Load Balanced Nginx Firewall on Ubuntu

October 9, 2015 1.1k views
Security Firewall Load Balancing Scaling Ubuntu

I am setting up two nginx web servers which will be behind a load balancer, either haproxy or nginx powered... not sure yet. Even though I plan on using Sucuri Web Firewall, it can be bypassed so I'd like to implement my own web application firewall as well.

If I was using Apache, of course, I'd use mod_security. But since I'm not, I'm not entirely sure what is available for nginx.

Also, I'm somewhat unsure where to implement it in a load balanced environment. Do I put it on its own server (512mb) in front of the load balancer or do I put it on the same server as the load balancer? I don't think it'd be a good idea to put it on the web servers themselves though. I may be wrong, though.

What are your ideas?

1 Answer


mod_security now supports nginx. Check out the official guide on installing it, but keep in mind that you will have to remove your distribution's nginx package and compile nginx manually (and keep an eye on new releases so that you do not miss any important security updates as you'll have to recompile every time an update is released):

Another option would be using the Naxsi nginx module. It is not enabled by default and has to be explicitly enabled when compiling nginx. Most distributions do have an nginx-naxsi package which would be a drop-in replacement for the default package, though. Take a look at this tutorial if you decide to go with Naxsi:

As for where to install the 'firewall,' I would recommend installing it on the load balancer. That will make sure that the app servers only get 'good' requests and do not waste any resources on malicious ones. You can then scale the load balancer and app servers separately depending on the good requests:bad requests ratio.

Naxsi is a third party Nginx module which provides web application firewall features. It brings additional security to your web server and protects you from various web attacks such as XSS and SQL injections. This tutorial shows you how to install Naxsi, understand the rules, create a whitelist, and where to find rules already written for commonly-used web applications.
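The layout the answer recommends (the WAF on the load balancer, so only requests that pass the rules are proxied to the app servers), written out as an added nginx configuration example. This is not from the question, the answer or the linked tutorial. It assumes nginx was built with the Naxsi module, that the core rule set sits at /etc/nginx/naxsi_core.rules, that the two backends are the made-up addresses 10.0.0.11 and 10.0.0.12, and that the application has a free-text search parameter named `q` (a hypothetical parameter used to show a whitelist). On Ubuntu the `http` block normally lives in nginx.conf and the `server` block in sites-available; they are shown together here so the example is complete.

```nginx
# Added example: Naxsi WAF on the nginx load balancer, in front of two
# backend web servers. Assumptions: nginx built with Naxsi; rules at
# /etc/nginx/naxsi_core.rules; 10.0.0.11 and 10.0.0.12 are constructed
# backend addresses; the app takes a search parameter named "q".

http {
    # Naxsi's core signatures. Each rule has an id and adds a score to one
    # or more named counters ($SQL, $XSS, $RFI, $TRAVERSAL, $EVADE).
    include /etc/nginx/naxsi_core.rules;

    upstream app_servers {
        server 10.0.0.11:80;   # constructed backend address
        server 10.0.0.12:80;   # constructed backend address
    }

    server {
        listen 80;
        server_name example.com;

        location / {
            # Enforce the rules. During tuning use "LearningMode;" instead:
            # hits are written to the error log but nothing is blocked, so
            # false positives can be turned into whitelists before go-live.
            SecRulesEnabled;

            # Internal redirect target for blocked requests.
            DeniedUrl "/RequestDenied";

            # A request is blocked once its accumulated score for a counter
            # reaches the threshold; a single low-scoring hit does not block.
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # Whitelist: rule 1000 (the SQL keyword signature, e.g. "select")
            # is ignored only in the request argument "q", so a search for
            # "select committee" passes while the same keyword in any other
            # argument, the URL or the body still scores.
            BasicRule wl:1000 "mz:$ARGS_VAR:q";

            # Only requests that passed the rules reach the app servers.
            proxy_pass http://app_servers;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }

        # Naxsi redirects blocked requests here; answer without touching
        # the backends.
        location /RequestDenied {
            internal;
            return 403;
        }
    }
}
```

Run `nginx -t` before reloading. Keep the whitelist scoped as narrowly as possible (`$ARGS_VAR:q` rather than a bare `wl:1000`), because a global whitelist of a rule disables that signature for every part of every request.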