Hello, as you might know I'm going to set up a new hosting company. I'm currently setting up my server for it, and now I need to decide whether to use Apache (2.4) or nginx. Security is very important, so I wonder which of the two web servers will guarantee me more security. Unfortunately I don't know, but hopefully you do.
Neither -- both. Security is far more a factor of the application you run and how the systems are set up. I can deploy both Apache and Nginx securely or insecurely. In terms of inherent security of the program itself, I would say that Apache core tends to have fewer major issues due to its maturity. There have been a number of exploits, but they are mostly in add-in modules. See: http://secunia.com/community/advisories/search/?search=nginx http://secunia.com/community/advisories/search/?search=apache
Running Apache with PHP as DSO (mod_php) is always a bad idea, as it runs as nobody. nginx should be more lightweight and protected. I am not sure about secure, as there might be 0-day exploits for everything.
I am not sure which one is the best for your security purposes. Can you describe your specifications for the server?
Nginx has protection against small DDoS attacks, which Apache doesn't have. NGINX is a powerful engine, and it's used as the main HTTP server by google.com.
Security for web apps ultimately resides in the applications themselves. Of course there is some stuff that we can do at the web server level (like DDoS limiting modules, a mod_security kind of WAF, etc.); still, it cannot give protection if your application has security holes. Especially when you build a shared hosting server, you will have limited ability to the user's code, and the main thing that you can do is to add some security at the web server level by using the security features provided by the web server. Nginx is not recommended for shared servers due to many factors (it's not an issue with Nginx): 1. There is no major control panel which comes with an Nginx-only web server stack. 2. You will end up with lots of rewrite rule issues / tickets. Still, you have the option to run Nginx in front of Apache and proxy requests to Apache; that is the web server stack major control panels follow right now. It is a recommended setup and it can add some improvements to the website loading speed as well. But if you are going to build a server that is for personal use, or without a control panel and to host your own apps, Nginx will be fine.
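The nginx-in-front-of-Apache layout and the web-server-level request limiting mentioned in the posts above, sketched as an added example (not taken from any poster's configuration). It assumes Apache is bound to 127.0.0.1:8080 only; `example.com` and the limit values are placeholders to tune per site.

```nginx
# Constructed example: nginx as a rate-limiting front end for Apache.
# Assumption: this file is included from the http {} context
# (for instance via conf.d/*.conf), where the *_zone directives are valid.

# Shared-memory zones keyed by client address.
limit_req_zone  $binary_remote_addr zone=perip_req:10m  rate=10r/s;
limit_conn_zone $binary_remote_addr zone=perip_conn:10m;

server {
    listen 80;
    server_name example.com;          # placeholder host name

    server_tokens off;                # do not advertise the nginx version

    # Drop clients that send headers or bodies too slowly.
    client_header_timeout 10s;
    client_body_timeout   10s;
    client_max_body_size  16m;

    # Per-client ceilings: 20 concurrent connections, 10 requests/s
    # with a burst of 20; excess requests get 429 instead of reaching Apache.
    limit_conn        perip_conn 20;
    limit_req         zone=perip_req burst=20 nodelay;
    limit_conn_status 429;
    limit_req_status  429;

    location / {
        # Assumption: Apache listens on loopback only, so these limits
        # cannot be bypassed by connecting to the backend directly.
        proxy_pass http://127.0.0.1:8080;

        # Pass the original host and client address to the backend.
        # Apache needs mod_remoteip (trusting 127.0.0.1) to log and
        # apply access rules against the real client IP.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_connect_timeout 5s;
        proxy_read_timeout    60s;
    }
}
```

Check the syntax with `nginx -t` before reloading. Per-IP limits of this kind absorb small floods only and do nothing for holes in the hosted applications.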
It's terribly hard to secure a service, even if you know what you're doing. Things tend to go to shit once you put a lot of random people with insecure applications on a single shared server. Honestly, I'd just buy a reseller account from an established host that already has everything set up, secured, and optimized for a shared hosting environment. You'll save yourself a lot of time and worry, and your clients will thank you for it.
I run a hosting company right now. If you are looking to use cPanel, you are going to be running Apache unless you decide to do lots of modifications (which can open security holes). Without a CP, it really depends on the way you configure and secure them. I'm sure both have flaws, but depending on how you set them up, they can be mitigated.
As far as security against hacks, neither is any better than the other, as stated above. A good thing is mod security is now working with both, so that helps for adding rulesets against attacks. As far as security against DDoS and attacks, Apache is a lot better than it used to be, but nginx is still better in that regard. When it is a GET attack against PHP sites, though, it really doesn't matter. The only web server that I have personally seen hacked causing mayhem is LiteSpeed. When it first came out I was a big fanboy because it handled high traffic and DDoS so well. I got many clients to switch over to it. I even got a very high profile security and hacking site to switch to it. All was awesome for about a year, then came the buffer overflow exploits, which got many servers hacked and rooted. When I first saw the exploit I contacted the owner/main developer, only to be brushed off with disbelief. He would ask for logs, I'd give them to him, he would say he couldn't find anything, that it must have been something else. Then I gave him packet captures, etc. Still he wasn't listening. Then the exploit went out into the wild; it was a private 0-day only a few hackers had when I was bugging him to fix it. Then, when the crap finally hit the fan, his fix was to add a request filter instead of simply fixing it. When all was said and done, I lost nearly all the clients I had change to it, and it hurt my credibility a great deal. Sorry for the long post about that, but Apache and nginx both have come a long way and have teams of great developers, and you simply won't find any better or more secure. If you go off and think paid alternatives are better, you may just find out the hard way like I did.
Also I want to add there are decent control panels now that support nginx. ISPConfig is one of them and it is totally viable for a hosting platform.