requests, whereas in Prefork one httpd process can only handle one thread with one request at a time. This also means that all code that is executed by Apache under the Event MPM needs to be thread-safe: it needs to guarantee safe execution by multiple threads at the same time.

Some commonly used PHP modules are well known for not being thread-safe. Thus, if you want to use Apache with the Event MPM, you need to stop using the Apache PHP module (mod_php) - if you haven't already switched to PHP-FPM.

_________________
Lemonbit Internet Dedicated Server Management
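
Added example (not part of the original post): a shell check for the combination described above, a threaded MPM loaded together with mod_php, run over constructed `httpd -M` output. The helper name `audit_modules` and the verdict strings are assumptions for illustration; the check also reports whether the embedded `security2_module` is loaded, which is the thing to look at when a front-end WAF already inspects the same traffic.

```shell
#!/bin/sh

# Constructed samples of `httpd -M` output (not taken from the thread).
SAMPLE_EVENT_MODPHP='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 php5_module (shared)
 security2_module (shared)'

SAMPLE_EVENT_FPM='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 proxy_module (shared)
 proxy_fcgi_module (shared)
 security2_module (shared)'

# audit_modules <module-list-text>  (hypothetical helper name)
# Prints: mpm=<name> mod_php=<yes|no> modsec=<yes|no> verdict=<...>
audit_modules() {
    list=$1
    # MPM name comes from the mpm_<name>_module entry.
    mpm=$(printf '%s\n' "$list" |
        sed -n 's/^[[:space:]]*mpm_\([a-z]*\)_module.*/\1/p' | head -n 1)
    [ -n "$mpm" ] || mpm=unknown
    # mod_php registers as php5_module, php7_module or php_module.
    if printf '%s\n' "$list" | grep -Eq '^[[:space:]]*php[0-9]*_module'; then
        mod_php=yes
    else
        mod_php=no
    fi
    # Embedded ModSecurity 2.x registers as security2_module.
    if printf '%s\n' "$list" | grep -q '^[[:space:]]*security2_module'; then
        modsec=yes
    else
        modsec=no
    fi
    case "$mpm:$mod_php" in
        event:yes|worker:yes) verdict=REVIEW_THREADED_MOD_PHP ;;
        unknown:*)            verdict=MPM_NOT_FOUND ;;
        *)                    verdict=OK ;;
    esac
    printf 'mpm=%s mod_php=%s modsec=%s verdict=%s\n' \
        "$mpm" "$mod_php" "$modsec" "$verdict"
}

# On a live server: audit_modules "$(httpd -M 2>/dev/null)"
audit_modules "$SAMPLE_EVENT_MODPHP"
audit_modules "$SAMPLE_EVENT_FPM"
```
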


 Post subject: Re: nginx, php-fpm and T_WAF in Plesk 12
Posted: Tue Oct 04, 2016 5:13 am
Forum User

Joined: Wed Oct 03, 2012 2:51 pm
Posts: 86
Location: Algiers
@prupert, many thanks for the explanation.
On the server, I use mod_fcgid in prefork.
I liked to use PHP-FPM but it is incompatible with the PHP Selector (http://docs.cloudlinux.com/index.html?c ... atrix.html).

Out of curiosity, I tested (on a test VPS) the following configuration: Apache 2.4, MPM Event, OPcache, APCu, PHP 5.6.
Configuration that is best at the performance but ASL gives errors type: Access denied with code 400. Too many threads [32000] of 8096 allowed in READ...


 Post subject: Re: nginx, php-fpm and T_WAF in Plesk 12
Posted: Fri Oct 14, 2016 1:47 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4086
Location: Chantilly, VA
Quote:
Configuration that is best at the performance but ASL gives errors type: Access denied with code 400. Too many threads [32000] of 8096 allowed in READ...


http://wiki.atomicorp.com/wiki/index.php/HIDS_31102

Just increase this setting:

http://wiki.atomicorp.com/wiki/index.ph ... STATELIMIT

_________________
Michael Shinn
Atomicorp - Security For Everyone

