NGINX, Litespeed and IIS rules
Posted: Thu Jul 31, 2014 1:55 pm
Litespeed is supported with our standard rules out of the box. We actually finished this port at the beginning of the year, but since people keep asking I thought we should post something on the forums to help answer that question in the future. Please see the litespeed article for additional information on Litespeed and mosecurity:
https://www.atomicorp.com/wiki/index.php/Litespeed
NGINX and IIS are also supported. NGINX and IIS do not support the same rule syntax that apache supports, and therefore have their own rules (they use the same rules, so there isnt a set for nginx and IIS, its the same set for either one).
You will find those rules under the "experimental" subfolder. These are considered experimental for one reason: mod_security itself on those platforms either has bugs, or is not reliable (read: lots of bugs). This has nothing to do with the rules, mod_security is just less mature on those platforms, and the mod_security ports operate differently than in apache. In some cases, the port isnt working so well. The nginx port is a good example, its got bugs. More on this in a moment.
Therefore, if you are using IIS, we'd consider mod_security to be of release candidate/beta quality. The rules are fine, its the mod_security port we caution our customers to be mindful of. For the most part you should be fine, but there are some bugs in the mod_security port. Its almost there.
For nginx, the mod_security port unfortunately has lots of bugs. Again, this doesnt have anything to do with rules. If someone claims their rules work perfectly with nginx, they arent telling you the truth. The nginx port is a work in progress and is being refactored. We dont recommend using nginx with mod_security for production use at this time unless you are a developer and are prepared to chip in and fix bugs. It absolutely will miss things and does not work as expected. The code is being refactored to address this, so if you must use nginx alone, then you will want to use the latest svn code. Please understand that this code is under development, and should be considered alpha quality.
https://www.atomicorp.com/wiki/index.php/Litespeed
NGINX and IIS are also supported. NGINX and IIS do not support the same rule syntax that apache supports, and therefore have their own rules (they use the same rules, so there isnt a set for nginx and IIS, its the same set for either one).
You will find those rules under the "experimental" subfolder. These are considered experimental for one reason: mod_security itself on those platforms either has bugs, or is not reliable (read: lots of bugs). This has nothing to do with the rules, mod_security is just less mature on those platforms, and the mod_security ports operate differently than in apache. In some cases, the port isnt working so well. The nginx port is a good example, its got bugs. More on this in a moment.
Therefore, if you are using IIS, we'd consider mod_security to be of release candidate/beta quality. The rules are fine, its the mod_security port we caution our customers to be mindful of. For the most part you should be fine, but there are some bugs in the mod_security port. Its almost there.
For nginx, the mod_security port unfortunately has lots of bugs. Again, this doesnt have anything to do with rules. If someone claims their rules work perfectly with nginx, they arent telling you the truth. The nginx port is a work in progress and is being refactored. We dont recommend using nginx with mod_security for production use at this time unless you are a developer and are prepared to chip in and fix bugs. It absolutely will miss things and does not work as expected. The code is being refactored to address this, so if you must use nginx alone, then you will want to use the latest svn code. Please understand that this code is under development, and should be considered alpha quality.