06/14/2026 Antispam

DCC, Razor and Pyzor for Rspamd: One Docker Backend

Run DCC, Razor and Pyzor for rspamd from one token-authed Docker backend that never blocks the scanner and never writes your mail to disk. Here is how the shim works and why it looks the way it does.

06/14/2026 nginx

Coraza WAF on NGINX: The Go-Powered ModSecurity Replacement

Coraza is the memory-safe, Go-written WAF that speaks ModSecurity’s language and runs the OWASP CRS unchanged. Here is what libcoraza and the nginx-coraza module are, why we package them, and the fork-deadlock gotcha nobody warns you about.

06/12/2026 nginx

JA3/JA4 TLS Fingerprinting: How It Works and Is It Safe to Block?

JA3 and JA4 TLS fingerprinting read the bytes of the ClientHello to spot the software behind a connection, even when it lies about its User-Agent. Here is how it works on nginx with ngx_ssl_fingerprint_module, and why blocking on a fingerprint is riskier than it looks.

06/11/2026 nginx

How to cache pages in nginx with cache-turbo (no Varnish)

A page cache that lives inside nginx: no Varnish, no Lua, no second daemon. How cache-turbo uses stale-while-revalidate, L1/L2 tiers and single-flight refresh to keep your backend asleep under load.

06/09/2026 nginx

Auto-Ban Abusive Clients in NGINX with the error-abuse module

A single misbehaving scraper can fire 40,000 requests an hour at a 404 it will never stop hitting, and your access log…

06/08/2026 Antispam

KAM.cf in Rspamd: 3,200 SpamAssassin Rules, Native Lua, No Perl

KAM.cf is 3,200+ SpamAssassin rules. Loading it through Rspamd compat mode drags the whole Perl engine along. Here is the converter that transpiles it to native Rspamd Lua instead.

06/06/2026 nginx

How to defend your webserver against vibe-coded AI exploit scanners and bots

Half of all web traffic is bots, and a growing slice are vibe-coded AI scanners written by a chatbot prompt. Here is the five-layer defense in depth that stops them: rate limiting, WAF, TLS hardening, request validation, access control, PHP and Docker hardening, plus the patching that does the most work.

06/06/2026 nginx

WordPress Hardening Plugin for ModSecurity CRS: Block Attacks Without Touching Your PHP

WordPress XSS and SQL injection CVEs are exploding because AI now finds them faster than you can patch. This ModSecurity CRS plugin is the last wall: 40+ rules, typed-parameter SQLi blocking, rate limiting and GeoIP — before PHP ever boots.

06/04/2026 Mail

Dovecot, Post-Quantum TLS and Sieve: The BOFH Guide to a Hardened IMAP Server

A cryptographically relevant quantum computer doesn’t exist yet, and a nation-state is almost certainly recording your IMAP session anyway. That’s not paranoia,…

06/03/2026 nginx

HTTP/2 Bomb (CVE-2026-49975): The Memory DoS an AI Found

An AI noticed two ten-year-old HTTP/2 tricks could be combined into one critical exploit. CVE-2026-49975, the HTTP/2 Bomb, drives a single server to 32 GB of memory in seconds. Here is how it works on nginx, Apache, IIS, Envoy and Pingora — and how to defend against it.

06/03/2026 nginx

Hardened Roundcube Docker: The Webmail Container That Trusts Nobody

Our hardened Roundcube Docker image runs as nobody, can chown nothing, and treats every request as hostile. Here is the full unprivileged + WAF security model — and why default webmail containers are a liability.

06/02/2026 Mail

ViMbAdmin: The Postfix + Dovecot Mailbox Admin Panel (Modernised for PHP 8.5)

Your mailbox table deserves better than raw SQL at 02:00. ViMbAdmin — modernised for PHP 8.5 — manages Postfix + Dovecot virtual domains, mailboxes and aliases via web UI or JSON-RPC API, with TOTP, brute-force protection and a hardened Docker image.

05/30/2026 Packages

Speed Up Debian Package Builds: eatmydata, mold, ccache, distcc, tmpfs — The Whole Shambam

Five tools — eatmydata, mold, ccache, distcc, tmpfs — turn a 14-minute build into 90 seconds. Same compiler, same hardware. Any build system: make, cmake, autotools, ninja, Debian packaging. Here is how to wire them in, what each one breaks, and the order to enable them in.

