I see lots of people ask about mod security. Obviously on Nginx stand-alone mod security needs to be compiled with Nginx but when set up as Apache w/ Nginx reverse proxy, would mod security best be placed on Apache? Considering many of its features deal with sql and php, I would think it should run under the server that is “talking to them”. I did some googleing and found little but the bit i did find did suggest to install on apache in this configuration. If under the Apache/Nginx setup it should go under apache you may want to add a mention in to docs, i may limit the posts asking about installing mod sec lol
Sometimes I should under the Apache Nginx setup who should do what; is there may be a general rule to keep in mind?