
I have my Apache installed behind Nginx. So every request that comes in is first handled by Nginx. If there is dynamic content needed, the request is sent to Apache, which listens on port 8080.

Pretty basic reverse proxy setup.

Now with this setup the first entry point is Nginx. Is it still needed to install ModSecurity to protect Apache against unwanted requests?

Or should I just focus on protecting Nginx, as this is the first entry point?

All suggestions are welcome.

Saif Bechan

2 Answers


I would say yes to hardening Nginx as much as possible, and yes to using ModSecurity on the Apache server if your site is hosting any sort of webapp or dynamic content that can be contributed by the end users, such as comments. Pretty much, if your website has forms then ModSecurity is a good idea.

ModSecurity doesn't protect Apache per se. It protects the webapps and forms that it's serving from exploitation. So its purpose is to help protect the website from XSS, SQL injection, and CSRF/XSRF attacks.

3dinfluence
  • Ah I see, thank you for pointing this out. I thought maybe ModSecurity would be overkill on such a setup. – Saif Bechan Apr 15 '10 at 15:37
  • mod_security does not stop csrf/xsrf, in fact no WAF can do this properly. – Rook Apr 15 '10 at 20:58
  • Well no security product will prevent everything but modsecurity can help prevent CSRF. http://knol.google.com/k/preventing-cross-site-request-forgeries-csrf-using-modsecurity# – 3dinfluence Apr 16 '10 at 00:43
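As an added illustration of the setup the answer recommends (this is example configuration, not from the question or the answer), here is what the Apache back-end on port 8080 can look like with ModSecurity 2.x enabled. It assumes `mod_security2` and `mod_remoteip` (Apache 2.4) are loaded and that the Nginx side forwards the client address with `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`; the hostname `example.test`, the file paths and the rule ids are placeholders.

```apache
# Added example, not part of the original post. Apache listens only on
# localhost:8080 so that nothing can bypass the Nginx front end.
Listen 127.0.0.1:8080

<VirtualHost 127.0.0.1:8080>
    ServerName example.test
    DocumentRoot /var/www/example

    # Behind a proxy every connection arrives from 127.0.0.1. Without this,
    # ModSecurity's logs and any per-client rules would all see the proxy.
    # mod_remoteip trusts X-Forwarded-For only from the listed proxy, so a
    # client cannot forge its own address by sending the header itself.
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 127.0.0.1

    <IfModule security2_module>
        SecRuleEngine On
        # Inspect POST bodies (form submissions), not just the URL and headers.
        SecRequestBodyAccess On
        # Cap non-upload request bodies at 1 MB.
        SecRequestBodyNoFilesLimit 1048576
        # Write an audit record only for transactions that triggered a rule.
        SecAuditEngine RelevantOnly
        SecAuditLog /var/log/apache2/modsec_audit.log

        # Rule set: the OWASP Core Rule Set is the usual choice; path is a placeholder.
        # Include /etc/modsecurity/crs/*.conf

        # Two minimal stand-alone rules (ModSecurity 2.8+ for these operators),
        # kept here so the example works without the CRS installed.
        SecRule ARGS "@detectSQLi" \
            "id:900001,phase:2,deny,status:403,log,msg:'SQL injection pattern in request arguments'"
        SecRule ARGS "@detectXSS" \
            "id:900002,phase:2,deny,status:403,log,msg:'XSS pattern in request arguments'"
    </IfModule>
</VirtualHost>
```

Start with `SecRuleEngine DetectionOnly` for a while and watch `modsec_audit.log`: as the comment below this answer notes, the protection is only as good as the rule set, and a rule set that has never been tuned against the real application will block legitimate form submissions before it blocks anything else.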

Your main focus should be on the applications themselves. Things like Nginx and mod_security are helpful add-ons, a first line of defense perhaps, but they can do nothing if your web application has glaring holes in it.

davr
  • +1 Great point. I wouldn't go as far as to say that mod_security wouldn't do anything to protect even a poorly written webapp. It will certainly help... but it's only as good as the rule set that it's enforcing, and nothing is 100%. You have to let certain things past or the webapp wouldn't work. But security is done in layers, and relying on any one layer is always a bad idea. – 3dinfluence Apr 15 '10 at 15:55