Nginx – Necesity of ModSecurity if Apache is behind Nginx

apache-2.2mod-securitynginxSecurity

I have my Apache installed behind Nginx. So every request that comes in is first handeled by Nginx. If there is dynamic content needed the request is send to Apache which listens on port 8080.

Pretty basic reverse proxy setup.

Now with this setup the first entry point is Nginx. Is it still needed to install ModSecurity to protect Apache against unwanted request.

Or should I just focus on protecting Nginx as this is the first entry point.

All suggestions are welcome.

Best Answer

I would say yes to hardening NginX as much as possible and yes to using ModSecurity on the Apache server if your site is hosting any sort of webapp or dynamic content that can be contributed by the end users, such as comments. Pretty much if your website has forms then ModSecurity is a good idea.

ModSecurity doesn't protect Apache per-say. It protects the webapps and forms that it's serving from exploitation. So it's purpose is to help protect the website from XSS, SQL Injection, and CSRF/XSRF attacks.

Related Solutions

Nginx – Problem with GWT behind a reverse proxy – either nginx or apache

I think you should

location /context/ {
    proxy_pass        http://backend/context/;
}

and then use rewrite to strip /context part from URL

Nginx – How many reverse proxies (nginx, haproxy) is too many

From a purely performance perspective, let benchmarking make these decisions for you rather than assuming -- using a tool like httperf is invaluable when making architecture changes.

From an architectural philosophy perspective, I'm a little curious why you have both nginx and apache on the application servers. Nginx blazes at static content and efficiently handles most backend frameworks/technologies (Rails, PHP via FastFCGI, etc), so I would drop the final Apache layer. Once again, this comes from a limited understanding of the technologies that you're using, so you may have a need for it that I'm not anticipating (but if that's the case, you could always drop nginx on the app servers and just use apache -- it's not THAT bad at static content when configured properly).

Currently, I use nginx -> haproxy on load balancing servers and nginx on the app servers with much success. As Willy Tarreau stated, nginx and haproxy are a very fast combination, so I wouldn't worry about the speed of having both on the front-end, but keep in mind that adding additional layers increases complexity as well as the number of points of failure.

Best Answer

Related Solutions

Nginx – Problem with GWT behind a reverse proxy – either nginx or apache

Nginx – How many reverse proxies (nginx, haproxy) is too many

Related Topic