05/28/2026 Packages

The New deb.myguard.nl Repository Layout: Per-Package APT Trees Explained

The deb.myguard.nl APT repository now publishes clean per-distribution and per-package trees under /apt/. Here is why we split the old mixed pool, how the new layout works, and how to add exactly the packages you want.

05/27/2026 nginx

njs + QuickJS-NG on NGINX: real JavaScript in your web server, finally

Stock njs is an ES5.1 subset with selected ES6 bits and a wall behind every modern feature. Rebuild it against QuickJS-NG and you get a real ES2023 runtime inside NGINX — async/await, BigInt, Proxy, dynamic import(), modern regex, Intl, the lot. Here is what changes, how the build wires it together, and copy-paste examples.

05/26/2026 Mail

Postfix 3.11: Post-Quantum TLS, TLSRPT, Milters and the Modern MTA Stack

In May 1998, Wietse Venema released the first public alpha of a mailer he’d been writing inside IBM Research and originally called…

05/25/2026 WordPress

Google Instant Indexing API for WordPress: end-to-end setup (service account, JWT, OAuth2)

Service account, JWT signing, OAuth2 dance, JSON key paste — the complete setup for Google’s Instant Indexing API on WordPress, with verified quota via Cloud Monitoring and an honest take on what it actually does for non-JobPosting content.

05/25/2026 Packages

Self-Hosting Aptly: Run Your Own Debian APT Repository Behind NGINX

Aptly turns a folder of .deb files into a real signed APT repository — the same way deb.myguard.nl serves thousands of packages. Here is the full self-hosting walkthrough: install, sign, publish, NGINX, automation.

05/25/2026 nginx

HTTP/3 and QUIC on NGINX: Real-World Setup, Tuning, and Gotchas (2026)

HTTP/3 finally works in mainline NGINX, but the config has sharp edges. Here is the real-world setup, the UDP sysctl knobs that actually matter, and the gotchas (alt-svc, MTU, ModSecurity, load balancers) that bite you in production.

05/25/2026 381

Hardened OpenSSH 10.3 for Debian and Ubuntu: PQ Crypto, AppArmor, 3 sshd Flavours

The myguard OpenSSH 10.3 package rebuilds sshd for production servers: post-quantum key exchange, AEAD-only ciphers, an AppArmor profile, a fail2ban jail, monthly moduli regeneration, three switchable sshd flavours (default / gssapi / minimal), and compiler hardening beyond Debian’s default. Includes a 2026 SSH key-generation walkthrough and a stack of server-hardening tips.

05/24/2026 Docker

Docker Hardening for Self-Hosters: Rootless, Read-Only, Cap-Drop, Distroless (2026 Guide)

Default Docker is barely a container at all — root, mutable, all caps, shared kernel. This is the ten-flag hardening checklist that turns it into something a real attacker has to work to break: rootless, read-only, cap-drop, no-new-privileges, distroless, secrets, segmentation, scanning. With a worked NGINX + PHP-FPM compose example.

05/23/2026 Mail

Rspamd Explained: How Modern Spam Filtering Actually Works (Bayes, Neural Nets, RBLs and All the Cool Tricks)

Rspamd is the modern spam filter that runs Bayesian classifiers, neural networks, greylisting, DNS blacklists, Pyzor, Razor, OLEFY and DCC — all at once. Here is what rspamd does, how spam evolved, and why it crushes the inbox war.

05/20/2026 Database

Valkey Explained: The Redis Fork That Actually Won (And Why Our Debian Package Is Worth It)

Valkey is the BSD-licensed, Linux Foundation-backed fork of Redis — and as of 2026 it has overtaken Redis itself. Here is what Valkey is, why it exists, and why our hardened deb.myguard.nl build is the smartest way to install it on Debian or Ubuntu.

05/20/2026 Docker

Self-Hosted Vaultwarden: Docker Setup, Clients & Full Guide

Run your own password manager with self-hosted Vaultwarden — a tiny Docker image, full Bitwarden client compatibility, and total control over your encrypted vault.

