{"id":3355,"date":"2016-04-07T17:45:00","date_gmt":"2016-04-07T17:45:00","guid":{"rendered":"https:\/\/news.dream.press\/?post_type=announcement&p=3355"},"modified":"2025-05-06T18:48:03","modified_gmt":"2025-05-06T18:48:03","slug":"introducing-extra-web-security-for-nginx-services","status":"publish","type":"announcement","link":"https:\/\/news.dream.press\/news\/announcements\/introducing-extra-web-security-for-nginx-services\/","title":{"rendered":"Introducing Extra Web Security for Nginx Services"},"content":{"rendered":"\n

Apache has traditionally been the king of shared web hosting<\/a>. It\u2019s popular, stable, flexible, and well-supported across a wide variety of platforms. It\u2019s certainly not, however, the only option available for serving HTTP traffic. Other alternatives, such as Nginx<\/a>, have existed for a while, and are growing in usage as website owners demand greater levels of performance and scalability. I want to spend a bit of time examining Nginx, some of its benefits and drawbacks, and how we\u2019re improving its provision to our customers as an alternative to traditional Apache servers.<\/p>\n\n\n\n

At its core, Nginx is an incredibly efficient and powerful HTTP server<\/a>. Its single-threaded, asynchronous request-handling model stands in contrast to Apache\u2019s process-per-connection. By leveraging a fast event loop, a single Nginx process can scale to handle thousands of concurrent requests while maintaining minimal memory usage (in most common workloads, just a few dozen megabytes of RAM). Additionally, Nginx\u2019s modular architecture allows developers and community members to build new solutions to extend Nginx functionality. In some cases open source module development has spawned active communities around extending Nginx functionality.<\/p>\n\n\n

\n\t
\"Ad<\/div>\n\n\t\n\t\tVPS Plans<\/span>\n\t\t<\/svg>\n\t<\/a>\n\n\t
\n\t\t

\n\t\t\tWe Know You’ve Got Lots of VPS Options\n\t\t<\/h2>\n\t\t

\n\t\t\tHere\u2019s how DreamHost\u2019s VPS offering stands apart: 24\/7 customer support, an intuitive panel, scalable RAM, unlimited bandwidth, unlimited hosting domains, and SSD storage.\n\t\t<\/p>\n\n\t\t \n Choose Your VPS Plan <\/a>\n\n\t<\/div>\n<\/div>\n\n\n

While we\u2019ve long offered Nginx for VPS and dedicated servers<\/a> as an alternative to the traditional Apache service, we haven\u2019t provided all of the extra bells and whistles we do with Apache, particularly with respect to built-in application security. Historically, community-driven web application firewall solutions for Nginx have been a bit lackluster. SpiderLabs<\/a>, the team behind the venerable ModSecurity<\/a> solution for Apache, did build support for Nginx as community adoption of the alternate server grew, but stability and compatibility problems have plagued the fork for years. SpiderLabs is working on a new version of ModSecurity designed to be portable to a number of HTTP servers, but the endeavor is still very much in beta. Other WAF solutions for Nginx, such as Naxsi (a native Nginx module designed to prevent XSS and SQLi attacks), do exist, but lack the robustness and feature set that ModSecurity provides. Ultimately, no stable, turnkey, open source solution exists as an alternative to ModSecurity for Nginx \u2014 until now.<\/p>\n\n\n\n

Enter <\/strong>lua-resty-waf<\/strong><\/a>.<\/strong><\/p>\n\n\n\n

This project is built on the OpenResty<\/a> platform, a software bundle combining the original Nginx project with the Lua interpreter and efficient JIT compiler. The platform allows users to quickly develop and scale applications using the Lua language, while leveraging the flexibility and power that Nginx provides. Lua-resty-waf seeks to provide a ModSecurity-compatible WAF feature set with Nginx, using the built-in LuaJIT compiler to provide an efficient application firewall platform capable of using existing ModSecurity rulesets.<\/p>\n\n\n\n

Lua-resty-waf was originally written as part of my Master\u2019s Thesis. The idea behind the project was to explore the costs, risks and requirements associated with developing a cloud WAF infrastructure, similar to what commercial cloud security providers like Cloudflare and Incapsula provide \u2014 and then provide that service free of charge. Totally unsustainable, of course, but as an academic exercise it was an educating experience. I decided to focus on releasing the source of the firewall engine powering the service, continuing to develop features and exploring new methods of anomalous and malicious behavior detection. As we examined our Nginx offering at DreamHost, we realized that we could leverage this project to provide the same application security that we do using ModSecurity for our Apache services.<\/p>\n\n\n\n

Developing this project has been another big win for DreamHost\u2019s commitment to contributing to open source projects<\/a>. We\u2019ve spent a good chunk of the last few months refactoring, adding new features, and testing the project, and we\u2019re now offering it to users running on modern VPS and dedicated server platforms. This means Nginx users can now receive the same built-in security that we provide for Apache services, including<\/strong>:<\/p>\n\n\n\n