Dedicated Apache for modsecurity, what is recommended MPM?

I run:

nginx <-> static files
nginx <-> apache modsecurity proxy <-> nginx <-> dynamic files (fastcgi)

So, Apache is used 100% for the WAF.
In this case my theory was that Apache ModSecurity is probably not IO bound but CPU bound, so I set the Apache MPM to prefork.
This apache instance handles thousands of requests/sec.

I could not find any good information on whether this is optimal performance wise.

Performance-wise, is this a better choice than the worker or event MPM, considering that this Apache handles 100% ModSecurity requests only?

Also, I used the above model because nginx ModSecurity was too buggy in the past. I am considering using ModSecurity 3 with nginx. In that case, would it be optimal to increase the number of nginx worker processes, since ModSecurity would probably be CPU bound?
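As an added illustration (not part of this thread, and not anyone's production config): an Apache configuration for the WAF-only proxy hop described in the question, with the prefork MPM the question uses beside an event MPM block, so the two sizing models can be compared. Ports, paths, worker counts and the rule-set location are assumptions.

```apache
# Added example: WAF-only Apache for the "nginx <-> apache modsecurity proxy <-> nginx"
# hop described above. Ports, paths and worker counts are assumptions to tune under load.

Listen 127.0.0.1:8080

# Option A: prefork, as in the question. One process per connection, so
# MaxRequestWorkers bounds concurrent requests and memory grows per process.
<IfModule mpm_prefork_module>
    StartServers             16
    MinSpareServers          16
    MaxSpareServers          64
    ServerLimit             512
    MaxRequestWorkers       512
    MaxConnectionsPerChild 10000
</IfModule>

# Option B: event. Threads share a process, so idle keep-alive connections
# cost far less; rule evaluation is still CPU spent per request either way.
<IfModule mpm_event_module>
    StartServers              4
    ServerLimit              16
    ThreadsPerChild          64
    ThreadLimit              64
    MinSpareThreads          64
    MaxSpareThreads         256
    MaxRequestWorkers      1024
    MaxConnectionsPerChild 10000
</IfModule>

<VirtualHost 127.0.0.1:8080>
    # Only the front nginx connects here; take the client IP from its header
    # so rule matches and audit log entries show the real source.
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 127.0.0.1

    <IfModule security2_module>
        SecRuleEngine On
        SecRequestBodyAccess On
        SecResponseBodyAccess Off                        # skip buffering/inspecting response bodies
        SecAuditEngine RelevantOnly
        SecAuditLog /var/log/apache2/modsec_audit.log    # assumed path
        IncludeOptional /etc/modsecurity/rules/*.conf    # assumed rule-set location
    </IfModule>

    # Hand inspected requests to the backend nginx (assumed port).
    ProxyPreserveHost On
    ProxyPass        "/" "http://127.0.0.1:8081/"
    ProxyPassReverse "/" "http://127.0.0.1:8081/"
</VirtualHost>
```

Enable only one MPM module; the other `<IfModule>` block is then ignored, so both can stay in the file while you compare them under the same load.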

You might even consider using LiteSpeed as a replacement for Apache, even if it's just to handle modsec. Which license you'd need depends on your setup.

What's nice about LiteSpeed's implementation of mod_security is that they've written the engine in such a way that handling rules is a lot faster compared to Apache, for example. Additionally, they only trigger rules for dynamic requests, so static files won't trigger the rules. You'll save a whole lot of resources if you have a good amount of static content such as images, CSS or JS going through your stack as well.

I prefer Apache + PHP-FPM + Event + nginx for caching purposes.

Prefork uses a lot more resources than Event. Most importantly, prefork can handle one request at a time while Event can't handle more.

Hi forsec.
For now the CWAF rule set for ModSecurity v3 and Nginx lacks some features, so the rule set for ModSecurity v2 and Apache has more rules and protection features than the ones for other web servers.
But we are working to improve the rule set for ModSecurity v3.