05/20/2026 nginx

What Is the BREACH Attack? How It Works and How to Stop It

BREACH is a compression side-channel attack that can leak CSRF tokens and other secrets over HTTPS. Here is how the BREACH attack works, why padding is weak protection, and how to prevent it properly.

05/17/2026 nginx

What Is Zstd? NGINX, Angie, History and Browser Support

Zstd is the fast compression format suddenly showing up in browsers, package managers, and modern web stacks. Here is what it is, where it came from, which browsers and web servers support it, and how to use it with NGINX and Angie today.

05/16/2026 Database

Database Boost: Free WordPress Database Optimization Plugin

Meet Database Boost, the free WordPress database optimization plugin that cleans, repairs, optimizes and indexes your database — and actually explains every step in plain English.

05/16/2026 nginx

How to Install ModSecurity and OWASP CRS on NGINX (Step-by-Step)

A beginner-friendly, step-by-step guide to installing ModSecurity and the OWASP Core Rule Set on NGINX for Debian and Ubuntu — from zero to a live WAF without taking your site down.

05/16/2026 nginx

Zstd vs Brotli vs zlib-ng: The NGINX Compression Deep Dive

Zstd vs Brotli vs zlib-ng only makes sense once you separate browser encodings from compression engines. This deep dive covers support, CPU trade-offs, static vs dynamic compression, and the NGINX production patterns that actually work.

05/16/2026 nginx

Angie 1.11.5 Released: 5 Security Fixes Explained

Angie 1.11.5 fixes five upstream security issues, including HTTP/3, OCSP, rewrite, SCGI/UWSGI, and charset handling hardening. Here is what changed and why it matters.

05/14/2026 nginx

nginx 1.31.0 Released: Six CVEs Fixed, HTTP/2 Hardened, and a Buffer Overflow Worth Knowing About

nginx 1.31.0 is out — six security fixes including a critical buffer overflow in the rewrite module that could lead to arbitrary code execution. Here is what changed, what is at risk, and how to upgrade from our repo.

05/13/2026 nginx

WordPress NGINX Configuration: PHP-FPM Tuning, FastCGI Cache and Redis (2026 Guide)

The complete WordPress + NGINX + PHP-FPM setup for Debian and Ubuntu: server block config, pool tuning, FastCGI caching for anonymous traffic, Redis object cache, Brotli compression, and security hardening with ModSecurity and Snuffleupagus.

05/13/2026 nginx

NGINX Load Balancing: Upstream Config, Health Checks and Failover

NGINX load balancing distributes traffic across multiple backends with automatic failover. This guide covers all five load balancing algorithms, passive health checks, keepalive connection pooling, backup servers, and TCP/UDP load balancing.

05/13/2026 nginx

NGINX Reverse Proxy Configuration: The Complete Setup Guide

A reverse proxy puts NGINX in front of your Node.js, Python, or PHP backend — handling SSL termination, caching, buffering, and security. This guide covers proxy_pass, upstream keepalive, caching, WebSocket proxying, and security headers.

05/13/2026 nginx

NGINX Rate Limiting: Protect Your Server from Bots, Scrapers and Brute Force

NGINX rate limiting with limit_req_zone stops credential stuffing, scrapers, and DDoS floods before they reach your application. This guide covers burst handling, per-endpoint limits, IP whitelisting, WordPress-specific config, and Redis-backed cross-server limiting.

05/13/2026 nginx

NGINX Brotli Compression: Install, Configure and Pre-Compress Static Assets

Brotli achieves 15-26% better compression than gzip on HTML, CSS, and JavaScript. This guide covers installing the NGINX Brotli module, configuring on-the-fly compression, pre-compressing static assets at level 11, and running Brotli alongside gzip.

05/13/2026 nginx

NGINX on Debian 13 Trixie: What Changed and How to Upgrade

Debian 13 Trixie brings GCC 14, OpenSSL 3.3, PHP 8.4, systemd 256, and a newer Linux kernel. Here is what each change means for your NGINX and Angie setup, with a complete upgrade checklist.

05/12/2026 nginx

NGINX on Debian 13 Trixie: Install, Modules and Modern Stack (2026)

Debian 13, codename Trixie, is the current Debian stable release, and the safest, most boring, most production-friendly Linux to run NGINX on…

05/12/2026 nginx

PHP Snuffleupagus Tutorial — Harden PHP-FPM on Debian and Ubuntu (2026)

A friendly, jargon-free walkthrough: install Snuffleupagus from the myguard APT repo, pick the right rulebook for your stack (WordPress, Roundcube, generic PHP, internal agent), wire it into a PHP-FPM pool, and avoid the 5 traps that bite everyone the first time.

