
nginx, php-fpm and T_WAF in Plesk 12

Posted: Sat Apr 11, 2015 4:10 pm
by faris
I've been playing with nginx in Plesk 12 for the first time, and I could do with some pointers please.

nginx general
It appears that if you allow nginx to be installed at all, it is ALWAYS active in one way or another, listening on port 80 with Apache running on port 7080. You can set nginx to serve only unmodified pages/files and nothing else, but this is the minimum - it is basically there all the time. Is this really the case? How many of you have it installed?

php-fpm and T-WAF
In Plesk 12.1 (not sure about earlier), php-fpm is supported out of the box and can be enabled on a per-domain basis, but only when php files are processed directly by nginx rather than apache (at least this is the case for CentOS 6 and Apache 2.2). Obviously, in this configuration, mod_sec is now out of the equation as apache is not involved.

However, by enabling the T-WAF on port 80, we can bring mod_sec back into play, and this is how it should be done according to the Wiki.

But....on a Plesk server with lots of domains on a shared IP, if you have the T-WAF enabled on port 80, for all domains where nginx does not process php, which is going to be the majority, you'll end up with mod_sec on the T-WAF and mod_sec within apache itself. Does this result in mod_sec processing everything twice, or is there a mechanism that prevents this from happening?

Re: nginx, php-fpm and T_WAF in Plesk 12

Posted: Wed Apr 15, 2015 10:21 am
by mikeshinn
But....on a Plesk server with lots of domains on a shared IP, if you have the T-WAF enabled on port 80, for all domains where nginx does not process php, which is going to be the majority, you'll end up with mod_sec on the T-WAF and mod_sec within apache itself. Does this result in mod_sec processing everything twice, or is there a mechanism that prevents this from happening?
They process them independently, so yes they both do it. You'd want to disable the embedded WAF in apache if you don't want to use it, which you really don't need if the T-WAF is processing all traffic to port 80. The embedded modsecurity module in apache isn't needed in that case.

Re: nginx, php-fpm and T_WAF in Plesk 12

Posted: Wed Apr 15, 2015 11:40 am
by faris
Gosh. OK.

Is doing this common? What I mean is what do people most often do when they are running Plesk?
(I'm expecting the answer to be "not run nginx at all")

Re: nginx, php-fpm and T_WAF in Plesk 12

Posted: Thu Apr 16, 2015 5:51 am
by prupert
Why place a bulky Apache WAF in front of your lean Nginx setup?

Re: nginx, php-fpm and T_WAF in Plesk 12

Posted: Thu Apr 16, 2015 8:37 am
by scott
Because the nginx mod_security isn't really there yet.

Re: nginx, php-fpm and T_WAF in Plesk 12

Posted: Fri Apr 17, 2015 5:52 pm
by mikeshinn
Correct. The nginx mod_security port is not production quality at this time, so you shouldn't rely on it to protect you or even operate correctly.

Re: nginx, php-fpm and T_WAF in Plesk 12

Posted: Thu Apr 14, 2016 3:58 am
by itport
mikeshinn wrote: Correct. The nginx mod_security port is not production quality at this time, so you shouldn't rely on it to protect you or even operate correctly.
With your permission, I would like to get an official (atomicorp) update on the actual status of the nginx mod_security port: does it meet production quality now?

Thank you!

Re: nginx, php-fpm and T_WAF in Plesk 12

Posted: Thu Apr 14, 2016 4:27 am
by prupert
If you run Apache 2.4 with MPM Event, you really don't need Nginx, and you can still use an advanced mod_security setup.

Re: nginx, php-fpm and T_WAF in Plesk 12

Posted: Thu Apr 14, 2016 10:32 am
by itport
@prupert: Thank you!

Re: nginx, php-fpm and T_WAF in Plesk 12

Posted: Sun Oct 02, 2016 8:28 am
by copernic2006
prupert wrote: If you run Apache 2.4 with MPM Event, you really don't need Nginx, and you can still use an advanced mod_security setup.
I'm interested in using MPM Events. Can you please give me more details on the advanced mod_security setup (I use cPanel, not Plesk)?

Re: nginx, php-fpm and T_WAF in Plesk 12

Posted: Mon Oct 03, 2016 10:54 am
by prupert
Event is just one of the three Multi-Processing Modules ("MPM") available in Apache httpd 2.4. Event is much more efficient than Prefork, which is probably what you are using now.

A major difference between Event and Prefork is that one httpd process in Event runs with multiple threads that can handle multiple requests, whereas in Prefork one httpd process can only handle one thread with one request at a time. This also means that all code that is executed by Apache under the Event MPM needs to be thread-safe: it needs to guarantee safe execution by multiple threads at the same time.

Some commonly used PHP modules are well known for not being thread-safe. Thus, if you want to use Apache with the Event MPM, you need to stop using the Apache PHP module (mod_php) - if you haven't already switched to PHP-FPM.
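
A check for the combination described in the post above, added here as an example and not code from any poster or from Atomicorp: it reads the module listing printed by "httpd -M" (or "apachectl -M") and fails when mod_php is loaded under a threaded MPM. It also notes when the embedded mod_security module is loaded, the double-processing case raised earlier in the thread. The function names and sample listings are constructed for illustration, and the worker MPM is treated like event because it is also multi-threaded.

```shell
#!/bin/sh
# Added example: audit `httpd -M` / `apachectl -M` output read from stdin.
# Function names and sample listings are constructed for illustration.

audit_httpd_modules() {
    mods=$(cat)
    # The active MPM appears as mpm_<name>_module, shared or static.
    mpm=$(printf '%s\n' "$mods" |
        sed -n 's/^[[:space:]]*mpm_\([a-z]*\)_module.*/\1/p' | head -n 1)
    [ -n "$mpm" ] || mpm=unknown
    rc=0
    # mod_php registers as php5_module, php7_module or php_module.
    if printf '%s\n' "$mods" | grep -Eq '^[[:space:]]*php[0-9]*_module'; then
        case "$mpm" in
            event|worker)  # both run several threads per httpd process
                echo "FAIL: mod_php loaded under threaded MPM '$mpm'"; rc=1 ;;
            *)  echo "INFO: mod_php loaded under MPM '$mpm'" ;;
        esac
    fi
    # Embedded ModSecurity 2.x module inside Apache itself.
    if printf '%s\n' "$mods" | grep -q '^[[:space:]]*security2_module'; then
        echo "NOTE: embedded mod_security (security2_module) is loaded"
    fi
    echo "mpm=$mpm"
    return "$rc"
}

# Constructed sample listings in the format printed by `httpd -M`.
sample_event_modphp() {
    printf '%s\n' 'Loaded Modules:' ' core_module (static)' \
        ' mpm_event_module (shared)' ' php5_module (shared)' \
        ' security2_module (shared)'
}
sample_prefork_modphp() {
    printf '%s\n' 'Loaded Modules:' ' mpm_prefork_module (shared)' \
        ' php5_module (shared)'
}
sample_event_fpm() {
    printf '%s\n' 'Loaded Modules:' ' mpm_event_module (shared)' \
        ' proxy_fcgi_module (shared)' ' security2_module (shared)'
}

# Demo on a constructed listing; on a live host: httpd -M | audit_httpd_modules
sample_event_modphp | audit_httpd_modules || true
```
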

Re: nginx, php-fpm and T_WAF in Plesk 12

Posted: Tue Oct 04, 2016 5:13 am
by copernic2006
@prupert, many thanks for the explanation.
On the server, I use mod_fcgid in prefork.
I'd like to use PHP-FPM, but it is incompatible with the PHP Selector (http://docs.cloudlinux.com/index.html?c ... atrix.html).

Out of curiosity, I tested (on a test VPS) the following configuration: Apache 2.4, MPM Event, Opcache, apcu, php 5.6.
This configuration performs best, but ASL gives errors of the type: Access denied with code 400. Too many threads [32000] of 8096 allowed in READ...

Re: nginx, php-fpm and T_WAF in Plesk 12

Posted: Fri Oct 14, 2016 1:47 pm
by mikeshinn
This configuration performs best, but ASL gives errors of the type: Access denied with code 400. Too many threads [32000] of 8096 allowed in READ...
http://wiki.atomicorp.com/wiki/index.php/HIDS_31102

Just increase this setting:

http://wiki.atomicorp.com/wiki/index.ph ... STATELIMIT