nginx and mod_security

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Ideas Centre
Post Reply
User avatar
MarkDHamill
Registered User
Posts: 4885
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA
Contact:

nginx and mod_security

Post by MarkDHamill »

I do phpBB consulting. I am noticing more issues with phpBB and nginx and phpBB and mod_security.

With nginx on shared hosting I am noticing quirks. For example, just the other day I had a client who failed to upgrade to phpBB 3.2 because a "No input file found" error message during the update. The host this time was GoDaddy and the web server I believe is nginx. It's hard to tell because the web server reports "CGI/FastCGI". When I spoke with GoDaddy support they said it was Apache, but I don't believe them. In any event after extensive trial and error I found the only way I could upgrade the forum was to convert the database on my machine (running Apache under XAMPP) then upload the database.

I've had similar quirks like this where the web server shows "CGI/FastCGI" that I believe is running nginx, specifically issues that only went away when mod_security was disabled. In one recent case an attempt to login into the ACP redirected everything to the site's main page. The host in this case was Dreamhost and I could not fix it until I figured out how to disable mod_security via their strange control panel.

I think the two issues are interrelated. For nginx, I think hosts are configuring nginx in some way that causes phpBB to behave incorrectly. My understanding is there is a nginx.conf file somewhere that controls nginx. I have read that unlike Apache you can't change the .htaccess file to change certain web server configurations. I don't believe there is a way to create your own file to override nginx settings.

I also suspect that mod_security has a set of rules for how it is configured and either the defaults or the way web hosts area configuring it is causing a lot of these problems.

So I'm wondering if some sort of research project is needed to provide guidance to web hosts on configuring nginx and mod_security for phpBB. Most hosts seem to be centered around the Wordpress framework and optimizing for that. Since I am seeing a steady increase in these issues I think some attention is warranted. I'm hoping there is someone in the community with nginx and/or mod_security expertise that can post some recommendations.

In particular if there are ways to override these settings for a forum I'd like to learn more. For Apache I've been successful disabling mod_security in the .htaccess file.

I suspect that most phpBB forums are on shared hosting so some best practices are needed.
Need phpBB services or a phpBB consultant? I offer most phpBB services. Getting lost managing phpBB? Buy my book, Mastering phpBB Administration. Covers through phpBB 3.3.7. eBook and paper versions available.
Macko
Registered User
Posts: 45
Joined: Fri Jun 03, 2016 8:38 pm
Location: Online
Name: Mac Ko

Re: nginx and mod_security

Post by Macko »

We're on shared hosting, and it has been suggested that we switch from Apache to Nginx, but I'm hesitant. Anyone else have any pros cons for Apache vs Nginx?
sakm
Registered User
Posts: 713
Joined: Sun Jan 21, 2007 8:14 pm
Location: Hull, uk
Name: Stu
Contact:

Re: nginx and mod_security

Post by sakm »

Macko wrote: Fri Feb 09, 2018 12:51 pm We're on shared hosting, and it has been suggested that we switch from Apache to Nginx, but I'm hesitant. Anyone else have any pros cons for Apache vs Nginx?
you can't switch to nginx if you are on shared hosting! the hosting provider would have to do it for the whole server and not just you!
Macko
Registered User
Posts: 45
Joined: Fri Jun 03, 2016 8:38 pm
Location: Online
Name: Mac Ko

Re: nginx and mod_security

Post by Macko »

sakm wrote: Fri Feb 09, 2018 9:18 pm
Macko wrote: Fri Feb 09, 2018 12:51 pm We're on shared hosting, and it has been suggested that we switch from Apache to Nginx, but I'm hesitant. Anyone else have any pros cons for Apache vs Nginx?
you can't switch to nginx if you are on shared hosting! the hosting provider would have to do it for the whole server and not just you!
Haha, thanks! That settles that. :)
sakm
Registered User
Posts: 713
Joined: Sun Jan 21, 2007 8:14 pm
Location: Hull, uk
Name: Stu
Contact:

Re: nginx and mod_security

Post by sakm »

Macko wrote: Fri Feb 09, 2018 9:42 pm
sakm wrote: Fri Feb 09, 2018 9:18 pm
Macko wrote: Fri Feb 09, 2018 12:51 pm We're on shared hosting, and it has been suggested that we switch from Apache to Nginx, but I'm hesitant. Anyone else have any pros cons for Apache vs Nginx?
you can't switch to nginx if you are on shared hosting! the hosting provider would have to do it for the whole server and not just you!
Haha, thanks! That settles that. :)
But to answer your actual question server load would be lower but a well optimised apache server can be fast ....very fast

Trust me ;)
Post Reply

Return to “phpBB Discussion”