NGINX as reverse proxy with mod.security - comodo waf rules

Laura

Verified User
Joined
Mar 15, 2018
Messages
16
Hello,

For quit a long time now I am running my server with nginx as reverse proxy and thought that it is not compatible with modsecurity. Recently I came accross the custombuild 2 plugin and decided to activate modsecurity and modsecurity ruleset. Installed it smoothly and everything worked fine.

In noticed two things, first the Ram usage of nginx was significant higher (from an average of 300 to 2GB) and second, when looking at permormance (gtmetrix) I noticed that gzip compression did not work anymore.

so my question are, is modsecurity compatible with nginx as reverse proxy in front of apache and if so, why is gzip disabled. Is it normal that ram usage is much higher then without modsecurity.

and least, is it dangerous to uninstall modsecurity in relation to security?

A lot of questions, but hope that someobe can clear out these things.

Best regards, Laura
 
Hello,

For quit a long time now I am running my server with nginx as reverse proxy and thought that it is not compatible with modsecurity. Recently I came accross the custombuild 2 plugin and decided to activate modsecurity and modsecurity ruleset. Installed it smoothly and everything worked fine.

In noticed two things, first the Ram usage of nginx was significant higher (from an average of 300 to 2GB) and second, when looking at permormance (gtmetrix) I noticed that gzip compression did not work anymore.

so my question are, is modsecurity compatible with nginx as reverse proxy in front of apache and if so, why is gzip disabled. Is it normal that ram usage is much higher then without modsecurity.

and least, is it dangerous to uninstall modsecurity in relation to security?

A lot of questions, but hope that someobe can clear out these things.

Best regards, Laura

ModSecurity is slower.

If you use DirectAdmin Varnish UNIXy Plugin, you have to implement the rules in the configuration file /etc/varnish/security.vcl

It is not advisable to deactivate the protection rules under any circumstances! Unless you want to suffer attacks of the following types: SQL injection, file injection, XSS attacks, etc.

More info:
https://unixy.net/secure/knowledgebase/241/Modsecurity-rules-integration-in-Varnish-feature.html

Regards.
 
okay, thanks. I am not using Varnish.

I did not mention any performance issues, only that gzip compression which I use in .htaccess for a lot of (Wordpress) websites (mod deflate, like this:
Code:
# Gzip compression
<IfModule mod_deflate.c>
# Active compression
SetOutputFilter DEFLATE
# Force deflate for mangled headers
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
# Don’t compress images and other uncompressible content
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png|rar|zip|exe|flv|mov|wma|mp3|avi|swf|mp?g|mp4|webm|webp|pdf)$ no-gzip dont-vary
</IfModule>

is not working anymore and above that, the ram usage of nginx is much higher (2GB instead of 300mb).

so how come and how to solve?
 
Yes, virtual RAM, but I have enough :)
most important for me is the gzip compression issue.

for example, in GTMetrix a website has a score of 90/90
but with modsecurity GZIP is not working and the numbers are 16/76

I found this threat: http://forum.directadmin.com/showthread.php?t=55392
For years I thought even that modsecurity was not compatible with apache and nginx as reverse proxy. But with custombuild 2 plugin I thought, let´s try it. But then I discoverd that GZIP is not working, so for performance it is a bad situation.

Could it be a problem with security, to run the server withoud modsecurity?
 
Hi Laura,

The best thing is going to be that you install the varnish plugin and that way you will be able to load the rules in RAM memory. Mod_security is quite slow. :)

Regards,
 
Tuning Nginx and activates Gzip in the CustomBuild of DA!

okay, thanks. I am not using Varnish.

I did not mention any performance issues, only that gzip compression which I use in .htaccess for a lot of (Wordpress) websites (mod deflate, like this:
Code:
# Gzip compression
<IfModule mod_deflate.c>
# Active compression
SetOutputFilter DEFLATE
# Force deflate for mangled headers
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
# Don’t compress images and other uncompressible content
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png|rar|zip|exe|flv|mov|wma|mp3|avi|swf|mp?g|mp4|webm|webp|pdf)$ no-gzip dont-vary
</IfModule>

is not working anymore and above that, the ram usage of nginx is much higher (2GB instead of 300mb).

so how come and how to solve?

In that case you should optimize Nginx! You just installed it and you're done? If you do not know how you can search in Google optimization guides using the term: tuning nginx. You should enable Gzip.

The same RAM consumption comes from not having optimized Nginx.
 
Could it be a problem with security, to run the server withoud modsecurity?

Well, that's a too ambiguous question. The same as if I'd ask is it secure not to lock car doors while you are shopping? You don't know what the car is that, right? What district, city, country, right? The same, I don't know what applications you host, how good security is organised on your server beside mod_security.

I don't use mod security on my server. I don't feel my server is less secured because of it.

In my practice mod_security is not used much (at least on servers which I maintained), as a server owner needs additional knowledge, skills, time to solve possible issues with it, or needs a server administrator by a hand to pay for a solution.
 
