Saying one will have NO protection from web threats and will get "owned" is a bit OTT but then, not wishing to be snarky, I wouldn't expect Turkeys to endorse Christmas either.
OK, this is a little OT, but for the benefit of anyone that follows this thread from a search engine I need to respond to this.
And you're welcome to ignore my advice on this, I don't want anyone to think I'm saying you have to protect your systems, etc. If you choose not to, so be it, I'm just passing my advice and experience, do with it as you will.
So, first of all I am not saying you can not run nginx securely. What I said was that you have to run a WAF in front of it. There is no plug in WAF for nginx, so how do the big sites do it? The put a WAF in front of it. So, to repeat, if you run nginx or ANY web server alone you should expect to get compromised. Thats not OTT, thats a fact. I'll go on to explain.
IMHO, running a web server these days without input validation protection is asking for trouble. Unless you can know that your box and all its web applications are vulnerability free sooner or later you will see applications, databases and probably even the server get compromised if you don't have some kind of input validation in place to protect it. Since its very very hard to know if something is vulnerability free (lets just say its essentially an undoable thing, lots of time and energy is spent making some software more secure, and so far no one has been able to prove an application does not have any vulnerabilities), we should assume our applications probably have some vulnerabilities.
Because there is no plug in solution for nginx to detect web attacks and to protect you from it, using nginx alone to protect your web applications won't do it for you. So, unless you run a WAF in front of it or know your apps are vuln free, sooner or later you're going to get owned.
So, the big sites that run nginx put WAFs in front of it. So, if you are not going to use mod_security as built into apache, and you're going to run nginx as your web server then you need to go buy a nice big expensive WAF appliance and plop it front of your web server.
Why is input validation important? Programmers are human beings and they make mistakes (I do it all the time). Input validation helps to protect you from the consequences of those mistakes. Applications are swiss cheese. I've written over 10K virtual patches alone in the last few years just for the major web apps. Its very very hard to write an application thats completely vulnerability free just as its hard to write a really complicated application to do lots of complicated stuff. Now compound that with all the people writing web apps, multipled by all the web apps out there, now compound that with all the apps using libraries written by someone else (and lets all be honest, thats what modern OSes do for us, we have no idea whats in those libraries no one has the time to read every last line of code their CPU is processing), now add in all the other code written by someone else thats all used, linked in, and relied upon and you are guaranteed to be running some web app that has a hole in it somewhere.
So, running a web server without input validation is like sky diving without a reserve, sooner or later something will go wrong, and then you have nothing to fall back on and its game over. I am a skydiver, I pack my own chute. I would *never* jump without a reserve packed by someone else licensed by the FAA as a rigger. I might make a mistaken with my main, and I might make the same mistake with my reserve. So I need something to make up for my imperfections.
The problem is worse for web applications than it is for skydivers because its not just a failure or a simple mistake you want to prevent, its intelligent malicious actions by human beings you must prevent. Imagine someone deliberately sabotaged my chutes, or was shooting at me as I dropped. I need some kind of security system to protect my chutes and myself, I need to lock up my chute between jumps, I need some checks on who packed my reserve. I need something to make sure my chute hasnt been sabotaged, and I need some protection from those bullets. Thankfully, no one is shooting at me when I jump for fun (it might have been different when I was in the Army, which is a different story) but web applications are not as lucky, and they need that kind of protection. They get attacked all day and all night.
nginx is not a security system, it was not built to stop web attacks - its just a web server. Don't expect it to protect you. Its a GREAT web server, there just isn't anything to protect it standing alone. If you want to use nginx as your web server you need to run a WAF in front of it or you run a very real risk of your web applications getting compromised, and more often than not, that will also them to compromise the server and whats on it.
So is it OTT to say you will get owned, I don't think so, but don't take my word for it just ask around.