nginx, php-fpm and T_WAF in Plesk 12

faris

I've been playing with nginx in Plesk 12 for the first time, and I could do with some pointers please.

nginx general
It appears that if you allow nginx to be installed at all, it is ALWAYS active in one way or another, listening on port 80 with Apache running on port 7080. You can set nginx to serve only unmodified pages/files and nothing else, but this is the minimum - it is basically there all the time. Is this really the case? How many of you have it installed?

php-fpm and T-WAF
In Plesk 12.1 (not sure about earlier), php-fpm is supported out of the box and can be enabled on a per-domain basis, but only when php files are processed directly by nginx rather than apache (at least this is the case for CentOS 6 and Apache 2.2). Obviously, in this configuration, mod_sec is now out of the equation as apache is not involved.

However, by enabling the T-WAF on port 80, we can bring mod_sec back into play and this is how it should be done according to the Wiki.

But....on a Plesk server with lots of domains on a shared IP, if you have the T-WAF enabled on port 80, for all domains where nginx does not process php, which is going to be the majority, you'll end up with mod_sec on the T-WAF and mod_sec within apache itself. Does this result in mod_sec processing everything twice, or is there a mechanism that prevents this from happening?
mikeshinn

faris wrote: But....on a Plesk server with lots of domains on a shared IP, if you have the T-WAF enabled on port 80, for all domains where nginx does not process php, which is going to be the majority, you'll end up with mod_sec on the T-WAF and mod_sec within apache itself. Does this result in mod_sec processing everything twice, or is there a mechanism that prevents this from happening?
They process them independently, so yes they both do it. You'd want to disable the embedded WAF in apache if you don't want to use it, which you really don't need if the T-WAF is processing all traffic to port 80. The embedded modsecurity module in apache isn't needed in that case.
faris

Gosh. OK.

Is doing this common? What I mean is what do people most often do when they are running Plesk?
(I'm expecting the answer to be "not run nginx at all")
prupert

Why place a bulky Apache WAF in front of your lean Nginx setup?
scott

Because the nginx mod_security isn't really there yet.
mikeshinn

Correct. The nginx mod_security port is not production quality at this time, so you shouldn't rely on it to protect you or even operate correctly.
itport

mikeshinn wrote: Correct. The nginx mod_security port is not production quality at this time, so you shouldn't rely on it to protect you or even operate correctly.
With your permission, I would like to get an official (Atomicorp) update on the actual status of the nginx mod_security port: does it meet production quality now?

Thank you!
prupert

If you run Apache 2.4 with MPM Event, you really don't need Nginx, and you can still use an advanced mod_security setup.
itport

@prupert: Thank you!
copernic2006

prupert wrote: If you run Apache 2.4 with MPM Event, you really don't need Nginx, and you can still use an advanced mod_security setup.
I'm interested in using MPM Event. Can you please give me more details on the advanced mod_security setup (I use cPanel, not Plesk)?
prupert

Event is just one of the three Multi-Processing Modules ("MPM") available in Apache httpd 2.4. Event is much more efficient than Prefork, which is probably what you are using now.

A major difference between Event and Prefork is that one httpd process in Event runs with multiple threads that can handle multiple requests, whereas in Prefork one httpd process can only handle one thread with one request at a time. This also means that all code that is executed by Apache under the Event MPM needs to be thread-safe: it needs to guarantee safe execution by multiple threads at the same time.

Some commonly used PHP modules are well known for not being thread-safe. Thus, if you want to use Apache with the Event MPM, you need to stop using the Apache PHP module (mod_php) - if you haven't already switched to PHP-FPM.
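An added example (not part of prupert's post or the thread): a shell check of `apachectl -M` output for the combination described above, a threaded MPM with mod_php still loaded. The function name, verdict strings and sample module lists are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the module list printed by
# `apachectl -M` (read on stdin) for the combination prupert warns about:
# a threaded MPM (event/worker) with the in-process PHP module loaded.

audit_modules() {
    mpm=unknown php=no waf=no
    while read -r name _rest; do
        case "$name" in
            mpm_*_module)     mpm=${name#mpm_}; mpm=${mpm%_module} ;;
            php*_module)      php=yes ;;   # php5_module, php7_module, php_module
            security2_module) waf=yes ;;   # embedded ModSecurity 2.x in Apache
        esac
    done
    case "$mpm:$php" in
        event:yes|worker:yes) verdict=threaded-mpm-with-mod_php ;;
        event:no|worker:no)   verdict=threaded-mpm-ok ;;
        prefork:*)            verdict=prefork-not-threaded ;;
        *)                    verdict=mpm-not-detected ;;
    esac
    echo "mpm=$mpm mod_php=$php mod_security=$waf verdict=$verdict"
}

# Constructed sample: Apache 2.4 switched to Event but mod_php still loaded.
sample_event_with_mod_php() {
    cat <<'EOF'
Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 security2_module (shared)
 php5_module (shared)
EOF
}

# Constructed sample: Event MPM with PHP handed to PHP-FPM via proxy_fcgi.
sample_event_with_fpm() {
    cat <<'EOF'
Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 proxy_module (shared)
 proxy_fcgi_module (shared)
 security2_module (shared)
EOF
}

sample_event_with_mod_php | audit_modules
sample_event_with_fpm | audit_modules
# On a live server: apachectl -M 2>/dev/null | audit_modules
```

The `mod_security` field also shows whether the embedded ModSecurity module is loaded in Apache, which matters when a T-WAF in front is already inspecting the same traffic.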
copernic2006

@prupert, many thanks for the explanation.
On the server, I use mod_fcgid in prefork.
I liked to use PHP-FPM but it is incompatible with the PHP Selector (http://docs.cloudlinux.com/index.html?c ... atrix.html).

Out of curiosity, I tested (on a test VPS) the following configuration: Apache 2.4, MPM Event, Opcache, apcu, PHP 5.6.
This configuration is the best for performance, but ASL gives errors of the type: Access denied with code 400. Too many threads [32000] of 8096 allowed in READ...
mikeshinn

copernic2006 wrote: Configuration that is best at the performance but ASL gives errors type: Access denied with code 400. Too many threads [32000] of 8096 allowed in READ...
http://wiki.atomicorp.com/wiki/index.php/HIDS_31102

Just increase this setting:

http://wiki.atomicorp.com/wiki/index.ph ... STATELIMIT