
nginx vs apache with rules only

Posted: Mon Oct 12, 2015 10:24 am
by taenzerme
Hello all,

I'm setting up a reverse proxy in front of some of our websites (mostly WP). I have both Apache 2.4 and nginx running with the rules and additionally Varnish4 in front for caching. Initial tests showed some great difference in regards to filtering the bad stuff and reducing server loads (which I guess is primarily because of caching, too).

Basic question:

Is anyone using the latest nginx + mod_security_dev in production? I did some benchmarks and testing and as expected nginx + mod_security still outperforms Apache under higher load. Has anyone run into problems with the nginx combination? With the latest mod_sec builds from GitHub we don't get any segfaults (using consecutive logging).

Are there any other "downsides" in regards to the ruleset compared to Apache?
Are the experimental rules really only the stable rules without the Apache2 directives like LocationMatch?

Any feedback is highly appreciated! Thanks!

Best,
Sebastian

Re: nginx vs apache with rules only

Posted: Mon Oct 12, 2015 7:44 pm
by scott
We don't recommend using mod_security in nginx yet. The code there isn't ready just yet; right now upstream is going through a rewrite of the module (it's referred to as the refactoring branch). You can see the current open issues for nginx here:

https://github.com/SpiderLabs/ModSecurity/issues

Re: nginx vs apache with rules only

Posted: Tue Oct 13, 2015 4:38 am
by taenzerme
scott, thanks for the feedback. I understand that this is the official "recommendation", yet I'm curious if anyone is still using nginx with modsec in production at the moment. We've been working with the self-compiled nginx-refactored branch for now and did not run into any problems (no memory leaks, no crashes) - but have only been testing with automated tools, so maybe that does not mean anything.

Are there any recommendations for Apache2 in regards to performance tuning as a reverse proxy?

We thought about going for ASL as an "out of the box solution", yet can't justify spending the 1000$/month just for putting it in front of our customers' websites (without compensation by them).

Are you using Apache2 in ASL as a reverse proxy, too, and is it performing well with a lot of hits?

Re: nginx vs apache with rules only

Posted: Tue Oct 13, 2015 7:11 am
by prupert
taenzerme wrote:[...] I did some benchmarks and testing and as expected nginx + mod_security still outperforms Apache under higher load.
That depends on your setup. I have seen incredibly good results with Apache 2.4 and mpm_event.

Re: nginx vs apache with rules only

Posted: Wed Oct 28, 2015 11:15 am
by taenzerme
prupert wrote:That depends on your setup. I have seen incredibly good results with Apache 2.4 and mpm_event.
Thanks for the recommendation. After some tweaking mpm_event does the job really well.