WAFs add an extra layer of security to a web server for typical attacks!

Well, that's a too ambiguous question. The same as if I'd ask is it secure not to lock car doors while you are shopping? You don't know what the car is that, right? What district, city, country, right? The same, I don't know what applications you host, how good security is organised on your server beside mod_security.

I don't use mod security on my server. I don't feel my server is less secured because of it.

In my practice mod_security is not used much (at least on servers which I maintained), as a server owner needs additional knowledge, skills, time to solve possible issues with it, or needs a server administrator by a hand to pay for a solution.

Hi,

WAFs add an extra layer of security to a web server for typical attacks. Although they are not the panacea of security, much less, everything helps! And they have to have good rules. The Comodo are better than those of OWASP. :)

https://www.akamai.com/uk/en/resources/increase-web-application-security.jsp

ModSecurity is slow. But the UNIXy plugin loads the rules into RAM and is faster!

Regards.
 
Are you a UNIXy representative by any chance?

I don't use their addon, and hardly will I ever use it. No offence....

And it seems they do not support NGINX+Apache scheme... or did I miss anything?
 
OK, thanks. Here are my thoughts on the matter (I might be wrong though):

1. Varnish is most suitable for a single project server, i.e. not shared-hosting environment.
2. Mod Security requires an admin by a hand to adjust things/rules periodically per needs.

I've got cases when server owners willing to save their time and money (they don't use monthly subscription for their reasons) asked me to remove mod security and varnish due to a constant need to adjust settings, as they give them much more troubles in a shared-hosting environments then they expected.

Please note I own a server which runs Varnish with NGINX+Apache. And I don't have any noticeable issues with it. And still I would not suggest using Varnish if you are not familiar with it.

A good option is to use Varnish with a CMS, when you can manage Varnish configs with ACL from within the CMS. This is not a shared-hosting environment, again.

This is all about my experience and I don't even think to persuade not to use varnish or mod security. I've only shared my thoughts.
 
Yes, virtual RAM, but I have enough :)
most important for me is the gzip compression issue.

for example, in GTMetrix a website has a score of 90/90
but with modsecurity GZIP is not working and the numbers are 16/76

I found this threat: http://forum.directadmin.com/showthread.php?t=55392
For years I thought even that modsecurity was not compatible with apache and nginx as reverse proxy. But with custombuild 2 plugin I thought, let´s try it. But then I discoverd that GZIP is not working, so for performance it is a bad situation.

Could it be a problem with security, to run the server withoud modsecurity?

Same problem you have in the node of your provider. Optimize the Nginx!. If you optimize and still give you performance problems, you have the problem in the node. You should look for some vps with dedicated memory and assigned CPU cores if you want optimal performance.
 
In that case you should optimize Nginx! You just installed it and you're done? If you do not know how you can search in Google optimization guides using the term: tuning nginx. You should enable Gzip.

That is not true and the case, Gzip is working, only when activating modsecurity Gzip fails.
 
OK, thanks. Here are my thoughts on the matter (I might be wrong though):

1. Varnish is most suitable for a single project server, i.e. not shared-hosting environment.
2. Mod Security requires an admin by a hand to adjust things/rules periodically per needs.

I've got cases when server owners willing to save their time and money (they don't use monthly subscription for their reasons) asked me to remove mod security and varnish due to a constant need to adjust settings, as they give them much more troubles in a shared-hosting environments then they expected.

Please note I own a server which runs Varnish with NGINX+Apache. And I don't have any noticeable issues with it. And still I would not suggest using Varnish if you are not familiar with it.

A good option is to use Varnish with a CMS, when you can manage Varnish configs with ACL from within the CMS. This is not a shared-hosting environment, again.

This is all about my experience and I don't even think to persuade not to use varnish or mod security. I've only shared my thoughts.
I have a similar issue as Laura, i installed modsecurity as the DirectAdmin documentation: https://docs.directadmin.com/webservices/apache/modsecurity.html

I notice the same , ram significant higher from 8GB to almost 80GB and gtmetrix bad score for all the domains

The server has 128GB RAM working on NGINX+Apache and 150 domains hosted.


I installed modsecurity because a big percent of domains use WordPress and Joomla but after installation performance is to bad.
Do you recomend disble modsecurity again?

Regards
 
If your WPs and Joomlas are up-to-date, theres little reason for modsec. On our box we deactivated it again because of lots of false positives. And speed drops too, yes.
 
Do you recomend disble modsecurity again?

That's up to you to decide. Mod_security is a big and universal solution. And as many other universal solutions, it might require a fine-tunning in some certain cases. If you see more harm from it and don't have time to dive into the issue trying to solve it, then you might better remove it.

And again are these my thoughts, a responsibility on all consequences is only yours.
 
Thank you very much zEitEr and johannes, It's been a few weeks since I disabled mod_security.
Everything working fine.
 
Back
Top