Load Balanced Nginx Firewall on Ubuntu

I am setting up two nginx web servers which will be behind a load balancer, either haproxy or nginx powered… not sure yet. Even though I plan on using Sucuri Web Firewall, it can be bypassed so I’d like to implement my own web application firewall as well.

If I was using Apache, of course, I’d use mod_security. But since I’m not, I’m not entirely sure what is available for nginx.

Also, I’m somewhat unsure where to implement it in a load balanced environment. Do I put it on its own server (512 MB) in front of the load balancer or do I put it on the same server as the load balancer? I don’t think it’d be a good idea to put it on the web servers themselves though. I may be wrong though.

What are your ideas?

mod_security now supports nginx. Check out the official guide on installing it, but keep in mind that you will have to remove your distribution’s nginx package and compile nginx manually (and keep an eye on new releases so that you do not miss any important security updates as you’ll have to recompile every time an update is released):

Another option would be using the Naxsi nginx module. It is not enabled by default and has to be explicitly enabled when compiling nginx. Most distributions do have an nginx-naxsi package which would be a drop-in replacement for the default package, though. Take a look at this tutorial if you decide to go with Naxsi:

As for where to install the ‘firewall,’ I would recommend installing it on the load balancer. That will make sure that the app servers only get ‘good’ requests and do not waste any resources on malicious ones. You can then scale the load balancer and app servers separately depending on the good requests:bad requests ratio.
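A sketch of the layout recommended above, with Naxsi filtering on the load balancer before requests are proxied to the two web servers. This is an added example, not part of the original answer; the upstream addresses, server name and rules path are assumptions.

```nginx
# Added example: goes inside the http { } block on the load balancer.
# Addresses, names and the rules path are assumptions; adjust to your setup.

# Core rule set shipped with Naxsi (path assumed; it varies by package).
include /etc/nginx/naxsi_core.rules;

# The two nginx web servers behind the balancer (constructed addresses).
upstream app_servers {
    server 10.0.0.11:80;
    server 10.0.0.12:80;
}

server {
    listen 80;
    server_name example.com;   # placeholder

    location / {
        SecRulesEnabled;
        # Log matches without blocking while whitelists are built;
        # remove this line to start enforcing.
        LearningMode;
        DeniedUrl "/RequestDenied";

        # Block once a request's score in a category reaches the threshold.
        CheckRule "$SQL >= 8" BLOCK;
        CheckRule "$RFI >= 8" BLOCK;
        CheckRule "$TRAVERSAL >= 4" BLOCK;
        CheckRule "$EVADE >= 4" BLOCK;
        CheckRule "$XSS >= 8" BLOCK;

        # Only requests that pass the checks reach the web servers.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://app_servers;
    }

    # Internal target for blocked requests.
    location /RequestDenied {
        internal;
        return 403;
    }
}
```

For the filter to be effective, the web servers should accept HTTP only from the load balancer's address, since a request sent straight to them never passes through it.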