LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-25-2015, 08:29 PM   #16
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 735

I will concede that nginx is a really good server and does have many strong points, so does apache. I do not think you can point and say which is better because you can still get hacked even if using nginx. From a security perspective, both applications require proper configs and proper monitoring. There is no way around that.

I have found for my personal situation nginx is great for static stuff and a proxy, but for me when it comes to heavy lifting, apache never disappoints. Scaling-wise I prefer apache as well. Sure, for a single machine, go nginx, but if you want a really solid cluster, running both is a better alternative than just saying apache is crap.

One of the big complaints is .htaccess; people say it is slow. Well, how about not using them. Configure all that in the main config file and Bob's your uncle. People complain about apache but never look past their noses to learn about workarounds / proper configs. On paper nginx appears more resource friendly, but did you look at what the externally loaded modules do, not just the nginx process?

But believing nginx is better in the security layer, can you explain how this will better serve to protect against a flaw in the code of wordpress and especially how the xss could have been prevented? I fail to see how the choice of webserver affects a flaw in the pages served from an unmaintained version of code.

On top of that, even though what you say is interesting, how is that better than my config where I have snort running? Is it not sort of the same thing at the end of the day?

The other major problem I have is that everything it loads is done as cgi. Now I do not know about you guys but I think cgi is pretty dangerous. At least with apache I have no requirement to have anything work as cgi and I can set up selinux to not allow cgi execution. Just that step I think is already a step towards a safer system.

So essentially now we are fighting a war to prevent xss and cgi exploits. With apache I can sit back and forget about cgi.

Last edited by ericson007; 09-25-2015 at 09:13 PM.
Old 09-26-2015, 08:06 AM   #17
dlugasx
Member
 
Registered: Dec 2008
Location: Germany/Poland
Distribution: CentOS / Debian / Solaris / RedHat
Posts: 266

Quote:
But believing nginx is better in the security layer, can you explain how this will better serve to protect against a flaw in the code of wordpress and especially how the xss could have been prevented? I fail to see how the choice of webserver affects a flaw in the pages served from an unmaintained version of code.
First of all, I suggest you read more about WAFs and the prevention process against common attacks.

Back to Naxsi, I really prefer the way Nginx with Naxsi works - the "drop by default" rule is awesome. That means that any pattern in the POST or GET which is not recognized by Naxsi rules will simply be dropped. 99% of the patterns used in common injection attacks are defined in the Naxsi rules (for example | or < are not allowed in the URL). Naxsi will block a potential XSS attack even if the code has been written without any understanding of the security rules (for example missing proper escaping of the strings in the php code).
The same with SQL Injection... Blocking by default also prevents most of the new types of attacks. In Apache you can protect the system against "known" attacks but not new ones (not all of course; there could always be somebody who finds something new - there is always a risk)... this is the main difference. That's why I'm saying that Apache should never be in front if you are taking care about security.
DoS attacks... that's another story. Almost every standalone Apache server could easily be taken down... Till today I have never seen any sensible solution which will prevent an Apache DoS attack.


Quote:
The other major problem I have is that everything it loads is done as cgi. Now I do not know about you guys but I think cgi is pretty dangerous. At least with apache I have no requirement to have anything work as cgi and I can set up selinux to not allow cgi execution. Just that step I think is already a step towards a safer system.

So essentially now we are fighting a war to prevent xss and cgi exploits. With apache I can sit back and forget about cgi.
CGI (and other things too) is dangerous if you don't know what you are doing. If you understand it and you know how to properly protect CGI applications, it will work like the rest. What is usually pretty dangerous is an admin who doesn't understand what newly installed applications are doing on his server, so an application security audit should always be done. The common mistake which I really love is bad protection of the upload folders. Another is SELinux turned off or wrongly configured...



Returning to the word "crap": it's my personal opinion, I know I shouldn't use it here on the forum. I must go now... CU guys and have fun with Apache

Last edited by dlugasx; 09-26-2015 at 08:07 AM.
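As an added illustration of the drop-by-default scoring described in the post above, here is a small Python model written for this page (not Naxsi's own rules or implementation; rule ids, patterns, scores and thresholds are constructed). It scores the path, query arguments and body of a request against forbidden-character rules and drops the request once any tag reaches its limit; the last sample shows the cost of this approach, since a harmless search for "a | b" is dropped too.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed rules in the spirit of Naxsi's MainRule entries: a forbidden
# pattern, the request zones it applies to, its score and the tag it counts
# towards. Ids, scores and thresholds are made up for this example.
RULES = [
    {"id": 1001, "pattern": r"<",  "zones": {"URL", "ARGS", "BODY"}, "score": 8, "tag": "xss"},
    {"id": 1002, "pattern": r">",  "zones": {"URL", "ARGS", "BODY"}, "score": 8, "tag": "xss"},
    {"id": 1003, "pattern": r"\|", "zones": {"URL", "ARGS"},         "score": 8, "tag": "rfi"},
    {"id": 1004, "pattern": r"'",  "zones": {"ARGS", "BODY"},        "score": 4, "tag": "sql"},
    {"id": 1005, "pattern": r"--", "zones": {"ARGS", "BODY"},        "score": 4, "tag": "sql"},
]
# CheckRule-style limits: once a tag's score reaches its limit the request is
# dropped. Lower limits block more, and also misfire more on legitimate input.
LIMITS = {"xss": 8, "sql": 8, "rfi": 8}


def score_request(target, body=""):
    """Return (decision, per-tag scores, sorted ids of rules that fired)."""
    parts = urlsplit(target)
    zones = {
        "URL": [parts.path],
        # parse_qsl percent-decodes values, so %3C is inspected as '<'
        "ARGS": [v for _, v in parse_qsl(parts.query, keep_blank_values=True)],
        "BODY": [body] if body else [],
    }
    scores = {tag: 0 for tag in LIMITS}
    fired = set()
    for rule in RULES:
        for zone in rule["zones"]:
            for value in zones[zone]:
                hits = len(re.findall(rule["pattern"], value))
                if hits:
                    scores[rule["tag"]] += rule["score"] * hits
                    fired.add(rule["id"])
    dropped = any(scores[tag] >= LIMITS[tag] for tag in LIMITS)
    return ("DROP" if dropped else "PASS"), scores, sorted(fired)


if __name__ == "__main__":
    # Constructed sample requests: a reflected-XSS probe against a WordPress
    # login page, a normal admin request, a SQL-looking id, and a harmless
    # search containing a pipe that the default-deny rule drops as well.
    for sample in ("/wp-login.php?redirect_to=%3Cscript%3Ealert(1)%3C/script%3E",
                   "/wp-admin/post.php?title=Hello+world",
                   "/post.php?id=1%27--",
                   "/search?q=a+%7C+b"):
        print(sample, *score_request(sample))
```

In a real deployment the false positive on the search query is handled with per-site whitelist rules, which is why a default-deny WAF still needs tuning against the application's legitimate traffic.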
 
Old 09-26-2015, 09:03 AM   #18
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 735

So we are back at square one: even when using nginx you still have to know what you are doing, which is exactly what was said previously in the post about apache too.

Maybe you should read about snort. It is not a waf, but can block xss as well and is webserver agnostic. The other fact is as soon as modules load for nginx, they are loaded using fastcgi, so as soon as you use anything except html and php, you are running cgi, not necessarily your own cgi scripts.

On the other hand, thanks for sharing, OP, it is an eye opener because many of us do many things and forget the basics at times. It was an enlightening post.

Last edited by ericson007; 09-26-2015 at 09:15 AM.