Anyone switched to Apache-PHP just for a faster modsecurity?


Well-known member
Modsecurity is a Web Application Firewall and on nginx is according to the rules-maintainer (they are like the author whereas Modsecurity is like the publisher) not the best solution: its pretty slow and buggy.

1. They say PHP-FPM on nginx with modsecurity-nginx (3.x) is slower than Apache-PHP on nginx with modsecurity-apache (2.x). Did anyone confirm that? My AWS EC2 without modsecurity is always below 1%, with it I experience hikes up to 20%, usually in the lower one-figures. And that is with slow traffic. I expect more traffic soon but the current setup does not look to be best scaling one (20x difference on CPU on a slow day).
2. They also say the second release of modsecurity is 100% compatible to their rules (only apache) while the third current one (idea is compatible for all but currently only works with nginx) isn't on the same level.

Background is that the modsecurity maintainer is doing its own thing since some time and while the maintainer will "set it free" it will take some more years and until then there is a conflict of interest for the maintainer to deliver a free product where he sells a "superior one" at the same time. Now there are lots of new projects coming up trying to get modsecurities market and being compatible to "the rules".
ModSecurity is more or less destined to die as a rule engine.

The problem being that indeed its maintainer decided to drop it, and refused to do the necessary licensing changes such that OWASP’s CoreRuleSet team (who writes and maintains most of the rules people actually install) could maintain it. (see

I would encourage anyone interested in keeping their eyes out for replacement ( seemed promising) rule engines and not worry too much about modsecurity directly at this point…

That said these things take time, and to reply to your initial inquiry specifically, I can’t say easily because the CPU costs of our webservers themselves is rather low compared to everything else (ie nginx+modsec is way below that of php-fpm, which is way below database etc)
Top Bottom