Apache w/mod_sec -> nginx -> mongrel SSL & ReqForComment

i need to run apache with mod_security proxying to nginx which will be
using basically ezra’s nginx.conf and doing caching etc. and then
proxying to mongrel.

the reason for this setup is b/c i NEED mod_security for an app im
deploying but i want to be able to use nginx’s caching and other advanced
features and have it be the one that interacts with mongrel. so apache
is going to be layer-7 firewall and filter dynamic content only while
passing static to nginx.

first of all, is there a mod_security port of some sort out there for
nginx i couldn’t find? i looked around on the intergoogle and i saw in
the requestforfeatures doc on nginx home a request and no follow up so i
assume not.

as far as the config my question is regarding ssl. do i need to set up
an ssl vhost for nginx too and reset the X_FORWARDED_PROTO in nginx or
does that flag get preserved as it passes through? can i make that a moot
point by passing it through the apache vhost on 443 (basic vhost is
below post) and letting nginx handle ssl? i can’t see why not, except
that awstats might complain and nginx and aw don’t play so well together
so id be taking a hit on the stats. (if anyone has a log config for
nginx that works with aw please do share :) ) but then again if i do
compression at nginx that might make aw complain too.

and also, what do i have to set in nginx so that it knows it has another
proxy upstream?

ideally i want nginx to handle pretty much everything and for apache to
do nothing besides run traffic through mod_security. i want to make
apache as transparent as possible. i think this vhost does that, and if
i could pass the buck on the ssl handling that would be wonderful. i
just don’t know going proxy to proxy who will get confused where

does anyone have any thoughts on or experience with this setup? i figure
before i move forward on this i better make sure im not doing something
stoopid and on top of that there’s a couple issues that could arise like
the awstats problems which i could solve it by putting nginx on the
outside but i really wanna put the security appliance on the border.

any thoughts on or experiences with this would be greatly appreciated
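
One way the nginx side of the chain described in the post could look, as an added example that is not part of the original post. It assumes Apache terminates SSL on 443, sets X-Forwarded-Proto itself in that vhost (mod_proxy adds X-Forwarded-For but not the scheme), and proxies to nginx on 127.0.0.1:8080; the ports, server name and paths are placeholders.

```nginx
# Added example: nginx as the second hop behind Apache + mod_security.
# Assumed Apache side (not from the post), inside the :443 vhost:
#   RequestHeader set X-Forwarded-Proto "https"
#   ProxyPreserveHost On
#   ProxyPass / http://127.0.0.1:8080/

upstream mongrel {
    server 127.0.0.1:8000;   # placeholder mongrel ports
    server 127.0.0.1:8001;
}

server {
    # Bind to loopback only, so no client can reach nginx (and mongrel)
    # without first passing through Apache and mod_security.
    listen 127.0.0.1:8080;
    server_name example.com;          # placeholder
    root /var/www/app/public;         # placeholder path

    # Needs ngx_http_realip_module. Accept the client address from
    # X-Forwarded-For only when the request comes from the Apache hop.
    set_real_ip_from 127.0.0.1;
    real_ip_header   X-Forwarded-For;

    location / {
        # Serve static files directly, hand everything else to mongrel.
        try_files $uri @mongrel;
    }

    location @mongrel {
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        # nginx itself only ever sees plain http from Apache, so $scheme
        # would be wrong here. Forward the value Apache recorded instead.
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_redirect   off;
        proxy_pass       http://mongrel;
    }
}
```

Request headers that are not overridden with proxy_set_header, X-Forwarded-For included, are passed to mongrel as nginx received them from Apache.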
