Invision Community 4: SEO, prepare for v5 and dormant account notifications Matt November 11, 2024Nov 11
Posted December 8, 20213 yr Hello, I want to put an nginx reverse proxy in front of my IPS server. Has anyone done this? Is there a special config for nginx? Thanks
December 8, 20213 yr You will really need to give a lot more information about what you exactly want to do and what you have server wise. Here are the Nginx docs
December 8, 20213 yr Community Expert The question is what benefit are you looking to gain from it. Adding that layer in front is going to make things more difficult for you going forward. For example, if Nginx has something cached, and you make a change in the ACP to a theme or a setting... but it does not bust the Nginx cache, you could be stuck troubleshooting other issues you did not anticipate or need to potentially address. You're going to have to weigh if the benefit that comes from adding it is outweighed by the potential problems and the extra maintenance involved.
December 8, 20213 yr Author The question is what benefit are you looking to gain from it. I was thinking security. I use Nginx reverse proxy with the open source ModSecurity (Web Application Firewall) module for other public facing servers for compliance reasons, and want to do the same with IPS. "Even when you understand security, it is difficult to create secure applications, especially when working under the pressures so common in today’s enterprise. The NGINX ModSecurity Web Application Firewall (WAF) protects applications against sophisticated Layer 7 attacks that might otherwise lead to systems being taken over by attackers, loss of sensitive data, and downtime. The NGINX ModSecurity WAF is based on the widely used ModSecurity open source software. " Detect and stop a broad range of Layer 7 attacks: SQL injection (SQLi), cross‑site scripting (XSS), and Local File Include (LFI), which which together account for over 90% of known Layer 7 attacks Cross‑site request forgery (CSRF), Remote File Include (RFI), remote code execution (RCE), and HTTP protocol violations Other common attack vectors, detected by your own custom regex‑based rules For example, if Nginx has something cached I hear that, we could disable caching... Edited December 8, 20213 yr by gigantor
December 8, 20213 yr Author One can use the WAF with the OWASP ruleset, it's supposed to be the cat's meow in web app security these days. Edited December 8, 20213 yr by gigantor
December 8, 20213 yr Community Expert Personally instead of doing Nginx, I would use a cloud based WAF to filter a request before it ever gets to my server/datacenter. The further away you can fight an attacker the better.
December 9, 20213 yr I prefer Immunity (although paid for) https://blog.imunify360.com/modsecurity-rules-how-to-guide https://www.imunify360.com/about-us/ We used to use OWASP - Imunify is a lot better for less false positives - Part of the cloudlinux suite, used them since 2012
December 9, 20213 yr Community Expert I have moved this to the self hosted guidance forum for you, where it is better placed for someone to assist
January 5, 20223 yr Author I went ahead and got nginx / modsecurity /owasp working. No issues at all, our community is actually faster now.
