Apache w/mod_sec -> nginx -> mongrel SSL & ReqForComment

i need to run apache with mod_security proxying to nginx which will be
using basically ezra’s nginx.conf and doing caching etc. and then
proxying to mongrel.

the reason for this setup is b/c i NEED mod_security for an app i’m
deploying but i want to be able to use nginx’s caching and other advanced
features and have it be the one that interacts with mongrel. so apache
is going to be layer-7 firewall and filter dynamic content only while
passing static to nginx.

first of all, is there a mod_security port of some sort out there for
nginx i couldn’t find? i looked around on the intergoogle and i saw in
the requestforfeatures doc on nginx home a request and no follow up so i
assume not.

as far as the config my question is regarding ssl. do i need to set up
an ssl vhost for nginx too and reset the X_FORWARDED_PROTO in nginx or
does that flag get preserved as it passes through? can i make that a moot
point by passing it through the apache vhost on 443 (basic vhost is
below post) and letting nginx handle ssl? i can’t see why not, except
that awstats might complain and nginx and aw don’t play so well together
so i’d be taking a hit on the stats. (if anyone has a log config for
nginx that works with aw please do share :) but then again if i do
compression at nginx that might make aw complain too.

and also, what do i have to set in nginx so that it knows it has another
proxy upstream?

ideally i want nginx to handle pretty much everything and for apache to
do nothing besides run traffic through mod_security. i want to make
apache as transparent as possible. i think this vhost does that, and if
i could pass the buck on the ssl handling that would be wonderful. i
just don’t know going proxy to proxy who will get confused where.

does anyone have any thoughts on or experience with this setup? i figure
before i move forward on this i better make sure i’m not doing something
stoopid and on top of that there’s a couple issues that could arise like
the awstats problems which i could solve by putting nginx on the
outside but i really wanna put the security appliance on the border.

any thoughts on or experiences with this would be greatly appreciated.