This topic has drifted from the original question of running discourse on apache (as opposed to a proxy back to nginx).
But I think a discussion on putting a WAF (mod_security or otherwise) before Discourse is useful to the community, so I’ve created a distinct topic to specifically discuss Discourse + WAF here: