Educause Security Discussion mailing list archives

Re: Nginx vs. Apache2 for web service


From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Date: Tue, 12 Jun 2012 16:20:27 +0000

I heard a recent interview with some of the OpenBSD principals that they're considering nginx as a replacement for 
their forked version of Apache 1(.3?).

That suggests they think that the code is or can be made pretty secure, but doesn't necessarily speak as much for 
configuration security and simplicity (though they do tend to make that a priority).  Also, the long pole in OpenBSD 
tends to be concerns over 2-term BSD-compatible licensing terms.

   -jml


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Aaron 
Hockett
Sent: Tuesday, June 12, 2012 10:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Nginx vs. Apache2 for web service

Hello All,

I'm doing an in-depth comparison of Nginx vs. Apache2 as a case study for moving towards using Nginx for our web 
servers, and in doing so, I've hit the part where I believe some input from the group would be appreciated.

Security.

I'm fairly well versed in locking down vHosts, .htaccess files, redirects, rewrites, etc. on Apache2, and I'm just 
learning some of the techniques found in Nginx to do the configuration in their config files.  What I'm curious about 
is what the "buzz" is around Nginx and if it sacrifices any security for the speed.  The context of this is 
obviously important, so let me flesh that out.  This would be running on:  Ubuntu 12.04 64-bit VM, 100GB HD space, 1GB 
RAM, MySQL, PHP5 w/ php5-gd, php5-curl, php5-xcache, php5-fpm (for FastCGI, which by most tutorials is listed as the BKM; 
I've changed it from a :9000 port listening to an actual .socks listing), Varnish reverse proxy, PHPMyAdmin, 
Webmin, Shorewall FW (using IP Tables) and of course Nginx running a Wordpress site.  As mentioned, I have everything 
set up and running right now, and it is able to handle an absurd amount of web traffic compared to an Apache2 install; 
numbers-wise we're talking 100 users max concurrent @ 5000 requests w/ Apache2 vs. 750+ concurrent @ 5000 requests w/ 
Nginx.

Anyways, just curious what people's thoughts were on it.

Thanks.
-Aaron Hockett
Warner Pacific College
Network & Web Services Engineer

