Marcus
Well-known member
ModSecurity is a Web Application Firewall, and on nginx it is, according to the rules maintainer (they are like the author, whereas ModSecurity is like the publisher), not the best solution: it's pretty slow and buggy.
1. They say PHP-FPM on nginx with modsecurity-nginx (3.x) is slower than Apache-PHP on nginx with modsecurity-apache (2.x). Did anyone confirm that? My AWS EC2 without ModSecurity is always below 1%; with it I experience hikes up to 20%, usually in the low single digits. And that is with slow traffic. I expect more traffic soon, but the current setup does not look to be the best-scaling one (20x difference in CPU on a slow day).
2. They also say the second release of ModSecurity is 100% compatible with their rules (Apache only), while the third, current one (the idea is to be compatible with all, but it currently only works with nginx) isn't on the same level.
Background is that the ModSecurity maintainer has been doing its own thing for some time, and while the maintainer will "set it free", it will take some more years, and until then there is a conflict of interest for the maintainer in delivering a free product while he sells a "superior one" at the same time. Now there are lots of new projects coming up, trying to get ModSecurity's market and be compatible with "the rules".