beansbaxter
Verified User
After using Apache for 20 years, this is my first time using Nginx. The last few days have been researching threads on the DA forums, reading through DA documentation, and piecing together things using Google searches. After moving one server over to Nginx, I notice a considerable performance improvement on the website end. Now my biggest concerns are security and making sure I have everything setup correctly, before rolling this out across multiple DA servers.
After successfully changing my DA server from apache to nginx, I installed ModSecurity:
All that said, I have some questions:
Using ModSecurity with CSF
How important is ModSecurity when my DA server is also running CSF for the firewall? My biggest concern is making sure the server is secure and minimizing any potential exploits.
ModSecurity Rulesets - owasp vs comodo
What is the best ModSecurity ruleset? The default option in my DA was "owasp" and I changed it to comodo, per what I was reading on the forums. I'm unable to find/understand the differences between these two rulesets?
Using ModSecurity in DA
The DA documentation for ModSecurity explains how to set this up, but it does not explain how to use this feature within the DA control panel. In some past posts, @smtalk said "native" support for ModSecurity is coming to DA, and I see it within the DA control panel, but I don't understand what I'm looking at or how to use it. Any guidance or direction here?
Furthermore, the DA documentation for ModSecurity goes into detail for customizing ModSecurity, but aside from the installation I outlined at the beginning of this post, what else should I do?
Understanding Comodo in DA
Same as my comments about ModSecurity, I see Comodo within my DA control panel, but what else should I do here?
From within Comodo inside the DA control panel, I see an alert "Custom Mod Security configuration found! Press "Update config" button to update it with values from this screen." Should I keep the custom Mod Security configuration (that I assume DA chose when it installed it) or click the Update Config button?
Password Protected Directories with nginx
When I used Apache before, I was able to easily setup password protected directories. This function is not working with nginx. Logged into the DA control panel, at the User Level, within File Manager, I choose the folder and "Protect" and configure the same as before. And from within the Password Protected Directories, I can see the directory setup here. But when I access the directory from the web browser, I do not receive any dialog box asking for credentials. Again, this function worked great when I was using apache, but has not been working since I moved to nginx. How to resolve this?
Custom HTTPD Configurations
I've slowly been able to figure out how to set this up, as I move sites from using .htaccess for apache to this Custom HTTPD for nginx. When I access this from within DA, I have been able to add what I need to the nginx.conf, but what is the purpose for the four different CUSTOM tokens? When should I insert my rewrites in the main customization window versus one of the four custom token windows?
Any help, thoughts, advice, links, anything would be greatly appreciated. Trying to consume and learn as fast as humanly possible on this, as I need to get this dialed in for my servers.
Thank you in advance.
After successfully changing my DA server from apache to nginx, I installed ModSecurity:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build set modsecurity yes
./build set modsecurity_ruleset "comodo"
./build modsecurity
./build modsecurity_rules
./build rewrite_confsAll that said, I have some questions:
Using ModSecurity with CSF
How important is ModSecurity when my DA server is also running CSF for the firewall? My biggest concern is making sure the server is secure and minimizing any potential exploits.
ModSecurity Rulesets - owasp vs comodo
What is the best ModSecurity ruleset? The default option in my DA was "owasp" and I changed it to comodo, per what I was reading on the forums. I'm unable to find/understand the differences between these two rulesets?
Using ModSecurity in DA
The DA documentation for ModSecurity explains how to set this up, but it does not explain how to use this feature within the DA control panel. In some past posts, @smtalk said "native" support for ModSecurity is coming to DA, and I see it within the DA control panel, but I don't understand what I'm looking at or how to use it. Any guidance or direction here?
Furthermore, the DA documentation for ModSecurity goes into detail for customizing ModSecurity, but aside from the installation I outlined at the beginning of this post, what else should I do?
Understanding Comodo in DA
Same as my comments about ModSecurity, I see Comodo within my DA control panel, but what else should I do here?
From within Comodo inside the DA control panel, I see an alert "Custom Mod Security configuration found! Press "Update config" button to update it with values from this screen." Should I keep the custom Mod Security configuration (that I assume DA chose when it installed it) or click the Update Config button?
Password Protected Directories with nginx
When I used Apache before, I was able to easily setup password protected directories. This function is not working with nginx. Logged into the DA control panel, at the User Level, within File Manager, I choose the folder and "Protect" and configure the same as before. And from within the Password Protected Directories, I can see the directory setup here. But when I access the directory from the web browser, I do not receive any dialog box asking for credentials. Again, this function worked great when I was using apache, but has not been working since I moved to nginx. How to resolve this?
Custom HTTPD Configurations
I've slowly been able to figure out how to set this up, as I move sites from using .htaccess for apache to this Custom HTTPD for nginx. When I access this from within DA, I have been able to add what I need to the nginx.conf, but what is the purpose for the four different CUSTOM tokens? When should I insert my rewrites in the main customization window versus one of the four custom token windows?
Any help, thoughts, advice, links, anything would be greatly appreciated. Trying to consume and learn as fast as humanly possible on this, as I need to get this dialed in for my servers.
Thank you in advance.
