Hello all,
I'm setting up a reverse proxy in front of some of our websites (mostly WP). I have both Apache2.4 and nginx running with the rules and additionally Varnish4 in front for caching. Initial tests showed some great difference in regards to filtering the bad stuff and reducing server loads (which I guess is because of caching primarily, too).
Basic question:
Is anyone using latest nginx + mod_security_dev in production? I did some benchmarks and testing and as expected nginx + mod_security still outperforms Apache under higher load. Has anyone run into problems with the nginx combination? With the latest mod_sec builds from github we don't get any Segfaults (using consecutive logging).
Are there any other "downsides" in regards to the ruleset compared to Apache?
Are the experimental rules really only the stable rules without the Apache2 directives like LocationMatch?
Any feedback is highly appreciated! Thanks!
Best,
Sebastian
nginx vs apache with rules only
- Atomicorp Staff - Site Admin
Re: nginx vs apache with rules only
We don't recommend using mod_security in nginx yet. The code there isn't ready just yet, right now upstream is going through a rewrite of the module (it's referred to as the refactoring branch). You can see the current open issues for nginx here:
https://github.com/SpiderLabs/ModSecurity/issues
Re: nginx vs apache with rules only
Scott, thanks for the feedback. I understand that this is the official "recommendation", yet I'm curious if still anyone is using nginx with modsec in production at the moment. We've been working with the self compiled nginx-refactored branch for now and did not run into any problems (no memory leaks, no crashes) - but have only been testing with automated tools, so maybe that does not mean anything.
Are there any recommendations for Apache2 in regards to performance tuning as a reverse proxy?
We thought about going for ASL as an "out of the box solution", yet can't justify spending the 1000$/month just for putting it in front of our customers' websites (without compensation by them).
Are you using Apache2 in ASL as reverse proxy, too and is it performing well with a lot of hits?
Re: nginx vs apache with rules only
taenzerme wrote: [...] I did some benchmarks and testing and as expected nginx + mod_security still outperforms Apache under higher load.
That depends on your setup. I have seen incredibly good results with Apache 2.4 and mpm_event.
Lemonbit Internet Dedicated Server Management
Re: nginx vs apache with rules only
prupert wrote: That depends on your setup. I have seen incredibly good results with Apache 2.4 and mpm_event.
Thanks for the recommendation. After some tweaking mpm_event does the job really well.