confused about nginx ??

Support/Development for PHP

mneese77 (Forum Regular) wrote:

I am toying with the idea of implementing nginx on my server because of all the great things I've heard about it...
However, these statements (quoted from another post) are puzzling to me, and have instilled some doubt as to the security issues... maybe someone can help me clarify what issues there may be with nginx.
Here is the original post:
http://www.atomicorp.com/forum/viewtopi ... inx#p23131
scott: 'Epic negative here with nginx, it does not support mod_security.'
mikeshinn: 'Keep in mind that if you are running PHP out of nginx you have no protection against web attacks. As Scott said, there is no WAF plugin for nginx, so you are wide open. We do not recommend you do this.'
Are these statements in reference to nginx in a default installation, or are they in reference to some unusual configuration? So, is nginx not appropriate for web servers because of these security issues?

faris (Long Time Forum Regular) wrote:

nginx is not for us mere mortals at this point.

I know Scott and Mike and the nice bloke who posted in that other thread make it all sound wonderful and easy, but it is something you'd only implement on an experimental system, or on one that has a specific purpose.

Faris.

scott (Atomicorp Staff - Site Admin) wrote:

Definitely not; it has promise though. Definitely a project to keep an eye on.

mikeshinn (Atomicorp Staff - Site Admin) wrote:

From a security perspective, unless you are running a WAF in front of nginx, I definitely don't recommend you use it as your web server.

mneese77 (Forum Regular) wrote:

Great, that sets my mind at ease, now there are only 201 things to check off my list for today.

dayo (Forum Regular) wrote:

To the OP:
Note that each of the answers you received can be accurately applied to Apache. Imagine this scenario.

Code:

Q1: I am confused about Apache
A1: Apache is not for us mere mortals. It should only be used on an experimental system or for a specific purpose.
A2: I don't recommend it. It has promise though.
A3: From a security perspective, I definitely don't recommend it as a webserver unless running a WAF in front of it.

Each one, to varying degrees, is misleading, either due to being incomplete or, in the case of one, totally out of the park, based on very little knowledge of the item in question. Anyway, all in all, it is probably not for you and it is best to continue with a mind at ease. :wink:

To Mike and Scott:
Noting your disapproval (as said tongue in cheek before, I wouldn't expect turkeys to vote for Xmas :wink: ). Do you intend to keep the Nginx version on the repo up to date though?

Also, I have started to get Nginx to filter requests using elements from the delayed ASL rules as well as the Spamhaus DROP list, and think it should be trivial, given your immense experience and skill, to expand the coverage. Probably one to discuss offline.

Thanks for your input.

scott (Atomicorp Staff - Site Admin) wrote:

I think it's a project worth watching, sure. We'll keep updating it as time permits.

mikeshinn (Atomicorp Staff - Site Admin) wrote:

dayo wrote: Also, I have started to get Nginx to filter requests using elements from the delayed ASL rules as well as the Spamhaus DROP list
Can you be more specific about what you mean about this and provide some examples?

dayo (Forum Regular) wrote:

mikeshinn wrote: Can you be more specific about what you mean about this and provide some examples?
For the Spamhaus DROP list, I took a script from cyberciti.biz and modified it accordingly:

Code:

#!/bin/bash
# Daily cron job: pull the Spamhaus DROP list and turn it into nginx "deny" directives.

FILE="/tmp/drop.lasso.txt.$$"

# nginx config file - path to nginx drop conf file
# (picked up by the "include /etc/nginx/conf.d/*.conf" in the http section)
OUT=/etc/nginx/conf.d/drop.lasso.conf

URL="http://www.spamhaus.org/drop/drop.lasso"
# reload command
RELOADNGINX="service nginx reload"

# remove old file
[[ -f $FILE ]] && /bin/rm -f $FILE

# get database; bail out before touching $OUT if the download fails, so a
# network error does not leave nginx with an empty deny list on the next reload
/usr/bin/wget --quiet --output-document=$FILE "$URL" || { echo "download of $URL failed" >&2; exit 1; }

# empty current nginx deny file
>$OUT

# format in nginx deny netblock; format
# (DROP lines look like "1.2.3.0/24 ; SBL1234"; lines starting with ";" are comments)
/bin/egrep -v '^;' $FILE | awk '{ print "deny " $1";"}' >>$OUT

# clean up the downloaded list
/bin/rm -f $FILE

# reload nginx
/bin/sync && ${RELOADNGINX}

Placed in my cron.daily folder as nginx.drop.lasso, it runs once a day, pulls the DROP list from Spamhaus, creates/updates a file (drop.lasso.conf) in my /etc/nginx/conf.d folder with a list of IP nets to deny, and reloads Nginx. As you know, there is an "include /etc/nginx/conf.d/*.conf" in the Nginx conf file which adds this list to the http section.

As for the ASL rules, I later worked with a number of sources, with emphasis on the perishablepress.com blacklist in the end (http://tinyurl.com/cbkfyf). It is a list of bad referrers and exploit strings. The implementation is still in its early days, and knowing that referral strings can change easily means some further work is needed, such as parsing an updated source such as ASL. It also doesn't cover form inputs like modsec does (more on that later), but it is a start and perhaps extendable.

I created a file called filter.default and it is included into the server section in the domain.tld.conf file (near the "listen 80;" line, outside the specific "location" bits).

I am unable to paste the code because it appears your modsec implementation is denying me permission (form input validation) and then locking me out, lol. It is not possible to attach files to this forum (there is an attach file button, but every file extension I have tried is not allowed).

Anyway, that is where I am right now and working on using PHPIDS (http://php-ids.org) to add another layer.
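The cron script above truncates drop.lasso.conf before the download has succeeded, so a failed wget leaves nginx with an empty deny list at the next reload, and it passes whatever the first field of each line is straight into a directive. The following is an added example, not dayo's script or Atomicorp's code, showing how the same DROP-to-deny conversion looks when each entry is validated as an IPv4 CIDR, an empty result is refused, and the reload only happens after "nginx -t" passes. The sample DROP data is constructed, and the paths and the availability of "nginx -t" and "service nginx reload" are assumptions not taken from the thread.

```shell
#!/bin/sh
# Added example (not dayo's script or Atomicorp's code): a hardened version of
# the DROP-to-nginx-deny conversion. It validates every entry, refuses to
# install an empty list, and only reloads nginx when "nginx -t" passes, so a
# failed or corrupted download cannot silently remove all blocks. Assumptions
# not taken from the thread: nginx includes /etc/nginx/conf.d/*.conf inside its
# http{} block, and "nginx -t" / "service nginx reload" exist on the host.

# Constructed sample in DROP format (a real run feeds the wget output instead).
SAMPLE_DROP='; Spamhaus DROP List - constructed sample, not real data
; http://www.spamhaus.org/drop/drop.lasso
1.2.3.0/24 ; SBL12345
; comment in the middle of the list
5.6.0.0/16 ; SBL67890

not-an-address ; SBL00000
256.1.1.0/24 ; SBL00001
1.2.3.0/33 ; SBL00002
'

# drop_to_deny: read DROP text on stdin, print one "deny <cidr>;" per valid
# entry. Comments, blank lines and anything that is not a well-formed IPv4 CIDR
# are dropped, so a corrupted or spoofed download cannot inject directives.
drop_to_deny() {
    awk '
        { sub(/;.*$/, ""); gsub(/[ \t\r]/, "") }   # strip "; SBLnnn" comments and whitespace
        $0 == "" { next }
        {
            if (split($0, p, "/") != 2) next                 # must be addr/prefix
            if (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) next    # prefix length 0..32
            if (split(p[1], o, ".") != 4) next               # four octets
            ok = 1
            for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (ok) print "deny " $0 ";"
        }'
}

# install_deny_conf: write the directives generated from $1 to $2 via a temp
# file, keep a backup of the previous list, and roll back if nginx rejects it.
install_deny_conf() {
    src="$1"; out="$2"
    tmp="$(mktemp "${out}.XXXXXX")" || return 1
    drop_to_deny < "$src" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "refusing to install an empty deny list; keeping $out" >&2
        rm -f "$tmp"; return 1
    fi
    chmod 644 "$tmp"
    [ -f "$out" ] && cp -p "$out" "$out.bak"    # .bak is not matched by *.conf
    mv -f "$tmp" "$out"
    if command -v nginx >/dev/null 2>&1; then   # skipped on hosts without nginx
        if nginx -t; then
            service nginx reload
        else
            echo "new deny list fails nginx -t; restoring previous file" >&2
            [ -f "$out.bak" ] && mv -f "$out.bak" "$out"
            return 1
        fi
    fi
}

# fetch_and_install: the daily cron entry point. Unlike a truncate-then-download
# script it never touches the live config when the download fails.
fetch_and_install() {
    url="${1:-http://www.spamhaus.org/drop/drop.lasso}"
    dest="${2:-/etc/nginx/conf.d/drop.lasso.conf}"
    raw="$(mktemp)" || return 1
    if ! wget -q -O "$raw" "$url"; then
        echo "download of $url failed; keeping existing $dest" >&2
        rm -f "$raw"; return 1
    fi
    rc=0
    install_deny_conf "$raw" "$dest" || rc=$?
    rm -f "$raw"
    return $rc
}

# Offline demonstration on the constructed sample; a cron job would instead run
# "fetch_and_install" with no arguments.
printf '%s' "$SAMPLE_DROP" | drop_to_deny
```

Run on the sample, drop_to_deny emits only the two well-formed netblocks; the malformed address, the out-of-range octet and the /33 prefix are discarded rather than written into the nginx config.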

dayo (Forum Regular) wrote:

I forgot to write about the form validation.

I have not yet gotten so far, but since Nginx has inbuilt facilities to manipulate based on the request method, I believe I can carry out form validation in this way.

Code:

set $block "";
if ($request_method = POST) { set $block "P"; }
# placeholder pattern: substitute entries parsed from the lists (sql.txt, etc.)
# note $args is the query string; core nginx "if" cannot see the POST body itself
if ($args ~* "(union.*select|base64_decode)") { set $block "${block}A"; }
if ($block = "PA") { return 403; }   # nginx cannot AND "if" conditions, hence the flag

I intend to use your lists (sql.txt, etc) as appropriate. Also to expand the drop.lasso to your domain-blacklist.txt and malware-blacklist.txt. Will look into parsing stuff out of the various conf files later.

However, I want to keep a balance at the end to make sure that the webserver is focused on serving files, with input validation and such security handled at the application level as much as possible.

PS. When you find some time to update the nginx version on the repo to 0.7.67 (22 bug fixes, 7 new features, 3 new changes and 2 security fixes over 0.7.65), and if you can squeeze in some time to test and add the suggested 3rd party modules, then things like the headers-more module can be used as well to check headers. (It would be nice to have the 0.8.x branch in the testing repo as well, but I felt asking for that would be pushing it with you and Scott, lol.)

The possibilities are limitless, Mike, and you can once again be the pioneer leading us, your faithful flock, to a safer, faster, less resource-hungry online future! :arrow:
The alternative is to get marooned in the desert as the caravan recedes over the horizon. :twisted: I doubt this will happen though, as it seems there is at least an open mind on this.