05/12/2026 Mail

Postfix + Dovecot Mail Server Setup on Debian 12 and 13 (2026 Guide)

A complete Postfix + Dovecot + Rspamd mail server on Debian 12 and 13 — with TLS, DKIM, SPF, DMARC, spam filtering, virtual mailboxes, security hardening, and a 10/10 score on mail-tester.com. No shortcuts.

05/12/2026 nginx

NGINX ModSecurity Setup on Debian and Ubuntu: WAF with OWASP Core Rule Set

ModSecurity v3 with the OWASP CRS blocks SQL injection, XSS, shell injection, and scanner traffic at the HTTP layer. This guide covers installation, CRS paranoia levels, WordPress tuning, false positive handling, and performance impact.

05/12/2026 nginx

NGINX vs Apache Benchmark 2026: Performance, Memory and Real-World Throughput

NGINX beats Apache at static files and high concurrency; Apache wins on .htaccess flexibility and legacy app compatibility. Benchmark tables for static files, PHP-FPM, TLS handshakes, and memory under load.

05/12/2026 nginx

How to Enable HTTP/3 on NGINX for Debian and Ubuntu (QUIC Guide 2026)

HTTP/3 runs on QUIC over UDP, eliminating TCP head-of-line blocking and enabling 0-RTT connection resumption. This guide covers installation, configuration, 0-RTT security, load balancer setup, and performance tuning.

05/12/2026 nginx

OpenSSL 4.0 for NGINX: Upgrading openssl-nginx from 3.x to 4.0 — What Changes and Why It Matters

We just upgraded our openssl-nginx package from OpenSSL 3.x to OpenSSL 4.0. This guide explains what openssl-nginx is, what changed in version 4.0, the real pros and cons of upgrading, and how to do it safely on your Debian or Ubuntu server.

05/10/2026 nginx

zstd-nginx-module: What Broke, What We Fixed, and Why It Matters

The first audit found 22 issues, but the last two weeks of git history added 14 more issue-level fixes. This updated guide covers the full 36-issue fork-window story, the runtime and build bugs, and the CI tests now guarding the module.

05/09/2026 nginx

Angie Web Server: The Complete Guide — Review, ACME, Migration, API and HTTP/3

Everything about Angie in one place: what it adds over NGINX (native ACME, JSON API, dynamic upstreams, monthly releases), how it performs, how to migrate from NGINX in five minutes, full ACME certificate setup, Prometheus monitoring, and a side-by-side comparison with NGINX Plus.

05/09/2026 History

The Enigma Machine: How Nazi Germany’s “Unbreakable” Code Got Absolutely Demolished

Nazi Germany built a cipher machine with 158 quintillion possible settings and called it unbreakable. They were wrong. Here’s the full story of the Enigma machine, the brilliant misfits at Bletchley Park who cracked it, and why the whole thing matters for every padlock icon in your browser today.

05/09/2026 nginx

Post-Quantum Cryptography with NGINX and Angie: ML-KEM, Hybrid TLS and Why Your HTTPS Needs a Quantum Upgrade

ML-KEM (Kyber) is in OpenSSL 3.5. Chrome has shipped hybrid X25519+ML-KEM since 2024. Here is what post-quantum TLS actually is, why it matters before quantum computers exist, and exactly how to configure NGINX and Angie for hybrid PQC key exchange today.

05/09/2026 nginx

TLS Configuration for NGINX and Angie: The Complete Guide to Getting A+ on SSL Labs

Learn how to configure TLS for maximum security and achieve a perfect A+++ rating on SSL Labs. A comprehensive guide covering cipher selection, certificates, and cryptographic best practices.

05/08/2026 nginx

Google PageSpeed for NGINX: What It Was, Why It Died, and What to Use Instead

Google PageSpeed was the magic module that automatically made your website faster — until Google quietly walked away from it. Here’s the full story: what PageSpeed actually did, why it’s now effectively dead on NGINX and Angie, and what you should use instead.
