What is the best web server firewall for nginx?

February 9, 2014 14.2k views
I'm having hard time with setting mod_security module for my web server nginx. I get a lot of issues and errors before compiling the files. I followed a lot of tuts on the net, but mostly end up with either none working process or cut steps that I don't understand what to do next.... any idea?? Thanks
1 comment
  • Speaking about open-source solutions, you should definitely look at naxsi (NAXSI means Nginx Anti Xss & Sql Injection). This is short desc from official site:

    Technically, it is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple rules (naxsi_core.rules) containing 99% of known patterns involved in websites vulnerabilities. For example, '<', '|' or 'drop' are not supposed to be part of a URI.

    In practice, you still need support it and keep rules up-to-date for your applications (but with help of built-in learning modules). If you're a looking for more efficient and easy-to-use solution, give a chance to Wallarm. It is built on NGINX, learns from traffic to craft blocking rules, has awesome interface and even vulnerability scanner built-in — but, unfortunately, it is not free.

5 Answers
What tuts have you tried following and what commands didn't work for you?
@Kamal, Thanks for asking. I tried the following specifically for mod_security...,nginx,modsecurity,howto,201.html

And the last one available at DO, but for Apache, not Nginx:

it doesn't seem to be compatible with Nginx. so That's why I was wondering if I can replace Mod_security with Naxsi or not!!!

Any idea??
by Jesin A
Here's how to set up mod_security with Apache on Debian/Ubuntu.

I'd enjoy finding a solution to this as well.. at the very least an alternative to modsecurity that plays well with nginx. I remember reading that modsecurity was (or is now) compatible with nginx? Not sure though as it seems one would need to have both apache and nginx to have this as a solution... in the meantime I have gone the money route by installing Dome9.

If anyone has a direction to point on this matter... how wonderful that would be!

Have another answer? Share your knowledge.